Deploy Oracle E-Business Suite on Oracle Database@Azure
Leveraging both Microsoft Azure and Oracle Cloud Infrastructure (OCI) through Oracle Database@Azure provides optimal performance and resilience. This architecture, designed with help from Apps Associates for a large customer, deploys Oracle E-Business Suite applications on Microsoft Azure while harnessing the unparalleled database capabilities of Oracle Database@Azure.
With their expertise as a certified Oracle Cloud Service Provider, Apps Associates empowers clients to achieve seamless cloud adoption. Their comprehensive, end-to-end guidance includes strategic Oracle Cloud service selection, accurate sizing and cost estimation, thorough migration planning and execution, and reliable post-migration support or transition. Through detailed workload metric analysis during the assessment phase, they deliver data-driven recommendations for architecture, instance sizing, and resource optimization.
The following diagram shows a simplified overview of the network architecture.
Architecture
This architecture follows Microsoft Azure landing zone best practices and employs multiple subscriptions to logically separate shared and workload resources.
The highly scalable network topology uses an Azure Virtual WAN hub or a secured virtual hub, simplifying the deployment of complex hub-and-spoke networks. The network infrastructure facilitates seamless routing across Azure regions, between virtual networks, and to on-premises locations by using ExpressRoute, point-to-site VPN, and site-to-site VPN, all secured by Azure Firewall.
The following diagram illustrates the architecture:
The architecture has the following Oracle Cloud Infrastructure (OCI) components:
- Region
An OCI region is a localized geographic area that contains one or more data centers, hosting availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).
- Virtual cloud network (VCN) and subnets
A VCN is a customizable, software-defined network that you set up in an OCI region. Like traditional data center networks, VCNs give you control over your network environment. A VCN can have multiple non-overlapping classless inter-domain routing (CIDR) blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.
- Route table
Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.
- Security list
For each subnet, you can create security rules that specify the source, destination, and type of traffic that is allowed in and out of the subnet.
- Network security group (NSG)
NSGs act as virtual firewalls for your cloud resources. With the zero-trust security model of OCI, you control the network traffic inside a VCN. An NSG consists of a set of ingress and egress security rules that apply only to a specified set of virtual network interface cards (VNICs) in a single VCN.
- Oracle Database@Azure
Oracle Database@Azure is the Oracle Database service (Oracle Exadata Database Service on Dedicated Infrastructure and Oracle Autonomous Database Serverless) running on OCI, deployed in Microsoft Azure data centers. The service offers features and price parity with OCI. Purchase the service on Azure Marketplace.
Oracle Database@Azure integrates Oracle Exadata Database Service, Oracle Real Application Clusters (Oracle RAC), and Oracle Data Guard technologies into the Azure platform. Users manage the service on the Azure console and with Azure automation tools. The service is deployed in Azure Virtual Network (VNet) and integrated with the Azure identity and access management system. The OCI and Oracle Database generic metrics and audit logs are natively available in Azure. The service requires users to have an Azure subscription and an OCI tenancy.
Autonomous Database is built on Oracle Exadata infrastructure and is self-managing, self-securing, and self-repairing, helping eliminate manual database management and human errors. Autonomous Database enables development of scalable AI-powered apps with any data, using built-in AI capabilities and your choice of large language model (LLM) and deployment location.
Both Oracle Exadata Database Service and Oracle Autonomous Database Serverless are easily provisioned through the native Azure Portal, enabling access to the broader Azure ecosystem.
- Exadata Database Service on Dedicated Infrastructure
Oracle Exadata Database Service on Dedicated Infrastructure enables you to leverage the power of Exadata in the cloud. Oracle Exadata Database Service delivers proven Oracle Database capabilities on purpose-built, optimized Oracle Exadata infrastructure in the public cloud. Built-in cloud automation, elastic resource scaling, security, and fast performance for all Oracle Database workloads helps you simplify management and reduce costs.
- Object storage
OCI Object Storage provides access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store data directly from the internet or from within the cloud platform. You can scale storage without experiencing any degradation in performance or service reliability.
Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.
This architecture has the following Microsoft Azure components:
- Azure availability zone
Azure availability zones are physically separate locations within an Azure region, designed to ensure high availability and resiliency by providing independent power, cooling, and networking.
- Azure Virtual Network (VNet)
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure virtual machines (VMs), to securely communicate with each other, the internet, and on-premises networks.
- Azure availability sets
Availability sets are logical groupings of VMs that reduce the chance of correlated failures bringing down related VMs at the same time.
- Recovery Services vault
A Recovery Services vault is an Azure service that stores backup data, such as server and virtual machine configurations, workstation data, and Azure SQL database data, in an organized way.
- Azure DNS
Azure DNS is a cloud-based domain name system (DNS) service that provides fast and reliable domain name resolution for Azure resources and external domains. It allows users to host their DNS zones in Azure, ensuring high availability and low-latency query responses. The service integrates with Azure Resource Manager for seamless management and supports features such as custom DNS records, traffic routing, and private DNS zones. Azure DNS does not support domain registration but works with third-party registrars for end-to-end domain management.
- Azure Firewall
Azure Firewall is a cloud-native, stateful firewall security service that provides network and application-level protection for resources in Microsoft Azure. It offers high availability and scalability, ensuring secure and controlled traffic flow across Azure Virtual Networks. With built-in threat intelligence and filtering capabilities, it allows administrators to define rules for inbound and outbound traffic. Azure Firewall integrates with Azure Security Center and other security services to enhance network security and compliance.
- Azure ExpressRoute
Azure ExpressRoute is a service that enables private connections between on-premises data centers and Microsoft Azure, bypassing the public internet. This results in higher security, reliability, and faster speeds with consistent latencies. ExpressRoute connections can be established through a connectivity provider using various methods such as point-to-point ethernet, any-to-any (IP VPN), or virtual cross-connections. When integrating with on-premises data centers, ExpressRoute allows seamless extension of your network into the cloud, facilitating hybrid cloud scenarios, disaster recovery, and data migration with enhanced performance and security.
- Azure Virtual WAN
Azure Virtual WAN (VWAN) is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface.
- Azure secure hub
An Azure secure hub, also known as a secured virtual hub, is an Azure Virtual WAN hub enhanced with security and routing policies managed by Azure Firewall Manager. It simplifies the creation of hub-and-spoke and transitive network architectures by integrating native security services for traffic governance and protection. This setup automates traffic routing, eliminating the need for user-defined routes. Organizations can use a secure hub to filter and secure traffic between virtual networks, branch offices, and the internet, ensuring robust security and streamlined network management.
- NFS
Network File System (NFS) is a distributed file system protocol that allows you to access and share files over a network as if they were on a local disk. NFS enables seamless file sharing between Linux, UNIX, and Windows systems and supports remote storage access. NFS operates over TCP/IP and uses a client-server architecture, where a server provides file systems that clients can mount. It is commonly used for network storage, virtualization, and cloud environments due to its scalability and ease of integration.
- Azure NetApp Files
Azure NetApp Files is a data storage and cloud solution, powered by NetApp, that provides high-performance storage, data management, and hybrid cloud services. Its storage systems, such as ONTAP, offer scalability, efficiency, and security for enterprise workloads, including databases, virtualization, and AI applications. NetApp integrates with major cloud providers like Azure, AWS, and Google Cloud to enable seamless hybrid and multicloud deployments. With features like snapshots, deduplication, and disaster recovery, NetApp helps businesses optimize storage and data protection strategies. This design uses Azure NetApp Files for the Oracle E-Business Suite application servers and to provide stronger isolation between production and non-production instances during cloning.
Azure NetApp Files is used for the Oracle E-Business Suite shared APPL_TOP file system and also as backup storage for Oracle databases using RMAN.
A dedicated virtual network used exclusively by Azure NetApp Files keeps all of the storage in a central location.
- SFTP
Secure file transfer protocol (SFTP) is a network protocol that enables secure file transfer over secure shell (SSH), ensuring encryption and data integrity. Unlike traditional FTP, SFTP protects data during transmission by encrypting both commands and files, preventing unauthorized access. It supports authentication methods such as passwords, SSH keys, and multifactor authentication for enhanced security. SFTP is widely used for secure file sharing in enterprises, cloud environments, and automated data transfers.
- Resource groups
In Azure, a resource group is a logical container that holds related resources and that allows you to manage those resources as a single unit, simplifying deployment, monitoring, and access control.
- Rg-hub
Rg-hub is an Azure resource group for Azure secure hub resources.
- Rg-dmz
Rg-dmz is an Azure resource group for DMZ resources.
- Rg-anf
Rg-anf is an Azure resource group for Azure NetApp Files resources.
- Rg-shared
Rg-shared is an Azure resource group for the shared services deployed in this architecture, for example DNS.
- Rg-ebs
Rg-ebs is an Azure resource group for load balancing, application, and backup resources.
- Rg-odaa
Rg-odaa is an Azure resource group for Oracle Database@Azure resources.
- ANF-subnet
A delegated Azure subnet for the Azure NetApp Files deployment inside the virtual network of the database resources, which improves Oracle Database backup time.
- Connectivity subscription
An Azure subscription is a logical container in Azure used to provision and manage related business or technical resources, serving as a single billing unit and administrative boundary.
The connectivity subscription is the central location in a hub-spoke network topology where the secured hub and shared resources reside. The dedicated on-premises ExpressRoute connection terminates at the central hub, which connects to the spoke networks.
- Workload Subscription
All of the workload-related resources are provisioned under the workload subscription.
Recommendations
Your requirements might differ from the architecture described here.
- Subscription
- You need at least one Azure subscription with a purchase offer for Oracle Database@Azure. This architecture uses two subscriptions to deploy multiple Oracle Database@Azure instances in different regions (subscriptions).
- Make sure that you have access to an OCI tenancy.
- Make sure that you have an active Oracle Database@Azure multicloud link between Azure and OCI (this connection is created by default when you provision Oracle Database@Azure and is managed by Oracle).
- Make sure that you have adequate Oracle Exadata Database Service limits prior to provisioning.
- Deployment
- The application VMs are deployed on Azure infrastructure while databases are deployed on OCI with Exadata infrastructure located inside the Azure data centers.
- Make sure that the onboarding process for Oracle Database@Azure is complete before provisioning Oracle Database@Azure resources.
- Primary and standby database subnets should be in distinct VNets configured with non-overlapping CIDR blocks.
- Ensure that the physical locations of the Azure VMs and the Oracle VM clusters are the same. Logical locations can differ from physical locations.
- The application tier (VMs, and so on) should use availability sets so that related VMs are not all affected by a single fault.
- For multiregion deployments, the same architecture is deployed in both the regions.
- Network
- You need at least one Azure VNet to provision Oracle Database@Azure. You can, however, use multiple VNets. This architecture uses different VNets to deploy multiple Oracle Database@Azure instances in different regions (subscriptions).
- Use separate VNets for application, database, and NetApp storage.
- This architecture leverages dedicated VNets for Azure NetApp Files, applications, and databases. For better application performance, peer the Azure NetApp Files VNet with the application and database VNets. For database backup performance, provision Azure NetApp Files inside the database VNet.
- All the traffic, except for storage, should go through the Azure Firewall for better security.
- Higher latencies and performance degradation can occur when Azure NetApp Files is NFS-mounted over hub-and-spoke topology where the network traffic is routed through a firewall. To avoid storage latencies, peer the VNets so that VNet peering takes precedence over hub-spoke connectivity.
- The IP CIDR blocks for any Azure VNets and OCI virtual cloud networks (VCNs) must not overlap.
- The CIDR blocks for any Azure VNets must not overlap with on-premises networks.
- Primary and standby database subnets should be in distinct VNets configured with non-overlapping CIDR blocks.
- You need delegated subnets for Oracle Database@Azure and Azure NetApp Files.
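As an added example (not part of the original architecture documentation), the following Python script checks an address plan against the network rules above: no overlap among Azure VNets, OCI VCNs, and on-premises ranges, and every delegated subnet contained in the VNet it is declared in. All names and CIDR values are constructed for illustration; two entries are deliberately wrong so the output shows what each check reports.

```python
"""Pre-deployment CIDR sanity check for the VNet/VCN layout of this architecture."""
import ipaddress
from itertools import combinations

# Constructed sample address plan (assumption, not taken from the page).
# Azure VNets, the OCI VCNs reachable from them, and on-premises ranges
# reachable over ExpressRoute must all use non-overlapping CIDR blocks.
ADDRESS_SPACES = {
    "onprem-dc1": "10.0.0.0/16",
    "hub-eastus": "10.10.0.0/22",
    "app-vnet-eastus": "10.11.0.0/20",
    "db-vnet-eastus": "10.12.0.0/20",
    "anf-vnet-eastus": "10.13.0.0/22",
    "db-vnet-westus": "10.22.0.0/20",   # standby region, must not overlap primary
    "oci-vcn-dr": "10.22.0.0/16",       # deliberately overlaps db-vnet-westus
}

# Delegated subnets (Oracle Database@Azure and Azure NetApp Files) with the
# VNet each is declared in. The ANF subnet inside the database VNet serves
# RMAN backups; the one in the ANF VNet serves the application tier.
DELEGATED_SUBNETS = {
    "oradb-delegated": ("db-vnet-eastus", "10.12.0.0/24"),
    "anf-backup-delegated": ("db-vnet-eastus", "10.12.1.0/24"),
    "anf-app-delegated": ("anf-vnet-eastus", "10.13.4.0/24"),  # deliberately outside /22
}


def find_overlaps(spaces):
    """Return sorted name pairs whose CIDR blocks overlap (nesting counts)."""
    nets = {n: ipaddress.ip_network(c, strict=True) for n, c in spaces.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def misplaced_subnets(subnets, spaces):
    """Return names of delegated subnets not contained in their declared VNet."""
    bad = []
    for name, (parent, cidr) in subnets.items():
        parent_net = ipaddress.ip_network(spaces[parent], strict=True)
        if not ipaddress.ip_network(cidr, strict=True).subnet_of(parent_net):
            bad.append(name)
    return sorted(bad)


def plan_is_valid(spaces=ADDRESS_SPACES, subnets=DELEGATED_SUBNETS):
    """True only when both checks pass; run this before provisioning."""
    return not find_overlaps(spaces) and not misplaced_subnets(subnets, spaces)


if __name__ == "__main__":
    print("overlapping blocks:", find_overlaps(ADDRESS_SPACES))
    print("misplaced delegated subnets:", misplaced_subnets(DELEGATED_SUBNETS, ADDRESS_SPACES))
    print("plan valid:", plan_is_valid())
```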
Considerations
When deploying Oracle E-Business Suite on Oracle Database@Azure, consider these options.
- Disaster recovery
Disaster recovery is not represented in this architecture. To use Oracle Data Guard for disaster recovery at the database layer, you must provision VCN peering between the regions by using a dynamic routing gateway (DRG) and local peering.
- Network setup for Oracle Database@Azure
- Azure environment: Uses an Azure virtual network for networking and creates VNICs inside a pre-created delegated subnet.
- OCI environment: Oracle Database@Azure connects to a client subnet within an OCI VCN.
- Client Connectivity
This network setup allows client connectivity from Azure resources.
- Azure ExpressRoute
The Azure ExpressRoute cost varies from one region to another and there is more than one SKU available for ExpressRoute. Oracle recommends using the Local configuration, because it has no separate ingress or egress charges, and it starts at the minimum bandwidth of 1 Gbps. The Standard and Premium configurations offer lower bandwidth, but incur separate egress charges in a metered setup.
- Oracle Exadata Database Service on Dedicated Infrastructure cost
- Deployed infrastructure has a consistent cost and can be shut down at any time (minimum 48 hours is charged).
- Run-time costs are determined by the number of OCPUs assigned to the VM, and that number can be scaled.
- Licensing options include both Bring Your Own License (BYOL) and License Included.
- Oracle Support Rewards are available for BYOL.
- Performance
- Customers experience the same performance that they would experience with any other Exadata deployment (Oracle Exadata Database Service, Oracle Exadata Database Service on Cloud@Customer, or on-premises).
- Latency (one way/round trip) from an Azure VM of any type to Oracle Database@Azure is solely the province of Azure cloud services. The goal is 0.5 ms, but it can vary due to Azure networking considerations.
- Oracle does not charge any data egress fees for Oracle Database@Azure, but depending on the Azure architecture, Microsoft may charge data movement fees.
- Availability
Exadata deployments have a 99.99% service level objective (SLO). Higher numbers can be reached by using a maximum availability architecture (MAA), which can include setting up a disaster recovery site and using backup and restore capabilities such as Oracle Database Autonomous Recovery Service.
Explore More
Learn more about the features of this architecture and about related architectures.
- Learn about Oracle Maximum Availability Architecture for Oracle Database@Azure
- Learn about selecting network topologies for Oracle Database@Azure
- Move to Oracle Database@Azure with Oracle Zero Downtime Migration
- Implement cross-region disaster recovery for Exadata Database on Oracle Database@Azure
- Tutorial: Secure your virtual hub using Azure Firewall Manager