Migrating Azure VM to AWS EC2 using AWS Server Migration Service

Requirements for Azure connector

The recommended VM size of Azure connector is F4s – 4 vCPUs and 8 GB RAM. Ensure that you have a sufficient Azure CPU quota in the region where you are deploying the connector.

  • A Standard Storage Account (cannot be Premium) under which the connector can be deployed.
  • A virtual network where the connector can be deployed.
  • Allow inbound port 443 within the connector’s virtual network or not to the the public internet to view the connector dashboard.
  • Outbound Internet access for AWS, Azure, and so on.

Operating Systems Supported by AWS SMS

  • Microsoft Windows Server 2003 R2 or later version
  • Ubuntu 12.04 or later
  • Red Hat Enterprise Linux (RHEL) 5.1-5.11 or later
  • SUSE Linux Enterprise Server 11 with SP1 or later
  • CentOS 5.1-5.11, 6.1-6.6, 7.0-7.6
  • Debian 6.0.0-6.0.8, 7.0.0-7.8.0, 8.0.0
  • Oracle Linux 5.10-5.11 with el5uek kernel
  • Fedora Server 19-21

Considerations for Migration Scenarios

  • A single Server Migration Connector appliance can only migrate VMs under one subscription and one Azure Region.
  • After a Server Migration Connector appliance is deployed, you cannot change its subscription or Region unless you deploy another connector in the new subscription/Region.
  • AWS SMS supports deploying any number of Server Migration Connector appliance VMs to support migration from multiple Azure subscriptions and Regions in parallel.

Migration Steps   

  • Step 1: Download the Connector Installation Script
  • Step 2: Validate the Integrity and Cryptographic Signature of the Script File
  • Step 3: Run the Script
  • Step 4: Configure the Connector
  • (Alternative Procedure) Deploy the Server Migration Connector Manually
  • Step 5. Replicate Azure VM to AWS EC2 instance

Step1: Download the PowerShell script and hash files from the following URLs:

    After download, transfer the files to the computer or computers where you plan to run the script.

Step 2: Validate the Integrity and Cryptographic Signature of the Script File

To validate script integrity using cryptographic hashes (PowerShell). Use one or both of the downloaded hash files to validate the integrity of the script file. To validate with the MD5 hash, run the following command in a PowerShell window:

        PS C:\Users\Administrator> Get-FileHash aws-sms-azure-setup.ps1 -Algorithm MD5

        To validate with the SHA256 hash, run the following command in a PowerShell window:

        PS C:\Users\Administrator> Get-FileHash aws-sms-azure-setup.ps1 -Algorithm SHA256

Compare the returned hash values with the values provided in the downloaded files, aws-sms-azure-setup.ps1.md5 and aws-sms-azure-setup.ps1.sha256.

Next, use either PowerShell or the Windows user interface to check that the script file includes a valid signature from AWS. To check the script file for a valid cryptographic signature (PowerShell)

PS C:\Users\Administrator> Get-AuthenticodeSignature aws-sms-azure-setup.ps1 | Select *

PS C:\Users\Administrator\Desktop\aws-sms-azure-setup.ps1

To check the script file for a valid cryptographic signature (Windows GUI). In Windows Explorer, open the context (right-click) menu on the script file and choose Properties, Digital Signatures, Amazon Web Services, and Details. Verify that the displayed information contains “This digital signature is OK” and that “Amazon Web Services, Inc.” is the signer.

Step 3: Run the Script

Run this script from any computer with PowerShell 5.1 or later installed.

PS C:\Users\Administrator> Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser

PS C:\Users\Administrator> Set-ExecutionPolicy -ExecutionPolicy UnRestricted -Scope LocalMachine

PS C:\Users\Administrator> Connect-AzAccount

If you’re a Cloud Solution Provider (Azure CSP), the -TenantId value must be a tenant ID.

