Configure Recovery Service

This article provides information about configuring the Oracle Database Autonomous Recovery Service for use with the Oracle Base Database Service.

Oracle Database Autonomous Recovery Service is a fully managed, standalone, and centralized cloud backup solution for Oracle Cloud Infrastructure (OCI) databases.

For more information about Recovery Service, see About Oracle Database Autonomous Recovery Service.

Prerequisite Configuration Checklist for Recovery Service

This checklist describes the prerequisite tasks that you must complete before you can use Recovery Service as the backup destination for the databases in your tenancy.

1. Assign Policies to Allow Access to Recovery Service and Related Resources
2. Review Networking Service Permissions to Configure a Subnet
3. Review Subnet Size Requirements and Security Rules for Recovery Service Subnet
4. Create a Recovery Service Subnet in the Database VCN
5. Register Recovery Service Subnet
6. Ensure that the Recovery Service Subnet Can Communicate with Oracle Services
7. Ensure that Your Database Has TDE Fully Configured
8. Turn Off Any Manual Operational Backups

Assign Policies to Allow Access to Recovery Service and Related Resources

Assign policy statements such that the supported OCI Database Services can use Recovery Service for data protection.

In the Console, use the Policy Builder to quickly assign the policies required to use Recovery Service in your tenancy. In the Policy Builder, select Autonomous Recovery Service as the Policy Use Case, and then select these predefined policy templates:

• Ability to do all things with Autonomous Recovery Service
• Let users manage protection policies in Autonomous Recovery Service
• Let users manage Autonomous Recovery Service subnets

Ability to do all things with Autonomous Recovery Service

The Ability to do all things with Autonomous Recovery Service policy template includes all the policy statements required to provide permissions for the supported database services to use Recovery Service, and for Recovery Service to use the network resources to access databases in a VCN.

You can either select the policy template or add these policy statements using the manual editor in the Policy Builder.

Table - Policy Statements Required for Using Recovery Service

Policy Statement	Create In	Purpose
Allow service database to manage recovery-service-family in tenancy	Root compartment	Enables the OCI Database Service to access protected databases, protection policies, and Recovery Service subnets within your tenancy.
Allow service database to manage tagnamespace in tenancy	Root compartment	Enables the OCI Database Service to access the tag namespace in a tenancy.
Allow service rcs to manage recovery-service-family in tenancy	Root compartment	Enables Recovery Service to access and manage protected databases, Recovery Service subnets, and protection policies within your tenancy.
Allow service rcs to manage virtual-network-family in tenancy	Root compartment	Enables Recovery Service to access and manage the private subnet in each database VCN within your tenancy. The private subnet defines the network path for backups between a database and Recovery Service.
Allow group admin to manage recovery-service-family in tenancy	Root compartment	Enables users in a specified group to access all Recovery Service resources. Users belonging to the specified group can manage protected databases, protection policies, and Recovery Service subnets.

Let users manage protection policies in Autonomous Recovery Service

The Let users manage protection policies in Autonomous Recovery Service policy template grants permissions for users in a specified group to create, update, and delete protection policy resources in Recovery Service.

You can either select the policy template or add this policy statement using the manual editor in the Policy Builder.

Table - Policy Statement for Managing Protection Policies

Policy Statement	Create In	Purpose
Allow group {group name} to manage recovery-service-policy in compartment {location}	Compartment that owns the protection policies.	Enables all users in a specified group to create, update, and delete protection policies in Recovery Service.

Consider this example. This policy grants the RecoveryServiceUser group with the permissions to create, update, and delete protection policies in ABC compartment.

Allow group RecoveryServiceUser to manage recovery-service-policy in compartment ABC

Let users manage Autonomous Recovery Service Subnets

The Let users manage Autonomous Recovery Service subnets policy template grants permissions for users in a specified group to create, update, and delete Recovery Service subnet resources.

You can either select the policy template or add this policy statement in the Policy Builder.

Table - Policy Statement for Managing Recovery Service Subnets

Policy Statement	Create In	Purpose
Allow Group {group name} to manage recovery-service-subnet in compartment {location}	Compartment that owns the Recovery Service subnets.	Enables all users in a specified group to create, update, and delete Recovery Service subnets.

