# Setting up homogeneous data migrations in AWS DMS
<a name="dm-prerequisites"></a>

To set up homogeneous data migrations in AWS DMS, complete the following prerequisite tasks.

**Topics**
+ [Creating required IAM resources for homogeneous data migrations in AWS DMS](dm-iam-resources.md)
+ [Setting up a network for homogeneous data migrations in AWS DMS](dm-network.md)
+ [VPC peering network configurations](vpc-peering.md)

# Creating required IAM resources for homogeneous data migrations in AWS DMS
<a name="dm-iam-resources"></a>

To run homogeneous data migrations, you must create an IAM policy and an IAM role in your account to interact with other AWS services. In this section, you create these required IAM resources.

**Topics**
+ [Creating an IAM policy for homogeneous data migrations in AWS DMS](#dm-resources-iam-policy)
+ [Creating an IAM role for homogeneous data migrations in AWS DMS](#dm-resources-iam-role)

## Creating an IAM policy for homogeneous data migrations in AWS DMS
<a name="dm-resources-iam-policy"></a>

With AWS DMS, you can create a serverless environment for homogeneous data migrations that accesses your databases and migrates your data. AWS DMS also stores logs, metrics, and progress for each data migration in Amazon CloudWatch. To create a data migration project, AWS DMS needs access to these services.

In this step, you create an IAM policy that provides AWS DMS with access to Amazon EC2 and CloudWatch resources. Next, create an IAM role and attach this policy.

**To create an IAM policy for homogeneous data migrations in AWS DMS**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies**.

1. Choose **Create policy**.

1. In the **Create policy** page, choose the **JSON** tab.

1. Paste the following JSON into the editor.

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "ec2:DescribeVpcs"
               ],
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "logs:CreateLogGroup"
               ],
               "Resource": "arn:aws:logs:*:*:log-group:dms-data-migration-*"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "logs:CreateLogStream",
                   "logs:PutLogEvents"
               ],
               "Resource": "arn:aws:logs:*:*:log-group:dms-data-migration-*:log-stream:dms-data-migration-*"
           },
           {
               "Effect": "Allow",
               "Action": "cloudwatch:PutMetricData",
               "Resource": "*"
           }
       ]
   }
   ```

1. Choose **Next**.

1. Enter **HomogeneousDataMigrationsPolicy** for **Policy name**, and choose **Create policy**.

## Creating an IAM role for homogeneous data migrations in AWS DMS
<a name="dm-resources-iam-role"></a>

In this step, you create an IAM role that provides AWS DMS with access to AWS Secrets Manager, Amazon EC2, and CloudWatch.

When creating an IAM role, you must also create a `dms-vpc-role`. For more information, see [Creating an IAM role for AWS DMS to manage Amazon VPC](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DMS_migration-IAM.dms-vpc-role.html) in the *Amazon Relational Database Service User Guide*.

**To create an IAM role for homogeneous data migrations in AWS DMS**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**.

1. Choose **Create role**.

1. On the **Select trusted entity** page, for **Trusted entity type**, choose **AWS Service**. For **Use cases for other AWS services**, choose **DMS**.

1. Select the **DMS** check box and choose **Next**.

1. On the **Add permissions** page, choose the **HomogeneousDataMigrationsPolicy** policy that you created earlier.

1. On the **Name, review, and create** page, enter **HomogeneousDataMigrationsRole** for **Role name**, and choose **Create role**.

1. Choose **Update policy**.
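The two procedures above give AWS DMS a narrowly scoped permissions policy and a role that only the DMS service can assume. The following Python is an added example, not part of this page or of AWS tooling, that checks both documents offline before you create them: it flags Allow statements that grant a whole service or use `Resource: "*"` where a resource ARN could have been used, evaluates whether a given action and ARN would be allowed, and lists every principal the trust policy admits. The set of actions treated as legitimately wildcard-only, the trust policy (the console generates one with the `dms.amazonaws.com` service principal for the DMS use case), and the sample ARNs are assumptions for this example.

```python
import fnmatch
import json

# Permissions policy from the procedure above (copied from this page).
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeVpcs"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup"],
         "Resource": "arn:aws:logs:*:*:log-group:dms-data-migration-*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:log-group:dms-data-migration-*:log-stream:dms-data-migration-*"},
        {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*"}
    ]
}
""")

# Trust policy the IAM console generates for the "DMS" use case
# (the service principal is dms.amazonaws.com); assumption for this example.
TRUST = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "dms.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ]
}
""")

# Actions that IAM cannot scope to a resource ARN, so "*" is the only valid
# Resource for them. Assumption for this example, based on the service
# authorization reference for EC2 and CloudWatch; extend it for other actions.
WILDCARD_RESOURCE_ONLY = {"ec2:DescribeVpcs", "cloudwatch:PutMetricData"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Return least-privilege findings for a permissions policy (empty list = clean)."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants are hard to bound")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: service-wide action {action!r}")
            elif "*" in resources and action not in WILDCARD_RESOURCE_ONLY:
                findings.append(f"statement {i}: {action} allowed on Resource '*'")
    return findings


def action_allowed(policy, action, resource_arn):
    """True if some Allow statement matches both the action and the ARN.

    IAM treats '*' in Action and Resource as a glob, which fnmatch reproduces
    closely enough for an offline check; Condition blocks are not evaluated.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(resource_arn, pat) for pat in resources):
            return True
    return False


def trusted_principals(trust_policy):
    """Collect every principal that the trust policy lets assume the role."""
    found = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for values in principal.values():
            found.update(_as_list(values))
    return found


if __name__ == "__main__":
    print("policy findings:", audit_policy(POLICY) or "none")
    print("trusted by:", sorted(trusted_principals(TRUST)))
    arn = "arn:aws:logs:us-east-1:123456789012:log-group:prod-app"
    print("can create an unrelated log group:", action_allowed(POLICY, "logs:CreateLogGroup", arn))
```

The page's policy passes the audit because its only wildcard resources sit on actions that cannot be scoped any tighter, while the CloudWatch Logs grants are confined to the `dms-data-migration-*` log groups and streams; running the same audit on a policy that grants `logs:*` on `*` produces a finding. Keep the same habit when you later edit the role: a trust policy whose principal set grows beyond `dms.amazonaws.com` lets other identities assume the migration role.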

# Setting up a network for homogeneous data migrations in AWS DMS
<a name="dm-network"></a>

With AWS DMS, you can create a serverless environment for homogeneous data migrations that uses a networking connectivity model based on network interfaces. For each data migration, AWS DMS assigns a private IP address from one of the subnets defined in the instance profile's DMS subnet group. If the instance profile is configured for public access, a non-static public IP address may also be assigned. The subnets used in the instance profile must provide access to both the source and target hosts defined in the data providers. This access can be within the local VPC or established through VPC peering, Direct Connect, VPN, and so on.

Also, for ongoing data replication, you must set up interaction between your source and target databases. These configurations depend on the location of your source data provider and your network settings. The following sections provide descriptions of common network configurations.

**Topics**
+ [Configuring a network using a single virtual private cloud (VPC)](#dm-network-one-vpc)
+ [Configuring a network using different virtual private clouds (VPCs)](#dm-network-different-vpc)
+ [Using Direct Connect or a VPN to configure a network to a VPC](#dm-networking_Direct_Connect)
+ [Resolving domain endpoints using DNS](#dm-networking-resolving_endpoints)

## Configuring a network using a single virtual private cloud (VPC)
<a name="dm-network-one-vpc"></a>

In this configuration, AWS DMS connects to your source and target data providers within the private network.

**To configure a network when your source and target data providers are in the same VPC**

1. Create the subnet group in the AWS DMS console with the VPC and subnets that your source and target data providers use. For more information, see [Creating a subnet group](subnet-group.md).

1. Create the instance profile in the AWS DMS console with the VPC and the subnet group that you created. Also, choose VPC security groups that your source and target data providers use. For more information, see [Creating instance profiles](instance-profiles.md).

1. Make sure that the security group used for the source and target databases allows connections from the security group attached to the instance profile that the data migration uses, or from the CIDR blocks of the subnets specified in the replication subnet group.

This configuration doesn't require you to use the public IP address for data migrations.

## Configuring a network using different virtual private clouds (VPCs)
<a name="dm-network-different-vpc"></a>

In this configuration, AWS DMS uses a private network to connect to either your source or your target data provider, and a public network to connect to the other one. Depending on which data provider is in the same VPC as your instance profile, choose one of the following configurations.

### To connect through a private network
<a name="dm-network-different-vpc.privatenetwork"></a>

1. Create the subnet group in the AWS DMS console with the VPC and subnets that your source data provider uses. For more information, see [Creating a subnet group](subnet-group.md).

1. Create the instance profile in the AWS DMS console with the VPC and the subnet group that you created. Also, choose VPC security groups that your source data provider uses. For more information, see [Creating instance profiles](instance-profiles.md).

1. Configure a VPC peering connection between the source and target database VPCs. For more information, see [Work with VPC peering connections](https://docs.aws.amazon.com/vpc/latest/peering/working-with-vpc-peering.html).

1. If you plan to use endpoints instead of private IP addresses directly, make sure to enable DNS resolution in both directions. For more information, see [Enable DNS resolution for a VPC peering connection](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-dns.html).

1. Allow access from the CIDR block of the source database's VPC in the target database security group. For more information, see [Controlling access with security groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html).

1. Allow access from the CIDR block of the target database's VPC in the target database security group. For more information, see [Controlling access with security groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html).

### To connect through a public network
<a name="dm-network-different-vpc.publicnetwork"></a>

If your database accepts connections from any address:

1. Create the subnet group in the AWS DMS console with the VPC and public subnets. For more information, see [Creating a subnet group](subnet-group.md).

1. Create the instance profile in the AWS DMS console with the VPC and the subnet group that you created. Set the **Publicly Available** option to **On** for the instance profile.

If you require a persistent public IP address that can be associated to the data migration:

1. Create the subnet group in the AWS DMS console with the VPC and private subnets. For more information, see [Creating a subnet group](subnet-group.md).

1. Create the instance profile in the AWS DMS console with the VPC and the subnet group that you created. Set the **Publicly Available** option to **Off** for the instance profile.

1. Set up a NAT gateway. For more information, see [Work with NAT gateways](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-working-with.html).

1. Set up the route table for the NAT gateway. For more information, see [NAT gateway use cases](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html).

1. Allow access from the public IP address of your NAT gateway in your database security group. For more information, see [Controlling access with security groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html).

## Using Direct Connect or a VPN to configure a network to a VPC
<a name="dm-networking_Direct_Connect"></a>

You can connect remote networks to your VPC through Direct Connect or VPN connections (software or hardware). These options enable you to extend your internal network into the AWS Cloud and integrate existing on-premises services such as monitoring, authentication, security, and data systems with your AWS resources. For this configuration, your VPC security group must include a routing rule that directs traffic to a host capable of bridging VPC traffic to your on-premises VPN. This traffic can be designated using either your VPC CIDR range or specific IP addresses. The NAT host must have its own security group configured to allow traffic from your VPC CIDR range or security group into the NAT instance, ensuring seamless communication between your VPC and on-premises infrastructure. For more information, see step 5 of the [Get started with AWS Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-create-vpn-connection) procedure in the *AWS Site-to-Site VPN User Guide*.

## Resolving domain endpoints using DNS
<a name="dm-networking-resolving_endpoints"></a>

For DNS resolution in AWS DMS homogeneous migrations, the service primarily uses the Amazon ECS DNS resolver to resolve domain endpoints. If you need additional DNS resolution capabilities, Amazon Route 53 Resolver is available as an alternative solution. For more information, see [Getting started with Route 53 Resolver](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-getting-started.html) in the Amazon Route 53 user guide. For information about configuring endpoint resolution using your on-premises name server with Amazon Route 53 Resolver, see [Using your own on-premises name server](CHAP_BestPractices.md#CHAP_BestPractices.Rte53DNSResolver).

**Note**  
If your data migration log shows the message "Initiating connection - Networking model: VPC Peering", see the [VPC peering network configurations](vpc-peering.md) topic.

# VPC peering network configurations
<a name="vpc-peering"></a>

With AWS DMS, you can create a serverless environment for homogeneous data migrations in a virtual private cloud (VPC) based on the Amazon VPC service. When you create your instance profile, you specify the VPC to use. You can use your default VPC for your account and AWS Region, or you can create a new VPC.

For each data migration, AWS DMS establishes a VPC peering connection with the VPC that you use for your instance profile. Next, AWS DMS adds the CIDR block to the security group that is associated with your instance profile. Because AWS DMS attaches a public IP address to your instance profile, all your data migrations that use the same instance profile have the same public IP address. When your data migration stops or fails, AWS DMS deletes the VPC peering connection.

To avoid overlapping with the CIDR block of your instance profile's VPC, AWS DMS uses a `/24` prefix from one of the following CIDR blocks: `10.0.0.0/8`, `172.16.0.0/12`, and `192.168.0.0/16`. For example, if you run three data migrations in parallel, AWS DMS uses the following CIDR blocks to establish a VPC peering connection.
+ `192.168.0.0/24` – for the first data migration
+ `192.168.1.0/24` – for the second data migration
+ `192.168.2.0/24` – for the third data migration
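The peering blocks AWS DMS picks must not collide with anything routable from the instance profile VPC, and that includes peered VPCs and on-premises prefixes, not only the VPC's own CIDR. The following Python is an added example, not the allocation logic AWS DMS itself runs, that reproduces the rule described above with the `ipaddress` module: it walks the three private ranges in /24 steps, skips any block that overlaps a range you list as in use, and also reports which in-use ranges a given block conflicts with. The order in which the ranges are tried is an assumption for this example (the page's sample output starts at `192.168.0.0/24`, so that range is tried first), and the VPC CIDRs are constructed.

```python
import ipaddress

# Private ranges that the page says AWS DMS draws its /24 peering blocks
# from. The order is an assumption for this example: the page's sample
# output starts at 192.168.0.0/24, so that range is tried first.
PRIVATE_RANGES = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")


def overlaps(cidr_a, cidr_b):
    """True if the two IPv4 networks share at least one address."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def conflicts(candidate, in_use_cidrs):
    """Return the in-use CIDRs that a candidate peering block collides with."""
    return [c for c in in_use_cidrs if overlaps(candidate, c)]


def pick_peering_blocks(in_use_cidrs, count, ranges=PRIVATE_RANGES):
    """Choose `count` /24 blocks that overlap none of `in_use_cidrs`.

    Pass every range routable from the instance profile VPC (the VPC itself,
    peered VPCs, VPN and Direct Connect prefixes): a peering /24 that collides
    with any of them makes that migration's traffic unroutable.
    """
    used = [ipaddress.ip_network(c) for c in in_use_cidrs]
    chosen = []
    for rng in ranges:
        for block in ipaddress.ip_network(rng).subnets(new_prefix=24):
            if len(chosen) == count:
                return [str(b) for b in chosen]
            if any(block.overlaps(u) for u in used):
                continue
            chosen.append(block)
            used.append(block)  # a block already handed out is also off limits
    return [str(b) for b in chosen]


if __name__ == "__main__":
    # Constructed sample: the instance profile VPC plus one peered VPC.
    my_ranges = ["10.0.0.0/16", "192.168.0.0/24"]
    print(pick_peering_blocks(my_ranges, 3))
    print(conflicts("192.168.0.0/24", my_ranges))
```

With an instance profile VPC of `10.0.0.0/16` and nothing else in use, the function returns exactly the three blocks listed above; add a peered `192.168.0.0/24` and the allocation shifts to `192.168.1.0/24` onward. Use `conflicts` when a migration fails to connect over peering: it tells you which of your routable ranges a block collided with.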

You can use different network configurations to set up interaction between your source and target databases with AWS DMS. Also, for ongoing data replication, you must set up interaction between your source and target databases. These configurations depend on the location of your source data provider and your network settings. The following sections provide descriptions of common network configurations.

**Topics**
+ [Configuring a network using a single virtual private cloud (VPC)](#vpc-peering-one-vpc)
+ [Configuring a network using different virtual private clouds (VPCs)](#vpc-peering-different-vpc)
+ [Using an on-premises source data provider](#vpc-peering-on-premesis)
+ [Configuring ongoing data replication](#vpc-peering-ongoing-replication)

## Configuring a network using a single virtual private cloud (VPC)
<a name="vpc-peering-one-vpc"></a>

In this configuration, AWS DMS connects to your source and target data providers within the private network.

**To configure a network when your source and target data providers are in the same VPC**

1. Create the subnet group in the AWS DMS console with the VPC and subnets that your source and target data providers use. For more information, see [Creating a subnet group](subnet-group.md).

1. Create the instance profile in the AWS DMS console with the VPC and the subnet group that you created. Also, choose VPC security groups that your source and target data providers use. For more information, see [Creating instance profiles](instance-profiles.md).

This configuration doesn't require you to use the public IP address for data migrations.

## Configuring a network using different virtual private clouds (VPCs)
<a name="vpc-peering-different-vpc"></a>

In this configuration, AWS DMS uses a private network to connect to either your source or your target data provider, and a public network to connect to the other one. Depending on which data provider is in the same VPC as your instance profile, choose one of the following configurations.

**To configure a private network for your source data provider and a public network for your target data provider**

1. Create the subnet group in the AWS DMS console with the VPC and subnets that your source data provider uses. For more information, see [Creating a subnet group](subnet-group.md).

1. Create the instance profile in the AWS DMS console with the VPC and the subnet group that you created. Also, choose VPC security groups that your source data provider uses. For more information, see [Creating instance profiles](instance-profiles.md).

1. Open your migration project. On the **Data migrations** tab, choose your data migration. Take a note of the **public IP address** under **Connectivity and security** on the **Details** tab.

1. Allow access from the public IP address of your data migration in your target database security group. For more information, see [Controlling access with security groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html) in the *Amazon Relational Database Service User Guide*.

**To configure a public network for your source data provider and a private network for your target data provider**

1. Create the subnet group in the AWS DMS console with the VPC and subnets that your target data provider uses. For more information, see [Creating a subnet group](subnet-group.md).

1. Create the instance profile in the AWS DMS console with the VPC and the subnet group that you created. Also, choose VPC security groups that your target data provider uses. For more information, see [Creating instance profiles](instance-profiles.md).

1. Open your migration project. On the **Data migrations** tab, choose your data migration. Take a note of the **public IP address** under **Connectivity and security** on the **Details** tab.

1. Allow access from the public IP address of your data migration in your source database security group. For more information, see [Controlling access with security groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html) in the *Amazon Relational Database Service User Guide*.

## Using an on-premises source data provider
<a name="vpc-peering-on-premesis"></a>

In this configuration, AWS DMS connects to your source data provider within the public network. AWS DMS uses a private network to connect to your target data provider.

**Note**  
For homogeneous data migrations, AWS DMS connects to your source database within the public network. However, connectivity to a source database within a public network is not always possible. For more information, see [Migrate an on-premises MySQL database to Amazon Aurora MySQL over a private network using AWS DMS homogeneous data migration and Network Load Balancer](https://aws.amazon.com/blogs/database/migrate-an-on-premises-mysql-database-to-amazon-aurora-mysql-over-a-private-network-using-aws-dms-homogeneous-data-migration-and-network-load-balancer/).

**To configure a network for your source on-premises data provider**

1. Create the subnet group in the AWS DMS console with the VPC and subnets that your target data provider uses. For more information, see [Creating a subnet group](subnet-group.md).

1. Create the instance profile in the AWS DMS console with the VPC and the subnet group that you created. Also, choose VPC security groups that your target data provider uses. For more information, see [Creating instance profiles](instance-profiles.md).

1. Open your migration project. On the **Data migrations** tab, choose your data migration. Take a note of the **public IP address** under **Connectivity and security** on the **Details** tab.

1. Allow access to your source database from the public IP address of your data migration in AWS DMS.

AWS DMS creates inbound and outbound rules in VPC security groups. Make sure that you don't delete these rules, because doing so can cause your data migration to fail. You can configure your own rules in VPC security groups. We recommend that you add a description to your rules so that you can manage them.

## Configuring ongoing data replication
<a name="vpc-peering-ongoing-replication"></a>

To run data migrations of the **Full load and change data capture (CDC)** or **Change data capture (CDC)** type, you must allow connection between your source and target databases.

**To configure a connection between your publicly accessible source and target databases**

1. Take a note of the public IP addresses of your source and target databases.

1. Allow access to your source database from the public IP address of your target database.

1. Allow access to your target database from the public IP address of your source database.

**To configure a connection between your source and target databases that are privately accessible in a single VPC**

1. Take a note of the private IP addresses of your source and target databases.

   **Important**  
   If your source and target databases are in different VPCs or in different networks, then you can only use public IP addresses for your source and target databases. You can only use public hostnames or IP addresses in data providers.

1. Allow access to your source database from the security group of your target database.

1. Allow access to your target database from the security group of your source database.
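The security-group steps in the network sections above all come down to one question: does the database's security group admit the right source on the database port? That source is the instance profile's security group or subnet CIDRs in the single-VPC case, the public IP address of the data migration or NAT gateway in the public-network cases, and, for ongoing replication, each database's security group in the other's. The following Python is an added example, not part of this page or of AWS DMS, that answers that question against inbound rules in the `IpPermissions` shape returned by EC2 `DescribeSecurityGroups`, and also flags a port that is open to the whole internet. The security group ids, CIDRs, and rules are constructed for the example.

```python
import ipaddress

# Constructed sample security group ids, DMS subnet CIDRs and inbound rules,
# in the IpPermissions shape that EC2 DescribeSecurityGroups returns.
INSTANCE_PROFILE_SG = "sg-0aaa111instance"
SOURCE_DB_SG = "sg-0bbb222source"
TARGET_DB_SG = "sg-0ccc333target"
DMS_SUBNET_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]

TARGET_DB_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.1.0/24", "Description": "dms subnet a"}],
     "UserIdGroupPairs": [{"GroupId": INSTANCE_PROFILE_SG, "Description": "dms instance profile"}]},
]
SOURCE_DB_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": INSTANCE_PROFILE_SG}]},
]


def _port_matches(rule, port):
    """-1 means all protocols and ports; otherwise require TCP and a port in range."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _cidr_covered(rule, cidr):
    """True if `cidr` lies entirely inside one of the rule's IpRanges."""
    want = ipaddress.ip_network(cidr)
    for entry in rule.get("IpRanges", []):
        have = ipaddress.ip_network(entry["CidrIp"])
        if want.version == have.version and want.subnet_of(have):
            return True
    return False


def rule_admits(rule, port, source):
    """`source` is a security group id (sg-...) or a CIDR such as 10.0.1.0/24."""
    if not _port_matches(rule, port):
        return False
    if source.startswith("sg-"):
        return any(p.get("GroupId") == source for p in rule.get("UserIdGroupPairs", []))
    return _cidr_covered(rule, source)


def missing_sources(db_rules, port, sources):
    """Return the sources that no inbound rule of the database SG admits on `port`."""
    return [s for s in sources if not any(rule_admits(r, port, s) for r in db_rules)]


def open_to_world(db_rules, port):
    """True if the database port accepts connections from any IPv4 address."""
    return any(rule_admits(r, port, "0.0.0.0/0") for r in db_rules)


def cdc_ready(source_rules, target_rules, port, source_sg, target_sg):
    """Ongoing replication needs each database's SG to admit the other's SG."""
    return (not missing_sources(source_rules, port, [target_sg])
            and not missing_sources(target_rules, port, [source_sg]))


if __name__ == "__main__":
    wanted = [INSTANCE_PROFILE_SG] + DMS_SUBNET_CIDRS
    print("target DB does not admit:", missing_sources(TARGET_DB_RULES, 3306, wanted))
    print("target DB open to the internet:", open_to_world(TARGET_DB_RULES, 3306))
    print("CDC ready:", cdc_ready(SOURCE_DB_RULES, TARGET_DB_RULES, 3306, SOURCE_DB_SG, TARGET_DB_SG))
```

In the constructed sample the target database admits the instance profile's security group and the first DMS subnet but not the second, so a migration placed in `10.0.2.0/24` would fail to connect even though the first one works; and neither database admits the other's security group, so a CDC migration between them is not ready until the two cross rules from the procedure above are added. Run the same checks against the rules you pull from `DescribeSecurityGroups` before starting a migration rather than after it fails.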