Reference
Reference

Domain 4: Implement Oracle Database@Azure (30%)

This is the heaviest domain on the exam, accounting for approximately 15 questions. Oracle Database@Azure is the flagship multicloud offering and the exam tests deep knowledge of its architecture, onboarding, provisioning, HA/DR, and management.

4.1 Architecture: Colocation Model

Oracle Database@Azure is not a cross-cloud connection. OCI infrastructure is physically deployed inside Microsoft Azure data centers. This is a critical distinction from OCI Interconnect (which connects separate OCI and Azure regions via ExpressRoute/FastConnect).

+----------------------------------------------------------+
|                   Azure Data Center                       |
|                                                           |
|  +------------------+    +-----------------------------+  |
|  | Azure Services   |    | OCI Infrastructure          |  |
|  |                  |    | (Child Site)                |  |
|  | - AKS            |    |                             |  |
|  | - App Services    |    | - Exadata X9M Hardware     |  |
|  | - Azure VNet     |<-->| - OCI VCN (delegated subnet)|  |
|  | - Azure Monitor  |    | - Oracle RAC                |  |
|  | - Key Vault      |    | - Autonomous DB             |  |
|  +------------------+    +-----------------------------+  |
|         |                          |                      |
+---------|--------------------------|----- ----------------+
          |                          |
          |                    Control Plane
          |                    Connection
          |                          |
          |              +-----------v-----------+
          |              | OCI Region            |
          |              | (Parent Site)         |
          |              |                       |
          |              | - Control Plane       |
          |              | - OCI IAM             |
          |              | - Operations/Patching |
          |              +-----------------------+

Key architectural facts (Oracle Database@Azure Architecture):

  • The Oracle hardware inside the Azure data center is called the Child Site. It operates in isolated, secure areas within a specific Azure availability zone.
  • The Parent Site is the OCI regional data center containing the control plane. It is always in the same country and close geographic proximity to the child site (e.g., Azure East US in Virginia pairs with OCI US East in Ashburn).
  • All Oracle hardware is operated and managed exclusively by OCI personnel. Azure customers cannot directly access the underlying Exadata infrastructure.
  • Oracle Database@Azure runs on Exadata X9M hardware: minimum 2 database servers + 3 storage servers (quarter-rack configuration), scalable up to 32 database servers + 64 storage servers (Microsoft Learn FAQ).

Control Plane vs. Data Plane

This separation is a likely exam topic:

Aspect Control Plane Data Plane
Location OCI Parent Site (OCI regional data center) Azure Child Site (inside Azure data center)
Purpose Service management, patching, operations, monitoring Application data, database queries, transactions
Latency impact None on application performance Within Azure regional latency envelope
Who accesses OCI operations team Customer applications, database users
Network path OCI backbone to Azure Azure VNet (private IP, delegated subnet)

Exam trap: The OCI control plane connection has zero impact on application-to-database latency. The control plane is used only for management operations (patching, updates, monitoring). Your application traffic stays entirely within the Azure data center (Microsoft Learn FAQ).

Network Architecture

  • Oracle Database@Azure uses Azure Virtual Network (VNet) for networking, managed within the Azure environment (Microsoft Learn Overview).
  • Subnet delegation provides private IP addresses from customer VNets as database endpoints. Applications connect to the database using standard Azure networking; there is no public internet traversal.
  • Application-to-database latency in the same availability zone: approximately 300 microseconds. Cross-AZ: approximately 500 microseconds (Oracle MAA for Database@Azure).
  • The Oracle Interconnect for Azure provides the backbone connection between the OCI Parent Site and the Azure Child Site for control plane operations and for Data Guard replication traffic when using OCI VCN peering.

Exam trap: Database@Azure is fundamentally different from OCI Interconnect. OCI Interconnect connects two separate clouds via ExpressRoute/FastConnect with cross-cloud latency. Database@Azure has the database inside Azure with no cross-cloud application latency.

