AWS Security ChangesHomeSearch

AWS transform documentation change

Service: transform · 2026-01-28 · Documentation low

File: transform/latest/userguide/transform-vmware-migrate-network.md

Summary

Updated VMware network migration documentation to include firewall/SDN configurations, revised file requirements, expanded tagging details, and added vendor-specific extraction steps

Security assessment

Changes enhance documentation of security features by detailing how firewall/SDN configurations generate security groups and include privileged access requirements for configuration extraction. No evidence of addressing a specific vulnerability.

Diff

diff --git a/transform/latest/userguide/transform-vmware-migrate-network.md b/transform/latest/userguide/transform-vmware-migrate-network.md
index 263563c53..842a07925 100644
--- a//transform/latest/userguide/transform-vmware-migrate-network.md
+++ b//transform/latest/userguide/transform-vmware-migrate-network.md
@@ -5 +5 @@
-Source Network MappingAdditional Configuration FilesNetwork TopologiesIP migration approachesReview VPC ConfigurationsDeploy NetworkDeployment approvals processSecurity group associationTag network resources
+Source Network MappingFirewall and Software-Defined Network Configuration FilesNetwork TopologiesIP migration approachesReview VPC ConfigurationsDeploy NetworkDeployment approvals processSecurity group associationTag network resources
@@ -9 +9 @@ Source Network MappingAdditional Configuration FilesNetwork TopologiesIP migrati
-AWS Transform migrates VMware networks to AWS by translating your source environment configuration into AWS-equivalent network resources. AWS Transform analyzes your source network data and creates VPCs, subnets, security groups, NAT gateways, transit gateways, elastic IPs, routes, and route tables as needed. You can review and modify the generated network configuration before deployment. For deployment, you can either have AWS Transform deploy the configuration for you and analyze deployed network connectivity, or choose self-deployment—in which case AWS Transform generates Infrastructure as Code (IaC) in your preferred format: AWS Cloud Development Kit (AWS CDK) (AWS CDK), Landing Zone Accelerator (LZA), or HashiCorp Terraform.
+AWS Transform migrates VMware networks to AWS by translating your source environment configuration into AWS-equivalent network resources. AWS Transform analyzes your source network data and creates VPCs, subnets, security groups, NAT gateways, transit gateways, elastic IPs, routes, and route tables as needed. You can review and modify the generated network configuration before deployment. For deployment, you can either have AWS Transform deploy the configuration for you and analyze deployed network connectivity, or choose self-deployment—in which case AWS Transform generates Infrastructure as Code (IaC) in your preferred format: AWS Cloud Development Kit (AWS CDK), Landing Zone Accelerator (LZA), or HashiCorp Terraform.
@@ -13 +13 @@ AWS Transform migrates VMware networks to AWS by translating your source environ
-The network mapping process requires uploading a configuration file from your source environment. You can use RVTools, Export for vCenter, Import/Export for NSX, or modelizeIT to capture on-premises network data and import it to AWS Transform. The tool you choose depends on your source network type:
+The network mapping process requires uploading a configuration file from your source environment. The tool you choose depends on your source network type:
@@ -15 +15 @@ The network mapping process requires uploading a configuration file from your so
-  * **NSX-defined network:** Upload an NSX configuration file using Import/Export for NSX.
+  * **Software Defined Networks (SDN):** Import/Export for VMware NSX network virtualization or Cisco ACI config for Cisco Application Centric Infrastructure.
@@ -17 +17 @@ The network mapping process requires uploading a configuration file from your so
-  * **vSphere-defined network:** Upload an RVTools file or Export for vCenter file. When using RVTools files, AWS Transform will focus on generate Amazon VPC configurations, while security group configurations require additional input. For network security settings, you may upload configuration files from additional sources like firewalls and software-defined networks. See Additional Configuration Files for more details.
+  * **VMware vSphere networks:** [RVTools](https://www.dell.com/en-us/shop/vmware/sl/rvtools). Note: when using RVTools files, AWS Transform will focus on generate Amazon VPC configurations, while security group configurations require additional input. For network security settings, you may upload configuration files from additional sources like firewalls and software-defined networks. See Firewall and Software-Defined Network Configuration Files for more details.
@@ -19 +19,3 @@ The network mapping process requires uploading a configuration file from your so
-  * **Non-Windows workstation or need granular control:** Use Export for vCenter, which generates files in the same format as RVTools.
