Import machine images

A machine image lets you store the configuration, metadata, permissions, and data from one or more disks for a virtual machine (VM) instance running on Compute Engine. For information about when and how to use machine images, see Machine images.

This page describes the steps that you can use to import a machine image from a virtual appliance using Migrate to Virtual Machines.

Before you begin

Enable the VM Migration API on your project. For more information about enabling the VM Migration API, see Enable Migrate to Virtual Machines services.
Ensure that the operating system on the boot disk is supported by Migrate to Virtual Machines. For more information, see Supported operating systems.

Supported formats

You can import machine image files in the following formats using Migrate to Virtual Machines:

Open Virtualization Format (OVF): One OVF file and virtual machine disk (VMDK) files in the same bucket.
Open Virtual Appliance (OVA): One OVA file containing an OVF file and VMDK files.

Machine image import process

To import a machine image to a machine image using Migrate to Virtual Machines, use the following steps:

Prepare a machine file for import

To import a machine image to a Compute Engine image, you must first prepare the machine image file for import. The following sections discuss these tasks in detail.

Add the machine image file to Cloud Storage

To import a machine image to a Compute Engine image, you must first add the machine image file to Cloud Storage. For more information, see Upload objects from a file system. For better performance, we recommend that you upload the machine image file to a bucket in the same Google Cloud in which you want to create the image.

Grant the required permissions

To import a machine image to a Compute Engine image, grant permissions as described in the following table.

Role	Permissions required	Description
Storage Object Viewer	`roles/storage.objectViewer`	In the host project, grant this permission to the Cloud VM Migration service account (`vmmigration` service account). This permission lets the service access the source machine image in the host project.
VM Migration Service Account	`roles/vmmigration.serviceAgent`	In the target project, grant this permission to the `vmmigration` service account you used in the host project. For example, if `[email protected]` is the `vmmigration` service account in the host project, you must grant this service account the `roles/vmmigration.serviceAgent` role as well to be able to create the machine image in the target project.

Choose a target project

To host the machine image, you must create or choose a target project. A target project defines the destination project for a machine image. For more information on creating or choosing a target project, see Adding a target project.

Import a machine image to Compute Engine

You can import a machine image to Compute Engine using the Google Cloud CLI or REST API commands.

When you import a machine image, Migrate to Virtual Machines creates some temporary resources, such as VMs or disks, in the target project. These temporary resources are deleted when the machine image import process is complete.

gcloud

To import a machine image to Compute Engine using the Google Cloud CLI, use the following request.

gcloud alpha migration vms machine-image-imports create IMAGE_NAME \
--source-file=SOURCE_FILE \
--location=REGION_ID \
--target-project=projects/HOST_PROJECT_ID/locations/global/targetProjects/TARGET_PROJECT

Replace the following:

IMAGE_NAME: the name of the image that you want to create. For more information on the naming rules, see Naming convention.
SOURCE_FILE: the file from which you want to import the image. Enter the path in the format gs://bucket/folder/file. To get the path of an object inside a bucket, see View object metadata. Note that you can only import images from .vmdk and .tar.gz files.
REGION_ID: the region in which you want the machine image import process to run. The machine image is created in the closest multi-region. If you want the machine image to be created in a region, ensure that singleRegionStorage is set to true. For a list of supported regions, see Regions and Zones.
HOST_PROJECT_ID: the name of the host project from which you want to migrate the machine image.
TARGET_PROJECT: the target project in which you want to create the image. If you've not already added a target project, do so using the instructions given in Add a target project.
REGION_ID: the region in which you want the machine image import process to run. The machine image is created in the closest multi-region. If you want the machine image to be created in a region, ensure that singleRegionStorage is set to true. For a list of supported regions, see Regions and Zones.

For more information, see gcloud alpha migration vms machine-image-imports.

REST

To import a machine image to Compute Engine using the REST API, use the following steps.

Create a machine image import resource using the following request.

POST https://vmmigration.googleapis.com/v1/projects/HOST_PROJECT_ID/locations/REGION_ID/imageImports?imageImportId=IMPORT_NAME
{
"cloudStorageUri": "SOURCE_FILE",
"machineImageTargetDefaults": {
"imageName": "IMAGE_NAME",
"targetProject": "projects/HOST_PROJECT_ID/locations/global/targetProjects/TARGET_PROJECT",
...
}
}

Replace the following:

HOST_PROJECT_ID: the name of the host project from which you want to migrate the machine image.
REGION_ID: the region in which you want the image import process to run. The image is created in the closest multi-region. If you want the image to be created in a region, ensure that singleRegionStorage is set to true. For a list of supported regions, see Regions and Zones.
SOURCE_FILE: the file from which you want to import the image. Enter the path in the format gs://bucket/folder/file. To get the path of an object inside a bucket, see View object metadata. Note that you can only import images from .vmdk and .tar.gz files.
IMAGE_NAME: the name of the image that you want to create. For more information on the naming rules, see Naming convention.
TARGET_PROJECT: the target project in which you want to create the image. If you've not already added a target project, do so using the instructions given in Add a target project.

