Oracle Cloud Infrastructure Documentation

Enterprise Performance Management

Oracle Hyperion is an Enterprise Performance Management( EPM) platform used by finance teams for financial close, consolidation, planning, budgeting, forecasting, and profitability analysis. Core Hyperion modules such as HFM (Hyperion Financial Management), Planning, Oracle Essbase, and Financial Reporting rely on a highly available Oracle AI Database backend to store metadata, transactional data, and calculation results. If you want to deploy Oracle Hyperion in AWS or migrate Oracle Hyperion from your data center to AWS, you can plan for a secure, low-latency topology leveraging Oracle AI Database@AWS.

Learn about a reference architecture for running Oracle Hyperion on AWS. The architecture uses Oracle AI Database@AWS for the database layer and Amazon EC2 for the web and application layers. This architecture provides a low-latency configuration because the Oracle AI Database@AWS services run in the same AWS data center.

Currently, Oracle Exadata Database Service on Dedicated Infrastructure is supported with Oracle AI Database@AWS. You can check regional availability matrix to determine supported services by OCI and AWS regions.

This document is intended for cloud architects, infrastructure administrators, and Oracle Enterprise Performance Management administrators responsible for designing, deploying, and operating Hyperion environments. Familiarity with Oracle Hyperion applications, Oracle AI Database, Oracle Cloud Infrastructure (OCI), and Amazon Web Services (AWS) is recommended.

Architecture

This architecture demonstrates the deployment of Oracle Hyperion applications within a single AWS region. For disaster recovery (DR) deployments, a similar architecture can be implemented across multiple AWS regions to support business continuity requirements.

The database tier can be configured using Oracle Active Data Guard with Oracle AI Database@AWS. The Oracle Hyperion application stack including web, application, and Essbase components can use file synchronization mechanisms such as rsync to replicate application artifacts, configuration files, and shared file systems across regions.

For more information on designing and implementing disaster recovery architectures, see Oracle Maximum Availability Architecture for Oracle AI Database@AWS.

This screenshot shows the architecture diagram.

This architecture deploys all components within a single AWS region and highlights important design considerations for Oracle Hyperion on AWS with Oracle AI Database@AWS.

Networking Tier

This architecture describes the deployment of the Oracle Hyperion application in a single Availability Zone in AWS to ensure low latency. The architecture consists of one VPC with a bastion host, a load balancer, and Oracle Hyperion web server and application servers in separate subnets, and an ODB Network with an Oracle AI Database. The ODB Network needs to be peered with the VPC. On-premises networks can be connected through AWS Direct Connect and AWS Transit Gateway for private, low-latency access. Amazon EC2 instances for web server and application servers can be placed in multiple partition groups.

The bastion host is deployed in a public subnet, and all other instances are deployed in private subnets. You can access the instances in private subnets over port 22 through the bastion host or AWS Direct Connect if you set up direct connectivity between your data center and AWS. All instances are active in the two placement groups. The database is hosted in a single Availability Zone, with RAC enabled by default. The database can be deployed in a second Availability Zone with Data Guard enabled for redundancy at the region level.

Networking Design Considerations
  1. Oracle AI Database@AWS supports various networking topologies. For more information, see the Oracle AI Database@AWS Network Topology options to select the one best suited to your organizational needs.
  2. When you design for IP address spaces, plan for Oracle AI Database@AWS ODB network and Exadata dependency requirements. For more information about understanding address space consumption scenarios, see ODB Network Design.
  3. Deploy the application tier in the same Availability Zone as Database for low latency.
  4. For multi-region disaster recovery architectures, consider detailed network connectivity patterns and inter-region routing for Oracle AI Database@AWS. The following are the networking path options for single-region and cross-region deployments. Once the network path is established, Active Data Guard needs to be enabled so that the primary and standby databases stay in sync.
    1. Cross Availability Zone: This is the scenario where multiple Oracle AI Database@AWS services are being deployed across multiple Availability Zones.
      1. Option 1: OCI: You can peer both Virtual Cloud Networks (VCN) that are hosting Oracle AI Database@AWS through Local Peering Gateway (LPG).
      2. Option 2: AWS: You can peer the VPC hosting the App tier to peer with both ODB networks hosting Oracle AI Database@AWS.
      3. Option 3: AWS: You can use the Transit Gateway to connect both ODB networks through Transit VPC. Each ODB network is peered with Transit VPC and both Transit VPCs are connected through Transit Gateway.
    2. Cross Region: This is the scenario where multiple Oracle AI Database@AWS services are being deployed across multiple Regions
      1. Option 1: OCI: You can peer Virtual Cloud Networks (VCN)s across regions leveraging Dynamic Routing Gateway (DRG) and a hub VCN in each of the regions.
      2. Option 2: You can use a Transit Gateway to connect both ODB networks through a transit VPC. Each ODB network is peered with transit VPC and both transit VPCs are connected through the Transit Gateway.
  5. Review the backup and restore prerequisites section early in the design phase to ensure network access requirements are met.
  6. Use Network Security Groups (NSGs) to restrict access to database virtual machines.
    • Allow SSH (port 22) access only through Bastion.
    • Allow database traffic (port 1521) exclusively from approved Oracle Hyperion application subnets and authorized on-premises networks.

