Configuring an HTTPS proxy

Migrate for Anthos supports the use of on-prem processing clusters to perform a migration. For example, you can create a Migrate for Anthos processing cluster in a vSphere environment by using Anthos clusters on VMware, or create a processing cluster using Anthos clusters on AWS.

In many on-prem environments, outbound internet access is tightly controlled through the use of an HTTPS proxy server. By default, Migrate for Anthos does not use a proxy to make outbound requests. If your environment uses a proxy server to control outbound internet access, then you can configure Migrate for Anthos to use that proxy.

When Migrate for Anthos makes outbound requests

As part of performing a migration, Migrate for Anthos makes outbound requests to write information to different data repositories:

  1. Docker image files representing the migrated VM are written to a Docker registry.

    These Docker image files represent the files and directories of the migrated VM.

  2. Migration artifacts that represent the migrated workload are written to a data repository.

    Artifacts include the configuration YAML files that you can use to deploy the migrated workloads, as well as other files. The exact artifacts depend on whether you are migrating Linux or Windows workloads.

Accessing a Docker registry

For on-prem processing clusters, there is no default Docker registry defined. You configure the location of the Docker registry at the time you install Migrate for Anthos. The registry can be located:

For more on configuring a repository for Migrate for Anthos, see Defining data repositories.

Accessing an artifacts repository

For on-prem processing clusters, there is no default artifacts repository defined. You configure the location of the artifacts repository at the time you install Migrate for Anthos. The registry can be located:

For more on configuring a repository for Migrate for Anthos, see Defining data repositories.

Defining a proxy server to access a repository

If your processing cluster requires a proxy to make outbound requests to access a repository, then you can configure proxy access when you install Migrate for Anthos.

Cluster requirements

To use a proxy with Migrate for Anthos, your on-prem processing cluster must be configured to support proxy access and also configured for any firewall rules required by the proxy to be able to access the data repositories.

The steps to configure a proxy depend on where you installed your processing cluster. See the following documentation for more:

Firewall requirements

Your proxy server might have access restrictions configured to allow or deny access to specific external locations.

For processing clusters to be able to connect to Google Cloud services, the proxy server must allow traffic to the following domains:

  • For Docker registry on Google Cloud using GCR: *.gcr.io
  • For migration artifacts repository on Google Cloud using Cloud Storage: storage.googleapis.com

If you are using your own data repository, ensure that the proxy server allows outbound access to the necessary locations.

Proxy authentication

Some proxy servers restrict access by using basic authentication. If your proxy requires basic authentication credentials, then you can configure those credentials when you configure Migrate for Anthos to use the proxy.

Proxy requests using basic authentication use a URL of the form:

https://user:password@proxy:proxyPort/

SSL/TLS requirements

Migrate for Anthos supports proxy requests over HTTPS only. HTTP is not supported.

When using an HTTPS proxy, Migrate for Anthos does not support self-signed certificates. You must use a signed certificate with an HTTPS proxy.

Examples

To configure an HTTPS proxy with no authentication:

migctl setup proxy --https-proxy myproxy.com

To update the proxy, run the command again with different values. You can have only one proxy configuration, so running the command again overwrites the current configuration.

To configure an HTTPS proxy and also specify domains where the proxy is not used:

migctl setup proxy --https-proxy myproxy.com --no-proxy localhost,mydomain.com

If the proxy uses basic authentication:

migctl setup proxy --https-proxy myproxy.com --proxy-basic-authentication

You will then be prompted to enter the username and password.

Or you can enter the credentials as part of the proxy address:

migctl setup proxy --https-proxy user:pword@myproxy.com

To remove the proxy configuration:

migctl setup proxy --remove 
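
The following pre-flight check is an added example, not part of Migrate for Anthos or migctl. It takes a proxy address in either form shown on this page (bare host or full URL), flags a non-HTTPS scheme and embedded credentials, and returns a copy with the password redacted so the address can be written to logs or tickets. The function name check_proxy_address and the sample addresses are assumptions made for illustration.

```python
from urllib.parse import urlsplit, quote

# Constructed sample addresses in the forms shown on this page.
SAMPLES = ["myproxy.com", "user:pword@myproxy.com", "http://myproxy.com:3128"]

def check_proxy_address(value):
    """Return (redacted_address, findings) for a proxy address."""
    findings = []
    # 'user:pword@host' has no '://', so urlsplit would read 'user' as the
    # scheme; add the scheme first so the userinfo is parsed as userinfo.
    url = value if "://" in value else "https://" + value
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme != "https":
        findings.append("scheme %r rejected: proxy must be HTTPS" % scheme)
    host = parts.hostname or ""
    if not host:
        findings.append("no proxy host found")
    if ":" in host:              # IPv6 literal: restore the brackets
        host = "[%s]" % host
    try:
        port = parts.port        # ValueError if non-numeric or out of range
    except ValueError:
        port = None
        findings.append("invalid port")
    netloc = host if port is None else "%s:%d" % (host, port)
    if parts.username is not None or parts.password is not None:
        findings.append("credentials embedded in address")
        # Keep the user name for troubleshooting, never the password.
        netloc = "%s:***@%s" % (quote(parts.username or "", safe=""), netloc)
    return "%s://%s/" % (scheme, netloc), findings

if __name__ == "__main__":
    for sample in SAMPLES:
        redacted, findings = check_proxy_address(sample)
        print(redacted, findings or "ok")
```

An address typed with inline credentials is also recorded in shell history, which the --proxy-basic-authentication prompt shown above avoids.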
