Oracle Cloud Infrastructure (OCI) Full Stack Disaster Recovery manages the transition of infrastructure, platforms, and applications between OCI regions from around the globe with a single click using OCI Console, CLI, and REST API.
OCI Identity and Access Management (IAM) lets you control who has access to your cloud resources. You can control the type of access a group of users has and which specific resources. It is recommended to write policies to enforce least privilege and gradually adding permission when required. We are going to assign only the required policies for using Full Stack DR to securely manage and control access to OCI resources. For more details refer to best practices of IAM in OCI.
In this blog post, we will go through the process of an OCI administrator creating various OCI IAM components like users, groups, dynamic groups, policies, etc., which are required to use Full Stack DR and other IAM policies to interact with OCI core services. Refer to OCI IAM documentation to understand more about various IAM components. Finally, we will verify accessing Full Stack DR by logging into the newly created OCI user.
a. Login to the OCI console with administrator credentials and select your home region.
b. From the menu, navigate to Identity & Security ->Domains-> Default Domain->Users->Create user. Provide First name, Last name, Email id, and click Create
You will get an email (provided above) about activating the user account and must follow the instructions to activate the account.
a. Login to the OCI console with administrator credentials and select your home region.
b. From the menu, navigate to Identity & Security ->Domains-> Default Domain->Groups->Create group. Provide Name, Description, and select users to assign this group. You should select the user, which you created in Step 1 and click Create.
a. Login to the OCI console with administrator credentials and select your home region.
b. From the menu, navigate to Identity & Security -> Policies-> Create Policy. Provide Name, Description, Compartment, Policy Builder, enable Show manual editor and add the Policy below.
Select the right compartment details where you will create the Policy. In this example, I am selecting compartment "suraj"
Allow group FullStackDRGroup to manage disaster-recovery-family in compartment suraj
You should use the correct group name (created in step 2) and compartment name in the policy syntax.
In the policy syntax, I have provided “manage disaster-recovery-family” access for using Full Stack DR. If you need to have granular access to different Full Stack DR resource types, you have that option as well. Refer to Full Stack DR policies documentation for more details and modify the policies accordingly.
Full Stack DR implements disaster recovery workflows by managing other OCI resources such as Computes, Databases, Block Storage, Object Storage, Functions,Vaults, Virtual Cloud Network, and more.
We will add these below policies to the policy "fullstackdr-policy" created in step 3. Policies can be modified depending on the resource types (members) which are used with Full Stack DR. Please note the last two policy statements are related to OKE cluster member type, you must replace the respective OKE cluster OCID's. If you are not using OKE member type, you can exclude those last two policy statments.
Allow group FullStackDRGroup to manage buckets in compartment suraj
Allow group FullStackDRGroup to manage objects in compartment suraj
Allow group FullStackDRGroup to manage databases in compartment suraj
Allow group FullStackDRGroup to manage autonomous-database-family in compartment suraj
Allow group FullStackDRGroup to manage instance-family in compartment suraj
Allow group FullStackDRGroup to manage instance-agent-command-family in compartment suraj
Allow group FullStackDRGroup to manage volume-family in compartment suraj
Allow group FullStackDRGroup to manage object-family in compartment suraj
Allow group FullStackDRGroup to read virtual-network-family in compartment suraj
Allow group FullStackDRGroup to use subnets in compartment suraj
Allow group FullStackDRGroup to use vnics in compartment suraj
Allow group FullStackDRGroup to use network-security-groups in compartment suraj
Allow group FullStackDRGroup to use private-ips in compartment suraj
Allow group FullStackDRGroup to read fn-app in compartment suraj
Allow group FullStackDRGroup to read fn-function in compartment suraj
Allow group FullStackDRGroup to use fn-invocation in compartment suraj
Allow group FullStackDRGroup use tag-namespaces in compartment suraj
Allow group FullStackDRGroup read vaults in compartment suraj
Allow group FullStackDRGroup read secret-family in compartment suraj
Allow group FullStackDRGroup to manage load-balancers in compartment suraj
Allow group FullStackDRGroup to manage network-load-balancers in compartment suraj
Allow group FullStackDRGroup to manage file-family in compartment suraj
Allow group FullStackDRGroup to manage cluster-family in comparment suraj
Allow any-user to manage objects in tenancy where all { request.principal.type = 'workload',
request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader',
request.principal.cluster_id = '<Cluster_OCID>'}
Allow any-user to manage objects in tenancy where all { request.principal.type = 'workload',
request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator',
request.principal.cluster_id = '<Cluster_OCID>'}
a. Login to the OCI console with administrator credentials and select your home region.