In this example, IMPORT_NAME is an ID that represents the machine image import resource. When you import an image to Compute Engine, Migrate to Virtual Machines creates an first creates an image import resource. The machine image import resource represents the machine image import process. You can use the IMPORT_NAME to get the link to the image that was imported as part of the machine image import process.

See the following table for the full list of machine image import create request fields supported fields.

Field name Description

cloudStorageUri The path of the file from which you want to import the machine image. Enter the path in the format gs://bucket/folder/file. To get the path of an object inside a bucket, see View object metadata.
Note that you can only import machine images from .vmdk, .ovf, and .ova files.

machineImageTargetDefaults.targetProject

The target project in which you want to create the machine image. For more information, see target project API reference. For example,
projects/HOST_PROJECT_ID/locations/global/targetProjects/TARGET_PROJECT
In the example, replace the following:

HOST_PROJECT_ID: the name of the host project from which you want to migrate the machine image.
TARGET_PROJECT: the target project in which you want to create the image.

machineImageTargetDefaults.machine_image_name The name of the machine image to be created. For more information on the naming rules, see resource naming convention.

machineImageTargetDefaults.description (Optional) A description of the machine image.

machineImageTargetDefaults.machine_type (Optional) The machine to create the machine image with. If you don't specify the machine type, Migrate to Virtual Machines chooses a relevant machine type based on the information from the source machine image.

machineImageTargetDefaults.labels To organize your project, add labels as key-value pairs to your resources. See Labeling resources.

machineImageTargetDefaults.tags Add any tags that you want to attach to the machine image. See Manage tags for resources.

machineImageTargetDefaults.additionalLicenses

You can add up to 10 additional licenses to the VM instance created from the imported machine image using a valid URL format. For example, you can add additional licenses using the following URL format:

https://www.googleapis.com/compute/beta/projects/windows-sql-cloud/global/licenses/sql-server-2012-enterprise

machineImageTargetDefaults.service_account Specify the service account on the target project used by the machine image. By default, no service account is assigned to the machine image.
If you create a Compute Engine instance from a machine image and plan to run an application on it, the instance might need access to other gcloud CLI services and APIs. Create a service account in the target project with the necessary permissions to access these services and APIs before creating the Compute Engine instance. Then, specify that service account here. For more information, see set up a VM to run as a service account.
To attach the service account to the Compute Engine instance, your user account on the Migrate to Virtual Machines host project requires the necessary permissions. For more information, see Configuring permissions on target project service account.

machineImageTargetDefaults.shielded_instance_config (Optional) Enable Shielded VM on this instance. Shielded VMs are hardened by a set of security controls that help defend against rootkits and bootkits. See What is Shielded VM?

machineImageTargetDefaults.singleRegionStorage Set this flag to true if you want the machine image storageLocations to be a region. If you set this flag to false, the closest multi-region is selected.

machineImageTargetDefaults.skip_os_adaptation Set this flag to true if you want to skip OS adaptation.
To function properly on Google Cloud, VMs created from imported machine images require changes to be made to their configuration. These changes are referred to as OS adaptations. Migrate to Virtual Machines performs OS adaptations automatically in the machine image import process. For more information, see Adapt VM instances to run on Google Cloud.

machineImageTargetDefaults.osAdaptationParameters.licenseType

The license type you want to use for your machine image. Compute Engine supports pay as you go (PAYG) licenses and bring your own licenses (BYOL) for your deployed VMs. The default license type for a migrated VM is assigned by Migrate to Virtual Machines based on the migrated operating system, as described in Supported operating systems.
If your operating system supports multiple license types, you can override the default license type to explicitly specify a license type of PAYG or BYOL.

machineImageTargetDefaults.osAdaptationParameters.network_interfaces

Migrate to Virtual Machines lets you optionally create a machine images with multiple network interfaces (NICs). Each interface is attached to a different VPC network, giving that machine image access to different VPC networks in gcloud CLI.
Before you add additional network interfaces, be aware of the following considerations:

Attaching multiple network interfaces to the same VPC network is not supported. While the configuration might get save, the instantiation of the VM will fail.
After a Compute Engine instance is instantiated from a machine image, by using test-clone or cut-over, you cannot add or remove a network interface on the created instance. You can repeat test-clone or cut-over with different target details to recreate the instance.
To add or remove a network interface:

Select Add network interface to add an additional network interface to the Compute Engine instance. You can set all of the same options as you do with the initial network interface.

For more information, see Creating instances with multiple network interfaces.

machineImageTargetDefaults.osAdaptationParameters.generalize Set this flag to true if you want to generalize the machine image.
When you create an instance from an machine image, Windows adds some unique information to the instance. Generalization is a process that removes this information so that you can create multiple instances from the same machine image.

machineImageTargetDefaults.encryption

The Google managed encryption key that you want to use to encrypt your data during the import process. For more information, see Default encryption at rest.

