Migrate for Anthos supports the use of on-prem processing clusters to perform a migration. For example, you can create a Migrate for Anthos processing cluster in a vSphere environment by using Anthos clusters on VMware, or create a processing cluster using Anthos clusters on AWS.
In many on-prem environments, outbound internet access is tightly controlled through the use of an HTTPS proxy server. By default, Migrate for Anthos does not use a proxy to make outbound requests. If your environment uses a proxy server to control outbound internet access, then you can configure Migrate for Anthos to use that proxy.
When Migrate for Anthos makes outbound requests
As part of performing a migration, Migrate for Anthos makes outbound requests to write information to different data repositories:
- Docker image files representing the migrated VM are written to a Docker registry.
  These Docker image files represent the files and directories of the migrated VM.
- Migration artifacts that represent the migrated workload are written to a data repository.
  Artifacts include the configuration YAML files that you can use to deploy the migrated workloads, as well as other files. The exact artifacts depend on whether you are migrating Linux or Windows workloads.
Accessing a Docker registry
For on-prem processing clusters, there is no default Docker registry defined. You configure the location of the Docker registry at the time you install Migrate for Anthos. The registry can be located:
- On Google Cloud by using Google Container Registry (GCR).
- On ECR either locally or remotely from your cluster.
- On a local or remote Docker registry.
For more on configuring a repository for Migrate for Anthos, see Defining data repositories.
Accessing an artifacts repository
For on-prem processing clusters, there is no default artifacts repository defined. You configure the location of the artifacts repository at the time you install Migrate for Anthos. The repository can be located:
- On Google Cloud by using Google Cloud Storage.
- On S3 either locally or remotely from your cluster.
For more on configuring a repository for Migrate for Anthos, see Defining data repositories.
Defining a proxy server to access a repository
If your processing cluster requires a proxy to make outbound requests to access a repository, then you can configure proxy access when you install Migrate for Anthos.
Cluster requirements
To use a proxy with Migrate for Anthos, your on-prem processing cluster must be configured to support proxy access, and any firewall rules that the proxy needs in order to reach the data repositories must be in place.
The steps to configure a proxy depend on where you installed your processing cluster. See the following documentation for more:
Firewall requirements
Your proxy server might have access restrictions configured to allow or deny access to specific external locations.
For processing clusters to be able to connect to Google Cloud services, the proxy server must allow traffic to the following domains:
- For Docker registry on Google Cloud using GCR:
*.gcr.io
- For migration artifacts repository on Google Cloud using Cloud Storage:
storage.googleapis.com
If you are using your own data repository, ensure that the proxy server allows outbound access to the necessary locations.
Proxy authentication
Some proxy servers restrict access by using basic authentication. If your proxy requires basic authentication credentials, then you can configure those credentials when you configure Migrate for Anthos to use the proxy.
Proxy requests using basic authentication use a URL of the form:
https://user:password@proxy:proxyPort/
SSL/TLS requirements
Migrate for Anthos supports proxy requests over HTTPS only. HTTP is not supported.
When using an HTTPS proxy, Migrate for Anthos does not support self-signed certificates. You must use a signed certificate with an HTTPS proxy.
Examples
To configure an HTTPS proxy with no authentication:
migctl setup proxy --https-proxy myproxy.com
To update the proxy, run the command again with different values. You can have only one proxy configuration, so running the command again overwrites the current configuration.
To configure an HTTPS proxy and also specify domains where the proxy is not used:
migctl setup proxy --https-proxy myproxy.com --no-proxy localhost,mydomain.com
If the proxy uses basic authentication:
migctl setup proxy --https-proxy myproxy.com --proxy-basic-authentication
You will then be prompted to enter the username and password.
Or you can enter the credentials as part of the proxy address:
migctl setup proxy --https-proxy user:pword@myproxy.com
To remove the proxy configuration:
migctl setup proxy --remove
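The HTTPS-only, certificate and firewall requirements above can be checked before running migctl setup proxy. The following is an added example, not part of Migrate for Anthos or its documentation; the function names and the two test URLs are assumptions chosen for illustration, and it assumes curl 7.52 or later is available on the workstation.

```shell
#!/bin/sh
# Added example: pre-flight checks for a proxy address before it is passed to
# `migctl setup proxy --https-proxy`. All function names are hypothetical.

# Succeeds for https:// or a bare host; fails for http:// or any other scheme.
proxy_scheme_ok() {
  case "$1" in
    https://*) return 0 ;;
    *://*)     return 1 ;;
    *)         return 0 ;;
  esac
}

# Succeeds if the address embeds user:password@ in its authority part.
proxy_has_inline_creds() {
  authority="${1#*://}"          # drop the scheme, if any
  authority="${authority%%/*}"   # drop any path
  case "$authority" in *@*) return 0 ;; *) return 1 ;; esac
}

# Prints the address with the password masked, safe for logs and tickets.
redact_proxy() {
  printf '%s\n' "$1" |
    sed -E 's#^([a-z0-9+.-]+://)?([^:@/]+):[^@/]*@#\1\2:***@#'
}

# Live check through the proxy. curl validates the proxy's own certificate by
# default, so a self-signed proxy certificate makes every request fail.
# Assumptions: curl 7.52+ (HTTPS proxy support); test URLs chosen for this example.
preflight_proxy() {
  proxy="$1"; rc=0
  proxy_scheme_ok "$proxy" || { echo "FAIL: proxy must be HTTPS" >&2; return 2; }
  case "$proxy" in *://*) ;; *) proxy="https://$proxy" ;; esac
  for url in https://us.gcr.io/v2/ https://storage.googleapis.com/; do
    if curl --silent --show-error --output /dev/null --max-time 15 \
            --proxy "$proxy" "$url"; then
      echo "ok   $url"
    else
      echo "FAIL $url (curl exit $?)"; rc=1
    fi
  done
  return "$rc"
}
```

Call preflight_proxy with the proxy host and its port given explicitly. When proxy_has_inline_creds succeeds, prefer the --proxy-basic-authentication prompt, since credentials typed on the command line end up in shell history and process listings.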