Migrate self-managed SQL Server to RDS for SQL Server using a physical gateway - ApsaraDB RDS

Use the physical gateway-based migration feature of Data Transmission Service (DTS) to migrate a self-managed SQL Server database to ApsaraDB RDS for SQL Server. Physical gateway migration uses the native physical backup protocol to transfer data as blocks, making it faster than logical migration and suitable for large databases.

This topic covers two network scenarios — direct Internet access and bastion host — so you can follow the path that matches your environment.

Choose a migration scenario

Scenario	When to use	Steps
Scenario 1: Direct Internet access	The server where the self-managed database runs has direct access to the Internet	1. Install the Database Backup Service (DBS) backup gateway on the database server. 2. Create a DTS migration task using Physical Protocol.
Scenario 2: Bastion host	The database server has no Internet access but connects through a bastion host	1. Install a proxy gateway on the bastion host. 2. Install the DBS backup gateway on the database server, pointing to the proxy gateway. 3. Create a DTS migration task using Physical Protocol.

For a comparison between physical gateway migration and logical migration, see Appendix: Physical gateway migration vs. logical migration.

Prerequisites

Scenario 1: Direct Internet access

Before you begin, ensure that you have:

A self-managed SQL Server database running SQL Server 2005, 2008 R2, 2012, 2014, 2016, 2017, or 2019. The database can reside on an ECS instance, in a data center, or on a third-party cloud server. Cloud databases are not supported.
An ApsaraDB RDS for SQL Server instance running SQL Server 2008 R2, 2012, 2016, 2017, or 2019, with the same or a later engine version than the source database.
An AccessKey ID and AccessKey Secret for backup gateway identification and registration. See Create an AccessKey pair.
(If using a RAM user) The AliyunDBSFullAccess permission granted to the RAM user. See Grant permissions to a RAM user.

Scenario 2: Bastion host

Before you begin, ensure that you have:

A self-managed SQL Server database running SQL Server 2005, 2008 R2, 2012, 2014, 2016, 2017, or 2019. The database can reside on an ECS instance, in a data center, or on a third-party cloud server. Cloud databases are not supported.
An ApsaraDB RDS for SQL Server instance running SQL Server 2008 R2, 2012, 2016, 2017, or 2019, with the same or a later engine version than the source database.
An AccessKey ID and AccessKey Secret for backup gateway identification and registration. See Create an AccessKey pair.
(If using a RAM user) The AliyunDBSFullAccess permission granted to the RAM user. See Grant permissions to a RAM user.
(If the bastion host runs Linux) Java Runtime Environment (JRE) 1.8 installed on the database server. Download from the Oracle official website.
The HTTP_PROXY and HTTPS_PROXY environment variables not set on the database server. If these variables are set, the system uses the specified proxy instead of the installed gateway, causing connection failures.

Limitations

Review these limitations before you start. Violations cause migration failures.

Source database limitations

Only SQL Server on Windows is supported. The desktop OS must be Windows XP or later; the server OS must be Windows Server 2003 or later.
The source database size cannot exceed the remaining storage of the destination RDS instance.
The source database name cannot match the destination database name on the RDS instance.
The following database names are reserved and cannot be used as the source database name:
```
master, tempdb, msdb, model, distribution, rdscore, sys_info
```
Network requirements for the source database:
- If the firewall is disabled and the database runs on an ECS instance, connect over a virtual private cloud (VPC) or the Internet.
- If the firewall is disabled and the database does not run on an ECS instance, connect over the Internet.
- If the firewall is enabled, allow requests from *.aliyuncs.com.

Version compatibility

The destination RDS instance must run the same or a later engine version than the source:

Version order: 2019 > 2017 > 2016 > 2012 > 2008 R2 > 2005
Edition order: Enterprise Edition (Developer) > Standard Edition > Web > Express

The following table shows which source editions can migrate to which destination editions:

Source edition	Supported destination edition
Developer, Standard, Web, Express	Enterprise Edition
Standard, Web, Express	Standard Edition
Web, Express	Web

Different RDS instance types also support different numbers of databases. Make sure the number of databases you migrate does not exceed the limit.

