ODB Network Design
Learn about Oracle AI Database@AWS's ODB Network requirements and find reference information for network design.
An ODB network is a private and isolated network that hosts the Oracle Exadata VM Clusters and Autonomous VM Clusters within a specified AWS Availability Zone (AZ). The ODB network consists of a CIDR range of IP addresses. The ODB network maps directly to the network that exists within the Oracle Cloud Infrastructure (OCI) child site, thus serving as the means of communication between AWS and OCI. In Oracle Multicloud architecture, the ODB network is designed to accommodate and provide network connectivity for the OCI components that are part of Oracle AI Database@AWS.
The ODB network is a private network, and by default, doesn't have connectivity to AWS VPCs, on-premises networks or the internet. ODB peering is a user-created network connection that enables traffic to be routed privately between an Amazon VPC and an ODB network. In Oracle Multicloud architecture, traffic between your applications in the VPC and the Oracle database in the ODB network is routed privately through ODB Peering without moving over the public internet.
The ODB network requires a client subnet CIDR for Exadata VM Cluster and Autonomous VM Cluster creation. The network also requires a backup subnet CIDR for Exadata VM Cluster creation to route the traffic for Oracle-managed backups from Exadata Database Service to the backup destination.
The following section describes the CIDR requirements and planning required when creating the ODB network.
Client subnet CIDR requirements
The minimum CIDR size for the client subnet is /27, and the maximum size is /16. The following table shows IP addresses consumed by the Oracle AI Database@AWS service and the infrastructure components for the client subnet CIDR:
| Number of IP addresses | Consumed by | Summary |
|---|---|---|
| 6 | Oracle AI Database@AWS | These IP addresses are reserved regardless of how many VM clusters you provision in the ODB network. Oracle AI Database@AWS consumes the following:
|
| 3 | Each VM cluster | These IP addresses are reserved for Single Client Access Names (SCANs) regardless of how many VMs are present in each VM cluster. |
| 4 | Each VM | Each VM created consumes 4 IP addresses. |
|
1 (optional 1) |
OCI DNS listening endpoint (optional) OCI DNS forwarding endpoint |
The ODB network creates one OCI DNS listening endpoint to forward DNS traffic from AWS to OCI. (Optionally, you can create an OCI DNS forwarding endpoint to forward DNS traffic from OCI to AWS.) |
Backup subnet CIDR requirements
The minimum CIDR size for the backup subnet is /28, and the maximum size is /16. The following table shows IP addresses consumed by the Oracle AI Database@AWS service and the infrastructure components for the backup subnet CIDR:
| Number of IP addresses | Consumed by | Summary |
|---|---|---|
| 3 | Oracle AI Database@AWS | These IP addresses are reserved regardless of how many VM clusters you provision in the ODB network. Oracle AI Database@AWS consumes the following:
|
| 3 | Each VM | Each VM created consumes 3 IP addresses. |
IP consumption scenarios
The following table explains how IP addresses are consumed in the ODB network for various VM clusters configurations.
| Configuration | Client subnet IPs consumed | Client subnet minimum CIDR | Backup subnet IPs consumed | Backup subnet minimum CIDR |
|---|---|---|---|---|
| 1 VM cluster with 2 VMs | 18 (6 service + 3 cluster + 4*2 + 1) | /27 CIDR range, 32 IPs | 9 (3 service + 3*2) | /28 CIDR range, 16 IPs |
| 1 VM cluster with 3 VMs | 22 (6 service + 3 cluster + 4*3 + 1) | /27 CIDR range, 32 IPs | 12 (3 service + 3*3) | /28 CIDR range, 16 IPs |
| 1 VM cluster with 4 VMs | 26 (6 service + 3 cluster + 4*4 + 1) | /27 CIDR range, 32 IPs | 15 (3 service + 3*4) | /28 CIDR range, 16 IPs |
| 1 VM cluster with 8 VMs | 42 (6 service + 3 cluster + 4*8 + 1) | /26 CIDR range, 64 IPs | 27 (3 service + 3*8) | /27 CIDR range, 32 IPs |
VM Cluster Scenarios: Client Subnet CIDR
The following table shows how many instances of each configuration are possible with a particular client subnet CIDR range. This table doesn't show all possible scenarios.
