Configuring a processing cluster on AWS

This topic describes how to set up Anthos clusters on AWS as a processing cluster for migrating Linux VMs. You use the processing cluster to generate migrated container artifacts, operate, and monitor the migration.

Before you begin

Before creating Anthos clusters on AWS, you need:

• A user with GKE Administrator privileges. These privileges are only necessary for the setup portion.
• Prerequisites for migration. See Prerequisites for migrating Linux VMs using AWS processing clusters for more.
• AWS IAM Roles, IAM users, and Access Policies deployed on the AWS account for use by Migrate for Anthos and GKE. See Configuring AWS IAM groups and instance roles for more.

Creating Anthos clusters on AWS

Because of the many options you have when installing Anthos clusters on AWS, see the installation information in the Anthos clusters on AWS documentation to install your cluster.

Your cluster must:

• Use Anthos 1.5.1 or later.
• Define at least one node with 4 or more CPUs and 15 GB or more of RAM.
• If the source VM references an encrypted EBS volume, ensure that your processing cluster has access to the encrypted volume. See Prerequisites for migrating Linux VMs on AWS for more.

Connecting to Anthos clusters on AWS

Many procedures used to migrate a VM require that you run the migctl CLI on your cluster. Depending on your workstation's connectivity to the cluster, you might have to open a tunnel to the bastion host to use migctl. See Connecting to the management service for more.

Configuring AWS IAM groups and instance roles

As part of performing a migration, Migrate for Anthos and GKE writes information to different data repositories:

1. Docker image files representing a migrated Linux VM are written to a Docker registry.

   These Docker image files represent the files and directories of the migrated Linux VM.

2. Migration artifacts that represent the migrated workload are written to a second repository.

   Artifacts include the configuration YAML files that you can use to deploy the migrated workloads, and other files.

See Defining data repositories for more.

You must satisfy the following prerequisites in preparation for migrating your AWS VMs so that your Anthos clusters on AWS can access these repositories:

• An AWS account and EC2 instances to migrate.

• Migrate for Anthos and GKE IAM Roles, IAM users, and Access Policies deployed on the AWS account.

About AWS Accounts - IAM roles and access policies

The Amazon IAM service enables the creation and enforcement of access policies. Migrate for Anthos and GKE uses AWS IAM groups and instance roles to define and enable these permissions.

At minimum, we recommend the following setup:

• An IAM group (named MigrateForAnthos) for use by Migrate for Anthos and GKE user account on AWS.

  This group enforces an access policy with the minimum privileges required by Migrate for Anthos and GKE to access the required data repositories and EC2 instances. See Defining data repositories for more.

• An IAM user account in the MigrateForAnthos IAM Group.

  The recommended permissions are described in the CloudFormation stack template file.

Creating the Migrate for Anthos and GKE IAM group

1. Download and extract the CloudFormation stack template file, IAMGroupForAnthosOnAws_CloudFormation.json.

2. Sign in to the AWS Console and select Cloud Formation.

3. Click Create Stack.

4. Click Choose File, upload the CloudFormation file, and then click Next.

5. Enter a Name for the CloudFormation stack.

6. From the Options page, click Next, then click Create. A group named MigrateForAnthos is created.

Creating the AWS IAM user for Migrate for Anthos and GKE

1. In the AWS console, click your account name in the top-right corner of the page and then select Security Credentials.

   

2. From the left pane, select Users and then click Create New Users.

3. For Access type, select Programmatic access.

4. Download the CSV file with the user credentials (Keys).

   You need that CSV file when configuring the repositories used by Anthos clusters on AWS and when creating a migration source. See Defining data repositories and Adding a migration source for more.

   

5. Add the IAM user to the group created by the CloudFormation script.

   

About AWS workload identity

Workload identity for Anthos clusters on AWS lets you bind Kubernetes service accounts to AWS IAM accounts with specific permissions. Workload identity uses AWS IAM permissions to block unwanted access to cloud resources.

With workload identity, you can assign different IAM roles to each workload. This fine-grained control of permissions lets you follow the principle of least privilege.

Using workload identity with Migrate for Anthos and GKE

Migrate for Anthos and GKE lets you deploy your migrated workloads to Anthos clusters on AWS. In some cases, you might use the same cluster as both the processing cluster and the deployment cluster. If you have enabled workload identity on your deployment cluster, then you have to ensure that you configure your deployment environment correctly to support Migrate for Anthos and GKE.

Additionally, you must ensure that any services started as part of the init process are configured correctly for workload identity. The steps you perform depend on the service manager for your cluster. See Deploying a Linux workload to a target cluster for the configuration steps.

Next Steps

• Installing Migrate for Anthos and GKE