Use customer-managed encryption keys (CMEK) to encrypt the data of the machine image. These encryption keys are created, managed, and owned by you. For more information, see Protect resources by using Cloud KMS keys.
When you add a CMEK, you must grant permissions as described in the following table.

Role	Permissions required	Description
Cloud VM Migration Service Account	roles/vmmigration.serviceAgent	Grant this permission to the Compute Engine service account to encrypt data of the machine image created during the import process.
Compute Engine Service Agent	roles/compute.serviceAgent	Grant this permission to the Migrate to Virtual Machines service agent to encrypt the data during the import process.

You should see a response similar to the following sample response.

{
  "name": "projects/HOST_PROJECT_ID/locations/REGION_ID/operations/OPERATION_ID",
  "metadata": {
    "createTime": "2023-10-31T09:12:26.94928636Z",
    "target": "projects/HOST_PROJECT_ID/locations/us-central1/imageImports/IMPORT_NAME",
    "verb": "create",
    "apiVersion": "v1",
    "@type": "type.googleapis.com/google.cloud.vmmigration.v1.OperationMetadata"
  }
}

Check if the machine image import job is complete by polling the operation using the following command.

GET https://vmmigration.googleapis.com/v1/projects/HOST_PROJECT_ID/locations/REGION_ID/operations/OPERATION_ID

Replace the following:

HOST_PROJECT_ID: the name of the host project from which you are migrating the machine image.
REGION_ID: the region in which you want the machine image import process to run. The machine image is created in the closest multi-region. If you want the machine image to be created in a region, ensure that singleRegionStorage is set to true. For a list of supported regions, see Regions and Zones.
OPERATION_ID: the operation ID of the migrate job.

You should see an operation completion response similar to the following sample response.

  {
    "done": true,
    "name": "projects/HOST_PROJECT_ID/locations/REGION_ID/operations/OPERATION_ID",
    "response": {
      "@type": "type.googleapis.com/google.cloud.vmmigration.v1.ImageImport",
      "name": "projects/<HOST_PROJECT_ID>/locations/us-central1/imageImports/IMPORT_NAME",
      "cloudStorageUri": "SOURCE_FILE",
      "createTime": "2023-10-31T09:04:04.413664947Z",
      "machineImageTargetDefaults": {
        "imageName": "IMAGE_NAME",
        "targetProject": "projects/HOST_PROJECT_ID/locations/global/targetProjects/TARGET_PROJECT"
      },
      "recentImageImportJobs": [
        {
          "name": "projects/HOST_PROJECT_ID/locations/us-central1/imageImports/IMPORT_NAME/imageImportJobs/image-import-job",
          "diskImageTargetDetails": {
           "imageName": "IMAGE_NAME",
           "targetProject": "projects/HOST_PROJECT_ID/locations/global/targetProjects/TARGET_PROJECT"
        },
         "state": "PENDING"
       }
      ]
    },
    "metadata": {
      "createTime": "2023-10-31T09:04:04.416740716Z",
      "endTime": "2023-10-31T09:05:36.79987142Z",
      "target": "projects/HOST_PROJECT_ID/locations/us-central1/imageImports/IMPORT_NAME",
      "verb": "create",
      "apiVersion": "v1",
      "@type": "type.googleapis.com/google.cloud.vmmigration.v1.OperationMetadata"
    }
  }

Monitor the machine image import job for completion using the following command.
```
GET https://vmmigration.googleapis.com/v1/projects/HOST_PROJECT_ID/locations/REGION_ID/imageImports/IMPORT_NAME/imageImportJobs/image-import-job
```
Replace the following:
- HOST_PROJECT_ID: the name of the host project from which you are migrating the machine image.
- REGION_ID: the region in which you want the machine image import process to run. The machine image is created in the closest multi-region. If you want the machine image to be created in a region, ensure that singleRegionStorage is set to true. For a list of supported regions, see Regions and Zones.
- IMPORT_NAME: the ID that represents the machine image import resource. When you import an machine image to Compute Engine, Migrate to Virtual Machines creates an first creates an machine image import resource. The machine image import resource represents the machine image import process. You can use the IMPORT_NAME to get the link to the machine image that was imported as part of the machine image import process.
You should see a job completion response similar to the following sample response.
```
{
  "createTime":"2023-10-31T09:12:27.053788394Z",
  "createdResources":[
    "https://www.googleapis.com/compute/v1/projects/USER_PROJECT/global/images/IMAGE_NAME"
  ],
  "diskImageTargetDetails": {
    "imageName":"IMAGE_NAME",
    "targetProject":"projects/HOST_PROJECT_ID/locations/global/targetProjects/TARGET_PROJECT"
  },
  "endTime":"2023-10-31T09:16:50.224865783Z",
  "name":"projects/HOST_PROJECT_ID/locations/us-central1/imageImports/IMPORT_NAME/imageImportJobs/image-import-job",
  "state":"SUCCEEDED"
}
```