What should a database specialist do to meet this requirement?
Set up a VPN connection to encrypt the traffic over the Direct Connect connection.
Modify the DMS replication instance by disabling the publicly accessible option.
Delete the DMS replication instance. Recreate the DMS replication instance with the publicly accessible option disabled.
Create a new replication VPC subnet group with private subnets. Modify the DMS replication instance by selecting the newly created VPC subnet group.
Explanations:
Setting up a VPN connection over Direct Connect encrypts traffic but does not make the DMS replication instance inaccessible from public IP addresses.
While modifying the DMS replication instance to disable the publicly accessible option is a valid action, this alone doesn’t guarantee that the instance won’t be accessible via a public IP address if it was created with the option enabled.
Recreating the DMS replication instance with the publicly accessible option disabled ensures that the replication instance is not accessible via public IP addresses, as required by the security team.
Modifying the replication instance by selecting a new VPC subnet group may place the instance in private subnets, but this doesn’t necessarily ensure that the instance is not publicly accessible unless the publicly accessible option is also explicitly disabled.