Join me at the RMOUG Training Days where I'll be presenting

Transitioning to Amazon Web Services, a DBA's perspective

February 18 – 20, 2020 | Westin Westminster Hotel | Westminster, CO
www.rmoug.org


Timothy Mishek
State of Colorado
timothymishek@yahoo.com
Oracle OCP 12c
Oracle OCP 11g
Oracle Performance Tuning Expert 11g
Agenda
Introduction

Overview of AWS

Networking and Security in AWS

Database Options using RDS

Getting Started with EC2

AWS Command Line Interface

Additional Topics
Session Goals
Develop an understanding of how to set up an AWS environment

Have a better understanding of how to transition DBA knowledge to AWS

Ease the fear associated with using something new

Build confidence by exploring new options

Take away information that can actually be used as a DBA
Overview of Amazon Web Services
What is AWS?
• Amazon Web Services (AWS) is a secure cloud services platform, offering
compute power, database storage, content delivery and other functionality
to help businesses scale and grow.
• The top 10 Amazon AWS customers are Netflix, NASA, Expedia, Slack,
Samsung, Adobe, Nokia, Comcast, Airbnb, and Lionsgate. Some other
prominent customers are Yelp, Dow Jones, Novartis, Pfizer, Kellogg's,
Vodafone, Adobe, Siemens, Expedia, Philips, and Unilever.
• AWS GovCloud (US) is an AWS Region designed to address specific
regulatory and compliance requirements of US government agencies at the
federal, state, and local level, as well as contractors, educational
institutions, and other US customers that run sensitive workloads in the
cloud.
AWS, Getting Started

Regions - An AWS Region is a geographical location mapped to physical data
centers in that region. Every region is physically isolated from and independent of
every other region in terms of location, power, water, and possible acts of nature.

Availability Zones - Inside each region, you will find two or more availability zones,
with each zone hosted in separate data centers from another zone. These exist on
totally separate internal infrastructure.

VPC – Virtual Private Cloud is the network-isolated area where the AWS services
are located. S3 buckets and DynamoDB are examples of AWS services that exist
outside of a VPC.
Common AWS Options

All services live and operate within the AWS cloud. Management and
administration is accomplished within the cloud by using workspaces.

All services are in the cloud but are managed outside of the VPC. This would
include database management, server management, etc. The connections are
established through AWS Direct Connect or a VPN.

Hybrid architecture mixes both on-premises and cloud services. AWS Direct
Connect or VPN are options, but Direct Connect is preferred.
Networking in AWS
Networking Basics in AWS
• The networks between availability zones have to be in different subnets.
• VPC peering can be used to establish connectivity between VPCs. Note:
peering can only be used one-to-one between two VPCs.
• Transit gateways are used to simplify connections to multiple VPCs.
• NAT is used to translate from a private IP to a public IP.
• Security groups and NACLs are used to secure network traffic.
• As a best practice, private addressing and unique IP ranges are
recommended.
• Setting up network routes in AWS: routes can be set up for both private
and public routing.
IP Addressing in AWS
• RFC 1918 defines the private addressing range. The addresses in this
range are not available for public use and are not found publicly on
the internet. https://tools.ietf.org/html/rfc1918
• 192.168.0.0 - 192.168.255.255 (65,536 IP addresses)
• 172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses)
• 10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses)
• AWS recommends using these ranges in a VPC
Subnets in AWS
• AWS uses Classless Inter-Domain Routing (CIDR) notation when
defining subnets.
• An example of CIDR notation is 192.168.56.0/24. In this example, there
would be 255 addresses available, assuming one address is used for the
network router.
• 192.168.56.0 with a subnet mask of 255.255.255.0 would translate to
192.168.56.0/24.
• To determine the available addresses, use the following formula with
the above example: 2 ^ (32 – 24).
• /28 is the highest number (smallest subnet) you can go to in AWS.
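The two slides above (RFC 1918 ranges and CIDR sizing) can be checked with a few lines of Python. The block below is an added example, not part of the presentation: it applies the slide's 2 ^ (32 – prefix) formula, converts a dotted netmask to a prefix length, tests whether a block is inside one of the RFC 1918 ranges, and enforces the /16 to /28 subnet size limit. It also subtracts the five addresses AWS reserves in every subnet (network, VPC router, DNS, one reserved for future use, and broadcast), which is documented AWS behaviour that the slide does not mention.

```python
import ipaddress

# The three RFC 1918 private ranges listed on the slide.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# AWS reserves five addresses in every subnet (network address, VPC router,
# DNS, one for future use, broadcast). This is documented AWS behaviour and is
# why a /24 gives 251 usable addresses rather than the 254 of a plain network.
AWS_RESERVED_PER_SUBNET = 5
AWS_LARGEST_SUBNET_PREFIX = 16   # /16 is the largest subnet AWS allows
AWS_SMALLEST_SUBNET_PREFIX = 28  # /28 is the smallest, as the slide notes


def mask_to_prefix(netmask: str) -> int:
    """Translate a dotted netmask such as 255.255.255.0 into a prefix length (24)."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


def is_rfc1918(cidr: str) -> bool:
    """True when the whole block sits inside one of the private ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(private) for private in RFC1918_RANGES)


def subnet_summary(cidr: str) -> dict:
    """Apply the slide's 2 ^ (32 - prefix) formula plus the AWS constraints."""
    net = ipaddress.ip_network(cidr, strict=False)
    total = 2 ** (32 - net.prefixlen)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "total_addresses": total,
        "aws_usable": max(total - AWS_RESERVED_PER_SUBNET, 0),
        "private": is_rfc1918(cidr),
        "valid_aws_subnet_size": AWS_LARGEST_SUBNET_PREFIX <= net.prefixlen <= AWS_SMALLEST_SUBNET_PREFIX,
    }


if __name__ == "__main__":
    # Constructed sample blocks: the slide's /24, a VPC-sized /16, a public /28,
    # and a /8 that is too large to be an AWS subnet.
    for cidr in ("192.168.56.0/24", "10.0.0.0/16", "203.0.113.0/28", "10.0.0.0/8"):
        print(cidr, subnet_summary(cidr))
```

Running the block with the slide's example prints 256 total and 251 usable addresses for 192.168.56.0/24, flags 203.0.113.0/28 as non-private, and rejects 10.0.0.0/8 as a subnet size AWS will not accept.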
AWS Routing
• Routing to an Internet gateway. Public subnets are created by adding a
route to the subnet route table to an internet gateway.
• Routing to a NAT device. This enables instances in a private subnet to
connect to the internet.
• Routing to a Private Gateway. An AWS Site-to-Site VPN connection enables
instances in your VPC to communicate with your own network using a
virtual private gateway.
• VPC Peering. A network connection between two VPCs that allows routing
traffic between them using private IPv4 addresses. Instances in either VPC
can communicate with each other as if they are part of the same network.
• Transit Gateway. An alternative to VPC Peering that simplifies networking to
multiple VPCs.
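The routing options above all come down to entries in a subnet's route table, and AWS picks among overlapping entries by longest prefix match. The Python below is an added example (not from the presentation) that models two constructed route tables, one public and one private, resolves a destination the way the route table would, and checks which subnet is public by looking for a default route to an internet gateway. The target ids (igw-EXAMPLE, nat-EXAMPLE, pcx-EXAMPLE) are placeholders.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target id)

# Constructed route tables for a VPC whose CIDR is 10.0.0.0/16.
# Target ids are placeholders, not real AWS resources.
PUBLIC_SUBNET_RT: List[Route] = [
    ("10.0.0.0/16", "local"),        # every route table starts with the VPC local route
    ("0.0.0.0/0", "igw-EXAMPLE"),    # default route to an internet gateway => public subnet
]
PRIVATE_SUBNET_RT: List[Route] = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-EXAMPLE"),  # peering connection to a second VPC
    ("0.0.0.0/0", "nat-EXAMPLE"),    # outbound-only internet access through a NAT device
]


def resolve_route(route_table: List[Route], destination: str) -> Optional[str]:
    """Return the target for a destination using longest-prefix match,
    which is how an AWS route table chooses between overlapping routes."""
    dest = ipaddress.ip_address(destination)
    best_net = None
    best_target = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(route_table: List[Route]) -> bool:
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway.
    This is the check a reviewer runs to find database subnets that are reachable
    from the internet by mistake."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in route_table)


if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_SUBNET_RT), ("private", PRIVATE_SUBNET_RT)):
        print(name, "subnet, public:", is_public_subnet(rt))
        for dst in ("10.0.3.4", "10.1.5.5", "198.51.100.7"):
            print("  ", dst, "->", resolve_route(rt, dst))
```

In the private table a packet for 10.1.5.5 matches both 0.0.0.0/0 and 10.1.0.0/16; the /16 wins, so it goes to the peering connection and never reaches the NAT device.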
Security Groups and NACLs

Security group | Network ACL
Operates at the instance level | Operates at the subnet level
Supports allow rules only | Supports allow rules and deny rules
Is stateful: Return traffic is automatically allowed, regardless of any rules | Is stateless: Return traffic must be explicitly allowed by rules
We evaluate all rules before deciding whether to allow traffic | We process rules in number order when deciding whether to allow traffic
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (therefore, it provides an additional layer of defense if the security group rules are too permissive)
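The stateful/stateless and rule-ordering differences in the comparison above are the ones that bite a DBA opening port 1521 for the first time. The Python below is an added example, not from the presentation: a small evaluator for both rule types with constructed rule sets. It shows that a NACL which allows inbound 1521 but has no outbound rule for the ephemeral port range silently drops the database's replies, while a security group passes them because it is stateful, and that a NACL deny rule only takes effect if its number is lower than the broader allow rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str           # "inbound" or "outbound", relative to the instance/subnet
    proto: str               # "tcp" or "udp"
    port: int                # destination port
    peer: str                # remote IP address
    is_return: bool = False  # True when this packet answers an already-allowed flow


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"    # security groups only ever carry "allow"
    number: int = 0          # NACL rule number; ignored for security groups

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto == pkt.proto
                and self.port_from <= pkt.port <= self.port_to
                and ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(self.cidr))


def security_group_allows(rules, pkt: Packet) -> bool:
    """Stateful: return traffic passes regardless of rules; otherwise all rules
    are evaluated and any matching allow rule admits the packet."""
    if pkt.is_return:
        return True
    return any(rule.matches(pkt) for rule in rules)


def nacl_allows(rules, pkt: Packet) -> bool:
    """Stateless: return traffic gets no special treatment. Rules are walked in
    ascending number order and the first match decides; with no match the
    implicit '*' deny rule applies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


# Constructed rule sets for a database subnet listening on Oracle's port 1521.
SG_RULES = [Rule("inbound", "tcp", 1521, 1521, "10.0.0.0/16")]

NACL_MISSING_EPHEMERAL = [
    Rule("inbound", "tcp", 1521, 1521, "10.0.0.0/16", "allow", 100),
]
NACL_COMPLETE = NACL_MISSING_EPHEMERAL + [
    Rule("outbound", "tcp", 1024, 65535, "10.0.0.0/16", "allow", 100),  # replies use ephemeral ports
]

# Constructed ordering example: the deny for one host only works when its number is lower.
NACL_DENY_FIRST = [
    Rule("inbound", "tcp", 1521, 1521, "10.0.0.5/32", "deny", 100),
    Rule("inbound", "tcp", 1521, 1521, "10.0.0.0/16", "allow", 200),
]
NACL_DENY_SHADOWED = [
    Rule("inbound", "tcp", 1521, 1521, "10.0.0.0/16", "allow", 100),
    Rule("inbound", "tcp", 1521, 1521, "10.0.0.5/32", "deny", 200),
]

REQUEST = Packet("inbound", "tcp", 1521, "10.0.0.5")
REPLY = Packet("outbound", "tcp", 49152, "10.0.0.5", is_return=True)

if __name__ == "__main__":
    print("SG  request/reply:", security_group_allows(SG_RULES, REQUEST), security_group_allows(SG_RULES, REPLY))
    print("NACL without ephemeral rule, reply:", nacl_allows(NACL_MISSING_EPHEMERAL, REPLY))
    print("NACL with ephemeral rule, reply:  ", nacl_allows(NACL_COMPLETE, REPLY))
    print("deny numbered first:", nacl_allows(NACL_DENY_FIRST, REQUEST))
    print("deny shadowed:      ", nacl_allows(NACL_DENY_SHADOWED, REQUEST))
```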
Database Options Using RDS
What is RDS?
• Amazon Relational Database Service (Amazon RDS) makes it easy to set up,
operate, and scale a relational database in the cloud. It provides cost-
efficient and resizable capacity while automating time-consuming
administration tasks such as hardware provisioning, database setup,
patching and backups. It frees you to focus on your applications so you can
give them the fast performance, high availability, security and compatibility
they need.
• Amazon RDS is available on several database instance types - optimized for
memory, performance or I/O - and provides you with six familiar database
engines to choose from, including Amazon Aurora, PostgreSQL, MySQL,
MariaDB, Oracle Database, and SQL Server. You can use the AWS Database
Migration Service to easily migrate or replicate your existing databases to
Amazon RDS.
RDS Benefits
Easy to administer
Highly scalable
Available and durable
Fast
Secure
Inexpensive
Creating an RDS Instance

On the initial RDS Instance screen, choose Create database


After all the configuration options have been chosen, click Create database
RDS Administration - Oracle
RDS Oracle Administration
• The SYS and SYSTEM users are not available for administration
purposes.
• When the database is created, an administration user is created. This
is the user that is required for administration functions.
• A series of packages are used for common DBA tasks.
• RMAN is not supported for restoring a database; however, it can be
used for backups.
• Filesystem locations for database files cannot be changed.
• Option groups can be set up for S3 bucket locations.
RDSADMIN User
• RDSADMIN is the schema owner where all the administration
packages live.
RDSADMIN Packages
• This is a closer look at the RDSADMIN packages used for
administration.
Looking at Log files in RDS
• Looking at log files is done through querying the
rdsadmin.tracefile_listing table.

set serveroutput on
exec rdsadmin.manage_tracefiles.refresh_tracefile_listing;
select * from rdsadmin.tracefile_listing;
SELECT text FROM table(rdsadmin.rds_file_util.read_text_file('BDUMP','alert_ORCL.log'));
RDS Trace File Listing
select * from rdsadmin.tracefile_listing order by filename;
Viewing the Alert Log File
• SELECT text FROM table(rdsadmin.rds_file_util.read_text_file('BDUMP','alert_ORCL.log'));
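Once the alert log comes back as rows of TEXT from rds_file_util.read_text_file, the DBA still has to find the errors in it. The Python below is an added example, not part of the presentation: it walks a constructed sample of alert-log rows (made-up timestamps, trace file names and messages in the shape a real alert log uses), carries the most recent timestamp line forward, and reports every ORA- error with the time it occurred plus a count per error code. Feeding it the rows fetched by the query above is the assumed use.

```python
import re
from collections import Counter

# Constructed sample of rows as returned by
# rdsadmin.rds_file_util.read_text_file('BDUMP', 'alert_ORCL.log').
# Times, trace file names and messages are invented for the example.
SAMPLE_ALERT_ROWS = [
    "Tue Feb 18 10:15:01 2020",
    "Thread 1 advanced to log sequence 42 (LGWR switch)",
    "  Current log# 2 seq# 42 mem# 0: /rdsdbdata/db/ORCL_A/onlinelog/o1_mf_2_example_.log",
    "Tue Feb 18 10:16:33 2020",
    "ORA-00060: Deadlock detected. More info in file /rdsdbdata/log/trace/ORCL_ora_1234.trc.",
    "Tue Feb 18 10:20:00 2020",
    'ORA-01555: snapshot too old: rollback segment number 5 with name "_SYSSMU5$" too small',
    "Tue Feb 18 10:21:10 2020",
    "ORA-00060: Deadlock detected. More info in file /rdsdbdata/log/trace/ORCL_ora_1299.trc.",
]

# Alert logs use either the classic "Tue Feb 18 10:16:33 2020" stamp or an
# ISO-8601 stamp such as "2020-02-18T10:16:33.123456-07:00"; accept both.
TIMESTAMP_RE = re.compile(
    r"^(?:[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
    r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\S*)$"
)
ORA_ERROR_RE = re.compile(r"^(ORA-\d{5}): ?(.*)$")


def scan_alert_log(rows):
    """Return one finding per ORA- line, tagged with the preceding timestamp line."""
    current_ts = None
    findings = []
    for row in rows:
        line = row.rstrip()
        if TIMESTAMP_RE.match(line):
            current_ts = line
            continue
        m = ORA_ERROR_RE.match(line)
        if m:
            findings.append({"timestamp": current_ts, "code": m.group(1), "message": m.group(2)})
    return findings


def error_counts(findings):
    """Count findings per ORA- code so a recurring error stands out."""
    return Counter(f["code"] for f in findings)


if __name__ == "__main__":
    found = scan_alert_log(SAMPLE_ALERT_ROWS)
    for f in found:
        print(f["timestamp"], f["code"], f["message"])
    print(dict(error_counts(found)))
```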
Redo Logs in RDS
• Redo logs: adding, sizing, dropping
• Adding a redo log
select GROUP#, BYTES, STATUS from V$LOG;
exec rdsadmin.rdsadmin_util.add_logfile(bytes => 536870912);
• Switching a log file
exec rdsadmin.rdsadmin_util.switch_logfile;
• Dropping a log file
exec rdsadmin.rdsadmin_util.drop_logfile(grp => 1);
Tablespaces in RDS
• Tablespaces in RDS create bigfile data files by default.
• Data files use Oracle Managed Files by default.
create tablespace tbstest datafile size 50M;
create temporary tablespace temptbstest tempfile size 50M;
create tablespace tbstest datafile size 50M autoextend on next 1m maxsize 32G;
Database Auditing
• select * from dba_obj_audit_opts where owner='SYS' and object_name='AUD$';
• exec rdsadmin.rdsadmin_master_util.audit_all_sys_aud_table;
• exec rdsadmin.rdsadmin_master_util.audit_all_sys_aud_table(p_by_access => true);
• exec rdsadmin.rdsadmin_master_util.audit_all_sys_aud_table(p_by_access => false);
• exec rdsadmin.rdsadmin_master_util.noaudit_all_sys_aud_table;
Using RMAN in RDS
• Only RMAN backups are currently supported. Database restores cannot be done in RDS using
RMAN.
BEGIN
rdsadmin.rdsadmin_rman_util.backup_database_full(
p_owner => 'SYS',
p_directory_name => 'RMAN_BACKUPS',
p_parallel => 4,
p_section_size_mb => 10,
p_rman_to_dbms_output => FALSE);
END;
/
• Show all the RMAN options
describe RDSADMIN.rdsadmin_rman_util
Getting Started with EC2
What is EC2?
• Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides
secure, resizable compute capacity in the cloud, designed to make web-scale
cloud computing easier for developers.
• Amazon EC2's simple web service interface allows you to obtain and
configure capacity with minimal friction.
• Also known as Infrastructure as a Service (IaaS).
• Allows the deployment and configuration of an Amazon Machine Image (AMI).
On the EC2 Dashboard, choose "Launch Instance" to create an instance from an AMI (Amazon Machine Image).
Choose an AMI with the "Select" button next to the selection.
Select an instance type and continue with "Next: Configure Instance Details". Don't go to "Review and Launch".
In Step 3, "Number of instances" is set to "1". The "Network", "Subnet" and "Auto-assign
Public IP" will be set to the specifics of the VPC. Proceed to "Next: Add Storage".
In Step 4, add the desired storage. Note: additional storage can be added after the instance has been created. Choose
"Next: Add Tags".
Step 5: Add Tags. Tags are added to identify the instance using a Key / Value pair.
Choose the appropriate security group. The default security group has been selected. Security groups can be changed after
the instance has been created. Continue with "Review and Launch".
If all looks correct, continue with "Launch".
Either select an existing key pair or create a new key pair. It is important to keep the keys in a
safe place. If the keys are lost, there is no way to get back into the instance. If creating a new key pair,
"Download Key Pair". Once complete, "Launch Instances".
Import the *.pem key generated by AWS into PuTTY. After the import, save the public and private keys.
Import the private key under Connection -> SSH -> Auth. Save the session.
Log on to the instance using the "ec2-user" account. If the keys are set up
correctly, the login will succeed without a password. Using sudo -i
will enable root level access.
AWS Command Line Interface
AWS CLI
• The AWS Command Line Interface (AWS CLI) is an open source tool that enables
you to interact with AWS services using commands in your command-line shell.
• Requires the CLI tool to be installed. Supported clients include Windows, Mac, and
Linux.
• CLI keys are created under the IAM section in the AWS console.
• Configuration example:
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: ENTER
AWS CLI Examples
Create security group example:
$ aws ec2 create-security-group --group-name my-sg --description "My security group"
{
    "GroupId": "sg-903004f8"
}
Create RDS instance example:
$ aws rds create-db-instance \
    --allocated-storage 20 \
    --db-instance-class db.m1.small \
    --db-instance-identifier test-instance \
    --engine mysql \
    --enable-cloudwatch-logs-exports '["audit","error","general","slowquery"]' \
    --master-username master \
    --master-user-password secret99
Additional Topics
Additional AWS services
S3

Route 53

EBS / EFS

IAM

Cloudwatch / Advanced Monitoring

Snapshots

AWS Workspace

Lambda
Session Summary

Understand the high level aspects of the VPC, networking, subnets, peering, security groups, and NACLs

Introduction to RDS and how to transition DBA activities for creation, maintenance, and troubleshooting

Introduction to EC2 creation and configuration

Using the AWS CLI to automate AWS operations

AWS services related to DBA functions
AWS References
• https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html
• https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-aws-resources.html
• https://docs.aws.amazon.com/vpc/latest/userguide/route-table-options.html
• https://aws.amazon.com/rds/
• https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.CommonDBATasks.html
• https://aws.amazon.com/premiumsupport/knowledge-center/rds-common-dba-tasks/
• https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html
• https://docs.aws.amazon.com/cli/latest/reference/rds/
Questions ?
Thank You!

Timothy Mishek
timothymishek@yahoo.com
RMOUG Training Days 2020