


# Installing the AWS Application Migration Service vCenter Client for Agentless Replication on vCenter source environments

AWS Application Migration Service allows you to perform agentless snapshot replication from your vCenter source environment into AWS. This is achieved by installing the Application Migration Service vCenter Client in your vCenter environment. Application Migration Service recommends using agent-based replication when possible, as it supports CDP (Continuous Data Protection) and provides the shortest cutover window. Agentless replication should be used when your company’s policies prevent you from installing the AWS Replication Agent on each individual server.

**Topics**
+ [Agentless replication overview](installing-vcenter-overview-mgn.md)
+ [Prerequisites](#installing-vcenter-prereques-mgn)
+ [VMware limitations](installing-vcenter-reques-mgn.md)
+ [Generating vCenter Client IAM credentials](vcenter-credentials-mgn.md)
+ [Installing the Application Migration Service vCenter Client](installing-vcenter-appliance-mgn.md)
+ [Replicating servers from vCenter to AWS](replicating-vcenter-aws-mgn.md)
+ [Updating the vCenter or AWS Credentials](updating-vcenter-or-aws-credentials.md)
+ [Differentiating agentless and agent-based servers](differences-vcenter-aws.md)

# Agentless replication overview


Agentless snapshot-based replication allows you to replicate source servers on your vCenter environment into AWS without installing the AWS Replication Agent. 

In order to use agentless replication, you must dedicate at least one VM in your vCenter environment to host the Application Migration Service vCenter Client. The Application Migration Service vCenter Client is a software bundle distributed by Application Migration Service and is available for installation as a binary installer. The installation process installs services on the client VM which allow Application Migration Service to remotely discover your VMs that are suitable for agentless replication, and to perform data replication between your vCenter environment and AWS through the use of periodic snapshot shipping. 

Agentless snapshot-based replication is divided into two main operations: discovery and replication.

The discovery process involves periodically scanning your vCenter environment to detect source server VMs that are suitable for agentless replication, and adding these VMs to the Application Migration Service console. Once a source server has been added, you may choose to initiate agentless replication on the source VM using the Application Migration Service API or console. The discovery process also collects all of the necessary information from vCenter in order to perform an agentless conversion process once a migration job is launched. 

The replication process involves continuously starting and monitoring “snapshot shipping processes” on the source server VM being replicated. A “snapshot shipping process” is a long-running logical operation that takes a VMware snapshot of the replicated VM and launches an ephemeral replication agent process. That process uses VMware’s Changed Block Tracking (CBT) feature to identify the locations of changed volume data, uses the Virtual Disk Development Kit (VDDK) to read the modified data, and sends the data from the source environment to the customer’s target AWS account. The first snapshot shipping process performs an “initial sync”, which sends the entire disk contents of the replicating VM into AWS. Subsequent snapshot shipping processes use CBT to sync only disk changes to the customer’s target AWS account. Each successful snapshot shipping process completes the replication operation by creating a group of consistent Amazon EBS snapshots in the customer’s AWS account, which the customer can then use to launch test and cutover instances through the regular Application Migration Service mechanisms.

These are the main system components of agentless replication:


+ Application Migration Service vCenter Client – A software bundle that is installed on a dedicated VM in your vCenter environment in order to facilitate agentless replication.
+ vCenter Replication Agent – A Java agent based on the AWS Replication Agent, which replicates a single VM using VDDK and CBT as the data source instead of the Application Migration Service driver (which is used by the AWS Replication Agent).
+ Application Migration Service Service
+ Application Migration Service console 

**Note**  
Agentless replication does not work in IPv6-only source environments.

This diagram illustrates the high level interaction between the different agentless replication system components: 

![\[Diagram showing agentless replication from corporate data center to AWS Cloud with staging and migration steps.\]](http://docs.aws.amazon.com/mgn/latest/ug/images/agentless-architecture.png)


## Prerequisites


1. Ensure that you have initialized AWS Application Migration Service.

# VMware limitations


+ Application Migration Service supports VMC on AWS for agentless replication.
+ Application Migration Service partially supports vMotion, Storage vMotion, and other features based on virtual machine migration (such as DRS and Storage DRS) subject to these limitations: 
  + Migrating a virtual machine to a new ESXi host or datastore after one replication run ends, and before the next replication run begins, is supported as long as the vCenter account has sufficient permissions on the destination ESXi host, datastores, and datacenter, and on the virtual machine itself at the new location. 
  + Migrating a virtual machine to a new ESXi host, datastore, and/or datacenter while a replication run is active – that is, while a virtual machine upload is in progress – is not supported. Cross vCenter vMotion is not supported for use with Application Migration Service. 
+ AWS does not provide support for migrating VMware Virtual Volumes. 

# Generating vCenter Client IAM credentials


In order to use the Application Migration Service vCenter Client, you must first generate the correct IAM credentials.

You need to create at least one AWS Identity and Access Management (IAM) user, and assign the proper permission policies to this user. Obtain an Access key ID and Secret access key, which you need to enter into the Agent installation prompt in order to begin the installation. We recommend that you use **IAM access last used information** to rotate and remove access keys safely. For more information, see [Rotating access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey).

1. Open the **AWS Management Console** and look for **IAM** under **Find Services**.

1. From the **IAM** main page, choose **Users** from the left-hand navigation menu.

1. You can either select an existing user or add a new user. To add a new user, click **Add user**.

1. Give the user a **User name** and select the **Programmatic access** access type. Click **Next: Permissions**. 

1. Choose the **Attach existing policies directly** option. Search for **AWSApplicationMigrationVCenterClientPolicy** and **AWSApplicationMigrationAgentPolicy**. Select the policies and click **Next: Tags.**

1. Add tags if you wish to use them and then click **Next: Review.** 

1. Review the information. Ensure that the **Programmatic access** type is selected and that the correct policy is attached to the user. Choose **Create user**.

1. A confirmation message appears and you can see the **Access key ID** and **Secret access key** that you need in order to install the AWS Replication Agent on your source servers. 

   To save this information as .csv file, click **Download .csv**. 

   You can also access this information and re-generate your security credentials by navigating to **IAM > Users > Your user**.

   Open the **Security credentials** tab and scroll down to **Access keys**. Here you can manage your access keys (create, delete, and more). 

# Installing the Application Migration Service vCenter Client


The first step to deploying the agentless solution is installing the Application Migration Service vCenter Client on your vCenter environment. 

**Note**  
If you have multiple vCenter environments, you need to install multiple clients. You may not have more than one Application Migration Service vCenter Client installed per AWS account. If you have multiple vCenter environments, you can either use a different AWS account for each environment or you can migrate your VMs serially, environment by environment, into the same AWS account. 

After the Application Migration Service vCenter Client has been installed, it discovers all of the VMs in your vCenter environment and adds them to Application Migration Service.

## Application Migration Service vCenter Client requirements


Ensure that you review the notes below prior to installing the Application Migration Service vCenter Client. Once you have read the notes, proceed to [install the client](client-installation-instructions-mgn.md).

### vCenter Client requirements

+ You must install the Application Migration Service vCenter Client on a VM that has outbound network connectivity to the AWS Application Migration Service API endpoints and outbound network connectivity to the vCenter endpoint. Customers who want to use PrivateLink can use VPN or AWS Direct Connect to connect to AWS.
+ The Application Migration Service vCenter Client currently only supports VirtualDiskFlatVer2BackingInfo VMDK on CBT. 
+ You must log in to your Broadcom account and download VDDK 7.0.3.3 to the VM on which the Application Migration Service vCenter Client is installed. VDDK 7.0.3.3 must be used, regardless of the vCenter version used. 
+ The Application Migration Service vCenter Client requires these vCenter user permissions for agentless deployment. It is a best practice to create a dedicated role with these permissions and a dedicated user group with which the role is associated. Every new user created for the Application Migration Service vCenter Client needs to be a member of that group in order to obtain the required permissions. The vCenter predefined role “Consolidated Backup user (sample)” provides most of these permissions. If that role is used, the **Toggle disk change tracking** permission must be provided.
  + Change configuration
    + Acquire disk lease
    + Toggle disk change tracking
  + Provisioning
    + Allow read-only disk access
    + Allow virtual machine download
  + Snapshot management
    + Create snapshot
    + Remove snapshot
+ The VM on which the Application Migration Service vCenter Client is installed should meet these RAM, CPU, and disk space requirements:
  + Minimal requirements (these requirements allow the replication of up to 5 servers in parallel) – 2 GiB RAM, 1 core, 10 GiB of free disk space
  + Optional performance requirements (these requirements allow the replication of the maximum number of 50 servers in parallel) – 16 GiB RAM, 8 cores, 10 GiB of free disk space
+ VMs that are being replicated into AWS should have at least 2 GiB of free disk space.
+ The VM on which the Application Migration Service vCenter Client is installed should not allow any incoming (ingress) traffic.
+ The VM on which the Application Migration Service vCenter Client is installed should only allow outgoing traffic as follows:
  + Egress TCP on the port on which the vCenter API runs.
  + Egress TCP on port 443 for communication with the Application Migration Service API.
  + Egress TCP on port 1500 – for the replication server.
+ Patching of guest OS running AWS vCenter client should be handled by the customer as part of shared responsibility.
+ IAM credentials used by the vCenter Client should be rotated on a regular schedule. Learn more about how to rotate access keys for IAM users in [this IAM blog post](https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/). IAM credentials can be regenerated by reinstalling the AWS Replication Agent.
+ The VM that hosts the Application Migration Service vCenter Client should only be used for client hosting and should not be used for any other purposes.
+ Only a trusted administrator should have access to the VM on which the Application Migration Service vCenter Client is installed. 
+ The Application Migration Service vCenter Client should be located in an isolated and dedicated network and considered a sensitive segment.
+ You can deactivate the vCenter Client auto-update mechanism by running this command: `touch /var/lib/aws-vcenter-client/.disable_auto_updates` Once auto-updates are deactivated, you need to reinstall the client to perform a manual update. If you deactivate the auto-update mechanism, you are responsible for ensuring that all security updates are performed on the client. After a manual update, you should validate the new hash against the [installer hash](client-installation-instructions-mgn.md).

### vCenter Client installer notes

+ The Application Migration Service vCenter Client installer only supports vCenter 6.7, 7.0 and 8.0.
+ The Application Migration Service vCenter Client can be installed on these 64 bit Linux versions:
  + Ubuntu 18.x (64 bit) - 22.04
  + Amazon Linux 2
  + RHEL 8.x
+ If you are using a RHEL 8.x environment, ensure that you run the `sudo yum install python3` command to install python prior to launching the client installer.
+ These flags are used by the installer:

  ```
  usage: aws-vcenter-client-installer-init.py [-h]
             [--aws-access-key-id AWS_ACCESS_KEY_ID]
             [--aws-secret-access-key AWS_SECRET_ACCESS_KEY]
             [--region REGION]
             [--endpoint ENDPOINT]
             [--s3-endpoint S3_ENDPOINT]
             [--vcenter-host VCENTER_HOST]
             [--vcenter-port VCENTER_PORT]
             [--vcenter-user VCENTER_USER]
             [--vcenter-password VCENTER_PASSWORD]
             [--vcenter-ca-path VCENTER_CA_PATH]
             [--vddk-path VDDK_PATH]
             [--vcenter-client-tags KEY=VALUE [KEY=VALUE ...]]
             [--source-server-tags KEY=VALUE [KEY=VALUE ...]]
             [--disable-ssl-cert-validation]
             [--no-prompt]
             [--force-delete-existing-client]
             [--version]
  ```

  + `--no-prompt` – Use this flag for an unattended installation. If you are using this flag, you must also use the `--force-delete-existing-client` flag.
  + `--force-delete-existing-client` – Use this flag to delete an existing version of the vCenter Client from your VM. You must use this flag if you've previously installed the vCenter Client on the VM. If you use the `--no-prompt` flag, you must also use this flag.

  Optional arguments:

  + `-h`, `--help` – Show this help message and exit.

### vCenter environment requirements

+ AWS Application Migration Service supports VM hardware version 7 and higher with CBT activated. Ensure that you upgrade any VMs you have to hardware version 7 or higher. Ensure that CBT support is activated in your vSphere deployment. Application Migration Service activates CBT on replicating VMs. You can deactivate CBT after cutover. 
+ The VM being replicated into Application Migration Service must not contain any existing VMware snapshots.
+ Once added to Application Migration Service, snapshot-based replication creates snapshots on the replicated VM, which may result in slower disk performance.
+ VMs with independent disks, Raw Device Mappings (RDM), or direct-attach disks (iSCSI, NBD) are not supported for replication into Application Migration Service.
+ The VM being replicated into Application Migration Service can be either stopped or running. Changing the VM state during data replication does not affect data replication and causes no data corruption.

# Application Migration Service vCenter Client installation instructions


To install the Application Migration Service vCenter Client, follow these steps:



1. Download the Application Migration Service vCenter Client installer onto a VM within your vCenter environment. You can download the client from this URL: `https://aws-application-migration-service-(region).s3.(region).amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py` Replace `(region)` with the AWS Region into which you are replicating. 

   This is an example of the installer link for us-east-1: `https://aws-application-migration-service-us-east-1.s3.us-east-1.amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py`

   If you need to validate the installer hash, the correct hash can be found here: `https://aws-application-migration-service-hashes-(region).s3.(region).amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py.sha512 `

   This is an example of the installer hash link for us-east-1: `https://aws-application-migration-service-hashes-us-east-1.s3.us-east-1.amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py.sha512`

1. In command prompt, navigate to the directory where you downloaded the Application Migration Service vCenter Client installer and run the installer with this command: `sudo python3 aws-vcenter-client-installer-init.py`  
![\[Command prompt showing execution of Python script for AWS vCenter Client installer.\]](http://docs.aws.amazon.com/mgn/latest/ug/images/agentless3.png)

1. The installer prompts you for your credentials. Enter the required info in each field and then press **Enter**:   
![\[Terminal window displaying AWS access key details and endpoint information.\]](http://docs.aws.amazon.com/mgn/latest/ug/images/agentless4.png)
   + AWS Access Key ID – Enter the AWS Access Key ID you generated in the previous section.
   + AWS Secret Access Key – Enter the AWS Secret Access Key you generated in the previous section.
   + AWS Region name – The AWS Region of your account (for example, eu-west-1).
   + The Private Link endpoint for AWS Application Migration Service (optional, leave blank if not using Private Link).
   + The VPC endpoint for Amazon S3 (optional, leave blank if not using a VPC endpoint).

1. The installer then prompts you to enter your vCenter information. Enter the required info in each field and then press **Enter**:   
![\[Command line interface prompting for vCenter connection details including IP, port, and credentials.\]](http://docs.aws.amazon.com/mgn/latest/ug/images/agentless5.png)

   
   + vCenter IP or hostname
   + vCenter port (press Enter to use the default TCP Port 443)
   + vCenter username
   + vCenter password
   + Path to vCenter root CA certificate (optional) - To use SSL certificate validation, download the certificates from `https://<vcenter-ip>/certs/download.zip` (example: `wget https://<vcenter-ip>/certs/download.zip --no-check-certificate`), then enter the path of the certificate (example: `/usr/local/src/lin/f7f2bd6e.0`). Otherwise, press **Enter** to deactivate SSL certificate validation.

     **Note**  
     The certificate must be located in a file that's readable to the vCenter client user, such as a shared directory. If the certificate is not located in a shared directory, you see a permission error in the logs (Error 13).

     To use a certificate in your vCenter environment, you must set up a connection using a hostname. Using an IP does not work with a certificate.

     It's a security best practice to use certificates. Customers that do not use certificate authentication are responsible for any security issues that may arise.
   + Path to VDDK tarball - Provide the path to the VDDK tarball that you previously downloaded onto the VM (example: `path/to/VMware-vix-disklib-7.0.3-21933544.x86_64.tar.gz`). You can download the VDDK tarball from your Broadcom account.
   + Resource tags for the AWS vCenter client (optional) - Use this format for tagging:

     `KEY=VALUE [KEY=VALUE ...]` adds resource tags to the AWS vCenter client; use a space to separate each tag (e.g., `--vcenter-client-tags tag1=val1 tag2=val2 tag3=val3`)
   + Resource tags for source servers to be discovered by the AWS vCenter client (optional) - Use this format for tagging:

     `KEY=VALUE [KEY=VALUE ...]` adds resource tags to the source servers added by discovery; use a space to separate each tag (e.g., `--source-server-tags tag1=val1 tag2=val2 tag3=val3`)

1. The installer downloads and installs the AWS vCenter client and registers it with AWS Application Migration Service.  
![\[Terminal output showing successful download and installation of AWS vCenter client.\]](http://docs.aws.amazon.com/mgn/latest/ug/images/agentless6.png)

1. Once the AWS vCenter client has been installed, all of the VMs in your vCenter are added to AWS Application Migration Service. The VMs are added in the DISCOVERED state.
**Note**  
If you have a significant number of VMs in your vCenter environment, it may take some time for all of the VMs to become visible in the Application Migration Service console. 
The Application Migration Service vCenter Appliance is excluded from the discovered servers list.
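
The hash check from step 1 (also the check recommended after a manual update when auto-updates are deactivated), as an added shell example that is not part of the AWS documentation. It assumes `curl` and `sha512sum` are available on the client VM and that the `.sha512` object holds the hex digest as its first whitespace-separated token; the script and function names are illustrative.

```shell
#!/bin/sh
# Added example (not AWS code): download the vCenter Client installer and its
# published SHA-512 for one Region, and keep the installer only if they match.
# Usage: sh fetch-vcenter-installer.sh <region>   (script name is illustrative)

BASE=latest/vcenter-client/linux/aws-vcenter-client-installer-init.py

# URL patterns from step 1 of the installation instructions.
installer_url() {
    printf 'https://aws-application-migration-service-%s.s3.%s.amazonaws.com/%s\n' "$1" "$1" "$BASE"
}
hash_url() {
    printf 'https://aws-application-migration-service-hashes-%s.s3.%s.amazonaws.com/%s.sha512\n' "$1" "$1" "$BASE"
}

# The Region is placed into a URL, so accept only lowercase letters, digits, hyphens.
valid_region() {
    case "$1" in ''|*[!a-z0-9-]*) return 1 ;; esac
}

# Assumption: the .sha512 object carries the hex digest as its first
# whitespace-separated token (a bare digest, or "digest  filename").
expected_digest() {
    tr -d '\r' < "$1" | awk 'NF { print tolower($1); exit }'
}

# Exit 0: digests match. 1: mismatch. 2: the hash file does not contain a
# SHA-512 digest (for example an S3 error document saved in its place).
verify_installer() {
    want=$(expected_digest "$2")
    case "$want" in ''|*[!0-9a-f]*) return 2 ;; esac
    [ "${#want}" -eq 128 ] || return 2
    got=$(sha512sum "$1" | awk '{ print $1 }')
    [ "$want" = "$got" ]
}

main() {
    region=$1
    valid_region "$region" || { echo "invalid Region: $region" >&2; return 2; }
    out=aws-vcenter-client-installer-init.py
    # HTTPS only; fail on HTTP errors instead of saving the error body.
    fetch() { curl --fail --silent --show-error --proto '=https' -o "$2" "$1"; }
    fetch "$(installer_url "$region")" "$out" || return 2
    fetch "$(hash_url "$region")" "$out.sha512" || return 2
    if verify_installer "$out" "$out.sha512"; then
        echo "SHA-512 matches; run: sudo python3 $out"
    else
        rm -f "$out"
        echo "SHA-512 check failed; installer deleted" >&2
        return 1
    fi
}

if [ $# -ge 1 ]; then main "$@"; fi
```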

You can configure transparent proxy either by using an environment variable prior to the installation (Linux and Windows), or by using the --proxy-address flag in the Linux installer:
+ Using the installer: `./aws-vcenter-client-installer-init.py --proxy-address http://PROXY:PORT/`
+ Using environment variable: `export https_proxy=http://PROXY:PORT/; ./aws-vcenter-client-installer-init.py`

Make sure the proxy has a trailing forward slash.
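
Pre-flight checks for the root CA prompt in step 4, as an added shell example that is not part of the AWS documentation. It tests the conditions from the note (hostname rather than IP, a file readable by other users, a chain that validates) and prints the CA fingerprint for out-of-band comparison, because the zip was fetched with `--no-check-certificate`. It assumes `openssl` is installed; the function names and the mode-bit readability test are assumptions.

```shell
#!/bin/sh
# Added example (not AWS code).
# Usage: sh check-vcenter-ca.sh <vcenter-hostname> <ca-file> [port]
# The script name and all function names are illustrative.

# A certificate only works when vCenter is addressed by hostname, not by IP.
is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;            # IPv6 literal (hostnames never contain ':')
        ''|*[!0-9.]*) return 1 ;;   # empty, or has letters/hyphens: treat as a name
        *) return 0 ;;              # digits and dots only: IPv4 literal
    esac
}

# The client runs as its own user, so the CA file must be readable by users
# other than the one who downloaded it; otherwise the logs show Error 13.
# Assumption: readability is judged from the "other" mode bits of the file
# and the search bit of every parent directory.
readable_by_others() {
    [ -f "$1" ] || return 1
    case "$(ls -ldL "$1")" in -??????r*) ;; *) return 1 ;; esac
    dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    while :; do
        case "$(ls -ldL "$dir")" in d????????[xt]*) ;; *) return 1 ;; esac
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# SHA-256 fingerprint of the CA file, to compare against a value obtained out
# of band: the zip itself was downloaded with --no-check-certificate.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# True when the vCenter endpoint's certificate chains to the chosen CA and
# matches the hostname.
chain_validates() {
    openssl s_client -connect "$1:$3" -servername "$1" -CAfile "$2" \
        -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

main() {
    host=$1 ca=$2 port=${3:-443} rc=0
    if is_ip_literal "$host"; then
        echo "FAIL: use the vCenter hostname, not an IP, with a certificate" >&2; rc=1
    fi
    if ! readable_by_others "$ca"; then
        echo "FAIL: $ca is not readable by other users (expect Error 13)" >&2; rc=1
    fi
    echo "Compare this fingerprint with one obtained out of band:"
    ca_fingerprint "$ca" || rc=1
    if ! chain_validates "$host" "$ca" "$port"; then
        echo "FAIL: $host:$port does not validate against $ca" >&2; rc=1
    fi
    return $rc
}

if [ $# -ge 2 ]; then main "$@"; fi
```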

# Replicating servers from vCenter to AWS


Once you have successfully installed the AWS vCenter client, all of your vCenter VMs are added to Application Migration Service in the DISCOVERED state. The DISCOVERED state means that the VM has not been replicated to AWS. 



**Note**  
VMware only sends data for up to 50 servers in parallel. Replicating more than 50 servers at once causes the rest to be queued and results in a longer wait. 

By default, the Application Migration Service console only shows active servers. You can tell which servers are being shown by looking at the filtering box under the main **Source servers** title. 

To see your discovered non-replicating servers that have been added from vCenter, open the filtering menu and choose **Discovered source servers**.

You now see all of your non-replicating DISCOVERED VMs.

To replicate one or more VMs into AWS, select the box to the left of each VM name, choose the **Replication** menu, and then choose **Start data replication**. 

Choose **Start** on the **Start data replication for x servers** dialog. 

The Application Migration Service console indicates that data replication has started.

To view the data replication progress, open the filtering menu and return to the default **Active source servers** view.

You now only see your replicating source servers. You can follow the launch process on the main **Source servers** view.

Once the VM has reached the **Ready for testing** state under **Migration lifecycle**, you can continue to [launch test and cutover instances](launching-test-servers.md) and perform all other regular Application Migration Service operations on the server. 

# Updating the vCenter or AWS Credentials


Users who want to change the vCenter or AWS credentials used by the Application Migration Service appliance should follow these steps. This change requires root privileges on the appliance:

1.  In the command prompt, navigate to the aws-vcenter-client directory:

   `cd /var/lib/aws-vcenter-client/1.1.8/`

1.  Run the vCenter configuration update tool with this command:

    `sudo ./vcenter_configuration_update` 

1.  When running the vCenter configuration update tool, you are prompted to provide the necessary credentials. Follow these steps to update the credentials. Provide the required info in each field and then press Enter: 
   +  New vCenter username (--new-vcenter-username) 
   +  New vCenter password (--new-vcenter-password) 
   +  New AWS Access Key ID (--new-aws-access-key-id) 
   +  New AWS Secret Access Key (--new-aws-secret-access-key) 
   +  New path to the CA (optional) (--new-ca-path) 

1.  If you do not provide the `--new-ca-path` flag, the tool first asks if you want to update the CA path. If you answer yes, it prompts you for the new CA path. If you answer no, the tool uses the CA path from the previous configuration. The tool verifies the new vCenter and AWS credentials by attempting to connect to vCenter and Application Migration Service using them. 

1.  Upon successful connection to vCenter and Application Migration Service, the tool saves the new credentials and restarts the necessary services. 

1.  In case of failure to connect to vCenter or Application Migration Service, the new credentials are not stored, and the previous configuration is retained. This error message is displayed: `Failed to connect to the vCenter endpoint or MGN using the new connection details. The configuration changes will not be applied.` 

# Differentiating agentless and agent-based servers


You can differentiate between an agentless vCenter VM that's replicating through snapshot shipping and an agent-based server (from any source infrastructure) in several ways:



1. On the **Source servers** page, under the **Replication type** column, the Application Migration Service console identifies the replication type, whether it is through **Snapshot shipping** (agentless) or **Agent based**. 

1. In the server details view, under the **Migration dashboard**, agentless servers that are replicated through snapshot shipping have an additional **Lifecycle** step – **Not started.**

1. Similarly, in the server details view, under the **Migration dashboard**, the **Data replication status** box shows the **Replication type** as **Snapshot shipping**. 