Configure

This topic explains the permissions required to create the Virtual Network, Subnets, Network Security Group, and Virtual Machine needed to connect to Oracle AI Database@Azure from an Azure Virtual Machine.

Required Permissions

The table lists the permissions required to create the Azure VM and configure connectivity. If you already have permissions that exceed these requirements, no additional role assignment is necessary.

Task: Create the Virtual Network and Virtual Machine, and configure connectivity between the Azure Virtual Machine and the Oracle Database.
Cloud: Azure
Persona: Infrastructure Admin
Permissions:

Built-in roles: Resource Group Contributor, Network Contributor and Virtual Machine Contributor.

Custom Role:

{
  "Name": "Custom-VM-Network-Minimal",
  "IsCustom": true,
  "Description": "Least-privilege role for deploying VNet/subnets/delegation, NSGs, NICs/PIPs, and a VM via ARM/Bicep.",
  "Actions": [
    "Microsoft.Resources/deployments/*",
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/publicIPAddresses/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Compute/availabilitySets/read",
    "Microsoft.Compute/locations/*/publishers/read",
    "Microsoft.Compute/locations/*/publishers/artifacttypes/offers/read",
    "Microsoft.Compute/locations/*/publishers/artifacttypes/offers/skus/read",
    "Microsoft.Compute/locations/*/publishers/artifacttypes/offers/skus/versions/read",
    "Microsoft.Resources/subscriptions/locations/read",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Network/locations/*/capabilities/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}/resourceGroups/{resourceGroup-name}"
  ]
}

Task: View Database VM Cluster and Database details
Cloud: OCI
Persona: Infrastructure Admin
Permissions:

Custom Policies:
allow group <group-name> to read database-family in compartment <compartment-name>
allow group <group-name> to read autonomous-database-family in compartment <compartment-name>
allow group <group-name> to read vm-cluster-family in compartment <compartment-name>
allow group <group-name> to read exadata-infrastructure-family in compartment <compartment-name>
allow group <group-name> to read db-systems in compartment <compartment-name>

Task: Modify NSG rules
Cloud: OCI
Persona: Network Admin
Permissions:

Custom Policies:
allow group <group-name> to manage network-security-groups in compartment <compartment-name>
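As an added example, not from the Oracle documentation, the following check implements the statement above that an existing assignment whose permissions exceed these requirements needs no new role: it tests whether the actions of existing role definitions cover the custom role's actions under Azure RBAC wildcard semantics. `REQUIRED_ACTIONS`, `covers`, `missing_actions` and the sample role are my own names and constructions, and the "Actions"/"NotActions" input shape is assumed to follow the page's custom-role JSON rather than `az role definition list` output.

```python
import fnmatch

# Actions of the page's Custom-VM-Network-Minimal role (wildcards restored). An
# existing assignment must cover every one before it can stand in for that role.
REQUIRED_ACTIONS = [
    "Microsoft.Resources/deployments/*",
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/publicIPAddresses/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Compute/availabilitySets/read",
    "Microsoft.Compute/locations/*/publishers/read",
    "Microsoft.Resources/subscriptions/locations/read",
    "Microsoft.Authorization/roleAssignments/read",
]


def covers(granted: str, required: str) -> bool:
    """True when RBAC pattern `granted` is at least as broad as `required`.
    Azure's "*" matches any characters, "/" included, case-insensitively;
    `required` is matched literally, so "Microsoft.Network/*" covers
    "Microsoft.Network/virtualNetworks/*" but not the other way round."""
    return fnmatch.fnmatchcase(required.lower(), granted.lower())


def overlaps(a: str, b: str) -> bool:
    """Conservative overlap test for two patterns: either one covers the other."""
    return covers(a, b) or covers(b, a)


def missing_actions(roles: list, required: list = REQUIRED_ACTIONS) -> list:
    """Required actions that none of `roles` grants. Each role is a dict with
    "Actions" and "NotActions" lists (the page's custom-role shape; assumption).
    NotActions subtract only within their own role; any NotAction overlapping a
    required action disqualifies that role for it, so partial carve-outs are
    reported for review rather than silently accepted."""
    missing = []
    for req in required:
        if not any(
            any(covers(act, req) for act in role.get("Actions", []))
            and not any(overlaps(na, req) for na in role.get("NotActions", []))
            for role in roles
        ):
            missing.append(req)
    return missing


# Constructed, abridged stand-in for a Network Contributor style role (not the real definition).
NETWORK_ROLE_SAMPLE = {"Actions": ["Microsoft.Network/*", "Microsoft.Resources/deployments/*"], "NotActions": []}
```

Run `missing_actions` over the role definitions actually assigned to the deploying identity; an empty result means the built-in or existing roles already satisfy the custom role, and any listed action is one you still need to grant or review.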

Jump Box

A Jump Box virtual machine is required to connect to Oracle AI Database@Azure resources that are configured with private IP addresses.

Create Azure Windows VM

  1. In the Azure portal, navigate to the Overview page for your Oracle AI Database@Azure resources. For example: Exadata Database or Exascale Database.
  2. Obtain the VNet details for the Oracle Database integrated via a Delegated Subnet Design or Network Anchor Design.
  3. Create a new Azure Windows VM with a public IP in a public subnet within the same VNet that contains the Oracle Database.

To connect to the Oracle Database VM using SSH or to establish a database connection, ensure the required tools and libraries are installed before initiating the connection.

SSH Connection

An SSH client is available on the Windows VM, so no additional tools are required.

Database Connection with GUI

Download and install Oracle SQL Developer on the Azure Windows VM.

Network Security Group (NSG)

To allow ingress traffic, enable the required ports in the Network Security Group for connections from the Azure VM to the Oracle Database.

SSH Connection

For SSH connectivity, ensure that TCP port 22 is enabled for ingress traffic originating from the subnet CIDR that contains the Azure VM.

Note

If a default NSG rule (Ingress all TCP from Azure VNET) exists that allows port 22 from the Azure VM, you do not need to configure new rules.

This screenshot shows how to create security rules.

Add Ingress TCP 22 Port Rule (Optional)

These steps describe how to add an ingress rule to allow TCP port 22.

  1. On Azure portal, navigate to Oracle AI Database@Azure resources such as Exadata Database or Exascale Database, and then select the Overview of the resource.
  2. Select the Go to OCI link.
  3. Select the Client network security groups link from the Network section in OCI Console.
  4. Switch to the Security rules tab.
  5. Select the Add Rule button, and then enter the following information:
    1. Select Ingress as Direction.
    2. Select CIDR as Source Type.
    3. Enter the CIDR for the Azure Windows VM in the Source CIDR field.
    4. Select TCP as IP Protocol.
    5. Select All as Source Port Range.
    6. Enter 22 (Listener Port) as Destination Port Range.
    7. In the Description field, enter a description that helps you identify the rule.

      For example: Allow SSH Ingress traffic from Azure VM Subnet.

    This screenshot shows how to add a rule.

Database Connection

A database connection requires TCP port 1521 (or TCPS port 1522 for ADB-S with TLS) to be enabled for ingress traffic from the subnet CIDR that contains the Azure VM.

Note

If a default NSG rule (Ingress all TCP from Azure VNET) exists that allows ports 1521 and 1522 from the Azure VM, you do not need to configure new rules.

This screenshot shows how to add security rules.

Add Ingress TCP 1521 Port Rule (Optional)

These steps describe how to add an ingress rule to allow TCP port 1521.

  1. On Azure portal, navigate to Oracle AI Database@Azure resources such as Exadata Database or Exascale Database, and then select the Overview of the resource.
  2. Select the Go to OCI link.
  3. Select the Client network security groups link from the Network section in OCI Console.
  4. Switch to the Security rules tab.
  5. Select the Add Rule button, and then enter the following information:
    1. Select Ingress as Direction.
    2. Select CIDR as Source Type.
    3. Enter the CIDR for the Azure Windows VM in the Source CIDR field.
    4. Select TCP as IP Protocol.
    5. Select All as Source Port Range.
    6. Enter 1521 or 1522 (Listener Port) as Destination Port Range.
    7. In the Description field, enter a description that helps you identify the rule.

      For example: Allow the database connection from the Azure VM.

    This screenshot shows how to add a rule.
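An added example, not part of the Oracle documentation, that turns the two rule procedures above and their notes into code: it builds the TCP 22 and TCP 1521/1522 ingress rules from the Azure VM subnet CIDR, rejects a source CIDR broader than a subnet, and checks whether an existing rule such as the default "Ingress all TCP from Azure VNET" already permits the port. The rule field names follow my understanding of the OCI security-rule schema (an assumption), and the /16 threshold and the CIDRs are constructed values.

```python
import ipaddress

# Listener ports from the procedures above: TCP 22 for SSH, TCP 1521 / TCPS 1522 for the DB.
RULE_SPECS = [
    (22, 22, "Allow SSH Ingress traffic from Azure VM Subnet"),
    (1521, 1522, "Allow the database connection from the Azure VM"),
]


def validate_source_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Ingress is scoped to the subnet that contains the Azure VM: reject host bits
    (a mistyped host address) and anything broader than /16 (assumed threshold)."""
    net = ipaddress.ip_network(cidr, strict=True)  # raises ValueError on host bits
    if net.version != 4 or net.prefixlen < 16:
        raise ValueError(f"source CIDR {cidr} is not a specific IPv4 subnet")
    return net


def build_ingress_rules(source_cidr: str, specs=RULE_SPECS) -> list:
    """Stateful TCP ingress rules, one per port range, in the OCI security-rule shape (assumption)."""
    net = validate_source_cidr(source_cidr)
    return [
        {
            "direction": "INGRESS",
            "protocol": "6",  # IANA protocol number for TCP
            "sourceType": "CIDR_BLOCK",
            "source": str(net),
            "isStateless": False,  # stateful: return traffic is allowed automatically
            # no sourcePortRange key = "All" source ports, as in the portal steps
            "tcpOptions": {"destinationPortRange": {"min": low, "max": high}},
            "description": desc,
        }
        for low, high, desc in specs
    ]


def already_allowed(existing: list, source_cidr: str, port: int) -> bool:
    """The page's note as code: True if an existing ingress rule (e.g. the default
    "Ingress all TCP from Azure VNET") already admits `port` from `source_cidr`."""
    net = ipaddress.ip_network(source_cidr)
    for rule in existing:
        if rule.get("direction") != "INGRESS" or rule.get("protocol") not in ("6", "all"):
            continue
        if (rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK"
                or not net.subnet_of(ipaddress.ip_network(rule["source"]))):
            continue
        rng = rule.get("tcpOptions", {}).get("destinationPortRange")
        if rng is None or rng["min"] <= port <= rng["max"]:  # no range = all ports
            return True
    return False
```

Feed `already_allowed` the NSG's current security rules before adding anything; only the ports it reports as not yet allowed need a new rule from `build_ingress_rules`.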

Connect to Jump Box

Connect to the Azure Windows VM to initiate a connection to the Oracle Database VM and the Oracle Database.

  1. In the Azure portal, navigate to the Windows VM you created.
  2. On the Overview page, select the Connect button in the action bar.
  3. Follow the steps to sign in. For more information, see Connect to Virtual Machine.