AWS Security ChangesHomeSearch

AWS transform documentation change

Service: transform · 2025-08-13 · Documentation low

File: transform/latest/userguide/transform-vmware-migrate-network.md

Summary

Added documentation for IP migration strategies (IP retention, static assignment, dynamic assignment), DNS considerations, and VPC CIDR modification steps. Expanded details about security group conversion from NSX policies.

Security assessment

The change adds documentation about security group generation from NSX policies and their association mechanisms, which is a security feature. However, there is no evidence of addressing a specific security vulnerability - the DHCP limitation note describes current functionality rather than patching a security issue.

Diff

diff --git a/transform/latest/userguide/transform-vmware-migrate-network.md b/transform/latest/userguide/transform-vmware-migrate-network.md
index 89fd88a7d..c8d79e87a 100644
--- a//transform/latest/userguide/transform-vmware-migrate-network.md
+++ b//transform/latest/userguide/transform-vmware-migrate-network.md
@@ -5 +5 @@
-Generate VPC configurationTag network resourcesSecurity group association
+Network topologiesIP migration approachesGenerate VPC configurationTag network resourcesSecurity group association
@@ -27,0 +28,2 @@ For NSX networks, AWS Transform segments the network based on Tier-1 routers: It
+## Network topologies
+
@@ -44,0 +47,30 @@ For both topologies AWS Transform doesn’t open the communication to the intern
+## IP migration approaches
+
+AWS Transform offers three IP addressing strategies for your migration:
+
+  * **IP Address Retention:** Keep original IP addresses during migration. Ideal for lift-and-shift scenarios with legacy applications that have hard-coded IP dependencies or existing firewall rules.
+
+  * **Static IP Assignment:** Assign new fixed IP addresses from your VPC CIDR block. You can modify VPC CIDR ranges during migration, and AWS Transform automatically propagates changes to subnets, route tables, and security groups. Best for applications requiring predictable network behavior, DNS management, or IP-based access control. IPs persist across instance restarts using Elastic Network Interfaces (ENIs).
+
+  * **Dynamic IP Assignment (AWS DHCP):** Automatically assign IPs from subnet pools at instance launch. Optimal for cloud-native applications, auto-scaling workloads, and container orchestration (ECS, EKS, ASGs). Reduces operational overhead but requires applications to use DNS or service discovery.
+
+
+
+
+IP strategy is set at the wave level, with the option to override specific instances through inventory file customization.
+
+### DNS and network considerations
+
+Your DNS strategy should align with your IP addressing choice:
+
+  * **Static IP DNS:** DNS entries point directly to fixed IPs, simplifying resolution for legacy systems but requiring manual updates when IPs change.
+
+  * **Dynamic IP DNS:** Services accessed via DNS names that resolve to current IPs, supporting auto-scaling and failover through Route 53 or Cloud Map service discovery.
+
+  * **Hybrid DNS Architecture:** Enterprise pattern using on-premises DNS initially, implementing conditional forwarders between on-premises and Route 53 during migration, then gradually transitioning to Route 53 post-migration.
+
+
+
+
+For NSX environments, AWS Transform automatically converts security policies and gateway policies to Security Groups, associating them with network interfaces based on VM external IDs and IP addresses. However, for DHCP assignments in NSX environments, automatic Security Group generation is currently limited because IP addresses aren't known until instance launch.
+
@@ -62,0 +95,6 @@ For both topologies AWS Transform doesn’t open the communication to the intern
+In this step you can choose to modify your VPC CIDRs.
+
+    1. In the **Generated VPCs** list provide your CIDRs
+
+    2. Choose the **Regenerate network** button and review the results.
+