How do I resolve cross-account connectivity issues with AWS DMS replication instances for database migration between source and target endpoints?
I want to resolve connection issues to my cross-account AWS Database Migration Service (AWS DMS) endpoints from the replication instance within a private network.
Resolution
Make sure that your network meets the network configuration requirements described in the next section. To resolve network connectivity errors, use one of the following methods:
- Create a direct networking connection with Amazon Virtual Private Cloud (Amazon VPC) Peering.
- Set up AWS PrivateLink for service-to-service connectivity with minimal network changes and without a dependency on non-overlapping Classless Inter-Domain Routing (CIDR) blocks.
- Use AWS Transit Gateway to interconnect multiple virtual private clouds (VPCs) across the accounts and on-premises networks.
Network configuration requirements
To confirm that your replication instance has the network configuration requirements, take the following actions:
- Make sure that you have an outbound rule for the IP address with the port of the source or target database in the security group and network access control list (network ACL). By default, the outbound rule of a security group and network ACL allows all traffic.
- Check that you have an inbound rule for the IP address with the ephemeral ports of the source or target database in the network ACL. By default, the inbound rule of a network ACL allows all traffic.
- Make sure that you have a route table with the route added for VPC peering and transit gateway for cross-account access.
To confirm that your source or target database has the network configuration requirements, take the following actions:
- Make sure that you have an inbound rule for the IP address of the replication instance or the CIDR block of the subnet group of the replication instance. The inbound rule must include the port of the source or target database in the security group and the network ACL. Confirm that there's no explicit deny rule for the IP address and port.
- Make sure that you have an outbound rule for the IP address or the CIDR block of the subnet group of the replication instance with ephemeral ports in the network ACL. By default, the outbound rule of a network ACL allows all traffic.
- Make sure that you have a route table with the route added for VPC peering and transit gateway for cross-account access.
Note: It's a best practice to configure your network to allow the CIDR block of the subnet group of the replication instance. The IP address of the replication instance changes during a failover or host replacement event.
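As an added example (not code from AWS or this article), the following Python script evaluates the two checklists above offline, for both directions of the AWS DMS connection, against security group, network ACL and route table rules written as plain dictionaries. The rule shape, the 1024-65535 ephemeral port range, and the sample CIDR blocks and gateway IDs are constructed assumptions.

```python
from ipaddress import ip_network

EPHEMERAL = (1024, 65535)  # assumed ephemeral port range of the replication instance

def _covers(rule_cidr, cidr):  # True when the rule's CIDR contains the peer CIDR
    return ip_network(cidr).subnet_of(ip_network(rule_cidr))
def _ports(rule, lo, hi):  # True when the rule's port range contains lo..hi
    return rule["from_port"] <= lo and hi <= rule["to_port"]

def nacl_allows(rules, direction, cidr, lo, hi):
    """Stateless: the first rule (by rule number) matching the CIDR and the whole port range decides."""
    for r in sorted((r for r in rules if r["direction"] == direction), key=lambda r: r["rule_no"]):
        if _covers(r["cidr"], cidr) and _ports(r, lo, hi):
            return r["action"] == "allow"
    return False  # nothing matched: the implicit '*' deny rule applies

def sg_allows(rules, direction, cidr, port):  # security groups: stateful allow-list, no deny rules
    return any(r["direction"] == direction and _covers(r["cidr"], cidr)
               and _ports(r, port, port) for r in rules)

def has_route(routes, remote_cidr):  # the remote VPC must route via a peering or transit gateway
    return any(_covers(r["destination"], remote_cidr)
               and r["target"].startswith(("pcx-", "tgw-")) for r in routes)

def check_dms_path(repl, db):
    """Return the violated requirements; repl and db each carry cidr, sg, nacl, routes (db also port)."""
    p, eph = db["port"], EPHEMERAL
    checks = [
        ("replication SG egress to database port", sg_allows(repl["sg"], "egress", db["cidr"], p)),
        ("replication NACL egress to database port", nacl_allows(repl["nacl"], "egress", db["cidr"], p, p)),
        ("replication NACL ephemeral ingress", nacl_allows(repl["nacl"], "ingress", db["cidr"], *eph)),
        ("replication route to database VPC", has_route(repl["routes"], db["cidr"])),
        ("database SG ingress from subnet group CIDR", sg_allows(db["sg"], "ingress", repl["cidr"], p)),
        ("database NACL ingress on database port", nacl_allows(db["nacl"], "ingress", repl["cidr"], p, p)),
        ("database NACL ephemeral egress", nacl_allows(db["nacl"], "egress", repl["cidr"], *eph)),
        ("database route to replication VPC", has_route(db["routes"], repl["cidr"])),
    ]
    return [f"missing: {label}" for label, ok in checks if not ok]

def rule(direction, cidr, lo=0, hi=65535, action="allow", rule_no=100):  # console-style rule record
    return dict(direction=direction, cidr=cidr, from_port=lo, to_port=hi, action=action, rule_no=rule_no)

# Constructed sample: an explicit deny (rule 90) shadows the allow-all rule 100 on the database NACL,
# and the database route table has no route back to the replication instance VPC.
ANY = "0.0.0.0/0"
REPL = {"cidr": "10.0.0.0/24", "sg": [rule("egress", ANY)], "nacl": [rule("egress", ANY), rule("ingress", ANY)],
        "routes": [{"destination": "10.1.0.0/16", "target": "pcx-0123"}]}
DB = {"cidr": "10.1.0.0/16", "port": 5432, "sg": [rule("ingress", "10.0.0.0/24", 5432, 5432)],
      "nacl": [rule("ingress", "10.0.0.0/24", 5432, 5432, "deny", 90), rule("ingress", ANY), rule("egress", ANY)],
      "routes": []}
```

Running `check_dms_path(REPL, DB)` reports the shadowed NACL allow and the missing return route; fixing both in the sample data yields an empty list.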
Create a VPC peering connection
Prerequisite: Make sure that both VPCs have non-overlapping CIDR blocks. You must have access to both the requester and accepter accounts.
Complete the following steps:
- Activate Domain Name System (DNS) hostnames and DNS resolution in both VPCs.
- Create a VPC peering connection.
- Accept the peering connection.
- Turn on DNS resolution.
- Update your route tables.
Set up PrivateLink for service-to-service connectivity
To connect the accounts with AWS PrivateLink, create the endpoint service and Network Load Balancer in the target account. Then, create the AWS DMS replication instance and a VPC endpoint in the source account.
In the following example, the source AWS DMS replication instance account is the service consumer and the target Amazon RDS database account is the service provider.
To create a target group, complete the following steps:
- Open the Amazon EC2 console.
- Create a target group.
- In the Settings section, specify the following:
For Target type, choose IP addresses.
For Target Group, enter a name.
For Protocol, choose TCP.
For Port, choose 80.
For IP address type, choose your IP address type.
For VPC, select the VPC where the RDS database exists.
- In the Health checks section, choose TCP.
- Choose Next.
- In the Register targets - recommended section, specify the following:
For Network, select a network.
For Enter an IPv4 address from a VPC subnet, specify the RDS IP address.
For Ports, specify the database port.
- Choose Next.
- Choose Create target group.
To create the Network Load Balancer, complete the following steps in the target account:
- Create a Network Load Balancer.
For Load balancer name, enter a name.
For Scheme, choose Internal.
For Load balancer IP address type, choose IPv4.
For VPC, select a VPC that matches your target database.
For Availability Zone, select an Availability Zone that matches your target database.
For Security groups, select the security group that accepts traffic from the CIDR block or IP address of the source AWS DMS replication instance on the listener port (80 or your custom port).
For Listener Protocol, select TCP.
For Port, select 80 or custom port.
For Target Group, select the target group that you created in the preceding section.
- Review your configuration, and then choose Create load balancer.
- In the Details page, choose the Attributes tab, and then choose Edit.
- In the Availability Zone routing configuration section, choose Enable cross-zone load balancing.
- Choose Save changes.
To create an endpoint service in the target account that points to the Network Load Balancer, complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Endpoint services.
- Choose Create endpoint service.
- For Load balancer type, choose Network.
- For Available load balancers, select the Network Load Balancer that you created in the preceding section.
Note: Make sure that the Network Load Balancer is in Active state.
- (Optional) To make your endpoint service available from AWS Regions other than the Region where it's hosted, select your Regions from Service Regions. For more information, see Cross-Region access.
- For Require acceptance for endpoint, choose Acceptance required.
Note: If you don't select Acceptance required, then the requests are accepted automatically.
- For Enable private DNS name, choose Associate a private DNS name with the service, and then enter the private DNS name. Note that service consumers can use the endpoint-specific DNS name provided by AWS.
Note: Before service consumers can use the private DNS name, the service provider must verify that they own the domain. For more information, see Manage DNS names.
- For Supported IP address types, select your IP address type.
- (Optional) To add a tag, choose Add new tag, and then enter the tag key and the tag value.
- Choose Create.
To manage permissions for your endpoint service, complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Endpoint services.
- Select the endpoint service, and then choose the Allow principals tab.
- To add permissions, choose Allow principals.
- For Principals to add, select the AWS Identity and Access Management (IAM) principal that you used to configure AWS DMS replication in the source account.
- Choose the Details tab, and then note the Service name for when you create a VPC endpoint in the next steps.
To create a VPC endpoint in the source account, complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Endpoints.
- Choose Create endpoint.
For Type, choose Endpoint services that use NLBs and GWLBs.
For Service name, enter the endpoint Service name from the preceding section.
- Choose Verify service.
- For VPC, select the VPC where your AWS DMS replication instance and required subnets exist.
- For Security groups, select the security group that accepts traffic from the CIDR block or IP address of the source AWS DMS replication instance on the listener port (80 or your custom port).
- Choose Create endpoint.
In the target account, accept the connection request from the Endpoint services. Then, note the DNS name in the Details tab.
To test the connectivity, create the DMS endpoint in the source account. Make sure that the Server name is the DNS name that you noted in the preceding step.
Use a Transit Gateway for cross-account access
To share a Transit Gateway, you must have an AWS Site-to-Site VPN attachment that you create in the same AWS account that owns the transit gateway. Make sure that you also have an attachment to an AWS Direct Connect gateway that uses a transit gateway association. Note that your attachment to an AWS Direct Connect gateway can be in the same account as the Direct Connect gateway or a different account.
To share a Transit Gateway, complete the following steps:
- Create a transit gateway.
- Use AWS Resource Access Manager (AWS RAM) to create a resource share in your source account.
For Resource type, choose Transit Gateways. Then, select your Transit Gateway.
- Accept the resource share in your target account.
- In each account, create a transit gateway attachment with the following configurations:
For Transit gateway ID, select the shared Transit Gateway.
For Attachment type, choose VPC.
For VPC ID, select the VPC that you want to attach.
For Subnet IDs, select your subnets.
Note: It's a best practice to choose one subnet per Availability Zone.
- Choose Create transit gateway attachment.
- If the attachment state is Pending in your source account, then manually accept the shared attachment.
- In each account, add the route to your route table with the following configurations:
For Destination, enter the CIDR block of the remote VPCs that you want to reach.
For Target, choose Transit Gateway.
- Choose Save changes.
To configure the Transit Gateway route tables in your source account, complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Transit gateway route tables.
- Select your route table.
- Confirm that you set Default propagation route table to Yes.
- (Optional) Add static routes for specific routing requirements.