Menu
AWS Database Migration Service
User Guide (Version API Version 2016-01-01)

Setting Up a Network for Database Migration

AWS DMS always creates the replication instance in an Amazon Virtual Private Cloud (Amazon VPC), and you specify the VPC where your replication instance is located. You can use your default VPC for your account and region, or you can create a new VPC. The VPC must have two subnets in at least one Availability Zone.

The Elastic Network Interface (ENI) allocated for the replication instance in your VPC must be associated with a security group that has rules that allow all traffic on all ports to leave (egress) the VPC. This approach allows communication from the replication instance to your source and target database endpoints, as long as correct egress rules are enabled on the endpoints. We recommend that you use the default settings for the endpoints, which allows egress on all ports to all addresses.

The source and target endpoints access the replication instance that is inside the VPC either by connecting to the VPC or by being inside the VPC. The database endpoints must include network ACLs and security group rules (if applicable) that allow incoming access from the replication instance. Depending on the network configuration you are using, you can use the replication instance VPC security group, the replication instance's private or public IP address, or the NAT Gateway's public IP address. These connections form a network that you use for data migration.

Network Configurations for Database Migration

You can use several different network configurations with AWS Database Migration Service. The following are common configurations for a network used for database migration.

Configuration with All Database Migration Components in One VPC

The simplest network for database migration is for the source endpoint, the replication instance, and the target endpoint to all be in the same VPC. This configuration is a good one if your source and target endpoints are on an Amazon Relational Database Service (Amazon RDS) DB instance or an Amazon Elastic Compute Cloud (Amazon EC2) instance.

The following illustration shows a configuration where a database on an Amazon EC2 instance connects to the replication instance and data is migrated to an Amazon RDS DB instance.


                             AWS Database Migration Service All in one VPC example

The VPC security group used in this configuration must allow ingress on the database port from the replication instance. You can do this by either ensuring that the security group used by the replication instance has ingress to the endpoints, or by explicitly allowing the private IP address of the replication instance.

Configuration with Two VPCs

If your source endpoint and target endpoints are in different VPCs, you can create your replication instance in one of the VPCs and then link the two VPCs by using VPC peering.

A VPC peering connection is a networking connection between two VPCs that enables routing using each VPC’s private IP addresses as if they were in the same network. We recommend this method for connecting VPCs within a region. You can create VPC peering connections between your own VPCs or with a VPC in another AWS account within the same AWS region. For more information about VPC peering, see VPC Peering in the Amazon VPC User Guide.

The following illustration shows a configuration where the source database on an Amazon EC2 instance in a VPC is connected by using VPC peering to a VPC containing the replication instance and the target database on an Amazon RDS DB instance.


                             AWS Database Migration Service replication instance

The VPC security groups used in this configuration must allow ingress on the database port from the replication instance.

Configuration for a Network to a VPC Using AWS Direct Connect or a VPN

Remote networks can connect to a VPC using several options such as AWS Direct Connect or a software or hardware VPN connection. These options are often used to integrate existing on-site services, such as monitoring, authentication, security, data, or other systems, by extending an internal network into the AWS cloud. By using this type of network extension, you can seamlessly connect to AWS-hosted resources such as a VPC.

The following illustration shows a configuration where the source endpoint is an on-premises database in a corporate data center. It is connected by using AWS Direct Connect or a VPN to a VPC that contains the replication instance and a target database on an Amazon RDS DB instance.


                             AWS Database Migration Service replication instance

In this configuration, the VPC security group must include a routing rule that sends traffic destined for a specific IP address or range to a host that can bridge traffic from the Amazon VPC into the on-premises VPN. In this case, the NAT host includes its own security group settings that must allow traffic from the replication instance’s private IP address or security group into the NAT instance.

Configuration for a Network to a VPC Using the Internet

If you don't use a VPN or AWS Direct Connect to connect to AWS resources, you can use the Internet to migrate a database to an Amazon EC2 instance or Amazon RDS DB instance. This configuration involves a public replication instance in a VPC with an Internet gateway that contains the target endpoint and the replication instance.


                             AWS Database Migration Service replication instance

To add an Internet gateway to your VPC, see Attaching an Internet Gateway in the Amazon VPC User Guide.

The VPC security group must include routing rules that send traffic not destined for the VPC by default to the Internet gateway. In this configuration, the connection to the endpoint will appear to come from the public IP address of the replication instance, not the private IP address.

You can use ClassicLink, in conjunction with a proxy server, to connect an Amazon RDS DB instance that is not in a VPC to a AWS DMS replication server and DB instance that reside in a VPC. ClassicLink allows you to link an EC2-Classic DB instance to a VPC in your account, within the same region. After you've created the link, the source DB instance can communicate with the replication instance inside the VPC using their private IP addresses. Since the replication instance in the VPC cannot directly access the source DB instance on the EC2-Classic platform using ClassicLink, you must use a proxy server to connect the source DB instance to the VPC containing the replication instance and target DB instance. The proxy server uses ClassicLink to connect to the VPC, and port forwarding on the proxy server allows communication between the source DB instance and the target DB instance in the VPC.


                        AWS Database Migration Service using ClassicLink

For step-by-step instructions on creating a ClassicLink for use with AWS DMS, see Using ClassicLink with AWS Database Migration Service.

Creating a Replication Subnet Group

As part of the network to use for database migration, you need to specify what subnets in your Amazon Virtual Private Cloud (Amazon VPC) you plan to use. A subnet is a range of IP addresses in your VPC in a given Availability Zone. These subnets can be distributed among the Availability Zones for the region where your VPC is located.

You create a replication instance in a subnet that you select, and you can manage what subnet a source or target endpoint uses by using the AWS DMS console.

You create a replication subnet group to define which subnets will be used. You must specify at least one subnet in two different Availability Zones.

To create a replication subnet group

  1. Sign in to the AWS Management Console and choose AWS Database Migration Service. Note that if you are signed in as an AWS Identity and Access Management (IAM) user, you must have the appropriate permissions to access AWS DMS. For more information on the permissions required for database migration, see IAM Permissions Needed to Use AWS DMS.

  2. In the navigation pane, choose Subnet Groups.

  3. Choose Create Subnet Group.

  4. On the Edit Replication Subnet Group page, shown following, specify your replication subnet group information. The following table describes the settings.

    
                             AWS Database Migration Service replication instance
    For This Option Do This

    Identifier

    Type a name for the replication subnet group that contains from 8 to 16 printable ASCII characters (excluding /,", and @). The name should be unique for your account for the region you selected. You can choose to add some intelligence to the name such as including the region and task you are performing, for example DMS-default-VPC.

    Description

    Type a brief description of the replication subnet group.

    VPC

    Choose the VPC you want to use for database migration. Keep in mind that the VPC must have at least one subnet in at least two Availability Zones.

    Available Subnets

    Choose the subnets you want to include in the replication subnet group. You must select subnets in at least two Availability Zones.

  5. Choose Add to add the subnets to the replication subnet group.

  6. Choose Create.