Migrate an on-premises VM to Amazon EC2 by using AWS Application Migration Service - AWS Prescriptive Guidance

Migrate an on-premises VM to Amazon EC2 by using AWS Application Migration Service

Created by Thanh Nguyen (AWS)

Environment: Production

Source: On-premises virtual machine

Target: Amazon EC2

R Type: Rehost

Technologies: Migration

AWS services: AWS Application Migration Service; Amazon EC2; Amazon EBS

Summary

When it comes to application migration, organizations can take different approaches to rehost (lift and shift) the application’s servers from the on-premises environment to the Amazon Web Services (AWS) Cloud. One way is to provision new Amazon Elastic Compute Cloud (Amazon EC2) instances and then install and configure the application from scratch. Another approach is to use third-party or AWS native migration services to migrate multiple servers at the same time.

This pattern outlines the steps for migrating a supported virtual machine (VM) to an Amazon EC2 instance on the AWS Cloud by using AWS Application Migration Service. You can use the approach in this pattern to migrate one or multiple virtual machines manually, one by one, or automatically by creating appropriate automation scripts based on the outlined steps.

Prerequisites and limitations

Prerequisites

  • An active AWS account in one of the AWS Regions that support Application Migration Service

  • Network connectivity between the source server and target EC2 server through a private network by using AWS Direct Connect or a virtual private network (VPN), or through the internet

Limitations

Architecture

Source technology stack

  • A physical, virtual, or cloud-hosted server running an operating system supported by Amazon EC2

Target technology stack

  • An Amazon EC2 instance running the same operating system as the source VM

  • Amazon Elastic Block Store (Amazon EBS)

Source and target architecture

The following diagram shows the high-level architecture and main components of the solution. In the on-premises data center, there are virtual machines with local disks. On AWS, there is a staging area with replication servers and a migrated resources area with EC2 instances for test and cutover. Both subnets contain EBS volumes.

  1. Initialize AWS Application Migration Service.

  2. Set up the staging area server configuration and reporting, including staging area resources.

  3. Install agents on source servers, and use continuous block-level data replication (compressed and encrypted).

  4. Automate orchestration and system conversion to shorten the cutover window.

Network architecture

The following diagram shows the high-level architecture and main components of the solution from the networking perspective, including required protocols and ports for communication between primary components in the on-premises data center and on AWS.

Tools

Best practices

  • Do not take the source server offline or perform a reboot until the cutover to the target EC2 instance is complete.

  • Provide ample opportunity for the users to perform user acceptance testing (UAT) on the target server to identify and resolve any issues. Ideally, this testing should start at least two weeks before cutover.

  • Frequently monitor the server replication status on the Application Migration Service console to identify issues early on.

  • Use temporary AWS Identity and Access Management (IAM) credentials for agent installation instead of permanent IAM user credentials.

Epics

Task | Description | Skills required

Create the AWS Replication Agent IAM role.

Sign in with administrative permissions to the AWS account.

On the AWS Identity and Access Management (IAM) console, create an IAM role:

  1. On the IAM console, choose Roles.

  2. Choose Create role.

  3. On the Select trusted entity page, in the Trusted entity type section, select AWS Account.

  4. In the An AWS account section, select This account (<account-id>).

  5. Choose Next.

  6. On the Add permissions page, search for the AWSApplicationMigrationAgentInstallationPolicy policy, and then select the check box next to the policy name.

  7. Choose Next.

  8. On the Role details page, enter MGN_Agent_Installation_Role as the role name.

  9. Verify that the fields are correct, and then choose Create role.

AWS administrator, Migration engineer

Generate temporary security credentials.

On a machine with AWS Command Line Interface (AWS CLI) installed, sign in with administrative permissions. Alternatively (within a supported AWS Region), sign in to the AWS Management Console with administrative permissions to the AWS account, and open AWS CloudShell.

Generate temporary credentials with the following command, replacing <account-id> with the AWS account ID.

aws sts assume-role --role-arn arn:aws:iam::<account-id>:role/MGN_Agent_Installation_Role --role-session-name mgn_installation_session_role

From the output of the command, copy the values for AccessKeyId, SecretAccessKey, and SessionToken. Store them in a safe location for later use.

Important: These temporary credentials will expire after one hour. If you need credentials after one hour, repeat the previous steps.

AWS administrator, Migration engineer
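
The credential step above, as an added example (not part of the original pattern or of AWS tooling): a Python check to run on the saved assume-role output before the values are entered into the agent installer. It confirms that the key is a temporary STS key issued for MGN_Agent_Installation_Role and that enough of the one-hour lifetime remains; the sample JSON, the account ID 111122223333, and the 15-minute margin are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `aws sts assume-role` output; every value is fake.
SAMPLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
        "SecretAccessKey": "constructed-secret-not-real",
        "SessionToken": "constructed-token-not-real",
        "Expiration": "2030-01-01T13:00:00+00:00",
    },
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts::111122223333:assumed-role/"
               "MGN_Agent_Installation_Role/mgn_installation_session_role",
    },
})

EXPECTED_ROLE = "MGN_Agent_Installation_Role"   # role name from the steps above
MIN_REMAINING = timedelta(minutes=15)           # assumed margin for one install


def check_agent_credentials(assume_role_json, now):
    """Return the three installer values, or raise ValueError if unsafe to use."""
    doc = json.loads(assume_role_json)
    creds = doc["Credentials"]
    arn = doc["AssumedRoleUser"]["Arn"]
    # Temporary STS keys begin with ASIA; long-term IAM user keys begin with AKIA.
    if not creds["AccessKeyId"].startswith("ASIA"):
        raise ValueError("access key is not a temporary STS credential")
    # The session must belong to the installation role, not a broader role.
    if f":assumed-role/{EXPECTED_ROLE}/" not in arn:
        raise ValueError(f"session was not issued for {EXPECTED_ROLE}")
    # Expiration is ISO 8601; accept both the 'Z' and '+00:00' UTC forms.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    remaining = expires - now
    if remaining < MIN_REMAINING:
        raise ValueError(f"credentials expire in {remaining}; run assume-role again")
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "remaining": remaining,
    }


if __name__ == "__main__":
    now = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
    ok = check_agent_credentials(SAMPLE_OUTPUT, now)
    print("usable, time left:", ok["remaining"])  # secrets are never printed
```
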

Task | Description | Skills required

Initialize the service.

On the console, sign in with administrative permissions to the AWS account.

Choose Application Migration Service, and then choose Get started.

AWS administrator, Migration engineer

Create and configure the Replication Settings template.

  1. Provide the following configuration details:

    1. Select the staging area subnet.

    2. Select the replication server instance type (t3.small by default).

    3. Select the EBS volume type (gp3 by default).

    4. Select the EBS encryption option.

    5. Ensure that the Always use Application Migration Service security group check box is selected.

    6. Select the Use private IP for data replication (VPN, DirectConnect, VPC peering) check box if you are using private network connectivity between the on-premises environment and AWS.

    7. Select the Throttle network bandwidth (per server - in Mbps) check box if you want to limit the network bandwidth for Application Migration Service.

  2. Choose Create template.

Application Migration Service will automatically create all the IAM roles required to facilitate data replication and the launching of migrated servers.

AWS administrator, Migration engineer

Task | Description | Skills required

Have the required AWS credentials ready.

When you run the installer file on a source server, you will need to enter the temporary credentials that you generated earlier, including AccessKeyId, SecretAccessKey, and SessionToken.

Migration engineer, AWS administrator

For Linux servers, install the agent.

Copy the installer command, log in to your source servers, and run the installer. For detailed instructions, see the AWS documentation.

AWS administrator, Migration engineer

For Windows servers, install the agent.

Download the installer file to each server, and then run the installer command. For detailed instructions, see the AWS documentation.

AWS administrator, Migration engineer

Wait for initial data replication to be completed.

When the agent has been installed, the source server will appear on the Application Migration Service console, in the Source servers section. Wait while the server undergoes initial data replication.

AWS administrator, Migration engineer

Task | Description | Skills required

Specify the server details.

On the Application Migration Service console, choose the Source servers section, and then choose a server name from the list to access the server details.

AWS administrator, Migration engineer

Configure the launch settings.

Choose the Launch settings tab. You can configure a variety of settings, including general launch settings and EC2 launch template settings. For detailed instructions, see the AWS documentation.

AWS administrator, Migration engineer

Task | Description | Skills required

Test the source servers.

  1. On the Application Migration Service console, in the Source servers section, ensure that the source servers’ Migration lifecycle is Ready for testing and that Data replication status is Healthy.

  2. Select the check box to the left of each source server.

  3. Choose Test and Cutover, and then choose Launch Test Instance.

  4. When prompted, choose Launch.

The servers will be launched.

AWS administrator, Migration engineer

Verify that the test completed successfully.

After the test server is completely launched, the Alerts status on the page will show Launched for each server.

AWS administrator, Migration engineer

Test the server.

Perform testing against the test server to ensure that it functions as expected.

AWS administrator, Migration engineer

Task | Description | Skills required

Schedule a cutover window.

Schedule an appropriate cutover timeframe with relevant teams.

AWS administrator, Migration engineer

Perform the cutover.

  1. On the Application Migration Service console, on the Source Servers page, select the check box to the left of each source server.

  2. Choose Test and Cutover, and select Mark as 'Ready for cutover'.

  3. Verify that each source server's Migration lifecycle is Ready for cutover.

  4. Choose Test and Cutover, and then select Launch cutover instances.

  5. When prompted, choose Launch. The servers will be launched.

The source server's Migration lifecycle will change to Cutover in progress.

AWS administrator, Migration engineer

Verify that the cutover completed successfully.

After the cutover servers are completely launched, the Alerts status on the Source Servers page will show Launched for each server.

AWS administrator, Migration engineer

Test the server.

Perform testing against the cutover server to ensure that it functions as expected.

AWS administrator, Migration engineer

Finalize the cutover.

Choose Test and Cutover, and then select Finalize cutover to finalize the migration process.

AWS administrator, Migration engineer

Related resources