improve serverless dms doc

tidb-cloud/integrate-tidbcloud-with-aws-dms.md

@@ -0,0 +1,149 @@
+---
+title: Integrate TiDB Cloud with AWS DMS
+summary: Learn how to migrate data from or into TiDB Cloud.
+---
+
+# Integrate TiDB Cloud with AWS DMS
+
+[AWS Database Migration Service (AWS DMS)](https://aws.amazon.com/dms/) is a cloud service that makes it possible to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. You can use AWS DMS to migrate your data from or into TiDB Cloud clusters. This document describes how to connect AWS DMS to TiDB Cloud clusters.
+
+## Prerequisites
+
+### An AWS account with enough access
+
+You are expected to have an AWS account with enough access to manage DMS-related resources. If not, refer to the following AWS documents:
+
+- [Sign up for an AWS account](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_GettingStarted.SettingUp.html#sign-up-for-aws)
+- [Identity and access management for AWS Database Migration Service](https://docs.aws.amazon.com/dms/latest/userguide/security-iam.html)
+
+### A TiDB Cloud account and a TiDB cluster
+
+You are expected to have a TiDB Cloud account and a TiDB Serverless or TiDB Dedicated cluster. If not, refer to the following documents to create one:
+
+- [Create a TiDB Serverless cluster](/tidb-cloud/create-tidb-cluster-serverless.md)
+- [Create a TiDB Dedicated cluster](/tidb-cloud/create-tidb-cluster.md)
+
+## Network configuration
+
+Before creating DMS resources, you need to configure network properly to ensure DMS can communicate with TiDB Cloud clusters. If you are unfamiliar with AWS, contact AWS Support. We give several possible configurations here.
+
+<SimpleTab>
+<div label="TiDB Serverless">
+
+For TiDB Serverless, your clients can connect to clusters via public endpoint or private endpoint. 
+
+To [connect via public endpoint](/tidb-cloud/connect-via-standard-connection-serverless.md), the DMS replication instance need to access the Internet.
+
+- Deploy the replication instance in public subnets and enable **Public accessible**. For more information, see [Configuration for internet access](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#vpc-igw-internet-access).
+
+- Deploy the replication instance in private subnets and route traffic in the private subnets to public subnets. In this case, you need at least three subnets, two private subnets, and one public subnet. The two private subnets form a subnet group where the replication instance lives. Then you need to create a NAT gateway in the public subnet and route traffic of the two private subnets to the NAT gateway. For more information, see [Access the internet from a private subnet](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html#public-nat-internet-access).
+
+To connect via private endpoint, [set up a private endpoint](/tidb-cloud/set-up-private-endpoint-connections-serverless.md) first and deploy the replication instance to private subnets.
+</div>
+
+<div label="TiDB Dedicated">
+
+For TiDB Dedicated, your clients can connect to clusters via public endpoint, private endpoint, or VPC peering. 
+
+To [connect via public endpoint](/tidb-cloud/connect-via-standard-connection.md), the DMS replication instance need to access the Internet. You need to also add the public IP of the replication instance or NAT gateway to the cluster's [IP access list](/tidb-cloud/configure-ip-access-list.md).
+
+- Deploy the replication instance in public subnets and enable **Public accessible**. For more information, see [Configuration for internet access](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#vpc-igw-internet-access).
+
+2. Deploy the replication instance in private subnets and route traffic in the private subnets to public subnets. In this case, you need at least three subnets, two private subnets, and one public subnet. The two private subnets form a subnet group where the replication instance lives. Then you need to create a NAT gateway in the public subnet and route traffic of the two private subnets to the NAT gateway. For more information, see [Access the internet from a private subnet](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html#public-nat-internet-access).
+
+To connect to a TiDB Dedicated cluster via private endpoint, [set up a private endpoint](/tidb-cloud/set-up-private-endpoint-connections.md) first and deploy the replication instance to private subnets.
+
+To connect to a TiDB Dedicated cluster via VPC peering, [set up a VPC peering connection](/tidb-cloud/set-up-vpc-peering-connections.md) first and deploy the replication instance to private subnets.
+</div>
+</SimpleTab>
+
+## Create an AWS DMS replication instance
+
+1. Go to the [Replication instances](https://console.aws.amazon.com/dms/v2/home#replicationInstances) page in the AWS DMS console, and switch to the corresponding region. It is recommended to use the same region for AWS DMS as TiDB Cloud.
+
+   ![Create replication instance](/media/tidb-cloud/integration-aws-dms-1.png)
+
+2. Click **Create replication instance**.
+
+3. Fill in an instance name, ARN, and description.
+
+4. Configure the instance:
+    - **Instance class**: select an appropriate instance class. For more information, see [Choosing replication instance types](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.Types.html).
+    - **Engine version**: use the default configuration.
+    - **High Availability**: select **Single-AZ** or **Multi-AZ** based on your business needs.
+
+5. Configure the storage in the **Allocated storage (GiB)** field.
+
+6. Configure connectivity and security. Check previous section for network configuration.
+    - **Network type - new**: select **IPv4**.
+    - **Virtual private cloud (VPC) for IPv4**: select the VPC that you need.
+    - **Replication subnet group**: choose a subnet group for your replication instance.
+    - **Public accessible**: set it based on your network configuration.
+
+    ![Connectivity and security](/media/tidb-cloud/integration-aws-dms-2.png)
+
+7. Configure the **Advanced settings**, **Maintenance**, and **Tags** if needed, and then click **Create replication instance** to finish the instance creation.
+
+> **Note:**
+>
+> AWS DMS also supports serverless replications. For detailed steps, see [Creating a serverless replication](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Serverless.Components.html#CHAP_Serverless.create). Unlike replication instances, AWS DMS serverless replications do not provide the **Public accessible** option.
+
+## Create TiDB Cloud DMS endpoints
+
+For connectivity, the steps for using TiDB Cloud clusters as a source or as a target are similar, but DMS does have some different database setting requirements for source and target. For more information, see [Using MySQL as a source](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.MySQL.html) or [Using MySQL as a target](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.MySQL.html). When using a TiDB Cloud cluster as a source, you can only **Migrate existing data** because TiDB does not support MySQL binlog.
+
+<SimpleTab>
+<div label="TiDB Serverless">
+
+1. Go to the [Endpoints](https://console.aws.amazon.com/dms/v2/home#endpointList) page in the AWS DMS console, and switch to the corresponding region.
+
+    ![Create endpoint](/media/tidb-cloud/integration-aws-dms-3.png)
+
+2. Click **Create endpoint** to create the target database endpoint.
+
+3. Select **Source endpoint** or **Target endpoint**.
+
+4. Fill in the **Endpoint identifier** and ARN, and then select **Source engine** or **Target engine** as **MySQL**.
+
+5. Choose **Provide access information manually** and fill in TiDB Serverless cluster information:
+   - **Server name**: `HOST` of TiDB Serverless cluster.
+   - **Port**: `PORT` of TiDB Serverless cluster.
+   - **User name**: User of TiDB Serverless cluster for migration. Make sure it meets DMS requirements.
+   - **Password**: Password of the TiDB Serverless cluster user.
+   - **Secure Socket Layer (SSL) mode**: If you are connecting via public endpoint, it is highly recommended to set the mode to **verify-full** to ensure transport security. If you are connecting via private endpoint, you can set the mode to **none**.
+   - **CA certificate**: [ISRG Root X1 certificate](https://letsencrypt.org/certs/isrgrootx1.pem). For more information, see [TLS Connections to TiDB Serverless](/tidb-cloud/secure-connections-to-serverless-clusters.md).
+
+    ![Provide access information manually](/media/tidb-cloud/integration-aws-dms-4.png)
+
+6. If the endpoint to be created is a **Target endpoint**, set **Extra connection attributes** to `Initstmt=SET FOREIGN_KEY_CHECKS=0;`.
+
+7. Configure the **KMS Key** and **Tags** if needed. Click **Create endpoint** to finish the instance creation.
+</div>
+
+<div label="TiDB Dedicated">
+
+1. Go to the [Endpoints](https://console.aws.amazon.com/dms/v2/home#endpointList) page in the AWS DMS console, and switch to the corresponding region.
+
+    ![Create endpoint](/media/tidb-cloud/integration-aws-dms-3.png)
+
+2. Click **Create endpoint** to create the target database endpoint.
+
+3. Select **Source endpoint** or **Target endpoint**.
+
+4. Fill in the **Endpoint identifier** and ARN, and then select **Source engine** or **Target engine** as **MySQL**.
+
+5. Choose **Provide access information manually** and fill in TiDB Dedicated cluster information:
+   - **Server name**: `HOST` of TiDB Dedicated cluster.
+   - **Port**: `PORT` of TiDB Dedicated cluster.
+   - **User name**: User of TiDB Dedicated cluster for migration. Make sure it meets DMS requirements.
+   - **Password**: Password of TiDB Dedicated cluster user.
+   - **Secure Socket Layer (SSL) mode**: If you are connecting via public endpoint, we highly recommend setting it to **verify-full** to ensure transport security. If you are connecting via private endpoint, you can set it to **none**.
+   - **CA certificate**: Get the CA certificate according to [TLS Connections to TiDB Dedicated](/tidb-cloud/tidb-cloud-tls-connect-to-dedicated.md).
+
+    ![Provide access information manually](/media/tidb-cloud/integration-aws-dms-4.png)
+
+6. If it's **Target endpoint**, set **Extra connection attributes** to `Initstmt=SET FOREIGN_KEY_CHECKS=0;`.
+
+7. Configure the **KMS Key** and **Tags** if needed. Click **Create endpoint** to finish the instance creation.
+</div>
+</SimpleTab>

tidb-cloud/migrate-from-mysql-using-aws-dms.md

@@ -181,6 +181,8 @@ If you encounter any issues or failures during the migration, you can check the
 
 ## See also
 
+- If you want a more general reference on how to connect AWS DMS to TiDB Serverless or TiDB Dedicated, see [Integrate TiDB Cloud with AWS DMS](/tidb-cloud/integrate-tidbcloud-with-aws-dms.md).
+
 - If you want to migrate from MySQL-compatible databases, such as Aurora MySQL and Amazon Relational Database Service (RDS), to TiDB Cloud, it is recommended to use [Data Migration on TiDB Cloud](/tidb-cloud/migrate-from-mysql-using-data-migration.md).
 
