AWS Prescriptive Guidance
Patterns

Migrate an on-premises Linux server to an Amazon EC2 Linux instance using AWS SMS

R Type: Rehost

Source: Operating Systems

Target: Amazon EC2

Tags: ec2, rehost, sms, red hat, linux, suse/sles, centos, ubuntu, oracle, fedora, debian

Summary

This pattern walks you through the steps for rehosting (“lift-and-shift”) an on-premises Linux server by migrating it to a supported Amazon Elastic Compute Cloud (Amazon EC2) Linux instance, using AWS Server Migration Service (AWS SMS).

For information about migrating databases (such as Oracle) that are associated with the servers and applications you are migrating, see the database migration patterns in this catalog.

Assumptions and Prerequisites

Prerequisites

General requirements:

  • You must have an active AWS account.

  • Disable any antivirus or intrusion detection software on the virtual machine (VM) for the duration of replication, and plan to re-enable equivalent protection on the migrated EC2 instance after cutover.

  • Disconnect any CD-ROM drives (virtual or physical) connected to the VM.

Linux VMs:

  • Enable Secure Shell (SSH) for remote access, and enable host firewall access to SSH.

  • Make sure that your Linux VM uses GRUB (GRUB legacy) or GRUB 2 as its bootloader.

  • The root volume of your Linux VM must use one of the following file systems: ext2, ext3, ext4, Btrfs, JFS, XFS.

Hardware requirements:

  • VMware vCenter version 5.5 or higher (validated up to 6.5) 

  • ESXi 5.1 or higher (validated up to 6.5) 

  • Minimum 4 GB RAM 

  • Minimum available disk storage of 20 GB (thin-provisioned) or 250 GB (thick-provisioned) 

Software requirements:

  • If VMware vCenter Server is configured to use a non-default port, enter the vCenter hostname and port, separated by a colon (for example, HOSTNAME:PORT or IP:PORT), on the vCenter Service Account page in Connector setup.

  • Make sure that your system supports the following network services (you might need to reconfigure your firewall to permit stateful outbound connections from the connector to these services):

    • Domain Name System (DNS) - Allow the connector to initiate connections to port 53 for name resolution.

    • HTTPS on vCenter - Allow the connector to initiate secure web connections to port 443 of vCenter. You can also configure a non-default port at your discretion.

    • HTTPS on ESXi - Allow the connector to initiate secure web connections to port 443 of the ESXi hosts that contain the VMs you intend to migrate.

    • Internet Control Message Protocol (ICMP) - Allow the connector to send ICMP traffic (for example, echo requests).

    • Network Time Protocol (NTP) - The connector must be able to reach a time server on port 123.

  • Allow outbound connections from the connector to the following URL ranges: 

    • *.amazonaws.com 

    • *.aws.amazon.com 

    • *.ntp.org (optional; used only to validate that connector time is in sync with NTP)

For additional information, see AWS SMS Requirements in the AWS SMS documentation.
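The Linux VM prerequisites above (SSH reachable, GRUB bootloader, supported root file system) and the connector's outbound network requirements are the two things that most often stop a first replication run. The following pre-flight script is an added example, not part of the AWS pattern: each check takes the text of a system file or command output so it runs offline against the constructed samples embedded in it, and run_live() applies the same checks on the VM being migrated. The vCenter, ESXi, DNS and NTP hostnames passed to egress_plan() are placeholders.

```python
"""Pre-flight checks for a Linux VM before AWS SMS replication.

Added example, not part of the AWS pattern. Each check takes the text of a
system file or command output, so it runs offline against the constructed
samples below; run_live() applies the same checks on the VM itself.
"""
import os
import re
import subprocess

# Root file systems the pattern lists as supported.
SUPPORTED_ROOT_FS = {"ext2", "ext3", "ext4", "btrfs", "jfs", "xfs"}

# Config paths that indicate GRUB legacy or GRUB 2 is the bootloader.
GRUB_CONFIGS = ("/boot/grub2/grub.cfg", "/boot/grub/grub.cfg", "/boot/grub/menu.lst")

# Constructed sample inputs (not captured from a real host).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/sda2 /boot ext4 rw,relatime 0 0
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
"""


def root_fs_type(proc_mounts):
    """Return the file-system type mounted at '/' from /proc/mounts text, or None."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "/":
            return fields[2]
    return None


def check_root_fs(proc_mounts):
    """True if the root file system is one AWS SMS can import."""
    fs = root_fs_type(proc_mounts)
    return fs is not None and fs.lower() in SUPPORTED_ROOT_FS


def has_grub(existing_paths):
    """True if any known GRUB config path is present (existing_paths: set of paths)."""
    return any(p in existing_paths for p in GRUB_CONFIGS)


def sshd_listening(ss_output, port=22):
    """True if `ss -ltn` output shows a TCP listener on the given port."""
    pattern = re.compile(r"^LISTEN\s.*?\s\S+:%d\s" % port)
    return any(pattern.search(line) for line in ss_output.splitlines())


def egress_plan(vcenter, esxi_hosts, dns_servers, ntp_servers):
    """Outbound flows (host, port, protocol) the connector needs; feed this to
    the firewall change request. vcenter may be 'host' or 'host:port'."""
    host, _, port = vcenter.partition(":")
    plan = [(host, int(port) if port else 443, "tcp")]
    plan += [(h, 443, "tcp") for h in esxi_hosts]
    plan += [(d, 53, "udp") for d in dns_servers]   # add tcp/53 if your resolver needs it
    plan += [(n, 123, "udp") for n in ntp_servers]
    plan += [("*.amazonaws.com", 443, "tcp"), ("*.aws.amazon.com", 443, "tcp")]
    return plan


def run_live():
    """Run the checks against this host; returns {check: bool}."""
    with open("/proc/mounts") as f:
        mounts = f.read()
    ss_out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    present = {p for p in GRUB_CONFIGS if os.path.exists(p)}
    return {"root_fs": check_root_fs(mounts), "grub": has_grub(present), "ssh": sshd_listening(ss_out)}


if __name__ == "__main__":
    for name, ok in run_live().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

Run it as root on each source VM before creating the replication job; a FAIL on root_fs or grub means the VM needs remediation (or is out of scope for AWS SMS), and the egress_plan() output is what goes into the firewall change request for the connector's subnet.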

Linux licensing options:

When you create a new replication job, the AWS SMS console provides a License type option that provides these values: 

  • Auto (default) - Detects the source system operating system (OS) and applies the appropriate license to the migrated VM.

  • AWS - Replaces the source system license with an AWS license, if appropriate, on the migrated VM.

  • BYOL - Retains the source system license, if appropriate, on the migrated VM.

If you choose a license type that is incompatible with your VM, the replication job fails with an error message. 

Linux operating systems support only BYOL licenses, so if you choose Auto (the default), AWS SMS uses a BYOL license.

Migrated Red Hat Enterprise Linux (RHEL) VMs must use Cloud Access (BYOL) licenses. For more information, see Red Hat Cloud Access on the Red Hat website.

Migrated SUSE Linux Enterprise Server (SLES) VMs must use SUSE Public Cloud Program (BYOS) licenses. For more information, see SUSE Public Cloud Program—Bring Your Own Subscription on the SUSE website.

Limitations

  • The migration source must be a VMware server. The use of AWS SMS is limited as follows:

    • 50 concurrent VM migrations per account

    • 90 days of service usage per VM (not per account), beginning with the initial replication of a VM

  • The target operating system must be supported by Amazon EC2. Supported systems include RHEL, SLES, CentOS, Ubuntu, Oracle Linux, Fedora, and Debian Linux. RHEL 6.0 is not supported. For a complete list, see Amazon EC2 FAQs.

  • Linux/Unix (64-bit) volume types and file systems: MBR-partitioned volumes that are formatted using the ext2, ext3, ext4, Btrfs, JFS, or XFS file system. 

  • For operating system licensing policies and limitations, see AWS SMS Requirements.

  • AWS SMS partially supports vMotion, Storage vMotion, and other features based on virtual machine migration, with the following limitations:

    • Migrating a virtual machine to a new ESXi host or datastore after one replication run ends, and before the next replication run begins, is supported as long as the Server Migration Connector's vCenter service account has sufficient permissions on the destination ESXi host, datastores, and data center, and on the virtual machine itself at the new location.

    • Migrating a virtual machine to a new ESXi host, datastore, or data center while a replication run is active—that is, while a virtual machine upload is in progress—is not supported. 

    • Cross vCenter vMotion is not supported for use with AWS SMS.

Architecture

Source technology stack

On-premises application/web servers: 

  • Red Hat Enterprise Linux (RHEL)

  • SUSE Linux Enterprise Server (SLES)

  • CentOS 

  • Ubuntu 

  • Oracle Linux 

  • Fedora 

  • Debian Linux 

Target technology stack

EC2 instances running the following operating systems (supporting migrations from the same system on premises): 

  • RHEL  

  • SLES

  • CentOS  

  • Ubuntu 

  • Oracle Linux 

  • Fedora  

  • Debian Linux 

Target architecture

Tools Used

AWS SMS: AWS Server Migration Service (AWS SMS) automates the migration of virtual machines to AWS. It provides the following features:

  • Automated migration of an on-premises VMware server fleet to the AWS Cloud.

  • Incremental replication of VMs to Amazon Machine Images (AMIs). AWS SMS transfers only the delta to the cloud, so you can test small changes iteratively and save network bandwidth.

  • Multi-server migration to AWS, including scheduling and periodic replication for a group of servers.

To migrate VMs, you need to set up the AWS Server Migration Connector in your on-premises virtualization environment. To deploy the Server Migration Connector, choose Get Started from the AWS SMS console.

  • Schedule the connector download. The connector is an OVA image that's nearly 10 GB in size, so it could take a long time to download, depending on the speed of your internet connection. We recommend that you schedule an appropriate time to download the appliance, based on your connection speed and traffic priority. The downloaded OVA should be made available to vCenter for later deployment. For step-by-step instructions, see the AWS SMS documentation.

  • Create a vCenter account. The connector requires a vCenter service account with (at the minimum) Create Snapshot and Delete Snapshot permissions on VMs that you plan to migrate to AWS. We recommend that you create a service account that has access only to the vCenter data centers and ESXi hosts, folders, and datastores that you plan to migrate. 

  • Create an IAM user. The connector requires AWS Identity and Access Management (IAM) credentials to communicate with AWS. Use the following AWS CloudFormation template to create an IAM user with the ServerMigrationConnector AWS managed policy attached. After you create the IAM user, open the IAM console and search for the IAM user ServerMigrationServiceConnector. Create an IAM access key for this user, and then download and store the access key securely. This credential is used only in the connector configuration; it is a long-lived key, so deactivate or delete it when the migration is complete.

    AWSTemplateFormatVersion: '2010-09-09'
    Description: |
      #
      # Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
      #
      # Licensed under the Amazon Software License (the "License").
      # You may not use this file except in compliance with the
      # License. A copy of the License is located at
      #
      #     http://aws.amazon.com/asl/
      #
      # or in the "license" file accompanying this file. This file is
      # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
      # CONDITIONS OF ANY KIND, express or implied. See the License
      # for the specific language governing permissions and
      # limitations under the License.
      #
      # IAM user for AWS Server Migration Service (SMS) Connector
    Resources:
      SmsConnector:
        Type: AWS::IAM::User
        Properties:
          UserName: ServerMigrationServiceConnector
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/ServerMigrationConnector

  • Create an IAM role. AWS SMS requires a service role to access AWS resources. Use the following AWS CloudFormation template to create a service role. 

    AWSTemplateFormatVersion: '2010-09-09'
    Description: |
      #
      # Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
      #
      # Licensed under the Amazon Software License (the "License").
      # You may not use this file except in compliance with the
      # License. A copy of the License is located at
      #
      #     http://aws.amazon.com/asl/
      #
      # or in the "license" file accompanying this file. This file is
      # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
      # CONDITIONS OF ANY KIND, express or implied. See the License
      # for the specific language governing permissions and
      # limitations under the License.
      #
      # IAM Role for AWS Server Migration Service (SMS)
    Resources:
      smsRole:
        Type: AWS::IAM::Role
        Properties:
          RoleName: sms
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: SmsServiceRoleAssumeRolePolicyDocument
                Effect: Allow
                Principal:
                  Service: sms.amazonaws.com
                Action: sts:AssumeRole
                Condition:
                  StringEquals:
                    sts:ExternalId: sms
      policy:
        Type: AWS::IAM::ManagedPolicy
        Properties:
          Description: IAMManagedPolicyForSmsServiceRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: SmsServiceRolePolicyDocument
                Effect: Allow
                Resource: "*"
                Action:
                  - ec2:ModifySnapshotAttribute
                  - ec2:CopySnapshot
                  - ec2:CopyImage
                  - ec2:DescribeImages
                  - ec2:DescribeSnapshots
                  - ec2:DeleteSnapshot
                  - ec2:DeregisterImage
                  - ec2:CreateTags
                  - ec2:DeleteTags
          Roles:
            - Ref: smsRole

  • Plan your firewall configurations. When the connector operates, it needs to connect to in-scope vCenter and ESXi hosts on the HTTPS port (443), NTP servers, DNS servers, and AWS endpoints that have the patterns *.amazonaws.com and *.aws.amazon.com. Please plan your network configurations, including IP allocation, firewall change, and monitoring updates. You might need to submit change requests to get approvals for these changes in your organization. 

  • Prepare storage space and VM resources. When deploying the connector, the appliance requires 20 GB of disk space and 8 GB of RAM at the minimum. The disk in each connector may grow up to 250 GB if you choose thin provisioning, so make sure that your VMware storage has this capacity. 

  • Install additional connectors if necessary. If you're migrating multiple data centers, we recommend that you install at least one connector in each data center. For step-by-step installation instructions, see the AWS SMS documentation. For information about configuring vCenter, see the blog post AWS Server Migration Service – Server Migration to the Cloud Made Easy.

  • Validate after installation. After deploying the connector, verify the registration by signing in to the AWS Management Console and opening the AWS SMS console. You should see the connector registered on the Connectors page.
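The service role template above lets a service principal in another account (sms.amazonaws.com) assume a role in yours, and the two things that keep that safe are the exact principal and the sts:ExternalId condition; the permissions policy is deliberately limited to the nine EC2 actions listed. The script below is an added example, not part of the AWS pattern or its templates: it restates the template's trust and permissions policies as Python dicts and checks a policy document against them, so a drifted or hand-edited role is caught before the first replication run. audit_live() runs the same checks against the deployed role and assumes boto3 is installed with IAM read access.

```python
"""Audit the IAM pieces the pattern creates for AWS SMS.

Added example, not part of the AWS pattern. The dicts below mirror the
pattern's CloudFormation template for the 'sms' role; the checks verify the
two properties that make it safe to let the SMS service assume a role in
your account: only sms.amazonaws.com may assume it, and it must present the
ExternalId 'sms'. Permissions are compared against the template's action list.
"""

# Trust policy as the pattern's template defines it.
TEMPLATE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SmsServiceRoleAssumeRolePolicyDocument",
        "Effect": "Allow",
        "Principal": {"Service": "sms.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "sms"}},
    }],
}

# The nine actions the template grants to the service role.
SMS_ROLE_ACTIONS = {
    "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:CopyImage",
    "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:DeleteSnapshot",
    "ec2:DeregisterImage", "ec2:CreateTags", "ec2:DeleteTags",
}

TEMPLATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SmsServiceRolePolicyDocument",
        "Effect": "Allow",
        "Resource": "*",
        "Action": sorted(SMS_ROLE_ACTIONS),
    }],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust):
    """Return problems found in a role trust policy (empty list means it matches the template)."""
    findings = []
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        sid = st.get("Sid", "?")
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if not isinstance(principal, dict) or set(principal) != {"Service"} or services != ["sms.amazonaws.com"]:
            findings.append(f"{sid}: principal must be exactly the sms.amazonaws.com service")
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id != "sms":
            findings.append(f"{sid}: missing Condition StringEquals sts:ExternalId = sms")
    return findings


def permissions_findings(policy, allowed=frozenset(SMS_ROLE_ACTIONS)):
    """Flag wildcard actions and actions the pattern's template does not grant.
    Resource '*' is what the template itself uses, so it is not flagged here."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if "*" in action:
                findings.append(f"wildcard action {action}")
            elif action not in allowed:
                findings.append(f"{action} is not in the template's action list")
    return findings


def audit_live(role_name="sms"):
    """Run the same checks against the deployed role (needs boto3 and IAM read access)."""
    import boto3  # assumption: boto3 installed and credentials configured
    iam = boto3.client("iam")
    role = iam.get_role(RoleName=role_name)["Role"]
    findings = trust_policy_findings(role["AssumeRolePolicyDocument"])
    for attached in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        arn = attached["PolicyArn"]
        version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        doc = iam.get_policy_version(PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"]
        findings += permissions_findings(doc)
    return findings


if __name__ == "__main__":
    print(trust_policy_findings(TEMPLATE_TRUST) + permissions_findings(TEMPLATE_POLICY) or "template OK")
```

The ExternalId check matters because the connector identifies the role to the service by name ("sms") and the service presents that ExternalId when it assumes the role; a trust policy without the condition, or with a broader principal such as an account root, is assumable by more than the SMS service.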

Epics

Plan the migration

Tasks

Title | Description | Skills | Predecessor
Check the current state footprint and performance baseline (application discovery). | Assess the Linux server before rehosting. | BA, Migration Lead |
Validate the source and target OS instance. | Confirm that the Linux server version is compatible with the target EC2 instance. | SysAdmin |
Identify the hardware requirements for the target server instance. | Confirm that the Linux server hardware profile maps to the targeted EC2 instance. | SysAdmin |
Identify storage requirements (storage type and capacity). | Validate the Linux server storage capacity and compatibility with the targeted EC2 instance. | SysAdmin |
Choose the proper instance type based on capacity, storage features, and network features. | Make sure that the targeted EC2 instance is compatible with the existing Linux server profile. | SysAdmin |
Identify the network access security requirements for the source and target servers. | Confirm that the security configuration for the target EC2 instance is set up properly. | SysAdmin |
Create security groups that permit the required traffic between the source and target servers. | Make sure that the new security group maps correctly from the Linux server to the target EC2 instance. | SysAdmin |
Complete the migration design and migration guide for the application. | Confirm that the migration design and migration guide map correctly to the Linux server and target EC2 instance. | Build Lead, Migration Lead |
Complete the application migration runbook. | Assess the migration strategy that has been mapped. | Build Lead, Cutover Lead, Testing Lead, Migration Lead |

Configure the infrastructure

Tasks

Title | Description | Skills | Predecessor
Create a virtual private cloud (VPC). | Set up a VPC for the Linux server that is being migrated to the targeted EC2 instance. | SysAdmin |
Create security groups. | Establish security groups that map to the Linux server that is being migrated to the targeted EC2 instance. | SysAdmin |
File a change request for firewall rule changes. | Make sure that the firewall for the targeted EC2 instance maps to the Linux server that is being migrated. | SysAdmin |
File a change request for DNS changes. | Make sure that the DNS for the targeted EC2 instance maps to the Linux server that is being migrated. | SysAdmin |
Download the AWS Server Migration Connector. | Confirm that the AWS Server Migration Connector has been downloaded and prepared for Linux server migration to the targeted EC2 instance. | SysAdmin |
Install the AWS Server Migration Connector. | Set up the connector to migrate the Linux server to the targeted EC2 instance. | SysAdmin |
Verify that the connector is displayed in the AWS SMS console. | If the connector is properly configured, it shows up in the AWS SMS console when you choose Connectors from the navigation pane. | SysAdmin |

Migrate your application using AWS SMS

Tasks

Title | Description | Skills | Predecessor
Create a replication job. | Establish the replication environment. | SysAdmin |
Configure server-specific settings (select the license type). | Confirm that the server configuration maps to the targeted instance. | SysAdmin |
Configure replication job settings with the appropriate IAM role (the output should be an AMI). | Manage access to the replication environment that you have set up. | SysAdmin |
Enable subsequent replication runs to occur every 12 to 24 hours (12 hours preferred). | Establish a continuous schedule for replication runs. | SysAdmin |
Complete the setup. | Follow the procedure described at https://aws.amazon.com/blogs/apn/aws-server-migration-service-server-migration-to-the-cloud-made-easy/ to complete the setup. | SysAdmin |
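The four replication-job tasks above are one procedure: pick the license type (Linux sources only get BYOL, and Auto resolves to it), point the job at the sms service role, schedule recurring runs every 12 to 24 hours, and produce an AMI. The following script is an added example, not the pattern's own code: it builds and validates the keyword arguments for boto3's sms.create_replication_job() so that an incompatible license type or an out-of-range frequency is rejected before the API call rather than failing the job afterwards. The server ID and OS name are placeholders (the OS name is assumed to be taken from the server list in the AWS SMS console), and AMI encryption is an addition beyond what the pattern specifies.

```python
"""Build and validate a CreateReplicationJob request for a Linux source server.

Added example, not part of the AWS pattern. It encodes the pattern's job
settings: Linux sources get BYOL (Auto resolves to BYOL, AWS would fail),
the service role is the 'sms' role, replication repeats every 12 to 24 hours,
and the output is an AMI. The OS name is assumed to come from the server list
in the AWS SMS console; AMI encryption is an addition beyond the pattern.
"""
from datetime import datetime, timedelta, timezone

# OS families this pattern covers (matched as prefixes of the OS name).
LINUX_FAMILIES = ("Red Hat", "RHEL", "SUSE", "SLES", "CentOS", "Ubuntu",
                  "Oracle Linux", "Fedora", "Debian")


def resolve_license_type(os_name, requested="Auto"):
    """Map the console's License type choice to the value the job will actually use."""
    if not os_name.startswith(LINUX_FAMILIES):
        raise ValueError(f"{os_name!r} is not a Linux source this pattern covers")
    if requested == "AWS":
        raise ValueError("Linux sources support only BYOL; an AWS license type makes the job fail")
    if requested not in ("Auto", "BYOL"):
        raise ValueError(f"unknown license type {requested!r}")
    return "BYOL"


def replication_job_request(server_id, os_name, *, license_type="Auto", frequency_hours=12,
                            role_name="sms", seed_time=None, keep_amis=2, encrypted=True):
    """Keyword arguments for boto3's sms.create_replication_job()."""
    if not 12 <= frequency_hours <= 24:
        raise ValueError("the pattern schedules replication runs every 12 to 24 hours")
    # Default seed time: a few minutes from now, in UTC.
    seed = seed_time or datetime.now(timezone.utc) + timedelta(minutes=5)
    return {
        "serverId": server_id,
        "seedReplicationTime": seed,
        "frequency": frequency_hours,
        "runOnce": False,                       # recurring runs until cutover
        "licenseType": resolve_license_type(os_name, license_type),
        "roleName": role_name,                  # the 'sms' role from the CloudFormation template
        "numberOfRecentAmisToKeep": keep_amis,  # older AMIs are deregistered automatically
        "encrypted": encrypted,                 # encrypt the produced AMI (not in the pattern)
    }


def submit(request):
    """Create the job and return its ID (needs boto3, credentials, and a registered server)."""
    import boto3  # assumption: boto3 installed and credentials configured
    return boto3.client("sms").create_replication_job(**request)["replicationJobId"]


if __name__ == "__main__":
    # Placeholder server ID and OS name, not taken from a real account.
    req = replication_job_request("s-0000000000000000", "Red Hat Enterprise Linux 7", frequency_hours=12)
    print(req)
```

Keeping the validation in replication_job_request() rather than in the caller means the same rules apply whether jobs are created one at a time or for a whole group of servers from a spreadsheet export of the console's server list.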

Cut over

Tasks

Title | Description | Skills | Predecessor
Communicate any changes or outages to business and application users and stakeholders. | Make sure that everyone is up to date on the status of the migration. | Cutover Lead |
Update production DNS entries for the servers being replicated via AWS SMS to point to the sitedown/maintenance URL, and set the DNS TTL to 1 minute. | This is the final step before shutting down and stopping source servers. | SysAdmin |
Shut down and stop source servers. | Commit to cloud operations. | SysAdmin |
Rename source servers to append "DO NOT TURN ON". | Do not re-engage source servers. | SysAdmin |
Run the AWS SMS VM migration task to copy the final data sync of source servers to the production AWS account. | Complete the final data sync of source servers. | SysAdmin |
Run AWS CloudFormation scripts to build and apply any infrastructure configuration (for example, security groups, allowed firewall ports, IAM roles, permissions). | Use AWS CloudFormation templates to ensure that correct procedures are followed and everything is in order for cloud operations. | SysAdmin, Migration Engineer |
Make application-specific changes to map to new IP addresses, and make any other required configuration changes, as specified in the application migration runbook. | Make sure that the necessary changes are made, mapping to what is detailed in the application migration runbook. | SysAdmin, Migration Engineer, Application Owner |
Update production DNS entries for source servers to point to the EC2 application instance. | Map DNS entries to the targeted EC2 instance. | SysAdmin |
Start the application and its associated databases. Validate the application in accordance with product verification tests (PVTs), build verification tests (BVTs), and other test regimens, as specified in the application migration runbook. | Make sure that the applications that were migrated to AWS are validated according to the test regimen described in the application migration runbook. | App Owner, QA Team |
Obtain sign-off from the TSO or business owner that application testing is complete. | Get final approval and validation from the TSO or business owner that the application works as expected. | Cutover Lead, App Owner |
Update the configuration management database (CMDB) with details on the migrated VMs/hosts and new EC2 instances. | Make sure that the CMDB is updated to reflect the latest information. | Cutover Lead, App Owner |
Communicate project completion and new environment availability to business and application users and stakeholders. | Make sure that all concerned parties are aware that the changes have been completed. | Cutover Lead |

Close the project

Tasks

Title | Description | Skills | Predecessor
Shut down temporary AWS resources. | Stop using the temporary AWS resources that were set up for the migration. | SysAdmin, Migration Engineer |
Review and validate the project documents. | Check project results against plans, post-migration. | Migration Lead, SysAdmin, Application Owner |
Gather metrics around time to migrate, percentage of manual vs. tool-driven work, cost savings, and so on. | Report on how the migration process progressed and was completed. | Migration Lead, DBA, SysAdmin, Application Owner |
Close out the project and provide feedback. | Include details on anything that wasn't previously mentioned. | Migration Lead, DBA, SysAdmin, Application Owner |

References and Help

References

Contact and help

Migration Pattern Library Support: aws-mpl@amazon.com