Cloud/ AWS / AWS Certified Solutions Architect โ€” Professional (SAP-C02) / SAP-C02 Migration Planning: The 7 Rs, Tooling & Hybrid Networking

AWS Amazon Web Services Professional Step 4 of 5 106 guides ยท updated 2026

Hands-on guides to compute, storage, databases, networking, and serverless on the world's most widely adopted cloud platform.

Step 4 โ€” Migration Planning

Somewhere around a third of the Professional exam is, in one form or another, a migration question dressed up in different scenario clothing. Thatโ€™s not an accident โ€” moving an existing estate to AWS, or between AWS accounts and Regions, is where the messy realities of an enterprise (legal contracts on software licenses, a mainframe nobody wants to touch, a 200 TB file share, a security team that wonโ€™t approve public internet transfer of customer data) collide with clean architecture diagrams. This step builds the decision framework you need when a scenario hands you an inventory of a thousand workloads and asks what happens to each one.


The 7 Rs: A Decision Tree, Not a List to Memorize

Every migration question ultimately reduces to picking one of seven dispositions for a given workload. Memorizing the list gets you nowhere on its own โ€” you need to know which signals in a scenario point to which R.

Is the workload still needed?
โ”‚
โ”œโ”€โ”€ No, nobody uses it โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ถ RETIRE
โ”‚
โ”œโ”€โ”€ Yes, but it can't move (regulatory, or already
โ”‚ on a contract that outlasts the migration) โ”€โ”€โ”€โ”€โ”€โ–ถ RETAIN
โ”‚
โ””โ”€โ”€ Yes, it needs to move. How much change can you invest?
โ”‚
โ”œโ”€โ”€ None โ€” move as-is โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ถ REHOST ("lift and shift")
โ”‚
โ”œโ”€โ”€ Just the location, not the platform
โ”‚ (e.g. VMware Cloud on AWS) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ถ RELOCATE
โ”‚
โ”œโ”€โ”€ Replace it with a SaaS/COTS product โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ถ REPURCHASE
โ”‚
โ”œโ”€โ”€ Minor optimizations during the move
โ”‚ (managed DB instead of self-hosted DB) โ”€โ”€โ”€โ”€โ”€โ”€โ–ถ REPLATFORM
โ”‚
โ””โ”€โ”€ Full redesign to be cloud-native โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ถ REFACTOR / RE-ARCHITECT

The exam signal words are worth drilling. โ€œMove quickly with minimal changes, deadline in 60 daysโ€ almost always means rehost. โ€œReduce operational overhead of patching the database, but donโ€™t touch the applicationโ€ means replatform (self-managed MySQL on EC2 to RDS for MySQL, same engine, managed service). โ€œThe vendor is discontinuing support for our on-prem CRMโ€ means repurchase โ€” youโ€™re not migrating the old thing, youโ€™re buying its SaaS replacement. โ€œLegal requires this data stay in a specific facility for three more yearsโ€ means retain. Scenarios rarely say the word โ€œrehostโ€ outright; they describe the constraint and expect you to name the R.

A cost-governance angle that Professional questions like to fold in: rehosted workloads are the ones you immediately evaluate for Reserved Instances or Savings Plans once steady-state usage is observed, because a lift-and-shift doesnโ€™t change the consumption pattern โ€” it just changes where the servers live.


Migration Tooling by Workload Type

Workload TypePrimary ToolWhat It Actually Does
Physical/virtual servers, whole-OSAWS Application Migration Service (MGN)Continuous block-level replication to a staging area, then a cutover with minimal downtime
Relational/NoSQL databasesAWS Database Migration Service (DMS)Continuous replication with change data capture; Schema Conversion Tool handles engine translation for heterogeneous migrations
Large file systems, ongoing syncDataSyncOnline transfer with automatic checksumming, useful for NFS/SMB shares and recurring incremental syncs
Managed file transfer (SFTP/FTPS partners)AWS Transfer FamilyFully managed SFTP/FTPS/FTP endpoints backed by S3 or EFS, for external partner integrations that canโ€™t change protocol
Massive offline datasets, poor connectivitySnow Family (Snowball, Snowball Edge, Snowmobile)Physical device shipped to your site, filled, shipped back; Snowball Edge also runs compute at the edge during transfer

MGN deserves particular attention because it replaced the older Server Migration Service as the default lift-and-shift tool, and the exam expects you to know the mechanism: it installs a lightweight agent, continuously replicates disk blocks to a staging subnet in your target AWS account, and lets you test-launch the replicated servers without affecting the ongoing replication or the source environment. Cutover is a final sync followed by launching production instances from the fully replicated state โ€” this is what makes downtime measured in minutes rather than the hours a traditional backup-and-restore migration requires.

