This topic describes the network access you'll need to configure to have a functioning migration environment.
As you're setting up to migrate, the migration environment you create is made up of multiple components in multiple networks. For migration to work, these networks must allow specific traffic access between migration components.
Steps to set up network access
At a high level, you'll do the following to set up network access in a migration environment:
Set up a Virtual Private Cloud (VPC) on Google Cloud.
The VPC defines a virtual network for your components on Google Cloud. It also provides a place for you to create firewall rules that allow access between VM instances, as well as between the network and external components.
Define the network tags you will be assigning to each component on the VPC network.
Network tags are text attributes that you can add to Google Cloud VM instances. The following table lists components to create tags for, as well as examples of network tag text.
For restrictions and required permissions when assigning network tags, see Configuring network tags.
Component Suggested network tag Migrate for Compute Engine Manager fw-migration-managerMigrate for Compute Engine Cloud Extension fw-migration-cloud-extensionWorkload fw-workloadUse the network tags you define to create firewall rules on Google Cloud VPC to allow traffic between components in your migration environment.
That includes between components on Google Cloud, as well as between those and components on the source platform from which you'll be migrating VMs.
This topic lists the firewall rules you should create.
Apply the tags as metadata when you deploy the VM instances that run components in your migration environment.
Once you have created firewall rules using the tags and applied the tags to corresponding component VM instances, you will have specified which firewall rules apply to which VM instances.
Apply the tags you defined to the following:
- Migrate for Compute Engine Manager -- Specify network tags (such as
fw-migration-manager) when you deploy the Migrate for Compute Engine Manager. - Migrate for Compute Engine Cloud Extensions -- Specify network tags (such
as
fw-migration-cloud-extension) when you create Migrate for Compute Engine Cloud Extensions. - VM workloads -- Specify network tags (such as
fw-workload) in theGcpNetworkTagsfield of the runbook CSV file that lists the VMs you're migrating with a wave.
Note that if you need to set or change a network tag after you deploy the components listed above, you can do so with the instructions.
- Migrate for Compute Engine Manager -- Specify network tags (such as
On the source platform from which you're migrating VMs, create rules that allow traffic between that platform and Google Cloud.
As needed, define additional static routes to carry traffic between networks.
Firewall rules
Firewall rules allow access for traffic between components of your migration environment. The tables in this topic list firewall rules you'll need:
- At the destination VPC on Google Cloud
- At the source platform from which you're migrating VMs.
Before you configure firewall rules, see the other network access steps described above.
For additional information, see the following firewall documentation:
- For firewalls inside the on-premises corporate LAN, see your vendor documentation.
- For firewalls on Google Cloud, see VPC firewall documentation.
- AWS VPC firewall documentation
- Azure VPC firewall documentation
Rules configured at the destination
In your Google Cloud VPC network, create firewall rules that will allow traffic between components in your migration environment.
In Google Cloud VPC, you define firewall rules in which one component is the target, and the other is the source (for an ingress rule) or the destination (for an egress rule).
Create a firewall rule for each of the rows in the following table. You can create each rule as either an ingress or egress rule. For example, imagine the rule allows traffic from Cloud Extension components (specified by their network tags) to the Migrate for Compute Engine Manager (specified by its network tags), you can create the rule as either of the following:
- An egress rule where the Cloud Extension network tags are the target and the Migrate for Compute Engine Manager network tags are the destination.
- An ingress rule where the Migrate for Compute Engine Manager network tags are the target and the Cloud Extension network tags are the source.
In the following table, component locations are indicated as follows:
| Component in Google Cloud | Component external to Google Cloud |
| Source | Destination | Firewall scope | Optional? | Protocol | Port |
|---|---|---|---|---|---|
| Migrate for Compute Engine Manager network tags | Google Cloud API Endpoint | Internet or Private Google Access | No | HTTPS | TCP/443 |
| Migrate for Compute Engine Manager network tags | AWS API Endpoint
(Migrations from AWS) |
Internet | No | HTTPS | TCP/443 |
| Migrate for Compute Engine Manager network tags | Azure API Endpoint
(Migrations from Azure) |
Internet | No | HTTPS | TCP/443 |
| Corporate LAN Subnets (for web UI access) | Migrate for Compute Engine Manager network tags | VPN On-Premises | No | HTTPS | TCP/443 |
| Migrate for Compute Engine Manager network tags | Workload network tags
For instance console availability probe |
VPC | Yes | RDP
SSH |
TCP/3389
TCP/22 |
| Migrate for Compute Engine Cloud Extension network tags | Migrate for Compute Engine Manager network tags | VPC | No | HTTPS | TCP/443 |
| Migrate for Compute Engine Importers (AWS Subnet) | Migrate for Compute Engine Manager network tags | AWS to VPN | No | HTTPS | TCP/443 |
| Migrate for Compute Engine Importers (Azure Subnet) | Migrate for Compute Engine Manager network tags | Azure to VPN | No | HTTPS | TCP/443 |
| Migrate for Compute Engine Cloud Extension network tags | Google Cloud Storage API | Internet or Google Private Access | No | HTTPS | TCP/443 |
| Workload network tags | Migrate for Compute Engine Cloud Extension network tags | VPC | No | iSCSI | TCP/3260 |
| Migrate for Compute Engine Backend | Migrate for Compute Engine Cloud Extension network tags | VPN On-Prem | No | TLS | TCP/9111 |
| Migrate for Compute Engine Importers (AWS Subnet) | Migrate for Compute Engine Cloud Extension network tags | VPN to AWS | No | TLS | TCP/9111 |
| Migrate for Compute Engine Importers (Azure Subnet) | Migrate for Compute Engine Cloud Extension network tags | VPN to Azure | No | TLS | TCP/9111 |
| Migrate for Compute Engine Cloud Extension network tags | Migrate for Compute Engine Cloud Extension network tags | VPC | No | ANY | ANY |
Rules configured on source platforms
On the platform from which your VMs will be migrated, configure firewall rules to allow traffic described in the following tables.