4.2 Onboarding

Automated Onboarding (Primary Exam Focus)

The fully-automated onboarding is faster and more convenient. It is the primary path tested on the exam. The process starts at https://signup.multicloud.oracle.com/azure (Oracle Automated Onboarding Docs).

Prerequisites:

Requirement Details
Azure AD role (minimum one) Application Administrator, Cloud Application Administrator, Privileged Role Administrator, or Global Administrator
Azure subscription access Must be assigned as Owner on each subscription to be linked
Azure AD user record Must contain a last name and a valid email address
OCI account Existing account's home region must support Oracle Interconnect for Azure; OR create new account during onboarding

Exam trap: The prerequisite roles are specific. A Contributor or Reader role on the subscription is not sufficient. The user must be a subscription Owner AND hold one of the four specific Azure AD admin roles.

Step-by-step flow:

  1. Azure user navigates to the signup URL and logs in with Azure credentials
  2. Grants OracleDB for Azure initial permissions
  3. Clicks "Start fully automated configuration"
  4. Accepts Oracle Database Service (ODS) enterprise application permissions
  5. Selects one or more Azure subscriptions to link
  6. Either signs up for a new OCI account OR enters existing OCI account credentials
  7. Automated backend process runs (3-5 minutes)

What the automation does (8 operations):

Step What Happens
1 Creates Oracle Database Service (ODS) enterprise application and custom roles in Azure AD
2 Grants ODS application permissions in each selected Azure subscription
3 Creates OracleDB for Azure custom groups in Azure AD
4 Creates Multicloud Link (MCL) configuration in the OCI tenancy
5 Updates MCL with configuration settings for each linked subscription
6 Establishes private link via Oracle Interconnect for Azure
7 Federates Azure AD to OCI IAM with selective user synchronization
8 Redirects browser to OracleDB for Azure portal

IAM Federation: What Syncs and What Does Not

This is a high-probability exam question:

Syncs to OCI IAM Does NOT Sync
Azure AD users who are members of OracleDB for Azure custom groups Azure AD users NOT in those groups
Only users with valid last name AND valid email Users with missing last name or email
Group membership for access control All other Azure AD directory data

Exam trap: Federation is selective, not a full directory sync. Only users explicitly added to OracleDB for Azure custom groups in Azure AD get federated to OCI IAM. This is a security boundary.

Post-Onboarding Access

  • Initially, only the Azure user who completed onboarding can access the portal.
  • To add users, an Azure admin must add Azure users/groups to the OracleDB for Azure custom groups created during onboarding OR assign OracleDB for Azure custom roles to users.

Manual (Guided) Onboarding

Guided onboarding exists for organizations whose security policies prohibit granting the full set of permissions required by the automated process. Key differences:

Aspect Automated Guided
Speed 3-5 minutes, single flow Multi-step, longer process
Permissions required Full permissions to ODS enterprise app Fewer permissions; discrete tasks
User involvement Minimal after initial consent More manual steps per task
Use case Standard enterprise Restrictive security policies

The guided path breaks the three onboarding stages (account linking, subscription linking, federation) into discrete manual tasks. The end result is identical, but the administrator performs each step individually rather than granting blanket permissions.

Account Linking: Azure Subscriptions to OCI

  • Each Azure subscription links to the OCI tenancy through the Multicloud Link (MCL).
  • Azure subscriptions map to OCI resources through the MCL configuration settings.
  • Multiple Azure subscriptions can be linked in a single onboarding session.

4.3 Provisioning Database Services

Oracle Exadata Database Service (ExaDB-D)

The primary enterprise database service on Database@Azure. Runs on dedicated Exadata X9M infrastructure.

