Introduction to Oracle-Managed Disaster Recovery

Failover is the process in which a secondary (standby) instance takes over when the primary working instance fails. Oracle provides a disaster recovery solution that allows you to fail over quickly from natural or human disasters and provide business continuity in your secondary instance. You can also use this solution for planned migrations and switch between instances periodically. Oracle manages nearly all disaster recovery responsibilities automatically for you. Your administrative responsibilities are minimal.

Note:

Oracle-managed disaster recovery is a paid feature. Consult with your sales representative for details.

You don't need to worry about managing DNS changes, load balancing, design-time data synchronization between instances, object storage buckets, and other responsibilities. All message traffic is automatically forwarded to the correct instance. All messaging is bidirectional, meaning you can fail over from one instance to another, and back. Data synchronization between the two instances occurs automatically in near real time to minimize data loss.


Oracle Integration Clients appears at the top. Outbound arrows appear on the left and right sides of the label Oracle Integration Clients. The solid arrow on the left is labeled Primary. The dashed arrow on the right is labeled Secondary. Both arrows connect to separate boxes below, each labeled Oracle Integration. Each box has a subbox inside labeled Integrations. A bidirectional arrow labeled Oracle Synchronization connects between these two boxes. Inbound arrows appear on the bottoms of both Oracle Integration boxes. The solid arrow on the left box is labeled Primary. The dashed arrow on the right box is labeled Secondary. Both arrows are coming from a Connectivity Agent label.

At a high level, the Oracle-managed disaster recovery solution works as follows:
  1. You work in your primary instance (for example, in the Ashburn instance), which then fails and becomes unreachable.
  2. Your administrator logs in to the Oracle Cloud Infrastructure Console for your secondary instance (for example, in the Phoenix instance) and selects to fail over from the Ashburn instance to the Phoenix instance. No other administrator-initiated tasks are required for failover to complete.
  3. Once failover completes, you are prompted to log in to the new primary instance in a different region with the global (regionless) URL and resume work. Data synchronization has occurred in near real time between the two instances since you installed your disaster recovery solution. For this reason, any data loss is minimized.
  4. You work in the instance in Phoenix, which has become the primary instance, until the original primary instance in Ashburn is restored.
  5. Your administrator logs in to the Oracle Cloud Infrastructure Console in either the Ashburn instance or the Phoenix instance and selects to fail over from the Phoenix instance back to the Ashburn instance. No other administrator-initiated tasks are required for failover to complete.
  6. Once failover completes, you are prompted to log in to the instance in the Ashburn instance (which once again becomes the primary instance) and resume work. Because of data synchronization in near real time between the two instances, the data changes you made in the Phoenix instance are visible in the restored Ashburn primary instance.

User Responsibilities

Because Oracle handles nearly all disaster recovery management tasks, your responsibilities as an administrator are kept to a minimum. You have only a few major responsibilities in an Oracle-managed disaster recovery environment:
Task: Subscribe to the secondary region
Description: Subscribe to the secondary region to ensure that secondary instance creation is successful and configure the necessary policies for any default or defined tags you are using.
See: Perform Preinstallation Tasks

Task: Install primary and secondary instances
Description: Select the Enable disaster recovery toggle when installing an instance in the Oracle Cloud Infrastructure Console. This action creates primary and secondary instances in separate, predetermined regions. Data synchronization between the two instances is automatically configured and occurs in near real time.
See: Install and Configure Oracle Integration for Disaster Recovery

Task: Perform prerequisites prior to failover
Description: Review the following prerequisites to determine if they apply to your setup:
  • If your connectivity agent is installed in an Oracle Cloud Infrastructure Compute instance that fails, you must have a plan in place that allows for a quick recovery of the connectivity agent.
  • If you are using your own email tenancy, you must manually maintain your email notification details in your primary and secondary instances.
  • If you are using File Server, connections to it must use the port and hostname, rather than the port and IP address.
See: Perform Failover Prerequisite Tasks

Task: Fail over and fail back between instances in different regions
Description: Two types of failover are supported:
  • If your primary instance is unreachable, you click Start Failover in the Oracle Cloud Infrastructure Console of the secondary instance to fail over to that instance. Once the original primary instance is restored, you can then fail back to that instance.
  • If you want to perform a planned migration between instances periodically, you click Start Failover in the Oracle Cloud Infrastructure Console of either the primary or secondary instance to fail over to the secondary instance.
See: Fail Over to the Other Instance

Task: Configure email notification settings after failover
Description: After failover occurs, you must configure email notification settings on the Notifications page of the new primary instance.
See: Configure Email Notification Settings After Failover
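Two of the prerequisites above (File Server connections must use a hostname rather than an IP address, and email notification details must be maintained manually in both instances when you use your own email tenancy) are easy to check before a failover is ever needed. The following script is an added example, not Oracle's code: it runs a readiness check over a constructed export of connection definitions and of the email notification settings from both instances. The record shape (name, type, host, port) and the use of the type value FTP to identify File Server connections are assumptions for illustration, as are all sample values.

```python
"""Pre-failover readiness check for an Oracle-managed disaster recovery setup.

Added example, not Oracle's code. The record layout below is a constructed
assumption; adapt the field names to whatever your own connection export uses.
"""
import ipaddress

# Constructed sample: connection definitions as exported from the primary instance.
# Assumption: File Server connections appear with type "FTP".
SAMPLE_CONNECTIONS = [
    {"name": "FileServerProd", "type": "FTP", "host": "fileserver.example.internal", "port": 22},
    {"name": "FileServerLegacy", "type": "FTP", "host": "10.0.12.5", "port": 22},
    {"name": "FileServerV6", "type": "FTP", "host": "[fd00::12]", "port": 22},
    {"name": "RestBackend", "type": "REST", "host": "api.example.com", "port": 443},
]

# Constructed sample: email notification settings read from each instance.
SAMPLE_EMAIL_PRIMARY = {
    "sender": "alerts@example.com",
    "recipients": ["ops@example.com"],
    "smtp_host": "smtp.example.com",
}
SAMPLE_EMAIL_SECONDARY = {
    "sender": "alerts@example.com",
    "recipients": ["ops@example.com"],
    "smtp_host": "smtp-old.example.com",  # drifted: only the primary was updated
}


def is_ip_literal(host: str) -> bool:
    """True if host is an IPv4 or IPv6 literal (bracketed IPv6 accepted)."""
    candidate = host.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def find_ip_based_connections(connections, file_server_types=("FTP",)):
    """Names of File Server connections that point at an IP address instead of a hostname.

    After failover, traffic is forwarded by hostname, so an IP-based File Server
    connection would keep pointing at the old instance.
    """
    return [
        c["name"]
        for c in connections
        if c.get("type") in file_server_types and is_ip_literal(c.get("host", ""))
    ]


def email_settings_diff(primary: dict, secondary: dict) -> dict:
    """Keys whose values differ between the two instances, mapped to (primary, secondary)."""
    keys = set(primary) | set(secondary)
    return {
        k: (primary.get(k), secondary.get(k))
        for k in sorted(keys)
        if primary.get(k) != secondary.get(k)
    }


def readiness_report(connections, email_primary, email_secondary):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    findings = []
    for name in find_ip_based_connections(connections):
        findings.append(f"File Server connection '{name}' uses an IP address; switch it to the hostname.")
    for key, (p, s) in email_settings_diff(email_primary, email_secondary).items():
        findings.append(f"Email setting '{key}' differs: primary={p!r} secondary={s!r}; align both instances.")
    return findings


if __name__ == "__main__":
    for line in readiness_report(SAMPLE_CONNECTIONS, SAMPLE_EMAIL_PRIMARY, SAMPLE_EMAIL_SECONDARY):
        print(line)
```

Run this against a real connection export and the Notifications page values of both instances on a schedule, so that drift is caught while the primary is still healthy rather than discovered during a failover.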

Understand Failover Behavior

  • Bidirectional data synchronization (replication) is regularly performed in near real time between the two instances to reduce the chance of data loss after failover.
  • Failover is a one-to-one replication between instances, meaning you can only fail over to a single second instance. You cannot fail over to multiple instances.
  • When a failover is performed, the secondary instance takes over the responsibility of providing all features of the primary instance.
  • The primary instance goes into standby mode and becomes a passive listener when the secondary instance becomes active.
  • All traffic that was originally sent to the initial primary instance is forwarded to the new primary instance.
  • The life cycle operations in the standby instance are disabled in the Oracle Cloud Infrastructure Console with the exception of performing a failover.
  • There are no changes in OAuth credentials after failover.
  • Only design-time metadata is synchronized. Runtime tracking data such as that shown in the activity stream, Instance page, and other observability pages is not synchronized with the secondary instance.
  • You log in to primary and secondary instances with a global URL that does not include a region name.
  • If you delete the primary instance, the secondary instance is also deleted.
  • If you start and stop the primary instance, this has no impact on the secondary instance, which simply remains a passive listener.