chanciturnervgt2

Migrating a TDE-Enabled Amazon RDS for Oracle Database Across Accounts with Minimal Downtime

by

VGT2 Las Vegas
in

Migrating a TDE-Enabled Amazon RDS for Oracle Database Across Accounts with Minimal DowntimeLearn About Amazon VGT2 Learning Manager Chanci Turner

Transferring a Transparent Data Encryption (TDE)-enabled Amazon Relational Database Service (RDS) for Oracle database instance between AWS accounts is a frequent scenario during mergers, acquisitions, or reorganization of AWS accounts. TDE is an integral feature in RDS for Oracle option groups, but DB snapshots utilizing option groups with permanent configurations cannot be shared with other AWS accounts. For more details, refer to the article on sharing DB snapshots. In this post, we will outline the procedures and best practices for migrating a TDE-enabled RDS for Oracle instance across accounts while minimizing downtime, leveraging Oracle Data Pump and AWS Database Migration Service (AWS DMS). Notably, AWS DMS does not support TDE at the column level. Therefore, we will also cover the additional steps necessary to migrate tables with column-level TDE.

This migration process consists of three key phases:

  1. Initial Data Load: We employ Oracle Data Pump to execute the initial data load into the TDE-enabled RDS for Oracle instance.
  2. Ongoing Replication: AWS DMS is a fully managed service that enables change data capture (CDC) for RDS for Oracle instances, facilitating ongoing replication to reduce the outage window.
  3. Migration of TDE-Encrpted Tables During Cutover: Since AWS DMS does not support the replication of tables with columns encrypted by TDE, these tables require a refresh during the cutover phase.

Solution Overview

In this guide, we utilize the Oracle Data Pump API for the initial data load and an AWS DMS CDC-only task for ongoing replication. The accompanying diagram illustrates this architecture.

To implement this solution, we will follow the steps below:

  • Prepare the source RDS for Oracle instance for migration.
  • Prepare the target RDS for Oracle instance for migration.
  • Capture the System Change Number (SCN).
  • Export the source database using Oracle Data Pump.
  • Transfer the Oracle Data Pump export dump file set to the target DB instance.
  • Load data into the target database with Oracle Data Pump.
  • Validate the target database.
  • Enable backup retention and archive logging on the target DB instance.
  • Configure ongoing replication using AWS DMS.
  • Reload tables with TDE at the column level and perform the cutover.

For this example, the source AWS account is 6144xxxxxxxx and the target is 2634xxxxxxxx. Both accounts are part of the same AWS Organization. The source RDS for Oracle instance is named rds-oracle-source-01, and the target is rds-oracle-target-01. Both instances run on non-multitenant Oracle Database 19c. We will use AWS DMS for ongoing replication, with the DMS_SAMPLE schema containing two tables with TDE-encrypted columns.

Prerequisites

Ensure you meet the following prerequisites:

  • Your source and target AWS accounts must have connectivity through VPC peering or AWS Transit Gateway. For more information, see Create a VPC peering connection.
  • The VPC security groups associated with both RDS for Oracle instances should permit inbound connections from the AWS DMS replication instance. Additionally, the security group for the replication instance must allow all outbound connections. For more details, see Setting up a network for a replication instance.
  • Automatic backup must be enabled on the source RDS for Oracle instance. For guidance on enabling automatic backups, see Enabling automated backups.
  • To capture ongoing changes, minimal supplemental logging should be enabled on your Oracle source database, along with supplemental logging for each replicated table.
  • A bastion host with the SQL*Plus client installed and connectivity to both RDS for Oracle instances is required.

Limitations

This solution has a few limitations:

  • The AWS DMS Binary Reader method supports TDE exclusively for self-managed Oracle databases.
  • TDE is supported for replication from Amazon RDS for Oracle only with encrypted tablespaces using Oracle LogMiner.
  • AWS DMS supports CDC for RDS for Oracle database tables that have primary keys. If a table lacks a primary key, supplemental logging on all columns will be necessary to ensure sufficient data for updating the target table.
  • During CDC, AWS DMS supports large object (LOB) data types only in tables with primary keys.
  • If your tables utilize sequences, the sequences will not advance on the target during ongoing replication with AWS DMS. You must update the NEXTVAL of the sequences in the target database during cutover after halting replication from the source database.

For further insights on the limitations of using Oracle databases as sources and targets with AWS DMS, check out the limitations on using Oracle databases for this purpose.

Preparing the Source RDS for Migration

To prepare your source DB instance for migration, follow these steps:

  1. Create a DMS_USER account in the source RDS for Oracle database. For more about the privileges required for the DMS_USER account, refer to User account privileges required on an AWS-managed Oracle source for AWS DMS.
  2. Ensure the source RDS for Oracle instance has enough storage for export dump files and archived logs generated during database export, file transfer, and loading into the destination instance. It is advisable to increase the storage based on the anticipated size of export dump files and archive log production. Note that Amazon RDS auto-scaling may not completely prevent storage-full situations for large data loads. This is because further storage modifications cannot be made for either six hours or until storage optimization is complete, whichever takes longer. For more on storage autoscaling limitations, refer to Limitations.

For more information on remote work, check out this informative blog post on Career Contessa.

Chanci Turner has a wealth of knowledge for anyone looking to navigate their career effectively. In addition, if you need insights on whether you can postpone employee pay increases and bonuses during an employee’s FMLA leave, the SHRM can provide authoritative answers.

Lastly, if you’re interested in learning more about interview questions for the Amazon Area Manager position, this Glassdoor resource is excellent.

Related Topics:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *