Build Azure DevOps CI/CD Pipelines with Oracle Base Database Service

In a split stack, a workload is deployed across both clouds: in this case, the application runs on Microsoft Azure while the Oracle Database runs on Oracle Cloud Infrastructure (OCI).

In an application stack-to-stack deployment, one full stack (application and database) in Azure interoperates and shares data with another full stack (application and Oracle Database) residing in OCI.

For various business and technical reasons, you may choose to allocate your cloud workloads across Oracle Cloud and Microsoft Azure. To keep that cross-cloud traffic secure and to minimize latency, the Oracle Cloud and Azure environments require a secure, private interconnection.

Oracle and Microsoft have created a private cross-cloud connection (Oracle Interconnect for Microsoft Azure) between Oracle Cloud Infrastructure and Microsoft Azure in specific regions. The Oracle Interconnect for Microsoft Azure allows you to set up cross-cloud workloads without the traffic between the clouds going over the internet.

Using this interconnect, you can build and deploy Azure DevOps CI/CD pipelines with Oracle Base Database Service on Oracle Cloud Infrastructure and configure the supporting virtual networking resources to enable this split-stack deployment as a high-performance, highly available solution.

Note:

Oracle Database 23c is now available on the Oracle Base Database Service. Oracle Database 23c accelerates Oracle's mission to make it simple to develop and run all data-driven applications. Key focus areas include JSON, Graphs, Microservices, and Developer productivity.

Oracle Database 23c aims to empower developers and simplify the use of Artificial Intelligence (AI) in the database for developer productivity, alongside a range of enhancements in a database known for its exceptionally high availability, outstanding performance, and robust security features.

Architecture

In this reference architecture, you will build and deploy CI/CD Pipelines using Azure DevOps with Oracle Base Database Service.

The application and database source code are hosted in a code repository such as Azure DevOps Repos or GitHub. A user commits changes to the repository, which triggers the CI pipeline. This phase runs unit tests, integration tests, and static code analysis, and also tests the containers within the Azure Kubernetes Service (AKS) cluster to verify deployment readiness.

Once testing is complete, the build pipeline creates Docker images and pushes them to the Azure Container Registry. These build artifacts then trigger the CD pipeline. In the CD phase, the artifacts are deployed to AKS, where end-to-end and system tests verify that the microservices operate correctly within the Kubernetes environment and against the Oracle Database. Deployments to the staging and production environments, using strategies such as blue/green or canary releases, then roll out the new changes with zero downtime.

A key component of this architecture is the Oracle Database Operator, which manages the lifecycle of the Oracle Database, automating tasks such as provisioning, scaling, backups, updates, and maintenance. This integration ensures efficient database management and seamless interaction between the microservices in AKS and the Oracle Database. Microservices connect to the Oracle Database over the Oracle Interconnect for Microsoft Azure (Azure ExpressRoute paired with Oracle FastConnect), which keeps the database connection private and reliable, with credentials managed in Azure Key Vault rather than embedded in the application.

Metrics, logs, and traces from the entire CI/CD process are observed continuously using tools such as Azure Monitor and the OCI and Oracle Database Unified Observability OpenTelemetry framework. That framework provides traces from the entry point of the application on Azure, across all subsystems, and into the Oracle Database, so the performance and reliability of both the microservices and the database can be verified. This approach yields a robust, efficient, and scalable solution for deploying and managing modern applications in a cloud-native environment.

The following diagram illustrates this reference architecture.


The architecture has the following components:

  • Tenancy

    A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Compartment

    Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

  • Availability domains

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Fault domains

    A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Load balancer

    The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • FastConnect

    Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options and a more reliable networking experience when compared with internet-based connections.

  • Oracle Base Database Service

    Oracle Base Database Service is an Oracle Cloud Infrastructure (OCI) database service that enables you to build, scale, and manage full-featured Oracle databases on virtual machines. Oracle Base Database Service uses OCI Block Volumes storage instead of local storage and can run Oracle Real Application Clusters (Oracle RAC) to improve availability.

  • Object storage

    Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

  • Identity and Access Management (IAM)

    Oracle Cloud Infrastructure Identity and Access Management (IAM) is the access control plane for Oracle Cloud Infrastructure (OCI) and Oracle Cloud Applications. The IAM API and the user interface enable you to manage identity domains and the resources within the identity domain. Each OCI IAM identity domain represents a standalone identity and access management solution or a different user population.

  • Audit

    The Oracle Cloud Infrastructure Audit service automatically records calls to all supported Oracle Cloud Infrastructure public application programming interface (API) endpoints as log events. Currently, all services support logging by Oracle Cloud Infrastructure Audit.

This architecture supports the following Microsoft Azure components.

  • Microsoft Azure VNet and subnet

    Microsoft Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure virtual machines (VM), to securely communicate with each other, the internet, and on-premises networks.

    You define the VNet in Azure. It can have multiple non-overlapping CIDR blocks, and you can add subnets after you create the VNet. You can segment a VNet into subnets, which you can scope to a region or to availability zones. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VNet. Use VNet to isolate your Azure resources logically at the network level.

  • Virtual network gateway

    A virtual network gateway allows traffic between an Azure VNet and a network outside Azure, either over the public internet or using ExpressRoute, depending on the gateway type that you specify. This network gateway is not used for the Oracle Database Service for Microsoft Azure network link. Instead, you can use it to connect the VNet in which you peered Oracle Database Service for Azure to your on-premises networks.

  • Microsoft Azure Route table (User Defined Route – UDR)

    Route tables direct traffic between Azure subnets, VNets, and networks outside Azure.

    Virtual route tables contain rules to route traffic from subnets to destinations outside a VNet, typically through gateways. Route tables are associated with subnets in a VNet.

  • Microsoft Azure Availability Domain

    Azure Availability Domain, or availability set, is a logical grouping of virtual machines.

Recommendations

Use the following recommendations as a starting point. Your requirements might differ from the architecture described here.

  • VCN

    When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.

    Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.

    After you create a VCN, you can change, add, and remove its CIDR blocks.

    When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.

  • Security

    Use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure proactively. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

  • Cloud Guard

    Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public.

    Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations.

    You can also use the Managed List feature to apply certain configurations to detectors.

  • Security Zones

    For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.

  • Network security groups (NSGs)

    You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application.

  • Infrastructure as Code (IaC)

    Consider using Terraform to implement Infrastructure as Code for deploying both your Azure resources and Oracle Base Database Service, so that the network and security configuration described here is reviewable and repeatable.

Considerations

Consider the following points when planning to deploy this reference architecture.

  • Ensure that you have adequate Oracle Base Database Service Limits and OCI Service limits prior to provisioning. For more information, see OCI Service limits and Requesting a Service Limit Increase.
  • Planning your network topology:
    • You need at least one Azure Virtual Network (VNet) that you can pair with a corresponding OCI Virtual Cloud Network (VCN).
    • The CIDR blocks for any Azure VNets and OCI VCNs must not overlap.
  • Oracle Interconnect for Microsoft Azure prerequisites:
    • An Oracle Cloud account. If you don’t have an account, you can sign up for an Oracle Cloud Free Tier account.
    • An Azure account. If you don't have an account, you can sign up for an Azure Free Account.
    • Required permissions and resources quota to deploy resources as per the topology described in this reference architecture.
    • Collect the OCI region, the Azure region, the interconnect regions, and your throughput requirements.
  • Networking

    The application in Azure and the Oracle Database in OCI must reside in the same geographical region. For example, the application might run in Azure West Europe (located in Amsterdam, Netherlands) and the Oracle Database in OCI Netherlands Northwest (Amsterdam). A region is a localized geographic area composed of one or more availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or continents).

  • Availability

    Oracle Base Database Service provides built-in Oracle best-practice features. Deploy your database for the best performance, availability, and security using cloud automation, and your system is optimally configured to provide the highest service levels. It automatically deploys Oracle RAC to provide a scalable, highly available database tuned to run on the Oracle Base Database Service cloud platform. Oracle RAC protects against unplanned failures by spreading work across multiple database instances. In addition, it eliminates downtime for maintenance activities by automatically migrating work off the servers about to undergo maintenance to others that remain online.

    Oracle Data Guard provides real-time disaster protection. Should you lose your primary database or data center, you can fail your workload over to a standby site maintained automatically by Oracle Data Guard. Oracle Base Database Service makes it simple to enable Oracle Data Guard with a single API call or a few clicks of the mouse in the UI using cloud automation. Likewise, the automation supports critical use cases like switching your primary database to your Disaster Recovery site, switching back, and re-instating your primary database after a failover.

    Oracle Base Database Service supports all the Oracle Maximum Availability Architecture (MAA) technologies, which form the high-availability blueprint for Oracle databases in the cloud.
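The address-planning rules from the VCN recommendations and the network topology considerations above (CIDR blocks inside private address space, no overlap between Azure VNets and OCI VCNs, subnets that fit inside their parent network) can be checked before anything is provisioned. The following Python script is an added example, not code from the reference architecture; the network names and address ranges are constructed placeholders.

```python
"""Check a split-stack address plan before provisioning (added example, not
part of the Oracle reference architecture; all names and ranges are constructed)."""
import ipaddress
from typing import Dict, List, Tuple

# RFC 1918 ranges: every VNet/VCN CIDR block should fall inside one of these.
PRIVATE_SPACE = [ipaddress.ip_network(c)
                 for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_plan(networks: Dict[str, List[str]],
                  subnets: Dict[str, List[str]]) -> List[str]:
    """Return the findings; an empty list means the plan is clean.

    networks: name -> CIDR blocks of each Azure VNet or OCI VCN.
    subnets:  network name -> subnet CIDRs carved out of that network.
    """
    findings: List[str] = []
    blocks: List[Tuple[str, ipaddress.IPv4Network]] = []
    for name, cidrs in networks.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
            if not any(net.subnet_of(p) for p in PRIVATE_SPACE):
                findings.append(f"{name}: {net} is outside RFC 1918 private space")
            blocks.append((name, net))
    # Azure VNets and OCI VCNs must not overlap, or routes across the
    # interconnect become ambiguous and traffic is silently misdirected.
    for i, (n1, b1) in enumerate(blocks):
        for n2, b2 in blocks[i + 1:]:
            if b1.overlaps(b2):
                findings.append(f"overlap: {n1} {b1} and {n2} {b2}")
    # Subnets must sit inside a CIDR block of their own network and must
    # not overlap each other within that network.
    for name, cidrs in subnets.items():
        parents = [b for n, b in blocks if n == name]
        subs = [ipaddress.ip_network(c) for c in cidrs]
        for s in subs:
            if not any(s.subnet_of(p) for p in parents):
                findings.append(f"{name}: subnet {s} is not inside {name}")
        for i, s1 in enumerate(subs):
            for s2 in subs[i + 1:]:
                if s1.overlaps(s2):
                    findings.append(f"{name}: subnets {s1} and {s2} overlap")
    return findings


# Constructed sample: one Azure VNet for AKS, one OCI VCN for the DB system.
GOOD_PLAN = {"azure-vnet": ["10.10.0.0/16"], "oci-vcn": ["10.20.0.0/16"]}
GOOD_SUBNETS = {"azure-vnet": ["10.10.0.0/20", "10.10.16.0/20"],
                "oci-vcn": ["10.20.1.0/24", "10.20.2.0/24"]}
# Constructed broken sample: the VCN reuses the VNet range and adds a block
# outside RFC 1918 space; both would break routing over the interconnect.
BAD_PLAN = {"azure-vnet": ["10.10.0.0/16"],
            "oci-vcn": ["10.10.0.0/16", "100.64.0.0/16"]}
```

Run `validate_plan` against the plan you intend to apply with Terraform; any non-empty result should block the deployment until the CIDR blocks are reassigned.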

Acknowledgments

Authors: Leo Alvarado, Suzanne Holliday, Paul Parkinson