Migrating workloads to the cloud can be extremely rewarding. Getting there, however, can be full of challenges and pitfalls.
Fortunately, there is a five-step process that organizations can follow to ensure their journey to the cloud is both smooth and secure:
- Assess migration opportunities
- Identify the scope of change
- Build a dependency plan between applications and components
- Build the infrastructure
- Migrate to and validate the target environment
This article, which is part of a series on secure cloud migration, focuses on how to migrate your workloads securely to Google Cloud Platform (GCP) by following the five steps listed above. Each step is discussed separately below.
Assess Migration Opportunities
The first step in any migration plan is to get a clear picture of why your organization is performing a migration, and identify the benefits as well as the challenges you expect to encounter along the way.
You can do this by creating or gathering all architecture documents pertaining to your existing environment. This should include a complete list of all your assets (applications and data), as well as the ways they interact with and depend on one another.
After this, you need to analyze each asset in light of the target environment to discover which are the best candidates for migration. Some questions you’ll need to take into consideration are:
- Which additional resources will need to be migrated along with it?
- Can migrating this asset to the cloud eliminate any current technical debt?
- What other complications might arise upon migration?
To help you with this step, Google Cloud provides an abundance of self-learning resources, from documentation and whitepapers to tutorials and online courses. You also have access to multiple Google Cloud Partners, including companies such as Pythian, Atos, and Onix, that offer advanced tools to help assess migration opportunities and identify which assets should be migrated and in what order. Furthermore, customers can benefit directly from Google’s deep expertise via Google’s professional consulting services.
Determine the Scope of Change
Once you’ve identified the assets you want to migrate, you’ll need to assess the degree of change required after migration: can the application be transferred to the cloud as-is, or does it need to undergo refactoring or redesign?
The scope of change can be classified into four options: rehost, replatform, repurchase, and redesign.
Rehosting is the fastest and simplest approach to migration. The application is migrated to the cloud as-is, using a lift-and-shift approach with no changes in design.
To facilitate rehosting, Google Cloud offers several tools for data transfer, each tailored to different scenarios depending on factors such as the size of the dataset being transferred and the available bandwidth. These include the gsutil tool, Storage Transfer Service, and Transfer Appliance.
When replatforming, applications undergo a few small yet powerful changes to take full advantage of features that are unique to the cloud. In Google Cloud, for example, applications can start using Google Cloud Databases, which cover a wide range of storage options such as Cloud SQL, a fully managed relational database service, and Firebase Realtime Database, a cloud-hosted NoSQL database that allows you to store and sync data between your clients in real time.
Repurchasing means purchasing or licensing your application directly from Google Cloud Marketplace, where you can find numerous products and services designed for the cloud. By doing this, you kill two birds with one stone: Using Microsoft License Mobility, you won’t have to pay any additional software licensing fees, and once the data is transferred, your application should work smoothly with no refactoring or redesign necessary.
Redesigning involves modifying the application. Although this is the most expensive and time-consuming option, it can produce many long-term benefits and serve as an opportunity to adopt a service-oriented architecture approach. For Google Cloud users, applications can leverage Google microservices such as Cloud Functions, an event-driven serverless compute platform, and Cloud Pub/Sub, used for global messaging and event ingestion.
Map Dependencies and Create a Security Plan
In this stage, you plan the actual migration process and the optimal order of asset migration. Since migration can become complicated, companies often start small, first migrating just one application to validate the process before moving any of their mission-critical and major revenue-producing products to the cloud. Another key consideration here involves technical dependencies, business considerations, and operational issues, all of which should be taken into account when planning the order of migration.
At this point, you’ll also be handling one of the most important aspects of migration: security. Many companies make the mistake of emphasizing security after the migration, overlooking the hazards that can occur during the complicated process of transferring data to the cloud. You need to plan security measures ahead of time, to ensure that your applications are secure immediately.
Google Cloud Armor is usually an important part of web application security for any GCP deployment. However, it is a security framework, not a complete security solution. Reblaze can convert Cloud Armor into an autonomous, comprehensive web security platform.
Another useful service is GCP’s Cloud Security Command Center, which offers numerous security features:
- Discovering and protecting sensitive data with Cloud DLP API (Cloud Data Loss Prevention)
- Access control monitoring
- Cloud Audit Logs to investigate threats
- Real-time alerts and remediation with Pub/Sub messaging and Cloud Functions
Combining these services with a Google partner such as Reblaze guarantees you’ll have the optimal security posture needed for migration.
Creating the Infrastructure
Now that you have a solid and secure migration plan, it’s time to provision your cloud resources on Google Cloud. Cloud Deployment Manager simplifies this process with flexible templates that allow you to provision resources for your application declaratively using YAML.
Google Cloud also supports an infrastructure-as-code approach (necessary for immutable infrastructure, and an important part of DevSecOps on GCP), which allows you to provision and configure an entire environment via simple commands and configuration files. Terraform and Ansible are two open-source solutions that have partnered with Google Cloud, and they allow the deployment of your cloud infrastructure using this approach.
Migrate and Validate
Now that your infrastructure is ready, there’s nothing left to do except perform the migration itself. This stage also involves validation, i.e., making sure your data has maintained its integrity and consistency.
There are three main approaches to transferring data from on-premises to Google Cloud.
Firstly, you can connect to the cloud via a public internet connection. In this case, you should take into consideration that your ISP’s routing and capacity can affect network throughput. A second option is to use Direct Peering, where data transfers occur between your network and Google’s Edge Points of Presence (PoPs), avoiding the public internet and resulting in fewer hops. Finally, there is Cloud Interconnect, which uses Google or a Cloud Interconnect service provider to connect directly to Google Cloud. This last option can help bypass the public internet and also delivers more consistent throughput if you’re dealing with large data migrations.
For the actual transfer, Google’s gsutil tool is an optimal and reliable tool for transferring small to medium datasets (less than a few TBs) from an on-premises data center to Google Cloud. If you’re dealing with large-scale transfers and have sufficient bandwidth to make the transfer, Storage Transfer Service is the best solution for you. It supports both full copies and incremental copies, has a very easy-to-use interface, and comes with extensive error-reporting. It can also limit any potential impacts your migration might have on other workloads.
Transfer Appliance is the optimal solution in the case of large-scale data transfers and limited network connection. If you have data centers in remote locations where bandwidth is low or nonexistent, this is a great option since it operates offline. However, this option is only available in certain countries and usually incurs high latency.
Google Cloud provides a broad range of built-in validation testing to ensure data is both consistent and complete. To check that data is consistent, you can load a data sample into Google’s Transformer Page to identify mismatched, outlying, and duplicate values and then perform data-range checks as well as permitted-character checks. To check data completeness, Google provides simple tools to locate missing, null, or unrepresented values.
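The integrity part of this validation can also be checked independently of any tool. The sketch below is an added example, not code from the original article: it hashes the source files, then compares them with a destination listing. The listing is assumed to be built from each object's `md5Hash` metadata, and all function names and sample files are hypothetical.

```python
import base64
import hashlib
import os
import tempfile

def md5_b64(data):
    """Base64-encoded MD5, the encoding Cloud Storage uses for an object's md5Hash."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")

def local_manifest(root):
    """Map each file under root (relative path, '/' separators) to its base64 MD5."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:  # sample files are small; stream large ones
                manifest[os.path.relpath(full, root).replace(os.sep, "/")] = md5_b64(fh.read())
    return manifest

def compare(source, destination):
    """Classify every object name; destination maps name -> md5Hash or None."""
    report = {"missing": [], "mismatch": [], "unverified": []}
    for name, src_hash in sorted(source.items()):
        if name not in destination:
            report["missing"].append(name)
        elif destination[name] is None:
            # Composite objects carry a CRC32C but no MD5, so they need a CRC32C check.
            report["unverified"].append(name)
        elif destination[name] != src_hash:
            report["mismatch"].append(name)
    report["unexpected"] = sorted(set(destination) - set(source))
    return report

def demo():
    """Build a constructed source tree and a constructed destination listing, then compare."""
    files = {"db/users.csv": b"id,name\n1,alice\n", "db/orders.csv": b"id,total\n1,9.99\n",
             "app.conf": b"mode=prod\n", "archive.tar": b"x" * 4096}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        source = local_manifest(root)
    destination = dict(source)
    destination["db/orders.csv"] = md5_b64(b"id,total\n")  # truncated upload
    del destination["app.conf"]                            # never copied
    destination["archive.tar"] = None                      # composite object, no md5Hash
    destination["stray.tmp"] = md5_b64(b"")                # not present at the source
    return compare(source, destination)

if __name__ == "__main__":
    print(demo())
```

An MD5 match shows the bytes arrived unchanged. It catches transfer corruption and truncation, not deliberate tampering by someone able to rewrite both the object and its metadata.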
From a security standpoint, Google Cloud has partnered with companies such as ClearObject and MavenCode that can perform penetration testing for your entire environment, making sure no data leakages occur. You’ll also need to perform other basic tests, such as for network security, IAM policies, key management, patching, and data encryption.
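One of the IAM policy tests mentioned above, as an added example that is not part of the original article: a check that reads an IAM policy in its JSON form and flags public members, service accounts holding basic roles, and identities outside your own domains. The sample policy, the allowed domain and the finding labels are constructed for illustration.

```python
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample in the bindings/members shape of an IAM policy, e.g. as printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:migrate@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers", "group:ops@example.com"]},
    {"role": "roles/cloudsql.client", "members": ["user:contractor@example.net"]}
  ],
  "version": 1
}
""")

def audit_policy(policy, allowed_domains):
    """Return (finding, role, member) tuples for bindings that break least privilege."""
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                # Anyone on the internet (or any Google account) gets this role.
                findings.append(("public", role, member))
                continue
            kind, _, ident = member.partition(":")
            if kind == "serviceAccount" and role in BASIC_ROLES:
                # A leaked key for this account would grant broad project access.
                findings.append(("basic-role-service-account", role, member))
            elif kind in ("user", "group"):
                if ident.rpartition("@")[2].lower() not in allowed:
                    findings.append(("external-identity", role, member))
            elif kind == "domain" and ident.lower() not in allowed:
                findings.append(("external-identity", role, member))
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, {"example.com"}):
        print(finding)
```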
Migrating to Google Cloud can be a powerful move, bringing to your workloads the benefits of the public cloud, including flexibility and data protection capabilities. However, before you hop on, you’ll need to have a solid, well-thought-out migration plan in place.
There are many native Google Cloud tools and Google partners that can support you along the way, from assessing opportunities and mapping dependencies to provisioning resources and validating your data post-migration.
If you have questions on any of the above, feel free to contact us.