Amazon WorkSpaces : A Cost-effective Alternative to Windows Virtual Desktop

An Amazon WorkSpace is a cloud-based virtual desktop that can act as a replacement for a traditional desktop. A WorkSpace is available as a bundle of operating system, compute resources, storage space, and software applications that allow a user to perform day-to-day tasks just like using a traditional desktop.

Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.

Monthly App Cost (Price Dated 06/08/2019):

Application bundle            Applications                                                              Additional monthly price
Default applications bundle   Utilities: Firefox, 7-Zip                                                 No additional charge
Plus applications bundle      Microsoft Office Professional, Trend Micro Worry-Free Business            $15 per month
                              Security Services, Firefox, WinZip

Compute cost sample (Price Dated 06/08/2019):

Compute                                                    Root volume   User volume   Monthly price
4 vCPU, 16 GB memory                                       80 GB         100 GB        $104
8 vCPU, 32 GB memory                                       80 GB         100 GB        $154
8 vCPU, 15 GB memory, 1 GPU, 4 GB graphics memory          100 GB        100 GB        $880
16 vCPU, 122 GB memory, 1 GPU, 8 GB video memory           100 GB        100 GB        $1,228

Requirements:

AWS Virtual Private Cloud (choose one of the two layouts)

  • Configure a VPC with private subnets and a NAT gateway (Task 1; preferred, because neither the WorkSpaces nor the directory controllers receive public IP addresses)
  • Configure a VPC with public subnets (Task 2)

Ports

The ports below must be reachable from the subnets the directory uses to the domain controllers (for AD Connector, from the connector's subnets to your on-premises controllers). TCP 80 and 443 are outbound from the WorkSpaces to the Amazon WorkSpaces service and the internet.

  • TCP/UDP 53 – DNS
  • TCP/UDP 88 – Kerberos authentication
  • UDP 123 – NTP
  • TCP 135 – RPC endpoint mapper
  • UDP 137-138 – NetBIOS name/datagram (Netlogon)
  • TCP 139 – NetBIOS session (Netlogon)
  • TCP/UDP 389 – LDAP
  • TCP/UDP 445 – SMB
  • TCP 1024-65535 – Dynamic ports for RPC
  • TCP 443 – HTTPS (outbound)
  • TCP 80 – HTTP (outbound)

Because the dynamic RPC range covers almost every high port, restrict the source of these rules to the directory's security group or subnet CIDR blocks rather than opening them to the whole VPC or to 0.0.0.0/0.
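Before creating the directory, it is worth proving that the rules above actually let traffic through. The following PowerShell is an added example, not part of the original page or of AWS documentation: run from a host inside the WorkSpaces VPC (an EC2 instance or an existing WorkSpace), it probes each domain controller on the TCP ports listed and checks that the controllers answer the SRV lookup a domain join relies on. The controller addresses and the domain name are assumed placeholders.

```powershell
# Added example (not from the page or AWS): verify reachability of the directory
# ports from inside the VPC. UDP-only services (NTP, NetBIOS name/datagram) are
# not covered by a TCP probe; the SRV lookup at the end exercises DNS.
$DomainControllers = @('10.10.0.10', '10.10.0.11')   # assumed on-premises / directory controller IPs
$DirectoryDns      = 'example.com'                   # assumed directory DNS name

# TCP ports from the requirements list. The dynamic RPC range (TCP 1024-65535)
# has no fixed listener to probe; it is exercised by the domain join itself.
$RequiredTcpPorts = @(
    @{ Port = 53;  Service = 'DNS' },
    @{ Port = 88;  Service = 'Kerberos' },
    @{ Port = 135; Service = 'RPC endpoint mapper' },
    @{ Port = 139; Service = 'NetBIOS session (Netlogon)' },
    @{ Port = 389; Service = 'LDAP' },
    @{ Port = 445; Service = 'SMB' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: filtered by a security group/NACL/firewall, or host down.
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)   # throws if the port actively refused the connection
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DirectoryPorts {
    param([string[]]$DomainController, [hashtable[]]$Ports)
    foreach ($dc in $DomainController) {
        foreach ($p in $Ports) {
            [pscustomobject]@{
                DomainController = $dc
                Port             = $p.Port
                Service          = $p.Service
                Open             = Test-TcpPort -ComputerName $dc -Port $p.Port
            }
        }
    }
}

$results = Test-DirectoryPorts -DomainController $DomainControllers -Ports $RequiredTcpPorts
$results | Format-Table -AutoSize

# Domain join and AD Connector locate controllers through this SRV record, so each
# controller must answer it over DNS from the VPC (Resolve-DnsName: Windows DnsClient module).
foreach ($dc in $DomainControllers) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DirectoryDns" -Type SRV -Server $dc -ErrorAction SilentlyContinue
    '{0}: SRV lookup {1}' -f $dc, $(if ($srv) { 'OK' } else { 'FAILED' })
}

if ($results | Where-Object { -not $_.Open }) {
    Write-Warning 'One or more required ports are blocked; fix the security group, NACL or on-premises firewall before creating the directory.'
}
```

A closed port shows up as Open = False; a timeout rather than a refusal usually means a security group or on-premises firewall is dropping the traffic, which is the case the directory creation step will otherwise fail on with an unhelpful error.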

Access Control

  • Grant the IAM users or roles that will administer WorkSpaces the required permissions (the AmazonWorkSpacesAdmin managed policy, or a narrower custom policy). The service also needs the workspaces_DefaultRole IAM role, which the WorkSpaces console creates on first use.

Internet Access

  • Allow outbound TCP 443 and 80 to 0.0.0.0/0 from the WorkSpaces subnets (through the NAT gateway in the private-subnet layout). Do not open these ports inbound from 0.0.0.0/0.

Directory and authentication options

  • AD Connector: Use your existing on-premises Microsoft Active Directory. Users sign in to their WorkSpaces with their on-premises credentials and can access on-premises resources from their WorkSpaces.
  • AWS Managed Microsoft AD: Create a Microsoft Active Directory hosted on AWS.
  • Simple AD: Create a directory that is compatible with Microsoft Active Directory, powered by Samba 4, and hosted on AWS.
  • Trust relationship: Create a trust between your AWS Managed Microsoft AD directory and your on-premises domain.

Task 1: Configure a VPC with Private Subnets and a NAT Gateway

Step 1: Allocate an Elastic IP Address

Allocate an Elastic IP address for your NAT gateway as follows. Note that if you are using an alternative method of providing internet access, you can skip this step.

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Elastic IPs.
  3. Choose Allocate new address.
  4. On the Allocate new address page, choose Allocate and make a note of the Elastic IP address, then choose Close.

Step 2: Create a VPC. The wizard creates a VPC with one public subnet and one private subnet; the second private subnet that the directory needs is added in Step 3.

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose VPC Dashboard.
  3. Choose Launch VPC Wizard.
  4. Choose VPC with Public and Private Subnets and then choose Select.
  5. Configure the VPC as follows:
    1. For IPv4 CIDR block, type the CIDR block for the VPC. For example, 10.0.0.0/16. For more information, see VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide.
    2. For VPC name, type a name for the VPC.
  6. Configure the public subnet as follows:
    1. For IPv4 CIDR block, type the CIDR block for the subnet.
    2. For Availability Zone, keep No Preference.
    3. For Public subnet name, type a name for the subnet (for example, WorkSpaces Public Subnet).
  7. Configure the first private subnet as follows:
    1. For Private subnet’s IPv4 CIDR, type the CIDR block for the subnet.
    2. For Availability Zone, select the first one in the list (for example, us-west-2a).
    3. For Private subnet name, type a name for the subnet (for example, WorkSpaces Private Subnet 1).
  8. For Elastic IP Allocation ID, choose the Elastic IP address that you created. Note that if you are using an alternative method of providing internet access, you can skip this step.
  9. Choose Create VPC. Note that it takes several minutes to set up your VPC. After the VPC is created, choose OK.

Step 3: Add a Second Private Subnet

In the previous step, you created a VPC with one public subnet and one private subnet. Use the following procedure to add a second private subnet.

  1. In the navigation pane, choose Subnets.
  2. Choose Create Subnet.
  3. For Name tag, type a name for the private subnet (for example, WorkSpaces Private Subnet 2).
  4. For VPC, select the VPC that you created.
  5. For Availability Zone, select the second one in the list (for example, us-west-2b).
  6. For IPv4 CIDR block, type the CIDR block for the subnet.
  7. Choose Yes, Create.

Step 4: Verify and Name the Route Tables. You can verify and name the route tables for each subnet.

  1. In the navigation pane, choose Subnets, and select the public subnet that you created.
    1. On the Route Table tab, choose the ID of the route table (for example, rtb-12345678).
    2. Select the route table. Type a name (for example, workspaces-public-routetable) and choose the check mark to save the name.
    3. On the Routes tab, verify that there is one route for local traffic and another route that sends all other traffic to the internet gateway for the VPC.
  2. In the navigation pane, choose Subnets, and select the first private subnet that you created (for example, WorkSpaces Private Subnet 1).
    1. On the Route Table tab, choose the ID of the route table.
    2. Select the route table. Type a name (for example, workspaces-private-routetable) and choose the check mark to save the name.
    3. On the Routes tab, verify that there is one route for local traffic and another route that sends all other traffic to the NAT gateway.
  3. In the navigation pane, choose Subnets, and select the second private subnet that you created (for example, WorkSpaces Private Subnet 2). On the Route Table tab, verify that the associated route table is the private route table (for example, workspaces-private-routetable). If it is different, choose Edit and select the private route table.
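The console steps of Task 1 as a script, added here as an example (not part of the original page or of AWS documentation) using the AWS Tools for PowerShell EC2 module. The Region, CIDR blocks and Name tags are assumptions. It builds the same topology, one public subnet holding only the NAT gateway and two private subnets in different Availability Zones sharing a route table whose default route is the NAT gateway, and ends with the Step 4 verification done programmatically.

```powershell
# Added example, not from the page or AWS documentation: Task 1 with
# AWS Tools for PowerShell (Install-Module AWS.Tools.EC2). Region, CIDR blocks and
# Name tags are assumptions; credentials able to create VPC resources are required.
Set-DefaultAWSRegion -Region 'us-west-2'

$vpcCidr      = '10.0.0.0/16'
$publicCidr   = '10.0.0.0/24'                      # holds only the NAT gateway
$privateCidrs = @('10.0.1.0/24', '10.0.2.0/24')    # WorkSpaces and directory controllers
$azs = (Get-EC2AvailabilityZone | Where-Object { $_.State -eq 'available' } |
        Select-Object -First 2).ZoneName           # two AZs, as the directory requires

function Set-NameTag([string]$ResourceId, [string]$Name) {
    New-EC2Tag -Resource $ResourceId -Tag @{ Key = 'Name'; Value = $Name } | Out-Null
}

# VPC plus an internet gateway that only the public subnet routes to.
$vpc = New-EC2Vpc -CidrBlock $vpcCidr
Set-NameTag $vpc.VpcId 'WorkSpaces VPC'
$igw = New-EC2InternetGateway
Add-EC2InternetGateway -InternetGatewayId $igw.InternetGatewayId -VpcId $vpc.VpcId | Out-Null

# Steps 2 and 3: one public subnet and two private subnets in different AZs.
$public = New-EC2Subnet -VpcId $vpc.VpcId -CidrBlock $publicCidr -AvailabilityZone $azs[0]
Set-NameTag $public.SubnetId 'WorkSpaces Public Subnet'
$private = @()
for ($i = 0; $i -lt 2; $i++) {
    $s = New-EC2Subnet -VpcId $vpc.VpcId -CidrBlock $privateCidrs[$i] -AvailabilityZone $azs[$i]
    Set-NameTag $s.SubnetId "WorkSpaces Private Subnet $($i + 1)"
    $private += $s
}

# Step 1: Elastic IP, then a NAT gateway in the public subnet; wait until it is usable.
# New-EC2NatGateway returns the CreateNatGateway response, whose NatGateway property holds the gateway.
$eip   = New-EC2Address -Domain vpc
$natId = (New-EC2NatGateway -SubnetId $public.SubnetId -AllocationId $eip.AllocationId).NatGateway.NatGatewayId
do {
    Start-Sleep -Seconds 10
    $state = (Get-EC2NatGateway -NatGatewayId $natId).State
} until ($state -eq 'available')

# Public route table: default route to the internet gateway.
$publicRt = New-EC2RouteTable -VpcId $vpc.VpcId
Set-NameTag $publicRt.RouteTableId 'workspaces-public-routetable'
New-EC2Route -RouteTableId $publicRt.RouteTableId -DestinationCidrBlock '0.0.0.0/0' -GatewayId $igw.InternetGatewayId | Out-Null
Register-EC2RouteTable -RouteTableId $publicRt.RouteTableId -SubnetId $public.SubnetId | Out-Null

# Private route table: default route to the NAT gateway, shared by both private subnets,
# so nothing placed in them is ever directly reachable from the internet.
$privateRt = New-EC2RouteTable -VpcId $vpc.VpcId
Set-NameTag $privateRt.RouteTableId 'workspaces-private-routetable'
New-EC2Route -RouteTableId $privateRt.RouteTableId -DestinationCidrBlock '0.0.0.0/0' -NatGatewayId $natId | Out-Null
foreach ($s in $private) {
    Register-EC2RouteTable -RouteTableId $privateRt.RouteTableId -SubnetId $s.SubnetId | Out-Null
}

# Step 4 check: both private subnets must be associated with the NAT route table.
$assoc = (Get-EC2RouteTable -RouteTableId $privateRt.RouteTableId).Associations.SubnetId
foreach ($s in $private) {
    if ($assoc -notcontains $s.SubnetId) { throw "Subnet $($s.SubnetId) is not on the private route table" }
}
"VPC $($vpc.VpcId) ready: private subnets $($private.SubnetId -join ', ')"
```

The two private subnet IDs printed at the end are the ones to select when creating the directory in Option 1 or Option 2 below.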

Task 2: Configure a VPC with Public Subnets (an alternative to Task 1; skip it if you completed Task 1). In this layout each WorkSpace receives an Elastic IP address and is reachable from the internet, so its security group must be locked down accordingly.

Step 1: Create a VPC with one public subnet as follows.

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose VPC Dashboard.
  3. Choose Launch VPC Wizard.
  4. Choose VPC with a Single Public Subnet and then choose Select.
  5. For IPv4 CIDR block, type the CIDR block for the VPC. We recommend that you use a CIDR block from the private (non-publicly routable) IP address ranges specified in RFC 1918. For example, 10.0.0.0/16. For more information, see VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide.
  6. For VPC name, type a name for the VPC.
  7. For Public subnet’s IPv4 CIDR, type the CIDR block for the subnet.
  8. (Optional) For Subnet name, type a name for the subnet.
  9. For Availability Zone, choose the first one in the list.
  10. Choose Create VPC. After the VPC is created, choose OK.

Step 2: Add a Second Public Subnet

In the previous step, you created a VPC with one public subnet. Use the following procedure to add a second public subnet and associate it with the route table for the first public subnet, which has a route to the internet gateway for the VPC.

  1. In the navigation pane, choose Subnets.
  2. Choose Create Subnet.
  3. For Name tag, type a name for the subnet.
  4. For VPC, select the VPC that you created.
  5. For Availability Zone, choose the second one in the list.
  6. For IPv4 CIDR block, type the CIDR block for the subnet.
  7. Choose Create. After the subnet is created, choose Close.
  8. Associate the new public subnet with the route table created for the first subnet as follows:
    1. Select the checkbox for the first subnet.
    2. On the Route Table tab, choose the ID of the route table.
    3. On the Subnet Associations tab, choose Edit subnet associations.
    4. Select the checkbox for the second subnet and choose Save.

Step 3: Assign the Elastic IP Address

You can assign Elastic IP addresses to your WorkSpaces automatically or manually. To use automatic assignment, see Configure Automatic IP Addresses. To assign Elastic IP addresses manually, use the following procedure.

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
  2. In the navigation pane, choose WorkSpaces.
  3. Expand the row for the WorkSpace and note the value of WorkSpace IP. This is the primary private IP address of WorkSpace.
  4. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  5. In the navigation pane, choose Elastic IPs. If you do not have an available Elastic IP address, choose Allocate new address and follow the directions.
  6. In the navigation pane, choose Network Interfaces.
  7. Select the network interface for your WorkSpace. Note that the value of VPC ID matches the ID of your WorkSpaces VPC and the value of Primary private IPv4 IP matches the primary private IP address of the WorkSpace that you noted earlier.
  8. Choose Actions, Associate Address.
  9. On the Associate Elastic IP Address page, choose an Elastic IP address from Address and then choose Associate Address.

Option 1: Launch a WorkSpace Using AWS Managed Microsoft AD

Step 1: Create an AWS Managed Microsoft AD Directory

First, create an AWS Managed Microsoft AD directory. AWS Directory Service creates two directory servers, one in each of the private subnets of your VPC. Note that there are no users in the directory initially. You will add a user in the next step when you launch the WorkSpace.

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
  2. In the navigation pane, choose Directories.
  3. Choose Set up Directory, Create Microsoft AD.
  4. Configure the directory as follows:
    1. For Organization name, type a unique organization name for your directory (for example, my-demo-directory). This name must be at least four characters long, consist only of alphanumeric characters and hyphens (-), and must not begin or end with a hyphen.
    2. For Directory DNS, type the fully-qualified name for the directory (for example, workspaces.demo.com).
    3. For NetBIOS name, type a short name for the directory (for example, workspaces).
    4. For Admin password and Confirm password, type a password for the directory administrator account. For more information about the password requirements, see Create Your AWS Managed Microsoft AD Directory in the AWS Directory Service Administration Guide.
    5. (Optional) For Description, type a description for the directory.
    6. For VPC, select the VPC that you created.
    7. For Subnets, select the two private subnets (for example, the subnets with the CIDR blocks 10.0.1.0/24 and 10.0.2.0/24).
    8. Choose Next Step.
  5. Choose Create Microsoft AD.
  6. Choose Done. The initial status of the directory is Creating. When directory creation is complete, the status is Active.

Step 2: Create a WorkSpace

Now that you have created an AWS Managed Microsoft AD directory, you are ready to create a WorkSpace.

To create a WorkSpace

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
  2. In the navigation pane, choose WorkSpaces.
  3. Choose Launch WorkSpaces.
  4. On the Select a Directory page, choose the directory that you created, and then choose Next Step. Amazon WorkSpaces registers your directory.
  5. On the Identify Users page, add a new user to your directory as follows:
    1. Complete Username, First Name, Last Name, and Email. Use an email address that you have access to.
    2. Choose Create Users.
    3. Choose Next Step.
  6. On the Select Bundle page, select a bundle and then choose Next Step.
  7. On the WorkSpaces Configuration page, choose a running mode and then choose Next Step.
  8. On the Review & Launch WorkSpaces page, choose Launch WorkSpaces. The initial status of the WorkSpace is PENDING. When the launch is complete, the status is AVAILABLE and an invitation is sent to the email address that you specified for the user.

Step 3: Connect to the WorkSpace

After you receive the invitation email, you can connect to your WorkSpace using the client of your choice. After you sign in, the client displays the WorkSpace desktop.

Note

When you are connected to your WorkSpace from a Windows or macOS client, you can toggle the full-screen display with the following keyboard shortcuts:

  • Windows client: Ctrl+Alt+Enter
  • MacOS client: Control+Option+Return

To connect to the WorkSpace

  1. Open the link in the invitation email. When prompted, specify a password and activate the user. Remember this password as you will need it to sign in to your WorkSpace.
  2. When prompted, download one of the client applications or, for Windows WorkSpaces, launch Web Access. http://clients.amazonworkspaces.com/
  3. Start the client, enter the registration code from the invitation email, and choose Register.
  4. When prompted to sign in, type the user name and password for the user, and then choose Sign In.
  5. (Optional) When prompted to save your credentials, choose Yes.

Option 2: Launch a WorkSpace Using AD Connector (Hybrid Identity or On-prem User Identity using Windows Active Directory)

Step 1: Create an AD Connector

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
  2. In the navigation pane, choose Directories.
  3. Choose Set up Directory, Create AD Connector.
  4. For Organization name, type a unique organization name for your directory (for example, my-example-directory). This name must be at least four characters long, consist only of alphanumeric characters and hyphens (-), and must not begin or end with a hyphen.
  5. For Connected directory DNS, type the fully-qualified name of your on-premises directory (for example, example.com).
  6. For Connected directory NetBIOS name, type the short name of your on-premises directory (for example, example).
  7. For Connector account username, type the user name of a user in your on-premises directory. The user must have permissions to read users and groups, create computer objects, and join computers to the domain. Use a dedicated service account delegated exactly these rights; it does not need to be a Domain Admin, and its password is stored by AWS Directory Service, so keep its privileges minimal.
  8. For Connector account password and Confirm password, type the password for the on-premises user account.
  9. For DNS address, type the IP address of at least one DNS server in your on-premises directory.
  10. (Optional) For Description, type a description for the directory.
  11. Keep Size as Small.
  12. For VPC, select your VPC.
  13. For Subnets, select your subnets. The DNS servers that you specified must be accessible from each subnet.
  14. Choose Next Step.
  15. Choose Create AD Connector. It takes several minutes for your directory to be connected. The initial status of the directory is Requested and then Creating. When directory creation is complete, the status is Active.

Step 2: Create a WorkSpace

Now you are ready to launch WorkSpaces for one or more users in your on-premises directory.

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
  2. In the navigation pane, choose WorkSpaces.
  3. Choose Launch WorkSpaces.
  4. For Directory, choose the directory that you created.
  5. Choose Next. Amazon WorkSpaces registers your AD Connector.
  6. Select one or more existing users from your on-premises directory. Do not add new users to an on-premises directory through the Amazon WorkSpaces console.  To find users to select, you can type all or part of the user’s name and choose Search or choose Show All Users. Note that you cannot select a user that does not have an email address.
  7. After you select the users, choose Add Selected and then choose Next Step.
  8. Under Select Bundle, choose the default WorkSpace bundle to be used for the WorkSpaces. Under Assign WorkSpace Bundles, you can choose a different bundle for an individual WorkSpace if needed. When you have finished, choose Next Step.
  9. Choose a running mode for your WorkSpaces and then choose Next Step. For more information, see Manage the WorkSpace Running Mode.
  10. Choose Launch WorkSpaces. The initial status of the WorkSpace is PENDING. When the launch is complete, the status is AVAILABLE.
  11. Send invitations to the email address for each user. For more information, see Send an Invitation Email.

Step 3: Connect to the WorkSpace

You can connect to your WorkSpace using the client of your choice. After you sign in, the client displays the WorkSpace desktop. As in Option 1, the full-screen display is toggled with:

  • Windows client: Ctrl+Alt+Enter
  • MacOS client: Control+Option+Return

To connect to the WorkSpace

  1. In a web browser, open http://clients.amazonworkspaces.com/
  2. When prompted, download one of the client applications or launch Web Access.
  3. Start the client, enter the registration code from the invitation email, and choose Register.
  4. When prompted to sign in, type the username and password for the user, and then choose Sign In.
  5. (Optional) When prompted to save your credentials, choose Yes.

Migrating Azure VM to AWS EC2 using AWS Server Migration Service

Requirements for Azure connector

The recommended VM size of Azure connector is F4s – 4 vCPUs and 8 GB RAM. Ensure that you have a sufficient Azure CPU quota in the region where you are deploying the connector.

  • A Standard Storage Account (cannot be Premium) under which the connector can be deployed.
  • A virtual network where the connector can be deployed.
  • Allow inbound TCP 443 to the connector from within its virtual network only (not from the public internet) so that you can reach the connector dashboard.
  • Outbound Internet access for AWS, Azure, and so on.

Operating Systems Supported by AWS SMS

  • Microsoft Windows Server 2003 R2 or later version
  • Ubuntu 12.04 or later
  • Red Hat Enterprise Linux (RHEL) 5.1-5.11 or later
  • SUSE Linux Enterprise Server 11 with SP1 or later
  • CentOS 5.1-5.11, 6.1-6.6, 7.0-7.6
  • Debian 6.0.0-6.0.8, 7.0.0-7.8.0, 8.0.0
  • Oracle Linux 5.10-5.11 with el5uek kernel
  • Fedora Server 19-21

Considerations for Migration Scenarios

  • A single Server Migration Connector appliance can only migrate VMs under one subscription and one Azure Region.
  • After a Server Migration Connector appliance is deployed, you cannot change its subscription or Region unless you deploy another connector in the new subscription/Region.
  • AWS SMS supports deploying any number of Server Migration Connector appliance VMs to support migration from multiple Azure subscriptions and Regions in parallel.

Migration Steps   

  • Step 1: Download the Connector Installation Script
  • Step 2: Validate the Integrity and Cryptographic Signature of the Script File
  • Step 3: Run the Script
  • Step 4: Configure the Connector
  • (Alternative Procedure) Deploy the Server Migration Connector Manually
  • Step 5: Replicate Azure VMs to Amazon EC2 instances

Step 1: Download the PowerShell script and hash files from the following URLs:

After download, transfer the files to the computer or computers where you plan to run the script.

Step 2: Validate the Integrity and Cryptographic Signature of the Script File

To validate script integrity using cryptographic hashes (PowerShell), use one or both of the downloaded hash files. SHA-256 is the check that matters; MD5 is not collision resistant and only guards against accidental corruption. To validate with the MD5 hash, run the following command in a PowerShell window:

PS C:\Users\Administrator> Get-FileHash aws-sms-azure-setup.ps1 -Algorithm MD5

To validate with the SHA256 hash, run the following command in a PowerShell window:

PS C:\Users\Administrator> Get-FileHash aws-sms-azure-setup.ps1 -Algorithm SHA256

Compare the returned hash values with the values provided in the downloaded files, aws-sms-azure-setup.ps1.md5 and aws-sms-azure-setup.ps1.sha256. A matching hash proves the file is the one AWS published only if the hash files themselves were fetched over HTTPS from AWS; the signature check below does not depend on that.

Next, use either PowerShell or the Windows user interface to check that the script file carries a valid signature from AWS. To check the script file for a valid cryptographic signature (PowerShell):

PS C:\Users\Administrator> Get-AuthenticodeSignature aws-sms-azure-setup.ps1 | Select *

In the output, Status must be Valid and the SignerCertificate subject must name Amazon Web Services, Inc. Any other Status (NotSigned, HashMismatch, UnknownError) means the file must not be run.

To check the script file for a valid cryptographic signature (Windows GUI): in Windows Explorer, open the context (right-click) menu on the script file and choose Properties, Digital Signatures, Amazon Web Services, and Details. Verify that the displayed information contains "This digital signature is OK" and that "Amazon Web Services, Inc." is the signer.
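The two checks above are easy to skip by hand, so the following PowerShell function, an added example rather than AWS's own script or documentation, performs both and throws before anything is executed if either fails. It assumes the .sha256 file contains the hex digest as its first whitespace-separated token; the optional thumbprint pin is a placeholder you would fill in from a known-good copy of the script.

```powershell
# Added example, not part of the AWS documentation: gate execution of the setup
# script on (1) the published SHA-256 digest and (2) a valid Authenticode
# signature from Amazon Web Services, Inc. MD5 is deliberately not used: it is
# not collision resistant and adds nothing once SHA-256 matches.
# Assumption: the .sha256 file holds the hex digest as its first whitespace-separated token.
function Test-AwsSmsScript {
    [CmdletBinding()]
    param(
        [string]$ScriptPath       = '.\aws-sms-azure-setup.ps1',
        [string]$HashFile         = "$ScriptPath.sha256",
        [string]$ExpectedSigner   = 'Amazon Web Services, Inc.',
        [string]$PinnedThumbprint = ''   # optional: thumbprint recorded from a known-good copy
    )

    # 1. Integrity: the file on disk must match the published digest exactly.
    $published = ((Get-Content -Path $HashFile -Raw).Trim() -split '\s+')[0].ToUpperInvariant()
    $actual    = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash.ToUpperInvariant()
    if ($published -ne $actual) {
        throw "SHA-256 mismatch for ${ScriptPath}: expected $published, got $actual"
    }

    # 2. Authenticity: Status must be Valid (signature intact AND chain to a trusted root).
    #    HashMismatch means the file was modified after signing; NotSigned or UnknownError
    #    means no usable signature. All of them are failures.
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed ($($sig.Status)): $($sig.StatusMessage)"
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSigner*") {
        throw "Signed, but not by the expected publisher: $subject"
    }
    if ($PinnedThumbprint -and $sig.SignerCertificate.Thumbprint -ne $PinnedThumbprint) {
        throw "Signer thumbprint $($sig.SignerCertificate.Thumbprint) does not match the pinned value"
    }

    [pscustomobject]@{
        Path       = (Resolve-Path $ScriptPath).Path
        Sha256     = $actual
        Signer     = $subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotAfter   = $sig.SignerCertificate.NotAfter
    }
}

# A thrown error aborts here; the script is only run (Step 3) if this returns an object.
$verified = Test-AwsSmsScript -ScriptPath '.\aws-sms-azure-setup.ps1'
$verified | Format-List
```

Run this immediately before Step 3 on the machine that will execute the script, so that nothing can replace the file in between. A timestamped Authenticode signature remains Valid after the signing certificate's NotAfter date, so an expired certificate on its own is not a failure; a non-Valid Status is.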

Step 3: Run the Script

Run this script from any computer with PowerShell 5.1 or later and the Az module installed. The commands below relax the execution policy so the script can run. Because the script is Authenticode-signed, a narrower policy (RemoteSigned or AllSigned, ideally with -Scope Process so it does not persist) is sufficient; if you do set Unrestricted at LocalMachine scope, revert it after the deployment.

PS C:\Users\Administrator> Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser

PS C:\Users\Administrator> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine

Sign in to Azure with the Az module:

PS C:\Users\Administrator> Connect-AzAccount

If you are a Cloud Solution Provider (Azure CSP), you must pass the customer's tenant ID; you can also pin the subscription:

PS C:\Users\Administrator> Connect-AzAccount -Tenant 'xxxx-xxxx-xxxx-xxxx' -Subscription 'yyyy-yyyy-yyyy-yyyy'

Only if your copy of the script still requires the legacy AzureRM module, use its equivalent instead (do not load Az and AzureRM in the same session):

PS C:\Users\Administrator> Connect-AzureRmAccount -Tenant "xxxx-xxxx-xxxx-xxxx" -SubscriptionId "yyyy-yyyy-yyyy-yyyy"

Then run the setup script:

PS C:\Users\Administrator> .\aws-sms-azure-setup.ps1 -StorageAccountName name -ExistingVNetName name -SubscriptionId id -SubnetName name

StorageAccountName = The name of the Azure storage account where you want to deploy the connector (a Standard storage account; Premium is not supported).

ExistingVNetName = The name of the Azure virtual network where you want to deploy the connector.

SubscriptionId = (Optional) The ID of the subscription to use. If omitted, the default subscription for the account is used.

SubnetName = (Optional) The name of the subnet in the virtual network. If omitted, the subnet named "default" is used.

Step 4: Configure the Connector

From another VM on the same virtual network where you deployed the connector (connect to it over RDP), open the connector's web interface in a browser at https://ip-address-of-connector, using the connector's private IP address. The dashboard should not be exposed to the public internet.

  1. On the connector landing page, choose Get started now.
  2. Review the license agreement, select the check box, and choose Next.
  3. Create a password for the connector. The password must meet the displayed criteria. Choose Next.
  4. On the Network Info page, you can find instructions to perform network-related tasks, such as setting up an AWS proxy for the connector. Choose Next.
  5. On the Log Uploads page, select Upload logs automatically and choose Next.
  6. On the Server Migration Service page, provide the following information:
    1. For AWS Region, choose your Region from the list.
    2. For AWS Credentials, enter the IAM credentials that you created in Configure AWS SMS Permissions and Roles. These should belong to a dedicated IAM user carrying only the ServerMigrationConnector managed policy, not an administrator. Choose Next.
  7. On the Azure Account Verification page, verify that your Azure subscription ID and location are correct. This connector can migrate VMs under this subscription and location only. Provide the object ID of the System Assigned Identity of the connector VM, which the deployment script printed as output.
  8. If you successfully set up the connector, the Congratulations page is displayed. To view the health status of the connector, choose Go to connector dashboard.
  9. To verify that the connector that you registered is listed, open the Connectors page in the AWS SMS console.

(Alternative Procedure) Deploy the Server Migration Connector Manually

Complete this procedure to install the connector manually in your Azure environment.

To install the connector manually

Log into the Azure Portal as a user with administrator permissions for the subscription under which you are deploying this connector.

Make sure that you are ready to supply a Storage Account, its Resource Group, a Virtual Network, and the Azure Region as described in Requirements for Azure connector.

Download the connector VHD and associated files from the URLs in the following table.

 Verify the cryptographic integrity of the connector VHD using procedures similar to those described in Step 2: Validate the Integrity and Cryptographic Signature of the Script File.

Upload the connector VHD and associated files to your Storage Account.

# Placeholder values; replace them with your own names. $location must be the Region of the storage account.
$resourceGroupName        = "myResourceGroup"
$destinationResourceGroup = $resourceGroupName
$location                 = "eastus"
$urlOfUploadedVhd         = "https://mystorageaccount.blob.core.windows.net/mycontainer/myUploadedVHD.vhd"

# Upload the downloaded (and verified) connector VHD to the storage account.
Add-AzVhd -ResourceGroupName $resourceGroupName -Destination $urlOfUploadedVhd -LocalFilePath "E:\Virtual hard disks\myVHD.vhd"

Create a new managed disk from the uploaded blob ($sourceUri is the URL of the VHD blob you just uploaded):

$sourceUri  = $urlOfUploadedVhd
$osDiskName = "myOsDisk"
$osDisk = New-AzDisk -DiskName $osDiskName -Disk (New-AzDiskConfig -AccountType Standard_LRS -Location $location -CreateOption Import -SourceUri $sourceUri) -ResourceGroupName $destinationResourceGroup

Look up the virtual network and the network security group for the connector. The NSG should admit inbound TCP 443 only from your management network (see Requirements for Azure connector), never from 0.0.0.0/0:

$vnet = Get-AzVirtualNetwork -Name "myVNet" -ResourceGroupName $destinationResourceGroup
$nsg  = Get-AzNetworkSecurityGroup -Name "myNsg" -ResourceGroupName $destinationResourceGroup

Create a public IP address and NIC

Create the public IP. In this example, the public IP address name is set to myIP. A public IP is only needed if you cannot reach the connector dashboard from inside the virtual network; otherwise omit it and drop the -PublicIpAddressId argument below.

$ipName = "myIP"
$pip = New-AzPublicIpAddress -Name $ipName -ResourceGroupName $destinationResourceGroup -Location $location -AllocationMethod Dynamic

Create the NIC. In this example, the NIC name is set to myNicName.

$nicName = "myNicName"
$nic = New-AzNetworkInterface -Name $nicName -ResourceGroupName $destinationResourceGroup -Location $location -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

Set the VM name and size (Standard_F4s is the recommended connector size; the bare name "F4s" is not a valid Azure VM size)

$vmName = "myVM"
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize "Standard_F4s"
$vm = Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id

Add the OS disk (attach the imported managed disk; the OS-type switch must match the connector image)

$vm = Set-AzVMOSDisk -VM $vm -ManagedDiskId $osDisk.Id -StorageAccountType Standard_LRS -DiskSizeInGB 128 -CreateOption Attach -Windows

Complete the VM

New-AzVM -ResourceGroupName $destinationResourceGroup -Location $location -VM $vm

Download the two role documents (SMSConnectorRole.json and SMSConnectorRoleSA.json):

    Edit SMSConnectorRole.json. Change the name field to sms-connector-role-subscription_id, substituting your subscription ID. Then change the AssignableScopes field to match your subscription ID.

    Edit SMSConnectorRoleSA.json. Change the name field to sms-connector-role-storage_account. For example, if your storage account is testStorage, the name field must be sms-connector-role-testStorage. Then change the AssignableScopes field to match your Subscription, Resource Group, and Storage Account values. Keeping this role scoped to the single storage account is what confines the connector's identity to that account.

You must use Az CLI or Az PowerShell to register each custom role definition; run the command once per file:

PS C:\Users\Administrator> New-AzRoleDefinition -InputFile C:\Temp\SMSConnectorRole.json

PS C:\Users\Administrator> New-AzRoleDefinition -InputFile C:\Temp\SMSConnectorRoleSA.json

Assign the roles to the connector VM's System Assigned Identity, each at the scope named in its AssignableScopes. In the Azure Portal, choose Access Control (IAM), Add, Add role assignment, choose the role sms-connector-role-subscription_id, assign access to Virtual Machine, and select the connector VM's System Assigned Identity from the list. Then open the Storage Account, Access Control (IAM), and repeat for the role sms-connector-role-storage_account.

Restart the connector VM to activate the role assignments.

Step 5: Replicate Azure VMs to Amazon EC2 instances

This step guides you to replicating Azure VMs Using the AWS SMS Console. Use the AWS SMS console to import your server catalog and migrate your Azure VMs to Amazon EC2. You can perform the following tasks:

  1. Replicate a server using the console
  2. Monitor and modify server replication jobs
  3. Shut down replication

To replicate a VM from Azure to AWS using the console

  1. Install the Server Migration Connector as described in Getting Started with AWS Server Migration Service, including the configuration of an IAM service role and permissions.
  2. In a web browser, open the SMS homepage.
  3. In the navigation menu, choose Connectors. Verify that the connector that you deployed in your Azure environment is shown with a status of healthy.
  4. If you have not yet imported a catalog, choose Servers, Import server catalog. To reflect new servers added in your Azure environment after your previous import operation, choose Re-import server catalog. This process can take up to a minute.
  5. Select a server to replicate and choose Create replication job.
  6. On the Configure server-specific settings page, in the License type column, select the license type for AMIs to be created from the replication job. Windows servers can only use Bring Your Own License (BYOL). Choose Next.
  7. On the Configure replication job settings page, configure the following:
    1. For Replication job type, choose a value. The One-time migration option triggers a single replication of your server without scheduling repeating replications.
    2. For Start replication run, configure your replication run to start either immediately or at a later date and time up to 30 days in the future. The date and time settings refer to your browser's local time.
    3. For IAM service role, provide (if necessary) the IAM service role that you previously created.
    4. For Enable automatic AMI deletion, configure AWS SMS to delete older replication AMIs in excess of a number that you provide in the field.
    5. For Enable AMI Encryption, choose a value. If you choose Yes, AWS SMS encrypts the generated AMIs. Your default CMK is used unless you specify a non-default CMK. Choose Yes unless you have a specific reason not to: each AMI is a complete copy of the server's disks. For more information, see Amazon EBS Encryption.
    6. For Enable notifications, choose a value. If you choose Yes, you can configure Amazon Simple Notification Service (Amazon SNS) to notify a list of recipients when the replication job has completed, failed, or been deleted.
    7. For Pause replication job on consecutive failures, choose a value. The default is Yes. If the job encounters consecutive failures, it is moved to the PausedOnFailure state rather than being marked Failed immediately.
  8. Choose Next.
  9. On the Review page, review your settings. If the settings are correct, choose Create. To change the settings, choose Previous. After a replication job is set up, replication starts automatically at the specified time and interval.
  10. On the Replication jobs page, select a job and choose Actions, Start replication run. This starts a replication run that does not affect your scheduled replication runs, except when the on-demand run is still ongoing at the time of a scheduled run. In that case the scheduled run is skipped and rescheduled at the next interval. The same happens if a scheduled run is due while a previous scheduled run is still in progress.
  11. In the AWS SMS console, choose Replication jobs. You can view all replication jobs by scrolling through the table. In the search bar, you can filter the table contents on specific values; filter on PausedOnFailure to identify all paused jobs.
  12. After you have finished replicating a server, you can delete the replication job. Choose Replication jobs, select the desired job, choose Actions, and then choose Delete replication jobs. In the confirmation window, choose Delete. This stops the replication job and cleans up any artifacts created by the service (for example, the job's S3 bucket). It does not delete any AMIs created by runs of the stopped job.
  13. Once the final replication run is complete, pause or delete the job, shut down the Azure VM, and launch EC2 instances from the AMI that the last run produced. Validate the instance before decommissioning the Azure VM.
  14. When the migration is complete and you no longer need a connector for any replication jobs, you can disassociate it. Choose Connectors and select the connector to disassociate. Choose Disassociate at the top-right corner of its information section and choose Disassociate again in the confirmation window. This action de-registers the connector from AWS SMS.
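The same replication job, created and monitored from PowerShell rather than the console, as an added example that is not part of the original page or of AWS documentation. It uses the AWS Tools for PowerShell ServerMigrationService and EC2 modules; parameter names mirror the CreateReplicationJob API fields, so confirm them against Get-Help New-SMSReplicationJob for your module version. The VM name, service role name and KMS key alias are assumed placeholders. Beyond the console steps it refuses to start without a healthy connector and checks that every volume of the resulting AMI is actually encrypted before the instance is launched.

```powershell
# Added example, not from the page or AWS documentation: one-time, encrypted
# replication of an Azure VM with AWS Tools for PowerShell
# (Install-Module AWS.Tools.ServerMigrationService, AWS.Tools.EC2).
Set-DefaultAWSRegion -Region 'us-west-2'   # assumed Region: the one the connector registered in

# 1. Refuse to proceed unless a healthy connector is registered.
$healthy = Get-SMSConnector | Where-Object { $_.Status -eq 'HEALTHY' }
if (-not $healthy) { throw 'No healthy Server Migration Connector in this Region.' }

# 2. Refresh the server catalog and pick the Azure VM by name.
Import-SMSServerCatalog | Out-Null
$server = Get-SMSServer | Where-Object { $_.VmServer.VmName -eq 'azure-app-01' }   # assumed VM name
if (-not $server) { throw "Server 'azure-app-01' not found in the catalog." }

# 3. Create the job. BYOL is mandatory for Windows servers; Encrypted protects the
#    AMIs (full disk copies) at rest; NumberOfRecentAmisToKeep bounds what accumulates.
$jobParams = @{
    ServerId                 = $server.ServerId
    SeedReplicationTime      = (Get-Date).AddMinutes(5)
    RunOnce                  = $true                 # one-time migration, no recurring schedule
    LicenseType              = 'BYOL'                # required for Windows servers
    RoleName                 = 'sms'                 # assumed name of the SMS service role
    Encrypted                = $true                 # encrypt the generated AMIs
    KmsKeyId                 = 'alias/sms-ami-key'   # assumed customer managed key; omit to use the default key
    NumberOfRecentAmisToKeep = 3
    Description              = 'azure-app-01 one-time migration'
}
$jobId = New-SMSReplicationJob @jobParams
"Created replication job $jobId"

# 4. Poll until the job reaches a terminal state; PAUSED_ON_FAILURE needs a human.
do {
    Start-Sleep -Seconds 60
    $job = Get-SMSReplicationJob -ReplicationJobId $jobId
    '{0}  {1}' -f (Get-Date -Format s), $job.State
} until ($job.State -in 'COMPLETED', 'FAILED', 'PAUSED_ON_FAILURE', 'DELETED')

if ($job.State -ne 'COMPLETED') { throw "Replication ended in state $($job.State)" }

# 5. Take the AMI from the last completed run and confirm every EBS volume is encrypted
#    before launching an instance from it.
$run = $job.ReplicationRunList |
    Where-Object { $_.State -eq 'COMPLETED' -and $_.AmiId } |
    Sort-Object CompletedTime -Descending | Select-Object -First 1
$image = Get-EC2Image -ImageId $run.AmiId
$unencrypted = $image.BlockDeviceMappings | Where-Object { $_.Ebs -and -not $_.Ebs.Encrypted }
if ($unencrypted) { throw "AMI $($run.AmiId) has unencrypted volumes" }
"AMI $($run.AmiId) is ready; launch the EC2 instance from it, validate it, and only then shut down the Azure VM."
```

The encryption check at the end is the one a console user would otherwise have to do by hand in the EC2 console; an AMI that fails it should be deregistered and the job recreated with encryption enabled before anything is launched from it.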