About Migrating Oracle Cloud Infrastructure Volume Data Across Tenancies
Migrating data across tenancies can be a challenging task, but with proper planning and by using well-tested processes, you can migrate data from one tenancy to another safely, securely, and with little downtime.
- Migrate data across multiple customer tenancies.
- Migrate data to new tenancies for operational/business reasons, such as moving service providers.
- Protect against ransomware attacks.
Understand Migration Methods
You can use either of the following options to migrate data stored on your OCI volumes, including both boot and block volumes.
- Cross Tenancy Cloning: for data migrations within an Availability Domain (AD)
- Cross Tenancy Restore: for data migrations across ADs
Cross Tenancy Cloning
OCI exposes only logical ADs to customers. The mapping from logical AD to physical AD is defined per tenancy and can vary between tenancies. So, even though a volume is listed as stored in AD1 in the old tenancy, the cross tenancy cloned volume could be in AD3 in the new tenancy. After cloning, the volume may therefore appear to have moved between ADs when it actually still resides on the same physical AD. If you want to migrate to a specific AD in the same region, you can use cross tenancy restore instead of cloning.
Cross Tenancy Restore
Understand Required Permissions
The permissions required to perform these operations are strictly controlled by OCI identity policies. The Admit policy should be defined in the old tenancy and the corresponding Endorse policy should be defined in the new tenancy. This will allow users to run cross tenancy operations.
- Configure cross-tenancy identities for users of another tenancy only on demand, and with the utmost care. Remove these identities immediately after the cross-tenancy operations are completed.
- Only grant permissions that are required for running the cross-tenancy operations.
- Never grant write, update, or delete permissions to cross-tenancy users, and add conditions in the IAM policies for all incoming requests.
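The guidance above can be checked mechanically before an Admit policy is applied in the old tenancy. The following is an added example, not Oracle's code or part of the original page: a small linter that flags Admit statements whose verb goes beyond read-only, whose scope is the whole tenancy, or that carry no where clause. The group, tenancy, and compartment names and the sample statements are constructed placeholders, not the policies Oracle specifies for cloning or restore.

```python
import re

# In OCI policy language `use` adds update-level permissions and `manage`
# adds create/delete, so only `inspect` and `read` are treated as read-only.
READ_ONLY_VERBS = {"inspect", "read"}

ADMIT_RE = re.compile(
    r"^admit\s+group\s+(?P<group>\S+)\s+of\s+tenancy\s+(?P<tenancy>\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)

def lint_admit(statement):
    """Return a list of findings for one Admit statement (empty list = clean)."""
    m = ADMIT_RE.match(statement.strip())
    if not m:
        return ["not a recognised Admit statement"]
    findings = []
    if m["verb"].lower() not in READ_ONLY_VERBS:
        findings.append(f"verb '{m['verb'].lower()}' allows changes to {m['resource']}")
    if m["resource"].lower() == "all-resources":
        findings.append("resource type is all-resources")
    if m["location"].lower() == "tenancy":
        findings.append("scope is the whole tenancy, not a compartment")
    if not m["condition"]:
        findings.append("no where clause restricts incoming requests")
    return findings

def lint_policy(statements):
    """Map each Admit statement to its findings; Define lines are skipped."""
    return {s: lint_admit(s) for s in statements
            if s.strip().lower().startswith("admit")}

# Constructed sample policy for the old (source) tenancy; names are placeholders.
SAMPLE = [
    "Define tenancy NewTenancy as ocid1.tenancy.oc1..EXAMPLE",
    "Admit group MigrationOps of tenancy NewTenancy to read volume-backups "
    "in compartment Migration where request.operation = 'GetVolumeBackup'",
    "Admit group MigrationOps of tenancy NewTenancy to manage volume-family in tenancy",
]

if __name__ == "__main__":
    for stmt, issues in lint_policy(SAMPLE).items():
        print("OK  " if not issues else "FAIL", stmt)
        for issue in issues:
            print("     -", issue)
```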