PuglieseWeb
  • Home
  • Software development
    • Cloud Data Security Principles
      • Separation of Duties (SoD)
      • Security Controls and Data Protection Framework
      • Vaultless Tokenization
    • Multi-cloud strategies
    • DMS
      • How CDC Checkpoints Work
      • Oracle to PostgreSQL Time-Window Data Reload Implementation Guide
      • Join tables separate PostgreSQL databases
      • Multi-Stage Migration Implementation Plan
      • Notes
      • Oracle Golden Gate to PostgreSQL Migration
      • Step-by-Step CDC Recovery Guide: Oracle to PostgreSQL Migration
    • AWS Pro
      • My notes
        • Data Migration Strategy
        • OpsWorks VS CloudFormation
      • Implementation Guides
        • AWS Lambda Scaling and Concurrency Optimization Guide
        • Understanding Cross-Account IAM Roles in AWS
        • HA TCP with Redundant DNS
        • Understanding 429 (Too Many Requests) & Throttling Pattern
        • EC2 Auto Scaling Log Collection Solutions Comparison
        • AWS PrivateLink Implementation Guide for Third-Party SaaS Integration
        • AWS Cross-Account Network Sharing Implementation Guide
        • Cross-Account Route 53 Private Hosted Zone Implementation Guide
          • Route 53
            • Routing Policies
              • Using a Weighted Routing Policy
              • Simple Routing Policy
              • Multivalue Answer Routing
            • Latency Routing Policy
            • Route 53 Traffic Flow
        • Direct Connect Gateway Implementation Guide
        • CICD for Lambda
        • AWS IAM Identity Center Integration with Active Directory
        • AWS Transit Gateway Multi-Account Implementation Guide
          • AWS Multi-Account Network Architecture with Infrastructure Account
      • Links
      • Cloud Adoption Framework
      • Data Stores
        • Data Store Types and Concepts in AWS
        • S3
          • Amazon S3 (Simple Storage Service)
            • Bucket Policies
          • Managing Permissions in Amazon S3
          • Amazon Glacier: AWS Archive Storage Service
          • Lab: Querying Data in Amazon S3 with Amazon Athena
          • LAB: Loading Data into a Redshift Cluster
        • Attached Storage
          • EBS
          • AWS Elastic File System (EFS): From Sun Microsystems to Modern Cloud Storage
          • AWS FSx Service Guide
          • Amazon Storage Gateway Guide
        • Databases
          • Amazon Storage Gateway Guide
          • Amazon RDS (Relational Database Service)
          • Aurora DB
          • Dynamo DB
          • Document DB
          • Amazon Redshift Overview
          • Data Pipeline
            • Data Lake VS Lake Formation
          • AWS Data Preparation Services
          • Amazon Neptune
          • Amazon ElastiCache
          • AWS Specialized Database Services
          • LAB - Deploy an Amazon RDS Multi-AZ and Read Replica in AWS
      • Networking
        • Concept
        • Basics
          • VPC
            • VPC endpoints
              • Interface Endpoint VS Elastic Network Interface (ENI)
            • PrivateLink
              • PrivateLink SAAS Use case
            • Transit Gateway
            • 5G Networks
            • VPN CloudHub
            • VPC security
            • VPC peering
            • VPC Endpoint
            • Route Table (and Routers)
            • Network Access Control List (NACL)
            • Network Security Group
            • NAT Gateway
              • NACL vs NAT
          • Elastic Load Balancing (ELB)
            • Gateway Load Balancer (GWLB)
          • CIDR ranges examples
          • Enhanced Networking
          • Elastic Fabric Adapter (EFA)
          • Elastic Network Interface (ENI)
        • Network to VPC Connectivity
          • Transit VS Direct Connect Gateway
          • Direct Connect
            • VIF (Virtual Interfaces)
            • VIF VS ENI
            • Customer Routers VS Customer Gateways
        • VPC-to-VPC
        • NAT & Internet Gateway
        • Routing
          • IPv4 Address Classes and Subnet Masks
          • VPC's DNS server
          • Transit VPC VS Transit Gateway
          • Example Routing tables configuration
          • Cross-regions failover
        • Enhanced Networking
        • Hybrid and Cross-Account Networking
        • AWS Global Accelerator
        • Route 53
        • Cross-Account Route 53
        • CloudFront SSL/TLS and SNI Configuration
        • ELB
        • Lab: Creating a Multi-Region Network with VPC Peering Using SGs, IGW, and RTs
        • LAB - Creating a CloudFront Distribution with Regional S3 Origins
        • Lab: Creating and Configuring a Network Load Balancer in AWS
        • Lab: Troubleshooting Amazon EC2 Network Connectivity
        • Lab: Troubleshooting VPC Networking
      • Security
        • Cloud Security
          • IAM
            • SCIM
            • Use case 1