Consider this example. This policy grants the RecoveryServiceAdmin group with the permissions to manage Recovery Service subnets in ABC compartment.

Allow group RecoveryServiceAdmin to manage recovery-service-subnet in compartment ABC

For more information about policies, see Managing Policies.

About Using a Private Subnet for Recovery Service

Recovery Service uses a private subnet inside a virtual cloud network (VCN) where your database resides. The private subnet defines the network path for backups between your database and Recovery Service.

Oracle recommends that your database VCN must have a single private subnet dedicated for backups to Recovery Service. Your Oracle Cloud database can reside in the same private subnet used by Recovery Service, or in a different subnet within the same VCN.

You can either create a private subnet or use a preexisting subnet in your database VCN. Oracle recommends that you use a subnet size of /24 (256 IP addresses).

Note:

Select an IPv4-only subnet for Recovery Service in your database VCN. Do not select an IPv6-enabled subnet as Recovery Service does not support using an IPv6-enabled subnet.

The database VCN requires security rules to allow backup traffic between your database and Recovery Service. Security rules must include stateful ingress rules to allow destination ports 8005 and 2484. You can use these Networking service features to implement security rules:

• Security Lists: A security list allows you to add security rules at the subnet level. In your database VCN, select the security list that is used for the Recovery Service subnet, and add the ingress rules to allow destination ports 8005 and 2484.
• Network Security Groups: Network security groups (NSGs) enable granular control over security rules that apply to individual VNICs in a VCN. Recovery Service supports these options to configure security rules using NSGs:
  • To implement network isolation, create one NSG for the database VNIC (add egress rules to allow ports 2484 and 8005) and a separate NSG for Recovery Service (add ingress rules to allow ports 2484 and 8005).
  • Create and use a single NSG (with egress and ingress rules) for the database VNIC and Recovery Service.

Note:

If you have configured a security list and an NSG within your database VCN, then the rules defined in the NSGs takes precedence over the rules defined in a security list.

After you create a private subnet in the database VCN, assign the security rules and then register the subnet as a Recovery Service subnet in Recovery Service. If you have created NSGs to implement security rules, then you must also ensure to associate the Recovery Service NSG with the Recovery Service subnet.

Note:

Oracle recommends using a private subnet for your backups. However, it is possible to use a public subnet.

For more information, see:

• Security Lists
• Network Security Groups
• VCN and Subnet Management

Review Subnet Size Requirements and Security Rules for Recovery Service Subnet

The security rules are necessary to allow backup traffic between a database and Recovery Service.

Note:

Select an IPv4-only subnet for Recovery Service in your database VCN. Do not select an IPv6-enabled subnet as Recovery Service does not support using an IPv6-enabled subnet.

Table - Subnet size requirements and ingress rules for a private subnet used by Recovery Service

Item	Requirements
Recommended subnet size	/24 (256 IP addresses)
General ingress rule 1: Allow HTTPS traffic from Anywhere	This rule allows backup traffic from your OCI Database to Recovery Service. Stateless: No (all rules must be stateful) Source Type: CIDR Source CIDR: CIDR of the VCN where the database resides IP Protocol: TCP Source Port Range: All Destination Port Range: 8005
General ingress rule 2: Allows SQLNet Traffic from Anywhere	This rule allows recovery catalog connections and real-time data protection from your OCI Database to Recovery Service. Stateless: No (all rules must be stateful) Source Type: CIDR Source CIDR: CIDR of the VCN where the database resides IP Protocol: TCP Source Port Range: All Destination Port Range: 2484

Note:

If you use network security groups (NSG) to implement security rules or if your database VCN restricts network traffic between subnets, then ensure to add an egress rule for ports 2484 and 8005 from the database NSG or subnet to the Recovery Service NSG or subnet that you create.

Review Networking Service Permissions to Configure a Subnet

Ensure that you have these Networking Service permissions required to create a subnet in the database VCN and to assign security rules for Recovery Service.

