This page describes how to configure network connectivity to Amazon RDS for Oracle sources for heterogeneous Oracle to AlloyDB for PostgreSQL migrations with Database Migration Service.
There are three different methods you can use to configure the necessary network connectivity for migrations from Amazon RDS for Oracle sources:
- Public IP allowlist
- Forward-SSH tunnel
- Requires Cloud VPN or Cloud Interconnect: Private IP connectivity with Virtual Private Cloud peering
To learn more about source database network connectivity, see Source networking methods overview.
Configure IP allowlist connectivity
To use the public IP allowlist connectivity method, follow these steps:
- In the AWS Management Console, perform the following steps:
- Ensure that your source Amazon RDS database is configured for public IP connections.
- Identify the endpoint name and port number. You need to enter these values when you create the connection profile.
For more information about preparing your Amazon RDS for Oracle instance, see Connecting to your Oracle DB instance in the Amazon RDS documentation.
Create a security group that allows traffic from Database Migration Service to your Amazon RDS VPC. See Provide access to your DB instance in your VPC by creating a security group.
Make sure you allow all Database Migration Service public IP addresses for the region where you create the migration job.
- At a later stage, when you
create the source connection profile, do the following:
- In the Define connection details section, use your instance's endpoint name for the source database IP.
- In the Define connectivity method section, select IP allowlist.
Configure connectivity over a forward-SSH tunnel
To connect to your source database with a Secure Shell (SSH) tunnel, follow these steps:
-
Launch an Amazon EC2 instance to serve as a dedicated forward-SSH tunnel. Make sure you configure it in the same Amazon VPC where you have your source Amazon RDS for Oracle.
For more information, see Get started with Amazon EC2 in the Amazon documentation.
-
Connect to your EC2 instance and set up the SSH tunnel.
Follow these steps:
- Create a separate, dedicated user account for Database Migration Service to
connect as:
adduser TUNNEL_ACCOUNT_USERNAME
- Restrict shell access for the Database Migration Service account to
enhance security:
usermod -s /usr/sbin/nologin TUNNEL_ACCOUNT_USERNAME
Decide what authentication method you want Database Migration Service to use when connecting to the tunnel.
You can use a password, or generate SSH keys in the
PEM
format that you can later upload to Database Migration Service when you create the source connection profile.- If you want to use a password, you don't need to configure anything additional. Remember what password you created for the TUNNEL_ACCOUNT_USERNAME account.
- If you want to use key-based authentication, you need to generate
a private-public key pair. For example, you can use the
ssh-keygen
utility:- Generate the key pair:
ssh-keygen -m PEM -f YOUR_KEY_NAME
- Copy the public key (
YOUR_KEY_NAME.pub
) to the~/.ssh/
directory on your tunnel server. - Save the private key. You need to upload it later to Database Migration Service when you create the source connection profile.
- Generate the key pair:
- Edit the
/etc/ssh/sshd_config
file to configure the forward-SSH tunnel to match your organization's requirements. We recommend using the following settings:# Only allow the Database Migration Service user to connect. AllowUsers TUNNEL_ACCOUNT_USERNAME # Send keep-alive packets every 60 seconds to ensure that # the tunnel doesn't close during the migration ServerAliveInterval=60 # Optional: Force key-based authentication PasswordAuthentication no # Enables Database Migration Service to connect from a different host PermitTunnel yes GatewayPorts yes
- Run the
ssh
command to start the tunnel.Before using any of the command data below, make the following replacements:
- TUNNEL_SERVER_SSH_PORT with the port number where your server is listening for SSH connections.
- SOURCE_DATABASE_PRIVATE_IP with the private IP address of your source database. The SSH server needs to be able to reach that IP.
- SOURCE_DATABASE_PORT with the port number
where your source database is listening for connections. The default port
number for TCP connections on Oracle is
1433
. - USERNAME with the name of the user account that will be running the tunnel. This is a separate account from TUNNEL_ACCOUNT_USERNAME.
- TUNNEL_SERVER_PUBLIC_IP with the public IP of your SSH tunnel server.
ssh -N -L \ TUNNEL_SERVER_SSH_PORT:SOURCE_DATABASE_PRIVATE_IP:SOURCE_DATABASE_PORT \ USERNAME@TUNNEL_SERVER_PUBLIC_IP
- Create a separate, dedicated user account for Database Migration Service to
connect as:
- At a later stage, when you
create the source connection profile, do the following:
- In the Define connection details section, use your instance's endpoint name for the source database IP.
- In the Define connectivity method section, select Forward-SSH tunnel.
- Provide the public IP address or hostname of your SSH server.
- Provide the port that you designated for the SSH connections on the tunnel server.
- Enter the username for the user you created for Database Migration Service to connect as (that is, the value of TUNNEL_ACCOUNT_USERNAME).
- From the Authentication method drop-down menu, select
the authentication method you want to use with TUNNEL_ACCOUNT_USERNAME:
- If you want to use the user password, select Password and enter TUNNEL_ACCOUNT_USERNAME password in the form.
- If you configured your SSH server to use key-based authentication,
select Private/Public key pair and upload the private key
you generated in with the
ssh-keygen
command.
Configure private connectivity with VPC peering
To use private connectivity with Amazon RDS for Oracle sources, you need to have a Cloud VPN or Cloud Interconnect configured in the same VPC network where you intend to create the private connectivity configuration for Database Migration Service. If you can't create the private connectivity configuration in the VPC network where you have your Cloud VPN or Cloud Interconnect, then you also need a reverse proxy Virtual Machine (VM) on Compute Engine to establish the connection.
If you can't use Cloud VPN or Cloud Interconnect, we recommend that you use the forward-SSH tunnel or the IP allowlist connectivity methods instead.
To use private connectivity with VPC peering and Cloud VPN, follow these steps:
-
Set up direct connectivity with Cloud VPN to your Amazon RDS for PostgreSQL instance.
For more information, see Create HA VPN connections between Google Cloud and AWS in the Cloud VPN documentation.
- Optional: If you can't create the private connectivity configuration in the same VPC network where you have the Cloud VPN, create a reverse proxy Virtual Machine (VM) on Compute Engine to forward the connections between VPCs.
- In Database Migration Service, create a private connectivity configuration to peer with the VPC network where you have your Cloud VPN.
- At a later stage, when you
create the source connection profile, do the following:
- In the Define connection details section, enter the private IP of your source Amazon RDS instance.
- In the Define connectivity method section, select Private connectivity (VPC peering).
- From the drop-down menu, select the private connectivity configuration you created in the previous step.