Migrate an Amazon RDS for Oracle database to another AWS account and AWS Region using AWS DMS for ongoing replication - AWS Prescriptive Guidance


Created by Durga Prasad Cheepuri (AWS) and Eduardo Valentim (AWS)

Environment: PoC or pilot

Source: Databases: Relational

Target: Amazon RDS for Oracle

R Type: Relocate

Workload: Oracle

Technologies: Migration; Databases

AWS services: Amazon RDS

Summary

Warning: IAM users have long-term credentials, which presents a security risk. To help mitigate this risk, we recommend that you provide these users with only the permissions they require to perform the task and that you remove these users when they are no longer needed.

This pattern walks you through the steps for migrating an Amazon Relational Database Service (Amazon RDS) for Oracle source database to a different AWS account and AWS Region. The pattern uses a DB snapshot for a one-time full data load, and enables AWS Database Migration Service (AWS DMS) for ongoing replication.

Prerequisites and limitations

Prerequisites

  • An active AWS account that contains the source Amazon RDS for Oracle database, which has been encrypted using a non-default AWS Key Management Service (AWS KMS) key

  • An active AWS account in a different AWS Region from the source database, to use for the target Amazon RDS for Oracle database

  • Virtual private cloud (VPC) peering between the source and target VPCs

  • Familiarity with using an Oracle database as a source for AWS DMS

  • Familiarity with using an Oracle database as a target for AWS DMS 

Product versions

Architecture

Source and target technology stacks

  • Amazon RDS for Oracle DB instance

Ongoing replication architecture

Tools

Tools used for one-time full data load:

  • Amazon RDS DB snapshot - Amazon RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. When you create a DB snapshot, you need to identify which DB instance you are going to back up, and then give your DB snapshot a name so you can restore from it later. The amount of time it takes to create a snapshot varies with the size of your databases. Because the snapshot includes the entire storage volume, the size of files, such as temporary files, also affects the amount of time it takes to create the snapshot. For more information about using DB snapshots, see Creating a DB Snapshot in the Amazon RDS documentation.

  • KMS key for Amazon RDS encryption - When you create an encrypted DB instance, you can also supply the KMS key identifier for your encryption key. If you don't specify a KMS key identifier, Amazon RDS uses your default encryption key for your new DB instance. AWS KMS creates your default encryption key for your AWS account. Your AWS account has a different default encryption key for each AWS Region. For this pattern, the Amazon RDS DB instance should be encrypted using the non-default KMS key. For more information about using KMS keys for Amazon RDS encryption, see Encrypting Amazon RDS Resources in the Amazon RDS documentation.

Tools used for ongoing replication:

  • AWS DMS - This pattern uses AWS DMS to replicate ongoing changes and to keep the source and target databases in sync. For more information about using AWS DMS for ongoing replication, see Working with an AWS DMS Replication Instance in the AWS DMS documentation.

Best practices


Epics

| Task | Description | Skills required |
| --- | --- | --- |
| Prepare the source Oracle DB instance. | Let the Amazon RDS for Oracle DB instance run in ARCHIVELOG mode, and set the retention period. For details, see https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html#CHAP_Source.Oracle.Amazon-Managed. | DBA |
| Set supplemental logging for the source Oracle DB instance. | Set database-level and table-level supplemental logging for the Amazon RDS Oracle DB instance. For details, see https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html#CHAP_Source.Oracle.Amazon-Managed. | DBA |
| Update the KMS key policy in the source account. | Update the KMS key policy in the source AWS account to allow the target AWS account to use the encrypted Amazon RDS KMS key. For details, see https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html#key-policy-modifying-external-accounts. | SysAdmin |
| Create a manual Amazon RDS DB snapshot of the source DB instance. | | AWS IAM user |
| Share the manual, encrypted Amazon RDS snapshot with the target AWS account. | For details, see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html. | AWS IAM user |

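The key policy update in the source account, shown as an added example that is not part of the original pattern: it builds the two statements that give one target account use of the key, and audits a policy for Allow statements that reach further than that. The account IDs in the test data, the Sid values and the function names are constructed for illustration.

```python
import re

# Constructed policy fragments; the action lists follow the AWS example for
# sharing a KMS key with another account for encrypted snapshots.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def cross_account_statements(target_account_id):
    """Statements to append to the source key policy for one target account."""
    principal = {"AWS": f"arn:aws:iam::{target_account_id}:root"}
    return [
        {"Sid": "AllowTargetAccountUseOfKey", "Effect": "Allow",
         "Principal": principal, "Action": USE_ACTIONS, "Resource": "*"},
        # Grants only when an AWS service (here RDS) creates them for the account.
        {"Sid": "AllowTargetAccountGrants", "Effect": "Allow",
         "Principal": principal, "Action": GRANT_ACTIONS, "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_key_policy(policy, owner_account_id, target_account_id):
    """Return findings for Allow statements that open the key beyond the target."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = [principal] if isinstance(principal, str) else as_list(principal.get("AWS", []))
        actions = set(as_list(stmt.get("Action", [])))
        flag = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource", "")
        for arn in arns:
            match = re.search(r"\d{12}", arn)
            account = match.group(0) if match else arn
            if account == owner_account_id:
                continue  # the key owner's own statements are not reviewed here
            if account != target_account_id:
                findings.append(f"{sid}: unexpected principal {arn}")
            if "kms:*" in actions:
                findings.append(f"{sid}: kms:* granted to {arn}")
            if actions & {"kms:*", "kms:CreateGrant"} and str(flag).lower() != "true":
                findings.append(f"{sid}: grants allowed without kms:GrantIsForAWSResource")
    return findings
```

Once the migration is complete, removing these two statements from the source key policy ends the target account's access to the source key.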
| Task | Description | Skills required |
| --- | --- | --- |
| Attach a policy. | In the target AWS account, attach an AWS Identity and Access Management (IAM) policy to the root IAM user, to allow the IAM user to copy an encrypted DB snapshot using the shared AWS KMS key. | SysAdmin |
| Switch to the source AWS Region. | | AWS IAM user |
| Copy the shared snapshot. | In the Amazon RDS console, in the Snapshots pane, choose Shared with Me, and select the shared snapshot. Copy the snapshot to the same AWS Region as the source database by using the Amazon Resource Name (ARN) for the KMS key used by the source database. For details, see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CopySnapshot.html. | AWS IAM user |
| Switch to the target AWS Region, and create a new KMS key. | | AWS IAM user |
| Copy the snapshot. | Switch to the source AWS Region. In the Amazon RDS console, in the Snapshots pane, choose Owned by Me, and select the copied snapshot. Copy the snapshot to the target AWS Region by using the KMS key for the new target AWS Region. | AWS IAM user |
| Restore the snapshot. | Switch to the target AWS Region. In the Amazon RDS console, in the Snapshots pane, choose Owned by Me. Select the copied snapshot and restore it to an Amazon RDS for Oracle DB instance. For details, see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapshot.html. | AWS IAM user |

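The snapshot steps above use the console; the same sequence through the RDS API is sketched here as an added example (not part of the original pattern) to make explicit which account, Region and KMS key each call uses. It assumes three boto3 RDS clients created by the caller and a dict `p` of caller-chosen names, account IDs and key ARNs; the function name and the dict keys are hypothetical.

```python
def relocate_snapshot(src_rds, tgt_rds_src_region, tgt_rds_tgt_region, p):
    """Run the share, copy, re-encrypt and restore steps with three RDS clients.

    The clients are boto3 RDS clients the caller creates: source account in the
    source Region, target account in the source Region, and target account in
    the target Region. `p` holds caller-chosen names, account IDs and key ARNs.
    """
    def wait(client, snapshot_id):
        waiter = client.get_waiter("db_snapshot_available")
        waiter.wait(DBSnapshotIdentifier=snapshot_id)

    # Source account: manual snapshot, shared with the target account only.
    src_rds.create_db_snapshot(DBInstanceIdentifier=p["source_instance"],
                               DBSnapshotIdentifier=p["snapshot"])
    wait(src_rds, p["snapshot"])
    src_rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=p["snapshot"],
                                         AttributeName="restore",
                                         ValuesToAdd=[p["target_account"]])

    # Target account, source Region: a shared snapshot is addressed by its ARN
    # and the copy is encrypted with the shared source key.
    shared_arn = (f"arn:aws:rds:{p['source_region']}:{p['source_account']}"
                  f":snapshot:{p['snapshot']}")
    tgt_rds_src_region.copy_db_snapshot(SourceDBSnapshotIdentifier=shared_arn,
                                        TargetDBSnapshotIdentifier=p["local_copy"],
                                        KmsKeyId=p["source_key_arn"])
    wait(tgt_rds_src_region, p["local_copy"])

    # Target account, target Region: the API call is made in the destination
    # Region and re-encrypts under the new key created there.
    local_arn = (f"arn:aws:rds:{p['source_region']}:{p['target_account']}"
                 f":snapshot:{p['local_copy']}")
    tgt_rds_tgt_region.copy_db_snapshot(SourceDBSnapshotIdentifier=local_arn,
                                        TargetDBSnapshotIdentifier=p["regional_copy"],
                                        KmsKeyId=p["target_key_arn"],
                                        SourceRegion=p["source_region"])
    wait(tgt_rds_tgt_region, p["regional_copy"])

    tgt_rds_tgt_region.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=p["target_instance"],
        DBSnapshotIdentifier=p["regional_copy"])
    return {"shared": shared_arn, "local_copy": local_arn}
```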
| Task | Description | Skills required |
| --- | --- | --- |
| Create an Oracle user with the appropriate permissions. | Create an Oracle user with the required privileges for Oracle as a source for AWS DMS. For details, see https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html. | DBA |
| Configure the source database for Oracle LogMiner or Oracle Binary Reader. | | DBA |

| Task | Description | Skills required |
| --- | --- | --- |
| Create an Oracle user with the appropriate permissions. | Create an Oracle user with the required privileges for Oracle as a target for AWS DMS. For details, see https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.Oracle.html#CHAP_Target.Oracle.Privileges. | DBA |

| Task | Description | Skills required |
| --- | --- | --- |
| Create a replication instance in the target AWS Region. | Create a replication instance in the VPC of the target AWS Region. For details, see https://docs.aws.amazon.com/dms/latest/userguide/CHAP_GettingStarted.html#CHAP_GettingStarted.ReplicationInstance. | AWS IAM user |
| Create source and target endpoints with required encryption, and test connections. | For details, see https://docs.aws.amazon.com/dms/latest/userguide/CHAP_GettingStarted.html#CHAP_GettingStarted.Endpoints. | DBA |
| Create replication tasks. | For the migration type, choose ongoing replication. For the change data capture (CDC) start point, use the Oracle system change number (SCN) when the Amazon RDS snapshot was taken for full load, or the timestamp when the full load was taken. For TargetTablePrepMode, choose DO_NOTHING. If the task has large binary object (LOB) data tables, choose Limited LOB mode, and set the max LOB size to the maximum size of the LOB data in the table. Enable logging. Group tables that are related through keys into a single task. If there are tables with a large amount of LOB data and the table has no relationship with other tables, create a separate task for it with the LOB settings described previously. For details, see https://docs.aws.amazon.com/dms/latest/userguide/CHAP_GettingStarted.html#CHAP_GettingStarted.Tasks. | IAM user |
| Start the tasks and monitor them. | For details, see https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Monitoring.html. | AWS IAM user |
| Enable validation on the task if needed. | Note that enabling validation has a performance impact on replication. For details, see https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Validating.html | AWS IAM user |
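The replication task settings described above, as an added example that is not part of the original pattern: it builds the arguments for the AWS DMS CreateReplicationTask call (boto3 parameter names) with a CDC-only migration type, a single start point, DO_NOTHING table preparation, logging and optional limited LOB mode. The function name, the one-schema table mapping and the argument values are assumptions for illustration.

```python
import json
import math


def cdc_task_request(task_id, source_arn, target_arn, instance_arn, schema,
                     scn=None, start_time=None, max_lob_bytes=None, validate=False):
    """Build keyword arguments for the AWS DMS CreateReplicationTask call."""
    if (scn is None) == (start_time is None):
        raise ValueError("give exactly one CDC start point: scn or start_time")
    settings = {
        "FullLoadSettings": {"TargetTablePrepMode": "DO_NOTHING"},
        "Logging": {"EnableLogging": True},
        "ValidationSettings": {"EnableValidation": validate},
    }
    if max_lob_bytes is not None:
        # Limited LOB mode: LobMaxSize is in KB, so round up so that the
        # largest LOB in the table is not truncated.
        settings["TargetMetadata"] = {
            "SupportLobs": True, "FullLobMode": False, "LimitedSizeLobMode": True,
            "LobMaxSize": math.ceil(max_lob_bytes / 1024)}
    # Assumed mapping: every table of one schema; related tables share a task.
    mappings = {"rules": [{
        "rule-type": "selection", "rule-id": "1", "rule-name": "include-schema",
        "object-locator": {"schema-name": schema, "table-name": "%"},
        "rule-action": "include"}]}
    request = {
        "ReplicationTaskIdentifier": task_id,
        "SourceEndpointArn": source_arn,
        "TargetEndpointArn": target_arn,
        "ReplicationInstanceArn": instance_arn,
        "MigrationType": "cdc",  # ongoing replication; the snapshot was the full load
        "TableMappings": json.dumps(mappings),
        "ReplicationTaskSettings": json.dumps(settings),
    }
    if scn is not None:
        if int(scn) <= 0:
            raise ValueError("SCN must be a positive integer")
        request["CdcStartPosition"] = str(int(scn))
    else:
        request["CdcStartTime"] = start_time  # datetime of the snapshot
    return request
```

The returned dict can be passed as keyword arguments to a boto3 DMS client's `create_replication_task`.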

Related resources