2.1 Preparing to Deploy PlateSpin Migrate in the Cloud

For migrations to Amazon Web Services cloud and Microsoft Azure cloud, you can use the AWS Quick Start and the Migrate server image template in Azure Marketplace to deploy PlateSpin Migrate server in the respective cloud environment. However, for migrations to Oracle Cloud Infrastructure, you must manually install the PlateSpin Migrate server in that Oracle Cloud Infrastructure environment.

Use the following information to plan, deploy, and configure a PlateSpin Migrate server in your cloud account.

2.1.2 Requirements for Deploying PlateSpin Migrate in the Cloud

Before you install PlateSpin Migrate server in the cloud, ensure that you understand the following requirements for your cloud environment.

Cloud Account

Set up an account in the cloud environment. Ensure that the cloud account is correctly configured and available. See the following for more information, as appropriate for your target cloud environment:

Table 2-1 AWS Account Requirements

AWS Configuration

Description

AWS Account

To create an AWS account, go to Amazon Web Services Console.

AWS EC2 Subscription

PlateSpin supports only Amazon Virtual Private Cloud (VPC).

Amazon Virtual Private Cloud (VPC)

Create an AWS VPC to launch AWS resources into your virtual network. See Amazon Virtual Private Cloud Documentation.

AWS user credentials

You need an AWS Identity and Access Management (IAM) user in your AWS account, with an appropriate IAM role to perform migrations into the VPC using the AWS APIs.

PlateSpin Migrate provides an AWS Role Tool to enable an administrative user to create a new IAM policy based on a default policy and assign an IAM user to the policy. See Creating an IAM Policy and Assigning an IAM User to the Policy in the PlateSpin Migrate 2019.8 User Guide.

Enable Programmatic Access for the IAM user to generate an access key and a secret access key. AWS Management Console Access is optional, but it can be useful for troubleshooting. See Access Keys (Access Key ID and Secret Access Key).

NOTE:We recommend that administrators regularly rotate access keys for IAM users. However, the keys must be rotated only after ensuring that no migration workflow is in progress. See Rotating Access Keys in the AWS Identity and Access Management User Guide.

Table 2-2 Azure Account Requirements

Azure Configuration

Description

Microsoft Azure Account.

Create a account in the Azure environment where you will migrate workloads:

An administrator on the account is required to perform the Application setup, to enable PRE programmatic access, and to create a Contributor user that is to be used by Migrate.

Azure Subscription ID

The ID for the Azure Subscription in the specified Azure account that you want to bill for Azure-related costs. An account can have multiple subscriptions.

Contributor user for the subscription created in Azure Active Directory

A special-purpose user identity for PlateSpin Migrate that you create in Azure Active Directory. You add a Contributor role to the user account for the specified subscription. Using this Contributor user only for Migrate helps to uniquely identify actions performed by Migrate in Azure for the subscription.

In Migrate, you use the Contributor user credentials to add Azure as a target in Migrate. Migrate uses the credentials for this user when it accesses the Migrate Azure API through the related subscription.

Azure Virtual Network and Subnet

You must create least one Virtual Network with a Subnet in the specified Subscription. If you have an site-to-site VPN set up, the subnet must be different than the default Gateway Subnet.

Table 2-3 Oracle Cloud Infrastructure Account Requirements

Oracle Cloud Infrastructure Configuration

Description

Oracle Cloud Infrastructure Account

Before you use PlateSpin Migrate to migrate workloads to Oracle Cloud Infrastructure, you must ensure that you have a Oracle Cloud Account with all the required permissions for performing migrations.

Non-VPN Deployment

A cloud-based PlateSpin Migrate server does not require a site-to-site VPN connection between your local data center and the target cloud platform. When no VPN is provided:

  • Internet access is required.

  • Public IP addresses are required for the PlateSpin Migrate server, the replication network, and target machines. A public IP address is not required for the source machine when you use the Migrate Agent. If you do not use the Migrate Agent, then all components need public IP addresses.

    NOTE:PlateSpin Migrate supports semi-automated migration of workloads to Virtual Machine Instances on your Oracle Cloud Infrastructure environment. Migrate Agent is not supported for registering source workloads that are migrated using the semi-automated migrations. So, public IP is required for the source machine that you want to migrate to Oracle Cloud Infrastructure.

  • Use Migrate Agent to register workloads with the cloud-based Migrate server. Migrate Agent uses secure communications over the public Internet.

    NOTE:PlateSpin Migrate supports semi-automated migration of workloads to Virtual Machine Instances on your Oracle Cloud Infrastructure environment. Migrate Agent is not supported for registering source workloads that are migrated using the semi-automated migrations.

  • You should encrypt data transfer between the source network and cloud location.

  • For cloud targets, compression is enabled by default with a setting of Optimal.

Static Public IP Address

Use a static IP address for the Migrate server to ensure that the IP address does not change when the server is restarted. A change in IP address on the PlateSpin Server breaks the heartbeat communications with source workloads.

  • AWS: Specify Elastic as the allocation method for the public IP address for the Migrate server.

  • Azure: Specify Static as the allocation method for the public IP address of the Migrate server.

  • Oracle Cloud Infrastructure: Specify Static as the allocation method for the public IP address of the Migrate server.

NOTE:You cannot specify the actual IP address assigned to the public IP resource. The cloud vendor allocates and reserves an IP address from a pool of its available IP addresses in the location where you deploy the Migrate server.

Network Security Group

Ensure that the network security group for the PlateSpin Migrate server allows the minimum port settings described in Required Network Security Group Settings for PlateSpin Migrate Server.

TLS Protocols

Transport Layer Security (TLS) 1.2 is automatically enabled for the Windows operating system on the PlateSpin Migrate Server virtual host for Migrate servers deployed in Azure Cloud (by using server image template available in Azure Marketplace) and AWS Cloud (by using AWS Quick Start).

For Migrate servers deployed from Azure Marketplace or using the AWS Quick Start, TLS 1.0 and TLS 1.1 are disabled by default. Migrate provides scripts to easily enable or disable TLS 1.0 and TLS 1.1 on the Migrate server virtual host in the C:\Windows\OEM folder:

  • DisableTLS-1_and_1.1
  • EnableTLS-1_and_1.1

2.1.3 Required Network Security Group Settings for PlateSpin Migrate Server

Table 2-4 describes the minimum default port settings required for the network security group for the PlateSpin Migrate server in the cloud. These settings are required in both VPN and non-VPN deployment scenarios.

NOTE:For PlateSpin Migrate servers deployed using the server image template available in Azure Marketplace or the AWS Quick Start, the network security group is created and configured automatically with the default port settings.

Additional ports might be required, depending on your migration scenario. See Access and Communication Requirements across Your Migration Network in the PlateSpin Migrate 2019.8 User Guide.

Table 2-4 Network Security Group Settings for PlateSpin Migrate Server Communications

Ports

Inbound/Outbound

Protocol

Remark

443, TCP

Inbound and Outbound

HTTPS

 

3389, TCP

Inbound and Outbound

RDP

Required only for traffic from your management network.

22, TCP

Outbound

SSH

Required to communicate with target Linux workloads.

123, TCP

Outbound

Network Time Protocol (NTP)

AWS uses this port to synchronize time for cloud instances in the Amazon Region where it is deployed by using the Amazon Time Sync Service.

For Azure, add this port setting to the security group if you are using an NTP service outside the virtual network where you deploy the Migrate server.

For information about configuring a network security group in the cloud, refer to the following vendor documentation: