Port requirements

The ports required for communication when using Oracle Cloud Infrastructure Database Migration are described in the following table.

Table 11-5 Database Migration Communication Ports

| Initiator | Target | Protocol | Port | Purpose |
|---|---|---|---|---|
| Source database servers | Oracle Cloud Object Store Service | SSL | 443 | This port allows Data Pump dumps to be uploaded to Oracle Cloud Storage |
| Database Migration | Oracle Autonomous Database Serverless target | TCP | 1522 | Allow Oracle client connections to the database over Oracle's SQL*Net protocol |
| Database Migration | Oracle Autonomous Database on Dedicated Exadata Infrastructure target | TCP | 2484 | Allow Oracle client connections to the database over Oracle's SQL*Net protocol |
| Database Migration agent service host | Source and target database servers | TCP | 22 | SSH Authentication-based operations to run Database Migration operational phases. Source and target database servers should accept incoming connections from the Database Migration agent service host. Not applicable to Autonomous Database targets. Note: Required only for SSH connection. |

Note

If you are using a non-default port number (that is, something other than port 1521) for the local listener address, then the non-default port should allow connections.

Configuring Network Security Rules

If you have Oracle Database or Oracle GoldenGate compute instances in private subnets, ensure their subnet security rules or network security groups allow traffic required for Database Migration jobs.

Database Migration allows you to specify a subnet to create a Private Endpoint for Database Migration Connections (Connections). Refer to steps 9 and 10 in Manage connections. For Autonomous Database Connections, the Console pre-populates the subnet field using the Autonomous Database (ADB) subnet; however, you can use the dropdown list to select a different subnet. The corresponding Database Migration API is CreateConnection.

  1. The following EGRESS security rules must be configured for your subnet specified for privateEndpointDetails when creating Database Migration connections:

    | Rule Type | Stateful | Direction | Source Port Range | Protocol | Destination | Destination Port Range |
    |---|---|---|---|---|---|---|
    | SecurityList | No | Egress | All | TCP | CIDR (Classless Inter-Domain Routing) of subnet hosting Co-managed database or Oracle Autonomous Database Serverless | 1521-1523 |
    | SecurityList | No | Egress | All | TCP | CIDR of subnet hosting Oracle Autonomous Database on Dedicated Exadata Infrastructure | 2484 |
    | SecurityList | No | Egress | All | TCP | CIDR of subnet hosting Co-managed database (Note: Required only for SSH connection.) | 22 |
    | SecurityList | No | Egress | All | TCP | CIDR of subnet hosting Oracle GoldenGate compute instance | 443 |
  2. The following INGRESS security rules must be configured for the subnets hosting your databases or Oracle GoldenGate compute instances:

    Subnet Hosting Co-managed System

    | Rule Type | Stateful | Direction | Source | Source Port Range | Protocol | Destination Port Range |
    |---|---|---|---|---|---|---|
    | SecurityList | No | Ingress | CIDR of subnet specified for PrivateEndpoint for Database Migration Connection (Connection) | All | TCP | 1521-1523 |
    | SecurityList | No | Ingress | CIDR of subnet specified for PrivateEndpoint for Database Migration Connection (Connection) (Note: Required only for SSH connection.) | All | TCP | 22 |

    Subnet Hosting ADB-S

    | Rule Type | Stateful | Direction | Source | Source Port Range | Protocol | Destination Port Range |
    |---|---|---|---|---|---|---|
    | SecurityList | No | Ingress | CIDR of subnet specified for PrivateEndpoint for Database Migration Connection (Connection) | All | TCP | 1521-1523 |

    Subnet Hosting ADB-D

    | Rule Type | Stateful | Direction | Source | Source Port Range | Protocol | Destination Port Range |
    |---|---|---|---|---|---|---|
    | SecurityList | No | Ingress | CIDR of subnet specified for PrivateEndpoint for Database Migration Connection (Connection) | All | TCP | 2484 |

    Subnet Hosting Oracle GoldenGate Compute Instance

    | Rule Type | Stateful | Direction | Source | Source Port Range | Protocol | Destination Port Range |
    |---|---|---|---|---|---|---|
    | SecurityList | No | Ingress | CIDR of subnet specified for PrivateEndpoint for Database Migration Connection (Connection) for target database | All | TCP | 443 |
  3. Additionally, if you have configured Network Security Groups (NSGs) for ADB-S or Oracle GoldenGate compute instances, then the following INGRESS rules must be set for the Network Security Groups:

    NSG Associated With ADB-S

    | Rule Type | Stateful | Direction | Source | Source Port Range | Protocol | Destination Port Range |
    |---|---|---|---|---|---|---|
    | NSG rule | No | Ingress | CIDR of subnet specified for PrivateEndpoint for Database Migration Connection (Connection) | All | TCP | 1521-1523 |

    NSG Associated With Oracle GoldenGate Compute Instance

    | Rule Type | Stateful | Direction | Source | Source Port Range | Protocol | Destination Port Range |
    |---|---|---|---|---|---|---|
    | NSG rule | No | Ingress | CIDR of subnet specified for PrivateEndpoint for Database Migration Connection (Connection) for target database | All | TCP | 443 |

Network security groups (NSGs) are associated with individual virtual network interface cards (VNICs), ADBs, compute instances, and so on. You can configure INGRESS and EGRESS NSG rules.

Security lists apply to an entire subnet.

You can use both security lists and NSGs. In this case, a union of security list rules and NSG rules is applied.

For more details, see "Comparison of Security Lists and Network Security Groups" and "If You Use Both Security Lists and Network Security Groups".

Private Endpoint Support

CreateConnection supports the following use cases for databases with private IP addresses:

  1. Database is in subnetA and customer specifies subnetB to create a PrivateEndpoint:

    • SubnetA must allow INGRESS from subnetB for relevant ports

    • SubnetB must allow EGRESS to subnetA for relevant ports

  2. Database is in subnetA and customer selects subnetA to create a PrivateEndpoint:

    • SubnetA’s INGRESS rules must not prohibit subnetA as source for relevant ports

    • SubnetA’s EGRESS rules must not prohibit subnetA as destination for relevant ports
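The following audit sketch is an added example, not Oracle code: it checks a private endpoint subnet's EGRESS rules and a database subnet's INGRESS rules against the port ranges in the tables above, and covers both private endpoint use cases. The rule dictionaries are a simplified, hypothetical shape (not the OCI API schema), the CIDRs are constructed sample values, and the Stateful column is not modelled.

```python
import ipaddress

# Required TCP destination port ranges per database type, from the tables above.
REQUIRED_PORTS = {
    "co-managed": [(1521, 1523)],
    "adb-s": [(1521, 1523)],
    "adb-d": [(2484, 2484)],
    "goldengate": [(443, 443)],
}

def _covers(rule, direction, peer, lo, hi):
    """True if a single TCP rule permits ports lo-hi to/from the whole peer subnet."""
    if rule["direction"] != direction or rule["protocol"] != "TCP":
        return False
    net = ipaddress.ip_network(rule["cidr"])
    rmin, rmax = rule["ports"]
    return net.version == peer.version and peer.subnet_of(net) and rmin <= lo and hi <= rmax

def missing_rules(db_type, db_subnet, pe_subnet, db_rules, pe_rules, ssh=False):
    """List (subnet, direction, peer CIDR, ports) requirements that no rule satisfies."""
    db_net, pe_net = ipaddress.ip_network(db_subnet), ipaddress.ip_network(pe_subnet)
    ports = list(REQUIRED_PORTS[db_type])
    if ssh and db_type == "co-managed":
        ports.append((22, 22))  # port 22 is required only for SSH connections
    gaps = []
    for lo, hi in ports:
        # Private endpoint subnet must allow EGRESS to the database subnet.
        if not any(_covers(r, "egress", db_net, lo, hi) for r in pe_rules):
            gaps.append((pe_subnet, "egress", db_subnet, (lo, hi)))
        # Database subnet must allow INGRESS from the private endpoint subnet.
        if not any(_covers(r, "ingress", pe_net, lo, hi) for r in db_rules):
            gaps.append((db_subnet, "ingress", pe_subnet, (lo, hi)))
    return gaps

# Constructed sample: database in subnetA, private endpoint in subnetB (use case 1).
SUBNET_A, SUBNET_B = "10.0.1.0/24", "10.0.2.0/24"
PE_RULES = [{"direction": "egress", "protocol": "TCP", "cidr": SUBNET_A, "ports": (1521, 1523)}]
DB_RULES = [{"direction": "ingress", "protocol": "TCP", "cidr": SUBNET_B, "ports": (1521, 1521)}]

if __name__ == "__main__":
    for gap in missing_rules("co-managed", SUBNET_A, SUBNET_B, DB_RULES, PE_RULES, ssh=True):
        print("missing:", gap)
```

For use case 2, pass the same subnet and the same rule list for both the database and the private endpoint. A requirement that is met only by combining several narrower rules is reported as a gap, since each rule is checked on its own.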