Installing the Migrate Connector

Before you can start migrating VMs, you must first configure a migration source that specifies the on-premises data center from which you'll be migrating the VMs. To configure a migration source, install and configure the Migrate Connector on your vSphere data center.

Once installed, the Migrate Connector:

Establishes a secure datapath between the on-premises environment and the Google Cloud using Google Cloud APIs over port 443. Migration traffic can be routed over public internet, VPN, Private Google Access, or Dedicated interconnect.
Performs storage operations against VM disks using the vSphere APIs.
Queries on-premises VM inventory so that you can use the Google Cloud console to browse the VMs in the data center available for migration.
Stops and monitors source VMs using vSphere APIs when performing cut-over.

See Migrate to Virtual Machines Architecture for more on the Migrate Connector.

Before you begin

Before you can install the Migrate Connector, you must first enable Migrate to Virtual Machines on Google Cloud. See Enabling Migrate to Virtual Machines services.

Prerequisites

To install and register the Migrate Connector, you must first satisfy the following prerequisites:

Migrate Connector hardware requirements:
- 4 CPUs with Instruction Set Architecture (ISA) compatibility to Westmere CPU or higher
- 16 GB of RAM
- 30 GB of datastore space
On vSphere, you must create a vCenter user account with the permissions required by the Migrate Connector to access your vSphere environment. See 1. Creating the vCenter user for the Migrate Connector.
To connect your workstation to the Migrate Connector VM running on vSphere, you need to create an SSH public/private key pair. See 2. Creating the SSH public/private key pair.
On Google Cloud define two accounts:
- A user account with the necessary permissions to perform registration. This user account is only used at registration time.
- A service account used by the Migrate Connector for run-time data transfer to Google Cloud.
See 3. Defining Google Cloud accounts.
When registering the Migration connector, you must provide the Google Cloud region used to host your migrated VMs. See 4. Selecting the Google Cloud region.
Ensure that you have enabled network access for the Migrate Connector as described in 5. Configuring network access.

The following sections describe these prerequisites in more detail.

1. Creating the vCenter user for the Migrate Connector

Create a vCenter user account with the necessary permissions required by the Migrate Connector to access your vSphere environment. You then pass the user credentials to the Migrate Connector at install time.

The following table lists the permissions and the permission as it appears in the vSphere UI:

Permission	UI permission
`Global.DisableMethods`	Global -> Disable methods
`Global.EnableMethods`	Global -> Enable methods
`VirtualMachine.Config.ChangeTracking`	Virtual machine -> Change Configuration -> Toggle disk change tracking
`VirtualMachine.Interact.PowerOff`	Virtual machine -> Interaction -> Power off
`VirtualMachine.Provisioning.DiskRandomRead`	Virtual machine -> Provisioning -> Allow read-only disk access
`VirtualMachine.Provisioning.GetVmFiles`	Virtual machine -> Provisioning -> Allow virtual machine download.
`VirtualMachine.State.CreateSnapshot`	Virtual machine -> Snapshot management -> Create snapshot
`VirtualMachine.State.RemoveSnapshot`	Virtual machine -> Snapshot management -> Remove snapshot
`Cryptographer.Access^*`	Cryptographic operations -> Direct Access^*
^*Only if the source VM is an encrypted VM (vCenter 6.5 and later).

2. Creating the SSH public/private key pair

Create an SSH public/private key pair used to connect your workstation to the Migrate Connector VM running on vSphere. You then copy the public key to the Migrate Connector VM as part of the registration procedure. The Migrate Connector uses the public key when connecting to your workstation.

There are many ways to generate a public/private SSH key pair. The example below uses the Linux ssh-keygen utility but you can use any utility compatible with your workstation and OS.

Log in to your workstation, meaning the remote machine that you use to connect to the vSphere data center.
Change directory to ~/.ssh.

If this directory does not exist, create it.

Note: Some key generation utilities will create this directory for you.
Use the following example generates a public key (~/.ssh/id_rsa.pub) and a private key (~/.ssh/id_rsa) with a single command:
```
ssh-keygen -t rsa
```
This command creates a public key named id_rsa.pub that you pass to the Migrate Connector during registration. The actual name of your public key depends on the utility that you use to create the key.

