Velostrata AWS prerequisites

Before migrating your AWS EC2 instances to Google Cloud, make sure the following prerequisites are in place:

  • An AWS account and EC2 instances to migrate.
  • An AWS VPC Subnet with VPN connectivity to Google Cloud. For detailed information, see Network access requirements for firewall, routing, and network tag considerations for your Velostrata deployment.
  • Velostrata IAM Roles, IAM users, and Access Policies deployed on the AWS account.

This document describes setting permissions for Velostrata to connect to AWS.

AWS Account - IAM roles and access policies

The Amazon IAM service enables the creation and enforcement of access policies. Velostrata uses AWS IAM groups and instance roles to define and enable these permissions.

At minimum, we recommend the following setup:

  • An IAM group (named VelosMgrGroup) for use by a Velostrata service account. This group enforces an access policy with the minimum privileges required by Velostrata, and allows provisioning and monitoring of cloud-side components and worker VMs. The Velostrata service account is used by the Velostrata Manager on Google Cloud.
  • An IAM user account in the VelosMgrGroup IAM Group.

Recommended permissions are listed in the AWS CloudFormation template.

Creating the Velostrata IAM group for AWS migration

  1. Download the AWS CloudFormation template.
  2. Sign in to the AWS Console and select CloudFormation.
  3. Click Create Stack.
  4. Click Choose File, upload the CloudFormation file, and then click Next.
  5. Enter a Name for the CloudFormation stack.
  6. Choose the VPC that contains the instances you want to migrate.
  7. From the Options page, click Next, then click Create. A group named {stack name prefix}-VelosMgrGroup is created.

Creating the AWS IAM user account for Velostrata

  1. In the AWS console, click your account name in the top right corner of the page and then select Security Credentials.
    Screenshot of AWS Security Credentials menu command
  2. From the left pane, select Users and then click Create New Users.
  3. For Access type, select Programmatic access.
  4. Download the user credentials (Keys). These keys will be used when creating the Velostrata Cloud Extension.
    Screenshot of Add User dialog box
  5. Add the IAM user to the group created by the CloudFormation script.
    Screenshot of Add User dialog box
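
The console steps above can also be scripted with the AWS CLI. The following is an added example, not part of the original page or of Velostrata's tooling; the user name, group name, and key file path are constructed placeholders, and run, valid_iam_name, and create_velos_user are hypothetical helper names.

```shell
# Added example: AWS CLI equivalent of the console steps above.
# DRY_RUN=1 (the default) prints each command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Reject names outside the IAM-allowed character set before passing them on.
valid_iam_name() {
    case "$1" in
        ''|*[!A-Za-z0-9+=,.@_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# create_velos_user USER GROUP KEYFILE
create_velos_user() {
    user="$1"; group="$2"; keyfile="$3"
    valid_iam_name "$user"  || { echo "invalid user name" >&2; return 2; }
    valid_iam_name "$group" || { echo "invalid group name" >&2; return 2; }

    # Steps 2-3: create the user. No console login profile is created,
    # so the account has programmatic access only.
    run aws iam create-user --user-name "$user" || return 1

    # Step 4: the secret key is returned only once. Write it to a file
    # that only the owner can read (umask 077 gives mode 0600).
    if [ "$DRY_RUN" = "1" ]; then
        echo "aws iam create-access-key --user-name $user > $keyfile (mode 0600)"
    else
        ( umask 077
          aws iam create-access-key --user-name "$user" --output json > "$keyfile" ) || return 1
    fi

    # Step 5: membership in the stack's group is the user's only source
    # of permissions; no policy is attached directly to the user.
    run aws iam add-user-to-group --group-name "$group" --user-name "$user" || return 1
}

# Constructed sample values; substitute the group name your stack created:
# create_velos_user velos-svc mystack-VelosMgrGroup ./velos-svc-keys.json
```

Run it once with the default DRY_RUN=1 to review the commands, then with DRY_RUN=0 to apply them. Store the key file in a secrets manager and delete the local copy once the Velostrata Cloud Extension has been created.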