Specification Details
Hardware Exadata X9M
Minimum config (quarter-rack) 2 database servers + 3 storage servers
Maximum config 32 database servers + 64 storage servers
Isolation Node-level (dedicated infrastructure)
Scaling Scale up/down OCPUs and storage within the Exadata system
RAC support Yes, Oracle RAC supported on Exadata
Supported DB versions 11g through 19c (versions earlier than 19c need upgrade support)
Storage ASM with HIGH redundancy only (not NORMAL)
Storage tiers PMem, NVMe Flash, HDD
Networking RDMA over Converged Ethernet (RoCE)

Exam trap: Only HIGH redundancy ASM is supported on Exadata systems (protection against two simultaneous partner disk failures from two distinct storage servers). NORMAL redundancy is not supported (Microsoft Learn FAQ).

Exadata Database Service on Exascale Infrastructure (ExaDB-XS)

Exascale is a newer, cloud-native architecture that makes Exadata accessible for smaller workloads.

Aspect Standard Exadata (ExaDB-D) Exascale (ExaDB-XS)
Infrastructure model Dedicated racks: you provision specific database and storage servers Cloud-native fabric: you specify ECPUs and storage capacity
Minimum cost Quarter-rack (~$$$) Up to 95% lower minimum infrastructure cost
Storage management Oracle ASM required Smart Storage with Storage Vaults (no ASM needed with 23ai)
Scaling Scale within rack limits Fully elastic, pay-per-use
IOPS charges Standard No extra charge for IOPS
Multi-tenancy Dedicated Shared Exadata infrastructure (multi-tenant)
AI features Standard AI Smart Scan offloads vector search operations to storage (up to 30x faster)

Exascale eliminates the need to provision dedicated database and storage servers. Users interact with VM clusters and Storage Vaults rather than racks. With Oracle Database 23ai, the database accesses storage directly via the Storage Vault, eliminating the intermediary ASM layer.

Oracle Autonomous AI Database

Autonomous Database on Azure is a fully managed, self-driving database service running on shared Exadata infrastructure.

Feature Details
Workload types Transaction Processing (ATP), Data Warehouse (ADW), JSON Database (AJD), APEX Application Development
AI capabilities AI Vector Search (included at no extra charge), Select AI (natural language to SQL), AI Smart Scan
Management Self-patching, self-tuning, self-securing
Lakehouse Autonomous AI Lakehouse supports Apache Iceberg across OCI, AWS, Azure, Google Cloud
Infrastructure Shared Exadata (multi-tenant)

Oracle Base Database Service

Generally available on Azure as of 2025. Runs on virtual machines rather than Exadata infrastructure.

Feature Details
Target workloads Lighter workloads that do not require Exadata features (RAC, Smart Scan, Exadata performance)
DB versions 19c and 23ai
Infrastructure VM-based
Use case Development, testing, smaller production workloads

Azure Marketplace Integration

  • Oracle Database@Azure is purchased through Azure Marketplace via Oracle private offers.
  • Oracle Sales creates an Azure Private Offer; customers accept in the Azure portal.
  • Billing appears on standard Azure invoices alongside other Azure Marketplace services.
  • Microsoft Azure Consumption Commitments (MACC): Eligible for MACC decrement. However, Azure Credits (ACO) cannot be used to purchase Oracle Database@Azure.
  • BYOL: Existing Oracle Database licenses can be brought. Unlimited License Agreements (ULAs) also supported.
  • Oracle Support Rewards: Accrue the same rewards as when using OCI directly.
  • Ingress/egress for managed services: Occurs via Azure/OCI backbone and does not incur charges. Standard VNet traffic is charged at Azure prices.

Exam trap: MACC is eligible, but Azure Credits (ACO) are not. This distinction is testable.

4.4 High Availability and Disaster Recovery

Oracle MAA Reference Architectures

Oracle MAA has evaluated and endorsed Database@Azure for both Silver and Gold reference architectures (Oracle MAA Blog).

