# Connect to Application Migration Service data and control planes over a private network
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network"></a>

*Dipin Jain and Mike Kuznetsov, Amazon Web Services*

## Summary
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-summary"></a>

This pattern explains how you can connect to an AWS Application Migration Service data plane and control plane on a private, secured network by using interface VPC endpoints.

Application Migration Service is a highly automated lift-and-shift (rehost) solution that simplifies, expedites, and reduces the cost of migrating applications to AWS. It enables companies to rehost a large number of physical, virtual, or cloud servers without compatibility issues, performance disruption, or long cutover windows. Application Migration Service is available from the AWS Management Console. This enables seamless integration with other AWS services, such as AWS CloudTrail, Amazon CloudWatch, and AWS Identity and Access Management (IAM).

You can connect from a source data center to a data plane—that is, to a subnet that serves as a staging area for data replication in the destination VPC—over a private connection by using Site-to-Site VPN services, AWS Direct Connect, or VPC peering in Application Migration Service. You can also use [interface VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) powered by AWS PrivateLink to connect to an Application Migration Service control plane over a private network. 

## Prerequisites and limitations
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-prereqs"></a>

**Prerequisites **
+ **Staging area subnet** – Before you set up Application Migration Service, create a subnet to be used as a staging area for data replicated from your source servers to AWS (that is, a data plane). You must specify this subnet in the [Replication Settings template](https://docs.aws.amazon.com/mgn/latest/ug/template-vs-server.html) when you first access the Application Migration Service console. You can override this subnet for specific source servers in the Replication Settings template. Although you can use an existing subnet in your AWS account, we recommend that you create a new, dedicated subnet for this purpose.
+ **Network requirements** – The replication servers that are launched by Application Migration Service in your staging area subnet have to be able to send data to the Application Migration Service API endpoint at `https://mgn.<region>.amazonaws.com/`, where `<region>` is the code for the AWS Region you are replicating to (for example, `https://mgn.us-east-1.amazonaws.com`). Amazon Simple Storage Service (Amazon S3) service URLs are required for downloading Application Migration Service software.
  + The AWS Replication Agent installer should have access to the Amazon Simple Storage Service (Amazon S3) bucket URL of the AWS Region you are using with Application Migration Service.
  + The staging area subnet should have access to Amazon S3.
  + The source servers on which the AWS Replication Agent is installed must be able to send data to the replication servers in the staging area subnet and to the Application Migration Service API endpoint at `https://mgn.<region>.amazonaws.com/`.

The following table lists the required ports.


| 
| 
| Source | Destination | Port | For more information, see | 
| --- |--- |--- |--- |
| Source data center | Amazon S3 service URLs | 443 (TCP) | [Communication over TCP port 443](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#TCP-443) | 
| Source data center | AWS Region-specific console address for Application Migration Service | 443 (TCP) | [Communication between the source servers and Application Migration Service over TCP port 443](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#Source-Manager-TCP-443) | 
| Source data center | Staging area subnet | 1500 (TCP) | [Communication between the source servers and the staging area subnet over TCP port 1500](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#Communication-TCP-1500) | 
| Staging area subnet | AWS Region-specific console address for Application Migration Service | 443 (TCP) | [Communication between the staging area subnet and Application Migration Service over TCP port 443](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#Communication-TCP-443-Staging) | 
| Staging area subnet | Amazon S3 service URLs | 443 (TCP) | [Communication over TCP port 443](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#TCP-443) | 
| Staging area subnet | Amazon Elastic Compute Cloud (Amazon EC2) endpoint of the subnet’s AWS Region | 443 (TCP) | [Communication over TCP port 443](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#TCP-443) | 

** Limitations**

Application Migration Service isn’t currently available in all AWS Regions and operating systems.
+ [Supported AWS Regions](https://docs.aws.amazon.com/mgn/latest/ug/supported-regions.html)
+ [Supported operating systems](https://docs.aws.amazon.com/mgn/latest/ug/Supported-Operating-Systems.html)

## Architecture
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-architecture"></a>

The following diagram illustrates the network architecture for a typical migration. For more information about this architecture, see the [Application Migration Service documentation](https://docs.aws.amazon.com/mgn/latest/ug/Network-Settings-Video.html) and the [Application Migration Service service architecture and network architecture video](https://youtu.be/ao8geVzmmRo).

![\[Network architecture for Application Migration Service for a typical migration\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/21346c0f-0643-4f4f-b21f-fdfe24fc6a8f/images/546598b2-8026-4849-a441-eaa2bc2bf6bb.png)


The following detailed view shows the configuration of interface VPC endpoints in the staging area VPC to connect Amazon S3 and Application Migration Service.