          • Core Concepts of AWS Cloud Security
            • OAuth VS OpenID Connect
          • Understanding User Access Security in AWS Organizations
          • Exploring Organizations
          • Controlling Access in AWS Organizations
            • SCP (Service Control Policy) implementation types
        • Network Controls and Security Groups
          • Firewalls
            • Network Controls and Security Groups Overview
          • AWS Directory Services
          • AWS Identity and Access Management (IAM) and Security Services
            • ASW Identity Sources
          • AWS Resource Access Manager (RAM): Cross-Account Resource Sharing
            • AWS App Mesh
        • Encryption
          • History and Modern Implementation of Encryption in AWS
          • Secret Manager
          • DDoS Attacks and AWS Protection Strategies: Technical Overview
          • AWS Managed Security Services Overview
          • IDS and IPS
          • AWS Service Catalog
      • Migrations
        • Migration Concepts
          • Hybrid Cloud Architectures
          • Migration Strategies
        • Migration Application
          • Services and Strategies
          • AWS Data Migration Services
          • Network Migrations and Cutovers
            • Network and Broadcast Addresses
            • VPC DNS
          • AWS Snow Family
      • Architecting to scale
        • Scaling Concepts and Services
          • Auto-Scaling
          • Compute Optimizer
          • Kinesis
          • DynamoDB Scaling
          • CloudFront Part Duex
            • CloudFront's Behavior
            • Lambda@Edge and CloudFront Functions
        • Event-Driven Architecture
          • SNS and Fan-out Architecture
            • SNS & outbox pattern
          • AWS Messaging Services: SQS and Amazon MQ
          • Lab: Scaling EC2 Using SQS
          • Lambda
          • Scaling Containers in AWS
          • Step Function and Batch
          • Elastic MapReduce
          • AWS Data Monitoring and Visualization Services
      • Business Continuity
        • AWS High Availability and Disaster Recovery
        • AWS Disaster Recovery Architectures
        • EBS Volumes
        • AWS Compute Options for High Availability
        • AWS Database High Availability Options
        • AWS Network High Availability Options
        • Lab: Connect Multiple VPCs with Transit Gateway
        • Deployment and Operations Management
          • Software Deployment Strategies
            • AWS CI/CD
            • Elastic Beanstalk
              • Elastic Beanstalk and App Runner
            • CloudFormation
            • Cross-Account Infrastructure Deployment
              • Example Code Pipeline
            • AWS Container Services
            • AWS API Gateway
            • LAB: Understanding CloudFormation Template Anatomy
          • Management Tool
            • Config and OpsWorks
            • System Manager
            • Enterprise Apps
            • AWS Machine Learning Landscape
            • AWS IoT Services
      • Cost Management and Optimization
        • Concepts
        • AWS Cost Optimization Strategies
        • AWS Tagging and Resource Groups
        • Managing Costs Across AWS Accounts
        • AWS Instance Purchasing Options
        • AWS Cost Management Tools
      • Others
        • SCPs vs AWS Config
        • Questions notes
        • Comparison of Deployment Strategies in AWS
        • Bedrock vs EMR
        • Software Deployment Strategies
    • AWS
      • Others
        • AWS Example architectures
          • Gaming application
          • Digital Payment System
            • Marketplace Application
            • Analytics & Reporting System MVP
            • Reporting System 2
            • Data Pipeline
            • Monitoring and visualization solution for your event-driven architecture (EDA) in AWS.
              • Visualize how services are linked together for each business flow
              • Visualize flow and metrics
            • Reporting
            • Data
        • AWS Key Learning
        • AWS NFRs
          • AWS Integration Pattern Comparison Matrix
          • AWS 99.999% Architecture
        • AWS Best Practices
          • use S3 for data migration
          • Principle of centralized control
          • For CPU Spikes in DB use RDS Proxy
          • API Security
          • Lambda VS ECS
          • Use CloudFront for Dynamic content
        • ECS Sizing
        • AWS Q&A
          • AWS Prep
          • prepexam
          • Big Data/ AI Q&A
          • DB Q&A
          • AWS Application Servers Q&A
          • General Q&A
          • VPC Q&A
      • DRs
      • AI, Analytics, Big Data, ML
        • EMR
          • Flink
          • Spark
          • Hadoop
            • Hive
        • Extra
          • Glue and EMR
          • Redshift Use Cases
        • AI
          • Media Services (Elastic Transcoder, Kinesis)
