Part 1 of the series covered first three steps in the flowchart below

Part 2 (this post) covers the final step of network cutover. We will continue from Step 4 here.

Cloud migration steps

Step 4: Network Unextend or Cutover

Unextend the network using HCX portal by selecting the stretched networks that need to be cutover.

As soon as the network unextending task completes, the network i.e. default gateway is attached to the cloud gateway.

Network is connected in the cloud
Network is connected in the cloud

It is important to check the box to ‘Connect cloud network to cloud edge gateway’, as this is what will activate the network on the cloud side. If the box is not checked, the default gateway remains on-prem leaving the cloud network disconnected. There are situations where this box should be left unchecked, especially when not cutting over – more on that later.

The default behavior of the cloud gateway is to advertise the networks out by default, and hence these networks will now be learnt by on-prem via BGP. Just before or during the cutover, the on-prem networks can be disconnected or deleted from the on-prem router. Below example is showing B2 Router (NSX Edge in our case) but this could be any device with the network definitions.

Disconnecting the network from on-prem
Disconnecting the network from on-prem

BGP filtering in B1 can also be updated before cutover to allow these networks to be advertised by the cloud side into the on-prem.

R2#show ip prefix-list
ip prefix-list R1-DENY: 5 entries
   seq 5 permit 192.168.128.0/19 le 24
   seq 10 permit 192.168.160.0/19 le 24
   seq 15 permit 192.168.19.0/24
   seq 20 permit 192.168.48.0/24
   seq 25 permit 192.168.49.0/24
ip prefix-list R1-PERMIT: 1 entries
   seq 5 permit 192.168.0.0/16 le 32

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#no ip prefix-list R1-DENY seq 15 permit 192.168.19.0/24
R2(config)#no ip prefix-list R1-DENY seq 25 permit 192.168.49.0/24

R2#show ip prefix-list
ip prefix-list R1-DENY: 3 entries #deny list is now updated to allow the two netowrks
   seq 5 permit 192.168.128.0/19 le 24
   seq 10 permit 192.168.160.0/19 le 24
   seq 20 permit 192.168.48.0/24
ip prefix-list R1-PERMIT: 1 entries
   seq 5 permit 192.168.0.0/16 le 32

Network topology here again for quick reference. Refer part 1 for the original route tables before cutover or for additional details.

VMware Cloud connectivity topology
VMware Cloud connectivity topology

B1 Route table after cutover below. Voila, the migrated networks next hop is now cloud! Only 192.168.48.0/24 remains on-prem – probably waiting to be scheduled in the next wave.

B2 Route Table after cutover
B1 Route Table after cutover

The on-prem router (B2) now learns the networks from the cloud side via BGP (‘B’) and are not locally connected networks (‘C’) anymore!

B2 Route Table after cutover
B2 Route Table after cutover

In the above tests the connectivity resumed instantly within a handful of seconds. The route propagation is mostly instant within seconds in customer environments, and I have not come across big delays. Once everything is working as expected, the corresponding virtual port groups and remnants of the networks within the on-prem environment can be removed. The considerations shown here mostly cover BGP filtering, please leave in comments if you would like other on-prem scenarios covered.

Every environment is different! Ensure to test the end to end process to learn environment specific behavior and needs. The whole process can be easily tested using test network/workloads.

Security update

Security configuration updates may NOT be needed in cases where the traffic flows between the private segments are already allowed in the existing security rules.

Taking the below screenshot example, if the ‘cloud-subnets’ group already cover the migrated subnets (say using a supernet or dynamic grouping), there is no further action required as the migrated VMs are automatically part of the subnet and continue to access the required services. Firewalls could potentially be filtering at S1 and S2 in the layout diagram above.

Sample Firewall Rule

If the migrated subnets or workloads are not part of the security rules, they will have to be added to the relevant groups (‘cloud-subnets’ in the above example or new groups). The rules can be set and tested even before the migrations are started.

Hopefully the considerations explained above are useful. Please feel free to reach out if you would like to cover other scenarios in the future blog posts. Do leave comments and feedback, I already know what Chandler would say –

Thanks for reading.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s