DMS Replication Instance Has Multi-AZ Enabled

Overview

This check verifies that AWS Database Migration Service (DMS) replication instances have Multi-AZ (Multi-Availability Zone) enabled. Multi-AZ deployment creates a standby replica in a different Availability Zone, providing automatic failover if the primary instance becomes unavailable.

Risk

Without Multi-AZ enabled, your DMS replication instance is vulnerable to:

Service interruption: A single Availability Zone failure can halt your database migration completely
Extended downtime: Recovery from an AZ failure requires manual intervention and can take significant time
Data integrity issues: Replication gaps or rollbacks may occur if a failure happens mid-migration
Increased cutover risk: Migration tasks may stall, complicating database cutover windows

Remediation Steps

Prerequisites

You need permission to modify DMS replication instances in your AWS account.

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dms:ModifyReplicationInstance",
        "dms:DescribeReplicationInstances"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

Open the AWS DMS Console
In the left navigation, click Replication instances
Select the replication instance you want to modify
Click the Modify button
Scroll to the Multi-AZ section
Check the box to enable Multi-AZ
Choose whether to apply changes immediately or during the next maintenance window
Click Modify to save your changes

Note: Enabling Multi-AZ may cause a brief outage if you choose to apply immediately. Plan accordingly for production workloads.

AWS CLI (optional)

List existing replication instances

First, identify which replication instances need Multi-AZ enabled:

aws dms describe-replication-instances \
  --region us-east-1 \
  --query 'ReplicationInstances[*].[ReplicationInstanceIdentifier,MultiAZ,ReplicationInstanceArn]' \
  --output table

Enable Multi-AZ on a replication instance

aws dms modify-replication-instance \
  --replication-instance-arn arn:aws:dms:us-east-1:<ACCOUNT_ID>:rep:<REPLICATION_INSTANCE_ID> \
  --multi-az \
  --apply-immediately \
  --region us-east-1

Replace:

<ACCOUNT_ID> with your AWS account ID
<REPLICATION_INSTANCE_ID> with your replication instance identifier

To apply during the next maintenance window instead:

aws dms modify-replication-instance \
  --replication-instance-arn arn:aws:dms:us-east-1:<ACCOUNT_ID>:rep:<REPLICATION_INSTANCE_ID> \
  --multi-az \
  --no-apply-immediately \
  --region us-east-1

CloudFormation (optional)

CloudFormation template

AWSTemplateFormatVersion: '2010-09-09'
Description: DMS Replication Instance with Multi-AZ enabled

Parameters:
  ReplicationInstanceIdentifier:
    Type: String
    Description: Unique identifier for the replication instance
  ReplicationInstanceClass:
    Type: String
    Default: dms.t3.medium
    Description: The compute and memory capacity of the replication instance
  SubnetGroupIdentifier:
    Type: String
    Description: The name of the replication subnet group
  VpcSecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: Security groups for the replication instance

Resources:
  DMSReplicationInstance:
    Type: AWS::DMS::ReplicationInstance
    Properties:
      ReplicationInstanceIdentifier: !Ref ReplicationInstanceIdentifier
      ReplicationInstanceClass: !Ref ReplicationInstanceClass
      ReplicationSubnetGroupIdentifier: !Ref SubnetGroupIdentifier
      VpcSecurityGroupIds: !Ref VpcSecurityGroupIds
      MultiAZ: true
      PubliclyAccessible: false
      AutoMinorVersionUpgrade: true

Outputs:
  ReplicationInstanceArn:
    Description: ARN of the DMS replication instance
    Value: !Ref DMSReplicationInstance

Deploy the stack

aws cloudformation deploy \
  --template-file dms-replication-instance.yaml \
  --stack-name dms-replication-instance \
  --parameter-overrides \
    ReplicationInstanceIdentifier=my-replication-instance \
    SubnetGroupIdentifier=my-subnet-group \
    VpcSecurityGroupIds=sg-12345678 \
  --region us-east-1

Terraform (optional)

Terraform configuration

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "replication_instance_id" {
  description = "Unique identifier for the replication instance"
  type        = string
}

variable "replication_instance_class" {
  description = "The compute and memory capacity of the replication instance"
  type        = string
  default     = "dms.t3.medium"
}

variable "replication_subnet_group_id" {
  description = "The name of the replication subnet group"
  type        = string
}

variable "vpc_security_group_ids" {
  description = "Security groups for the replication instance"
  type        = list(string)
}

resource "aws_dms_replication_instance" "main" {
  replication_instance_id     = var.replication_instance_id
  replication_instance_class  = var.replication_instance_class
  replication_subnet_group_id = var.replication_subnet_group_id
  vpc_security_group_ids      = var.vpc_security_group_ids

  # Enable Multi-AZ for high availability
  multi_az = true

  # Security best practices
  publicly_accessible = false

  # Keep DMS engine updated
  auto_minor_version_upgrade = true

  tags = {
    Name = var.replication_instance_id
  }
}

output "replication_instance_arn" {
  description = "ARN of the DMS replication instance"
  value       = aws_dms_replication_instance.main.replication_instance_arn
}

Apply the configuration

terraform init
terraform plan
terraform apply

Modify existing instance

To enable Multi-AZ on an existing Terraform-managed instance, add or update the multi_az argument:

resource "aws_dms_replication_instance" "main" {
  # ... existing configuration ...

  multi_az = true  # Add or change this line
}

Then run terraform apply to apply the change.

Verification

After enabling Multi-AZ, verify the change was applied:

Open the AWS DMS Console
Select your replication instance
In the Details tab, confirm Multi-AZ shows as Yes

CLI verification

aws dms describe-replication-instances \
  --region us-east-1 \
  --filters Name=replication-instance-id,Values=<YOUR_INSTANCE_ID> \
  --query 'ReplicationInstances[0].[ReplicationInstanceIdentifier,MultiAZ]' \
  --output table

The output should show True for the Multi-AZ column.

Additional Resources

Notes

Cost impact: Multi-AZ doubles the cost of your replication instance since AWS maintains a standby replica
Maintenance windows: Consider scheduling the change during a maintenance window for production instances
Brief outage: Enabling Multi-AZ may cause a brief outage (typically a few minutes) if applied immediately
Subnet requirements: Your replication subnet group must span at least two Availability Zones for Multi-AZ to work
Instance class: Multi-AZ is supported on all DMS replication instance classes

Overview​

Risk​

Remediation Steps​

Prerequisites​

AWS Console Method​

List existing replication instances​

Enable Multi-AZ on a replication instance​

CloudFormation template​

Deploy the stack​

Terraform configuration​

Apply the configuration​

Modify existing instance​

Verification​

Additional Resources​

Notes​