This topic describes how to set up Anthos clusters on AWS as a processing cluster for migrating Linux VMs. You use the processing cluster to generate the migrated container artifacts and to operate and monitor the migration.
Before you begin
Before creating Anthos clusters on AWS, you need:
- A user with GKE Administrator privileges. These privileges are needed only for the setup steps.
- Prerequisites for migration. See Prerequisites for migrating Linux VMs using AWS processing clusters for more.
- AWS IAM Roles, IAM users, and Access Policies deployed on the AWS account for use by Migrate for Anthos and GKE. See Configuring AWS IAM groups and instance roles for more.
Creating Anthos clusters on AWS
Because there are many options when installing Anthos clusters on AWS, follow the installation information in the Anthos clusters on AWS documentation to install your cluster.
Your cluster must:
- Use Anthos 1.5.1 or later.
- Define at least one node with 4 or more CPUs and 15 GB or more of RAM.
- If the source VM references an encrypted EBS volume, ensure that your processing cluster has access to the encrypted volume. See Prerequisites for migrating Linux VMs on AWS for more.
Connecting to Anthos clusters on AWS
Many procedures used to migrate a VM require that you run the
on your cluster. Depending on your workstation's connectivity to the cluster,
you might have to open a tunnel to the
bastion host to use
See Connecting to the management service
Configuring AWS IAM groups and instance roles
As part of performing a migration, Migrate for Anthos and GKE writes information to different data repositories:
- Docker image files representing a migrated Linux VM are written to a Docker registry. These Docker image files represent the files and directories of the migrated Linux VM.
- Migration artifacts that represent the migrated workload are written to a second repository. Artifacts include the configuration YAML files that you can use to deploy the migrated workloads, and other files.
See Defining data repositories for more.
You must satisfy the following prerequisites in preparation for migrating your AWS VMs so that your Anthos clusters on AWS can access these repositories:
- An AWS account and EC2 instances to migrate.
- Migrate for Anthos and GKE IAM Roles, IAM users, and Access Policies deployed on the AWS account.
About AWS Accounts - IAM roles and access policies
The Amazon IAM service enables the creation and enforcement of access policies. Migrate for Anthos and GKE uses AWS IAM groups and instance roles to define and enable these permissions.
At minimum, we recommend the following setup:
- An IAM group (named MigrateForAnthos) for use by the Migrate for Anthos and GKE user account on AWS. This group enforces an access policy with the minimum privileges required by Migrate for Anthos and GKE to access the required data repositories and EC2 instances. See Defining data repositories for more.
- An IAM user account in the
The recommended permissions are described in the CloudFormation stack template file.
Creating the Migrate for Anthos and GKE IAM group
- Download and extract the CloudFormation stack template file,
- Sign in to the AWS Console and select Cloud Formation.
- Click Create Stack.
- Click Choose File, upload the CloudFormation file, and then click Next.
- Enter a Name for the CloudFormation stack.
- From the Options page, click Next, then click Create. A group named
Creating the AWS IAM user for Migrate for Anthos and GKE
- In the AWS console, click your account name in the top-right corner of the page and then select Security Credentials.
- From the left pane, select Users and then click Create New Users.
- For Access type, select Programmatic access.
- Download the CSV file with the user credentials (Keys).
- Add the IAM user to the group created by the CloudFormation script.
About AWS workload identity
Workload identity for Anthos clusters on AWS lets you bind Kubernetes service accounts to AWS IAM accounts with specific permissions. Workload identity uses AWS IAM permissions to block unwanted access to cloud resources.
With workload identity, you can assign different IAM roles to each workload. This fine-grained control of permissions lets you follow the principle of least privilege.
Using workload identity with Migrate for Anthos and GKE
Migrate for Anthos and GKE lets you deploy your migrated workloads to Anthos clusters on AWS. In some cases, you might use the same cluster as both the processing cluster and the deployment cluster. If you have enabled workload identity on your deployment cluster, you must configure your deployment environment correctly to support Migrate for Anthos and GKE.
Additionally, you must ensure that any services started as part of the init process are configured correctly for workload identity. The steps you perform depend on the service manager for your cluster. See Deploying a Linux workload to a target cluster for the configuration steps.