Configuring the migration manager

This topic describes how to use the Google Cloud console to perform most of the tasks to configure the Migrate for Compute Engine Manager on Google Cloud.

For more on APIs enabled and service accounts created during this configuration, see Configuring Google Cloud overview.

For an architectural view of the environment, see Migration environment architecture.

Before you begin

When setting up the migration manager using the wizard described in this topic, you'll be prompted to confirm or perform the following.

  • Configure required network connectivity.

    Before starting the wizard, set up a virtual private network (VPN) so that the migration manager can communicate with the source platform from which you'll be migrating VMs. For more about the options available, see Cloud VPN overview.

  • Configure firewall rules.

    After you set up the VPN, create firewall rules that allow communication among the components in your migration environment. For more on the rules you'll need, see Network access requirements.

  • Create service accounts.

    Migrate for Compute Engine components such as the Migrate for Compute Engine Manager and Cloud Extensions require service accounts to perform migration tasks. You can create these service accounts in the following ways:

  • Create migration manager passwords

    Migrate for Compute Engine Manager uses two passwords: one for authenticating the apiuser in the Migrate for Compute Engine Manager, and one for encrypting the private key for Migrate for Compute Engine Manager. You can create these passwords in the following ways:

    • Enter them directly into the Google Cloud console when configuring the migration manager. This will store the password in the Manager VM metadata.

    • Use the Secret Manager to create an encrypted Secret for each password.

Setting up a GCP account, organization, and project

You'll need a Google Cloud organization as a migration destination and as a place to create an infrastructure project.

To create a Google Cloud organization and infrastructure project, use the following steps.

  1. Go to the Google Cloud console and sign in.
  2. If you don't already have an account, sign up to create one.

  3. If you don't have an organization, set one up using the instructions in Creating and managing organizations.

    For more information, see Decide a resource hierarchy for your Google Cloud landing zone.

  4. If you don't have one yet, create a user account for the administrator who will configure Google Cloud as a migration destination.
  5. For the administrator, assign the following permissions to give the account access to make required changes to your Google Cloud organization:
  6. Create a Google Cloud project to host Migrate for Compute Engine infrastructure on Google Cloud. In the rest of this document, we'll call this the infrastructure project.

Setting up APIs, networking, and Migrate for Compute Engine Manager

Through the following steps, you'll install the Migrate for Compute Engine Manager as a VM deployed to Compute Engine. Before you begin, be sure you've read the prerequisites listed at the beginning of this topic. They describe configuration that the Migrate for Compute Engine Manager requires and that you should have in place before you begin.

Creating and configuring needed resources with Cloud Marketplace

  1. Go to the Migrate for Compute Engine page in the Cloud Marketplace.

    This page lists components and benefits of Migrate for Compute Engine. For more about the key components listed here, see Migration environment architecture.

  2. Click Go to Migrate for Compute Engine.

    • If you haven't yet enabled the APIs required for migration, you'll be prompted to enable them. Click Required APIs to view the list of APIs enabled from this page.

      1. To enable the APIs, click Enable APIs.
      2. Click Deploy Migration Manager to create a migration manager (a VM instance running on Compute Engine).
    • If you have already enabled the required APIs, you'll be prompted to go ahead and create a migration manager instance.

      • Click Create Manager.
  3. Under step 1, Configuring network connectivity, perform the following to set up resources needed in your migration environment:

    • Configure required network connectivity

      If you haven't already, set up a virtual private network (VPN) so that the migration manager can communicate with the source platform from which you'll be migrating VMs.

      • Click Go to hybrid connectivity to set up a VPN connection. For more about the options available, see Cloud VPN overview.
    • Configure firewall rules

      If you haven't already -- and after you set up the VPN -- create firewall rules that allow communication among the components in your migration environment. For more on the rules you'll need, see Network access requirements.

      • Click Go to firewall rules to set up firewall rules.
  4. Select the checkbox confirming that you've completed the network connectivity prerequisites, then click Continue.

  5. Under step 2, Configure migration manager page, enter information to set up the migration manager.

    For more about the migration manager, see Migration environment architecture.

    Enter or select values in the fields as described in the following table:

    Migration manager VM instance

    Migration manager VM instance name
      Acceptable values: An alphanumeric string.
      Description: The name you would like Migrate for Compute Engine Manager to have when it is deployed. Choose something meaningful for the migration you'll be doing, such as account-processing-migration-manager.

    Region
      Acceptable values: A region name available from the dropdown.
      Description: Select a region that is accessible from your VPN. Accessible regions will be listed among the subnet's configuration values in the VPC network's configuration. For more about regions, see Regions and zones in the Compute Engine documentation.

    Zone
      Acceptable values: A zone name available from the dropdown.
      Description: Select a zone that is accessible from your VPN. Accessible zones will be listed among the subnet's configuration values in the VPC network's configuration. For more about zones, see Regions and zones in the Compute Engine documentation.

    Machine type
      Acceptable values: Value is preset.
      Description: Currently, only one machine type is available as the type to use for the Migrate for Compute Engine Manager. For more about machine types, see Machine types in the Compute Engine documentation.

    Networking

    Network
      Acceptable values: A network name available from the dropdown.
      Description: Determines network traffic the instance can access. For more about networks and subnetworks, see Regions and zones in the Compute Engine documentation.

    Subnet
      Acceptable values: A subnetwork name available from the dropdown. The list is populated based on the Network you choose.
      Description: Assigns the instance an IPv4 address from the subnetwork's range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. For more about networks and subnetworks, see Regions and zones in the Compute Engine documentation.

    Network tags (optional)
      Acceptable values: Lowercase letters, numbers, and dashes.
      Description: Network tags will be assigned to the Migrate for Compute Engine Manager. For more information, including a suggested tag name, see Setting up networks. For more on network tags, see Configuring network tags.

    Enable only internal access to APIs and services
      Acceptable values: Selected or cleared.
      Description: Select the check box to specify that the Migrate for Compute Engine Manager should access APIs and services using its internal IP address. No public IP address will be created for the Migrate for Compute Engine Manager.

      If you select this option, you must provide private access for the Migrate for Compute Engine Manager. For example, you can use Private Google Access.

      After you have installed and configured the Migrate for Compute Engine Manager and network access, you can discover whether it is reachable by opening the Migrate for Compute Engine Manager, going to System Settings, and viewing the Logs tab.

    Service accounts

    Here, you can select a service account you've already created or have Migrate for Compute Engine create the service account for you. To have a service account created for you, select Create Service Account from the dropdowns.

    Migration Manager Service Account
      Acceptable values: A service account name, as described in Service accounts.
      Description: Used when performing Google Cloud API calls from the Migrate for Compute Engine Manager. If you created a service account using instructions in Enabling APIs and creating service accounts, you can use that account name here.

    Migrate for Compute Engine Cloud Extension Service Account
      Acceptable values: A service account name, as described in Service accounts.
      Description: Used when performing Google Cloud API calls from the Cloud Extension created during setup. If you created a service account using instructions in Enabling APIs and creating service accounts, you can use that account name here.

    Migration manager passwords

    Migration Manager and API password
      Acceptable values: A string longer than 8 alphanumeric characters.
      Description: Password you will use for authenticating in the Migrate for Compute Engine Manager or its API with the apiuser username.

    Private key encryption password
      Acceptable values: A string longer than 8 alphanumeric characters. Can contain any of the following symbols: ~!@#%^&*()_+{}[]|./<>:
      Description: Used to encrypt the private key of Migrate for Compute Engine Manager.

    Either:

    • Enter the passwords as plain text directly into the apiPassword and secretEncKey fields. This will store the password in the Manager VM metadata.

    Or:

    • Use the Secret Manager to create an encrypted Secret for each password.

      1. Enable the Secret Manager in any project:

        gcloud services enable secretmanager.googleapis.com
      2. Go to the Secret Manager page in the Cloud Marketplace.

      3. Create the secret for the Migration Manager and API password:

        1. Click Create Secret.
        2. Enter the secret name. For example, my-secret-password.
        3. Enter the Secret value that corresponds to the Migration Manager and API password.
        4. Leave the Regions section unchanged.
        5. Select Create secret. The Details page for the secret appears.
        6. Click Show Info Panel to open the panel.
        7. In the info panel, click Add Principal.
        8. In the New principals text area, enter the email address of the service account you specified in the previous step.
        9. In the Select a role dropdown, choose Secret Manager and then Secret Manager Secret Accessor.
      4. Repeat step 3 to create a secret for the private key encryption password.

      5. Switch back to the Configure migration manager page.

      6. In the apiPassword field, enter:

        secret:PROJECT-NAME/SECRET-NAME
      7. In the secretEncKey field, enter:

        secret:PROJECT-NAME/SECRET-NAME
  6. Click Continue.

  7. Confirm your configuration.
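
The Secret Manager option from the password step above, scripted with gcloud as an added example (not part of the original page or Google's tooling): it creates a secret from standard input, grants the service account the Secret Manager Secret Accessor role on that one secret, and returns the secret:PROJECT-NAME/SECRET-NAME value for the field. The project, secret and account names and the FIELD=VALUE sample are constructed, and the GCLOUD dry-run switch is an assumption of this example.

```shell
#!/bin/sh
# Added example, not Google's code. Project, secret and account names are constructed.
# GCLOUD defaults to a dry run that prints each command; set GCLOUD=gcloud to execute.
GCLOUD=${GCLOUD:-echo gcloud}

# Value to enter in the apiPassword or secretEncKey field.
secret_ref() {  # $1 = project, $2 = secret name
    printf 'secret:%s/%s\n' "$1" "$2"
}

# True when a field value is a secret reference rather than an inline password.
is_secret_ref() {
    printf '%s\n' "$1" | grep -Eq '^secret:[^/[:space:]]+/[^/[:space:]]+$'
}

# Create the secret from stdin (the password never appears in argv or shell
# history) and grant the accessor role on this one secret, not project-wide.
store_password() {  # $1 = project, $2 = secret name, $3 = service account email
    $GCLOUD secrets create "$2" --project="$1" \
        --replication-policy=automatic --data-file=- >&2 || return 1
    $GCLOUD secrets add-iam-policy-binding "$2" --project="$1" \
        --member="serviceAccount:$3" \
        --role=roles/secretmanager.secretAccessor >&2 || return 1
    secret_ref "$1" "$2"
}

# Read FIELD=VALUE lines and print the fields that hold a plain-text password,
# which is the case the page says ends up in the Manager VM metadata.
plaintext_fields() {
    while IFS='=' read -r name value; do
        [ -n "$name" ] || continue
        is_secret_ref "$value" || printf '%s\n' "$name"
    done
}

# Constructed sample: one field references a secret, the other is inline.
sample_fields() {
    printf '%s\n' 'apiPassword=secret:my-infra-project/my-secret-password' \
        'secretEncKey=Examp1e~Passw0rd'
}

sample_fields | plaintext_fields   # prints: secretEncKey
```

With GCLOUD=gcloud, pipe the password into store_password on standard input and paste the printed reference into the matching field.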

Configure logging from Migrate for Compute Engine Manager

You can configure the Migrate for Compute Engine Manager to begin logging. You can also get the token you'll need when you deploy the Migrate for Compute Engine Backend on vSphere.

  1. Sign in to the Migrate for Compute Engine Manager using the User Name apiuser and the Password that you specified when configuring Migrate for Compute Engine Manager. This server uses a self-signed SSL certificate and may present a certificate warning.

  2. After you sign in, you can Enable Automatic Google Cloud Observability Log Collection. Enabling log collection provides the following for Migrate for Compute Engine:
  3. When the Migrate for Compute Engine Manager home page appears, click System Settings.
  4. For VMware to Google Cloud migrations only, click Create Token and copy the token to the clipboard.

    You will use this token to configure the Migrate for Compute Engine Backend on vSphere, as described in Deploying the Migrate for Compute Engine Backend.

    Tokens are valid for 90 minutes. Only one token is valid at a time.
