Configuring Google Cloud for Velostrata

This topic describes how to configure Google Cloud so that you can use Velostrata. It requires that you set up the following Google Cloud resources:

  • User account
  • Organization
  • Project
  • Virtual Private Cloud network (Google recommends using a custom network)
  • Subnet
  • Cloud VPN connectivity to your on-premises data center

You also need to create a JSON key for the Velostrata Management service account (the Google Cloud Credential File); the Velostrata Manager uses this key to authenticate to Google Cloud.

Setting up a Google Cloud account, organization, and project

  1. Go to the Google Cloud console and sign in or, if you don't already have an account, sign up to create one.
  2. To set up an organization, see Creating and managing organizations and read Decide a resource hierarchy for your Google Cloud landing zone.
  3. Grant the following roles to the people who will administer the organization and run the service account and role creation script:
    1. Organization Administrator
    2. Compute Admin
    3. (Project) Owner

To understand IAM concepts such as Google Cloud accounts, service accounts, etc., see the IAM Overview.

Setting up networks on Google Cloud

Velostrata uses Google Cloud Virtual Private Cloud (VPC) networks and VPN connectivity to your on-premises data center or other clouds from which you are planning to migrate.

Inside the VPC network, Velostrata uses subnets for Cloud Edge components. The default VPC firewall rules allow all egress, so Cloud Edge nodes can send data to the Velostrata Telemetry Service and to Cloud Storage. Nodes without external IP addresses additionally need Cloud NAT (or a proxy) to reach those endpoints, and if you restrict egress with custom firewall rules, allow those destinations explicitly.

For detailed information on firewall, routing, and network tagging considerations for your Migrate to Virtual Machines deployment, see Migrate to VMs network access requirements.

Creating Google Cloud roles and service accounts by using Cloud Shell

Permissions overview

Velostrata requires a number of roles and service accounts on Google Cloud. A role is a set of permissions, and the service accounts are granted these roles. Brief explanations of the roles are provided below. They are also available as Jinja templates in Cloud Shell under the /google/velostrata/previous-versions/4.0 directory.

The Velostrata Management service account (velos-gcp-mgmt-sa) creates all the resources that a Cloud Extension needs (VMs, Cloud Storage buckets, etc.).

The Velostrata Cloud Extension service account (velos-gcp-ce-sa) has permissions to manage Cloud Storage for migrations.

The Velostrata Project Worker service account (velos-gcp-worker-sa) has the same Cloud Storage permissions as the Cloud Extension account, but is only used for the Prepare to Detach operation.

The number and placement of service accounts depend on how many Google Cloud projects your organization plans to use for a migration. With multiple projects, each custom role is created once within the organization, whereas the service accounts are created in the individual projects.

This document describes the easiest and fastest way to create the appropriate service accounts, using the Migrate to VMs service account and roles utility available in Cloud Shell.

Though we don't recommend it, you can also configure Google Cloud manually.

Prerequisites

The script enables the following Google Cloud APIs:

  • Resource Manager API
  • Identity and Access Management (IAM) API
  • Compute Engine API
  • Cloud Storage API
  • Cloud Deployment Manager API

The user running Cloud Shell needs the following IAM roles:

  • Owner
  • Compute Admin
  • Organization Administrator

From Google Cloud, you need the following information:

  • Numeric Organization ID
  • Project IDs

The script requires elevated permissions, so commands must be run with sudo.

Adding API permissions

Sign in as a user with administrative privileges in Google Cloud.

If you have not created a primary project to host your migrations, Create a project in Google Cloud.

Console

  • Open the APIs & Services Library
  • Turn on all of the following:
    • Identity and Access Management (IAM) API
    • Cloud Resource Manager API
    • Google Cloud Deployment Manager V2 API
    • Compute Engine API
  • Next, Open the IAM page
  • Find the line that contains "@cloudservices.gserviceaccount.com" (the Google APIs service agent, named after the project number, which Deployment Manager acts as when it creates resources) and click the edit icon to the right of the name.
  • Click Add Another Role.
  • Select Roles from the left column and Role Administrator from the right column, then click Save. This grant is what allows the deployment to create the Velostrata custom roles.
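The same procedure from the command line, as an added example that is not part of the Velostrata documentation or tooling. Function names (run, prepare_project, verify_role_admin), the project ID my-migration-project and the project number 123456789012 are placeholders chosen for this example; with DRY_RUN=1 (the default) the gcloud commands are printed for review rather than executed, in the same spirit as the script's --audit flag.

```shell
#!/bin/sh
# Added example (not from the Velostrata docs or tooling): gcloud equivalent
# of the console steps for enabling the APIs and granting Role Administrator
# to the Google APIs service agent. DRY_RUN=1 (default) prints the commands;
# set DRY_RUN=0 in Cloud Shell to apply them.
set -u

DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# The Google APIs service agent Deployment Manager acts as. It is named
# after the project *number*, not the project ID.
cloudservices_sa() {
  printf '%s@cloudservices.gserviceaccount.com\n' "$1"
}

# Look up a project number (only meaningful when gcloud is available).
project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# APIs the console procedure turns on.
VELOS_APIS="iam.googleapis.com cloudresourcemanager.googleapis.com deploymentmanager.googleapis.com compute.googleapis.com"

# Usage: prepare_project PROJECT_ID PROJECT_NUMBER
# Enables the APIs and grants Role Administrator to the service agent.
prepare_project() {
  project_id="$1"
  sa=$(cloudservices_sa "$2")
  run gcloud services enable $VELOS_APIS --project="$project_id"
  run gcloud projects add-iam-policy-binding "$project_id" \
    --member="serviceAccount:$sa" --role=roles/iam.roleAdmin
}

# Usage: verify_role_admin PROJECT_ID PROJECT_NUMBER
# Prints the member if the service agent holds roles/iam.roleAdmin on the
# project, nothing otherwise. Run it after the grant to confirm it took.
verify_role_admin() {
  project_id="$1"
  sa=$(cloudservices_sa "$2")
  run gcloud projects get-iam-policy "$project_id" \
    --flatten='bindings[].members' \
    --filter="bindings.role:roles/iam.roleAdmin AND bindings.members:serviceAccount:$sa" \
    --format='value(bindings.members)'
}

# Stand-alone demonstration with constructed placeholder values
# (dry run, so nothing is changed).
prepare_project my-migration-project 123456789012
verify_role_admin my-migration-project 123456789012
```

In Cloud Shell you would obtain the real project number with project_number and then run with DRY_RUN=0; the verify step is worth keeping because a missing Role Administrator grant surfaces later as an opaque Deployment Manager failure when the custom roles are created.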

Running the configuration script

To run the configuration script:

  1. Launch Cloud Shell.
  2. Change to the directory containing the Velostrata script:
    cd /google/velostrata/previous-versions/4.0
  3. Run the script with the following command:
    sudo ./velos_sa_roles.py COMMAND

Where COMMAND is either:

  • list-projects, which lists all the projects the user has the permissions to access.
  • deploy, which creates and assigns the service accounts for your migration.

list-projects

Here's an example with the script using list-projects.

sudo ./velos_sa_roles.py list-projects [--org-id organization_id] [--projects-file filename]

FLAGS

--org-id takes a numeric Google Cloud organization ID. Returns only projects from that organization.

--projects-file Saves output to a file.

deploy

Here's an example with the script using deploy.

sudo ./velos_sa_roles.py deploy --host-proj-id single_proj_id --ce-proj-id single_proj_id --projects-file projects.txt [--audit]

REQUIRED FLAGS

--host-proj-id, the ID of the Google Cloud project that contains the Velostrata Manager,

--ce-proj-id, the project that will contain your Cloud Extensions.

FLAGS

--org-id takes a numeric Google Cloud organization ID. Returns only projects from that organization.

--audit generates a shell script (named deployment_[RANDOM].sh, where RANDOM is a random string generated by the script) so that you can review the commands before they are executed.

--projects-file a text file that contains Google Cloud project IDs, one per line.

EXAMPLES

To configure Velostrata to use a single project for all migrated VMs:

sudo ./velos_sa_roles.py deploy --host-proj-id single_proj_id --ce-proj-id single_proj_id --projects-file projects.txt

To configure Velostrata to use multiple projects, using all available projects in the Google Cloud organization as target projects for workloads:

sudo ./velos_sa_roles.py deploy --host-proj-id host_proj_id --ce-proj-id ce_proj_id --org-id org_id
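A small pre-flight wrapper for the deploy command, added here as an example that is not part of the Velostrata tooling. It checks the --projects-file against the Google Cloud project ID rules (6 to 30 characters, lowercase letters, digits and hyphens, starting with a letter and not ending with a hyphen), rejects duplicates, and then runs deploy with --audit so the generated deployment_[RANDOM].sh can be read before IAM is changed. The function names and the sample project IDs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Velostrata tooling: validate a --projects-file
# before handing it to velos_sa_roles.py, then deploy with --audit first so
# the generated deployment_[RANDOM].sh can be reviewed before IAM is changed.
set -u

# Google Cloud project ID rules: 6 to 30 characters, lowercase letters, digits
# and hyphens, starting with a letter and not ending with a hyphen.
valid_project_id() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Usage: validate_projects_file FILE
# Reports malformed and duplicated IDs on stderr; returns 1 if any were found.
validate_projects_file() {
  status=0
  seen=""
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue                      # tolerate blank lines
    if ! valid_project_id "$line"; then
      printf 'invalid project ID: %s\n' "$line" >&2
      status=1
    fi
    case " $seen " in
      *" $line "*)
        printf 'duplicate project ID: %s\n' "$line" >&2
        status=1 ;;
    esac
    seen="$seen $line"
  done < "$1"
  return $status
}

# Usage: audited_deploy HOST_PROJ_ID CE_PROJ_ID PROJECTS_FILE
# Cloud Shell only, from /google/velostrata/previous-versions/4.0: refuses a
# bad projects file, then produces the audit script for review.
audited_deploy() {
  validate_projects_file "$3" || return 1
  sudo ./velos_sa_roles.py deploy --host-proj-id "$1" --ce-proj-id "$2" \
    --projects-file "$3" --audit
  ls -l deployment_*.sh
}

# Constructed sample with one malformed and one duplicated entry.
sample=$(mktemp)
printf '%s\n' migrate-target-a migrate-target-b Bad_Project migrate-target-a > "$sample"
if validate_projects_file "$sample"; then
  echo "projects file OK"
else
  echo "fix the projects file before running deploy"
fi
rm -f "$sample"
```

Reviewing the audit script is the point: it lists every service account creation and role binding the deploy will perform, so an unexpected project in the list shows up as an extra binding before it is granted rather than after.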

Saving the scripts

The role creation script generates a series of deployment and rollback files in the script directory, which is not preserved across Cloud Shell sessions, so copy any you want to keep. From Cloud Shell, you can save copies to your local machine or copy them to a Cloud Storage bucket.

Make a local copy

To copy the deployment and rollback scripts to your local machine from the Cloud Shell environment:

  1. Find the fully qualified file names that you want to copy, for example /google/velostrata/deployment_rollback_SAMPLE.sh.
  2. Click the More menu button (⋮) above the Cloud Shell terminal.
  3. Click Download file.
  4. Enter the Fully qualified file path of the file you want to download.
  5. Repeat for any other files you would like a copy of.

Copy to Cloud

Files can be copied from Cloud Shell to a Cloud Storage bucket using the gsutil cp command.

gsutil cp deployment_rollback_*.sh gs://my-bucket

Rolling back the script

If you need to roll back your service account setup, run the following command:

sudo ./deployment_rollback_[RANDOM].sh

Creating the Google Cloud Credential File

To connect the Velostrata Manager to Google Cloud, you need to export the private key of the Velostrata Management service account as a JSON key file from the Google Cloud console. This key is a long-lived credential: anyone who holds the file can act as the service account until the key is deleted, so store it only where the Velostrata Manager needs it and remove the key from the service account when it is no longer required.

Console

  1. Open IAM & Admin > Service Accounts.
  2. If necessary, select your project from the Select a project menu.
  3. Find the Migrate to VMs service account you created that ends in "mgmt-sa".
  4. Click the action menu to the right of that line and select the Create Key option.
  5. Select JSON as your Key Type and click Create.
  6. Download the file.
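Before uploading the downloaded file to the Velostrata Manager, it is worth confirming that it is the key you intended to create. The following is an added example, not part of the Velostrata documentation or tooling; the function names (json_field, check_key_file), the project ID and the sample key file are constructed for this example, and the sample's private key is a placeholder, not real key material. It relies on the one-field-per-line layout the console writes.

```shell
#!/bin/sh
# Added example, not from the Velostrata docs: sanity-check a downloaded
# service account key before handing it to Velostrata Manager, and lock
# down its file permissions.
set -u

# Pull one string field out of a pretty-printed key file (one field per
# line, as the console writes it). Usage: json_field FILE NAME
json_field() {
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Usage: check_key_file FILE EXPECTED_PROJECT_ID
# Returns 0 when FILE is a service account key for the *mgmt-sa account in
# the expected project, 1 otherwise (reason on stderr). On success the
# file is restricted to the owner and the key ID is printed so it can be
# deleted from the service account later.
check_key_file() {
  file="$1"
  expected_project="$2"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  kind=$(json_field "$file" type)
  email=$(json_field "$file" client_email)
  project=$(json_field "$file" project_id)
  key_id=$(json_field "$file" private_key_id)
  [ "$kind" = "service_account" ] || { echo "not a service account key (type=$kind)" >&2; return 1; }
  [ "$project" = "$expected_project" ] || { echo "key belongs to project $project, expected $expected_project" >&2; return 1; }
  case "$email" in
    *mgmt-sa@"$expected_project".iam.gserviceaccount.com) ;;
    *) echo "unexpected service account: $email" >&2; return 1 ;;
  esac
  grep -q '"private_key"' "$file" || { echo "no private key in file" >&2; return 1; }
  chmod 600 "$file"
  printf 'OK: %s key %s\n' "$email" "$key_id"
}

# Constructed sample key file for a stand-alone run; the private key is a
# placeholder, not real key material.
sample=$(mktemp)
cat > "$sample" <<'EOF'
{
  "type": "service_account",
  "project_id": "my-migration-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "velos-gcp-mgmt-sa@my-migration-project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
check_key_file "$sample" my-migration-project
check_key_file "$sample" some-other-project || echo "rejected, as expected"
rm -f "$sample"
```

The printed key ID is the handle you need later: gcloud iam service-accounts keys list --iam-account=EMAIL shows the keys that exist for the account, and gcloud iam service-accounts keys delete KEY_ID --iam-account=EMAIL revokes one, which is how a leaked or retired Velostrata Manager credential is invalidated.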