For migrations to Amazon Web Services cloud and Microsoft Azure cloud, you can use the AWS Quick Start and the Migrate server image template in Azure Marketplace to deploy PlateSpin Migrate server in the respective cloud environment. However, for migrations to Oracle Cloud Infrastructure, you must manually install the PlateSpin Migrate server in that Oracle Cloud Infrastructure environment.
Use the following information to plan, deploy, and configure a PlateSpin Migrate server in your cloud account.
For information about non-VPN deployment scenarios that require a cloud-based PlateSpin Migrate server, see the following information in Preparing Your Migration Environment
in the PlateSpin Migrate User Guide:
Before you install PlateSpin Migrate server in the cloud, ensure that you understand the following requirements for your cloud environment.
Set up an account in the cloud environment. Ensure that the cloud account is correctly configured and available. See the following for more information, as appropriate for your target cloud environment:
Table 2-1 AWS Account Requirements
|
AWS Configuration |
Description |
|---|---|
|
AWS Account |
To create an AWS account, go to Amazon Web Services Console. |
|
AWS EC2 Subscription |
PlateSpin supports only Amazon Virtual Private Cloud (VPC). |
|
Amazon Virtual Private Cloud (VPC) |
Create an AWS VPC to launch AWS resources into your virtual network. See Amazon Virtual Private Cloud Documentation. |
|
AWS user credentials |
You need an AWS Identity and Access Management (IAM) user in your AWS account, with an appropriate IAM role to perform migrations into the VPC using the AWS APIs. PlateSpin Migrate provides an AWS Role Tool to enable an administrative user to create a new IAM policy based on a default policy and assign an IAM user to the policy. See Creating an IAM Policy and Assigning an IAM User to the Policy in the PlateSpin Migrate 2020.2 User Guide. Enable Programmatic Access for the IAM user to generate an access key and a secret access key. AWS Management Console Access is optional, but it can be useful for troubleshooting. See Access Keys (Access Key ID and Secret Access Key). NOTE:We recommend that administrators regularly rotate access keys for IAM users. However, the keys must be rotated only after ensuring that no migration workflow is in progress. See |
Table 2-2 Azure Account Requirements
|
Azure Configuration |
Description |
|---|---|
|
Microsoft Azure Account. |
Create a account in the Azure environment where you will migrate workloads: An administrator on the account is required to perform the Application setup, to enable PRE programmatic access, and to create a Contributor user that is to be used by Migrate. |
|
Azure Subscription ID |
The ID for the Azure Subscription in the specified Azure account that you want to bill for Azure-related costs. An account can have multiple subscriptions. |
|
Contributor user for the subscription created in Azure Active Directory |
A special-purpose user identity for PlateSpin Migrate that you create in Azure Active Directory. You add a Contributor role to the user account for the specified subscription. Using this Contributor user only for Migrate helps to uniquely identify actions performed by Migrate in Azure for the subscription. In Migrate, you use the Contributor user credentials to add Azure as a target in Migrate. Migrate uses the credentials for this user when it accesses the Migrate Azure API through the related subscription. |
|
Azure Virtual Network and Subnet |
You must create least one Virtual Network with a Subnet in the specified Subscription. If you have an site-to-site VPN set up, the subnet must be different than the default Gateway Subnet. |
Table 2-3 Oracle Cloud Infrastructure Account Requirements
|
Oracle Cloud Infrastructure Configuration |
Description |
|---|---|
|
Oracle Cloud Infrastructure Account |
Before you use PlateSpin Migrate to migrate workloads to Oracle Cloud Infrastructure, you must ensure that you have a Oracle Cloud Account with all the required permissions for performing migrations. |
A cloud-based PlateSpin Migrate server does not require a site-to-site VPN connection between your local data center and the target cloud platform. When no VPN is provided:
Internet access is required.
Public IP addresses are required for the PlateSpin Migrate server, the replication network, and target machines. A public IP address is not required for the source machine when you use the Migrate Agent. If you do not use the Migrate Agent, then all components need public IP addresses.
NOTE:PlateSpin Migrate supports semi-automated migration of workloads to Virtual Machine Instances on your Oracle Cloud Infrastructure environment. Migrate Agent is not supported for registering source workloads that are migrated using the semi-automated migrations. So, public IP is required for the source machine that you want to migrate to Oracle Cloud Infrastructure.
Use Migrate Agent to register workloads with the cloud-based Migrate server. Migrate Agent uses secure communications over the public Internet.
NOTE:PlateSpin Migrate supports semi-automated migration of workloads to Virtual Machine Instances on your Oracle Cloud Infrastructure environment. Migrate Agent is not supported for registering source workloads that are migrated using the semi-automated migrations.
You should encrypt data transfer between the source network and cloud location.
For cloud targets, compression is enabled by default with a setting of Optimal.
Use a static IP address for the Migrate server to ensure that the IP address does not change when the server is restarted. A change in IP address on the PlateSpin Server breaks the heartbeat communications with source workloads.
AWS: Specify Elastic as the allocation method for the public IP address for the Migrate server.
Azure: Specify Static as the allocation method for the public IP address of the Migrate server.
Oracle Cloud Infrastructure: Specify Static as the allocation method for the public IP address of the Migrate server.
NOTE:You cannot specify the actual IP address assigned to the public IP resource. The cloud vendor allocates and reserves an IP address from a pool of its available IP addresses in the location where you deploy the Migrate server.
Ensure that the network security group for the PlateSpin Migrate server allows the minimum port settings described in Required Network Security Group Settings for PlateSpin Migrate Server.
Transport Layer Security (TLS) 1.2 is automatically enabled for the Windows operating system on the PlateSpin Migrate Server virtual host for Migrate servers deployed in Azure Cloud (by using server image template available in Azure Marketplace) and AWS Cloud (by using AWS Quick Start).
For Migrate servers available in Azure Marketplace or using the AWS Quick Start, TLS 1.0 and TLS 1.1 are disabled by default. Migrate provides scripts to easily enable or disable TLS 1.0 and TLS 1.1 on the Migrate server virtual host in the C:\Windows\OEM folder:
Table 2-4 describes the minimum default port settings required for the network security group for the PlateSpin Migrate server in the cloud. These settings are required in both VPN and non-VPN deployment scenarios.
NOTE:For PlateSpin Migrate servers deployed using the server image template available in Azure Marketplace or the AWS Quick Start, the network security group is created and configured automatically with the default port settings.
Additional ports might be required, depending on your migration scenario. See Access and Communication Requirements across Your Migration Network
in the PlateSpin Migrate 2020.2 User Guide.
Table 2-4 Network Security Group Settings for PlateSpin Migrate Server Communications
|
Ports |
Inbound/Outbound |
Protocol |
Remark |
|---|---|---|---|
|
443, TCP |
Inbound and Outbound |
HTTPS |
|
|
3389, TCP |
Inbound and Outbound |
RDP |
Required only for traffic from your management network. |
|
22, TCP |
Outbound |
SSH |
Required to communicate with target Linux workloads. |
|
123, TCP |
Outbound |
Network Time Protocol (NTP) |
AWS uses this port to synchronize time for cloud instances in the Amazon Region where it is deployed by using the Amazon Time Sync Service. For Azure, add this port setting to the security group if you are using an NTP service outside the virtual network where you deploy the Migrate server. |
For information about configuring a network security group in the cloud, refer to the following vendor documentation:
AWS: Security Groups for Your VPC in Amazon Web Services EC2 Documentation.
Azure: Create, Change, or Delete a Network Security Group in Microsoft Azure Documentation.