AWS transform documentation change
Summary
Major restructuring of the VMware network migration guide from a topic-based format to an 8-step procedural guide. Added detailed steps for network migration, expanded supported firewall sources (Cisco ACI), clarified security group generation requirements, added network diagram generation, and reorganized configuration extraction procedures.
Security assessment
The changes add security documentation by explicitly stating that AWS Transform does not open internet communication automatically (requiring manual security precautions), clarifying security group mapping strategies (MAP/SKIP), and adding requirements for cross-account IAM roles in multi-account deployments. However, there is no evidence of addressing a specific security vulnerability or incident - these are general documentation improvements and feature enhancements.
Diff
diff --git a/transform/latest/userguide/transform-vmware-migrate-network.md b/transform/latest/userguide/transform-vmware-migrate-network.md index 702f4ee7b..b16c7f46c 100644 --- a//transform/latest/userguide/transform-vmware-migrate-network.md +++ b//transform/latest/userguide/transform-vmware-migrate-network.md @@ -5 +5 @@ -Source Network MappingFirewall and Software-Defined Network Configuration FilesNetwork TopologiesIP migration approachesReview VPC ConfigurationsDeploy NetworkDeployment approvals processSecurity group associationTag network resources +Step 1: Source network mappingStep 2: Additional configuration filesStep 3: Network topologiesStep 4: Security group mappingStep 5: Review VPC configurationsStep 6: Network diagramStep 7: Tag your network resources (optional)Step 8: Deploy networkNetwork deletionConfiguration file extraction @@ -9 +9 @@ Source Network MappingFirewall and Software-Defined Network Configuration FilesN -AWS Transform migrates VMware networks to AWS by translating your source environment configuration into AWS-equivalent network resources. AWS Transform analyzes your source network data and creates VPCs, subnets, security groups, NAT gateways, transit gateways, elastic IPs, routes, and route tables as needed. You can review and modify the generated network configuration before deployment. For deployment, you can either have AWS Transform deploy the configuration for you and analyze deployed network connectivity, or choose self-deployment—in which case AWS Transform generates Infrastructure as Code (IaC) in your preferred format: AWS Cloud Development Kit (AWS CDK), Landing Zone Accelerator (LZA), or HashiCorp Terraform. +AWS Transform migrates VMware networks to AWS by translating your source environment configuration into AWS-equivalent network resources. AWS Transform analyzes your source network data and creates VPCs, subnets, security groups, NAT gateways, transit gateways, elastic IPs, routes, and route tables as needed. You can review and modify the generated network configuration before deployment. For deployment, you can either have AWS Transform deploy the configuration for you and analyze deployed network connectivity, or choose self-deployment—in which case AWS Transform generates Infrastructure as Code (IaC) in your preferred format: AWS Cloud Development Kit (AWS CDK) (AWS CDK), Landing Zone Accelerator (LZA), or HashiCorp Terraform. @@ -11 +11,26 @@ AWS Transform migrates VMware networks to AWS by translating your source environ -## Source Network Mapping +To migrate your network, follow these steps: + + 1. Upload your source network file + + 2. Upload additional configuration files (optional, for RVTools environments) + + 3. Select a network topology + + 4. Select security groups mapping strategy + + 5. Review the generated VPC configurations + + 6. Generate a network diagram (optional) + + 7. Tag your network resources (optional) + + 8. Deploy your network + + + + +###### Note + +For multi-account deployments, you must configure cross-account IAM roles and trusted access for AWS Organizations before starting the network migration. For more information, see [Migration to multiple target accounts](./migration-multiple-target-accounts.html). + +## Step 1: Source network mapping @@ -17 +42 @@ The network mapping process requires uploading a configuration file from your so - * **VMware vSphere networks:** [RVTools](https://www.dell.com/en-us/shop/vmware/sl/rvtools). Note: when using RVTools files, AWS Transform will focus on generate Amazon VPC configurations, while security group configurations require additional input. For network security settings, you may upload configuration files from additional sources like firewalls and software-defined networks. See Firewall and Software-Defined Network Configuration Files for more details. + * **VMware vSphere networks:** [RVTools](https://www.dell.com/en-us/shop/vmware/sl/rvtools). When using RVTools files, AWS Transform generates Amazon VPC configurations only. Security group configurations require additional input from firewall or software-defined network files. See Additional configuration files for more details. @@ -19 +44 @@ The network mapping process requires uploading a configuration file from your so - * **Networks based on firewall configuration data:** Export files from Palo Alto Networks Firewall or Fortinet FortiGate Firewall. + * **Networks based on firewall