This document summarizes the presentation "Oracle Databases as a Managed Service on AWS" by Daniel Hillinger and Alexander Hofstetter. It discusses using RDS for Oracle databases on AWS, including security features, migration options, and some caveats. RDS provides automated backups, monitoring, and high availability capabilities for Oracle databases in AWS without needing to manage the underlying infrastructure.
TechEvent 2019: Oracle Databases as Managed Service at AWS, Yes it works!; Alexander Hofstetter, Daniel Hillinger - Trivadis
2. Alexander Hofstetter
• Senior Consultant and Trainer, Trivadis
Germany, Munich
• Working in IT since 2005
• Latest Projects
• AWS Cloud Architect
• Automation (Ansible)
• Go Development
@lxdba
7. AWS – VPC
• A VPC is a private section of AWS within a specific Region
• You can create AWS resources there
• You can manage access to those resources
• Each VPC has its own CIDR range
8. AWS – VPC Subnets
• A Subnet lives within one Availability Zone within one Region
• There are two types of subnets:
• Public
• Private
• Inside a Subnet you can launch AWS Resources like:
• EC2
• RDS
• A Subnet's CIDR must lie within the VPC's CIDR range
10. RDS - Relational Database Service
• Managed service from AWS for Relational Databases
Products:
• Aurora
• MySQL
• MariaDB
• PostgreSQL
• Oracle
• Microsoft SQL Server
11. RDS - Relational Database Service
Functionality provided across all RDS products:
• Setup
• Backup and Restore
• Monitoring
• Infrastructure Security
• Multi-AZ deployments (High availability)
• Performance Insights
12. Setup
• Infrastructure as Code: easy automated setup with CloudFormation
• Or manually via the AWS Console
• 20-30 minutes
• Create from Snapshot with Property DBSnapshotIdentifier
• Predefined standards
• Test Databases
13. Backup and Restore
• Daily snapshots transferred to S3
• Transaction logs transferred to S3 every 5 minutes → RPO = 5 minutes
• The maximum number of retained automated backups in one region is 20
• Soft limit of 100 manual snapshots
• Point-in-time recovery always restores into a new RDS instance
14. Backup and Restore
Scenario                       | Action                                     | RTO (max) | RPO
EC2 instance crash             | None – automatic restart                   | 30 min    | 0
EC2 or EBS unrecoverable error | Manual restore (can trigger automatically) | Unknown   | 5 min
AZ disruption (permanent)      | Manual restore (can trigger automatically) | Unknown   | 5 min
15. Backup and Restore – Recommendations
• Store backups in a different region
• Transfer them to a different account
• Automate your recovery (with AWS Lambda)
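The three recommendations above combined in one Lambda, as an added example that is not part of the Trivadis deck: when an RDS snapshot event arrives, the snapshot is copied to a second region under a key of that region and the copy is shared with a backup account. TARGET_REGION, TARGET_KMS_KEY_ARN, BACKUP_ACCOUNT_ID and the assumed SNS message fields ('Event Message', 'Source ARN') are placeholders/assumptions.

```python
"""Copy a new RDS Oracle snapshot to a second region and share the copy with a
backup account.  Added example (not from the deck); region, key and account are placeholders."""
import json
import os
import re

TARGET_REGION = os.environ.get("TARGET_REGION", "eu-west-1")  # placeholder
TARGET_KMS_KEY_ARN = os.environ.get("TARGET_KMS_KEY_ARN", "arn:aws:kms:eu-west-1:111111111111:key/PLACEHOLDER")
BACKUP_ACCOUNT_ID = os.environ.get("BACKUP_ACCOUNT_ID", "222222222222")  # placeholder

def copy_snapshot_params(snapshot_arn, target_kms_key_arn):
    """Parameters for CopyDBSnapshot, issued from the *target* region.  A KMS/TDE-encrypted
    snapshot can only be copied with a key that lives in the target region, and an automated
    snapshot ('rds:' prefix) becomes a manual one, so it counts against the manual-snapshot limit."""
    parts = snapshot_arn.split(":")  # arn:aws:rds:<region>:<account>:snapshot:<identifier>
    source_region, name = parts[3], ":".join(parts[6:])
    target_id = re.sub(r"-+", "-", re.sub(r"[^A-Za-z0-9-]", "-", name.replace("rds:", ""))) + "-dr"
    return {
        "SourceDBSnapshotIdentifier": snapshot_arn,
        "TargetDBSnapshotIdentifier": target_id[:255].strip("-"),
        "SourceRegion": source_region,
        "KmsKeyId": target_kms_key_arn,
        "CopyTags": True,
    }

def share_snapshot_params(snapshot_id, account_id):
    """Parameters for ModifyDBSnapshotAttribute: the 'restore' attribute lets the other account
    restore the copy.  The key policy must also grant that account use of the KMS key, and a
    snapshot encrypted with the default aws/rds key cannot be shared at all."""
    return {"DBSnapshotIdentifier": snapshot_id,
            "AttributeName": "restore", "ValuesToAdd": [account_id]}

def handler(event, context=None):
    """Lambda entry point for an RDS event subscription delivered through SNS.
    Assumes the SNS message JSON carries 'Event Message' and 'Source ARN' (assumption)."""
    import boto3  # deferred so the parameter builders above stay testable offline
    rds = boto3.client("rds", region_name=TARGET_REGION)
    copied = []
    for record in event.get("Records", []):
        msg = json.loads(record["Sns"]["Message"])
        if "snapshot created" not in msg.get("Event Message", "").lower():
            continue
        params = copy_snapshot_params(msg["Source ARN"], TARGET_KMS_KEY_ARN)
        rds.copy_db_snapshot(**params)
        # sharing needs an 'available' copy; large snapshots may exceed the Lambda timeout here
        rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=params["TargetDBSnapshotIdentifier"])
        rds.modify_db_snapshot_attribute(**share_snapshot_params(params["TargetDBSnapshotIdentifier"], BACKUP_ACCOUNT_ID))
        copied.append(params["TargetDBSnapshotIdentifier"])
    return copied
```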
16. RDS Multi-AZ Deployments
• High availability solution
• DNS switch (TTL 5 seconds)
• Not cross-region
• Failover 60-120 seconds documented (120-240 seconds in our experience)
Failover Conditions:
• Loss of availability in primary Availability Zone
• Loss of network connectivity to primary
• Compute unit failure on primary
• Storage failure on primary
• Manual
17. Monitoring
• RDS Events
• via Console: 24h
• via aws-cli or API: 14d
• Database log files (ADR)
• Amazon RDS Enhanced Monitoring (Hypervisor/OS Monitoring)
• Automatic CloudWatch integration for Metrics / Alarms / Logs
• Performance Insights
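Slides 16 and 17 together suggest a check worth automating: pull the full 14-day event history via the API (the console stops at 24h) and measure how long each Multi-AZ failover really took. Added example, not code from the deck; SAMPLE_EVENTS are constructed, and the loose matching on "failover started"/"failover completed" message text is an assumption about RDS event wording.

```python
"""Measure actual Multi-AZ failover duration from the RDS event stream.
Added example, not from the deck; SAMPLE_EVENTS are constructed."""
from datetime import datetime, timedelta, timezone

DESCRIBE_EVENTS_MAX_MINUTES = 14 * 24 * 60  # describe-events Duration is in minutes; the API keeps 14 days

_T0 = datetime(2019, 9, 12, 2, 14, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed, shaped like describe-events output
    {"SourceIdentifier": "mydatabase", "Date": _T0, "EventCategories": ["failover"],
     "Message": "Multi-AZ instance failover started."},
    {"SourceIdentifier": "mydatabase", "Date": _T0 + timedelta(seconds=185),
     "EventCategories": ["failover"], "Message": "Multi-AZ instance failover completed."},
    {"SourceIdentifier": "mydatabase", "Date": _T0 + timedelta(hours=6),
     "EventCategories": ["configuration change"],
     "Message": "Finished applying modification to option group"},  # constructed wording
]

def failover_durations(events):
    """Pair each 'failover started' with the next 'failover completed' event of the same
    instance and return (instance, seconds).  Messages are matched loosely because the
    exact wording differs between RDS event ids (assumption)."""
    started, durations = {}, []
    for ev in sorted(events, key=lambda e: e["Date"]):
        text, src = ev["Message"].lower(), ev["SourceIdentifier"]
        if "failover started" in text:
            started[src] = ev["Date"]
        elif "failover completed" in text and src in started:
            durations.append((src, (ev["Date"] - started.pop(src)).total_seconds()))
    return durations

def slower_than_documented(events, documented_max_s=120):
    """Failovers that exceeded the 60-120 s the slides quote as the documented range."""
    return [d for d in failover_durations(events) if d[1] > documented_max_s]

def fetch_events(instance_id, region):
    """Pull the full 14-day history via the API; needs boto3 and credentials, so the
    import is deferred and the functions above run offline on SAMPLE_EVENTS."""
    import boto3
    paginator = boto3.client("rds", region_name=region).get_paginator("describe_events")
    pages = paginator.paginate(SourceType="db-instance", SourceIdentifier=instance_id,
                               Duration=DESCRIBE_EVENTS_MAX_MINUTES)
    return [ev for page in pages for ev in page["Events"]]

if __name__ == "__main__":
    for instance, seconds in slower_than_documented(SAMPLE_EVENTS):
        print(f"{instance}: failover took {seconds:.0f} s")
```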
19. Editions and Options
Editions available:
• Standard Edition One|Two: License Included, Bring-Your-Own-License
• Standard Edition: Bring-Your-Own-License
• Enterprise Edition: Bring-Your-Own-License
EE Options available:
• Advanced Security (Transparent Data Encryption, Native Network Encryption)
• Partitioning
• Management Packs (Diagnostic, Tuning)
• Advanced Compression
• Total Recall
20. Common DBA System Tasks
• Killing / disconnecting a Session
• Cancelling a SQL Statement in a Session
• Enabling and Disabling Restricted Sessions
• Flushing the Shared Pool / Buffer Cache
• Granting / revoking SELECT or EXECUTE Privileges on SYS Objects
• Granting Privileges to Non-Master Users
• Creating Custom Functions to Verify Passwords
Features are wrapped into the PL/SQL package rdsadmin.rdsadmin_util
Use a "clean" session for rdsadmin_util: a preceding ALTER SESSION can cause calls to fail silently
21. RMAN – Recovery Manager
• Validating DB Instance Files
• Enabling and Disabling Block Change Tracking
• Crosschecking Archived Redo Logs
• Backing Up Archived Redo Logs
• Performing a Full Database Backup
• Performing an Incremental Database Backup
• Performing a Tablespace Backup
22. Upgrades
• Fully automated Upgrades
• 18c available since 08/2019
Current Version | Upgrade Supported
12.2.0.1        | 18.0.0.0
12.1.0.2        | 18.0.0.0, 12.2.0.1
11.2.0.4        | 18.0.0.0, 12.2.0.1, 12.1.0.2v5+
23. Patching
• Based on RUs, but with additional patches
• OJVM RU included
• Available 4-6 weeks after release
• No special (one-off) patches available
• If Minor Version Upgrade is enabled → automatic patching
• Set the Maintenance Window!
24. Support
• No access to a CSI (Customer Support Identifier) with License Included!
• Support only from AWS
• Not possible to deliver files requested by support anyway (no OS access)
26. Encryption
In Transit
• Native Network Encryption (SQLNET) or
• Secure Sockets Layer (SSL)
At Rest
• TDE with AWS KMS (key/wallet managed by Amazon)
27. AWS – VPC Security Groups
Diagram (traffic path through one Subnet, inbound to outbound):
Subnet → Network ACL Inbound Rule → Security Group Inbound → instance → Security Group Outbound (plus response traffic to inbound connections, which the stateful Security Group allows automatically) → Network ACL Outbound Rule → Subnet
28. Security
• Not integrated into AWS Identity and Access Management (IAM)
• Logging to CloudWatch
• Label Security is available
• Common DBA tasks are wrapped into PL/SQL procedures and can be granted to other users
• Like killing a session
29. AWS Secrets Manager
Example secret value for an RDS Oracle database (password masked):
    {
        'engine': 'oracle',
        'host': 'mydatabase.abcdefg.eu-central-1.rds.amazonaws.com',
        'password': 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
        'port': 1521,
        'username': 'adminuser'
    }
• Can be integrated into AWS Secrets Manager
• Connection information automatically attached to the secret
• Automatic rotation possible
• Admin-User and Application-User
• Modify the Lambda for the rotation
• Available since 08/2018
35. Project Experience
• Reboot caused by option group change
• Only high-level analysis of instance failures possible
• AWS Support needed
• Configure the Maintenance Window
• Use aws-cli, some information is only available with it
• Follow AWS recommendations for Tablespaces
• auto-extend enabled
• no maximum size, limited by the RDS storage limit
• Adjust default SGA and PGA parameters
• Connection over DC/VPN