AWS Migration Hub: Lift-and-Shift Migration Strategy and Tools (2026)

Migrating on-premises workloads to AWS is one of the highest-impact engineering decisions a company can make. Done right, it reduces capital expenditure, improves resilience, and unlocks cloud-native capabilities. Done poorly, it creates downtime, spiralling costs, and technical debt. AWS Migration Hub provides a single pane of glass to plan, track, and execute migrations at scale — integrating with Application Migration Service (MGN), Database Migration Service (DMS), and the broader AWS discovery toolchain. This guide covers every layer of a production migration in 2026: strategy selection, tooling, agent installation, cutover, database migration, schema conversion, and post-migration validation.

The 7 Rs Migration Strategy
AWS Migration Hub: Centralized Tracking
Discovery: AWS Application Discovery Service
Application Migration Service (MGN): How Replication Works
MGN Agent Installation and Replication Configuration
Cutover Workflow: Test, Validate, Cut
Database Migration Service (DMS)
DMS Task Creation: Full-Load, CDC, and Hybrid
Schema Conversion Tool (SCT)
Migration Evaluator: TCO and Rightsizing
Post-Migration Validation
Common Pitfalls

1. The 7 Rs Migration Strategy

AWS defines seven migration patterns — commonly called the "7 Rs" — that map source workloads to appropriate migration approaches. Choosing the right R for each application is the most consequential decision in your migration plan.

Strategy Definitions

Retire — Decommission applications that are no longer needed. Typically 10–20% of a legacy portfolio. Reduces migration scope immediately.
Retain — Leave workloads on-premises for now. Used for apps with regulatory constraints, recent hardware investment, or planned rewrites. Revisit in 12–24 months.
Rehost (Lift and Shift) — Move VMs or physical servers to EC2 with no code changes. Fastest path to AWS. Use AWS MGN. Best for large legacy estates where speed matters more than optimisation.
Replatform (Lift, Tinker, and Shift) — Minimal changes to leverage cloud features. Examples: move to RDS instead of self-managed MySQL, switch to Elastic Beanstalk instead of raw EC2. No core architecture changes.
Repurchase — Replace on-premises software with a SaaS equivalent. E.g., migrate from on-prem CRM to Salesforce, or from self-hosted email to Microsoft 365.
Refactor / Re-architect — Redesign the application to be cloud-native. Decompose monoliths into microservices, adopt Lambda, ECS, or EKS. Highest cost and effort; highest long-term ROI.
Relocate — Move VMware workloads to VMware Cloud on AWS without converting VMs to EC2. Preserves VMware tooling and operational processes.

Decision Matrix

Signal	Recommended R	Primary Tool
App is unused / redundant	Retire	—
Compliance lock-in / recent capex	Retain	—
Standard OS workload, no code changes needed	Rehost	AWS MGN
Self-managed DB, switch to managed	Replatform	AWS DMS
Vendor software with SaaS equivalent	Repurchase	Marketplace / SaaS
Monolith → microservices roadmap	Refactor	ECS / EKS / Lambda
VMware vSphere on-premises	Relocate	VMware Cloud on AWS

Tip: Run Migration Evaluator before assigning Rs. Its rightsizing data often reveals that 15–25% of servers are candidates for Retire or Retain, meaningfully shrinking the active migration scope.

2. AWS Migration Hub: Centralized Tracking Dashboard

AWS Migration Hub aggregates migration status from MGN, DMS, and third-party tools (CloudEndure, ATADATA) into a single console. It does not perform migrations itself — it tracks them. Before using any migration tool, you must set a home region for Migration Hub. All migration data is stored in that region and cannot be changed later.

Setting the Home Region (AWS CLI)

# List available home regions
aws migrationhub-config describe-home-region-controls \
  --region us-east-1

# Set home region (one-time, irreversible per account)
aws migrationhub-config create-home-region-control \
  --home-region us-east-1 \
  --target '{"Type": "ACCOUNT"}' \
  --region us-east-1

# Confirm home region is set
aws migrationhub-config get-home-region \
  --region us-east-1

Note: The home region must be set before you install the Application Discovery Service agent or create any MGN source servers. Once set, all progress tracking data flows to this region automatically.