MAA Silver: High Availability

+------------------------------------------+
|          Azure Availability Zone          |
|                                           |
|  +-------------------------------------+ |
|  | Exadata VM Cluster                   | |
|  |                                      | |
|  | +----------+  +----------+           | |
|  | | RAC      |  | RAC      |           | |
|  | | Instance |  | Instance |           | |
|  | | (Node 1) |  | (Node 2) |           | |
|  | +----------+  +----------+           | |
|  |                                      | |
|  | Shared Exadata Storage               | |
|  +-------------------------------------+ |
|                    |                      |
|          Backup to Autonomous             |
|          Recovery Service                 |
+------------------------------------------+
Component Specification
Database Oracle RAC on ExaDB-D
HA mechanism RAC provides local HA within the Exadata VM cluster
Backup Autonomous Recovery Service (incremental forever strategy)
Scope Single availability zone, single Exadata cluster
Application placement Same AZ as database for lowest latency (~300 microseconds)
Backup throughput Baseline: 4 TB/hr backup, 8.7 TB/hr restore (2-node cluster, 16+ OCPUs)
Optimized throughput Up to 42 TB/hr backup with increased RMAN channels

Autonomous Recovery Service features:

  • Incremental forever backup strategy: eliminates weekly full backups, provides virtual full backup copy
  • Real-time data protection
  • Policy-driven lifecycle management
  • Built-in malware protection

MAA Gold: Disaster Recovery

+-------------------+         +-------------------+
| Azure AZ1         |         | Azure AZ2         |
|                   |         |                   |
| +---------------+ |  Active | +---------------+ |
| | Primary       | |  Data   | | Standby       | |
| | ExaDB-D       |<--------->| ExaDB-D        | |
| | (RAC)         | |  Guard  | | (RAC)         | |
| +---------------+ |         | +---------------+ |
|                   |         |                   |
| Separate VNet     |         | Separate VNet     |
| (no CIDR overlap) |         | (no CIDR overlap) |
+-------------------+         +-------------------+
        |                              |
        +----------- VNet ------------+
        |           Peering            |
+-------v---------+
| Application Tier |
| (AKS, min 2 AZs)|
+------------------+
Component Specification
Primary Oracle RAC on ExaDB-D in AZ1
Standby Oracle RAC on ExaDB-D in AZ2 (or different region)
Replication Oracle Active Data Guard (recommended over standard Data Guard)
Failover Fast-Start Failover via Data Guard Observer
Networking Separate VNets with non-overlapping IP CIDR ranges
Application tier Spans minimum 2 AZs (e.g., AKS cluster)

Cross-AZ network performance (measured London region):

Metric OCI VCN Peering Azure Global VNet
RTT latency 1.2 ms 1.2 ms
Single-process throughput 13 Gb/sec 13 Gb/sec
Max parallel throughput (X11M) 70 Gb/sec 70 Gb/sec

Cross-region network performance (Ashburn to London):

Metric OCI VCN Peering Azure Global VNet
RTT latency ~76 ms ~76 ms
Single-process throughput 1.57 Gb/sec 0.85 Gb/sec
Max parallel throughput (X11M) 60 Gb/sec 45 Gb/sec

Exam trap: For cross-region Data Guard, OCI VCN peering is recommended over Azure VNet peering. OCI peering provides up to 600% higher bandwidth in some scenarios. Data Guard redo transport is single-process per instance, so the single-process throughput difference matters. Additionally, OCI peering offers the first 10 TB/month free egress for cross-region traffic.

Peering strategies:

  • Cross-AZ: Use OCI Local Peering Gateways (LPG)
  • Cross-region: Use OCI Dynamic Routing Gateways (DRG). Limitation: only one DRG per VCN; a hub VCN is required for multiple standby databases.

