

# Migrating the data


Every migration must iterate over a configuration and build out its dependency tree. When you use a single configuration file, this is all done for you. If you use the [TMSH API](https://clouddocs.f5.com/api/tmsh/), you have to iterate over the configuration and build out the dependency tree yourself. The following sections outline the options and configurations available when migrating an F5 BIG-IP workload.

**Topics**
+ [Migrating a full configuration](migration-at-a-glance.md)
+ [Migrating a partial configuration](migrate-partial-configuration.md)
+ [High-density deployments without Elastic IPs](high-density-deployments.md)
+ [Interconnecting your VPCs](interconnecting-vpcs.md)
+ [Connecting to your AWS infrastructure](considerations-existing-aws-infrastructure.md)

# Migrating a full configuration


In this approach, you take a configuration from an existing system and migrate it to a new system. This process will copy an existing configuration, IP addresses, certificates, keys, pass phrases, and sign-in credentials. 

The primary reason for migrating an entire configuration is for a like-for-like system replacement, such as a hardware upgrade or an RMA. Typically, these concepts do not apply to the AWS Cloud. 

You can use UCS or SCF files to migrate a full configuration, and the following tables provide an overview of the advantages and disadvantages of using them. 



**Use a UCS or qkview file**

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/migration-at-a-glance.html)

**Use an SCF file**

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/migration-at-a-glance.html)

# Migrating a partial configuration


When you choose to migrate a partial configuration, you will use either a TMSH or SCF file as your starting point. You will also need to look up the objects that you want to move and compile them in the correct order. The following table outlines the advantages and disadvantages of migrating a partial configuration. 



[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/migrate-partial-configuration.html)
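
The dependency walk that a partial migration requires, as an added example (not code from the AWS or F5 documentation): it parses a constructed, simplified SCF-style fragment, follows object references from one virtual server, and returns the objects in dependencies-first order together with any referenced paths the fragment does not define. The sample text, the object names, and the helper names `parse_scf` and `migration_order` are assumptions made for illustration.

```python
import re
from graphlib import TopologicalSorter

# Constructed, simplified SCF-style fragment; every object name is illustrative.
SAMPLE_SCF = """\
ltm virtual /Common/vs_app {
    pool /Common/pool_app
    profiles {
        /Common/clientssl_app { context clientside }
    }
}
ltm pool /Common/pool_app {
    members { /Common/node1:80 { address 10.0.1.11 } }
}
ltm node /Common/node1 {
    address 10.0.1.11
}
ltm profile client-ssl /Common/clientssl_app {
    cert /Common/app.crt
    key /Common/app.key
}
ltm pool /Common/pool_other {
    members { /Common/node1:80 { address 10.0.1.11 } }
}
"""

def parse_scf(text):
    """Map each top-level object path to the object paths referenced in its body."""
    objects, current, depth = {}, None, 0
    for line in text.splitlines():
        # A top-level stanza header looks like "<type words> /Partition/name {".
        if depth == 0 and (m := re.match(r"\S.*?\s+(/\S+)\s*\{\s*$", line)):
            current = m.group(1)
            objects[current] = set()
        elif current:  # body line: collect /Partition/name tokens, dropping any :port
            objects[current] |= {re.sub(r":\d+$", "", t) for t in line.split() if t.startswith("/")}
        depth += line.count("{") - line.count("}")
        current = current if depth else None  # stanza closed: stop attributing lines
    return objects

def migration_order(objects, root):
    """Return (dependencies-first order for root, referenced paths the fragment lacks)."""
    graph, missing, stack = {}, set(), [root]
    while stack:
        name = stack.pop()
        if name not in graph:
            graph[name] = {r for r in objects[name] if r in objects and r != name}
            missing |= {r for r in objects[name] if r not in objects}
            stack.extend(graph[name])
    return list(TopologicalSorter(graph).static_order()), sorted(missing)
```

Paths returned in the second list, here the certificate and key that the client SSL profile references, are not part of the fragment and have to be present on the target system before the objects that depend on them are loaded.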

# High-density deployments without Elastic IPs


If you need high-density deployments that operate within the performance metrics, the applications do not require the use of Elastic IPs. This approach is referred to as an “alien IP.” 

An alien IP is a network or subnet range that is external to the VPC CIDR block and to which F5 maps virtual services. Alien IP addresses do not work in all scenarios, but can be used for a high density of virtual servers. Before an alien IP can be used, the following resources are required.
+ One subnet to host the applications
+ An F5 BIG-IP deployment with a Cloud Failover Extension to manage the routes
+ A route in the AWS route tables pointing to the elastic network interfaces

  

Using alien IP addresses does have implications for how you interconnect VPCs to other VPCs, as well as how you can interconnect VPCs to your data centers. The following diagram helps determine if an alien IP address is required. 

 ![\[Process flow for identifying if you require an alien IP address.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/images/F5-alien-address.png) 

# Interconnecting your VPCs


The following tables show the key considerations when you are interconnecting your VPCs.


| **Security VPC with VPC peering: advantages** | **Security VPC with VPC peering: disadvantages** | **Security VPC with AWS Transit Gateway: advantages** | **Security VPC with AWS Transit Gateway: disadvantages** | **Security VPC with VPN interconnect: advantages** | **Security VPC with VPN interconnect: disadvantages** | 
| --- | --- | --- | --- | --- | --- | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/migration-f5-big-ip/interconnecting-vpcs.html)  | 


| Client (sends SYN) | AWS Transit Gateway | VPC peering | VPN between VPCs | Solution overview and possible concerns | 
| --- | --- | --- | --- | --- | 
| Internet or Direct Connect to service in a single VPC with a public or private subnet. | N/A | N/A | N/A |  Traffic traverses the internet gateway or virtual gateway and does not need to cross more than the VPC boundary. The VPC acts as a stub network, as designed. Traffic ingresses from on premises to the AWS Cloud (Direct Connect, VPN).  | 
| Internet or Direct Connect in a VPC with clients in other VPCs (for example, pool members in another VPC), no SNAT. | Yes | No | Yes |  AWS Transit Gateway or VPNs allow the traffic to bypass the VPC peering filter that only VPC-assigned CIDRs can pass.  VPN solutions will be constrained. No equal-cost multi-path routing (ECMP) (only a single route) and no bandwidth (about 1.2 GB-seconds per tunnel, in general only one tunnel).  | 
| Internet or Direct Connect to a service in a VPC with customers in other VPCs (for example, pool members in another VPC), with SNAT. | Yes (but not required) | Yes | Yes (but not required) |  Since the interconnection between the VPCs sees traffic from VPC-assigned CIDRs, any will work. VPN solutions will be constrained. No ECMP (only a single route) and no bandwidth (about 1.2 GB-seconds per tunnel, in general only one tunnel).  | 
| Inside of VPC to service in same VPC. | N/A | N/A | N/A | All traffic constrained to a single VPC. Interconnection is not required. | 
| Inside of one VPC to a service VPC. Service is in the destination VPC CIDR. | Yes (but not required) | Yes | Yes (but not required) | Since the interconnection between the VPCs sees traffic from VPC-assigned CIDRs, any will work. | 
| Inside of one VPC to a service VPC. Service is outside the VPC CIDR range. | Yes | No | Yes |  Since the interconnection between the VPCs sees traffic from VPC-assigned CIDRs, any will work. VPN solutions will be constrained. No ECMP (only a single route) and no bandwidth (about 1.2 GB-seconds per tunnel, in general only one tunnel).  | 
| Inside of a single VPC to an internet service. | N/A | N/A | N/A | Traffic is from a VPC-assigned CIDR; if Elastic IP, NAT, or route table constructs are inline, then traffic will flow. | 
| Inside of a VPC to an internet service, routing out through a security or inspection VPC. | Yes | No | Yes |  Since the interconnection between the VPCs sees traffic from outside a VPC-assigned CIDR range, VPC peering cannot be used. VPN solutions will be constrained. No ECMP (only a single route) and no bandwidth (about 1.2 GB-seconds per tunnel, in general only one tunnel).  | 

# Connecting to your AWS infrastructure


The following table shows key considerations for when you connect to your new AWS infrastructure during an F5 BIG-IP migration. 


| Connectivity method | Routing protocol support | Bandwidth limits | Endpoint IP addressing (public, private, or both) | Support for alien address space  | Multi-VPC support for one connection | Multi-Region support | 
| --- | --- | --- | --- | --- | --- | --- | 
| Internet | N/A | You link in to AWS, 5 GB-seconds per instance out | Public | No | Yes | Yes | 
| VPN - VPC | Static, BGP | IPsec limits (about 1.2 GB-seconds per tunnel) | Private | Yes (you must set up an additional IPsec tunnel from the F5 BIG-IP in the VPC to the virtual gateway connected to the VPC). | No | No | 
| VPN and AWS Transit Gateway | Static, BGP | IPsec limits (about 1.2 GB-seconds per tunnel) | Private | Yes | Yes | No (if the transit gateway is extended, it will be impacted) | 
| AWS Direct Connect - VPC | Static, BGP | Direct Connect limits (supports bonding), individual instances limited to 5 GB-seconds | Both | No | No | No | 
| Direct Connect - gateway | Static, BGP | Direct Connect limits (supports bonding), individual instances limited to 5 GB-seconds | Both | No | Yes | Yes | 
| Direct Connect gateway - AWS Transit Gateway (limited to several AWS Regions) | Static, BGP | Direct Connect limits (supports bonding), individual instances limited to 5 GB-seconds | Verbal confirmation from AWS architect team  | Yes | Yes | Limited to several Regions | 