Azure Migrate Checklist
Microsoft has robust and detailed guides on how to deploy and configured Azure Migrate [here][L1]. However there are a number of key items that need to be taken into account when deploying Azure Migrate, in order to insure that it your assessment is a success.
Deployment Checklist
Networking
💡 Do you have an Azure Migrate Appliance present within each network security boundary?
A security boundary is defined as a separate part of the environment, where traffic is managed separately, for example Prod vs a DMZ environment.
Appliances should be deployed within those environment, and should be configured to discover that segment.
💡 Have you checked that required ports are open between the Azure Migrate Appliance and the estate?
Depending on your appliance there are a number of requirements that need to be met. They are detailed below
-
Inbound connections on TCP port 3389 to allow remote desktop connections to the appliance.
-
Ensure that 443 and 5985 (HTTP) is open between the appliances and the servers being discovered, (Linux servers require port 22 (TCP) to be open along side 443)
-
Windows servers must have PowerShell remoting enabled and PowerShell version 2.0 or later installed.
-
WMI must be enabled and available on Windows servers to gather the details of the roles and features installed on the servers.
-
Linux servers must have Secure Shell (SSH) connectivity enabled and ensure that the following commands can be executed on the Linux servers to pull the application data:
list
tail
awk
grep
locate
head
sed
ps
print
sort
uniqBased on OS type and the type of package manager being used, here are some more commands: rpm/snap/dpkg, yum/apt-cache, mssql-server.
Required Credentials
Hypervisor Credentials
💡 Have you provided credentials to the Azure Migrate Appliance for the hypervisor fabric?
For Vmware Appliance
The VMware appliance requires Guest Operations rights to be able to collect details from Vmware environments. Click here to learn how to assign Vmware Guest Operations Access
For HyperV Appliance
Option 1: Prepare an account with Administrator access to the Hyper-V host machine.
Option 2: Prepare a Local Admin account, or Domain Admin account, and add the account to these groups: Remote Management Users, Hyper-V Administrators, and Performance Monitor Users.
OS Level
💡 Have you provided credentials to the Azure Migrate Appliance for the servers being assessed?
Is the account provided a member of the Local Admins group on all servers?
For Windows servers and web apps discovery
Create an account (local or domain) that has administrator permissions on the servers. This can either be an account that is a Domain Admin or Member of Local Admins group. This account should be present on all servers that you want to assess.
For Linux servers, provide a sudo user account with permissions to execute ls and netstat commands or create a user account that has the CAP_DAC_READ_SEARCH and CAP_SYS_PTRACE permissions on /bin/netstat and /bin/ls files. If you’re providing a sudo user account, ensure that you have enabled NOPASSWD for the account to run the required commands without prompting for a password every time sudo command is invoked.
SQL Level
💡 Have you provided credentials to the Azure Migrate Appliance for the SQL Servers being assessed?
To discover SQL Server instances and databases, the Windows or SQL Server account must be a member of the sysadmin server role or have these permissions for each SQL Server instance.
Top Tip: While SQL SysAdmin Access is preferred, a Lest privilege account mask is available here SQL Custom Login