
Installing the MGN connector on a secured network


The MGN connector, and the AWS Replication Agents that the MGN connector installs, require network access to various AWS endpoints. If your on-premises network does not allow access to the public AWS endpoints, you can install the MGN connector and the AWS Replication Agents with the aid of AWS PrivateLink.

You can connect your on-premises network to your VPCs using AWS VPN or AWS Direct Connect.

Global view

If you are using the Global view feature, which provides cross-account view and operations, you will have at least one staging VPC per member account.

You will also need to designate a VPC in the management account in order to allow the MGN connector to communicate with AWS services via PrivateLink. If you are migrating some of your source servers into the management account, you can use the same VPC as a staging VPC.

The following sections apply to the MGN connector VPC as well as to each staging VPC.

Create VPC endpoints

To allow the MGN connector and AWS Replication Agents to communicate with AWS services, create the VPC endpoints listed below. For each endpoint:

  1. Select your staging area VPC or MGN connector VPC (see Global view above).

  2. Enable private DNS names.

  3. Choose a subnet, and ensure that a route exists from the MGN connector or AWS Replication Agent to the selected subnet.

  4. Ensure that the security groups associated with the endpoint allow inbound traffic from the MGN connector and source servers.

Create the following interface endpoints:

  1. com.amazonaws.region.ssm – The endpoint for the Systems Manager service. This endpoint is required by the SSM Agent, which is installed by the MGN connector installer.

  2. com.amazonaws.region.ec2messages – Systems Manager uses this endpoint to make calls from the SSM Agent to the Systems Manager service.

  3. com.amazonaws.region.ssmmessages – This endpoint is required only if you wish to connect to the MGN connector using Session Manager.

  4. com.amazonaws.region.kms – This endpoint is required only if you wish to connect to the MGN connector using Session Manager and using AWS KMS encryption to add an additional layer of encryption to the session. For more information, see Turn on KMS key encryption of session data in the Amazon Systems Manager User Guide.

  5. com.amazonaws.region.s3 – Systems Manager uses this endpoint to update the SSM Agent and to perform patching operations. The MGN connector installer and the AWS Replication Agent installer download installation assets from this endpoint.

    1. Note that private DNS names are disabled by default for the S3 endpoint.

    2. If you wish to also Enable private DNS only for inbound endpoint, you must first create an S3 gateway VPC endpoint. For more information, see S3 Private DNS in the Amazon Simple Storage Service User Guide.

  6. com.amazonaws.region.secretsmanager – The MGN connector calls this endpoint to retrieve source server credentials.

  7. com.amazonaws.region.sts – The MGN connector calls this endpoint to retrieve credentials of the AWS Replication Agent installer role.

  8. com.amazonaws.region.mgn – The endpoint for MGN. This endpoint is required by the MGN connector, the AWS Replication Agent, and their respective installers. If a VPCE Policy is used (to scope down access), add the following statement to your policy:

    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:<region>:*:*/POST/CreateSessionForMgn"
    }

For more information, see Creating an interface endpoint in the Amazon VPC User Guide.
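The endpoint list above, expressed as one boto3 create_vpc_endpoint() parameter set per service (an added example, not code from the AWS documentation): private DNS is enabled for every endpoint except S3, which keeps its default of disabled, and the scoped-down policy statement from item 8 is attached to the mgn endpoint. The VPC, subnet and security group IDs are assumed inputs.

```python
import json

# Interface endpoints from the list above, mapped to whether private DNS is
# enabled at creation time (S3 is left at its default of disabled).
MGN_INTERFACE_ENDPOINTS = {
    "ssm": True, "ec2messages": True, "ssmmessages": True, "kms": True,
    "s3": False, "secretsmanager": True, "sts": True, "mgn": True,
}


def mgn_endpoint_policy(region):
    """Endpoint policy containing only the statement from item 8; merge it
    into your existing endpoint policy statements if you already have some."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": f"arn:aws:execute-api:{region}:*:*/POST/CreateSessionForMgn",
        }],
    }


def endpoint_plan(region, vpc_id, subnet_ids, security_group_ids):
    """Build the create_vpc_endpoint() parameters for every required service."""
    plan = []
    for service, private_dns in MGN_INTERFACE_ENDPOINTS.items():
        params = {
            "VpcEndpointType": "Interface",
            "VpcId": vpc_id,
            "ServiceName": f"com.amazonaws.{region}.{service}",
            "SubnetIds": list(subnet_ids),
            "SecurityGroupIds": list(security_group_ids),
            "PrivateDnsEnabled": private_dns,
        }
        if service == "mgn":
            params["PolicyDocument"] = json.dumps(mgn_endpoint_policy(region))
        plan.append(params)
    return plan


def create_endpoints(region, plan):
    """Apply the plan and return the new VPC endpoint IDs (needs boto3 and
    credentials with ec2:CreateVpcEndpoint in the target account)."""
    import boto3  # imported here so the planning functions run without it
    ec2 = boto3.client("ec2", region_name=region)
    return [ec2.create_vpc_endpoint(**p)["VpcEndpoint"]["VpcEndpointId"] for p in plan]
```

Run endpoint_plan() once per staging VPC and once for the MGN connector VPC when using Global view; the security groups you pass must allow inbound traffic from the MGN connector and the source servers, as step 4 requires.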

Create a Route 53 inbound endpoint

To route your traffic to the VPC endpoints created above, create a Route 53 inbound endpoint in your staging area VPC or the MGN connector VPC (see Global view above).

Ensure that the security group associated with the inbound endpoint allows traffic from your on-premises DNS resolvers.

Configure the DNS resolvers on your on-premises network to forward DNS queries for the endpoints of the AWS services listed above to the IP addresses of your Route 53 inbound endpoint. To find the regional endpoints of these services, see Service endpoints in the AWS General Reference Guide. For example, the endpoint of the MGN service in the US East (Ohio) Region (us-east-2) is mgn.us-east-2.amazonaws.com.

For more information, see Forwarding inbound DNS queries to your VPCs in the Amazon Route 53 User Guide.

Modify replication settings

In order to allow the AWS Replication Agent to communicate with the replication server without using the public internet, you must use Private IP for data replication. The replication server requires access to the EC2 service. Therefore:

  • If your staging area VPC has a VPC endpoint for com.amazonaws.region.ec2 with private DNS names enabled, or if your staging area subnet has a route to the public internet via a NAT gateway, then the replication server can communicate with EC2 over its private IP. Choose the option:

    Use private IP for data replication

  • Otherwise, if your staging area subnet has a route to the public internet via an internet gateway, a public IP is required for the replication server to reach EC2. Choose the option:

    Create public IP, and use Private IP for data replication

Ensure that the security groups associated with the MGN VPC endpoint allow inbound traffic from the replication server.

Verify VPC endpoints are being used

Use CloudTrail to verify that calls to AWS services from the MGN connector and its associated source servers are made through the VPC endpoints you created, by checking that the vpcEndpointId field of each event matches one of those endpoints.
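One way to perform that check over exported CloudTrail log records (an added example, not code from the AWS documentation): events from the services behind the endpoints above are classified by whether their vpcEndpointId is one of your endpoints, some other endpoint, or absent, which means the call reached a public endpoint and your DNS forwarding or routing needs attention. It assumes the MGN connector and source servers are identified by their on-premises source address ranges; the sample records and endpoint IDs are constructed.

```python
import ipaddress
import json

# CloudTrail eventSource values for the services behind the endpoints listed above.
MGN_EVENT_SOURCES = {
    "mgn.amazonaws.com", "ssm.amazonaws.com", "ec2messages.amazonaws.com",
    "ssmmessages.amazonaws.com", "kms.amazonaws.com", "s3.amazonaws.com",
    "secretsmanager.amazonaws.com", "sts.amazonaws.com",
}


def load_cloudtrail_records(path):
    """Read one CloudTrail log file (a JSON object with a 'Records' list)."""
    with open(path) as f:
        return json.load(f)["Records"]


def audit_vpce_usage(records, expected_vpce_ids, caller_cidrs):
    """Group calls from caller_cidrs (assumed: the on-premises ranges of the MGN
    connector and source servers) by how they reached the AWS service."""
    nets = [ipaddress.ip_network(c) for c in caller_cidrs]
    report = {"expected_endpoint": [], "unexpected_endpoint": [], "no_endpoint": []}
    for ev in records:
        if ev.get("eventSource") not in MGN_EVENT_SOURCES:
            continue
        try:
            ip = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # calls by AWS service principals carry a DNS name here
        if not any(ip in net for net in nets):
            continue
        vpce = ev.get("vpcEndpointId")
        if vpce is None:
            bucket = "no_endpoint"          # reached a public endpoint
        elif vpce in expected_vpce_ids:
            bucket = "expected_endpoint"
        else:
            bucket = "unexpected_endpoint"  # another VPC's endpoint
        report[bucket].append((ev.get("eventTime"), ev["eventSource"], ev.get("eventName"), vpce))
    return report


# Constructed sample records (not real CloudTrail output); only the fields used above.
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-01T10:00:00Z", "eventSource": "mgn.amazonaws.com", "eventName": "CreateSessionForMgn", "sourceIPAddress": "10.20.0.15", "vpcEndpointId": "vpce-EXAMPLE1"},
    {"eventTime": "2025-01-01T10:00:05Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "10.20.0.15"},
    {"eventTime": "2025-01-01T10:00:09Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "sourceIPAddress": "10.20.0.16", "vpcEndpointId": "vpce-EXAMPLE9"},
    {"eventTime": "2025-01-01T10:01:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation", "sourceIPAddress": "203.0.113.5", "vpcEndpointId": "vpce-EXAMPLE1"},
    {"eventTime": "2025-01-01T10:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "sourceIPAddress": "10.20.0.15"},
]
```

Any entry under no_endpoint or unexpected_endpoint points at a service whose DNS name is not being forwarded to the Route 53 inbound endpoint, or at a route that still leaves via the public internet.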

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.