Google Cloud Platform
SUREedge® MIGRATOR 7.0.7
Installation Guide for Google Cloud Platform
1. Introduction
SUREedge® Migrator is a proven enterprise-class software appliance for Application Mobility, significantly simplifying and improving the process of moving enterprise applications and systems across disparate environments. With a multi-tier application migration planner, agentless architecture, WAN throttling, application awareness and world class encryption and deduplication capabilities, SUREedge® Migrator is easy to deploy, highly scalable and hardware- and hypervisor-agnostic. With the ability to capture and migrate applications, data and servers between disparate virtualization environments, data centers and public, private and hybrid clouds, SUREedge® Migrator is the most complete and easy-to-use solution available in the market.
1.1 Deployment Scenarios
An instance of SUREedge Migrator can be used to move systems, applications, and data between compute environments – from one data center to another, from physical systems into private or public clouds, across compute clouds and other virtualization environments, or any computationally “distant” environments. This process is referred to as migration.
Note that the same SUREedge Migrator software is installed and similar installation procedures are followed for both the source and target instances; the role of a given instance (target or source) is determined solely by its configuration. Therefore, these installation instructions apply to both source and target site installs.
1.2 Installation Overview
To set up an environment for migration you should first determine the location(s) where SUREedge Migrator should be installed. You can then:
- Obtain the required documentation and software for the environment(s) you have identified. You should have the SUREedge Migrator 7.0.7 Installation Guide for Google Cloud Platform (GCP).
- Perform the installation of SUREedge Migrator software as instructed.
- License and configure SUREedge Migrator as appropriate for each environment, as described in the Installation Guide and the SUREedge Migrator 7.0.7 User Guide.
This Installation Guide covers the steps necessary for installing SUREedge Migrator in a GCP environment. The following sections will take you through the steps to obtain installation materials and to install, license and configure SUREedge Migrator to run in a GCP environment. You can then use the SUREedge Migrator 7.0.7 User Guide to configure and start using SUREedge Migrator for migration.
2. Installing SUREedge Migrator
SUREedge Migrator installers, tools and documentation are all available online for download. The next sections detail how to obtain the documentation and software binaries you will need to get started with SUREedge Migrator.
2.1 Obtaining Documentation
SUREedge Migrator documentation is available for download as PDF files from Sureline Systems. To get access to SUREedge Migrator documentation, navigate to this URL in your browser:
https://drive.google.com/drive/u/1/folders/1mbEpFoWMFTYS1tmknGBHprjwU--SsfFS
You will need an account to log in and access the SUREedge Migrator documentation. If you are a new user, please click on “Request access”. After the request is approved, you will have access to the download area.
2.2 Prerequisites for SUREedge Migrator Deployment in Google Cloud
To create virtual machines in the target project(s) where migrating servers will be relocated, SUREedge Migrator needs to perform operations using a service account with sufficient permissions and must have network access to the new virtual machines. This requires that the necessary APIs be enabled for the project(s) where VMs will be migrating and that a service account with the appropriate roles and permissions be available. You must also make sure that the virtual networking for the project(s) is configured so that, for the duration of the migration operation, the migrating VMs can be reached by the SUREedge Migrator instance that you deploy.
The following sections describe the specifics of these prerequisites and how to meet them.
2.2.1 Accounts and Privileges
To make the cloud API calls required to create the cloud-side virtual machines and transform them to run in the cloud, SUREedge Migrator needs the project to have the necessary APIs enabled and a service account with the appropriate permissions. Sureline provides a script that you can use to make the process of creating the roles and enabling the APIs easier. The details of required APIs, roles and permissions are outlined in section 4 “Required APIs, Roles and Permissions”.
2.2.2 Networking Configurations
SUREedge Migrator uses Google Cloud Virtual Private Cloud (VPC) networks and requires specific firewall rules to be configured for deployment and migration of workloads. This section describes the networking requirements and firewall rules needed for deployment.
All projects where VMs will be recovered must be reachable by the SUREedge Migrator instance; if multiple projects are involved, then this will require a Shared VPC. (Note: Legacy networks are not supported.) Any project can host the Shared VPC with the remaining projects attached. In the case where all migrated systems are going into a single project then the SUREedge Migrator instance should be deployed there and the default VPC for the project can be used.
2.2.2.1 Configuring Firewall rules
In order to create and transform servers being migrated into GCP, the SUREedge Migrator instance must be able to communicate with the VMs being created in the cloud. To allow this, any firewalls between the SUREedge Migrator instance and the projects that will contain the migrated VMs must allow the following network communications:
- ICMP: Firewalls must allow ICMP packets to be passed between the SUREedge Migrator instance and the target projects and networks.
- TCP: Ports 22, 25025, 25026, 25027, and 25028 must be open between the SUREedge Migrator instance and the target project networks.
- TCP: Ports 80 and 443 are used to access the SUREedge Migrator UI and must be open between the SUREedge Migrator MC VM and any systems where a browser will be used to access the Migrator UI.
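The following added example (not part of the Sureline guide or its scripts) checks an exported set of VPC firewall rules against the ports listed above: it reports which of those ports are reachable from any address and which have no allow rule at all. The rule names and address ranges in the sample are constructed, and the sample only imitates the JSON shape of `gcloud compute firewall-rules list --format=json`.

```python
import json

# TCP ports listed in section 2.2.2.1 of this guide.
MIGRATION_TCP = {22, 25025, 25026, 25027, 25028}
WEB_UI_TCP = {80, 443}
GUIDE_TCP = MIGRATION_TCP | WEB_UI_TCP
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def tcp_ports(rule):
    """Guide-listed TCP ports that one firewall rule allows."""
    opened = set()
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        specs = entry.get("ports")
        if not specs:  # no port list means every port of that protocol
            return set(GUIDE_TCP)
        for spec in specs:  # "443" or a range such as "25025-25028"
            low, _, high = spec.partition("-")
            low, high = int(low), int(high or low)
            opened |= {p for p in GUIDE_TCP if low <= p <= high}
    return opened


def audit(rules):
    """Return (internet_exposed, missing_ports, icmp_allowed)."""
    exposed, covered, icmp = [], set(), False
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue  # egress and disabled rules open nothing inbound
        ports = tcp_ports(rule)
        covered |= ports
        icmp = icmp or any(e.get("IPProtocol") in ("icmp", "all")
                           for e in rule.get("allowed", []))
        # Assumes the export carries sourceRanges for range-scoped rules.
        if ports and ANY_SOURCE & set(rule.get("sourceRanges", [])):
            exposed.append((rule["name"], sorted(ports)))
    return exposed, sorted(GUIDE_TCP - covered), icmp


# Constructed sample rules (names and ranges are illustrative only).
SAMPLE = json.loads("""[
  {"name": "migrator-comm", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22", "25025-25027"]}]},
  {"name": "migrator-ui", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
  {"name": "allow-ping", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
   "allowed": [{"IPProtocol": "icmp"}]},
  {"name": "old-open", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]""")

if __name__ == "__main__":
    exposed, missing, icmp = audit(SAMPLE)
    for name, ports in exposed:
        print(f"{name}: ports {ports} reachable from any address")
    print("guide ports with no allow rule:", missing)
    print("ICMP allowed:", icmp)
```

The check is deliberately coarse: it looks at all rules together and ignores which network and target tags each rule applies to, so filter the export to the VPC used by the Migrator instance before relying on the result.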
2.3 Deploying SUREedge Migrator on GCP
This section contains the instructions for deploying SUREedge Migrator on Google Cloud Platform.
- Log in to GCP and navigate to the Marketplace (https://console.cloud.google.com/marketplace) and search for “SUREedge Migrator”:
- You will see a listing for SUREedge Migrator:
- Click on “SUREedge Migrator” as highlighted in the above screen. This brings you to the Migrator’s Marketplace Product Page:
- Click the LAUNCH button to begin the deployment process. This shows the SUREedge Migrator Deployment page:
- First select the project in which you wish to deploy.
- In the New SUREedge Migrator deployment section you can customize any of the deployment parameters as per your requirements.
You must supply the following information:
- In the Deployment you should select a VPC which is shared across the project where SUREedge is deployed and the target projects where VMs need to be migrated.
- In the Migration Controller Service Account field enter a service account to be used by the deployed Migrator instance (as described in Section 2.2, “Prerequisites for SUREedge Migrator Deployment in Google Cloud” above.)
- In the Networking field you should select a VPC which is shared across the project where SUREedge is deployed and the target projects where VMs need to be migrated. (If all VMs are going to be recovered into the same project as the one where Migrator is being deployed you can select any network attached to it.)
You may also modify the following parameters:
- In the Zone field select the appropriate zone/country from the dropdown list for the deployment process.
- If you wish the deployment process to add tags and firewall rules to your chosen (non-Shared) VPC that will allow migration-related traffic from the internet, then enable the Communication Ports option. You can restrict the source IP addresses given this access by adding them to the Source Server IP Ranges field. (These steps are not required if, for example, you will be utilizing a VPN to connect your networking to the systems being migrated.)
- If you wish the deployment process to add tags and firewall rules to your chosen (non-Shared) VPC that will allow web-based UI traffic from the internet, then enable the SUREedge Web UI Ports option. You can restrict the source IP addresses given this access by adding them to the IP ranges from which SUREedge Web UI traffic will be allowed.
- If you are deploying on a Shared VPC you should not use the Communication Ports or SUREedge Web UI Ports options; this could result in the deployment operation failing. Instead you should configure your Shared VPC with the appropriate firewall rules to allow traffic from the source servers and UI clients before deploying SUREedge Migrator. You can also add any networking tags to the deployed SUREedge Migrator VMs that are required to enable the necessary connectivity by specifying the tags as a comma-separated list in the Networking Tags area.
- You can expand the More Networking Details area to access more options, such as whether an external IP address should be assigned to the Migrator Instance VMs being deployed.
- In the Windows VM Details section, you can modify the values for the SUREedge Migrator MC virtual machine, such as the machine type, disk type and size, etc.
- In the Linux VM Details section, you can modify the values for SUREedge Store virtual machine, such as the machine type, disk type and size, etc.
You can modify the amount of disk space allocated for storing images of migrating systems in the Linux Data Disk section. It defaults to 1TB which is sufficient for many migration projects and the disks are automatically resized as needed while migration is in progress.
Once deployment is completed, the post-deployment page shows the Windows VM address where you can access the Migrator user interface, and a pre-configured username and password used to log in.
3. Getting Started
Your system is now installed and ready to perform Migration. Please refer to the SUREedge Migrator User Guide for more information about SUREedge Migrator applications and systems.
Use the Windows Site Address link to access the newly deployed SUREedge Migrator instance. This will lead you to the following login screen. Enter the Admin user (from the post-deployment page) in the Username field and the Admin Password in the Password field.
Click Login. You will be taken to the SUREedge Migrator main user interface.
When you first log into your SUREedge Migrator instance you will see the Data Encryption Settings page:
Here you need to set an Encryption Password and an Encryption Passphrase, which will be used to encrypt data when it is transferred over the WAN and when it is put into persistent storage.
Note: You must remember your Encryption Password and Encryption Passphrase if you are going to perform an onsite deployment of SUREedge Migrator.
After setting the Encryption Password and Encryption Passphrase, click the Save button.
Note: It will take time to save the encryption details.
Once you have completed the encryption settings, you will see the Global Recovery Settings page:
These settings are default attributes used when creating the VMs that represent the systems that are being migrated into GCP. These include things like the project where VMs should be recovered, the region, networking and disk details, etc. These values are used as defaults and can be overridden later during the recovery workflow. (Note that the selectable options such as projects, zones, etc., are taken from your GCP account; you can refresh the values by clicking the Sync GCP Project Information button.)
Note: It may take time to reflect data after clicking on Sync GCP Project Information button.
Once you have selected your default recovery values click on the Save button to continue.
If you are using a single instance of Migrator to perform your migrations, then your deployment is complete! You can now start adding systems to migrate; see the SUREedge Migrator User Guide for more information on the migration process.
Note: For Dual Instance Deployments
A SUREedge Migrator Dual Instance Deployment involves deploying an instance of Migrator within the source site, where the systems being migrated reside, which is used to capture and securely transfer system images to the Migrator instance running in the cloud. (For details on when you might want to use a Dual Instance deployment, see the Introduction to the SUREedge Migrator User Guide.)
If you are going to use a Dual Instance deployment your next step is to download and install the Migrator instance at the source site. To download the software, navigate to the Settings page of the Migrator UI and select the Dual Instance section:
Here you will find installation media for installing Migrator in various environments, along with instructions for its installation and configuration.
4. Required APIs, Roles and Permissions
SUREedge Migrator requires that certain APIs can be used within the project(s) where VMs will be migrating and needs a service account with the appropriate roles and permissions enabled. The APIs, roles and permissions required are listed in the table below:
Project APIs needed: | ||
iam.googleapis.com | cloudresourcemanager.googleapis.com | logging.googleapis.com |
compute.googleapis.com | storage-component.googleapis.com | monitoring.googleapis.com |
Roles Needed: | ||
iam.serviceAccountUser | logging.logWriter | roles/monitoring.metricWriter |
roles/monitoring.viewer | ||
Permissions Needed: | ||
compute.addresses.create | compute.addresses.createInternal | compute.addresses.delete |
compute.addresses.deleteInternal | compute.addresses.get | compute.addresses.list |
compute.addresses.setLabels | compute.addresses.use | compute.addresses.useInternal |
compute.diskTypes.get | compute.diskTypes.list | compute.disks.create |
compute.disks.delete | compute.disks.get | compute.disks.list |
compute.disks.setLabels | compute.disks.update | compute.disks.use |
compute.disks.useReadOnly | compute.disks.createSnapshot | compute.images.get |
compute.images.list | compute.images.useReadOnly | compute.snapshots.create |
compute.snapshots.delete | compute.snapshots.useReadOnly | compute.instances.attachDisk |
compute.instances.create | compute.instances.delete | compute.instances.detachDisk |
compute.instances.get | compute.instances.getSerialPortOutput | compute.instances.list |
compute.instances.reset | compute.instances.setDiskAutoDelete | compute.instances.setLabels |
compute.instances.setMachineType | compute.instances.setMetadata | compute.instances.setMinCpuPlatform |
compute.instances.setScheduling | compute.instances.setServiceAccount | compute.instances.setTags |
compute.instances.start | compute.instances.startWithEncryptionKey | compute.instances.stop |
compute.instances.update | compute.instances.updateNetworkInterface | compute.instances.updateShieldedInstanceConfig |
compute.instances.use | compute.licenseCodes.get | compute.licenseCodes.list |
compute.licenseCodes.update | compute.licenseCodes.use | compute.licenses.get |
compute.licenses.list | compute.machineTypes.get | compute.machineTypes.list |
compute.networks.get | compute.networks.list | compute.networks.use |
compute.networks.useExternalIp | compute.nodeGroups.get | compute.nodeGroups.list |
compute.nodeTemplates.list | compute.projects.get | compute.regionOperations.get |
compute.regions.get | compute.regions.list | compute.subnetworks.get |
compute.subnetworks.list | compute.subnetworks.use | compute.subnetworks.useExternalIp |
compute.zoneOperations.get | compute.zones.get | compute.zones.list |
iam.serviceAccounts.get | iam.serviceAccounts.list | resourcemanager.projects.get |
storage.buckets.create | storage.buckets.delete | storage.buckets.get |
storage.buckets.list | storage.buckets.update | storage.objects.create |
storage.objects.delete | storage.objects.get | storage.objects.list |
storage.objects.update | compute.disks.resize |
To ease the process of setting up these permissions, Sureline has provided a script that can be run in a Cloud Shell in your account to create a service account and grant it the required roles and permissions. The script needs to be run under a user account with the following roles:
- Owner privileges for the project(s) into which systems will be migrating;
- Organization Role Administrator privileges for the account; and
- Organization Administrator privileges for the cloud account.
Note: If the systems being migrated will all be brought up within a single project, then the migration can be achieved with permissions strictly enabled for that project. In this case the script can be run with only the project’s Owner role.
4.1 Running The Setup Script
To run the permissions setup script click the “Activate Cloud Shell” button at the top of the Google Cloud Platform Console.
A Cloud Shell session opens inside a new frame at the bottom of the Console and displays a command-line prompt. It can take a few seconds for the session to be initialized.
At the prompt, issue the command below to download a configuration script to create Google Cloud roles and service accounts:
gsutil cp gs://sureline-release/gcpmigrator/7.0.7/SUREedgePreDeployment/* .
This command copies these files into the Cloud Shell environment:
SUREedgeMigratorPreDeployment.py sureedge_deployment.json
The script SUREedgeMigratorPreDeployment.py can then be run to create the required role and service account for SUREedge Migrator. The script’s usage is as follows:
python3 SUREedgeMigratorPreDeployment.py [-h] -d <DEPLOYMENT_NAME> -p <PROJECT_ID> [-o <ORG_ID>]
where the arguments are:
Argument | Description | Required |
---|---|---|
-h, --help | show this help message and exit | No |
-d <DEPLOYMENT_NAME>, --deployment-name <DEPLOYMENT_NAME> | A suffix that will be appended to the Service Account and Role names created by the script. Must be less than 8 characters and can only have lowercase letters and numbers. | Yes |
-p <PROJECT_ID>, --project-id <PROJECT_ID> | The ID of the GCP project that will host your Migrator instance. | Yes |
-o <ORG_ID>, --org-id <ORG_ID> | The numeric GCP organization ID in which the role will be created, and which administers the project(s) where migrated systems will exist. | No |
For example, to create roles and permissions using the suffix sureorg2 for deployment of a SUREedge Migrator instance into the project sureline-demo within the organization whose ID is 012345678910, you would run the command:
python3 SUREedgeMigratorPreDeployment.py -d sureorg2 -p sureline-demo -o 012345678910
This will create the role SUREedge Manager sureorg2 within the organization with ID 012345678910 and within the project sureline-demo and create the service account sureedge-manager-sureorg@sureline-demo.iam.gserviceaccount.com.
In the case where all migration operations will occur within a single project the script can be run without the organization ID option (-o <ORG_ID> ):
python3 SUREedgeMigratorPreDeployment.py -d sureorg3 -p sureline-demo
This command creates the SUREedge Manager sureorg3 role and the service account sureedge-manager-sureorg3@sureline-demo.iam.gserviceaccount.com in the sureline-demo project.
5. Contacting Support
The Sureline Systems website (https://www.surelinesystems.com/support) provides a support page where you can submit your issues. A ticket will be generated automatically, and the support team will contact you.
Email Us
Alternatively, you can write an email to support@surelinesystems.com with a detailed description of the issue. This will automatically create a support ticket, and a member of our customer support team will reach out to you soon after.
Telephone Support:
You can also call us at 408-331-8750 if you wish to speak with a Sureline Systems engineer directly.