b. From the menu, navigate to Identity & Security -> Policies-> select the policy created in Step 3-> select Edit Policy Statements->Policy Builder->Advanced
Copy the list of policies as above and hit save changes. Verify whether all the added policies are reflected correctly.
You should use the correct group name (created in step 2) and compartment name in the policy syntax.
Refer to the complete set of services that current integrate with Full Stack DR. Based on the documentation, you can provide restrictive access to other OCI services accordingly.
Full Stack DR has a option to definie more flexible groups called User-Defined Plan groups. You can add user-defined groups and steps to a Disaster Recovery (DR) plan once Full Stack DR has generated the initial DR plan with built-in groups and the default steps. User-Defined Plan groups can be created to execute scripts using Oracle cloud agent on compute instances. For this, we need to create Dynamic group and add right matching rules for the compute instances. Dynamic groups allow you to group OCI compute instances as "principal" actors (similar to user groups). You can then create policies to permit instances to make API calls against OCI Services.
a. Login to the OCI console with administrator credentials and select your home region.
b. From the menu, navigate to Identity & Security ->Domains-> Default Domain->Dynamic Groups->Create Dynamic Group. Provide Name, Description, Matching rules-> Match any rules defined below -> In Rule 1, provide the below details. Make sure you modify your compartment OCID -> click Create . You can narrow it down to specific instances, if so use instance.id.
c.We recommend to create the dynamic group at the specific compartment level. Eg: All {instance.compartment.id = '<compartment_ocid'}
Allow dynamic-group fullstackdr-dg to use instance-agent-command-execution-family in compartment suraj
Allow dynamic-group fullstackdr-dg to manage object-family in compartment suraj
Allow dynamic-group fullstackdr-dg to manage cluster-family in compartment suraj
Full Stack DR uses OCI run command feature to perform tasks like to run iSCSI commands, user-defined scripts ( user-defined plan groups), mounting file system etc. It is essential to prepare the compute instance which is part of the DR protection group with the necessary pre-requisites.
On the compute instance - connect and execute the below commands to provide the ocarun user with admin access.
For Linux, perform the below tasks.
If Windows,perform the below tasks.
You have now set up all of the necessary prerequisites. You should now login into the OCI console as the user (created in step 1) and verify the Full Stack DR functionality. Please make sure you have the necessary user credentials before proceeding further.
a. Login to the OCI console with user credentials and select your home region.
b. From the menu, navigate to Migration and Disaster Recovery->Disaster Recovery->DR Protection Groups
Now you should be able to Create a DR protection group and start working with Full Stack DR.
As part of this blog series, we will discuss various components in OCI Full Stack DR and multiple use cases as well as tips and tricks to take full advantage of Full Stack DR in subsequent blogs. Please stay tuned for the next blog post in the series!!
Full Stack Disaster Recovery OCI Full Stack Disaster Recovery
Full Stack Disaster Recovery Documentation
Suraj Ramesh is a Principal Product Manager at Oracle. He is a member of the Oracle Database High Availability (HA), Scalability, and Maximum Availability Architecture (MAA) Product Management team, which is part of the Product Development of the core Oracle Database technologies.
In his current role, Suraj is responsible as a Product Manager for Oracle Cloud Infrastructure (OCI) Full Stack Disaster Recovery, General MAA focus, and Oracle DB Online Operations. Suraj is the founding Product Manager for OCI Full Stack DR which was launched in October 2022 at Oracle Cloud World.
Before moving into product management, Suraj worked as a database administrator, cloud Architect, and IT manager. Suraj has completed various professional certifications in Oracle Database and Oracle Cloud and associate certifications in AWS and Azure.