Data Guard Configuration

After network peering is established:

  1. Enable Data Guard from Oracle Database details page
  2. Select standby Availability Domain or Region
  3. Select standby Exadata Infrastructure and VM Cluster
  4. Choose Data Guard or Active Data Guard (MAA recommends Active Data Guard)
  5. Select protection mode and redo transport type matching RTO/RPO requirements
  6. Use the same custom database software image for standby

Active Data Guard advantages over standard Data Guard:

  • Automatic block repair
  • Application continuity
  • Offload read-mostly workloads to standby for scalability

Data Guard Observer and Fast-Start Failover

  • Observer performs automatic failover when conditions permit
  • Low-footprint Oracle Call Interface client, built into DGMGRL CLI
  • Provides quorum (second vote) to prevent split-brain
  • Currently requires manual configuration (not automated through cloud provisioning)
  • Deploy on a separate VM, preferably in a separate location or application network

Data Guard switchover timing: Application downtime of 30 seconds to a few minutes (comparable to OCI deployments).

Oracle GoldenGate

Available as a managed service on Database@Azure in select regions (see regional availability table). Used for:

  • Real-time replication for migration to Database@Azure
  • Active-active configurations across regions
  • Heterogeneous replication from non-Oracle sources

GoldenGate requires a separate license (not included in Oracle Database@Azure private offers).

Backup and Recovery Options

Method Details
Autonomous Recovery Service Managed backup to OCI Object Storage or Azure; incremental forever strategy
Automated backups OCI Object Storage (standard for hot data, archive for cold data)
Self-managed RMAN Customer-managed Oracle Recovery Manager backups
Azure NetApp Files Attach ANF volumes to Exadata VMs for self-managed backup targets

BCDR traffic: Uses the Azure/OCI backbone and does not incur additional charges from Azure.

Zero Downtime Migration (ZDM)

Oracle ZDM migrates on-premises Oracle databases to Database@Azure with minimal downtime. It is free of charge.

Workflow Type Description
Physical Online Direct Data Transfer with Data Guard; near-zero downtime
Physical Offline RMAN-based; requires downtime window
Logical Online GoldenGate-based replication; near-zero downtime
Logical Offline Data Pump-based; requires downtime window

ZDM requirements:

  • ZDM host: separate VM running Oracle Linux 7/8 or RHEL 8, 100 GB free storage
  • Connectivity: on-premises to Azure via ExpressRoute or Site-to-Site VPN
  • Target: Provisioned ExaDB-D placeholder database on Database@Azure

The physical online workflow provisions a placeholder target, sets up Data Guard Broker between source and target, performs the migration, and cleans up automatically.

4.5 Multicloud Landing Zone for Azure

The OCI Multicloud Landing Zone for Azure provides Terraform/OpenTofu modules that deploy a complete Database@Azure environment. The reference implementation is in the terraform-oci-multicloud-azure GitHub repository.

Four Terraform Providers

Provider Purpose
AzureRM Manages Azure Resource Manager resources (VNets, subnets, resource groups)
AzureAD Handles Azure Active Directory operations (groups, roles, app registrations)
AzAPI Azure API interactions for advanced configurations (Azure Verified Modules)
OCI Oracle Cloud Infrastructure resources (Exadata infrastructure, VCN, IAM)

What the Landing Zone Deploys

The modules are organized into three functional layers:

Layer Resources Deployed
IAM SSO federation between OCI and Azure AD, RBAC roles and groups for Database@Azure, ODS enterprise application
Networking Cross-cloud VNet/VCN connectivity, delegated subnets, peering gateways
Database Exadata infrastructure, VM clusters, Autonomous databases, pluggable databases

Available Templates

Template Description
azurerm-oci-exadata-quickstart Quickstart Exadata with OCI LZ modules (AzureRM provider)
avm-oci-exadata-quickstart Exadata with Azure Verified Modules (AzAPI) + OCI LZ modules
azurerm-oci-adbs-quickstart Autonomous Database with OCI LZ modules
az-oci-sso-federation SSO federation between OCI and Azure AD
az-oci-rbac-n-sso-fed SSO + role/group management combined
az-odb-rbac Roles and groups required for Database@Azure
az-oci-exa-pdb Full stack: networks, Exadata, VM clusters, databases

