I have been getting asked more and more how to manually import on-premise virtual machines into AWS, without using other services such as CloudEndure or AWS Migration Services. Some may want a quick and dirty way to get the source to the destination without spinning up any extra appliances, going through Change Control, or just getting to the end goal faster compared to the extra layers offered by other services.
VM Import/Export enables you to import virtual machine images from your existing virtualization environment (VMWare, HyperV, etc.) to Amazon EC2. This enables you to migrate applications and workloads to Amazon EC2, copy your VM image to Amazon EC2, or create a repository of VM images for backup and disaster recovery. As there are other services to do the heavy lifting, this article sheds light on what it takes to convert an on-premise virtual machine to AWS as an AMI.
Pre-requisites for VMWare Image:
1. Remove VMWare tools if installed
2. Disable AV or IDS applications
3. Disconnect CD-ROM drives
4. Enable DHCP
5. Enable RDP and modify OS firewall rules to allow RDP
6. Install .NET Framework 4.5 or later
AWS CLI
Silent Install
To silently install AWS CLI on a computer (referenced below as the management machine, not the VM you want to import) with internet access:
1. Open PowerShell
2. Run: msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi /q
Confirm
To confirm AWS CLI has been successfully installed:
1. Open PowerShell
2. Run: aws –version
3. Output should show the version that was installed
AWS CLI Configuration
AWS Profile
On your management machine (not the VM), create your AWS profile with your secret key and secret access key:
1. Open PowerShell or Command Prompt
2. Run:
aws configure3. Input your Secret Key and press Enter
4. Input your Secret Access Key and press Enter
5. Input your default location: us-east-1 as an example and press Enter
6. Input your format: JSON as an example
Confirm your AWS profile was saved:
1. Open PowerShell
2. Run:
cat c:\users\<your login name>\.aws\configa. This will show general properties for your default profile
3. Run:
cat c:\users\<your login name>\.aws\credentialsa. This will show your credentials which includes your Secret Key and Secret Access Key
S3 Bucket
In order to save the vmdk (or vhd) file for your virtual machine, you will need to create a bucket in AWS. Each bucket has to be unique across ALL of AWS (not just your account) and has to be in lower case.
Create bucket:
1. Open Powershell or Command Prompt
2. Run:
aws s3 mb s3://nameofmybucket/importa. nameofmybucket is an example name; please substitute for something unique to you
b. /import is a ’folder’ (S3 doesn’t really do folders, but that is another discussion) in the ‘nameofmybucket’ bucket; this will be the location of the virtual machine file
Copy to Bucket:
1. Open PowerShell or Command Prompt
2. Browse to the location of your vmdk file
3. Run:
aws s3 cp 'locationOfvirtualMachineFolder\vm.vmdk' s3://nameofmybucket/import/4. Wait for the file to finish uploading
Import Roles and Policies
In order for the Import service to work properly, certain permissions must be created for the service. Three files will be created (locally on the management machine) for this task:
1. containers.json – this file contains the location of your vmdk file in AWS S3. You can use vmdk, vhd, ovf files
2. trust-policy.json – this file provies the VM Import service to assume the role for your account
3. role-policy.json – this file provides the permissions to access the S3 bucket holding your vmdk file, which will be linked to a role
Code
1. Create a file called containers.json and copy and paste the contents below into that file, changing the contents of the bold entries to match yours:
[{
"Description": "First CLI task",
"Format": "vmdk",
"UserBucket": {
"S3Bucket": "name of your bucket",
"S3Key": "import/name of the vmdk file"
}
}]
2. Create a file called trust-policy.json and copy and paste the contents below into that file
#trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "vmie.amazonaws.com" },
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals":{
"sts:Externalid": "vmimport"
}
}
}
]
}
3. Create a file called role-policy.json and copy and paste the contents below into that file, changing the contents of the bold entries to match yours:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:GetBucketAcl"
],
"Resource": [
"arn:aws:s3:::arun-lifetime/import",
"arn:aws:s3:::arun-lifetime/import/*"
]
}
]
}
Roles
Create roles based on the files you created above:
1. Open PowerShell
2. Browse to the location of the files above
3. Run:
aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json4. Run:
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.jsonImport VMDK to AMI
5. Open PowerShell
6. Run:
aws ec2 import-image --description "Windows 2008 VHD" --license-type BYOL --disk-containers file://containers.jsonThe above will provide you with a task-id, which you can use to view the status/progress:
7. In PowerShell run (replace highlighted with the ID you are provided from above):
aws ec2 describe-import-image-tasks --import-task-ids import-ami-1234567890abcdef0Launch AMI
Once the conversion is complete, you can:
8. Log into the AWS Console
9. Near the top, search for EC2 and click on the link shown to head to the EC2 administration console
10. Click on Launch Instance
11. Select My AMIs from the left pane
12. Find your AMI and click on Select
13. Continue on as with any EC2 provisioning picking the specs, subnets, security groups, etc.
Workflow
