Add security content to DMS FAQ

Author: rwestMSFT

articles/dms/faq.yml

@@ -5,12 +5,12 @@ metadata:
   services: database-migration
   author: croblesm
   ms.author: roblescarlos
-  ms.reviewer: craigg
+  ms.reviewer: randolphwest
   ms.service: dms
   ms.workload: data-services
   ms.custom: mvc
   ms.topic: faq
-  ms.date: 02/20/2020
+  ms.date: 03/28/2023
 title: FAQ about using Azure Database Migration Service
 summary: This article lists commonly asked questions about using Azure Database Migration Service together with related answers.
 
@@ -38,7 +38,7 @@ sections:
           When migrating from SQL Server, supported sources for Azure Database Migration Service are SQL Server 2005 through SQL Server 2019. If you are using Azure Data Studio with SQL Migration extension, supported sources are SQL Server 2008 through SQL Server 2022.
 
       - question: |
-          When using Azure Database Migration Service, what’s the difference between an offline and an online migration?
+          When using Azure Database Migration Service, what's the difference between an offline and an online migration?
         answer: |
           You can use Azure Database Migration Service to perform offline and online migrations. With an *offline* migration, application downtime starts when the migration starts. With an *online* migration, downtime is limited to the time to cut over at the end of migration. We suggest that you test an offline migration to determine whether the downtime is acceptable; if not, do an online migration.
           
@@ -48,18 +48,67 @@ sections:
       - question: |
           How does Azure Database Migration Service compare to other Microsoft database migration tools such as the Database Migration Assistant (DMA) or SQL Server Migration Assistant (SSMA)?
         answer: |
-          Azure Database Migration Service is the preferred method for database migration to Microsoft Azure at scale. For more detail on how Azure Database Migration Service compares to other Microsoft database migration tools and for recommendations on using the service for various scenarios, see the blog posting [Differentiating Microsoft’s Database Migration Tools and Services](https://techcommunity.microsoft.com/t5/microsoft-data-migration/differentiating-microsoft-s-database-migration-tools-and/ba-p/368529).
+          Azure Database Migration Service is the preferred method for database migration to Microsoft Azure at scale. For more detail on how Azure Database Migration Service compares to other Microsoft database migration tools and for recommendations on using the service for various scenarios, see the blog posting [Differentiating Microsoft's Database Migration Tools and Services](https://techcommunity.microsoft.com/t5/microsoft-data-migration/differentiating-microsoft-s-database-migration-tools-and/ba-p/368529).
           
       - question: |
           How does Azure Database Migration Service compare to the Azure Migrate offering?
         answer: |
-          Azure Migrate assists with migration of on-premises virtual machines to Azure IaaS. The service assesses migration suitability and performance-based sizing, and it provides cost estimates for running your on-premises virtual machines in Azure. Azure Migrate is useful for lift-and-shift migrations of on-premises VM-based workloads to Azure IaaS VMs. However, unlike Azure Database Migration Service, Azure Migrate isn’t a specialized database migration service offering for Azure PaaS relational database platforms such as Azure SQL Database or Azure SQL Managed Instance.
+          Azure Migrate assists with migration of on-premises virtual machines to Azure IaaS. The service assesses migration suitability and performance-based sizing, and it provides cost estimates for running your on-premises virtual machines in Azure. Azure Migrate is useful for lift-and-shift migrations of on-premises VM-based workloads to Azure IaaS VMs. However, unlike Azure Database Migration Service, Azure Migrate isn't a specialized database migration service offering for Azure PaaS relational database platforms such as Azure SQL Database or Azure SQL Managed Instance.
 
       - question: |
           Does Database Migration Service store customer data?
         answer: |
           No. Database Migration Service does not store customer data.
 