          • Textract
          • Rekognition (part of the exam)
          • Comprehend
          • Kendra
          • Fraud Detector
          • Transcribe, Polly, Lex
          • Translate
          • Time-series and Forecast
        • Big Data
          • Processing & Analytics
            • Amazon Athena VS Amazon Redshift
            • Athena & AWS Glue: Serverless Data Solutions
          • BigData Storage Solutions
          • EMR
        • Business intelligence
        • Sagemaker
          • SageMaker Neo
          • Elastic Inference (EI)
          • Integration patterns with Amazon SageMaker
          • Common Amazon SageMaker Endpoint usage patterns
          • Real-time interfaces
          • ML Example
        • Machine Learning
          • Data Engineering
            • Understanding Data Preparation
            • Feature Engineering: Transforming Raw Data into Powerful Model Inputs
            • Feature Transformation and Scaling in Machine Learning
            • Data Binning: Transforming Continuous Data into Meaningful Categories
          • Exploratory Data Analysis
            • Labs
              • Perform Feature Engineering Using Amazon SageMaker
            • Categorical Data Encoding: Converting Categories to Numbers
            • Text Feature Extraction for Machine Learning
            • Feature Extraction from Images and Speech: Understanding the Fundamentals
            • Dimensionality Reduction and Feature Selection in Machine Learning
          • Modelling
            • Prerequisites for Machine Learning Implementation
            • Classification Algorithms in Machine Learning
            • Understanding Regression Algorithms in Machine Learning
            • Time Series Analysis: Fundamentals and Applications
            • Clustering Algorithms in Machine Learning
      • Databases
        • Capturing data modification events
        • Time-Series Data (Amazon Timestream)
        • Graph DBs
          • Amazon Neptune
        • NoSQL
          • Apache Cassandra (Amazon Keyspaces)
          • Redshift
            • Redshift's ACID compliance
          • MongoDB (Amazon DocumentDB)
          • DynamoDB
            • Additional DynamoDB Features and Concepts
            • DynamoDB Consistency Models and ACID Properties
            • DynamoDB Partition Keys
          • Amazon Quantum Ledger DB (QLDB)
        • RDS
          • DR for RDS
          • RDS Multi-AZ VS RDS Proxy
          • Scaling Relational Databases
          • Aurora Blue/Green deployments
          • Aurora (Provisioned)
          • Amazon Aurora Serverless
        • Sharing RDS DB instance with an external auditor
      • Caching
        • DAX Accelerator
        • ElastiChache
        • CloudFront (External Cache)
        • Global Accelerator (GA)
      • Storages
        • S3
          • MFA Delete VS Object Lock
          • S3 Standard VS S3 Intelligent-Tiering
        • Instance Storage
        • EBS Volumes
          • Burst Capacity & Baseline IOPS
          • Provisioned IOPS vs GP3
          • EBS Multi-Attach
        • Snapshots
        • AWS Backup
        • File Sharing
          • FSx (File system for Windows or for Lustre)
          • EFS (Elastic File System)
      • Migration
        • Migration Hub
        • Application Discovery Service
        • Snow Family
        • DMS
        • SMS (Server Migration Service)
        • MGN (Application Migration Service)
        • Transfer family
        • DataSync
        • Storage Gateway
          • Volume gateway
          • Tape Gateway
          • File Gateway
          • Storage Gateway Volume Gateway VS Storage Gateway File Gateway
        • DataSync VS Storage Gateway File Gateway
      • AWS Regional Practices and Data Consistency Regional Isolation and Related Practices
      • Front End Web application
        • Pinpoint
        • Amplify
        • Device Farm
      • Glossary
      • Governance
        • Well-Architected Tool
        • Service Catalog and Proton
          • AWS Service Catalog
          • AWS Proton
        • AWS Health
        • AWS Licence Manager
        • AWS Control Tower
        • AWS Trusted Advisor
        • Saving Plans
        • AWS Compute Optimizer
        • AWS CUR
        • Cost Explorer and Budgets
        • Directory Service
        • AWS Config
        • Cross-Account Role Access
        • Resource Access Manager (RAM)
        • Organizations, Accouts, OU, SCP
      • Automation
        • System Manager (mainly for inside EC2 instances)
        • Elastic Beanstalk (for simple solutions)
        • IaC
          • SAM
          • CloudFormation
            • !Ref VS !GetAtt
            • CloudFormation examples
      • Security
        • Identity Management Services
          • IAM
            • Identity, Permission, Trust and Resource Policies
              • IAM Policy Examples
              • Trust policy
