Migrate for Compute Engine AWS prerequisites

You must have the following prerequisites in preparation for migrating your AWS EC2 instances to Google Cloud:

  • An AWS account and EC2 instances to migrate.
  • An AWS VPC Subnet with VPN connectivity to Google Cloud. For detailed information, see Network access requirements on firewall, routing, and network tag considerations for your Migrate for Compute Engine deployment.
  • Migrate for Compute Engine IAM Roles, IAM users, and Access Policies deployed on the AWS account.

This document describes setting permissions for Migrate for Compute Engine to connect to AWS.

AWS Account - IAM roles and access policies

The Amazon IAM service enables the creation and enforcement of access policies. Migrate for Compute Engine uses AWS IAM groups and instance roles to define and enable these permissions.

At minimum, we recommend the following setup:

  • An IAM group (named VelosMgrGroup) for use by a Migrate for Compute Engine service account. This group enforces an access policy with the minimum privileges required by Migrate for Compute Engine, and allows provisioning and monitoring of cloud-side components and worker VMs. The Migrate for Compute Engine service account is used by the Migrate for Compute Engine Manager on Google Cloud.
  • An IAM user account in the VelosMgrGroup IAM Group.

Recommended permissions are described in the CloudFormation stack template zip file (download this from the Downloads page).

Creating the Migrate for Compute Engine IAM group

  1. Download and unzip the CloudFormation stack template from the Downloads page.

    This is a JSON file with a name such as VxCF-GA-V3-IAMONLY.rev1.json.

  2. Sign in to the AWS Console and select CloudFormation.

  3. Click Create Stack.

  4. Click Choose File, upload the CloudFormation file, and then click Next.

  5. Enter a Name for the CloudFormation stack.

  6. Choose the VPC that contains the instances you want to migrate.

  7. From the Options page, click Next, then click Create. A group named {stack name prefix}-VelosMgrGroup is created.
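Before uploading the template in step 4, it is worth reading the IAM statements it will create. The following is an added example, not part of the original page or the product: it lists wildcard grants on IAM resources in a CloudFormation JSON template. The embedded sample template is constructed for illustration and does not reflect the contents of the real file from the Downloads page.

```python
import json

# Constructed sample template; the real file from the Downloads page will differ.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "VelosMgrGroup": {"Type": "AWS::IAM::Group", "Properties": {"Policies": [{
        "PolicyName": "constructed-example",
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:RunInstances"], "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}}]}},
    "ExtraPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
        "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                      "Resource": "arn:aws:s3:::example-bucket/*"}}}},
}})

IAM_TYPES = {"AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::User",
             "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}

def as_list(value):
    """IAM allows a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def iam_statements(template):
    """Yield (logical_id, statement) for each policy statement on IAM resources."""
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_TYPES:
            continue
        props = res.get("Properties", {})
        docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        if "PolicyDocument" in props:
            docs.append(props["PolicyDocument"])
        for doc in docs:
            for stmt in as_list(doc.get("Statement", [])):
                yield name, stmt

def broad_grants(template_text):
    """Return (logical_id, finding) for Allow statements with wildcard actions or NotAction."""
    findings = []
    for name, stmt in iam_statements(json.loads(template_text)):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything except the list
            findings.append((name, "NotAction"))
        for action in as_list(stmt.get("Action", [])):
            if isinstance(action, str) and (action == "*" or action.endswith(":*")):
                findings.append((name, action))
    return findings

if __name__ == "__main__":
    for name, finding in broad_grants(SAMPLE_TEMPLATE):
        print(f"{name}: broad grant {finding}")
```

To check the downloaded file, pass its contents to `broad_grants()` in place of `SAMPLE_TEMPLATE`; actions built with CloudFormation intrinsic functions are not strings and are skipped, so review those by hand.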

Creating the AWS IAM user account for Migrate for Compute Engine

  1. In the AWS console, click your account name in the top right corner of the page and then select Security Credentials.
    Screenshot of AWS Security Credentials menu command
  2. From the left pane, select Users and then click Create New Users.
  3. For Access type, select Programmatic access.
  4. Download the user credentials (Keys). These keys will be used when creating the Migrate for Compute Engine Cloud Extension.
    Screenshot of Add User dialog box
  5. Add the IAM user to the group created by the CloudFormation script.
    Screenshot of Add User dialog box