Configure Oracle Data Guard for Oracle Exadata Database Service on Dedicated Infrastructure

Data Guard for Oracle Exadata Database Service on Dedicated Infrastructure supports Oracle-managed keys and customer-managed keys for Transparent Data Encryption (TDE). Oracle-managed keys use password based wallets to store and manage TDE keys, while customer-managed keys enable you to store and manage TDE keys in OCI Vault. By default, Oracle Exadata Database Service on Dedicated Infrastructure uses Oracle-managed keys.

Verify Security Policies and Dynamic Groups

If your database uses OCI Vault to store customer-managed keys, you must follow the steps below to verify all required security policies and dynamic groups are properly configured. You can skip this section if your database uses Oracle-managed keys.

  1. In the OCI console, navigate to the main menu and click Identity & Security.
  2. Click Dynamic Groups.
    On newer tenancies, click Domains, and then click Dynamic Groups.
  3. Verify a dynamic group is configured with a rule similar to the following:
    {resource.compartment.id = 'ocid1.of_compartment_where_exadata_database_on_dedicated_infrastructure_are_configured'}
  4. Navigate to Identity & Security, and then click Policies.
    Verify a security policy exists with the following rules:
    Allow service keymanagementservice to manage vaults in tenancy
    Allow dynamic-group Dynamic_Group_from_step_2 to use vaults in compartment compartment_name_where_OCI_Vault_is_configured
    Allow dynamic-group Dynamic_Group_from_step_2 to manage keys in tenancy
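A way to check the three required policy statements against a list exported from the console or CLI, as an added example (not Oracle's code): it parses the statement grammar, accepts a stronger verb or the wider tenancy scope as still satisfying a rule, and treats a statement with a `where` condition as not satisfying it. The dynamic group and compartment names are assumed inputs; the sample statements are constructed.

```python
import re

# Statement grammar handled: "Allow <subject> to <verb> <resource> in <scope>".
# Input is normalised to lower case and single spaces; a trailing "where" condition
# is recorded so a conditional grant is not mistaken for an unconditional one.
STATEMENT_RE = re.compile(
    r"^allow (?P<subject>(?:service|group|dynamic-group) \S+) to "
    r"(?P<verb>inspect|read|use|manage) (?P<resource>[\w-]+) in "
    r"(?P<scope>tenancy|compartment \S+)(?P<cond> where .+)?$"
)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

def parse_statement(stmt):
    """Return (subject, verb, resource, scope, conditional) or None."""
    m = STATEMENT_RE.match(" ".join(stmt.split()).lower())
    if not m:
        return None
    return (m["subject"], m["verb"], m["resource"], m["scope"], m["cond"] is not None)

def covers(parsed, subject, verb, resource, scope):
    """True if a parsed statement grants at least the required permission."""
    s, v, r, sc, conditional = parsed
    if conditional or s != subject or r != resource:
        return False
    # A stronger verb (manage over use) or the wider tenancy scope still satisfies it.
    return VERB_RANK[v] >= VERB_RANK[verb] and sc in (scope, "tenancy")

def missing_statements(statements, dynamic_group, vault_compartment):
    """Return the page's required statements that no exported policy line covers."""
    dg = f"dynamic-group {dynamic_group.lower()}"
    required = [
        ("service keymanagementservice", "manage", "vaults", "tenancy"),
        (dg, "use", "vaults", f"compartment {vault_compartment.lower()}"),
        (dg, "manage", "keys", "tenancy"),
    ]
    parsed = [p for p in map(parse_statement, statements) if p]
    return [f"Allow {s} to {v} {r} in {sc}" for s, v, r, sc in required
            if not any(covers(p, s, v, r, sc) for p in parsed)]

# Constructed sample: the vault rule carries a where-condition and the keys
# rule is scoped to a compartment instead of the tenancy, so both are reported.
SAMPLE = [
    "Allow service keymanagementservice to manage vaults in tenancy",
    "Allow dynamic-group exadb-dg to use vaults in compartment vault-cmp "
    "where request.region = 'phx'",
    "Allow dynamic-group exadb-dg to manage keys in compartment vault-cmp",
]

if __name__ == "__main__":
    print(missing_statements(SAMPLE, "exadb-dg", "vault-cmp"))
```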

Verify OCI Vault Replication

If you are configuring Oracle Data Guard between two regions, and your database uses customer-managed keys, a Virtual Private Vault must be replicated between the two regions. You can skip this section if your database uses Oracle-managed keys. These steps describe how to verify your Virtual Private Vault is being replicated across both regions.

  1. Navigate to the OCI menu, and click Identity & Security.
  2. Click Vault.
  3. In the list of available vaults, verify that the Virtual Private column shows Yes for the vault to be used for the databases in the Data Guard Association.
    If a vault does not exist yet, click Create Vault, and provide a name for the vault. Select the Make it a virtual private vault option, and then click Create Vault.
  4. Verify the Virtual Private Vault is replicated to the region where the standby database will be created:
    1. Navigate to the OCI menu, and select Identity & Security.
    2. Click Vault.
    3. Select the vault to be used for the databases in the Data Guard Association.
      If Vault Replication is enabled for this vault, the vault page will display the Replication Role and Replication Details. If no Replication information is displayed, the vault is not being replicated.
  5. To replicate the vault to another region, click Replicate Vault. Select the region where the standby database will be configured, then click Create Replica.
    The vault is replicated to the other region and is available for creating a Data Guard Association after a few minutes.
  6. Verify any existing keys for existing databases were replicated from the source vault to the replica vault.
  7. On the source vault, create new keys for new databases and verify they are replicated to the replica vault.

Configure In-Region Oracle Data Guard

These steps describe how to enable Oracle Data Guard for Oracle Exadata Database Service on Dedicated Infrastructure databases in the same region.

  1. Navigate to the OCI menu, and click Oracle Database.
  2. Click Oracle Exadata Database Service on Dedicated Infrastructure.
  3. Select the compartment where the Oracle Exadata Database Service on Dedicated Infrastructure VM cluster is configured.
  4. Select the VM cluster where the database to be configured with Oracle Data Guard is located.
  5. Click the database name to select the database.
  6. Under Resources, click Data Guard Associations.
  7. Click Add Standby. An Add standby window opens; the options displayed depend on your database version. Database versions 11g and 12c support Data Guard Associations, while versions 19c and newer support Data Guard Groups. Select whether to configure a Data Guard Association or a Data Guard Group.
  8. Configure the Data Guard options:
    • Peer Region: The region for the selected database is displayed by default. Use this region for the Oracle Data Guard configuration.
    • Availability Domain: The availability domain for the selected database is displayed by default. Use this availability domain if the standby database is to be configured in the same availability domain as the primary database. Otherwise, select a different availability domain.
    • Exadata Infrastructure: Select the Exadata Infrastructure where the standby will be running.
    • Data Guard Peer resource type: Select VM cluster.
    • VM Cluster: Select the VM cluster where the standby database will be running. If the standby database will be running on a VM cluster on a different compartment, select the corresponding compartment. By default, the same compartment as the primary database is selected.
    • Data Guard Type: Select Data Guard or Active Data Guard. Active Data Guard may require an additional license.
    • Protection Mode: Select Max Performance or Max Availability.
    • Transport: Synchronous or Asynchronous depending on the Protection Mode selection. If the Protection Mode is Max Performance, the Transport is Asynchronous. If the Protection Mode is Max Availability, the Transport is Synchronous.
    • Database Home: Select existing or create a new database home. Ensure the database home runs the same Oracle database software version and patches as the primary.
    • Database Unique Name: (Optional) Provide a database unique name for the peer standby database. If none is provided, the OCI console automatically assigns a database unique name to the standby database.
    • Password: Provide the sys password for the primary database. The sys password and TDE Wallet password must be the same when using Oracle-managed keys.
    • TDE Password: Enter the TDE password for the primary database. The sys and TDE passwords may be the same when using Oracle-managed keys.
  9. Click Add Standby.
After the work request is complete, a new database is created in the standby VM Cluster, and a Data Guard Group or Association is created between the two databases. The new database is configured as a standby database.

Configure Cross Region Oracle Data Guard

These steps describe how to enable Oracle Data Guard for Oracle Exadata Database Service on Dedicated Infrastructure databases in different regions.

  1. In your OCI tenancy, select the region where the primary database is configured.
  2. Create a Remote Peering Connection for the VCN where the primary database is configured:
    1. Select Networking, then select Virtual Cloud Networks.
    2. Select Customer Connectivity.
    3. Select Dynamic Routing Gateway. Select an existing Dynamic Routing Gateway (DRG), or create a new Dynamic Routing Gateway if one does not already exist.
    4. From the Dynamic Routing Gateway menu, select Virtual Cloud Networks Attachments. Create a Virtual Cloud Networks Attachment if one does not already exist.
    5. From the Dynamic Routing Gateway menu, select Remote Peering Connection Attachments, then click Create Remote Peering Connection. Enter a name for the Remote Peering Connection, and click Create Remote Peering Connection.
      This creates a Remote Peering Connection Attachment in Peering Status New (not peered). The Remote Peering Connection Attachment includes the required routing from the primary database's VCN to the DRG.
  3. Create a route from the primary database's VCN to the standby database's VCN:
    1. From the OCI menu, select Networking, then select Virtual Cloud Networks. Select the VCN for the primary database's region.
    2. From the VCN menu, select Route Tables, then select the route table for the private subnet.
    3. Add a route to the VCN where the standby database will be configured.
      For example, if the standby database will be configured in a VCN whose CIDR block is 10.1.0.0/16, add a route for destination 10.1.0.0/16 using the DRG.
  4. Add an Ingress Security Rule to the Private Network Security List to allow connections to port 1521 from the network where the standby database is configured (using the example above, network 10.1.0.0/16).
  5. Select the region where the standby database will run.
  6. Create a Remote Peering Connection for the VCN where the standby database will be configured:
    1. From the OCI menu select Networking, then select Virtual Cloud Networks.
    2. Select Customer Connectivity.
    3. Select Dynamic Routing Gateway, then select an existing DRG. Create one if one does not already exist, and select the new DRG.
    4. From the Dynamic Routing Gateway menu, select Virtual Cloud Networks Attachments. Create a VCN Attachment if one does not already exist.
    5. From the Dynamic Routing Gateway menu, select Remote Peering Connection Attachments, then click Create Remote Peering Connection. Enter a name for the Remote Peering Connection, and click Create Remote Peering Connection.
      A new Remote Peering Connection Attachment in Peering Status New (not peered) is created. The Remote Peering Connection Attachment will include the required routing from the standby database's VCN to the DRG. Take note of the Remote Peering Connection OCID, which will be used during the peering step.
  7. Create a route from the standby database's VCN to the primary database's VCN:
    1. From the OCI menu, click Networking, then click Virtual Cloud Networks. Select the VCN for the region where the standby database will be configured.
    2. From the Virtual Cloud Networks menu, click Route Tables, then select the route table for the private subnet.
    3. Add a route to the VCN where the primary database is configured.
      For example, if the primary database is running in a VCN whose CIDR block is 10.0.0.0/16, add a route for destination 10.0.0.0/16 using the DRG.
  8. Add an Ingress Security Rule to the Private Network Security List to allow connections to port 1521 from the VCN where the primary database is configured (using the example above, from network 10.0.0.0/16).
  9. In the primary database's region, navigate to the OCI menu, and select Networking. Click Virtual Cloud Networks, then select the VCN for the network where the primary database is running.
  10. Click Remote Peering Connections Attachments.
    The Remote Peering Connection created in step 2, substep 5, is displayed in Peering Status New (not peered).
  11. Click the Remote Peering Connection name.
    The Remote Peering Connection details are displayed.
  12. From the Remote Peering Connection details page, click Establish Connection.
    A new window will open.
  13. Select the region where the standby database will be running, and enter the OCID of the standby Remote Peering Connection (the OCID noted in step 6, substep 5).
    If peering is successful, the Peering Status will change from New, to Pending, to Peered.
    Network communication between the two regions' VCNs is now established, and cross-region Data Guard can be configured.
  14. From the OCI menu, click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
  15. Select the compartment where the primary database VM cluster is configured.
  16. Select the VM cluster that includes the database to be configured with Oracle Data Guard.
  17. Click the database name to select the database.
  18. Under Resources, click Data Guard Associations.
  19. Click Add Standby. An Add standby window opens; the options displayed depend on your database version. Database versions 11g and 12c support Data Guard Associations, while versions 19c and newer support Data Guard Groups. Select whether to configure a Data Guard Association or a Data Guard Group.
  20. Configure the Data Guard options:
    • Region: Select the region where the standby database will be running. A different region must be provided because this is a cross-region Oracle Data Guard configuration.
    • Availability Domain: Select the availability domain where the standby Oracle Exadata Database Service on Dedicated Infrastructure is deployed.
    • Exadata Infrastructure: Select the Exadata Infrastructure where the standby will be running.
    • VM Cluster: Select the VM cluster where the standby database will be running. If the standby database will be running on a VM cluster on a different compartment, select the corresponding compartment. By default, the same compartment as the primary database is selected.
    • Data Guard Type: Select Data Guard or Active Data Guard. Active Data Guard may require an additional license.
    • Protection Mode: Select Max Performance. This is the only supported option for cross-region Data Guard.
    • Transport: Select asynchronous. This is the only supported option for cross-region Data Guard.
    • Database Home: Select existing or create a new database home. Ensure the database home runs the same Oracle database software version and patches as the primary.
    • Database Unique Name: (Optional) Enter a database unique name for the peer standby database. If none is entered, the OCI console automatically assigns a database unique name to the standby database.
    • Password: Provide the sys password for the primary database. The sys password and TDE wallet password must be the same when using Oracle-managed keys.
    • TDE Password: Enter the TDE password for the primary database. The sys and TDE passwords may be the same when using Oracle-managed keys.
  21. Click Add Standby.
After the work request is complete, a new database is created in the standby VM Cluster, and a Data Guard Group or Association is created between the two databases. The new database is configured as a standby database.
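A check for the networking prerequisites in steps 3, 4, 7 and 8 above, as an added example (not Oracle's code): given one region's private-subnet route rules and security-list ingress rules, it confirms the peer VCN's CIDR is routed to the DRG and that TCP 1521 is reachable from the peer VCN, and it flags an ingress rule whose source is wider than the peer VCN (such as 0.0.0.0/0). The rule dictionaries are assumed to use the key names of `oci network route-table get` and `oci network security-list get` JSON output; the DRG OCID and sample rules are constructed placeholders.

```python
import ipaddress

def check_peer_network(route_rules, ingress_rules, peer_cidr, drg_ocid):
    """Return a list of findings; an empty list means both requirements are met."""
    peer = ipaddress.ip_network(peer_cidr)
    findings = []
    # 1. Route: the peer CIDR (or a prefix covering it) must point at the DRG.
    routed = any(
        r.get("destination-type", "CIDR_BLOCK") == "CIDR_BLOCK"
        and peer.subnet_of(ipaddress.ip_network(r["destination"]))
        and r.get("network-entity-id") == drg_ocid
        for r in route_rules
    )
    if not routed:
        findings.append(f"no route for {peer_cidr} via DRG {drg_ocid}")
    # 2. Ingress: TCP 1521 must be open from the peer CIDR, and the rule that
    #    opens it should be no wider than the peer VCN (0.0.0.0/0 is a finding).
    admitting = []
    for r in ingress_rules:
        if r.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue
        if r.get("protocol") == "6":  # 6 = TCP
            rng = (r.get("tcp-options") or {}).get("destination-port-range")
            if rng and not (rng["min"] <= 1521 <= rng["max"]):
                continue
        elif r.get("protocol") != "all":
            continue
        src = ipaddress.ip_network(r["source"])
        if peer.subnet_of(src):
            admitting.append(src)
    if not admitting:
        findings.append(f"no ingress rule allowing TCP 1521 from {peer_cidr}")
    findings += [f"ingress rule from {s} is wider than peer VCN {peer_cidr}"
                 for s in admitting if s != peer]
    return findings

# Constructed sample for the primary region: the route to the standby VCN
# 10.1.0.0/16 is correct, but the listener port was opened to 0.0.0.0/0.
DRG = "ocid1.drg.oc1..EXAMPLE"  # placeholder, not a real OCID
ROUTES = [{"destination": "10.1.0.0/16", "destination-type": "CIDR_BLOCK",
           "network-entity-id": DRG}]
INGRESS = [{"protocol": "6", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
            "tcp-options": {"destination-port-range": {"min": 1521, "max": 1521}}}]

if __name__ == "__main__":
    for finding in check_peer_network(ROUTES, INGRESS, "10.1.0.0/16", DRG):
        print("FINDING:", finding)
```

Run the same check in the standby region with the primary VCN's CIDR (10.0.0.0/16 in the page's example) as `peer_cidr`.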