What is OCI Full Stack DR:
OCI Full Stack Disaster Recovery (Full Stack DR) provides a fully automated and comprehensive disaster recovery orchestration solution for all the layers of a full stack cloud application, including infrastructure, database, and the application middle tier. Using Full Stack DR, you can easily recover your full stack applications across OCI regions or availability domains within the same region.
Benefits of OCI Full Stack DR:
Lower operating expenses - Full Stack DR lowers operating expenses by reducing the time and number of people required to complete DR run time operations.
DR for existing systems - Customers don’t need to reconfigure or redeploy existing business systems before configuring Full Stack DR to orchestrate complex recovery processes automatically.
Reduce Complexity - Full Stack DR uses built-in intelligence to automatically generate DR plans for the compute, storage, database and networking components.
Disaster Recovery at Scale - Full Stack DR provides the same simple process to execute DR operations for all your business systems with minimal human interaction.
Features of OCI Full Stack DR:
It is a fully Managed Service, and it has tight integration with OCI Core Services like OCI Compute, Oracle Database Services, OCI Storage, and OCI Load Balancer.
Provides great flexibility - Can integrate with Oracle/Non-Oracle applications and databases that are deployed in any DR topology.
Offers various choices of DR plans and DR plans are customisable according to application requirements.
Provides built-in prechecks to validate the readiness of the DR plan.
Execute and monitor all the DR plan operations from a Single pane of glass.
Pre-requisites of using OCI Full Stack DR:
Full Stack DR is currently available in these OCI regions. Both the production and the DR infrastructure, database and applications must be hosted in any of those regions. Full Stack DR supports both inter-regional and intra-regional deployments.
You should have all the steps required to recover your business systems.
You should either script (any language) or use OCI Functions for any customisations required as part of the overall DR plan. You can refer to our GitHub repo for sample scripts.
Refer to the documentation for preparing other OCI services that you plan to integrate with Full Stack DR.
Getting started with OCI Full Stack DR:
OCI Identity and Access Management (IAM) lets you control who has access to your cloud resources. You can control the type of access a group of users has and to which specific resources.
We will go through the process of an OCI administrator creating the OCI IAM components (User, Group, Dynamic group, Policy, etc.) that are required to use Full Stack DR, along with the other IAM policies required to interact with OCI core services. Refer to the OCI IAM documentation to understand more about the various IAM components. Finally, we will verify access to Full Stack DR by logging in as the newly created OCI user.
1. Create a user for Full Stack DR
a. Log in to the OCI console with administrator credentials and select your home region.
b. From the hamburger menu, navigate to Identity & Security -> Domains -> Default Domain -> Users -> Create user. Provide First name, Last name and Email id, then select Create.
You will receive an email at the address provided above about activating the user account; follow its instructions to activate the account.
2. Create a group
a. Log in to the OCI console with administrator credentials and select your home region.
b. From the hamburger menu, navigate to Identity & Security -> Domains -> Default Domain -> Groups -> Create group. Provide Name and Description, and select the users to assign to this group. Select the user you created in Step 1, then select Create.
3. Create a policy and provide access to Full Stack DR
a. Log in to the OCI console with administrator credentials and select your home region.
b. From the hamburger menu, navigate to Identity & Security -> Policies -> Create Policy. Provide Name, Description and Compartment; in Policy Builder, enable Show manual editor and add the policy below.
Select the compartment in which you will create the policy. In this example, I am selecting the compartment "suraj".
Allow group FullStackDRGroup to manage disaster-recovery-family in compartment suraj
You should use the correct group name (created in step 2) and compartment name in the policy syntax.
For Full Stack DR, I have granted "manage" access to disaster-recovery-family. If you need more granular access to the different Full Stack DR resource types, you can grant that instead. Refer to the Full Stack DR policies documentation for more details and modify the policies accordingly.
4. Add policies to access other OCI services
Full Stack DR implements DR workflows by managing other OCI resources such as Compute, Database, Block Storage, File Storage, Load Balancer, Object Storage, Functions, Vault, Virtual Cloud Network, and more.
We are going to add the policies below to the policy "fullstackdr-policy" created in step 3.
Allow group FullStackDRGroup to manage buckets in compartment suraj
Allow group FullStackDRGroup to manage objects in compartment suraj
Allow group FullStackDRGroup to manage databases in compartment suraj
Allow group FullStackDRGroup to manage autonomous-databases in compartment suraj
Allow group FullStackDRGroup to manage instance-family in compartment suraj
Allow group FullStackDRGroup to manage instance-agent-command-family in compartment suraj
Allow group FullStackDRGroup to manage volume-family in compartment suraj
Allow group FullStackDRGroup to read virtual-network-family in compartment suraj
Allow group FullStackDRGroup to use subnets in compartment suraj
Allow group FullStackDRGroup to use vnics in compartment suraj
Allow group FullStackDRGroup to use network-security-groups in compartment suraj
Allow group FullStackDRGroup to use private-ips in compartment suraj
Allow group FullStackDRGroup to read fn-app in compartment suraj
Allow group FullStackDRGroup to read fn-function in compartment suraj
Allow group FullStackDRGroup to use fn-invocation in compartment suraj
Allow group FullStackDRGroup to use tag-namespaces in compartment suraj
Allow group FullStackDRGroup to read vaults in compartment suraj
Allow group FullStackDRGroup to read secret-family in compartment suraj
Allow group FullStackDRGroup to manage load-balancers in compartment suraj
Allow group FullStackDRGroup to manage network-load-balancers in compartment suraj
Allow group FullStackDRGroup to manage file-family in compartment suraj
a. Log in to the OCI console with administrator credentials and select your home region.
b. From the hamburger menu, navigate to Identity & Security -> Policies -> select the policy created in Step 3 -> Edit Policy Statements -> Policy Builder -> Advanced.
Copy the list of policies above and save the changes. Verify that all the added policies are reflected correctly.
You should use the correct group name (created in step 2) and compartment name in the policy syntax.
Refer to the complete set of services that Full Stack DR currently integrates with; based on that documentation, you can grant more restrictive access to the other OCI services.
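The check below is an added example, not part of the original article or of Oracle's sample scripts: before pasting the statements into the policy editor, it confirms that each one follows the form used on this page, uses the intended group and compartment, and lists every "manage" grant so it can be reviewed against the more restrictive access mentioned above. The function name lint_policy and the sample text are assumptions, and the pattern covers only the "Allow group ... in compartment ..." form shown here, not the whole OCI policy language.

```python
import re

# Statement form used by every policy line on this page:
#   Allow group <group> to <verb> <resource-type> in compartment <compartment>
STATEMENT = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[a-z][a-z-]*)\s+in\s+compartment\s+(?P<compartment>\S+)$",
    re.IGNORECASE,
)

def lint_policy(text, group, compartment):
    """Return (problems, manage_grants) for a block of policy statements."""
    problems, manage_grants = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = STATEMENT.match(line)
        if match is None:
            problems.append((number, "not in the form 'Allow group G to VERB RESOURCE in compartment C'"))
            continue
        if match["group"] != group:
            problems.append((number, f"group is {match['group']!r}, expected {group!r}"))
        if match["compartment"] != compartment:
            problems.append((number, f"compartment is {match['compartment']!r}, expected {compartment!r}"))
        if match["verb"].lower() == "manage":
            # Broadest verb: collect these for a least-privilege review.
            manage_grants.append(match["resource"])
    return problems, manage_grants

# Constructed sample: four statements in the page's form, two with deliberate mistakes
# (line 3 is missing "to", line 4 misspells the group name).
SAMPLE = """\
Allow group FullStackDRGroup to manage disaster-recovery-family in compartment suraj
Allow group FullStackDRGroup to read virtual-network-family in compartment suraj
Allow group FullStackDRGroup read vaults in compartment suraj
Allow group FullStackDRGrp to manage volume-family in compartment suraj
"""

if __name__ == "__main__":
    problems, manage_grants = lint_policy(SAMPLE, "FullStackDRGroup", "suraj")
    for number, message in problems:
        print(f"line {number}: {message}")
    print("manage grants to review:", ", ".join(manage_grants))
```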
5. Create a Dynamic Group and modify the policy
Full Stack DR has a User-Defined Plan group feature, with which you can create steps that execute commands on an OCI compute instance. Dynamic groups allow you to group OCI compute instances as "principal" actors (similar to user groups). You can then create policies to permit instances to make API calls against OCI Services.
a. Log in to the OCI console with administrator credentials and select your home region.
b. From the hamburger menu, navigate to Identity & Security -> Domains -> Default Domain -> Dynamic Groups -> Create dynamic group. Provide Name, Description, Matching rules -> Match any rules defined below -> In Rule 1, provide the below details. Make sure you modify your compartment OCID -> Create
6. Verify Full Stack DR access
Now that we have set up all the necessary prerequisites, you should be able to log in to the OCI console as the user created in step 1 and verify the Full Stack DR functionality. Make sure you have the necessary user credentials before proceeding further.
a. Log in to the OCI console with user credentials and select your home region.
b. From the hamburger menu, navigate to Migration and Disaster Recovery -> Disaster Recovery -> DR Protection Groups
Now you should be able to Create a DR protection group and start working with the service.
Conclusion:
This article provides an in-depth look at Oracle Cloud Infrastructure's Full Stack Disaster Recovery (Full Stack DR), a fully automated disaster recovery solution for all layers of a full stack cloud application. The article discusses the benefits of Full Stack DR, such as lower operating expenses, disaster recovery for existing systems, and reduced complexity. It also features a detailed guide on how to get started with Full Stack DR, including creating a user, group, and policy for Full Stack DR, and verifying access. The article concludes with the promise of future discussions on various components and use cases of Full Stack DR.
Thanks for reading.