You're viewing documentation for a prior version of Migrate for Compute Engine (formerly Velostrata). You can continue using this version, or use the current version.

Configuring GCP for Velostrata

Before migrating your applications using Velostrata, you'll need to configure your GCP organization. This configuration enables Velostrata to manage the migration and communicate with the other components involved.

GCP configuration includes:

  1. Setting up a GCP account, organization, and project, including organization-level permissions and a project that Velostrata will use for its own infrastructure.
  2. Setting up networks on GCP so that components that are part of your migration (such as Velostrata, GCP, and the source environment from which you're migrating) can communicate with one another through firewalls over GCP Virtual Private Cloud.
  3. Creating GCP roles and service accounts via Cloud Shell to set permissions so that Velostrata can create resources and manage APIs used during the migration.

Before you begin

  • You'll need to have identified the GCP organization administrator account which will execute Velostrata scripts that configure GCP.
  • You'll need to have set up a Google Cloud Platform Virtual Private Cloud. Velostrata uses Virtual Private Cloud to support communication between GCP and your source environment.
  • Your GCP organization is one of several components that are part of the migration. You'll perform configuration tasks for each. For the bigger picture, be sure to read the description of the Velostrata architecture.

Setting up a GCP account, organization, and project

You need a GCP organization to migrate into GCP. Once you have an organization, you'll assign permissions that allow a Velostrata script to configure GCP with roles and service accounts. You'll create a Velostrata infrastructure project that will host the Velostrata Manager.

  1. Go to the Google Cloud Platform Console and sign in. If you don't already have an account, sign up to create one.
  2. To set up an organization, see Creating and managing organizations. For more information, see Best practices for enterprise organizations.
  3. Assign the following permissions to your administrator who runs the account and role creation script:

    • Organization Role Administrator
    • Organization Administrator
    • Compute Admin
    • (Project) Owner

    For more information on IAM concepts such as GCP accounts, service accounts, and roles, see the IAM Overview.

  4. Create a GCP project to host Velostrata infrastructure on GCP. In the rest of this document, we'll call this the infrastructure project.

Setting up networks on GCP

Velostrata uses GCP Virtual Private Cloud networks and VPN connectivity to your source environment, and requires specific networking rules set up before migrations can be completed. For detailed information on firewall, routing, and network tagging for your deployment, see network access requirements.

The network configuration tasks assume that you have GCP Virtual Private Cloud and that you're already familiar with Virtual Private Cloud firewall rules. For more information, see Google Cloud Platform Virtual Private Cloud.

Creating GCP roles and service accounts via Cloud Shell

You'll need to create GCP roles and service accounts that Velostrata can use to create GCP resources and manage the Cloud Storage API. Velostrata includes a Cloud Shell script for making these changes.

The script creates roles and service accounts in the infrastructure project except when you'll be migrating into multiple GCP projects. In that case, the script will create the Velostrata Manager role at the organization level, creating the other role and service accounts in the infrastructure project.

The following table describes the roles and service accounts created by the Cloud Shell script.

Role | Service account | Permissions enabled
--- | --- | ---
Velostrata Manager (velos_manager_[deployment_name]) | velos-manager-[deployment_name] | Ability to create all the resources for your migration (VMs, Cloud Storage buckets, and so on).
Velostrata Cloud Extension (velos_ce_[deployment_name]) | velos-cloud-extension-[deployment_name] | Ability to manage the Cloud Storage API for migrations.

The easiest way to create the required service accounts is by using a Cloud Shell script available with Velostrata. The script enables the following GCP APIs:

  • Cloud Resource Manager API
  • Identity and Access Management (IAM) API
  • Compute Engine API
  • Google Cloud Storage API
  • Stackdriver Logging API
  • Stackdriver Monitoring API

Though it isn't recommended, you can instead configure GCP manually.

Prerequisites

If you want to migrate to multiple projects within your organization, you need your numeric Organization ID.

Running the configuration script

To run the configuration script:

  1. Open Cloud Shell.
  2. Change to the directory containing the Velostrata script:
    cd /google/velostrata
    
  3. Choose a deployment name that will be appended to your service account and role IDs, for example main.
  4. Run the script:

      python3 velostrata_sa_roles.py -p project-ID -d deployment-name [-o organization]
    

    For more information, see the Configuration script reference below.

Single-project configuration example

In this example, you will configure GCP with roles and service accounts in the velostrata infrastructure project and with the deployment name main.

    python3 velostrata_sa_roles.py -p velostrata -d main

This command creates:

  • The velos_manager_main and velos_ce_main roles in the velostrata project.
  • The velos-manager-main@velostrata.iam.gserviceaccount.com and velos-cloud-extension-main@velostrata.iam.gserviceaccount.com service accounts in the velostrata project.

Multiple-project configuration example

In this example, you will configure GCP with roles and service accounts to handle migrations into multiple projects. The script will use the velostrata infrastructure project.

Running the script with the -o flag will create the manager role at the organization level, allowing you to migrate VMs to multiple projects.

    python3 velostrata_sa_roles.py -p velostrata -d main -o 12345678

This command creates:

  • The velos_manager_main role in the organization with ID 12345678.
  • The velos_ce_main role in the velostrata project.
  • The velos-manager-main@velostrata.iam.gserviceaccount.com and velos-cloud-extension-main@velostrata.iam.gserviceaccount.com service accounts in the velostrata project.

Configuration script reference

Use the velostrata_sa_roles.py script to create GCP roles and service accounts that give Velostrata permission to create resources and manage the Cloud Storage API.

The script creates roles and service accounts in the infrastructure project except when you'll be migrating into multiple GCP projects. In that case, the script creates the Velostrata Manager role at the organization level, creating the other role and service accounts in the infrastructure project.

Note that in order for this script to complete successfully, you'll need to have assigned (to the administrator running the script) the roles described in Setting up a GCP account, organization, and project, above.

    python3 velostrata_sa_roles.py -p project-ID -d deployment-name [-o organization-ID]

Parameters

Parameter | Description | Required
--- | --- | ---
-d or --deployment-name | Specifies the deployment name. This is appended to service account and role names. Must be less than 8 characters and can only contain lowercase letters and numbers. | Yes.
-p or --project-id | Specifies the ID of the GCP project that will host your migration. | Yes.
-o or --org-id | Specifies the numeric GCP organization ID. Use this when you'll be migrating into multiple GCP projects. | No.
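
After the script has run, the documented naming scheme makes it possible to audit what the new service accounts can do. The following Python is an added example, not part of velostrata_sa_roles.py or of this documentation's own code: it derives the expected role and service account names from the script parameters and lists, for review, any other role those accounts hold in an exported IAM policy. The policy is a constructed sample, and the function names and the assumption that each service account should hold only the custom role paired with it in the table above are assumptions of this example.

```python
import re

# Constructed sample in the shape of `gcloud projects get-iam-policy velostrata --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "projects/velostrata/roles/velos_manager_main",
         "members": ["serviceAccount:velos-manager-main@velostrata.iam.gserviceaccount.com"]},
        {"role": "projects/velostrata/roles/velos_ce_main",
         "members": ["serviceAccount:velos-cloud-extension-main@velostrata.iam.gserviceaccount.com"]},
        {"role": "roles/owner",
         "members": ["user:admin@example.com",
                     "serviceAccount:velos-manager-main@velostrata.iam.gserviceaccount.com"]},
    ]
}

def expected_resources(project, deployment, org=None):
    """Map each Velostrata service account to the custom role paired with it in the table."""
    # -d constraint from the parameter table: under 8 characters, lowercase letters and digits.
    if not re.fullmatch(r"[a-z0-9]{1,7}", deployment):
        raise ValueError(f"invalid deployment name: {deployment!r}")
    # With -o the manager role lives at the organization level; otherwise in the project.
    manager_parent = f"organizations/{org}" if org else f"projects/{project}"
    domain = f"{project}.iam.gserviceaccount.com"
    return {
        f"serviceAccount:velos-manager-{deployment}@{domain}":
            f"{manager_parent}/roles/velos_manager_{deployment}",
        f"serviceAccount:velos-cloud-extension-{deployment}@{domain}":
            f"projects/{project}/roles/velos_ce_{deployment}",
    }

def roles_to_review(policy, expected):
    """Return sorted (member, role) pairs where a Velostrata account holds another role."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            # Assumption: any role other than the paired custom role deserves a look.
            if member in expected and binding["role"] != expected[member]:
                findings.append((member, binding["role"]))
    return sorted(findings)

if __name__ == "__main__":
    expected = expected_resources("velostrata", "main")
    for member, role in roles_to_review(SAMPLE_POLICY, expected):
        print(f"review: {member} holds {role}")
```

To audit a real deployment, replace SAMPLE_POLICY with the parsed JSON policy of the infrastructure project, the organization, or each target project.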
