Oracle Base Database Service (formerly DB System) is OCI’s IaaS-level Oracle Database offering — you provision a VM or Bare Metal shape, OCI installs and manages Oracle Database, and you retain full DBA control. Understanding its HA architecture is essential for designing systems that meet enterprise RPO/RTO targets.
Shape Selection and Its HA Implications
Base Database Service runs on two shape families:
- VM shapes (VM.Standard, VM.Optimized) — single or 2-node RAC.
- Bare Metal shapes (BM.DenseIO) — single instance with local NVMe, high IOPS.
For high availability, the critical shape decision is whether to provision a 2-node RAC or a single-instance + Data Guard architecture. These are not equivalent:
| Model | RTO | RPO | Use Case |
|---|---|---|---|
| Single Instance | Minutes (manual failover) | Dependent on DG protection mode | Dev/Test |
| Data Guard (1+1) | Seconds to minutes (auto or manual) | Zero (sync) or near-zero (async) | Production, standard HA |
| 2-node RAC | Seconds (automatic) | Zero (shared storage) | High-concurrency OLTP |
| RAC + Data Guard | Seconds + geographic DR | Zero or near-zero | MAA Gold/Platinum |
Data Guard Associations in OCI
OCI has first-class support for Data Guard through the Data Guard Association resource. This provisions and manages the standby system, redo transport, and observer automatically.
Creating a Data Guard Association via OCI Console
When you create a Data Guard Association, OCI:
- Provisions the standby DB System (or uses an existing one).
- Configures redo transport between primary and standby.
- Optionally provisions and starts the Fast-Start Failover Observer.
```bash
# OCI CLI: create a Data Guard association
# Note: a password typed on the command line is visible in shell history and process listings.
oci db data-guard-association create with-new-db-system \
  --database-id <primary_db_ocid> \
  --creation-type "NewDbSystem" \
  --database-admin-password <password> \
  --protection-mode "MAXIMUM_AVAILABILITY" \
  --transport-type "SYNC" \
  --availability-domain "AD-2" \
  --subnet-id <standby_subnet_ocid> \
  --display-name "prod-standby"
```
Protection Modes
| Mode | Transport | Commit Behaviour | RPO |
|---|---|---|---|
| MAXIMUM_PERFORMANCE | ASYNC | Primary does not wait | Seconds |
| MAXIMUM_AVAILABILITY | SYNC | Primary waits for at least one standby to acknowledge | Zero (with SYNC) |
| MAXIMUM_PROTECTION | SYNC | Primary halts if standby unreachable | Zero (strict) |
For production systems on OCI within a region (same or adjacent ADs), use MAXIMUM_AVAILABILITY with SYNC transport. The intra-region network latency on OCI is typically < 2ms, making synchronous transport practical without measurable performance impact on typical OLTP workloads.
For cross-region DR, use MAXIMUM_PERFORMANCE with ASYNC — the inter-region latency makes synchronous transport impractical.
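A check of one association against the mode/transport table and the placement guidance above, as an added example that is not part of the original article. It assumes the association is a dict keyed like OCI CLI JSON output (`protection-mode`, `transport-type`, `apply-lag`) and that the lag string starts with a value such as `9 seconds`; `same_region` and the 60-second default are supplied by the caller.

```python
import re

# Pairing recommended by the article, keyed by "standby is in the primary's region".
RECOMMENDED = {
    True: ("MAXIMUM_AVAILABILITY", "SYNC"),
    False: ("MAXIMUM_PERFORMANCE", "ASYNC"),
}
# Transport listed for each mode in the protection-mode table.
REQUIRED_TRANSPORT = {
    "MAXIMUM_PERFORMANCE": "ASYNC",
    "MAXIMUM_AVAILABILITY": "SYNC",
    "MAXIMUM_PROTECTION": "SYNC",
}
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def lag_seconds(text):
    """Parse a leading '<n> <unit>' (assumed format); None if it cannot be read."""
    m = re.match(r"\s*(\d+)\s+(second|minute|hour|day)s?\b", text or "")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)] if m else None


def check_association(assoc, same_region, max_lag=60):
    """Return a list of deviations; an empty list means the association passes."""
    issues = []
    mode, transport = assoc.get("protection-mode"), assoc.get("transport-type")
    if REQUIRED_TRANSPORT.get(mode) != transport:
        issues.append(f"{mode} is paired with {transport}")
    elif (mode, transport) != RECOMMENDED[same_region]:
        want = RECOMMENDED[same_region]
        issues.append(f"expected {want[0]}/{want[1]} for this placement")
    lag = lag_seconds(assoc.get("apply-lag"))
    if lag is None:
        issues.append("apply lag unknown")   # treat missing data as a finding
    elif lag > max_lag:
        issues.append(f"apply lag {lag}s exceeds {max_lag}s")
    return issues


# Constructed sample record, not output from a real tenancy.
SAMPLE = {"protection-mode": "MAXIMUM_PERFORMANCE",
          "transport-type": "ASYNC", "apply-lag": "2 minutes"}

if __name__ == "__main__":
    print(check_association(SAMPLE, same_region=True))
```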
MAA Tiers and OCI Mapping
Oracle Maximum Availability Architecture (MAA) defines four tiers:
| Tier | Target RTO | Target RPO | OCI Implementation |
|---|---|---|---|
| Bronze | Hours | Hours | Single instance, manual backup restore |
| Silver | Minutes | Seconds to minutes | Single instance + Data Guard ASYNC |
| Gold | Seconds | Zero | RAC or Data Guard SYNC + FSFO |
| Platinum | Sub-second | Zero | RAC + Active Data Guard + FSFO |
Most enterprise production workloads should target Gold minimum. On OCI this means:
- Data Guard Association with MAXIMUM_AVAILABILITY protection mode.
- Fast-Start Failover enabled with a dedicated observer (on a third AD or compute shape).
- Active Data Guard licence for read-only standby offload.
Fast-Start Failover (FSFO) on OCI
FSFO enables fully automatic failover without DBA intervention. The observer monitors the primary and, if it becomes unreachable, instructs the standby to take over.
FSFO Topology on OCI
The observer must run on a host that can independently reach both the primary and standby. On OCI:
- Deploy the observer on a separate compute instance in a third AD (if three ADs are available in the region).
- Use a small VM shape (VM.Standard.E4.Flex with 1 OCPU) — the observer is a lightweight DGMGRL process.
```
# On the observer host: start the observer
dgmgrl sys/<password>@primary_tns
DGMGRL> ENABLE FAST_START FAILOVER;
DGMGRL> START OBSERVER FILE IS '/u01/app/oracle/observer.ora' LOGFILE IS '/u01/app/oracle/observer.log';
```
Verifying FSFO status
```sql
-- On the primary
SELECT fs_failover_status, fs_failover_observer_present, fs_failover_observer_host
FROM v$database;
```

```
FS_FAILOVER_STATUS          FS_FAILOVER_OBSERVER_PRESENT FS_FAILOVER_OBSERVER_HOST
--------------------------- ---------------------------- ---------------------------------
SYNCHRONIZED                YES                          observer.subnet.vcn.oraclevcn.com
```
Active Data Guard: Offloading Read Workloads
With Active Data Guard (ADG), the physical standby is open read-only while redo apply continues. This is a powerful way to offload reporting, analytics, and backup operations from the primary.
```sql
-- On standby: verify Active Data Guard is open
SELECT open_mode, database_role FROM v$database;
```

```
OPEN_MODE            DATABASE_ROLE
-------------------- ----------------
READ ONLY WITH APPLY PHYSICAL STANDBY
```
OCI Data Guard associations automatically open the standby in read-only mode when ADG is licensed.
Connection String for Application-level ADG Routing
Use Oracle Application Continuity and connection load balancing to route read-only transactions to the standby automatically:
```
# tnsnames.ora entry with ADG routing
PROD_PRIMARY =
  (DESCRIPTION =
    (FAILOVER = ON)
    (ADDRESS = (PROTOCOL = TCP)(HOST = primary-scan)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = prod_rw)(SERVER = DEDICATED)))

PROD_READONLY =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = standby-scan)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = prod_ro)(SERVER = DEDICATED)))
```
Backup Integration with OCI Object Storage
OCI DB System backup integrates natively with OCI Object Storage. RMAN is configured automatically to write backups to an OCI-managed Object Storage bucket.
```
# Verify RMAN channel configuration on OCI
RMAN> SHOW ALL;
```
For RPO-sensitive systems, configure incremental-merge backups to reduce MTTR:
```bash
# OCI CLI: configure automatic backup retention
oci db database update \
  --database-id <db_ocid> \
  --db-backup-config '{"autoBackupEnabled": true, "recoveryWindowInDays": 30, "autoBackupWindow": "SLOT_TWO"}'
```
Operational Checklist for Gold-Tier OCI Database
- Data Guard Association created with MAXIMUM_AVAILABILITY + SYNC.
- FSFO observer deployed on a separate compute instance in a third AD.
- Active Data Guard open for read-only standby (if ADG licensed).
- Automatic backups enabled with 30-day retention to OCI Object Storage.
- OCI Notifications configured to alert on Data Guard lag > 60 seconds.
- DB System security list: restrict port 1521 to application subnets only; use private subnets.
- Enable Oracle Database Vault and Oracle Audit Vault for compliance workloads.
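One way to audit the port 1521 item in the checklist, as an added example that is not part of the original article. It assumes the rules are the `ingress-security-rules` array from the JSON printed by `oci network security-list get`; the sample rules and CIDRs are constructed, and the function names are hypothetical.

```python
import ipaddress

LISTENER_PORT = 1521


def covers_listener(rule, port=LISTENER_PORT):
    """True if the ingress rule admits TCP traffic to the listener port."""
    if rule.get("protocol") not in ("all", "6"):      # "6" is TCP
        return False
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    if rng is None:            # no port range: every TCP port is open
        return True
    return rng["min"] <= port <= rng["max"]


def audit_ingress(rules, app_subnets, port=LISTENER_PORT):
    """Return (source, reason) for each rule exposing the port beyond app_subnets."""
    allowed = [ipaddress.ip_network(c) for c in app_subnets]
    findings = []
    for rule in rules:
        if not covers_listener(rule, port):
            continue
        source = rule.get("source", "")
        try:
            net = ipaddress.ip_network(source)
        except ValueError:     # e.g. a service label instead of a CIDR
            findings.append((source, "non-CIDR source"))
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append((source, "source outside application subnets"))
    return findings


# Constructed sample rules; the CIDRs are placeholders.
SAMPLE_RULES = [
    {"protocol": "6", "source": "10.0.1.0/24",        # app subnet, 1521 only
     "tcp-options": {"destination-port-range": {"min": 1521, "max": 1521}}},
    {"protocol": "6", "source": "0.0.0.0/0",          # wide range spanning 1521
     "tcp-options": {"destination-port-range": {"min": 1500, "max": 1600}}},
    {"protocol": "6", "source": "10.0.9.0/24", "tcp-options": None},  # all ports
    {"protocol": "all", "source": "10.0.2.0/24"},     # all protocols
    {"protocol": "6", "source": "0.0.0.0/0",          # SSH only, not the listener
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
]

if __name__ == "__main__":
    for source, reason in audit_ingress(SAMPLE_RULES, ["10.0.1.0/24"]):
        print(f"{source}: {reason}")
```

Rules with no port range or with protocol `all` are the ones a search for the literal value 1521 would miss.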