Agentless snapshot based replication for vCenter source environments - Application Migration Service

Application Migration Service allows you to perform agentless snapshot replication from your vCenter source environment into AWS. This is achieved by installing the AWS MGN vCenter Client in your vCenter environment. Application Migration Service recommends using agent-based replication when possible, as it supports CDP (Continuous Data Protection) and provides the shortest cutover window. Agentless replication should be used when your company’s policies prevent you from installing the AWS Replication Agent on each individual server.

Agentless replication overview

Agentless snapshot based replication enables you to replicate Source Servers on your vCenter environment into AWS without installing the AWS Replication Agent.

In order to enable agentless replication, you must dedicate at least one VM in your vCenter environment to host the AWS MGN vCenter Client. The AWS MGN vCenter Client is a software bundle distributed by MGN and is available for installation as a binary installer. The installation process installs services on the client VM which allow MGN to remotely discover your VMs that are suitable for agentless replication, and to perform data replication between your vCenter environment and AWS through the use of periodic snapshot shipping.

Agentless snapshot based replication is divided into two main operations: discovery and replication.

The discovery process involves periodically scanning your vCenter environment to detect Source Server VMs that are suitable for agentless replication, and adding these VMs to the MGN Console. Once a Source Server has been added, you may choose to initiate agentless replication on the source VM using the MGN API or Console. The discovery process also collects all of the necessary information from vCenter in order to perform an agentless conversion process once a migration job is launched.

The replication process involves continuously starting and monitoring “snapshot shipping processes” on the Source Server VM being replicated. A “snapshot shipping process” is a long-running logical operation which consists of taking a VMware snapshot of the replicated VM and launching an ephemeral replication agent process. That agent uses VMware’s Changed Block Tracking (CBT) to identify which blocks of the virtual disks have changed, uses the Virtual Disk Development Kit (VDDK) to read the modified data, and sends the data from the source environment to the customer’s target AWS account. The first snapshot shipping process performs an “initial sync” which sends the entire disk contents of the replicating VM into AWS. Subsequent snapshot shipping processes leverage CBT in order to send only the disk changes to the customer’s target AWS account. Each successful snapshot shipping process completes the replication operation by creating a group of consistent EBS snapshots in the customer’s AWS account, which can then be used by the customer to launch Test and Cutover instances through the regular MGN mechanisms.

The following are the main system components of agentless replication:

  • AWS MGN vCenter Client - A software bundle that is installed on a dedicated VM in your vCenter environment in order to facilitate agentless replication.

  • vCenter Replication Agent - A Java agent based on the AWS Replication Agent, which replicates a single VM using VDDK and CBT as the data source instead of the MGN driver that is used by the AWS Replication Agent.

  • MGN Service

  • MGN Console

The following diagram illustrates the high level interaction between the different agentless replication system components:

Prerequisites

VMware limitations

  1. MGN supports VMC on AWS for agentless replication.

  2. MGN partially supports vMotion, Storage vMotion, and other features based on virtual machine migration (such as DRS and Storage DRS) subject to the following limitations:

    • Migrating a virtual machine to a new ESXi host or datastore after one replication run ends, and before the next replication run begins, is supported as long as the vCenter account has sufficient permissions on the destination ESXi host, datastores, and datacenter, and on the virtual machine itself at the new location.

    • Migrating a virtual machine to a new ESXi host, datastore, and/or datacenter while a replication run is active (that is, while a virtual machine upload is in progress) is not supported. Cross-vCenter vMotion is not supported for use with MGN.

  3. AWS does not provide support for migrating VMware Virtual Volumes.

  4. MGN does not support replicating VMware VMs that have snapshots.

Generating vCenter Client IAM credentials

In order to use the AWS MGN vCenter Client, you must first generate the correct IAM credentials. You will need to create at least one AWS Identity and Access Management (IAM) user and attach the proper permission policies to that user. You will obtain an Access key ID and Secret access key, which you will need to enter into the vCenter Client installer prompt in order to begin the installation.

  1. Open the AWS Management Console and look for IAM under Find Services.

  2. From the IAM main page, choose Users from the left-hand navigation menu.

  3. You can either select an existing user or add a new user. These steps show the path for adding a new user for Application Migration Service. Choose Add user.

  4. Give the user a User name and select Programmatic access as the access type. Choose Next: Permissions.

  5. Choose the Attach existing policies directly option. Search for AWSApplicationMigrationVCenterClientPolicy and AWSApplicationMigrationAgentPolicy. Select the policies and choose Next: Tags.

  6. Add tags if you wish to use them. Tags are optional. These instructions do not include adding tags. Choose Next: Review.

  7. Review the information. Ensure that the Programmatic access type is selected and that both policies are attached to the user. Choose Create user.

  8. The AWS Management Console will confirm that the user has been successfully created and will provide you with the Access key ID and Secret access key that you will need in order to install the AWS MGN vCenter Client.

    You need the Access key ID and Secret access key in order to install the AWS MGN vCenter Client on the client VM. You can save this information as a .csv file by choosing the Download .csv option. The secret access key is shown only once, so store it in a secrets manager rather than leaving the .csv file on a shared drive.

    You can also access this information and re-generate your security credentials by navigating to IAM > Users > Your user.

    Open the Security credentials tab and scroll down to Access keys. Here you can manage your access keys (create, delete, etc.).

Installing the AWS MGN vCenter Client

The first step to deploying the agentless solution is installing the AWS MGN vCenter Client on your vCenter environment.

Note

If you have multiple vCenter environments, you will need to install multiple clients. You may not have more than one AWS MGN vCenter Client installed per AWS Account. If you have multiple vCenter environments, you can either use a different AWS Account for each environment or you can migrate your VMs serially, environment by environment, into the same AWS Account.

After the AWS MGN vCenter Client has been installed, it will discover all of the VMs in your vCenter environment and add them to MGN.

MGN vCenter Client notes

Ensure that you review the notes below prior to installing the MGN vCenter Client. Once you have read the notes, proceed to install the client.

vCenter Client requirement notes

Note

You must install the AWS MGN vCenter Client on a VM that has network connectivity to the Application Migration Service API endpoints and to the vCenter endpoint. The client initiates all of these connections itself, so only outbound (egress) rules, plus return traffic for established sessions, are required; the client VM does not need to accept any inbound connections (see the ingress and egress notes below). Customers who want to use PrivateLink can use VPN or Direct Connect to connect to AWS.

Note

The AWS MGN vCenter Client currently only supports VirtualDiskFlatVer2BackingInfo VMDK on CBT. Learn more about this in the VMware knowledgebase.

Note

You must download the VDDK (Virtual Disk Development Kit) tarball to the VM on which the AWS MGN vCenter Client will be installed; the installer prompts for its path. VDDK 6.7 must be used, regardless of the vCenter version used.

Note

The AWS MGN vCenter Client requires the following vCenter user permissions for agentless deployment. It is a best practice to create a dedicated role with these permissions and a dedicated user group with which the role will be associated. Every new user created for the AWS MGN vCenter Client will need to be a member of that group in order to obtain the required permissions. The vCenter predefined role “Consolidated Backup user (sample)” provides most of these permissions. If that role is used, the following additional permission must be added: “Toggle disk change tracking”.

  • Change Configuration

    • Acquire disk lease

    • Toggle disk change tracking

  • Provisioning

    • Allow read-only disk access

    • Allow virtual machine download

  • Snapshot management

    • Create snapshot

    • Remove snapshot
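The permission list above is given as vSphere UI labels. The following script, added here as an example and not part of the AWS documentation or the vCenter Client, checks a role's privilege list for those permissions and flags privileges a reused backup role often carries but this client never needs. The mapping from UI labels to vSphere privilege IDs, the list of unneeded privileges, and the sample roles are the author's assumptions; confirm the IDs against AuthorizationManager.privilegeList on your own vCenter. The live lookup needs pyvmomi and network access, so the constructed sample roles let the check run offline.

```python
# Added example (not AWS code): check that a vCenter role grants the privileges the
# AWS MGN vCenter Client needs and nothing it should not have.
import ssl

# UI label (as listed in the documentation) -> vSphere API privilege ID.
# The IDs are the author's mapping from the vSphere privilege reference; confirm
# them against AuthorizationManager.privilegeList on your own vCenter.
REQUIRED_PRIVILEGES = {
    "Change Configuration > Acquire disk lease": "VirtualMachine.Config.DiskLease",
    "Change Configuration > Toggle disk change tracking": "VirtualMachine.Config.ChangeTracking",
    "Provisioning > Allow read-only disk access": "VirtualMachine.Provisioning.DiskRandomRead",
    "Provisioning > Allow virtual machine download": "VirtualMachine.Provisioning.GetVmFiles",
    "Snapshot management > Create snapshot": "VirtualMachine.State.CreateSnapshot",
    "Snapshot management > Remove snapshot": "VirtualMachine.State.RemoveSnapshot",
}

# Privileges a reused backup/admin role often carries but this client never needs;
# the selection is the author's, chosen to keep the dedicated role least-privilege.
UNNEEDED_PRIVILEGES = {
    "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.ConsoleInteract",
    "VirtualMachine.Inventory.Delete",
    "Global.Settings",
}


def check_role(privileges):
    """Return (missing UI labels, unneeded privilege IDs) for one role's privilege list."""
    have = set(privileges)
    missing = [label for label, pid in REQUIRED_PRIVILEGES.items() if pid not in have]
    unneeded = sorted(have & UNNEEDED_PRIVILEGES)
    return missing, unneeded


def report(roles):
    """roles: {role name: [privilege IDs]} -> human-readable result lines."""
    lines = []
    for name, privs in roles.items():
        missing, unneeded = check_role(privs)
        lines.append(f"{name}: {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
        if unneeded:
            lines.append(f"{name}: consider removing {', '.join(unneeded)}")
    return lines


def fetch_roles(host, user, password, ca_path=None):
    """Live lookup with pyvmomi (network; not exercised offline). ca_path pins the vCenter CA."""
    from pyVim.connect import SmartConnect, Disconnect
    ctx = ssl.create_default_context(cafile=ca_path)  # certificate validation stays on
    si = SmartConnect(host=host, user=user, pwd=password, sslContext=ctx)
    try:
        return {r.name: list(r.privilege) for r in si.content.authorizationManager.roleList}
    finally:
        Disconnect(si)


# Constructed sample roles (author's data): one modeled on the predefined backup
# role as the documentation describes it (everything except change tracking), a
# correct dedicated role, and a reused admin role that carries too much.
SAMPLE_ROLES = {
    "vcb-sample-as-documented": [
        "System.Anonymous", "System.View", "System.Read",
        "VirtualMachine.Config.DiskLease",
        "VirtualMachine.Provisioning.DiskRandomRead",
        "VirtualMachine.Provisioning.GetVmFiles",
        "VirtualMachine.State.CreateSnapshot",
        "VirtualMachine.State.RemoveSnapshot",
    ],
    "mgn-agentless": [
        "System.Anonymous", "System.View", "System.Read",
        "VirtualMachine.Config.DiskLease",
        "VirtualMachine.Config.ChangeTracking",
        "VirtualMachine.Provisioning.DiskRandomRead",
        "VirtualMachine.Provisioning.GetVmFiles",
        "VirtualMachine.State.CreateSnapshot",
        "VirtualMachine.State.RemoveSnapshot",
    ],
    "reused-backup-admin": [
        "System.Anonymous", "System.View", "System.Read",
        "VirtualMachine.Config.DiskLease",
        "VirtualMachine.Config.ChangeTracking",
        "VirtualMachine.Provisioning.DiskRandomRead",
        "VirtualMachine.Provisioning.GetVmFiles",
        "VirtualMachine.State.CreateSnapshot",
        "VirtualMachine.State.RemoveSnapshot",
        "VirtualMachine.Interact.PowerOff",
        "VirtualMachine.Inventory.Delete",
    ],
}

if __name__ == "__main__":
    for line in report(SAMPLE_ROLES):
        print(line)
```

Run it against the live roles with report(fetch_roles("vcenter.example.internal", "svc-mgn@vsphere.local", password, ca_path="/path/to/vcenter-ca.0")) once you have created the dedicated role; a role that reports MISSING for change tracking is the predefined backup role used without the extra permission the note above calls out.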

Note

The VM on which the AWS MGN vCenter Client is installed should meet the following RAM, CPU, and disk requirements:

Minimal requirements (these requirements will allow the replication of up to 5 servers in parallel) - 2 GiB RAM, 1 core, 10 GiB of free disk space

Optional performance requirements (these requirements will allow the replication of the maximum number of 50 servers in parallel) - 16 GiB RAM, 8 cores, 10 GiB of free disk space

Note

VMs that are being replicated into AWS should have at least 2 GiB of free disk space.

Note

The VM on which the AWS MGN vCenter Client is installed should not allow any incoming (ingress) traffic.

Note

The VM on which the AWS MGN vCenter Client is installed should only allow outgoing traffic as follows:

  • Egress TCP on the port on which the vCenter API runs (443 by default).

  • Egress TCP on port 443 for communication with the MGN API.

  • Egress TCP on port 1500 for the replication server.
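The two notes above define the client VM's network policy: no ingress, and egress only to the vCenter API port, TCP 443 for the MGN API, and TCP 1500 for the replication server. The following script, added here as an example and not part of the AWS documentation, audits a Linux client VM against that policy by parsing the output of ss -Htan (no header, all TCP sockets, numeric addresses) and reporting listening sockets reachable from the network and established connections to ports outside the allow-list. The sample ss output and its addresses are constructed for the offline run; the vCenter API port is a parameter because it is deployment-specific.

```python
# Added example (not AWS code): audit the client VM's TCP sockets against the
# egress allow-list above. Parses `ss -Htan` output: State Recv-Q Send-Q Local Peer.
import ipaddress
import subprocess

# MGN API (443) and the replication server (1500); the vCenter API port is
# passed in separately because it is deployment-specific (443 by default).
FIXED_EGRESS_PORTS = {443, 1500}


def split_host_port(endpoint):
    """'10.0.0.5:443' -> ('10.0.0.5', 443); '[::1]:22' -> ('::1', 22); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (None if port == "*" else int(port))


def is_loopback(host):
    if host in ("", "*"):
        return False            # wildcard bind: reachable from the network
    return ipaddress.ip_address(host).is_loopback


def audit(ss_lines, vcenter_port=443):
    """Return [(severity, message)] for sockets that violate the documented policy."""
    allowed = FIXED_EGRESS_PORTS | {vcenter_port}
    findings = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        lhost, _ = split_host_port(local)
        phost, pport = split_host_port(peer)
        if state == "LISTEN" and not is_loopback(lhost):
            # the client should never accept inbound connections
            findings.append(("HIGH", f"listening socket {local} exposes ingress"))
        elif state == "ESTAB" and pport not in allowed and not is_loopback(phost):
            findings.append(("MEDIUM", f"established connection to {peer} is outside the egress allow-list"))
    return findings


def audit_live(vcenter_port=443):
    """Run ss on this host (Linux with iproute2) and audit the result."""
    out = subprocess.run(["ss", "-Htan"], capture_output=True, text=True, check=True).stdout
    return audit(out.splitlines(), vcenter_port)


# Constructed sample of `ss -Htan` output for a client VM (addresses are made up):
# vCenter at 10.20.0.5:443, replication server at 10.200.1.7:1500, an SSH
# listener on all interfaces, and a stray connection to an unexpected port.
SAMPLE_SS = """\
LISTEN    0  128  127.0.0.1:8080     0.0.0.0:*
LISTEN    0  128  0.0.0.0:22         0.0.0.0:*
ESTAB     0  0    10.20.0.15:41822   10.20.0.5:443
ESTAB     0  0    10.20.0.15:41900   52.94.120.10:443
ESTAB     0  0    10.20.0.15:52010   10.200.1.7:1500
ESTAB     0  0    10.20.0.15:53333   198.51.100.9:8443
TIME-WAIT 0  0    10.20.0.15:41810   10.20.0.5:443
""".splitlines()

if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_SS):
        print(severity, msg)
```

On the sample the script reports the SSH listener and the connection to port 8443; if your vCenter API runs on 8443, pass vcenter_port=8443 and only the listener remains. A listener for administrative SSH will always be flagged, which is the point: the notes below restrict access to a trusted administrator, so such access should come from a management network rather than a wildcard bind.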

Note

Patching of the guest OS on the VM running the AWS MGN vCenter Client is the customer's responsibility under the shared responsibility model.

Note

IAM credentials used by the vCenter Client should be rotated on a regular schedule. Learn more about how to rotate access keys for IAM users in this IAM blog post. To switch the client to a new access key pair, re-install the AWS MGN vCenter Client with the new Access key ID and Secret access key (using the --force-delete-existing-client flag), confirm that replication continues, and then deactivate and delete the old key in IAM.
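The IAM user creation steps in "Generating vCenter Client IAM credentials" and the rotation note above are both covered by the following script, added here as an example and not part of the AWS documentation. It uses boto3 calls (create_user, attach_user_policy, create_access_key, list_access_keys, update_access_key, delete_access_key) to create the user with the two managed policies named above and to rotate its keys in two phases, so the old key stays active until the client has been re-installed with the new one. The IAM client is passed in, and the FakeIAM class at the end is a constructed stand-in so the logic runs offline; the user name mgn-vcenter-client is an assumption.

```python
# Added example (not AWS code): create the IAM user for the AWS MGN vCenter Client
# with boto3, and rotate its access keys without a replication outage.
from datetime import datetime, timezone

POLICY_ARNS = (
    "arn:aws:iam::aws:policy/AWSApplicationMigrationVCenterClientPolicy",
    "arn:aws:iam::aws:policy/AWSApplicationMigrationAgentPolicy",
)


def create_vcenter_client_user(iam, user_name):
    """Create the user, attach both managed policies, return (access key id, secret)."""
    iam.create_user(UserName=user_name)
    for arn in POLICY_ARNS:
        iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return key["AccessKeyId"], key["SecretAccessKey"]


def begin_rotation(iam, user_name):
    """Issue a second key pair while the old one stays active. Re-install the
    vCenter Client with the new pair, then call finish_rotation()."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= 2:   # IAM allows at most two access keys per user
        raise RuntimeError("user already has two access keys; finish the previous rotation first")
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return key["AccessKeyId"], key["SecretAccessKey"]


def finish_rotation(iam, user_name, keep_key_id):
    """Deactivate, then delete, every key except keep_key_id. Returns the removed ids.
    Deactivating first gives a cheap rollback if the client still used the old key."""
    removed = []
    for meta in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        kid = meta["AccessKeyId"]
        if kid == keep_key_id:
            continue
        iam.update_access_key(UserName=user_name, AccessKeyId=kid, Status="Inactive")
        iam.delete_access_key(UserName=user_name, AccessKeyId=kid)
        removed.append(kid)
    return removed


def stale_keys(iam, user_name, max_age_days, now=None):
    """Key ids older than max_age_days: the input for a scheduled rotation job."""
    now = now or datetime.now(timezone.utc)
    return [m["AccessKeyId"]
            for m in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
            if (now - m["CreateDate"]).days > max_age_days]


class FakeIAM:
    """Constructed stand-in for boto3.client('iam') so the functions above run offline."""

    def __init__(self):
        self.policies, self.keys, self.n = {}, {}, 0

    def create_user(self, UserName):
        self.keys.setdefault(UserName, [])
        return {"User": {"UserName": UserName}}

    def attach_user_policy(self, UserName, PolicyArn):
        self.policies.setdefault(UserName, []).append(PolicyArn)
        return {}

    def create_access_key(self, UserName):
        self.n += 1
        kid = f"AKIAFAKE{self.n:012d}"
        self.keys.setdefault(UserName, []).append(
            {"AccessKeyId": kid, "Status": "Active", "CreateDate": datetime.now(timezone.utc)})
        return {"AccessKey": {"AccessKeyId": kid, "SecretAccessKey": "fake-secret"}}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(m) for m in self.keys.get(UserName, [])]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for m in self.keys.get(UserName, []):
            if m["AccessKeyId"] == AccessKeyId:
                m["Status"] = Status
        return {}

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [m for m in self.keys.get(UserName, []) if m["AccessKeyId"] != AccessKeyId]
        return {}


if __name__ == "__main__":
    import boto3   # real client, only when run directly against AWS
    print(create_vcenter_client_user(boto3.client("iam"), "mgn-vcenter-client"))
```

The two-phase split matters because the vCenter Client only picks up a new key when it is re-installed: begin_rotation issues the new pair, the re-install happens, and finish_rotation removes the old key only after replication has been seen to continue. Because IAM caps a user at two access keys, begin_rotation refuses to run while a previous rotation is unfinished.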

Note

The VM that hosts the AWS MGN vCenter Client should only be used for client hosting and should not be used for any other purposes.

Note

Only a trusted administrator should have access to the VM on which the AWS MGN vCenter Client is installed.

Note

The AWS MGN vCenter Client should be located in an isolated and dedicated network and considered a sensitive segment.

Note

You can disable the vCenter Client auto-update mechanism by creating a marker file on the client VM:

touch /var/lib/aws-vcenter-client/.disable_auto_updates

Once auto-updates are disabled, you will need to re-install the client to perform a manual update, and you will be responsible for ensuring that all security updates are applied to the client. After each manual update, validate the hash of the downloaded installer against the published installer hash (see the installation instructions below).

vCenter Client installer notes

Note

The AWS MGN vCenter Client installer only supports vCenter 6.7 and 7.x.

Note

The AWS MGN vCenter Client can only be installed on 64-bit Ubuntu 18, RHEL 8 (RH8), or Amazon Linux 2 (AL2) VMs.

Note

If you are using a RH8 environment, ensure that you run the sudo yum install python3 command to install python prior to launching the client installer.

Note

The following flags are used by the installer (from its --help output):

usage: aws-vcenter-client-installer-init.py [-h]
    [--aws-access-key-id AWS_ACCESS_KEY_ID]
    [--aws-secret-access-key AWS_SECRET_ACCESS_KEY]
    [--region REGION]
    [--s3-endpoint S3_ENDPOINT]
    [--vcenter-host VCENTER_HOST]
    [--vcenter-port VCENTER_PORT]
    [--vcenter-user VCENTER_USER]
    [--vcenter-password VCENTER_PASSWORD]
    [--vcenter-ca-path VCENTER_CA_PATH]
    [--vddk-path VDDK_PATH]
    [--vcenter-client-tags KEY=VALUE [KEY=VALUE ...]]
    [--source-server-tags KEY=VALUE [KEY=VALUE ...]]
    [--disable-ssl-cert-validation]
    [--no-prompt]
    [--force-delete-existing-client]
    [--version]

optional arguments:
    -h, --help  show this help message and exit

Note

--no-prompt: use this flag for an unattended installation. If you use this flag, you must also use the --force-delete-existing-client flag.

Note

--force-delete-existing-client: use this flag to delete an existing version of the vCenter Client from your VM. You must use this flag if you've previously installed the vCenter Client on the VM. If you use the --no-prompt flag, you must also use this flag.
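An unattended installation puts every value, including the AWS secret key and the vCenter password, on the installer command line, so it is worth assembling that command in code that enforces the documented constraints before anything runs. The following wrapper is an added example, not part of the AWS documentation or the installer: it builds the argv from the flags listed above, refuses the combinations the notes rule out (--no-prompt without --force-delete-existing-client, a CA path with an IP address instead of a hostname, malformed tags), reads the secrets from environment variables (the variable names MGN_AWS_ACCESS_KEY_ID, MGN_AWS_SECRET_ACCESS_KEY and MGN_VCENTER_PASSWORD are the author's choice), and produces a redacted copy of the command for logging. Requiring an explicit opt-in before adding --disable-ssl-cert-validation is the wrapper's own policy.

```python
# Added example (not AWS code): build and check an unattended vCenter Client
# install command from the installer's documented flags.
import ipaddress
import os
import re
import subprocess

INSTALLER = "aws-vcenter-client-installer-init.py"
TAG_RE = re.compile(r"^[^=\s]+=\S*$")          # KEY=VALUE, no whitespace
SECRET_FLAGS = {"--aws-secret-access-key", "--vcenter-password"}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_tags(tags, flag):
    for t in tags:
        if not TAG_RE.match(t):
            raise ValueError(f"{flag}: {t!r} is not KEY=VALUE")
    return list(tags)


def build_argv(region, vcenter_host, vcenter_user, vcenter_password,
               aws_access_key_id, aws_secret_access_key, vddk_path,
               vcenter_port=443, vcenter_ca_path=None, allow_insecure_tls=False,
               s3_endpoint=None, client_tags=(), server_tags=(), unattended=True):
    """Return the installer argv, or raise ValueError on a documented conflict."""
    if vcenter_ca_path and allow_insecure_tls:
        raise ValueError("a CA path and --disable-ssl-cert-validation are contradictory")
    if vcenter_ca_path and is_ip_literal(vcenter_host):
        raise ValueError("certificate validation requires a vCenter hostname, not an IP")
    if not vcenter_ca_path and not allow_insecure_tls:
        raise ValueError("pass vcenter_ca_path, or opt in to allow_insecure_tls explicitly")
    argv = ["sudo", "python3", INSTALLER,
            "--aws-access-key-id", aws_access_key_id,
            "--aws-secret-access-key", aws_secret_access_key,
            "--region", region,
            "--vcenter-host", vcenter_host,
            "--vcenter-port", str(vcenter_port),
            "--vcenter-user", vcenter_user,
            "--vcenter-password", vcenter_password,
            "--vddk-path", vddk_path]
    if s3_endpoint:
        argv += ["--s3-endpoint", s3_endpoint]
    if vcenter_ca_path:
        argv += ["--vcenter-ca-path", vcenter_ca_path]
    else:
        argv.append("--disable-ssl-cert-validation")
    if client_tags:
        argv += ["--vcenter-client-tags", *check_tags(client_tags, "--vcenter-client-tags")]
    if server_tags:
        argv += ["--source-server-tags", *check_tags(server_tags, "--source-server-tags")]
    if unattended:
        # --no-prompt is only valid together with --force-delete-existing-client
        argv += ["--no-prompt", "--force-delete-existing-client"]
    return argv


def redact(argv):
    """Copy of argv that is safe to log: the value after each secret flag is masked."""
    out, hide = [], False
    for a in argv:
        out.append("***" if hide else a)
        hide = a in SECRET_FLAGS
    return out


def run_from_env(region, vcenter_host, vcenter_user, vddk_path, **kw):
    """Read secrets from MGN_* environment variables (assumed names) and run the installer."""
    env = os.environ
    argv = build_argv(region, vcenter_host, vcenter_user, env["MGN_VCENTER_PASSWORD"],
                      env["MGN_AWS_ACCESS_KEY_ID"], env["MGN_AWS_SECRET_ACCESS_KEY"],
                      vddk_path, **kw)
    print("running:", " ".join(redact(argv)))
    # No shell is involved, so the secrets do not land in shell history; they are
    # still visible in /proc/<pid>/cmdline to local users while the installer runs.
    return subprocess.run(argv, check=True).returncode
```

Because the secrets are process arguments, the note above about restricting the client VM to a trusted administrator is what keeps them from being read during the install; a locked-down VM and secrets supplied through the environment are the practical minimum, and the interactive prompt remains the safer path where unattended installs are not required.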

vCenter environment requirement notes

Note

Application Migration Service supports VM hardware version 7 and higher with CBT enabled. Ensure that you upgrade any VMs you have to hardware version 7 or higher. Ensure that CBT support is enabled in your vSphere deployment. MGN enables CBT on replicating VMs. You can disable CBT after Cutover.

Note

The VM being replicated into MGN must not contain any existing VMware snapshots.

Note

Once added to MGN, snapshot-based replication will create snapshots on the replicated VM, which may result in slower disk performance.

Note

VMs with independent disks, Raw Device Mappings (RDM), or direct-attach disks (iSCSI, NBD) are not supported for replication into MGN.

Note

The VM being replicated into MGN can be either stopped or running. Changing the VM state during data replication will not affect data replication and will cause no data corruption.

MGN vCenter Client installation instructions

To install the AWS MGN vCenter Client, follow these steps:

  1. Download the AWS MGN vCenter Client installer onto a VM within your vCenter environment. You can download the client from this URL: https://aws-application-migration-service-(region).s3.(region).amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py Replace (region) with the AWS Region into which you are replicating.

    The following is an example of the installer link for us-east-1: https://aws-application-migration-service-us-east-1.s3.us-east-1.amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py

    If you need to validate the installer hash, the correct hash can be found here: https://aws-application-migration-service-hashes-(region).s3.(region).amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py.sha512

    The following is an example of the installer hash link for us-east-1: https://aws-application-migration-service-hashes-us-east-1.s3.us-east-1.amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py.sha512

  2. In a terminal on that VM, navigate to the directory where you downloaded the AWS MGN vCenter Client installer and run the installer with the following command: sudo python3 aws-vcenter-client-installer-init.py

  3. The installer will prompt you for your credentials, enter the required info in each field and then press Enter:

    • AWS Access Key ID - Enter the AWS Access Key ID you generated in the previous section.

    • AWS Secret Access Key - Enter the AWS Secret Access Key you generated in the previous section.

    • AWS Region Name - The AWS Region of your Account (for example, eu-west-1)

    • The Private Link endpoint for Application Migration Service (optional, leave blank if not using Private Link)

    • The VPC endpoint for S3 (optional, leave blank if not using a VPC endpoint)

  4. The installer will then prompt you to enter your vCenter information, enter the required info in each field and then press Enter:

    • vCenter IP or hostname

    • vCenter port (press Enter to use the default TCP Port 443)

    • vCenter username

    • vCenter password

    • Path to vCenter root CA certificate (optional) - To use SSL certificate validation, download the certificate bundle from https://<vcenter-ip>/certs/download.zip (example: wget https://<vcenter-ip>/certs/download.zip --no-check-certificate), extract it, and enter the path of the certificate file (example: /usr/local/src/lin/f7f2bd6e.0). Because that first download is itself unverified, confirm the certificate's fingerprint with your vCenter administrator before trusting it. Otherwise, press Enter to disable SSL certificate validation.

      Note

      The certificate must be located in a file that's readable to the vCenter client user, such as a shared directory. If the certificate is not located in a readable directory, you will see a permission error in the logs (errno 13, EACCES: Permission denied).

      Note

      To use a certificate in your vCenter environment, you must setup a connection using a hostname. Using an IP will not work with a certificate.

      Note

      It's a security best practice to use certificate validation. Customers that do not use certificate validation are responsible for any security issues that may arise.

    • Path to VDDK tarball - Provide the path to the VDDK tarball you previously downloaded onto the VM. (example: path/to/vddk.tar.gz)

    • Resource tags for the AWS vCenter client (optional) - Use the following format for tagging:

      KEY=VALUE [KEY=VALUE ...] add resource tags to the AWS vCenter client; use a space to separate each tag (e.g., --vcenter-client-tags tag1=val1 tag2=val2 tag3=val3)

    • Resource tags for source servers to be discovered by the AWS vCenter client (optional) - Use the following format for tagging:

      KEY=VALUE [KEY=VALUE ...] add resource tags to the source servers added by discovery; use a space to separate each tag (e.g., --source-server-tags tag1=val1 tag2=val2 tag3=val3)

  5. The installer will proceed to download and install the AWS vCenter client and will register it with Application Migration Service.

  6. Once the AWS vCenter client has been installed, all of the VMs in your vCenter will be added to Application Migration Service. The VMs will be added in the DISCOVERED state.

    Note

    If you have a significant amount of VMs in your vCenter environment, it may take some time for all of the VMs to become visible in the MGN Console.

    Note

    The VM that hosts the AWS MGN vCenter Client is excluded from the discovered servers list.
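Step 1 above gives the Region-specific installer URL and the matching .sha512 URL, and the auto-update note earlier asks you to validate the hash after a manual update. The following script is an added example, not part of the AWS documentation: it derives both URLs from a Region name, downloads the installer and its hash file, and refuses to write the installer to disk unless the SHA-512 of the downloaded bytes matches the published digest. The assumption that the .sha512 file contains the hex digest in sha512sum style (digest, whitespace, file name) is the author's; the parser takes the first 128-hex-character token, so a bare digest works too. The sample installer bytes and hash file at the end are constructed so the verification runs offline.

```python
# Added example (not AWS code): fetch the vCenter Client installer for a Region
# and verify it against the published SHA-512 before using it.
import hashlib
import re
import urllib.request

INSTALLER = "aws-vcenter-client-installer-init.py"
HEX128 = re.compile(r"\b[0-9a-fA-F]{128}\b")
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")   # e.g. us-east-1, us-gov-west-1


def installer_urls(region):
    """Return (installer URL, .sha512 URL) using the pattern from the documentation."""
    if not REGION_RE.match(region):
        raise ValueError(f"unexpected Region name: {region!r}")   # keeps the host name well-formed
    path = f"/latest/vcenter-client/linux/{INSTALLER}"
    base = f"https://aws-application-migration-service-{region}.s3.{region}.amazonaws.com"
    hashes = f"https://aws-application-migration-service-hashes-{region}.s3.{region}.amazonaws.com"
    return base + path, hashes + path + ".sha512"


def expected_digest(sha_file_text):
    """Extract the lowercase hex SHA-512 digest from the hash file contents."""
    m = HEX128.search(sha_file_text)
    if not m:
        raise ValueError("no SHA-512 digest found in hash file")
    return m.group(0).lower()


def verify_sha512(data, sha_file_text):
    return hashlib.sha512(data).hexdigest() == expected_digest(sha_file_text)


def fetch(url):
    # HTTPS with the default context, so the S3 certificate is validated.
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def download_verified(region, dest=INSTALLER):
    """Download installer and hash; write dest only when the digest matches."""
    installer_url, sha_url = installer_urls(region)
    data = fetch(installer_url)
    sha_text = fetch(sha_url).decode("ascii", "replace")
    if not verify_sha512(data, sha_text):
        raise SystemExit(f"SHA-512 mismatch for {installer_url}; refusing to write {dest}")
    with open(dest, "wb") as f:
        f.write(data)
    return dest


# Constructed sample (author's data): a stand-in "installer" and a hash file for it
# in sha512sum format, so the verification can be exercised without network access.
SAMPLE_INSTALLER = b"#!/usr/bin/env python3\nprint('stand-in installer')\n"
SAMPLE_SHA_FILE = hashlib.sha512(SAMPLE_INSTALLER).hexdigest() + "  " + INSTALLER + "\n"

if __name__ == "__main__":
    import sys
    print(download_verified(sys.argv[1] if len(sys.argv) > 1 else "us-east-1"))
```

Run python3 download_verified.py eu-west-1 (or whichever Region you replicate into) on the client VM, then proceed with step 2; the same script validates a manually downloaded installer after auto-updates have been disabled, which is the check the auto-update note calls for.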

Replicating servers from vCenter to AWS

Once you have successfully installed the AWS vCenter client, all of your vCenter VMs will be added to MGN in the DISCOVERED state. The DISCOVERED state means that the VM has not been replicated to AWS.

Note

VMware only sends data for up to 50 servers in parallel. Replicating more than 50 servers at once will cause the rest to be queued and will result in a longer wait.

By default, the MGN Console only shows active servers. You can tell which servers are being shown by looking at the filtering box under the main Source servers title.

To see your DISCOVERED non-replicating servers that have been added from vCenter, open the filtering menu and choose Discovered source servers.

You will now see all of your non-replicating DISCOVERED VMs.

To replicate one or more VMs into AWS, select the box to the left of each VM name, choose the Replication menu, and then choose Start data replication.

Choose Start on the Start data replication for x servers dialog.

The MGN Console will indicate that data replication has started.

To view the data replication progress, open the filtering menu and return to the default Active source servers view.

You will now only see your replicating source servers. You can follow the launch process on the main Source Servers view.

Once the VM has reached the Ready for testing state under Migration lifecycle, you can continue to launch Test and Cutover instances and perform all other regular MGN operations on the server.

Updating the vCenter credentials

Users who want to change the vCenter credentials used by the AWS MGN vCenter Client should follow these steps. This change requires root privileges on the client VM:

  1. In the command prompt, navigate to the aws-vcenter-client directory:

    cd /var/lib/aws-vcenter-client/

  2. Run the vCenter configuration update tool with the following command:

    sudo vcenter_configuration_update

  3. The tool will receive flags or prompt you for your vCenter credentials. Provide the required info in each field and then press Enter:

    • New vCenter username (--new-vcenter-user)

    • New vCenter password (--new-vcenter-password)

  4. The tool will verify the new vCenter credentials by attempting to connect to vCenter using them.

  5. Upon successful connection to vCenter, the tool will save the new vCenter configuration and restart the necessary services.

  6. In case of failure to connect to vCenter, the new credentials will not be stored, and the previous configuration will be retained. The following error message will be displayed:

    Failed to connect to the vCenter endpoint using the new connection details. The configuration changes will not be applied.

Differentiating agentless and agent-based servers

You can differentiate an agentless vCenter VM that's replicating through snapshot shipping from an agent-based server (from any source infrastructure) in several ways:

  1. On the Source Servers page, under the Replication type column, the MGN Console identifies the replication type, whether it is through Snapshot shipping (agentless) or Agent based.

  2. In the Server details view, under the Migration dashboard, agentless servers that are replicated through snapshot shipping will have an additional Lifecycle step - Not started.

  3. Similarly, in the Server details view, under the Migration dashboard, the Data replication status box will show the Replication type as Snapshot shipping.