Network Access Requirements

To perform a migration, the Velostrata components must be able to reach each other. This means setting up the following:

  • Firewall rules across all environments: on-premises, AWS, and Google Cloud Platform Virtual Private Cloud.
  • VPNs or other network connections between GCP, AWS, and the corporate LAN, with routing and forwarding rules that reach the correct subnets and VMs.
  • GCP Network Tags or Instance Service Accounts that allow traffic to pass between instances.

This page does not list firewall rules or routes for specific applications, other than Velostrata. Your applications may require additional configuration on GCP. For more information, see Firewall Rules, Routes, and Configuring Network Tags.

Network tags

GCP uses network tags to select which VPC firewall rules apply to particular VMs. A tag by itself permits nothing; a firewall rule whose source and target are tags permits traffic between the instances that carry them. Velostrata assigns network tags to facilitate workload migration.

The following table describes required network tags, suggested names, and configurations.

Network tag | Suggested name | Description
Velostrata Manager | fw-velosmanager | You specify this network tag before deploying the Velostrata Manager using the GCP Marketplace click-to-deploy option.
Velostrata Cloud Extension | fw-velostrata | You can apply one or more network tags when you create your Velostrata Cloud Extensions.
Workload | fw-workload | For simplicity, this topic references the Workload network tag, which allows workload nodes to access your project's Velostrata resources.
Custom | (your choice) | Custom tags enable connectivity among the instances that share them. If you have several VM instances serving a website, tag these instances with a common value, and then use that tag to apply a firewall rule that allows HTTP access to those instances.

Note: Valid network tag names on GCP are 1 to 63 characters long and contain only lowercase letters, numerals, and dashes. They must start with a lowercase letter and end with a lowercase letter or a numeral.

Firewall rules

The following tables list the firewall access Velostrata needs: the source, the destination, the scope in which the rule is enforced, whether the rule is optional, and the protocol and port. Where both ends of a rule are network tags, write the rule with source tags and target tags rather than subnet ranges, so that broad rules (such as the ANY/ANY rule between Cloud Extension nodes) stay scoped to the tagged instances.

For additional information, see the GCP VPC firewall rules documentation.

GCP Virtual Private Cloud

Source | Destination | Firewall scope | Optional? | Protocol | Port
Velostrata Manager network tags (GCP) | GCP API Endpoint | Internet or Private Google Access | No | HTTPS | TCP/443
Velostrata Manager network tags (GCP) | AWS API Endpoint (AWS-to-GCP migrations) | Internet | No | HTTPS | TCP/443
Corporate LAN Subnets (for web UI access) | Velostrata Manager network tags (GCP) | VPN On-Premises | No | HTTPS | TCP/443
Velostrata Backend | Velostrata Manager network tags (GCP) | VPN On-Prem | No | gRPC | TCP/9119
Velostrata Manager network tags (GCP) | Workload network tags (GCP) (instance console availability probe) | VPC | Yes | RDP, SSH | TCP/3389, TCP/22
Velostrata Manager network tags (GCP) | Velostrata Cloud Extension network tags (GCP) | VPC | No | HTTPS | TCP/443, TCP/9111
Velostrata Manager network tags (GCP) | Velostrata Importers (AWS Subnet) | VPN to AWS | No | HTTPS | TCP/443
Velostrata Cloud Extension network tags (GCP) | Google Cloud Storage API | Internet or Private Google Access | No | HTTPS | TCP/443
Workload network tags (GCP) or Instance Service Accounts (GCP) | Velostrata Cloud Extension network tags (GCP) | VPC | No | iSCSI | TCP/3260
Velostrata Backend | Velostrata Cloud Extension network tags (GCP) | VPN On-Prem | No | TLS | TCP/9111
Velostrata Importers (AWS Subnet) | Velostrata Cloud Extension network tags (GCP) | VPN to AWS | No | TLS | TCP/9111
Velostrata Cloud Extension network tags (GCP) | Velostrata Cloud Extension network tags (GCP) | VPC | No | ANY | ANY

On-Premises

The following table lists the rules that apply when migrating VMware virtual machines or physical machines on-premises to GCP.

Source | Destination | Firewall scope | Optional? | Protocol | Port
Velostrata Backend | vCenter Server | Corp LAN | No | HTTPS | TCP/443
Velostrata Backend | vSphere ESXi | Corp LAN | No | VMW NBD | TCP/902
Velostrata Backend | Stackdriver using the Internet | Internet | Yes | HTTPS | TCP/443
Velostrata Backend | Corp DNS Server | Corp LAN | No | DNS | TCP/UDP/53
Velostrata Backend | Velostrata Manager (GCP) | VPN to GCP | No | TLS/SSL, HTTPS | TCP/9119, TCP/443
Velostrata Backend | Velostrata Cloud Extension Nodes (GCP Subnet) | VPN to GCP | No | TLS/SSL | TCP/9111
vCenter Server | Velostrata Backend | Corp LAN | No | HTTPS | TCP/443
vCenter Server (Velostrata Plugin) | Velostrata Manager on GCP | VPN to GCP | No | HTTPS | TCP/443

AWS VPC

The following table lists the rules that apply when migrating AWS EC2 instances from an AWS VPC to GCP.

Source | Destination | Firewall scope | Optional? | Protocol | Port
Velostrata Manager | Velostrata Importers Security Group | VPN to GCP | No | HTTPS | TCP/443
Velostrata Importers Security Group | Velostrata Cloud Extension Nodes (GCP Subnet) | VPN to GCP | No | TLS | TCP/9111

Troubleshooting

The following rules are not required for migrations, but allow you to connect directly to servers and receive logs while troubleshooting problems. Because they expose SSH, scope their sources to the administrative hosts or VPN range you actually use, and remove them when troubleshooting is done.

Source | Destination | Firewall scope | Optional? | Protocol | Port
Your local machine | Velostrata Manager on GCP | VPN to GCP | Yes | SSH | TCP/22
Velostrata Manager (GCP) | Velostrata on-premises backend | VPN On-Prem | Yes | SSH | TCP/22
Velostrata Manager (GCP) | Velostrata Cloud Extension Network Tags (GCP) | VPC | Yes | SSH | TCP/22
Velostrata Manager (GCP) | Velostrata Importers (AWS Subnet) | VPN to AWS | Yes | SSH | TCP/22
Workload Network Tags (GCP) or Instance Service Account (GCP) | Velostrata Cloud Extension Network Tags (GCP) | VPC | Yes | SYSLOG (for GCP VM boot phase) | UDP/514

Example On-Premises to GCP configuration

The previous sections list the rules that may apply to your migration. This section shows a sample firewall configuration for your VPC as you would enter it in the GCP console. For more information, see Creating firewall rules.

In the following example, the 192.168.1.0/24 subnet represents the on-premises network and 10.1.0.0/16 represents the VPC.

Name | Type | Target | Source | Ports | Purpose
velos-backend-control | Ingress | fw-velosmanager | 192.168.1.0/24 | tcp:9119 | Control plane between Velostrata Backend and Velostrata Manager.
velos-ce-backend | Ingress | fw-velostrata | 192.168.1.0/24 | tcp:9111 | Encrypted migration data sent from Velostrata Backend to Cloud Extensions.
velos-ce-control | Ingress | fw-velostrata | fw-velosmanager | tcp:443, tcp:9111 | Control plane between Cloud Extensions and Velostrata Manager.
velos-ce-cross | Ingress | fw-velostrata | fw-velostrata | all | Synchronization between Cloud Extension nodes.
velos-console-probe | Ingress | fw-workload | fw-velosmanager | tcp:22, tcp:3389 | Allows the Velostrata Manager to check whether the SSH or RDP console on the migrated VM is available.
velos-vcplugin | Ingress | fw-velosmanager | 192.168.1.0/24 | tcp:443 | Control plane between vCenter plugin and Velostrata Manager.
velos-webui | Ingress | fw-velosmanager | 192.168.1.0/24, 10.1.0.0/16 | tcp:443 | HTTPS access to Velostrata Manager for web UI.
velos-workload | Ingress | fw-velostrata | fw-workload | tcp:3260, udp:514 | iSCSI for data migration and syslog.
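The same example configuration as a gcloud script, added here as a worked example; it is not part of the Velostrata documentation or product. It also applies the network tag naming rule from the Network tags section before creating anything. Assumptions not in the page: a VPC named velos-vpc (override with NETWORK), an active gcloud project, and a DRY_RUN switch that prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not Velostrata's own tooling): create the ingress rules from
# the example On-Premises to GCP table with gcloud.
# Assumed: VPC "velos-vpc" (override with NETWORK=...), the active gcloud
# project, on-prem 192.168.1.0/24 and VPC 10.1.0.0/16 as in the table.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 runs them.

NETWORK="${NETWORK:-velos-vpc}"
DRY_RUN="${DRY_RUN:-1}"

# GCP network tag rule (an RFC 1035 label): 1-63 characters of lowercase
# letters, digits and dashes, starting with a letter, ending with a letter
# or digit. Returns 0 for a valid tag, 1 otherwise.
valid_tag() {
  printf '%s' "$1" | grep -Eq '^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# fw_rule NAME TARGET_TAG SOURCE ALLOW
#   SOURCE is either a comma-separated CIDR list (contains "/") or a source
#   tag; ALLOW is the gcloud --allow spec, e.g. tcp:443,tcp:9111 or all.
# Prints (or runs) one gcloud command; returns 1 on an invalid tag or on an
# internet-wide source, which none of the Velostrata rules needs.
fw_rule() {
  fw_name=$1; fw_target=$2; fw_source=$3; fw_allow=$4
  valid_tag "$fw_target" || { echo "$fw_name: invalid target tag '$fw_target'" >&2; return 1; }
  case "$fw_source" in
    */*)
      case ",$fw_source," in
        *,0.0.0.0/0,*) echo "$fw_name: refusing source 0.0.0.0/0" >&2; return 1 ;;
      esac
      fw_src="--source-ranges=$fw_source" ;;
    *)
      # A tag-to-tag rule stays scoped to tagged instances even when it
      # allows all protocols (velos-ce-cross below).
      valid_tag "$fw_source" || { echo "$fw_name: invalid source tag '$fw_source'" >&2; return 1; }
      fw_src="--source-tags=$fw_source" ;;
  esac
  fw_cmd="gcloud compute firewall-rules create $fw_name --network=$NETWORK --direction=INGRESS --allow=$fw_allow $fw_src --target-tags=$fw_target"
  if [ "$DRY_RUN" = 1 ]; then
    echo "$fw_cmd"
  else
    $fw_cmd
  fi
}

# One call per row of the example table.
fw_rule velos-backend-control fw-velosmanager 192.168.1.0/24 tcp:9119
fw_rule velos-ce-backend      fw-velostrata   192.168.1.0/24 tcp:9111
fw_rule velos-ce-control      fw-velostrata   fw-velosmanager tcp:443,tcp:9111
fw_rule velos-ce-cross        fw-velostrata   fw-velostrata   all
fw_rule velos-console-probe   fw-workload     fw-velosmanager tcp:22,tcp:3389
fw_rule velos-vcplugin        fw-velosmanager 192.168.1.0/24 tcp:443
fw_rule velos-webui           fw-velosmanager 192.168.1.0/24,10.1.0.0/16 tcp:443
fw_rule velos-workload        fw-velostrata   fw-workload     tcp:3260,udp:514
```

Review the printed commands, then run the script again with DRY_RUN=0 NETWORK=<your VPC> to create the rules. Sources that are tags are passed as --source-tags rather than expanded to subnet ranges, so the all-protocol velos-ce-cross rule reaches only instances tagged fw-velostrata.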

Network routing and forwarding

Once the firewall rules that allow the necessary communication are in place, you may still need static routes to carry traffic between the networks.

For routing and forwarding inside the on-premises corporate LAN, see your router, firewall, and VPN vendor documentation.

For routing and forwarding in GCP, see the Google Cloud VPC routes documentation; for routing and forwarding from AWS to GCP, see the AWS VPC route table documentation.