Bastion Host

The AWS bastion host is a managed service that provides a secure and controlled entry point to AWS virtual networks from outside AWS.

AWS Bastion is deployed in a dedicated subnet (AWSBastionSubnet) and enables secure access to virtual machines in private subnets that are not directly reachable from the public internet. By using AWS Bastion, the architecture maintains a single, known access point that can be centrally monitored and audited while avoiding the need to expose public IP addresses or open inbound ports on individual virtual machines.

In this architecture, AWS Bastion does not require a public IP address on the target virtual machines. Administrative access is established over TLS (port 443) through the AWS portal or supported native clients. Network Security Groups on the target subnets do not require inbound SSH or RDP rules, which further reduces the attack surface. Access to AWS Bastion can be restricted and governed by using AWS role-based access control (RBAC) and AWS Active Directory authentication.

AWS Bastion enables administrators to connect to virtual machines in private subnets by using SSH for Linux and RDP for Windows. Connections are initiated from the administrator's local workstation and proxied through the bastion service, ensuring that credentials and sessions are not exposed to the public network.

By centralizing administrative access and eliminating direct VM exposure, AWS Bastion enhances security while preserving operational access to private workloads.

Oracle Hyperion Application Tier

All components in the Oracle Hyperion application tier are configured to connect to active Oracle AI Database instances deployed on Oracle AI Database@AWS. The application tier hosts the core Oracle Hyperion EPM services responsible for financial consolidation, planning, analytics, data integration, and financial close management. These components are distributed across multiple virtual machines to support high availability, scalability, and security.

The Hyperion application tier includes the following core components:
  • Core Hyperion EPM Components
    • Foundation Services:

      Provides the shared infrastructure layer for Hyperion EPM, including user provisioning, security, authentication, metadata management, and lifecycle management. Foundation Services enables centralized governance across all Hyperion applications.

    • Hyperion Financial Management (HFM):

      A web-based application used for financial consolidation, statutory reporting, and financial analysis. HFM supports complex ownership structures, currency translation, inter-company eliminations, and audit controls.

    • Hyperion Planning:

      Supportsenterprise budgeting, forecasting, and driver-based planning. Planning applications enable scenario modeling, workflow approvals, and integration with calculation rules for what-if analysis.

    • Oracle Essbase:

      A high-performance multidimensional analytic server that enables fast aggregations, calculations, and ad-hoc analysis. Essbase underpins many planning, forecasting, and reporting use cases.

    • Financial Data Quality Management, Enterprise Edition (FDMEE):

      Manages data integration and data quality, including mapping, validation, and loading of financial data from source systems into Hyperion applications.

    • Profitability and Cost Management:

      Enables cost allocation, profitability analysis, and performance measurement across products, customers, channels, and business units.

    • Financial Close Management (FCM):

      Financial Close Management orchestrates and monitors the end-to-end financial close process by managing tasks, dependencies, approvals, and reconciliations. It provides real-time visibility into close status, enforces standardized close procedures, and supports audit-ability across entities and reporting periods.

    • Tax Management:

      Hyperion Tax Management supports tax provisioning, compliance, and reporting by centralizing tax calculations and data collection. It enables organizations to manage current and deferred tax positions, comply with regulatory requirements, and reduce manual effort through automated work-flows and controls.

    • Financial Reporting:

      Hyperion Financial Reporting delivers highly formatted, production-quality financial statements, management reports, and disclosures. It supports statutory, regulatory, and management reporting requirements, with reusable report definitions and secure access across finance stakeholders.

  • Web and Application Server Components
    • Oracle HTTP Server (OHS):

      Acts as the web entry point for Hyperion EPM applications, handling incoming HTTP/HTTPS requests and typically fronted by an Amazon Elastic Load Balancing (ELB).

    • Oracle WebLogic Server:

      Hosts Hyperion EPM web applications and services, including Foundation, Planning, HFM, FDMEE, and Workspace components. WebLogic domains are commonly deployed across multiple nodes for high availability.

Amazon Elastic File System (EFS) is used to host shared Hyperion software binaries, configuration files, logs, and application artifacts. A centralized NFS file system can be mounted across Hyperion web, application, and Essbase servers to ensure consistency and simplify software maintenance. Amazon Elastic File System Provisioned Throughput or EFS Elastic Throughput is recommended over baseline throughput configurations to deliver higher throughput and lower latency.

Database Tier

For high availability requirements, we recommend using one of the following Oracle AI Database@AWS options to set up Oracle Hyperion database instances:
  • Oracle Exadata Database Service on Dedicated Infrastructure

The database instances are configured for high availability with Oracle Real Application Clusters (RAC) enabled. To achieve availability zone redundancy for the database, use Oracle Active Data Guard in synchronous mode to replicate the database across availability zones.

