

# Installing the Application Migration Service vCenter Client
<a name="installing-vcenter-appliance-mgn"></a>

The first step to deploying the agentless solution is installing the Application Migration Service vCenter Client on your vCenter environment. 

**Note**  
If you have multiple vCenter environments, you need to install multiple clients. You may not have more than one Application Migration Service vCenter Client installed per AWS account. If you have multiple vCenter environments, you can either use a different AWS account for each environment or you can migrate your VMs serially, environment by environment, into the same AWS account. 

After the Application Migration Service vCenter Client has been installed, it discovers all of the VMs in your vCenter environment and adds them to Application Migration Service.

## Application Migration Service vCenter Client requirements
<a name="client-notes-mgn"></a>

Ensure that you review the notes below prior to installing the Application Migration Service vCenter Client. Once you have read the notes, proceed to [install the client](client-installation-instructions-mgn.md).

### vCenter Client requirements
<a name="client-reqs"></a>
+ You must install the Application Migration Service vCenter Client on a VM that has outbound network connectivity to the AWS Application Migration Service API endpoints and outbound network connectivity to the vCenter endpoint. Customers who want to use PrivateLink can use VPN or AWS Direct Connect to connect to AWS.
+ The Application Migration Service vCenter Client currently only supports VirtualDiskFlatVer2BackingInfo VMDK on CBT. 
+ You must log in to your Broadcom account and download VDDK 7.0.3.3 to the VM on which the Application Migration Service vCenter Client is installed. VDDK 7.0.3.3 must be used, regardless of the vCenter version used. 
+ The Application Migration Service vCenter Client requires these vCenter user permissions for agentless deployment. It is a best practice to create a dedicated role with these permissions and a dedicated user group with which the role is associated. Every new user created for the Application Migration Service vCenter Client needs to be a member of that group in order to obtain the required permissions. The vCenter predefined role “Consolidated Backup user (sample)” provides most of these permissions. If that role is used, the **Toggle disk change tracking** permission must also be provided.
  + Change configuration
    + Acquire disk lease
    + Toggle disk change tracking
  + Provisioning
    + Allow read-only disk access
    + Allow virtual machine download
  + Snapshot management
    + Create snapshot
    + Remove snapshot
+ The VM on which the Application Migration Service vCenter Client is installed should meet these RAM, CPU, and disk space requirements:
  + Minimal requirements (these requirements allow the replication of up to 5 servers in parallel) – 2 GiB RAM, 1 core, 10 GiB of free disk space
  + Optional performance requirements (these requirements allow the replication of the maximum number of 50 servers in parallel) – 16 GiB RAM, 8 cores, 10 GiB of free disk space
+ VMs that are being replicated into AWS should have at least 2 GiB of free disk space.
+ The VM on which the Application Migration Service vCenter Client is installed should not allow any incoming (ingress) traffic.
+ The VM on which the Application Migration Service vCenter Client is installed should only allow outgoing traffic as follows:
  + Egress TCP on the port on which the vCenter API runs.
  + Egress TCP on port 443 for communication with the Application Migration Service API.
  + Egress TCP on port 1500 – for the replication server.
+ Patching of the guest OS running the AWS vCenter client should be handled by the customer as part of shared responsibility.
+ IAM credentials used by the vCenter Client should be rotated on a regular schedule. Learn more about how to rotate access keys for IAM users in [this IAM blog post](https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/). IAM credentials can be regenerated by reinstalling the AWS Replication Agent.
+ The VM that hosts the Application Migration Service vCenter Client should only be used for client hosting and should not be used for any other purposes.
+ Only a trusted administrator should have access to the VM on which the Application Migration Service vCenter Client is installed. 
+ The Application Migration Service vCenter Client should be located in an isolated and dedicated network and considered a sensitive segment.
+ You can deactivate the vCenter Client auto-update mechanism by running this command: `touch /var/lib/aws-vcenter-client/.disable_auto_updates`. Once auto-updates are deactivated, you need to reinstall the client to perform a manual update. If you deactivate the auto-update mechanism, you are responsible for ensuring that all security updates are performed on the client. After a manual update, you should validate the new hash against the [installer hash](client-installation-instructions-mgn.md).
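
The no-ingress and restricted-egress requirements above, expressed as an nftables ruleset rendered by a small shell function. This is an added example, not AWS-provided configuration; the function name, the table name `mgn_vcenter_client`, and the sample address `192.0.2.10` are assumptions.

```sh
#!/bin/sh
# Added example (not AWS-provided): render an nftables ruleset for the
# VM that hosts the vCenter Client. Load the output with `nft -f`.
# Usage: render_client_ruleset VCENTER_IPV4 VCENTER_PORT
render_client_ruleset() {
    vc_ip=$1
    vc_port=$2
    # Accept only a dotted IPv4 literal and a numeric port in 1-65535, so
    # the arguments can never smuggle extra nft statements into the output.
    case $vc_ip in
        ''|*[!0-9.]*) echo "invalid vCenter IPv4 address" >&2; return 2 ;;
    esac
    case $vc_port in
        ''|*[!0-9]*) echo "invalid vCenter port" >&2; return 2 ;;
    esac
    [ "$vc_port" -ge 1 ] && [ "$vc_port" -le 65535 ] ||
        { echo "invalid vCenter port" >&2; return 2; }

    cat <<EOF
table inet mgn_vcenter_client {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Replies to sessions the client opened; no new inbound sessions.
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # vCenter API, pinned to the vCenter address.
        ip daddr $vc_ip tcp dport $vc_port accept
        # Application Migration Service API (443), replication server (1500).
        tcp dport { 443, 1500 } accept
    }
}
EOF
}
# Example: render_client_ruleset 192.0.2.10 443 > mgn-client.nft
```

The ruleset contains only the three egress rules listed above, so DNS and any other traffic the host needs (for example OS package updates) is dropped unless you add explicit rules for it.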

### vCenter Client installer notes
<a name="client-notes-appliance-mgn"></a>
+ The Application Migration Service vCenter Client installer only supports vCenter 6.7, 7.0 and 8.0.
+ The Application Migration Service vCenter Client can be installed on these 64 bit Linux versions:
  + Ubuntu 18.x (64 bit) - 22.04
  + Amazon Linux 2
  + RHEL 8.x
+ If you are using a RHEL 8.x environment, ensure that you run the `sudo yum install python3` command to install Python prior to launching the client installer.
+ These flags are used by the installer: 
  + usage: `aws-vcenter-client-installer-init.py [-h]`
  + `[--aws-access-key-id AWS_ACCESS_KEY_ID]`
  + `[--aws-secret-access-key AWS_SECRET_ACCESS_KEY]`
  + `[--region REGION]`
  + `[--endpoint ENDPOINT]`
  + `[--s3-endpoint S3_ENDPOINT]`
  + `[--vcenter-host VCENTER_HOST]`
  + `[--vcenter-port VCENTER_PORT]`
  + `[--vcenter-user VCENTER_USER]`
  + `[--vcenter-password VCENTER_PASSWORD]`
  + `[--vcenter-ca-path VCENTER_CA_PATH]`
  + `[--vddk-path VDDK_PATH]`
  + `[--vcenter-client-tags KEY=VALUE [KEY=VALUE ...]]`
  + `[--source-server-tags KEY=VALUE [KEY=VALUE ...]]`
  + `[--disable-ssl-cert-validation]`
  + `[--no-prompt]`

    Use this flag for an unattended installation. If you are using this flag, you must also use the `--force-delete-existing-client` flag.
  + `[--force-delete-existing-client]`

    Use this flag to delete an existing version of the vCenter Client from your VM. You must use this flag if you've previously installed the vCenter Client on the VM. If you use the `--no-prompt` flag, you must also use this flag. 
  + `[--version]`
  + Optional arguments: `-h, --help` – show this help message and exit

### vCenter environment requirements
<a name="client-notes-environment-mgn"></a>
+ AWS Application Migration Service supports VM hardware version 7 and higher with CBT activated. Ensure that you upgrade any VMs you have to hardware version 7 or higher. Ensure that CBT support is activated in your vSphere deployment. Application Migration Service activates CBT on replicating VMs. You can deactivate CBT after cutover. 
+ The VM being replicated into Application Migration Service must not contain any existing VMware snapshots.
+ Once added to Application Migration Service, snapshot-based replication creates snapshots on the replicated VM, which may result in slower disk performance.
+ VMs with independent disks, Raw Device Mappings (RDM), or direct-attach disks (iSCSI, NBD) are not supported for replication into Application Migration Service.
+ The VM being replicated into Application Migration Service can be either stopped or running. Changing the VM state during data replication does not affect data replication and causes no data corruption.

# Application Migration Service vCenter Client installation instructions
<a name="client-installation-instructions-mgn"></a>

To install the Application Migration Service vCenter Client, follow these steps:



1. Download the Application Migration Service vCenter Client installer onto a VM within your vCenter environment. You can download the client from this URL: `https://aws-application-migration-service-(region).s3.(region).amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py` Replace `(region)` with the AWS Region into which you are replicating. 

   This is an example of the installer link for us-east-1: `https://aws-application-migration-service-us-east-1.s3.us-east-1.amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py`

   If you need to validate the installer hash, the correct hash can be found here: `https://aws-application-migration-service-hashes-(region).s3.(region).amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py.sha512`

   This is an example of the installer hash link for us-east-1: `https://aws-application-migration-service-hashes-us-east-1.s3.us-east-1.amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py.sha512`

1. At the command prompt, navigate to the directory where you downloaded the Application Migration Service vCenter Client installer and run the installer with this command: `sudo python3 aws-vcenter-client-installer-init.py`  
![\[Command prompt showing execution of Python script for AWS vCenter Client installer.\]](http://docs.aws.amazon.com/mgn/latest/ug/images/agentless3.png)

1. The installer prompts you for your credentials. Enter the required information in each field and then press **Enter**:   
![\[Terminal window displaying AWS access key details and endpoint information.\]](http://docs.aws.amazon.com/mgn/latest/ug/images/agentless4.png)
   + AWS Access Key ID – Enter the AWS Access Key ID you generated in the previous section.
   + AWS Secret Access Key – Enter the AWS Secret Access Key you generated in the previous section.
   + AWS Region name – The AWS Region of your account (for example, eu-west-1).
   + The Private Link endpoint for AWS Application Migration Service (optional, leave blank if not using Private Link).
   + The VPC endpoint for Amazon S3 (optional, leave blank if not using a VPC endpoint).

1. The installer then prompts you to enter your vCenter information. Enter the required information in each field and then press **Enter**:   
![\[Command line interface prompting for vCenter connection details including IP, port, and credentials.\]](http://docs.aws.amazon.com/mgn/latest/ug/images/agentless5.png)

   
   + vCenter IP or hostname
   + vCenter port (press Enter to use the default TCP Port 443)
   + vCenter username
   + vCenter password
   + Path to vCenter root CA certificate (optional) - To use SSL certificate validation, download the certificates from `https://<vcenter-ip>/certs/download.zip` (example: `wget https://<vcenter-ip>/certs/download.zip --no-check-certificate`), then enter the path of the certificate (example: `/usr/local/src/lin/f7f2bd6e.0`). Otherwise, press **Enter** to deactivate SSL certificate validation. 

     **Note**  
     The certificate must be located in a file that's readable to the vCenter client user, such as a shared directory. If the certificate is not located in a shared directory, you see a permission error in the logs (Error 13).  
     To use a certificate in your vCenter environment, you must set up a connection using a hostname. Using an IP address does not work with a certificate.  
     It's a security best practice to use certificates. Customers that do not use certificate authentication are responsible for any security issues that may arise. 
   + Path to VDDK tarball - Provide the path to the VDDK tarball that you previously downloaded onto the VM (example: `path/to/VMware-vix-disklib-7.0.3-21933544.x86_64.tar.gz`). You can download the VDDK tarball from your Broadcom account.
   + Resource tags for the AWS vCenter client (optional) - Use this format for tagging: 

     `KEY=VALUE [KEY=VALUE ...]` adds resource tags to the AWS vCenter client; use a space to separate each tag (for example, `--vcenter-client-tags tag1=val1 tag2=val2 tag3=val3`).
   + Resource tags for source servers to be discovered by the AWS vCenter client (optional) - Use this format for tagging: 

     `KEY=VALUE [KEY=VALUE ...]` adds resource tags to the source servers added by discovery; use a space to separate each tag (for example, `--source-server-tags tag1=val1 tag2=val2 tag3=val3`).

1. The installer downloads and installs the AWS vCenter client and registers it with AWS Application Migration Service.  
![\[Terminal output showing successful download and installation of AWS vCenter client.\]](http://docs.aws.amazon.com/mgn/latest/ug/images/agentless6.png)

1. Once the AWS vCenter client has been installed, all of the VMs in your vCenter are added to AWS Application Migration Service. The VMs are added in the DISCOVERED state.

   **Note**  
   If you have a significant number of VMs in your vCenter environment, it may take some time for all of the VMs to become visible in the Application Migration Service console.  
   The Application Migration Service vCenter Appliance is excluded from the discovered servers list.
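
One way to perform the installer hash validation mentioned in step 1 and in the auto-update requirement, before running the installer with `sudo`. This is an added example, not AWS-provided tooling; the function name is hypothetical, and the layout of the `.sha512` file (digest as the first whitespace-separated field) is an assumption.

```sh
#!/bin/sh
# Added example (not AWS-provided): compare a downloaded installer with
# the SHA-512 published in the hashes bucket. Fetch both files first
# (us-east-1 URLs as given in step 1; needs network access):
#   curl -fsSO https://aws-application-migration-service-us-east-1.s3.us-east-1.amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py
#   curl -fsSO https://aws-application-migration-service-hashes-us-east-1.s3.us-east-1.amazonaws.com/latest/vcenter-client/linux/aws-vcenter-client-installer-init.py.sha512

# verify_installer_sha512 INSTALLER HASHFILE
# Returns 0 on match, 1 on mismatch, 2 on missing or malformed input.
verify_installer_sha512() {
    installer=$1
    hashfile=$2
    [ -r "$installer" ] && [ -r "$hashfile" ] ||
        { echo "missing input file" >&2; return 2; }

    # Assumption: the digest is the first whitespace-separated field,
    # either bare hex or in "hex  filename" form.
    expected=$(awk 'NR==1 {print tolower($1)}' "$hashfile")

    # A SHA-512 digest is exactly 128 hex characters. Anything else (for
    # example an XML error document saved in place of the hash) is treated
    # as malformed rather than as a mismatch.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed hash file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] ||
        { echo "malformed hash file" >&2; return 2; }

    actual=$(sha512sum "$installer" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $installer matches the published SHA-512"
        return 0
    fi
    echo "MISMATCH: do not run $installer" >&2
    return 1
}
# Example:
#   verify_installer_sha512 aws-vcenter-client-installer-init.py \
#       aws-vcenter-client-installer-init.py.sha512 &&
#       sudo python3 aws-vcenter-client-installer-init.py
```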

You can configure a transparent proxy either by using an environment variable prior to the installation (Linux and Windows), or by using the `--proxy-address` flag in the Linux installer:
+ Using the installer: `./aws-vcenter-client-installer-init.py --proxy-address http://PROXY:PORT/`
+ Using an environment variable: `export https_proxy=http://PROXY:PORT/; ./aws-vcenter-client-installer-init.py`

Make sure the proxy address has a trailing forward slash.