            • IAM roles cannot be attached to IAM Groups
            • AWS IAM Policies Study Guide
            • Cross-Account Access in AWS: Resource-Based Policies vs IAM Roles
            • EC2 instance profile VS Trust policy
          • Cognito
        • STS
        • AI based security
          • GuardDuty
          • Macie (S3)
        • AWS Network Firewall
        • Security Hub
        • Detective (Root Cause Analysis)
        • Inspector (EC2 and VPCs)
        • System Manager Parameter Store
        • Secret Manager
          • Secret Manger VS System Manager's Parameter Store
          • Secret Manager VS AWS KMS
        • Shield
          • DDoS
        • KMS vs CloudHSM
        • Firewall Manager
        • AWS WAF
      • Compute
        • Containers
          • ECS
            • ECS Anywhere
          • EKS
            • EKS Anywhere
          • Fargate
            • ECS Fargate VS EKS Fargate
          • ECR (Elastic Container Registry)
        • EC2
          • EC2 Purchase Options
            • Spot instances VS Spot Fleet
          • EC2 Instance Types
            • T Instance Credit System
          • Auto Scaling Groups (ASG)
          • Launch Template vs. Launch Configuration
          • AMI
          • EC2 Hibernation
        • Lambda
          • Publish VS deploy
      • Data Pipeline
      • ETL
      • AppFlow
      • AppSync
      • Step Functions
      • Batch
        • Spring Boot Batch VS AWS Batch
      • Decoupling Workflow
      • Elastic Load Balancers
      • Monitoring
        • OpenSearch
        • CloudWatch Logs Insights VS AWS X-Ray
        • QuickSight
        • Amazon Managed Service for Prometheus
        • Amazon Managed Grafana
        • CloudWatch Logs Insights
          • CloudWatch Logs Insights VS Kibana VS Grafana
        • CloudWatch Logs
        • CloudTrail
        • CloudWatch
        • X-Ray
      • On-Premises
        • ECS/EKS Anyware
        • SSM Agent
      • Serverless Application Repository
      • Troubleshooting
      • Messaging, Events and Streaming
        • Kinesis (Event Stream)
        • EventBridge (Event Router)
          • EventBridge Rule Example
          • EventBridge vs Apache Kafka
          • EventBridge VS Kinesis(Event Stream)
          • Event Bridge VS SNS
        • SNS (Event broadcaster)
        • SQS (Message Queue)
        • MSK
        • Amazon MQ
        • DLQ
    • Software Design
      • CloudEvents
        • CloudEvents Kafka
      • Transaction VS Operation DBs
      • Event-based Microservices
        • Relations database to event messages
      • Hexagonal Architecture with Java Spring
      • Distributed Systems using DDD
        • Scaling a distributed system
        • Zookeeper
        • Aggregates
        • Bounded Context
      • API Gateway
      • Cloud
        • The Twelve Factors
        • Open Service Broker API
      • Microservices
    • Design technique
    • Technologies
      • Kafka
      • Docker
        • Docker Commands
        • Artifactory
        • Dockerfile
      • ReactJs
        • Progressive Web App (PWA)
        • Guide to File Extensions in React Projects
    • Guides
      • OCP
      • AWS
        • Creating and Assuming an Administrator AWS IAM Role
        • Standing Up an Amazon Aurora Database with an Automatically Rotated Password Using AWS Secrets Manag
        • Standing Up an Apache Web Server EC2 Instance and Sending Logs to Amazon CloudWatch
        • Creating a Custom AMI and Deploying an Auto Scaling Group behind an Application Load Balancer
        • Assigning Static IPs to NLBs with ALB Target Groups
        • Hosting a Wordpress Application on ECS Fargate with RDS, Parameter Store, and Secrets Manager
        • Amazon Athena, Amazon S3, and VPC Flow Logs
      • Creating a CloudTrail Trail and EventBridge Alert for Console Sign-Ins
      • Load Balancer VS Reverse Proxy
      • Health check
      • Load Balancer
      • HTTP Protocol
      • TCP/IP Network Model
      • Event-base Microservices Implementation Guideline
      • How to write a service
      • Observability
      • Kafka Stream
      • Security
        • Securing Properties
          • HashiCorp Vault
      • Kubernates
      • Unix
        • Networking
        • Firewall
        • File system
        • alternatives
      • Setup CentOS 8 and Docker
    • Dev Tools
      • Docker Commands
      • Intellij
      • CheatSheets
        • Unix Commands
        • Vim Command
      • Templates
  • Working for an enterprise
    • Next step
    • Job roles
      • SME role
    • Common issues
Powered by GitBook
On this page
  • Architecture Decision Record: Oracle to PostgreSQL Migration Strategy
  • Context
  • Decision Drivers
  • Options Analysis
  • Decision
  • Network Architecture Diagrams
  • Implementation Plan
  • Security Considerations
  • Monitoring and Validation Strategy
  • Network and TLS Configuration Details

