To perform any migration, you need to connect the migration endpoints. This means setting up the following resources for proper access:
- Firewall rules across all environments: on-premises, AWS, and Google Cloud Virtual Private Cloud.
- VPNs or other network connections set up with static or dynamic routing and forwarding rules to the correct network subnets and VMs within Google Cloud, AWS, or inside the corporate LAN.
- GCP Network Tags or Instance Service Accounts that allow for traffic to pass between instances.
This page lists only the firewall rules and routes that Velostrata itself needs. Your applications may require additional, application-specific firewall rules and routes, which must be set up separately on Google Cloud. For more information, see Firewall Rules, Routes, and Configuring Network Tags.
Network tags
Google Cloud uses network tags to identify which VPC firewall rules apply to particular VMs. A tag can appear as the target of a rule and also as its source, so instances that share a tag can be allowed to communicate with each other by a rule that references that tag on both sides. Velostrata assigns network tags to facilitate workload migration.
The following sections describe required network tags, suggested names, and configurations.
Velostrata Manager network tag (suggested name: fw-velosmanager)
This network tag can be specified when deploying the Velostrata Manager using the Google Cloud Marketplace click-to-deploy option. Alternatively, an Instance Service Account may be specified and used in firewall rules.
Velostrata Edge network tag (suggested name: fw-velostrata)
Velostrata Cloud Extensions are created with a network tag setting of your choosing. One or more network tag names can be specified during creation of the Velostrata Cloud Extension.
Workload network tag (suggested name: fw-workload)
For simplicity, this document describes workload network access rules by referencing the Workload network tag, which allows workload nodes to access your project's Velostrata resources. You can set up additional workload network tags to specify firewall rules that apply to different applications. Alternatively, Instance Service Accounts may be used with firewall rules, and can be set during Velostrata migration operations.
Custom tags
Custom tags let you scope firewall rules to the instances that share them. If you have several VM instances serving a website, tag these instances with a common value, and then use that tag as the target of a firewall rule that allows HTTP access to those instances.
Firewall rules
Each resource involved in an application migration must be permitted through any firewalls located in the on-premises corporate network, over a VPN or other interconnection to either Google Cloud or AWS, and in the Google Cloud VPC or AWS VPC network or subnet(s).
The following tables list the firewall access Velostrata requires: the source, the destination, the firewall scope where the rule is enforced, whether the rule is optional, and the protocol and port.
For additional information, see the following firewall documentation:
- For firewalls inside the on-premises corporate LAN, see your vendor documentation.
- Virtual Private Cloud firewall documentation
- AWS VPC firewall documentation
Google Cloud Virtual Private Cloud
Source | Destination | Firewall Scope | Optional? | Protocol | Port |
---|---|---|---|---|---|
Velostrata Manager network tags (GCP) | GCP API Endpoint | Internet or Private Google Access | No | HTTPS | TCP/443 |
Velostrata Manager network tags (GCP) | AWS API Endpoint (AWS-to-GCP migrations) | Internet | No | HTTPS | TCP/443 |
Corporate LAN subnets (for web UI access) | Velostrata Manager network tags (GCP) | VPN On-Premises | No | HTTPS | TCP/443 |
Velostrata Backend | Velostrata Manager network tags (GCP) | VPN On-Premises | No | gRPC | TCP/9119 |
Velostrata Manager network tags (GCP) | Workload network tags (GCP), for the instance console availability probe | VPC | Yes | RDP, SSH | TCP/3389, TCP/22 |
Velostrata Manager network tags (GCP) | Velostrata Telemetry Service | Internet | Yes | HTTPS | TCP/443 |
Velostrata Manager network tags (GCP) | Velostrata Edge network tags (GCP) | VPC | No | HTTPS | TCP/443, TCP/9111 |
Velostrata Manager network tags (GCP) | Velostrata Importers (AWS subnet) | VPN to AWS | No | HTTPS | TCP/443 |
Velostrata Edge network tags (GCP) | Google Cloud Storage API | Internet or Private Google Access | No | HTTPS | TCP/443 |
Velostrata Edge network tags (GCP) | Velostrata Telemetry Service | Internet | Yes | HTTPS | TCP/443 |
Workload network tags or Instance Service Accounts (GCP) | Velostrata Edge network tags (GCP) | VPC | No | iSCSI | TCP/3260 |
Velostrata Backend | Velostrata Edge network tags (GCP) | VPN On-Premises | No | TLS | TCP/9111 |
Velostrata Importers (AWS subnet) | Velostrata Edge network tags (GCP) | VPN to AWS | No | TLS | TCP/9111 |
Velostrata Edge network tags (GCP) | Velostrata Edge network tags (GCP) | VPC | No | ANY | ANY |
On-Premises
The following table lists the rules that apply when migrating VMware virtual machines or physical machines on-premises to GCP.
Source | Destination | Firewall Scope | Optional? | Protocol | Port |
---|---|---|---|---|---|
Velostrata Backend | vCenter Server | Corp LAN | No | HTTPS | TCP/443 |
Velostrata Backend | Velostrata Telemetry Service | Internet | Yes | HTTPS | TCP/443 |
Velostrata Backend | vSphere ESXi | Corp LAN | No | VMW NBD | TCP/902 |
Velostrata Backend | Corp DNS Server | Corp LAN | No | DNS | TCP/UDP/53 |
Velostrata Backend | Velostrata Manager (GCP) | VPN to GCP | No | TLS/SSL, HTTPS | TCP/9119, TCP/443 |
Velostrata Backend | Velostrata Cloud Extension nodes (GCP subnet) | VPN to GCP | No | TLS/SSL | TCP/9111 |
vCenter Server | Velostrata Backend | Corp LAN | No | HTTPS | TCP/443 |
vCenter Server Velostrata Plugin | Velostrata Manager (GCP) | VPN to GCP | No | HTTPS | TCP/443 |
AWS VPC
The following table lists the rules that apply when migrating AWS EC2 instances from an AWS VPC to GCP.
Source | Destination | Firewall Scope | Optional? | Protocol | Port |
---|---|---|---|---|---|
Velostrata Manager (GCP) | Velostrata Importers Security Group (AWS) | VPN to GCP | No | HTTPS | TCP/443 |
Velostrata Importers Security Group (AWS) | Velostrata Cloud Extension nodes (GCP subnet) | VPN to GCP | No | TLS | TCP/9111 |
Troubleshooting
Source | Destination | Firewall Scope | Optional? | Protocol | Port |
---|---|---|---|---|---|
Your local machine | Velostrata Manager (GCP) | VPN to GCP | Yes | SSH | TCP/22 |
Velostrata Manager (GCP) | Velostrata on-premises Backend | VPN On-Premises | Yes | SSH | TCP/22 |
Velostrata Manager (GCP) | Velostrata Edge network tags (GCP) | VPC | Yes | SSH | TCP/22 |
Velostrata Manager (GCP) | Velostrata Importers (AWS subnet) | VPN to AWS | Yes | SSH | TCP/22 |
Workload network tags or Instance Service Accounts (GCP) | Velostrata Edge network tags (GCP) | VPC | Yes | SYSLOG (for GCP VM boot phase) | UDP/514 |
Example On-Premises to Google Cloud configuration
The preceding sections list the rules that may apply to your migration. This section shows a sample networking configuration for your VPC, created through the Google Cloud Console. For more information, see Creating firewall rules.
In the following example, the 192.168.1.0/24 subnet represents the on-premises network and 10.1.0.0/16 represents the VPC.
Name | Type | Target | Source | Ports | Purpose |
---|---|---|---|---|---|
velos-backend-control | Ingress | fw-velosmanager | 192.168.1.0/24 | tcp:9119 | Control plane between Velostrata Backend and Velostrata Manager. |
velos-ce-backend | Ingress | fw-velostrata | 192.168.1.0/24 | tcp:9111 | Encrypted migration data sent from Velostrata Backend to Cloud Extensions. |
velos-ce-control | Ingress | fw-velostrata | fw-velosmanager | tcp:443, tcp:9111 | Control plane between Cloud Extensions and Velostrata Manager. |
velos-ce-cross | Ingress | fw-velostrata | fw-velostrata | all | Synchronization between Cloud Extension nodes. |
velos-console-probe | Ingress | fw-workload | fw-velosmanager | tcp:22, tcp:3389 | Allows the Velostrata Manager to check if the SSH or RDP console on the migrated VM is available. |
velos-vcplugin | Ingress | fw-velosmanager | 192.168.1.0/24 | tcp:443 | Control plane between vCenter plugin and Velostrata Manager. |
velos-webui | Ingress | fw-velosmanager | 192.168.1.0/24, 10.1.0.0/16 | tcp:443 | HTTPS access to Velostrata Manager for web UI. |
velos-workload | Ingress | fw-velostrata | fw-workload | tcp:3260, udp:514 | iSCSI for data migration and syslog. |
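The same eight rules can be created from the command line instead of the Console. The script below is an added example, not part of the Velostrata documentation: it emits one `gcloud compute firewall-rules create` command per row of the table above (and runs them when `VELOS_APPLY=1` is set). It distinguishes CIDR sources (`--source-ranges`) from tag sources (`--source-tags`), since one rule cannot mix the two, and refuses a world-open source so that the Manager web UI or the 9111/9119 control ports are never exposed to the whole internet by a typo. The VPC network name `velos-vpc` and the `VELOS_NETWORK`/`VELOS_APPLY` variables are assumptions for this example; the tag names are the suggested ones from this page.

```shell
#!/usr/bin/env sh
# Added example (not Velostrata's own tooling): print, or with VELOS_APPLY=1 run,
# the gcloud commands for the example firewall table.
# Assumed (hypothetical, adjust to your environment):
#   VELOS_NETWORK  VPC network the rules attach to (default: velos-vpc)
#   VELOS_APPLY=1  execute each command instead of only printing it

NETWORK="${VELOS_NETWORK:-velos-vpc}"

# velos_fw_rule NAME TARGET_TAG SOURCE PORTS DESCRIPTION
# SOURCE is a comma-separated list of CIDRs (-> --source-ranges) or of network
# tags (-> --source-tags). PORTS is a gcloud --rules value such as tcp:9119,
# tcp:443,tcp:9111 or all. Returns 1 for a 0.0.0.0/0 or ::/0 source.
velos_fw_rule() {
  name="$1"; target="$2"; source="$3"; ports="$4"; desc="$5"
  case "$source" in
    *0.0.0.0/0*|*::/0*)
      echo "velos_fw_rule: refusing world-open source for $name" >&2
      return 1 ;;
    *[0-9]/[0-9]*) src_flag="--source-ranges=$source" ;;   # CIDR form
    *)             src_flag="--source-tags=$source" ;;     # network tag form
  esac
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --action=ALLOW --rules=%s %s --target-tags=%s --description="%s"\n' \
    "$name" "$NETWORK" "$ports" "$src_flag" "$target" "$desc"
}

# velos_rules: one command per table row (name|target|source|ports|description).
velos_rules() {
  while IFS='|' read -r name target source ports desc; do
    cmd="$(velos_fw_rule "$name" "$target" "$source" "$ports" "$desc")" || return 1
    printf '%s\n' "$cmd"
    if [ "${VELOS_APPLY:-0}" = "1" ]; then eval "$cmd"; fi
  done <<'EOF'
velos-backend-control|fw-velosmanager|192.168.1.0/24|tcp:9119|Control plane: Backend to Manager
velos-ce-backend|fw-velostrata|192.168.1.0/24|tcp:9111|Encrypted migration data: Backend to Cloud Extensions
velos-ce-control|fw-velostrata|fw-velosmanager|tcp:443,tcp:9111|Control plane: Manager to Cloud Extensions
velos-ce-cross|fw-velostrata|fw-velostrata|all|Synchronization between Cloud Extension nodes
velos-console-probe|fw-workload|fw-velosmanager|tcp:22,tcp:3389|Manager probes SSH/RDP console on migrated VMs
velos-vcplugin|fw-velosmanager|192.168.1.0/24|tcp:443|Control plane: vCenter plugin to Manager
velos-webui|fw-velosmanager|192.168.1.0/24,10.1.0.0/16|tcp:443|HTTPS web UI access to Manager
velos-workload|fw-velostrata|fw-workload|tcp:3260,udp:514|iSCSI data migration and boot-phase syslog
EOF
}

velos_rules
```

Run it once without `VELOS_APPLY` to review the generated commands, then with `VELOS_APPLY=1` after `gcloud auth login` and `gcloud config set project`. Note that `velos-ce-cross` allows all protocols, but only between instances that carry the `fw-velostrata` tag, and that `velos-webui` is restricted to the corporate LAN and the VPC range rather than the internet, which is what the 0.0.0.0/0 check enforces.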
Network routing and forwarding
Once firewall rules that allow necessary communication are in place, additional static routes to carry traffic between networks may be necessary.
For routing and forwarding inside the on-premises corporate LAN, see your router, firewall, and VPN vendor documentation.
For more on routing and forwarding in Google Cloud, see the following documentation:
For routing and forwarding from AWS to Google Cloud, see the following documents: