Architecture components and requirements for restricted replication - AWS Prescriptive Guidance

Architecture components and requirements for restricted replication

This section provides a detailed description of the most restrictive scenario, where all communication occurs over the private channel only, and includes a detailed explanation of the requirements and corresponding components to be built for each area.

Staging subnet

The staging subnet is the most important part of the replication infrastructure. This is where all Application Migration Service replication servers will be launched, and it contains the IP addresses the replication traffic will be directed to. For inbound private data replication, configure the replication server settings for Application Migration Service with the Use private IP option.

For outbound requirements, you can use the Create public IP option to choose whether replication servers will communicate with required AWS services (Amazon S3, Application Migration Service, Amazon EC2) over private or public IP. The standard options to provide outbound internet connectivity are listed in the Application Migration Service documentation: either a public IP address with an internet gateway or a private IP address with a NAT gateway. Both options allow you to implement a simplified hybrid scenario in which data replication traffic goes over a private connection (AWS VPN or AWS Direct Connect) while replication servers communicate with AWS services over the public network. 

However, having public outbound connectivity is usually prohibited in closed corporate environments, and this is the most restrictive scenario discussed in the next section. In this case, you use AWS PrivateLink and configure the following VPC endpoints in staging subnets for replication servers:

  • VPC gateway endpoint to communicate with Amazon S3

  • VPC interface endpoints to communicate with Application Migration Service and Amazon EC2

To learn more about VPC endpoints, see the AWS PrivateLink documentation.

Source subnet

The source subnet is any subnet you are replicating from. This is where your source servers are located and where you will install AWS Replication Agent on these servers. The network requirements for an Agent include:

  • Communicating over HTTPS/TCP port 443 with AWS services such as Amazon S3 and Application Migration Service

  • Communicating with the replication server's IP address (private or public, based on its settings) 

The Agent also supports hybrid scenarios where communication with AWS services can happen over the public network (using standard HTTPS traffic) while replication data is sent over private networks to the private IP of the replication server.

This guide focuses on a more restrictive scenario where even HTTPS traffic to AWS services isn't allowed from source systems, so the following endpoints are configured in the staging subnet:

  • VPC interface endpoints for Application Migration Service and Amazon S3 (Regional interface endpoint, not the gateway endpoint that's required for replication servers)

  • An inbound DNS resolver endpoint, to allow on-premises sources and DNS servers to resolve private IP addresses for VPC endpoints, located in the staging subnet
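The endpoint set described for the staging subnet above (an S3 gateway endpoint plus interface endpoints for Application Migration Service and Amazon EC2) together with the additions for on-premises sources (a Regional S3 interface endpoint and an inbound DNS resolver endpoint), expressed as a single Terraform configuration. This is an added example, not configuration from the AWS guide or from the Application Migration Service project; the variable names, the security group name and the resolver endpoint name are assumptions, and the Region, VPC, subnet and route table IDs are placeholders you supply.

```hcl
# Added example (not from the AWS guidance page): the VPC endpoints and the
# inbound Route 53 Resolver endpoint for the restricted-replication design.
# All variable values are placeholders supplied by the operator.

variable "region" { type = string }
variable "vpc_id" { type = string }
variable "vpc_cidr" { type = string }
variable "onprem_cidr" { type = string } # source subnets reached over VPN / Direct Connect

# At least two staging subnets in different Availability Zones: the inbound
# resolver endpoint requires a minimum of two IP addresses.
variable "staging_subnet_ids" { type = list(string) }
variable "staging_route_table_ids" { type = list(string) }

provider "aws" {
  region = var.region
}

# HTTPS from replication servers (VPC CIDR) and from on-premises Replication
# Agents to the interface endpoints, plus DNS from on-premises resolvers to the
# inbound resolver endpoint. Nothing else is reachable on these ENIs.
resource "aws_security_group" "endpoints" {
  name        = "mgn-private-endpoints" # assumed name
  description = "HTTPS to MGN/EC2/S3 endpoints and DNS to inbound resolver"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from staging subnet and on-premises sources"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr, var.onprem_cidr]
  }
  ingress {
    description = "DNS (TCP) from on-premises DNS servers"
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = [var.onprem_cidr]
  }
  ingress {
    description = "DNS (UDP) from on-premises DNS servers"
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = [var.onprem_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Staging subnet, replication servers -> Amazon S3: gateway endpoint attached to
# the staging route tables (only reachable from inside the VPC).
resource "aws_vpc_endpoint" "s3_gateway" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.staging_route_table_ids
}

# Staging subnet -> Application Migration Service and Amazon EC2. The mgn
# endpoint is also what on-premises Replication Agents reach via the resolver.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["mgn", "ec2"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.staging_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}

# On-premises sources -> Amazon S3: a Regional *interface* endpoint, because the
# gateway endpoint above cannot be reached from outside the VPC.
resource "aws_vpc_endpoint" "s3_interface" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.staging_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = false # agents use the endpoint-specific DNS name
}

# Inbound resolver endpoint so on-premises DNS servers can resolve the private
# IP addresses of the interface endpoints.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "mgn-inbound-resolver" # assumed name
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.endpoints.id]

  dynamic "ip_address" {
    for_each = toset(var.staging_subnet_ids)
    content {
      subnet_id = ip_address.value
    }
  }
}

# Hand these to the on-premises side: resolver IPs for conditional forwarding,
# S3 interface endpoint DNS names for the agent installation.
output "inbound_resolver_ips" {
  value = aws_route53_resolver_endpoint.inbound.ip_address[*].ip
}

output "s3_interface_endpoint_dns" {
  value = aws_vpc_endpoint.s3_interface.dns_entry
}
```

On the on-premises side, configure the corporate DNS servers to forward the AWS service zones to the inbound resolver IPs, and point the Replication Agent installer at the private MGN and S3 endpoint names (the installer accepts endpoint parameters for both; see the Application Migration Service agent installation documentation). A quick check from a source server is that `nslookup mgn.<region>.amazonaws.com` returns an address inside the staging subnet CIDR rather than a public IP; if it returns a public IP, the conditional forwarding or the resolver security group is wrong and the agent will fail to connect in a network that blocks public HTTPS.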

Target subnet

The target subnet is any subnet that you plan to launch your servers into, including test and cutover instances. These subnets have no network connectivity requirement at all, and could be located in any other VPC in the same AWS account and Region. This is because Application Migration Service uses Amazon EC2 APIs to create new test or cutover instances (which is why replication servers in the staging subnet require outbound HTTPS connectivity to Amazon EC2), and accesses Regional S3 snapshots created from replicated EBS volumes. None of these operations require direct network access to or from the target subnet, so this could even be a completely isolated private subnet.

However, Application Migration Service also automatically installs several tools such as EC2Config or AWS Systems Manager Agents (SSM Agents) on target instances, and these activities require outbound HTTPS/TCP port 443 connectivity from target instances and subnets.