Was this helpful?

  1. Software development
  2. DMS

Oracle Golden Gate to PostgreSQL Migration

Architecture Decision Record: Oracle to PostgreSQL Migration Strategy

Context

  • Current Environment:

    • Two Oracle database instances in Datacenter A

    • Two Oracle database instances in Datacenter B

    • Oracle GoldenGate performing homogeneous replication between instances

    • Business application using a service name to connect to one Oracle instance at a time

    • TLS not currently enabled between application and Oracle databases

    • AWS Direct Connect already established between on-premises datacenters and AWS

    • Some data is encrypted using Oracle Transparent Data Encryption (TDE)

    • Oracle service provides transparent connection routing to active instances

  • Target Environment:

    • AWS PostgreSQL as the destination database

    • Need for ongoing replication using CDC (Change Data Capture)

    • Desire to enable TLS specifically for the DMS migration path

Decision Drivers

  • Minimize disruption to existing business applications

  • Ensure data consistency during and after migration

  • Enable secure data transfer using TLS for the migration path

  • Leverage existing Oracle GoldenGate infrastructure where beneficial

  • Ensure compatibility between source Oracle systems and target PostgreSQL

Options Analysis

Option 1: Direct AWS DMS with Oracle TLS Source Endpoint

  • Description: Configure AWS DMS to connect directly to one Oracle instance per datacenter with TLS enabled specifically for these connections

  • Advantages:

    • Simpler architecture with direct DMS-to-Oracle connection

    • Can enable TLS specifically for DMS connections

    • Leverages AWS DMS's built-in CDC capabilities

  • Disadvantages:

    • Need to reconfigure if the active Oracle instance changes

    • Requires opening firewall rules from AWS to on-premises

    • Additional load on production databases

Option 2: AWS DMS + Oracle GoldenGate as CDC Source

  • Description: Use existing GoldenGate infrastructure to consolidate changes to a dedicated Oracle instance, which becomes the source for AWS DMS

  • Advantages:

    • Leverages existing GoldenGate replication

    • Isolates migration traffic from production databases

    • Single entry point for AWS DMS regardless of which instance is active

  • Disadvantages:

    • Additional Oracle instance required

    • More complex architecture

    • Potential for slightly increased latency

Option 3: Oracle GoldenGate + AWS DMS with Initial Load Optimization

  • Description: Use AWS DMS for initial load with Oracle GoldenGate handling ongoing CDC to PostgreSQL

  • Advantages:

    • Utilizes GoldenGate's proven replication capabilities

    • Can optimize initial load through DMS parallel processing

    • Potentially better control over transformation logic

  • Disadvantages:

    • Requires GoldenGate license for heterogeneous replication

    • More complex setup and maintenance

    • Requires expertise in both GoldenGate and DMS

Option 4: AWS SCT + DMS with GoldenGate-Isolated Source

  • Description: Use AWS Schema Conversion Tool (SCT) for schema migration, DMS for data migration, with a GoldenGate-replicated Oracle instance as the source

  • Advantages:

    • Comprehensive schema conversion capabilities

    • Isolates production databases from migration workload

    • Can implement TLS just on the dedicated migration path

  • Disadvantages:

    • More components to manage

    • Additional Oracle instance required

    • Requires expertise across multiple tools

Decision

Recommended Approach: Option 2 - AWS DMS + Oracle GoldenGate as CDC Source

This approach provides the best balance of leveraging existing infrastructure, minimizing impact on production systems, and providing a clean migration path with TLS security.

