Oracle on Amazon RDS
Amazon RDS supports DB instances running one of several editions of Oracle Database. You can create DB instances and DB snapshots, perform point-in-time restores, and take automated or manual backups. DB instances running Oracle can be used inside a VPC. You can also enable various options to add features to your Oracle DB instance. Amazon RDS currently supports Multi-AZ deployments for Oracle as a high-availability, failover solution. For more information about the supported Oracle versions, see Appendix: Oracle Database Engine Release Notes.
In order to deliver a managed service experience, Amazon RDS does not provide shell access to DB instances, and it restricts access to certain system procedures and tables that require advanced privileges. Amazon RDS supports access to databases on a DB instance using any standard SQL client application such as Oracle SQL Plus. Amazon RDS does not allow direct host access to a DB instance via Telnet or Secure Shell (SSH).
When you create a DB instance, the master account that you use to create the instance gets DBA user privileges (with some limitations). Use this account for any administrative tasks such as creating additional user accounts in the database. The SYS user, SYSTEM user, and other administrative accounts are locked and cannot be used.
Before creating a DB instance, you should complete the steps in the Setting Up for Amazon RDS section of this guide.
Common Management Tasks for Oracle on Amazon RDS
These are the common management tasks you perform with an Amazon RDS Oracle DB instance, with links to relevant documentation for each task:
|Task Area||Relevant Documentation|
Instance Classes, Storage, and PIOPS
If you are creating a DB instance for production purposes, you should understand how instance classes, storage types, and Provisioned IOPS work in Amazon RDS.
A production DB instance should use Multi-AZ deployments. Multi-AZ deployments provide increased availability, data durability, and fault tolerance for DB instances.
Virtual Private Cloud (VPC)
If your AWS account has a default VPC, then your DB instance is automatically created inside the default VPC. If your account does not have a default VPC, and you want the DB instance in a VPC, you must create the VPC and subnet groups before you create the DB instance.
By default, DB instances are created with a firewall that prevents access to them. You therefore must create a security group with the correct IP addresses and network configuration to access the DB instance. The security group you create depends on what EC2 platform your DB instance is on, and whether you will be accessing your DB instance from an EC2 instance.
In general, if your DB instance is on the EC2-Classic platform, you will need to create a DB security group; if your DB instance is on the EC2-VPC platform, you will need to create a VPC security group.
If your DB instance is going to require specific database parameters, you should create a parameter group before you create the DB instance.
If your DB instance is going to require specific database options, you should create an option group before you create the DB instance.
Connecting to Your DB Instance
After creating a security group and associating it to a DB instance, you can connect to the DB instance using any standard SQL client application such as Oracle SQL Plus.
Backup and Restore
You can configure your DB instance to take automated backups, or take manual snapshots, and then restore instances from the backups or snapshots.
You can monitor an Oracle DB instance by using CloudWatch Amazon RDS metrics, events, and enhanced monitoring.
You can access the log files for your Oracle DB instance.
There are also advanced tasks and optional features for working with Oracle DB instances. For more information, see the following documentation:
For information on common DBA tasks for Oracle on Amazon RDS, see Appendix: Common DBA Tasks for Oracle.
For information on Oracle GoldenGate support, see Appendix: Using Oracle GoldenGate with Amazon RDS.
For information on Siebel Customer Relationship Management (CRM) support, see Installing a Siebel Database on Oracle on Amazon RDS.
Limits for Oracle DB Instances
DB Instances Class Restrictions for Oracle Databases
Some instance classes do not work well with Oracle databases because the system resources allocated to the DB instance do not meet the recommended configuration for an Oracle database. For example, the db.t1.micro DB instance class has limited resources and is recommended for testing only. If you choose to use a "micro" DB instance class with Oracle, you should use a db.t2.micro DB instance class. For more information about DB instance classes, see DB Instance Class.
The "micro" DB instance classes only support certain versions. The following versions are supported:
The db.t1.micro DB instance class only supports Oracle versions 220.127.116.11, 18.104.22.168, and 22.214.171.124.
The db.t2.micro DB instance class is recommended for use with Oracle versions 126.96.36.199 and 188.8.131.52.
Oracle 12c with Amazon RDS
Amazon RDS supports Oracle version 12c, such as Oracle version 184.108.40.206.v2. Oracle version 220.127.116.11.v2 is the latest supported version and includes Oracle Enterprise Edition and Oracle Standard Edition Two. Oracle version 12c brings over 500 new features and updates from the previous version. This section covers the features and changes important to using Oracle 12c on Amazon RDS. For a complete list of the changes, see the Oracle 12c documentation.
Oracle 12c includes sixteen new parameters that impact your Amazon RDS DB instance, as well as eighteen new system privileges, several no longer supported packages, and several new option group settings. The following sections provide more information on these changes.
Amazon RDS Parameter Changes for Oracle 12c
Oracle 12c includes sixteen new parameters in addition to several parameters with new ranges and new default values.
The following table shows the new Amazon RDS parameters for Oracle 12c:
CONNECTION_BROKERS = broker_description[,...]
Specifies connection broker types, the number of connection brokers of each type, and the maximum number of connections per broker.
TABLESPACE, TABL, ALL, NONE
Displays the options that are set for table or tablespace level compression inheritance.
Specifies the cache section target size for automatic big table caching, as a percentage of the buffer cache.
Enables the database to track read and write access of all segments, as well as modification of database blocks, due to DMLs and DDLs.
INMEMORY_CLAUSE_DEFAULT enables you to specify a default In-Memory Column Store (IM column store) clause for new tables and materialized views.
NO MEMCOMPRESS,MEMCOMPRESS FOR DML,MEMCOMPRESS FOR QUERY, MEMCOMPRESS FOR QUERY LOW,MEMCOMPRESS FOR QUERY HIGH,MEMCOMPRESS FOR CAPACITY,MEMCOMPRESS FOR CAPACITY LOW,MEMCOMPRESS FOR CAPACITY HIGH
PRIORITY LOW,PRIORITY MEDIUM,PRIORITY HIGH,PRIORITY CRITICAL,PRIORITY NONE
INMEMORY_FORCE allows you to specify whether tables and materialized views that are specified as INMEMORY are populated into the In-Memory Column Store (IM column store) or not.
INMEMORY_MAX_POPULATE_SERVERS specifies the maximum number of background populate servers to use for In-Memory Column Store (IM column store) population, so that these servers do not overload the rest of the system.
ENABLE (default), DISABLE
INMEMORY_QUERY is used to enable or disable in-memory queries for the entire database at the session or system level.
INMEMORY_SIZE sets the size of the In-Memory Column Store (IM column store) on a database instance.
0 to 50
INMEMORY_TRICKLE_REPOPULATE_SERVERS_PERCENT limits the maximum number of background populate servers used for In-Memory Column Store (IM column store) repopulation, as trickle repopulation is designed to use only a small percentage of the populate servers.
STANDARD (default), EXTENDED
Controls the maximum size of VARCHAR2, NVARCHAR2, and RAW.
TRUE (default), FALSE
Enables or disables all of the adaptive optimizer features.
Controls reporting-only mode for adaptive optimizations.
Maps names of existing files to new file names.
1-max of memory
Specifies a limit on the aggregate PGA memory consumed by the instance.
Instructs the database instance to run itself within the specified operating system processor group.
Enables or disables spatial vector acceleration, part of the spatial option.
Determines whether transactions within a particular session can have a temporary undo log.
Enables the multithreaded Oracle model, but prevents OS authentication.
1 MB - 30 MB
Specifies the size of SGA queue for unified auditing.
Determines how dedicated servers are spawned.
Several parameters have new value ranges for Oracle 12c on Amazon RDS. The following table shows the old and new value ranges:
os | db [, extended] | xml [, extended]
os | db [, extended] | xml [, extended] | true | false
Starts with 11.0.0
Starts with 10.0.0
PERMITTED | PREFERRED | ALWAYS | IGNORE | FORCE
PERMITTED | ALWAYS | IGNORE | FORCE
8.0.0 to 18.104.22.168
8.0.0 to 22.214.171.124
0 to parallel_max_servers
CPU_COUNT * PARALLEL_THREADS_PER_CPU * 2 to parallel_max_servers
One parameter has a new default value for Oracle 12c on Amazon RDS. The following table shows the new default value:
Oracle 12c Default Value
Oracle 11g Default Value
Amazon RDS System Privileges for Oracle 12c
Several new system privileges have been granted to the system account for Oracle 12c. These new system privileges include:
ALTER ANY CUBE BUILD PROCESS
ALTER ANY MEASURE FOLDER
ALTER ANY SQL TRANSLATION PROFILE
CREATE ANY SQL TRANSLATION PROFILE
CREATE SQL TRANSLATION PROFILE
DROP ANY SQL TRANSLATION PROFILE
EM EXPRESS CONNECT
EXEMPT DDL REDACTION POLICY
EXEMPT DML REDACTION POLICY
EXEMPT REDACTION POLICY
REDEFINE ANY TABLE
SELECT ANY CUBE BUILD PROCESS
SELECT ANY MEASURE FOLDER
USE ANY SQL TRANSLATION PROFILE
Amazon RDS Options for Oracle 12c
Several Oracle options changed between Oracle 11g and Oracle 12c, though most of the options remain the same between the two versions. The Oracle 12c changes include:
Oracle Enterprise Manager Express (EM Express) replaced Oracle Enterprise Manager DB Control. For more information, see Oracle Database 12c: EM Database Express.
The option XMLDB is installed by default in Oracle 12c. It is no longer an option that you need to install.
The Oracle APEX Listener has been renamed to Oracle REST Data Services (ORDS). ORDS is installed on a separate EC2 instance, just as the APEX Listener was in version 11g. The process for installing ORDS is not the same as for installing the APEX Listener. For instructions on installing ORDS, see Oracle APEX on Amazon RDS Oracle 12c.
APEX and APEX Dev no longer have a dependency on XMLDB since XMLDB is installed by default.
Amazon RDS PL/SQL Packages for Oracle 12c
Oracle 12c includes a number of new built-in PL/SQL packages. The packages included with Amazon RDS Oracle 12c include the following:
The CTX_ANL package is used with AUTO_LEXER and provides procedures for adding and dropping a custom dictionary from the lexer.
The DBMS_APP_CONT package provides an interface to determine if the in-flight transaction on a now unavailable session committed or not, and if the last call on that session completed or not.
The DBMS_AUTO_REPORT package provides an interface to view SQL Monitoring and Real-time Automatic Database Diagnostic Monitor (ADDM) data that has been captured into Automatic Workload Repository (AWR).
The DBMS_GOLDENGATE_AUTH package provides subprograms for granting privileges to and revoking privileges from GoldenGate administrators.
The DBMS_HEAT_MAP package provides an interface to externalize heatmaps at various levels of storage including block, extent, segment, object and tablespace.
The DBMS_ILM package provides an interface for implementing Information Lifecycle Management (ILM) strategies using Automatic Data Optimization (ADO) policies.
The DBMS_ILM_ADMIN package provides an interface to customize Automatic Data Optimization (ADO) policy execution.
The DBMS_PART package provides an interface for maintenance and management operations on partitioned objects.
The DBMS_PRIVILEGE_CAPTURE package provides an interface to database privilege analysis.
The DBMS_QOPATCH package provides an interface to view the installed database patches.
The DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from queries issued by low-privileged users or an application.
The DBMS_SPD package provides subprograms for managing SQL plan directives (SPD).
The DBMS_SQL_TRANSLATOR package provides an interface for creating, configuring, and using SQL translation profiles.
The DBMS_SQL_MONITOR package provides information about real-time SQL Monitoring and real-time Database Operation Monitoring.
The DBMS_SYNC_REFRESH package provides an interface to perform a synchronous refresh of materialized views.
The DBMS_TSDP_MANAGE package provides an interface to import and manage sensitive columns and sensitive column types in the database, and is used in conjunction with the DBMS_TSDP_PROTECT package with regard to transparent sensitive data protection (TSDP) policies. DBMS_TSDP_MANAGE is available with the Enterprise Edition only.
The DBMS_TSDP_PROTECT package provides an interface to configure transparent sensitive data protection (TSDP) policies in conjunction with the DBMS_TSDP_MANAGE package. DBMS_TSDP_PROTECT is available with the Enterprise Edition only.
The DBMS_XDB_CONFIG package provides an interface for configuring Oracle XML DB and its repository.
The DBMS_XDB_CONSTANTS package provides an interface to commonly used constants. Users should use constants instead of dynamic strings to avoid typographical errors.
The DBMS_XDB_REPOS package provides an interface to operate on the Oracle XML database Repository.
The DBMS_XMLSCHEMA_ANNOTATE package provides an interface to manage and configure the structured storage model, mainly through the use of pre-registration schema annotations.
The DBMS_XMLSTORAGE_MANAGE package provides an interface to manage and modify XML storage after schema registration has been completed.
The DBMS_XSTREAM_ADM package provides interfaces for streaming database changes between an Oracle database and other systems. XStream enables applications to stream out or stream in database changes.
The DBMS_XSTREAM_AUTH package provides subprograms for granting privileges to and revoking privileges from XStream administrators.
The UTL_CALL_STACK package provides an interface to provide information about currently executing subprograms.
The following features are not supported for Oracle 12c on Amazon RDS:
Real Application Clusters (RAC)
Data Guard / Active Data Guard
Cloud Control (called Oracle Enterprise Manager Grid Control in previous Oracle versions)
Automated Storage Management
Oracle Label Security
Several Oracle 11g PL/SQL packages are not supported in Oracle 12c. These packages include:
Oracle 11g with Amazon RDS
The following list shows the Oracle 11g features supported by Amazon RDS; for a complete list of features supported by each Oracle 11g edition, go to Oracle Database 11g Editions.
Flashback Table, Query and Transaction Query
Virtual Private Database
Comprehensive support for Microsoft .NET, OLE DB, and ODBC
Automatic Memory Management
Automatic Undo Management
Star Query Optimization
Summary Management - Materialized View Query Rewrite
Oracle Data Redaction (version 126.96.36.199 or later)
Import/Export and sqlldr Support
Oracle Enterprise Manager Database Control
Oracle XML DB (without the XML DB Protocol Server)
Oracle Application Express
Automatic Workload Repository for Enterprise Edition (AWR). For more information, see Working with Automatic Workload Repository (AWR).
Datapump (network only)
Native network encryption (part of the Oracle Advanced Security feature)
Transparent data encryption (Oracle TDE, part of the Oracle Advanced Security feature)
Oracle database engine features that are not currently supported include the following:
Real Application Clusters (RAC)
Real Application Testing
Data Guard / Active Data Guard
Oracle Enterprise Manager Grid Control
Automated Storage Management
Oracle Label Security
Oracle XML DB Protocol Server
Network access utilities such as utl_http, utl_tcp, utl_smtp, and utl_mail are not supported at this time.
The Oracle database engine uses role-based security. A role is a collection of privileges that can be granted to or revoked from a user. A predefined role, named DBA, normally allows all administrative privileges on an Oracle database engine. The following privileges are not available for the DBA role on an Amazon RDS DB instance using the Oracle engine:
Create any directory
Drop any directory
Grant any privilege
Grant any role
When you create a DB instance, the master account that you use to create the instance gets DBA user privileges (with some limitations). Use this account for any administrative tasks such as creating IAM user accounts. The SYS user, SYSTEM user, and other administrative accounts are locked and cannot be used.
Amazon RDS Oracle supports SSL/TLS encrypted connections as well as the Oracle Native Network Encryption (NNE) option to encrypt connections between your application and your Oracle DB instance. For more information about using SSL with Oracle on Amazon RDS, see Using SSL with an Oracle DB Instance. For more information about the Oracle Native Network Encryption option, see Oracle Native Network Encryption.
Using SSL with an Oracle DB Instance
Secure Sockets Layer (SSL) is an industry standard protocol used for securing network connections between client and server. After SSL version 3.0, the name was changed to Transport Layer Security (TLS), but it is still often referred to as SSL and we refer to the protocol as SSL. Amazon RDS supports SSL encryption for Oracle DB instances. Using SSL, you can encrypt a connection between your application client and your Oracle DB instance. SSL support is available in all AWS regions for Oracle.
You enable SSL encryption for an Oracle DB instance by adding the Oracle SSL option to the option group associated with the DB instance. Amazon RDS uses a second port, as required by Oracle, for SSL connections which allows both clear text and SSL-encrypted communication to occur at the same time between a DB instance and an Oracle client. For example, you can use the port with clear text communication to communicate with other resources inside a VPC while using the port with SSL-encrypted communication to communicate with resources outside the VPC.
For information about enabling the Oracle SSL option and configuring an Oracle client to use SSL, see Oracle SSL.
You cannot use both SSL and Oracle native network encryption (NNE) on the same instance. If you use SSL encryption, you must disable any other connection encryption.
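The port split described above can be checked offline against a security group's ingress rules, along with the SSL/NNE exclusivity rule. This is an added example, not AWS code: the input dictionaries mimic the shape of `aws rds describe-option-groups` and `aws ec2 describe-security-groups` output, and the ports, CIDRs and function names are constructed for illustration.

```python
import ipaddress

SSL, NNE = "SSL", "NATIVE_NETWORK_ENCRYPTION"  # RDS option names for Oracle


def encryption_mode(options):
    """Classify an option list as 'ssl', 'nne', 'none' or 'conflict'."""
    names = {opt["OptionName"] for opt in options}
    if SSL in names and NNE in names:
        return "conflict"  # the two options cannot share an instance
    if SSL in names:
        return "ssl"
    return "nne" if NNE in names else "none"


def rule_covers_port(rule, port):
    """True if an ingress rule admits TCP traffic to the given port."""
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def outside_sources(rules, port, vpc_cidr):
    """Source CIDRs that reach the port and are not inside the VPC range."""
    vpc = ipaddress.ip_network(vpc_cidr)
    found = []
    for rule in rules:
        if not rule_covers_port(rule, port):
            continue
        for rng in rule.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if not src.subnet_of(vpc):
                found.append(rng["CidrIp"])
    return found


def audit(instance_port, options, rules, vpc_cidr):
    """Return findings for one DB instance's planned or current settings."""
    mode = encryption_mode(options)
    if mode == "conflict":
        return ["SSL and NNE both requested; use one per instance"]
    if mode == "nne":
        # NNE runs on the listener port itself, so there is no port split.
        return []
    # 'ssl' or 'none': sessions on the listener port are clear text.
    return [
        f"clear-text port {instance_port} reachable from {cidr}"
        for cidr in outside_sources(rules, instance_port, vpc_cidr)
    ]


# Constructed sample data (ports, CIDRs and rules are illustrative only).
SAMPLE_OPTIONS = [{"OptionName": "SSL", "Port": 2484}]
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 2484, "ToPort": 2484,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]

if __name__ == "__main__":
    for finding in audit(1521, SAMPLE_OPTIONS, SAMPLE_RULES, "10.0.0.0/16"):
        print(finding)
```

In the sample, the external range is allowed on both ports, so the audit flags the clear-text listener port while leaving the SSL port rule alone.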
Oracle Version Management
DB Engine Version Management is a feature of Amazon RDS that enables you to control when and how the database engine software running your DB instances is patched and upgraded. This feature gives you the flexibility to maintain compatibility with database engine patch versions, test new patch versions to ensure they work effectively with your application before deploying in production, and perform version upgrades on your own terms and timelines.
Amazon RDS periodically aggregates official Oracle database patches using an Amazon RDS-specific DB Engine version. To see a list of which Oracle patches are contained in an Amazon RDS Oracle-specific engine version, go to Appendix: Oracle Database Engine Release Notes.
Taking advantage of the DB Engine Version Management feature of Amazon RDS is easily accomplished using the ModifyDBInstance API call or the modify-db-instance AWS command line utility. Your DB instances are upgraded to minor patches by default (you can override this setting).
Deprecation of Oracle 188.8.131.52 and 184.108.40.206
On November 15, 2016, Amazon RDS is retiring support for Oracle versions 220.127.116.11 and 18.104.22.168. Oracle is no longer providing patches for these versions. To provide the best experience for AWS customers, we are retiring these versions.
We recommend that before November 1, 2016, you upgrade any DB instances that use Oracle version 22.214.171.124 or 126.96.36.199 to Oracle version 188.8.131.52. For instructions on how to upgrade an Oracle DB instance, see Modifying a DB Instance Running the Oracle Database Engine.
Amazon RDS also supports Oracle version 12c. For more information, see Oracle 12c with Amazon RDS.
Amazon RDS will retire support for Oracle versions 184.108.40.206 and 220.127.116.11 according to the following schedule:
After August 1, 2016, you will no longer be able to create DB instances that use Oracle version 18.104.22.168 or 22.214.171.124.
Beginning on November 1, 2016, DB instances that use Oracle version 126.96.36.199 or 188.8.131.52 will be automatically scheduled for an upgrade to version 184.108.40.206 during the next maintenance window.
On November 15, 2016, any remaining DB instances that use Oracle version 220.127.116.11 or 18.104.22.168 will be immediately upgraded to version 22.214.171.124.
There are two types of licensing options available for using Amazon RDS for Oracle.
Bring Your Own License (BYOL)
In this licensing model, you can use your existing Oracle Database licenses to run Oracle deployments on Amazon RDS. To run a DB instance under the BYOL model, you must have the appropriate Oracle Database license (with Software Update License and Support) for the DB instance class and Oracle Database edition you wish to run. You must also follow Oracle's policies for licensing Oracle Database software in the cloud computing environment. For more information on Oracle's licensing policy for Amazon EC2, go to Licensing Oracle Software in the Cloud Computing Environment.
In the License Included service model, you do not need separately purchased Oracle licenses; AWS holds the license for the Oracle Database software.
Oracle Licensing and Amazon RDS
Amazon RDS currently supports the following Oracle Database Editions under each of the licensing models below:
BYOL: Standard Edition Two (SE2), Standard Edition One (SE1), Standard Edition (SE) and Enterprise Edition (EE)
To run a DB instance under the BYOL model, you must have the appropriate Oracle Database license (with Software Update License & Support) for the DB instance class and Oracle Database edition you wish to run. You must follow Oracle's policies for licensing Oracle Database software in the cloud computing environment. DB instances reside in the Amazon EC2 environment, and Oracle's licensing policy for Amazon EC2 is located here.
Under this model, you will continue to use your active Oracle support account and contact Oracle directly for Oracle Database specific service requests. If you have an active AWS Premium Support account, you can contact AWS Premium Support for Amazon RDS specific issues. Amazon Web Services and Oracle have a multi-vendor support process for cases that require assistance from both organizations.
License Included: Standard Edition One (SE1)
In the "License Included" service model, you do not need separately purchased Oracle licenses; the Oracle Database software has been licensed by AWS.
In this model, if you have an active AWS Premium Support account, you should contact AWS Premium Support for both Amazon RDS and Oracle Database specific service requests.
Using OEM, APEX, TDE, and other options
Most Amazon RDS DB engines support option groups that allow you to select additional features for your DB instance. Oracle DB instances support several options, including OEM, TDE, APEX, and Native Network Encryption. For a complete list of supported Oracle options, see Appendix: Options for Oracle Database Engine. For more information about working with option groups, see Working with Option Groups.