Key Migration Hub Concepts

Applications — Logical groupings of servers that migrate together (e.g., a 3-tier web app: web tier, app tier, DB tier).
Servers — Individual discovered or manually added source machines.
Migration Tasks — Linked MGN or DMS tasks associated with each server.
Progress States — Not Started → In Progress → Completed. Drill down per server for detailed status.

3. Discovery: AWS Application Discovery Service

Before migrating, you need an inventory of what you have: servers, software, network dependencies, and resource utilisation. AWS Application Discovery Service (ADS) provides two collection modes.

Agentless Discovery (via Discovery Connector)

The Discovery Connector is a VMware virtual appliance deployed in your vCenter. It collects VM metadata (CPU, memory, disk, OS) and network connections without touching individual VMs. Best for VMware environments where installing agents is impractical.

Deploy OVA to vCenter (download from Migration Hub console)
Configure vCenter credentials in the connector UI
Data appears in Migration Hub within 15 minutes
No agent installation required on guest VMs
Does not collect running processes or installed software

Agent-Based Discovery

The Discovery Agent runs on each Linux or Windows server and collects detailed telemetry: running processes, installed software, inbound/outbound network connections, and performance metrics over time. Required for physical servers or non-VMware hypervisors.

# Install Discovery Agent on Linux (Amazon Linux / RHEL / CentOS)
curl -o aws-discovery-agent.tar.gz \
  https://s3.us-west-2.amazonaws.com/aws-discovery-agent.us-west-2/linux/latest/aws-discovery-agent.tar.gz

tar -xzf aws-discovery-agent.tar.gz

sudo bash install -r us-east-1 \
  -k <AWS_ACCESS_KEY_ID> \
  -s <AWS_SECRET_ACCESS_KEY>

# Verify agent is running
sudo systemctl status aws-discovery-daemon

Best Practice: Run discovery for a minimum of 2 weeks before planning migrations. This captures weekly batch job patterns, end-of-month processing spikes, and true peak resource utilisation — preventing undersized EC2 selections.

Exporting Discovery Data

# Start an export of discovered data
aws discovery start-export-task \
  --region us-east-1

# Check export status
aws discovery describe-export-tasks \
  --region us-east-1

# The export generates CSV files in an S3 bucket:
# - servers.csv, processes.csv, connections.csv, performance-data.csv

4. Application Migration Service (MGN): How Replication Works

AWS Application Migration Service (MGN) — formerly CloudEndure Migration — is the primary AWS tool for rehosting (lift-and-shift). It performs continuous block-level replication from source servers to AWS, enabling near-zero downtime cutover.

Replication Architecture

MGN Agent installed on source server. Reads block-level disk data.
Encrypted data streams to a Replication Server (a temporary EC2 instance in your account) over TCP port 1500.
Replication Server writes data to EBS staging volumes — exact block-level copies of source disks.
During cutover, MGN converts staging volumes into a Launch Template and boots the target EC2 instance.
The replication server and staging volumes are automatically terminated after cutover.

Initial Setup via AWS CLI

# Initialize MGN in your account (one-time)
aws mgn initialize-service \
  --region us-east-1

# Create a replication configuration template
aws mgn create-replication-configuration-template \
  --replication-server-instance-type t3.small \
  --replication-servers-security-groups-ids sg-0abc123def456789 \
  --staging-area-subnet-id subnet-0123456789abcdef0 \
  --staging-area-tags Key=Purpose,Value=MGN-Staging \
  --use-dedicated-replication-server false \
  --bandwidth-throttling 0 \
  --region us-east-1

Network Requirement: Source servers must reach the replication endpoint on TCP 443 (for MGN API) and TCP 1500 (for data replication). If using AWS Direct Connect or VPN, ensure these ports are permitted in your on-premises firewall. See our AWS VPC Networking guide and Direct Connect guide for connectivity setup.

5. MGN Agent Installation and Replication Configuration

Linux Agent Installation

# Download and install MGN agent on Linux
wget -O ./aws-replication-installer-init.py \
  https://aws-application-migration-service-us-east-1.s3.amazonaws.com/latest/linux/aws-replication-installer-init.py

sudo python3 aws-replication-installer-init.py \
  --region us-east-1 \
  --aws-access-key-id AKIAIOSFODNN7EXAMPLE \
  --aws-secret-access-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
  --no-prompt

# Verify replication agent is running
sudo systemctl status aws-replication-agent

Windows Agent Installation (PowerShell)

# Download MGN agent installer for Windows
Invoke-WebRequest `
  -Uri "https://aws-application-migration-service-us-east-1.s3.amazonaws.com/latest/windows/AwsReplicationWindowsInstaller.exe" `
  -OutFile "C:\Temp\AwsReplicationWindowsInstaller.exe"

# Install silently
Start-Process -FilePath "C:\Temp\AwsReplicationWindowsInstaller.exe" -ArgumentList @(
  "--region", "us-east-1",
  "--aws-access-key-id", "AKIAIOSFODNN7EXAMPLE",
  "--aws-secret-access-key", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "--no-prompt"
) -Wait -NoNewWindow

Configuring Launch Template After Initial Sync

Once the agent is installed and initial replication reaches "Healthy" state (typically 1–4 hours depending on disk size), configure the Launch Template that MGN uses when it boots the target EC2 instance.

# List source servers
aws mgn describe-source-servers \
  --filters IsArchived=false \
  --region us-east-1

# Update launch template for a specific source server
aws mgn update-launch-configuration \
  --source-server-id s-1234567890abcdef0 \
  --target-instance-type-right-sizing-method BASIC \
  --launch-disposition STOPPED \
  --licensing '{"osByol": false}' \
  --region us-east-1

IAM Permissions: The IAM user or role used during agent installation needs AWSApplicationMigrationAgentPolicy attached. For least-privilege, create a dedicated IAM user per migration wave. See our AWS IAM Roles and Policies guide for details.

6. Cutover Workflow: Test Instance → Validate → Cutover

MGN separates the cutover process into two phases: a test launch (no impact to source server) followed by the actual cutover launch. This is the safest migration pattern available.

Cutover Timeline

Phase	Action	Typical Duration	Impact to Source
Initial Sync	Full disk replication to EBS staging	1–8 hours	None (agent reads blocks)
Continuous Replication	Delta changes synced in near-real-time	Ongoing	~2% CPU on source
Test Launch	Boot isolated test EC2 from staging volumes	5–15 min	None
Test Validation	Verify app functionality, connectivity, data	1–4 hours	None
Mark as Ready	Signal readiness in MGN console	Instant	None
Cutover Launch	Final sync + boot production EC2	5–20 min	Source can be shut down
DNS Cutover	Update Route 53 / load balancer targets	0–5 min (TTL-dependent)	Brief traffic switchover
Finalize	Archive source server in MGN, decommission	Whenever ready	Source decommissioned

Triggering Test and Cutover via CLI

# Launch test instance
aws mgn start-test \
  --source-server-ids s-1234567890abcdef0 \
  --region us-east-1

# Check job status
aws mgn describe-jobs \
  --filters SourceServerIDs=s-1234567890abcdef0 \
  --region us-east-1

# After validation, launch cutover
aws mgn start-cutover \
  --source-server-ids s-1234567890abcdef0 \
  --region us-east-1

# Finalize (archives source server, terminates replication resources)
aws mgn finalize-cutover \
  --source-server-id s-1234567890abcdef0 \
  --region us-east-1

Rollback Strategy

If the cutover launch fails or validation reveals issues, MGN supports rollback:

During test phase: terminate the test instance — source server is untouched and replication continues.
During cutover: if source server is still running, revert DNS, scale up source, and let replication re-sync the delta. MGN keeps replication active until you call finalize-cutover.
After finalize: restore from the EBS snapshot that MGN creates automatically at cutover time (retained for 30 days by default).

Critical: Do not call finalize-cutover until you have validated the migrated instance is fully functional in production. Finalize is irreversible — it terminates the replication server and staging volumes.

7. Database Migration Service (DMS): Supported Sources and Targets

AWS Database Migration Service migrates relational databases, data warehouses, NoSQL stores, and other data sources to AWS with minimal downtime. It supports both homogeneous migrations (e.g., MySQL → RDS MySQL) and heterogeneous migrations (e.g., Oracle → Aurora PostgreSQL).

