Before you begin

What you need

Here are the prerequisites required to deploy Oracle GoldenGate Maximum Availability Hub:

Oracle Cloud Account
Access to an assigned Oracle Cloud Tenant
Policies to create compute node resources within the Oracle Cloud Tenant
Local SSH/RSA Key

Create an SSH/RSA Key

To work with the Oracle Cloud Infrastructure once the Oracle GoldenGate Compute Node is built, you have to provide a SSH Public Key during the interview process that will allow you to log in to the node once built.

In order to build your SSH keys, perform the following steps:

Open a Terminal window and start the key generation program by typing the following command:
```
$ ssh-keygen
```
Enter the path to store this file. By default, this gets saved in your home directory under a hidden folder called .ssh. Change this default location, if required.
```
Enter file in which to save the key (/Users/johndoe/.ssh/id_rsa): <Return>
```

Enter a passphrase for using your key.

Enter passphrase (empty for no passphrase): <passphrase>

Re-enter the passphrase to confirm it.

Enter same passphrase again: <passphrase>

Check the results.

The key fingerprint (a colon separated series of 2 digit hexadecimal values) is displayed. Check if the path to the key is correct. In the above example, the path is /Users/johndoe/.ssh/id_rsa.pub. You have now created a public or private key pair.

Note: For generating key pair on Windows platform, refer to Creating a Key Pair section in Oracle Cloud Infrastructure Documentation.

Required policies

Review the following information before you proceed:

Add the following required policies before you deploy the Oracle GoldenGate Maximum Availability Hub stack. You may need assistance from your Service administrator to add these policies to your compartment.

Allow group <ggowner> to manage instance-family in compartment <compartment-name>
Allow group <ggowner> to manage orm-family in compartment <compartment-name>
Allow group <ggowner> to manage volume-family in compartment <compartment-name>
Allow group <ggowner> to use virtual-network-family in compartment <compartment-name>
Allow group <ggowner> to manage public-ips in compartment <compartment-name>
Allow group <ggowner> to use tag-namespaces in tenancy
Allow group <ggowner> to inspect compartments in tenancy

Where <ggowner> is an example for a group and <compartment-name> is an example of a compartment. The following are permission names: instance-family, orm-family, volume-family, virtual-network-family, and public-ips.

Use one of the following examples to assign privileges required for VIP reassignment

Create a dynamic group, OracleIdentityCloudService/VIP-Reassignment, with the following rule for any compartment that requires access:
```
Any {Instance.compartment.id  = '<Compartment OCID>'}
```
For each compartment listed, add the following required policy for the dynamic group to use APIs to reassign the VIP to another instance in failover events:
```
Allow dynamic-group 'OracleIdentityCloudService'/'VIP-Reassignment' to { PRIVATE_IP_READ, PRIVATE_IP_UPDATE, VNIC_ASSIGN, VNIC_UNASSIGN, VNIC_ATTACHMENT_READ, INSTANCE_INSPECT } in compartment <child_compartment_name>
```
Instances created by the Oracle GoldenGate Maximum Availability Hub stack are tagged with the tag namespace, GG_DEV, and tag key, ogg-high-availability.

Create the tag namespace, GG_DEV in the compartment in which you deploy Oracle GoldenGate Maximum Availability Hub. Create the tag key definition ogg-high-availability in the GG_DEV namespace. Create a dyamic group, OracleIdentityCloudService/VIP-Reassignment-Tag, with the following matching rule to group all instances tagged with the given namespace and tag key:
```
tag.GG_DEV.ogg-high-availability.value
```
Add the following required policy for the dynamic group that assigns privileges to all instances with this namespace and tag, enabling them to reassign the VIP address to other instances. For example:
```
Allow dynamic-group 'OracleIdentityCloudService'/'VIP-Reassignment-Tag' to { PRIVATE_IP_READ, PRIVATE_IP_UPDATE, VNIC_ASSIGN, VNIC_UNASSIGN, VNIC_ATTACHMENT_READ, INSTANCE_INSPECT } in compartment <child_compartment_name>
```

To manage Oracle GoldenGate passwords in OCI Vault, the following policy is required:

Allow dynamic-group 'OracleIdentityCloudService'/'VIP-Reassignment-Tag' to { PRIVATE_IP_READ, PRIVATE_IP_UPDATE, VNIC_ASSIGN, VNIC_UNASSIGN, VNIC_ATTACHMENT_READ, INSTANCE_INSPECT, SECRET_BUNDLE_READ, SECRET_UPDATE } in compartment <compartment_name>

If the VIP-Reassignment-Tag dynamic group consists of Oracle GoldenGate Maximum Availability Hub instances in compartment A and OCI Vault is in compartment B, ensure that SECRET_BUNDLE_READ, SECRET_UPDATE are assigned to instances in compartment A as follows:

Allow dynamic-group 'OracleIdentityCloudService'/'VIP-Reassignment-Tag' to { SECRET_BUNDLE_READ, SECRET_UPDATE } in compartment B.

Set up the source and target databases for replication

Before you can start replicating data, you should prepare the source or target database to support Oracle GoldenGate. For more information about steps to prepare your Oracle AI Database, see Prepare Database for Oracle GoldenGate.

Create a custom Virtual Cloud Network (VCN)

You can use an existing VCN or create one when you deploy the Oracle GoldenGate Maximum Availability Hub stack, but ensure that the VCN includes the following network configurations.

Note: Whether you create a custom VCN or use an existing one, ensure that you’re in the same compartment as the instances, or a child compartment of the same parent that hosts the instances. Instances cannot be in an unrelated parent compartment from the VCN compartment.

Before you begin

Take note of the following:

When you create your VCN, you must create both a client subnet and a cluster subnet. The client subnet can be either public, which allows public access to instances created in the subnet, or private, which prohibits public IP address for instances created in the subnet. The cluster subnet is used only for internal communication between clusters, and must be private.
If your client subnet is public, you must create and use an Internet Gateway. If your client subnet is private, then you must create and use a NAT Gateway.
Two sets of security lists and route table rules are required, one set for the client subnet and one set for the cluster subnet. You can use the default security list and route table created when you create the subnet, and create a second security list and route table for the other subnet, or create two new security lists and route tables for each subnet, ensuring that the required ingress, egress, and route table rules are included as documented below.

To create a custom VCN:

Log in to the Oracle Cloud console with your Oracle Cloud account, if you’re not already logged in.
Create the VCN:
1. Open the Oracle Cloud navigation menu, select Networking, and then select Virtual cloud networks.
2. On the Virtual Cloud Networks in Compartment page, select Create VCN.
3. In the Create Virtual Cloud Network panel, complete the following fields:
  1. For Name, enter a name for the VCN, such as VCN01.
  2. Select a compartment in which to create the VCN.
  3. For IPv4 CIDR Blocks, enter an IPv4 CIDR block such as, 10.10.0.0/16, and then press Enter on your keyboard.
4. Select Create VCN.
Create Gateways:
- Create an Internet Gateway, if the client subnet’s access type is public:
  1. On the Virtual Cloud Network details page, select Gateways.
  2. Under Internet Gateways, select Create Internet Gateway.
  3. On the Create Internet Gateway page, enter a name for the Internet Gateway, such as igwy01, and then select Create Internet Gateway.
- Create a NAT Gateway for the cluster subnet, or if the client subnet’s access type is private:
  1. On the Virtual Cloud Network details page, select Gateways.
  2. Under NAT Gateways, select Create NAT Gateway.
  3. On the Create NAT Gateway page, enter a name for the NAT Gateway, such as ngwy01, and then select Create NAT Gateway.
Create Route Tables and add Route Rules:
1. Create a Route Table for the client subnet:
  1. On the Virtual Cloud Network details page, select Routing, and then under Route tables, select Create Route Table.
  2. On the Create Route Table page, enter a name for the Route Table, such as client_rt01, and then select Create.
  3. Select the newly created route table.
  4. On the Route Table Details page, select Route Rules, and then Add Route Rules.
  5. On the Add Route Rules page, complete the fields as follows:
    1. For Target Type, select:
      - Internet Gateway, if your client subnet is public.
      - NAT Gateway, if your client subnet is private.
    2. For Destination CIDR Block, enter 0.0.0.0/0
    3. For Target, select the Target Type you selected in step 1 from the dropdown.
  6. Select Add Route Rules.
2. Create a Route Table for the cluster subnet:
  1. Return to the Routing page, and then select Create Route Table.
  2. On the Create Route Table page, enter a name for the Route Table, such as cluster_rt01, and then select Create.
  3. Select the newly created route table.
  4. On the Route Table Details page, select Route Rules, and then Add Route Rules.
  5. On the Add Route Rules page, complete the fields as follows:
    1. For Target Type, select NAT Gateway.
    2. For Destination CIDR Block, enter 0.0.0.0/0
    3. For Target, select NAT Gateway from the dropdown.
  6. Select Add Route Rules.
Create Security Lists:
1. Use the breadcrumb to return to the VCN details page.
2. On the Virtual Cloud Network details page, select Security.
3. Create a Security List for the client subnet:
  1. Select Create Security List.
  2. On the Create Security List page, complete the fields as follows:
    1. For Name, enter client_sl01.
    2. Under Allow Rules for Ingress, select + Another Ingress Rule.
    3. For Ingress Rule 1,
      1. For Source Type, select CIDR.
      2. For Source CIDR, enter 10.10.0.0/24.
      3. For IP Protocol, select ICMP from the dropdown.
      4. For Type, enter 8.
      5. For Description, enter Required for ACFS replication.
      6. Select + Another Ingress Rule
    4. For Ingress Rule 2,
      1. For Source Type, select CIDR.
      2. For Source CIDR, enter the client subnet CIDR. For example, 10.10.0.0/24.
      3. For Source Port Range, enter All
      4. For Destination Port Range, enter All.
      5. For IP Protocol, select TCP from the dropdown.
      6. For Description, enter Required for GI communication.
      7. Select + Another Ingress Rule
    5. For Ingress Rule 3,
      1. For Source Type, select CIDR.
      2. For Source CIDR,
        
        If the client subnet is public, enter 0.0.0.0/0.
        
