

# Advanced endpoint configuration
<a name="CHAP_Advanced.Endpoints"></a>

You can configure advanced settings for your endpoints in AWS Database Migration Service (AWS DMS) to set up control over how source and target endpoints behave during the migration process. As part of the advanced setup you can configure AWS DMS VPC peering to enable secure communication between VPCs, DMS security groups to control inbound and outbound traffic, Network Access Control Lists (NACLs) as an additional layer of security, and VPC endpoints for AWS Secrets Manager.

You can set these configurations during endpoint creation or modify them later through the AWS DMS console or API, to fine-tune the migration process based on specific database engine requirements and performance needs.

Following, you can find out more details about advanced endpoint configuration.

**Topics**
+ [VPC peering configuration for AWS DMS](CHAP_Advanced.Endpoints.vpc.peering.md)
+ [Security group configuration for AWS DMS](CHAP_Advanced.Endpoints.securitygroup.md)
+ [Network Access Control List (NACL) configuration for AWS DMS](CHAP_Advanced.Ednpoints.NACL.md)
+ [Configuring AWS DMS secrets manager VPC Endpoint](CHAP_Advanced.Endpoints.secretsmanager.md)
  + [Additional considerations](#CHAP_secretsmanager.additionalconsiderations)

# VPC peering configuration for AWS DMS
<a name="CHAP_Advanced.Endpoints.vpc.peering"></a>

VPC peering enables private network connectivity between two VPCs, allowing AWS DMS replication instances and database endpoints to communicate across different VPCs as if they were in the same network. This is crucial when your DMS replication instance resides in one VPC while source or target databases exist in separate VPCs, enabling direct, secure data migration without traversing the public internet.

When using Amazon RDS, you must configure VPC peering between DMS and RDS if your instances are located in different VPCs.

You must perform the following steps:

**Creating a VPC peering connection**

1. Navigate to the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, select **Peering Connections** under **Virtual private cloud**.

1. Click **Create Peering Connection**.

1. Configure the peering connection:
   + **Name tag** (optional): Enter a name for the peering connection (example: `DMS-RDS-Peering`).
   + **VPC Requester**: Select the VPC that contains your DMS instance.
   + **VPC accepter**: Select the VPC that contains your RDS instance.
**Note**  
If the accepter VPC is associated with a different AWS account, you must have the Account ID and VPC ID for that account.

1. Click **Create the Peering Connection**.

**Accepting the VPC peering connection**

1. In the **Peering Connections** list, find the new peering connection with a **Pending Acceptance** status.

1. Select the appropriate peering connection, click **Actions** and select **Accept Request**.

   The peering connection status changes to **Active**.

**Updating route tables**

To enable traffic between the VPCs, you must update the route table in both your VPCs. To update the route tables in the DMS VPC:

1. Identify the CIDR block of the RDS VPC:

   1. Navigate to your VPCs and select your RDS VPC.

   1. Copy the IPv4 CIDR value on the **CIDRs** tab.

1. Identify relevant DMS route tables using resource map:

   1. Navigate to your VPCs and select your DMS VPC.

   1. Click the **Resource Map** tab and note the route tables associated with the subnets where your DMS instance is located.

1. Update all route tables in the DMS VPC:

   1. Navigate to the route tables in the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

   1. Select the route tables identified for the DMS VPC. You can open them from the VPC's **Resource map** tab.

   1. Click **Edit routes**.

   1. Click **Add route** and enter the following information:
      + **Destination**: Enter the IPv4 CIDR block of the RDS VPC (Example: `10.1.0.0/16`).
      + **Target**: Select the peering connection ID (Example: `pcx-1234567890abcdef`).

   1. Click **Save routes**.

      Your VPC routes are saved for the DMS VPC. Perform the same steps for your RDS VPC.

**Update Security Groups**

1. Verify the DMS instance security group. Ensure that its outbound rules allow traffic to the RDS instance:
   + **Type**: Custom TCP or the specific database port (Example: 3306 for MySQL).
   + **Destination**: The CIDR block of the RDS VPC or the security group of the RDS instance.

1. Verify the RDS instance security group. Ensure that its inbound rules allow traffic from the DMS instance:
   + **Type**: The specific database port.
   + **Source**: The CIDR block of the DMS VPC or the security group of the DMS instance.

**Note**  
You must also ensure the following:  
**Active Peering Connection**: Ensure the VPC peering connection is in the **Active** state before proceeding.  
**Resource Map**: Use the **Resource map** tab in the [Amazon VPC console](https://console.aws.amazon.com/vpc/) to identify which route tables need to be updated.  
**No Overlapping CIDR Blocks**: The VPCs must have non-overlapping CIDR blocks; otherwise the peering connection cannot route traffic between them.  
**Security Best Practices**: Restrict security group rules to the necessary ports and sources.  
For more information, see [VPC peering connections](https://docs.aws.amazon.com/vpc/latest/peering/working-with-vpc-peering.html) in the *Amazon Virtual Private Cloud user guide*.

# Security group configuration for AWS DMS
<a name="CHAP_Advanced.Endpoints.securitygroup"></a>

The security group of your AWS DMS replication instance must allow inbound and outbound connections on the appropriate database port. If you are using Amazon RDS, you must configure the security groups on both the DMS and RDS sides so that the two instances can reach each other.

You must perform the following steps:

**Configure the RDS instance security group**

1. Navigate to the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

1. In the navigation pane on the left under **Security**, select **Security Groups**.

1. Select the RDS Security Group associated with your RDS instance.

1. Edit the inbound rules:

   1. Click **Actions** and select **Edit inbound rules**.

   1. Click **Add Rule** to create a new rule.

   1. Configure the rule as follows:
      + **Type**: Select your database type (Example: MySQL/Aurora for port 3306, PostgreSQL for port 5432).
      + **Protocol**: This auto-populates based on your database type.
      + **Port Range**: this auto-populates based on your database type.
      + **Source**: Choose **Custom**, and paste the security group ID associated with your DMS instance. This allows traffic from any resource within that security group. You can also specify the IP range (CIDR block) of your DMS instance.

   1. Click **Save rules**.

**Configure the DMS replication instance security group**

1. Navigate to the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

1. In the navigation pane on the left under **Security**, select **Security Groups**.

1. In the **Security Group** list find and select the security group associated with your DMS replication instance.

1. Edit the outbound rules:

   1. Click **Actions** and select **Edit outbound rules**.

   1. Click **Add Rule** to create a new rule.

   1. Configure the rule as follows:
      + **Type**: Select your database type (Example: MySQL/Aurora, PostgreSQL).
      + **Protocol**: This auto-populates based on your database type.
      + **Port Range**: This auto-populates based on your database type.
      + **Destination**: Choose **Custom**, and paste the security group ID associated with your RDS instance. This allows traffic to any resource within that security group. You can also specify the IP range (CIDR block) of your RDS instance.

   1. Click **Save rules**.

## Additional Considerations
<a name="CHAP_securitygroup_additional_considerations"></a>

You must consider the following additional configuration information:
+ **Use Security Group References**: Referencing security groups in the source or destination rules allows for dynamic management and is more secure than using IP addresses, because a reference automatically includes all resources within the group without rule changes when instances are added or replaced.
+ **Database Ports**: Ensure you are using the correct port for your database.
+ **Security Best Practices**: Only open the necessary ports to minimize security risks. You must also regularly review your security group rules to ensure they meet your security standards and requirements.
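As an added illustration of the security group checks in this section and the considerations above (example code, not part of the AWS DMS documentation): a small Python model of how a stateful security group pair is evaluated, showing why a group reference keeps working when a new instance joins the group. The group IDs, member addresses and rules are constructed sample values.

```python
import ipaddress

# Constructed sample data for this page's scenario (not real AWS resources):
# the DMS replication instance belongs to sg-dms, the RDS instance to sg-rds.
SG_MEMBERS = {"sg-dms": ["10.0.1.25"], "sg-rds": ["10.1.2.40"]}

# Rule = (protocol, port_from, port_to, peer). The peer is either a CIDR block or
# a security group ID: the source for inbound rules, the destination for outbound.
RULES = {
    "sg-dms": {"inbound": [], "outbound": [("tcp", 3306, 3306, "sg-rds")]},
    "sg-rds": {"inbound": [("tcp", 3306, 3306, "sg-dms")], "outbound": []},
}

def peer_matches(peer, ip):
    """A CIDR peer matches by address. A security group peer matches whatever
    is currently a member of that group, which is why group references keep
    working when instances are added without editing any rule."""
    if peer.startswith("sg-"):
        return ip in SG_MEMBERS.get(peer, [])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(peer, strict=False)

def allowed(rules, protocol, port, peer_ip):
    """Security group rules are allow-only: any one matching rule permits the flow."""
    return any(p == protocol and lo <= port <= hi and peer_matches(peer, peer_ip)
               for p, lo, hi, peer in rules)

def can_connect(src_sg, src_ip, dst_sg, dst_ip, port, protocol="tcp"):
    """The initiator's group must allow the flow outbound AND the responder's
    group must allow it inbound. Security groups are stateful, so the reply
    traffic needs no rule of its own (unlike a NACL)."""
    out_ok = allowed(RULES[src_sg]["outbound"], protocol, port, dst_ip)
    in_ok = allowed(RULES[dst_sg]["inbound"], protocol, port, src_ip)
    return out_ok and in_ok

def check_dms_to_rds(db_port=3306):
    """Does the DMS replication instance reach the RDS instance on db_port?"""
    return can_connect("sg-dms", "10.0.1.25", "sg-rds", "10.1.2.40", db_port)
```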

# Network Access Control List (NACL) configuration for AWS DMS
<a name="CHAP_Advanced.Ednpoints.NACL"></a>

When using Amazon RDS as a replication source, you should update the Network Access Control Lists (NACLs) associated with the subnets where your DMS and RDS instances reside, so that they allow inbound and outbound traffic on the specific database port.

To update the Network Access Control Lists, you must perform the following steps:

**Note**  
If your DMS and RDS instances are in the same subnet, you only need to update that subnet's NACL.

**Identify the relevant NACLs**

1. Navigate to the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

1. In the navigation pane on the left under **Security**, select **Network ACLs**.

1. Select the relevant NACLs associated with the subnets where your DMS and RDS instances reside.

**Update the NACLs for the DMS instance subnet**

1. Identify the NACL associated with your DMS instance's subnet. To do so, you can browse through the subnets in the [Amazon VPC console](https://console.aws.amazon.com/vpc/), find the DMS subnet, and note the associated NACL ID.

1. Edit the inbound rules:

   1. Click the **Inbound Rules** tab for the selected NACL.

   1. Select **Edit inbound rules**.

   1. Add a new rule:
      + **Rule number**: Choose a unique number (Example: 100).
      + **Type**: Select **Custom TCP Rule**.
      + **Protocol**: TCP
      + **Port Range**: Enter your database port (Example: 3306 for MySQL).
      + **Source**: Enter the CIDR block of the RDS subnet (Example: 10.1.0.0/16).
      + **Allow/Deny**: Select **Allow**.

1. Edit the outbound rules:

   1. Click the **Outbound Rules** tab for the selected NACL.

   1. Click **Edit outbound rules**.

   1. Add a new rule:
      + **Rule number**: Use the same number as used in the inbound rules.
      + **Type**: All traffic.
      + **Destination**: 0.0.0.0/0
      + **Allow/Deny**: Select **Allow**.

1. Click **Save changes**.

1. Perform the same steps to update the NACLs associated with the RDS instance's subnet.

## Verify the NACL rules
<a name="CHAP_NACL.verify.NACL.Rules"></a>

You must ensure the following criteria regarding the NACL rules:
+ **Order of rules**: NACLs process rules in ascending order by rule number, and the first matching rule is applied. Ensure that all the rules set to **Allow** have lower rule numbers than any rule set to **Deny** that would match the same traffic, because a lower-numbered **Deny** blocks the traffic before the **Allow** is reached.
+ **Stateless nature**: NACLs are stateless. You must explicitly allow both inbound and outbound traffic, including the return traffic of a connection.
+ **CIDR blocks**: You must ensure that the CIDR blocks you use accurately represent the subnets of your DMS and RDS instances.
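As an added illustration of the verification points above (example code, not part of the AWS DMS documentation): a Python model of stateless NACL evaluation that applies rules in ascending rule-number order and checks both the inbound request and the outbound reply of a database session. The CIDRs, rule numbers and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:
    number: int      # rule number; rules are evaluated in ascending order
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int   # port range (ignored when protocol is "all")
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination for outbound
    action: str      # "allow" or "deny"

def first_match(rules, protocol, port, address):
    """NACLs apply the lowest-numbered matching rule; traffic that matches
    nothing hits the implicit '*' rule, which denies. Returns rule or None."""
    addr = ipaddress.ip_address(address)
    for r in sorted(rules, key=lambda r: r.number):
        proto_ok = r.protocol == "all" or r.protocol == protocol
        port_ok = r.protocol == "all" or r.port_from <= port <= r.port_to
        if proto_ok and port_ok and addr in ipaddress.ip_network(r.cidr, strict=False):
            return r
    return None

def db_session_problems(inbound, outbound, peer_ip, db_port, ephemeral=(1024, 65535)):
    """Check that a TCP session from peer_ip to db_port can pass this subnet's
    NACL. Because NACLs are stateless, the request must be allowed inbound AND
    the reply to the peer's ephemeral port must be allowed outbound."""
    problems = []
    req = first_match(inbound, "tcp", db_port, peer_ip)
    if req is None or req.action != "allow":
        hit = "implicit deny" if req is None else f"rule {req.number} ({req.action})"
        problems.append(f"inbound tcp/{db_port} from {peer_ip}: {hit}")
    # Probe both ends of the ephemeral range; a shadowing deny shows up there.
    for port in ephemeral:
        rep = first_match(outbound, "tcp", port, peer_ip)
        if rep is None or rep.action != "allow":
            problems.append(f"outbound tcp/{port} to {peer_ip} not allowed")
            break
    return problems

# Constructed example for the RDS subnet's NACL: the rules from the procedure
# above (allow the database port from the DMS subnet, allow all traffic out)
# plus a lower-numbered deny that silently shadows the inbound allow.
RDS_INBOUND = [
    NaclRule(100, "tcp", 3306, 3306, "10.0.0.0/16", "allow"),
    NaclRule(50, "tcp", 0, 65535, "10.0.0.0/16", "deny"),  # shadows rule 100
]
RDS_OUTBOUND = [NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]
```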

# Configuring AWS DMS secrets manager VPC Endpoint
<a name="CHAP_Advanced.Endpoints.secretsmanager"></a>

You must create a VPC endpoint to access AWS Secrets Manager from a replication instance in a private subnet. This allows the replication instance to access Secrets Manager directly through the private network without sending traffic over the public internet.

To configure the endpoint, perform the following steps:

**Create a security group for the VPC endpoint**

1. Navigate to the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

1. In the navigation pane on the left, select **Security groups**, and choose **Create security group**.

1. Configure security group details:
   + **Security group name**: Example: `SecretsManagerEndpointSG`
   + **Description**: Enter an appropriate description. (Example: Security group for secrets manager VPC endpoint).
   + **VPC**: Select the VPC where your replication instance and endpoints reside.

1. Click **Add Rule** to set inbound rules and configure the following:
   + **Type**: HTTPS (Secrets Manager uses HTTPS on port 443).
   + **Source**: Choose **Custom**, and enter the security group ID of your replication instance. This ensures that only instances associated with that security group can reach the VPC endpoint.

1. Review the changes and click **Create security group**.

**Create a VPC endpoint for Secrets Manager**

**Note**  
Create an interface VPC endpoint as outlined in the [Creating an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) topic in the *Amazon Virtual Private Cloud user guide*. When following that procedure, ensure the following:  
For **Service category**, select **AWS services**.  
For **Service name**, search for `secretsmanager` and select the Secrets Manager service.

1. Select **VPC and Subnets** and configure the following:
   + **VPC**: Ensure it is the same VPC as your replication instance.
   + **Subnets**: Select the subnets where your replication instance resides.

1. In **Additional Settings**, ensure that **Enable DNS name** is selected (it is enabled by default for interface endpoints).

1. Under **Security group**, select the security group you created earlier (Example: `SecretsManagerEndpointSG`).

1. Review all the settings and click **Create endpoint**.

**Retrieve the VPC endpoint DNS name**

1. Access the VPC endpoint details:

   1. Navigate to the [Amazon VPC console](https://console.aws.amazon.com/vpc/) and choose **Endpoints**.

   1. Select the appropriate endpoint you created.

1. Copy the DNS name:

   1. Under the **Details** tab, navigate to the **DNS Names** section.

   1. Copy the first DNS name listed. (Example: `vpce-0abc123def456789g-secretsmanager.us-east-1.vpce.amazonaws.com`). This is the regional DNS name.

**Update your DMS endpoint**

1. Navigate to the [AWS DMS](https://console.aws.amazon.com/dms/v2) console.

1. Modify the DMS endpoint:

   1. In the navigation pane on the left, select **Endpoints**.

   1. Choose the appropriate endpoint you want to configure.

   1. Click **Actions** and select **Modify**.

1. Configure endpoint settings:

   1. Navigate to **Endpoint settings** and select the **Use endpoint connection attributes** checkbox.

   1. In the **Connection attributes** field, add `secretsManagerEndpointOverride=<copied DNS name>`.
**Note**  
If you have multiple connection attributes, separate them with a semicolon (`;`). For example: `datePartitionEnabled=false;secretsManagerEndpointOverride=vpce-0abc123def456789g-secretsmanager.us-east-1.vpce.amazonaws.com`

1. Click **Modify endpoint** to save your changes.

## Additional considerations
<a name="CHAP_secretsmanager.additionalconsiderations"></a>

You must consider the following additional configuration information:

**Replication instance security group:**
+ Ensure that the security group associated with your replication instance allows outbound traffic to the VPC endpoint on port 443 (HTTPS).

**VPC DNS settings:**
+ Confirm that **DNS resolution** and **DNS hostnames** are enabled in your VPC, so that your instances can resolve the VPC endpoint DNS names. To confirm, navigate to **Your VPCs** in the [Amazon VPC console](https://console.aws.amazon.com/vpc/), select your VPC, and verify that **DNS resolution** and **DNS hostnames** are set to **Yes**.

**Testing connectivity:**
+ From your replication instance, perform a DNS lookup to ensure the Secrets Manager name resolves to the VPC endpoint: `nslookup secretsmanager.<region>.amazonaws.com`. It must return the IP address associated with your VPC endpoint rather than a public address.