configuration data:** Export files from Palo Alto Networks Firewall, Fortinet FortiGate Firewall, or Cisco ACI. For supported versions and extraction instructions, see Configuration file extraction. @@ -22,0 +48,2 @@ The network mapping process requires uploading a configuration file from your so + * **Other file types:** If your configuration file is not one of the supported formats listed above, AWS Transform will attempt to automatically convert it to a format that can be processed by the service. This conversion can take up to two hours depending on the file size and complexity. + @@ -39,7 +66 @@ AWS Transform creates VPCs from all source network segments, with each detected -The network mapping process generates these key resources: - - * **Network topology:** Network deployment best practice for implementation. See the Network topologies section for more details. - - * **Workload segment configuration:** Amazon VPC segments with CIDR block definitions for organizing workloads and managing network traffic flow. - - * **Security configuration:** Pre-configured access rules for different network segments, supporting ingress and egress traffic control. +## Step 2: Additional configuration files @@ -46,0 +68 @@ The network mapping process generates these key resources: +For RVTools source environments, you can optionally upload additional configuration files to enable security group generation. Without additional configuration, no security groups will be generated for RVTools-based migrations. @@ -47,0 +70 @@ The network mapping process generates these key resources: +AWS Transform supports the following additional configuration file types. Only one configuration file from one platform can be uploaded. @@ -48,0 +72 @@ The network mapping process generates these key resources: + * Cisco Application Centric Infrastructure (ACI): Network policy configurations @@ -50 +74 @@ The network mapping process generates these key resources: -###### Note + * Palo Alto Networks: Firewall security policies @@ -52 +76 @@ The network mapping process generates these key resources: -AWS Transform tags all generated resources with "CreatedBy": "AWSTransform" along with definition and execution IDs for tracking and management purposes. + * Fortinet FortiGate: Firewall security policies @@ -54 +77,0 @@ AWS Transform tags all generated resources with "CreatedBy": "AWSTransform" alon -## Firewall and Software-Defined Network Configuration Files @@ -56 +78,0 @@ AWS Transform tags all generated resources with "CreatedBy": "AWSTransform" alon -AWS Transform supports configuration files that enable automated network and security group generation, based on firewall and policies configurations. These files can be used standalone or as a complement to RVTools file. @@ -58 +79,0 @@ AWS Transform supports configuration files that enable automated network and sec - * Cisco Application Centric Infrastructure (ACI): Network policy configurations @@ -60 +81 @@ AWS Transform supports configuration files that enable automated network and sec - * Palo Alto Networks: Firewall security policies +When you upload a firewall or Cisco ACI file, AWS Transform generates network infrastructure and security groups. When you upload an RVTools file alone, AWS Transform generates network infrastructure only. @@ -62 +83 @@ AWS Transform supports configuration files that enable automated network and sec - * Fortinet FortiGate: Firewall security policies +For supported versions and extraction instructions, see Configuration file extraction. @@ -63,0 +85 @@ AWS Transform supports configuration files that enable automated network and sec +## Step 3: Network topologies @@ -64,0 +87 @@ AWS Transform supports configuration files that enable automated network and sec +During the network definition step, you select a network topology. You can choose the **Isolated VPCs** topology or the **Hub and Spoke** topology. @@ -65,0 +89 @@ AWS Transform supports configuration files that enable automated network and sec +###### Important @@ -67 +91 @@ AWS Transform supports configuration files that enable automated network and sec -When you upload a firewall or Cisco ACI file, AWS Transform generates network infrastructure and security groups. When you upload an RVTools file, AWS Transform generates network infrastructure only. You can optionally add firewall or Cisco ACI file to generate security groups. +For both topologies, AWS Transform does not open the communication to the internet. You must open it manually after taking appropriate security precautions. @@ -69 +93 @@ When you upload a firewall or Cisco ACI file, AWS Transform generates network in -To extract configuration files from firewall and network environments, follow these procedures. Consult vendor documentation for the latest information. +### Isolated VPCs @@ -71 +95 @@ To extract configuration files from firewall and network environments, follow th -### Fortinet FortiGate +These are independent network environments that operate as separate units within AWS. VPCs maintain complete network isolation, with no built-in communication pathways between them. This separation provides the highest level of network boundary protection. You can connect the VPCs through specific networking configurations if needed. @@ -73 +97 @@ To extract configuration