PS C:\Users\Administrator> Connect-AzAccount -TenantId ‘xxxx-xxxx-xxxx-xxxx’

PS C:\Users\Administrator> Connect-AzureRmAccount -Tenant “xxxx-xxxx-xxxx-xxxx” -SubscriptionId “yyyy-yyyy-yyyy-yyyy”

PS C:\Users\Administrator> .\aws-sms-azure-setup.ps1 -StorageAccountName name -ExistingVNetName name -SubscriptionId id -SubnetName name

StorageAccountName =  The name of the Azure storage account where you want to deploy the connector.

ExistingVNetName = The name of the Azure virtual network where you want to deploy the connector.

SubscriptionId = The ID of the subscription to use. The default subscription for the account is used.

SubnetName = The name of the subnet in the virtual network. The subnet named “default” is used.

Step 4: Configure the Connector

RDP to another VM on the same virtual network where you deployed the connector, use Google chrome browser  to the connector’s web interface using the following URL, https://ip-address-of-connector

  1. On the connector landing page, choose Get started now
  2. Review the license agreement, select the check box, and choose Next.
  3. Create a password for the connector. The password must meet the displayed criteria. Choose Next.
  4. On the Network Info page, you can find instructions to perform network-related tasks, such as setting up AWS proxy for the connector. Choose Next.
  5. On the Log Uploads page, select Upload logs automatically and choose Next.
  6. On the Server Migration Service page, provide the following information:
  7. For AWS Region, choose your Region from the list.
  8. For AWS Credentials, enter the IAM credentials that you created in Configure AWS SMS Permissions and Roles. Choose Next.
  9. On the Azure Account Verification page, verify that your Azure subscription ID and location are correct. This connector can migrate VMs under this subscription and location. Provide the object ID of the System Assigned Identity of the connector VM, which was provided as output from the deployment script.
  10. If you successfully set up the connector, the Congratulations page is displayed. To view the health status of the connector, choose Go to connector dashboard.
  11. To verify that the connector that you registered is listed, open the Connectors page on the Systems Manager console.

(Alternative Procedure) Deploy the Server Migration Connector Manually

Complete this procedure to install the connector manually in your Azure environment.

To install the connector manually

Log into the Azure Portal as a user with administrator permissions for the subscription under which you are deploying this connector.

Make sure that you are ready to supply a Storage Account, its Resource Group, a Virtual Network, and the Azure Region as described in Requirements for Azure connector.

Download the connector VHD and associated files from the URLs in the following table.

 Verify the cryptographic integrity of the connector VHD using procedures similar to those described in Step 2: Validate the Integrity and Cryptographic Signature of the Script File.

Upload the connector VHD and associated files to your Storage Account.

$resourceGroupName = “myResourceGroup”

$urlOfUploadedVhd = “https://mystorageaccount.blob.core.windows.net/mycontainer/myUploadedVHD.vhd”

Add-AzVhd -ResourceGroupName $resourceGroupName -Destination $urlOfUploadedVhd -LocalFilePath “E:\Virtual hard disks\myVHD.vhd”

Create a new managed disk with the following parameter values:

$sourceUri = “https://storageaccount.blob.core.windows.net/vhdcontainer/osdisk.vhd”

$osDiskName = “myOsDisk”

$osDisk = New-AzDisk -DiskName $osDiskName –Disk (New-AzDiskConfig -AccountType Standard_LRS -Location $location -CreateOption Import -SourceUri $sourceUri) -ResourceGroupName $destinationResourceGroup

 Where $SourceUri or Storage Blob (Choose the VHD blob you uploaded from step 3.c.)

Create a public IP address and NIC

Create the public IP. In this example, the public IP address name is set to myIP.

$ipName = “myIP”

$pip = New-AzPublicIpAddress  -Name $ipName -ResourceGroupName $destinationResourceGroup

   -Location $location  -AllocationMethod Dynamic

Create the NIC. In this example, the NIC name is set to myNicName.

