Microsoft Workloads on AWS

How to create Windows Server Bring-Your-Own-License AMIs from on-premises with VM Import/Export

By Garry Singh, Senior Microsoft Solutions Architect and Sepehr Samiei, Senior Microsoft Solutions Architect

If you’re thinking of running your Microsoft Windows or Microsoft SQL Server applications on AWS, you’re not alone. We’ve spent 11 years helping thousands of customers run their most critical Microsoft workloads on AWS. Because we’re committed to helping you run your applications where you want, in December we launched a simplified Bring-Your-Own-License (BYOL) experience as an easier way to bring, and manage, existing licenses for Microsoft Windows Server and SQL Server to AWS.

Why does this matter? With this new BYOL experience, customers can use their existing Windows Server or SQL Server licenses to create virtual machines (VMs) in Amazon Elastic Compute Cloud (EC2) while AWS takes care of managing licenses to ensure compliance to licensing rules. We want you to have the best experience with Windows and SQL Server, and we’ve worked hard to ensure we can deliver this on AWS.

So let’s talk about how to get started. In this blog, I address how to use Windows Server Bring-Your-Own-License (BYOL) when importing a Windows VM image as an AMI with AWS Dedicated Hosts. In addition, I cover AWS License Manager configurations so that you can automatically track Windows license usage on AWS Dedicated Host through an AWS License Manager Host Resource group. Ready? Let’s go!

Rehosting for immediate savings

While there are different migration strategies for moving applications to the cloud, many organizations choose the simplest: rehosting. McKinsey’s research indicates that rehosting applications in the cloud results in 30–40 percent cost savings, a finding consistent with our customer experience. So what’s the process?

Customers can easily rehost workloads onto VMs on Amazon Elastic Compute Cloud (Amazon EC2). Enterprises typically maintain VM templates to provide a standard operating environment for provisioning on-premises VMs. They can use the same templates in AWS to standardize their operating system environment across both cloud and on-premises environments.

Amazon EC2 VM Import/Export can automate the import of on-premises VM templates into an Amazon Machine Image (AMI), so you keep a standard operating system environment while continuing to use your existing Windows licenses. Customers typically use EC2 VM Import in the following ways:

  • Bringing Windows licenses to AWS Dedicated Hosts by importing license-included images.
  • Migrating existing applications or workloads to AWS where lift-and-shift is difficult.
  • Deploying new applications or workloads to AWS using a standard OS image catalog and templates.
  • Creating a repository of images for disaster recovery.

About VM Import/Export

VM Import provides the ability to import a VM from your virtualization environment to Amazon EC2 as an Amazon Machine Image (AMI). With VM Import/Export, you can launch EC2 instances from your AMI at any time. Additionally, you can export a VM that was previously imported from your virtualization environment. You can also import disks as Amazon EBS snapshots. Finally, VM Import supports Elastic Network Adapter (ENA) drivers for Linux. ENA support is enabled only if the ENA and/or NVMe drivers are installed in the original VM. For this tutorial, we recommend installing the latest drivers.

Accessing VM Import/Export

VM Import/Export is accessible using the AWS Command Line Interface (CLI), AWS Tools for Windows PowerShell, Amazon EC2 API, and AWS Software Development Kits (SDKs) and Tools. We use AWS CLI in this blog to import VM images as an AMI.

If you have not already installed the AWS CLI, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

Supportability

Before we start, it is important to highlight the operating systems and image formats that VM Import/Export supports, and to understand the limitations on importing instances and volumes.

Image formats

VM Import/Export supports the following image formats for importing both disks and VMs:

  • Open Virtual Appliance (OVA) image format, which supports importing images with multiple hard disks.
  • Stream-optimized ESX Virtual Machine Disk (VMDK) image format, which is compatible with VMware ESX and VMware vSphere virtualization products.

Note: you can only import VMDK files into Amazon EC2 that were created through the OVF export process in VMware.

  • Fixed and Dynamic Virtual Hard Disk (VHD/VHDX) image formats, which are compatible with Microsoft Hyper-V, Microsoft Azure, and Citrix Xen virtualization products.
  • Raw format for importing disks and VMs.

Volume types and file systems

VM Import/Export supports importing Windows MBR-partitioned volumes and GUID Partition Table (GPT) partitioned volumes that are formatted using the NTFS file system. For GPT-partitioned volumes, only VHDX is supported as an image format.

Operating systems

VM Import/Export supports Windows and Linux operating systems. For a detailed list of supported operating systems, see the VM Import/Export Requirements.

Limitations

UEFI/EFI boot partitions are supported only for Windows boot volumes with VHDX as the image format. Otherwise, a VM’s boot volume must use Master Boot Record (MBR) partitions. In either case, the boot volume cannot exceed 2 TiB (uncompressed) due to MBR limitations. Additional non-bootable volumes may use GUID Partition Table (GPT) partitioning, but cannot be bigger than 16 TiB. If you are using the VMIE APIs (instead of AWS Server Migration Service), you must construct a manifest file for disks larger than 4 TiB. For more information, see VM Import Manifest.

Licensing for Windows

Windows Server operating systems support either BYOL or AWS licenses. Your licensing option is defined when creating a new VM Import task using the --license-type parameter, with a value of Auto, AWS, or BYOL. We use BYOL as the value of the license-type parameter to import the Windows Server OS as an AMI.

Note: If you choose Auto (the default), the AWS license is used if the VM has a server OS.

There are specific rules that apply when you use your BYOL Microsoft license, either through MSDN or Windows Software Assurance Per User. The rules are defined in the Licensing for Windows section of VM Import/Export Requirements.

VM Import pre-requisite configuration

Create an S3 bucket

  1. Create an S3 bucket to store the exported image. When creating the S3 bucket, make sure that it is located in the Region that is used for the image import. Also, make sure to use a private bucket so that the data is not exposed to the public.

For this blog, I’ve created an S3 bucket named ‘vmimport-syd’ and have granted the required user access to the S3 bucket as shown in the subsequent step.

Setting up the account and granting Amazon S3 permissions

Required permissions for VM Import user

  1. Create a new IAM user that is used to import your VM. I refer to the user as ‘VM Import user’ in this blog.
  2. Log in to the console as an IAM user that has permission to change IAM policy for VM Import user.

Note: You must define user permissions to use VM Import/Export. The permissions allow the VM Import user to access all AMIs across the account.

  3. Before you use the following IAM policy, change the bucket name in the ‘Resource’ section of the policy to the name of the bucket you created in Step 1. In the example I have used the S3 bucket ‘vmimport-syd’ created in Step 1.

Note: The Resource section has two entries pointing to the same S3 bucket; the second one ends in ‘/*’ and covers the objects inside the bucket. Be careful when changing the bucket name: a mismatch or a stray character in either ARN causes the import to fail.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": ["arn:aws:s3:::vmimport-syd", "arn:aws:s3:::vmimport-syd/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
        "ec2:CreateImage",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeTags",
        "ec2:ImportInstance",
        "ec2:ImportVolume",
        "ec2:ImportImage",
        "ec2:ImportSnapshot",
        "ec2:DescribeImages",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:DescribeSnapshots",
        "ec2:CancelImportTask"
      ],
      "Resource": "*"
    }
  ]
}

VM Import/Export requires a role to perform certain operations on your behalf. You must create a service role named vmimport with a trust relationship policy document that allows the VM Import/Export service to assume this service role and attach the IAM policy. For more information, see IAM Roles in the IAM User Guide.

We use the CLI to create the service role. You can also use the AWS console to create the service role and assign the trust relationship and role policy. Make sure the IAM user creating the trust policy has permissions to do so.

  1. Create a file named trust-policy.json on your computer.
  2. Add the following policy to the file:
    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Effect": "Allow",
             "Principal": { "Service": "vmie.amazonaws.com" },
             "Action": "sts:AssumeRole",
             "Condition": {
                "StringEquals": {
                   "sts:Externalid": "vmimport"
                }
             }
          }
       ]
    }

  3. Use the following command to create a role named vmimport and grant VM Import/Export access to it. Specify the full path to the location of the trust-policy.json file that you created in the previous step, including the file:// prefix, as shown in the following example:

C:\> aws iam create-role --role-name vmimport --assume-role-policy-document file://C:\import\trust-policy.json

  1. Create a file named role-policy.json with the following policy, where vmimport-syd is the bucket for disk images.
    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Effect":"Allow",
             "Action":[
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
             ],
             "Resource":[
                "arn:aws:s3:::vmimport-syd",
                "arn:aws:s3:::vmimport-syd/*"
             ]
          },
          {
             "Effect":"Allow",
             "Action":[
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
             ],
             "Resource":"*"
          },
          {
             "Effect":"Allow",
             "Action":[
                "license-manager:GetLicenseConfiguration",
                "license-manager:UpdateLicenseSpecificationsForResource",
                "license-manager:ListLicenseSpecificationsForResource"
             ],
             "Resource":"*"
          }
       ]
    }

  2. Change the bucket name from vmimport-syd to the name of the bucket you created in step 1 of the “Create an S3 bucket” section.
  3. Use the following command to attach the policy to the role created previously, making sure that you specify the full path to the location of the role-policy.json file:

C:\> aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://C:\import\role-policy.json
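The note above warns that a wrong bucket name or a stray character in either S3 ARN makes the import fail, and the trust policy only works with the vmimport role name and ExternalId. The following helper is an added example, not code from the post or from AWS: it builds the vmimport trust policy and the S3 part of the role policy for a given bucket, and checks both documents for those pitfalls before you pass them to create-role and put-role-policy. The function names and the error strings are my own.

```python
import re

# Added helper, not from the post: build the vmimport trust and role policies
# for a staging bucket, then check the pitfalls the post warns about (a stray
# space in the bucket ARN, a missing "bucket/*" object ARN, wrong ExternalId).
S3_ARN_RE = re.compile(r"^arn:aws:s3:::([a-z0-9.-]{3,63})(/\*)?$")

def bucket_arns(bucket):
    # Every S3 statement needs both: the bucket ARN and the objects-in-bucket ARN.
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]

def role_policy(bucket):
    """S3 part of the vmimport role policy for one staging bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
        "Resource": bucket_arns(bucket)}]}

def trust_policy(external_id="vmimport"):
    """Trust policy letting the VM Import/Export service assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "vmie.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:Externalid": external_id}}}]}

def check_s3_resources(policy):
    """Return the problems found in the S3 ARNs of an IAM policy document."""
    problems = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        forms = {}  # bucket name -> {False: bucket ARN seen, True: /* ARN seen}
        for arn in ([res] if isinstance(res, str) else res):
            if ":s3:" not in arn:
                continue  # "*" or an EC2 resource; nothing to check here
            m = S3_ARN_RE.match(arn)
            if not m:
                problems.append(f"malformed S3 ARN {arn!r}")
                continue
            forms.setdefault(m.group(1), set()).add(bool(m.group(2)))
        for name, kinds in forms.items():
            if kinds != {False, True}:
                problems.append(f"bucket {name}: list both the bucket ARN and {name}/*")
    return problems

def check_trust(policy, role_name="vmimport"):
    """The service principal and ExternalId the vmimport role must carry."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Principal", {}).get("Service") != "vmie.amazonaws.com":
            problems.append("Principal must be the service vmie.amazonaws.com")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = {k.lower(): v for k, v in cond.items()}.get("sts:externalid")
        if ext != role_name:
            problems.append(f"sts:ExternalId must equal the role name {role_name!r}")
    return problems
```

Run check_s3_resources over the VM Import user policy as well, since it carries the same pair of bucket ARNs.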

Importing on-premises VM images

Export the VM

  1. Export the VM image from your on-premises environment in any of the supported formats. The export process varies between VMware, Hyper-V and Citrix platforms. I have used a VM image disk (.vhdx) exported from Hyper-V for this example.

Note: Before you export the VM image, make sure it is configured for the export process. The VM Import/Export Requirements documentation describes the required configuration for VM export.

Import the VM

  1. After you upload your VM image file to Amazon S3 created in step 1 of the “VM Import pre-requisite configuration” section, use the AWS CLI to import the image.

The tools accept either the Amazon S3 bucket and path to the file or a URL for a public Amazon S3 file. Private Amazon S3 files require a presigned URL.

The following examples use the AWS CLI command import-image to create import tasks.

  2. Import the VM as BYOL, using the VM Import user to run the following command:

C:\> aws ec2 import-image --description "Win2012R2_Firstdisk" --disk-containers file://C:\import\containers.json --license-type BYOL

    The following is an example containers.json file.
[
  {
    "Description": "Win2012R2_Firstdisk",
    "Format": "VHDX",
    "UserBucket": {
        "S3Bucket": "vmimport-syd",
        "S3Key": "vms/Win2012R2.vhdx"
    }
  }
]

The output of the command is as follows. To check the status of the AMI import, take note of the Import Task ID.

Figure 1 – Screenshot of the Import Task ID in the command output

  3. Verify the status of your import by running the following command, replacing "import-ami-0cce9e33f76c429bd" with the Import Task ID captured in the previous step:

C:\> aws ec2 describe-import-image-tasks --import-task-ids import-ami-0cce9e33f76c429bd

The following screenshot shows the status when the image was being converted followed by screenshots of preparing AMI and completion of import process.

Figure 2 – Screenshot of Image Conversion

Figure 3 – Screenshot of AMI Preparation

Figure 4 – Screenshot of Completion of Image Import

Once the image is imported, its snapshot can be found under the Snapshots section of the EC2 service in the AWS console, as shown in the following screenshot. You can search for the snapshot using the Import Task ID and the Snapshot ID highlighted in the preceding Figure 4.

Screenshot of the snapshot ID in the EC2 console
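Rather than re-running describe-import-image-tasks by hand and reading the screenshots, the status check in step 3 and the snapshot lookup above can be automated. The following is an added example, not code from the post or from AWS: it polls a describe function until the task is terminal and returns the AMI and snapshot IDs. The describe function is injected, so the same loop runs against boto3 (lambda tid: ec2.describe_import_image_tasks(ImportTaskIds=[tid])) or against the constructed responses embedded below, whose AMI and snapshot IDs are made-up placeholders.

```python
import time

# Added example, not from the post: poll describe-import-image-tasks until the
# task reaches a terminal state, then report the AMI and snapshot IDs. describe()
# is injected so the loop runs against boto3 or the constructed responses below.
TERMINAL = {"completed", "deleted"}

def summarize(response):
    """Reduce one DescribeImportImageTasks response to what an operator needs."""
    task = response["ImportImageTasks"][0]
    return {
        "task_id": task["ImportTaskId"],
        "status": task["Status"],                   # active | completed | deleted
        "message": task.get("StatusMessage", ""),   # converting, preparing ami, ...
        "progress": int(task.get("Progress", 0) or 0),
        "license": task.get("LicenseType"),
        "image_id": task.get("ImageId"),
        "snapshots": [d["SnapshotId"] for d in task.get("SnapshotDetails", [])
                      if d.get("SnapshotId")],
    }

def wait_for_import(describe, task_id, sleep=time.sleep, max_polls=120):
    """Poll with capped backoff; return the final summary or raise on failure."""
    delay = 15
    for _ in range(max_polls):
        summary = summarize(describe(task_id))
        if summary["status"] in TERMINAL:
            if summary["status"] != "completed" or not summary["image_id"]:
                raise RuntimeError(f"import {task_id} ended {summary['status']}: {summary['message']}")
            return summary
        sleep(delay)
        delay = min(delay * 2, 120)
    raise TimeoutError(f"import {task_id} still {summary['status']} after {max_polls} polls")

# Constructed responses mirroring the shape of the CLI output (IDs are made up).
SAMPLE = [
    {"ImportImageTasks": [{"ImportTaskId": "import-ami-0cce9e33f76c429bd",
        "Status": "active", "StatusMessage": "converting", "Progress": "12",
        "LicenseType": "BYOL", "Platform": "Windows",
        "SnapshotDetails": [{"Format": "VHDX", "DiskImageSize": 21474836480.0,
            "UserBucket": {"S3Bucket": "vmimport-syd", "S3Key": "vms/Win2012R2.vhdx"}}]}]},
    {"ImportImageTasks": [{"ImportTaskId": "import-ami-0cce9e33f76c429bd",
        "Status": "active", "StatusMessage": "preparing ami", "Progress": "90",
        "LicenseType": "BYOL", "SnapshotDetails": [{"SnapshotId": "snap-0EXAMPLE00000001"}]}]},
    {"ImportImageTasks": [{"ImportTaskId": "import-ami-0cce9e33f76c429bd",
        "Status": "completed", "ImageId": "ami-0EXAMPLE000000001",
        "LicenseType": "BYOL", "SnapshotDetails": [{"SnapshotId": "snap-0EXAMPLE00000001"}]}]},
]

def replay(responses):
    """Fake describe() that returns the constructed responses in order."""
    it = iter(responses)
    return lambda task_id: next(it, responses[-1])
```

A task whose Status becomes deleted (for example after cancel-import-task) is reported as a RuntimeError instead of being polled forever.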

AWS License Manager Integration to track Windows Server BYOL

Configure License Manager and Dedicated Host

To use AWS License Manager to track Windows Server BYOL licenses on AWS Dedicated Host, I use License Configuration and Host Resource Group. This Host Resource Group is used to launch a BYOL Windows Server instance to provide elasticity and a cloud-like experience on Dedicated Host.

  1. On the EC2 Service section of AWS console, create a Dedicated Host Allocation. Make sure that you check the Support multiple instance type box to launch multiple instance types in the same EC2 instance family.
  2. Under License Manager, create a License Configuration and associate the imported AMI with the configuration.
  3. Create a Host Resource Group in License Manager and associate it with the License Configuration defined in previous step.

Launch BYOL instance and track license consumption

  1. After clicking Launch Instance under EC2, select the imported AMI under My AMIs. I’ve used the AMI named ‘import-ami-0cce9e33f76c429bd’ that we captured during the import process.
  2. Select the same instance family as the Dedicated Host type. For example, if the Dedicated Host instance family is m5, select m5.large.

Note: if you have not configured the Dedicated Host to support multiple instance types, you will be restricted to only one instance type.

  3. Under the Configure Instance Details page, verify that the Tenancy is set to Dedicated Host. This should happen by default, since we are using a BYOL AMI that can only be launched on a Dedicated Host.
  4. Check the box for Host Resource Group name and choose the group we created in step 3 of the previous section.
  5. Launch the instance.

After the instance is launched, the number of consumed cores in License Manager increases to the number of cores used by Dedicated Host.

Screenshot of the number of consumed cores in the License Manager console

Cleanup

After the VM is imported successfully, it is recommended to delete the S3 bucket if it is not used for any other storage purpose, or at least to delete the image exported from on-premises. By deleting the exported image or bucket, you avoid paying storage costs for images you no longer need.

Summary

At AWS, our concern is to help our customers get the most value from their preferred software, which is why we’ve spent over a decade helping customers be successful with Microsoft technologies. As you migrate your on-premises Microsoft workloads to AWS, you have flexibility with licensing options. Customers can choose from a variety of available licensing options, including buying license-included AWS instances with a pay-as-you-go model and bringing your own licenses.

We also make it easier to bring your existing VM image catalog to AWS without recreating the images using EC2 VM Import/Export. In addition, you can use the new, simplified, Bring-Your-Own-License (BYOL) experience to easily bring and manage your existing licenses for Microsoft Windows Server to AWS Dedicated Hosts. Whether you’re running Windows or Linux, SQL Server or MySQL, we want you to be successful.

To learn more about migrating Windows Server or SQL Server, visit Windows on AWS. For more information on how AWS can help you modernize your legacy Windows applications, check our Modernization page. Contact us to start your modernization journey today.

Ang Huang
