To perform a migration with Google Cloud Migrate for Compute Engine (formerly Velostrata), you need to connect networks on-premises and on Google Cloud. This means setting up the following resources:
- A Virtual Private Cloud (VPC) on Google Cloud.
- Firewall rules across all environments: on-premises, AWS, Azure, and Google Cloud VPC.
- VPNs or other network interconnections with routing and forwarding rules between Google Cloud, AWS, Azure, or inside the corporate LAN.
- Google Cloud Network Tags or Instance Service Accounts that allow traffic to pass between instances.
This page does not list firewall rules or routes for applications other than Migrate for Compute Engine. Your applications may require additional configuration on Google Cloud. For more information, see Firewall Rules, Routes, and Configuring Network Tags.
Prerequisites
Before continuing, make sure you have created a VPC to host your Migrate for Compute Engine components and your migrated workloads.
Network tags
Google Cloud uses network tags to select which VPC firewall rules apply to which VM instances. Sharing a tag does not by itself let instances communicate: a firewall rule must name the tag as its target and, for ingress rules, name the peer's tag or address range as its source. Migrate for Compute Engine uses network tags to identify its components so that the rules on this page can be scoped to them.
The following table describes required network tags, suggested names, and configurations.
Network tag | Suggested name | Description |
---|---|---|
Velostrata Manager | fw-velosmanager | You specify this network tag before deploying the Velostrata Manager using the Google Cloud Marketplace click-to-deploy option. |
Migrate for Compute Engine Cloud Extension | fw-velostrata | You can apply one or more network tags when you create your Migrate for Compute Engine Cloud Extensions. |
Workload | fw-workload | For simplicity, this topic references the Workload network tag, which allows workload nodes to access your project's Migrate for Compute Engine resources. |
Custom | | Custom tags enable connectivity among the instances that share them. If you have several VM instances serving a website, tag these instances with a common value, and then use that tag to apply a firewall rule that allows HTTP access to those instances. Note: Valid network tag names on Google Cloud contain only lowercase letters, numerals, and dashes. They must also start and end with a number or a lowercase letter. |
Firewall rules
The following tables list, for each connection Migrate for Compute Engine needs, the source, the destination, the firewall scope, whether the rule is optional, and the protocol and port.
For additional information, see the following firewall documentation:
- For firewalls inside the on-premises corporate LAN, see your vendor documentation.
- VPC firewall documentation
- AWS VPC firewall documentation
- Azure firewall documentation
Google Cloud VPC
Source | Destination | Firewall scope | Optional? | Protocol | Port |
---|---|---|---|---|---|
Velostrata Manager network tags (GCP) | GCP API endpoint | Internet or Private Google Access | No | HTTPS | TCP/443 |
Velostrata Manager network tags (GCP) | AWS API endpoint (AWS-to-GCP migrations) | Internet | No | HTTPS | TCP/443 |
Velostrata Manager network tags (GCP) | Azure API endpoint (Azure-to-GCP migrations) | Internet | No | HTTPS | TCP/443 |
Corporate LAN subnets (for web UI access) | Velostrata Manager network tags (GCP) | VPN On-Premises | No | HTTPS | TCP/443 |
Velostrata Backend | Velostrata Manager network tags (GCP) | VPN On-Premises | No | gRPC | TCP/9119 |
Velostrata Manager network tags (GCP) | Workload network tags (GCP), for the instance console availability probe | VPC | Yes | RDP, SSH | TCP/3389, TCP/22 |
Velostrata Manager network tags (GCP) | Migrate for Compute Engine Cloud Extension network tags (GCP) | VPC | No | HTTPS | TCP/443, TCP/9111 |
Velostrata Manager network tags (GCP) | Migrate for Compute Engine Importers (AWS subnet) | VPN to AWS | No | HTTPS | TCP/443 |
Velostrata Manager network tags (GCP) | Migrate for Compute Engine Importers (Azure subnet) | VPN to Azure | No | HTTPS | TCP/443 |
Migrate for Compute Engine Cloud Extension network tags (GCP) | Google Cloud Storage API | Internet or Private Google Access | No | HTTPS | TCP/443 |
Workload network tags (GCP) or instance service accounts (GCP) | Migrate for Compute Engine Cloud Extension network tags (GCP) | VPC | No | iSCSI | TCP/3260 |
Velostrata Backend | Migrate for Compute Engine Cloud Extension network tags (GCP) | VPN On-Premises | No | TLS | TCP/9111 |
Migrate for Compute Engine Importers (AWS subnet) | Migrate for Compute Engine Cloud Extension network tags (GCP) | VPN to AWS | No | TLS | TCP/9111 |
Migrate for Compute Engine Importers (Azure subnet) | Migrate for Compute Engine Cloud Extension network tags (GCP) | VPN to Azure | No | TLS | TCP/9111 |
Migrate for Compute Engine Cloud Extension network tags (GCP) | Migrate for Compute Engine Cloud Extension network tags (GCP) | VPC | No | ANY | ANY |
On-Premises
The following table lists the rules that apply when migrating VMware virtual machines or physical machines on-premises to GCP.
Source | Destination | Firewall scope | Optional? | Protocol | Port |
---|---|---|---|---|---|
Velostrata Backend | vCenter Server | Corp LAN | No | HTTPS | TCP/443 |
Velostrata Backend | vSphere ESXi | Corp LAN | No | VMW NBD | TCP/902 |
Migrate for Compute Engine Backend | Stackdriver using the Internet | Internet | Yes | HTTPS | TCP/443 |
Velostrata Backend | Corp DNS Server | Corp LAN | No | DNS | TCP/UDP/53 |
Velostrata Backend | Velostrata Manager (GCP) | VPN to GCP | No | TLS/SSL, HTTPS | TCP/9119, TCP/443 |
Velostrata Backend | Migrate for Compute Engine Cloud Extension Nodes (GCP Subnet) | VPN to GCP | No | TLS/SSL | TCP/9111 |
vCenter Server | Velostrata Backend | Corp LAN | No | HTTPS | TCP/443 |
Azure VNet
The following table lists the rules that apply when migrating Azure instances from Azure to GCP.
Source | Destination | Firewall scope | Optional? | Protocol | Port |
---|---|---|---|---|---|
Velostrata Manager | Migrate for Compute Engine Importers Security Group | VPN to GCP | No | HTTPS | TCP/443 |
Migrate for Compute Engine Importers Security Group | Migrate for Compute Engine Cloud Extension Nodes (GCP Subnet) | VPN to GCP | No | TLS | TCP/9111 |
AWS VPC
The following table lists the rules that apply when migrating AWS EC2 instances from AWS VPC to GCP.
Source | Destination | Firewall scope | Optional? | Protocol | Port |
---|---|---|---|---|---|
Velostrata Manager | Migrate for Compute Engine Importers Security Group | VPN to GCP | No | HTTPS | TCP/443 |
Migrate for Compute Engine Importers Security Group | Migrate for Compute Engine Cloud Extension Nodes (GCP Subnet) | VPN to GCP | No | TLS | TCP/9111 |
Troubleshooting
The following rules are not required for migrations, but allow you to directly connect to servers and receive logs while troubleshooting problems.
Source | Destination | Firewall scope | Optional? | Protocol | Port |
---|---|---|---|---|---|
Your local machine | Velostrata Manager on Google Cloud | VPN to GCP | Yes | SSH | TCP/22 |
Velostrata Manager (GCP) | Migrate for Compute Engine on-premises backend | VPN On-Premises | Yes | SSH | TCP/22 |
Velostrata Manager (GCP) | Migrate for Compute Engine Cloud Extension network tags (GCP) | VPC | Yes | SSH | TCP/22 |
Velostrata Manager (GCP) | Migrate for Compute Engine Importers (AWS subnet) | VPN to AWS | Yes | SSH | TCP/22 |
Workload network tags (GCP) or instance service account (GCP) | Migrate for Compute Engine Cloud Extension network tags (GCP) | VPC | Yes | SYSLOG (for the GCP VM boot phase) | UDP/514 |
Example On-Premises to Google Cloud configuration
The preceding sections list the rules that can apply to your migration. This section shows a sample firewall configuration for your VPC, as created through the Google Cloud console. For more information, see Creating firewall rules.
In the following example, the 192.168.1.0/24 subnet represents the on-premises network and 10.1.0.0/16 represents the VPC on Google Cloud. Scope sources as narrowly as your environment allows: the velos-webui rule below admits every address in the VPC, and the syslog port accepts unauthenticated UDP, so restrict both to the subnets that actually need them.
Name | Type | Target | Source | Ports | Purpose |
---|---|---|---|---|---|
velos-backend-control | Ingress | fw-velosmanager | 192.168.1.0/24 | tcp:9119 | Control plane between Velostrata Backend and Velostrata Manager. |
velos-ce-backend | Ingress | fw-velostrata | 192.168.1.0/24 | tcp:9111 | Encrypted migration data sent from Velostrata Backend to Cloud Extensions. |
velos-ce-control | Ingress | fw-velostrata | fw-velosmanager | tcp:443, tcp:9111 | Control plane between Cloud Extensions and Velostrata Manager. |
velos-ce-cross | Ingress | fw-velostrata | fw-velostrata | all | Synchronization between Cloud Extension nodes. |
velos-console-probe | Ingress | fw-workload | fw-velosmanager | tcp:22, tcp:3389 | Allows the Velostrata Manager to check whether the SSH or RDP console on the migrated VM is available. |
velos-webui | Ingress | fw-velosmanager | 192.168.1.0/24, 10.1.0.0/16 | tcp:443 | HTTPS access to the Velostrata Manager web UI. |
velos-workload | Ingress | fw-velostrata | fw-workload | tcp:3260, udp:514 | iSCSI for data migration, and syslog from migrated VMs during the boot phase. |
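The console steps above are easy to mistype and hard to review. The following script is an added example, not Google's tooling or part of the original page: it holds the example table as data, validates every network tag against the naming rule from the network tags section, prints the equivalent `gcloud compute firewall-rules create` command for each row, and checks that the non-optional VPC-scoped connections from the Google Cloud VPC table are all allowed and that no rule is open to 0.0.0.0/0. The network name `velos-vpc`, the `REQUIRED` list (derived from the tables on this page), and the 63-character tag length cap are assumptions made for the example.

```python
"""Emit gcloud commands for the example rule set and sanity-check it.
Added illustration, not Google's tooling. The network name is a placeholder;
REQUIRED is derived from the non-optional VPC-scoped rows above."""
import ipaddress
import re
from collections import namedtuple

# Tag syntax from the network-tags section: lowercase letters, digits, dashes,
# starting and ending with a letter or digit. The 63-char cap is assumed.
TAG_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

ON_PREM = "192.168.1.0/24"  # on-premises network in the example
VPC = "10.1.0.0/16"         # Google Cloud VPC in the example

Rule = namedtuple("Rule", "name target sources ports")  # sources: CIDRs or tags

# The example table, as data.
EXAMPLE_RULES = [
    Rule("velos-backend-control", "fw-velosmanager", [ON_PREM], ["tcp:9119"]),
    Rule("velos-ce-backend", "fw-velostrata", [ON_PREM], ["tcp:9111"]),
    Rule("velos-ce-control", "fw-velostrata", ["fw-velosmanager"], ["tcp:443", "tcp:9111"]),
    Rule("velos-ce-cross", "fw-velostrata", ["fw-velostrata"], ["all"]),
    Rule("velos-console-probe", "fw-workload", ["fw-velosmanager"], ["tcp:22", "tcp:3389"]),
    Rule("velos-webui", "fw-velosmanager", [ON_PREM, VPC], ["tcp:443"]),
    Rule("velos-workload", "fw-velostrata", ["fw-workload"], ["tcp:3260", "udp:514"]),
]

# (target tag, source, port) triples a migration cannot work without.
REQUIRED = [
    ("fw-velosmanager", ON_PREM, "tcp:9119"),
    ("fw-velostrata", ON_PREM, "tcp:9111"),
    ("fw-velostrata", "fw-velosmanager", "tcp:443"),
    ("fw-velostrata", "fw-velosmanager", "tcp:9111"),
    ("fw-velostrata", "fw-workload", "tcp:3260"),
    ("fw-velostrata", "fw-velostrata", "all"),
]


def is_valid_tag(tag):
    return len(tag) <= 63 and TAG_RE.match(tag) is not None


def _as_network(source):
    """Return the source as an ip_network, or None if it is a tag."""
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None


def split_sources(sources):
    """CIDR sources and tag sources go to different gcloud flags."""
    ranges = [s for s in sources if _as_network(s) is not None]
    tags = [s for s in sources if _as_network(s) is None]
    return ranges, tags


def gcloud_command(rule, network):
    """Build the gcloud CLI equivalent of one row of the example table."""
    ranges, tags = split_sources(rule.sources)
    parts = ["gcloud", "compute", "firewall-rules", "create", rule.name,
             f"--network={network}", "--direction=INGRESS", "--action=ALLOW",
             f"--rules={','.join(rule.ports)}", f"--target-tags={rule.target}"]
    if ranges:
        parts.append(f"--source-ranges={','.join(ranges)}")
    if tags:
        parts.append(f"--source-tags={','.join(tags)}")
    return " ".join(parts)


def _allows(rule, target, source, port):
    """Does this rule admit `port` from `source` (tag or CIDR) to `target`?"""
    if rule.target != target:
        return False
    if "all" not in rule.ports and port not in rule.ports:
        return False
    net = _as_network(source)
    if net is None:
        return source in rule.sources
    return any(n is not None and net.subnet_of(n)
               for n in map(_as_network, rule.sources))


def audit(rules):
    """Return a list of findings; an empty list means the rule set passes."""
    findings = []
    for r in rules:
        ranges, tags = split_sources(r.sources)
        for t in [r.target, *tags]:
            if not is_valid_tag(t):
                findings.append(f"{r.name}: invalid network tag {t!r}")
        if any(_as_network(c).prefixlen == 0 for c in ranges):
            findings.append(f"{r.name}: source range is open to the internet")
        if "all" in r.ports and ranges:
            findings.append(f"{r.name}: all ports open to an address range")
    for target, source, port in REQUIRED:
        if not any(_allows(r, target, source, port) for r in rules):
            findings.append(f"missing: {source} -> {target} {port}")
    return findings


if __name__ == "__main__":
    for rule in EXAMPLE_RULES:
        print(gcloud_command(rule, "velos-vpc"))  # review, then run
    print("findings:", audit(EXAMPLE_RULES) or "none")
```

The script prints the commands rather than executing them, so the rule set can be reviewed (and the audit run) before anything is created in the project. `--action=ALLOW` with `--rules` is the form gcloud requires when the action is given explicitly; sources that are CIDRs become `--source-ranges` and sources that are tags become `--source-tags`.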
Network routing and forwarding
Once firewall rules that allow necessary communication are in place, additional static routes to carry traffic between networks may be necessary.
For routing and forwarding inside the on-premises corporate LAN, see your router, firewall, and VPN vendor documentation.
For more on routing and forwarding in Google Cloud, see the following documentation:
For routing and forwarding from AWS to Google Cloud, see the following documents:
For routing and forwarding from Azure to Google Cloud, see the following documents: