Importing an Existing Windows 2012 Server to AWS

AWS has covered a lot of the bases when it comes to offering machine images (AMIs) of popular configurations. You can choose the latest Windows Server 2012, a fully configured LAMP stack, Amazon’s own Linux distro or a myriad of other OS and application combinations.

But if you don’t want to build out your shiny new AWS instance from scratch or use one of the supplied AMIs, AWS has helpfully provided a VM import/export tool that automatically converts on-premise hosted virtual machines to a custom private AMI.

There are a few reasons why you might want to do this:

  • You may have legacy software configured on an on-premise machine that you do not want to re-install on an AWS instance
  • Your on-premise VM already complies with your organisation’s security and compliance criteria
  • You have a large volume of on-premise VM-based servers that require migration and you would like to automate the migration

There are several steps involved with migrating an on-premise VM to AWS – the high level steps are roughly as follows:

  • Shut down and convert existing VM to OVA format
  • Copy OVA file to S3
  • Run the EC2 or AWS CLI command to convert the OVA to an AMI

 

Pre-Requisites

The first step is to check that the operating system version that your on-premise VM is running is supported in the AWS ecosystem.

The supported OSs are:

  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012
  • Red Hat Enterprise Linux (RHEL) – not all versions supported
  • CentOS – not all versions supported
  • Ubuntu
  • Debian

The restrictions on operating system are mainly due to the driver support within EC2.

It’s important to note that there are two distinct methods of importing VMs into AWS: the original EC2 CLI based command ec2-import-instance, which results in a stopped EC2 instance, and the newer AWS CLI command import-image, which results in an AMI.

For this example we are going to use the newer import-image command. Amongst the benefits of this command are that the OVA file format is supported, as well as multiple disks/volumes. ec2-import-instance is restricted to importing single disk VMs only.

Depending on which tool you decide to use you must install either the EC2 CLI or AWS CLI tools on the server or workstation that you are going to kick off the import from.

 

IAM Role

For the VM import command to run, an IAM role needs to be created with a specific policy and trusted entities. The policy below is the trust policy for the not yet created IAM role vmimport: it allows the VM import service (vmie.amazonaws.com) to assume the role, and only when the external ID is vmimport.

Create a file named policy.json with the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vmie.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "vmimport"
        }
      }
    }
  ]
}

Now create an IAM role that uses the policy file you created earlier:

aws iam create-role --role-name vmimport --assume-role-policy-document file://policy.json

 

Note. The IAM role must be called ‘vmimport’ for the service to work properly.

Now we must give the newly created IAM role access to the S3 bucket where you plan to upload the exported VM image file. Create another policy file called policy2.json with the following policy, replacing cloudtenvmimports3bucket with the name of the S3 bucket where you plan to upload your VM:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::cloudtenvmimports3bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::cloudtenvmimports3bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

Now apply the policy to your vmimport role by running the following command:

aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://policy2.json

Finally, if you are not using the AWS root account and are using an IAM user to run the command (a very good idea and best practice), then that user will also need access to the bucket in order to upload the file and run the command against the bucket. The following policy grants that access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": ["arn:aws:s3:::cloudtenvmimports3bucket", "arn:aws:s3:::cloudtenvmimports3bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeExportTasks",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:ImportInstance",
        "ec2:ImportVolume",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ImportImage",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:CancelImportTask"
      ],
      "Resource": "*"
    }
  ]
}
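
Policy text copied from a web page can fail quietly: typographic quotes break the JSON, and a stray space in an S3 ARN means the resource no longer names the bucket. The check below is an added example, not part of the original post or of any AWS tooling; the function names are this example's own, and the expected service principal, external ID and bucket name are the ones used on this page.

```python
import json
import re
# Expected values are the ones this page uses; the function names are this example's own.
IMPORT_SERVICE, EXTERNAL_ID = "vmie.amazonaws.com", "vmimport"
S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/.*)?$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def load_policy(text):
    """Parse policy JSON, rejecting typographic quotes/dashes pasted from a web page."""
    if re.search("[\u201c\u201d\u2033\u2013]", text):
        raise ValueError("typographic quotes or dashes in policy text")
    return json.loads(text)

def check_trust_policy(policy):
    """Findings for the role trust policy (policy.json)."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principal = stmt.get("Principal")
        if principal not in ({"Service": IMPORT_SERVICE}, {"Service": [IMPORT_SERVICE]}):
            findings.append(f"unexpected principal: {principal!r}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id != EXTERNAL_ID:
            findings.append("sts:ExternalId condition missing or not 'vmimport'")
    return findings

def check_s3_resources(policy, bucket):
    """Findings for S3 statements: malformed ARNs, or access outside the import bucket."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in as_list(policy["Statement"]):
        actions = as_list(stmt.get("Action", []))
        if not any(a.startswith("s3:") for a in actions):
            continue
        for res in as_list(stmt.get("Resource", [])):
            if res == "*" and actions == ["s3:ListAllMyBuckets"]:
                continue  # this action only accepts "*"
            if not S3_ARN.match(res):
                findings.append(f"malformed S3 resource: {res!r}")
            elif res not in allowed:
                findings.append(f"S3 access outside {bucket}: {res}")
    return findings

if __name__ == "__main__":
    # Constructed sample: an S3 statement with a stray space in the ARN.
    sample = '{"Statement":[{"Effect":"Allow","Action":["s3:GetObject"],"Resource":["arn:aws:s3::: cloudtenvmimports3bucket/*"]}]}'
    print(check_s3_resources(load_policy(sample), "cloudtenvmimports3bucket"))
```

Run it over policy.json, policy2.json and the user policy before calling create-role or put-role-policy; an empty list from each check means nothing was flagged.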

Exporting and Uploading Your VM

Now that your AWS environment is all set up to receive the VM we can export the VM from its current environment.

How your VM is currently virtualized will dictate how the export is performed. In this example I am using Oracle’s VirtualBox virtual environment.

To export my VM I selected the VM I required, then File -> Export Appliance.

 


I had a choice of OVF formats for the OVA VM we are creating – OVF2.0 is compatible with AWS vmimport, OVF1.0 should also work.

Now we must upload the OVA file to AWS. For this example I used the S3 GUI within the AWS management console and simply dragged and dropped my file into the specific S3 bucket.

 

Note. Non-commercial broadband connections typically have much slower upload than download speeds, so the OVA file may take hours to upload to S3.

 

Importing the VM and Creating an AMI

Now for the fun part: the actual import. With luck, the result will be a fresh, private AMI.

At the command line run the following to kick off the VM import task, replacing cloudtenvmimports3bucket with the name of your S3 bucket:

aws ec2 import-image --cli-input-json "{ \"Description\": \"Windows 2012 OVA\", \"DiskContainers\": [ { \"Description\": \"First CLI task\", \"UserBucket\": { \"S3Bucket\": \"cloudtenvmimports3bucket\", \"S3Key\": \"Windows2012.ova\" } } ]}"

You should receive a status message confirming that the task has been successfully kicked off.

The VM Import process can take hours to complete. If you’d like to check on the status of the process you can display the task using the following command:

aws ec2 describe-import-image-tasks

If all goes according to plan the end result will be a private AMI available within your management console that can be started as an instance at will and will contain all the custom configuration you set up on the original VM.

 
