AWS transform documentation change
Summary
Removed sections related to VPC configuration generation, network resource tagging, and security group association workflows
Security assessment
The removed content included security-related guidance about securing mapping files and security group associations, but the deletion appears to be general documentation restructuring rather than addressing a specific vulnerability. No evidence of security incident remediation.
Diff
diff --git a/transform/latest/userguide/transform-vmware-workflow.md b/transform/latest/userguide/transform-vmware-workflow.md index 610096ffa..8a3c78275 100644 --- a//transform/latest/userguide/transform-vmware-workflow.md +++ b//transform/latest/userguide/transform-vmware-workflow.md @@ -5,2 +4,0 @@ -Generate VPC configurationTag network resourcesSecurity group association - @@ -11,63 +8,0 @@ The type of VMware migration job you choose determines the workflow. For a descr -## Generate VPC configuration - -###### To import network data - - 1. In the **Job Plan** pane, choose **Migrate network**. - - 2. Expand **Generate VPC configuration**. - - 3. Choose **Import network data**. - - 4. In the **Network source data** section, either select an existing import, or choose **Upload file** to import a new file to add to the list, and then select the file that you uploaded. - - 5. In the **Network topology** section, the topology that you want AWS Transform to generate. - - 6. Choose **Generate VPC configuration**. - - 7. After AWS Transform generates a Amazon VPC configuration, choose **Review generated VPC configuration**. - - 8. Ensure that the target account has the required quotas. - - - - -AWS Transform then analyzes your source network data and translates your source network to the following AWS networking resources as needed: VPCs, subnets, security groups, network access control lists (NACLs), NAT gateways, transit gateways, internet gateways, elastic IPs, routes, and route tables. AWS Transform then creates AWS CloudFormation templates and AWS Cloud Development Kit (AWS CDK) templates. Review the generated network configuration, and then either deploy it on your own or ask AWS Transform to deploy it for you. However, if you make changes to the generated configuration, you have to deploy the modified configuration yourself. If you choose to let AWS Transform deploy the network for you, it will also use tools such as Reachability Analyzer to run an analysis in order to check connectivity between subnets across multiple VPCs and under the same VPC. - -## Tag network resources - -For AWS Transform to launch Amazon EC2 instances within your existing AWS network resources which were not created by AWS Transform, the target network resources must be tagged. You can ask AWS Transform to do the tagging for you, in which case it will tag **all** network resources that it finds in the target AWS account and AWS Region. You can also manually tag target network resources that you’ve created on your own with the following tag: - -Key: `CreatedFor` Value: `AWSTransform` - -## Security group association - -When you migrate networks from an NSX source environment, AWS Transform creates security groups based on your source environment configurations. AWS Transform converts the following NSX configurations to security groups: - - * Security policies and security policy rules - - * Gateway policies and gateway policy rules - - - - -The association is based on the `source_groups` for outbound communication, and on the `destination_groups` for inbound communication. During server migration (import inventory), AWS Transform uses the following logic to associate these security groups with the appropriate network interfaces: - - * Rules associated to a VM external ID are attached to all of the elastic network interfaces of the given VM. - - * Rules associated to an IP are attached to the network interface with the specific IP. - - * _Exclude_ rules are ignored. However, you can manually create replacements for them. - - - - -The association maintains the security rules specified in the inventory import. The migration process creates encoded mapping files, one per VPC in your Amazon S3 bucket, that link VM external identifiers and IP addresses to the security groups they should be bound to. Follow AWS best practices to secure these files because they contain sensitive information about mappings. For guidance, see [Data protection in AWS Transform](./data-protection.html). - -###### Important - -Do not modify these mapping files, as they are essential for proper security group association. Modifying these files will cause a failure during the import inventory phase. - -Security groups removed from the VPC after network deployment will not be associated with migrated servers. - -During import, AWS Transform automatically deduplicates security groups based on their ID so as to remove redundant assignments. -