| Scenario (VM Cluster configuration) | Number of VM Clusters with /27 (32 IPs) | Number of VM Clusters with /26 (64 IPs) | Number of VM Clusters with /25 (128 IPs) | Number of VM Clusters with /24 (256 IPs) | Number of VM Clusters with /23 (512 IPs) | Number of VM Clusters with /22 (1024 IPs) |
|---|---|---|---|---|---|---|
| 1 VM Cluster with 2 VMs (17 IPs) | 1 | 3 | 7 | 15 | 30 | 60 |
| 1 VM Cluster with 3 VMs (21 IPs) | 1 | 3 | 6 | 12 | 24 | 48 |
| 1 VM Cluster with 4 VMs (25 IPs) | 1 | 2 | 5 | 10 | 20 | 40 |
| 2 VM Cluster with 2 VMs each (28+ IPs) | 1 | 2 | 4 | 9 | 18 | 36 |
| 2 VM Cluster with 3 VMs each (36 IPs) | 0 | 1 | 3 | 7 | 14 | 28 |
| 2 VM Cluster with 4 VMs each (44 IPs) | 0 | 1 | 2 | 5 | 11 | 23 |
VM Cluster Scenarios: Backup Subnet CIDR
The following table shows how many instances of each configuration are possible with a particular backup subnet CIDR range. This table doesn't show all possible scenarios.
| Scenario (VM Cluster configuration) | Number of VM Clusters with /27 (32 IPs) | Number of VM Clusters with /26 (64 IPs) | Number of VM Clusters with /25 (128 IPs) | Number of VM Clusters with /24 (256 IPs) | Number of VM Clusters with /23 (512 IPs) | Number of VM Clusters with /22 (1024 IPs) |
|---|---|---|---|---|---|---|
| 1 VM Cluster with 2 VMs (9 IPs) | 3 | 7 | 14 | 28 | 56 | 113 |
| 1 VM Cluster with 3 VMs (12 IPs) | 2 | 5 | 10 | 21 | 42 | 85 |
| 1 VM Cluster with 4 VMs (15 IPs) | 2 | 4 | 8 | 17 | 34 | 68 |
| 2 VM Cluster with 2 VMs each (15 IPs) | 2 | 4 | 8 | 17 | 34 | 68 |
| 2 VM Cluster with 3 VMs each (21 IPs) | 1 | 3 | 6 | 12 | 24 | 48 |
| 2 VM Cluster with 4 VMs each (27 IPs) | 1 | 2 | 7 | 9 | 18 | 37 |
Considerations
- An ODB network supports up to 45 ODB peering connections.
- An AWS placement group is created after setting up an ODB network. To learn how to place an Amazon EC2 instance into the created placement group, see AWS documentation for High Performance Networking.
- If the ODB network is in US East (N. Virginia) or US West (Oregon), and the network was created before February 7, 2026, then you must upgrade the network before adding ODB peering. Upgrade requires you to fully recreate your ODB network. Deletion of more than 1 ODB peering. To upgrade, you need to fully recreate your ODB network. Deletion of an ODB network requires you to delete all Exadata VMs but doesn't require you to delete or recreate your Exadata Infrastructure.
Restrictions for IP Addresses
The following restrictions apply for the CIDR range of the ODB network subnets:
- Valid private IPv4 CIDR ranges required: The CIDR block must be private and IPv4. For example, 10.0.0.0/16, 172.16.0.0/16, 192.168.1.0/26.
-
Restricted CIDR blocks
The following IP addresses can't be used for an ODB network:
- 100.64.0.0/10 - Reserved for the cluster interconnect by OCI automation
- 169.254.0.0/16 - Oracle Cloud reserved range CIDR
- 224.0.0.0 - 239.255.255.255 - Reserved Class D
- 240.0.0.0 - 255.255.255.255 - Reserved Class E
- Restricted associations: You can't use the VPC CIDR ranges in the Restricted associations column in the table in IPv4 CIDR block association restrictions.