This example uses the PuTTY client on Windows to generate the keys:

Download and install PuTTY from https://www.putty.org/.
Start puttykeygen.exe.
Under Parameters, select RSA.
Select Generate to create the keys.

You see the public key displayed in PuTTy, in the form ssh-rsa AAAAB3NzaC1yc2EAAAADAQA.... Copy the public key for use later in this procedure.
Select Save public key and Save private key to save the keys.

3. Defining Google Cloud accounts

On Google Cloud, you need two accounts:

A service account in your host project used by the Migrate Connector for run-time data transfer to Google Cloud.

You can specify an existing service account, or let the Migrate Connector create a new one for you. The Migrate Connector applies all necessary permissions to the service account to configure it.
A user account in your host project with the necessary permissions to register the Migrate Connector. This user account is only used at registration time, not at run time.

Note: The user account used to register the connector is limited to 19 sources. If you want to register more than 19 sources to the same Migrate to Virtual Machines host project, you need to create additional service accounts.

See the procedure below to configure this account.

To configure the user account:

You can specify any user account in your host project to register the Migrate Connector. The specified user account requires the following permissions:

roles/iam.serviceAccountKeyAdmin
roles/iam.serviceAccountCreator
roles/vmmigration.admin

Determine the email address of the user account you want to use for registration. In the Google Cloud console, you can see all users in your project on the IAM page:

Go to the IAM page
Grant the iam.serviceAccountKeyAdmin role to the user account:
```
gcloud projects add-iam-policy-binding PROJECT_ID
  --member=user:USER_EMAIL_ADDRESS --role=roles/iam.serviceAccountKeyAdmin
```
Note: Depending on the security configuration of your project, you might be prompted to select a condition. Often selecting the option of None is correct, but confirm that with your security team.

Grant the iam.serviceAccountCreator role to the user account:

gcloud projects add-iam-policy-binding PROJECT_ID
  --member=user:USER_EMAIL_ADDRESS --role=roles/iam.serviceAccountCreator

Grant the vmmigration.admin role to the user account:

gcloud projects add-iam-policy-binding PROJECT_ID
  --member=user:USER_EMAIL_ADDRESS --role=roles/vmmigration.admin

For more on assigning roles and permissions to a user account, see Granting, changing, and revoking access to resources.

4. Selecting the Google Cloud region

On the Google Cloud a region is a specific geographical location where you can host your resources. Regions have three or more zones. For example, the us-west1 region denotes a region on the west coast of the United States that has three zones: us-west1-a, us-west1-b, and us-west1-c.

You choose which region hosts your resources, which controls where your data is stored and used. Distribute your resources across multiple regions to tolerate outages. Therefore, if a region experiences any disturbances, you should have backup services running in a different region.

When you install the Migrate Connector on vSphere, you select a Google Cloud region. The source VMs migrated using this connector are then associated with the chosen region.

To migrate VMs to multiple regions, you must:

Create a host project.
Install and configure a separate Migrate Connector for each supported Google Cloud region.
Migrate and deploy your VMs selecting your desired supported region for each VM or VM group.

In that way, if one region goes down, you can still perform migrations by using a migration source associated with a different region.

See Migrate to Virtual Machines locations for a list of supported regions.

5. Configuring network access

Enable network access for the Migrate Connector by opening the required ports and by opening access to the domains required by the Google Cloud APIs:

Ensure that you have enabled network access for the Migrate Connector. The following table lists the network connectivity requirements for the connector:

Source	Destination	Firewall scope	Protocol	Port
Migrate Connector	vCenter Server	Corp LAN	HTTPS	TCP/443
Migrate Connector	vCenter Server	Corp LAN	VMW NBD	TCP/902
Migrate Connector	vSphere ESXi	Corp LAN	VMW NBD	TCP/902
Migrate Connector*	Google Cloud APIs and Container Registry (*.googleapis.com, gcr.io)	Internet, Cloud VPN, or Cloud Interconnect	HTTPS	TCP/443
Migrate Connector	Corp DNS Server	Corp LAN	DNS	TCP/UDP/53
* If you configure the Migrate Connector VM on vSphere to use a proxy server, traffic sent to Google Cloud APIs is directed over the proxy server. Direct network connectivity to Google Cloud APIs over port 443 is then not required by the connector.