        If the client subnet is private, enter 10.10.0.0/24
      3. For Source Port Range, enter All
      4. For Destination Port Range, enter 22.
      5. For IP Protocol, select TCP from the dropdown.
      6. For Description, enter Required for SSH.
    6. For Ingress Rule 4,
      1. For Source Type, select CIDR.
      2. For Source CIDR,
        
        If the client subnet is public, enter 0.0.0.0/0.
        
        If the client subnet is private, enter 10.10.0.0/24
      3. For Source Port Range, enter 443
      4. For Destination Port Range, enter 443.
      5. For IP Protocol, select TCP from the dropdown.
      6. For Description, enter Required for web access to GoldenGate.
    7. Under Allow Rules for Egress, select + Another Egress Rule.
    8. For Egress Rule 1,
      1. For Destination Type, select CIDR.
      2. For Destination CIDR, enter 0.0.0.0/0.
      3. For IP Protocol, select All Protocols.
  3. Select Create Security List.
4. Create a Security List for the cluster subnet.
  1. Select Create Security List.
  2. On the Create Security List page, complete the fields as follows:
    1. For Name, enter cluster_sl01.
    2. Under Allow Rules for Ingress, select + Another Ingress Rule.
    3. For Ingress Rule 1,
      1. For Source Type, select CIDR.
      2. For Source CIDR, enter 10.10.1.0/24.
      3. For IP Protocol, select ICMP from the dropdown.
      4. For Type, enter All.
      5. For Code, enter All.
      6. Select + Another Ingress Rule
    4. For Ingress Rule 2,
      1. For Source Type, select CIDR.
      2. For Source CIDR, enter 10.10.1.0/24.
      3. For Source Port Range, enter All.
      4. For Destination Port Range, enter All.
      5. For IP Protocol, select TCP from the dropdown.
      6. Select + Another Ingress Rule
    5. For Ingress Rule 3,
      1. For Source Type, select CIDR.
      2. For Source CIDR, enter 10.10.1.0/24.
      3. For Source Port Range, enter All.
      4. For Destination Port Range, enter All.
      5. For IP Protocol, select UDP from the dropdown.
      6. Select + Another Ingress Rule
    6. Under Allow Rules for Egress, select + Another Egress Rule.
    7. For Egress Rule 1,
      1. For Destination Type, select CIDR.
      2. For Destination CIDR, enter 0.0.0.0/0.
      3. For IP Protocol, select All Protocols.
    8. Select Create Security List.
Create the client subnet:
1. Use the breadcrumb to return to the VCN details page.
2. On your Virtual Cloud Network details page, select Subnets.
3. In the Subnets list, select Create Subnet.
4. On the Create Subnet page, complete the following fields:
  1. For Name, enter a name for the subnet, such as clientsubnet001.
  2. For Create in Compartment, select the compartment in which to create the subnet.
  3. For Subnet Type, select Regional.
  4. For IPv4 CIDR Blocks, enter 10.10.0.0/24.
  5. For Route Table in Compartment, select the client Route Table created in step 4a (client_rt01).
  6. (Optional) For Subnet Access, select one of the following:
    - Publict Subnet, to allow public IP addresses for instances created in this subnet.
    - Private Subnet, to prohibit public IP addresses for instances created in this subnet.
  7. For Security Lists, select the client Security List created in step 5c (client_sl01).
5. Select Create Subnet.
Create the cluster subnet:
1. On your Virtual Cloud Network details page, select Create Subnet.
2. On the Create Subnet page, complete the following fields:
  1. For Name, enter a name for the subnet, such as clustersubnet001.
  2. For Create in Compartment, select the compartment in which to create the subnet.
  3. For IPv4 CIDR Blocks, enter an IPv4 CIDR block such as, 10.10.1.0/24.
  4. For Route Table in Compartment, select the client Route Table created in step 4b (cluster_rt01).
  5. For Subnet Access, select Private Subnet.
  6. For Security Lists, select the client Security List created in step 5d (client_sl01).
3. Select Create Subnet.
Create a private view:
1. Use the Oracle Cloud console search bar to search for private view.
2. In the search results, under Services, select Private views (DNS Management).
3. On the Private views page, select Create private view.
4. On the Create private view page, enter goldengate_dns_view, and then select Create.
Create a zone:
1. In the DNS management menu, select Private Zones.
2. On the Private zones page, and then select Create zone.
3. On the Create private zone page, enter goldengatevcn.com, and then select Create.
4. Ensure that the DNS private view selected is the private view created in step 8, and then select Create.
Update the associated DNS resolver:
1. Use the Previous arrow to return to the Networking menu, and then select Virtual cloud networks.
2. On the Virtual Cloud Networks page, select your VCN.
3. On the Virtual Cloud Network details page, in the VCN information card, locate DNS Resolver, and select the VCN name.
4. On the Private resolver details page, select Associated private views, and then Manage private views.
5. In the Manage private views panel, select the DNS private view created in step 8 from the dropdown, and then select Save changes.