Configure

This topic explains the required steps to configure connectivity between the AWS Virtual Private Cloud (VPC) and the ODB Network for Oracle Database@AWS.

Required Permissions

Table 1-1 Required Permissions to Configure Connectivity

Task: Configure connectivity between the AWS VPC and the ODB Network for Oracle Database@AWS
Cloud: AWS
Permissions: the IAM policy documents listed below

To create a route rule in the application VPC's route table, the following EC2 IAM permissions are required:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateRoute",
            "Action": [
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
For DNS connectivity, to create an outbound endpoint in Route 53, the following Route 53 Resolver IAM permissions are required:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Route53Resolver",
            "Action": [
                "route53resolver:CreateResolverEndpoint",
                "route53resolver:CreateResolverRule",
                "route53resolver:AssociateResolverRule",
                "route53resolver:GetResolverEndpoint",
                "route53resolver:ListResolverEndpoints",
                "route53resolver:AssociateResolverEndpointIpAddress",
                "route53resolver:DisassociateResolverEndpointIpAddress",
                "route53resolver:TagResource",
                "route53resolver:UntagResource",
                "route53resolver:DisassociateResolverRule",
                "route53resolver:ListResolverRules",
                "route53resolver:ListResolverEndpointIpAddresses",
                "route53resolver:ListResolverRuleAssociations",
                "route53resolver:ListTagsForResource"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
In addition, the following EC2 IAM permissions are required:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ec2Operations",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:CreateTags",
                "ec2:DescribeAvailabilityZones",
                "ec2:GetSecurityGroupsForVpc"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
To configure security rules in a security group, the following EC2 IAM permissions are required:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ec2SecurityOperations",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeSecurityGroupRules"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Note

Before you start to configure connectivity between the AWS VPC and the ODB network for Oracle Database@AWS, you must download the latest AWS CLI. For more information, see Installing or updating to the latest version of the AWS CLI.
  1. Use the latest AWS CLI and run the following command:
    aws --version 
  2. Make sure that you are using AWS CLI version 2.27.47 or higher. For example, you will see the following output after running the previous command:
    aws-cli/2.27.47 Python/3.13.5 Darwin/24.5.0 source/x86_64 
  3. Run the following command to confirm that you have access to the --odb-network-arn parameter:
    aws ec2 create-route help
  4. Verify that [--odb-network-arn <value>] parameter appears in the help SYNOPSIS for the create-route API:
    create-route
    [--destination-prefix-list-id <value>]
    [--vpc-endpoint-id <value>]
    [--transit-gateway-id <value>]
    [--local-gateway-id <value>]
    [--carrier-gateway-id <value>]
    [--core-network-arn <value>]
    [--odb-network-arn <value>]
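The four checks above can be scripted so they run before every configuration session. This is an added example, not from the Oracle documentation; it assumes a POSIX sh, and run_preflight additionally assumes the aws binary is on PATH.

```shell
# Added example (not Oracle's): automates the AWS CLI version and --odb-network-arn checks.
MIN_AWS_CLI="2.27.47"   # minimum version named in the procedure

# aws_cli_version LINE: "aws-cli/2.27.47 Python/3.13.5 ..." -> "2.27.47"
aws_cli_version() {
  printf '%s\n' "$1" | sed -n 's#^aws-cli/\([0-9][0-9.]*\).*#\1#p'
}

# version_ge A B: true when dotted version A is at least B (numeric, component-wise)
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# synopsis_has_odb_flag TEXT: true when the create-route help text lists --odb-network-arn
synopsis_has_odb_flag() {
  printf '%s\n' "$1" | grep -q -- '--odb-network-arn'
}

# run_preflight: fail with a reason when the CLI is too old or lacks the parameter
run_preflight() {
  ver=$(aws_cli_version "$(aws --version 2>&1)")
  if ! version_ge "${ver:-0}" "$MIN_AWS_CLI"; then
    echo "aws-cli '$ver' is older than $MIN_AWS_CLI: update the AWS CLI" >&2; return 1
  fi
  # AWS_PAGER='' keeps the help text on stdout instead of opening a pager
  if ! synopsis_has_odb_flag "$(AWS_PAGER='' aws ec2 create-route help 2>/dev/null)"; then
    echo "create-route has no --odb-network-arn parameter: update the AWS CLI" >&2; return 1
  fi
  echo "aws-cli $ver: --odb-network-arn available"
}

if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

Save the file and invoke it with --run; the version and synopsis helpers can also be sourced and reused on their own.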

Configuring Routing

This section describes how to create a route rule in the route table so that traffic is routed to Oracle Database@AWS through the ODB network. You must create an identical route rule in every route table associated with the subnets from which you intend to access Oracle Database.

Create Route Rule Targeting the ODB Network

Set the AWS environment variables with your Access Key and Secret Access Key:
  1. If your operating system is Linux, use the following commands to configure the environment variables for the AWS CLI.
    $ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLEKEY
    $ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLESECRETKEY
    $ export AWS_DEFAULT_REGION=<region-code>
  2. If your operating system is Windows, use the following commands to configure the environment variables for the AWS CLI.
    C:\> set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLEKEY
    C:\> set AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLESECRETKEY
    C:\> set AWS_DEFAULT_REGION=<region-code>
  3. In the AWS console, navigate to the VPC dashboard and select Your VPCs under Virtual private cloud. This screenshot shows the main route table.
  4. Select the Resource map tab, and then select the route table that is associated with the subnet.
  5. From the Oracle Database@AWS dashboard, select ODB networks, and then select the ODB network that you are using.
  6. Select the Summary tab to view the ODB network ARN and the Client subnet CIDR range. This screenshot shows the ODB network ARN. This screenshot shows the Client Subnet CIDR range.
  7. Use the latest AWS CLI to run the following command. The command creates a new route in the application VPC's route table that directs application traffic destined for the client subnet CIDR through the ODB network.
    Note

    If you split the command across several lines, end each continued line with a caret ^ on Windows or a backslash \ on Linux.
    aws ec2 create-route --destination-cidr-block <OCI_CLIENT_SUBNET_CIDR> --route-table-id <ROUTE_TABLE_ID> --odb-network-arn <ODB_NETWORK_ARN> --region <REGION>
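Because the same route is needed in every route table that serves an application subnet, the step above is easy to apply to one table and forget for another. The following script, an added example and not Oracle's code, looks up the route table for each subnet you name (falling back to the VPC main table when the subnet has no explicit association) and issues one create-route per distinct table. It assumes aws-cli 2.27.47 or later, credentials and region in the environment, and, beyond the CreateRoute policy above, the ec2:DescribeSubnets permission for the main-table fallback.

```shell
# Added example (not Oracle's): add the ODB-network route to every route table serving the given subnets.
# Assumes aws-cli >= 2.27.47 and credentials/region in the environment (AWS_DEFAULT_REGION).

# valid_cidr a.b.c.d/n: reject anything that is not a well-formed IPv4 CIDR before it reaches the API
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; pfx=${1#*/}
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# run CMD...: print the command instead of executing it when DRY_RUN is set
run() { if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi; }

# route_table_for_subnet SUBNET_ID: the explicitly associated table, else the VPC's main route table
route_table_for_subnet() {
  rtb=$(aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=$1" \
        --query 'RouteTables[0].RouteTableId' --output text)
  if [ -z "$rtb" ] || [ "$rtb" = "None" ]; then   # no explicit association: needs ec2:DescribeSubnets
    vpc=$(aws ec2 describe-subnets --subnet-ids "$1" --query 'Subnets[0].VpcId' --output text)
    rtb=$(aws ec2 describe-route-tables --filters "Name=vpc-id,Values=$vpc" \
          "Name=association.main,Values=true" --query 'RouteTables[0].RouteTableId' --output text)
  fi
  printf '%s\n' "$rtb"
}

# add_odb_routes ODB_NETWORK_ARN CLIENT_CIDR SUBNET_ID...: one create-route per distinct route table
add_odb_routes() {
  arn=$1; cidr=$2; shift 2
  valid_cidr "$cidr" || { echo "not an IPv4 CIDR: $cidr" >&2; return 1; }
  seen=" "
  for subnet in "$@"; do
    rtb=$(route_table_for_subnet "$subnet")
    case "$seen" in *" $rtb "*) continue ;; esac   # several subnets often share one table
    seen="$seen$rtb "
    run aws ec2 create-route --route-table-id "$rtb" --destination-cidr-block "$cidr" \
        --odb-network-arn "$arn" || return 1
  done
}

if [ $# -ge 3 ]; then add_odb_routes "$@"; fi   # ODB_NETWORK_ARN OCI_CLIENT_SUBNET_CIDR subnet-id...
```

Run it first with DRY_RUN=1 to review the exact create-route calls it would make.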

Configure DNS Resolution

This topic explains the required steps to configure DNS resolution.

When the ODB network is created, two private resolver endpoints are deployed in the corresponding VCN. One endpoint serves as a listening address and the other as a forwarding address. However, DNS resolution is not enabled by default. You can enable DNS resolution from AWS to OCI or from OCI to AWS by following the configuration detailed below.

  • To resolve the Oracle Database FQDN from an AWS VPC, you need to configure a Route 53 outbound endpoint and create a resolver rule that forwards DNS queries for the domain name to the ODB network listening endpoint. You must obtain the DNS listener IP and domain name from your ODB network. This screenshot shows how to obtain the DNS listener IP and domain name.

    Route 53 Outbound Endpoint Configuration
    1. From the AWS console, navigate to Route 53.
    2. From the left menu, expand the Resolver section, and then select Outbound endpoints.
    3. Select the Create outbound endpoint button, and then complete the following substeps:
      1. Enter a descriptive name in the Endpoint name field. The endpoint name can have up to 64 characters consisting of a-z, A-Z, 0-9, space, underscore (_), and hyphen (-).
      2. From the dropdown list, select the VPC to use for resolving DNS queries (typically the VPC where your EC2 application is running).
      3. From the Security group for this endpoint dropdown list, select an existing security group.
      4. From the dropdown lists, select the Endpoint type (for example, IPv4) and the Protocols (for example, Do53) for this endpoint.
      5. From the IP Addresses section, select at least two IP addresses for the outbound endpoint. It is recommended to select two different Availability Zones and Subnets. In the IPv4 address section, the default option, Use an IPv4 address that is selected automatically, is selected.
      6. From the Tags section, you can add tags to outbound endpoints to organize and identify them.
      This screenshot shows the Route 53 Outbound Endpoint Configuration steps.
    Note

    Create a security group dedicated to Route 53 endpoints, allowing TCP and UDP traffic on port 53 from anywhere.
    Route 53 Resolver Rule Configuration
    1. From the AWS console, navigate to Route 53.
    2. From the left menu, expand the Resolver section, and then select Rules.
    3. Select the Create rule button, and then complete the following substeps:
      1. Enter a descriptive name in the Name field. The rule name can have up to 64 characters consisting of a-z, A-Z, 0-9, space, underscore (_), and hyphen (-).
      2. From the Rule type dropdown list, select the Forward option.
      3. In the Domain name field, specify the domain name: for example, the default domain name, oraclevcn.com, or the custom domain name defined during ODB network creation.
      4. From the VPCs that use this rule dropdown list, select the VPC whose DNS queries for this domain you want forwarded to the ODB network.
      5. From the Outbound endpoint dropdown list, select the outbound endpoint that you previously created.
      6. From the Tags section, you can add tags to rules to organize and identify them.
      This screenshot shows the Route 53 Resolver Rule Configuration steps.
    Test the DNS Resolution
    1. From the AWS console, navigate to EC2.
    2. From the left menu, expand the Instances section, and then select your instance checkbox from the list.
    3. Select the Connect button at the top to connect to the instance.
    4. For example, connect using the virtual machine DNS name and then, on a Linux instance, run the following command, where hostname is the Oracle Database FQDN:
      nslookup hostname
  • To resolve AWS domain names from Oracle Database, you need to configure a Route 53 inbound endpoint and create a resolver rule to forward domain name DNS queries from OCI to AWS.
    Note

    The Route 53 private hosted zone is linked to your application or transit VPC.

    Route 53 Inbound Endpoint Configuration
    1. From the AWS console, navigate to Route 53.
    2. From the left menu, expand the Resolver section, and then select Inbound endpoints.
    3. Select the Create inbound endpoint button, and then complete the following substeps:
      1. Enter a descriptive name in the Endpoint name field. The endpoint name can have up to 64 characters consisting of a-z, A-Z, 0-9, space, underscore (_), and hyphen (-).
      2. From the Endpoint Category dropdown list, select the Default option.
      3. From the dropdown list, select the VPC that is associated with the Route 53 private hosted zone that you want to resolve.
      4. From the Security group for this endpoint dropdown list, select an existing security group.
      5. From the dropdown lists, select the Endpoint type (for example, IPv4) and the Protocols (for example, Do53) for this endpoint.
      6. From the IP Addresses section, select at least two IP addresses for the inbound endpoint. It is recommended to select two different Availability Zones and Subnets. In the IPv4 address section, the default option, Use an IPv4 address that is selected automatically, is selected.
      7. From the Tags section, you can add tags to inbound endpoints to organize and identify them.
      This screenshot shows the Route 53 Inbound Endpoint Configuration steps.
    OCI Private Resolver Configuration
    1. From the Oracle Database@AWS dashboard, select ODB networks and then select your ODB network from the list.
    2. Select the OCI resources tab, and then select the VCN ID link, which redirects you to the OCI console.
    3. From the Virtual Cloud Networks section, select the Security tab to create a network security group that allows the traffic.
    4. Select the Create Network Security Group button and then complete following substeps:
      1. Enter a descriptive name in the Name field for your network security group.
      2. From the dropdown list, select your compartment where you want to create your network security group.
      3. From the Tags section, you can add tags to your resources to organize and identify them.
      4. From the Add Security Rules section, select Egress as the Direction and CIDR as the Source Type. From the Source dropdown list, select the IP address of your AWS inbound endpoint. Select TCP from the IP Protocol dropdown list and enter 53 in the Destination Port Range field. Repeat the rule with UDP.
      5. In the Allow field, enter a description that can have up to 255 characters.
      6. Select the Create button to apply the changes.
      This screenshot shows how to add a rule.
    5. Navigate back to Virtual Cloud Networks and then select the Details tab.
    6. From the Details section, select the DNS Resolver link. This screenshot shows how to obtain DNS resolver link.
    7. From the Private resolvers page, select the Endpoints tab and then select the forwarder endpoint to add the Security Group that you created previously.
      1. Select the Network security groups tab.
      2. Select the Manage network security groups button.
      3. From the dropdown list, select your Network security group compartment and Network security group.
      4. Select the Save changes button to apply the changes.
      This screenshot shows how to create NSG.
    8. From the Private resolvers page, select the Rules tab to create a rule that forwards DNS queries to the AWS inbound endpoint. Select the Manage rules button, and then complete the following substeps:
      1. Select the Add rule button.
      2. From the Match condition section, select the Domains option as Rule condition.
      3. From the Domains dropdown list, select the Route 53 private zone domain.
      4. The Rule action field is selected as Forward by default.
      5. From the Source endpoint dropdown list, select the forwarder endpoint.
      6. In the Destination IP address field, enter the Route 53 Inbound endpoint IP address.
      7. Choose your Rule order.
      8. Select the Add rule button to save the changes.
      This screenshot shows how to create a rule to forward DNS query.
    Test the DNS Resolution
    1. From the VM cluster node, perform a DNS resolution by running the following command, where hostname is the AWS domain name to resolve:
      nslookup hostname
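A bare nslookup failure does not tell you which of the two pieces configured above is at fault: the forwarding rule (not created, or not associated with this VPC or VCN) or the path to the forwarding target (port 53 blocked by a security group or NSG). The check below, an added example and not part of the Oracle documentation, serves both "Test the DNS Resolution" steps: it queries the forwarding target directly and then through the local resolver, and turns the two answers into a verdict. It assumes dig is installed; from an EC2 instance the target is the ODB network DNS listener IP, and from a VM cluster node it is the Route 53 inbound endpoint IP.

```shell
# Added example (not Oracle's): separate rule problems from reachability problems in cross-cloud DNS.
# Assumes `dig` is available; the "local" query uses whatever resolver /etc/resolv.conf names.

# resolve NAME [SERVER]: sorted A records, empty on NXDOMAIN, timeout or refusal
resolve() {
  if [ -n "${2:-}" ]; then
    dig +short +time=2 +tries=1 A "$1" "@$2" 2>/dev/null | sort
  else
    dig +short +time=2 +tries=1 A "$1" 2>/dev/null | sort
  fi
}

# diagnose DIRECT_ANSWER LOCAL_ANSWER: one-word verdict on the forwarding path
diagnose() {
  if [ -z "$1" ] && [ -z "$2" ]; then
    echo forwarder-unreachable     # port 53 to the target is blocked, or the name does not exist there
  elif [ -n "$1" ] && [ -z "$2" ]; then
    echo rule-not-applied          # target answers, local resolver does not forward: rule missing or not associated
  elif [ "$1" = "$2" ]; then
    echo ok
  else
    echo answer-mismatch           # local resolver answers from another source (stale zone, other rule)
  fi
}

# dns_path_check FQDN TARGET_IP: print both answers and the verdict; succeed only on "ok"
dns_path_check() {
  direct=$(resolve "$1" "$2"); via_local=$(resolve "$1")
  verdict=$(diagnose "$direct" "$via_local")
  printf '%s: direct=%s local=%s verdict=%s\n' "$1" "${direct:-none}" "${via_local:-none}" "$verdict"
  [ "$verdict" = ok ]
}

if [ $# -eq 2 ]; then dns_path_check "$1" "$2"; fi   # usage: dns_path_check.sh <fqdn> <target-ip>
```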

Allow CIDR to ODB Network

This topic explains the steps required to allow network access to the ODB Network.

To allow network access to the ODB Network, for example from on-premises environments or an AWS subnet, you must update the ODB peering connections to include the peer network CIDR blocks. For more information, follow the Modify ODB Peering Connections steps. This screenshot shows how to allow network access to the ODB Network.