Configure

This topic explains the required steps to configure connectivity between the AWS Virtual Private Cloud (VPC) and the ODB Network for Oracle Database@AWS.

Table 1-1 Required Permissions to Configure Connectivity

Task: Configure connectivity between the AWS VPC and the ODB Network for Oracle Database@AWS
Cloud: AWS
Persona: not specified
Permissions: the IAM policies listed below.

To create a route rule in the application VPC's route table, the following EC2 IAM permissions are required.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateRoute",
            "Action": [
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
To create an outbound endpoint in Route 53, the following Route 53 Resolver IAM permissions are required.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Route53Resolver",
            "Action": [
                "route53resolver:CreateResolverEndpoint",
                "route53resolver:CreateResolverRule",
                "route53resolver:AssociateResolverRule",
                "route53resolver:GetResolverEndpoint",
                "route53resolver:ListResolverEndpoints",
                "route53resolver:AssociateResolverEndpointIpAddress",
                "route53resolver:DisassociateResolverEndpointIpAddress",
                "route53resolver:TagResource",
                "route53resolver:UntagResource",
                "route53resolver:DisassociateResolverRule",
                "route53resolver:ListResolverRules",
                "route53resolver:ListResolverEndpointIpAddresses",
                "route53resolver:ListResolverRuleAssociations",
                "route53resolver:ListTagsForResource"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
The outbound endpoint also needs the following EC2 IAM permissions (Resolver endpoints are backed by network interfaces in your subnets):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ec2Operations",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:CreateTags",
                "ec2:DescribeAvailabilityZones",
                "ec2:GetSecurityGroupsForVpc"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
To configure rules in the security group, the following EC2 IAM permissions are required.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ec2SecurityOperations",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeSecurityGroupRules"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Note

Before you start to configure the connectivity between the AWS VPC and the ODB network for Oracle Database@AWS, you must download the latest AWS CLI. For more information, see Installing or updating to the latest version of the AWS CLI.
  1. Use the latest AWS CLI and run the following command:
    aws --version 
  2. Make sure that you are using AWS CLI version 2.27.47 or higher. For example, you will see the following output after running the previous command:
    aws-cli/2.27.47 Python/3.13.5 Darwin/24.5.0 source/x86_64 
  3. Run the following command to confirm that you have access to the --odb-network-arn parameter:
    aws ec2 create-route help
  4. Verify that the [--odb-network-arn <value>] parameter appears in the help SYNOPSIS for the create-route API:
    create-route
    [--destination-prefix-list-id <value>]
    [--vpc-endpoint-id <value>]
    [--transit-gateway-id <value>]
    [--local-gateway-id <value>]
    [--carrier-gateway-id <value>]
    [--core-network-arn <value>]
    [--odb-network-arn <value>]

Configure Routing

This section describes how to create a route rule in the route table so that traffic to Oracle Database@AWS is routed through the ODB network. You must create an identical route rule in every route table associated with the subnets from which you intend to access the Oracle Database.

Create Route Rule Targeting the ODB Network

Set the AWS environment variables with your access key, secret access key, and region (the values shown are placeholders; substitute your own):
  1. If your operating system is Linux, use the following commands to configure the environment variables for the AWS CLI.
    $ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLEKEY
    $ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLESECRETKEY
    $ export AWS_DEFAULT_REGION=<region-code>
  2. If your operating system is Windows, use the following commands in the command prompt to configure the environment variables for the AWS CLI.
    C:\> set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLEKEY
    C:\> set AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLESECRETKEY
    C:\> set AWS_DEFAULT_REGION=<region-code>
  3. Navigate to the VPC dashboard and, under Virtual private cloud in the AWS console, select Your VPCs. (Screenshot: the main route table.)
  4. Select the Resource map tab, and then select the route table that is associated with the subnet.
  5. From the Oracle Database@AWS dashboard, select ODB networks, and then select the ODB network that you are using.
  6. Select the Summary tab to view the ODB network ARN and the Client subnet CIDR range. (Screenshots: the ODB network ARN; the Client subnet CIDR range.)
  7. Use the latest AWS CLI to run the following command. It creates a new route in the application VPC's route table that directs application traffic destined for the client subnet CIDR through the ODB network.
    Note

    The command is shown here on a single line. If you split it across lines in your terminal, end each line except the last with your shell's line-continuation character: a caret (^) in the Windows command prompt, or a backslash (\) in a Linux shell.
    aws ec2 create-route --destination-cidr-block <OCI_CLIENT_SUBNET_CIDR> --route-table-id <ROUTE_TABLE_ID> --odb-network-arn <ODB_NETWORK_ARN> --region <REGION>
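The whole procedure above (CLI version floor, presence of the --odb-network-arn flag, and one identical route per associated route table), as an added POSIX sh example that is not from the Oracle page or the AWS CLI project. It assumes `aws` is on PATH with credentials and AWS_DEFAULT_REGION already exported as in steps 1 and 2; the script file name and the subnet IDs are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's or AWS's code): checks the AWS CLI prerequisites above, then
# creates the same ODB route in every route table explicitly associated with the given
# application subnets. Assumes credentials and AWS_DEFAULT_REGION are exported (steps 1-2).
set -eu
export AWS_PAGER=""        # "aws ... help" must not open a pager inside a script
MIN_CLI_VERSION="2.27.47"  # version floor given on the page for --odb-network-arn

# Pull "2.27.47" out of a banner such as "aws-cli/2.27.47 Python/3.13.5 Darwin/24.5.0 ...".
cli_version_from_banner() { printf '%s\n' "$1" | sed -n 's#^aws-cli/\([0-9.]*\).*#\1#p'; }

# Numeric dotted-version compare in plain POSIX sh: true (0) when $1 >= $2.
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        [ "${p1:-0}" -gt "${p2:-0}" ] && return 0
        [ "${p1:-0}" -lt "${p2:-0}" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# Steps 1-4 of the page: enforce the version floor and confirm the flag is in the help text.
check_prereqs() {
    ver=$(cli_version_from_banner "$(aws --version 2>&1)")
    version_ge "$ver" "$MIN_CLI_VERSION" || { echo "AWS CLI $ver < $MIN_CLI_VERSION" >&2; return 1; }
    aws ec2 create-route help 2>/dev/null | grep -q -- '--odb-network-arn' \
        || { echo "this AWS CLI does not support --odb-network-arn" >&2; return 1; }
}

# Route table IDs explicitly associated with the given subnet IDs, one per line, de-duplicated.
# A subnet with no explicit association uses the VPC main route table, which this does not return.
route_tables_for_subnets() {
    aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=$(IFS=,; echo "$*")" \
        --query 'RouteTables[].RouteTableId' --output text | tr '\t' '\n' | sort -u
}

# Create the identical route (client subnet CIDR -> ODB network) in every table; print the count.
create_odb_routes() {
    cidr=$1; odb_arn=$2; shift 2; count=0
    for rtb in $(route_tables_for_subnets "$@"); do
        aws ec2 create-route --route-table-id "$rtb" --destination-cidr-block "$cidr" \
            --odb-network-arn "$odb_arn" >/dev/null
        count=$((count + 1))
    done
    echo "$count"
}
# Usage (file name assumed): sh odb_route.sh <OCI_CLIENT_SUBNET_CIDR> <ODB_NETWORK_ARN> <subnet-id>...
if [ "$#" -ge 3 ]; then check_prereqs; echo "created $(create_odb_routes "$@") route(s)"; fi
```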