DMSโ€™s Schema Conversion Tool (SCT) matters specifically for heterogeneous migrations โ€” Oracle to Aurora PostgreSQL, SQL Server to Aurora MySQL โ€” where the schema, stored procedures, and proprietary SQL dialect need translation before replication can even begin. Homogeneous migrations (SQL Server to SQL Server, just moving location or to RDS) skip most of that translation work, which is why the exam sometimes tests whether youโ€™d reach for SCT unnecessarily โ€” you wouldnโ€™t, for a same-engine move.

Choosing between DataSync and Snow Family usually comes down to bandwidth math the question will imply rather than state directly: a stated data volume against a stated (or clearly limited) network connection either supports an online transfer within the migration window or it doesnโ€™t. When it doesnโ€™t โ€” satellite offices, ships, remote facilities, or simply datasets in the hundreds of terabytes to petabytes against modest bandwidth โ€” physical transfer via Snow Family wins even though it feels counterintuitive to ship a physical box in a cloud-native course.


Wave Planning: Sequencing a Thousand-Workload Migration

No enterprise migrates everything simultaneously, and the exam tests whether you know how to sequence dependencies correctly, not just which tool to use per workload.

Wave 0 โ€” Foundation (weeks 1-4)
Landing zone, networking (VPC, Direct Connect/VPN), IAM, logging baseline
Wave 1 โ€” Low-risk, low-dependency (weeks 5-10)
Dev/test environments, internal tools, stateless web tier pilots
Wave 2 โ€” Core dependencies (weeks 11-20)
Shared databases, Active Directory, internal APIs consumed by later waves
Wave 3 โ€” Business-critical (weeks 21-30)
Customer-facing production systems, payment processing
Wave 4 โ€” Complex/high-risk (weeks 31+)
Mainframe-adjacent systems, workloads with unresolved licensing questions

The pattern to internalize: you migrate the things other things depend on before the things that depend on them, and you migrate low-risk workloads early to build organizational muscle memory and validate the landing zone before betting anything customer-facing on it. A scenario describing โ€œthe migration team wants to prove the process works before touching productionโ€ is describing Wave 1, and any answer that jumps straight to migrating the payment system first should be treated as wrong regardless of how technically sound that individual migration might be.

The AWS Migration Hub ties this together operationally โ€” it aggregates migration status across MGN, DMS, and other tools into a single tracking view, which matters once you have dozens of workloads in flight across different waves and tools simultaneously and someone in a steering committee asks โ€œwhatโ€™s actually done.โ€


Hybrid Architecture During the Transition

Migrations take months to years, not a weekend, which means for most of that period youโ€™re running a hybrid estate โ€” some workloads on-prem, some in AWS, and they need to communicate as if they were on one network.

On-Premises Data Center AWS
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Core apps (not yet โ”‚ Direct Connect โ”‚ Migrated workloads โ”‚
โ”‚ migrated) โ”‚โ—€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ถโ”‚ VPC โ”‚
โ”‚ โ”‚ (private, โ”‚ โ”‚
โ”‚ Storage Gateway โ”‚ consistent โ”‚ S3 (backed by โ”‚
โ”‚ appliance โ”‚ low latency) โ”‚ Storage Gateway) โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
โ”‚
โ””โ”€โ”€ VPN (backup path / lower-priority traffic)

Direct Connect gives you a private, consistent-latency circuit to AWS instead of routing hybrid traffic over the public internet โ€” important for both performance and for compliance requirements that specifically prohibit sensitive data traversing the public internet, even encrypted. Most enterprise migrations pair a primary Direct Connect circuit with a VPN as a lower-cost failover path, since Direct Connect provisioning can take weeks and a single circuit is a single point of failure the exam expects you to recognize as unacceptable at this scale โ€” a resilient design uses two Direct Connect circuits from different providers/locations, or Direct Connect plus VPN failover, never one.

Storage Gateway bridges on-premises applications that expect local file or block storage to S3-backed durability without an application rewrite. The three types map cleanly to use cases: File Gateway presents an NFS/SMB share backed by S3 (good for on-prem apps reading/writing files during a phased migration), Volume Gateway presents iSCSI block storage with either cached volumes (working set local, full data in S3) or stored volumes (full data local, async backup to S3), and Tape Gateway replaces a physical tape backup process with a virtual tape library backed by S3 and Glacier โ€” useful when a companyโ€™s existing backup software expects to talk to tape and rewriting that isnโ€™t in scope for the migration itself.


Exam Focus: What Questions Test From This Step