


# Application Migration Service Connectors

Application Migration Service connectors enable you to run commands on multiple source servers. Use connectors for large-scale migrations with multiple operating system types and versions, which may be distributed across multiple data centers. A connector can also help:
+ Verify the prerequisites are met for installation of the MGN replication agent on the source servers.
+ Install the Application Migration Service replication agents on the source servers.

You can install the AWS MGN connector in your source environment and use it to perform actions on source servers in your data center.

This feature, combined with the post-launch action framework, offers automation across the entire deployment process.

**Note**  
The MGN connector is not supported for IPv6.

**Topics**
+ [Prerequisites for installing the MGN connector](mgn-connector-prerequisites.md)
+ [Architecture overview for MGN connector](mgn-connector-architecture.md)
+ [IAM roles needed for the MGN connector](mgn-connector-permissions.md)
+ [Set up the MGN Connector](mgn-connector-setup-instructions.md)
+ [Installing the MGN connector on a secured network](mgn-connector-installing-secured-network.md)
+ [Manage your MGN Connectors](mgn-connector-main.md)
+ [Review details about your MGN connectors](connector-details.md)

# Prerequisites for installing the MGN connector

To use the Application Migration Service connector you must meet these prerequisites.

## General prerequisites
+ While the MGN connector can be deployed on the same server that hosts the MGN vCenter Client installer (agentless appliance), we recommend that the MGN connector be installed on a dedicated server.
+ The *openssl* library must be installed on the server.
+ You must have the required [permissions](mgn-connector-permissions.md).

## Operating systems that support the MGN connector


The MGN connector can be installed on servers running the following Linux versions:
+ Ubuntu 18.x (64 bit) - 22.04 (x86_64)
+ Amazon Linux 2 (x86_64)
+ RHEL 8.x (x86_64)

## SSM agent installation requirements

Installation of the MGN Connector also installs the SSM agent.
+ If the SSM agent is already installed on the server you must uninstall it before installing the MGN connector. See [ Uninstalling SSM Agent from Linux instances ](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-uninstall-agent.html) in the *AWS Systems Manager User Guide*.
+ A minimum of 200 MB of free disk space and 200 KB of free disk space in the `/var` directory.
+ Installation is not supported on these operating systems:
  + CentOS 5.x
  + CentOS 6.x
  + RHEL 6.x
  +  Oracle 6.x
  + Amazon Linux 1

## Security recommendations for MGN connector

We recommend that the MGN connector server is only accessed by authorized personnel and has the required OS patches. We also recommend that the servers to which the MGN connector connects have all the required OS patches.

If you configure [outputting logs to S3](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html#create-iam-instance-profile-ssn-logging), you will first [create an Amazon S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html). We recommend that you apply [S3 security practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html) to that bucket.

# Architecture overview for MGN connector

The following is the architecture overview when using AWS MGN with MGN connector.

![\[Architecture diagram showing AWS MGN connector, local network, and AWS Cloud components for migration.\]](http://docs.aws.amazon.com/mgn/latest/ug/images/mgn-connector-architecture.png)


# IAM roles needed for the MGN connector

To use MGN connector you must have these required IAM roles for individual accounts and AWS Organizations networks:
+ **MGNConnectorInstallerRole**
+ **AWSApplicationMigrationConnectorManagementRole**
+ **AWSApplicationMigrationConnectorSharingRole_*management-account-id***: Needed in an individual account. Also needed in an organization, on *every* account, including the management account.

**Individual account:** For an MGN connector in an individual account, create these roles as described in [Create roles manually](create-permissions-manually.md).

**Multiple accounts:** If the MGN connector manages source servers from multiple accounts, set up the global view feature and set up your AWS Organization, as described in [Manage large-scale migrations with global view](global-view.md). After you set up your AWS Organization:

1. Create the MGNConnectorInstallerRole and the AWSApplicationMigrationConnectorManagementRole as described in [Create roles manually](create-permissions-manually.md).

1. Configure the CloudFormation StackSet to create the AWSApplicationMigrationConnectorSharingRole_*management-account-id* role per management account. Use the template "Enable Application Migration Service Connector access". Instructions are in [Deploy role using a CloudFormation template](CloudFormation_Template.md).

# Create roles manually


To create permissions manually, you create the MGNConnectorInstallerRole to install the MGN Connector and the AWSApplicationMigrationConnectorManagementRole needed to enable the connector to run. The connector assumes the AWSApplicationMigrationConnectorSharingRole_*management-account-id* role as needed, for example, to install the replication agent on a source server.

## Create the MGNConnectorInstallerRole

 The **MGNConnectorInstallerRole** role is used to install the Connector. The user or identity that installs the Connector will require permission to assume this role. 

To create the role:

1.  Create a policy from the following JSON: 

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Action": [
                   "mgn:TagResource"
               ],
               "Resource": "arn:aws:mgn:*:*:connector/*",
               "Effect": "Allow",
               "Condition": {
                   "StringEquals": {
                       "mgn:CreateAction": "CreateConnector"
                   }
               }
           },
           {
               "Action": [
                   "mgn:CreateConnector"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
   }
   ```


1.  Name the policy **MGNConnectorInstallerPolicy**. 

1.  Create a role with your account as the trusted entity. Alternatively, use a custom trust policy that grants the user or identity that will install the Connector permission to assume this role.

1.  Attach the **MGNConnectorInstallerPolicy** policy to the Permission policies. 

1.  Name the role **MGNConnectorInstallerRole**. 

## AWSApplicationMigrationConnectorManagementRole


 The **AWSApplicationMigrationConnectorManagementRole** role is the role that is initially assumed by the Connector. 

To create the role:

1.  After replacing **ACCOUNT-ID** with your account number, and **AWS_REGION** with the connector region, create a policy from the following JSON:

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Action": "sts:AssumeRole",
               "Resource": "arn:aws:iam::*:role/AWSApplicationMigrationConnectorSharingRole_ACCOUNT-ID",
               "Effect": "Allow"
           },
           {
               "Condition": {
                   "Null": {
                       "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false"
                   }
               },
               "Action": "secretsmanager:GetSecretValue",
               "Resource": "arn:aws:secretsmanager:*:*:secret:*",
               "Effect": "Allow"
           },
           {
               "Action": "s3:GetObject",
               "Resource":
                   ["arn:aws:s3:::aws-application-migration-service-AWS_REGION/latest/source-automation-client/linux/ssaf-client/ssaf_client",
                   "arn:aws:s3:::amazon-ssm-AWS_REGION/*"],
               "Effect": "Allow"
           }
       ]
   }
   ```


1. If you created an S3 bucket for SSM logging, replace **LOGS-BUCKET** with the bucket name and append the following to the policy:

   ```
   {
       "Action": "s3:PutObject",
       "Resource": "arn:aws:s3:::LOGS-BUCKET/*",
       "Effect": "Allow"
   }
   ```

1. In order for the MGN connector to send logs to CloudWatch, append this statement to the policy:

   ```
   {
       "Effect": "Allow",
       "Action": [
           "logs:CreateLogGroup",
           "logs:CreateLogStream",
           "logs:DescribeLogGroups",
           "logs:DescribeLogStreams",
           "logs:PutLogEvents"
       ],
       "Resource": "*"
   }
   ```

1.  Name the policy **MgnConnectorPolicy** 

1.  Create a role with the following trust relationship: 

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "ssm.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```


1.  Attach the following policies:

   1.  **AmazonSSMManagedInstanceCore** 

   1.  **MgnConnectorPolicy** 

1.  Name the role **AWSApplicationMigrationConnectorManagementRole** 

# Deploy the AWSApplicationMigrationConnectorSharingRole_*management-account-id* role using a CloudFormation template

To deploy these permissions manually instead, see [Create roles manually](create-permissions-manually.md).

1.  To configure the required IAM roles and policies, after replacing the described parameters, save the following AWS CloudFormation JSON template to a text file called `aws-mgn-connector-iam-principals.json` on your local system:

   1.  Replace the example account number **111122223333** with your account number. 

   1.  Replace **ROLE-NAME** with the user role that serves as the trusted entity. This user role assumes the **MGNConnectorInstallerRole** role and can install the connector. 

   1.  Replace the example region **us-east-2** with the Region of the account. 

   1.  Replace **LOGS-BUCKET** with the S3 logs bucket name. Remove the relevant item from the statement if you have not set up outputting logs to S3. 

   ```
   {
       "AWSTemplateFormatVersion": "2010-09-09",
       "Description": "IAM Roles for AWS Application Migration Connector",
       "Resources": {
           "MGNConnectorInstallerRole": {
               "Type": "AWS::IAM::Role",
               "Properties": {
                   "AssumeRolePolicyDocument": {
                       "Version": "2012-10-17",		 	 	 
                       "Statement": [
                           {
                               "Effect": "Allow",
                               "Principal": {
                                   "AWS": "arn:aws:iam::111122223333:ROLE-NAME"
                               },
                               "Action": "sts:AssumeRole"
                           }
                       ]
                   },
                   "Policies": [
                       {
                           "PolicyName": "MGNConnectorInstallerPolicy",
                           "PolicyDocument": {
                               "Version": "2012-10-17",		 	 	 
                               "Statement": [
                                   {
                                       "Effect": "Allow",
                                       "Action": "mgn:TagResource",
                                       "Resource": "arn:aws:mgn:*:*:connector/*",
                                       "Condition": {
                                           "StringEquals": {
                                               "mgn:CreateAction": "CreateConnector"
                                           }
                                       }
                                   },
                                   {
                                       "Effect": "Allow",
                                       "Action": "mgn:CreateConnector",
                                       "Resource": "*"
                                   }
                               ]
                           }
                       }
                   ]
               }
           },
           "AWSApplicationMigrationConnectorManagementRole": {
               "Type": "AWS::IAM::Role",
               "Properties": {
                   "AssumeRolePolicyDocument": {
                       "Version": "2012-10-17",		 	 	 
                       "Statement": [
                           {
                               "Effect": "Allow",
                               "Principal": {
                                   "Service": "ssm.amazonaws.com"
                               },
                               "Action": "sts:AssumeRole"
                           }
                       ]
                   },
                   "ManagedPolicyArns": [
                       "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
                   ],
                   "Policies": [
                       {
                           "PolicyName": "MgnConnectorPolicy",
                           "PolicyDocument": {
                               "Version": "2012-10-17",		 	 	 
                               "Statement": [
                                   {
                                       "Effect": "Allow",
                                       "Action": [
                                           "logs:CreateLogGroup",
                                           "logs:CreateLogStream",
                                           "logs:DescribeLogGroups",
                                           "logs:DescribeLogStreams",
                                           "logs:PutLogEvents"
                                       ],
                                       "Resource": "*"
                                   },
                                   {
                                       "Action": [
                                           "s3:GetObject"
                                       ],
                                       "Resource": [
                                           "arn:aws:s3:::aws-application-migration-service-us-east-2/latest/source-automation-client/linux/ssaf-client/ssaf_client",
                                           "arn:aws:s3:::amazon-ssm-us-east-2/*"
                                       ],
                                       "Effect": "Allow"
                                   },
                                   {
                                       "Action": [
                                           "s3:PutObject"
                                       ],
                                       "Resource": "arn:aws:s3:::LOGS-BUCKET/*",
                                       "Effect": "Allow"
                                   },
                                   {
                                       "Effect": "Allow",
                                       "Action": "sts:AssumeRole",
                                       "Resource": "arn:aws:iam::*:role/AWSApplicationMigrationConnectorSharingRole_111122223333"
                                   },
                                   {
                                       "Effect": "Allow",
                                       "Action": "secretsmanager:GetSecretValue",
                                       "Resource": "arn:aws:secretsmanager:*:*:secret:*",
                                       "Condition": {
                                           "Null": {
                                               "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false"
                                           }
                                       }
                                   }
                               ]
                           }
                       }
                   ]
               }
           }
       }
   }
   ```

1.  Create a stack: 

------
#### [ Via AWS CloudFormation console ]

   1. **Stacks → Create stack → With new resources (standard)**

   1. Under **Specify template** select **Upload a template file**

   1. Click **Choose file** and select the template file `aws-mgn-connector-iam-principals.json` in the dialog.

   1. Click **Next**.

   1. In the following screen, choose a name for your CloudFormation stack (for example: `aws-mgn-connector-iam-principals-stack`) and click **Next**.

   1. Click **Next** again.

   1. Acknowledge the required capabilities and click on **Submit**.

   1. Wait for the stack to finish creation.

------
#### [ Via AWS CLI ]

   1. Run the following command:

      ```
      aws cloudformation deploy --stack-name aws-mgn-connector-iam-principals-stack --capabilities CAPABILITY_NAMED_IAM --region <AWS_REGION> --template-file <PATH_TO_TEMPLATE_FILE>
      ```

   1. Replace `<AWS_REGION>` with the AWS region you will be deploying in and `<PATH_TO_TEMPLATE_FILE>` with the CloudFormation template file path.

   1. Wait for the stack to finish creation.

------
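A pre-deployment check for the template above, as an added example that is not part of the AWS documentation: it walks every IAM role in the template and reports example values that were never replaced, `s3:GetObject` grants outside the two buckets the manual policy names, `sts:AssumeRole` grants that do not end in this account's sharing role, and `secretsmanager:GetSecretValue` grants that lack the tag condition. The function names, the trimmed sample template and the account ID `444455556666` are constructed for illustration.

```python
import json

# Example values the page tells you to replace before deploying.
PLACEHOLDERS = ("111122223333", "ROLE-NAME", "LOGS-BUCKET")
TAG_KEY = "aws:ResourceTag/AWSApplicationMigrationServiceManaged"


def as_list(value):
    """IAM accepts a single value or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iter_statements(template):
    """Yield (role, policy name, statement) for every IAM role in the template."""
    for role, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        docs = [("trust", props.get("AssumeRolePolicyDocument", {}))]
        docs += [(p["PolicyName"], p["PolicyDocument"]) for p in props.get("Policies", [])]
        for name, doc in docs:
            for stmt in as_list(doc.get("Statement")):
                yield role, name, stmt


def lint_template(template, region, account_id):
    """Return a list of (location, message) findings; empty means nothing flagged."""
    s3_allowed = (
        f"arn:aws:s3:::aws-application-migration-service-{region}/",
        f"arn:aws:s3:::amazon-ssm-{region}/",
    )
    sharing_role = f"role/AWSApplicationMigrationConnectorSharingRole_{account_id}"
    findings = []
    for role, policy, stmt in iter_statements(template):
        where = f"{role}/{policy}"
        text = json.dumps(stmt)
        for placeholder in PLACEHOLDERS:
            if placeholder != account_id and placeholder in text:
                findings.append((where, f"placeholder {placeholder} not replaced"))
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "s3:GetObject" in actions:
            for arn in resources:
                if not arn.startswith(s3_allowed):
                    findings.append((where, f"s3:GetObject on unexpected bucket: {arn}"))
        if "sts:AssumeRole" in actions:
            # Trust policies carry no Resource, so only permission statements are checked.
            for arn in resources:
                if not arn.endswith(sharing_role):
                    findings.append((where, f"sts:AssumeRole target is not {sharing_role}"))
        if "secretsmanager:GetSecretValue" in actions:
            null_cond = stmt.get("Condition", {}).get("Null", {})
            if null_cond.get(TAG_KEY) != "false":
                findings.append((where, "GetSecretValue not limited to tagged secrets"))
    return findings


# Constructed sample: a trimmed template with four deliberate mistakes.
SAMPLE_TEMPLATE = """
{"Resources": {"AWSApplicationMigrationConnectorManagementRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [
      {"Effect": "Allow", "Principal": {"Service": "ssm.amazonaws.com"},
       "Action": "sts:AssumeRole"}]},
    "Policies": [{"PolicyName": "MgnConnectorPolicy", "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [
        "arn:aws:s3:::aws-application-migration-service-us-east-2/latest/source-automation-client/linux/ssaf-client/ssaf_client",
        "arn:aws:s3:::us-east-2/*"]},
      {"Effect": "Allow", "Action": ["s3:PutObject"],
       "Resource": "arn:aws:s3:::LOGS-BUCKET/*"},
      {"Effect": "Allow", "Action": "sts:AssumeRole",
       "Resource": "arn:aws:iam::*:role/AWSApplicationMigrationConnectorSharingRole_111122223333"},
      {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
       "Resource": "arn:aws:secretsmanager:*:*:secret:*"}
    ]}}]
  }}}}
"""

if __name__ == "__main__":
    for where, message in lint_template(json.loads(SAMPLE_TEMPLATE), "us-east-2", "444455556666"):
        print(f"{where}: {message}")
```
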

# Set up the MGN Connector

In order to set up your MGN connector, take the following steps:

1. Make sure your account has the required permissions as defined [here](mgn-connector-permissions.md).

1. If the MGN connector manages source servers from multiple accounts, set up the global view feature and set up your AWS Organization, following the instructions [here](global-view.md).

   After you set up your AWS Organization, configure the CloudFormation StackSet in order to create the required role per management account. Use the template "Enable Application Migration Service Connector access". Full instructions are available [here](setting-up-stacksets.md).

1.  If the MGN connector manages source servers from a single account, and both the MGN connector and the source servers belong to the same account: 

   1.  After replacing the example account number **111122223333** with your account number (**ACCOUNT-ID**), create a role using the following trust policy:

      ```
      {
          "Version":"2012-10-17",		 	 	 
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::111122223333:role/AWSApplicationMigrationConnectorManagementRole"
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
      }
      ```


   1.  Attach the **AWSApplicationMigrationAgentInstallationPolicy** policy to the Permission policies. 

   1.  Name the role **AWSApplicationMigrationConnectorSharingRole_ACCOUNT-ID** (replace **ACCOUNT-ID** with your account number).

1.  [Create a new MGN connector](add-connector.md) on the MGN connectors page. 

# Installing the MGN connector on a secured network


The MGN connector and the AWS Replication Agents that the MGN connector installs require network access to various AWS endpoints. If your on-premises network is not open to AWS endpoints, you can install the MGN connector and the AWS Replication Agents with the aid of PrivateLink.

You can connect your on-premises network to your VPCs using AWS VPN or Direct Connect.

## Global view


 If you are using the [Global view](global-view.md) feature, which provides cross-account view and operations, you will have at least one staging VPC per member account. 

 You will also need to designate a VPC in the management account in order to allow the MGN connector to communicate with AWS services via PrivateLink. If you are migrating some of your source servers into the management account, you can use the same VPC as a staging VPC. 

 **The following sections apply to the MGN connector VPC as well as to each staging VPC.** 

## Create VPC endpoints


 To allow the MGN connector and AWS Replication Agents to communicate with AWS services, create the VPC endpoints listed below. For each endpoint: 

1.  Select your staging area VPC or MGN connector VPC (see [Global view](#mgn-connector-global-view) above). 

1.  **Enable private DNS names.** 

1.  Choose a subnet, and ensure that a route exists from the MGN connector or AWS Replication Agent to the selected subnet. 

1.  Ensure that the security groups associated with the endpoint allow inbound traffic from the MGN connector and source servers. 

 Create the following interface endpoints: 

1.  **`com.amazonaws.region.ssm`** – The endpoint for the Systems Manager service. This endpoint is required by the SSM Agent, which is installed by the MGN connector installer. 

1.  **`com.amazonaws.region.ec2messages`** – Systems Manager uses this endpoint to make calls from the SSM Agent to the Systems Manager service. 

1.  **`com.amazonaws.region.ssmmessages`** – This endpoint is required only if you wish to connect to the MGN connector using Session Manager. 

1.  **`com.amazonaws.region.kms`** – This endpoint is required only if you wish to connect to the MGN connector using Session Manager and use AWS KMS encryption to add an additional layer of encryption to the session. For more information, see [Turn on KMS key encryption of session data](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-enable-encryption.html) in the *AWS Systems Manager User Guide*.

1.  **`com.amazonaws.region.s3`** – Systems Manager uses this endpoint to update the SSM Agent and to perform patching operations. The MGN connector installer and the AWS Replication Agent installer download installation assets from this endpoint. 

   1.  Note that private DNS names are disabled by default for the S3 endpoint. 

   1.  If you wish to also **Enable private DNS only for inbound endpoint**, you must first create an S3 gateway VPC endpoint. For more information, see [ S3 Private DNS ](https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#private-dns) in the *Amazon Simple Storage Service User Guide*. 

1.  **`com.amazonaws.region.secretsmanager`** – The MGN connector calls this endpoint to retrieve source server credentials. 

1.  **`com.amazonaws.region.sts`** – The MGN connector calls this endpoint to retrieve credentials of the AWS Replication Agent installer role. 

1.  **`com.amazonaws.region.mgn`** – The endpoint for MGN. This endpoint is required by the MGN connector, the AWS Replication Agent, and their respective installers. If a VPCE Policy is used (to scope down access), add the following statement to your policy: 

   ```
   {
       "Effect": "Allow",
       "Principal": "*",
       "Action": "execute-api:Invoke",
       "Resource": "arn:aws:execute-api:<region>:*:*/POST/CreateSessionForMgn"
   }
   ```

 For more information, see [ Creating an interface endpoint ](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint.html) in the *Amazon VPC User Guide*. 

## Create a Route 53 inbound endpoint


 To route your traffic to the VPC endpoints created above, create a Route 53 inbound endpoint in your staging area VPC or the MGN connector VPC (see [Global view](#mgn-connector-global-view) above). 

 Ensure that the security group associated with the inbound endpoint allows traffic from your on-premises DNS resolvers. 

 Configure DNS resolvers on your on-premises network to forward DNS queries for the endpoints of the above AWS services, to the IP addresses of your Route 53 inbound endpoint. To find the regional endpoints of these services, see [ Service endpoints ](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html) in the *AWS General Reference Guide*. For example, the endpoint of the MGN service in the US East (Ohio) Region (us-east-2) is **`mgn.us-east-2.amazonaws.com`** 

 For more information, see [ Forwarding inbound DNS queries to your VPCs ](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-forwarding-inbound-queries.html) in the *Amazon Route 53 User Guide*. 

## Modify replication settings


 In order to allow the AWS Replication Agent to communicate with the replication server without using the public internet, you must use Private IP for data replication. The replication server requires access to the EC2 service. Therefore: 
+  If your staging area VPC has a VPC endpoint for **`com.amazonaws.region.ec2`** with private DNS names enabled, or if your staging area subnet has a route to the public internet via a NAT gateway, then the replication server can communicate with EC2 over its private IP. Choose the option: 

   **Use private IP for data replication** 
+  Otherwise, if your staging area subnet has a route to the public internet via an internet gateway, a public IP is required for the replication server to reach EC2. Choose the option: 

   **Create public IP, and use Private IP for data replication** 

 Ensure that the security groups associated with the MGN VPC endpoint allow inbound traffic from the replication server. 

## Verify VPC endpoints are being used


Use CloudTrail to verify that calls to AWS services from the MGN connector and its associated source servers are made through the VPC endpoints you created: the **vpcEndpointId** field of each event should hold the ID of one of those endpoints.
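One way to run this check over exported CloudTrail records, as an added example that is not part of the AWS documentation: it keeps only events issued under the connector roles named on this page and flags those with no `vpcEndpointId` or with an endpoint ID outside your allow list. The log records, endpoint IDs, account ID and function names are constructed for illustration.

```python
import json

# Roles this page creates for the connector. The sharing role name ends in the
# management account id, so both are matched by prefix.
CONNECTOR_ROLE_PREFIXES = (
    "AWSApplicationMigrationConnectorManagementRole",
    "AWSApplicationMigrationConnectorSharingRole_",
)


def issuer_role(record):
    """Return the IAM role name behind an assumed-role CloudTrail event."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    if issuer.get("type") == "Role" and issuer.get("userName"):
        return issuer["userName"]
    # Fallback: arn:aws:sts::<account>:assumed-role/<role>/<session>
    arn = identity.get("arn", "")
    parts = arn.split("/")
    if ":assumed-role/" in arn and len(parts) >= 2:
        return parts[1]
    return ""


def audit_records(records, allowed_endpoints):
    """Flag connector-role events that bypassed the expected VPC endpoints."""
    findings = []
    for record in records:
        role = issuer_role(record)
        if not role.startswith(CONNECTOR_ROLE_PREFIXES):
            continue  # not a connector call
        endpoint = record.get("vpcEndpointId")
        if endpoint is None:
            reason = "no vpcEndpointId"
        elif endpoint not in allowed_endpoints:
            reason = "unexpected vpcEndpointId"
        else:
            continue
        findings.append({
            "role": role,
            "eventSource": record.get("eventSource"),
            "eventName": record.get("eventName"),
            "sourceIPAddress": record.get("sourceIPAddress"),
            "vpcEndpointId": endpoint,
            "reason": reason,
        })
    return findings


# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
SAMPLE_LOG = """
{"Records": [
 {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "sourceIPAddress": "10.0.1.25", "vpcEndpointId": "vpce-0a1b2c3d4e5f60001",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
   {"type": "Role", "userName": "AWSApplicationMigrationConnectorManagementRole"}}}},
 {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole", "arn":
   "arn:aws:sts::444455556666:assumed-role/AWSApplicationMigrationConnectorManagementRole/mi-0123456789abcdef0"}},
 {"eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation",
  "sourceIPAddress": "10.0.1.25", "vpcEndpointId": "vpce-0ffffffffffffffff",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
   {"type": "Role", "userName": "AWSApplicationMigrationConnectorManagementRole"}}}},
 {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
  "sourceIPAddress": "10.0.1.25", "vpcEndpointId": "vpce-0a1b2c3d4e5f60002",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
   {"type": "Role", "userName": "AWSApplicationMigrationConnectorSharingRole_444455556666"}}}},
 {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
   {"type": "Role", "userName": "SomeOtherRole"}}}}
]}
"""

# Constructed endpoint ids standing in for the interface endpoints you created.
ALLOWED_ENDPOINTS = {"vpce-0a1b2c3d4e5f60001", "vpce-0a1b2c3d4e5f60002"}

if __name__ == "__main__":
    for finding in audit_records(json.loads(SAMPLE_LOG)["Records"], ALLOWED_ENDPOINTS):
        print(finding)
```

An event with no `vpcEndpointId` and a public `sourceIPAddress` usually means the on-premises DNS forwarding for that service is not pointing at the Route 53 inbound endpoint.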

# Manage your MGN Connectors

The MGN Connectors page lists all the installed MGN connectors, providing a quick overview of your MGN connectors and their status and allowing you to quickly perform actions.

## Introduction to the MGN connector page


The **MGN Connectors** page displays the list of MGN connectors, and supports adding, deleting and editing MGN connectors as well as performing actions using the MGN connectors.

The **MGN Connectors** page provides information for each MGN connector, including:
+ **MGN Connector name** - The unique name for each MGN connector. Additional details of the MGN connector are available in the MGN details page. Click the MGN connector name, to view its details.
+ **Registered servers** - The number of registered source servers managed by this MGN connector.
+ **Last seen** - The last time AWS Application Migration Service communicated with the MGN connector.

**Topics**
+ [Introduction to the MGN connector page](#mgn-connector-list-interacting)
+ [Add MGN connector](add-connector.md)
+ [Edit connector](edit-connector.md)
+ [Delete MGN connector](delete-connector.md)
+ [Register server credentials](connector-register-server-credentials.md)
+ [Verify source server prerequisites](connector-verify-prereqs.md)
+ [Install the replication agent](connector-install-agent.md)
+ [View command history](connector-view-command-history.md)

# Add MGN connector


To add an MGN connector, click **Add MGN connector**, to open the Add MGN connector page. Set up your MGN connector by providing the following:
+ Connector name: The MGN connector name is used to identify the connector. This field is mandatory, and limited to 256 characters. The name must be unique (case-insensitive) per account per Region.
+ Obtain the SSM hybrid activation parameters (installation key and ID), which are required in order to install the SSM agent on the MGN connector. For more information on SSM activation parameters see [here](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-managed-instance-activation.html).
  + In the SSM hybrid activation set the **AWSApplicationMigrationConnectorManagementRole** in the management account.
    + Activation setting → select an existing IAM role → **AWSApplicationMigrationConnectorManagementRole**
    + See the [permissions](mgn-connector-permissions.md) page for the required permissions of **AWSApplicationMigrationConnectorManagementRole**.
+  Temporary IAM credentials of the **MGNConnectorInstallerRole** role that you created [here](mgn-connector-permissions.md). 
  +  Request temporary security credentials [ through AWS STS ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) through the [AssumeRole API](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html). 
  + [Learn more about how temporary credentials work.](Agent-Related-FAQ.md#temporary-credentials-operation)

To download the MGN connector software, use the following commands:
+ **Download the installer command** - Copy and paste the command into the command prompt of the server you’ve designated for the MGN connector. This will download the AWS MGN installer.
+ **Copy and paste this command into the command line on your MGN connector** - Copy and paste the command into the command prompt of the same server. This will install the AWS MGN connector software.

After the MGN connector is installed it automatically begins communicating with the console and appears in the MGN connectors list.

Next, you must register source servers to the MGN connector.

You may install multiple MGN connectors to handle a large number of source servers or multiple data centers. Each MGN connector is able to handle up to 500 source servers. AWS MGN supports up to 50 MGN connectors per account per Region.

The MGN connector installation is facilitated through the SSAF client, which is publicly accessible from the S3 bucket `aws-application-migration-service-{{region}}`. The most recent installer can be found at `/latest/source-automation-client/linux/ssaf-client/`, with a corresponding signature file at `/latest/source-automation-client/linux/ssaf-client/ssaf_client.sig` for binary validation. For user convenience, these technical aspects are handled automatically when using either the console or the SSM document *"AWSMigration-RunSourceServerAction"* to perform the installation.

# Edit connector


To edit an MGN connector, click **Edit**. When the **Edit MGN connector** page opens, you can modify the MGN connector name and tags.

To finalize your changes, click **Save changes**.

# Delete MGN connector


To delete an MGN connector, click **Delete**. When the **Delete MGN connector** dialog opens, verify that you want to delete the selected MGN connector. Once an MGN connector is uninstalled, it can no longer be used to manage your source servers.

**Note**  
Deleting the MGN connector will disassociate the servers from the MGN connector, but will not delete them from servers inventory.

# Register server credentials


Once you have the MGN connector set up and ready to use, you can register source servers to the MGN connector. To do so, click on the MGN connector name, then click "Register servers".

The servers list contains the source servers that were imported via the import feature or discovered by the agentless replication process.

Select the source servers you want to register to the MGN connector. Click the "Register servers with the MGN connector" button.

To perform actions on your source server, you must provide source server credentials. Server credentials are stored in AWS Secrets Manager. You can use an existing secret from AWS Secrets Manager or create a new one. You can create the credentials in the MGN console, by choosing **Register server credentials** from the **Actions** menu.
+ Use existing secret
  + Using AWS Secrets Manager MGN can use the stored source server credentials and API keys in order to connect to the source machine and perform actions on it. You must specify the secret that stores the source server credentials, using an existing secret.
  + You may designate the same secret for multiple source servers, if they share the same credentials.
  + Be sure to add the AWSApplicationMigrationServiceManaged tag to the secret. The value is ignored, and may be left empty.
+ Create new secret
  + **Secret name** - Enter a name for your new secret. The name you specify will be saved in AWS Secrets Manager.
  + **Encryption key** - To encrypt, either use the KMS key provided by Secrets Manager or create your own customer managed KMS key.
  + **For Windows servers:**
    + **Communication protocol** – The WinRM connection protocol between the MGN connector and the source servers, used to install the agents. Specify either:
      + **HTTP**
      + **HTTPS**

      **Note**  
      Though you can use HTTP, we recommend that you use HTTPS to ensure secure and encrypted communication between the MGN connector and the source servers.
    + **UserName** – A user that is authorized to install the agent and perform actions on the source server.
    + **Password** – The specific source server's password.
    + **CertificateAuthority** (Optional) - Include the source server IPs in the certificate's SAN field to enable communication.
  + **For Linux servers:**
    + **UserName** – A user that is authorized to install the agent and perform actions on the source server.
    + **Provide one of the following:**
      + **Password** – The specific source server's password.
      + **PrivateKey** – The source server’s private key.
    + **HostKey** (Optional) – Include the host key to validate it during the SSH connection.
  + **Tags** - Secret key-value pairs will be assigned to the new secret. Note that the AWSApplicationMigrationServiceManaged tag will also be added.
  + Here is the structure of the Secrets Manager entry:

    ```
    {
      "WinConnectionProtocol": "HTTPS",
      "WinUserName": "windows_username",
      "WinPassword": "windows_password",
      "WinCertificateAuthority": "",
      "WinCaValidation": false,
      "LinuxUserName": "linux_username",
      "LinuxPrivateKey": "linux_private_key",
      "LinuxHostKey": "linux_host_key",
      "LinuxHostKeyValidation": false
    }
    ```
**Note**  
The CA/HostKey validation is turned on by default, indicated by the validation flag being set to true. Provide the CA or HostKey in the JSON for validation. If you don't provide it, you must explicitly disable validation by setting the validation flag to false. The key algorithm in HostKey must be provided in the following format:  

  ```
  "HostKey": "algorithm_name thumbprint"
  ```
List of supported algorithms: "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss"
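
The validation rules in the note above can be checked before a secret is stored. The following is an added example, not AWS code: the function name `check_mgn_secret` and the sample secret are constructed for illustration, and a missing validation flag is assumed to mean the documented default of true.

```python
import json

# Algorithms this page lists as supported for the host key.
SUPPORTED_ALGORITHMS = {
    "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss",
}

# Constructed sample: validation left on, but no CA and a malformed host key.
SAMPLE_SECRET = json.dumps({
    "WinConnectionProtocol": "HTTP",
    "WinUserName": "windows_username",
    "WinPassword": "windows_password",
    "WinCertificateAuthority": "",
    "LinuxUserName": "linux_username",
    "LinuxPrivateKey": "linux_private_key",
    "LinuxHostKey": "ed25519",
})

def check_mgn_secret(secret_json):
    """Return a list of findings for a secret; an empty list means no issues."""
    secret = json.loads(secret_json)
    findings = []
    if secret.get("WinUserName"):
        protocol = secret.get("WinConnectionProtocol")
        if protocol not in ("HTTP", "HTTPS"):
            findings.append("WinConnectionProtocol must be HTTP or HTTPS")
        elif protocol == "HTTP":
            findings.append("WinConnectionProtocol is HTTP; HTTPS is recommended")
        # Assumption: a missing flag means the documented default (true).
        if not secret.get("WinCaValidation", True):
            findings.append("WinCaValidation is disabled")
        elif not secret.get("WinCertificateAuthority"):
            findings.append("WinCaValidation is on but WinCertificateAuthority is empty")
    if secret.get("LinuxUserName"):
        parts = (secret.get("LinuxHostKey") or "").split()
        if not secret.get("LinuxHostKeyValidation", True):
            findings.append("LinuxHostKeyValidation is disabled")
        elif len(parts) != 2:
            findings.append('LinuxHostKey must be "algorithm_name thumbprint"')
        elif parts[0] not in SUPPORTED_ALGORITHMS:
            findings.append("LinuxHostKey algorithm is not supported: " + parts[0])
    return findings

if __name__ == "__main__":
    for finding in check_mgn_secret(SAMPLE_SECRET):
        print(finding)
```

A secret that disables validation is reported rather than rejected, so reviewers can see which source servers are reached without CA or host key checks.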

# Verify source server prerequisites


The **Verify prerequisites** action ensures the AWS replication agent can be installed on each of the source servers. The verification process checks that there is enough disk space, RAM, and CPU for installing the AWS replication agent.

# Install the replication agent


Following the prerequisite check, you can proceed to **install the replication agent**, to start your migration execution. 

# View command history


After performing an action, you can **view the command history** for information on the command status.

# Review details about your MGN connectors


Click the **MGN connector name** of any MGN connector to open its details page.

The page includes the following details:
+ Overview – View all the information related to the specific MGN connector including state and when it last communicated with AWS Application Migration Service.
+ Source servers – This section features all the source servers managed by the MGN connector.

Each row in the "servers" table provides details about a single source server, including:
+ **Hostname** – The source server's hostname.
+ **Account** - The source server account ID.
+ **Prerequisites** – The status of prerequisites verification, with the following options: **Verified**, **Not verified**, **In progress**, or **Invalid**.
+ **Agent installed** – Indicates whether the AWS MGN Agent is installed on the server.
+ **Credential secret** – The secret of the specific source server.
+ **Next step** – The next action in the connector installation workflow. Options include:
  + **Initiate test** – Test your source server before migration.
  + **Mark as tested** – Mark that the source server is ready for migration.
  + **Check prerequisites** – Ensure that the source server meets the required prerequisites. 
  + **Wait for check to complete** – This indicates that the prerequisites are being verified. If this step is completed successfully, the next step will be **Install agent**. If not, the next step will be **Resolve cause of invalidity**.
  + **Resolve cause of invalidity** – This indicates that the prerequisite verification process failed and that a specific issue needs to be resolved.
+ Tags - This section features the tags associated with your connector.