$nicName = “myNicName”

$nic = New-AzNetworkInterface -Name $nicName -ResourceGroupName $destinationResourceGroup -Location $location -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

Set the VM name and size

$vmName = “myVM”

$vmConfig = New-AzVMConfig -VMName $vmName -VMSize “F4s”

$vm = Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id

Add the OS disk

$vm = Set-AzVMOSDisk -VM $vm -ManagedDiskId $osDisk.Id -StorageAccountType Standard_LRS -DiskSizeInGB 128 -CreateOption Attach -Windows

Complete the VM

New-AzVM -ResourceGroupName $destinationResourceGroup -Location $location -VM $vm

Download the two role documents:

    Edit SMSConnectorRole.json. Change the name field to sms-connector-role-subscription_id. Then change the AssignableScopes field to match your subscription ID.

    Edit SMSConnectorRoleSA.json. Change the name field to sms-connector-role-storage_account. For example, if your account is testStorage, then the name field must be sms-connector-role-testStorage. Then change the AssignableScopes field to match your Subscription, Resource Group, and Storage Account values.

You must use Az CLI or Az PowerShell for this step.

PS C:\Users\Administrator> New-AzRoleDefinition -InputFile C:\Temp\roleDefinition.json

Assign roles to the connector VM. In Azure Portal, choose Storage Account, Access Control, Roles, Add, Add Role Assignment. Choose the role sms-connector-role, assign access to Virtual Machine, and select the connector VM’s System Assigned Identity from the list. Repeat this for the role sms-connector-role-storage_account.

Restart the connector VM to activate the role assignments.

Step 4: Configure the SMS Connector.

This step guides you to replicating Azure VMs Using the AWS SMS Console. Use the AWS SMS console to import your server catalog and migrate your Azure VMs to Amazon EC2. You can perform the following tasks:

  1. Replicate a server using the console
  2. Monitor and modify server replication jobs
  3. Shut down replication

To replicate a VM from Azure to AWS using the console

  1. Install the Server Migration Connector as described in Getting Started with AWS Server Migration Service, including the configuration of an IAM service role and permissions.
  2. In a web browser, open the SMS homepage.
  3. In the navigation menu, choose Connectors. Verify that the connector that you deployed in your Azure environment is shown with a status of healthy.
  4. If you have not yet imported a catalog, choose Servers, Import server catalog. To reflect new servers added in your Azure environment after your previous import operation, choose Re-import server catalog. This process can take up to a minute.
  5. Select a server to replicate and choose Create replication job.
  6. On the Configure server-specific settings page, in the License type column, select the license type for AMIs to be created from the replication job. Windows servers can only use Bring Your Own License (BYOL). Choose Next.
  7. On the Configure replication job settings page, the following settings are available:
  8. For Replication job type, choose a value. The One-time migration option triggers a single replication of your server without scheduling repeating replications.
  9. For Start replication run, configure your replication run to start either immediately or at a later date and time up to 30 days in the future. The date and time settings refer to your browser’s local time.
  10. For IAM service role, provide (if necessary) the IAM service role that you previously created.
  11. For Enable automatic AMI deletion, configure AWS SMS to delete older replication AMIs in excess of a number that you provide in the field.
  12. For Enable AMI Encryption, choose a value. If you choose Yes, AWS SMS encrypts the generated AMIs. Your default CMK is used unless you specify a non-default CMK. For more information, see Amazon EBS Encryption.
  13. For Enable notifications, choose a value. If you choose Yes, you can configure Amazon Simple Notification Service (Amazon SNS) to notify a list of recipients when the replication job has completed, failed, or been deleted.
  14. For Pause replication job on consecutive failures, choose a value. The default is set to Yes. If the job encounters consecutive failures, it will be moved to the PausedOnFailure state and not marked Failed immediately.
  15. Choose Next.
  16. On the Review page, review your settings. If the settings are correct, choose Create. To change the settings, choose Previous. After a replication job is set up, replication starts automatically at the specified time and interval.
  17. On the Replication jobs page, select a job and choose Actions, Start replication run. This starts a replication run that does not affect your scheduled replication runs, except in the case that the on-demand run is still ongoing at the time of your scheduled run. In this case, the scheduled run is skipped and rescheduled at the next interval. The same thing happens if a scheduled run is due while a previous scheduled run is still in progress.
  18. In the AWS SMS console, choose Replication jobs. You can view all replication jobs by scrolling through the table. In the search bar, you can filter the table contents on specific values. Filter the jobs by PausedOnFailure to identify all the paused jobs.
  19. After you have finished replicating a server, you can delete the replication job. Choose Replication jobs, select the desired job, choose Actions, and then choose Delete replication jobs. In the confirmation window, choose Delete. This stops the replication job and cleans up any artifacts created by the service (for example, the job’s S3 bucket). This does not delete any AMIs created by runs of the stopped job.
  20. Once Replication is complete, Pause the replication, Shutdown the Azure VM and Power on AWS EC2 instances.
  21. Once Migration is complete and when you are done using a connector and no longer need it for any replication jobs, you can disassociate it. Choose Connectors and select the connector to disassociate. Choose Disassociate at the top-right corner of its information section and choose Disassociate again in the confirmation window. This action de-registers the connector from AWS SMS.

