The first step in migrating VMware VMs to Azure is to discover VMs using the Azure Migrate: Discovery and Assessment tool.
Overview of the Discovery and Assessment Tool
The Azure Migrate: Discovery and assessment tool is an Azure appliance you deploy in vCenter. When you deploy it, it continuously discovers VMware VM workloads and gathers performance information.
Specifically, this lightweight Azure Migrate tool gathers information about VM performance, the applications running on the VMs, their dependencies, and databases.
Deploying this tool is the first step in preparing your VMware environment for a successful migration to Azure Cloud. In the remaining tasks in this guide, I’ll walk you through the steps to review the requirements for deploying this tool.
There are also steps to prepare your Azure account and VMware environment, deploy the Azure Migrate: Discovery and assessment tool appliance in vCenter, and initiate the discovery.
Let’s get this started!
Task 1: Configure Site-to-site VPN
Whenever I perform an on-premises VM to Azure migration, I first set up a site-to-site (S2S) VPN connection from the on-premises site to the Azure vNET, where the VMs will be migrated.
This is because, during the migration process, VMs you migrate to Azure can work with on-prem VMs that have yet to be migrated.
For example, if you have a database and an app hosted in two VMs, migrating one VM to Azure first may be more efficient. In this scenario, you may not have a long enough change window to move both VMs on the same day.
So, say you move the database VM first. After the move, you can configure the app to continue using the migrated database VM. However, this would be impossible if you do not have a VPN connection to Azure.
Another great example is migrating Domain Controllers. You will likely be unable to migrate all your DCs to Azure in one change window.
If this happens, migrated DCs will continue replicating with on-prem DCs using the S2S VPN connection.
So, before proceeding with Task 2 below, I strongly recommend creating a site-to-site VPN connection (complete steps 1 to 9) between your on-prem network and the Azure virtual network.
Task 2: Review the Discovery Prerequisites
Use the table below to ensure your environment meets the requirements for deploying the Azure Migrate: Discovery and assessment tool.
S/N | Component | Requirement |
---|---|---|
1 | VMware VMs | It supports discovering the performance, configuration data, and apps on all Windows and Linux versions. Read about supported OS versions. To discover installed apps, all VMware VMs must run VMware Tools (version 10.2.1 or later), and Windows Servers must run Windows PowerShell 2.0 or higher. Use these links to read about supported SQL Server versions and configuration, SQL authentication, and supported web apps in Windows OS and IIS versions, supported Linux OS and Tomcat versions. |
2 | Permissions for SQL Server access | The Windows or SQL account must meet the Azure Migrate discovery tool requirements to discover Microsoft SQL Server instances and databases. You can use these steps to set up the SQL account that meets the requirements. |
3 | vCenter Server and ESXi host | Your vCenter server must be on version 5.5, 6.0, 6.5, 7.0, or 8.0. Similarly, ESXi hosts must be version 5.5 or higher. The vCenter server and ESXi hosts must also allow inbound TCP port 443. |
4 | Azure Migrate appliance | Your vCenter server should have 32 GB of RAM, 8 vCPUs, and approximately 80 GB of disk storage to support the Azure Migrate appliance. It must also have an external virtual switch and an internet connection. |
Before moving on, based on the information in the table above, confirm the following and remediate any issues:
- Your vCenter server has at least 32 GB of RAM, 8 vCPUs, and 80 GB of storage.
- Also, check that the vCenter server has an external virtual switch and access to the internet.
- Check that port 443 is open on the vCenter server and all ESXi hosts it manages.
- Confirm that your vCenter server is running at least version 5.5.
- Review the Windows, Linux, and SQL server requirements using the links provided in Table 1.0
Task 3: Prep the Azure Account
Later in this guide, you’ll create an Azure Migrate project and register an Azure Migrate appliance. To perform these tasks, you require an Azure account with the permissions detailed in the table below.
S/N | Permission | Reason for permission |
---|---|---|
1 | Contributor or Owner at Azure Subscription | To create an Azure Key Vault, which is required during agentless server migration. |
2 | Application.ReadWrite.All permission | Required to register an application in Microsoft Entra |
If you created the Azure account you’re using for this project, your account will be assigned “Owner” permission at the subscription level.
You could use this account to migrate in a lab or test environment. However, security best practices require applying the principle of least privilege for production migration.
I strongly recommend creating another Azure account dedicated to the migration project to meet this requirement. In the following sub-tasks, I have explained how to create an Azure account and grant it the least privileges required for the migration.
Task 3.1: Create an Azure Account
- Search for and open Microsoft Entra ID. Then, click +Add > Users > Create new user.
- On the new account window, complete the required fields and click Review + create. Then, click Create.
Task 3.2: Grant the Account the Required Permissions
Run the following PowerShell commands from Azure Cloud Shell to grant the account the “Contributor” role on your subscription. The “Application Administrator” role in Microsoft Entra is granted in the portal after that.
#1. Get the user's object ID - replace the placeholder with the UPN of the account created in Task 3.1
$userID = (Get-AzADUser -UserPrincipalName '<user-principal-name>').Id
#2. Get the Azure subscription ID - change AZ-100 to the first few characters of your subscription name
$subscriptionId = (Get-AzSubscription | Where-Object {$_.Name -like "*AZ-100*"}).Id
#3. Assign the Contributor role to the user in the subscription
$roleDefinition = Get-AzRoleDefinition -Name "Contributor"
New-AzRoleAssignment -ObjectId $userID -RoleDefinitionId $roleDefinition.Id -Scope "/subscriptions/$subscriptionId"
To grant the user the “Application Administrator” role, open the user’s properties in Microsoft Entra ID, click “Assigned roles,” check “Application Administrator,” and finally, click the Add button.
Before proceeding, confirm that the user has the “Contributor” role in the subscription.
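One way to do that confirmation from the same Cloud Shell session, as an added example that is not part of the original guide. It assumes `$userID` and `$subscriptionId` are still set from the commands above, and it also flags roles broader than the migration needs.

```powershell
# Added example: audit the migration account's Azure RBAC assignments.
# Assumes $userID and $subscriptionId were set by the Task 3.2 commands.
if (@($subscriptionId).Count -ne 1) {
    throw "Expected exactly one subscription, found $(@($subscriptionId).Count). Tighten the -like filter."
}
$scope = "/subscriptions/$subscriptionId"

# With -Scope, Get-AzRoleAssignment also returns assignments the principal
# inherits from parent scopes, so this lists what is effective here.
$assignments = @(Get-AzRoleAssignment -ObjectId $userID -Scope $scope)
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# The assignment created in step #3 above.
$hasContributor = $assignments | Where-Object {
    $_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -eq $scope
}

# Roles that go beyond the least privilege this guide aims for.
$broader = $assignments | Where-Object {
    $_.RoleDefinitionName -in @('Owner', 'User Access Administrator')
}

if (-not $hasContributor) {
    Write-Warning "No Contributor assignment found at $scope."
}
foreach ($a in $broader) {
    Write-Warning "Broader role than required: $($a.RoleDefinitionName) at $($a.Scope)"
}
if ($hasContributor -and -not $broader) {
    Write-Output "Account has Contributor at $scope and no Owner-level roles."
}
```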
Task 4: Create VMware and Server Accounts
The Azure Migrate discovery appliance is a VMware appliance you deploy in vCenter. You require a vCenter account with these permissions to deploy it.
Similarly, Azure Migrate needs a read-only vCenter account to discover VMware VMs (servers). Finally, to allow Azure Migrate to discover installed applications and perform agentless dependency analysis on VMware servers, enable the Guest operations privilege on the account.
Azure Migrate also requires a local or domain account with local administrator permission on Windows servers and, on Linux servers, a sudo user account with permissions to execute the ls and netstat commands.
Based on the abovementioned requirements, I will create a local vCenter account with these permissions. This account will be used for OVF deployment and agentless discovery.
Similarly, I will create a domain account – my test environment is a Windows environment – and add the account to the local Administrators group on the VMware VMs running Windows Server.
Task 4.1: Create a Local vCenter Account
In this sub-task, I’ll create a vCenter user and add the account to the vCenter local administrators group.
- Sign in to vCenter via a browser, click the menu, and choose Administrator.
- Then, in the Single Sign On section, click Users and Groups, then click ADD under the Users tab.
- Enter the account details and click ADD.
- To add the newly created user to the Administrators group, click Global Permissions under Access Control, then click ADD. After that, select the options in my second screenshot below and click OK.
Before moving on to Task 4.2, confirm that the account is in the list.
Task 4.2: Create a Windows Domain Account
Open PowerShell as administrator and run these commands. Run #1 and #2 on a Domain Controller and #3 on the Windows VMware VM. If the VMware VM is a Domain Controller, run command #4 to add the user to the domain’s Administrators group.
#1. Set the variables - change the $ADLocation variable to the DN of the OU where you want to create the account
$Username = 'azure-mig-dsad'
$ADLocation = 'OU=Service Accounts,DC=lab,DC=infopressmedia,DC=com'
$Credential = (Get-Credential -UserName $Username -Message "Enter the password for the $Username")
#2. Create the user
New-ADUser -Name $Username -Path $ADLocation -PasswordNeverExpires $true -AccountPassword $Credential.Password -Enabled $true
#3. Add the Windows domain account to the Windows VMware VM's local Administrators group - run this command on each Windows VMware VM
Add-LocalGroupMember -Group "Administrators" -Member "lab\azure-mig-dsad"
#4. Add the Windows domain account to the domain's Administrators group - only if the VMware VM is a Domain Controller
Add-ADGroupMember -Identity "Administrators" -Members azure-mig-dsad
If you have Linux Servers in your VMware environment, see the Linux servers section in Create an account to access servers.
Task 5: Install VMware Tools
The Azure Migrate agentless migration uses VMware Tools to discover applications installed on the VMware servers you’re migrating. So, it is important to confirm that the latest VMware Tools are installed on all VMs you intend to migrate.
Agentless dependency analysis will fail if a VM is not running VMware Tools.
Task 6: Create an Azure Migrate Project
Now that you’ve prepared the VMware environment, it is time to create an Azure Migrate project. Follow these steps to create one.
- Sign in to your Azure account, search Azure Migrate, and open the resource.
- On the Getting started tab, click discover, assess, migrate in the Servers, databases and web apps section. After that, click Create project.
- Then, on the Create project window, select the subscription and resource group (RG) to create the project under. Then, enter a name and select the Azure region to create the project.
- After entering the details, click Create, then wait for the project to be deployed. When the project is fully created, proceed to Task 7 below.
Task 7: Download the Appliance’s OVA File
Task 7.1: Generate the Project Key
- On the Azure Migrate: Discovery and assessment section of the Azure Migrate project, click the Discover drop-down and choose Using appliance.
- Then, click the Are your servers virtualized? drop-down and choose Yes, with VMware vSphere hypervisor.
- After that, in 1: Generate project key, enter a name for the VMware appliance in the Name your appliance field, then click Generate key.
When you click Generate key, Azure will start creating the required Azure resources – DO NOT close the window while the resources are being created.
Key vault – in the region you created the resource group.
- When Azure finishes creating the resources, it will generate the project key. Copy the key and save it in a file.
Task 7.2: Download the OVA File
To download the Azure Migrate Discovery appliance VM OVA file, choose the “.OVA file” option in 2: Download Azure Migrate appliance and click the download link.
Task 7.3: Verify the OVA File
After downloading the OVA file, before importing it to your vCenter server, verify the file’s integrity using these steps:
- Open Command Prompt as administrator. Then, run the command below to generate the hash for the downloaded OVA file.
CertUtil -HashFile <file_location> <hashing_algorithm>
I ran the command below to generate the hash for my OVA file.
CertUtil -HashFile "D:\Azure Migrate\MicrosoftAzureMigration.ova" SHA256
- Note the hash value and compare it to the hash for the latest OVA file. The first screenshot below shows the hash value from the previous link – the latest OVA file as of September 2024 when I wrote this guide.
Meanwhile, the second screenshot shows the hash of my downloaded OVA file. The hashes of the two files are the same, so my downloaded file matches the published OVA and is safe to import!
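Comparing two 64-character strings by eye is error-prone, so the same check can be scripted. This is an added example, not part of the original guide: the function name `Test-OvaHash` is hypothetical, and the published hash is a placeholder you must replace with the value from the Microsoft page.

```powershell
# Added example: verify the downloaded OVA against the published SHA256
# value before importing it into vCenter.
function Test-OvaHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "OVA file not found: $Path"
    }

    # Normalise the published value: strip whitespace (some CertUtil builds
    # print the digest as space-separated byte pairs) and upper-case it.
    $expected = ($ExpectedHash -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw 'ExpectedHash is not a 64-character SHA256 hex digest.'
    }

    # Get-FileHash returns the digest as upper-case hex with no separators.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path     = $Path
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

# Placeholder: paste the SHA256 value from the Microsoft page here.
# Until it is replaced, the function stops with the "not a digest" error.
$published = '<SHA256-from-Microsoft-documentation>'
$ova = 'D:\Azure Migrate\MicrosoftAzureMigration.ova'   # path used in this guide

$result = Test-OvaHash -Path $ova -ExpectedHash $published
if (-not $result.Match) {
    throw "Hash mismatch for $ova. Delete the file and download it again; do not import it."
}
Write-Output "SHA256 matches the published value: $($result.Actual)"
```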
Task 8: Set Up the Appliance in vCenter
Task 8.1: Configure the Appliance in vCenter
- Sign in to vCenter with an account that has the permission to create VMs using OVA files.
- After that, upload the OVA file into vCenter, then, wait for the file to upload.
- Once the OVA file is uploaded to vCenter, right-click the vCenter location where you want to deploy the OVA file and choose Deploy OVF Template.
- Then, on the first page of the wizard, choose the second option and use the UPLOAD FILES button to select the OVA file from the folder where you saved it on your computer. Once the file is verified, click Next.
- Give the Azure appliance a name and select the vCenter location to deploy it – I’m deploying mine in my vCenter cluster. After the compatibility test, click Next again to progress to the next stage.
- After that, wait for vCenter to display information about the template, then click Next.
- Finally, select the datastore and VM Network, then click FINISH to deploy the Azure Migrate VM appliance. Wait for the appliance to be set up in vCenter.
The Azure Migrate appliance is assigned 32 GB of RAM and 4 CPUs.
Since I’m running this migration in my home lab – the vCenter server does not have up to 32 GB – I reduced the appliance VM to 8 GB of RAM and 2 vCPUs.
Task 8.2: Configure the Appliance
- Power up the Azure Migrate appliance. Then, click on it to open the console.
- On the VM’s console, accept the license agreement, and set a password for the local administrator account. The Server will be assigned an IP address by your DHCP server.
However, to be able to access the appliance from a consistent IP address, log in to the VM with the local administrator account and assign it a static IP address.
If you want to access the appliance via its name instead of IP address, create a host A record. I will be managing mine via its IP address.
- From a browser on any PC that can reach the Azure Migrate VM appliance’s IP address, open its IP on port 44368.
The browser will display a warning; click Advanced and proceed. Then, sign in with the local administrator credentials of the appliance.
https://192.168.0.116:44368/
- Once you sign in, accept the Azure Migrate license agreement. After that, the appliance will test its connection to and time sync with Azure.
Task 8.3: Register the Appliance in Azure Migrate
To register the vCenter appliance with Azure, follow these steps:
- Enter the project key you copied in Task 7.1, step 3 in the registration field, and click Verify. The key will be verified, and the appliance will initiate an auto-update. According to the notes, this may take up to 5 minutes.
- When the appliance auto-update is completed, the login button will be activated. Sign in to your account by clicking the Login button.
- Then, from the pop-up, click Copy code and login.
- Paste the code and click Next.
- Then, sign in to Azure with the account you created for the migration. After signing in, wait for the appliance to register in Azure.
If the appliance registration fails, click the error details, wait about 5 minutes, and then click Re-try.
- When the appliance is successfully registered to Azure, download and install the VMware Virtual Disk Development Kit.
- After downloading the file, extracting the zip, and copying its contents to C:\Program Files\VMware\VMware Virtual Disk Development Kit, click Verify.
All sections of 1. Set up prerequisites should now be green. Progress to Task 9.
Task 9: Start Azure Migrate Continuous Discovery
Task 9.1: Set up vCenter Server Details
- Scroll to 2. Manage credentials and discovery sources section. Then, in Step 1: Provide vCenter Server credentials for discovery of VMware VMs, click Add Credentials.
- Then, on the pop-up window, enter the local vCenter account you created in Task 4.1 and click Save.
- Then, in Step 2: Provide vCenter Server details, select Add discovery source. After that, enter the vCenter server’s FQDN or IP address and click Save.
The Azure Migrate Discovery appliance will validate the vCenter and if successful, the status will display “Validation successful.”
Task 9.2: Configure Server Credentials
- In Step 3: Provide server credentials to perform software inventory, agentless dependency analysis, discovery of SQL Server instances and databases and discovery of web apps in your VMware environment, click Add credentials.
- Then, in the Add credential pop-up, select the type, enter the details, and click Save.
Once all these tasks are completed, opening the project in Azure displays the current state of the service health.
Task 9.3: Start VMware VM Discovery
To start discovering vCenter VM workloads, click Start discovery and wait for the discovery to complete.
The discovery should take between 20 and 25 minutes. When it is completed, the Discovery status should show a green tick and you can view the discovered inventory in Azure.
Task 9.4: View Discovered VMware Data
To view the vCenter discovered inventory in Azure, follow these steps:
- Sign in to Azure, search for Azure Migrate and open the resource. After that, expand Migration goals and select Servers, databases and web apps.
The Azure Migrate: Discovery and assessment should show the number of discovered servers.
- To view the discovered servers, click on the number.
My home lab vCenter environment has 3 servers – a Domain Controller (IPMvDC1), the Azure Migrate appliance VM (IPMvAzureAp) and the vCenter Server (IPMvVCSA1).
The only VM relevant for my migration is the DC. As seen in the above screenshot, the Azure Migrate discovery tool found 9 apps in the Domain Controller.
- To view the discovered applications and the roles and features installed on the server, click the application hyper-link.
Finally, to view the Windows Server roles installed on the server, click the Roles and features tab.
This is a simplified scenario compared to a real-world environment that may include Linux servers, SQL, other database servers and other applications. However, by following this guide, you should have completed the discovery phase of the Azure Migrate process.
To learn more, read how discovery works.
With the discovery stage completed, proceed to part 2 of this guide, assessing discovered VMs.