This topic describes how to set up Anthos clusters on AWS as a processing cluster for migrating Linux VMs. You use the processing cluster to generate migrated container artifacts and to operate and monitor the migration.
Before you begin
Before creating Anthos clusters on AWS, you need:
- A user with GKE Administrator privileges. These privileges are only necessary for the setup portion.
- Prerequisites for migration. See Prerequisites for migrating Linux VMs on AWS for more.
- AWS IAM Roles, IAM users, and Access Policies deployed on the AWS account for use by Migrate for Anthos. See Configuring AWS IAM groups and instance roles for more.
Connecting to Anthos clusters on AWS
Many procedures used to migrate a VM require that you run the migctl CLI on your cluster. Depending on your workstation's connectivity to the cluster, you might have to open a tunnel to the bastion host to use migctl.
See Connecting to the management service for more.
Configuring AWS IAM groups and instance roles
As part of performing a migration, Migrate for Anthos writes information to different data repositories:
- Docker image files representing a migrated Linux VM are written to a Docker registry. These Docker image files represent the files and directories of the migrated Linux VM.
- Migration artifacts that represent the migrated workload are written to a second repository. Artifacts include the configuration YAML files that you can use to deploy the migrated workloads, and other files.
See Defining data repositories for more.
You must satisfy the following prerequisites in preparation for migrating your AWS VMs so that your Anthos clusters on AWS can access these repositories:
- An AWS account and EC2 instances to migrate.
- Migrate for Anthos IAM Roles, IAM users, and Access Policies deployed on the AWS account.
About AWS Accounts - IAM roles and access policies
The Amazon IAM service enables the creation and enforcement of access policies. Migrate for Anthos uses AWS IAM groups and instance roles to define and enable these permissions.
At minimum, we recommend the following setup:
- An IAM group (named MigrateForAnthos) for use by the Migrate for Anthos user account on AWS. This group enforces an access policy with the minimum privileges required by Migrate for Anthos to access the required data repositories and EC2 instances. See Defining data repositories for more.
- An IAM user account in the MigrateForAnthos IAM group. The recommended permissions are described in the CloudFormation stack template file.
Creating the Migrate for Anthos IAM group
Download and extract the CloudFormation stack template file, IAMGroupForAnthosOnAws_CloudFormation.json.
Sign in to the AWS Console and select CloudFormation.
Click Create Stack.
Click Choose File, upload the CloudFormation file, and then click Next.
Enter a Name for the CloudFormation stack.
From the Options page, click Next, then click Create. A group named MigrateForAnthos is created.
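A pre-deployment check for the minimum-privilege policy described above, as an added example that is not part of the original page or of Migrate for Anthos: it scans a CloudFormation template for IAM group policies that grant wildcard actions. The embedded template and the `audit_template` and `as_list` helpers are constructed for illustration and do not reproduce the contents of IAMGroupForAnthosOnAws_CloudFormation.json.

```python
import json

# Constructed sample template; NOT the contents of the real template file.
SAMPLE_TEMPLATE = json.dumps({"Resources": {"Group": {
    "Type": "AWS::IAM::Group",
    "Properties": {"GroupName": "MigrateForAnthos", "Policies": [{
        "PolicyName": "sample-policy",
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["ec2:DescribeInstances", "ec2:CreateSnapshot"]},
            {"Effect": "Allow", "Action": "s3:*",
             "Resource": "arn:aws:s3:::example-artifacts/*"},
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        ]}}]}}}})


def as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_template(template_text):
    """Return (policy_name, statement_index, finding) for over-broad Allows."""
    findings = []
    resources = json.loads(template_text).get("Resources", {}).values()
    for res in (r for r in resources if r.get("Type") == "AWS::IAM::Group"):
        for policy in res.get("Properties", {}).get("Policies", []):
            stmts = as_list(policy.get("PolicyDocument", {}).get("Statement", []))
            for i, stmt in enumerate(stmts):
                if stmt.get("Effect") != "Allow":
                    continue
                name = policy.get("PolicyName")
                if "NotAction" in stmt:
                    findings.append((name, i, "Allow with NotAction"))
                # Resource "*" alone is not flagged: ec2:Describe* requires it.
                any_resource = "*" in as_list(stmt.get("Resource", []))
                for action in as_list(stmt.get("Action", [])):
                    if not isinstance(action, str):
                        continue  # intrinsic function; needs manual review
                    if action == "*" and any_resource:
                        findings.append((name, i, "full admin: * on *"))
                    elif action == "*" or action.endswith(":*"):
                        findings.append((name, i, "wildcard action " + action))
    return findings


if __name__ == "__main__":
    print(*audit_template(SAMPLE_TEMPLATE), sep="\n")
```

To check the downloaded template instead of the sample, pass the file's text to `audit_template` before uploading it in the Create Stack step.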
Creating the AWS IAM user for Migrate for Anthos
In the AWS console, click your account name in the top-right corner of the page and then select Security Credentials.
From the left pane, select Users and then click Create New Users.
For Access type, select Programmatic access.
Download the CSV file with the user credentials (Keys).
You need that CSV file when configuring the repositories used by Anthos clusters on AWS and when creating a migration source. See Defining data repositories and Adding a migration source for more.
Add the IAM user to the group created by the CloudFormation script.
Creating Anthos clusters on AWS
Because of the many options you have when installing Anthos clusters on AWS, see the installation information in the Anthos clusters on AWS documentation to install your cluster.
Your cluster must:
- Use GKE 1.5.1 or later.
- Define at least one node with 4 or more CPUs and 15 GB or more of RAM.
- If the source VM references an encrypted EBS volume, ensure that your processing cluster has access to the encrypted volume. See Prerequisites for migrating Linux VMs on AWS for more.