
I am experimenting with AWS DMS right now. I see that AWS DMS supports both VPC (DMS replication instance has to be confined to a VPC during creation) and interface VPC endpoints.

Question: If a resource can be confined to a VPC, and by default, only other resources within the VPC can access the confined resource, then why do we even need support for interface VPC endpoints?

Asked by user1872325
  • What do you mean by "AWS DMS supports"? Support in what sense? Any link to AWS docs describing the support? – Marcin Apr 14 '23 at 07:36
  • Please provide a link to the documentation you are reading. – John Rotenstein Apr 14 '23 at 08:32
  • AWS DMS support for interface VPC endpoints: "To confine your communications with AWS DMS within a single VPC, you can create a VPC interface endpoint that enables you to connect to AWS DMS through AWS PrivateLink." - from https://docs.aws.amazon.com/dms/latest/userguide/infrastructure-security.html – user1872325 Apr 14 '23 at 09:59
  • How to configure a VPC for the AWS DMS replication instance - https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.Creating.html – user1872325 Apr 14 '23 at 10:01

1 Answer

The "interface VPC endpoint" is not for resources that DMS can use. It is for the DMS service itself. It means that you can use AWS CLI/SDK to directly interact with DMS service from within a VPC, without the need for the internet.

Without the interface VPC endpoint, all API calls to the DMS service go through the internet, which may be a security issue.

Answered by Marcin
  • When the DMS replication instance can be confined to a VPC, can't I directly interact with the DMS service (probably from an EC2 instance within the same VPC) without the need for the Internet? In that case, why do I need to create a VPC interface endpoint? – user1872325 Apr 14 '23 at 10:12
  • @user1872325 The DMS service has **public endpoints** listed [here](https://docs.aws.amazon.com/general/latest/gr/dms.html). You always interact with the DMS service through the internet, unless you use VPC interface endpoints. That's why they exist - to not use the internet. – Marcin Apr 14 '23 at 10:32
  • @user1872325 How did it go? Is it still unclear what interface VPC endpoint is for DMS? – Marcin May 04 '23 at 00:58
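An added example, not from the answerer or the AWS docs, showing both halves of the answer: creating the PrivateLink interface endpoint for the DMS control-plane API with the AWS CLI, and a check (run from an EC2 instance inside the VPC) that the unchanged public DMS hostname now resolves to private endpoint addresses instead of public ones. Region, VPC, subnet and security-group IDs are placeholders, and the RFC 1918 helper is my own.

```shell
# Added example: interface VPC endpoint for the DMS API (control plane), plus a
# resolution check. All IDs below are placeholders, not values from the question.
set -eu

REGION="${REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
SUBNET_IDS="${SUBNET_IDS:-subnet-PLACEHOLDER-A subnet-PLACEHOLDER-B}"
SG_ID="${SG_ID:-sg-PLACEHOLDER}"   # must allow TCP/443 inbound from the API callers

# PrivateLink service name for the DMS API in a region.
dms_service_name() { printf 'com.amazonaws.%s.dms\n' "$1"; }

# Public API hostname the CLI/SDK use when no endpoint exists.
dms_public_host() { printf 'dms.%s.amazonaws.com\n' "$1"; }

# Returns 0 if an IPv4 address is in an RFC 1918 range (what an endpoint ENI gets).
is_rfc1918() {
  ip="$1"; a="${ip%%.*}"; rest="${ip#*.}"; b="${rest%%.*}"
  case "$a.$b" in 10.*) return 0 ;; 192.168) return 0 ;; esac
  [ "$a" = 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]
}

# Create the endpoint; private DNS makes the public hostname resolve inside the VPC.
create_endpoint() {
  aws ec2 create-vpc-endpoint \
    --region "$REGION" --vpc-id "$VPC_ID" \
    --vpc-endpoint-type Interface \
    --service-name "$(dms_service_name "$REGION")" \
    --subnet-ids $SUBNET_IDS \
    --security-group-ids "$SG_ID" \
    --private-dns-enabled \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# From an EC2 instance in the VPC: every address the hostname resolves to must be
# private, otherwise API calls are still leaving for the public endpoint.
verify_private_resolution() {
  host="$(dms_public_host "$REGION")"; ok=0
  for ip in $(getent ahostsv4 "$host" | awk '{print $1}' | sort -u); do
    if is_rfc1918 "$ip"; then echo "OK   $host -> $ip (endpoint ENI)"
    else echo "FAIL $host -> $ip (public address)"; ok=1; fi
  done
  return $ok
}

case "${1:-}" in
  create) create_endpoint ;;
  verify) verify_private_resolution ;;
esac
```

Pair the endpoint with a security group that only admits 443 from the callers you intend, and consider an endpoint policy that limits which DMS actions and principals may use it.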