AWS-to-GCP Migration: Engineering a Reliable Transition

Competition, cost pressure, and advanced ML capabilities often drive cloud migrations. Google Cloud Platform has matured rapidly, frequently offering lower TCO (Total Cost of Ownership), more consistent egress pricing, and more efficient ML/analytics tooling—notably Vertex AI and BigQuery.

But moving production workloads from AWS to GCP exposes architectural mismatches and surface-area risk. Rushed lift-and-shift migrations often lead to bill shock, degraded reliability, or hidden dependencies emerging at cutover. Mapping out workload topology, critical-path dependencies, and expected outcomes is non-negotiable.

Assess the Existing AWS Landscape

Start assessment with cold precision: enumerate workloads, dependency graphs, implicit service links.

Tooling:

aws application-discovery-service for VM discovery.
Cloudamize or Turbonomic for business impact analytics.
Manual review still crucial for poorly documented services and in-region peerings.

Example Workload Survey

Workload	AWS Services	Core Dependency	Notes	Criticality
Shop API (Node.js)	EC2 (Amazon Linux 2.5), S3, RDS (MySQL 8.0.28)	RDS, Redis (clustered), S3	RDS custom parameter group	High
Analytics ETL	EMR 6.2, S3	Nightly HDFS batch jobs	Tight S3 ACLs, custom VPC FW	Medium
Asset CDN	S3 w/ CloudFront	public read, low churn	Signed URLs everywhere	Low

Tip: Be explicit in your inventory about network-level dependencies; these often cause outages post-migration.

Define Migration Objectives

What's non-negotiable—zero downtime, cost shrinkage, or unlocking new ML capabilities? Quantify each:

Downtime tolerance: e.g., “single 10-min window acceptable, midnight UTC”
Performance: Legacy RDS: 2,500 TPS, <40ms p99; target has to exceed.
Security context: Any workload with KMS dependencies or VPC peering? GCP IAP and CMEK equivalents must be ready.

Migration Strategy Selection

There’s rarely a one-size-fits-all approach. Consider:

Rehost (Lift-and-shift):
- Fastest; minimal code changes, but OPEX might increase.
Refactor:
- Aligns workloads with managed GCP services—RDS → Cloud SQL, EMR → Dataproc.
- Requires smoke testing, config drift management.
Rearchitect:
- Cloud-native transformation—e.g., EC2 + monolith → GKE + microservices.
- ROI highest, but so is complexity.

Gotcha: Hybrid models (e.g., partial move, phased containerization) add operational overhead—monitor both clouds’ billings and logs closely.

Preparing GCP

Networking Parity

Configure VPCs before compute resources; subnetting often mismatches AWS “default” CIDR blocks. Ensure IAM separation for projects and service boundaries.

gcloud compute networks create prod-vpc --subnet-mode=custom
gcloud compute networks subnets create prod-web \
  --network=prod-vpc \
  --region=us-central1 \
  --range=10.12.0.0/20

IAM Principles

Map AWS IAM roles to GCP IAM primitives. Example: EC2 “ReadS3” → Service account with roles/storage.objectViewer. Some AWS identities (IAM instance profiles) lack direct mapping—prefer federated identity (Workforce Identity Federation or SAML where needed).

Note: Audit GCP Org Policies early; default-deny on external image pulls catches many first migrations by surprise.

Data Migration: Storage and Databases

S3 to GCS

For TB-scale data, don’t use simple gsutil cp. Instead:

Use Storage Transfer Service.
For near-real-time workflows, consider s3_to_gcs with object change notification triggers.

gsutil -m rsync -r s3://shop-assets-bucket gs://gcp-assets-prod

Watch for S3 object versioning: GCP’s GCS versioning model diverges.

Database Transition: RDS to Cloud SQL

Best practice for MySQL 8.0.x:

Provision a matching Cloud SQL instance (recommend: db-custom-2-8192 or equivalent).
Use Database Migration Service with continuous replication (CDC/replication slot), validating replica lag.

Run full dump for off-hours validation:

mysqldump --single-transaction --routines --triggers -h <rds-endpoint> -u <user> -p > rds_backup.sql
gcloud sql import sql <CLOUDSQL_INSTANCE> rds_backup.sql

Cutover: drop connections on RDS, promote GCP instance, change endpoints in config.

Known Issue: Cloud SQL lacks built-in support for certain MySQL plugins; test for compatibility with your RDS parameter group.

Application Migration & Validation

Containers:

Rebuild any EC2-hosted apps into OCI-compliant containers (Docker ≥24.0.2 recommended). Build manifests for Google Kubernetes Engine:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: shop-api
spec:
  replicas: 4
  template:
    spec:
      containers:
      - name: shop-api
        image: gcr.io/proj/shop-api:v2.7.1
        ports:
        - containerPort: 8080

CI/CD: Integrate with Cloud Build or use GitHub Actions (google-github-actions/deploy-cloudrun@v1) for blue/green rollouts.

Functional Testing

Smoke test through external GCLB endpoint
Test database failover, replication lag
Validate IAM permission boundaries (audit logs: gcloud logging read)

Cutover: DNS, Traffic, Observability

Freeze write operations (FLUSH TABLES WITH READ LOCK; for MySQL) ahead of cutover.
Update DNS (Route 53 or other) TTL at least 24 hours before cut, so client-side caches clear. Switch to GCP’s Cloud Load Balancers.

Monitor real-time latency and error rate in GCP Monitoring (ex-Stackdriver):

gcloud monitoring metrics list --filter="metric.type=compute.googleapis.com/instance/network/received_bytes_count"

Side effect: Some application frameworks cache DNS results aggressively—test failover from AWS ENIs to GCP load balancer before final cut.

Example: E-Commerce Migration

Environment: Node.js 18 app on EC2 (Amazon Linux 2.5), RDS MySQL 8.0.28, S3/CloudFront for assets.
Target: GKE 1.28, Cloud SQL, Cloud Storage, GCP Cloud CDN.
Integration: Vertex AI Recommendations AI for product listing; batch queries landing in BigQuery.
Findings: Initial downtime required for Cloud SQL promotion (5–7 minutes in practice), S3 signed URL ACLs required manual translation to GCS signed URLs; weak IAM mapping surfaced during smoke test (missing storage.objects.list permission).

Post-Migration

Immediate review of cost reports—the GCP Console’s “cost breakdown by SKU” surfaces accidental persistent disks or over-provisioned instances early.
Benchmark with wrk, ab or k6 for HTTP APIs vs. baselines.
Turn on VPC Flow Logs. Unexpected egress traffic or RFC1918 overlap is not uncommon.

Non-obvious tip: GCP service quotas (API, IPs) are lower by default than AWS—review and pre-increase relevant limits before cutover.

Final Thoughts

Migrations between AWS and GCP never go exactly as planned. Critical success factors: detailed dependency mapping, repeated validation in staging, strict IAM parity, and solid DNS/failover planning.

If you hit a wall with uncooperative legacy services, sometimes “good enough lift-and-shift” is the pragmatic choice—optimize once stable.

For low-level anomalies (strange network ACLs, old EC2 images), drop into the cloud provider’s support ticket system preemptively—resolution times remain variable.

Questions? Hit an unexpected snag moving a hybrid workload? Share configuration fragments or gotchas you hit—every migration has at least one.

Migrate Aws To Gcp