Ensure that the firewall rules on your vSphere server allow external access to the following domains required by the Google Cloud APIs:
- *.googleapis.com
- gcr.io

Installing the Migrate Connector

To install the Migrate Connector:

Download the Migrate Connector OVA file to VCenter (checksum).
Sign in to vSphere using an account with the permissions required to deploy an OVF file.
Right-click on your data center and select Deploy OVF Template.
Select the Migrate Connector OVA file, and then select Next.
Choose the virtual machine name and folder for the connector, or use the default name, and then select Next.
Select the compute resource, and then select Next.
Review the installation details, and then select Next.
Select the storage datasource used by the connector, and then select Next.
Select the network that will host the connector, and then select Next.
Customize the template:
1. Provide the SSH public key that you created on your workstation machine.
  
  This is the key you created above in 2. Creating the SSH public/private key pair. In that example, the SSH public key was written to a file named ~/.ssh/id_rsa.pub. Provide the contents of the file here. For example ssh-rsa AAAAB3NzaC1yc2EAAAADAQA....
2. Set the hostname of the machine or accept the default.
3. Optionally, set any properties under Networking Properties. If you do not set these properties, then the VM uses DHCP. Two options that you might have to set include:
  1. Google API Address: Specifies if the API address is Public, Private, or Restricted. The default value is Public. Choose Private or Restricted if you are using Google Private Access.
  2. HTTP Proxy: Specifies a proxy server used for all outbound traffic to Google Cloud. The Migrate Connector does not support authentication so do not specify any authentication credentials.
  3. Static network route: If required by your network environment specify static routes.
Select Finish when you have completed the configuration to deploy the VM.
After deployment completes, start the VM.
After the VM starts, record its IP address.

You need the IP address in the next section to register the connector.

Registering the Migrate Connector as a Google Cloud source

After you install the Migrate Connector on VSphere, you need to register it as a Google Cloud source. Registration allows the connector to then pass data to Google Cloud.

To register the connector:

From your workstation, open an SSH connection to the Migrate Connector using the IP address of the Migrate Connector VM and the private key you created earlier in 2. Creating the SSH public/private key pair.

For example, for Linux you can use the ssh command:
```
ssh -i path-to-private-key admin@connector-ip-or-hostname 
```
For Windows, you can use PuTTy to open the connection:
1. Start Putty.
2. Under Connection -> SSH-> AUTH -> private key file for authentication select the private key file.
3. In Session -> Host Name specify:
  
  admin@connector-ip-or-hostname
4. Click Open.
View help information for the m2vm CLI:
```
m2vm --help
```
View the connector status:
```
m2vm status
```
The results should show that the connector can reach Cloud APIs and that it is not registered.
To register the connector enter the command:
```
m2vm register
```
You are prompted for the following information:
1. The vCenter host IP address, meaning the IP address of the vCenter in the vSphere cluster you are migrating VM from. This is typically the same IP address that you see when you sign in to vSphere.
2. Verify the vSphere thumbprint.
3. Enter the username and password for the vCenter account used to administer the Migrate Connector. This is the account you created as described in 1. Creating the vCenter user for the Migrate Connector.
4. Enter your Google Cloud access token:
```
Please provide your Google Cloud User Account access token to register Migrate Connector (Note: The token is valid for 60 minutes) Enter access token:
```
  To obtain an access token using Google Cloud console, follow these steps:
  1. Navigate to Google Cloud console.
  2. Click the Activate Cloud Shell Terminal button in the top-right of Google Cloud console. The Cloud Shell Terminal should appear at the bottom of your screen.
  3. In the Cloud Shell Terminal, run the following command:
```
gcloud auth print-access-token
```
  4. Copy the access token from Cloud Shell and paste it into the Migrate to Virtual Machines CLI.
5. Select the Google Cloud host project you want to connect with the Migrate Connector. You must have already enabled the Migrate to Virtual Machines API in this project as described in Enabling Migrate to Virtual Machines services.
6. Select the Google Cloud region you want to connect with this Migrate Connector. See 4. Selecting the Google Cloud region for more on selecting the region.
7. Enter the source name. This is the name of the source as shown in the Google Cloud console for Migrate to Virtual Machines.
  
