Configuring an HTTPS proxy
Migrate to Containers supports the use of on-premises processing clusters to perform a migration. For example, you can create a Migrate to Containers processing cluster by using Anthos on bare metal.
In many on-premises environments, outbound internet access is tightly controlled through the use of an HTTPS proxy server. By default, Migrate to Containers does not use a proxy to make outbound requests. If your environment uses a proxy server to control outbound internet access, then you can configure Migrate to Containers to use that proxy.
When Migrate to Containers makes outbound requests
As part of performing a migration, Migrate to Containers makes outbound requests to write information to different data repositories:
- Docker image files representing the migrated VM are written to a Docker registry. These Docker image files represent the files and directories of the migrated VM.
- Migration artifacts that represent the migrated workload are written to a data repository. Artifacts include the configuration YAML files that you can use to deploy the migrated workloads, and other files. The exact artifacts depend on whether you are migrating Linux or Windows workloads.
Accessing a Docker registry
For on-premises processing clusters, there is no default Docker registry defined. You configure the location of the Docker registry at the time you install Migrate to Containers. The registry can be located:
- On Google Cloud by using Container Registry (GCR).
- On a local or remote Docker registry.
For more on configuring a repository for Migrate to Containers, see Defining data repositories.
Accessing an artifacts repository
For on-premises processing clusters, there is no default artifacts repository defined. You configure the location of the artifacts repository at the time you install Migrate to Containers. The repository can be located:
- On Google Cloud by using Cloud Storage.
- On S3 either locally or remotely from your cluster.
For more on configuring a repository for Migrate to Containers, see Defining data repositories.
Defining a proxy server to access a repository
If your processing cluster requires a proxy to make outbound requests to access a repository, then you can configure proxy access when you install Migrate to Containers.
Cluster requirements
To use a proxy with Migrate to Containers, your on-premises processing cluster must be configured to support proxy access and also configured for any firewall rules required by the proxy to be able to access the data repositories.
To learn how to configure a proxy for your Anthos on bare metal processing cluster, see Install behind a proxy.
Firewall requirements
Your proxy server might have access restrictions configured to allow or deny access to specific external locations.
For processing clusters to be able to connect to Google Cloud services, the proxy server must allow traffic to the following domains:
- For Docker registry on Google Cloud using GCR:
*.gcr.io
- For migration artifacts repository on Google Cloud using Cloud Storage:
storage.googleapis.com
If you are using your own data repository, ensure that the proxy server allows outbound access to the necessary locations.
Proxy authentication
Some proxy servers restrict access by using basic authentication. If your proxy requires basic authentication credentials, then you can configure those credentials when you configure Migrate to Containers to use the proxy.
Proxy requests using basic authentication use a URL of the form:
https://user:password@proxy:proxyPort/
SSL/TLS requirements
Migrate to Containers supports proxy requests over HTTPS only. HTTP is not supported.
When using an HTTPS proxy, Migrate to Containers does not support self-signed certificates. You must use a signed certificate with an HTTPS proxy.
Examples
To configure an HTTPS proxy with no authentication:
migctl setup proxy --https-proxy myproxy.com
To update the proxy, run the command again with different values. You can have only one proxy configuration, so running the command again overwrites the current configuration.
To configure an HTTPS proxy and also specify domains where the proxy is not used:
migctl setup proxy --https-proxy myproxy.com --no-proxy localhost,mydomain.com
If the proxy uses basic authentication:
migctl setup proxy --https-proxy myproxy.com --proxy-basic-authentication
You are prompted to enter the username and password.
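Or you can enter the credentials as part of the proxy address. Credentials passed on the command line can be saved in shell history and can be visible in the process list, so use the prompt where you can: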
migctl setup proxy --https-proxy user:pword@myproxy.com
To remove the proxy configuration:
migctl setup proxy --remove
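The following pre-flight check is an added example, not part of Migrate to Containers or its documentation. It validates a proxy address against the rules on this page (HTTPS only, optional embedded credentials), produces a redacted form that is safe to log, and tests destination hosts against the allowed domains listed under Firewall requirements. The function names, the sample hosts and port, and the shell-style wildcard matching are assumptions; check how your own proxy interprets patterns such as `*.gcr.io`.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Allowed domains taken from the "Firewall requirements" section of this page.
PAGE_ALLOWLIST = ["*.gcr.io", "storage.googleapis.com"]


def inspect_proxy_address(addr):
    """Parse an address as passed to --https-proxy and report what it contains.

    Accepts 'host', 'host:port', 'user:pw@host' or a full https:// URL.
    (Hypothetical helper; migctl does its own parsing.)
    """
    # The migctl examples omit the scheme; add one so urlsplit finds the host.
    url = urlsplit(addr if "://" in addr else "https://" + addr)
    if url.scheme != "https":
        raise ValueError("only HTTPS proxies are supported, got " + url.scheme)
    if not url.hostname:
        raise ValueError("no proxy host in address")
    hostport = url.hostname + (f":{url.port}" if url.port else "")
    has_creds = url.username is not None
    # Form that can go into logs and tickets without leaking the password.
    redacted = "https://" + ("***:***@" if has_creds else "") + hostport
    return {"host": url.hostname, "port": url.port,
            "embedded_credentials": has_creds, "redacted": redacted}


def blocked_hosts(allow_patterns, hosts):
    """Return the hosts that no allow pattern covers (case-insensitive).

    Assumes shell-style wildcards, under which '*.gcr.io' does not match
    the bare host 'gcr.io'; real proxies may match differently.
    """
    pats = [p.lower() for p in allow_patterns]
    return [h for h in hosts if not any(fnmatch(h.lower(), p) for p in pats)]


if __name__ == "__main__":
    # Constructed sample input, not taken from a real environment.
    info = inspect_proxy_address("user:pword@myproxy.com")
    print("proxy:", info["redacted"])
    if info["embedded_credentials"]:
        print("note: credentials are embedded in the address")
    needed = ["gcr.io", "eu.gcr.io", "storage.googleapis.com",
              "registry.example.internal"]
    for host in blocked_hosts(PAGE_ALLOWLIST, needed):
        print("not covered by proxy allowlist:", host)
```
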
What's next
- Learn about modernizing traditional workloads.