FAQ About Network Security

What Security Measures Does DTS Provide?

DTS provides security measures from the following three dimensions:

• Account security

  Based on the complete account permission management system of eSurfing Cloud, DTS implements strict tenant isolation and fine-grained access control for all resources, ensuring user account security, data security, and operational security.

• Network security

  Leveraging virtual private clouds (VPCs), DTS implements network isolation for resources of different users.

  Leveraging network access control lists (ACLs) and security groups, DTS implements security control for inbound and outbound network traffic of databases and DTS instances.

• Data transmission security

  DTS supports SSL-encrypted connections between source databases and destination databases to ensure data security during migration and synchronization.

How Can I Troubleshoot Network Interruptions Occur During Data Migration?

If a network interruption occurs during data migration, the DTS instance automatically retries to connect to the destination data store. If the connection is not restored after 20 minutes, DTS set the task to the Abnormal status. After the network connection is restored, you can go to the instance details page and click Start Task to restart the task. DTS then continues to transmit the data based on the transmission progress before the network interruption occurred.

How Can I Configure VPC Security Groups to Enable Network Connection?

Because the DTS instance and the destination database instance are deployed in the same VPC, use the same subnet, and are added to the same VPC security group, the DTS instance and the destination database instance can be connected by default. Therefore, to enable network connection for data migration, you need only to configure the security groups associated with the source database instance and the DTS instance separately.

Check the security group associated with the DTS instance

Create an outbound rule for the VPC security group associated with the DTS instance to allow traffic from the IP address and open the port of the source database instance. This allows the DTS instance to access the source database instance.

1. Go to the DTS instance details page to view the security group associated with the DTS instance.
   

2. Go to the VPC console, find the security group on the Security Group page, and then click Add Rule to add an outbound rule to allow the IP address and the port of the source database instance. If the IP address and port of the source database instance are already allowed, you do not need to add them again.

Configure the Security Group Associated with the Source Database Instance

Create an inbound rule for the VPC security group associated with the source database instance to allow access from the IP address of the DTS instance and open the port of the source database instance to allow the DTS instance to access the source database instance over the port.

1. Go to the DTS instance details page to view the IP address of the DTS instance.
   

2. Go to the console of the database service, such as MySQL, find the source database instance, and then view the security group associated with the instance.

3. Go to the VPC console, find the security group on the Security Group page, and then click Add Rule to add an inbound rule to allow the IP address of the DTS instance and open the port of the source database instance.
   

How Can I Troubleshoot an Issue of Network Connection Between a DTS Instance and a Database?

Before data migration, enable network connection and configure security rules required in the current scenario. For information about network connection scenarios, see Getting Started.

Note that because the DTS instance and the destination database instance are deployed in the same VPC, network connection between the DTS instance and the destination database instance is enabled by default. This section describes methods of troubleshooting issues of network connection between a source database instance and a DTS instance.

In-VPC Database Migration

By default, network connection between instances in the same VPC is enabled. If you do not set special configurations and the instances are associated with the same security group, you do not need to check the VPC security group configurations of the instances. Otherwise, check the security group rules of the source database instance and the DTS instance.

• Check the security group associated with the source database instance
  Check whether an inbound rule that allows access from the IP address of the DTS instance and opens the port of the source database instance exists. Such an inbound rule allows the source database instance to be accessed by the DTS instance.

• Check the security group associated with the DTS instance
  Check whether an outbound rule that allows the IP address of the DTS instance and the port of the source database instance exists. Such an outbound rule allows the DTS instance to access the source database instance.

Cross-cloud Database Migration

Databases can be migrated across clouds over the Internet. To migrate a database across clouds, you need to perform the following steps:

1. When purchasing a DTS instance, specify Public EIP as the network access mode.

   

2. Request a public endpoint for the source database instance. For example, if the source database instance in an Alibaba Cloud ApsaraDB RDS for MySQL instance, you must request a public endpoint for the database instance to allow database access over the Internet because ApsaraDB RDS for MySQL does not offer public endpoints for databases by default. For more information, see the documentation of the source database service.

After you complete the preceding steps, check the configurations of the security groups associated with the source database instance and the DTS instance separately to see whether the public IP address of the source database instance and the public EIP of the DTS instance are allowed. For more information, see In-VPC database migration.

On-premises Database Migration

On-premises databases can be migrated to eSurfing Cloud over the Internet. The procedure is similar to the procedure of cross-cloud database migration. To migrate an on-premises database, you must pay attention to the following items:

1. The on-premises database must be bound to a public IP address to allow the DTS instance to access the on-premises database over the Internet.

2. The on-premises database server and the data center firewall must allow access from the public EIP of the DTS instance and outbound traffic over the port of the on-premises database.

3. An outbound security group rule of the DTS instance must be created to allow outbound traffic from the public EIP of the DTS instance. For more information, see In-VPC database migration.

ECS-hosted Database Migration

You can troubleshoot a network connection issue occurred during the migration of a database hosted on an Elastic Cloud Server (ECS) instance according to the scenario. You must check whether the ECS instance and the destination database instance are deployed in the same VPC.

1. Same VPC: By default, the network connection is enabled. You need to check the security group rules.

2. Same resource pool but different VPCs: 1. Make sure that the CIDR block of the subnet to which the ECS instance IP address belongs is not conflicted with the CIDR block of the subnet to which the destination database instance IP address belongs. 2. Connect the ECS instance and the destination database instance by VPC peering.

3. Different resource pools and different VPCs: Resources in different resource pools can be connected only over the Internet. Therefore, you must request a public IP address for the source database instance, and the network access mode of the DTS instance must be set to Public EIP.

4. For information about how to check security group rules, see In-VPC database migration.

How Can I Enable Network Connection If the Source Database Instance and the Destination Database Instance are in Different VPCs?

If the source database instance and the destination database instance are deployed in different VPCs, you need to check whether they are in the same resource pool and then use the correct method to connect them.

• Same resource pool
  If the source database instance and the destination database instance are in the same resource pool, you can connect them by VPC peering. Note that you must make sure that there is no conflict between the CIDR blocks of the subnets to which the source database instance IP address and the destination database instance IP address belong.

• Different resource pools
  If the source database instance and the destination database instance are in different resource pools, they can be connected only over the Internet. To use a DTS instance to migrate data, you must request a public IP address for the source database instance to allow access over the Internet and set the network access mode of the DTS instance to Public EIP when purchasing the DTS instance.
  You must configure the following security group rules according to the scenario: an inbound rule of the security group associated with the source database instance to allow the IP address of the DTS instance and open the port of the source database instance, and an outbound rule of the security group associated with the DTS instance to allow the IP address of the DTS instance and the port of the source database instance.

What's the Bandwidth Quota of the Public EIP of a DTS Instance?

A DTS instance does not come with an EIP. You must bind an EIP to the DTS instance. You can use an existing EIP or purchase a new EIP on eSurfing Cloud Elastic IP. You specify the bandwidth of the EIP when you are purchasing the EIP.

By default, Elastic IP supports a bandwidth range from 1 Mbit/s to 300 Mbit/s. You can also submit a ticket to increase the bandwidth to 2,000 Mbit/s. For more information, see the Elastic IP documentation.

Does DTS Support Cross-account Database Migration?

Yes, DTS supports this feature.

Yes, DTS supports cross-account database migration. You can use a DTS instance to migrate your database if the source database and the destination database allow the DTS instance to connect to and access them over the specified networks.

For network access, DTS supports VPC networks and EIP-based Internet access.

DTS uses JDBC connections to connect to databases. You need only to make sure that the account that you use for database migration is granted the required permissions.