Replication over private networks only - AWS Prescriptive Guidance

Replication over private networks only

The following diagram displays the architecture of the most restrictive scenario, where all traffic goes over the private channel (AWS VPN or AWS Direct Connect) between the source environment and AWS.

Diagram: Application Migration Service communications over private channel

The main components of this architecture are:

  • Source environment in the corporate data center (on the left). This is the environment to migrate from.

  • Staging environment in AWS with private virtual private cloud (VPC) and subnet (in the middle). This is the environment that Application Migration Service will use to create replication-related resources. These resources might include replication servers, conversion servers, and related Amazon Elastic Block Store (Amazon EBS) volumes and their Amazon Simple Storage Service (Amazon S3) snapshots.

  • VPN connection from the source environment to the staging VPC and subnet(s) to handle three types of traffic:

    • HTTPS/TCP port 443 for API communication

    • TCP port 1500 for data transfer

    • Domain Name System (DNS) traffic over UDP port 53

  • Target environment in AWS (on the right). This can be a completely isolated VPC or a subnet in the staging environment. (Note: There's no network connectivity requirement from the staging environment subnet to the target subnets.)

  • Amazon VPC interface endpoints for Application Migration Service, Amazon Elastic Compute Cloud (Amazon EC2), and Amazon S3 created in the staging environment, and an Amazon S3 VPC gateway endpoint that is accessible from the staging subnet.

  • DNS resolver inbound endpoint in the staging subnet. This is required so that the source systems can resolve the fully qualified domain names (FQDNs) of the VPC endpoints to private IP addresses over the VPN.
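The list above amounts to a checklist that the staging environment has to satisfy: the four VPC endpoints, an inbound resolver endpoint, and VPN-side ingress limited to the three traffic types from the source range. The following audit script is an added example written for this page, not code from AWS or from Application Migration Service. It works over a snapshot whose dictionaries follow the shapes of the EC2 DescribeSecurityGroups and DescribeVpcEndpoints responses and the Route 53 Resolver ListResolverEndpoints response, so real boto3 output can be substituted for the constructed sample; the region, VPC id, on-premises CIDR and resource ids are assumptions.

```python
"""Added example (not from the AWS page): audit a snapshot of the MGN staging
VPC against the private-only replication architecture described above.
Input dictionaries mirror EC2 DescribeSecurityGroups / DescribeVpcEndpoints and
Route 53 Resolver ListResolverEndpoints, so real boto3 output can be dropped in.
Every value below is constructed for illustration."""
import ipaddress

REGION = "us-east-1"              # assumed region
STAGING_VPC_ID = "vpc-0staging"   # constructed id of the staging VPC
ONPREM_CIDR = "10.10.0.0/16"      # assumed source data-center range reached over the VPN

# The three traffic types the page lists for the VPN from the source environment.
REQUIRED_INGRESS = {("tcp", 443), ("tcp", 1500), ("udp", 53)}


def required_endpoints(region):
    """Endpoints the page calls for: MGN, EC2 and S3 interface endpoints plus the S3 gateway."""
    return {
        (f"com.amazonaws.{region}.mgn", "Interface"),
        (f"com.amazonaws.{region}.ec2", "Interface"),
        (f"com.amazonaws.{region}.s3", "Interface"),
        (f"com.amazonaws.{region}.s3", "Gateway"),
    }


def check_endpoints(endpoints, region=REGION):
    """Return the required (service, type) pairs that are not present and 'available'."""
    present = {(e["ServiceName"], e["VpcEndpointType"])
               for e in endpoints if e.get("State") == "available"}
    return sorted(required_endpoints(region) - present)


def check_ingress(groups, onprem_cidr=ONPREM_CIDR):
    """Compare the staging-side security groups with the on-prem-only traffic model.

    Returns (missing, excess): required (proto, port) pairs no group allows, and
    rules whose source is wider than the on-prem CIDR or whose protocol/port
    range reaches beyond the three required entries. Coverage is the union over
    all groups, since 53/udp, 443/tcp and 1500/tcp usually land on different ones."""
    allowed = ipaddress.ip_network(onprem_cidr)
    covered, excess = set(), []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
            # IPv6 and security-group sources are outside the page's model; surface them for review.
            for extra in perm.get("Ipv6Ranges", []) + perm.get("UserIdGroupPairs", []):
                excess.append((sg["GroupId"], proto, lo, hi,
                               extra.get("CidrIpv6") or extra.get("GroupId")))
            for rng in perm.get("IpRanges", []):
                src = ipaddress.ip_network(rng["CidrIp"])
                # "-1" means all protocols; any source not inside the on-prem range is too broad.
                if proto == "-1" or not src.subnet_of(allowed):
                    excess.append((sg["GroupId"], proto, lo, hi, rng["CidrIp"]))
                    continue
                wanted = {(p, port) for (p, port) in REQUIRED_INGRESS
                          if p == proto and lo <= port <= hi}
                if len(wanted) != hi - lo + 1:   # rule spans ports beyond the required ones
                    excess.append((sg["GroupId"], proto, lo, hi, rng["CidrIp"]))
                covered |= wanted
    return sorted(REQUIRED_INGRESS - covered), excess


def check_resolver(resolver_endpoints, staging_vpc_id=STAGING_VPC_ID):
    """True if an operational inbound resolver endpoint exists in the staging VPC."""
    return any(r["Direction"] == "INBOUND" and r["Status"] == "OPERATIONAL"
               and r["HostVPCId"] == staging_vpc_id for r in resolver_endpoints)


def audit(snapshot):
    """Run all checks; an empty list means the snapshot matches the architecture."""
    findings = [f"missing {kind} endpoint for {svc}"
                for svc, kind in check_endpoints(snapshot["endpoints"])]
    missing, excess = check_ingress(snapshot["staging_sgs"])
    findings += [f"no ingress rule for {p}/{port}" for p, port in missing]
    findings += [f"over-broad ingress {rule}" for rule in excess]
    if not check_resolver(snapshot["resolver_endpoints"]):
        findings.append("no operational inbound resolver endpoint in staging VPC")
    return findings


def _sg(group_id, proto, port):
    """Build a constructed one-rule security group that admits only the on-prem range."""
    return {"GroupId": group_id, "IpPermissions": [
        {"IpProtocol": proto, "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": ONPREM_CIDR}]}]}


# Constructed snapshot of a staging environment that satisfies the checklist.
COMPLIANT = {
    "endpoints": [
        {"VpcEndpointId": "vpce-0mgn", "ServiceName": f"com.amazonaws.{REGION}.mgn",
         "VpcEndpointType": "Interface", "State": "available"},
        {"VpcEndpointId": "vpce-0ec2", "ServiceName": f"com.amazonaws.{REGION}.ec2",
         "VpcEndpointType": "Interface", "State": "available"},
        {"VpcEndpointId": "vpce-0s3i", "ServiceName": f"com.amazonaws.{REGION}.s3",
         "VpcEndpointType": "Interface", "State": "available"},
        {"VpcEndpointId": "vpce-0s3g", "ServiceName": f"com.amazonaws.{REGION}.s3",
         "VpcEndpointType": "Gateway", "State": "available"},
    ],
    "staging_sgs": [_sg("sg-0endpoints", "tcp", 443),
                    _sg("sg-0replication", "tcp", 1500),
                    _sg("sg-0resolver", "udp", 53)],
    "resolver_endpoints": [{"Id": "rslvr-in-0", "Direction": "INBOUND",
                            "Status": "OPERATIONAL", "HostVPCId": STAGING_VPC_ID}],
}

if __name__ == "__main__":
    print("findings:", audit(COMPLIANT))
```

Feeding it live data means calling `describe_vpc_endpoints`, `describe_security_groups` and `list_resolver_endpoints` for the staging VPC and placing the returned lists under the same three keys. A `0.0.0.0/0` source on port 1500 or an "all traffic" rule shows up as an over-broad finding, which is exactly the case this architecture exists to rule out.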