

# Plan your deployment
<a name="plan-your-deployment"></a>

This section describes the Region, [cost](cost.md), [security](security-1.md), and [quota](quotas.md) considerations for planning your deployment.

## Supported AWS Regions
<a name="supported-aws-regions"></a>

This solution uses Amazon OpenSearch Service, which is not currently available in all AWS Regions. For the most current availability of AWS services by Region, see the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

Migration Assistant for Amazon OpenSearch Service is available in the following AWS Regions:


| Region name | Region | 
| --- | --- | 
|  US East (N. Virginia)  |  us-east-1  | 
|  US East (Ohio)  |  us-east-2  | 
|  US West (N. California)  |  us-west-1  | 
|  US West (Oregon)  |  us-west-2  | 
|  Africa (Cape Town)  |  af-south-1  | 
|  Asia Pacific (Hong Kong)  |  ap-east-1  | 
|  Asia Pacific (Hyderabad)  |  ap-south-2  | 
|  Asia Pacific (Jakarta)  |  ap-southeast-3  | 
|  Asia Pacific (Melbourne)  |  ap-southeast-4  | 
|  Asia Pacific (Mumbai)  |  ap-south-1  | 
|  Asia Pacific (Osaka)  |  ap-northeast-3  | 
|  Asia Pacific (Seoul)  |  ap-northeast-2  | 
|  Asia Pacific (Singapore)  |  ap-southeast-1  | 
|  Asia Pacific (Sydney)  |  ap-southeast-2  | 
|  Asia Pacific (Tokyo)  |  ap-northeast-1  | 
|  Canada (Central)  |  ca-central-1  | 
|  Canada West (Calgary)  |  ca-west-1  | 
|  Europe (Frankfurt)  |  eu-central-1  | 
|  Europe (London)  |  eu-west-2  | 
|  Europe (Milan)  |  eu-south-1  | 
|  Europe (Paris)  |  eu-west-3  | 
|  Europe (Spain)  |  eu-south-2  | 
|  Europe (Stockholm)  |  eu-north-1  | 
|  Europe (Zurich)  |  eu-central-2  | 
|  Europe (Ireland)  |  eu-west-1  | 
|  Israel (Tel Aviv)  |  il-central-1  | 
|  Middle East (Bahrain)  |  me-south-1  | 
|  Middle East (UAE)  |  me-central-1  | 
|  South America (São Paulo)  |  sa-east-1  | 
|  AWS GovCloud (US-East)  |  us-gov-east-1  | 
|  AWS GovCloud (US-West)  |  us-gov-west-1  | 

# Cost
<a name="cost"></a>

You are responsible for the cost of the AWS services used while running this solution. As of this revision, the cost for running this solution with the default settings in the US East (N. Virginia) Region is approximately **\$3,096 for a 15-day migration with 100 TB of existing data and 15 MBps of live traffic**. These costs are for the resources shown in the sample cost table.

We recommend creating a budget through [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this solution.

A migration typically has a different duration and data volume for each of the steps described in the [Migration phases](https://docs.opensearch.org/docs/latest/migration-phases/). Customers typically wait to remove infrastructure or delete data until after a migration is complete. It’s crucial to understand the volume and duration of each of the steps to estimate the cost of the solution.

In the following example, we outline the cost of a 15-day migration with the following schedule:

 **Depicts an example 15-day migration schedule from deployment to teardown** 

![\[cost migration schedule\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/images/cost-migration-schedule.png)


To understand the costs, we need to map these steps into cost components, including data retention periods as applicable. This yields the following schedule:

 **Depicts an example 15-day migration schedule mapped to this solution’s components** 

![\[cost migration schedule components\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/images/cost-migration-schedule-components.png)

+ Core Services - 15 days
+ Capture Proxy - 6 days
+ Capture Proxy Data Retention Period - 4 days
+ Snapshot - 1 day
+ Snapshot Data Retention Period - 9 days
+ Reindex from Snapshot - 3 days
+ Traffic Replayer - 2 days
+ Traffic Replayer Data Retention Period - 4 days
+ Target Proxy - 4 days

Using this schedule, the following is an example of a customer performing a zero-downtime migration of a cluster with 100 TB of primary shard data with 15 MBps aggregated request-response throughput. The ongoing request throughput over the 6-day capture timeline gives a capture/replay volume of about 7.8 TB.

Assumptions:
+ No data is retained after the teardown step, representing no resources and cost after day 15.
+ Deployment in US East (N. Virginia).
+ The Source Cluster, Target Cluster, and VPC are imported and cost excluded from this calculation, including data transfer cost based on VPC setup. We recommend that the VPC includes an Amazon S3 Gateway Endpoint and cluster data communication over VPC Interface Endpoints to reduce data transfer cost.

This gives us the following cost table:


| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|   **Core services**   |  |  | 
|  Amazon ECS  |  Migration Management Console: Task vCPU:  *1 task × 24 hours per day × 15 days × (0.50 vCPU × 0.04048 USD per hour) = \$7.29*  Task Memory:  *1 task × 24 hours per day × 15 days × (1 GB × 0.004445 USD per hour) = \$1.60*   |  \$8.89  | 
|  AWS Lambda  |   *< 10 requests × 0.20 per 1M requests = ~\$0.00*   *< 10 seconds × \$0.0000166667 per GB-second = ~\$0.00*   |  ~\$0.00  | 
|  AWS Secrets Manager  |   *(\$0.40 per secret-month × 10 secrets × 15 days) / 30 days per month = \$2.00*   |  \$2.00  | 
|  Amazon Route 53  |   *(\$0.50 per Hosted Zone × 15 days) / 30 days per month = \$0.25*   |  \$0.25  | 
|  Amazon Elastic Container Registry (Amazon ECR)  |   *(3 GB × \$0.10 GB/month × 15 days) / 30 days per month = \$0.15*   |  \$0.15  | 
|  Amazon EC2  |  Bootstrap Box (t3.large):  *1 × \$0.0832/hr × 24 hours per day × 15 days = \$29.95*   |  \$29.95  | 
|  Amazon EBS  |  Bootstrap Box:  *(50 GB × \$0.08/GB-month × 15 days) / 30 days per month = \$2.00*   |  \$2.00  | 
|  Amazon Virtual Private Cloud (Amazon VPC)  |  Bootstrap Box VPC - NAT Gateway:  *1 × 24 hours per day × 15 days × \$0.045/hour = \$16.20*   *30 GB × \$0.045/GB = \$1.35*   |  \$17.55  | 
|  Elastic Load Balancing  |  Application Load Balancer hours:  *15 days × 24 hours × \$0.0225 per Application Load Balancer-hour = \$8.10*   |  \$8.10  | 
|   **Core services total:**   |  |   **\$68.89**   | 
|   **Miscellaneous services**   |  |  | 
|  Amazon CloudWatch  |   This is a high estimate for aggregated charges over all components for a large migration.  Log data ingested (200 GB):  *\$0.50 per GB × 200 GB = \$100.00*  Archived log charges (assume log data compresses to 30 GB):  *(\$0.03 per GB-month × 30 GB × 15 days) / 30 days per month = \$0.45*  Metrics (200 metrics):  *(200 metrics × \$0.30 per metric-month × 15 days) / 30 days per month = \$60.00*   Metrics are metered only while being sent. Actual usage and cost might be lower.   |  \$160.45  | 
|  AWS X-Ray  |   *1M traces × \$5.00 per million traces = \$5.00*   |  \$5.00  | 
|   **Miscellaneous services total:**   |  |   **\$165.45**   | 
|   **Optional services**   |  |  | 
|   **Capture proxy (7.776 TB, 6 days running; 4 days data retention)**   |  |  | 
|  Amazon Managed Streaming for Apache Kafka (Amazon MSK)  |   Assume deployment in 2 Availability Zones.  Broker (6 days running + 4 days data retention):  *2 nodes (M5.large) × \$0.21 node per hour × 10 days × 24 hours per day = \$151.20*  Storage (9,331 GB Provisioned (20% buffer) for 6 days running + 4 days data retention):  *(2 nodes × 9,331 GB × \$0.10 per GB-month × 10 days) / 30 days per month = \$620.07*  Data transfer:  *7,776 GB × \$0.01 per GB inbound = \$77.76*   |  \$849.03  | 
|  Amazon ECS  |  Task vCPU:  *4 tasks × 0.5 vCPU × 0.04048 USD per vCPU-hour × 6 days × 24 hours per day = \$11.66*  Task memory:  *4 tasks × 2 GB × 0.004445 USD per GB-hour × 6 days × 24 hours per day = \$5.12*   |  \$16.78  | 
|  Elastic Load Balancing  |  Load Balancer Capacity Unit (LCU) (assuming GB is the cost dimension):  *7,776 GB × \$0.008 per LCU = \$62.21*   |  \$62.21  | 
|   **Capture proxy total:**   |  |   **\$928.02**   | 
|   **Target proxy (15 MBps for 4 days (5.184 TB))**   |  |  | 
|  Amazon ECS  |  Task vCPU:  *4 tasks × 0.5 vCPU × 0.04048 USD per vCPU-hour × 4 days × 24 hours per day = \$7.77*  Task memory:  *4 tasks × 2 GB × 0.004445 USD per GB-hour × 4 days × 24 hours per day = \$3.41*   |  \$11.18  | 
|  Elastic Load Balancing  |  LCU (assuming GB is the cost dimension):  *5,184 GB × \$0.008 per LCU = \$41.47*   |  \$41.47  | 
|   **Target proxy total:**   |  |   **\$52.65**   | 
|   **Replay (7.776 TB over 2 days, retention 4 days)**   |  |  | 
|  Amazon ECS  |  Task vCPU:  *1 task × 1 vCPU × 0.04048 USD per vCPU-hour × 2 days × 24 hours per day = \$1.94*  Task memory:  *1 task × 4 GB × 0.004445 USD per GB-hour × 2 days × 24 hours per day = \$0.86*   |  \$2.80  | 
|  Amazon MSK  |  Intra-Region:  *7,776 GB × 0.01 USD per GB outbound = \$77.76*   |  \$77.76  | 
|  Amazon Elastic File System (Amazon EFS)  |   Calculating cost based on constant size of 15.552 TB (7.776 TB × 2). Actual cost might differ due to some data spending less than 5 days in EFS Infrequent Access or data inflation.  EFS Standard (infrequent after 1 day):  *15,552 GB × \$0.30 per GB-month × 1 day / 30 days per month = \$155.52*  EFS Infrequent Access (5 days maximum):  *15,552 GB × \$0.025 per GB-month × 5 days / 30 days per month = \$64.80*  EFS Infrequent Access - Tiering:  *15,552 GB × \$0.01 per GB = \$155.52*   |  \$375.84  | 
|   **Replay total:**   |  |   **\$456.40**   | 
|   **Historical Backfill (100 TB Snapshot over 1 month)**   |  |  | 
|  Amazon ECS  |  RFS: Each task is capable of delivering approximately 5 MBps of snapshot data. To deliver 100 TB over 3 days, 77 tasks are needed. Task vCPU:  *77 tasks × 3 days × 24 hours per day × 2 vCPUs × \$0.04048 per hour = \$448.84*  Task memory:  *77 tasks × 3 days × 24 hours per day × 4 GB × \$0.004445 per hour = \$98.57*  Task storage:  *77 tasks × 3 days × 24 hours per day × (200GB - 20GB Free Tier) × \$0.000111 per hour = \$110.77*   |  \$657.34  | 
|  Amazon S3  |   This calculates the cost for all the data occurring in the S3 bucket for the entire duration. The actual cost might be less for storage due to partial rate while the snapshot is being taken. Snapshot storage:  *(100 TB × 1,000 GB per TB × \$0.023 per GB-month × 10 days) / 30 days per month = \$766.66*    |  \$766.66  | 
|   **Historical Backfill total:**   |  |   **\$1,424.00**   | 
|   **Total for all components:**   |  |   **\$3,095.41**   | 

The Capture and Replay yields an effective cost per TB of \$199.87, and the Historic Backfill is \$15.41 per TB. For a given cluster, the amount of data in Historic Backfill is largely fixed, while the data for Capture and Replay is based on the time needed to capture. For this reason, it can be cost advantageous to scale up the target OpenSearch cluster beyond the final intended capacity for the Historic Backfill period to reduce the duration and quantity of data for Capture and Replay.

Taking the table above and dividing out the components cost, we can determine the following calculation method for cost. This is a broad estimation making assumptions on traffic pattern including size per request, and number of new connections. We can also subdivide this by migration type applicable.


| Component | Applicable migration type | Cost [USD] | 
| --- | --- | --- | 
|  Core services  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/cost.html)  |  \$4.59/day  | 
|  Miscellaneous services  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/cost.html)  |  \$165.45 per large migration  | 
|  Capture runtime  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/cost.html)  |  \$17.22/day + \$8.00/TB-day + \$18.00/TB  | 
|  Capture data retention period  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/cost.html)  |  \$15.12/day + \$8.00/TB-day  | 
|  Snapshot  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/cost.html)  |  \$0.7667/TB-day  | 
|  Snapshot data retention period  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/cost.html)  |  \$0.7667/TB-day  | 
|  Reindex from snapshot  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/cost.html)  |  \$6.57/TB  | 
|  Traffic Replayer  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/cost.html)  |  \$1.40/day + \$50.00/TB + \$1.6667/TB-day  Due to Amazon EFS-Intelligent Tiering, \$1.6667/TB-day is not paid for the first day.   | 
|  Traffic Replayer data retention period  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/cost.html)  |  \$1.6667/TB-day  | 
|  Target proxy  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/migration-assistant-for-amazon-opensearch-service/cost.html)  |  \$2.10/day + \$8.00/TB  | 

We can also identify the cost for full migrations of different sizes that follow the 15-day migration timeline. By applying the durations shown previously, as well as a conversion from TB/day to MB/s, we get the following formula for a representative cost estimate:

 *15-day migration = \$390.35 + \$14.24 × HistoricalTB + \$71.86 × LiveMBps* 

This results in the following cost estimates table:

**Note**  
All costs are rounded to the nearest dollar.


| 15-day full migration cost (\$ USD/migration) |  | Live traffic throughput |  | 
| --- | --- | --- | --- | 
|  Historical data volume  |  5 MBps  |  20 MBps  |  50 MBps  | 
|  1 TB  |  \$764  |  \$1,842  |  \$4,125  | 
|  10 TB  |  \$892  |  \$1,970  |  \$3,252  | 
|  100 TB  |  \$2,174  |  \$3,252  |  \$5,407  | 

# Security
<a name="security-1"></a>

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit [AWS Cloud Security](http://aws.amazon.com/security/).

## IAM roles
<a name="iam-roles"></a>

AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution aims to create IAM roles with least privilege where resource access is required. This includes allowing some required Migration ECS services to produce/consume from MSK, make requests to the target cluster, and access provided secrets stored within AWS Secrets Manager needed for target cluster authentication and authorization.

## Security groups
<a name="security-groups"></a>

The solution creates security groups designed to control and isolate network traffic between Migration ECS containers, as well as between certain Migration ECS containers and associated services such as Amazon MSK, Amazon OpenSearch Service, and Amazon EFS. We recommend that you review the security groups and further restrict access as needed once the deployment is up and running.
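
One way to carry out that review, shown as an added example rather than code from this solution: the script below reads output in the shape of `aws ec2 describe-security-groups` and reports ingress rules whose source is a CIDR range instead of another security group. The group IDs and names are constructed, and the service ports are the usual defaults for Amazon MSK, Amazon OpenSearch Service, and Amazon EFS, assumed here and to be confirmed against your own deployment.

```python
import ipaddress
import json

# Default service ports (assumption: confirm against your own deployment).
SERVICE_PORTS = {443: "OpenSearch HTTPS", 2049: "EFS NFS",
                 9092: "MSK plaintext", 9094: "MSK TLS", 9098: "MSK IAM"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "example-replayer", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 9092, "ToPort": 9098,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]},
  {"GroupId": "sg-0ccc", "GroupName": "example-proxy", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0ddd", "GroupName": "example-efs", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "-1",
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]}
]}
""")


def port_range(perm):
    """Port span of one ingress rule; IpProtocol "-1" means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def review(doc):
    """Return (severity, group id, cidr, exposed services) for CIDR-sourced rules."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            low, high = port_range(perm)
            services = [n for p, n in sorted(SERVICE_PORTS.items()) if low <= p <= high]
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append(("HIGH", sg["GroupId"], cidr, services))
                elif services:  # a CIDR, not a group reference, reaches a service port
                    findings.append(("REVIEW", sg["GroupId"], cidr, services))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Rules that reference another security group produce no finding, because that is the isolation pattern described above; only CIDR sources are reported.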

## AWS Secrets Manager
<a name="aws-secrets-manager"></a>

Migration Assistant for Amazon OpenSearch Service allows accessing stored secrets from AWS Secrets Manager in the Migration Management Console, Traffic Replayer, and Reindex-from-Snapshot containers. Accessing these secrets allows for proper authentication when migrating data from source to target, and for observing migration status.

# Quotas
<a name="quotas"></a>

Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

## Quotas for AWS services in this solution
<a name="quotas-for-aws-services-in-this-solution"></a>

Make sure you have sufficient quota for each of the services implemented in this solution. For more information, refer to [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

Use the following links to go to the page for that service. To view the service quotas for all AWS services in the documentation without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-service-information) page in the PDF instead.

## AWS CloudFormation quotas
<a name="aws-cloudformation-quotas"></a>

Your AWS account has CloudFormation quotas that you should be aware of when launching the stack for this solution. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this solution successfully. For more information, refer to [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User Guide*.