Prerequisites for migrating Azure VMs

You must have the following prerequisites in place before migrating your Azure instances to Google Cloud:

  • An Azure account and virtual machine instances to migrate.
  • An Azure virtual subnet with VPN connectivity to Google Cloud. For detailed information, see Network access requirements on firewall, routing, and network tag considerations for your Migrate for Compute Engine deployment.
  • An Azure application ID to be used by Migrate for Compute Engine.

This document describes setting permissions for Migrate for Compute Engine to connect to Azure.

Supported source OSes and OS versions

Be sure to see Supported operating systems for a list of supported OSes and versions.

Azure resources created during migration

When migrating your VMs, Migrate for Compute Engine creates multiple resources in your source environment. Be aware that these might incur temporary additional costs in your source environment. The system will automatically clean up these resources when the migration operation is completed.

These resources include:

  • Storage account
  • Migrated VM disk snapshots
  • Importer disk, NIC
  • Importer instance

Setting up permissions on Azure for migration

You must grant permissions in your Azure system so that Migrate for Compute Engine can migrate your VMs.

Migrate for Compute Engine provides a PowerShell script to create an application ID. This script will:

  • Create an Application ID with the name you provide.
  • Create a Custom Role called "Velostrata Custom Role".

    For a list of specific permissions assigned to this role, see "Permissions assigned for use by Migrate for Compute Engine" below.

  • Attach the custom role to the application ID.


Create roles needed by Migrate for Compute Engine

Create the role and permissions using a script, then create a client secret.

  1. Download the Azure user creation script from the Downloads page.
  2. Using PowerShell, run the script.

    When you run the script, the system will prompt you for:

    • Your Azure credentials.
    • The Azure subscription ID in which the application ID will be created.
    • The application ID display name to create.
  3. Create a client secret for Azure Cloud Credentials using the following steps:

    1. Open Azure Active Directory > App registrations.
    2. Choose the application ID you created with the script.
    3. Open Certificates & Secrets.
    4. Create a new client secret.

Permissions assigned for use by Migrate for Compute Engine

The following list shows the permissions needed on Azure for migration using Migrate for Compute Engine.

  • Microsoft.Compute/availabilitySets/read
  • Microsoft.Compute/availabilitySets/write
  • Microsoft.Compute/availabilitySets/delete
  • Microsoft.Compute/availabilitySets/vmSizes/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/disks/write
  • Microsoft.Compute/disks/delete
  • Microsoft.Compute/locations/diskOperations/read
  • Microsoft.Compute/locations/operations/read
  • Microsoft.Compute/snapshots/read
  • Microsoft.Compute/snapshots/write
  • Microsoft.Compute/snapshots/delete
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachines/write
  • Microsoft.Compute/virtualMachines/delete
  • Microsoft.Compute/virtualMachines/start/action
  • Microsoft.Compute/virtualMachines/powerOff/action
  • Microsoft.Compute/virtualMachines/restart/action
  • Microsoft.Compute/virtualMachines/deallocate/action
  • Microsoft.Compute/virtualMachines/vmSizes/read
  • Microsoft.Compute/virtualMachines/instanceView/read
  • Microsoft.Compute/virtualMachines/extensions/read
  • Microsoft.Compute/virtualMachines/extensions/write
  • Microsoft.Compute/virtualMachines/extensions/delete
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkInterfaces/write
  • Microsoft.Network/networkInterfaces/join/action
  • Microsoft.Network/networkInterfaces/delete
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/publicIPAddresses/write
  • Microsoft.Network/publicIPAddresses/delete
  • Microsoft.Network/publicIPAddresses/join/action
  • Microsoft.Network/virtualNetworks/read
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/virtualNetworks/subnets/virtualMachines/read
  • Microsoft.Network/virtualNetworks/virtualMachines/read
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/join/action
  • Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read
  • Microsoft.Network/networkSecurityGroups/securityRules/read
  • Microsoft.Storage/register/action
  • Microsoft.Storage/checknameavailability/read
  • Microsoft.Storage/storageAccounts/write
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/regeneratekey/action
  • Microsoft.Storage/storageAccounts/delete
  • Microsoft.Storage/storageAccounts/listkeys/action
  • Microsoft.Storage/operations/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.Resources/subscriptions/resourcegroups/resources/read
  • Microsoft.Resources/subscriptions/tagNames/read
  • Microsoft.Resources/subscriptions/tagNames/write
  • Microsoft.Resources/subscriptions/tagNames/delete
  • Microsoft.Resources/subscriptions/tagNames/tagValues/read
  • Microsoft.Resources/subscriptions/tagNames/tagValues/write
  • Microsoft.Resources/subscriptions/tagNames/tagValues/delete
  • Microsoft.Resources/subscriptions/resources/read
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/operationresults/read
  • Microsoft.Resources/subscriptions/providers/read
  • Microsoft.Resources/subscriptions/locations/read
  • Microsoft.Compute/virtualMachines/convertToManagedDisks/action
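
After the script has created "Velostrata Custom Role", the role definition can be reviewed against the list above. The following PowerShell is an added example, not the script from the Downloads page: the function name `Test-MigrationRole`, the choice of which listed actions to mark for review, and the sample input are assumptions made for illustration.

```powershell
# Added example: flag grants in a custom role that deserve a second look.
# Resource provider namespaces that appear in the permission list on this page.
$ExpectedNamespaces = 'Microsoft.Compute', 'Microsoft.Network',
                      'Microsoft.Storage', 'Microsoft.Resources'
# Chosen from the page's list (an assumption of this example): actions that
# return or rotate storage account keys, or change what runs on a VM.
$HighImpact = 'Microsoft.Storage/storageAccounts/listkeys/action',
              'Microsoft.Storage/storageAccounts/regeneratekey/action',
              'Microsoft.Compute/virtualMachines/extensions/write'

function Test-MigrationRole {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $Actions,
        [Parameter(Mandatory)] [string[]] $AssignableScopes
    )
    foreach ($a in $Actions) {
        $ns = ($a -split '/')[0]
        if ($a.Contains('*')) {
            [pscustomobject]@{ Severity = 'High'; Item = $a
                               Reason = 'Wildcard action, broader than the documented list' }
        } elseif ($ns -notin $ExpectedNamespaces) {
            [pscustomobject]@{ Severity = 'High'; Item = $a
                               Reason = 'Namespace not in the documented list' }
        } elseif ($a -in $HighImpact) {
            [pscustomobject]@{ Severity = 'Review'; Item = $a
                               Reason = 'Documented, but exposes keys or VM extensions' }
        }
    }
    foreach ($s in $AssignableScopes) {
        # The script asks for one subscription ID; root or management group
        # scopes would let the role be assigned more widely than that.
        if ($s -eq '/' -or $s -like '/providers/Microsoft.Management/*') {
            [pscustomobject]@{ Severity = 'High'; Item = $s
                               Reason = 'Assignable beyond a single subscription' }
        }
    }
}

# Constructed sample input so the check runs offline. With the Az module and a
# signed-in session, pass the real role instead:
#   $r = Get-AzRoleDefinition -Name 'Velostrata Custom Role'
#   Test-MigrationRole -Actions $r.Actions -AssignableScopes $r.AssignableScopes
$sample = @{
    Actions          = 'Microsoft.Compute/disks/read',
                       'Microsoft.Storage/storageAccounts/listkeys/action',
                       'Microsoft.Authorization/roleAssignments/write',
                       'Microsoft.Network/*'
    AssignableScopes = '/subscriptions/00000000-0000-0000-0000-000000000000'
}
Test-MigrationRole @sample | Format-Table -AutoSize
```

`Get-AzRoleAssignment -RoleDefinitionName 'Velostrata Custom Role'` lists who holds the role, which shows whether the application ID is the only assignee.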