Table - Networking Service Permissions Required to Create a Private subnet and Configure Security Rules for Recovery Service

Operation	Required IAM Policies
Configure a private subnet in a database VCN	use vcns for the compartment which the VCN is in use subnets for the compartment which the VCN is in manage private-ips for the compartment which the VCN is in manage vnics for the compartment which the VCN is in manage vnics for the compartment which the database is provisioned or is to be provisioned in

Alternatively, you can create a policy that allows a specified group with broader access to networking components.

For example, use this policy to allow a NetworkAdmin group to manage all networks in any compartment in a tenancy.

Example - Policy for Network Administrators

Allow group NetworkAdmin to manage virtual-network-family in tenancy

Create a Recovery Service Subnet in the Database VCN

Use the OCI Console to configure a private subnet for Recovery Service in your database virtual cloud network (VCN).

1. In the navigation menu, select Networking, and then select Virtual cloud networks to display the Virtual Cloud Networks page.
2. Select the VCN in which your database resides.

3. Use these steps to create a Recovery Service subnet with a security list. If you choose to use network security groups, then skip this step.

   1. Under Resources, select Security Lists.
   2. Select the security list that is used for the VCN. You must add two ingress rules to allow destination ports 8005 and 2484.

   3. Click Add Ingress Rules and add these details to set up a stateful ingress rule that allows HTTPS traffic from anywhere:

      • Source Type: CIDR
      • Source CIDR: Specify the CIDR of the VCN where the database resides.
      • IP Protocol: TCP
      • Source Port Range: All
      • Destination Port Range: 8005
      • Description: Specify an optional description of the ingress rule to help manage the security rules.

   4. Click Add Ingress Rule and add these details to set up a stateful ingress rule that allows SQLNet traffic from anywhere:

      • Source Type: CIDR
      • Source CIDR: Specify the CIDR of the VCN where the database resides.
      • IP Protocol: TCP
      • Source Port Range: All
      • Destination Port Range: 2484
      • Description: Specify an optional description of the ingress rule to help manage the security rules.

      Note:

      Select an IPv4-only subnet for Recovery Service in your database VCN. Do not select an IPv6-enabled subnet as Recovery Service does not support using an IPv6-enabled subnet.
   5. In the Virtual Cloud Networks Details page, click Create Subnet.
   6. Create a private subnet or select a private subnet that already exists in the database VCN. Oracle recommends a subnet size of /24 (256 IP addresses) for the private subnet.
   7. In the Subnet Details page, under Resources select Security Lists. Add the security list that includes the ingress rules to allow destination ports 8005 and 2484.

      Note:

      If your database VCN restricts network traffic between subnets, then ensure to add an egress rule for ports 2484 and 8005 from the database subnet to the Recovery Service subnet that you create.

4. Use these steps to create a Recovery Service subnet with network security groups (NSG).

   1. Under Resources, select Network Security Groups.

   2. Click Create Network Security Group. Use one of these supported methods to configure security rules using NSGs:

      • To implement network isolation, create one NSG for the database VNIC (add egress rules to allow ports 2484 and 8005) and a separate NSG for Recovery Service (add ingress rules to allow ports 2484 and 8005).
      • Create and use a single NSG (with egress and ingress rules) for the database VNIC and Recovery Service.

      The Network Security Group page lists the NSGs that you create.

5. After you create the Recovery Service subnet in the database VCN, proceed to register the subnet as a Recovery Service subnet. Oracle recommends that you register a single Recovery Service subnet per VCN. If you have implemented security rules using NSGs, then you must also ensure to add the Recovery Service NSG to the Recovery Service subnet.

Register Recovery Service Subnet

After you have created a private subnet for Recovery Service in your database VCN, use this procedure to register the subnet in Recovery Service.

Multiple protected databases can use the same Recovery Service subnet. In order to ensure that the required number of IP addresses are available to support the Recovery Service private endpoints, you can assign multiple subnets to a Recovery Service subnet that is used by more than one protected database.

Note:

Select an IPv4-only subnet for Recovery Service in your database VCN. Do not select an IPv6-enabled subnet as Recovery Service does not support using an IPv6-enabled subnet.