+  * **Networks based on firewall configuration data:** Export files from Palo Alto Networks Firewall or Fortinet FortiGate Firewall.
+
+  * **Hybrid networks running both VMware and non-VMware workloads:** Application mapping tools - modelizeIT.
@@ -52 +54 @@ AWS Transform tags all generated resources with "CreatedBy": "AWSTransform" alon
-## Additional Configuration Files
+## Firewall and Software-Defined Network Configuration Files
@@ -54 +56 @@ AWS Transform tags all generated resources with "CreatedBy": "AWSTransform" alon
-AWS Transform supports additional configuration files that enable automated security group generation when combined with RVTools files. You can upload configuration files from the following enterprise solutions:
+AWS Transform supports configuration files that enable automated network and security group generation, based on firewall and policies configurations. These files can be used standalone or as a complement to RVTools file.
@@ -65 +67 @@ AWS Transform supports additional configuration files that enable automated secu
-When you upload a combination of RVTools and one or more of these configuration files, AWS Transform generates both the target VPC network infrastructure and corresponding security groups based on your existing security policies. This preserves your security investments and ensures consistent policy enforcement in AWS.
+When you upload a firewall or Cisco ACI file, AWS Transform generates network infrastructure and security groups. When you upload an RVTools file, AWS Transform generates network infrastructure only. You can optionally add firewall or Cisco ACI file to generate security groups.
@@ -71 +73,7 @@ To extract configuration files from firewall and network environments, follow th
-  * Firmware: 7.0 - 7.6
+  * Firmware: v7.0 and up
+
+  * Requirements: `super_admin` or `super_admin_readonly` privileges on global level
+
+  * Steps: 
+
+    * 1\. Connect to the firewall via SSH or built-in CLI client
@@ -73 +81 @@ To extract configuration files from firewall and network environments, follow th
-  * Requirements: super_admin or super_admin_readonly privileges
+    * 2\. Run: `show | grep ""` (`| grep ""` disables pagination)
@@ -75 +83 @@ To extract configuration files from firewall and network environments, follow th
-  * Steps: Connect via SSH, run `show | grep ""` (| grep "", save output to file
+    * 3\. Save all output to a file starting from the `show` command
@@ -82 +90 @@ To extract configuration files from firewall and network environments, follow th
-  * Firmware: 10.1.X
+  * Firmware: 10.1 and up
@@ -103 +111 @@ To extract configuration files from firewall and network environments, follow th
-  * Firmware: 6.3+
+  * Firmware: 6.0 and up
@@ -111 +119 @@ To extract configuration files from firewall and network environments, follow th
-    * Go to Admin and Config Rollbacks
+    * Go to Admin >> Config Rollbacks
@@ -113 +121 @@ To extract configuration files from firewall and network environments, follow th
-    * Select remote location and select "Create a snapshot now" option
+    * In “Take a snapshot” select remote location and push “Create a snapshot now” button
@@ -115 +123 @@ To extract configuration files from firewall and network environments, follow th
-    * Retrieve .gz file after "Transfer successful" message.
+    * After receiving “Transfer successful” message, connect to the remote location server and retrieve the latest snapshot file (.gz file)
@@ -258 +266,25 @@ AWS Transform converts the following configurations to security groups:
-To use existing AWS network resources not created by AWS Transform, you must tag the resources (including VPCs and subnets). AWS Transform can tag resources during migration wave execution—it will tag all network resources in the target AWS account and Region. Alternatively, you can manually tag network resources you've created with the following tags:
+AWS Transform automatically tags all generated resources with `"CreatedBy": "AWSTransform"` along with definition and execution IDs for tracking purposes. You can also add custom tags to network resources during migration to track and manage your infrastructure.
+
+You can apply custom tags at two levels:
+
+  * **Job-level tags:** Applied to all resources created during the migration job, including VPCs, subnets, security groups, and route tables.
+
+  * **VPC-level tags:** Applied to specific VPC resources and their associated components.
+
+
+
+
+###### Note
+
+If your migration is part of the **AWS Migration Acceleration Program (MAP 2.0)** , you can include the required MAP tag:
+
+  * **Key:** `map-migrated` **Value:** `mig`MPE_ID``
+
+(where `MPE_ID` is your Migration Portfolio Evaluation identifier)
+
+
+
+
+AWS Transform automatically apply these tags during network deployment.
+
+To use existing AWS network resources not created by AWS Transform, you must tag the resources (including VPCs and subnets). AWS Transform can tag resources during migration wave execution — it will tag all network resources in the target AWS account and AWS Region. Alternatively, you can manually tag network resources you've created with the following tags: