Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Enable Backup Policy Restoration and Customer-Managed Keys for OCI Block Storage with OCI Full Stack Disaster Recovery
Introduction
Oracle Cloud Infrastructure Full Stack Disaster Recovery (OCI Full Stack DR) orchestrates the transition of compute, database, and applications between Oracle Cloud Infrastructure (OCI) regions from around the globe with a single click. Customers can automate the steps needed to recover one or more business systems without redesigning or re-architecting existing infrastructure, databases, or applications and without the need for specialized management or conversion servers.
Initial Deployment Architecture
- 1 x Moving compute on the primary region (vmapp01).
- 1 x Volume group in primary region containing boot and block volume for vmapp01.

Note: Primary region is Frankfurt and standby region is London.
Objectives
Configure the newly introduced feature in OCI Full Stack DR that enables the application of custom encryption keys and backup policy settings for volume groups that are members of a DR protection group.
The following tasks will be covered in this tutorial.
- Task 1: Add the compute instance vmapp01 to primary DR protection group.
- Task 2: Add the volume group vgapp01 to primary DR protection group.
- Task 3: Generate a switchover plan.
- Task 4: Execute the switchover plan.
- Task 5: Verify the backup policies and encryption on new volume groups and volumes.
Prerequisites
- This tutorial assumes the DR protection groups already exist.
- Backup policy for volume groups. For more information, see Assigning a Backup Policy to a Volume or Volume Group.
- Customer-managed key for OCI Block Storage. For more information, see Block Volume Encryption.
  Note: Replicated vaults from one region to a second region cannot be used to encrypt disks on the standby region.
- The reader has administrator privileges and the required Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) policies for OCI Full Stack DR are already in place. For more information, see Configuring Identity and Access Management (IAM) policies to use Full Stack DR and Policies for Full Stack Disaster Recovery.
Task 1: Add the Compute Instance (vmapp01) to Primary DR Protection Group
- In the primary DR protection group (DRPG_CMK_BKP_FRA), select Members and click Add member.
- Add the compute VM (vmapp01) as a member.

Task 2: Add the Volume Group (vgapp01) to Primary DR Protection Group
- In the primary DR protection group (DRPG_CMK_BKP_FRA), select Members and add the volume group (vgapp01) as a member.
  Note: A new section with the destination backup policy and encryption will be presented.
- Once you select the backup policy you want to apply to the volume group, you will be offered three options for applying the encryption keys. Select one and click Add.
  - Option 1: Do not update encryption keys for volumes in this volume group.
    This option will not apply an encryption key to the volume group or the volumes in the destination region.
  - Option 2: Use common encryption key for all volumes in this volume group.
    This option will apply a single common encryption key to all volumes that belong to the volume group, in the destination region.
  - Option 3: Customize volume encryption keys.
    This option will assign a unique key to each volume that belongs to the volume group, in the destination region.
Task 3: Generate a Switchover Plan
A switchover plan is a type of DR plan that performs a planned transition of services from the primary DR protection group to the standby DR protection group.
Create a switchover plan in standby DR protection group (DRPG_CMK_BKP_LON).
- Select Plans and click Create plan.
- Enter Name as Switchover and select Plan type as Switchover (planned).
- Click Create.

Task 4: Execute the Switchover Plan in Standby DR Protection Group
Note:
The DR plans in the standby region should all be active at this point, which means OCI Full Stack DR can execute the active failover, switchover and DR drill plans even if a catastrophic event causes an outage at the primary region. Switchovers are disruptive and require an outage. Therefore, this task can be performed at a later point in time when an outage can be scheduled to execute the switchover plan in the current standby region.
If you cannot complete this task now, do not forget to complete this task at some point in the future.
Run the prechecks for the switchover plan created in Task 3 in the current standby region, then run the switchover plan if the prechecks succeed. Execute prechecks as an independent operation first as a best practice.
- Open the switchover plan in the standby region.
- Click Run Prechecks.
- Again, click Run Prechecks in the confirmation window to continue.
  Ensure the prechecks complete successfully. You may need to remediate any failed precheck steps at this point and then run the precheck again until all steps succeed.
- To run the switchover plan, click Execute plan.
- Again, click Execute plan in the confirmation window to continue.
  Monitor the plan execution to ensure all steps in the plan succeed.
  You may encounter failed steps even though the prechecks completed successfully, because the recovery steps are now actually being executed. Remediate any failed steps and try again.

Task 5: Verify the Backup Policies and Encryption on New Volume Groups and Volumes
- Go to the standby region, navigate to Storage, Volume Groups and look for vgapp01. You will see that the backup policy was applied to the volume group.
- Go to Boot Volumes and verify that the Encryption key was applied.
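
A scripted counterpart to the console checks in Task 5, as an added example that is not part of the original tutorial: it audits volume and backup policy assignment records against the encryption option chosen in Task 2 (Option 2 or Option 3). It assumes the records use the hyphenated-key JSON shape printed by the OCI CLI; the function names, the data volume name and all OCIDs are constructed placeholders.

```python
import json

# Constructed sample data in the hyphenated-key shape of OCI CLI JSON output.
# Every OCID below is a placeholder, not a real resource.
VOLUMES = json.loads("""[
  {"display-name": "vmapp01 (Boot Volume)", "kms-key-id": "ocid1.key.oc1..EXAMPLEKEYA"},
  {"display-name": "vmapp01-data", "kms-key-id": null}
]""")
ASSIGNMENTS = json.loads("""[
  {"asset-id": "ocid1.volumegroup.oc1..EXAMPLEVG",
   "policy-id": "ocid1.volumebackuppolicy.oc1..EXAMPLEPOLICY"}
]""")


def audit_encryption(volumes, mode, common_key=None):
    """Check volumes against Option 2 ("common") or Option 3 ("per-volume")."""
    if mode not in ("common", "per-volume"):
        raise ValueError("mode must be 'common' or 'per-volume'")
    findings, users = [], {}
    for vol in volumes:
        key = vol.get("kms-key-id")
        if not key:  # null means no customer-managed key is attached
            findings.append(f"{vol['display-name']}: no customer-managed key")
            continue
        users.setdefault(key, []).append(vol["display-name"])
        if mode == "common" and common_key and key != common_key:
            findings.append(f"{vol['display-name']}: unexpected key {key}")
    if mode == "common" and len(users) > 1:
        findings.append(f"{len(users)} distinct keys in use, expected one")
    if mode == "per-volume":
        for key, names in users.items():
            if len(names) > 1:
                findings.append(f"key {key} shared by {', '.join(names)}")
    return findings


def audit_backup_policy(assignments, asset_id, expected_policy):
    """Check that the volume group carries the expected backup policy."""
    policies = [a["policy-id"] for a in assignments if a["asset-id"] == asset_id]
    if not policies:
        return [f"{asset_id}: no backup policy assigned"]
    if expected_policy not in policies:
        return [f"{asset_id}: assigned {policies[0]}, expected {expected_policy}"]
    return []


if __name__ == "__main__":
    for line in audit_encryption(VOLUMES, "common", "ocid1.key.oc1..EXAMPLEKEYA"):
        print("FINDING:", line)
```

An empty result from both functions means the standby volumes match the selected option; any finding names the volume or volume group to inspect in the console.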

Next Steps
There are two best practices that should be incorporated into the normal day-to-day operations to help ensure the readiness of your DR plans.
- Regular periodic execution of prechecks.
- Regular periodic execution of DR Drills.
Think about scheduling weekly prechecks of all DR plans in the standby DR Protection Group. Prechecks can be run at any time and have zero impact on production workloads. This will help ensure the integrity of your DR plans, catching missing member resources, missing networks, the inability to find expected scripts called by user-defined steps and so on.
Another very important way of validating the readiness of your DR is to schedule periodic DR drills once a month or quarter. DR drills also have zero impact on production workloads, but give you the ability to validate recovery of compute, storage, Oracle databases and backend sets for load balancers in the standby region with the click of a single button. For more information, see:
- OCI Full Stack Disaster Recovery expands its built-in capabilities for database and storage
- OCI Full Stack Disaster Recovery Support for OCI Load Balancer
- OCI Full Stack Disaster Recovery Introduces DR Drills
Related Links
- Oracle Cloud Infrastructure (OCI) Full Stack Disaster Recovery
- Join #full-stack-dr slack channel
Acknowledgments
- Author - Raphael Teixeira (Principal member of technical staff for Full Stack DR engineering)
G33189-01
Copyright ©2025, Oracle and/or its affiliates.