Prerequisites

  • Terraform or OpenTofu installed
  • Azure CLI with service principal authentication
  • OCI CLI with token-based (SecurityToken) authentication recommended
  • Python 3.4+ with pip and venv

When to Use Landing Zone vs. Manual Provisioning

Scenario Recommendation
Greenfield deployment, multiple environments Landing zone (repeatable, version-controlled)
Single database, quick proof of concept Azure portal manual provisioning
CI/CD pipeline integration Landing zone with Terraform state management
Strict IaC policy requirements Landing zone (auditable, declarative)
Ad-hoc exploration or learning Azure portal

4.6 OracleDB for Azure Portal

What You Can Do from Azure Side

Capability Azure Portal / APIs
Provision Exadata infrastructure Yes
Provision VM clusters Yes
Provision Autonomous databases Yes
Provision Base Database Yes
Manage infrastructure and VM cluster resources Yes
Monitor via Azure Monitor (metrics for Exadata, Exascale, Autonomous) Yes
View billing and costs Yes (standard Azure invoices)
Terraform/SDK/API automation Yes (AzureRM, AzAPI providers)
Create custom Azure Monitor dashboards Yes
Manage encryption keys via Azure Key Vault Yes (Standard, Premium, Managed HSM)

What Requires OCI Console

Capability OCI Console Required
Container Database (CDB) management tasks Some tasks
Pluggable Database (PDB) management tasks Some tasks
Data Guard configuration Yes (from Oracle Database details page)
Advanced database administration Yes
OCI IAM policy management Yes
Network route table updates for Data Guard Requires OCI support ticket

Exam trap: Most day-to-day provisioning and infrastructure management is done through Azure. But CDB/PDB management and Data Guard configuration require the OCI Console. The exam tests whether you know which operations belong to which portal.

Resource Management Mapping

  • Azure uses subscriptions for billing and resource grouping
  • Azure resource groups contain Database@Azure resources visible in Azure
  • OCI resources are managed through the Multicloud Link (MCL) connecting the Azure subscription to the OCI tenancy
  • Azure Monitor receives database metrics, events, and telemetry natively
  • Microsoft Entra ID (Azure AD) provides federated identity management

Authentication and Authorization

  • Based on SAML and OpenID standards
  • OCI IAM federated with Microsoft Entra ID
  • Azure credentials used for portal access (single sign-on)
  • Data encryption at rest and all traffic encrypted in transit

4.7 Regional Availability

Oracle Database@Azure is available across 34 Azure regions spanning five continents. Each Azure region is paired with a corresponding OCI region for control plane operations.

North America

Azure Region OCI Region ExaDB-D ADB Recovery Svc Exascale BaseDB GoldenGate Zones
East US US East (Ashburn) Y Y Y Y Y Y Dual
East US 2 US East (Ashburn) Y Y Y Y - - Dual
Central US US Midwest (Chicago) Y Y Y Y Y Y Dual
North Central US US Midwest (Chicago) Y Y - - - - Single
South Central US US South (Dallas) Y Y - - - - Dual
West US US West (San Jose) Y Y Y Y Y Y Single
West US 2 US West (Quincy) Y Y Y - Y Y Dual
West US 3 US West (Phoenix) Y Y Y - - - Dual
Canada Central Canada SE (Toronto) Y Y Y Y Y Y Dual
Canada East Canada SE (Montreal) Y Y - - - - Single