Other limitations

During migration, data can be written incrementally to the source database. Stop writing data before the workload switchover to prevent inconsistency.
The RDS instance is temporarily unavailable during incremental migration. Switch over workloads only after incremental migration completes.
Database backups are not available while a physical migration task is in progress. To back up databases during migration, enable COPY_ONLY.
You can migrate a single database, multiple databases, or the entire instance.
FILESTREAM and FileTables columns cannot be migrated.
Memory-optimized tables cannot be migrated.
In-memory online transaction processing (OLTP) and database mirroring are incompatible. If in-memory databases are enabled on the source, the destination cannot be an instance running RDS High Availability Edition.

Scenario 1: Self-managed database with Internet access

Step 1: Install the backup gateway on the database server

The DBS backup gateway (AliyunDBSAgent) connects the source database to DTS. Install it on the server where the source database runs.

Preparations

Before you install:

Grant the sysadmin role to the NT AUTHORITY\SYSTEM account, which is the default startup account for AliyunDBSAgent:

ALTER SERVER ROLE [sysadmin] ADD MEMBER [NT AUTHORITY\SYSTEM]
GO

Usage notes

Usage notes:

Install the backup gateway in the same region as the destination RDS instance.
AliyunDBSAgent sets the recovery model of the migrated database to Full. If data is continuously written to the database, this may exhaust disk space. After migration completes, run the following command to reset the recovery model:
```
ALTER DATABASE <database_name> SET RECOVERY Simple;
```

Install the backup gateway:

Go to the DTS console.
In the left-side navigation pane, click Data Migration and select a region.
Click Create Task. On the Configure Source And Destination Databases page, select SQL Server > Physical Protocol, then click Create Physical Protocol Gateway.
In the Installation Command dialog box, configure Region Of Backup Gateway and Network Type Of Backup Gateway, then copy the installation command and download the installation package.
Select Public Network to access the gateway over the Internet. Select ECS Private Network/VPC to access the gateway over an Alibaba Cloud Express Connect circuit.
Install the DBS backup gateway (AliyunDBSAgent) on the Windows database server: To verify the installation, check the log file at C:\Program Files\aliyun\dbs_agent\logs\agent.log. A heartbeat message similar to the following confirms success:
1. Double-click setup.exe in the downloaded package.
2. Select an installation language, click OK
3. Accept the terms of the agreement and click Next.
4. Select DBS Backup Gateway and click Next.
5. Select an installation directory, click Next, then click OK.
6. Select Backup Gateway Region, enter the AccessKey ID and AccessKey Secret, then click Next. > Important: > - The gateway region must match the region of the destination RDS instance. > - The AccessKey pair is stored in plaintext in .\config\dbs-agent.conf in the installation directory.
7. Confirm the component package and click Next. Installation takes 1–5 minutes.
8. Click Done.
In the Installation Command dialog box of the DTS console, click Installed.
Verify that the backup gateway service is running:
1. Open the Windows Run dialog box, enter services.msc, and click OK.
2. In the service manager, check whether AliyunDBSAgent is running. If not, right-click AliyunDBSAgent and select Start
The system starts the backup gateway by default. You can also start and stop AliyunDBSAgent in the service manager.
View the new backup gateway in the Data Disaster Recovery (DBS) console:
To go to the Backup Gateways page of the Data Disaster Recovery console, perform the following steps:
1. Log on to Data Management (DMS) 5.0Data Management (DMS) 5.0Data Management (DMS) 5.0.
2. Click the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Data Disaster Recovery (DBS) > Backup Gateway. > Note: In DMS normal mode, choose Security and disaster recovery (DBS) > Data Disaster Recovery (DBS) > Backup Gateway in the top navigation bar.
3. Click Refresh in the upper-right corner. The new gateway appears with a name that starts with DTS_.

