Configuring an HTTPS proxy

Migrate to Containers supports the use of on-premises processing clusters to perform a migration. For example, you can create a Migrate to Containers processing cluster by using Anthos on bare metal.

In many on-premises environments, outbound internet access is tightly controlled through the use of an HTTPS proxy server. By default, Migrate to Containers does not use a proxy to make outbound requests. If your environment uses a proxy server to control outbound internet access, then you can configure Migrate to Containers to use that proxy.

When Migrate to Containers makes outbound requests

As part of performing a migration, Migrate to Containers makes outbound requests to write information to different data repositories:

1. Docker image files representing the migrated VM are written to a Docker registry.

   These Docker image files represent the files and directories of the migrated VM.

2. Migration artifacts that represent the migrated workload are written to a data repository.

   Artifacts include the configuration YAML files that you can use to deploy the migrated workloads, and other files. The exact artifacts depend on whether you are migrating Linux or WIndows workloads.

Accessing a Docker registry

For on-premises processing clusters, there is no default Docker registry defined. You configure the location of the Docker registry at the time you install Migrate to Containers. The registry can be located:

• On Google Cloud by using Container Registry (GCR).

• On a local or remote Docker registry.

For more on configuring a repository for Migrate to Containers, see Defining data repositories.

Accessing an artifacts repository

For on-premises processing clusters, there is no default artifacts repository defined. You configure the location of the artifacts repository at the time you install Migrate to Containers. The registry can be located:

• On Google Cloud by using Cloud Storage.

• On S3 either locally or remotely from your cluster.

For more on configuring a repository for Migrate to Containers, see Defining data repositories.

Defining a proxy server to access a repository

If your processing cluster requires a proxy to make outbound requests to access a repository, then you can configure proxy access when you install Migrate to Containers.

Cluster requirements

To use a proxy with Migrate to Containers, your on-premises processing cluster must be configured to support proxy access and also configured for any firewall rules required by the proxy to be able to access the data repositories.

To learn how to configure a proxy for your Anthos on bare metal processing cluster, see Install behind a proxy.

Firewall requirements

Your proxy server might have access restrictions configured to allow or deny access to specific external locations.

For processing clusters to be able to connect to Google Cloud services, the proxy server must allow traffic to the following domains:

• For Docker registry on Google Cloud using GCR: *.gcr.io
• For migration artifacts repository on Google Cloud using Cloud Storage: storage.googleapis.com

If you are using your own data repository, ensure that the proxy server allows outbound access to the necessary locations.

Proxy authentication

Some proxy servers restrict access by using basic authentication. If your proxy requires basic authentication credentials, then you can configure those credentials when you configure Migrate to Containers to use the proxy.

Proxy requests using basic authentication use a URL of the form:

https://user:password@proxy:proxyPort/

SSL/TLS requirements

Migrate to Containers supports proxy requests over HTTPS only. HTTP is not supported.

When using an HTTPS proxy, Migrate to Containers does not support self-signed certificates. You must use a signed cert with an HTTPS proxy.

Examples

To configure an HTTPS proxy with no authentication:

migctl setup proxy --https-proxy myproxy.com

To update the proxy, run the command again with different values. You can only have one proxy configuration so running the command again overwrites the current configuration.

To configure an HTTPS proxy and also specify domains where the proxy is not used:

migctl setup proxy --https-proxy myproxy.com --no-proxy localhost,mydomain.com

If the proxy uses basic authentication:

migctl setup proxy --https-proxy myproxy.com --proxy-basic-authentication

You are prompted to enter the username and password.

Or you can enter the credentials as part of the proxy-address:

migctl setup proxy --https-proxy user:pword@myproxy.com

To remove the proxy configuration:

migctl setup proxy --remove 

What's next

• Planning best practices