Oracle Data Safe supports an Oracle Database on Amazon RDS. Oracle Data Safe sits on its own Virtual Cloud Network (VCN) within your working region on the Oracle Cloud Infrastructure (OCI) Network. To register a target database with Data Safe, you must have the appropriate permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM), which are assigned to you by your administrator. These include permission to register a target database with Oracle Data Safe, and permission to use or create either an Oracle Data Safe on-premises connector or private endpoint.

The registration of Active Data Guard associated databases is supported for Amazon RDS for Oracle. This allows you to audit the primary database and its standby databases as a single target with multiple unified audit trails.

When registering an Oracle Database on Amazon RDS, there are two connectivity options: through a Data Safe private endpoint or through an on-premises connector. If you intend to connect your Oracle Database on Amazon RDS through a private endpoint, you must have an established network peering connection between your OCI tenancy and your Amazon cloud environment prior to registering your target database.

Private Endpoint 

Registering a target database through a private endpoint requires the private endpoint to sit within a private subnet on your VCN. During target registration with a private endpoint you can either select an existing endpoint (as one private endpoint can be used to register multiple target databases) or create a new one. However, there can only be one private endpoint per VCN.

The connection between the private endpoint and your Oracle Database on Amazon RDS can be either a TCP or TLS connection. If you choose TLS and client authentication is enabled on your target database, you need to download the Amazon Web Services (AWS) region certificate, upload the truststore and keystore files, and provide the wallet's password during target registration. In your AWS environment, you will additionally need to configure the SSL option group to enable SSL connections and modify the inbound rules on port 2484 (opened by default) on Amazon RDS to allow TLS connections.

The traffic from the private endpoint will be routed through a Dynamic Routing Gateway (DRG) that sits on your VCN. The traffic will then travel to your database through the pre-established network peering connection.

Security rules are required to allow communication between the private endpoint and your target database. You can configure the rules in network security groups (NSGs), which is recommended, or security lists (SLs). The egress rule, which needs to be configured in the private endpoint's NSG or SL, allows the private endpoint (from any port) to send requests to the target database IP address on its port. For security rules within Oracle Cloud Infrastructure, you can let the Amazon RDS for Oracle registration wizard configure the security rules for you or you can do it manually.
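The egress requirement above can be checked mechanically against the rules attached to the private endpoint. The following is an added example, not Oracle's code: it audits a list of egress rules shaped like OCI NSG security-rule JSON and reports whether the target is reachable and whether any matching rule is broader than the single database address and port. The database IP address and the sample rules are constructed; port 2484 is the TLS port named on this page.

```python
import ipaddress

# Constructed sample: egress rules of the private endpoint's NSG, shaped like
# OCI NSG security-rule JSON. The addresses are assumptions for illustration.
SAMPLE_RULES = [
    {"direction": "EGRESS", "protocol": "6", "destinationType": "CIDR_BLOCK",
     "destination": "10.20.0.15/32",
     "tcpOptions": {"destinationPortRange": {"min": 2484, "max": 2484}}},
    {"direction": "EGRESS", "protocol": "all", "destinationType": "CIDR_BLOCK",
     "destination": "0.0.0.0/0"},
]

def _covers(rule, db_ip, db_port):
    """True if an egress rule lets TCP traffic reach db_ip:db_port."""
    if rule.get("direction") != "EGRESS" or rule.get("protocol") not in ("6", "all"):
        return False
    if rule.get("destinationType", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False
    net = ipaddress.ip_network(rule["destination"], strict=False)
    if ipaddress.ip_address(db_ip) not in net:
        return False
    # A rule without a destination port range applies to every port.
    ports = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    return ports is None or ports["min"] <= db_port <= ports["max"]

def _is_tight(rule, db_port):
    """True if the rule is TCP, to a single host, on exactly the database port."""
    ports = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    net = ipaddress.ip_network(rule["destination"], strict=False)
    return (rule.get("protocol") == "6" and net.num_addresses == 1
            and ports is not None and ports["min"] == ports["max"] == db_port)

def audit_egress(rules, db_ip, db_port):
    """Return (reachable, findings) for the private endpoint's egress rules."""
    covering = [r for r in rules if _covers(r, db_ip, db_port)]
    findings = [f"broader than {db_ip}:{db_port}: {r['destination']} protocol {r['protocol']}"
                for r in covering if not _is_tight(r, db_port)]
    if not covering:
        findings.append(f"no egress rule reaches {db_ip}:{db_port}")
    return bool(covering), findings

if __name__ == "__main__":
    ok, notes = audit_egress(SAMPLE_RULES, "10.20.0.15", 2484)
    print("reachable:", ok)
    for n in notes:
        print(" -", n)
```
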

On-Premises Connector

When registering a target database through an on-premises connector, Oracle recommends that you install the on-premises connector on a different host machine than the target database, although you can install it on the same machine if needed. You will need to download the on-premises connector install bundle from Data Safe after registration and run it on the host machine where you intend the on-premises connector to sit. In a production environment, Oracle recommends that you install the same on-premises connector on two Linux hosts for high availability. If one of your hosts goes down due to system failure or maintenance, Oracle Data Safe connections automatically fail over to the on-premises connector running on the other host, and ongoing Oracle Data Safe operations are not affected.

Once the on-premises connector has been properly installed and connected to the Oracle Database, Oracle Data Safe will be able to send requests to your Oracle Database on Amazon RDS by routing them through the Cloud Connections Manager that sits on the Data Safe VCN. The connection between the Cloud Connections Manager and the on-premises connector is an encrypted TLS tunnel that is established from the on-premises connector.

During target registration with an on-premises connector, you can either select an existing on-premises connector (as one connector can support multiple target databases) or create a new one.

The connection between the on-premises connector and your Oracle Database on Amazon RDS can be either a TCP or TLS connection. If you choose TLS, make sure that, in your AWS environment, you configure the SSL option group to enable SSL connections and modify the inbound rules on port 2484 (opened by default) on Amazon RDS to allow TLS connections.