8.2 Requirements for Migrating Workloads to Amazon Web Services

Before you can migrate workloads to AWS with PlateSpin Migrate, you must set up your cloud environment. The PlateSpin Migrate server can be installed on-premise where the source workloads reside, or it can be installed in your AWS account.

8.2.1 Minimum AWS Prerequisites

Before you use PlateSpin Migrate to migrate workloads to AWS, ensure that the following cloud access prerequisites are correctly configured and available:

Table 8-1 Minimum Required Configuration for Your AWS Account

AWS Configuration

Description

AWS Account

To create an AWS account, go to Amazon Web Services Console.

AWS EC2 Subscription

PlateSpin supports only Amazon Virtual Private Cloud (VPC).

Amazon Virtual Private Cloud (VPC)

Create an AWS VPC to launch AWS resources into your virtual network. See Amazon Virtual Private Cloud Documentation.

AWS user credentials

You need an AWS Identity and Access Management (IAM) user in your AWS account, with an appropriate IAM role to perform migrations into the VPC using the AWS APIs.

PlateSpin Migrate provides an AWS Role Tool to enable an administrative user to create a new IAM policy based on a default policy and assign an IAM user to the policy. See Creating an IAM Policy and Assigning an IAM User to the Policy

Enable Programmatic Access for the IAM user to generate an access key and a secret access key. AWS Management Console Access is optional, but it can be useful for troubleshooting. See Access Keys (Access Key ID and Secret Access Key).

NOTE:We recommend that administrators regularly rotate access keys for IAM users. However, the keys must be rotated only after ensuring that no migration workflow is in progress. See Rotating Access Keys in the AWS Identity and Access Management User Guide.

For information about setting up the migration user group, policy, and user, see Creating an IAM Policy and Assigning an IAM User to the Policy.

8.2.2 AWS Prerequisites for Using an On Premise Migrate Server

Before you use an on-premise PlateSpin Migrate server to migrate workloads to AWS, ensure that the following prerequisites are correctly configured and available:

  • A PlateSpin Migrate license.

  • PlateSpin Migrate server installed on premise in a network that can properly access the source workloads.

  • A site-to-site VPN connection connecting the AWS gateway to your on-premise gateway. A public IP address for Migrate server is optional when you use a VPN.

    For information, see the following AWS resources:

  • The minimum network-related prerequisites for a successful migration are described in Table 8-2.

    For information about creating and configuring an AWS Security Group, refer to Security Groups for Your VPC in the Amazon Web Services EC2 Documentation.

    For detailed access and communication requirements across your migration network, see Access and Communication Requirements across Your Migration Network.

Table 8-2 Port Requirements for Migrate Server on Premise for Migrations to AWS

Location

Port

Protocol

Remarks

On-premise source workload

Cloud-based target workload

TCP 443, outbound

HTTPS

The on-premise source workload and the cloud-based target workload must be able to communicate with the PlateSpin Migrate server through HTTPS (TCP/port 443) over the site-to-site VPN connection. The target workload is the replica of the source workload that will reside in AWS.

On-premise Migrate Server

TCP 443, outbound

HTTPS

The on-premise PlateSpin Migrate server must be able to communicate with the AWS API endpoint.

On-premise source workloads

TCP 22

TCP 135, 445

UDP 135, 138 and TCP 39

SSH (Linux)

WMI/RPC/DCCOM

NetBIOS

The PlateSpin Migrate server must be able to communicate with the source workloads on the ports that are used for discovery. See Requirements for Discovery and Discovering Details for Source Workloads

On-premise source workloads using Migrate Agent

TCP 22

TCP 443

SSH (Linux)

HTTPS

Instead of discovery, you can alternatively use the Migrate Agent utility to register source workloads with the Migrate server. See Requirements for Workload Registration and Registering Workloads and Discovering Details with Migrate Agent.

On-premise source workload

Cloud-based target workload

TCP 3725/custom

Migrate

The cloud-based target workload must be able to communicate (target to source) with the on-premise source workload across the VPN. The source workload must be able to send data to the target workload during replication across the VPN.

