Before you can start migrating VMs, you must first configure a migration source that specifies the on-premises data center from which you'll be migrating the VMs. To configure a migration source, install and configure the Migrate Connector on your vSphere data center.
Once installed, the Migrate Connector:
Establishes a secure datapath between the on-premises environment and Google Cloud using Google Cloud APIs over port 443. Migration traffic can be routed over the public internet, VPN, Private Google Access, or Dedicated Interconnect.
Performs storage operations against VM disks using the vSphere APIs.
Queries on-premises VM inventory so that you can use the Google Cloud console to browse the VMs in the data center available for migration.
Stops and monitors source VMs using vSphere APIs when performing cut-over.
See Migrate for Compute Engine Architecture for more on the Migrate Connector.
Before you begin
Before you can install the Migrate Connector, you must first enable Migrate for Compute Engine on Google Cloud. See Enabling Migrate for Compute Engine services.
To install and register the Migrate Connector, you must first satisfy the following prerequisites:
On vSphere, you must create a vCenter user account with the permissions required by the Migrate Connector to access your vSphere environment. See 1. Creating the vCenter user for the Migrate Connector.
To connect your workstation to the Migrate Connector VM running on vSphere, you need to create an SSH public/private key pair. See 2. Creating the SSH public/private key pair.
On Google Cloud define two accounts:
A user account with the necessary permissions to perform registration. This user account is only used at registration time.
A service account used by the Migrate Connector for run-time data transfer to Google Cloud.
When registering the Migrate Connector, you must provide the Google Cloud region used to host your migrated VMs. See 4. Selecting the Google Cloud region.
Ensure that you have enabled network access for the Migrate Connector as described in 5. Configuring network access.
The following sections describe these prerequisites in more detail.
1. Creating the vCenter user for the Migrate Connector
Create a vCenter user account with the necessary permissions required by the Migrate Connector to access your vSphere environment. You then pass the user credentials to the Migrate Connector at install time.
The following list shows the required permissions as they appear in the vSphere UI:
Global -> Disable methods
Global -> Enable methods
Virtual machine -> Change Configuration -> Toggle disk change tracking
Virtual machine -> Interaction -> Power off
Virtual machine -> Provisioning -> Allow read-only disk access
Virtual machine -> Provisioning -> Allow virtual machine download
Virtual machine -> Snapshot management -> Create snapshot
Virtual machine -> Snapshot management -> Remove snapshot
Cryptographic operations -> Direct Access*
* Only if the source VM is an encrypted VM (vCenter 6.5 and later).
2. Creating the SSH public/private key pair
Create an SSH public/private key pair used to connect your workstation to the Migrate Connector VM running on vSphere. You then copy the public key to the Migrate Connector VM as part of the registration procedure. The Migrate Connector uses the public key to authenticate SSH connections from your workstation.
There are many ways to generate a public/private SSH key pair. The example below uses the Linux ssh-keygen utility, but you can use any utility compatible with your workstation and OS.
Log in to your workstation, meaning the remote machine that you use to connect to the vSphere data center.
Change directory to
If this directory does not exist, create it.
The following example generates a public key (~/.ssh/id_rsa.pub) and a private key (~/.ssh/id_rsa) with a single command:
ssh-keygen -t rsa
This command creates a public key named id_rsa.pub that you pass to the Migrate Connector during registration. The actual name of your public key depends on the utility that you use to create the key.
This example uses the PuTTY client on Windows to generate the keys:
Download and install PuTTY from https://www.putty.org/.
Under Parameters, select RSA.
Select Generate to create the keys.
You see the public key displayed in PuTTY, in the form ssh-rsa AAAAB3NzaC1yc2EAAAADAQA.... Copy the public key for use later in this procedure.
Select Save public key and Save private key to save the keys.
3. Defining Google Cloud accounts
On Google Cloud, you need two accounts:
A service account in your host project used by the Migrate Connector for run-time data transfer to Google Cloud.
You can specify an existing service account, or let the Migrate Connector create a new one for you. The Migrate Connector applies all necessary permissions to the service account to configure it.
A user account in your host project with the necessary permissions to register the Migrate Connector. This user account is only used at registration time, not at run time.
See the procedure below to configure this account.
To configure the user account:
You can specify any user account in your host project to register the Migrate Connector. The specified user account requires the following permissions:
Determine the email address of the user account you want to use for registration. In the Google Cloud console, you can see all users in your project on the IAM page:
Grant the iam.serviceAccountKeyAdmin role to the user account:
gcloud projects add-iam-policy-binding PROJECT_ID --member=user:USER_EMAIL_ADDRESS --role=roles/iam.serviceAccountKeyAdmin
Grant the iam.serviceAccountCreator role to the user account:
gcloud projects add-iam-policy-binding PROJECT_ID --member=user:USER_EMAIL_ADDRESS --role=roles/iam.serviceAccountCreator
Grant the vmmigration.admin role to the user account:
gcloud projects add-iam-policy-binding PROJECT_ID --member=user:USER_EMAIL_ADDRESS --role=roles/vmmigration.admin
For more on assigning roles and permissions to a user account, see Granting, changing, and revoking access to resources.
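The role grants above, wrapped in a script that also removes the two service-account roles once registration is finished, since the user account is used only at registration time. This is an added example, not part of the product documentation; the PROJECT_ID and USER_EMAIL values are placeholders, the helper function names are hypothetical, and the choice of which roles to remove afterwards is an assumption.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# PROJECT_ID and USER_EMAIL are placeholders. DRY_RUN=1 (the default) prints
# each gcloud command instead of running it.
PROJECT_ID="${PROJECT_ID:-PROJECT_ID}"
USER_EMAIL="${USER_EMAIL:-USER_EMAIL_ADDRESS}"
DRY_RUN="${DRY_RUN:-1}"

# Assumption: these two roles are needed only while registration sets up the
# connector's service account, so they are removed once registration is done.
REVOCABLE_ROLES="roles/iam.serviceAccountKeyAdmin roles/iam.serviceAccountCreator"
# The three roles the page requires for registration.
REGISTRATION_ROLES="$REVOCABLE_ROLES roles/vmmigration.admin"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# change_binding add|remove ROLE
change_binding() {
    run gcloud projects "$1-iam-policy-binding" "$PROJECT_ID" \
        --member="user:$USER_EMAIL" --role="$2"
}

grant_registration_roles() {
    for role in $REGISTRATION_ROLES; do change_binding add "$role"; done
}

revoke_after_registration() {
    for role in $REVOCABLE_ROLES; do change_binding remove "$role"; done
}

# Print the roles currently bound to the user, one per line (needs gcloud).
list_user_roles() {
    gcloud projects get-iam-policy "$PROJECT_ID" \
        --flatten="bindings[].members" \
        --filter="bindings.members:user:$USER_EMAIL" \
        --format="value(bindings.role)"
}

# Read a role list on stdin; print any revocable role that is still bound.
leftover_roles() {
    while IFS= read -r role; do
        for r in $REVOCABLE_ROLES; do [ "$role" != "$r" ] || echo "$role"; done
    done
}

grant_registration_roles      # before you register the connector
revoke_after_registration     # once the connector reports it is registered
```

After revoking, `list_user_roles | leftover_roles` should print nothing; re-grant the roles before re-registering the connector.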
4. Selecting the Google Cloud region
On Google Cloud, a region is a specific geographical location where you can host your resources. Regions have three or more zones. For example, the us-west1 region denotes a region on the west coast of the United States that has three zones:
You choose which region hosts your resources, which controls where your data is stored and used. Distribute your resources across multiple regions to tolerate outages. Therefore, if a region experiences any disturbances, you should have backup services running in a different region.
When you install the Migrate Connector on vSphere, you select a Google Cloud region. The source VMs migrated using this connector are then associated with the chosen region.
To migrate VMs to multiple regions, you must:
Create a host project.
Install and configure a separate Migrate Connector for each supported Google Cloud region.
Migrate and deploy your VMs selecting your desired supported region for each VM or VM group.
In that way, if one region goes down, you can still perform migrations by using a migration source associated with a different region.
See Migrate for Compute Engine locations for a list of supported regions.
5. Configuring network access
Enable network access for the Migrate Connector by opening the required ports and by opening access to the domains required by the Google Cloud APIs:
Ensure that you have enabled network access for the Migrate Connector. The following table lists the network connectivity requirements for the connector:
| Source | Destination | Firewall scope | Protocol | Port |
|---|---|---|---|---|
| Migrate Connector | vCenter Server | Corp LAN | HTTPS | TCP/443 |
| Migrate Connector | vCenter Server | Corp LAN | VMW NBD | TCP/902 |
| Migrate Connector | vSphere ESXi | Corp LAN | VMW NBD | TCP/902 |
| Migrate Connector* | Google Cloud APIs and Container Registry (*.googleapis.com, gcr.io) | Internet, Cloud VPN, or Cloud Interconnect | HTTPS | TCP/443 |
| Migrate Connector | Corp DNS Server | Corp LAN | DNS | TCP/UDP/53 |

* If you configure the Migrate Connector VM on vSphere to use a proxy server, traffic sent to Google Cloud APIs is directed over the proxy server. Direct network connectivity to Google Cloud APIs over port 443 is then not required by the connector.
Ensure that the firewall rules on your vSphere server allow external access to the following domains required by the Google Cloud APIs:
Installing the Migrate Connector
To install the Migrate Connector:
Sign in to vSphere using an account with the permissions required to deploy an OVF file.
Right-click on your data center and select Deploy OVF Template.
Select the Migrate Connector OVA file, and then select Next.
Choose the virtual machine name and folder for the connector, or use the default name, and then select Next.
Select the compute resource, and then select Next.
Review the installation details, and then select Next.
Select the storage datasource used by the connector, and then select Next.
Select the network that will host the connector, and then select Next.
Customize the template:
Provide the SSH public key that you created on your workstation machine.
This is the key you created above in 2. Creating the SSH public/private key pair. In that example, the SSH public key was written to a file named ~/.ssh/id_rsa.pub. Provide the contents of the file here. For example
Set the hostname of the machine or accept the default.
Optionally, set any properties under Networking Properties. If you do not set these properties, then the VM uses DHCP. Two options that you might have to set include:
HTTP Proxy: Specifies a proxy server used for all outbound traffic to Google Cloud. The Migrate Connector does not support proxy authentication, so do not specify any authentication credentials.
Static network route: If required by your network environment, specify static routes.
Select Finish when you have completed the configuration to deploy the VM.
After deployment completes, start the VM.
After the VM starts, record its IP address.
You need the IP address in the next section to register the connector.
Registering the Migrate Connector as a Google Cloud source
After you install the Migrate Connector on vSphere, you need to register it as a Google Cloud source. Registration allows the connector to then pass data to Google Cloud.
To register the connector:
From your workstation, open an SSH connection to the Migrate Connector using the IP address of the Migrate Connector VM and the private key you created earlier in 2. Creating the SSH public/private key pair.
For example, on Linux you can use the ssh command:
ssh -i path-to-private-key admin@connector-ip-or-hostname
For Windows, you can use PuTTY to open the connection:
Under Connection -> SSH -> AUTH -> private key file for authentication, select the private key file.
In Session -> Host Name specify:
View help information for the
View the connector status:
The results should show that the connector can reach Cloud APIs and that it is not registered.
To register the connector enter the command:
You are prompted for the following information:
The vCenter host IP address, meaning the IP address of the vCenter in the vSphere cluster you are migrating VMs from. This is typically the same IP address that you see when you sign in to vSphere.
Verify the vSphere thumbprint.
Enter the username and password for the vCenter account used to administer the Migrate Connector. This is the account you created as described in 1. Creating the vCenter user for the Migrate Connector.
Enter your Google Cloud access token:
Please provide your Google Cloud User Account access token to register Migrate Connector (Note: The token is valid for 60 minutes) Enter access token:
To obtain an access token using Cloud console, follow these steps:
Navigate to Cloud console.
Click the Activate Cloud Shell Terminal button in the top-right of Cloud console. The Cloud Shell Terminal should appear at the bottom of your screen.
In the Cloud Shell Terminal, run the following command:
gcloud auth print-access-token
Copy the access token from Cloud Shell and paste it into the Migrate for Compute Engine CLI.
Select the Google Cloud host project you want to connect with the Migrate Connector. You must have already enabled the Migrate for Compute Engine API in this project as described in Enabling Migrate for Compute Engine services.
Select the Google Cloud region you want to connect with this Migrate Connector. See 4. Selecting the Google Cloud region for more on selecting the region.
Enter the source name. This is the name of the source as shown in the Google Cloud console for Migrate for Compute Engine.
In the following image, the source name is set to
Select new and enter a name for a new source, or select an existing source to overwrite it.
Specify the service account in your host project to be used by the Migrate Connector to connect to Google Cloud. You can select an existing service account, or let the Migrate Connector create a new one for you as described above in 3. Defining Google Cloud accounts.
The Migrate Connector connects to disks in your on-premises data center to replicate data to Google Cloud. Registration applies the necessary roles to this service account automatically to enable this data transfer.
Check the status:
Ensure that the connector is now registered.
Open the Migrate for Compute Engine page in the Google Cloud console:
Select the Sources tab. You should see the new source appear in the source drop-down list.
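For the "Verify the vSphere thumbprint" prompt in the registration steps above, the following added example (not part of the product documentation) compares the thumbprint shown by the connector with a value you already trust, such as one read from the vCenter certificate by its administrator, ignoring differences in colons, case and labels. It assumes the thumbprint is a SHA-1 or SHA-256 certificate fingerprint, which the page does not state; the function names and sample values are constructed.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# Assumption: the thumbprint is a SHA-1 (40 hex digits) or SHA-256 (64 hex
# digits) certificate fingerprint; the page does not say which one is shown.

# Strip any "SHA1 Fingerprint=" style label, colons and spaces; upper-case.
normalize_thumbprint() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# thumbprints_match SHOWN TRUSTED
# Returns 0 on match, 1 on mismatch, 2 if either value is not a fingerprint.
thumbprints_match() {
    shown=$(normalize_thumbprint "$1")
    trusted=$(normalize_thumbprint "$2")
    for value in "$shown" "$trusted"; do
        case "$value" in ''|*[!0-9A-F]*) return 2 ;; esac
        case "${#value}" in 40|64) ;; *) return 2 ;; esac
    done
    [ "$shown" = "$trusted" ]
}

# Read the fingerprint of the certificate a host presents on port 443.
# $1 = vCenter host, $2 = sha1 or sha256. Requires the openssl CLI.
# Run it from a network path you trust; it is not called by this script.
fetch_thumbprint() {
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint "-$2"
}

# Constructed sample values: the same fingerprint in two notations.
SHOWN="01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"
TRUSTED="SHA1 Fingerprint=0123456789abcdef0123456789abcdef01234567"

if thumbprints_match "$SHOWN" "$TRUSTED"; then
    echo "thumbprint matches the trusted value, continue registration"
else
    echo "thumbprint mismatch or malformed value, stop and investigate"
fi
```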
Modifying a Migrate Connector configuration
You can modify the properties of a Migrate Connector configuration. The way you modify the connector is based on the properties that you want to update:
To modify properties of the Migrate Connector VM, such as the Static network route, sign in to vSphere and edit the OVA parameters for the Migrate Connector.
To modify the properties used to register the connector as a Google Cloud source, such as the Google Cloud host project or region, use the
To modify the VM parameters:
Sign in to vSphere using an account with the permissions required to edit a VM.
Stop the Migrate Connector VM.
Edit the OVA parameters for the Migrate Connector.
Start the VM.
To modify the Google Cloud registration properties:
From your workstation, open an SSH connection to the Migrate Connector using the IP address of the Migrate Connector VM and the private key you created earlier:
ssh -i path-to-private-key admin@connector-vm-ip
Updating a Migrate Connector
Migrate for Compute Engine supports Migrate Connector updates. When an update is available for a Migrate Connector, you'll see a relevant message in the Sources card on the dashboard, and also on the Sources tab while the relevant source is selected. You'll also be notified on the Sources tab if other sources have updates.
To update your Migrate Connector, follow these steps:
Click the Sources tab. If an update is available, you'll see the message: An update is available for your source.
Click the View details button. On the Source details page, you'll see the message: An in-place update is available for your source.
Click the Update button. Once your Migrate Connector has been updated, you'll see the message: Source has been successfully updated.
Optional: Verify the update by checking the Last update field on the Source details page.
Redeploying a Migrate Connector
In rare cases (such as a significant change in the core Migrate Connector code base), automatic updates may not be available for your Migrate Connector. In this case, you need to redeploy your Migrate Connector.
To redeploy a Migrate Connector, follow these steps:
Download and install the Migrate Connector OVA file.
Register the new Migrate Connector using the same region and source (your old Migrate Connector will become idle).
Stop and delete your old Migrate Connector's VM to clean up resources.
Deleting a Migrate Connector
To delete a Migrate Connector, you must delete the corresponding source in the Google Cloud console, and delete the vSphere VM for the Migrate Connector.
To delete the Migrate Connector:
Open the Migrate for Compute Engine page in the Google Cloud console:
Select the Sources tab.
From the drop-down list, select the source corresponding to the Migrate Connector.
Select the Migrations tab.
Select all source VMs.
Select Delete and then confirm the deletion.
The VMs are removed from the Migration table.
Select the Sources tab.
Select Source Details.
Under the Data center connectors section of the Source Details page, select the trash icon next to the name of the source to delete the connector.
Confirm the delete.
Select Delete Source to delete the source.
Sign in to vSphere using an account with the permissions required to delete a VM.
Stop the Migrate Connector VM.
Delete the VM.