- You can't overlap the IP address CIDR ranges of the client subnets and backup subnets.
- You can't overlap the IP address CIDR ranges of the client and backup subnets with the VPC CIDR ranges used to connect to the ODB network.
- You can't overlap the IP address CIDR ranges of the client and backup subnets with any of the existing VPC CIDR ranges in a region for the "buyer" or "owner" AWS Account. See AWS Account for details on these account types.
- You can't overlap the IP address CIDR ranges allocated for the Client subnets and Backup subnets with on-premises or other networks required to connect to the ODB network through AWS Transit Gateway or AWS Cloud WAN.
Network security groups (NSGs)
Oracle AI Database@AWS uses Oracle-managed NSGs for system-level communication and default client connectivity in an ODB network. Review these behaviors before modifying NSG rules or attaching VM clusters.
Depending on the resource and network configuration, Oracle-managed NSGs can include the following NSGs:
EXA_STATIC_NSGEXA_1521_ADJUSTABLE_NSGEXA_BACKUP_STATIC_NSGEXA_BACKUP_ADJUSTABLE_NSGADB_STATIC_NSGADB_1521_2484_ADJUSTABLE_NSGDNS_NSGZRCV_NSG
- Oracle-managed NSGs: The service automatically creates and manages NSGs (Static, Adjustable, DNS and ZRCV) as part of ODB network configuration. These NSGs support required service functionality, including intra-cluster communication, SCAN listeners, ICMP traffic, and related service dependencies. Security rules are automatically populated based on peered CIDRs, and Oracle-managed NSGs are automatically attached to VM clusters.
- Automation and reconciliation: During ODB network modify and update operations, the system reconciles Oracle-managed NSGs to the expected baseline state. Manually added rules can be removed, modified rules can revert to their original state, and default rules that were removed can be re-applied. This behavior is expected and ensures consistency, stability, and supportability of the service.
- Customer access: By default, the adjustable NSG allows access from all peered CIDRs and environments to Oracle AI Database@AWS resources. Review this default access model against your security requirements before using it.
- Recommended approach: For customer-specific connectivity and stricter security requirements, use customer-managed (custom) NSGs. Create custom NSGs, define only the required ingress and egress rules, attach the custom NSGs to the VM clusters, and detach the default adjustable NSGs from the VM clusters. This approach provides full and persistent control over security rules while avoiding conflicts with automation reconciliation behavior.
Don't modify or override Oracle-managed static NSGs. These NSGs are intended for system-level communication, including intra-cluster traffic within the client subnet. Don't delete or detach Oracle-managed NSGs (Static, Adjustable).
NSG Security Rules
The following security rules are added for every NSG.
EXA_STATIC_NSG
Establishes baseline Exadata connectivity for client and backup CIDRs.
| Direction | Source | Destination | Protocol | Port | More options | Description |
|---|---|---|---|---|---|---|
| Ingress | Client Subnet | ICMP |
Type: All Code: All |
Ingress Rule to Allow all ICMP traffic | ||
| Ingress | Backup Subnet | ICMP |
Type: All Code: All |
Ingress Rule to Allow all ICMP traffic | ||
| Ingress | Client Subnet | TCP |
Source Port: All Destination Port: All |
Ingress Rule to Allow all TCP traffic | ||
| Ingress | Backup Subnet | TCP |
Source Port: All Destination Port: All |
Ingress Rule to Allow all TCP traffic | ||
| Egress | Client subnet | All protocols | Allow egress to client subnet | |||
| Egress | Backup subnet | All protocols | Allow egress to backup subnet | |||
| Egress | OCI Object Storage | TCP |
Source Port: ALL Destination Port: 443 |
Egress rule to allow access to Object Storage |
EXA_1521_ADJUSTABLE_NSG
Supports Exadata access from application subnets and AWS CSP CIDRs using default ports and service integrations.
