add aws dms intergration doc

tidb-cloud/integrate-tidbcloud-with-aws-dms.md

@@ -0,0 +1,147 @@
+---
+title: Integrate TiDB Cloud with AWS DMS
+summary: Learn how to migrate data from/into TiDB Cloud.
+---
+
+# Integrate TiDB Cloud with AWS DMS
+
+[AWS Database Migration Service (AWS DMS)](https://aws.amazon.com/dms/) is a cloud service that makes it possible to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. You can use AWS DMS to migrate your data from or into TiDB Cloud clusters. This document describes how to connect AWS DMS to TiDB Cloud clusters.
+
+## Prerequisites
+
+### An AWS account with enough access
+
+You are expected to have an AWS account with enough access to manage DMS related resources. If you do not have, refer to the following AWS documents:
+
+- [Sign up for an AWS account](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_GettingStarted.SettingUp.html#sign-up-for-aws)
+- [Identity and access management for AWS Database Migration Service](https://docs.aws.amazon.com/dms/latest/userguide/security-iam.html)
+
+### A TiDB Cloud account and a TiDB cluster
+
+You are expected to have an account and a cluster in TiDB Cloud. If you do not have any, refer to the following to create one:
+
+- [Create a TiDB Serverless cluster](/tidb-cloud/create-tidb-cluster-serverless.md)
+- [Create a TiDB Dedicated cluster](/tidb-cloud/create-tidb-cluster.md)
+
+## Network configuration
+
+Before creating DMS resources, you need to configure network properly to ensure DMS can communicate with TiDB Cloud clusters. If you are not familiar with AWS, please contact AWS Support. We give several possible configurations here.
+
+<SimpleTab>
+<div label="TiDB Serverless">
+For TiDB Serverless, clients can connect to clusters via public endpoint or private endpoint. 
+
+To [connect via public endpoint](/tidb-cloud/connect-via-standard-connection-serverless.md), the DMS replication instance need to access the Internet.
+
+1. You can deploy the replication instance in public subnets and turn **Public accessible** on. Refer to [Configuration for internet access](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#vpc-igw-internet-access).
+
+2. You can deploy the replication instance in private subnets and route traffic in the private subnets to public subnets. In this case, you need at least three subnets, two private subnets and one public subnet. The two private subnets forms a subnet group where the replication instance lives in. Then you need to create a NAT gateway in the public subnet and route traffic of the two private subnets to the NAT gateway. Refer to [Access the internet from a private subnet](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html#public-nat-internet-access).
+
+To connect via private endpoint, [setup a private endpoint](/tidb-cloud/set-up-private-endpoint-connections-serverless.md) first and deploy the replication instance to private subnets.
+</div>
+
+<div label="TiDB Dedicated">
+For TiDB Dedicated, clients can connect to clusters via public endpoint, private endpoint or VPC peering. 
+
+To [connect via public endpoint](/tidb-cloud/connect-via-standard-connection.md), the DMS replication instance need to access the Internet. You need to also add the public IP of the replication instance or NAT gateway to the cluster's [IP access list](/tidb-cloud/configure-ip-access-list.md).
+
+1. You can deploy the replication instance in public subnets and turn **Public accessible** on. Refer to [Configuration for internet access](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#vpc-igw-internet-access).
+
+2. You can deploy the replication instance in private subnets and route traffic in the private subnets to public subnets. In this case, you need at least three subnets, two private subnets and one public subnet. The two private subnets forms a subnet group where the replication instance lives in. Then you need to create a NAT gateway in the public subnet and route traffic of the two private subnets to the NAT gateway. Refer to [Access the internet from a private subnet](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html#public-nat-internet-access).
+
+To connect via private endpoint, [setup a private endpoint](/tidb-cloud/set-up-private-endpoint-connections.md) first and deploy the replication instance to private subnets.
+
+To connect via VPC peering, [set up a VPC peering connection](/tidb-cloud/set-up-vpc-peering-connections.md) first and deploy the replication instance to private subnets.
+</div>
+</SimpleTab>
+
+## Create an AWS DMS replication instance
+
+1. Go to the [Replication instances](https://console.aws.amazon.com/dms/v2/home#replicationInstances) page in the AWS DMS console, and switch to the corresponding region. It is recommended to use the same region for AWS DMS as TiDB Cloud.
+
+   ![Create replication instance](/media/tidb-cloud/integration-dws-dms-1.png)
+
+2. Click **Create replication instance**.
+
+3. Fill in an instance name, ARN, and description.
+
+4. Fill in the instance configuration:
