Simplifying Google Cloud Migration Center Setup

Brian Kudzia
Google Cloud - Community
11 min read · Jun 25, 2024

Google Cloud is seeing more and more adoption, in part because of our security capabilities and unique differentiators. In order to help customers understand what a journey to Google Cloud might look like, Migration Center is here to help. Migration Center scans your assets and provides a detailed analysis on resource utilization, right-sizing information, and total cost of ownership. In order to help streamline this process, this blog will serve as a one-stop shop to deploy Google Cloud Migration Center in your environment.

The first thing to determine is where you will run Migration Center. Just like all Google Cloud products, Migration Center is API driven. This means you will need a Google Cloud Project. If you already have a Google Cloud Organization, this shouldn’t be a problem. For those that do not, you can work with your account team to get one established.

Once you have a Google Cloud project, IAM roles will need to be assigned to use Migration Center. You can assign the following roles to the user(s) or group(s) who will be setting it up:

  • Migration Center Admin (roles/migrationcenter.admin)
  • Viewer (roles/viewer)
  • Service Account Key Admin (roles/iam.serviceAccountKeyAdmin)

For more granular IAM delegation, you can review the list of Migration Center roles here. You can also create a custom role to narrow down the scope of permissions for your users by following the steps denoted in the previous link.

Once your users have the right roles, activate the service. In the Google Cloud console, open the project in which you wish to enable Migration Center, then go to the Migration Center homepage and enable the API. Enabling the API can be codified in Terraform if you’re using IaC to create and manage projects. You will be prompted to select the region in which to store your data. Be careful here if you have data residency requirements. You can optionally add an Expert Request number if you have been given one by your Google Cloud account team. Optionally, set Migration Preferences, which will be used later when you run reports. It should look similar to this:

(Screenshot: Enable the API)

Once the API has been enabled, create a Google Cloud service account for Migration Center:

  1. In the Google Cloud console, go to IAM -> Service Accounts from the project where Migration Center is enabled
  2. Click Create service account
  3. Enter a service account name to display in the Google Cloud console.
    — The Google Cloud console generates a service account ID based on this name. Edit the ID if necessary. You cannot change the ID later.
  4. Optional: Enter a description of the service account
  5. To finish creating the service account, click Done

Once your service account is created, you’ll need to install the Discovery Client. It’s a best practice to install one Discovery Client per datacenter, so plan accordingly. The size of your fleet and the number of assets you plan to scan determine the size of the Discovery Client VM:

  • Under 100 assets: 1 CPU core, 8 GB RAM, 10 GB free space.
  • Under 1000 assets: 2 CPU cores, 12 GB RAM, 20 GB free space.
  • Under 5000 assets: 4 CPU cores, 16 GB RAM, 40 GB free space.

If you will be scanning more than 5000 assets in a single datacenter, you will need multiple Discovery Clients to manage the load.

The client needs to run on a Windows server inside your data center, and it must have:

  • Microsoft .NET Desktop Runtime 6.0.25
  • Microsoft Visual C++ 2019 Redistributable x64 version 14.29.30135
  • Microsoft Visual C++ 2019 Redistributable x86 version 14.29.30135

From an outbound network perspective, the VM running the Discovery Client needs minor network configuration. It will require outbound TCP 443 access to the following API endpoints in Google Cloud:

The Discovery Client VM will also need open line-of-sight to your scanned assets. For Linux VMs, it requires inbound access on TCP 22 (SSH), and for Windows VMs, it requires inbound access on TCP port 135 (WMI) and TCP inbound dynamic ports as follows:

  • Ports 49152–65535 for Windows Server 2008 and newer.
  • Ports 1025–5000 for Windows Server 2003 and older

For all VM types, the Discovery Client VM requires ICMP to your scanned assets.

Once you have a VM that meets all installation and network requirements, you can configure the Discovery Client. We typically recommend installing for online discovery, but you also have the option to install for offline discovery if you cannot run online for any reason. This blog will only cover online discovery.

For Online Discovery, you can follow these steps:

  1. In the Google Cloud console, go to Migration Center -> Data import
  2. Click Add data > Set up Discovery Client V5
    (Screenshot: Add Discovery Client v5)
  3. On the Discovery client setup page, do the following:
    — Enter the Discovery client name — this could be the datacenter you’re scanning.
    — From the Service account list, select the service account that you created for Migration Center.
    — Enter the expected number of assets in your data center.
    — Enter the number of days that you want the Discovery Client to collect data for. If you don’t specify anything, the Discovery Client collects data for 90 days. After this period, the Discovery Client stops collecting data, and its status changes to Paused to indicate that.
    (Screenshot: Add Data Source)
  4. To create the Discovery Client, click Add data source

Once this step is complete, you will be given a download link to the installer. Download and copy the installer to the VM that will be running the client. You should run the installer as Administrator. Follow the on-screen instructions to finish the installation, which should prompt you to create a shortcut on the desktop, if desired.

Open the Discovery Client. The first time running it, you will be required to authorize it against the correct Google Cloud project. The permissions assigned previously should cover what’s needed, but more information can be found here. Perform the following steps in the Discovery Client UI:

  1. Click Authorize with Migration Center
  2. Under Connectivity check, click Run check
    — Troubleshoot any issues that are reported — things can’t proceed until this is successful
  3. Click Continue, then Log in with Google
    — Follow the instructions on the screen, select the Google Account you use in Google Cloud when prompted, then click Sign In
  4. Under Choose project, select the Google Cloud project where you created the Discovery Client from the list
  5. Under Choose Discovery Client, select the Discovery Client for your data center from the list
  6. To confirm, click Authorize

If permissions are correct, you should see a success message. Review the three methods by which the Discovery Client can collect data:

  1. OS scan (preferred): collects data from servers or VMs with Windows or Linux operating systems.
  2. vSphere scan: collects data from VMware assets where OS scan cannot run.
  3. Database scan: collects data from databases.

If you are curious about what data we collect, you can review that here for each type of scan.

Next, review the target asset requirements. The Discovery Client can collect information about Windows VMs, Linux VMs, VMware vCenter, and databases. To recap the link, the requirements for Windows assets are:

  • WMI (Windows Management Instrumentation) Service running
  • Windows Firewall disabled
    — Alternatively, a firewall exception to allow for Remote WMI
  • Open line of sight from Discovery Client to each asset
  • An account with local administrator rights to the operating system — NOT a domain admin

For Linux:

  • SSH enabled with support for the following encryption algorithms:
    — RSA and DSA in PEM format
    — ECDSA 256/384/521, ED25519 in OpenSSL or PEM formats
  • Open line of sight from Discovery Client to each asset
  • An account with user-level access (no sudo or root privileges required)

For vCenter:

  • vCenter 5.5 or higher
  • Open line of sight from Discovery Client to vCenter
  • Read level access to vCenter

For databases:

  • Open line of sight to each database
    — The following are the default port numbers for the database engines supported by the Discovery Client. Your configuration may vary.
    — — MongoDB: 27017
    — — MySQL: 3306
    — — Oracle: 1521
    — — PostgreSQL: 5432
    — — SQL Server: 1433
  • For Oracle databases, the Discovery Client fully supports versions 12.2 and later. Earlier versions might have only limited compatibility.
  • For Oracle 12c and later, before starting data collection run the permission script.
  • For all non-Oracle databases, use an account with administrator rights to the database.

Once your assets can meet these requirements, input credentials into the Discovery Client. You will need credentials for each type of asset you are scanning. From the Discovery Client UI, for OS Scan credentials:

  1. Click Add Credentials in the Discovery Client UI
  2. Select OS Scan, then click Configure to enter the details
  3. Enter the name of your credential, then select one of the credential types available.
    — No Credentials: you must specify credentials for each individual asset.
    — Username & Password: applicable to both Windows and Linux collections.
    — — Enter domain accounts as DOMAIN\USERNAME.
    — — Enter local accounts as .\USERNAME.
    — SSH Key / Certificate (Linux only): you can SSH into a Linux machine with certificate-based authentication instead of using a username and password combination. Select a previously uploaded certificate, or upload a new private key in the PEM format.
  4. In the Schedule group section, keep the default Auto-schedule On to allow Discovery Client to gather data at regular intervals.
    — Optionally, you can select Advanced Options to customize the days and hours when you want the Discovery Client to gather data.
  5. Click Add credential to finish.

For vSphere:

  1. Click Add Credentials.
  2. Select vSphere Scan, then click Configure to enter the details.
  3. Enter the name of your credential.
  4. Enter your vSphere host or IP, username and password.
  5. In the Schedule group section, keep the default Auto-schedule On to allow Discovery Client to gather data at regular intervals.
    — Optionally, you can select Advanced Options to customize the days and hours when you want Discovery Client to gather data. By default, all days and hours are selected.
  6. Click Add credential to finish.

For databases:

  1. Click Add Credentials.
  2. Select Database Scan, then click Configure to enter the details.
  3. Enter the name of your credential, then select one of the following database types:
    — SQL Server
    — MySQL
    — PostgreSQL
    — Oracle
  4. Enter the username and password for your database.
    — If you select SQL Server as database type, choose if you want to use Windows login credentials in the format domain-name\login-name, instead of database credentials.
    — If you select Oracle as database type, choose if you want to connect as SYSDBA user.
  5. In the Schedule group section, keep the default Auto-schedule On to allow Discovery Client to gather data at regular intervals.
    — Optionally, you can select Advanced Options to customize the days and hours when you want Discovery Client to gather data. By default, all days and hours are selected.
  6. Click Add credential to finish.

Once all of your credentials have been entered, add your assets. The most common method is by adding IP address ranges. In the Discovery Client UI:

  1. Click Add assets > Machine > Scan IP address ranges
    — Click to accept the warning about multiple logon attempts
  2. From the Scan IP address ranges page, select Add IP address ranges > Enter ranges
  3. In the IP Ranges section, enter the initial and final IP addresses of the range in the fields provided
    — Note that you can add at most a /16 subnet (or 65,536 IP addresses) to a single range
    — You can define additional ranges by clicking Add IP range
  4. Lastly, click Start IP Scan to kick off the asset data collection

If you have a bunch of ranges to enter, you can do this en masse:

  1. Click Add assets > Machine > Scan IP address ranges.
  2. From the Scan IP address ranges page, select Add IP address ranges > Upload CSV of ranges.
  3. Click Download IP address range template and fill in the CSV template with the IP ranges that you want to scan.
  4. After you’re finished, from the Upload section select IP address range file from the list and upload the filled-in CSV file into the Discovery Client.
  5. Click Save, then, from the dialog, click Dismiss.
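
To prepare the initial and final addresses for the range fields or the CSV template described above, this added example (not part of the original post or of Google's tooling) normalizes a list of CIDR blocks and splits anything larger than a /16 so each range stays within the 65,536-address limit. The scope list is constructed sample data, the function names are hypothetical, and IPv4-only input and the two-column start,end layout are assumptions: copy the values into the template downloaded from the Discovery Client rather than uploading this output as-is.

```python
import csv
import io
import ipaddress

MAX_RANGE_ADDRESSES = 65_536  # per-range limit stated in the steps above (a /16)

# Constructed sample scope: overlapping, adjacent and oversized blocks.
SAMPLE_SCOPE = [
    "10.8.0.0/15",     # larger than a /16, must be split
    "10.8.3.0/24",     # already covered by the /15
    "10.20.0.0/24",    # adjacent to the next block, will be merged
    "10.20.1.0/24",
    "192.168.5.0/26",
]


def plan_ranges(cidrs):
    """Return sorted, non-overlapping (first_ip, last_ip) pairs, each at most a /16."""
    # strict=True rejects entries with host bits set (e.g. 10.1.2.3/16),
    # which are usually typos that would silently widen the scan scope.
    nets = [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs]
    if any(n.version != 4 for n in nets):
        raise ValueError("IPv4 only (assumption of this example)")
    ranges = []
    # collapse_addresses() drops duplicates and overlaps and merges
    # neighbouring blocks, so the resulting ranges never overlap.
    for net in ipaddress.collapse_addresses(nets):
        if net.num_addresses > MAX_RANGE_ADDRESSES:
            chunks = net.subnets(new_prefix=16)
        else:
            chunks = [net]
        ranges.extend((str(c[0]), str(c[-1])) for c in chunks)
    return ranges


def to_csv(ranges):
    """Render the pairs as start,end rows (column layout is an assumption)."""
    buf = io.StringIO()
    csv.writer(buf).writerows(ranges)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(plan_ranges(SAMPLE_SCOPE)), end="")
```
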

If your assets are scattered or you have a specific list of assets you wish to scan, you can import a list of IP addresses instead of using ranges:

  1. In the Discovery Client application, click Add assets > Machine > Scan IP address ranges.
  2. From the Scan IP address ranges page, select Add IP address ranges > Upload CSV of ranges.
  3. Click Download IP address template and fill in the CSV template with the IP ranges that you want to scan.
  4. After you’re finished, from the Upload section select IP address file from the list and upload the filled-in CSV file into the Discovery Client.
  5. Click Save, then, from the dialog, click Dismiss.

Once your asset information has been uploaded, the Discovery Client will take care of the rest! It will poll once an hour to collect basic information about each asset it’s able to connect to, and catalog the results for your consumption. The details will be available in the Migration Center UI inside your Google Cloud Project. The Summary menu will display high-level information about the data collected, and you can navigate to the Report Catalog to run reports to pull out information relevant and important to you.

If you’ve made it to the end, I hope you found this summarization helpful, and this kickstarts your migration to Google Cloud!

Brian Kudzia
Google Cloud - Community

I'm a Google Cloud InfraMod Engineer. I help customers adopt and migrate to our platform.