Use SSL/TLS certificates to encrypt network connections

Every connection Database Migration Service makes to your source database can be configured to use Secure Socket Layer/Transport Security Layer (SSL/TLS) encryption. This page provides an overview of available SSL/TLS encryption variants and the steps required to use them for your migration job.

SSL/TLS is mainly recommended for connections created over public networks where you need to expose a public IP address and port for your database. Regardless of which network connectivity method you use, your scenario might require that you use additional encryption.

Destination database connections are always encrypted by Database Migration Service. You don't need to configure additional certificates for those connections.

To understand how Database Migration Service uses SSL/TLS encryption, it's important to remember that with regards to network connectivity, Database Migration Service is considered the client and your database (either source or destination database) is the server. Database Migration Service supports the following encryption variants:

None
When Database Migration Service establishes a connection with your database, it doesn't send any SSL configuration string. It doesn't present any client certificates to the server, and it also doesn't verify any server certificates.
TLS

When Database Migration Service connects to your database, it declares that the connection is established over a secured channel. Database Migration Service doesn't present a client certificate to the server, but it does validate the server certificate authority (CA) to make sure that it's connecting to the right host. This prevents person-in-the-middle attacks.

To use TLS authentication, you must provide the x509 PEM-encoded certificate of the certificate authority (CA) that signed your database server certificate.

What's next