Optional Readonly activationKey
Agent activation key retrieved via HTTP GET to the agent IP (port 80) or from the DataSync console. Keys expire in 30 minutes. If omitted and VPC config is provided, MDAA treats this as a first-pass deployment (creates VPC endpoint and security group only).
Use cases: Agent registration; Two-stage deployment (omit for first pass, provide for second)
AWS: DataSync agent activation key for ActivateAgent API call
Validation: Optional; format XXXXX-XXXXX-XXXXX-XXXXX-XXXXX; expires 30 minutes after generation
Readonly agentIpAddress
IP address of the DataSync agent host. Used to create security group ingress rules allowing agent control traffic (TCP 1024-1064) and data transfer (TCP 443) to the VPC endpoint.
Use cases: Security group rule automation; Agent-to-VPC endpoint connectivity
AWS: Agent IP for security group ingress rules on the DataSync VPC endpoint
Validation: Required; must be valid IPv4 address
Optional Readonly security
Security group ID for protecting data transfer task subnets. If omitted and VPC config is provided, MDAA creates a security group with required ingress rules (TCP 443 and TCP 1024-1064 from agent IPs).
Use cases: Externally managed security groups; Custom network security policies
AWS: EC2 security group for DataSync agent and task ENI protection
Validation: Optional; if omitted, MDAA creates security group when VPC config is specified
Readonly subnetId
Subnet ID where DataSync creates elastic network interfaces (ENIs) for data transfer tasks. Deploy agents in different subnets/AZs for resiliency. The agent must be able to route to all four ENIs created per task in this subnet.
Use cases: Private network deployment; Multi-AZ resiliency; ENI placement for data transfer
AWS: EC2 subnet for DataSync agent ENIs and VPC endpoint placement
Validation: Required; must be existing subnet ID within the specified VPC
Optional Readonly vpc
VPC endpoint ID for private agent-to-service communication via AWS PrivateLink. If omitted and VPC config is provided, MDAA creates a VPC endpoint automatically. Use this when the VPC endpoint is managed outside MDAA.
Use cases: Pre-existing VPC endpoint reuse; Externally managed PrivateLink endpoints
AWS: VPC endpoint ID for DataSync PrivateLink connectivity (e.g. vpce-01234d5aff67890e1)
Validation: Optional; if omitted, MDAA creates VPC endpoint when VPC config is specified
DataSync agent configuration for on-premises to AWS data transfer. Agents must be deployed externally (EC2 with DataSync AMI or hypervisor) before activation. Two-stage deployment: omit activationKey on first pass to create VPC endpoint and security group, then add activationKey on second pass to register the agent. Activation keys expire in 30 minutes.
Use cases: On-premises storage migration; Hybrid cloud data sync; Multi-AZ agent resiliency
AWS: DataSync agent registration with VPC endpoint and security group configuration
Validation: agentIpAddress and subnetId required; activationKey required for agent registration (second pass)
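The validation rules, the 30-minute key expiry and the two-stage flow described above can be checked before a deployment is attempted. The following is an added example, not MDAA's own code: only `activationKey`, `agentIpAddress` and `subnetId` come from this page, while the types, the function names and the assumed key alphabet (uppercase letters and digits) are hypothetical.

```typescript
// Added example: activationKey, agentIpAddress and subnetId are the page's field names;
// types, function names and the key alphabet are assumptions made for illustration.
interface AgentConfig { activationKey?: string; agentIpAddress: string; subnetId: string; }
interface IngressRule { cidr: string; protocol: "tcp"; fromPort: number; toPort: number; purpose: string; }
interface Plan { stage: "first-pass" | "register-agent"; errors: string[]; ingress: IngressRule[]; }

const KEY_TTL_MS = 30 * 60 * 1000; // keys expire 30 minutes after generation
// Assumption: each X in XXXXX-XXXXX-XXXXX-XXXXX-XXXXX is an uppercase letter or digit.
const KEY_FORMAT = /^[A-Z0-9]{5}(-[A-Z0-9]{5}){4}$/;

// Leading zeros are rejected so an octet can never be read as octal by another parser.
function isIpv4(value: string): boolean {
  const parts = value.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// keyIssuedAt is when the key was fetched from the agent; now is injectable for testing.
function planAgentDeployment(cfg: AgentConfig, keyIssuedAt?: Date, now: Date = new Date()): Plan {
  const errors: string[] = [];
  if (!isIpv4(cfg.agentIpAddress)) errors.push("agentIpAddress must be a valid IPv4 address");
  if (!cfg.subnetId) errors.push("subnetId is required");
  let stage: Plan["stage"] = "first-pass"; // no key: VPC endpoint and security group only
  if (cfg.activationKey !== undefined) {
    stage = "register-agent";
    if (!KEY_FORMAT.test(cfg.activationKey)) errors.push("activationKey has the wrong format");
    if (keyIssuedAt && now.getTime() - keyIssuedAt.getTime() >= KEY_TTL_MS)
      errors.push("activationKey has expired; fetch a new one");
  }
  // Scope both rules to the single agent host (/32); plan no rules for an invalid config.
  const cidr = `${cfg.agentIpAddress}/32`;
  const ingress: IngressRule[] = errors.length ? [] : [
    { cidr, protocol: "tcp", fromPort: 1024, toPort: 1064, purpose: "agent control traffic" },
    { cidr, protocol: "tcp", fromPort: 443, toPort: 443, purpose: "data transfer" },
  ];
  return { stage, errors, ingress };
}

// Constructed sample values: documentation-range IP, placeholder subnet ID and key.
const base: AgentConfig = { agentIpAddress: "192.0.2.10", subnetId: "subnet-EXAMPLE" };
const issued = new Date("2024-01-01T00:00:00Z");
const key = "ABCDE-12345-FGHIJ-67890-KLMNO";
const firstPass = planAgentDeployment(base);
const secondPass = planAgentDeployment({ ...base, activationKey: key }, issued, new Date("2024-01-01T00:10:00Z"));
const tooLate = planAgentDeployment({ ...base, activationKey: key }, issued, new Date("2024-01-01T00:31:00Z"));
console.log(firstPass.stage, secondPass.stage, tooLate.errors);
```

Recording the time the key was fetched and passing it as `keyIssuedAt` catches a second pass that starts after the 30-minute window instead of failing at registration.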