Managing Exadata Database Services in Azure

After provisioning an OracleDB@Azure resource (for example, an Oracle Exadata Infrastructure, an Oracle Exadata VM Cluster, or an Oracle Exascale VM Cluster), you can use the Microsoft Azure blade for a limited set of management functions. Those functions are described in this document.

Note

There are prerequisites that must be completed before you can provision Exadata Database Services. You need to complete the following:
  1. An existing Azure subscription
  2. An Azure VNet with a subnet delegated to the Oracle Database@Azure service (Oracle.Database/networkAttachments)
  3. Permissions in Azure to create resources in the region, with the following conditions:
    • No policies prohibiting the creation of resources without tags, because the OracleSubscription resource is created automatically without tags during onboarding.
    • No policies enforcing naming conventions, because the OracleSubscription resource is created automatically with a default resource name.
  4. Purchase OracleDB@Azure in the Azure portal.
  5. Select your Oracle Cloud Infrastructure (OCI) account.
For more detailed documentation, including optional steps, see Onboarding with Oracle Database@Azure.

Common Management Functions from the Microsoft Azure Blade

The following management functions are available for all resources from the Microsoft Azure blade for that resource.

Additional Management Functions for Oracle Exadata Database Service on Exascale Infrastructure

Access the Resource Blade

These are the steps to access the resource blade for Exadata Database Services.

  1. From the Microsoft Azure portal, select the Oracle Database@Azure application.
  2. From the left menu, select Oracle Exadata Database Service or Oracle Exadata Database Service on Exascale Infrastructure.
  3. If the blade lists and manages several resources, select the resource type at the top of the blade. For example, the Oracle Exadata Database Service blade accesses both Oracle Exadata Infrastructure and Oracle Exadata VM Cluster resources, and the Oracle Exadata Database Service on Exascale Infrastructure blade accesses both Vm Clusters and Exascale storage vaults.

List Status for All Resources of the Same Type

These are the steps to list status for all Exadata Database Services.

  1. Follow the steps to Access the Resource Blade.
  2. Resources will be shown in the list as Available, Failed, or Provisioning.
  3. Access the specifics of that resource by selecting the link in the Name field in the table.

Provision a New Resource

These are the steps to provision a new resource for Exadata Database Services.

  1. Follow the steps to Access the Resource Blade.
  2. Select the + Create icon at the top of the blade.
  3. Follow the provisioning flow for the resource.

Refresh the Blade's Info

These are the steps to refresh the blade info for Exadata Database Services.

  1. Follow the steps to Access the Resource Blade.
  2. Select the Refresh icon at the top of the blade.
  3. Wait for the blade to reload.

Delete an Oracle Exadata VM Cluster or an Oracle Exascale VM Cluster

These are the steps to delete an Oracle Exadata VM Cluster or Oracle Exascale VM Cluster for Exadata Database Services.

Note

For each Oracle Exadata Infrastructure, only one Exadata VM Cluster and one Exascale VM Cluster can be deleted at a time.
  1. Follow the steps to Access the Resource Blade.
    Note

    To delete an Exadata VM Cluster, access the Oracle Exadata Database Service blade. To delete an Exascale VM Cluster, access the Oracle Exadata Database Service on Exascale Infrastructure blade.
  2. You can remove a single or multiple resources from the blade by selecting the checkbox on the left side of the table. Once you have selected the resource(s) to remove, you can then select the Delete icon at the top of the blade.
  3. You can also remove a single resource by selecting the link to the resource from the Name field in the table. From the resource's detail page, select the Delete icon at the top of the blade.
  4. Wait until the Exadata VM Cluster or Exascale VM Cluster is deleted in the Azure Portal.
    Note

    Termination is still processing even though it disappears from the Azure Portal.
  5. Go to OCI (Follow the steps to Access the OCI console) and navigate to the Exadata VM Cluster or Exascale VM Cluster page. Depending on how long you have waited to do this step, the resource may still be terminating.
  6. Wait until the termination completes.
  7. Confirm that the associated Exadata Infrastructure is in the Available status. Repeat the process for other Exadata VM Clusters and Exascale VM Clusters (if necessary).

Delete an Oracle Exadata Infrastructure

These are the steps to delete an Oracle Exadata Infrastructure for Exadata Database Services.

Note

Ensure all Exadata VM Clusters or Exascale VM Clusters in the Exadata Infrastructure are in the Terminated status in OCI.
  1. Go to Azure (Follow the steps to Access the OCI console) and navigate to the Exadata Infrastructure page to check that all Exadata VM Clusters or Exascale VM Clusters are terminated.
  2. Once verified, delete the Exadata Infrastructure from the Azure Portal. Once it is removed, no additional actions or wait time are required.

Change Assigned VM Nodes

These are the steps to change assigned VM nodes for Exadata Database Services.

  1. Follow the steps to Access the Resource Blade.
  2. Select the link to the resource from the Name field in the table.
  3. From the resource's overview page, select the Settings > Virtual machines link on the left menu.
  4. To change the virtual machines (VMs), select the Remove icon. The Remove virtual machine panel opens. Select the VM to edit from the VM cluster drop-down list. Select the DB servers from the drop-down list. Both drop-down lists only populate with available VMs, and the database servers on the VM selected. Select the Submit button to commit the VM change, or the Cancel button to cancel the operation.

Add, Manage, or Delete Resource Tags

These are the steps to add, manage, or delete resource tags for Exadata Database Services.

  1. Follow the steps to Access the Resource Blade.
  2. You can access the resource tags in two different ways:
    1. You can select the link to the resource from the Name field in the table, and then from the resource's overview page, select the Tags section.
    2. You can click the three dots ... located at the end of the Name field in the table, and then select Edit tags.
  3. To create a new tag, enter values in the Name and Value fields.
  4. To edit an existing tag, change the value in the existing tag's Value field.
  5. To delete an existing tag, select the Trashcan icon at the right-side of the tag.

Manage Oracle Exadata VM Cluster or Oracle Exascale VM Cluster VMs

These are the steps to add, refresh, remove, start, stop, or restart Oracle Exadata VM Cluster or Oracle Exascale VM Cluster virtual machines for Exadata Database Services.

  1. Follow the steps to Access the resource blade.
  2. To access an Exadata VM Cluster, navigate to the Oracle Exadata Database Service blade. To access an Exascale VM Cluster, navigate to the Oracle Exadata Database Service on Exascale Infrastructure blade.
  3. Select the link to the resource from the Name field in the table.
  4. From the resource's overview page, select the Settings section, and then click on the Virtual machines link located on the left-side menu.
  5. To add a virtual machine (VM), select the Add icon, specify a number of VMs that you want to add, and then click on the Submit button.
  6. To refresh a virtual machine (VM), select the Refresh icon.
  7. To remove a virtual machine (VM), select the Remove icon. From the dropdown list, select the VM that you want to remove from your cluster, and then click on the Submit button.
  8. To start a virtual machine (VM), select the Start icon. The Start virtual machine panel opens. Select the VM to start from the Virtual machine drop-down list. The drop-down list only populates with any unavailable VMs. Select the Submit button to start that VM, or the Cancel button to cancel the operation.
  9. To stop a virtual machine (VM), select the Stop icon. The Stop virtual machine panel opens. Select the VM to stop from the Virtual machine drop-down list. The drop-down list only populates with any available VMs. NOTE: Stopping a node may disrupt ongoing back-end software operations and database availability. Select the Submit button to stop that VM, or the Cancel button to cancel the operation.
  10. To restart a virtual machine (VM), select the Restart icon. The Restart virtual machine panel opens. Select the VM to restart from the Virtual machine drop-down list. The drop-down list only populates with any available VMs. NOTE: Restarting shuts down the node and then starts it. For single-node systems, databases are offline while the reboot is in progress. Select the Submit button to restart that VM, or the Cancel button to cancel the operation.

Access the OCI Console

These are the steps to access the OCI console for Exadata Database Services.

  1. Follow the steps to Access the resource blade.
  2. Select the link to the resource from the Name field in the table.
  3. From the Overview section, select the Go to OCI link on the OCI Database URL field.
  4. Log in to OCI.
  5. Manage the resource from within the OCI console.

Perform a Connectivity Test

These are the steps to perform a connectivity test for Exadata Database Services.

  1. Follow the steps to Access the OCI console.
  2. In the OCI console, navigate to the Pluggable Database Details page for the database you want to test.
  3. Select the PDB connection button.
  4. Select Show link to expand the details for the Connection Strings.
  5. Open Oracle SQL Developer. If you don't have SQL Developer installed, download SQL Developer and install.
  6. Within SQL Developer, open a new connection with the following information.
    1. Name - Enter a name of your choice used to save your connection.
    2. Username - Enter SYS.
    3. Password - Enter the password used when creating the PDB.
    4. Role - Select SYSDBA.
    5. Save Password - Select the box if your security rules allow. If not, you will need to enter the PDB password every time you use this connection in SQL Developer.
    6. Connection Type - Select Basic.
    7. Hostname - Enter one of the host IPs from the Connection Strings above.
    8. Port - The default is 1521. You only need to change this if you have altered default port settings for the PDB.
    9. Service Name - Enter the SERVICE_NAME value from the host IP you previously selected. This is from the Connection Strings above.
    10. Select the Test button. The Status at the bottom of the connections list should show as Success. If the connection is not a success, one or more of the Hostname, Port, and Service Name fields is incorrect, or the PDB is not currently running.
    11. Select the Save button.
    12. Select the Connect button.
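
This Python example is added here and is not part of the Oracle documentation. It extracts the host, port and SERVICE_NAME values from a connect descriptor such as the Connection Strings shown in step 4, then checks TCP reachability of the listener port without using the SYS password, which helps tell a wrong Hostname or Port apart from a blocked network path. The sample descriptor, its addresses and the function names are constructed for illustration.

```python
import re
import socket

# One ADDRESS=(...)(...) group, its KEY=value pairs, and the SERVICE_NAME entry
# of an Oracle Net connect descriptor.
_ADDRESS = re.compile(r"\(\s*ADDRESS\s*=((?:\s*\([^()]*\))+)\s*\)", re.I)
_PAIR = re.compile(r"\(\s*([A-Z_]+)\s*=\s*([^()]*?)\s*\)", re.I)
_SERVICE = re.compile(r"\(\s*SERVICE_NAME\s*=\s*([^()\s]+)\s*\)", re.I)

# Constructed sample; real values come from the PDB connection dialog.
SAMPLE_DESCRIPTOR = (
    "(DESCRIPTION=(CONNECT_TIMEOUT=5)(ADDRESS_LIST=(LOAD_BALANCE=on)"
    "(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.1.11)(PORT=1521))"
    "(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.1.12)(PORT=1521)))"
    "(CONNECT_DATA=(SERVICE_NAME=pdb1.example.internal)))"
)


def parse_descriptor(descriptor):
    """Return (service_name, [(host, port), ...]) from a connect descriptor."""
    service = _SERVICE.search(descriptor)
    if not service:
        raise ValueError("descriptor has no SERVICE_NAME")
    endpoints = []
    for match in _ADDRESS.finditer(descriptor):
        fields = {k.upper(): v for k, v in _PAIR.findall(match.group(1))}
        if fields.get("PROTOCOL", "TCP").upper() not in ("TCP", "TCPS"):
            continue  # skip non-TCP transports
        port = int(fields.get("PORT", 1521))  # 1521 is the default port
        if "HOST" not in fields or not 0 < port < 65536:
            raise ValueError("ADDRESS entry without a usable HOST/PORT")
        endpoints.append((fields["HOST"], port))
    if not endpoints:
        raise ValueError("descriptor has no TCP ADDRESS entries")
    return service.group(1), endpoints


def probe(host, port, timeout=3.0):
    """Classify TCP reachability of the listener port; sends no credentials."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered, nothing listening on the port
    except socket.timeout:
        return "filtered"     # no answer: typically an NSG rule, route or firewall
    except OSError:
        return "unreachable"  # name resolution failure, no route, and similar


def triage(descriptor, timeout=3.0):
    """Probe every endpoint in the descriptor and report one row per host."""
    service, endpoints = parse_descriptor(descriptor)
    return [
        {"host": h, "port": p, "service_name": service, "tcp": probe(h, p, timeout)}
        for h, p in endpoints
    ]


if __name__ == "__main__":
    # Parsing only; call triage() from a machine inside the VNet to probe.
    name, hosts = parse_descriptor(SAMPLE_DESCRIPTOR)
    print("Service Name:", name)
    for host, port in hosts:
        print("Hostname:", host, "Port:", port)
```

An "open" result with a failing SQL Developer test points at the Service Name or the PDB state rather than the network path.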

Manage Network Security Group (NSG) Rules

These are the steps to manage network security group (NSG) rules for Exadata Database Services.

  1. Follow the steps to Access the Resource Blade.
  2. Select the link to the resource from the Name field in the table.
  3. From the resource's detail page, select the Go to OCI link on the OCI network security group URL field.
  4. Log in to OCI.
  5. Manage the NSG rules from within the OCI console.
  6. For additional information on NSG rules and considerations within OracleDB@Azure, see the Automatic Network Ingress Configuration section of Troubleshooting and Known Issues for Exadata Database Services for Azure.

Request Increased Storage or ECPU Limits

These are the steps to request increased storage or ECPU limits for Exadata Database Services.

  1. From the Oracle Database@Azure home, select Overview.
  2. Select the View Oracle Subscription button.
  3. Select the default subscription.
  4. From the left menu for the default subscription, click on the Help section, and then Support + Troubleshooting.
  5. In the Tell us about the issue to get solutions and support field, enter Oracle Database@Azure, and then select the Go button.
  6. In the Which service are you having an issue with? drop-down field, select Databases / Oracle Database@Azure from the list.
  7. Select the Next button.
  8. In the message that appears, select the OCI Support portal link.
  9. Follow the steps as discussed in the Support for OracleDB@Azure process.

Support for OracleDB@Azure

These are the steps to obtain support for OracleDB@Azure.

  1. Follow the steps to Access the OCI Console.
  2. From the OCI console, there are two ways to access support resources.
    1. At the top of the page, select the Help (?) icon at the top-right of the menu bar.
    2. On the right-side of the page, select the floating Support icon. NOTE: This icon can be moved by the user, and the precise horizontal location can vary from user to user.
  3. You have several support options from here, including documentation, requesting help via chat, visiting the Support Center, posting a question to a forum, submitting feedback, requesting a limit increase, and creating a support request.
  4. If you need to create a support request, select that option.
  5. The support request page will auto-populate with information needed by Oracle Support Services, including resource name, resource OCID, service group, service, and several other items dependent upon the specific OracleDB@Azure resource.
  6. Select the support option from the following options:
    1. Critical outage for critical production system outage or a critical business function is unavailable or unstable. You or an alternate contact must be available to work this issue 24x7 if needed.
    2. Significant impairment for critical system or a business function experiencing severe loss of service. Operations can continue in a restricted manner. You or an alternate contact are available to work this issue during normal business hours.
    3. Technical issue where functionality, errors, or a performance issue impact some operations.
    4. General guidance where a product or service usage question, product or service setup, or documentation clarification is needed.
  7. Select the Create Support Request button.
  8. The support ticket is created. This ticket can be monitored within the OCI console or via My Oracle Support (MOS).

Manage Exascale Database Vaults on Oracle Exadata Database Service on Exascale Infrastructure

These are the steps to view and delete Exascale storage vaults on Oracle Exadata Database Service on Exascale Infrastructure (ExaDB-XS).

  1. To view Oracle Exascale DB Storage Vault, navigate to the Oracle Exadata Database Service on Exascale Infrastructure blade, and then select Exascale storage vaults. Select the link from the vault Name field to view information of Oracle Exascale DB Storage Vault.
  2. To delete Oracle Exascale DB Storage Vault, navigate to the Oracle Exadata Database Service on Exascale Infrastructure blade, and then select Exascale storage vaults. Select the link from the vault Name field to view the Overview page. Select the Delete button to delete the vault, and then select Yes to confirm the deletion.

Request a Limit Increase for OracleDB@Azure

Learn how to request a service limit increase.

If you need to increase a service limit for your OracleDB@Azure, see Requesting a Limit Increase for Database Resources.

Scale in from a Two Exascale VM Cluster to a Single Exascale VM Cluster

These are the steps to scale in from a two VM cluster to a single VM cluster.

  1. From the Microsoft Azure portal, select the Oracle Database@Azure application.
  2. From the left menu, select Oracle Exadata Database Service on Exascale Infrastructure.
  3. The Vm Clusters section lists available VM clusters. Select your resource from the Vm Clusters list.
  4. From the left menu, select Virtual machines located under the Settings section.
  5. Select the name of your VM, and then select the Remove button. Once the process is complete, the State changes to Terminated.

Azure Key Vault Integration for Oracle Database@Azure

Oracle Database@Azure enables you to use Azure Key Vault for storing and managing your database's TDE keys, also known as master encryption keys (MEKs), in addition to OCI wallet, OCI Vault and Oracle Key Vault. This feature enables Oracle Database@Azure users to utilize Azure Key Vault (AKV) Managed HSM, AKV Premium and AKV Standard for managing TDE MEKs.

Note

This feature is available in the following regions.

Table 1-2

Region
Australia East (Sydney)
Canada Southeast (Toronto)
France Central (Paris)
Germany Central (Frankfurt)

Prerequisites:

The following steps must be completed before you can configure Azure Key Vault as Key Management Service at the Exadata VM Cluster level.
  1. You must first complete the registration required for delegated subnets to use advanced network features mentioned in Network planning for Oracle Database@Azure, and then create an Azure Virtual Network with at least one delegated subnet in it to be used by Exadata VM cluster.
  2. Provision an Exadata VM Cluster via the Azure interface. See Provisioning an Exadata VM Cluster for Azure for step-by-step instructions.
  3. Review the networking requirements to determine whether the VM Cluster will connect to Azure KMS via a public network or through private connectivity. For more information, see Connected Machine agent network requirements or Network Requirements for Creating an Identity Connector and KMS Resources for specific steps to follow.
  4. Ensure that the following policy is created before creating the database.
    allow any-user to manage oracle-db-azure-vaults IN tenancy where ALL { request.principal.type in ('cloudvmcluster') }

Create an Identity Connector from the OCI Console

Creating an Identity Connector installs the Azure Arc agent on the Exadata VM Cluster nodes, registering them as Azure Arc-enabled virtual machines. This enables secure communication with the Azure Key Management Service (KMS) using the Azure identity generated by the Arc agent. The Azure Arc agent can communicate with Azure services over either a public network or a private connectivity setup. For more information, see Azure Arc overview.

Note

  • Each Exadata VM Cluster must have an identity connector enabled to access Azure resources. The identity connector establishes either a public or private connection between the Exadata VM Cluster and Azure Key Management Service resources, depending on the roles assigned.
  • To generate an access token for your current Azure account, see az account get-access-token.

There are two ways to create an identity connector. You can either use the Oracle Exadata Database Service on Dedicated Infrastructure interface or the Database Multicloud Integrations interface.

Oracle Exadata Database Service on Dedicated Infrastructure
  1. From the OCI navigation menu, select Oracle Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure to start the creation process.
    1. From the left menu, select Exadata VM Clusters under Oracle Exadata Database Service on Dedicated Infrastructure.
    2. From the list of Exadata VM Clusters, select the cluster you are using.
    3. Select VM Cluster information, and then navigate to Identity connector located under Multicloud information. Select the Create link.
      Note

      If an identity connector has not been created previously, it is displayed as None.
    4. The Identity connector name, Exadata VM cluster, Azure subscription id, and Azure resource group name are read-only fields and will be populated with values.
    5. Enter your Azure tenant id, and Access token.
    6. Expand the Show advanced options section. The Private connectivity information and Tags sections populate. To enable a private endpoint connection, enter IP address, and DNS Alias.
    7. If you want to add tags for your resources, click the Add tag button, and then enter required values.
    8. Review your selections, and then select the Create button to create an identity connector.
  2. Alternatively, you can create an identity connector from the Database Multicloud Integrations section. For more information, see Create an Identity Connector from the OCI Console.

View the Details of an Identity Connector

  1. From the OCI navigation menu, select Oracle Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
  2. From the list of Exadata VM Clusters, select the cluster you are using.
  3. Select the VM Cluster information tab.
  4. From the Multicloud information section, confirm that the Identity connector field displays the identity connector created previously.
  5. Select the name of the Identity connector to view General Information and Arc agents details.

Enable or Disable the Azure Key Management

This step installs the required library on the Exadata VM Cluster to support Azure Key Vault integration. Ensure that an identity connector is created before enabling Azure Key Management on the Exadata VM Cluster.

  1. Navigate to your existing Exadata VM Cluster from the OCI console, and then select the VM Cluster information tab.
  2. Under the Multicloud information section, navigate to Azure key management, and then select the Enable link to install a library on your Exadata VM Cluster.
  3. Once the key management is enabled, the status of Azure key management changes from Disabled to Enabled.
  4. To disable Azure key management, select the Disable link, and then confirm your choice by selecting the Disable button.
    Note

    Disabling the Azure key management removes the library installed during enablement, which will impact the availability of databases configured to use it.
Note

Azure key management is configured at the VM cluster level, requiring all databases in the cluster to use the same key management solution. However, databases that use Oracle Wallet can coexist alongside those that use Azure Key Vault within the same cluster.

Create Azure Key Vault (Managed HSM, Premium, and Standard) and Assign Required Roles

Note

Create Azure Key Vault that you want to use for TDE key management.
Note

There are specific roles that must be assigned to the group to grant the necessary permissions for accessing and managing Azure Key Vault Managed HSM, Azure Key Vault Premium, and Azure Key Vault Standard resources.
  1. Create a group and add members.
    Note

    Azure groups allow you to manage users by assigning them the same access and permissions to resources.
  2. Assign the following roles based on the type of Azure Key Vault:
    • For Azure Key Vault Managed HSMs:
      • Access control (IAM): Assign the Reader role.
      • Local RBAC: Assign the Managed HSM Crypto User and Managed HSM Crypto Officer roles.
    • For Key Vault Premium and Standard: Assign the Reader and Key Vault Crypto Officer roles.

For more information, see Assign Azure roles using the Azure portal.
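
This Python example is added here and is not part of the Oracle documentation. It audits whether a group holds the roles listed above for each vault type, checking the Access control (IAM) assignments and the Managed HSM Local RBAC assignments separately, and reports roles that are missing as well as roles held beyond that list. The JSON samples and IDs are constructed; the field names roleDefinitionName (IAM export) and roleName (Managed HSM local RBAC export) are assumptions about the shape of your role-assignment export.

```python
import json

# Roles the page lists for each vault type, split by where they are assigned.
REQUIRED = {
    "managed-hsm": {
        "iam": {"Reader"},
        "local": {"Managed HSM Crypto User", "Managed HSM Crypto Officer"},
    },
    "premium": {"iam": {"Reader", "Key Vault Crypto Officer"}, "local": set()},
    "standard": {"iam": {"Reader", "Key Vault Crypto Officer"}, "local": set()},
}

GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"  # constructed group object ID
OTHER_ID = "00000000-0000-0000-0000-00000000bbbb"  # constructed unrelated principal

# Constructed IAM assignments on a Premium vault.
SAMPLE_VAULT_IAM = json.dumps([
    {"principalId": GROUP_ID, "roleDefinitionName": "Reader"},
    {"principalId": GROUP_ID, "roleDefinitionName": "Key Vault Crypto Officer"},
    {"principalId": GROUP_ID, "roleDefinitionName": "Key Vault Administrator"},
    {"principalId": OTHER_ID, "roleDefinitionName": "Owner"},
])

# Constructed IAM and Local RBAC assignments on a Managed HSM.
SAMPLE_HSM_IAM = json.dumps([
    {"principalId": GROUP_ID, "roleDefinitionName": "Reader"},
])
SAMPLE_HSM_LOCAL = json.dumps([
    {"principalId": GROUP_ID, "roleName": "Managed HSM Crypto User", "scope": "/"},
    {"principalId": OTHER_ID, "roleName": "Managed HSM Crypto Officer", "scope": "/"},
])


def roles_for(assignments, principal_id, name_field):
    """Collect the role names assigned to one principal."""
    return {
        a[name_field]
        for a in assignments
        if a.get("principalId") == principal_id and a.get(name_field)
    }


def audit_group(vault_type, group_id, iam_json, local_json="[]"):
    """Compare a group's assignments with the roles required for vault_type."""
    required = REQUIRED[vault_type]
    found = {
        "iam": roles_for(json.loads(iam_json), group_id, "roleDefinitionName"),
        "local": roles_for(json.loads(local_json), group_id, "roleName"),
    }
    report = {}
    for plane in ("iam", "local"):
        report[plane] = {
            "missing": sorted(required[plane] - found[plane]),
            # Roles beyond the documented list: review against least privilege.
            "extra": sorted(found[plane] - required[plane]),
        }
    report["ok"] = not (report["iam"]["missing"] or report["local"]["missing"])
    return report


if __name__ == "__main__":
    print(audit_group("premium", GROUP_ID, SAMPLE_VAULT_IAM))
    print(audit_group("managed-hsm", GROUP_ID, SAMPLE_HSM_IAM, SAMPLE_HSM_LOCAL))
```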

Register Azure Key Vaults in the OCI Console

Follow the instructions described in the Register Azure Key Vaults in the OCI console documentation to register the vault(s) locally in the OCI.
Note

If you have already registered your vault during the creation of a database in your existing Exadata VM Cluster, you can skip this step.

Create a database in your existing Exadata VM Cluster and choose the Azure Key Vault as the key management.

Follow the instructions described in the To create a database in an existing Exadata Cloud Infrastructure instance documentation, and then select your Key management as Azure Key Vault.

Change the Key Management from Oracle Wallet to Azure Key Vault

Learn how to change encryption keys between different encryption methods.

  1. Navigate to your existing Exadata VM Cluster in the OCI console. Select the Databases tab. Then, select the database resource that you are using.
  2. Select the Database information tab, and then scroll down to Key management section.
  3. In the Encryption section, verify that Key management is set to Oracle Wallet, and then select the Change link.
  4. Enter the following information on the Change key management page.
    • Select your Key management as Azure key vault from the drop-down list.
    • Select your Vault compartment that you are using, and then select your Vault that is available in the compartment.
    • Select the Key compartment that you are using, and then select your Key from the dropdown list.
    • Select the Save changes button to submit.
Note

Changing key management from Azure Key Vault to Oracle Wallet cannot be performed using the API or OCI console. It is only supported through the dbaascli tde fileToHsm command. Additionally, switching between Azure Key Vault and OCI Vault or Oracle Key Vault (OKV) is not supported.

Rotate the Azure Key Vault Encryption Keys of a Container Database (CDB)

  1. From the OCI navigation menu, select Oracle Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
  2. Navigate to your existing Exadata VM Cluster in the OCI console, and then select the Databases tab. Choose your container database, and then select the Database information tab.
  3. In the Encryption section, verify that Key management is set to Azure Key Vault, and then select the Rotate key link. Select the Rotate button to confirm the key rotation.
Note

Key rotation must be performed from the OCI console. Rotating the key directly from the Azure portal has no effect on the database.

Rotate the Azure Key Vault Encryption Keys of a Pluggable Database (PDB)

  1. From the OCI navigation menu, select Oracle Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
  2. Select your Exadata VM Cluster, and then select the Databases link from the left menu.
  3. Select the Name field of the database you are using, then select the Pluggable Databases link under the Resources section.
  4. Select the Name field of the pluggable database you want to use.
  5. The Encryption section shows that Key management is set to Azure Key Vault. Select the Rotate link, and then select the Rotate button to confirm the key rotation.