Tuesday 23 February 2016

Migrating an ESXI virtual machine to AWS EC2

AWS allows you to migrate existing machines to its EC2 platform - although there are specific prerequisites we should ensure are in place before attempting to migrate a machine:

- SSH must be enabled on the host

- The IP configuration must be set to DHCP

- OS must be Linux or Windows - I know BSD distros are available, but I don't see any reference to them or to support for them

- Partitions for Windows and Linux must be MBR for system volumes (no GPT).

- Filesystems for Windows must be NTFS - Linux should be ext2, ext3, ext4, Btrfs, JFS, or XFS.

- Linux VMs must be imported as x64!

There are quite a few others (I've tried to cover the main ones here) - more info here:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/VMImportPrerequisites.html#vmimport-limitations

We will start by creating an OVA file - from the vSphere client (GUI or Web Client) we need to shut down the VM, then select it and go to: File >> Export >> Export OVF Template...

Ensure that 'OVA' format is selected, specify a name and output directory and hit OK.

Download and run the Amazon AWS CLI installer: https://s3.amazonaws.com/aws-cli/AWSCLI64.msi

Open a command prompt here: C:\Program Files\Amazon\AWSCLI

We then configure our account information by issuing:

aws configure

We will need to create a specific IAM role to allow VM import/export operations, because the vmimport function requires access to other services such as S3.

So we should create a file as follows: trust-policy.json

With the following content:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"",
         "Effect":"Allow",
         "Principal":{
            "Service":"vmie.amazonaws.com"
         },
         "Action":"sts:AssumeRole",
         "Condition":{
            "StringEquals":{
               "sts:ExternalId":"vmimport"
            }
         }
      }
   ]
}

And then create the role in the CLI:

aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json

We should also create a service role - by creating a new file called: role-policy.json

and adding the following to it (remembering to replace both instances of '<disk-image-file-bucket>' with the bucket you wish to upload the OVA to):

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":[
            "arn:aws:s3:::<disk-image-file-bucket>"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObject"
         ],
         "Resource":[
            "arn:aws:s3:::<disk-image-file-bucket>/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "ec2:ModifySnapshotAttribute",
            "ec2:CopySnapshot",
            "ec2:RegisterImage",
            "ec2:Describe*"
         ],
         "Resource":"*"
      }
   ]
}

and creating the policy via the CLI:

aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json
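
A pre-flight check for the two policy files above, added here as an example (it is not from the original post): it confirms the trust policy only admits vmie.amazonaws.com presenting the vmimport ExternalId, and that both placeholder instances in role-policy.json were replaced so S3 access stays confined to the import bucket. The function names are hypothetical; the bucket name is the one used in this post's import-image command.

```python
import json

PLACEHOLDER = "<disk-image-file-bucket>"
# The two policy documents from the post, compacted.
TRUST_POLICY = """{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow",
 "Principal":{"Service":"vmie.amazonaws.com"},"Action":"sts:AssumeRole",
 "Condition":{"StringEquals":{"sts:ExternalId":"vmimport"}}}]}"""
ROLE_TEMPLATE = """{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":["s3:ListBucket","s3:GetBucketLocation"],
  "Resource":["arn:aws:s3:::<disk-image-file-bucket>"]},
 {"Effect":"Allow","Action":["s3:GetObject"],
  "Resource":["arn:aws:s3:::<disk-image-file-bucket>/*"]},
 {"Effect":"Allow","Action":["ec2:ModifySnapshotAttribute","ec2:CopySnapshot",
  "ec2:RegisterImage","ec2:Describe*"],"Resource":"*"}]}"""

def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy):
    """Only the VM Import service, presenting ExternalId 'vmimport', may assume the role."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("Service") != "vmie.amazonaws.com":
            problems.append(f"trust statement {i}: unexpected principal")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != "vmimport":
            problems.append(f"trust statement {i}: missing ExternalId condition")
    return problems

def check_role_policy(policy, bucket):
    """Every S3 statement must name only the import bucket or its objects."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        if not any(a.startswith("s3:") for a in as_list(stmt["Action"])):
            continue  # EC2 statement: the post grants these on "*"
        for res in as_list(stmt["Resource"]):
            if PLACEHOLDER in res:
                problems.append(f"role statement {i}: placeholder not replaced")
            elif res not in allowed:
                problems.append(f"role statement {i}: S3 access outside {bucket}: {res}")
    return problems

if __name__ == "__main__":
    bucket = "my-import-bucket"  # bucket name from the post's import-image command
    half = json.loads(ROLE_TEMPLATE.replace(PLACEHOLDER, bucket, 1))  # one instance missed
    print(check_trust_policy(json.loads(TRUST_POLICY)))
    print(check_role_policy(half, bucket))
```

Run it against your edited files (load them with json.load) before the create-role and put-role-policy commands; an empty list from both checks means the documents match what the post intends.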


If you're logged in with your IAM user you will additionally need the following permissions in your policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": ["arn:aws:s3:::mys3bucket","arn:aws:s3:::mys3bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeExportTasks",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:ImportInstance",
        "ec2:ImportVolume",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ImportImage",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:CancelImportTask"
      ],
      "Resource": "*"
    }
  ]
}

We should now ensure we have uploaded the OVA file into our bucket - you can do this by logging into S3 on the AWS portal or use the CLI to upload directly to your S3 bucket.

and then we proceed by importing the OVA file from the bucket into EC2:

aws ec2 import-image --cli-input-json "{  \"Description\": \"Windows 2008 OVA\", \"DiskContainers\": [ { \"Description\": \"First CLI task\", \"UserBucket\": { \"S3Bucket\": \"my-import-bucket\", \"S3Key\" : \"my-windows-2008-vm.ova\" } } ]}"

Note: Where 'my-windows-2008-vm.ova' is the OVA you have uploaded to your S3 bucket.

You can check up on the import progress by running the following command:

aws ec2 describe-import-image-tasks

When it has completed - we can then go to the AWS Console and should see our imported image in the 'user-created' AMIs section.