Key benefits for this specific environment:

  • Leverages existing Direct Connect for secure connectivity between AWS and on-premises

  • Enables TLS specifically for the migration path without disrupting existing application connections

  • Isolates migration workload from production databases

  • Creates a single, stable source endpoint for AWS DMS regardless of which production instance is active

Network Architecture Diagrams

Current Application Access (Non-TLS)

┌─────────────────┐                                 ┌─────────────────────────┐
│                 │                                 │    Datacenter A         │
│    Business     │                                 │  ┌─────────────────┐    │
│    Application  │◄───Oracle Service Name──────────┼─►│  Oracle DB A1   │    │
│                 │  (load-balanced, non-TLS)       │  └─────────────────┘    │
└─────────────────┘                                 │                         │
                                                    │  ┌─────────────────┐    │
                                                    │  │  Oracle DB A2   │    │
                                                    │  └─────────────────┘    │
                                                    └─────────────────────────┘
                                                                │
                                                                │ GoldenGate
                                                                │ Replication
                                                                ▼
                                                    ┌─────────────────────────┐
                                                    │    Datacenter B         │
                                                    │  ┌─────────────────┐    │
                                                    │  │  Oracle DB B1   │    │
                                                    │  └─────────────────┘    │
                                                    │                         │
                                                    │  ┌─────────────────┐    │
                                                    │  │  Oracle DB B2   │    │
                                                    │  └─────────────────┘    │
                                                    └─────────────────────────┘

Oracle Service and Connection Proxy Architecture

┌─────────────────┐                                 ┌─────────────────────────┐
│                 │                                 │      Oracle Service     │
│    Business     │◄───────────────────────────────►│  ┌─────────────────┐   │
│    Application  │                                 │  │ Oracle Net      │   │
│                 │                                 │  │ Listener        │   │
└─────────────────┘                                 │  └───────┬─────────┘   │
                                                    │          │             │
                                                    │          ▼             │
                                                    │  ┌─────────────────┐   │
                                                    │  │ Connection      │   │
                                                    │  │ Manager Proxy   │   │
                                                    │  └───────┬─────────┘   │
                                                    └──────────┼─────────────┘
                                                               │
                         ┌────────────────────────────────────┐│┌─────────────────────────────────┐
                         │                                    ││                                  │
                         ▼                                    ▼▼                                  ▼
              ┌─────────────────────────┐        ┌─────────────────────────┐        ┌─────────────────────────┐
              │    Datacenter A         │        │    Datacenter A         │        │    Datacenter B         │
              │  ┌─────────────────┐    │        │  ┌─────────────────┐    │        │  ┌─────────────────┐    │
              │  │  Oracle DB A1   │    │        │  │  Oracle DB A2   │    │        │  │  Oracle DB B1   │    │
              │  └─────────────────┘    │        │  └─────────────────┘    │        │  └─────────────────┘    │
              └─────────────────────────┘        └─────────────────────────┘        └─────────────────────────┘

Oracle Service Components

  1. Oracle Net Listener:

    • Listens for client connection requests

    • Receives initial connection through the service name (e.g., PROD_SERVICE)

    • Forwards connection to the Connection Manager based on the service configuration

  2. Connection Manager Proxy (CMAN):

    • Acts as a proxy between clients and database servers

    • Performs load balancing across available database instances

    • Provides session multiplexing and connection concentration

    • Can implement network access control rules

  3. Service Configuration:

    # Example tnsnames.ora configuration
PROD_SERVICE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = oracle-cman.example.com)(PORT = 1521))
    (CONNECT_DATA =
      (SERVICE_NAME = PROD_SERVICE)
    )
  )

  4. Migration-Specific Service Configuration:

    • Create a dedicated service for AWS DMS connections

    • Example:

    MIGRATION_SERVICE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = migration-oracle.example.com)(PORT = 2484))
    (CONNECT_DATA =
      (SERVICE_NAME = MIGRATION_SERVICE)
    )
    (SECURITY =
      (SSL_SERVER_CERT_DN = "CN=migration-oracle.example.com,O=Your Organization")
    )
  )

  5. Configuration for TLS-Only Migration Service:

    • Configure a separate Oracle Net Listener for TLS connections

    • Create a dedicated Connection Manager profile for migration traffic

    • Ensure the migration service points only to the dedicated Oracle instance

    • Apply network access controls to allow only AWS DMS IP ranges

Proposed Migration Architecture with TLS for DMS

┌─────────────────┐                                 ┌─────────────────────────┐
│                 │                                 │     Oracle Service      │
│    Business     │◄───Oracle Service Name──────────┼─►┌─────────────────┐    │
│    Application  │  (load-balanced, non-TLS)       │  │ Connection      │    │
│                 │                                 │  │ Manager Proxy   │    │
└─────────────────┘                                 │  └──────┬──────────┘    │
                                                    └──────────┼───────────────┘
                                                               │
                                  ┌──────────────────────┐     │     ┌──────────────────────┐
                                  │                      │     │     │                      │
                                  ▼                      ▼     ▼     ▼                      ▼
                    ┌─────────────────────────┐   ┌─────────────────────────┐   ┌─────────────────────────┐
                    │    Datacenter A         │   │    Datacenter A         │   │    Datacenter B         │
                    │  ┌─────────────────┐    │   │  ┌─────────────────┐    │   │  ┌─────────────────┐    │
                    │  │  Oracle DB A1   │    │   │  │  Oracle DB A2   │    │   │  │  Oracle DB B1   │    │
                    │  │ (TDE enabled)   │    │   │  │ (TDE enabled)   │    │   │  │ (TDE enabled)   │    │
                    │  └─────────────────┘    │   │  └─────────────────┘    │   │  └─────────────────┘    │
                    └─────────────────────────┘   └─────────────────────────┘   └─────────────────────────┘
                                 │                           │                             │
                                 │                           │                             │
                                 │        GoldenGate         │                             │
                                 └───────────Replication─────┴─────────────────────────────┘
                                                   │
                                                   ▼
┌───────────────────────┐                 ┌─────────────────────────────────┐
│        AWS            │                 │         Dedicated Migration      │
│                       │ AWS Direct      │         Environment              │
│  ┌─────────────────┐  │ Connect         │  ┌───────────────────────────┐  │
│  │                 │  │                 │  │  Oracle TLS Listener      │  │
│  │  DMS            │  │                 │  │  (Port 2484)              │  │
│  │  Replication    │◄─┼─TLS Connection──┼─►│                           │  │
│  │  Instance       │  │ with TDE Wallet │  │  Migration Oracle DB      │  │
│  │                 │  │                 │  │  (TDE Keys Available)     │  │
│  └─────────────────┘  │                 │  └───────────────────────────┘  │
│         │             │                 └─────────────────────────────────┘
│         │             │
│         ▼             │
│  ┌─────────────────┐  │
│  │                 │  │
│  │  PostgreSQL     │  │
│  │  Target with    │  │
│  │  pgcrypto       │  │
│  └─────────────────┘  │
│                       │
└───────────────────────┘

Implementation Plan

1. Prepare the Environment

  • Create a dedicated Oracle instance to serve as the GoldenGate target and DMS source

  • Configure this instance with TLS enabled

  • Ensure network connectivity between AWS and the dedicated Oracle instance

  • Provision AWS DMS replication instance with appropriate specifications

  • TDE Considerations: Set up the Oracle wallet with TDE keys from production databases

2. Configure Oracle Connection Manager and Services

  • Set up Oracle Connection Manager (CMAN) if not already in use

  • Create a dedicated service for AWS DMS connections with TLS enforcement

  • Configure network access control rules to restrict access to the migration service

  • Test connection routing through both standard and TLS-enabled services

3. Configure Oracle GoldenGate

  • Configure GoldenGate to replicate from all Oracle instances to the dedicated instance

  • Verify that all necessary tables and schemas are included in the replication

  • TDE Considerations: Ensure GoldenGate has appropriate wallet access for TDE-encrypted columns

