Enable disaster recovery with Oracle FLEXCUBE data storage

Regulations often require banks to store and handle data in-country. This makes it difficult to set up reliable disaster recovery strategies, but region-to-region backups can solve this problem.

Banks have a critical need to protect their data from system failures and other disasters. Banks are also subject to a wide variety of regulations, including regulations that restrict where they can store their data. Even in cases where banks are able to store data in the cloud, that data must often reside in the same country or region as the bank. This makes it difficult to reliably back up data for disaster recovery.

Oracle Cloud Infrastructure (OCI) is available in many regions, which makes it possible to set up region-to-region replication that provides complete disaster recovery while still keeping your data in a particular geography. For instance, you could host your primary cloud service in the US West region and copy your backup data to the US East region. In the case of a critical failure, the whole system can fail over to the US East region, which will enable all services on demand. This satisfies regulatory concerns while also ensuring that both sites are extremely unlikely to experience problems at the same time.

Architecture

This architecture uses cross-region replication for disaster recovery. FLEXCUBE data from the active region is regularly backed up to a second region, which will activate if the first region fails.


Illustration: flexcube-disaster-recovery-flow.png

Oracle Autonomous Transaction Processing (ATP) uses Automatic Storage Management (ASM) to store blocks and files in Oracle Cloud Infrastructure Object Storage. Storage policies are applied to the data in Object Storage to create a time series backup. This backup is automatically replicated to the secondary region, where a cloned instance of FLEXCUBE can be restored during a failover event.

The following diagram illustrates the architecture topology.


Illustration: flexcube-disaster-recovery.png

flexcub-disaster-recovery-oracle.zip

In this architecture, we use Oracle Cloud Infrastructure Storage Gateway to provide an NFS target. Any on-premises application can then write to that NFS target, which will in turn write the data to Object Storage.

You can also use Oracle Cloud Infrastructure FastConnect to provide secure and efficient transfer, and to transfer other data (such as Database data) to Object Storage directly.

To set up Storage Gateway:

  1. Install Storage Gateway on a compute instance, either in OCI or on-premises.
  2. Create a file system on Storage Gateway that uses Object Storage to save and retrieve data.
  3. Map Storage Gateway's exposed NFS mount point to any host that supports an NFSv4 client. The Storage Gateway mount point maps to an Object Storage bucket with the same name.

In addition to easy backups, Storage Gateway provides the following features:

  • Automated object deletion

    When you delete files from Storage Gateway's file system, the corresponding object in Object Storage is automatically deleted.

  • Cache pinning

    Pin files to the file system cache for quick access.

  • Health check

    Automated health check of services and resources, local storage, file system cache, metadata storage, and log storage.

  • Cloud sync

    Integrated utility to store and retrieve files from Object Storage.

The architecture has the following components:

  • Tenancy

    A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

  • Compartment

    Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Virtual cloud network (VCN) and subnet

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Load balancer

    The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Site-to-Site VPN

    Site-to-Site VPN provides IPSec VPN connectivity between your on-premises network and VCNs in Oracle Cloud Infrastructure. The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives.

  • FastConnect

    Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options and a more reliable networking experience when compared with internet-based connections.

  • Cloud Guard

    You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

  • Object storage

    Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

  • Autonomous Transaction Processing

    Oracle Autonomous Transaction Processing is a self-driving, self-securing, self-repairing database service that is optimized for transaction processing workloads. You do not need to configure or manage any hardware, or install any software. Oracle Cloud Infrastructure handles creating the database, as well as backing up, patching, upgrading, and tuning the database.

Recommendations

Use the following recommendations as a starting point. Your requirements might differ from the architecture described here.

  • Object Storage Policy
    • Lifecycle policies

      Ensure that your policies match your retention rules, and that you conform to any applicable Service Level Agreements (SLAs).

    • Immutable Object

      Immutable objects ensure that no changes are made to objects once they are committed to storage. This helps protect you from ransomware attacks, operator errors, and other application errors.

    • Object Versioning (Optional)

      Object versioning may be enforced to ensure that previous backups may be restored. This may be required by your SLAs.

    • Bucket Replication

      All data is replicated automatically to an alternate region, ensuring SLA objectives are met.

  • VCN

    When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.

    Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.

    After you create a VCN, you can change, add, and remove its CIDR blocks.

    When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.

    Use regional subnets.

  • Cloud Guard

    Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public.

    Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations.

    You can also use the Managed List feature to apply certain configurations to detectors.
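
As an added example (not Oracle's code), the following Python check audits bucket settings against the Object Storage and Cloud Guard recommendations above: private visibility, a retention rule, and replication to a different region inside the permitted geography. The bucket dictionaries and their key names are constructed for illustration, and the region identifiers in `ALLOWED_REGIONS` are assumptions standing in for the US West and US East pair described earlier.

```python
# Added example: audit backup-bucket settings against the recommendations.
# Key names are assumptions; map them from your own inventory export.
ALLOWED_REGIONS = {"us-phoenix-1", "us-ashburn-1"}  # assumed in-country pair


def audit_bucket(bucket, allowed_regions=ALLOWED_REGIONS):
    """Return (severity, message) findings for one bucket description."""
    name, region = bucket["name"], bucket["region"]
    findings = []
    if region not in allowed_regions:
        findings.append(("FAIL", f"{name}: source region {region} is outside the permitted geography"))
    # A missing value is treated as a failure so unknown state is never trusted.
    if bucket.get("public_access_type") != "NoPublicAccess":
        findings.append(("FAIL", f"{name}: bucket visibility is not private"))
    if not bucket.get("retention_rules"):
        findings.append(("FAIL", f"{name}: no retention rule, so backups are not immutable"))
    targets = [p["destination_region"] for p in bucket.get("replication_policies", [])]
    if not targets:
        findings.append(("FAIL", f"{name}: no replication policy, so no copy exists for failover"))
    for dest in targets:
        if dest == region:
            findings.append(("FAIL", f"{name}: replica is in the same region ({dest})"))
        elif dest not in allowed_regions:
            findings.append(("FAIL", f"{name}: replica in {dest} leaves the permitted geography"))
    # Versioning is listed as optional, so it is reported but never fails the audit.
    if bucket.get("versioning") != "Enabled":
        findings.append(("INFO", f"{name}: object versioning is not enabled"))
    return findings


def failures(bucket):
    """Only the findings that violate a recommendation."""
    return [msg for sev, msg in audit_bucket(bucket) if sev == "FAIL"]


# Constructed sample data, not taken from a real tenancy.
SAMPLE_BUCKETS = [
    {"name": "flexcube-backup", "region": "us-phoenix-1",
     "public_access_type": "NoPublicAccess", "versioning": "Disabled",
     "retention_rules": [{"duration_days": 90}],
     "replication_policies": [{"destination_region": "us-ashburn-1"}]},
    {"name": "flexcube-export", "region": "us-phoenix-1",
     "public_access_type": "ObjectRead", "versioning": "Enabled",
     "retention_rules": [],
     "replication_policies": [{"destination_region": "eu-frankfurt-1"}]},
]

if __name__ == "__main__":
    for b in SAMPLE_BUCKETS:
        for sev, msg in audit_bucket(b):
            print(sev, msg)
```

Run it on a schedule against an export of your bucket configuration, and treat any `FAIL` line as a drift from the data-residency or immutability requirements.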

Considerations

When enabling cross-regional disaster recovery for FLEXCUBE, consider these factors.

  • Performance

    You can use FastConnect or IPSec VPN to manage costs, depending on the amount of data you are transferring. Files that need frequent access can be stored in the Object Storage standard tier for faster access.

  • Security

    By default, Oracle Cloud encrypts all objects placed in the Object Storage buckets. For additional security, you can also encrypt these objects using customer-managed keys.

  • Availability

    While Object Storage is highly available, it is subject to regional failures. This architecture demonstrates how to configure cross-region replication to protect against such failures.

  • Cost

    Pricing varies depending on the selected Object Storage tier. Some objects also have retention requirements, and violating those requirements can trigger extra charges. You should carefully consider which tier best suits your needs.

  • Migrating to OCI

    If migrating from an on-premises solution, note that Storage Gateway flattens nested directories. Your file system directory structure is retained through object metadata and prefixes. This may change how you search files when stored as objects.

Deploy

These resources will help you set up your OCI environment and install and configure FLEXCUBE. You will have to set up the rest of the architecture manually.

Use this Terraform module to provision a minimal infrastructure on OCI. It creates a VCN, along with optional NAT, Internet and Service Gateways, and an optional Bastion Host.

  1. Go to GitHub for OCI Base.
  2. Clone or download the repository to your local computer.
  3. Follow the instructions in the README document.

Use this reference to help you deploy FLEXCUBE.

  1. Go to GitHub.
  2. Follow the instructions on the page.

Explore More

Learn more about deploying applications in Oracle Cloud Infrastructure.

Review these additional resources:

Acknowledgments

  • Author: Michael Rutledge