Step 1: Create AWS Resources
In this step, you create and configure the required AWS resources for homogeneous data migrations in AWS DMS.
Creating a VPC
In this section, you create a virtual private cloud (VPC). This VPC is based on the Amazon Virtual Private Cloud (Amazon VPC) service and contains your AWS resources. Make sure that you create this VPC in one of the AWS Regions that support homogeneous data migrations in AWS DMS. For more information, see the list of supported Regions.
To migrate your on-premises source database, make sure that you configure a private network to connect to your target database. For more information, see the Using an on-premises source data provider.
To create a VPC for homogeneous data migrations
-
Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/
. -
Choose your AWS Region.
-
Choose Create VPC.
-
On the Create VPC page, enter the following settings:
-
Resources to create — VPC and more
-
Name tag auto-generation — Choose Auto-generate and enter a globally unique name. For example, enter
dm-vpc. -
IPv4 CIDR block —
10.0.1.0/24 -
NAT gateways — In 1 AZ
-
VPC endpoints — None
-
-
Keep the rest of the settings as they are, and choose Create VPC.
Use this VPC when you create your target Amazon RDS database in Step 3 and your subnet group in Step 5.
Creating an IAM policy
In this section, you create an AWS Identity and Access Management (IAM) policy that AWS DMS requires to run homogeneous data migrations.
To create an IAM policy for homogeneous data migrations
-
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Policies.
-
Choose Create policy.
-
On the Create policy page, choose the JSON tab.
-
Paste the following JSON into the editor.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribePrefixLists", "logs:DescribeLogGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "servicequotas:GetServiceQuota" ], "Resource": "arn:aws:servicequotas:*:*:vpc/L-0EA8095F" }, { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DescribeLogStreams" ], "Resource": "arn:aws:logs:*:*:log-group:dms-data-migration-*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:dms-data-migration-*:log-stream:dms-data-migration-*" }, { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateRoute", "ec2:DeleteRoute" ], "Resource": "arn:aws:ec2:*:*:route-table/*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:security-group-rule/*", "arn:aws:ec2:*:*:route-table/*", "arn:aws:ec2:*:*:vpc-peering-connection/*", "arn:aws:ec2:*:*:vpc/*" ] }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress" ], "Resource": "arn:aws:ec2:*:*:security-group-rule/*" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": "arn:aws:ec2:*:*:security-group/*" }, { "Effect": "Allow", "Action": [ "ec2:AcceptVpcPeeringConnection", "ec2:ModifyVpcPeeringConnectionOptions" ], "Resource": "arn:aws:ec2:*:*:vpc-peering-connection/*" }, { "Effect": "Allow", "Action": "ec2:AcceptVpcPeeringConnection", "Resource": "arn:aws:ec2:*:*:vpc/*" } ] }
-
Choose Next The Review, and create page opens.
-
For Name, enter
HomogeneousDataMigrationsPolicy, and choose Create policy.
Use this IAM policy when you create the IAM role.
Creating an IAM role
In this section, you create an IAM role for homogeneous data migrations. AWS DMS uses this IAM role to access database credentials stored in AWS Secrets Manager, store log files in Amazon CloudWatch, and interact with Amazon EC2.
To create an IAM role that provides access to AWS Secrets Manager
-
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Roles.
-
Choose Create role.
-
On the Select trusted entity page, choose AWS service. For Use case, Choose DMS.
-
Choose Next. The Add permissions page opens.
-
Choose HomogeneousDataMigrationsPolicy that you created before. Also, choose SecretsManagerReadWrite.
-
Choose Next. The Name, review, and create page opens.
-
For Role name, enter
HomogeneousDataMigrationsRoleand choose Create role. -
On the Roles page, enter
HomogeneousDataMigrationsRolefor Role name. Choose HomogeneousDataMigrationsRole. -
Choose the Trust relationships tab and choose Edit trust policy.
-
On the Edit trust policy page, paste the following JSON into the editor, replacing the existing text.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "dms-data-migrations.amazonaws.com", "dms.your_region.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }
Replace
your_regionwith the name of your Region, such asus-east-1. -
Choose Update policy.
Use this IAM role when you create your instance profile in Step 5 and your migration project in Step 7.