  • Test GoldenGate replication performance and consistency

3. Configure TLS for the Dedicated Oracle Instance

  • Generate TLS certificates for the dedicated Oracle instance

  • Configure Oracle listener for TLS connections

  • Set up Oracle wallet with certificates

  • Test TLS connectivity locally to ensure proper setup

  • Document TLS configuration for future reference

4. Setup AWS Schema Conversion Tool (SCT)

  • Use AWS SCT to convert Oracle schemas to PostgreSQL format

  • Review and adjust any incompatible objects or data types

  • Create the target schema in PostgreSQL

6. Configure AWS DMS

  • Create source endpoint connecting to the dedicated Oracle instance with TLS enabled:

    {  "EndpointIdentifier": "oracle-tde-source",  "EndpointType": "source",  "EngineName": "oracle",  "Username": "dms_user",  "Password": "{{password}}",  "ServerName": "migration-oracle.example.com",  "Port": 2484,  "DatabaseName": "MIGDB",  "SslMode": "verify-full",  "CertificateArn": "arn:aws:dms:region:account:certificate:cert-id",  "ExtraConnectionAttributes": "useLogminerReader=N;useBfile=Y;accessAlternateDirectly=false;useAlternateFolderForOnline=true;oraclePathPrefix=/rdsdbdata/log/;usePathPrefix=/rdsdbdata/log/;replacePathPrefix=true"}

  • Create target endpoint connecting to AWS PostgreSQL

  • Create replication task with appropriate settings for full load + CDC

  • Configure table mappings and transformation rules as needed

  • TDE-specific configuration: Include Oracle wallet location in the DMS task settings

7. PostgreSQL Encryption Setup

  • Install and configure pgcrypto extension for column-level encryption

  • Set up AWS KMS integration for key management

  • Design encryption strategy for sensitive columns

  • Create stored procedures for encryption/decryption operations

8. Migration Execution

  • Perform initial full load while application continues to use Oracle

  • Validate data in PostgreSQL against Oracle source

  • TDE Data Validation: Verify that previously encrypted data is correctly processed

  • Enable ongoing CDC replication

  • Monitor replication lag and data consistency

9. Application Cutover

  • Update application configuration to connect to PostgreSQL

  • Monitor application performance and functionality

  • Maintain Oracle GoldenGate + DMS replication for a rollback period

  • Decommission Oracle infrastructure after successful validation

Security Considerations

  • TLS certificates must be properly configured on the dedicated Oracle instance

  • AWS DMS replication instance should be in a secure VPC with appropriate security groups

  • Leverage existing Direct Connect for secure connectivity between AWS and on-premises

  • Database credentials should be managed through AWS Secrets Manager

  • Audit logging should be enabled on both source and target databases

  • Network ACLs and security groups should be configured to allow only necessary traffic

Monitoring and Validation Strategy

  • Implement checksum validation for critical tables

  • Monitor DMS task metrics through CloudWatch

  • Set up alerts for replication lag exceeding thresholds

  • Regularly validate row counts and sample data between source and target

  • Perform application-level validation tests to ensure business logic integrity

Network and TLS Configuration Details

TLS Configuration for Oracle Migration Source

  1. Certificate Setup:

    • Generate a certificate signing request (CSR) for the dedicated Oracle instance

    • Use an internal CA or AWS Certificate Manager Private CA to sign the certificate

    • Import the certificate and CA chain into an Oracle wallet

  2. Oracle Listener Configuration:

    LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = migration-oracle.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = migration-oracle.example.com)(PORT = 2484))
    )
  )

WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /oracle/wallet)))
SSL_CLIENT_AUTHENTICATION = FALSE

  3. AWS DMS Source Endpoint Configuration:

    • Use TCPS protocol in the connection string

    • Upload the CA certificate to AWS DMS

    • Configure the endpoint with TLS mode enabled

  4. Direct Connect Configuration:

    • Ensure security groups in AWS VPC allow inbound connections on port 2484 (TCPS)

    • Configure on-premises firewall to allow outbound connections from DMS IP range to Oracle on port 2484

    • Use AWS Direct Connect routing policies to prioritize database migration traffic

PreviousNotesNextStep-by-Step CDC Recovery Guide: Oracle to PostgreSQL Migration

Last updated 1 month ago

Was this helpful?