A prerequisite for Active Data Guard is to establish a private networking path between availability zones, either through:
  • AWS backbone connectivity using TGW, or
  • OCI backbone connectivity using VCN peering with Local Peering Gateways or Dynamic Routing Gateways.

A prerequisite is to define a networking path through the AWS backbone by peering VNets, or through the OCI backbone by peering VCNs by using local peering gateways. Port 1521 is open for communication with Oracle Active Data Guard. Data Guard transport services use port 1521 to transmit redo log files for Oracle Active Data Guard. For detailed networking design considerations, see Maximum Availability Architecture (MAA).

Backup and Recovery

Automated database backups can be configured using Oracle Autonomous Recovery Service, Amazon S3 or OCI Object Storage, depending on the selected database service and recovery requirements.

Data Encryption

For data in transit, Oracle AI Database@AWS services are accessible only through encrypted communication channels. By default, the Oracle Net client is configured to use encrypted sessions, ensuring that all database connections are protected in transit.

Oracle AI Database@AWS protects data at rest using Transparent Data Encryption (TDE), which is enabled by default with no customer configuration required. TDE automatically encrypts database files, redo and undo logs, backups, and other persistent data when written to storage, and transparently decrypts the data when accessed by authorized processes. Encryption is managed using a hierarchical key model, where a master encryption key protects tablespace keys that in turn encrypt the data.

Oracle AI Database@AWS supports both Oracle-managed and customer-managed key options for TDE. With Oracle-managed keys, encryption keys are generated, stored, and managed automatically by Oracle. With customer-managed keys, customers can centrally control key lifecycle management, rotation, and auditing by integrating with OCI Vault, Oracle Key Vault, or AWS Key Management Service (KMS).

Note

Cross-region Oracle Data Guard is not supported when customer-managed encryption keys are stored in AWS Key Management Service (KMS).

Migration to Oracle AI Database@AWS

Oracle Zero Downtime Migration (ZDM) provides multiple migration work-flows for moving Hyperion databases to Oracle AI Database@AWS.

Migration to Exadata Database
  • Physical Online Migration:

    The physical online migration workflow supports migrations between the same database versions and platforms. This approach uses direct data transfer and the restore from service method to create the target database, avoiding the use of intermediate backup storage. Oracle Data Guard is used to keep the source and target databases synchronized, enabling a minimal-downtime migration.

  • Physical Offline Migration:

    The physical offline migration workflow supports migrations between the same database versions and platforms. The target database is created using Recovery Manager (RMAN) backup and restore. Amazon Elastic File System or Amazon S3 is used to provide an NFS file share for storing RMAN backup files during the migration process.

  • Logical Online Migration:

    The logical online migration workflow supports migrations between the same or different database versions and platforms. This workflow uses Oracle Data Pump export and import to create the target database. Amazon Elastic File System or Amazon S3 provides an NFS file share to store the Data Pump dump files. Oracle Golden Gate is used to synchronize the source and target databases, enabling a minimal-downtime migration.

  • Physical Offline Migration:

    The logical offline migration workflow supports migrations between the same or different database versions and platforms. The target database is created using Oracle Data Pump export and import. Amazon Elastic File System or Amazon S3 provides an NFS file share to store the Data Pump dump files used during the migration.

Components Overview

Component Purpose
Oracle AI Database@AWS Oracle AI Database@AWS provides Oracle Exadata Database deployed and operated in AWS with native AWS integration. It combines Oracle Exadata Database performance and Oracle AI Database capabilities with AWS networking, security, and consumption models. The offering includes Oracle Exadata Database Service on Dedicated Infrastructure for hosting database layer for Oracle Hyperion.
AWS Load Balancer AWS Load Balancer distributes incoming traffic across web or application servers and continuously monitors back-end health probes to send traffic only to healthy instances. This ensures even traffic distribution, high availability, and automatic failover without application.
AWS Bastion AWS Bastion enables secure RDP and SSH access to virtual machines over HTTPS without requiring public IP addresses. It improves security by centralizing administrative access and reducing exposure to inbound internet threats.
Autonomous Recovery Service Autonomous Recovery Service provides automated backup, continuous data protection, and fast recovery for Oracle AI Database(s). It reduces data loss and recovery time by autonomously managing backups, validation, and restore operations.
Object Storage Object Storage provides durable, scalable storage for unstructured data using a bucket-and-object model. It is commonly used for backups, archival, and data sharing with built-in security and lifecycle controls.
OCI Vault OCI Vault provides centralized management of encryption keys and secrets using Oracle-managed HSMs. It enables strong security, key rotation, and access control for protecting data across OCI services.
Amazon Elastic File System A fully managed, scalable NFS-based file storage service from AWS that provides shared file system access to multiple compute instances across Availability Zones.
Amazon S3 A highly durable and scalable object storage service used to store and retrieve unlimited amounts of data from anywhere
AWS Key Management Service (KMS) AWS Key Management Service (KMS) is a managed security service that simplifies creating, controlling, and managing cryptographic keys to encrypt data across AWS services and applications.

Learn more