+    - **Instance class**: select an appropriate instance class. Refer to [Choosing replication instance types](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.Types.html).
+    - **Engine version**: use the default configuration.
+    - **High Availability**: select **Single-AZ** or **Multi-AZ** based on your business needs.
+
+5. Configure the storage in the **Allocated storage (GiB)** field.
+
+6. Configure connectivity and security. Check previous section for network configuration.
+    - **Network type - new**: select **IPv4**.
+    - **Virtual private cloud (VPC) for IPv4**: select the VPC that you need.
+    - **Replication subnet group**: choose a subnet group for your replication instance.
+    - **Public accessible**: set it based on your network configuration.
+
+    ![Connectivity and security](/media/tidb-cloud/integration-dws-dms-2.png)
+
+7. Configure the **Advanced settings**, **Maintenance**, and **Tags** if needed. Click **Create replication instance** to finish the instance creation.
+
+> **Note:**
+>
+> AWS DMS also supports Serverless. You can refer to [Creating a serverless replication](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Serverless.Components.html#CHAP_Serverless.create) for steps. Unlike replication instances, AWS DMS Serverless replications do not have **Public accessible** property.
+
+## Create TiDB Cloud DMS endpoints
+
+For connectivity, there is not much difference between using TiDB Cloud clusters as source or target. But DMS does have some different database setting requirements for source and target. Refer to [Using MySQL as a source](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.MySQL.html) or [Using MySQL as a target](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.MySQL.html). When using TiDB Cloud clusters as source, you can only **Migrate existing data** since TiDB doesn't support MySQL binlog.
+
+<SimpleTab>
+<div label="TiDB Serverless">
+
+1. Go to the [Endpoints](https://console.aws.amazon.com/dms/v2/home#endpointList) page in the AWS DMS console, and switch to the corresponding region.
+
+    ![Create endpoint](/media/tidb-cloud/integration-dws-dms-3.png)
+
+2. Click **Create endpoint** to create the target database endpoint.
+
+3. Select **Source endpoint** or **Target endpoint**.
+
+4. Fill in the **Endpoint identifier** and ARN. Select **Source engine** or **Target engine** as **MySQL**.
+
+5. Choose **Provide access information manually** and fill in TiDB Serverless cluster information:
+   - **Server name**: `HOST` of TiDB Serverless cluster.
+   - **Port**: `PORT` of TiDB Serverless cluster.
+   - **User name**: User of TiDB Serverless cluster for migration. Make sure it meets DMS requirements.
+   - **Password**: Password of TiDB Serverless cluster user.
+   - **Secure Socket Layer (SSL) mode**: If you are connecting via public endpoint, we highly recommend setting it to **verify-full** to ensure transport security. If you are connecting via private endpoint, you can set it to **none**.
+   - **CA certificate**: [ISRG Root X1 certificate](https://letsencrypt.org/certs/isrgrootx1.pem). You can learn more in [TLS Connections to TiDB Serverless](/tidb-cloud/secure-connections-to-serverless-clusters.md).
+
+    ![Provide access information manually](/media/tidb-cloud/integration-dws-dms-4.png)
+
+6. If it's **Target endpoint**, set **Extra connection attributes** to `Initstmt=SET FOREIGN_KEY_CHECKS=0;`.
+
+7. Configure the **KMS Key** and **Tags** if needed. Click **Create endpoint** to finish the instance creation.
+</div>
+
+<div label="TiDB Dedicated">
+
+1. Go to the [Endpoints](https://console.aws.amazon.com/dms/v2/home#endpointList) page in the AWS DMS console, and switch to the corresponding region.
+
+    ![Create endpoint](/media/tidb-cloud/integration-dws-dms-3.png)
+
+2. Click **Create endpoint** to create the target database endpoint.
+
+3. Select **Source endpoint** or **Target endpoint**.
+
+4. Fill in the **Endpoint identifier** and ARN. Select **Source engine** or **Target engine** as **MySQL**.
+
+5. Choose **Provide access information manually** and fill in TiDB Dedicated cluster information:
+   - **Server name**: `HOST` of TiDB Dedicated cluster.
+   - **Port**: `PORT` of TiDB Dedicated cluster.
+   - **User name**: User of TiDB Dedicated cluster for migration. Make sure it meets DMS requirements.
+   - **Password**: Password of TiDB Dedicated cluster user.
+   - **Secure Socket Layer (SSL) mode**: If you are connecting via public endpoint, we highly recommend setting it to **verify-full** to ensure transport security. If you are connecting via private endpoint, you can set it to **none**.
+   - **CA certificate**: Get the CA certificate according to [TLS Connections to TiDB Dedicated](/tidb-cloud/tidb-cloud-tls-connect-to-dedicated.md).
+
+    ![Provide access information manually](/media/tidb-cloud/integration-dws-dms-4.png)
+
+6. If it's **Target endpoint**, set **Extra connection attributes** to `Initstmt=SET FOREIGN_KEY_CHECKS=0;`.
+
+7. Configure the **KMS Key** and **Tags** if needed. Click **Create endpoint** to finish the instance creation.
+</div>
+</SimpleTab>