 - If you want to migrate from Amazon RDS for Oracle to TiDB Serverless Using AWS DMS, see [Migrate from Amazon RDS for Oracle to TiDB Serverless Using AWS DMS](/tidb-cloud/migrate-from-oracle-using-aws-dms.md).

tidb-cloud/migrate-from-oracle-using-aws-dms.md

@@ -81,8 +81,6 @@ After you finish executing the SQL script, check the data in Oracle. The followi
 
 5. Click **Generate Password** to generate a password and copy the generated password.
 
-6. Select your preferred connection method and operating system, and then connect to your cluster using the displayed connection string.
-
 ## Step 5. Create an AWS DMS replication instance
 
 1. Go to the [Replication instances](https://console.aws.amazon.com/dms/v2/home#replicationInstances) page in the AWS DMS console, and switch to the corresponding region.
@@ -91,6 +89,10 @@ After you finish executing the SQL script, check the data in Oracle. The followi
 
     ![Create AWS DMS Instance](/media/tidb-cloud/aws-dms-from-oracle-to-tidb-8.png)
 
+> **Note:**
+>
+> For detailed steps on creating an AWS DMS replication instance to work with TiDB Serverless, see [Integrate TiDB Cloud with AWS DMS](/tidb-cloud/integrate-tidbcloud-with-aws-dms.md).
+
 ## Step 6. Create DMS endpoints
 
 1. In the [AWS DMS console](https://console.aws.amazon.com/dms/v2/home), click the `Endpoints` menu item on the left pane.
@@ -105,6 +107,10 @@ After you finish executing the SQL script, check the data in Oracle. The followi
 
     ![Create AWS DMS Target endpoint](/media/tidb-cloud/aws-dms-from-oracle-to-tidb-10.png)
 
+> **Note:**
+>
+> For detailed steps on creating a TiDB Serverless DMS endpoint, see [Integrate TiDB Cloud with AWS DMS](/tidb-cloud/integrate-tidbcloud-with-aws-dms.md).
+
 ## Step 7. Migrate the schema
 
 In this example, AWS DMS automatically handles the schema, since the schema definition is simple.
@@ -148,3 +154,4 @@ If you encounter any issues or failures during the migration, you can check the
 ## See also
 
 - [Migrate from MySQL-Compatible Databases Using AWS DMS](/tidb-cloud/migrate-from-mysql-using-aws-dms.md)
+- [Integrate TiDB Cloud with AWS DMS](/tidb-cloud/integrate-tidbcloud-with-aws-dms.md)

tidb-cloud/secure-connections-to-serverless-clusters.md

@@ -45,7 +45,7 @@ TiDB Serverless uses certificates from [Let's Encrypt](https://letsencrypt.org/)
 
 If the client uses the system's root CA stores by default, such as Java and Go, you can easily connect securely to TiDB Serverless clusters without specifying the path of CA roots. However, some drivers and ORMs do not use the system root CA stores. In those cases, you need to configure the CA root path of the drivers or ORMs to your system root CA stores. For example, when you use [mysqlclient](https://github.com/PyMySQL/mysqlclient) to connect a TiDB Serverless cluster in Python on macOS, you need to set `ca: /etc/ssl/cert.pem` in the `ssl` argument.
 
-If you are using a GUI client, such as DBeaver, which does not accept a certificate file with multiple certificates inside, you must download the [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem.txt) certificate.
+If you are using a GUI client, such as DBeaver, which does not accept a certificate file with multiple certificates inside, you must download the [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem) certificate.
 
 ### Root certificate default path
 
@@ -85,7 +85,7 @@ In different operating systems, the default storage paths of the root certificat
 
 Windows does not offer a specific path to the CA root. Instead, it uses the [registry](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores) to store certificates. For this reason, to specify the CA root path on Windows, take the following steps:
 
-1. Download the [ISRG Root X1 certificate](https://letsencrypt.org/certs/isrgrootx1.pem.txt) and then save it in a path you prefer, such as `<path_to_ca>`.
+1. Download the [ISRG Root X1 certificate](https://letsencrypt.org/certs/isrgrootx1.pem) and then save it in a path you prefer, such as `<path_to_ca>`.
 2. Use the path (`<path_to_ca>`) as your CA root path when you connect to a TiDB Serverless cluster.
 
 ## FAQs