Use this guide when the server running your self-managed SQL Server database cannot reach the Internet directly but does reach the Internet through a bastion host. The solution installs a proxy gateway on the bastion host and a backup gateway on the database server, then uses Data Transmission Service (DTS) to run the migration.
If the server can reach the Internet directly, use the physical protocol gateway method instead. See Migrate data from a self-managed SQL Server database to an ApsaraDB RDS for SQL Server instance by using a physical protocol gateway.
How it works
The proxy gateway on the bastion host acts as an intermediary between the database server and DBS cloud storage over the Internet.
During backup: The backup gateway on the database server sends data to the proxy gateway on the bastion host, which forwards it to Database Backup (DBS) cloud storage over the Internet.
During restoration: The proxy gateway retrieves data from DBS cloud storage and delivers it to the backup gateway on the database server.
Prerequisites
Before you begin, ensure that you have:
Self-managed SQL Server database
A database running one of these versions: SQL Server 2019, 2017, 2016, 2014, 2012, 2008 R2, or 2005
A database hosted on an ECS instance, in a data center, or on a third-party cloud server (cannot be an RDS instance)
No HTTP_PROXY or HTTPS_PROXY environment variables configured on the database server.
Important: If these environment variables are set, the system uses the proxy specified by them instead of the proxy gateway on the bastion host, causing network connection failures.
ApsaraDB RDS for SQL Server instance
An RDS instance running one of these versions: SQL Server 2019, 2017, 2016, 2012, or 2008 R2
An RDS instance running the same major engine version as the self-managed database, or a later one
Access and permissions
An AccessKey pair (AccessKey ID and AccessKey secret). DBS uses this pair to authenticate, register, and publish the backup gateway. For more information, see Create an AccessKey pair.
If a RAM user adds the backup gateway, the AliyunDBSFullAccess policy attached to that RAM user. For more information, see Grant permissions to RAM users.
By default, these permissions are granted to your Alibaba Cloud account when you activate Data Disaster Recovery. After you add a backup gateway, all RAM users under your account can use it in the Data Disaster Recovery console.
The Sysadmin role assigned to the NT AUTHORITY\SYSTEM account. AliyunDBSAgent uses this account by default. Run the following SQL statement to grant the role:
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [NT AUTHORITY\SYSTEM]
    GO
(Linux bastion host only) Java Runtime Environment (JRE) 1.8 installed on the database server. Download JRE 1.8 from the official Oracle website.
Step 1: Install a proxy gateway on the bastion host
Install the proxy gateway on the bastion host — either Windows or Linux.
Windows
Go to the Data Migration page from either the DTS console or the DMS console. To use the DMS console:
Log on to the DMS console.
In the top navigation bar, go to Data + AI > DTS (DTS) > Data Migration.
From the drop-down list next to Data Migration Tasks, select the region where the instance resides.
The steps may vary depending on the mode and layout of the DMS console. For more information, see Simple mode and Customize the layout and style of the DMS console.
Click Create Task.
On the Configure Source and Destination Databases page, set Database Type to SQLServer and Access Method to Physical Protocol, then click Create Physical Protocol Gateway.
In the Deployment Command dialog box, configure Region of Backup Gateway and Network Type of Backup Gateway, then copy the download link and download the installation package.
- Internet: Data Disaster Recovery connects to the database using a public IP address.
- ECS Private Network/VPC: Data Disaster Recovery connects to the database using an Alibaba Cloud Express Connect circuit.
Install the proxy gateway on the Windows bastion host.
Double-click setup.exe in the downloaded package.
Select an installation language and click OK.
Click Next.
Accept the license agreement and click Next.
Select Proxy Gateway and click Next.
Select an installation directory, click Next, then click Yes.
Note: The default installation path is C:\Program Files (x86)\aliyun\dbs_agent.
Click Next to install the proxy gateway base files.
Click Next > Done.
Open Task Manager to verify that the proxy gateway is running.
Linux
Log on to the Data Disaster Recovery console.
In the left-side navigation pane, click Backup Gateways. In the top navigation bar, select a region.
Select the region closest to your database. For example, if the database is in the China (Hangzhou) region, select China (Hangzhou).

In the upper-right corner, click Install Backup Gateway.
Configure Backup Gateway Network Type, copy the installation command, and run it on the bastion host.
- Public Network: Connects to DBS using a public IP address.
- ECS Private Network/VPC: Connects to DBS using an Express Connect circuit.
Run the installation command in the Linux terminal. The system downloads and runs the installation package. Example:
    [root@iZbp****** ~]# wget -O aliyunDBSAgentInstaller.jar https://aliyun-dbs.oss-cn-hangzhou-internal.aliyuncs.com/installer/0.0.141/aliyunDBSAgentInstaller-0.0.141.jar && sudo java -Dregion=cn-hangzhou -jar aliyunDBSAgentInstaller.jar
Follow the interactive prompts:
Select an installation language. Enter 0 for Chinese or 1 for English.
    Select your language
    0 [x] chn
    1 [ ] eng
    Input selection:
    0
Enter 1 to read the gateway license.
    Press 1 to continue, 2 to quit, 3 to redisplay
    1
Enter 1 to accept the license.
    Press 1 to accept, 2 to reject, 3 to redisplay
    1
Select the component to install. Enter N to install a proxy gateway (enter Y for a backup gateway), then enter Y to confirm.
    Enter Y for Yes, N for No:
    N
    -- DG --
    Enter Y for Yes, N for No:
    Y
    Done!
Enter 1 to continue.
    Press 1 to continue, 2 to quit, 3 to redisplay
    1
Select an installation path. Press Enter to use the default path /usr/local/aliyun/dbs_agent, or enter a custom path and then enter 1 to confirm.
    Select an installation path: [/usr/local/aliyun/dbs_agent]
    /usr/local/aliyun/daili_dbs_agent
    Press 1 to continue, 2 to quit, 3 to redisplay
    1
Confirm the component and enter 1 to start the installation. Installation takes one to five minutes.
    Select the package that you want to install:
    [x] Pack 'Proxy gateway base file' required
    Done!
    Press 1 to continue, 2 to quit, 3 to redisplay
    1
Run the following command to verify the proxy gateway is running:
    ps aux | grep app_aliyun_proxy
Output similar to the following indicates a successful installation:
    root 1**** 0.0 0.5 7***** 9*** ? Ssl 16:06 0:00 /usr/local/aliyun/daili_dbs_agent/dist/app_aliyun_proxy/app_aliyun_proxy -addr :9797 -logdir /usr/local/aliyun/daili_dbs_agent/logs
    root 2**** 0.0 0.0 1***** 9** pts/1 S+ 16:08 0:00 grep --color=auto app_aliyun_proxy
If you need help, contact technical support via DingTalk group ID 35585947.
Step 2: Install a backup gateway on the database server
Use the same download link from step 4 of Step 1. Using a different link causes the database server to fail to reach the Internet.
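Before running the installer on the database server, the two conditions this guide depends on can be checked from PowerShell: no HTTP_PROXY or HTTPS_PROXY variable at any scope, and TCP reachability of the proxy gateway on port 9797. This is an added example, not Alibaba Cloud code; the address 192.0.2.10 is a placeholder for the bastion host's private IP, and the parameter names are hypothetical.

```powershell
# Pre-flight check for the database server (added example, not vendor code).
param(
    [string]$BastionHost = '192.0.2.10',  # placeholder: private IP of the bastion host
    [int]$ProxyPort = 9797,               # proxy gateway port used in this guide
    [int]$TimeoutMs = 3000
)

$problems = @()

# Proxy variables can exist at three scopes. A Windows service such as
# AliyunDBSAgent inherits Machine scope; the installer also sees User and Process.
foreach ($scope in 'Process', 'User', 'Machine') {
    foreach ($name in 'HTTP_PROXY', 'HTTPS_PROXY') {
        $value = [Environment]::GetEnvironmentVariable($name, $scope)
        if (-not [string]::IsNullOrEmpty($value)) {
            # Report the name only: proxy URLs can embed credentials.
            $problems += "$name is set at $scope scope"
        }
    }
}

# Plain TCP connect to the proxy gateway, with a timeout so a filtered
# port does not hang the check.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $pending = $client.BeginConnect($BastionHost, $ProxyPort, $null, $null)
    $done = $pending.AsyncWaitHandle.WaitOne($TimeoutMs)
    if (-not ($done -and $client.Connected)) {
        $problems += "cannot reach proxy gateway at ${BastionHost}:$ProxyPort"
    }
} finally {
    $client.Close()
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Pre-flight passed: no proxy variables, ${BastionHost}:$ProxyPort reachable"
```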
Download the installation package using the download link from step 4 of Step 1.
Install AliyunDBSAgent. To monitor installation progress, check the log at C:\Program Files\aliyun\dbs_agent\logs\agent.log. The following output indicates a successful installation:
Double-click setup.exe in the downloaded package.
Select an installation language, click OK, then click Next.
Accept the license agreement and click Next.
Select Physical Protocol Gateway (DBS Backup Gateway) and click Next.
Select an installation directory, click Next, then click Yes.
Configure the following parameters and click Next.
| Parameter | Value |
| --- | --- |
| Agent Region | Must match the region of the RDS instance |
| AccessKey ID | Your AccessKey ID |
| Access Key Secret | Your AccessKey secret |
| Proxy Gateway Host | Private IP address of the bastion host (where the proxy gateway installed in Step 1 is running) |
| Proxy Gateway Port | 9797 |

Important: The AccessKey pair is stored in plaintext in .\config\dbs-agent.conf in the installation directory.
After you click Next, the system attempts to connect to the proxy gateway. If the connection fails, verify that the proxy gateway installed in Step 1 is running.
Confirm the component package and click Next. Installation takes approximately one to five minutes.
Click Done.

In the Installation Command dialog box, click Installed.
Verify that the AliyunDBSAgent service is running.
Open the Windows Run dialog box, enter services.msc, and press Enter.
In the Services window, locate AliyunDBSAgent and check its status. If it is not running, right-click AliyunDBSAgent and select Start.
The system starts the backup gateway automatically. You can also start and stop AliyunDBSAgent from the Services window.
On the Backup Gateways page of the Data Disaster Recovery console, click Refresh to confirm the new backup gateway appears. The gateway name starts with DTS_.
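Because the installer leaves the AccessKey pair in plaintext in .\config\dbs-agent.conf, it is worth checking who can read that file once the gateway is registered. The following PowerShell audit is an added example, not Alibaba Cloud code; the default install directory is an assumption taken from the agent.log path in this guide, and the -Fix switch is a hypothetical name.

```powershell
# Audit read access to the agent's plaintext AccessKey file (added example).
param(
    # Assumption: install directory, taken from the agent.log path in this guide.
    [string]$InstallDir = 'C:\Program Files\aliyun\dbs_agent',
    [switch]$Fix   # tighten the ACL instead of only reporting
)

$conf = Join-Path $InstallDir 'config\dbs-agent.conf'
if (-not (Test-Path -LiteralPath $conf)) { throw "Not found: $conf" }

# Well-known SIDs, so the check also works on non-English Windows:
# S-1-5-18 = NT AUTHORITY\SYSTEM (the account AliyunDBSAgent runs as),
# S-1-5-32-544 = BUILTIN\Administrators.
$allowedSids = 'S-1-5-18', 'S-1-5-32-544'
$sidType  = [System.Security.Principal.SecurityIdentifier]
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

$acl   = Get-Acl -LiteralPath $conf
$rules = $acl.GetAccessRules($true, $true, $sidType)   # explicit + inherited ACEs
$extra = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $readData) -and
    $allowedSids -notcontains $_.IdentityReference.Value
})

foreach ($rule in $extra) {
    $sid = $rule.IdentityReference
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }   # orphaned SID with no account name
    Write-Warning "$name can read $conf ($($rule.FileSystemRights))"
}

if ($extra.Count -gt 0 -and $Fix) {
    # Drop inherited ACEs and grant full control to SYSTEM and Administrators.
    # Explicit ACEs for other principals are not removed by this command.
    icacls $conf /inheritance:r /grant:r '*S-1-5-18:(F)' '*S-1-5-32-544:(F)'
}
```

Files under Program Files normally inherit read access for BUILTIN\Users, so a warning for that group on a default installation is expected rather than a sign of tampering.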
Step 3: Migrate data to the RDS instance
Configure and run the migration task in DTS. For the full procedure, see Procedure.
When configuring the source database, set Physical Protocol Gateway (DBS Backup Gateway) to the backup gateway created in Step 2.
For information about usage notes, migration scope, and supported migration relationships, see Migrate data from a self-managed SQL Server database to an ApsaraDB RDS for SQL Server instance by using a physical gateway.