The port number is configurable. See port 3725 in Requirements for Migration.

If you use Migrate Agent for registration and discovery, the default direction of the replication connection must be reversed (source to target) by changing advanced settings on the Migrate server. See Configuring the Contact Direction for the Replication Port.

AWS Security Group for the cloud-based target workloads

VPC Gateway

TCP 3725/custom, inbound and outbound

Migrate

Provide an address range covering all source workloads.

TCP 22, inbound

SSH (Linux)

Provide the IP address of the PlateSpin Migrate server.

TCP 3389, inbound

RDP (Windows)

Provide the IP address of the machine you plan to use to launch an RDP connect to target workloads.

TCP 443, outbound

HTTPS

Provide the IP address of the PlateSpin Migrate server.

TCP 123, outbound

Network Time Protocol (NTP)

Provide the IP address of your NTP server.

8.2.3 AWS Prerequisites for Using an AWS-Based Migrate Server

Before you use PlateSpin Migrate to migrate workloads to AWS, ensure that the following cloud access prerequisites are correctly configured and available:

  • A PlateSpin Migrate license.

  • Use the AWS Quick Start to deploy PlateSpin Migrate server on the AWS Cloud. See Deploying PlateSpin Migrate Server in the Cloud in the PlateSpin Migrate 2019.8 Installation and Upgrade Guide

    NOTE:The cloud-based Migrate server does not require a site-to-site VPN connection between your local data center and AWS Portal. When no VPN is provided between the source network and the cloud-based Migrate server, you can use Migrate Agent to register workloads with the cloud-based Migrate server using secure communications over the public Internet. Internet access and public IP addresses are required. For deployment information, see Figure 8-2, Cloud-Based Migrate Server for Automated Migration to AWS.

  • Configure migrations to AWS with a public IP address for the replication network.

  • (For non-VPN setup) In the PlateSpin Configuration settings on the Migrate server, change the SourceListensForConnection parameter from True to False. See Configuring the Contact Direction for the Replication Port in the User Guide.

  • Allocate a Elastic IP address for the Migrate server to ensure that the IP address does not change when the server is restarted.

    NOTE:A change in IP address on the PlateSpin Server breaks the heartbeat communications with source workloads.

  • Ensure that workloads can reach the public IP address for Migrate server. Set the AlternateServerAddress parameter to the Migrate server’s public IP address on the PlateSpinConfiguration page. See Configuring Alternate IP Addresses for PlateSpin Server.

Table 8-3 Port Requirements for Migrate Server in AWS

Location

Port

Protocol

Remarks

Source workload

Network firewall

TCP 443, outbound

HTTPS

The source workload must be able to register (using the Migrate Agent utility) and communicate with the cloud-based PlateSpin Migrate server through HTTPS (TCP/port 443). The PlateSpin Migrate Server uses secure SSL for communications with the workloads you want to migrate.

Source workload

Network firewall

TCP 3725/custom, outbound

Migrate

The source workload must be able to connect to the cloud-based target workload on TCP port 3725. The PlateSpin Migrate Server uses secure SSL for communications with the workloads you want to migrate.

Port 3725 is the default port number for data transfer. By default, the data transfer is initiated from the target workload to the source workload. The port number and direction for initiating the connection are configurable. For information about changing the default port setting, see port 3725 in Requirements for Migration.

AWS Security Group for the Migrate Server in AWS

TCP 3725/custom, inbound and outbound

Migrate

Provide an address range covering all source workloads.

TCP 22, outbound

SSH (Linux)

This port allows outbound communications from the Migrate server to Linux workloads.

Provide the IP address of the PlateSpin Migrate server.

TCP 3389, inbound

RDP (Windows)

Allow inbound connections in the AWS Security Group for the cloud-based Migrate server.

Provide the IP address of the machine you plan to use to launch an RDP connect to target workloads.

TCP 443, inbound

HTTPS

Provide the IP address of the PlateSpin Migrate server.

TCP 123, outbound

Network Time Protocol (NTP)

Add this port setting to the security group if you are using an NTP service outside the virtual network where you deploy the Migrate server.