tidb-cloud/migrate-from-mysql-using-aws-dms.md

@@ -181,6 +181,8 @@ If you encounter any issues or failures during the migration, you can check the
 
 ## See also
 
+- If you want a more general reference on how to connect AWS DMS to TiDB Serverless or TiDB Dedicated, see [Integrate TiDB Cloud with AWS DMS](/tidb-cloud/integrate-tidbcloud-with-aws-dms.md).
+
 - If you want to migrate from MySQL-compatible databases, such as Aurora MySQL and Amazon Relational Database Service (RDS), to TiDB Cloud, it is recommended to use [Data Migration on TiDB Cloud](/tidb-cloud/migrate-from-mysql-using-data-migration.md).
 
 - If you want to migrate from Amazon RDS for Oracle to TiDB Serverless Using AWS DMS, see [Migrate from Amazon RDS for Oracle to TiDB Serverless Using AWS DMS](/tidb-cloud/migrate-from-oracle-using-aws-dms.md).

tidb-cloud/migrate-from-oracle-using-aws-dms.md

@@ -81,8 +81,6 @@ After you finish executing the SQL script, check the data in Oracle. The followi
 
 5. Click **Generate Password** to generate a password and copy the generated password.
 
-6. Select your preferred connection method and operating system, and then connect to your cluster using the displayed connection string.
-
 ## Step 5. Create an AWS DMS replication instance
 
 1. Go to the [Replication instances](https://console.aws.amazon.com/dms/v2/home#replicationInstances) page in the AWS DMS console, and switch to the corresponding region.
@@ -91,6 +89,10 @@ After you finish executing the SQL script, check the data in Oracle. The followi
 
     ![Create AWS DMS Instance](/media/tidb-cloud/aws-dms-from-oracle-to-tidb-8.png)
 
+> **Note:**
+>
+> If you want a more thorough reference on creating AWS DMS replication instance to work with TiDB Serverless, refer to [Integrate TiDB Cloud with AWS DMS](/tidb-cloud/integrate-tidbcloud-with-aws-dms.md).
+
 ## Step 6. Create DMS endpoints
 
 1. In the [AWS DMS console](https://console.aws.amazon.com/dms/v2/home), click the `Endpoints` menu item on the left pane.
@@ -105,6 +107,10 @@ After you finish executing the SQL script, check the data in Oracle. The followi
 
     ![Create AWS DMS Target endpoint](/media/tidb-cloud/aws-dms-from-oracle-to-tidb-10.png)
 
+> **Note:**
+>
+> If you want a more thorough reference on creating TiDB Serverelss DMS endpoint, refer to [Integrate TiDB Cloud with AWS DMS](/tidb-cloud/integrate-tidbcloud-with-aws-dms.md).
+
 ## Step 7. Migrate the schema
 
 In this example, AWS DMS automatically handles the schema, since the schema definition is simple.
@@ -148,3 +154,4 @@ If you encounter any issues or failures during the migration, you can check the
 ## See also
 
 - [Migrate from MySQL-Compatible Databases Using AWS DMS](/tidb-cloud/migrate-from-mysql-using-aws-dms.md)
+- [Integrate TiDB Cloud with AWS DMS](/tidb-cloud/integrate-tidbcloud-with-aws-dms.md)

tidb-cloud/secure-connections-to-serverless-clusters.md

@@ -45,7 +45,7 @@ TiDB Serverless uses certificates from [Let's Encrypt](https://letsencrypt.org/)
 
 If the client uses the system's root CA stores by default, such as Java and Go, you can easily connect securely to TiDB Serverless clusters without specifying the path of CA roots. However, some drivers and ORMs do not use the system root CA stores. In those cases, you need to configure the CA root path of the drivers or ORMs to your system root CA stores. For example, when you use [mysqlclient](https://github.com/PyMySQL/mysqlclient) to connect a TiDB Serverless cluster in Python on macOS, you need to set `ca: /etc/ssl/cert.pem` in the `ssl` argument.
 
-If you are using a GUI client, such as DBeaver, which does not accept a certificate file with multiple certificates inside, you must download the [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem.txt) certificate.
+If you are using a GUI client, such as DBeaver, which does not accept a certificate file with multiple certificates inside, you must download the [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem) certificate.
 
 ### Root certificate default path
 
@@ -85,7 +85,7 @@ In different operating systems, the default storage paths of the root certificat
 
 Windows does not offer a specific path to the CA root. Instead, it uses the [registry](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores) to store certificates. For this reason, to specify the CA root path on Windows, take the following steps:
 
-1. Download the [ISRG Root X1 certificate](https://letsencrypt.org/certs/isrgrootx1.pem.txt) and then save it in a path you prefer, such as `<path_to_ca>`.
+1. Download the [ISRG Root X1 certificate](https://letsencrypt.org/certs/isrgrootx1.pem) and then save it in a path you prefer, such as `<path_to_ca>`.
 2. Use the path (`<path_to_ca>`) as your CA root path when you connect to a TiDB Serverless cluster.
 
 ## FAQs