| Direction | Source | Destination | Protocol | Port | More options | Description |
|---|---|---|---|---|---|---|
| Egress | App Subnet | All | Allow egress to app subnets | |||
| Ingress | App Subnet | ICMP |
Type: 3 Code: All |
Ingress Rule to Allows connectivity error messages | ||
| Ingress | App Subnet | TCP |
Source Port: all Destination Port 1521 |
Ingress rule to allow TCP SQL*NET traffic | ||
| Ingress | App Subnet | TCP |
Source Port: all Destination Port 2484 |
Ingress rule to allow TCP(SSL) SQL*NET traffic | ||
| Ingress | Service, VPC, CIDR | TCP |
Source Port: all Destination Port 2484 |
Zero ETL Ingress rule to allow TCP SQL*NET traffic | ||
| Egress | Service, VPC, CIDR | TCP |
Source Port: all Destination Port 443 |
Rule required for OCI service to communicate to AWS KMS Service | ||
| Egress | Service. VPC, CIDR | TCP |
Source Port: all Destination Port 443 |
Rule required for OCI service to communicate to AWS STS Service |
EXA_BACKUP_STATIC_NSG
Supports backup, recovery, and Autonomous Recovery Service private endpoint workflows using trusted CIDRs.
| Direction | Source | Destination | Protocol | Port | More options | Description |
|---|---|---|---|---|---|---|
| Egress | Client subnet | All protocols | Allow egress for both client subnet | |||
| Egress | Backup subnet | All protocols | Allow egress for both client and backup subnet | |||
| Ingress | Client Subnet | ICMP |
Type: 3 Code: All |
Ingress Rule to Allows connectivity error messages | ||
| Ingress | Backup Subnet | ICMP |
Type: 3 Code: All |
Ingress Rule to Allows connectivity error messages | ||
| Ingress | Client Subnet | ICMP |
Type: 3 Code: 4 |
Ingress Rule to Allow Path MTU Discovery fragmentation messages
|
||
| Ingress | Backup Subnet | ICMP |
Type: 3 Code: 4 |
Ingress Rule to Allow Path MTU Discovery fragmentation messages
|
||
| Ingress | Client Subnet | TCP |
Source Port: All Destination Port: 22 |
Ingress Rule to Allow SSH traffic | ||
| Ingress | Backup Subnet | TCP |
Source Port: All Destination Port: 22 |
Ingress Rule to Allow SSH traffic | ||
| Egress | OCI Object Storage | TCP |
Source Port: ALL Destination Port: 443 |
Egress rule to allow access to Object Storage | ||
| Egress | zrv_nsg | TCP | 2484 | RCV Private Endpoint Egress Rules | ||
| Egress | zrv_nsg | TCP | 8005 | RCV Private Endpoint Egress Rules |
EXA_BACKUP_ADJUSTABLE_NSG
Enables cross-cloud backups to Amazon S3, isolated from static backup flows.
| Direction | Source | Destination | Protocol | Port | More options | Description |
|---|---|---|---|---|---|---|
| Ingress | App Subnet | ICMP |
Type: 3 code: All |
Ingress Rule to Allow Path MTU Discovery fragmentation messages | ||
| Ingress | App Subnet | ICMP |
Type: 3 code: 4 |
Ingress Rule to Allows connectivity error messages | ||
| Egress | Service, VPC, CIDR | TCP |
Source Port: ALL Destination Port: 443 |
Rule required for OCI managed database backups to Amazon S3 | ||
| Egress | Service, VPC, CIDR | TCP |
Source Port: ALL Destination Port: 443 |
Rule required for customer access to Amazon S3 | ||
| Egress | Service, VPC, CIDR | TCP |
Source Port: ALL Destination Port: 443 |
Rule required for Cross Region Restore from Amazon S3 | ||
| Egress | Service, VPC, CIDR | TCP |
Source Port: ALL Destination Port: 443 |
Rule required for Cross Region Restore from Amazon S3 |
ADB_STATIC_NSG
Enables trusted, static client and backup access for Autonomous AI Database without exposing service-driven CIDRs.