files from firewall and network environments, follow th - * Firmware: v7.0 and up +### Hub and Spoke @@ -75 +99 @@ To extract configuration files from firewall and network environments, follow th - * Requirements: `super_admin` or `super_admin_readonly` privileges on global level +In this model, an AWS Transit Gateway created by AWS Transform acts as the hub that connects to multiple workload VPCs (the spokes). During network convergence, AWS Transform creates a spoke VPC for each detected source network segment. @@ -77 +101 @@ To extract configuration files from firewall and network environments, follow th - * Steps: +AWS Transform creates three specialized VPCs for traffic management and security: @@ -79 +103 @@ To extract configuration files from firewall and network environments, follow th - * 1\. Connect to the firewall via SSH or built-in CLI client + * Inspection VPC: Where you establish the firewall that inspects the traffic. You can create firewall rule configurations here to modify VPC connections. @@ -81 +105 @@ To extract configuration files from firewall and network environments, follow th - * 2\. Run: `show | grep ""` (`| grep ""` disables pagination) + * Inbound VPC: For all traffic from the public internet (north-south). Includes an internet gateway. @@ -83 +107 @@ To extract configuration files from firewall and network environments, follow th - * 3\. Save all output to a file starting from the `show` command + * Outbound VPC: For all traffic to the public internet. Has an internet gateway, a Network Address Translation (NAT) gateway and an [elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html). @@ -88 +112 @@ To extract configuration files from firewall and network environments, follow th -### Palo Alto Networks +AWS Transform automatically associates all spoke VPCs with the default association route table and propagates routes from all spoke VPCs to the default propagation route table. This automation creates routing paths without manual configuration, though traffic flow remains subject to security group permissions. @@ -90 +114 @@ To extract configuration files from firewall and network environments, follow th - * Firmware: 10.1 and up +If you want fine-grained control over the communication between the VPCs, choose the **Isolated VPCs** option and modify the generated network to create the specific communication paths you require. @@ -92 +116 @@ To extract configuration files from firewall and network environments, follow th - * Requirements: superadmin role +## Step 4: Security group mapping @@ -94 +118 @@ To extract configuration files from firewall and network environments, follow th - * Steps: Connect via SSH, run commands below, save outputs to palo-conf.txt and palo-default.txt: +AWS Transform creates security groups based on your source environment configurations. AWS Transform converts security policies, security policy rules, gateway policies, and gateway policy rules to security groups. @@ -96 +120 @@ To extract configuration files from firewall and network environments, follow th - * `set cli pager off` +###### Important @@ -98 +122 @@ To extract configuration files from firewall and network environments, follow th - * `set cli config-output-format set` +AWS Transform makes a best effort to create security groups that match your source environment. Review and modify the generated security groups to ensure that they meet your company's needs and security policies. @@ -100 +124 @@ To extract configuration files from firewall and network environments, follow th - * `configure` +Choose one of the following security group mapping strategies: @@ -102 +126 @@ To extract configuration files from firewall and network environments, follow th - * `show` # Save as palo-conf.txt + * **MAP:** Translate rules from your source environment. Only static IP assignment is supported with this strategy (see IP migration approaches below). @@ -104 +128 @@ To extract configuration files from firewall and network environments, follow th - * `show predefined` # Save as palo-default.txt + * **SKIP:** Do not translate rules from your source environment. No security groups are generated. Both static and dynamic (DHCP) IP assignment are available. For RVTools source environments without additional configuration files, AWS Transform automatically uses SKIP. @@ -109 +133 @@ To extract configuration files from firewall and network environments, follow th -### Cisco ACI +**IP migration approaches** @@ -111 +135 @@ To extract configuration files from firewall and network environments, follow th - * Firmware: 6.0 and up +The system offers two key network configuration choices for your migration: @@ -113 +137 @@ To extract configuration files from firewall and network environments, follow th - * Requirements: Admin role with all privileges; SCP/SFTP/FTP destination configured +**Network range selection:** @@ -115 +139 @@ To extract configuration files from firewall and network environments, follow th - * Steps: + * **Keep Existing Ranges (IP Address Ranges Retention):** Keep original IP address ranges during migration. Ideal for lift-and-shift scenarios with legacy applications that have hard-coded IP dependencies or existing firewall rules. @@ -117 +141 @@ To extract configuration files from firewall and network environments, follow