Migrate to Virtual Machines lets you migrate your virtual machine (VM) instances running on Google Cloud VMware Engine to VM instances running on Compute Engine.
Before you begin
- Enable Migrate to Virtual Machines on Google Cloud. See Enabling Migrate to Virtual Machines services.
- Enable the VM Migration API on your host project using https://console.cloud.google.com/apis/library/vmmigration.googleapis.com.
- Review the Migrating VMs with Migrate to Virtual Machines: Getting started documentation. This document provides insight into the overall structure of Migrate to Virtual Machines, including key terms, concepts, and reference information that'll help you migrate your workload efficiently and effectively.
Migrate your workload from a Google Cloud VMware Engine source
To migrate VMs from a VMware Engine source, you must configure a migration source that specifies the VMware Engine data center from which you'll be migrating the VMs. To configure a migration source, you have to install and configure the Migrate Connector on the VMware Engine data center.
Follow these steps to install and configure a Migrate Connector, and create a VMware Engine source:
- On VMware Engine, you must create a VMware Engine user account with the permissions required by the Migrate Connector to access your VMware Engine environment. See Create the VMware Engine user for the Migrate Connector.
- On Google Cloud, define two accounts:
  - A user account with the necessary permissions to perform registration. This user account is only used at registration time.
  - A service account used by the Migrate Connector for run-time data transfer to Google Cloud.
- When registering the Migrate Connector, you must provide the Google Cloud region used to host your migrated VMs. See Select the Google Cloud region.
- Ensure that you have enabled network access for the Migrate Connector as described in Configuring network access.
- Install and register the Migrate Connector as described in Install the Migrate Connector.
Create the VMware Engine user for the Migrate Connector
Create a VMware Engine user account with the permissions required by the Migrate Connector to access your VMware Engine environment. You then pass the user credentials to the Migrate Connector at install time.
The following table lists the permission names and the corresponding permissions as shown in the VMware Engine UI:
Permission | UI permission |
---|---|
Global.DisableMethods | Global -> Disable methods |
Global.EnableMethods | Global -> Enable methods |
VirtualMachine.Config.ChangeTracking | Virtual machine -> Change Configuration -> Toggle disk change tracking |
VirtualMachine.Interact.PowerOff | Virtual machine -> Interaction -> Power off |
VirtualMachine.Provisioning.DiskRandomRead | Virtual machine -> Provisioning -> Allow read-only disk access |
VirtualMachine.Provisioning.GetVmFiles | Virtual machine -> Provisioning -> Allow virtual machine download. |
VirtualMachine.State.CreateSnapshot | Virtual machine -> Snapshot management -> Create snapshot |
VirtualMachine.State.RemoveSnapshot | Virtual machine -> Snapshot management -> Remove snapshot |
Cryptographer.Access* | Cryptographic operations -> Direct Access* |

*Only if the source VM is an encrypted VM (vCenter 6.5 and later).
Define Google Cloud accounts
On Google Cloud, you need two accounts:
- A service account in your host project used by the Migrate Connector for run-time data transfer to Google Cloud. You can specify an existing service account, or let the Migrate Connector create a new one for you. The Migrate Connector applies all necessary permissions to the service account to configure it.
- A user account in your host project with the necessary permissions to register the Migrate Connector. This user account is only used at registration time, not at run time.
Configure the user account
You can specify any user account in your host project to register the Migrate Connector. The specified user account requires the following roles:
- roles/iam.serviceAccountKeyAdmin
- roles/iam.serviceAccountCreator
- roles/vmmigration.admin
Determine the email address of the user account you want to use for registration. In the Google Cloud console, you can see all users in your project on the IAM page.

Grant the iam.serviceAccountKeyAdmin role to the user account:

```
gcloud projects add-iam-policy-binding PROJECT_ID --member=user:USER_EMAIL_ADDRESS --role=roles/iam.serviceAccountKeyAdmin
```

Grant the iam.serviceAccountCreator role to the user account:

```
gcloud projects add-iam-policy-binding PROJECT_ID --member=user:USER_EMAIL_ADDRESS --role=roles/iam.serviceAccountCreator
```

Grant the vmmigration.admin role to the user account:

```
gcloud projects add-iam-policy-binding PROJECT_ID --member=user:USER_EMAIL_ADDRESS --role=roles/vmmigration.admin
```
For more on assigning roles and permissions to a user account, see Granting, changing, and revoking access to resources.
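Because the registration account is only needed at registration time, it is worth checking that it holds the three roles above and nothing broader, and removing them afterwards. The following is an added example, not part of the original documentation: it audits the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and builds the matching `remove-iam-policy-binding` commands. The function names, the sample policy and the example.com addresses are assumptions, and only direct project-level bindings are examined (roles inherited from a folder, organization or group are not visible here).

```python
import json

# Roles the page requires for the account that registers the Migrate Connector.
REQUIRED_ROLES = {
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountCreator",
    "roles/vmmigration.admin",
}

def audit_registration_user(policy, email):
    """Compare the user's project-level role bindings with REQUIRED_ROLES."""
    member = f"user:{email}".lower()
    held, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in {m.lower() for m in binding.get("members", [])}:
            continue
        # A conditional binding may not apply at registration time, so it is
        # tracked separately instead of being counted as held.
        (conditional if "condition" in binding else held).add(binding["role"])
    return {
        "missing": sorted(REQUIRED_ROLES - held),
        "conditional_only": sorted((conditional - held) & REQUIRED_ROLES),
        "extra": sorted((held | conditional) - REQUIRED_ROLES),
    }

def revoke_commands(project_id, email):
    """Commands that drop the unconditional registration roles afterwards."""
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member=user:{email} --role={role}"
        for role in sorted(REQUIRED_ROLES)
    ]

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"version": 3, "bindings": [
  {"role": "roles/iam.serviceAccountKeyAdmin", "members": ["user:migrator@example.com"]},
  {"role": "roles/vmmigration.admin",
   "members": ["user:migrator@example.com", "user:other@example.com"]},
  {"role": "roles/owner", "members": ["user:migrator@example.com"]},
  {"role": "roles/iam.serviceAccountCreator", "members": ["user:migrator@example.com"],
   "condition": {"title": "expired", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
]}
""")

if __name__ == "__main__":
    print(audit_registration_user(SAMPLE_POLICY, "migrator@example.com"))
    print("\n".join(revoke_commands("PROJECT_ID", "migrator@example.com")))
```
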
Select the Google Cloud region
On Google Cloud, a region is a specific geographical location where you can host your resources. Regions have three or more zones. For example, the us-west1 region denotes a region on the west coast of the United States that has three zones: us-west1-a, us-west1-b, and us-west1-c.
You choose which region hosts your resources, which controls where your data is stored and used. Distribute your resources across multiple regions to tolerate outages: if a region experiences any disturbances, you should have backup services running in a different region.
When you install the Migrate Connector on Google Cloud VMware Engine, you select a Google Cloud region. The source VMs migrated using this connector are then associated with the chosen region.
To migrate VMs to multiple regions, you must:
- Create a host project.
- Install and configure a separate Migrate Connector for each supported Google Cloud region.
- Migrate and deploy your VMs selecting the supported region for each VM or VM group.

That way, if one region goes down, you can still perform migrations by using a migration source associated with a different region.
See Migrate to Virtual Machines locations for a list of supported regions.
Configure network access
Enable network access for the Migrate Connector by opening the required ports and by opening access to the domains required by the Google Cloud APIs:
Ensure that you have enabled network access for the Migrate Connector. The following table lists the network connectivity requirements for the connector:
Source | Destination | Firewall scope | Protocol | Port |
---|---|---|---|---|
Migrate Connector | vCenter Server | Corp LAN | HTTPS | TCP/443 |
Migrate Connector | vCenter Server | Corp LAN | VMW NBD | TCP/902 |
Migrate Connector | vSphere ESXi | Corp LAN | VMW NBD | TCP/902 |
Migrate Connector* | Google Cloud APIs and Artifact Registry (*.googleapis.com, gcr.io) | Internet, Cloud VPN, or Cloud Interconnect | HTTPS | TCP/443 |
Migrate Connector | Corp DNS Server | Corp LAN | DNS | TCP/UDP/53 |

* If you configure the Migrate Connector VM on vSphere or VMware Engine to use a proxy server, traffic sent to Google Cloud APIs is directed over the proxy server. Direct network connectivity to Google Cloud APIs over port 443 is then not required by the connector.

Ensure that the firewall rules on your vSphere or VMware Engine server allow external access to the following domains required by the Google Cloud APIs:
- *.googleapis.com
- gcr.io
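The connectivity requirements above also serve as an egress baseline for the Migrate Connector VM: any flow outside them deserves a look. This added example (not part of the original documentation) checks logged flows against that baseline, matching `*.googleapis.com` on a label boundary so look-alike host names are not accepted. The key=value log format and the host names under corp.example are constructed assumptions; only the Google domains, protocols and ports come from the table.

```python
# Allowed flows from the connectivity table: (destination pattern, protocol, port).
# Host names under corp.example are constructed placeholders for your inventory.
ALLOWED_FLOWS = [
    ("vcenter.corp.example", "tcp", 443),  # HTTPS to vCenter Server
    ("vcenter.corp.example", "tcp", 902),  # VMW NBD to vCenter Server
    ("*.esxi.corp.example", "tcp", 902),   # VMW NBD to vSphere ESXi hosts
    ("*.googleapis.com", "tcp", 443),      # Google Cloud APIs
    ("gcr.io", "tcp", 443),                # Artifact Registry
    ("dns.corp.example", "tcp", 53),       # Corp DNS server
    ("dns.corp.example", "udp", 53),
]

def host_matches(pattern, host):
    """Exact match, or a '*.suffix' match anchored on a DNS label boundary."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # "x.googleapis.com" matches; "evilgoogleapis.com" and
        # "googleapis.com.cdn.example" do not.
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def unexpected_flows(log_lines):
    """Return (host, protocol, port) tuples not covered by ALLOWED_FLOWS."""
    flagged = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        flow = (fields["dst"], fields["proto"].lower(), int(fields["dport"]))
        if not any(
            host_matches(pat, flow[0]) and (proto, port) == flow[1:]
            for pat, proto, port in ALLOWED_FLOWS
        ):
            flagged.append(flow)
    return flagged

# Constructed egress log lines for the connector VM.
SAMPLE_LOG = [
    "src=migrate-connector dst=vcenter.corp.example proto=TCP dport=443",
    "src=migrate-connector dst=esx07.esxi.corp.example proto=TCP dport=902",
    "src=migrate-connector dst=vmmigration.googleapis.com proto=TCP dport=443",
    "src=migrate-connector dst=gcr.io proto=TCP dport=443",
    "src=migrate-connector dst=dns.corp.example proto=UDP dport=53",
    "src=migrate-connector dst=googleapis.com.cdn.example proto=TCP dport=443",
    "src=migrate-connector dst=vcenter.corp.example proto=TCP dport=22",
]

if __name__ == "__main__":
    for flow in unexpected_flows(SAMPLE_LOG):
        print("unexpected:", flow)
```
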
Install the Migrate Connector
You can now install and register the Migrate Connector. For more information, see Installing the Migrate Connector.
After you've installed and registered the Migrate Connector, you can start migrating your VMs from the Google Cloud VMware Engine data center to Migrate to Virtual Machines. For more information, see Next steps: Start your migration.
Next steps: Start your migration
To start your migration process, see Migrating individual VM.