  In the following image, the source name is set to mfce-test-demo-source:
  
  Select new and enter name for a new source, or select an existing source to overwrite it.
8. Specify the service account in your host project to be used by the Migrate Connector to connect to Google Cloud. You can select an existing service account, or let the Migrate Connector create a new one for you as described above in 3. Defining Google Cloud accounts.
  
  The Migrate Connector connects to disks in your on-premises data center to replicate data to Google Cloud. Registration applies the necessary roles to this service account automatically to enable this data transfer.
  
  Note: It might take several minutes for the registration process to complete before the status indicates that the connector is registered.
Check the status:
```
m2vm status
```
Ensure that the connector is now registered.
Open the Migrate to Virtual Machines page in the Google Cloud console:

Go to the Migrate to Virtual Machines page
Select the Sources tab. You should see the new source appear in the source drop-down list.

Note: It might take several minutes for the new source to appear in the drop-down list.

Modifying a Migrate Connector configuration

You can modify the properties of a Migrate Connector configuration. The way you modify the connector is based on the properties that you want to update:

To modify properties of the Migrate Connector VM, such as the Static network route, sign in to vSphere and edit the OVA parameters for the Migrate Connector.
To modify the properties used to register the connector as a Google Cloud source, such as the Google Cloud host project or region, use the m2vm CLI.

To modify the VM parameters:

Sign in to vSphere using an account with the permissions required to edit a VM.
Stop the Migrate Connector VM.
Edit the OVA parameters for the Migrate Connector.
Start the VM.

To modify the Google Cloud registration properties:

From your workstation, open an SSH connection to the Migrate Connector using the IP address of the Migrate Connector VM and the private key you created earlier:
```
ssh -i path-to-private-key admin@connector-vm-ip 
```
Run the register command:
```
m2vm register
```
See Registering the Migrate Connector as a Google Cloud source.

Updating a Migrate Connector

Migrate to Virtual Machines supports Migrate Connector updates. When an update is available for a Migrate Connector, you'll see a relevant message in the Sources card on the dashboard, and also on the Sources tab while the relevant source is selected. You'll also be notified on the Sources tab if other sources have updates.

To update your Migrate Connector, follow these steps:

Click the Sources tab. If an update is available, you'll see the message: An update is available for your source.
Click the View details button. On the Source details page, you'll see the message: An in-place update is available for your source.

Note: If the Update button is unavailable and you see the message A new version of the Migrate Connector is available for your source, you need to redeploy your Migrate Connector.
Click the Update button. Once your Migrate Connector has been updated, you'll see the message: Source has been successfully updated.
Optional: Verify the update by checking the Last update field on the Source details page.

Redeploying a Migrate Connector

In rare cases (such as a significant change in the core Migrate Connector code base), automatic updates may not available for your Migrate Connector. In this case, you need to redeploy your Migrate Connector.

To redeploy a Migrate Connector, follow these steps:

Download the and install the Migrate Connector OVA file.
Register the new Migrate Connector using the same region and source (your old Migrate Connector will become idle).
Stop and delete your old Migrate Connector's VM to clean up resources.

Deleting a Migrate Connector

To delete a Migration Connector, you must delete the corresponding source in the Google Cloud console, and delete the vSphere VM for the Migrate Connector.

To delete the Migrate Connector:

Open the Migrate to Virtual Machines page in the Google Cloud console:

Go to the Migrate to Virtual Machines page
Select the Sources tab.
From the drop-down list, select the source corresponding to the Migrate Connector.
Select the Migrations tab.
Select all source VMs.
Select Delete and then confirm the deletion.

The VMs are removed from the Migration table.
Select the Sources tab.
Select Source Details.
Under the Data center connectors section of the Source Details page, select the trash icon next to the name of the source to delete the connector.
Confirm the delete.
Select Delete Source to delete the source.
Sign in to vSphere using an account with the permissions required to delete a VM.
Stop the Migrate Connector VM.
Delete the VM.

What's next

Migrating individual VMs