Configure network connectivity to Amazon RDS for Oracle sources

This page describes how to configure network connectivity to Amazon RDS for Oracle sources for heterogeneous Oracle to AlloyDB for PostgreSQL migrations with Database Migration Service.

There are three different methods you can use to configure the necessary network connectivity for migrations from Amazon RDS for Oracle sources:

To learn more about source database network connectivity, see Source networking methods overview.

Configure IP allowlist connectivity

To use the public IP allowlist connectivity method, follow these steps:

  1. In the AWS Management Console, perform the following steps:
    1. Ensure that your source Amazon RDS database is configured for public IP connections.
    2. Identify the endpoint name and port number. You need to enter these values when you create the connection profile.

    For more information about preparing your Amazon RDS for Oracle instance, see Connecting to your Oracle DB instance in the Amazon RDS documentation.

  2. Create a security group that allows traffic from Database Migration Service to your Amazon RDS VPC. See Provide access to your DB instance in your VPC by creating a security group.

    Make sure you allow all Database Migration Service public IP addresses for the region where you create the migration job.

  3. At a later stage, when you create the source connection profile, do the following:
    1. In the Define connection details section, use your instance's endpoint name for the source database IP.
    2. In the Define connectivity method section, select IP allowlist.

Configure connectivity over a forward-SSH tunnel

To connect to your source database with a Secure Shell (SSH) tunnel, follow these steps:

  1. Launch an Amazon EC2 instance to serve as a dedicated forward-SSH tunnel. Make sure you configure it in the same Amazon VPC where you have your source Amazon RDS for Oracle.

    For more information, see Get started with Amazon EC2 in the Amazon documentation.

  2. Connect to your EC2 instance and set up the SSH tunnel. Follow these steps:
    1. Create a separate, dedicated user account for Database Migration Service to connect as:
      adduser TUNNEL_ACCOUNT_USERNAME
    2. Restrict shell access for the Database Migration Service account to enhance security:
      usermod -s /usr/sbin/nologin TUNNEL_ACCOUNT_USERNAME
    3. Decide what authentication method you want Database Migration Service to use when connecting to the tunnel.

      You can use a password, or generate SSH keys in the PEM format that you can later upload to Database Migration Service when you create the source connection profile.

      • If you want to use a password, you don't need to configure anything additional. Remember what password you created for the TUNNEL_ACCOUNT_USERNAME account.
      • If you want to use key-based authentication, you need to generate a private-public key pair. For example, you can use the ssh-keygen utility:
        1. Generate the key pair:
              ssh-keygen -m PEM -f YOUR_KEY_NAME
              
        2. Copy the public key (YOUR_KEY_NAME.pub) to the ~/.ssh/ directory on your tunnel server.
        3. Save the private key. You need to upload it later to Database Migration Service when you create the source connection profile.
    4. Edit the /etc/ssh/sshd_config file to configure the forward-SSH tunnel to match your organization's requirements. We recommend using the following settings:
      # Only allow the Database Migration Service user to connect.
      AllowUsers TUNNEL_ACCOUNT_USERNAME
      
      # Send keep-alive packets every 60 seconds to ensure that
      # the tunnel doesn't close during the migration
      ServerAliveInterval=60
      
      # Optional: Force key-based authentication
      PasswordAuthentication no
      
      # Enables Database Migration Service to connect from a different host
      PermitTunnel yes
      GatewayPorts yes
    5. Run the ssh command to start the tunnel.

      Before using any of the command data below, make the following replacements:

      • TUNNEL_SERVER_SSH_PORT with the port number where your server is listening for SSH connections.
      • SOURCE_DATABASE_PRIVATE_IP with the private IP address of your source database. The SSH server needs to be able to reach that IP.
      • SOURCE_DATABASE_PORT with the port number where your source database is listening for connections. The default port number for TCP connections on Oracle is 1433.
      • USERNAME with the name of the user account that will be running the tunnel. This is a separate account from TUNNEL_ACCOUNT_USERNAME.
      • TUNNEL_SERVER_PUBLIC_IP with the public IP of your SSH tunnel server.
      ssh -N -L \
      TUNNEL_SERVER_SSH_PORT:SOURCE_DATABASE_PRIVATE_IP:SOURCE_DATABASE_PORT \
      USERNAME@TUNNEL_SERVER_PUBLIC_IP
  3. At a later stage, when you create the source connection profile, do the following:
    1. In the Define connection details section, use your instance's endpoint name for the source database IP.
    2. In the Define connectivity method section, select Forward-SSH tunnel.
    3. Provide the public IP address or hostname of your SSH server.
    4. Provide the port that you designated for the SSH connections on the tunnel server.
    5. Enter the username for the user you created for Database Migration Service to connect as (that is, the value of TUNNEL_ACCOUNT_USERNAME).
    6. From the Authentication method drop-down menu, select the authentication method you want to use with TUNNEL_ACCOUNT_USERNAME:
      • If you want to use the user password, select Password and enter TUNNEL_ACCOUNT_USERNAME password in the form.
      • If you configured your SSH server to use key-based authentication, select Private/Public key pair and upload the private key you generated in with the ssh-keygen command.

Configure private connectivity with VPC peering

To use private connectivity with Amazon RDS for Oracle sources, you need to have a Cloud VPN or Cloud Interconnect configured in the same VPC network where you intend to create the private connectivity configuration for Database Migration Service. If you can't create the private connectivity configuration in the VPC network where you have your Cloud VPN or Cloud Interconnect, then you also need a reverse proxy Virtual Machine (VM) on Compute Engine to establish the connection.

If you can't use Cloud VPN or Cloud Interconnect, we recommend that you use the forward-SSH tunnel or the IP allowlist connectivity methods instead.

To use private connectivity with VPC peering and Cloud VPN, follow these steps:

  1. Set up direct connectivity with Cloud VPN to your Amazon RDS for PostgreSQL instance.

    For more information, see Create HA VPN connections between Google Cloud and AWS in the Cloud VPN documentation.

  2. Optional: If you can't create the private connectivity configuration in the same VPC network where you have the Cloud VPN, create a reverse proxy Virtual Machine (VM) on Compute Engine to forward the connections between VPCs.
  3. In Database Migration Service, create a private connectivity configuration to peer with the VPC network where you have your Cloud VPN.
  4. At a later stage, when you create the source connection profile, do the following:
    1. In the Define connection details section, enter the private IP of your source Amazon RDS instance.
    2. In the Define connectivity method section, select Private connectivity (VPC peering).
    3. From the drop-down menu, select the private connectivity configuration you created in the previous step.