Step 2: Create a DTS migration task

Go to the DTS console.
In the left-side navigation pane, click Data Migration and select a region.

Click Create Task and configure the source and destination databases:

Section	Parameter	Description
(General)	Task Name	Enter a name that identifies the task. The name does not need to be unique.
Source Database	Select Existing Connection	If the source database is already saved in Database Connection Management, select it from the list to skip manual entry.
	Database Type	Select SQL Server.
	Access Method	Select Physical Protocol.
	Instance Region	The region where the source database resides.
	Physical Protocol Gateway (DBS Backup Gateway)	Select the backup gateway installed in Step 1.
	Domain Name Or IP	Default: `localhost`.
	Port	The SQL Server port. Default: 1433.
Destination Database	Select Existing Connection	If the destination instance is already saved in Database Connection Management, select it from the list.
	Database Type	Default: SQL Server.
	Access Method	Default: Alibaba Cloud Instance.
	Instance Region	The region where the RDS instance resides.
	Instance ID	The ID of the RDS for SQL Server instance.
	Database Account	An account with read and write permissions. See Create an account and modify permissions as needed.
	Database Password	The password for the database account.
	Connection Method	Select Non-encrypted if Secure Sockets Layer (SSL) encryption is disabled; select SSL-encrypted if SSL is enabled. DTS automatically trusts the server certificate.

Click Test Connectivity and Proceed.
Important
Add the CIDR blocks of DTS servers to the whitelist of the source database before proceeding. See Add the CIDR blocks of DTS servers. Adding external CIDR blocks carries security risks — enhance password strength and restrict port access accordingly.

Configure migration objects:

Parameter	Description
Task Stages	Select Full Data Migration for a one-time migration. To minimize downtime, also select Incremental Data Migration. If you skip incremental migration, stop writing data to the source database during migration to preserve consistency.
Source Objects	Select the databases or tables to migrate. Click to move them to Selected Objects. You can migrate a single database, multiple databases, or the entire instance.
Selected Objects	The objects selected for migration.

Click Next: Advanced Settings and configure:

Parameter	Description
Monitoring and Alerting	Select Yes to receive notifications when the task fails or migration latency exceeds the threshold. Configure the alert threshold and notification settings as described in Configure monitoring and alerting.
Retry Time For Failed Connections	How long DTS retries failed connections before the task fails. Valid values: 10–1,440 minutes. Default: 720 minutes. Set this to more than 30 minutes. If multiple tasks share the same source or destination, the most recently set value applies. DTS charges continue during retries. We recommend that you release the DTS instance at the earliest opportunity after the source database and destination instance are released.

Parameter

Description

Monitoring and Alerting

Select Yes to receive notifications when the task fails or migration latency exceeds the threshold. Configure the alert threshold and notification settings as described in Configure monitoring and alerting.

Retry Time For Failed Connections

How long DTS retries failed connections before the task fails. Valid values: 10–1,440 minutes. Default: 720 minutes. Set this to more than 30 minutes. If multiple tasks share the same source or destination, the most recently set value applies. DTS charges continue during retries. We recommend that you release the DTS instance at the earliest opportunity after the source database and destination instance are released.

Click Next: Save Task Settings and Precheck.
- DTS runs a precheck before starting. The migration task starts only after the precheck passes. - If the precheck fails, click View Details next to the failed item, fix the issue, and run the precheck again. - For alert items that can be safely ignored, click View Alert Details > Confirm And Ignore > OK > Run Precheck Again. Ignoring alerts may cause data inconsistency.
When Success Rate reaches 100%, click Next: Purchase Instance.
On the Purchase page, accept the Data Transmission Service (Pay-as-you-go) Terms Of Service and click Buy And Start. Confirm in the dialog box. To monitor progress, click the migration task on the Data Migration page and view the Task Management page.
You can also track full and incremental migration progress on the Backup And Restoration > Backup Data Upload History page of the destination instance in the RDS console.
When full migration reaches 100% and incremental migration is running, go to the Task Management > Incremental Migration page and click Migrate To Cloud.
In the Are You Sure You Want To Migrate To The Cloud dialog box, click Switch Now and wait for the task to complete.
Important
Stop writing data to the source database before triggering the switchover to prevent data inconsistency. The switchover takes several minutes.

Scenario 2: Self-managed database without Internet access (bastion host)

In this scenario, a proxy gateway on the bastion host forwards data between the database server and DTS cloud storage. The database server itself has no direct Internet access.

Step 1: Install the proxy gateway on the bastion host

Install the proxy gateway on the bastion host first. The backup gateway on the database server (Step 2) routes through this proxy.

Before you install:

Grant the sysadmin role to the NT AUTHORITY\SYSTEM account:

ALTER SERVER ROLE [sysadmin] ADD MEMBER [NT AUTHORITY\SYSTEM]
GO

Usage notes

Usage notes:

Install the proxy gateway and backup gateway in the same region as the destination RDS instance.
AliyunDBSAgent sets the recovery model of the migrated database to Full. After migration completes, reset it if needed:
```
ALTER DATABASE <database_name> SET RECOVERY Simple;
```

Windows bastion host

Go to the DTS console.
In the left-side navigation pane, click Data Migration and select a region.
Click Create Task. On the Configure Source And Destination Databases page, select SQL Server > Physical Protocol, then click Create Physical Protocol Gateway.
In the Installation Command dialog box, configure Region Of Backup Gateway and Network Type Of Backup Gateway, then copy the installation link and download the installation package.
Important
- Save this download link separately — you need it again in Step 2 to install the backup gateway on the database server. - Select Public Network for Internet access or ECS Private Network/VPC for Express Connect access.
Install the proxy gateway on the Windows bastion host:
1. Double-click setup.exe in the downloaded package.
2. Select an installation language and click OK.
3. Click Next.
4. Accept the terms of the agreement and click Next.
5. Select Proxy Gateway and click Next.
6. Select an installation path and click Next, then click Yes. > Note: The default installation path is C:\Program Files (x86)\aliyun\dbs_agent.
7. Click Next to install the proxy gateway base file.
8. After the base file installs, click Next > Done.
Open Task Manager in Windows to verify that the proxy gateway process is running.
Proceed to Step 2 to install the backup gateway on the database server.

Linux bastion host

Log on to Data Management (DMS) 5.0Data Management (DMS) 5.0Data Management (DMS) 5.0.
Click the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Data Disaster Recovery (DBS) > Backup Gateway.
In DMS normal mode, choose Security and disaster recovery (DBS) > Data Disaster Recovery (DBS) > Backup Gateway in the top navigation bar.
Click Install Backup Gateway in the upper-right corner.
Select Network Type Of Backup Gateway, copy the installation command, and save the download link separately — you need it in Step 2.
Important
Select Public Network for Internet access or ECS Private Network/VPC for Express Connect access.
Run the installation command on the Linux bastion host. The system downloads and runs the installation package:
1. Select an installation language (0 for Chinese, 1 for English).
2. Enter 1 to read the gateway protocol, then 1 to accept it.
3. Select the component to install. Enter N to install a proxy gateway (DG), then Y to confirm. `` Enter Y for Yes, N for No: N -- DG -- Enter Y for Yes, N for No: Y Done! ``
4. Enter 1 to continue.
5. Select an installation path. Press Enter to use the default /usr/local/aliyun/dbs_agent, or enter a custom path.
6. Enter 1 to start the installation. Installation takes 1–5 minutes.
```
[root@iZbp****** ~]# wget -O aliyunDBSAgentInstaller.jar https://aliyun-dbs.oss-cn-hangzhou-internal.aliyuncs.com/installer/0.0.141/aliyunDBSAgentInstaller-0.0.141.jar && sudo java -Dregion=cn-hangzhou -jar aliyunDBSAgentInstaller.jar
```
Follow the interactive prompts:
Verify that the proxy gateway is running:
```
ps aux | grep app_aliyun_proxy
```
The following output confirms the proxy gateway is installed and running:
```
root     1****  0.0  0.5 7*****  9*** ?        Ssl  16:06   0:00 /usr/local/aliyun/daili_dbs_agent/dist/app_aliyun_proxy/app_aliyun_proxy -addr :9797 -logdir /usr/local/aliyun/daili_dbs_agent/logs
```
If you encounter an error you cannot resolve, contact support via the Data Disaster Recovery DingTalk group (group ID: 35585947).
Proceed to Step 2 to install the backup gateway on the database server.