Amazon EC2 and Azure Virtual Machine (Instance) Comparison

Both Amazon EC2 and Azure VM provide a wide selection of VM types optimised to fit different use cases. An instance or VM is combinations of virtual CPU, virtual memory, temporary storage, and networking capacity and give a customer the flexibility to choose the appropriate mix of resources for workloads. Both AWS EC2 and Azure offers instances at scale for the requirements of any target workload. Both EC2 and Azure provide the option to store VM in persistent storage called EBS in Amazon terminology or Blob Storage in Azure terminology.

EC2 vs Azure VM

Available Windows/Linux VM both Cloud Services Providers:

Type Description Azure VM

Windows & Linux

AWS EC2

Windows & Linux

General purpose Balanced CPU-to-memory ratio. B, Dsv3, Dv3, DSv2, Dv2, Av2 T2, M4, M5
Compute-optimised High CPU-to-memory ratio. Fsv2, Fs, F C4, C5
Memory-optimised High memory-to-CPU ratio. Great for database servers Esv3, Ev3, M, GS, G, DSv2, Dv2 X1e, X1, R5, R4, Z1d
Storage optimised High disk throughput and IO. Ls H1, i3, D2
GPU Specialized for heavy graphic rendering and video editing NV, NC, NCv2, NCv3, ND P3, P2, G3, F1
High performance compute fastest and most powerful CPU H C4, C5

Both AWS and Azure are utility pricing model analogous to your gas, water or power bills. Both Amazon and Azure provide standard instance as PAYG model, and also some instances are available in the reserved pricing model. In a reserved pricing model, you pay upfront at a cheaper rate for instance but commit for certain months or years. In a reserved instance, you pay additional for -storage consumption and network utilisation if it’s cross-geo connectivity. Both AWS and Azure have vast marketplace from where you can pick up and deploy any instance of your requirements at Scale.

Here is where Microsoft differentiate from AWS, you can save up to 72% over pay-as-you-go pricing with an upfront one- or three-year commitment in Azure Cloud. You can also exchange or cancel the RI at any time. Microsoft also offers Hybrid benefits, i.e. 40% off when you bring in Microsoft Windows/Linux workloads from On-prem to Azure. You can use your on-premises Windows Server or SQL Server licences with Software Assurance to make big savings when migrating a few workloads or entire data centres to the cloud.

You can get discounted rates on Azure for your ongoing development and testing, including no Microsoft software charges on Azure Virtual Machines and special dev/test pricing on other services.