th - * Connect to APIC controller via browser + * **Update to new IP ranges (CIDR update):** You can modify each VPC CIDR range during migration, and AWS Transform automatically propagates changes to subnets, route tables, and security groups. @@ -119 +142,0 @@ To extract configuration files from firewall and network environments, follow th - * Go to Admin >> Config Rollbacks @@ -121 +143,0 @@ To extract configuration files from firewall and network environments, follow th - * In “Take a snapshot” select remote location and push “Create a snapshot now” button @@ -123 +144,0 @@ To extract configuration files from firewall and network environments, follow th - * After receiving “Transfer successful” message, connect to the remote location server and retrieve the latest snapshot file (.gz file) @@ -124,0 +146 @@ To extract configuration files from firewall and network environments, follow th +**IP addresses assignment:** @@ -125,0 +148 @@ To extract configuration files from firewall and network environments, follow th + * **Fixed IP addresses (Static):** The system assigns static IPs based on the CIDR. This is best for applications requiring predictable network behavior, DNS management, or IP-based access control. IPs persist across instance restarts using Elastic Network Interfaces (ENIs). @@ -126,0 +150 @@ To extract configuration files from firewall and network environments, follow th + * **Dynamic IP assignment (AWS DHCP):** Automatically assign IPs from subnet pools at instance launch. Optimal for cloud-native applications and auto-scaling workloads. Reduces operational overhead but requires applications to use DNS or service discovery. @@ -128 +151,0 @@ To extract configuration files from firewall and network environments, follow th -## Network Topologies @@ -130 +152,0 @@ To extract configuration files from firewall and network environments, follow th -During the migration to the target network you can choose the **Isolated VPCs** topology or the **Hub and Spoke** topology. @@ -132 +153,0 @@ During the migration to the target network you can choose the **Isolated VPCs** -###### Important @@ -134 +155 @@ During the migration to the target network you can choose the **Isolated VPCs** -For both topologies AWS Transform does not open the communication to the internet. You must open it manually after taking appropriate security precautions. +You can combine either range selection with either IP assignment method. @@ -136 +157 @@ For both topologies AWS Transform does not open the communication to the interne -### Isolated VPCs +###### Note @@ -138 +159 @@ For both topologies AWS Transform does not open the communication to the interne -These are independent network environments that operate as separate units within AWS . VPCs maintain complete network isolation, with no built-in communication pathways between them. This separation provides the highest level of network boundary protection. You can connect the VPCs through specific networking configurations if needed. +IP addresses assignment strategy is set at the wave level. You can assign different strategies to specific servers by customizing the wave file. For example, if you chose a static IP address approach for the wave but want to assign a dynamic approach to a specific server, you would use `[RESET_VALUE]` as described in [Editing your configuration](https://docs.aws.amazon.com/mgn/latest/ug/configuration-editing.html) in the _Application Migration Service user guide_. @@ -140 +161 @@ These are independent network environments that operate as separate units within -### Hub and Spoke +## Step 5: Review VPC configurations @@ -142 +163 @@ These are independent network environments that operate as separate units within -In this model, an AWS Transit Gateway created by AWS Transform acts as the hub that connects to multiple workload VPCs (the spokes). During network convergence, AWS Transform creates a spoke VPC for each detected source network segment. +After AWS Transform generates Amazon VPC configurations, it displays the generated VPC networks. You can either use the current configuration or modify VPC CIDRs. @@ -144 +165 @@ In this model, an AWS Transit Gateway created by AWS Transform acts as the hub t -AWS Transform creates three specialized VPCs for traffic management and security: +For single-account deployments, you can edit VPC CIDRs only. For multi-account deployments, you can also edit the target accounts for each VPC network. @@ -146 +167 @@ AWS Transform creates three specialized VPCs for traffic management and security - * Inspection VPC: Where you establish the firewall that inspects the traffic. You can create firewall rule configurations here to modify VPC connections. +###### Note @@ -148 +169 @@ AWS Transform creates three specialized VPCs for traffic management and security - * Inbound VPC: For all traffic from the public internet (north-south). Includes an internet gateway. +You cannot modify the prefix length (the value after the "/"). @@ -150 +171 @@ AWS Transform creates three specialized VPCs for traffic management and security - * Outbound VPC: For all traffic to the public internet. Has an internet gateway, a Network Address Translation (NAT) gateway and an [elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html). +To modify VPC CIDRs: