Migrating an Amazon RDS DB Instance to Another VPC in a Different AWS Account
Migrating an Amazon RDS DB instance to a Virtual Private Cloud (VPC) in a different AWS account is a complex but achievable task, often required for organizational restructuring, account separation, or compliance needs. This blog post outlines a detailed, step-by-step process to migrate an RDS DB instance across AWS accounts while ensuring data integrity and minimizing downtime.
Published May 12, 2025
Before starting, ensure you have:
- Administrative access to both the source and target AWS accounts with IAM permissions for RDS, VPC, EC2, and S3 (for snapshot sharing).
- Source and target VPCs configured in the respective AWS accounts (they can be in the same or different regions).
- A running RDS DB instance in the source account’s VPC.
- Backup of the RDS instance (manual or automated snapshot).
- AWS CLI installed and configured for both accounts (optional, for CLI-based steps).
- Cross-account permissions set up for snapshot sharing.
- Knowledge of the application connecting to the RDS instance to update connection strings post-migration.
Since RDS instances cannot be directly moved across AWS accounts, the migration involves sharing a snapshot from the source account to the target account, restoring it to a new DB instance in the target VPC, and reconfiguring the application. The high-level steps are:
- Create and share a snapshot from the source account.
- Copy the snapshot to the target account (if in a different region).
- Restore the snapshot to a new RDS DB instance in the target account’s VPC.
- Configure the new DB instance.
- Update application connection strings.
- Verify the migration and clean up.
Step 1: Create and share a snapshot from the source account. In the console:
- Log in to the source AWS account and navigate to the RDS service in the AWS Management Console.
- Select the DB instance to migrate.
- Choose Actions > Take snapshot.
- Provide a name (e.g., source-db-snapshot-2025) and click Take Snapshot.
- Wait for the snapshot to become Available.
- Navigate to Snapshots, select the snapshot, and choose Actions > Share snapshot.
- In the Share Snapshot dialog:
  - Enter the AWS Account ID of the target account.
  - Click Add and then Save.
- If the DB instance is encrypted with a customer managed KMS key:
  - Share the KMS key with the target account using the KMS console or CLI.
  - Grant the target account permission to use the key.
Using the AWS CLI in the source account:

```bash
# Create the snapshot
aws rds create-db-snapshot \
  --db-instance-identifier source-db-instance \
  --db-snapshot-identifier source-db-snapshot-2025

# Wait until the snapshot is Available before sharing it.
# Share the snapshot with the target account (the "restore" attribute).
# A snapshot encrypted with the default AWS managed key (aws/rds) cannot be
# shared; sharing requires a customer managed key.
aws rds modify-db-snapshot-attribute \
  --db-snapshot-identifier source-db-snapshot-2025 \
  --attribute-name restore \
  --values-to-add target-account-id
```
For KMS key sharing (if encrypted):

```bash
# The key must be a customer managed key in the source account. A grant is one
# option; alternatively the key policy can list the target account's root
# principal with the same operations.
aws kms create-grant \
  --key-id arn:aws:kms:region:source-account-id:key/key-id \
  --grantee-principal arn:aws:iam::target-account-id:root \
  --operations "Decrypt" "Encrypt" "GenerateDataKey" "DescribeKey"
```
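A pre-flight check for the key-sharing step, added here as an example and not taken from the original post: it reads a KMS key policy document and reports which of the operations the target account needs are not granted to that account's root principal, treating an explicit Deny as overriding an Allow. The sample policy, the account IDs and the required-action list (the post's grant operations plus kms:CreateGrant, which RDS in the target account uses when restoring an encrypted snapshot) are constructed for the example; Condition blocks are deliberately ignored, which is a simplification.

```python
"""Pre-flight check of a KMS key policy before sharing an encrypted snapshot.

Added example; not code from the original post. Condition blocks are
ignored (assumption/simplification): a policy that passes here can still be
narrowed by conditions.
"""
import fnmatch
import json

# Operations the target account needs on the source key: those the post's
# create-grant command names, plus kms:CreateGrant, which RDS in the target
# account uses when it restores from the encrypted snapshot.
REQUIRED_ACTIONS = (
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
    "kms:CreateGrant",
)

SOURCE_ACCOUNT = "111111111111"   # placeholder account IDs
TARGET_ACCOUNT = "222222222222"

# Constructed sample: a customer managed key policy in the source account that
# shares the key with the target account, but with an incomplete action list.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key by the target account",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{TARGET_ACCOUNT}:root"]},
            "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"],
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    """True if the statement's Principal names this ARN or is the wildcard."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws


def _action_matches(statement, action):
    """True if any Action pattern (kms:*, kms:GenerateDataKey*, ...) covers action."""
    patterns = _as_list(statement.get("Action"))
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def missing_permissions(policy_json, account_id, required=REQUIRED_ACTIONS):
    """Return the required actions the account's root principal is not granted.

    An action counts as granted when an Allow statement covers it and no Deny
    statement does. An empty list means the policy is sufficient.
    """
    policy = json.loads(policy_json)
    principal_arn = f"arn:aws:iam::{account_id}:root"
    missing = []
    for action in required:
        allowed = denied = False
        for stmt in _as_list(policy.get("Statement")):
            if not (_principal_matches(stmt, principal_arn) and _action_matches(stmt, action)):
                continue
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
        if denied or not allowed:
            missing.append(action)
    return missing


if __name__ == "__main__":
    # With the sample policy the target account lacks kms:Encrypt and kms:CreateGrant.
    print("target account is missing:", missing_permissions(SAMPLE_KEY_POLICY, TARGET_ACCOUNT))
    print("source account is missing:", missing_permissions(SAMPLE_KEY_POLICY, SOURCE_ACCOUNT))
```

Run it against the policy returned by `aws kms get-key-policy --policy-name default` for the source key; an empty list for the target account means the sharing step will not fail on key permissions, while a non-empty list names exactly what to add before copying or restoring.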
Step 2: Copy the snapshot to the target account's region. If the source and target VPCs are in different regions, copy the shared snapshot to the target account's region:
- Log in to the target AWS account and navigate to the RDS console.
- Go to Snapshots > Shared with Me and locate the shared snapshot.
- Select the snapshot and choose Actions > Copy snapshot.
- Configure the copy:
  - Destination region: Select the target region.
  - New snapshot identifier: Provide a name (e.g., target-db-snapshot-2025).
  - KMS key: Choose a KMS key in the target account/region if the snapshot is encrypted.
- Click Copy Snapshot.
Using the AWS CLI in the target account:
CopyCopyaws rds copy-db-snapshot \
--source-db-snapshot-identifier arn:aws:rds:source-region:source-account-id:snapshot:source-db-snapshot-2025 \
--target-db-snapshot-identifier target-db-snapshot-2025 \
--kms-key-id arn:aws:kms:target-region:target-account-id:key/target-key-id \
--region target-region
--source-db-snapshot-identifier arn:aws:rds:source-region:source-account-id:snapshot:source-db-snapshot-2025 \
--target-db-snapshot-identifier target-db-snapshot-2025 \
--kms-key-id arn:aws:kms:target-region:target-account-id:key/target-key-id \
--region target-region
Step 3: Restore the snapshot to a new DB instance in the target VPC. In the console:
- In the target account's RDS console, navigate to Snapshots (or Shared with Me if not copied).
- Select the snapshot (target-db-snapshot-2025 or the shared snapshot).
- Choose Actions > Restore snapshot.
- Configure the new DB instance:
  - DB instance identifier: Provide a unique name (e.g., target-db-instance).
  - VPC: Select the target VPC.
  - Subnet group: Choose a DB subnet group in the target VPC with subnets in at least two Availability Zones.
  - Security group: Assign a security group allowing inbound traffic on the database port from the application tier only.
  - Other settings: Match the source instance's settings (instance type, storage, etc.).
- Click Restore DB instance.
- Wait for the new instance to become Available.
Using the AWS CLI:

```bash
# The DB subnet group (target-vpc-subnet-group) must already exist in the target
# account and span at least two Availability Zones of the target VPC. Replace
# sg-xxxxxxxxxxxxxxxxx with the DB security group created in the target VPC.
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier target-db-instance \
  --db-snapshot-identifier target-db-snapshot-2025 \
  --db-subnet-group-name target-vpc-subnet-group \
  --vpc-security-group-ids sg-xxxxxxxxxxxxxxxxx \
  --db-instance-class db.t3.medium \
  --engine mysql \
  --region target-region
```
Step 4: Configure the new DB instance.
- Verify connectivity: Test access to the new DB instance from the target account's application or a client.
- Update security groups: Ensure the security group allows traffic from application servers in the target VPC, and nothing broader.
- Parameter and option groups: Assign or create parameter and option groups to match the source instance's configuration (a restored instance is attached to the default groups otherwise).
- Enable backups: Configure automated backups and maintenance windows.
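The security-group step above is where migrations most often end up with a database port open to the internet "temporarily". The following is an added example, not code from the original post, that reviews a DB security group's inbound rules in the shape returned by `aws ec2 describe-security-groups` and flags rules broader than "database port from the application tier's security group". The group IDs, account ID and rule set are constructed placeholders.

```python
"""Review the inbound rules of the restored instance's security group.

Added example; not code from the original post. The rule set is a constructed
sample in the shape of SecurityGroups[].IpPermissions from
`aws ec2 describe-security-groups`; group IDs are placeholders.
"""
import ipaddress

DB_PORT = 3306                       # MySQL, matching the post's restore command
APP_SG_ID = "sg-0aaaaaaaaaaaaaaaa"   # placeholder: application tier security group

# Constructed sample: the DB security group after a hurried migration.
SAMPLE_DB_SG = {
    "GroupId": "sg-0bbbbbbbbbbbbbbbb",   # placeholder: the DB security group
    "IpPermissions": [
        {   # correct: app tier may reach the DB port, referenced by group ID
            "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": APP_SG_ID, "UserId": "222222222222"}],
        },
        {   # left over from migration testing: DB port open to the internet
            "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp migration test"}],
            "Ipv6Ranges": [], "UserIdGroupPairs": [],
        },
        {   # unrelated port on a database security group
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
        },
    ],
}


def _port_range(rule):
    """Return (from, to) for the rule; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _cidrs(rule):
    """All IPv4 and IPv6 CIDR sources on the rule."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def review_db_ingress(group, db_port=DB_PORT, app_sg_id=APP_SG_ID):
    """Return a list of (code, detail) findings for the group's inbound rules.

    OPEN_TO_WORLD  the DB port is reachable from 0.0.0.0/0 or ::/0
    CIDR_SOURCE    the DB port is reachable from a CIDR rather than a security group
    EXTRA_PORT     a rule admits traffic on ports other than the DB port
    NO_APP_RULE    no rule references the application security group on the DB port
    """
    findings = []
    app_rule_present = False
    for rule in group.get("IpPermissions", []):
        low, high = _port_range(rule)
        proto = rule.get("IpProtocol")
        covers_db = low <= db_port <= high and proto in ("tcp", "-1")
        if low != db_port or high != db_port or proto != "tcp":
            findings.append(("EXTRA_PORT", f"{proto} {low}-{high}"))
        if not covers_db:
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == app_sg_id:
                app_rule_present = True
        for cidr in _cidrs(rule):
            net = ipaddress.ip_network(cidr, strict=False)
            code = "OPEN_TO_WORLD" if net.prefixlen == 0 else "CIDR_SOURCE"
            findings.append((code, cidr))
    if not app_rule_present:
        findings.append(("NO_APP_RULE", app_sg_id))
    return findings


if __name__ == "__main__":
    for code, detail in review_db_ingress(SAMPLE_DB_SG):
        print(f"{code}: {detail}")
```

Referencing the application tier by security group ID rather than by CIDR is what keeps the rule correct when application instances are replaced; the review reports any CIDR source on the database port so that the migration-time exceptions are removed before cutover.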
Step 5: Update application connection strings.
- Retrieve the endpoint of the new DB instance (e.g., target-db-instance.xxxxxxxxxxxx.target-regi..).
- Update the application configuration in the target account to use the new endpoint.
- Test the application to confirm connectivity and functionality.
Step 6: Verify the migration and clean up.
- Verify data: Run queries to ensure the data in the new DB instance is consistent with the source.
- Monitor performance: Use CloudWatch to verify the new instance's performance.
- Decommission the source DB instance:
  - Stop traffic to the source instance.
  - Take a final snapshot.
  - Delete the source instance.
- Clean up snapshots:
  - Delete the shared snapshot in the source account.
  - Delete the copied snapshot in the target account if no longer needed.
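For the "verify data" step, a practitioner wants something more systematic than spot queries. The following is an added example, not code from the original post: it fingerprints each table (row count plus a SHA-256 over the rows ordered by their first column) on both sides and reports the tables that differ. Two in-memory sqlite3 databases stand in for the source and target MySQL endpoints so the script runs offline; against RDS you would pass two DB-API connections from a MySQL driver and the same table list. The schema and rows are constructed, and the first column of every table is assumed to be its primary key.

```python
"""Compare row counts and content hashes per table between source and target.

Added example; not code from the original post. sqlite3 stands in for the two
MySQL endpoints; the sample data is constructed. Assumption: each table's
first column is its primary key, used to order rows before hashing.
"""
import hashlib
import sqlite3

TABLES = ("users", "orders")


def _populate(conn, drop_order_id=None):
    """Create the constructed schema; optionally omit one order to simulate drift."""
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);"
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "a@example.com"), (2, "b@example.com")])
    orders = [(10, 1, 19.99), (11, 2, 5.00), (12, 1, 42.50)]
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [o for o in orders if o[0] != drop_order_id])
    conn.commit()


def table_fingerprint(conn, table):
    """Return (row_count, sha256 hex of all rows ordered by the first column)."""
    cur = conn.cursor()
    # Table names come from the trusted TABLES tuple, never from user input.
    cur.execute(f"SELECT * FROM {table} ORDER BY 1")
    digest = hashlib.sha256()
    count = 0
    for row in cur:
        digest.update(repr(tuple(row)).encode())
        count += 1
    return count, digest.hexdigest()


def compare_databases(src, dst, tables=TABLES):
    """Return {table: 'ok' | 'count mismatch (s vs t)' | 'content mismatch'}."""
    result = {}
    for table in tables:
        s_count, s_hash = table_fingerprint(src, table)
        t_count, t_hash = table_fingerprint(dst, table)
        if s_count != t_count:
            result[table] = f"count mismatch ({s_count} vs {t_count})"
        elif s_hash != t_hash:
            result[table] = "content mismatch"
        else:
            result[table] = "ok"
    return result


def demo():
    """Source is complete; the target lost order 12 during the migration."""
    src, dst = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    _populate(src)
    _populate(dst, drop_order_id=12)
    return compare_databases(src, dst)


if __name__ == "__main__":
    for table, status in demo().items():
        print(f"{table}: {status}")
```

Run the comparison only after traffic to the source has stopped (the decommission step); while writes continue, counts and hashes drift for reasons unrelated to the migration.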
To minimize downtime during the switch, consider:
- DNS-based switch: Use a CNAME record with a low TTL to redirect traffic to the new endpoint.
- Cross-account replication: For supported engines (e.g., MySQL, PostgreSQL), set up a read replica in the target account's VPC, promote it, and switch traffic. This requires VPC peering or AWS Transit Gateway.
- Pre-testing: Warm up the new instance with test queries to reduce latency post-switch.
Troubleshooting common problems:
- Snapshot sharing issues: Verify the target account ID and KMS key permissions.
- Cross-region copy failures: Ensure the KMS key is shared and compatible with the target region.
- Connectivity problems: Check security groups, route tables, and NACLs in the target VPC.
- Permission errors: Confirm IAM roles have sufficient permissions for RDS and KMS operations.
Migrating an RDS DB instance to a VPC in a different AWS account requires careful coordination between accounts, including snapshot sharing, cross-region copying, and proper configuration of the target environment.