| Direction | Source | Destination | Protocol | Port | More options | Description |
|---|---|---|---|---|---|---|
| Ingress | Client Subnet | ICMP |
Type: All Code: All |
Ingress Rule to allow all ICMP traffic | ||
| Egress | Client Subnet | ICMP |
Type: All Code: All |
Egress Rule to allow all outbound ICMP traffic | ||
| Ingress | Client Subnet | TCP | ALL | Ingress Rule to Allow all TCP traffic | ||
| Egress | Client Subnet | TCP | ALL | Egress rule to allow all outbound tcp traffic | ||
| Egress | All IAD Services In Oracle Services Network | TCP | ALL | Egress rule to allow access to Object Storage |
ADB_1521_2484_ADJUSTABLE_NSG
Provides secure Autonomous AI Database access from application and AWS CSP networks while supporting APEX, Zero ETL, and AWS service integrations.
| Direction | Source | Destination | Protocol | Port | More options | Description |
|---|---|---|---|---|---|---|
| Egress | App Subnet | All | Allow egress to app subnets | |||
| Ingress | App Subnet | ICMP |
Type: 3 Code: All |
Ingress Rule to Allows connectivity error messages | ||
| Ingress | App Subnet | TCP |
Source Port: all Destination Port 1521 |
Ingress rule to allow TCP SQL*NET traffic | ||
| Ingress | App Subnet | TCP |
Source Port: all Destination Port 2484 |
Ingress rule to allow TCP(SSL) SQL*NET traffic | ||
| Ingress | App Subnet | TCP |
Source Port: all Destination Port 443 |
Ingress Rule to Allow APEX traffic | ||
| Ingress | App Subnet | TCP |
Source Port: all Destination Port 6200 |
Ingress rule to allow ONS and FAN traffic | ||
| Ingress | Service, VPC, CIDR | TCP |
Source Port: all Destination Port 2484 |
Zero ETL Ingress rule to allow TCP SQL*NET traffic | ||
| Egress | Service, VPC, CIDR | TCP |
Source Port: all Destination Port 443 |
Rule required for OCI managed database backups to Amazon S3 | ||
| Egress | Service, VPC, CIDR | TCP |
Source Port: all Destination Port 443 |
Rule required for customer access to Amazon S3 | ||
| Egress | Service, VPC, CIDR | TCP |
Source Port: all Destination Port 443 |
Rule required for OCI service to communicate to AWS KMS Service | ||
| Egress | Service, VPC, CIDR | TCP |
Source Port: all Destination Port 443 |
Rule required for OCI service to communicate to AWS STS Service | ||
| Egress | Service, VPC, CIDR | TCP |
Source Port: ALL Destination Port: 443 |
Rule required for Cross Region Restore from Amazon S3 | ||
| Egress | Service, VPC, CIDR | TCP |
Source Port: ALL Destination Port: 443 |
Rule required for Cross Region Restore from Amazon S3 |
DNS_NSG
Centralizes DNS access for application and service traffic, including Zero ETL.
| Direction | Source | Destination | Protocol | Port | More options | Description |
|---|---|---|---|---|---|---|
| Ingress | App Subnet | TCP |
Source Port: All Destination Port 53 |
TCP ingress rules for DNS | ||
| Ingress | App Subnet | UDP |
Source Port: All Destination Port 53 |
UDP ingress rules for DNS | ||
| Ingress | Service, VPC, CIDR | TCP |
Source Port: All Destination Port 53 |
Zero ETL TCP ingress rules for DNS | ||
| Ingress | Service, VPC, CIDR | UDP |
Source Port: All Destination Port 53 |
Zero ETL UDP ingress rules for DNS |
ZRCV_NSG
Protects the Zero Data Loss Autonomous Recovery Service private endpoint by allowing ingress only from approved backup NSGs.
| Direction | Source | Destination | Protocol | Port | More options | Description |
|---|---|---|---|---|---|---|
| Ingress | EXA_BACKUP_STATIC_NSG | TCP |
Source Port: All Destination Port: 2484 |
RCV Private Endpoint Ingress Rules | ||
| Ingress | EXA_BACKUP_STATIC_NSG | UDP |
Source Port: All Destination Port: 8005 |
RCV Private Endpoint Ingress Rules |