AWS Security ChangesHomeSearch

AWS transform documentation change

Service: transform · 2026-04-25 · Documentation low

File: transform/latest/userguide/transform-vmware-migrate-network.md

Summary

Updated documentation for AWS Transform network migration, including pluralization of 'security groups' in headings, added details on security group referencing, expanded mapping strategies (MAP, MAP_DHCP, SKIP), and added note about IP assignment options.

Security assessment

The changes add detailed documentation about security group mapping strategies and security group referencing behavior, which are security features. However, there is no evidence in the diff that these changes address a specific security vulnerability, weakness, or incident. The changes appear to be routine documentation improvements and clarifications.

Diff

diff --git a/transform/latest/userguide/transform-vmware-migrate-network.md b/transform/latest/userguide/transform-vmware-migrate-network.md
index f71b24386..bf3d7a888 100644
--- a//transform/latest/userguide/transform-vmware-migrate-network.md
+++ b//transform/latest/userguide/transform-vmware-migrate-network.md
@@ -7 +7 @@
-Step 1: Source network mappingStep 2: Additional configuration filesStep 3: Network topologiesStep 4: Security group mappingStep 5: Review VPC configurationsStep 6: Network diagramStep 7: Configure resource taggingStep 8: Deploy networkNetwork deletionConfiguration file extraction
+Step 1: Source network mappingStep 2: Additional configuration filesStep 3: Network topologiesStep 4: Security groups mappingStep 5: Review VPC configurationsStep 6: Network diagramStep 7: Configure resource taggingStep 8: Deploy networkNetwork deletionConfiguration file extraction
@@ -21 +21 @@ To migrate your network, follow these steps:
-  4. Select security groups mapping strategy
+  4. Select a security groups mapping strategy
@@ -154 +154 @@ If you want fine-grained control over the communication between the VPCs, choose
-## Step 4: Security group mapping
+## Step 4: Security groups mapping
@@ -161,0 +162,15 @@ AWS Transform makes a best effort to create security groups that match your sour
+**Security group referencing**
+
+When generating security groups, AWS Transform uses security group referencing where supported. Security group referencing sets security rules based on another security group ID rather than specific IP address ranges (CIDR blocks). This approach provides more flexible and maintainable security configurations.
+
+In AWS, security group rules can only reference other security groups within the same VPC, or in a connected VPC within the same Region, including across accounts. You cannot reference a security group in a non-connected VPC or across Regions. For connected VPCs, only inbound rules support cross-VPC security group references — outbound rules must use CIDR-based rules. How AWS Transform creates security group rules depends on your chosen network topology:
+
+  * **Hub and Spoke:** Transit Gateway provides network connectivity between VPCs. AWS Transform creates security groups using referencing for both within-VPC and cross-VPC/cross-account ingress rules. Cross-VPC/cross-account egress (outbound) rules use CIDR-based rules.
+
+  * **Isolated VPCs:** There is no network connectivity between VPCs. AWS Transform creates security groups using referencing for within-VPC rules only. All cross-VPC and cross-account rules use CIDR-based rules.
+
+
+
+
+CIDR-based rules are also used when source configurations are not symmetric.
+
@@ -164 +179,3 @@ Choose one of the following security group mapping strategies:
-  * **MAP:** Translate rules from your source environment. Only static IP assignment is supported with this strategy (see IP migration approaches below).
+  * **MAP:** Translates security rules from your source environment to AWS security groups and rules. Use this option for migrations using static IP addressing.
+
+  * **MAP_DHCP (Translate with DHCP support):** Translates security rules from your source environment with DHCP compatibility. Because DHCP assigns IP addresses dynamically from the subnet's CIDR range, cross-VPC egress rules are widened to match the full destination subnet CIDR. A narrower CIDR would block DHCP-assigned IPs that fall outside that range — review these rules post-migration. Use this option for DHCP support with cross-VPC Transit Gateway communication. Also works with static IPs, but may produce broader rules than MAP.
@@ -166 +183 @@ Choose one of the following security group mapping strategies:
-  * **SKIP:** Do not translate rules from your source environment. No security groups are generated. Both static and dynamic (DHCP) IP assignment are available. For RVTools source environments without additional configuration files, AWS Transform automatically uses SKIP.
+  * **SKIP:** Does not translate security rules. Configure AWS security groups manually post-migration. Works with both static IP and DHCP environments. For RVTools source environments without additional configuration files, AWS Transform automatically uses SKIP.
@@ -170,0 +188,4 @@ Choose one of the following security group mapping strategies:
+###### Note
+
+Your mapping strategy determines your IP assignment options. MAP supports static IP only. MAP_DHCP and SKIP support both static and DHCP.
+