Oracle Cloud Infrastructure Documentation

Managing Remote Agent Appliances

In Oracle Cloud Migrations, a remote agent appliance collects metadata from virtual machines (VMs) from an external environment and replicates the VM data disks to Oracle Cloud Infrastructure (OCI).

The deployment of remote agent appliance requires installation and registration. After the agent appliance is registered with a source environment, the agent maintains a persistent secure connection back to OCI by performing a secure token exchange. These secure tokens are refreshed regularly. If the remote agent appliance is unable to refresh the authentication token, the agent is disconnected, and you must manually re-register from the remote agent appliance console. The remote agent appliance includes a diagnostic tool to help identify any network connectivity issues or problems communicating to OCI.

Each remote agent appliance can only be registered to one source environment. If virtual machines in an external environment are migrated to multiple OCI regions, do the following:
  1. Create a separate source environment for each region.
  2. Deploy at least one remote agent appliance for each target region.

After the remote agent appliance is registered and becomes active, the appliance launches two plugins namely, discovery and replication. The discovery plugin searches for VMware virtual machines in the source environment using environment-specific connectors. The replication plugin manages the replication of source assets snapshots from the source environment to OCI.

You can deploy multiple remote agent appliances for a single source environment to provide redundancy and increased replication throughput.

You can manage the remote agent appliance in OCI by performing the following tasks:

Prerequisites

Before you start using the remote agent appliance in OCI, perform the following tasks:

DNS Resolution

For the replication to work, the Remote Agent Appliance must have connectivity to a domain name system (DNS) server that resolves addresses for names in the oraclecloud.com domain and the fully qualified domain names (FQDN) of VMware infrastructure components (vCenter server and ESXi hosts).

To verify if your DNS resolution is working properly before deploying your virtual appliance, perform the following steps:

  • Find the IP address of the DNS server that you intend to use (for example, 10.0.2.1).
  • Connect to the vCenter management interface, and find an FQDN used by a host (for example, esx1.vcluster.mycompany.local ).
  • To see if the name is properly resolved, run a DNS diagnostic tool. MacOS and most Linux distribution have domain information groper (dig) tool preinstalled. The dig that you can use for verification is, dig @{dns_server_IP} {FQDN}. Example: dig @10.0.2.1 esx1.vcluster.mycompany.local

If correct IP address of the host is returned in the output, then your DNS resolution is working properly. To correctly configure the DNS, see VMware and DNS server documentation.

Required IAM Policies

You can create policies to allow user groups to access remote agent appliance resources.

View the verb to permission mapping for remote agent appliance to decide which verb meets the access requirements. For example, inspect allows users to view the list of all the agents in a compartment and read allows users to view the details of all plugins running on a specific agent.

For details about writing policies for Oracle Cloud Migrations, see Oracle Cloud Migrations IAM Policies. For users to access the Oracle Cloud Migrations resources, see user policies. For using the Oracle Cloud Migrations service, see service policies.

Required Network Connectivity in the External Environment

The remote agent appliance is distributed as a sealed virtual machine that requires an IPv4 address to operate, which can be assigned manually or via Dynamic Host Configuration Protocol (DHCP).

Internal connectivity is for communication with vCenter and ESXi host. External connectivity is for communication with oraclecloud.com public endpoints. The network interfaces on the remote agent appliance can be configured automatically using DHCP or manually. For manual configuration, see step 7 in the Details for Deploying an OVA or OVF Template section.

Following are the required vCenter configurations for networking ports, protocols, and direction that the remote agent appliance uses for connecting OCI with the external VMware environment:

Note

To allow the remote agent appliance, verify that the vCenter environment uses the egress ports that are mentioned in the table.

Direction Port Protocol Description Network Type
Ingress 3000 TCP Register remote agent appliance Local network
Egress ICMP Ping-based health checks Local network
Egress 53 UDP, TCP DNS resolution Local network
Egress 67, 68 UDP, TCP DHCP configuration Local network
Egress 123 UDP, TCP NTP clock synchronization Internet
Egress 443 TCP HTTPS connection to OCI and vCenter Server Management Internet
Egress 902 UDP, TCP VDDK connection to ESXi Management Local network
Note

Default Listening Ports

For the API endpoints used by the remote agent appliance, use the following default TCP ports to configure your VMware vCenter:
  • TCP port 443 - Use this port to configure vCenter Server Management API
  • TCP/UDP port 902 - Use this port to configure the host or server access

The remote agent appliance does not support working vCenter configurations that use nondefault ports.

Required vSphere Privileges

For the discovery and replication phases of migration, the remote agent appliance requires vCenter credentials. You can use the same user credentials for discovery and replication phases or create a user for each of these phases.

The following are the minimal required privileges for the discovery and replication phases:
  • Discovery: Create a user with a Read Only role. For information on how to create a user, see vCenter Server System Roles in VMware documentation.
  • Replication: For replicating assets, create a vCenter server custom role, such as Oracle Cloud Migrations. For information on how to create a custom role, see Create a vCenter Server Custom Role in VMware documentation.

    The privileges that you must define for the role that you create are as follows:

    1. Global: For the global category, select the following privileges:
      • Disable methods
      • Enable methods
      • Licenses
    2. Virtual machine: For the virtual machine category, select the following privileges:
      • Change configuration: Acquire disk lease
      • Provisioning: Allow read-only disk access
      • Provisioning: Allow virtual machine download
      • Snapshot management: Create snapshot
      • Snapshot management: Remove snapshot

    You can create a role by cloning an existing role. For example, you can clone the VMware Consolidated Backup user (sample role), add required global privileges, and then save the role as a new role for replication.