Configure network connectivity to self-hosted Oracle sources

This page describes how to configure network connectivity to self-hosted Oracle sources for heterogeneous Oracle to AlloyDB for PostgreSQL migrations with Database Migration Service.

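There are three different methods you can use to configure the necessary network connectivity for migrations from self-hosted Oracle sources: IP allowlist, forward-SSH tunnel, and private connectivity with VPC peering. Each method is described in its own section below.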

Configure IP allowlist connectivity

To use the public IP allowlist connectivity method, follow these steps:

  1. Ensure that your source database has an IP address that can be reached from the public internet. You don't need to use the IP address to connect. If you have a DNS record associated with the IP, you can use that instead.
  2. Create an inbound firewall rule on your source database server to accept connections from Database Migration Service. Use the following configuration:
    1. For the rule type, use port.
    2. For the allowed IP address range, add all Database Migration Service public IP addresses for the region where you create the migration job.
    3. Set the protocol to TCP.
    4. Set the port number associated with the rule to the port where your source database is listening for incoming connections. This is the same port number that you need to enter in the source connection profile.

      By default, Oracle servers use port 1521.

    The steps for configuring firewall rules differ depending on what server software you use. For more information, refer to the documentation of your firewall product.

  3. At a later stage, when you create the source connection profile, in the Define connectivity method section, select IP allowlist.
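
The rule from step 2, written out for a Linux host that filters with iptables. This is an added example, not part of the original page: the addresses are constructed placeholders for the Database Migration Service IPs of your region, and the closing DROP rule assumes no other clients need the listener port.

```shell
#!/bin/sh
# Added example. The addresses are constructed placeholders from documentation
# ranges; substitute the Database Migration Service IPs for your region.
DMS_IPS="203.0.113.10 203.0.113.11 198.51.100.24"
LISTENER_PORT=1521   # default Oracle listener port

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# emit_rules PORT IP...: print iptables commands that accept TCP connections
# to PORT only from the listed hosts and drop every other source. Nothing is
# printed if any argument is malformed, so a typo cannot produce a partial or
# wider rule set.
emit_rules() {
    port=$1; shift
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    [ "$#" -gt 0 ] || return 1
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "rejected address: $ip" >&2; return 1; }
    done
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp -s $ip/32 --dport $port -j ACCEPT"
    done
    # Assumes no other clients use this port; add their sources above if so.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Print the rule set for review; it is not applied automatically.
emit_rules "$LISTENER_PORT" $DMS_IPS
```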

Configure connectivity over a forward-SSH tunnel

To connect to your source database with a Secure Shell (SSH) tunnel, follow these steps:

  1. Create a Virtual Machine (VM) that can open the tunnel between Database Migration Service and your source database. The tunnel server can be any Unix/Linux host that:
    • Can be accessed from the public internet over SSH.
    • Can access the private IP address of your source database.
  2. On the SSH server, create a user account that Database Migration Service can use to connect to the SSH tunnel.

    For example, on an Ubuntu system, you can use the following commands:

    1. Create a user account:
      adduser TUNNEL_ACCOUNT_USERNAME
    2. Restrict shell access for the user account to enhance security:
      usermod -s /usr/sbin/nologin TUNNEL_ACCOUNT_USERNAME
  3. Decide what authentication method you want Database Migration Service to use when connecting to the tunnel.

    You can use a password, or generate SSH keys in the PEM format that you can later upload to Database Migration Service when you create the source connection profile.

    • If you want to use a password, you don't need to configure anything additional. Remember what password you created for the TUNNEL_ACCOUNT_USERNAME account.
    • If you want to use key-based authentication, you need to generate a private-public key pair. For example, you can use the ssh-keygen utility:
      1. Generate the key pair:
        ssh-keygen -m PEM -f YOUR_KEY_NAME
      2. Copy the public key (YOUR_KEY_NAME.pub) to the ~/.ssh/ directory on your tunnel server.
      3. Save the private key. You need to upload it later to Database Migration Service when you create the source connection profile.
  4. Edit the /etc/ssh/sshd_config file to configure the forward-SSH tunnel to match your organization's requirements. We recommend using the following settings:
    # Only allow the Database Migration Service user to connect.
    AllowUsers TUNNEL_ACCOUNT_USERNAME
    
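    # Send keep-alive messages to the client every 60 seconds to ensure that
    # the tunnel doesn't close during the migration.
    # (ServerAliveInterval is an ssh client option that sshd rejects;
    # the server-side keyword is ClientAliveInterval.)
    ClientAliveInterval 60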
    
    # Optional: Force key-based authentication
    PasswordAuthentication no
    
    # Enables Database Migration Service to connect from a different host
    PermitTunnel yes
    GatewayPorts yes
  5. Run the ssh command to start the tunnel.

    Before using any of the command data below, make the following replacements:

    • TUNNEL_SERVER_SSH_PORT with the port number where your server is listening for SSH connections.
    • SOURCE_DATABASE_PRIVATE_IP with the private IP address of your source database. The SSH server needs to be able to reach that IP.
    • SOURCE_DATABASE_PORT with the port number where your source database is listening for connections. The default port number for TCP connections on Oracle is 1433.
    • USERNAME with the name of the user account that will be running the tunnel. This is a separate account from TUNNEL_ACCOUNT_USERNAME.
    • TUNNEL_SERVER_PUBLIC_IP with the public IP of your SSH tunnel server.
    ssh -N -L \
    TUNNEL_SERVER_SSH_PORT:SOURCE_DATABASE_PRIVATE_IP:SOURCE_DATABASE_PORT \
    USERNAME@TUNNEL_SERVER_PUBLIC_IP
  6. Create an inbound firewall rule on your SSH tunnel to accept connections from Database Migration Service public IP addresses for the region where you create the migration job.
  7. At a later stage, when you create the source connection profile, do the following:
    1. In the Define connection details section, enter the private IP of your source Oracle instance.
    2. In the Define connectivity method section, select Forward-SSH tunnel.
    3. Provide the public IP address or hostname of your SSH server.
    4. Provide the port that you designated for the SSH connections on the tunnel server.
    5. Enter the username for the user you created for Database Migration Service to connect as (that is, the value of TUNNEL_ACCOUNT_USERNAME).
    6. From the Authentication method drop-down menu, select the authentication method you want to use with the TUNNEL_ACCOUNT_USERNAME user:
      • If you want to use the user password, select Password and enter the TUNNEL_ACCOUNT_USERNAME password in the form.
      • If you configured your SSH server to use key-based authentication, select Private/Public key pair and upload the private key you generated with the ssh-keygen command.
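
A way to narrow the tunnel account from step 2 so that it can forward only to the source database, shown as an added example that is not part of the original page. It assumes Database Migration Service only needs to open a forwarded TCP connection to the address entered in the connection profile; `dms-tunnel` and `10.0.0.5:1521` are constructed placeholders for TUNNEL_ACCOUNT_USERNAME and SOURCE_DATABASE_PRIVATE_IP:SOURCE_DATABASE_PORT.

```shell
#!/bin/sh
# Added example; every value is a constructed placeholder.

# render_match_block USER DB_IP DB_PORT: print an sshd_config Match block that
# lets USER forward TCP to exactly one destination and nothing else.
render_match_block() {
    case "$1" in ''|*[!a-z0-9_-]*) echo "bad user: $1" >&2; return 1 ;; esac
    case "$2" in ''|*[!0-9.]*) echo "bad IPv4 address: $2" >&2; return 1 ;; esac
    case "$3" in ''|*[!0-9]*) echo "bad port: $3" >&2; return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "bad port: $3" >&2; return 1; }
    cat <<EOF
Match User $1
    AllowTcpForwarding local
    PermitOpen $2:$3
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# forwarding_scope USER: read sshd_config text on stdin and print the
# PermitOpen targets set inside USER's Match block, or "unrestricted" when
# there are none (the account may then forward to any host and port).
# Handles the simple "Match User NAME" form only, not pattern lists.
forwarding_scope() {
    awk -v user="$1" '
        tolower($1) == "match" {
            in_block = (tolower($2) == "user" && $3 == user); next
        }
        in_block && tolower($1) == "permitopen" {
            for (i = 2; i <= NF; i++) targets = targets (targets ? " " : "") $i
        }
        END { print ((targets == "" || targets == "any") ? "unrestricted" : targets) }
    '
}

# Constructed sample: the global settings alone, then with the block appended.
BASE_CONFIG='AllowUsers dms-tunnel
PasswordAuthentication no'
HARDENED=$(printf '%s\n%s\n' "$BASE_CONFIG" "$(render_match_block dms-tunnel 10.0.0.5 1521)")

printf '%s\n' "$BASE_CONFIG" | forwarding_scope dms-tunnel
printf '%s\n' "$HARDENED" | forwarding_scope dms-tunnel
```

Append the generated block at the end of /etc/ssh/sshd_config, because a Match block applies to every line that follows it, and run `sshd -t` to validate the file before reloading the service.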

Configure private connectivity with VPC peering

This connectivity method requires that your source database IP address or hostname can be reached from your Google Cloud VPC. Self-hosted sources that reside in networks outside Google Cloud might require that you use additional network components such as Cloud VPN or Cloud Interconnect.

For self-hosted sources in Google Cloud

To use private connectivity with Virtual Private Cloud peering for a source Oracle database hosted on a Compute Engine VM, follow these steps:

  1. Ensure the Virtual Private Cloud network where your VM has an IP address assigned is configured for private services access. For more information, see Configure private services access.
  2. In Database Migration Service, create a private connectivity configuration to peer with the VPC network where you have your Oracle database hosted on a Compute Engine VM.
  3. At a later stage, when you create the source connection profile, do the following:
    1. In the Define connection details section, enter the IP address of the Compute Engine VM where you host the Oracle database.

      You can view the IP address of the VM in the Google Cloud console.

    2. In the Define connectivity method section, select Private connectivity (VPC peering).
    3. From the drop-down menu, select the private connectivity configuration you created in the previous step.

For self-hosted sources outside Google Cloud

To use private connectivity with Virtual Private Cloud peering for a self-hosted Oracle source database that resides in a network outside Google Cloud, follow these steps:

  1. Set up direct connectivity with Cloud VPN to your Oracle source.

    Depending on your network architecture, you might need to set up additional VPN gateways in your system. For more information, see Create HA VPN gateway to a peer VPN gateway in the Cloud VPN documentation.

  2. Optional: If you can't create the private connectivity configuration in the same VPC network where you have the Cloud VPN, create a reverse proxy Virtual Machine (VM) on Compute Engine to forward the connections between VPCs.
  3. In Database Migration Service, create a private connectivity configuration to peer with the VPC network where you have your Cloud VPN.
  4. At a later stage, when you create the source connection profile, do the following:
    1. In the Define connection details section, enter the private IP of your Oracle source.
    2. In the Define connectivity method section, select Private connectivity (VPC peering).
    3. From the drop-down menu, select the private connectivity configuration you created in the previous step.
