AWS Database Migration Service
User Guide (Version API Version 2016-01-01)

Network Security for AWS Database Migration Service

The security requirements for the network you create when using AWS Database Migration Service depend on how you configure the network. The general rules for network security for AWS DMS are as follows:

  • The replication instance must have access to the source and target endpoints. The security group for the replication instance must have network ACLs or rules that allow egress from the instance out on the database port to the database endpoints.

  • Database endpoints must include network ACLs and security group rules that allow incoming access from the replication instance. You can achieve this using the replication instance's security group, the private IP address, the public IP address, or the NAT gateway’s public address, depending on your configuration.

  • If your network uses a VPN Tunnel, the EC2 instance acting as the NAT Gateway must use a security group that has rules that allow the replication instance to send traffic through it.

By default, the VPC security group used by the AWS DMS replication instance has rules that allow egress to on all ports. If you modify this security group or use your own security group, egress must, at a minimum, be permitted to the source and target endpoints on the respective database ports.

The network configurations you can use for database migration each require specific security considerations:

  • Configuration with All Database Migration Components in One VPC — The security group used by the endpoints must allow ingress on the database port from the replication instance. Ensure that the security group used by the replication instance has ingress to the endpoints, or you can create a rule in the security group used by the endpoints that allows the private IP address of the replication instance access.

  • Configuration with Two VPCs — The security group used by the replication instance must have a rule for the VPC range and the DB port on the database.

  • Configuration for a Network to a VPC Using AWS Direct Connect or a VPN — a VPN tunnel allowing traffic to tunnel from the VPC into an on- premises VPN. In this configuration, the VPC includes a routing rule that sends traffic destined for a specific IP address or range to a host that can bridge traffic from the VPC into the on-premises VPN. If this case, the NAT host includes its own Security Group settings that must allow traffic from the Replication Instance’s private IP address or security group into the NAT instance.

  • Configuration for a Network to a VPC Using the Internet — The VPC security group must include routing rules that send traffic not destined for the VPC to the Internet gateway. In this configuration, the connection to the endpoint appears to come from the public IP address on the replication instance.

  • Configuration with an Amazon RDS DB instance not in a VPC to a DB instance in a VPC Using ClassicLink — When the source or target Amazon RDS DB instance is not in a VPC and does not share a security group with the VPC where the replication instance is located, you can setup a proxy server and use ClassicLink to connect the source and target databases.

  • Source endpoint is outside the VPC used by the replication instance and uses a NAT gateway — You can configure a network address translation (NAT) gateway using a single Elastic IP Address bound to a single Elastic Network Interface, which then receives a NAT identifier (nat-#####). If the VPC includes a default route to that NAT Gateway instead of the Internet Gateway, the replication instance will instead appear to contact the Database Endpoint using the public IP address of the Internet Gateway. In this case, the ingress to the Database Endpoint outside the VPC needs to allow ingress from the NAT address instead of the Replication Instance’s public IP Address.