Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Enable Snapshot Policy Restoration and Customer-Managed Keys for File System with OCI Full Stack Disaster Recovery

Introduction

Oracle Cloud Infrastructure Full Stack Disaster Recovery (OCI Full Stack DR) orchestrates the transition of compute, database, and applications between Oracle Cloud Infrastructure (OCI) regions from around the globe with a single click. Customers can automate the steps needed to recover one or more business systems without redesigning or re-architecting existing infrastructure, databases, or applications and without the need for specialized management or conversion servers.

Initial Deployment Architecture

• 1 x Moving compute on the primary region (vmapp01).

• 1 x Volume group in primary region containing boot and block volume for vmapp01. `

• 1 x File system in primary region (fsvmap01).

Note: Primary region is Frankfurt and standby region is London.

Objectives

Configure the newly introduced feature in OCI Full Stack DR that enables the application of custom encryption keys and snapshot policy settings for file system that are members of a DR protection group.

This tutorial aims to guide users through the process of configuring the newly introduced feature in OCI Full Stack DR that enables the application of custom encryption keys and snapshot policy to file system within a protection group.

The following tasks will be covered in this tutorial.

• Task 1: Add the compute instance vmapp01 to primary DR protection group.
• Task 2: Add the volume group vgapp01 to primary DR protection group.
• Task 3: Add the file system fsvmap01 to primary DR protection group.
• Task 4: Generate a switchover plan.
• Task 5: Run the switchover plan.
• Task 6: Verify the encryption key and snapshot policy on new file system.

Prerequisites

• This tutorial assumes the DR protection groups already exist.

• Create policy-based snapshots for OCI File Storage. For more information, see Policy-Based Snapshots and Scheduling.

• Customer managed key for OCI File Storage. For more information, see Encrypting a File System.

• This tutorial assumes the reader has administrator privileges and the required Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) policies for OCI Full Stack DR are already in place. For more information, see Configuring Identity and Access Management (OCI IAM) policies to use Full Stack DR and Policies for Full Stack Disaster Recovery.

Task 1: Add the Compute Instance (vmapp01) to Primary DR Protection Group

1. In the primary DR protection group (DRPG_CMK_SP_FSS_FRA), select Members and Add member.

   

2. Add the compute VM (vmapp01) as a member.

   

   

Task 2: Add the Volume Group (vgapp01) to Primary DR Protection Group

1. In the primary DR protection group (DRPG_CMK_SP_FSS_FRA), select Members and add the volume group (vgapp01) as a member.

   

Task 3: Add the File System (fsvmap01) to Primary DR Protection Group

1. In the primary DR protection group (DRPG_CMK_SP_FSS_FRA), select Members and add the file system (fsvmap01) as a member.

   

   Note: A new section with the destination snapshot policy, destination vault and destination encryption will be presented.

Task 4: Generate a Switchover Plan

Switchover plan is a type of DR plan that performs a planned transition of services from the primary DR protection group to the standby DR protection group.

Create a switchover plan in standby DR protection group (DRPG_CMK_SP_FSS_LON).

1. Select Plans and click Create plan.

   

2. Enter Name as Switchover and select Plan type as Switchover (planned).

   

3. Click Create.

   

Task 5: Run the Switchover Plan

Note:

• The DR plans in the standby region should all be active at this point, which means OCI Full Stack DR can execute the active failover, switchover and DR drill plans even if a catastrophic event causes an outage at the primary region. Switchovers are disruptive and require an outage. Therefore, this task can be performed at a later point in time when an outage can be scheduled to execute the switchover plan in the current standby region.

• If you cannot complete this step now, do not forget to complete this task at some point in the future.

Run the prechecks for the switchover plan created in Task 4 in the current standby region, then run the switchover plan if the prechecks succeed. Run prechecks as an independent operation first as a best practice.

1. Open the switchover plan in the standby region.

2. Click Run Prechecks.

3. Again, click Run Prechecks in the confirmation box to continue.

   

   Ensure the prechecks complete successfully as shown in the following image. You may need to remediate any failed precheck steps at this point and then run the precheck again until all steps succeed.

   

4. To run the switchover plan, click Execute plan.

5. Again, click Execute plan in the confirmation box to continue.

   Monitor the plan execution to ensure all steps in the plan succeed.

   

   The following image shows the successful completion of the switchover plan. However, you may encounter failed steps even though the prechecks completed successfully; there is a chance steps will fail as the recovery steps are being executed in reality. Remediate any failed steps and try again.

   

Task 6: Verify the Encryption Key and Snapshot Policy on New File System

Go to the standby region, navigate to Storage, File Storage and look for fsvmap01. You will see that the customer encryption key and snapshot policy were applied to the file system.

Next Steps

There are two best practices that should be incorporated into the normal day-to-day operations to help ensure the readiness of your DR plans.

• Regular periodic execution of prechecks.
• Regular periodic execution of DR Drills.

Think about scheduling weekly prechecks of all DR plans in the standby DR Protection Group. Prechecks can be run at any time and have zero impact on production workloads. This will help ensure the integrity of your DR plans, catching missing member resources, missing networks, the inability to find expected scripts called by user-defined steps, etc.

Another very important way of validating the readiness of your DR is to schedule periodic DR drills once a month or quarter. DR drills also have zero impact on production workloads, but give you the ability to validate recovery of compute, storage, Oracle databases and backend sets for load balancers in the standby region with the click of a single button. For more information, see:

• OCI Full Stack Disaster Recovery expands its built-in capabilities for database and storage
• OCI Full Stack Disaster Recovery Support for OCI Load Balancer
• OCI Full Stack Disaster Recovery Introduces DR Drills

Related Links

• Oracle Cloud Infrastructure (OCI) Full Stack Disaster Recovery

• Add a File System to a Disaster Recovery Protection Group

• OCI Full Stack DR Documentation

• Join #full-stack-dr slack channel

Acknowledgments

• Author - Raphael Teixeira (Principal member of technical staff for Full Stack DR engineering)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Enable Snapshot Policy Restoration and Customer-Managed Keys for File System with OCI Full Stack Disaster Recovery

G33286-01

Copyright ©2025, Oracle and/or its affiliates.