Use the following steps to register Recovery Service subnet

1. Log in to your OCI tenancy.
2. In the navigation menu, click Oracle Database, and select Database Backups to display the Database Backups page.
3. Click Recovery Service Subnets.
4. In the Compartment field, select a compartment where you want to create the Recovery Service subnet.
5. Click Register Recovery Service subnet, and specify the details.
6. In the Name field, enter a name for the Recovery Service subnet.
7. In the Compartment field, select the compartment where you want to create the Recovery Service subnet.
8. In the Virtual cloud network field, select the database VCN. Click Change Compartment to select a VCN belonging to a different compartment.
9. In the Subnet field, select a private subnet that you have configured for Recovery Service operations in your database VCN. Click Change Compartment to select a private subnet from a different compartment.
10. (Optional) Click +Another Subnet to assign an additional subnet to the Recovery Service subnet. If a single subnet does not contain enough IP addresses to support the Recovery Service private endpoints, then you can assign multiple subnets.

11. Click Show advanced options to configure these additional features:

    • Network security groups
    • Tags

    If you have used a network security group (NSG) to implement security rules for Recovery Service in the database VCN, then you must add the Recovery Service NSG to the Recovery Service subnet. The Recovery Service NSG can reside in the same compartment or in a different compartment. However, the NSG must belong to the same VCN to which the specified subnet belongs.

    1. In the Network security groups section, select Use network security groups to control traffic.
    2. Select the Recovery Service NSG you have created in the database VCN.
    3. Click +Another network security group to associate multiple NSGs (maximum five).

    (Optional) In the Tag Namespace field, consider adding a tag namespace, or tagging the control with an existing tag namespace.

12. Click Register.

You can replace a subnet or add more subnets to support the required number of private endpoints.

Use these steps to update an existing Recovery Service subnet:

1. In the Recovery Service subnet details page, under Resources, click Subnets.
2. Click Add subnets and select the subnets you want to add.
3. To replace an existing subnet, click the Action menu, and select Remove subnet. You can then add another subnet.

Note:

A Recovery Service subnet must be associated with at least one subnet belonging to your database VCN.

Use these steps to manage the network security groups (NSGs) for an existing Recovery Service subnet:

1. In the Network security groups section, click Add network security groups.
2. Select and add the Recovery Service network security groups (maximum five).
3. To remove an NSG, select the resource and click Remove.

Ensure that the Recovery Service Subnet Can Communicate with Oracle Services

The Recovery Service Subnet that you registered needs to communicate with the Recovery Service.

To access the service, the routing table for the private subnet needs to include All IAD Services In Oracle Services Network.

Ensure that Your Database Has TDE Fully Configured

When using the Recovery Service, you must have your database fully TDE encrypted.

For new databases that are born in the cloud, this should already be done. But if you creating a stub database in OCI and migrating a database to an Oracle Database Cloud Service from on-premises, or somewhere else, you might not meet all the criteria. For these databases you should verify that you meet the prerequisites for a backing up to the recovery service. I have a blog post you can find here that will outline what to check for with queries to execute.

You must meet these 3 criteria:

• You need to have WALLET_ROOT configured in the database. If you are still using sqlnet.ora, you need to use dbaascli to properly set WALLET_ROOT for all databases that will be utilizing the Recovery Service. To enable wallet_root SPFILE parameter for an existing database, run:

  dbaascli tde enableWalletRoot

  Note:

  Setting ENCRYPTION_WALLET_LOCATION in sqlnet.ora is not supported and will be deprecated.
• You need to have an encryption key set for the CDB and all PDBs in your database.
• ALL tablespaces must be TDE encrypted before executing your first backup.

Turn Off Any Manual Operational Backups

In some cases, OCI users perform manual operational backups. These backups are run outside the standard tooling and support point-in-time recovery (non-KEEP backups).

If you are running any of these types of operational backups, it is critical that you turn them off at this point. Running operational backups to two different locations can cause issues with both backups and can create data loss scenarios. Therefore, before you enable automatic backups, you must disable manual backup scripts and processes to other storage destinations.

Note:

If you are using the tooling for object storage backups, and switch to the Recovery Service, the switchover will be automated by the tooling, and all of the previous backups will remain available.

---

Title and Copyright Information

Configure Recovery Service

Copyright ©2024,

Oracle and/or its affiliates.