Microsoft also offers US$5000 credit for the validated Not-for-Profit organisation for the use of Azure Cloud whilst signing

Relevant References:

Azure Pricing Calculator

Azure TCO Calculator

Offset IT Cost with Azure Cloud

Microsoft Azure credits now available to eligible not-for-profit organisations

Azure 54 regions in 140 countries

Migrate Amazon Web Services (AWS) EC2 VM to Azure Cloud

In my previous blog, I have written how to migrate workloads from VMware to Azure Cloud.  In this tutorial, I am going to elaborate you how to migrate Amazon Web Services (AWS) EC2 virtual machines (VMs) to Azure VMs by using Azure Site Recovery.

AWStoAzure

Supported Workloads Which can be migrated:

  1. Windows Server 2016 or later version
  2. Red Hat Enterprise Linux 6.7

Prerequisites

  1. The Mobility service must be installed on each VM that you want to replicate. Site Recovery installs this service automatically when you enable replication for the VM.
  2. For non-domain joined Windows VMs, disable Remote User Access control on the local machine at the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, add the DWORD entry LocalAccountTokenFilterPolicy and set the value to 1.
  3. A separate VM in AWS subscriptions to use as Site Recovery Configuration Server. This instance must be running Windows Server 2012 R2.

Credential Requirements

  1. A root on the source Linux server
  2. A Domain Admin Credentials for Windows VM.
  3. A Local Admin Account for non-domain joined VM.

Prepare Azure resources (Target)

Step1: Create a Storage Account

  1. In the Azure portal, in the left menu, select Create a resource > Storage > Storage account.
  2. Create a Storage Account in your region.

Step2: Create a Recovery Vault

  1. In the Azure portal, select All services. Search for and then select Recovery Services vaults.
  2. Add new Recovery Vault in your region.

Step3: Add a separate network for migrated VM

  1. In the Azure portal, select Create a resource > Networking > Virtual network.
  2. Add new Network and Address Space.

Step4: Prepare Recovery Goal

  1. On your vault page in the Azure portal, in the Getting Started section, select Site Recovery, and then select Prepare Infrastructure.
  2. Create a protection goal from On-prem to Azure.
  3. When you’re done, select OK to move to the next section.

Step5: Create a Replication Policy

  1. To create a new replication policy, click Site Recovery infrastructure > Replication Policies > +Replication Policy. In Create replication policy, specify a policy name.
  2. In RPO threshold, specify the recovery point objective (RPO) limit. This value specifies how often data recovery points are created. An alert is generated if continuous replication exceeds this limit.
  3. In Recovery point retention, specify how long (in hours) the retention window is for each recovery point. Replicated VMs can be recovered to any point in a window. Up to 24 hours retention is supported for machines replicated to premium storage, and 72 hours for standard storage.
  4. In App-consistent snapshot frequency, specify how often (in minutes) recovery points containing application-consistent snapshots will be created. Click OK to create the policy.

Prepare Source Environment (AWS)

Step6: Prepare Source ASR Configuration Server

  1. Log on to the EC2 instance where you would like to install Configuration Server
  1. Configure the proxy on the EC2 instance VM you’re using as the configuration server so that it can access the service URLs.
  2. Download Microsoft Azure Site Recovery Unified Setup. You can download it to your local machine and then copy it to the VM you’re using as the configuration server.
  3. Select the Download button to download the vault registration key. Copy the downloaded file to the VM you’re using as the configuration server.
  4. On the VM, right-click the installer you downloaded for Microsoft Azure Site Recovery Unified Setup, and then select Run as administrator.
  5. Under Before You Begin, select Install the configuration server and process server, and then select Next.
  6. In Third-Party Software License, select I accept the third-party license agreement, and then select Next.
  7. In Registration, select Browse, and then go to where you put the vault registration key file. Select Next.
  8. In Internet Settings, select Connect to Azure Site Recovery without a proxy server, and then select Next.
  9. The Prerequisites Check page runs checks for several items. When it’s finished, select Next.
  10. In MySQL Configuration, provide the required passwords, and then select Next.
  11. In Environment Details, select No. You don’t need to protect VMware machines. Then, select Next.
  12. In Install Location, select Next to accept the default.
  13. In Network Selection, select Next to accept the default.
  14. In Summary, select Install. Installation Progress shows you information about the installation process. When it’s finished, select Finish. A window displays a message about a reboot. Select OK. Next, a window displays a message about the configuration server connection passphrase. Copy the passphrase to your clipboard and save it somewhere safe.
  15. On the VM, run cspsconfigtool.exe to create one or more management accounts on the configuration server. Make sure that the management accounts have administrator permissions on the EC2 instances that you want to migrate.

