This topic describes how to configure Google Cloud so that you can use Velostrata. It requires that you set up the following Google Cloud resources:
- User account
- Organization
- Project
- Virtual Private Cloud network (Google recommends using a custom network)
- Subnet
- Cloud VPN connectivity to your on-premises data center
You also need to create and download a JSON key for the Velostrata Management service account (the Google Cloud credential file) so that Velostrata Manager can authenticate to Google Cloud.
Setting up a Google Cloud account, organization, and project
- Go to the Google Cloud console and sign in or, if you don't already have an account, sign up to create one.
- To set up an organization, see Creating and managing organizations and read Decide a resource hierarchy for your Google Cloud landing zone.
- Assign the following IAM roles to the people who will administer the organization and run the service account and role creation script:
- Organization Administrator
- Compute Admin
- (Project) Owner
To understand IAM concepts such as Google Cloud accounts, service accounts, etc., see the IAM Overview.
Setting up networks on Google Cloud
Velostrata uses Google Cloud Virtual Private Cloud (VPC) networks and VPN connectivity to your on-premises data center or other clouds from which you are planning to migrate.
Inside the VPC network, Velostrata uses subnets for the Cloud Edge components. The default route in a VPC network gives instances outbound internet access, provided the instance has an external IP address or the subnet is served by Cloud NAT. The Velostrata Cloud Edge nodes need this outbound access to send data to the Velostrata Telemetry Service and to Cloud Storage, so do not block it with egress firewall rules.
For detailed information on firewall, routing, and network tagging considerations for your Migrate to Virtual Machines deployment, see Migrate to VMs network access requirements.
Creating Google Cloud roles and service accounts by using Cloud Shell
Permissions overview
Velostrata requires a number of roles and service accounts on Google Cloud. Roles are a set of permissions. Service accounts are assigned these roles. Brief explanations of the roles are provided below. They are also available as Jinja templates in Cloud Shell under the /google/velostrata/previous-versions/4.0 directory.
The Velostrata Management service account (velos-gcp-mgmt-sa) creates all the resources that a Cloud Extension needs (VMs, Cloud Storage buckets, etc.).
The Velostrata Cloud Extension service account (velos-gcp-ce-sa) has permissions to manage Cloud Storage for migrations.
The Velostrata Project Worker service account (velos-gcp-worker-sa) uses the same Cloud Storage permissions as the Cloud Extension account, but is only used for the Prepare to Detach operation.
The number and placement of service accounts depends on the number of Google Cloud projects your organization plans to use for a migration. If you are using multiple projects, the roles are still created once, at the organization level; the service accounts, however, are created in the individual projects.
This document describes the easiest and fastest way to create the appropriate service accounts, using the Migrate to VMs service account and roles utility available in Cloud Shell.
Though we don't recommend it, you can configure Google Cloud manually.
Prerequisites
The script enables the following Google Cloud APIs:
- Resource Manager API
- Identity and Access Management (IAM) API
- Compute Engine API
- Cloud Storage API
- Cloud Deployment Manager API
The user running Cloud Shell needs the following IAM roles:
- Owner
- Compute Admin
- Organization Administrator
From Google Cloud, you need the following information:
- Numeric Organization ID
- Project IDs
The script requires elevated permissions, so commands must be run with sudo.
Adding API permissions
Sign in as a user with administrative privileges in Google Cloud.
If you have not created a primary project to host your migrations, Create a project in Google Cloud.
Console
- Open the APIs & Services Library
- Turn on all of the following:
- Identity and Access Management (IAM) API
- Cloud Resource Manager API
- Google Cloud Deployment Manager V2 API
- Compute Engine API
- Next, Open the IAM page
- Find the row for the Google APIs service agent, the member whose name ends in "@cloudservices.gserviceaccount.com" (Deployment Manager runs as this account), and click the edit icon to the right of the name
- Click Add Another Role.
- Select Roles from the left column and Role Administrator from the right column. Click Save.
Running the configuration script
To run the configuration script:
- Launch Cloud Shell.
- Change to the directory containing the Velostrata script:
cd /google/velostrata/previous-versions/4.0
- Run the script with the following command:
sudo ./velos_sa_roles.py COMMAND
Where COMMAND is one of:
list-projects, which lists all the projects the user has permission to access.
deploy, which creates the roles and service accounts for your migration and assigns the roles to the service accounts.
list-projects
Here's an example of the script using list-projects.
sudo ./velos_sa_roles.py list-projects [--org-id organization_id] [--projects-file filename]
FLAGS
--org-id takes a numeric Google Cloud organization ID and returns only projects from that organization.
--projects-file saves the output to the named file (deploy uses the same flag to read its list of target projects).
deploy
Here's an example of the script using deploy.
sudo ./velos_sa_roles.py deploy --host-proj-id single_proj_id --ce-proj-id single_proj_id --projects-file projects.txt [--audit]
REQUIRED FLAGS
--host-proj-id, the ID of the Google Cloud project that contains the Velostrata Manager.
--ce-proj-id, the ID of the project that will contain your Cloud Extensions.
FLAGS
--projects-file, a text file that contains the Google Cloud project IDs of the target projects for migrated workloads, one per line.
--org-id takes a numeric Google Cloud organization ID and uses all available projects in that organization as target projects. Use --projects-file or --org-id to select the target projects.
--audit generates a shell script (named deployment_[RANDOM].sh, where RANDOM is a random string generated by the script) that lets you review the commands before they are executed. Read it before running anything: it creates service accounts and grants roles, so confirm that only the intended projects appear in it.
EXAMPLES
To configure Velostrata to use a single project for all migrated VMs:
sudo ./velos_sa_roles.py deploy --host-proj-id single_proj_id --ce-proj-id single_proj_id --projects-file projects.txt
To configure Velostrata to use multiple projects, using all available projects in the Google Cloud organization as target projects for workloads:
sudo ./velos_sa_roles.py deploy --host-proj-id host_proj_id --ce-proj-id ce_proj_id --org-id org_id
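A mistyped project ID or organization ID in the deploy command creates service accounts and grants roles in the wrong place. The following is an added example, not part of the Velostrata utility or of this documentation: it validates the inputs against Google Cloud's project ID and organization ID rules, parses a --projects-file, and assembles the deploy command line with --audit turned on so the generated deployment_[RANDOM].sh can be read before it is applied. The project IDs and the file contents are constructed sample data; the tolerance for '#' comments and blank lines in the projects file is an assumption of this example, not a feature of the utility.

```python
"""Pre-flight checks for the inputs to velos_sa_roles.py deploy.

Added example, not part of the Velostrata utility. It validates the project
IDs and organization ID you are about to pass to deploy and assembles the
command line with --audit on. Project IDs and file content below are
constructed sample data.
"""
import re
import shlex
from typing import List, Optional

# Google Cloud project IDs: 6-30 characters of lowercase letters, digits and
# hyphens, starting with a letter and not ending with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
# Organization IDs are numeric.
ORG_ID_RE = re.compile(r"^[0-9]+$")


def parse_projects_file(text: str) -> List[str]:
    """Return the project IDs from the contents of a --projects-file.

    The utility expects one project ID per line. Blank lines and '#' comments
    are tolerated here (an assumption of this example, so the file can be
    annotated while it is reviewed) and stripped before the IDs are checked.
    Raises ValueError for a malformed or duplicate ID, or an empty list.
    """
    seen = set()
    projects = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not PROJECT_ID_RE.match(line):
            raise ValueError(f"line {lineno}: {line!r} is not a valid project ID")
        if line in seen:
            raise ValueError(f"line {lineno}: duplicate project ID {line!r}")
        seen.add(line)
        projects.append(line)
    if not projects:
        raise ValueError("projects file contains no project IDs")
    return projects


def build_deploy_command(host_proj: str, ce_proj: str,
                         projects_file: Optional[str] = None,
                         org_id: Optional[str] = None,
                         audit: bool = True) -> List[str]:
    """Build argv for `sudo ./velos_sa_roles.py deploy`.

    Exactly one of projects_file or org_id selects the target projects, as in
    the two deploy examples above. --audit is on by default so that the
    generated deployment_[RANDOM].sh can be read before anything is applied.
    """
    for flag, value in (("--host-proj-id", host_proj), ("--ce-proj-id", ce_proj)):
        if not PROJECT_ID_RE.match(value):
            raise ValueError(f"{flag}: {value!r} is not a valid project ID")
    if (projects_file is None) == (org_id is None):
        raise ValueError("specify exactly one of --projects-file or --org-id")

    argv = ["sudo", "./velos_sa_roles.py", "deploy",
            "--host-proj-id", host_proj, "--ce-proj-id", ce_proj]
    if projects_file is not None:
        argv += ["--projects-file", projects_file]
    else:
        if not ORG_ID_RE.match(org_id):
            raise ValueError(f"--org-id: {org_id!r} must be a numeric organization ID")
        argv += ["--org-id", org_id]
    if audit:
        argv.append("--audit")
    return argv


if __name__ == "__main__":
    # Constructed sample projects file listing one target project.
    sample = "# target projects for migrated VMs\nmigration-host-prod\n"
    print("target projects:", parse_projects_file(sample))
    cmd = build_deploy_command("migration-host-prod", "migration-host-prod",
                               projects_file="projects.txt")
    print(shlex.join(cmd))
```

Run parse_projects_file over the contents of projects.txt before invoking deploy; the ValueError message names the offending line, which is far cheaper to fix than rolling back service accounts created in an unrelated project.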
Saving the scripts
The role creation script generates a series of files, including the deployment and rollback scripts, that you must copy elsewhere if you want to keep them. From Cloud Shell, you can save copies to your local machine or copy them to a Cloud Storage bucket.
Make a local copy
To copy the deployment and rollback scripts to your local machine from the Cloud Shell environment:
- Find the fully qualified file names that you want to copy, for example /google/velostrata/deployment_rollback_SAMPLE.sh.
- Click the expanded menu button above the Cloud Shell terminal.
- Click Download file.
- Enter the fully qualified file path of the file you want to download.
- Repeat for any other files you want a copy of.
Copy to Cloud
Files can be copied from Cloud Shell to a Cloud Storage bucket using the gsutil cp command:
gsutil cp deployment_rollback_*.sh gs://my-bucket
Use a bucket with restricted access: the scripts list your project IDs and the service accounts and roles that were created.
Rolling back the script
If you need to roll back your service account setup, run the following command:
sudo ./deployment_rollback_[RANDOM].sh
Creating the Google Cloud Credential File
To configure Velostrata Manager, you need to export a JSON private key for the Velostrata Management service account from the Google Cloud console. Treat this file as a secret: it is a long-lived credential for a service account that can create resources in your projects, so store it only where Velostrata Manager needs it, restrict its file permissions, and delete the key in IAM when it is no longer needed.
Console
- Open IAM & Admin > Service Accounts.
- If necessary, select your project from the Select a project menu.
- Find the Migrate to VMs service account you created that ends in "mgmt-sa".
- Click the action menu to the right of that line and select the Create Key option.
- Select JSON as your Key Type and click Create.
- Download the file.
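Before handing the downloaded file to Velostrata Manager, it is worth confirming that it is the key you meant to create: a key for the wrong service account or the wrong project fails only later, and a key file left world-readable is a credential leak waiting to happen. The following is an added example, not Velostrata code or part of this documentation. It checks that the JSON is a service account key, that the account name ends in "mgmt-sa" and belongs to the expected host project, that the private key is PEM-encoded, and that the file is only readable by its owner. The key content is a constructed placeholder (the PEM body is not a real key) so the script runs offline; point check_key_file at the file you downloaded instead.

```python
"""Checks on a downloaded service account key before it goes to Velostrata
Manager.

Added example, not Velostrata code. The key content below is a constructed
placeholder (the PEM body is not a real key) so the script runs offline.
"""
import json
import os
import stat
import tempfile
from typing import Dict, List

MGMT_SUFFIX = "mgmt-sa"  # the Velostrata Management service account name ends in this


def check_key_json(data: Dict, expected_project: str) -> List[str]:
    """Return the problems found in a parsed key file (an empty list means OK)."""
    problems = []
    if data.get("type") != "service_account":
        problems.append("not a service account key (type is not 'service_account')")
    email = data.get("client_email", "")
    account, _, domain = email.partition("@")
    if not account.endswith(MGMT_SUFFIX):
        problems.append(f"client_email {email!r} is not the management service account")
    if domain != f"{expected_project}.iam.gserviceaccount.com":
        problems.append(f"client_email {email!r} does not belong to project {expected_project!r}")
    if data.get("project_id") != expected_project:
        problems.append(f"project_id {data.get('project_id')!r} is not {expected_project!r}")
    key = data.get("private_key", "")
    if not (key.startswith("-----BEGIN PRIVATE KEY-----")
            and key.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM-encoded private key")
    if not data.get("private_key_id"):
        problems.append("private_key_id missing; it identifies the key for rotation or deletion")
    return problems


def check_permissions(path: str) -> List[str]:
    """Flag a key file that group or other users can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} has mode {oct(mode)}; restrict it to the owner (chmod 600)"]
    return []


def check_key_file(path: str, expected_project: str) -> List[str]:
    """Run both checks on a key file on disk."""
    with open(path) as f:
        data = json.load(f)
    return check_permissions(path) + check_key_json(data, expected_project)


# Constructed sample key: the structure of a real key file with placeholder values.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "migration-host-prod",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "velos-gcp-mgmt-sa@migration-host-prod.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
}


def run_demo() -> Dict[str, List[str]]:
    """Write the sample key with different modes and contents; collect findings."""
    results = {}
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        with open(path, "w") as f:
            json.dump(SAMPLE_KEY, f)
        os.chmod(path, 0o600)
        results["good"] = check_key_file(path, "migration-host-prod")
        os.chmod(path, 0o644)
        results["world_readable"] = check_key_file(path, "migration-host-prod")
        os.chmod(path, 0o600)
        # A key for the Cloud Extension account instead of the management one.
        wrong = dict(SAMPLE_KEY,
                     client_email="velos-gcp-ce-sa@migration-host-prod.iam.gserviceaccount.com")
        with open(path, "w") as f:
            json.dump(wrong, f)
        results["wrong_account"] = check_key_file(path, "migration-host-prod")
        results["wrong_project"] = check_key_json(SAMPLE_KEY, "some-other-proj")
    finally:
        os.remove(path)
    return results


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or "OK")
```

The private_key_id is worth recording when you store the key: it is the value you look for under the service account's Keys tab when you rotate or delete the key after the migration is complete.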