ECS instances located in virtual private clouds (VPCs) are more secure and support more features, such as associating elastic IP addresses (EIPs), than those located in the classic network. This topic describes how to use a migration plan to migrate one or more ECS instances from the classic network to a VPC.

Prerequisites

The ECS instances that you want to migrate from the classic network to a VPC meet the following requirements:
  • The instances do not have local disks attached. If the instances have local disks attached, submit a ticket to seek advice from Alibaba Cloud on how to migrate the instances.
  • The instances have a public bandwidth higher than 0 Mbit/s. If an instance has a public IP address and a public bandwidth of 0 Mbit/s, you must upgrade the public bandwidth before you can migrate the instance. For more information, see Modify public bandwidth.
  • The instances are located in one of the following regions that support the migration plan feature: China (Qingdao), China (Beijing), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Hong Kong), US (Silicon Valley), and Singapore (Singapore).
    Note Some instances located in Hangzhou Zone C cannot be migrated from the classic network to VPCs.

Impacts of migrating an ECS instance from the classic network to a VPC

Item: Description
Amount of time required to migrate the instance: It takes about 15 minutes from the time the instance is stopped in the classic network until the instance is migrated and started in the VPC.
  Note After the computing and network resources of an instance are migrated, the instance is started in the VPC. If the instance is migrated across zones, the system continues to migrate disk data of the instance after the instance is started. Typically, it takes about 4 hours to migrate 100 GiB of disk data. During the migration, the I/O performance of disks degrades and snapshot- and disk-related features are not supported.
Instance state: During migration, the instance is stopped and then started again. We recommend that you schedule the migration for off-peak hours.
Network type: After the instance is migrated, its network type changes from classic network to VPC. For information about VPCs, see What is a VPC?.
Software authorization code: After the instance is migrated, its software authorization codes may change.
IP address:
  • The public IP address of the instance remains unchanged.
    Notice ECS instances located in VPCs do not have public network interface controllers (NICs), and use NAT devices to access the Internet. You can find only internal IP addresses inside the instances. If your applications require a public IP address visible in the instance operating system, reconsider whether to migrate your instance from the classic network to a VPC.
  • You can specify whether to retain the internal IP address of the instance when you create a migration plan to migrate the instance. You can also modify the internal IP address of the instance after the instance is migrated. For more information, see Modify a private IP address.
Disk name: Some ECS instances have their underlying virtualization technology upgraded when they are migrated from the classic network to VPCs. This may cause the disk names on the instances to change. On Linux instances, disk names follow a naming convention of vd?, such as vda, vdb, and vdc.
  • If a disk name is in the vd? format before the instance is migrated, the disk name remains unchanged after the instance is migrated.
  • If a disk name is in the xvd? format before the instance is migrated, the disk name is converted to the vd? format such as vda, vdb, or vdc after the instance is migrated. Alibaba Cloud updates the /etc/fstab file for Linux instances. However, you must check whether applications are dependent on the original disk names.
Fee:
  • You are not charged for the migration. After a subscription instance is migrated from the classic network to a VPC, a new billing cycle immediately starts and the unit price of the instance type changes. An instance located in a VPC is more cost-effective than an instance with the same configurations located in the classic network.
  • Orders for instance renewal and configuration changes that do not take effect or are unpaid are canceled. You can renew the instance and change its configurations again.
Others:
  • The ID, username, and logon password of the instance remain unchanged.
  • If the ECS instance has been added to the vServer group of a Server Load Balancer (SLB) instance before the ECS instance is migrated, the ECS instance is not automatically associated with the SLB instance after the ECS instance is migrated. You must manually add the ECS instance to the vServer group of the SLB instance. For more information, see Modify a VServer group.
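
The Disk name item above asks you to check whether applications depend on the original disk names. The following script is an added example, not part of the Alibaba Cloud procedure: it lists every hard-coded /dev/xvd? reference under the directories you pass and shows the vd? name the disk will have after migration. The sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report hard-coded /dev/xvd? references before migration.

# Map a device path to its post-migration name (/dev/xvdb1 -> /dev/vdb1).
# Paths already in the vd? format are returned unchanged.
map_disk_name() {
    printf '%s\n' "$1" | sed -E 's#^/dev/xvd([a-z]+[0-9]*)$#/dev/vd\1#'
}

# Scan regular files under the given directories and print one line per
# reference: <file>:<line number>:<old name> -> <new name>
# Comment lines are skipped. Include /etc/fstab to confirm, after the
# migration, that no xvd? entry is left behind.
find_xvd_refs() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }
            {
                rest = $0
                while (match(rest, /\/dev\/xvd[a-z]+[0-9]*/)) {
                    old = substr(rest, RSTART, RLENGTH)
                    renamed = old
                    sub(/xvd/, "vd", renamed)
                    printf "%s:%d:%s -> %s\n", file, NR, old, renamed
                    rest = substr(rest, RSTART + RLENGTH)
                }
            }' "$f"
    done
}

# Demonstration on constructed sample files (not real instance data).
demo_xvd_scan() {
    d=$(mktemp -d) || return 1
    cat > "$d/backup.conf" <<'EOF'
# constructed sample: backup job that reads a raw partition
source_device=/dev/xvdb1
mount_point=/data
EOF
    cat > "$d/fstab" <<'EOF'
/dev/vda1 / ext4 defaults 1 1
/dev/xvdc /logs ext4 defaults 0 0
EOF
    find_xvd_refs "$d" | sed "s#^$d/##" | sort
    rm -rf "$d"
}

demo_xvd_scan
```

On an instance, run find_xvd_refs against the configuration directories of your applications, for example /etc and the application's own configuration path.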

Preparations

  1. Create snapshots for the disks on the ECS instances to be migrated to back up data.

    For more information, see Create a snapshot for a disk.

  2. (Optional) If an ECS instance to be migrated is associated with an Alibaba Cloud database service, you must enable the hybrid access mode for the database service beforehand.

    In hybrid access mode, Alibaba Cloud database services are accessible to ECS instances regardless of whether the instances are located in the classic network or in VPCs. For more information, see Overview of the hybrid access mode of ApsaraDB.

  3. (Optional) If an ECS instance to be migrated is associated with an Alibaba Cloud database service (such as ApsaraDB RDS) that provides the whitelist feature, you must add the CIDR block of the destination vSwitch to the corresponding whitelists of the database service beforehand.

    For more information, see Configure a whitelist.

  4. (Optional) To ensure that services can be rapidly restored after the migration, we recommend that you configure application services to run on instance startup and monitor service availability.
  5. Disable or uninstall server security software on the ECS instances to be migrated.
    Note The device drivers of ECS instances are updated when the instances are migrated. You must disable or uninstall security software such as Safedog, Huweishen, and Yunsuo on the instances beforehand.
  6. Reserve at least 500 MiB of free space on the system disk of each ECS instance to be migrated.
  7. Make sure that the destination vSwitch has sufficient internal IP addresses available. The number of the available internal IP addresses must be greater than that of ECS instances to be migrated.

Step 1: Create a migration plan

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Maintenance & Monitoring > Migration Plan.
  3. In the top navigation bar, select a region.
  4. Click Create Migration Plan.
  5. In the Configure Migration Plan step, configure parameters in different sections and then click Next.
    1. Configure parameters in the Destination Zone and VPC section.
      Destination Zone and VPC section
      Parameter: Description
      Plan Name: Enter a name for the migration plan.
      Select a destination zone: Select a destination zone from the drop-down list. The available zones are automatically planned based on resource availability. If you want to specify a zone that is not in the drop-down list, submit a ticket.
        Note Only a single zone can be specified in each migration plan. If you want to migrate multiple ECS instances to different zones, you must create multiple migration plans.
      Destination VPC or Create a VPC: Select a destination VPC from the drop-down list. The CIDR block of the selected destination VPC determines whether to retain the internal IP addresses of the ECS instances from the classic network.
      • If you want to retain the internal IP addresses of the ECS instances, you must select a VPC that is associated with the 10.0.0.0/8 CIDR block. You can select the default option or a VPC that you created.
        • If you have not created VPCs that are associated with the 10.0.0.0/8 CIDR block, select (Default) Automatically create a VPC, CIDR block: 10.0.0.0/8 for the system to create a VPC that is associated with the 10.0.0.0/8 CIDR block.
        • If you have created a VPC that is associated with the 10.0.0.0/8 CIDR block, select the VPC.
      • If you do not want to retain the internal IP addresses of the ECS instances, you must select a VPC that is associated with a CIDR block other than 10.0.0.0/8.
    2. Configure parameters in the Instance Network Properties section.
      Instance Network Properties
      Parameter: Description
      Destination Security Group: Specify destination security groups for the ECS instances from the classic network. Valid values:
      • (Default) Clone Security Groups of Classic Network-type Instances: The security groups of the ECS instances are automatically cloned from the classic network to the destination VPC. The rules in the new security groups (clone security groups) in the VPC are the same as those in the original security groups in the classic network.

        If you set Destination VPC or Create a VPC to (Default) Automatically create a VPC, CIDR block: 10.0.0.0/8, Destination Security Group is automatically set to (Default) Clone Security Groups of Classic Network-type Instances and cannot be modified.

        Note If a security group contains rules in which other security groups are configured as sources or destinations for traffic, the security group cannot be cloned.
      • Specify Security Groups: Select one or more existing security groups from the drop-down list.
        Note Improper security group settings affect the connectivity of your ECS instances. Make sure that your security group rules meet your connectivity requirements.
      Mac Address Retention Policy: Specify which MAC address to retain for the ECS instances from the classic network. In the classic network, if an ECS instance is assigned a public IP address, the instance has a public MAC address and a private MAC address. In a VPC, each ECS instance has only a private MAC address and can have its internal IP address mapped by a NAT device to a public IP address for Internet access. You can select (Default) Private Mac Address or Public Mac Address based on your needs.
      • If your business system is associated with a MAC address, for example, if your software is associated with a MAC address for registration, retain the associated MAC address.
      • If your business system is not associated with a MAC address, select (Default) Private Mac Address or Public Mac Address.
    3. Configure parameters in the Instance Network Connectivity section.
      Instance Network Connectivity
      Parameter: Description
      Retain Internal IP Address: Specify whether to retain the internal IP addresses of the ECS instances from the classic network. If you specify to retain the internal IP addresses of the ECS instances, you must specify how to create a vSwitch. If you specify not to retain the internal IP addresses of the ECS instances, you must select a vSwitch from the drop-down list.
      • (Default) Yes: retains the internal IP addresses of the ECS instances from the classic network. If (Default) Yes is selected, you must continue to specify vSwitch Creation Policy.
        • If vSwitch Creation Policy is set to Automatic, a vSwitch is automatically created and associated with a CIDR block based on the internal IP addresses of the ECS instances. Make sure that the CIDR block that corresponds to the internal IP addresses of the ECS instances is not used. Otherwise, the vSwitch cannot be created.
          Note If you set Destination VPC or Create a VPC to (Default) Automatically create a VPC, CIDR block: 10.0.0.0/8, Retain Internal IP Address is automatically set to (Default) Yes, and vSwitch Creation Policy is automatically set to Automatic and cannot be modified.
        • If vSwitch Creation Policy is set to Manual, you must manually create a vSwitch in the specified destination zone based on the internal IP addresses of the ECS instances from the classic network.
          Note You can set vSwitch Creation Policy to Manual only when you select a user-created VPC that is associated with the 10.0.0.0/8 CIDR block for Destination VPC or Create a VPC.
      • No: does not retain the internal IP addresses of the ECS instances. You must select a vSwitch from the drop-down list.
        Note If you cannot find the vSwitches that you created in the drop-down list, the vSwitches may not be located in the specified destination zone. Create a vSwitch in the destination zone. For more information, see Work with vSwitches.
      Ensure interconnections between the migrated instances and the classic network-type instances specified in the plan over the internal network: Specify whether to allow mutual access over the internal network between migrated and unmigrated instances that are included in this migration plan. Configure this parameter based on the value of Retain Internal IP Address: (Default) Yes or No.
      • (Default) Yes:
        • If you do not want to allow mutual access over the internal network between migrated and unmigrated instances that are included in this migration plan, select (Default) No.
        • If you want to allow mutual access over the internal network between migrated and unmigrated instances that are included in this migration plan, select Yes. Then, in the Select Instances step, select all ECS instances in the classic network that require mutual access over the internal network. You can schedule different migration times for these instances to control the order in which to migrate them.
          Note ECS instances in the classic network that are not included in this migration plan cannot communicate with the ECS instances that are migrated to the specified VPC. After this migration plan is created, ECS instances cannot be added to or removed from it.
      • No:
        • If you do not want to allow mutual access over the internal network between migrated and unmigrated instances that are included in this migration plan, proceed to the Select Instances step.
        • If you want to allow mutual access over the internal network between migrated and unmigrated instances that are included in this migration plan, configure ClassicLink to link these instances to the specified VPC before you migrate them. For more information, see Connect a classic network to a VPC.
  6. In the Select Instances step, select the ECS instances and click Next.
    If you set Retain Internal IP Address to (Default) Yes and specify to allow mutual access over the internal network between migrated and unmigrated instances that are included in the migration plan, you must select all ECS instances in the classic network that require mutual access over the internal network. You can schedule different migration times for these instances to control the order in which to migrate them.
    Note ECS instances in the classic network that are not included in this migration plan cannot communicate with the ECS instances that are migrated to the specified VPC. After this migration plan is created, ECS instances cannot be added to or removed from it.

    In the following figure, the ① section shows the instances that you want to migrate first, and the ② section shows the instances that you want to migrate afterward.

    [Figure: Select Instances]
  7. In the Scheduled Migration step, set migration times for the instances and click Verify.
    The instances are stopped and then started again during the migration. We recommend that you schedule the migration for off-peak hours. An individual migration time can be specified for each instance.
    • To set a migration time for only a single instance at a time, click Schedule Migration Time in the Actions column.
    • To set a migration time for multiple instances at a time, select the instances and click Batch Schedule Migration Time.
    • To set the migration time for all of the instances at a time, click Set Unified Migration Time.
    Notice Set a late migration time for ECS instances that need to remain in the classic network but require mutual access with migrated ECS instances over the internal network. Before the migration time arrives, determine whether to migrate the ECS instances from the classic network.
  8. In the Verify dialog box, read the migration considerations and verify whether your migration plan meets the specified requirements.
    • If your migration plan meets the specified requirements, select the options and click Confirm and Create.
    • If your migration plan does not meet the requirements, an error message is displayed. You can perform troubleshooting based on the error message and create a migration plan again.

Step 2: Migrate the ECS instances

After the migration plan is created, the system migrates the specified ECS instances from the classic network to the destination VPC at the specified times. The migration is complete
During the migration, the system performs the following operations:
  1. Stop the ECS instances to be migrated.
  2. Migrate the computing and network resources of the ECS instances.
  3. Start the migrated ECS instances.
  4. Continue to migrate the disk data of the ECS instances.
  5. Complete the migration.
Note For a cross-zone migration, after the computing and network resources are migrated and the instances are started, the system continues to migrate disk data. Typically, it takes about 4 hours to migrate 100 GiB of disk data. During the migration, the I/O performance of disks degrades and snapshot- and disk-related features are not supported.

Step 3: Check the migration results

  1. In the left-side navigation pane, choose Instances & Images > Instances.
  2. Find the migrated ECS instances and click the ID of each of these instances.
  3. On the Instance Details page, check whether the network type of the instance is VPC.
    If the instances are migrated to the specified VPC, their network type changes to VPC.
  4. Check the internal network and business runtime environments.
    Scenario: Migrate all ECS instances from the classic network to a VPC
    Migration plan:
    • Set Destination VPC or Create a VPC to (Default) Automatically create a VPC, CIDR block: 10.0.0.0/8.
    • Set Ensure interconnections between the migrated instances and the classic network-type instances specified in the plan over the internal network to Yes.
    What to do next: Check whether your business system runs normally.

    Scenario: Migrate some ECS instances to a VPC and retain other ECS instances in the classic network
    Migration plan:
    • Set Destination VPC or Create a VPC to (Default) Automatically create a VPC, CIDR block: 10.0.0.0/8.
    • Set Ensure interconnections between the migrated instances and the classic network-type instances specified in the plan over the internal network to Yes.
    What to do next: Check whether your business system runs normally.

    Scenario: Other scenario
    Migration plan: Set Destination VPC or Create a VPC to a VPC that is associated with a CIDR block other than 10.0.0.0/8.
    What to do next:
    1. Check network connectivity.
    2. In this scenario, Retain Internal IP Address cannot be set to No. If your business is connected by using internal IP addresses, you must configure new internal IP addresses.
    3. Check whether your business system runs normally.

Post-migration considerations

  1. If an ECS instance runs a Linux operating system and is assigned a different internal IP address after the instance is migrated, you must modify the /etc/hosts file of the instance.
    1. Run the vi /etc/hosts command to open the hosts file.
    2. Press the I key to enter the edit mode.
    3. Change the original internal IP address to the new internal IP address for the instance.
    4. Press the Esc key to exit the edit mode.
    5. Enter :wq and press the Enter key.
  2. If you have set Retain Internal IP Address to No in the migration plan, remove the internal IP addresses that are no longer used from the whitelists of other cloud services, such as ApsaraDB RDS, SLB, Object Storage Service (OSS), and Container Service for Kubernetes, after the migration.

  3. If an instance is migrated across zones, its connectivity with other Alibaba Cloud services such as ApsaraDB RDS, ApsaraDB for Redis, and ApsaraDB for MongoDB may be affected. Adjust application configurations in a timely manner. For example, migrate the corresponding RDS instances to the same zone as the ECS instance to ensure connectivity.

    For more information, see Migrate an ApsaraDB RDS for MySQL instance across zones in the same region.

  4. If you have not restarted or upgraded the kernel of an instance for an extended period of time, problems may occur after the instance is migrated. For example, a file system check (fsck) may be performed, configuration changes may become invalid, and the instance may be unable to start.
  5. (Optional) Software authorization codes change because NICs are deleted.

    If software is associated with a MAC address on your ECS instance and the software vendor approves the migration certificate issued by Alibaba Cloud, you can re-authorize the instance to use the software. If an error occurs, you must modify the configurations or roll back the instance.

  6. (Optional) If you have not restarted an ECS instance for an extended period of time or if you have not restarted an instance after its kernel is upgraded, the system checks the file systems of the instance and updates the configurations of the instance when the instance is restarted. If your ECS instance cannot be started, submit a ticket in a timely manner to contact Alibaba Cloud.
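
The /etc/hosts change in consideration 1 can also be made without an interactive editor, which helps when many instances were migrated. The following script is an added example, not part of the Alibaba Cloud procedure; the function name, the return codes and the sample hosts file are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of editing /etc/hosts in vi.

# update_hosts_ip FILE OLD_IP NEW_IP
# Replaces OLD_IP only where it is the address field (first field) of a
# non-comment line, compared as a whole string, so 10.0.0.1 never matches
# 10.0.0.10 or a host name that merely contains the digits.
# Returns 0 if at least one line changed, 3 if OLD_IP was not found,
# 2 on a usage or I/O error. The original is kept as FILE.bak.
update_hosts_ip() {
    file=$1 old=$2 new=$3 rc=0
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    tmp=$(mktemp) || return 2
    awk -v old="$old" -v new="$new" '
        /^[ \t]*#/ || NF == 0 { print; next }
        ($1 "") == (old "") { sub(/^[ \t]*[^ \t]+/, new); changed = 1 }
        { print }
        END { exit (changed ? 0 : 3) }
    ' "$file" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        # Write through the existing file so owner and mode are preserved.
        cp -p "$file" "$file.bak" && cat "$tmp" > "$file" || rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demonstration on a constructed hosts file (addresses are samples).
demo_hosts_update() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample hosts file
127.0.0.1   localhost
10.0.0.1    app01 app01.internal
10.0.0.10   db01
EOF
    update_hosts_ip "$f" 10.0.0.1 172.16.5.20
    cat "$f"
    rm -f "$f" "$f.bak"
}

demo_hosts_update
```

On a migrated instance, run update_hosts_ip /etc/hosts with the original and the new internal IP address as root.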
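
Preparation 3 (add the CIDR block of the destination vSwitch to the whitelists) and consideration 2 above (remove internal IP addresses that are no longer used) can be checked against an exported whitelist. The following script is an added example, not Alibaba Cloud tooling; it assumes the whitelist is available as one IPv4 address or CIDR block per line, and all addresses shown are constructed samples.

```shell
#!/bin/sh
# Added example: audit a service whitelist around the migration.

# cidr_contains OUTER INNER
# Succeeds when INNER (an IPv4 address or CIDR block) lies entirely inside
# OUTER. Returns 1 when it does not, 2 when either argument is malformed.
cidr_contains() {
    awk -v outer="$1" -v inner="$2" '
        # Parse "a.b.c.d[/len]" into the globals IP and LEN; 0 on bad input.
        function parse(s,    p, o, n, i) {
            n = split(s, p, "/")
            if (n < 1 || n > 2) return 0
            if (n == 2 && p[2] !~ /^[0-9]+$/) return 0
            LEN = (n == 2) ? p[2] + 0 : 32
            if (LEN > 32 || split(p[1], o, ".") != 4) return 0
            IP = 0
            for (i = 1; i <= 4; i++) {
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
                IP = IP * 256 + o[i]
            }
            return 1
        }
        BEGIN {
            if (!parse(outer)) exit 2
            oip = IP; olen = LEN
            if (!parse(inner)) exit 2
            size = 2 ^ (32 - olen)       # number of addresses in OUTER
            ok = (LEN >= olen) && (int(oip / size) == int(IP / size))
            exit (ok ? 0 : 1)
        }' </dev/null
}

# audit_whitelist VSWITCH_CIDR "RETIRED_IP ..."   (whitelist on stdin, one
# entry per line; blank lines and # comments are ignored)
#   MISSING <cidr>  no entry covers the destination vSwitch CIDR block
#   STALE <entry>   entry is exactly a retired classic-network address
audit_whitelist() {
    vsw=$1 retired=$2 covered=no
    while IFS= read -r entry; do
        case $entry in ''|'#'*) continue ;; esac
        if cidr_contains "$entry" "$vsw"; then covered=yes; fi
        for ip in $retired; do
            if [ "$entry" = "$ip" ] || [ "$entry" = "$ip/32" ]; then
                echo "STALE $entry"
            fi
        done
    done
    if [ "$covered" = no ]; then echo "MISSING $vsw"; fi
}

# Constructed whitelist of a database instance; all values are samples.
demo_whitelist_audit() {
    audit_whitelist 172.16.5.0/24 "10.28.5.17 10.28.5.18" <<'EOF'
# application servers in the classic network
10.28.5.17
10.28.5.18/32
10.30.0.0/16
EOF
}

demo_whitelist_audit
```

A MISSING line before the migration means the migrated instances would be rejected by the service; a STALE line after the migration is an address that still has access although no instance of yours holds it any longer.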

FAQ

  • Why am I unable to open websites, use services, or read data from or write data to databases on an instance after the instance is migrated from the classic network to a VPC?

    This may be because traffic is not allowed on the required communication ports in the new security groups of your instance. We recommend that you clone the original security groups. For more information, see Clone a security group.

  • After an instance is migrated, some software cannot be used and I am prompted that the authorization code is expired or invalid or that no authorization code exists for the software. Why?
    This issue may occur due to one of the following reasons:
    • The software vendor has not approved the migration certificate issued by Alibaba Cloud. We recommend that you contact the software vendor or channel partner to submit a verification form for re-authorization.
    • The software was associated with a MAC address to register to your instance. Some software is registered to a valid environment by associating MAC addresses. After an ECS instance is migrated to a VPC, only the public or private MAC address of the instance is retained. If the MAC address with which a piece of software was associated to register is deleted, an authorization error occurs. We recommend that you contact the software vendor to check whether the software was associated with a MAC address to register to your instance. If yes, you must re-associate the MAC address of the instance with the software. For more information, see Overview.
  • Why am I no longer able to use the FTP service on an instance after the instance is migrated?
    After your ECS instance is migrated, its public NIC is deleted and the FTP service becomes unavailable. We recommend that you perform the following operations:
    1. Convert the system-assigned public IP address of an instance that is located in a VPC to an EIP.
    2. Associate an EIP with a secondary ENI in cut-through mode.
    Note Some retired instance types and entry-level instance types of the previous generation do not support ENIs. If the instance type of your instance does not support ENIs, upgrade the instance to an instance type that supports ENIs before you perform the preceding operations. For more information, see Overview of instance configuration changes.
  • I cannot find data disks on some Windows instances after the instances are migrated. What do I do?

    After some Windows instances are migrated, the disks attached to them go offline. We recommend that you perform the following steps to configure the disks to automatically go back online. For more information, see Methods for processing offline disks on Windows ECS instances.

    1. Log on to the ECS console.
    2. In the left-side navigation pane, choose Maintenance & Monitoring > ECS Cloud Assistant.
    3. Click Create or Run Command to create and run a Cloud Assistant command.
      In the Create Command panel, configure parameters described in the following table. For the parameters that are not described in the table, accept the default values. For more information, see Immediate execution.
      Parameter: Description
      Command Type: PowerShell
      Command: @("san policy=onlineall") |diskpart
      Select Instances: Select one or more Windows instances.
    4. Click Execute and Save.
  • Why am I unable to transfer files to or from an instance over FTP after the instance is migrated from the classic network to a VPC?

    ECS instances in the classic network have both public and private NICs, whereas ECS instances in VPCs have only ENIs, which are private NICs. If your applications are configured to recognize only public IP addresses, you must reconfigure the applications.

    Most FTP clients access FTP servers in passive mode. In passive mode, FTP servers must communicate their IP addresses to FTP clients. In VPCs, public IP addresses cannot be recognized and FTP servers send their internal IP addresses to FTP clients. When the clients use the internal IP addresses to access the servers, errors occur.

    When you use an ECS instance located in a VPC as an FTP server, we recommend that you communicate the public IP address of the instance to the FTP server program. The procedures to communicate the public IP addresses of ECS instances vary based on the types of FTP server programs. Find a procedure that is suitable for your FTP server program. In the following example, vsftpd is used. Open the configuration file of vsftpd and add the following content to the file:
    listen_ipv6=NO
    pasv_address=<PublicIP>
    Note Replace <PublicIP> with the system-assigned public IP address or EIP of your instance. If an EIP is associated with the instance, we recommend that you use the EIP.
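
To confirm the effect of pasv_address, inspect the 227 reply that the server sends when a client enters passive mode. The following script is an added example, not part of the Alibaba Cloud procedure: it decodes a captured reply and reports whether the advertised address is the public IP address or an internal one. The function names and the two sample replies are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check which address an FTP server advertises in passive mode.

# pasv_endpoint REPLY -> prints "ip port" decoded from a reply of the form
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; fails on malformed input.
pasv_endpoint() {
    printf '%s\n' "$1" | awk '
        /^227 / && match($0, /\([0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+\)/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), a, ",")
            for (i = 1; i <= 6; i++) if (a[i] + 0 > 255) exit 1
            printf "%d.%d.%d.%d %d\n", a[1], a[2], a[3], a[4], a[5] * 256 + a[6]
            found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Succeeds when the address is in an RFC 1918 private range.
is_private_ipv4() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_pasv_reply REPLY PUBLIC_IP
# Prints "ok" when the server advertises PUBLIC_IP, "internal" when it
# advertises a private address that Internet clients cannot reach, and
# "mismatch" for any other address. Returns non-zero unless the result is ok.
check_pasv_reply() {
    ep=$(pasv_endpoint "$1") || { echo unparsable; return 2; }
    ip=${ep% *}
    if [ "$ip" = "$2" ]; then
        echo ok
    elif is_private_ipv4 "$ip"; then
        echo internal; return 1
    else
        echo mismatch; return 1
    fi
}

# Constructed sample replies: before and after pasv_address is configured.
# 203.0.113.10 is a documentation address standing in for the public IP or EIP.
PUBLIC_IP=203.0.113.10
REPLY_BEFORE='227 Entering Passive Mode (172,16,5,20,195,80).'
REPLY_AFTER='227 Entering Passive Mode (203,0,113,10,195,80).'

echo "before: $(check_pasv_reply "$REPLY_BEFORE" "$PUBLIC_IP" || true)"
echo "after:  $(check_pasv_reply "$REPLY_AFTER" "$PUBLIC_IP" || true)"
```

The decoded port (p1 × 256 + p2) is the data port the client connects to, so the security groups of the instance must also allow the passive port range configured on the FTP server.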