![\[Network architecture for Application Migration Service for a typical migration - detailed view\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/21346c0f-0643-4f4f-b21f-fdfe24fc6a8f/images/bd0dfd42-4ab0-466f-b696-804dedcf4513.png)


## Tools
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-tools"></a>
+ [AWS Application Migration Service](https://docs.aws.amazon.com/mgn/latest/ug/what-is-application-migration-service.html) simplifies, expedites, and reduces the cost of rehosting applications on AWS.
+ [Interface VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) enable you to connect to services that are powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

## Epics
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-epics"></a>

### Create endpoints for Application Migration Service, Amazon EC2, and Amazon S3
<a name="create-endpoints-for-mgn-ec2-and-s3"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Configure the interface endpoint for Application Migration Service. | The source data center and staging area VPC connect privately to the Application Migration Service control plane through the interface endpoint that you create in the target staging area VPC. To create the endpoint:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/connect-to-application-migration-service-data-and-control-planes-over-a-private-network.html)For more information, see [Access an AWS service using an interface VPC endpoint in the Amazon VPC](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) documentation. | Migration lead | 
| Configure the interface endpoint for Amazon EC2. | The staging area VPC connects privately to the Amazon EC2 API through the interface endpoint that you create in the target staging area VPC. To create the endpoint, follow the instructions provided in the previous story.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/connect-to-application-migration-service-data-and-control-planes-over-a-private-network.html) | Migration lead | 
| Configure the interface endpoint for Amazon S3. | The source data center and staging area VPC connect privately to the Amazon S3 API through the interface endpoint that you create in the target staging area VPC. To create the endpoint, follow the instructions provided in the first story.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/connect-to-application-migration-service-data-and-control-planes-over-a-private-network.html)You use an interface endpoint because gateway endpoint connections cannot be extended out of a VPC. (For details, see the [AWS PrivateLink documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html).) | Migration lead | 
| Configure the Amazon S3 Gateway endpoint. | During the configuration phase, the replication server has to connect to an S3 bucket to download the AWS Replication Server’s software updates. However, Amazon S3 interface endpoints do not support private DNS names*,* and there is no way to supply an Amazon S3 endpoint DNS name to a replication server. To mitigate this issue, you create an Amazon S3 gateway endpoint in the VPC that the staging area subnet belongs to, and update the staging subnet’s route tables with the relevant routes. For more information, see [Create a gateway endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#create-gateway-endpoint-s3) in the AWS PrivateLink documentation. | Cloud administrator | 
| Configure on-premises DNS to resolve private DNS names for endpoints. | The interface endpoints for Application Migration Service and Amazon EC2 have private DNS names that can be resolved in the VPC. However, you also need to configure on-premises servers to resolve private DNS names for these interface endpoints.There are multiple ways to configure these servers. In this pattern, we tested this functionality by forwarding on-premises DNS queries to the Amazon Route 53 Resolver inbound endpoint in the staging area VPC. For more information, see [Resolving DNS queries between VPCs and your network](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html) in the Route 53 documentation. | Migration engineer | 

### Connect to the Application Migration Service control plane over a private link
<a name="connect-to-the-mgn-control-plane-over-a-private-link"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Install AWS Replication Agent by using AWS PrivateLink. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/connect-to-application-migration-service-data-and-control-planes-over-a-private-network.html)Here’s an example for Linux:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/connect-to-application-migration-service-data-and-control-planes-over-a-private-network.html)After you have established your connection with Application Migration Service and installed the AWS Replication Agent, follow the instructions in the [Application Migration Service documentation](https://docs.aws.amazon.com/mgn/latest/ug/migration-workflow-gs.html) to migrate your source servers to your target VPC and subnet. | Migration engineer | 

## Related resources
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-resources"></a>

**Application Migration Service documentation**
+ [Concepts](https://docs.aws.amazon.com/mgn/latest/ug/CloudEndure-Concepts.html)
+ [Migration workflow ](https://docs.aws.amazon.com/mgn/latest/ug/migration-workflow-gs.html)
+ [Quick start guide](https://docs.aws.amazon.com/mgn/latest/ug/quick-start-guide-gs.html)
+ [FAQ](https://docs.aws.amazon.com/mgn/latest/ug/FAQ.html)
+ [Troubleshooting](https://docs.aws.amazon.com/mgn/latest/ug/troubleshooting.html)

**Additional resources**
+ [Rehosting your applications in a multi-account architecture on AWS by using VPC interface endpoints](https://docs.aws.amazon.com/prescriptive-guidance/latest/rehost-multi-account-architecture-interface-endpoints/) (AWS Prescriptive Guidance guide)
+ [AWS Application Migration Service – A Technical Introduction](https://www.aws.training/Details/eLearning?id=71732) (AWS Training and Certification walkthrough)
+ [AWS Application Migration Service architecture and network architecture](https://youtu.be/ao8geVzmmRo) (video)

## Additional information
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-additional"></a>

**Troubleshooting ***AWS ***Replication Agent installations on Linux servers**

If you get a **gcc** error on an Amazon Linux server, configure the package repository and use the following command:

```
## sudo yum groupinstall "Development Tools"
```