Cross Tenancy and Cross-Region Cloning

You can clone an Autonomous AI Database instance from one tenancy (the source tenancy) to a different tenancy (the destination tenancy).

About Cross Tenancy Cloning

When you create a cross tenancy clone you can either select that the clone is created in the same region as the source tenancy or in a different region than the source tenancy (cross-region).

Note:

The cross tenancy cloning option is only available using the CLI or the Autonomous AI Database REST APIs. This option is not available using the Oracle Cloud Infrastructure Console.

Note the following for cross tenancy cloning:

  • All clone types are supported: the cloned database can be a Full clone, a Metadata clone, or a Refreshable clone.

  • A clone can be created from a source Autonomous AI Database instance or from a backup (using the latest backup, a specified backup, or by selecting a long-term backup).

  • The source Autonomous AI Database instance can use either the ECPU or OCPU compute model. Depending on your workload type, you can clone from a source that uses the OCPU compute model to a clone that uses the ECPU compute model (this is allowed for the Data Warehouse and the Transaction Processing workload types).

  • The cloned database can be in the same region or in a different region (cross-region).

  • By default a cross tenancy clone inherits the source database's encryption method, either Oracle-managed encryption keys or customer-managed encryption keys.

  • When the source database uses customer-managed encryption keys, you have several options for the encryption keys on a cloned database. See Cross Tenancy Cloning Encryption Key Options for more information.

Prerequisites for Cross Tenancy Cloning

Describes prerequisites for creating a cross tenancy clone where the source database is in one tenancy and the cloned database is in a different tenancy.

You must run the commands to create a cross tenancy clone on the destination tenancy. Before you create a cross tenancy clone, you need to define OCI Identity and Access Management groups and policies on the source tenancy (the tenancy that contains the instance you are cloning) and on the destination tenancy. These groups and policies allow you to run the clone-creation commands on the destination tenancy and allow the destination tenancy to contact the source tenancy, where the source Autonomous AI Database instance resides.

The OCI Identity and Access Management groups and policies you add support the following:

  • A member of a group in the source tenancy allows a group in the destination tenancy to access (read) the source Autonomous AI Database instance on the source tenancy.

    You do not need to allow other actions on the source Autonomous AI Database instance (for example, start, stop, terminate, or any write operations).

  • A member of a group in the destination tenancy is allowed to create a clone in the destination tenancy using the Autonomous AI Database instance in the source tenancy as the clone source.

    On the destination tenancy you also add a policy that allows a group to manage the Autonomous AI Database instance on the source tenancy. For example, this policy allows the group to create the clone database, and allows a refreshable clone to run commands that contact the source tenancy, such as Refresh and Disconnect.

To create a cross tenancy clone use OCI Identity and Access Management to create the required groups and to define the policies that authorize cross tenancy cloning:

  1. Create a group on the destination tenancy that contains the user that will be allowed to create a clone.
    1. On the destination tenancy, in the Oracle Cloud Infrastructure Console click Identity & Security.
    2. Under Identity click Domains and select an identity domain (or create a new identity domain).
    3. Under Identity domain, click Groups.
    4. To add a group, click Create group.
    5. On the Create group page, enter a Name and a Description.

      For example, enter the Name: DestinationGroup.

    6. On the Create group page, click Create.
    7. Click Create to save the group.
    8. On the Group page, click Assign user to groups and select the users you want to add to the group.
    9. Click Add.
    10. On the Group page, from the Group information tab copy the OCID for use in Step 2.
  2. On the source tenancy, define OCI Identity and Access Management policies for the source Autonomous AI Database instance.
    1. On the source tenancy, in the Oracle Cloud Infrastructure Console click Identity & Security.
    2. Under Identity, click Policies.
    3. To write a policy, click Create Policy.
    4. On the Create Policy page enter a Name and a Description.
    5. On the Create Policy page, select Show manual editor.
    6. In the policy builder, add policies so that the group in the destination tenancy is allowed to create a clone using an Autonomous AI Database instance on the source tenancy as the clone source.

      For example, define the following generic policies:

      define tenancy DestinationTenancy as ocid1.tenancy.oc1..unique_ID
      define group DestinationGroup as ocid1.group.region1..unique_ID
      admit group DestinationGroup of tenancy DestinationTenancy to read autonomous-database-family
             in compartment ocid1.compartment.region1..unique_ID 
             where target.id = 'oc1.autonomousdatabase.oc1..unique_ID'

      This policy specifies the following:

      • Line 1: the OCID is the OCID of the destination tenancy. This is the tenancy where you are going to create the clone.

      • Line 2: the OCID is the OCID of the group to which the user who will create the clone belongs. This is the OCID you created in Step 1.

      • Line 3: The first OCID is the OCID of the compartment where the source database resides. The second OCID, after the where clause, is the OCID of the source Autonomous AI Database instance.

      Note:

      The where clause is optional and provides a more fine-grained way to grant access to a specific database.

      For example, set these policies on the source tenancy to allow cross tenancy cloning:

      define tenancy DestinationTenancy as ocid1.tenancy.oc1..aaa_example_rcyx2a
      define group DestinationGroup as ocid1.group.oc1..aaa_example_6vctn6xsaq
      admit group DestinationGroup of tenancy DestinationTenancy to read autonomous-database-family in compartment 
         ocid1.compartment.region1..bbb_example_rcyx2b where target.id = 'oc1.autonomousdatabase.oc1.aaaabbbbcccc'

      This policy specifies that a user in the DestinationGroup of the DestinationTenancy can read a specific Autonomous AI Database instance in the specified compartment on the source tenancy. To create a cross tenancy clone, the policy only needs to allow read on the source Autonomous AI Database instance.

    7. Click Create to save the policy.
  3. Define policies on the destination tenancy.
    1. On the destination tenancy, in the Oracle Cloud Infrastructure Console click Identity & Security.
    2. Under Identity, click Policies.
    3. To write a policy, click Create Policy.
    4. On the Create Policy page enter a Name and a Description.
    5. On the Create Policy page, select Show manual editor.
    6. In the policy builder, add policies so that a group is endorsed to manage Autonomous AI Databases on the source tenancy.

      For example:

      Define tenancy SourceTenancy as ocid1.tenancy.oc1..unique_ID
      Endorse group DestinationGroup to manage autonomous-database-family in tenancy SourceTenancy

      This policy specifies the following:

      • Line 1: The OCID is the source tenancy OCID. This is the tenancy where the source Autonomous AI Database instance resides.

      • Line 2: Specifies that the DestinationGroup group can manage Autonomous AI Databases in the source tenancy.

    Notes for defining policies on the destination tenancy:

    • For the following policy:

      Endorse group DestinationGroup to manage autonomous-database-family in tenancy SourceTenancy

      This policy allows the group DestinationGroup to create Autonomous Databases and Autonomous Database clones in the source tenancy. You can limit cloning permissions so that the group can only clone Autonomous Databases but cannot create Autonomous Databases, or further limit permission to only create a particular type of clone: Full Clone, Metadata Clone, or Refreshable Clone. See IAM Permissions and API Operations for Autonomous AI Database for more information and examples.

    • If these policies are revoked, cross tenancy cloning is no longer allowed.

See Getting Started with Policies for more information.
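As an added example (not part of the Oracle documentation), the following Python checker parses policy statements written in the pattern shown above and flags what a reviewer would look for before enabling cross tenancy cloning: a source-side admit that grants more than read, a missing where clause (which makes every database in the compartment readable), an alias used without a define, or a missing endorse on the destination tenancy. The sample policies and every OCID in them are constructed placeholders.

```python
import re
# Constructed sample policies in the page's pattern; every OCID here is a placeholder.
SOURCE_POLICY = """
define tenancy DestinationTenancy as ocid1.tenancy.oc1..aaa_example_rcyx2a
define group DestinationGroup as ocid1.group.oc1..aaa_example_6vctn6xsaq
admit group DestinationGroup of tenancy DestinationTenancy to read autonomous-database-family in compartment
   ocid1.compartment.region1..bbb_example_rcyx2b where target.id = 'ocid1.autonomousdatabase.oc1.aaaabbbbcccc'
"""
DESTINATION_POLICY = """
Define tenancy SourceTenancy as ocid1.tenancy.oc1..ccc_example_source
Endorse group DestinationGroup to manage autonomous-database-family in tenancy SourceTenancy
"""
DEFINE = re.compile(r"^define (tenancy|group) (\w+) as (\S+)$", re.I)
ADMIT = re.compile(r"^admit group (\w+) of tenancy (\w+) to (\w+) ([\w-]+) in "
                   r"(?:compartment|tenancy) (\S+)(?: where (.+))?$", re.I)
ENDORSE = re.compile(r"^endorse group (\w+) to (\w+) ([\w-]+) in tenancy (\w+)$", re.I)

def statements(text):
    """One statement per keyword-led line; indented wrapped lines are joined to it."""
    out = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if out and line.split()[0].lower() not in ("define", "admit", "endorse"):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def review_source_policy(text):
    """Source tenancy: admit the destination group to read, and only read, the source database."""
    stmts = statements(text)
    defs = {m.group(2): m.group(1).lower() for m in map(DEFINE.match, stmts) if m}
    admits = [m.groups() for m in map(ADMIT.match, stmts) if m]
    findings = [] if admits else ["no admit statement: the destination group cannot read the source"]
    for group, tenancy, verb, family, scope, where in admits:
        findings += [f"{k} alias {a} is not defined" for a, k in ((group, "group"), (tenancy, "tenancy"))
                     if defs.get(a) != k]
        if verb.lower() != "read":
            findings.append(f"verb '{verb}' grants more than the 'read' that cloning needs")
        if where is None:
            findings.append(f"no where clause: every database in {scope} is readable")
    return findings

def review_destination_policy(text):
    """Destination tenancy: endorse the group to manage Autonomous Databases in the source tenancy."""
    stmts = statements(text)
    defs = {m.group(2): m.group(1).lower() for m in map(DEFINE.match, stmts) if m}
    endorses = [m.groups() for m in map(ENDORSE.match, stmts) if m]
    if not endorses:
        return ["no endorse statement: the clone cannot contact the source tenancy"]
    return [f"tenancy alias {t} is not defined" for *_, t in endorses if defs.get(t) != "tenancy"]
```

An empty findings list means the pair of policies matches the least-privilege shape the page describes; run both reviewers over the exact text you paste into the policy builder.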

Create a Cross Tenancy or Cross-Region Clone

Shows the steps to create a cross tenancy clone when the source database and the cloned database are in the same region, or when the source database and the cloned database are in different regions (cross-region).

Cross-region cloning is not supported in the free tier or for Autonomous Database for Developers instances.

These steps cover creating a Full clone or a Metadata clone. See Create a Cross Tenancy or Cross-Region Refreshable Clone for details on creating a cross tenancy refreshable clone.

Note:

The cross tenancy cloning option is only available using the CLI or the Autonomous AI Database REST APIs. This option is not available using the Oracle Cloud Infrastructure Console.

To create a cross tenancy clone:

  1. Perform the prerequisite steps to define the OCI Identity and Access Management policies to authorize cross tenancy cloning.
  2. On the destination tenancy, in the destination region, use the CLI or call the REST API with a valid clone type (FULL or METADATA) and provide the OCID of the source database, which resides in a different tenancy (the source tenancy).

    For example, with the CLI:

    oci db autonomous-database create-from-clone \
          --clone-type metadata \
          --compartment-id ocid1.tenancy.oc1..unique_ID \
          --source-id ocid1.autonomousdatabase.oc1.iad.unique_ID \
          --db-name dbnameclone \
          --admin-password password \
          --data-storage-size-in-tbs 1 \
          --compute-model ECPU \
          --compute-count 4

    See create-from-clone for more information.

    Use the CreateAutonomousDatabase API to create a cross tenancy clone.

    See the following for additional information on the REST API:

Create a Cross Tenancy Clone from a Backup

Shows the steps to create a cross tenancy clone from a backup.

These steps cover creating a Full clone or a Metadata clone. See Create a Cross Tenancy or Cross-Region Refreshable Clone for details on creating a cross tenancy refreshable clone.

Note:

The cross tenancy cloning option is only available using the CLI or the Autonomous AI Database REST APIs. This option is not available using the Oracle Cloud Infrastructure Console.

To create a cross tenancy clone from a backup:

  1. Perform the prerequisite steps to define the OCI Identity and Access Management policies to authorize cross tenancy cloning.
  2. On the destination tenancy, in the destination region, use the CLI or call the REST API with a valid clone type (FULL or METADATA) and provide the OCID of the backup on the source tenancy, where the source database resides in a different tenancy (the source tenancy).

    Note:

    See Create a Cross Tenancy or Cross-Region Refreshable Clone to create a cross tenancy refreshable clone.

    For example, with the CLI:

    oci db autonomous-database create-from-backup-timestamp \
         --autonomous-database-id ocid1.autonomousdatabase.oc1.iad.anuw_example \
         --clone-type full \
         --compartment-id ocid1.tenancy.oc1..fcue4_example \
         --admin-password password \
         --compute-model ECPU \
         --compute-count 2 \
         --db-name ExampleTest1 \
         --timestamp 2023-12-15T19:30:00Z \
         --data-storage-size-in-tbs 1

    See create-from-backup-timestamp and create-from-backup-id for more information.

    Use the CreateAutonomousDatabase API to create a cross tenancy clone by cloning from a backup of an existing Autonomous Database.

    See the following for information on the REST API:

Cross Tenancy Cloning Encryption Key Options

Autonomous AI Database provides several options for the type and location of encryption keys for a cross tenancy clone.

The cross tenancy cloning option is only available using the CLI or the Autonomous AI Database REST APIs. This option is not available using the Oracle Cloud Infrastructure Console.

Note:

By default, a cross tenancy clone inherits the source's encryption key method, either Oracle-managed encryption keys or customer-managed encryption keys. To create a cross tenancy clone that uses customer-managed encryption keys, you must explicitly include the customer-managed encryption key details in the OCI CLI command when you create the cross tenancy clone.

When the source database uses customer-managed encryption keys, you have the following options for specifying the encryption key type and location when you create a cross tenancy clone:

  • Use Same Key as the Source

    If you want the cross tenancy clone to use the same customer-managed encryption key, that is the key from the OCI Vault on the source database, you must create the required Oracle Cloud Infrastructure Identity and Access Management dynamic group and policies so that the clone can reach the source tenancy's encryption key, and the encryption key must be in the same region as the cross tenancy clone. See Create Dynamic Group and Policies for Customer Managed Keys with Vault in Different Tenancy than the Database for more information.

  • Use Different Key with Vault in same Tenancy as Clone

    If you want to use a different customer-managed encryption key on the cross tenancy clone, where the encryption key for the cross tenancy clone is in an OCI Vault on the clone's tenancy, you must create the required Oracle Cloud Infrastructure Identity and Access Management dynamic group and policies so that the clone can reach the encryption key, and the encryption key must be in the same region as the clone. See Create Dynamic Group and Policies for Customer Managed Keys with Vault in Same Tenancy as Database for more information.

  • Use Different Key with Vault in Third Tenancy

    If you want to use a different customer-managed encryption key, where the encryption key resides in an OCI Vault on a third tenancy that is neither the tenancy of the source database nor the tenancy of the cloned database, you must create the required Oracle Cloud Infrastructure Identity and Access Management dynamic group and policies so that the clone can reach the OCI Vault on the remote tenancy, and the OCI Vault must be in the same region as the clone. See Create Dynamic Group and Policies for Customer Managed Keys with Vault in Different Tenancy than the Database for more information.

  • Use Oracle-managed key

    You can also use Oracle-managed keys on the remote clone even when the source database uses customer-managed encryption keys.

When a cloned database uses customer-managed encryption keys from a remote tenancy:

  • If dynamic group and policies are defined, the Autonomous AI Database details page on the Oracle Cloud Infrastructure Console shows the encryption key name and the key OCID.

  • If the dynamic group and policies are missing (or not valid), or the IAM user in the clone's tenancy does not have sufficient privileges to view the remote key details, the Autonomous AI Database details page shows Encryption key as Customer-managed key.

Note:

Creating a cross tenancy refreshable clone with customer-managed key is not supported.