Europe, Middle East, Africa

Azure Region OCI Region ExaDB-D ADB Recovery Svc Exascale BaseDB GoldenGate Zones
UK South UK South (London) Y Y Y Y Y Y Dual
UK West UK West (Newport) Y Y - Y Y - Single
France Central France Central (Paris) Y Y Y Y Y - Dual
France South France South (Marseille) Y Y Y - - - Single
Germany West Central Germany Central (Frankfurt) Y Y Y Y Y Y Dual
Germany North Germany Central (Frankfurt) Y Y Y Y Y - Single
Italy North Italy North (Milan) Y Y Y Y Y Y Dual
North Europe Ireland (Dublin) Y Y - - - Y Dual
West Europe NL Northwest (Amsterdam) Y Y Y Y Y - Single
Spain Central Spain Central (Madrid) Y Y - - - - Dual
Sweden Central Sweden Central (Stockholm) Y Y Y Y - - Dual
Switzerland North Switzerland North (Zurich) Y Y - - - Y Single
UAE North UAE North (Dubai) Y Y Y - - Y Dual
UAE Central UAE Central (Abu Dhabi) Y Y - - - - Single

Asia Pacific

Azure Region OCI Region ExaDB-D ADB Recovery Svc Exascale BaseDB GoldenGate Zones
Australia East Australia East (Sydney) Y Y Y Y Y Y Dual
Australia Southeast Australia SE (Melbourne) Y Y - - - - Dual
Central India India West (Mumbai) Y Y - - - - Single
South India India South (Chennai) Y Y - - - - Single
Japan East Japan East (Tokyo) Y Y Y Y Y Y Dual
Japan West Japan Central (Osaka) Y Y - - - - Single
Southeast Asia Singapore Y Y Y Y Y Y Dual

South America

Azure Region OCI Region ExaDB-D ADB Recovery Svc Exascale BaseDB GoldenGate Zones
Brazil South Brazil SE (Vinhedo) Y Y Y Y Y - Dual
Brazil Southeast Brazil East (Rio de Janeiro) Y Y - - - - Single

Key observations for the exam:

  • Exadata and Autonomous Database are available in ALL regions.
  • Exascale, BaseDB, Recovery Service, and GoldenGate are available only in select regions.
  • Dual-zone regions support cross-AZ HA/DR (MAA Gold within a single region).
  • Single-zone regions require a paired Dual region for DR.
  • To provision in a region, your OCI tenancy must be subscribed to the target region (Microsoft Learn Regions).

4.8 Exam Focus Areas and Common Traps

Architecture Traps

  1. Database@Azure is NOT OCI Interconnect. The database runs inside Azure, not in a separate OCI region.
  2. The OCI control plane has zero impact on application latency.
  3. Only HIGH redundancy ASM is supported on Exadata (not NORMAL).

Onboarding Traps

  1. Automated onboarding requires one of four specific Azure AD roles (Application Admin, Cloud Application Admin, Privileged Role Admin, Global Admin) PLUS subscription Owner.
  2. IAM federation is selective: only users in OracleDB for Azure custom groups sync to OCI IAM. Not a full directory sync.
  3. Azure AD user records must have a last name and valid email for federation to work.
  4. Guided onboarding produces the same end result as automated; it just requires fewer upfront permissions.

Provisioning Traps

  1. MACC is eligible for Database@Azure; Azure Credits (ACO) are not.
  2. GoldenGate requires a separate license (not included in private offers).
  3. Exascale reduces minimum cost by up to 95% compared to standard Exadata.
  4. Base Database Service supports 19c and 23ai (not just 19c).

HA/DR Traps

  1. For cross-region Data Guard, OCI VCN peering is recommended over Azure VNet peering (higher throughput).
  2. Data Guard Observer requires manual configuration (not automated through cloud provisioning).
  3. Primary and standby must use separate VNets with non-overlapping CIDR ranges.
  4. BCDR traffic over Azure/OCI backbone does not incur additional Azure charges.

Portal Traps

  1. Most provisioning is via Azure portal; CDB/PDB management and Data Guard require OCI Console.
  2. Azure Monitor integration is available for Exadata, Exascale, and Autonomous metrics.
  3. TDE master encryption keys can be managed via Azure Key Vault (Standard, Premium, and Managed HSM tiers).

Landing Zone Traps

  1. The landing zone uses four providers: AzureRM, AzureAD, AzAPI, and OCI.
  2. OCI provider authentication uses SecurityToken (not API key) as recommended method.