+  - name: Security
+    questions:
+      - question: |
+          What services are created and consumed when an instance of DMS is created and run?
+        answer: |
+          The following list contains the resources that are created behind the scenes when a DMS instance is created.
+          
+          * Azure VM
+          * Storage container
+          * Service Bus topic
+          * Storage tables
+
+      - question: |
+          How is metadata and client data extracted from source and written to target?
+        answer: |
+          User has to extract the metadata, that is, the schema manually using the `pg_dump` command line utility, and restored using `pg_restore`.
+
+          For client data, DMS internally uses `pg_dump` and `pg_restore` for initial load and logical decoding for CDC.
+
+      - question: |
+          Are there any public endpoints used?
+        answer: |
+          While creating DMS (Classic), users are asked to provide the network configuration. Based on the public or private VNet used, DMS uses those endpoints accordingly.
+
+      - question: |
+          Is all data encrypted in transit and at rest?
+        answer: |
+          The source and target connection have properties 'Trust server certificate' (default `false`) and 'Encrypt Connection' (default `true`). At rest, data is encrypted based on the storage encryption selected.
+
+      - question: |
+          Do all Azure services that underpin DMS (Classic) use private endpoints?
+        answer: |
+          No, they aren't using private endpoints. But each resource is dedicated / scoped to that particular DMS (Classic) instance, and protected with SAS keys.
+
+      - question: |
+          Do all Azure services that underpin DMS (Classic) make use of CMK for data at rest?
+        answer: |
+          CMK can't be used for data at rest.
+
+      - question: |
+          What type of encryption is used for data in transit?
+        answer: |
+          All communication between resources and compute VMs uses TLS 1.2. The DMS (Classic) portal page has a configuration page where this setting can be managed.
+
+      - question: |
+          Is there any data that isn't protected by CMK, and what type of data? For instance, metadata, logs, and so on.
+        answer: |
+          No, CMK isn't supported.
+
   - name: Setup
     questions:
       - question: |
@@ -83,19 +132,19 @@ sections:
           You may also need to include the port source that SQL Server is listening on the allowlist. By default, it's port 1433, but the source SQL Server may be configured to listen on other ports as well. In this case, you need to include those ports on the allowlist as well. You can determine the port that SQL Server is listening on by using a Dynamic Management View query:
           
           ```sql
-              SELECT DISTINCT
-                  local_tcp_port
-              FROM sys.dm_exec_connections
-              WHERE local_tcp_port IS NOT NULL
+          SELECT DISTINCT
+              local_tcp_port
+          FROM sys.dm_exec_connections
+          WHERE local_tcp_port IS NOT NULL;
           ```
           
           You can also determine the port that SQL Server is listening by querying the SQL Server error log:
           
           ```sql
-              USE master
-              GO
-              xp_readerrorlog 0, 1, N'Server is listening on'
-              GO
+          USE master;
+          GO
+          xp_readerrorlog 0, 1, N'Server is listening on';
+          GO
           ```
           
       - question: |
@@ -112,8 +161,8 @@ sections:
           
           1. Create a target database(s).
           2. Assess your source database(s).
-              * For homogenous migrations, assess your existing database(s) by using [DMA](https://www.microsoft.com/download/details.aspx?id=53595).
-              * For heterogeneous migrations (from compete sources), assess your existing database(s) with [SSMA](/sql/ssma/sql-server-migration-assistant). You also use SSMA to convert database objects and migrate the schema to your target platform.
+             * For homogenous migrations, assess your existing database(s) by using [DMA](https://www.microsoft.com/download/details.aspx?id=53595).
+             * For heterogeneous migrations (from compete sources), assess your existing database(s) with [SSMA](/sql/ssma/sql-server-migration-assistant). You also use SSMA to convert database objects and migrate the schema to your target platform.
           3. Create an instance of Azure Database Migration Service.
           4. Create a migration project specifying the source database(s), target database(s), and the tables to migrate.
           5. Start the full load.
@@ -123,7 +172,7 @@ sections:
   - name: Troubleshooting and optimization
     questions:
       - question: |
-          I’m setting up a migration project in DMS, and I’m having difficulty connecting to my source database. What should I do?
+          I'm setting up a migration project in DMS, and I'm having difficulty connecting to my source database. What should I do?
         answer: |
           If you have trouble connecting to your source database system while working on migration, create a virtual machine in the same subnet of the virtual network with which you set up your DMS instance. In the virtual machine, you should be able to run a connect test, such as using a UDL file to test a connection to SQL Server or downloading Robo 3T to test MongoDB connections. If the connection test succeeds, you shouldn't have an issue with connecting to your source database. If the connection test doesn't succeed, contact your network administrator.
 
@@ -143,4 +192,5 @@ sections:
 additionalContent: |
 
   ## Next steps
-     For an overview of the Azure Database Migration Service and regional availability, see the article [What is the Azure Database Migration Service](dms-overview.md).
+
+  - [What is the Azure Database Migration Service](dms-overview.md).