Set up Oracle GoldenGate on Oracle AI Database@Azure

Learn to create an OCI GoldenGate deployment on Oracle AI Database@Azure. In this Quickstart, you create two multicloud bridges in the Azure Portal, a resource anchor and a network anchor, and then create the OCI GoldenGate deployment and connections in Oracle Cloud.

Note: Currently, deployment and connection creation is only supported in the Oracle Cloud console.

Learn what Azure and OCI regions support Oracle AI Database@Azure.

Before you begin

To successfully complete this quickstart, ensure you have resources and access:

Task 1: Set up the environment

Learn about Resource and Network Anchors.

  1. Create the Resource Anchor.

    After successful creation, Oracle Cloud automatically creates a compartment with the same name as the Resource Anchor. Create your OCI GoldenGate deployment and other related resources in this compartment.

    1. In the Azure Portal, confirm the Resource Anchor status is Active.

    2. In the Oracle Cloud console, confirm the compartment created appears with the same name as the Resource Anchor.

  2. Create the Network Anchor.

    1. In the Azure Portal, verify the Azure logical zone mapping for your subscription. Run the az account list command. Learn more.

      Azure logical zones differ from physical availability zones. Deployment creation requires this mapping to correctly align resources. For more information, see What are availability zones?

    2. In the Oracle Cloud console, confirm the Network Anchor-mapped subnet is visible in the linked compartment, and that its state is Available.

    3. Ensure the required network ports and DNS configuration are in place to enable communication between GoldenGate and Oracle AI Database@Azure, and other Azure and OCI source or target systems.

    4. Ensure Network Security Groups (NSGs), security lists, and routing rules allow traffic between OCI and Azure resources.

    5. Proper DNS configuration is required to enable name resolution between OCI GoldenGate and Oracle AI Database@Azure resources. For more information about DNS setup and networking requirements, see DNS Resolution for Network Anchors.

  3. Configure OCI IAM policies. If you haven't yet created groups and policies required, you can select from the following options:

    • If your tenancy was created after October 7, 2025, then IAM policies are already created for you. Skip to Task 2 to create your deployment and connections.

    • (Recommended) Use the Oracle Cloud Shell automation script to create the IAM group and all required policies in a single step. In the Oracle Cloud console, open Cloud Shell from the Developer Tools menu in the global navigation bar, and then run the goldengate_iam_cloud_shell.sh script found in the GoldenGate section of Prerequisites for Oracle AI Database@Azure.

    • Manually create the required policies in the Oracle Cloud console. Refer to the GoldenGate section of Prerequisites for Oracle AI Database@Azure for the full list of custom policies.

  4. In the Oracle Cloud console navigation menu, select Identity & Security, then Domains. Select your domain, then User management, to confirm that the odbaa-goldengate-administrators group exists.

  5. Select Policies from the Identity & Security resource menu. Confirm that all required GoldenGate policies exist.

Task 2: Create the OCI GoldenGate deployment

Before you create deployments, review the example OCI GoldenGate topologies and plan out the appropriate number and types of resources you need to create.

  1. In the Console navigation menu, select Oracle AI Database, and then select GoldenGate.

  2. On the Deployments page, select Create deployment.

  3. In the Create deployment panel, enter a name and optionally, a description.

  4. For Subscription, select ORACLEDBATAZURE. This ensures the deployment is billed to your Microsoft Azure Consumption Commitment (MACC). Selecting a different subscription will result in incorrect billing and the deployment will not appear in the Azure Portal.

  5. For Compartment, select the compartment the Resource Anchor created. Its name must match your Resource Anchor name exactly. Do not use the root compartment or any other compartment.

  6. For Choose a deployment type, select Data replication.

  7. From the Select a technology dropdown, select one of the following technology types:

    • Oracle AI Database

    • Big Data

    • MySQL

    • PostgreSQL

    • Microsoft SQL Server

    • IBM Db2 for i

    • IBM Db2 for z/OS

    See what's supported to learn which databases and technologies you can use as OCI GoldenGate sources and targets.

  8. For Version, the latest version is automatically selected. Select Change version to select a different version.

    Note: Learn more about versions.

  9. Select one of the following options:

    • Development or testing: Sets up a deployment with recommended defaults for a development or testing environment. The minimum number of OCPUs is 1.

    • Production: Sets up a deployment with a recommended default of 4 OCPUs with auto-scaling enabled for a production environment. The minimum number of OCPUs needed is 3, with auto-scaling enabled.

    Note: For more information on OCPU configuration and scaling, see Sizing considerations for Data Replication deployments.

  10. For Select OCPU, enter the number or select Change shape to use the slider to choose the number of Oracle Compute units (OCPUs) to use.

  11. (Optional) Select Auto scaling.

    Note: Auto scaling enables OCI GoldenGate to scale up to three times the number of OCPUs you specify for OCPU Count, up to 24 OCPUs. For example, if you specify your OCPU Count as 2 and enable Auto Scaling, then your deployment can scale up to 6 OCPUs. If you specify your OCPU Count as 20 and enable Auto Scaling, OCI GoldenGate can only scale up to 24 OCPUs.

  12. From the Subnet in <Compartment> dropdown, select the subnet mapped to your Network Anchor from Task 1, step 2. This ensures cross-cloud communication between Azure and OCI. Selecting any other subnet isolates the deployment from your Azure VNet.

  13. Choose a License type:

    • License included, to subscribe to a new software license for the service.

    • Bring your own license (BYOL), to bring existing Oracle GoldenGate licenses to the service. Enable BYOL OCPU limit to control the number of OCPUs covered by BYOL. The minimum number of OCPUs covered is 1.

  14. For GoldenGate instance name, enter the name that the deployment will assign to the GoldenGate deployment instance upon creation.

  15. For Credential store, select GoldenGate, for GoldenGate to manage users.

  16. Enter the GoldenGate Administrator user name.

  17. For Use password secret in vault, you can either:

    • Deselect this option to enter the administrator password as plain text, and then confirm the password entry.

    • Leave this option selected to use a password secret. Select a password secret in your compartment or select Change compartment to select one in a different compartment. You can also create a new password secret.

      Note: Oracle strongly recommends OCI Vault secrets for all non-evaluation deployments. Secrets provide:

      • Centralized password lifecycle management — rotate the secret without recreating the deployment
      • Audit trail — all secret access is logged in OCI Audit
      • Encryption at rest — the secret value is encrypted with your own master key, not platform-managed keys
      • Least-privilege access — only the GoldenGate dynamic group can access the secret, not individual users

      If you start with plain-text, you can migrate to a Vault-backed secret later. Just edit the deployment and update the password selection.

      To create a new password secret:

      1. Select Create password secret.

      2. In the Create secret panel, enter a name for the secret, and optionally, a description.

      3. Select a compartment from the Compartment dropdown in which to save your secret.

      4. Select a vault in the current compartment, or select Change compartment to select a vault in a different compartment.

      5. Select an Encryption key.

        Note: Only AES keys, Software protected keys, and HSM keys are supported. RSA and ECDSA keys are not supported for GoldenGate password secret keys.

      6. Enter a password 8 to 30 characters in length, containing at least 1 uppercase, 1 lowercase, 1 numeric and 1 special character. The special characters must not be '$', '^' or '?'.

      7. Confirm the password.

      8. Select Create.

  18. (Optional) Under Advanced options, in the Network tab, select Enable GoldenGate console public access only if you have a specific requirement for public access. Private endpoints are recommended for production workloads.

  19. Select Create. After a few minutes, the deployment status becomes Active.

    Note:

    • While the service creates the deployment, you can create your source and target connections (Task 3).

    • If the deployment status shows Creating for more than 30 minutes, check the deployment's Work Requests for possible errors.

  20. In the Azure Portal, navigate to your Resource Group and confirm the GoldenGate deployment appears as a linked resource under the Resource Anchor.
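
The password rule in step 17 (8 to 30 characters, at least 1 uppercase, 1 lowercase, 1 numeric and 1 special character, excluding '$', '^' and '?') can be checked before you paste a value into the Create secret panel. The following Python sketch is an added example, not part of Oracle's documentation or tooling; it assumes "special character" means ASCII punctuation and that the three excluded characters must not appear anywhere in the password, and its function names are hypothetical.

```python
import secrets
import string

MIN_LEN, MAX_LEN = 8, 30
FORBIDDEN = set("$^?")  # excluded by the rule in step 17
# Assumption: "special character" means ASCII punctuation.
ALLOWED_SPECIALS = "".join(c for c in string.punctuation if c not in FORBIDDEN)


def policy_violations(password: str) -> list[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 8 to 30 characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("needs an uppercase letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("needs a lowercase letter")
    if not any(c in string.digits for c in password):
        problems.append("needs a numeric character")
    if not any(c in ALLOWED_SPECIALS for c in password):
        problems.append("needs a special character other than $ ^ ?")
    if FORBIDDEN & set(password):
        problems.append("must not contain $, ^ or ?")
    return problems


def generate_password(length: int = 24) -> str:
    """Draw from a CSPRNG and resample until every rule is met."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be 8 to 30 characters")
    alphabet = string.ascii_letters + string.digits + ALLOWED_SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in ("Example-Pass1", "Examp-le$Pass1", "Sh0rt-a"):
        print(repr(sample), policy_violations(sample) or "ok")
    print("generated password passes:", policy_violations(generate_password()) == [])
```

Resampling a whole candidate, rather than forcing one character of each class into fixed positions, keeps the generated password uniformly distributed over the values that satisfy the rule.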

Task 3: Create connections

You must create connections to your source and target data sources, and then assign them to your OCI GoldenGate deployment for use in a data replication.

Learn more about connections and what’s supported.

  1. From the OCI GoldenGate Overview page, select Connections.

    You can also select Create Connection under the Get started section and skip to step 3.

  2. On the Connections page, select Create Connection.

  3. On the Create Connection page, complete the fields as follows:

    1. For Name, enter a name for the connection.

    2. (Optional) For Description, enter a description that helps you distinguish this connection from others.

    3. For Subscription, select ORACLEDBATAZURE.

    4. From the Compartment dropdown, select your resource anchor-mapped compartment.

    5. Select the Multicloud partner region.

    6. Select your Partner availability zone. The available options populate based on the selected Multicloud partner region.

      Note: Ensure that you select the correct physical availability zone where OCI GoldenGate is available. Use the az account list command to verify and choose the appropriate availability zone.

  4. From the Type dropdown, select the connection type to create, and then complete the rest of the fields as needed.

  5. Select Create.

After the connection is Active, assign it to your deployment. Repeat this task to create additional connections as needed.

Task 4: Access the deployment console

After the deployment becomes Active, you can access the deployment console using a bastion host or command-line tools, depending on your network configuration.

For deployments created with public access enabled, you can access the deployment console directly from its deployment details page.

For deployments without public access enabled, direct access to a deployment that uses a private endpoint is not available. You must connect through a bastion host using one of the following methods:

See Connect to OCI GoldenGate using a private IP for instructions on how to use OCI Bastion to connect to your deployment.

As an alternative to the web console, you can use the Admin Client to access and manage the deployment. Admin Client is a command line utility that you can use to configure and manage GoldenGate deployments and processes. For more information, see Using Admin client.

Next steps

If you successfully launched and logged in to your OCI GoldenGate deployment console(s), you’re ready to build your data replication processes.

If you encounter issues with any of the Tasks in this quickstart, see GoldenGate on Oracle AI Database@Azure Known Issues for troubleshooting help.