Connect to Azure Data Lake Storage
Learn to create a connection to Azure Data Lake Storage to use as a target with OCI GoldenGate.
Note: If you’re connecting to Azure Storage (ADLS) with private endpoints using Azure Entra ID authentication, OCI GoldenGate uses the Oracle Services Network (OSN) NAT Gateway to obtain the tokens required for Azure Storage Entra ID authentication. You can create a support request to obtain the public IP address of the GoldenGate Service NAT Gateway in your OCI region, and then whitelist that IP address in your Azure VNet rules.
Before you begin
Ensure that you:
- Review how OCI GoldenGate connects to your source and targets.
- Configure the required policies to enable secure Vault and Secrets access, such as use secrets, use vaults, and read secret-bundles. For more information, see Minimum recommended policies.
Create the connection
To create an Azure Data Lake Storage connection:
1. From the OCI GoldenGate Overview page, select Connections.
   You can also select Create Connection under the Get started section and skip to step 3.
2. On the Connections page, select Create Connection.
3. On the Create Connection page, complete the fields as follows:
   - For Name, enter a name for the connection.
   - (Optional) For Description, enter a description that helps you distinguish this connection from others.
   - (For GoldenGate on Multicloud only) Select your Subscription, and then complete the following fields:
     - From the Compartment dropdown, select the compartment in which the Resource Anchor resides.
     - Select the Multicloud partner region.
     - Select your Partner availability zone. The available options populate based on the selected Multicloud partner region.
   - For Compartment, select the compartment in which to create the connection.
   - From the Type dropdown, select Azure Data Lake Storage.
   - For Account name, enter the Azure Cloud Storage Account Name.
   - For Endpoint, enter the endpoint of the storage account.
   - For Authentication type, select one of the following:
     - Shared key:
       - Storage Account Key: Select the Storage account key secret. If located in a different compartment, use the dropdown to change compartments. See Manage storage account access keys.
     - Shared access signature:
       - SAS token: Select the SAS token secret. If located in a different compartment, use the dropdown to change compartments. See Create an account SAS.
     - Azure Active Directory:
       Note: Before you configure the Azure Active Directory authentication type, ensure that you register an application in Azure AD App Registrations and assign the appropriate roles, for example “Storage BLOB Data Owner”. See Use the portal to create an Azure AD application and service principal that can access resources.
       - Azure tenant ID: In Azure Active Directory / App Registrations, select the application and enter its Tenant ID.
       - Client ID: In Azure Active Directory / App Registrations, select the application and enter its Client ID.
       - Client secret: Select the Client secret. If located in a different compartment, use the dropdown to change compartments.
         Note:
         - Secrets are credentials such as passwords, certificates, SSH keys, or authentication tokens that you use with OCI services. To create a secret, see Creating a secret. Ensure that you:
           - Select Manual secret generation.
           - Paste the credentials into Secret contents.
         - If you prefer not to use password secrets, ensure that you deselect Use secrets in vault in the Security section under Advanced Options, located at the bottom of this form.
         - When you need to update the Secret content, ensure that you:
           - Create a new Secret version using the Plain-Text template and provide the updated content. For more information, see Updating a Secret’s Content.
           - Refresh the connection to clear cached Secret content.
       - For Azure authority host, enter the Microsoft Entra ID endpoint used for authentication and authorization.
   - Expand Show advanced options. You can configure the following options:
     - Security
       - Deselect Use vault secrets if you prefer not to use password secrets for this connection. If Use vault secrets is not selected:
         - Select Use Oracle-managed encryption key to leave all encryption key management to Oracle.
         - Select Use customer-managed encryption key to select a specific encryption key stored in your OCI Vault to encrypt your connection credentials.
     - Network connectivity
       - Shared endpoint, to share an endpoint with the assigned deployment. You must allow connectivity from the deployment's ingress IP.
       - Dedicated endpoint, for network traffic through a dedicated endpoint in the assigned subnet in your VCN. You must allow connectivity from this connection's ingress IPs.
         Note:
         - If a dedicated connection remains unassigned for seven days, then the service converts it to a shared connection.
         - Learn more about Oracle GoldenGate connectivity.
     - Security attributes: Add security attributes to control access to this connection using Zero Trust Packet Routing (ZPR).
     - Tags: Add tags to organize your resources.
4. Select Create.
After the connection is created, it appears in the Connections list. Ensure that you assign the connection to a deployment to use it in a data replication.
Next steps
Troubleshoot connection issues
Most Azure Data Lake Storage connection issues happen because of Azure Data Lake Storage private endpoint configurations.
The following are common connectivity-related error messages that you could encounter in the Replicat report file:
- =ERROR 2023-08-04 07:23:08.000008 [main] - Exception during initialisation of Azure blob service client for account[ociggtest]. com.azure.storage.blob.models.BlobStorageException: Status code 400, "{"error":{"code":"InvalidUri","message":"The request URI is invalid.
- =ERROR 2023-08-01 20:23:24.000861 [main] - The Event Handler Framework failed to initialise.
- =ERROR 2023-08-04 08:13:30.000477 [main] - Exception during initialization of Azure blob service client for account[ociggtest]. com.azure.storage.blob.models.BlobStorageException:Status code 403, "<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
If you’re using Azure Data Lake Storage private endpoints and having issues with connection and/or replication, ensure that you:
- Check your OCI - Azure Interconnect details. Refer to Step-by-Step Guide: Interconnecting Oracle Cloud Infrastructure and Microsoft Azure.
- Follow the steps outlined in OCI GoldenGate ADLS Connections with Private End Points.
- Configure your ADLS Private Endpoint Connection in Azure with target sub-resource BLOB. OCI GoldenGate only supports BLOB, so the connection fails if it is configured with dfs or other sub-resource types.
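The following script is an added triage example, not part of the Oracle documentation or the OCI GoldenGate product: it scans a Replicat report file for the =ERROR lines quoted above, pulls out the HTTP status, the Azure error code and the storage account name, and maps each to the check this page recommends. The sample report text is constructed from the three messages shown above (plus one invented INFO line); the mapping from error code to recommended check is this editor's reading of the page, not an Oracle-supplied table.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a Replicat report file, modelled on the three error
# messages quoted in the troubleshooting section (account name "ociggtest"
# is the one shown there; the trailing INFO line is invented filler).
SAMPLE_REPORT = """\
=ERROR 2023-08-04 07:23:08.000008 [main] - Exception during initialisation of Azure blob service client for account[ociggtest]. com.azure.storage.blob.models.BlobStorageException: Status code 400, "{"error":{"code":"InvalidUri","message":"The request URI is invalid.
=ERROR 2023-08-01 20:23:24.000861 [main] - The Event Handler Framework failed to initialise.
=ERROR 2023-08-04 08:13:30.000477 [main] - Exception during initialization of Azure blob service client for account[ociggtest]. com.azure.storage.blob.models.BlobStorageException:Status code 403, "<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
INFO  2023-08-04 08:13:31.000001 [main] - Replicat started.
"""

# "=ERROR <date> <time> [<thread>] - <message>" as seen in the quoted lines.
ERROR_LINE = re.compile(r"^=ERROR (?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] - (?P<msg>.*)$")
HTTP_STATUS = re.compile(r"Status code (?P<status>\d{3})")
ACCOUNT = re.compile(r"account\[(?P<acct>[^\]]+)\]")
# Azure reports the error code either as JSON ("code":"InvalidUri") or as
# XML (<Code>AuthorizationFailure</Code>); accept both forms.
AZURE_CODE = re.compile(r'"code":"(?P<json>[A-Za-z]+)"|<Code>(?P<xml>[A-Za-z]+)</Code>')

# Error code -> the check the page recommends (editor's mapping, assumption).
HINTS = {
    "InvalidUri": "HTTP 400 InvalidUri: verify the connection's Endpoint value "
                  "and Account name.",
    "AuthorizationFailure": "HTTP 403 AuthorizationFailure: check the ADLS private "
                            "endpoint (sub-resource must be BLOB, not dfs), the "
                            "OCI - Azure Interconnect, and that the deployment's "
                            "ingress IP (or the GoldenGate NAT gateway IP for "
                            "Entra ID auth) is allowed in your Azure network rules.",
}
FRAMEWORK_HINT = ("Event Handler Framework failed to initialise: usually a "
                  "consequence of an earlier client initialisation error; "
                  "read the preceding =ERROR line.")


@dataclass
class Finding:
    timestamp: str
    account: Optional[str]
    http_status: Optional[int]
    azure_code: Optional[str]
    hint: str


def parse_report(text: str) -> List[Finding]:
    """Return one Finding per =ERROR line in a Replicat report."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = ERROR_LINE.match(line)
        if not m:
            continue  # INFO/WARNING lines are not part of this triage
        msg = m.group("msg")
        status = HTTP_STATUS.search(msg)
        acct = ACCOUNT.search(msg)
        code = AZURE_CODE.search(msg)
        azure_code = (code.group("json") or code.group("xml")) if code else None
        if azure_code in HINTS:
            hint = HINTS[azure_code]
        elif "Event Handler Framework" in msg:
            hint = FRAMEWORK_HINT
        else:
            hint = "Unclassified error: review the full message in the report file."
        findings.append(Finding(
            timestamp=m.group("ts"),
            account=acct.group("acct") if acct else None,
            http_status=int(status.group("status")) if status else None,
            azure_code=azure_code,
            hint=hint,
        ))
    return findings


def summarize(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, for a quick first look."""
    return [
        f"{f.timestamp} account={f.account or '-'} status={f.http_status or '-'} "
        f"code={f.azure_code or '-'}: {f.hint}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in summarize(parse_report(SAMPLE_REPORT)):
        print(line)
```

Run it against a real report by replacing SAMPLE_REPORT with the file's contents; the 403 branch is the one to look at first when private endpoints are in play, since it covers the sub-resource and network-rule checks listed above.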
Known issues
Test connection issue for Azure Data Lake Storage connections configured with Azure Entra ID authentication
You may experience issues when attempting to test Azure Data Lake Storage connections configured with Azure Entra ID authentication.
Workaround: You can ignore the error and proceed to create and run an Azure Data Lake Storage Replicat.