Supported Sources and Targets (2026)

Source	Common AWS Target	Notes
Oracle	Aurora PostgreSQL, RDS Oracle	SCT required for hetero migrations
SQL Server	Aurora MySQL, RDS SQL Server	SCT for schema conversion
MySQL / MariaDB	RDS MySQL, Aurora MySQL	Homogeneous — no SCT needed
PostgreSQL	RDS PostgreSQL, Aurora PostgreSQL	Homogeneous — no SCT needed
MongoDB	Amazon DocumentDB	Supports full-load only for large datasets
SAP ASE (Sybase)	Aurora MySQL, RDS PostgreSQL	SCT required
IBM Db2	RDS PostgreSQL, Aurora PostgreSQL	SCT required
Amazon S3	Redshift, Aurora	Useful for bulk historical data loads

Creating a Replication Instance

# Create DMS replication instance
aws dms create-replication-instance \
  --replication-instance-identifier prod-migration-repl \
  --replication-instance-class dms.r6i.xlarge \
  --allocated-storage 100 \
  --vpc-security-group-ids sg-0abc123def456789 \
  --replication-subnet-group-identifier my-dms-subnet-group \
  --multi-az false \
  --engine-version 3.5.3 \
  --publicly-accessible false \
  --region us-east-1

Sizing the Replication Instance: Use dms.r6i.xlarge (4 vCPU, 32 GB RAM) for most production migrations under 1 TB. For large tables or high-throughput CDC, consider dms.r6i.2xlarge. See our AWS RDS guide for target database sizing.

8. DMS Task Creation: Full-Load, CDC, and Hybrid

Migration Modes

Full Load — Copies all existing data from source to target. Source database continues running. After load completes, a final delta sync is needed. Use for short maintenance windows.
CDC Only (Change Data Capture) — Replicates ongoing changes only. Used when you have already bulk-loaded the target by other means (e.g., native database export/import).
Full Load + CDC — Copies all data, then automatically transitions to CDC once the initial load completes. The recommended approach for most migrations — minimal downtime, no manual handoff.

Table Mapping Rules (JSON)

Table mapping rules define which schemas and tables to include or exclude, and allow column transformations.

{
  "rules": [
    {
      "rule-type": "selection",
      "rule-id": "1",
      "rule-name": "include-all-tables",
      "object-locator": {
        "schema-name": "PROD_SCHEMA",
        "table-name": "%"
      },
      "rule-action": "include"
    },
    {
      "rule-type": "selection",
      "rule-id": "2",
      "rule-name": "exclude-audit-logs",
      "object-locator": {
        "schema-name": "PROD_SCHEMA",
        "table-name": "AUDIT_%"
      },
      "rule-action": "exclude"
    },
    {
      "rule-type": "transformation",
      "rule-id": "3",
      "rule-name": "lowercase-schema",
      "rule-action": "convert-lowercase",
      "rule-target": "schema",
      "object-locator": {
        "schema-name": "%"
      }
    }
  ]
}

Creating a Replication Task via CLI

aws dms create-replication-task \
  --replication-task-identifier prod-full-load-cdc \
  --source-endpoint-arn arn:aws:dms:us-east-1:123456789012:endpoint:source-endpoint-id \
  --target-endpoint-arn arn:aws:dms:us-east-1:123456789012:endpoint:target-endpoint-id \
  --replication-instance-arn arn:aws:dms:us-east-1:123456789012:rep:prod-migration-repl \
  --migration-type full-load-and-cdc \
  --table-mappings file://table-mapping.json \
  --replication-task-settings '{"TargetMetadata":{"TargetSchema":"","SupportLobs":true,"FullLobMode":false,"LobChunkSize":64},"FullLoadSettings":{"TargetTablePrepMode":"DROP_AND_CREATE","CreatePkAfterFullLoad":false},"Logging":{"EnableLogging":true}}' \
  --region us-east-1

Monitoring DMS Task Progress (Python boto3)

import boto3
import time

dms = boto3.client('dms', region_name='us-east-1')

TASK_ARN = 'arn:aws:dms:us-east-1:123456789012:task:prod-full-load-cdc'

def poll_task_status(task_arn, interval=30):
    while True:
        response = dms.describe_replication_tasks(
            Filters=[{'Name': 'replication-task-arn', 'Values': [task_arn]}]
        )
        task = response['ReplicationTasks'][0]
        status = task['Status']
        stats = task.get('ReplicationTaskStats', {})

        print(f"Status: {status} | "
              f"Tables loaded: {stats.get('TablesLoaded', 0)} | "
              f"Tables loading: {stats.get('TablesLoading', 0)} | "
              f"Tables errored: {stats.get('TablesErrored', 0)} | "
              f"Elapsed: {stats.get('ElapsedTimeMillis', 0) / 1000:.0f}s")

        if status in ('stopped', 'failed', 'load-complete-replication-ongoing'):
            print(f"Task reached terminal/CDC state: {status}")
            break

        time.sleep(interval)

poll_task_status(TASK_ARN)

9. Schema Conversion Tool (SCT): Oracle to PostgreSQL and SQL Server to Aurora

AWS Schema Conversion Tool (SCT) automates the conversion of database schemas from one engine to another. It handles DDL statements (tables, views, indexes, sequences) and attempts to convert stored procedures, functions, and triggers — flagging anything that requires manual rewriting.