VMware
If you're migrating VMs from VMware, configure firewall rules on VMware to allow access between the source and destination components listed in the following table.
| Source | Destination | Firewall scope | Optional? | Protocol | Port |
|---|---|---|---|---|---|
| Migrate for Compute Engine Backend | vCenter Server | Corp LAN | No | HTTPS | TCP/443 |
| Migrate for Compute Engine Backend | vSphere ESXi | Corp LAN | No | VMW NBD | TCP/902 |
| Migrate for Compute Engine Backend | Stackdriver using the Internet | Internet | Yes | HTTPS | TCP/443 |
| Migrate for Compute Engine Backend | Corp DNS Server | Corp LAN | No | DNS | TCP/UDP/53 |
| Migrate for Compute Engine Backend | Migrate for Compute Engine Manager | VPN to Google Cloud | No | HTTPS | TCP/443 |
| Migrate for Compute Engine Backend | Migrate for Compute Engine Cloud Extension nodes (Google Cloud Subnet) | VPN to Google Cloud | No | TLS | TCP/9111 |
| vCenter Server | Migrate for Compute Engine Backend | Corp LAN | No | HTTPS | TCP/443 |
AWS
If you're migrating VMs from AWS, configure firewall rules on AWS VPC to allow access between the source and destination components listed in the following table.
| Source | Destination | Firewall scope | Optional? | Protocol | Port |
|---|---|---|---|---|---|
| Migrate for Compute Engine Importers Security Group | Migrate for Compute Engine Manager | Google Cloud to VPN | No | HTTPS | TCP/443 |
| Migrate for Compute Engine Importers Security Group | Migrate for Compute Engine Cloud Extension Nodes (Google Cloud Subnet) | VPN to Google Cloud | No | TLS | TCP/9111 |
Azure
If you're migrating VMs from Azure, configure firewall rules on Azure VNet to allow access between the source and destination components listed in the following table.
| Source | Destination | Firewall scope | Optional? | Protocol | Port |
|---|---|---|---|---|---|
| Migrate for Compute Engine Importers Security Group | Migrate for Compute Engine Manager | Google Cloud to VPN | No | HTTPS | TCP/443 |
| Migrate for Compute Engine Importers Security Group | Migrate for Compute Engine Cloud Extension Nodes (Google Cloud Subnet) | VPN to Google Cloud | No | TLS | TCP/9111 |
Troubleshooting
The following rules are not required for migrations, but allow you to directly connect to servers and receive logs while troubleshooting problems.
| Source | Destination | Firewall scope | Optional? | Protocol | Port |
|---|---|---|---|---|---|
| Your local machine | Migrate for Compute Engine Manager | VPN to Google Cloud | Yes | SSH | TCP/22 |
| Migrate for Compute Engine Manager | Migrate for Compute Engine on-premises backend
Migrate for Compute Engine Cloud Extension Network Tags Migrate for Compute Engine Importers (AWS Subnet) |
VPN On-Prem
VPC VPN to AWS |
Yes | SSH | TCP/22 |
| Workload Network Tags | Migrate for Compute Engine Cloud Extension Network Tags | VPC | Yes | SYSLOG (for Google Cloud VM boot phase) | UDP/514 |
Example On-Premises to Google Cloud configuration
Prior sections explain rules that could apply for your migration. This section explains a sample networking configuration for your VPC, configured through the Google Cloud console. For more information, see Creating firewall rules.
In the following example, the 192.168.1.0/24 subnet represents the on-premises network and 10.1.0.0/16 represents the VPC on Google Cloud.
| Name | Type | Target | Source | Ports | Purpose |
|---|---|---|---|---|---|
| velos-ce-backend | Ingress | fw-migration-cloud-extension | 192.168.1.0/24 | tcp:9111 | Encrypted migration data sent from Migrate for Compute Engine Backend to Cloud Extensions. |
| velos-ce-control | Ingress | fw-migration-cloud-extension | fw-migration-manager | tcp:443, tcp:9111 |
Control plane between Cloud Extensions and Migrate for Compute Engine Manager. |
| velos-ce-cross | Ingress | fw-migration-cloud-extension | fw-migration-cloud-extension | all | Synchronization between Cloud Extension nodes. |
| velos-console-probe | Ingress | fw-workload | fw-migration-manager | tcp:22, tcp:3389 | Allows the Migrate for Compute Engine Manager to check if the SSH or RDP console on the migrated VM is available. |
| velos-webui | Ingress | fw-migration-manager | 192.168.1.0/24, 10.1.0.0/16 |
tcp:443 | HTTPS access to Migrate for Compute Engine Manager for web UI. |
| velos-workload | Ingress | fw-migration-cloud-extension | fw-workload | tcp:3260, udp:514 |
iSCSI for data migration and syslog |
Network routing and forwarding
Once firewall rules that allow necessary communication are in place, additional static routes to carry traffic between networks may be necessary.
For routing and forwarding inside the on-premises corporate LAN, see your router, firewall, and VPN vendor documentation.
For more on routing and forwarding in Google Cloud, see the following documentation:
For routing and forwarding from AWS to Google Cloud, see the following documents:
For routing and forwarding from Azure to Google Cloud, see the following documents: