daniel8192.wordpress.com
@daniel8192
@lxdba
Oracle Databases as Managed Service at AWS
Yes it Works!
Daniel Hillinger, Alexander Hofstetter
Alexander Hofstetter
• Senior Consultant and Trainer, Trivadis
Germany, Munich
• Working in IT since 2005
• Latest Projects
• AWS Cloud Architect
• Automation (Ansible)
• Go Development
@lxdba
Daniel Hillinger
• Workspace Munich
• Focus:
• Oracle (RAC, Grid Infrastructure, Exadata, Dataguard)
• Unix/Linux (OEL, RedHat, Solaris)
• Azure (Automation, Design and Security)
@daniel8192 daniel8192.wordpress.com
Agenda
• AWS
• RDS
• RDS Oracle
• Security
• Migration
• Caveats
• Project Experience
• Conclusions
AWS
AWS – Virtual Private Cloud (VPC) Overview
AWS – VPC
• a VPC is a private section of AWS within a specific Region
• You can create AWS resources there
• You can manage access to those resources
• There is a specific CIDR per VPC
AWS – VPC Subnets
• a Subnet lies within one Availability Zone within one Region
• There are two types of subnets:
• Public
• Private
• Inside a Subnet you can launch AWS Resources like:
• EC2
• RDS
• Subnets CIDR must be in the VPC CIDR Range
RDS
RDS - Relational Database Service
• Managed service from AWS for Relational Databases
Products:
• Aurora
• MySQL
• MariaDB
• PostgreSQL
• Oracle
• Microsoft SQL Server
RDS - Relational Database Service
Functionality provided across all RDS products:
• Setup
• Backup and Restore
• Monitoring
• Infrastructure Security
• Multi-AZ deployments (High availability)
• Performance Insights
Setup
• Infrastructure as Code: easy automated setup with CloudFormation
• Or manual with AWS console
• 20-30 minutes
• Create from Snapshot with Property DBSnapshotIdentifier
• Predefined standards
• Test Databases
Backup and Restore
• Daily snapshots transferred to S3
• Transaction logs transferred to S3 every 5 minutes → RPO = 5 minutes
• The maximum number of retained automated backups in one region is 20
• Soft limit of 100 manual snapshots
• Point in time recovery always in a new RDS instance
Backup and Restore
Scenario                        | Action                                     | RTO (max) | RPO
EC2 instance crash              | None – automatic restart                   | 30 min    | 0
EC2 or EBS unrecoverable error  | Manual restore (can automatically trigger) | Unknown   | 5 min
AZ disruption (permanent)       | Manual restore (can automatically trigger) | Unknown   | 5 min
Backup and Restore – Recommendations
• Stored in different region
• Transfer to a different account
• Automate your recovery (with AWS Lambda)
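One way to automate the three recommendations above with boto3 in a Lambda function (copy the snapshot to a second region, share the copy with a second account), as an added example that is not part of the Trivadis deck. The event field, environment variable names and all ARNs/account ids are assumed placeholders; boto3 is imported lazily so the copy/share logic can also be exercised offline against a fake client.

```python
import os


def copy_snapshot_to_region(rds_target, source_arn, target_id, source_region, kms_key_id):
    """Copy a snapshot into the region that `rds_target` is bound to.

    Copying an automated snapshot yields a manual one, which is the kind that
    can be shared afterwards. An encrypted snapshot must be re-encrypted with
    a KMS key that exists in the target region, so pass that key here.
    """
    resp = rds_target.copy_db_snapshot(
        SourceDBSnapshotIdentifier=source_arn,
        TargetDBSnapshotIdentifier=target_id,
        SourceRegion=source_region,  # boto3 presigns the cross-region request
        KmsKeyId=kms_key_id,
        CopyTags=True,
    )
    return resp["DBSnapshot"]["DBSnapshotIdentifier"]


def share_snapshot(rds_target, snapshot_id, account_id):
    """Let `account_id` restore the copied snapshot (attribute 'restore').

    The copy has to be available first. It also has to use a customer-managed
    key: a snapshot encrypted with the default aws/rds key cannot be shared.
    """
    rds_target.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=snapshot_id)
    rds_target.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=snapshot_id,
        AttributeName="restore",
        ValuesToAdd=[account_id],
    )
    return {"snapshot": snapshot_id, "shared_with": [account_id]}


def target_snapshot_id(source_arn):
    """Derive a manual-snapshot name: the 'rds:' prefix is reserved for automated ones."""
    return source_arn.split(":snapshot:", 1)[1].replace("rds:", "") + "-dr"


def replicate(rds_target, source_arn, source_region, kms_key_id, account_id):
    """Copy, wait, share: what the Lambda does for one snapshot."""
    snapshot_id = copy_snapshot_to_region(
        rds_target, source_arn, target_snapshot_id(source_arn), source_region, kms_key_id)
    return share_snapshot(rds_target, snapshot_id, account_id)


def lambda_handler(event, context):
    """Entry point; `event['snapshot_arn']` and the env var names are assumed."""
    import boto3  # lazy import: only needed inside Lambda
    rds_target = boto3.client("rds", region_name=os.environ["TARGET_REGION"])
    return replicate(rds_target, event["snapshot_arn"], os.environ["SOURCE_REGION"],
                     os.environ["TARGET_KMS_KEY_ID"], os.environ["TARGET_ACCOUNT_ID"])
```

The waiter blocks until the copy is available, which for a large snapshot can exceed the Lambda timeout; in that case split copy and share into two invocations triggered by RDS snapshot events.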
RDS Multi-AZ Deployments
• High availability solution
• DNS switch (TTL 5 seconds)
• Not cross-region
• Failover 60-120 seconds (120-240 seconds in our experience)
Failover Conditions:
• Loss of availability in primary Availability Zone
• Loss of network connectivity to primary
• Compute unit failure on primary
• Storage failure on primary
• Manual
Monitoring
• RDS Events
• via Console: 24h
• via aws-cli or API: 14d
• Database log files (ADR)
• Amazon RDS Enhanced Monitoring (Hypervisor/OS Monitoring)
• Automatic CloudWatch integration for Metrics / Alarms / Logs
• Performance Insights
RDS - Oracle
Editions and Options
Editions available:
• Standard Edition One|Two: License Included, Bring-Your-Own License
• Standard Edition: Bring-Your-Own-License
• Enterprise Edition: Bring-Your-Own License
EE Options available:
• Advanced Security (Transparent Data Encryption, Native Network Encryption)
• Partitioning
• Management Packs (Diagnostic, Tuning)
• Advanced Compression
• Total Recall
Common DBA System Tasks
• Killing / disconnecting a Session
• Cancelling a SQL Statement in a Session
• Enabling and Disabling Restricted Sessions
• Flushing the Shared Pool / Buffer Cache
• Granting / revoking SELECT or EXECUTE Privileges to SYS Objects
• Granting Privileges to Non-Master Users
• Creating Custom Functions to Verify Passwords
Features wrapped into PL/SQL package rdsadmin.rdsadmin_util
Use a “clean” session for rdsadmin_util; a preceding ALTER SESSION can make the calls fail silently
RMAN- Recovery Manager
• Validating DB Instance Files
• Enabling and Disabling Block Change Tracking
• Crosschecking Archived Redo Logs
• Backing Up Archived Redo Logs
• Performing a Full Database Backup
• Performing an Incremental Database Backup
• Performing a Tablespace Backup
Upgrades
• Fully automated Upgrades
• 18c available since 08/2019
Current Version | Upgrade Supported
12.2.0.1        | 18.0.0.0
12.1.0.2        | 18.0.0.0, 12.2.0.1
11.2.0.4        | 18.0.0.0, 12.2.0.1, 12.1.0.2v5+
Patching
• Based on RUs but with additional patches
• OJVM RU included
• Available 4-6 weeks after release
• No special patches available
• If Minor Version Upgrades are enabled → automatic patching
• Set Maintenance Window!
Support
• No access to a CSI with License Included!
• Support only from AWS
• Files requested by Oracle Support could not be delivered anyway
Security
Encryption
In Transit
• Native Network Encryption (SQLNET) or
• Secure Sockets Layer (SSL)
At Rest
• TDE with AWS KMS (key/wallet managed by Amazon)
AWS – VPC Security Groups
[Diagram: traffic into a subnet passes the Network ACL inbound rule and then the Security Group inbound rule; traffic out of the subnet passes the Security Group outbound rule (plus the return traffic of inbound connections, since Security Groups are stateful) and the Network ACL outbound rule. Two subnets shown.]
Security
• Not integrated into AWS Identity and Access Management (IAM)
• Logging into CloudWatch
• Label Security is available
• Common DBA tasks are wrapped into PL/SQL procedures and can be granted to other users
• e.g. killing a session
{
'engine': 'oracle',
'host': 'mydatabase.abcdefg.eu-central-1.rds.amazonaws.com',
'password': 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
'port': 1521,
'username': 'adminuser'
}
AWS Secrets Manager
• Can be integrated into AWS Secrets Manager
• Connection information automatically attached to the secret
• Automatic rotation possible
• Admin-User and Application-User
• Adapt the rotation Lambda
• Available since 08/2018
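Reading the secret shown above from Secrets Manager and turning it into Oracle connection parameters, as an added example that is not part of the Trivadis deck. The sample secret is constructed in the layout Secrets Manager attaches to an RDS Oracle instance (the `dbname` field and the default service name are assumptions); boto3 is imported lazily so the parsing runs offline.

```python
import json

# Constructed sample in the layout Secrets Manager generates for an RDS
# Oracle instance (the deck's host name, a placeholder password).
SAMPLE_SECRET = json.dumps({
    "engine": "oracle",
    "host": "mydatabase.abcdefg.eu-central-1.rds.amazonaws.com",
    "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "port": 1521,
    "username": "adminuser",
    "dbname": "ORCL",
})

REQUIRED = ("engine", "host", "port", "username", "password")


def parse_rds_secret(secret_string):
    """Validate the secret and build python-oracledb connect parameters.

    Rejects secrets for other engines or with missing fields rather than
    letting a half-filled secret produce a confusing ORA- error later.
    """
    secret = json.loads(secret_string)
    missing = [k for k in REQUIRED if k not in secret]
    if missing:
        raise ValueError("secret lacks fields: " + ", ".join(missing))
    if secret["engine"] != "oracle":
        raise ValueError("expected engine 'oracle', got %r" % secret["engine"])
    port = int(secret["port"])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % secret["port"])
    service = secret.get("dbname", "ORCL")  # service name; the default is an assumption
    return {
        "user": secret["username"],
        "password": secret["password"],
        "dsn": "%s:%d/%s" % (secret["host"], port, service),  # EZConnect form
    }


def safe_repr(params):
    """What may go into a log line: everything except the password."""
    return {k: v for k, v in params.items() if k != "password"}


def fetch_credentials(secret_id, region_name):
    """Read the AWSCURRENT version. After an automatic rotation the old
    password stops working (ORA-01017), so re-read the secret on that error
    instead of caching credentials for the life of the process."""
    import boto3  # lazy: not needed for parsing, keeps the module importable offline
    sm = boto3.client("secretsmanager", region_name=region_name)
    resp = sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    return parse_rds_secret(resp["SecretString"])
```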
Migration
Migration
• Oracle SQL Developer
• Datapump
• Export/Import
• SQL*Loader
• Oracle Materialized Views
• AWS DMS (Database Migration Service)
• No zero-downtime migration methods
• No RMAN
• No Data Guard (physical or logical)
• No Transportable Tablespaces
Caveats
Caveats
• No external jobs possible
• No special patches possible
• Only limited OJVM functionality
• No direct Oracle support
• RMAN useless
Project Experience
Project Experience
• Reboot caused by option group change
• Only high-level analysis of instance failures possible
• AWS Support needed
• Configure the Maintenance Window
• Use aws-cli, some information is only available with it
• Follow the AWS recommendation for tablespaces:
• auto-extend enabled
• no maximum size, limited by the RDS storage limit
• Adjust the default SGA and PGA parameters
• Connection over DC (Direct Connect)/VPN
Conclusions
Conclusions
• Very fast and easy to use
• Less DBA knowledge required
• High security possible
• Vendor lock-in
• Data loss possible
Questions and answers …
Alexander Hofstetter
Daniel Hillinger

TechEvent 2019: Oracle Databases as Managed Service at AWS, Yes it works!; Alexander Hofstetter, Daniel Hillinger - Trivadis