Typical SCT Workflow

Install SCT on a laptop or EC2 instance with connectivity to both source and target databases.
Create a new project, specify source engine (Oracle 19c) and target engine (Aurora PostgreSQL 15).
Connect to source database — SCT loads the schema tree.
Run the Assessment Report. SCT categorises objects as: automatically converted, converted with minor issues, or requires manual intervention.
Review the action items. Oracle-specific syntax like CONNECT BY, DBMS_* packages, and ROWNUM require manual PostgreSQL equivalents.
Apply converted schema to target Aurora PostgreSQL instance.
Fix flagged objects manually — these are typically 5–20% of procedures in complex Oracle schemas.

Common Oracle → PostgreSQL Conversion Patterns

Oracle	PostgreSQL Equivalent
`ROWNUM <= 10`	`LIMIT 10`
`SYSDATE`	`CURRENT_TIMESTAMP`
`NVL(col, val)`	`COALESCE(col, val)`
`SEQUENCE.NEXTVAL`	`nextval('sequence_name')`
`CONNECT BY PRIOR`	`WITH RECURSIVE` CTE
`DBMS_OUTPUT.PUT_LINE`	`RAISE NOTICE`
`VARCHAR2(n)`	`VARCHAR(n)`
`NUMBER(p,s)`	`NUMERIC(p,s)`

SQL Server → Aurora MySQL: SCT handles most T-SQL stored procedures, but MERGE statements, TRY/CATCH blocks, and CROSS APPLY require manual rewrites in MySQL syntax. Plan for a 2–4 week schema remediation sprint for complex SQL Server applications.

10. Migration Evaluator: TCO Analysis and Rightsizing

AWS Migration Evaluator (formerly TSO Logic) analyses your on-premises infrastructure and produces a Total Cost of Ownership (TCO) comparison against AWS. It ingests data from discovery agents, VMware vCenter exports, or manual inventory files.

Data Collection Options

Agentless Collector — VMware vCenter integration, collects for 2–4 weeks.
Import template — Upload a spreadsheet of server specs, utilisation, and costs.
ADS integration — Pulls directly from Application Discovery Service if already deployed.

What the Evaluator Report Contains

On-premises total cost: hardware refresh, software licences, power, cooling, facilities, operations.
AWS right-sized cost: EC2, EBS, data transfer — using Reserved Instance and Savings Plan pricing.
Licence optimisation: identifies SQL Server and Windows licences that can be brought to AWS (BYOL) or replaced with Linux + Aurora to eliminate licence cost entirely.
Savings summary: typical outcome is 30–60% cost reduction over 3 years.

Cost Tip: Migration Evaluator frequently surfaces SQL Server Standard or Enterprise licence costs as the single largest on-premises expense. Migrating to Aurora PostgreSQL eliminates these costs entirely. Combine with AWS cost optimization strategies post-migration for maximum savings.

11. Post-Migration Validation: CloudWatch Metrics and Performance Baselines

Migration is not complete when the instance boots. You must verify that the migrated workload performs equivalently to on-premises and that all integrations are functional.

Validation Checklist

Application starts cleanly — no missing libraries, environment variables, or config files.
All inbound ports are reachable from expected clients (verify Security Group rules).
Outbound connectivity to dependent services (databases, APIs, LDAP, NTP) works.
Scheduled tasks and cron jobs are running.
Log files are writing to expected paths — or redirected to CloudWatch Logs.
Licence servers are reachable (for licensed software).
Backup agent is configured for EBS snapshots.

Establishing a CloudWatch Performance Baseline (Python boto3)

import boto3
from datetime import datetime, timedelta

cloudwatch = boto3.client('cloudwatch', region_name='us-east-1')

INSTANCE_ID = 'i-0abc1234def56789'

def get_metric_stats(metric_name, period_hours=24):
    end_time = datetime.utcnow()
    start_time = end_time - timedelta(hours=period_hours)

    response = cloudwatch.get_metric_statistics(
        Namespace='AWS/EC2',
        MetricName=metric_name,
        Dimensions=[{'Name': 'InstanceId', 'Value': INSTANCE_ID}],
        StartTime=start_time,
        EndTime=end_time,
        Period=3600,  # 1-hour granularity
        Statistics=['Average', 'Maximum']
    )
    return response['Datapoints']

# Collect baseline metrics
for metric in ['CPUUtilization', 'NetworkIn', 'NetworkOut', 'DiskReadOps', 'DiskWriteOps']:
    datapoints = get_metric_stats(metric)
    if datapoints:
        avg = sum(d['Average'] for d in datapoints) / len(datapoints)
        maximum = max(d['Maximum'] for d in datapoints)
        print(f"{metric}: avg={avg:.2f}, max={maximum:.2f}")

Setting CloudWatch Alarms Post-Migration

# CPU alarm — alert if CPU stays above 80% for 15 minutes
aws cloudwatch put-metric-alarm \
  --alarm-name "MigratedServer-HighCPU" \
  --metric-name CPUUtilization \
  --namespace AWS/EC2 \
  --dimensions Name=InstanceId,Value=i-0abc1234def56789 \
  --statistic Average \
  --period 300 \
  --evaluation-periods 3 \
  --threshold 80 \
  --comparison-operator GreaterThanThreshold \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:migration-alerts \
  --region us-east-1

For comprehensive observability setup, refer to our AWS CloudWatch Monitoring guide.

12. Common Pitfalls in AWS Migrations

1. Windows Licensing Assumptions

MGN replicates the OS, but Windows licences are not automatically transferred. By default, AWS provides a new Windows licence included in the EC2 price. If you bring your own licence (BYOL) via Dedicated Hosts, you must configure this in the MGN Launch Template before cutover. Mixing up licensing post-cutover results in compliance violations or unexpected charges.

2. Underestimating Network Latency Impact

Applications that ran on a LAN with sub-1ms latency between application server and database server often break when database calls now cross a VPC subnet boundary or a VPN. Common symptoms: connection pool exhaustion, timeout errors, N+1 query performance collapse. Mitigate by placing application and database tiers in the same Availability Zone during initial migration, then optimise for multi-AZ resilience after stabilisation.

3. Skipping the Test Launch

Teams under schedule pressure often skip the test launch and cut over directly. This is the leading cause of migration-related outages. The test launch is free, non-disruptive, and takes 15 minutes. Always run it.

4. Insufficient IAM Permissions

MGN and DMS require specific IAM roles (AWSApplicationMigrationAgentPolicy, AmazonDMSVPCManagementRole, AmazonDMSCloudWatchLogsRole). Missing permissions cause silent failures — the agent appears healthy but replication stalls. Validate IAM with IAM Policy Simulator before starting agents.

5. Ignoring DNS TTL Before Cutover

If your application's DNS TTL is 3600 seconds (1 hour), clients will continue hitting the old IP for up to an hour after you update the record. Lower TTL to 60 seconds at least 24 hours before planned cutover, then restore it post-migration.

6. Not Planning for Multi-Account Migrations

Enterprise migrations frequently involve moving workloads from one AWS account to another, not just from on-premises. MGN supports cross-account migrations via IAM role delegation. If your target is a Landing Zone account, set up AWS Organizations and Control Tower first to ensure correct account structure, SCPs, and network connectivity (Transit Gateway, Direct Connect) are in place.

7. DMS CDC Gaps for Unsupported Data Types

DMS CDC relies on source database transaction logs. Some data types — Oracle XMLTYPE, SQL Server FILESTREAM, large BLOBs over 32 MB — are not supported in CDC mode. Identify these columns during the SCT assessment phase and migrate them via a separate bulk export/import process, not through DMS CDC.

8. Forgetting Security Group Egress Rules

New EC2 instances created by MGN inherit the security group specified in the Launch Template, but default egress rules may block outbound traffic your application needs. Common omissions: NTP (UDP 123), LDAP (TCP 389/636), SMTP (TCP 587). Audit required outbound connections during the test launch phase. See our AWS Security Best Practices for egress hardening patterns.