Amazon Onboarding with Learning Manager Chanci Turner


In the modern cloud-centric landscape, transferring applications is often a matter of just a few clicks. But what do you do when you’re faced with a heavily secured environment, where servers operate in isolation without internet access? This challenging scenario is common among organizations with stringent security protocols, where even installing the AWS Application Migration Service (MGN) replication agent can become a daunting task.

Picture a scenario with no internet gateways, NAT gateways, or even proxy servers. In such isolated settings, the otherwise straightforward installation of the MGN agent becomes a real obstacle. The agent requires access to the S3 service endpoint to download its installer and the replication agent, and it must maintain a steady connection to the MGN console both during installation and throughout its operational lifecycle. So how can you work around this lack of connectivity while preserving security and still using the capabilities of AWS MGN? This post outlines simple methods to connect the systems and transfer the data so that the migration is both secure and practical.

In this post, we will illustrate how to set up the AWS MGN replication agent on servers situated in tightly secured, offline environments. This includes safeguarding and replicating an Amazon Elastic Compute Cloud (EC2) instance that operates within a protected Virtual Private Cloud (VPC). Our approach will utilize VPC interface endpoints alongside the Amazon Simple Storage Service (S3) Gateway VPC endpoint. It’s crucial to understand that the AWS MGN agent needs access to the Amazon S3 service endpoint for downloading the agent installer and the replication agent itself. Additionally, during installation and while the source server is being replicated, the replication agent must stay connected to the Application Migration Service console.

Initially, we will focus on the configuration of interface endpoints, but setting up a gateway endpoint for S3 is equally important. Below are detailed steps that will clarify the entire process and enhance your understanding.

Prerequisites

  1. AWS Account and Access: An AWS account and an IAM user are required to utilize AWS MGN. Refer to AWS MGN initialization and permissions for specifics.
  2. Initialize AWS MGN before use. For details, check the AWS MGN User Guide.
  3. An EC2 instance must be running for testing and installing the AWS MGN agent.
  4. Establish two separate VPCs, each in a different region, with no connection to the internet. These regions should be connected via VPC Peering. The target VPC will also include staging subnets for data replication and private subnets for launching workload EC2s post-cutover.
  5. An IAM user should be configured to create VPC endpoints, S3 endpoints, Gateway endpoints, and Security Groups.
  6. To integrate your on-premises DNS with Amazon Route 53, create a private hosted zone in Route 53 and configure your on-premises DNS server to forward queries for the hosted zone to the Route 53 Resolver inbound endpoints.
  7. Configure replication and launch settings in AWS MGN.
  8. A foundational understanding of VPC, S3 endpoints, and VPC peering is necessary.

Solution Overview

Scenario 1: From AWS Region 1 to AWS Region 2 (ap-southeast-1 → ap-south-1)

In this scenario, we are replicating an EC2 instance currently operating in a highly secured VPC environment in the ap-southeast-1 (Singapore) region to the ap-south-1 (Mumbai) region. The VPC in Mumbai is also tightly secured and lacks direct internet access. For communication between these two isolated VPCs, we have established a VPC peering connection in this demonstration.

Scenario 2: On-Premises to AWS

When dealing with on-premises infrastructure, the overall architectural approach remains consistent, but the connectivity method to link the on-premises setup with cloud infrastructure is key.

1. Connectivity Options:

AWS provides two main options for creating a secure connection between your on-premises infrastructure and its cloud services. The first is AWS Direct Connect, which offers a dedicated, private network link from your data center to AWS, ensuring stable network performance and potentially lower networking costs. Alternatively, an AWS Site-to-Site VPN creates an encrypted tunnel over the internet, linking your on-premises network to your Amazon VPC. While the VPN option is quicker to set up, Direct Connect can provide more bandwidth and is suitable for production workloads needing high capacity. Consider factors like performance, resilience, and cost when choosing between these methods.

2. DNS Resolution:

AWS MGN and Amazon EC2 interface endpoints have private DNS names that need to be resolvable within the VPC. However, on-premises servers must also be configured to resolve these names, which requires forwarding on-premises DNS queries to the Amazon Route 53 Resolver inbound endpoint situated in the staging area VPC.

3. AWS Transit Gateway:

AWS Transit Gateway interconnects the on-premises network and the AWS VPCs.

Walkthrough

For this blog, we have established our source architecture in different AWS regions (scenario 1), yet a similar approach can be adopted for scenario 2 where your on-premises setup serves as the source. When initiating the installation, your source virtual machines will need to connect to the AWS MGN regional endpoint; this is the sole network connectivity required during the agent installation and throughout its operational lifespan on the source server. Ensure that the security groups tied to the VPC interface endpoints allow HTTPS traffic from the source VPC CIDR and the staging area subnet.

Connecting Source Servers to Endpoints

  1. To facilitate the download of the replication installer and agent on the source server, access to S3 is essential. Therefore, create a VPC S3 Interface endpoint in ap-south-1.
  2. Point the installer download URL at the S3 interface endpoint's DNS name instead of the public S3 hostname, and pass the --s3-endpoint switch during the agent installation process.
  3. Connectivity to the MGN regional endpoint is also necessary during installation, prompting the creation of an MGN VPC interface endpoint in the ap-south-1 region.
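A worked version of the three steps above, as an added example that is not code from the original post or from AWS. The endpoint DNS names, CIDRs and rule sets are constructed placeholders; the --s3-endpoint, --endpoint, --region and --no-prompt switches are those accepted by the MGN installer, and credentials are omitted.

```shell
#!/bin/sh
# Added example, not from the original post or from AWS: builds the installer
# URL and install command for the isolated-VPC flow above, and checks that an
# endpoint security group has the HTTPS ingress rules the post requires.
# Endpoint DNS names and CIDRs are constructed placeholders; real values come
# from `aws ec2 describe-vpc-endpoints` and your VPC design.

REGION="ap-south-1"
# Bucket-style regional DNS name of the S3 interface endpoint (constructed).
S3_VPCE_DNS="bucket.vpce-0123456789abcdef0-ab12cd34.s3.ap-south-1.vpce.amazonaws.com"
# Regional DNS name of the MGN interface endpoint (constructed).
MGN_VPCE_DNS="vpce-0fedcba9876543210-cd34ef56.mgn.ap-south-1.vpce.amazonaws.com"
SOURCE_CIDR="10.10.0.0/16"    # placeholder: source VPC in ap-southeast-1
STAGING_CIDR="10.20.1.0/24"   # placeholder: staging subnet in ap-south-1

# Installer URL rewritten to go through the S3 interface endpoint (path-style
# access to the regional aws-application-migration-service-<region> bucket)
# instead of the public S3 hostname, which has no route from an isolated VPC.
installer_url() {
  printf 'https://%s/aws-application-migration-service-%s/latest/linux/aws-replication-installer-init.py' "$1" "$2"
}

# Install command: --s3-endpoint keeps the agent download inside the VPC and
# --endpoint points the agent at the MGN interface endpoint for its lifetime.
# Credentials are left out; the installer prompts for them or takes flags.
install_cmd() {
  printf 'sudo python3 aws-replication-installer-init.py --region %s --no-prompt --s3-endpoint %s --endpoint %s' "$1" "$2" "$3"
}

# Ingress rules given one per line as proto:port:cidr (a constructed flattening
# of `aws ec2 describe-security-groups` output). Succeeds only when TCP/443 is
# allowed from both the source VPC CIDR and the staging subnet.
sg_allows_https() {
  for cidr in "$SOURCE_CIDR" "$STAGING_CIDR"; do
    printf '%s\n' "$1" | grep -qxF "tcp:443:$cidr" || return 1
  done
}

# Constructed sample rule sets: the first is complete, the second lacks the
# rule for the source VPC CIDR.
GOOD_RULES="tcp:443:10.10.0.0/16
tcp:443:10.20.1.0/24"
BAD_RULES="tcp:443:10.20.1.0/24
tcp:22:10.10.0.0/16"

installer_url "$S3_VPCE_DNS" "$REGION"; echo
install_cmd "$REGION" "$S3_VPCE_DNS" "$MGN_VPCE_DNS"; echo
sg_allows_https "$GOOD_RULES" && echo "endpoint SG: ok"
sg_allows_https "$BAD_RULES" || echo "endpoint SG: missing HTTPS ingress rule"
```

Run the security-group check against both the S3 and the MGN endpoint security groups before starting the installer, since the agent needs HTTPS to each of them.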


Chanci Turner