What is VM Import/Export?

Harish R, published in CodeX
6 min read, Jan 27, 2024

VM Import/Export is a feature provided by AWS (Amazon Web Services) that allows users to import virtual machine images from their existing environment into Amazon EC2 (Elastic Compute Cloud), and export them back. This feature is particularly useful in several scenarios:

  1. Migration to the Cloud: If you have virtual machines running on-premises or in another cloud environment, you can use VM Import to bring those VMs into Amazon EC2. This makes it easier to transition to cloud computing without needing to rebuild your existing servers from scratch.
  2. Disaster Recovery: By exporting EC2 instances to your on-premises virtualization infrastructure, you can create an off-site backup of your cloud-based servers. This is useful for disaster recovery planning.
  3. Development and Testing: You can create a virtual machine in your local environment, test it, and then import it into EC2 for production use. This helps ensure consistency between your development and production environments.

In technical terms, VM Import/Export allows the movement of VMs in the form of virtual hard disks. Supported formats include popular ones like VMDK (from VMware), VHD/VHDX (from Microsoft Hyper-V), and OVA (Open Virtualization Format).

Once imported to EC2, these VM images can be used to launch instances (virtual servers), benefiting from the scalable, flexible nature of AWS cloud services. Similarly, EC2 instances can be exported back to your local environment in these formats, allowing for a seamless interchange between cloud and on-premises resources.

Permissions required for VM Import/Export [On-Prem to AWS and vice versa]

Creating an AWS Security Token Service (AWS STS) token is not a standard part of VM Import/Export, which primarily relies on IAM roles and policies for access and permissions. AWS STS is generally used to grant limited, temporary access to AWS resources, which is not directly related to the standard VM Import/Export process.

However, if you’re looking to use AWS STS in a scenario where temporary access is required for VM Import/Export, you would generally follow these steps:

  1. Define the Necessary Permissions: First, identify the permissions required for VM Import/Export. These are generally the permissions to access S3 buckets where your VM images are stored and to perform actions on EC2 instances.
  2. Create an IAM Policy: Create an IAM policy that encapsulates these permissions.
  3. Use AWS STS to Assume a Role: Use AWS STS to assume a role that has the necessary permissions for VM Import/Export. The AssumeRole API call is used for this purpose. This role can be the vmimport role if it has the right policies attached, or a custom role designed for temporary access.
  4. Retrieve the Security Credentials: Upon successfully assuming the role, AWS STS returns security credentials, including an access key ID, a secret access key, and a session token. These credentials are temporary and have an expiration time.
  5. Use the Credentials in Your Application or SDK: Use these temporary security credentials in your application or AWS SDK to perform VM Import/Export operations. These credentials will provide access based on the permissions defined in the assumed role.

Example: trust-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vmie.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:Externalid": "vmimport"
        }
      }
    }
  ]
}

AWS CLI Command [Windows]:

aws iam create-role --role-name vmimport --assume-role-policy-document "file://C:\<file-path>\trust-policy.json"

AWS CLI Command [Linux/ Unix]:

aws iam create-role --role-name vmimport --assume-role-policy-document "file:///home/<file-path>/trust-policy.json"

To perform VM Import/Export in AWS, a specific IAM (Identity and Access Management) service role named vmimport is required. This role grants the necessary permissions for AWS services to access your resources during the import and export processes.

Here’s a basic outline of the steps involved in creating and using the vmimport service role:

  1. Create a Role: You need to create an IAM role named vmimport. This role is assumed by AWS services during the VM import/export process.
  2. Attach Policies: Attach an IAM policy to the vmimport role that grants permissions to perform tasks such as accessing your S3 bucket (where the VM images are stored) and creating EC2 instances.
  3. Trust Relationship: The role must have a trust relationship that allows the VM Import/Export service (vmie.amazonaws.com, as in the trust policy above) to assume this role.
  4. Use the Role in VM Import/Export: When you start an import or export job, you specify this IAM role. AWS services then assume this role to perform the actions required for importing or exporting your VM.

Here is an example of a policy that you might attach to the vmimport role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::yourbucket",
        "arn:aws:s3:::yourbucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

AWS CLI Command [Windows]:

aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://C:\<file-path>\role-policy.json"

AWS CLI Command [Linux/ Unix]:

aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file:///home/<file-path>/role-policy.json"
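
A check for the two policy documents above, as an added example that is not from the original article: it confirms that the trust policy lets only vmie.amazonaws.com assume the role with the vmimport external ID, and that the role policy's S3 access stays inside the import bucket. The function names and the WEAK_TRUST variant are constructed for illustration.

```python
SERVICE = "vmie.amazonaws.com"  # service principal in the page's trust-policy.json
EXTERNAL_ID = "vmimport"        # external ID in the page's trust-policy.json
# The page's two documents, embedded so the script runs offline.
PAGE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "vmie.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}}}]}
PAGE_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::yourbucket", "arn:aws:s3:::yourbucket/*"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*"]}]}
# Constructed weak variant: the same statement with the external-ID condition removed.
WEAK_TRUST = {"Statement": [{k: v for k, v in PAGE_TRUST["Statement"][0].items() if k != "Condition"}]}

def as_list(value):  # IAM accepts a string or a list in most fields
    return value if isinstance(value, list) else [value]

def check_trust(policy):
    """Return findings for the trust policy; an empty list means it passed."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        if stmt.get("Principal") not in ({"Service": SERVICE}, {"Service": [SERVICE]}):
            findings.append(f"statement {i}: principal must be only {SERVICE}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition key names are case-insensitive, so compare on the lowered key.
        ext = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if as_list(ext) != [EXTERNAL_ID]:
            findings.append(f"statement {i}: no sts:ExternalId == {EXTERNAL_ID!r} condition")
    return findings

def check_role_policy(policy, bucket):
    """Flag Allow statements whose S3 access reaches beyond the import bucket."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(a == "*" or a.startswith("s3:") for a in actions):
            continue
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"statement {i}: wildcard S3 action")
        if extra := set(as_list(stmt.get("Resource", []))) - allowed:
            findings.append(f"statement {i}: S3 resources outside {bucket}: {sorted(extra)}")
    return findings

if __name__ == "__main__":
    print(check_trust(PAGE_TRUST), check_trust(WEAK_TRUST), check_role_policy(PAGE_ROLE, "yourbucket"))
```

To lint your own files, load them with json.load and pass the resulting dictionaries to the same two functions, replacing "yourbucket" with the bucket that holds the disk images.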

  • Export the VM disk image in one of the supported formats.
    — Open Virtual Appliance (OVA).
    — Stream-optimized ESX Virtual Machine Disk (VMDK) — VMware virtualization products.
    — Fixed and Dynamic Virtual Hard Disk (VHD/VHDX) — Microsoft virtualization products.
    — Raw format for importing disks and VMs.
  • Configure AWS CLI.
  • Upload the exported disk image or images to an S3 bucket. (You can use the CLI for better results.)
  • Create the vmimport role with required policy documents.
  • Run the EC2 import-image command to create the AMI from the disk images stored in S3.
  • Once we get the AMI, we can launch the EC2 instance.

Command to import the VM Image

aws ec2 import-image --description "My VM Server" --disk-containers "file://C:\<file-path>\vmimage.json"

Example vmimage.json:

[
  {
    "Description": "My VM Image",
    "Format": "ova",
    "UserBucket": {
      "S3Bucket": "my-vm-bucket",
      "S3Key": "my-vm-image.ova"
    }
  }
]

When we execute the above command, we will get an import task ID, but we cannot see what the progress is.

In order to see the progress, run the command below:

aws ec2 describe-import-image-tasks --import-task-ids import-ami-1a3gthu6u8u0abcdef0

[IMPORTANT] Create an admin user who will perform all the migration activities (optional). It is recommended NOT to use the root user for any AWS tasks.

  1. Create a new user for the migration activity.
  2. Attach the administrator policy to the user.
  3. Add tags for the user. This is really useful, but totally optional.
  4. Review and create the user.
  5. Download the access key and secret access key .csv file to your computer.

[IMPORTANT] Download and save the access key and secret access key from this step. If you do not do it now, you cannot get them back. You will need to create a new user and download the keys.
