Deploying the PoC environment - AWS Prescriptive Guidance

Deploying the PoC environment

Many users prefer to thoroughly test all communication channels and migration steps in advance, but testing a migration from an isolated network can be a challenge. To address that need, AWS provides two options:

  • A CloudFormation template that prepares all required resources on AWS. The template builds a proof of concept (PoC) environment that emulates the components of the data center environment and sets up the AWS infrastructure. It includes isolated source and target VPCs, subnets, and VPC endpoints.

  • A dedicated workshop (Migrate the Well-Architected Way) with detailed, step-by-step instructions to create your test environment (see the step Create VPC Endpoints).

Alternatively, you can deploy your PoC environment by following the steps in the next sections.

Manual deployment

The following list outlines the major steps for a manual deployment in your environment. For more information, see the AWS Prescriptive Guidance pattern Connect to Application Migration Service data and control planes over a private network.

  1. Create the source VPC and staging area VPC with a private subnet.

  2. Create the following VPC endpoints in the staging area subnet:

    • Application Migration Service, and enable the private DNS name (shared by the replication server and source server).

    • Amazon EC2, and enable the private DNS name (shared by the replication server and source server).

    • Amazon S3 interface endpoint (private DNS name not supported). Unlike a gateway endpoint, an interface endpoint is reachable across Direct Connect, AWS VPN, and VPC peering. Therefore, this endpoint is required only for the source servers (which can be located on premises) to connect to the Application Migration Service control plane over a private network.

      Note

      The ssm and ssmmessages endpoints are optional. They are created so that you can connect to the source server through Session Manager, a capability of AWS Systems Manager.

    • Amazon S3 gateway endpoint in the staging area subnet. This is required by the replication server to connect to Amazon S3. You must update the routes for the staging area subnet.

  3. Create an inbound resolver endpoint in the staging area VPC so that the private DNS records of the VPC interface endpoints can be resolved from the source VPC.

  4. Update the DHCP options set of the source VPC so that the IP addresses of the inbound resolver endpoint in the staging area VPC are used as the DNS servers.

  5. Enable peering between the source and staging area VPCs, and update the route tables of both VPCs.

  6. Create security groups in the source and staging area VPCs that allow the following traffic.

     Source                | Destination                                                     | Port      | Description
     ----------------------|-----------------------------------------------------------------|-----------|-----------------------------------------------------------------------------------------
     Source data center    | Amazon S3 service URLs                                          | 443 (TCP) | Communication over TCP port 443
     Source data center    | The Application Migration Service AWS Region-specific console address | 443 (TCP) | Communication between the source servers and Application Migration Service over TCP port 443
     Source data center    | Staging area subnet                                             | 1500 (TCP) | Communication between the source servers and the staging area subnet over TCP port 1500
     Staging area subnet   | The Application Migration Service AWS Region-specific console address | 443 (TCP) | Communication between the staging area subnet and Application Migration Service over TCP port 443
     Staging area subnet   | Amazon S3 service URLs                                          | 443 (TCP) | Communication over TCP port 443
     Staging area subnet   | Amazon EC2 endpoint of its AWS Region                           | 443 (TCP) | Communication over TCP port 443

  7. Initialize Application Migration Service in the staging area AWS Region: set the staging area subnet in the replication settings, and enable the use of private IP addresses for data replication.

  8. Create an AWS Identity and Access Management (IAM) identity for installing the Application Migration Service Agent. Attach the required managed policies, and generate an access key ID and secret access key for the agent installer (long-term access keys belong to an IAM user; a role can only supply temporary credentials).

  9. Create an IAM instance profile so that you can connect to the Amazon EC2 instances through Session Manager, a capability of AWS Systems Manager.

  10. Install the Application Migration Service Agent on the source machines.
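The steps above only work if name resolution and routing actually keep the traffic on the private path: if a source server still resolves the Application Migration Service or Amazon S3 names to public addresses, the agent will happily replicate over the internet (or fail when there is no internet route) and the misconfiguration is easy to miss. The following preflight script is an added example, not part of the original guidance or of any AWS tooling. Run it from a source server after steps 1 through 6; it resolves each name from the port table that applies to a source server, requires every answer to be a private-range address (an interface endpoint ENI in the staging area VPC, reached through the inbound resolver), and only then probes the port. The regional API names mgn.<region>.amazonaws.com and ec2.<region>.amazonaws.com are real; the S3 interface endpoint name and the staging-subnet host are command-line inputs because the S3 endpoint has no private DNS name, and the sample values in the comments are constructed. DNS and TCP probes are injectable so the logic can be exercised offline.

```python
"""Preflight check for the private-network Application Migration Service PoC (added example).

Confirms that the names a source server must reach resolve to PRIVATE addresses (the
interface endpoints in the staging area VPC, via the inbound resolver endpoint) rather
than to public AWS addresses, and that the ports from the table are reachable.
"""
import ipaddress
import socket
import sys
from dataclasses import dataclass
from typing import Callable, List

Resolver = Callable[[str], List[str]]   # hostname -> IPv4 addresses
Prober = Callable[[str, int], bool]     # (host, port) -> TCP handshake completed


@dataclass(frozen=True)
class Check:
    host: str
    port: int
    description: str


def source_server_checks(region: str, s3_endpoint_host: str, staging_host: str) -> List[Check]:
    """Rows of the port table that apply to a source server.

    mgn.<region>.amazonaws.com is the regional API name that the interface endpoint's
    private DNS overrides. The S3 interface endpoint has no private DNS, so its
    endpoint-specific name is passed in explicitly (assumed input); staging_host is the
    private address of a replication server in the staging area subnet (assumed input).
    """
    return [
        Check(f"mgn.{region}.amazonaws.com", 443, "Application Migration Service control plane"),
        Check(s3_endpoint_host, 443, "Amazon S3 interface endpoint"),
        Check(staging_host, 1500, "replication server in the staging area subnet"),
    ]


def resolve_ipv4(host: str) -> List[str]:
    """Real DNS lookup through the resolver configured by the VPC DHCP options set."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real TCP probe; a completed handshake is enough, no application data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def all_private(addresses: List[str]) -> bool:
    """True only if every answer is a private-range address, i.e. an endpoint ENI in the VPC."""
    return bool(addresses) and all(ipaddress.ip_address(a).is_private for a in addresses)


@dataclass
class Result:
    check: Check
    addresses: List[str]
    reachable: bool

    @property
    def private_path(self) -> bool:
        return all_private(self.addresses)

    @property
    def ok(self) -> bool:
        return self.private_path and self.reachable


def run_checks(checks: List[Check], resolver: Resolver = resolve_ipv4,
               prober: Prober = tcp_connect) -> List[Result]:
    results = []
    for check in checks:
        addresses = resolver(check.host)
        # Probe only when the name resolved privately: a connection to a public address
        # would "succeed" through a NAT gateway and hide the DNS misconfiguration.
        reachable = all_private(addresses) and prober(check.host, check.port)
        results.append(Result(check, addresses, reachable))
    return results


def failures(results: List[Result]) -> List[str]:
    """Human-readable list of failed rows, each with the step most likely to be wrong."""
    out = []
    for r in results:
        if not r.addresses:
            out.append(f"{r.check.host}: no DNS answer (check DHCP options set / inbound resolver endpoint)")
        elif not r.private_path:
            out.append(f"{r.check.host}: resolves to public {r.addresses} (private DNS not in effect)")
        elif not r.reachable:
            out.append(f"{r.check.host}:{r.check.port} unreachable (check security groups / peering routes)")
    return out


if __name__ == "__main__":
    # Example: mgn_preflight.py us-east-1 bucket.vpce-0123456789abcdef0.s3.us-east-1.vpce.amazonaws.com 10.1.1.25
    if len(sys.argv) != 4:
        sys.exit("usage: mgn_preflight.py <region> <s3-interface-endpoint-dns> <staging-subnet-host>")
    region, s3_host, staging = sys.argv[1:]
    problems = failures(run_checks(source_server_checks(region, s3_host, staging)))
    for problem in problems:
        print("FAIL", problem)
    print("all checks passed" if not problems else f"{len(problems)} check(s) failed")
    sys.exit(1 if problems else 0)
```

The private-address test uses the RFC 1918 ranges; if your VPC uses a publicly routable CIDR, relax `all_private` to compare against your VPC CIDRs instead. A public answer for the Application Migration Service name almost always means step 4 (the DHCP options set) has not taken effect on the source server yet, which on Linux typically needs a DHCP lease renewal.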

Automating Agent deployments with Cloud Migration Factory

The Cloud Migration Factory on AWS automates the deployment of the Application Migration Service Agent for the private network scenario by passing the additional command line parameters that the private endpoints require. When you deploy this solution (see its options for automated deployment), you can use the included scripts, which automate the following:

  • Application Migration Service Agent installation on Windows servers using private endpoints

  • Application Migration Service Agent installation on Linux servers using private endpoints