Step 2: Install the backup gateway on the database server

Install the DBS backup gateway on the server where the source database runs. During installation, point the gateway to the proxy gateway on the bastion host.

Important

Use the same download link you saved in Step 1. Using a different link causes the database server to fail to connect through the proxy.

Copy the gateway download link from Step 1 and download the package on the database server.
Install the DBS backup gateway (AliyunDBSAgent): To verify the installation, check C:\Program Files\aliyun\dbs_agent\logs\agent.log. A heartbeat message confirms success:
1. Double-click setup.exe in the downloaded package.
2. Select an installation language, click OK, then click Next.
3. Accept the terms of the agreement and click Next.
4. Select DBS Backup Gateway and click Next.
5. Select an installation directory, click Next, then click OK.
6. Select Agent Region, and enter the AccessKey ID, AccessKey Secret, Proxy Gateway Address, and Proxy Gateway Port (default: 9797). Click Next. > Important: > - The gateway region must match the region of the destination RDS instance. > - The AccessKey pair is stored in plaintext in .\config\dbs-agent.conf. > - For Proxy Gateway Address, enter the internal IP address of the bastion host. After you complete this step, the system connects to the proxy gateway. If the connection fails, check the proxy gateway installation.
7. Confirm the component package and click Next. Installation takes 1–5 minutes.
8. Click Done.
In the Installation Command dialog box of the DTS console, click Installed.
Verify that the backup gateway service is running:
1. Open the Windows Run dialog box, enter services.msc, and click OK.
2. In the service manager, check whether AliyunDBSAgent is running. If not, right-click AliyunDBSAgent and select Start.
View the new backup gateway in the DBS console:
To go to the Backup Gateways page of the Data Disaster Recovery console, perform the following steps:
1. Log on to Data Management (DMS) 5.0Data Management (DMS) 5.0Data Management (DMS) 5.0.
2. Click the icon and choose All Features > Security and disaster recovery (DBS) > Data Disaster Recovery (DBS) > Backup Gateway.
3. Click Refresh. The new gateway appears with a name starting with DTS_.

Step 3: Create a DTS migration task

Go to the DTS console.
In the left-side navigation pane, click Data Migration and select a region.

Click Create Task and configure the source and destination databases:

Section	Parameter	Description
(General)	Task Name	Enter a name that identifies the task.
Source Database	Select Existing Connection	If the source database is already saved in Database Connection Management, select it to skip manual entry.
	Database Type	Select SQL Server.
	Access Method	Select Physical Protocol.
	Instance Region	The region where the source database resides.
	Physical Protocol Gateway (DBS Backup Gateway)	Select the backup gateway installed in Step 2.
	Domain Name Or IP	Default: `localhost`.
	Port	The SQL Server port. Default: 1433.
Destination Database	Select Existing Connection	If the destination instance is already saved, select it to skip manual entry.
	Database Type	Default: SQL Server.
	Access Method	Default: Alibaba Cloud Instance.
	Instance Region	The region where the RDS instance resides.
	Instance ID	The ID of the RDS instance.
	Database Account	An account with read and write permissions. See Create an account and modify permissions as needed.
	Database Password	The password for the account.
	Connection Method	Select Non-encrypted if SSL is disabled; select SSL-encrypted if SSL is enabled. DTS trusts the server certificate by default.