Step7: Enable Replication for a AWS EC2 VM

  1. Click Replicate application > Source.
  2. In Source, select the configuration server.
  3. In Machine type, select Physical machines.
  4. Select the process server (the configuration server). Then click OK.
  5. In Target, select the subscription and the resource group in which you want to create the Azure VMs after failover. Choose the deployment model that you want to use in Azure (classic or resource management).
  6. Select the Azure storage account you want to use for replicating data.
  7. Select the Azure network and subnet to which Azure VMs will connect, when they’re created after failover.
  8. Select Configure now for selected machines, to apply the network setting to all machines you select for protection. Select Configure later to select the Azure network per machine.
  9. In Physical Machines, and click +Physical machine. Specify the name and IP address. Select the operating system of the machine you want to replicate. It takes a few minutes for the servers to be discovered and listed.
  10. In Properties > Configure properties, select the account that will be used by the process server to automatically install the Mobility service on the machine.
  11. In Replication settings > Configure replication settings, verify that the correct replication policy is selected.
  12. Click Enable Replication. You can track progress of the Enable Protection job in Settings > Jobs > Site Recovery Jobs. After the Finalize Protection job runs the machine is ready for failover.

Test failover at Azure Portal

Step8: Test a Failover

  1. On the page for your vault, go to Protected items > Replicated Items. Select the VM, and then select Test Failover.
  2. Select a recovery point to use for the failover:
    • Latest processed: Fails over the VM to the latest recovery point that was processed by Site Recovery. The time stamp is shown. With this option, no time is spent processing data, so it provides a low recovery time objective (RTO).
    • Latest app-consistent: This option fails over all VMs to the latest app-consistent recovery point. The time stamp is shown.
    • Custom: Select any recovery point.
  3. In Test Failover, select the target Azure network to which Azure VMs will be connected after failover occurs. This should be the network you created in Prepare Azure resources.
  4. Select OK to begin the failover. To track progress, select the VM to view its properties. Or you can select the Test Failover job on the page for your vault. To do this, select Monitoring and reports > Jobs > Site Recovery jobs.
  5. When the failover finishes, the replica Azure VM appears in the Azure portal. To view the VM, select Virtual Machines. Ensure that the VM is the appropriate size, that it’s connected to the right network, and that it’s running.
  6. You should now be able to connect to the replicated VM in Azure.
  7. To delete Azure VMs that were created during the test failover, select Cleanup test failover in the recovery plan. In Notes, record and save any observations associated with the test failover.

Migrate an AWS EC2 Instance to Azure Cloud

Step9: Trigger Azure Migration

  1. In Protected items > Replicated items, select the AWS instances, and then select Failover.
  2. In Failover, select a Recovery Point to failover to. Select the latest recovery point.
  3. Select Shut down machine before beginning failover if you want Site Recovery to attempt to do a shutdown of source virtual machines before triggering the failover. Failover continues even if shutdown fails. You can follow the failover progress on the Jobs
  4. Ensure that the VM appears in Replicated items.
  5. Right-click each VM, and then select Complete Migration. This finishes the migration process, stops replication for the AWS VM, and stops Site Recovery billing for the VM.