Public HTTPS egress at the source and private staging area resources
The following diagram illustrates the architecture for the hybrid scenario in which source servers are allowed public HTTPS egress, which they use to communicate with the Application Migration Service and Amazon S3 endpoints, while the replication data on TCP port 1500 travels over the private channel (AWS VPN or AWS Direct Connect) between the source environment and AWS.
This architecture simplifies the requirements for the staging area subnet, because HTTPS communications from agents don't travel through the private channel. Also, there is no need to create additional Amazon S3 interface VPC endpoints or Amazon Route 53 inbound resolver endpoints for DNS traffic, because source servers will use their traditional DNS servers to resolve the standard, public DNS names of Application Migration Service and Amazon S3 endpoints.
However, in this scenario the staging area subnet resources still run on a private, fully isolated network with no public access to any HTTPS endpoint, so you must create both an Application Migration Service interface endpoint and an Amazon EC2 interface endpoint in the staging area VPC, as well as an Amazon S3 gateway endpoint.
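The staging area side of this scenario, written out as an added Terraform example (not configuration from the original page): the MGN and EC2 interface endpoints with private DNS, the S3 gateway endpoint, and security groups that admit only TCP 1500 from the source environment and HTTPS to the endpoints. The region, VPC, subnet, route table and CIDR values are placeholders, as are the security group and endpoint resource names.

```hcl
locals {
  region       = "us-east-1"        # placeholder
  vpc_id       = "vpc-PLACEHOLDER"  # staging area VPC (placeholder)
  staging_cidr = "172.16.10.0/24"   # staging area subnet (placeholder)
  on_prem_cidr = "10.0.0.0/8"       # source servers, reached over VPN / Direct Connect (placeholder)
}
# Interface endpoints accept HTTPS only from the staging area subnet.
resource "aws_security_group" "endpoints" {
  vpc_id = local.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.staging_cidr]
  }
}
# Replication servers: TCP 1500 in from the source environment only; HTTPS out only to the endpoints.
resource "aws_security_group" "replication_servers" {
  vpc_id = local.vpc_id
  ingress {
    from_port   = 1500
    to_port     = 1500
    protocol    = "tcp"
    cidr_blocks = [local.on_prem_cidr]
  }
  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.endpoints.id]
    prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id] # S3 gateway endpoint, no public egress
  }
}
# MGN and EC2 interface endpoints; private DNS resolves the standard service names to private IPs in the VPC.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["mgn", "ec2"])
  vpc_id              = local.vpc_id
  service_name        = "com.amazonaws.${local.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = ["subnet-PLACEHOLDER"]
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
# S3 gateway endpoint: installs the S3 route in the staging area subnet's route table.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = local.vpc_id
  service_name      = "com.amazonaws.${local.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = ["rtb-PLACEHOLDER"]
}
```

Attach `aws_security_group.replication_servers` to the replication servers through the MGN replication settings template; with no NAT gateway or internet gateway route in the staging area subnet, the only HTTPS paths that exist are the ones these endpoints provide.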