Click Test Connectivity and Proceed.
Important
Add the IP addresses of DTS servers to the whitelist of the source database. See Add the CIDR blocks of DTS servers. Restrict port access and strengthen passwords to reduce security exposure.

Select migration objects:

Parameter	Description
Task Stages	Select Full Data Migration for a one-time migration. To minimize downtime, also select Incremental Data Migration. If you skip incremental migration, stop writing data to the source database during migration.
Source Objects	Select the databases or tables to migrate and click to add them to Selected Objects.
Selected Objects	The objects selected for migration.

Click Next: Advanced Settings:

Parameter	Description
Monitoring and Alerting	Select Yes to receive failure or latency alerts. Configure thresholds and notifications as described in Configure monitoring and alerting.
Retry Time For Failed Connections	How long DTS retries failed connections. Valid values: 10–1,440 minutes. Default: 720 minutes. Set this to more than 30 minutes. If multiple tasks share the same source or destination, the most recently set value applies. DTS charges continue during retries. We recommend that you release the DTS instance at the earliest opportunity after the source database and destination instance are released.

Parameter

Description

Monitoring and Alerting

Select Yes to receive failure or latency alerts. Configure thresholds and notifications as described in Configure monitoring and alerting.

Retry Time For Failed Connections

How long DTS retries failed connections. Valid values: 10–1,440 minutes. Default: 720 minutes. Set this to more than 30 minutes. If multiple tasks share the same source or destination, the most recently set value applies. DTS charges continue during retries. We recommend that you release the DTS instance at the earliest opportunity after the source database and destination instance are released.

Click Next: Save Task Settings and Precheck.
- The task starts only after the precheck passes. - If the precheck fails, click View Details, fix the issue, and rerun the precheck. - For alerts that can be safely ignored, click View Alert Details > Confirm Ignore > OK > Run Precheck Again.
When Success Rate reaches 100%, click Next: Purchase Instance.
Accept the Data Transmission Service (Pay-as-you-go) Terms Of Service and click Buy And Start. Confirm in the dialog box.
When full migration reaches 100% and incremental migration is running, go to the Task Management > Incremental Migration page and click Migrate To Cloud.
In the Do You Want To Migrate To Cloud dialog box, click Start Now and wait for the task to complete.
Important
Stop writing data to the source database before triggering the switchover. The switchover takes several minutes.

Appendix: Physical gateway migration vs. logical migration

Item	Physical gateway migration	Logical migration
Migration principle	Uses the native physical backup protocol to write data as blocks	Uses JDBC to capture SQL statements and write them to the destination
OS requirement	Windows only (desktop: Windows XP or later; server: Windows Server 2003 or later)	No limits
Gateway required	Yes — install on the database server	No
Network connectivity	Whether the server on which the self-managed database is deployed can connect to the network of Alibaba Cloud. Suitable solutions are provided based on the current network status: Scenario 1 (direct Internet access) or Scenario 2 (bastion host).	The port to connect to the database must be enabled, or leased line-based connections must be established.
Source database permissions	sysadmin role	SELECT for schema and full migration; sysadmin for incremental migration. See Required permissions
Version requirement	Destination must be the same or a later version than the source	Supports both upgrades and downgrades
Destination availability during migration	Destination is inaccessible	Read and write operations are available
Table type limits	Memory-optimized tables, FILESTREAM, and FileTables cannot be migrated	See Source database limits
Migration source	Self-managed databases (ECS, data center, or third-party cloud)	Self-managed and cloud-hosted databases
Migration efficiency	High	Medium
Extract, transform, load (ETL) support	Not supported	Supported
Table-level data filtering	Not supported	Supported
Database-level data filtering	Supported	Supported