Cross Tenancy and Cross-Region Cloning

You can clone an Autonomous Database instance from one tenancy (the source tenancy) to a different tenancy (the destination tenancy).

About Cross Tenancy Cloning

When you create a cross tenancy clone, you can create the clone either in the same region as the source tenancy or in a different region (cross-region).

Note

The cross tenancy cloning option is only available using the CLI or the Autonomous Database REST APIs. This option is not available using the Oracle Cloud Infrastructure Console.

Note the following for cross tenancy cloning:

  • All clone types are supported: the cloned database can be a Full clone, a Metadata clone, or a Refreshable clone.

  • A clone can be created from a source Autonomous Database instance or from a backup (using the latest backup, a specified backup, or by selecting a long-term backup).

  • The source Autonomous Database instance can use either the ECPU or OCPU compute model. Depending on your workload type, you can clone from a source that uses the OCPU compute model to a clone that uses the ECPU compute model (this is allowed for the Data Warehouse and the Transaction Processing workload types).

  • The cloned database can be in the same region or in a different region (cross-region).

  • The cross tenancy cloning option does not support cloning with customer managed keys on the source. See Manage Encryption Keys on Autonomous Database for more information on customer managed keys.

Prerequisites for Cross Tenancy Cloning

Describes prerequisites for creating a cross tenancy clone where the source database is in one tenancy and the cloned database is in a different tenancy.

You must run the commands to create a cross tenancy clone on the destination tenancy. Before you create a cross tenancy clone, you need to define OCI Identity and Access Management groups and policies on the source tenancy (the tenancy that contains the instance you are cloning) and on the destination tenancy. The groups and policies you define allow you to run commands to create the clone on the destination tenancy and allow the destination tenancy to contact the source tenancy where the source Autonomous Database instance resides.

The OCI Identity and Access Management groups and policies you add support the following:

  • A member of a group in the source tenancy allows a group in the destination tenancy to access (read) the source Autonomous Database instance on the source tenancy.

    You do not need to allow other actions on the source Autonomous Database instance (for example, start, stop, terminate, or any write operations).

  • A member of a group in the destination tenancy is allowed to create a clone in the destination tenancy using the Autonomous Database instance in the source tenancy as the clone source.

    On the destination tenancy you also add a policy that allows a group to manage the Autonomous Database instance on the source tenancy. For example, this policy allows the group to create the clone database, and allows a refreshable clone to run commands that contact the source tenancy, such as Refresh and Disconnect.

To create a cross tenancy clone, use OCI Identity and Access Management to create the required groups and to define the policies that authorize cross tenancy cloning:

  1. Create a group on the destination tenancy that contains the user that will be allowed to create a clone.
    1. On the destination tenancy, in the Oracle Cloud Infrastructure Console click Identity & Security.
    2. Under Identity click Domains and select an identity domain (or create a new identity domain).
    3. Under Identity domain, click Groups.
    4. To add a group, click Create group.
    5. On the Create group page, enter a Name and a Description.

      For example, enter the Name: DestinationGroup.

    6. On the Create group page, click Create.
    7. Click Create to save the group.
    8. On the Group page, click Assign user to groups and select the users you want to add to the group.
    9. Click Add.
    10. On the Group page, from the Group information tab copy the OCID for use in Step 2.
  2. On the source tenancy, define OCI Identity and Access Management policies for the source Autonomous Database instance.
    1. On the source tenancy, in the Oracle Cloud Infrastructure Console click Identity & Security.
    2. Under Identity, click Policies.
    3. To write a policy, click Create Policy.
    4. On the Create Policy page enter a Name and a Description.
    5. On the Create Policy page, select Show manual editor.
    6. In the policy builder, add policies so that the group in the destination tenancy is allowed to create a clone using an Autonomous Database instance on the source tenancy as the clone source.

      For example, define the following generic policies:

      define tenancy DestinationTenancy as ocid1.tenancy.oc1..unique_ID
      define group DestinationGroup as ocid1.group.region1..unique_ID
      admit group DestinationGroup of tenancy DestinationTenancy to read autonomous-database-family
             in compartment ocid1.compartment.region1..unique_ID 
             where target.id = 'ocid1.autonomousdatabase.oc1..unique_ID'

      This policy specifies the following:

      • Line 1: the OCID is the OCID of the destination tenancy. This is the tenancy where you are going to create the clone.

      • Line 2: the OCID is the OCID of the group to which the user who will create the clone belongs. This is the OCID of the group you created in Step 1.

      • Line 3: The first OCID is the OCID of the compartment where the source database resides. The second OCID, after the where clause, is the OCID of the source Autonomous Database instance.

      Note

      The where clause is optional and provides a more fine-grained way to grant access to a specific database.

      For example, set these policies on the source tenancy to allow cross tenancy cloning:

      define tenancy DestinationTenancy as ocid1.tenancy.oc1..aaa_example_rcyx2a
      define group DestinationGroup as ocid1.group.oc1..aaa_example_6vctn6xsaq
      admit group DestinationGroup of tenancy DestinationTenancy to read autonomous-database-family in compartment 
         ocid1.compartment.region1..bbb_example_rcyx2b where target.id = 'ocid1.autonomousdatabase.oc1.aaaabbbbcccc'

      This policy specifies a user in the DestinationGroup of the DestinationTenancy can read from a specific Autonomous Database instance in the specified compartment (on the source tenancy). To create a cross tenancy clone the policy only needs to allow read on the source Autonomous Database instance.

    7. Click Create to save the policy.
  3. Define policies on the destination tenancy.
    1. On the destination tenancy, in the Oracle Cloud Infrastructure Console click Identity & Security.
    2. Under Identity, click Policies.
    3. To write a policy, click Create Policy.
    4. On the Create Policy page enter a Name and a Description.
    5. On the Create Policy page, select Show manual editor.
    6. In the policy builder, add policies so that a group is endorsed to manage Autonomous Databases on the source tenancy.

      For example:

      Define tenancy SourceTenancy as ocid1.tenancy.oc1..unique_ID
      Endorse group DestinationGroup to manage autonomous-database-family in tenancy SourceTenancy

      This policy specifies the following:

      • Line 1: The OCID is the source tenancy OCID. This is the tenancy where the source Autonomous Database instance resides.

      • Line 2: Specifies that the DestinationGroup group can manage Autonomous Databases in the source tenancy.

    Notes for defining policies on the destination tenancy:

    • For the following policy:

      Endorse group DestinationGroup to manage autonomous-database-family in tenancy SourceTenancy

      This policy allows the group DestinationGroup to create Autonomous Databases and Autonomous Database clones in the source tenancy. You can limit cloning permissions so that the group can only clone Autonomous Databases but cannot create Autonomous Databases, or further limit permission to only create a particular type of clone: Full Clone, Metadata Clone, or Refreshable Clone. See IAM Permissions and API Operations for Autonomous Database for more information and examples.

    • If these policies are revoked, cross tenancy cloning is no longer allowed.

See Getting Started with Policies for more information.
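The source-tenancy policy only needs read on one specific database, so it is worth checking a drafted policy before saving it. The following is an added example, not Oracle code: the function names and the placeholder OCIDs are constructed for illustration, and the parser covers only the define/admit forms shown on this page.

```python
import re

# Keywords that start a new OCI policy statement; any other non-empty line is
# treated as a wrapped continuation of the statement above it.
STARTER = re.compile(r"(define|admit|endorse|allow)\s", re.I)
DEFINE = re.compile(r"define\s+(?:group|tenancy)\s+(\S+)\s+as\s+\S+", re.I)
ADMIT = re.compile(
    r"admit\s+group\s+(?P<group>\S+)\s+of\s+tenancy\s+(?P<tenancy>\S+)\s+to\s+"
    r"(?P<verb>\w+)\s+(?P<resource>\S+)\s+in\s+(?:tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<where>.+))?$", re.I)

# Constructed sample (placeholder OCIDs): grants manage and has no where clause.
SAMPLE_BROAD = """
define tenancy DestinationTenancy as ocid1.tenancy.oc1..example_dest
admit group DestinationGroup of tenancy DestinationTenancy to manage autonomous-database-family
       in compartment ocid1.compartment.oc1..example_comp
"""


def join_statements(text):
    """Merge wrapped lines so that each list item is one policy statement."""
    statements = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if STARTER.match(line) or not statements:
            statements.append(line)
        else:
            statements[-1] += " " + line
    return statements


def audit_source_policy(text):
    """Return findings for admit statements broader than a clone source needs."""
    statements = join_statements(text)
    defined = {d.group(1).lower() for s in statements if (d := DEFINE.match(s))}
    findings = []
    for m in filter(None, map(ADMIT.match, statements)):
        for alias in (m["group"], m["tenancy"]):
            if alias.lower() not in defined:
                findings.append(f"alias {alias} is not defined")
        if m["verb"].lower() not in ("inspect", "read"):
            findings.append(f"verb {m['verb']} exceeds read")
        target = re.search(r"target\.id\s*=\s*'([^']*)'", m["where"] or "")
        if target is None:
            findings.append("no target.id condition")
        elif not target.group(1).startswith("ocid1.autonomousdatabase."):
            findings.append(f"target.id {target.group(1)} is not an Autonomous Database OCID")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_source_policy(SAMPLE_BROAD)))
```

An empty result means the admit statement grants at most read and is pinned to a single Autonomous Database OCID.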

Create a Cross Tenancy or Cross-Region Clone

Shows the steps to create a cross tenancy clone when the source database and the cloned database are in the same region, or when the source database and the cloned database are in different regions (cross-region).

These steps cover creating a Full clone or a Metadata clone. See Create a Cross Tenancy or Cross-Region Refreshable Clone for details on creating a cross tenancy refreshable clone.

Note

The cross tenancy cloning option is only available using the CLI or the Autonomous Database REST APIs. This option is not available using the Oracle Cloud Infrastructure Console.

To create a cross tenancy clone:

  1. Perform the prerequisite steps to define the OCI Identity and Access Management policies to authorize cross tenancy cloning.
  2. On the destination tenancy (the tenancy where you want to create the clone), in the destination region, use the CLI or call the REST API with a valid clone type, FULL or METADATA, and provide the OCID of the source database, which resides in a different tenancy (the source tenancy).

    For example, with the CLI:

    oci db autonomous-database create-from-clone \
          --clone-type metadata \
          --compartment-id ocid1.tenancy.oc1..unique_ID \
          --source-id ocid1.autonomousdatabase.oc1.iad.unique_ID \
          --db-name dbnameclone \
          --admin-password password \
          --data-storage-size-in-tbs 1 \
          --compute-model ECPU \
          --compute-count 4

    See create-from-clone for more information.

    Use the CreateAutonomousDatabase API to create a cross tenancy clone.

    See the following for additional information on the REST API:

Create a Cross Tenancy Clone from a Backup

Shows the steps to create a cross tenancy clone from a backup.

These steps cover creating a Full clone or a Metadata clone. See Create a Cross Tenancy or Cross-Region Refreshable Clone for details on creating a cross tenancy refreshable clone.

Note

The cross tenancy cloning option is only available using the CLI or the Autonomous Database REST APIs. This option is not available using the Oracle Cloud Infrastructure Console.

To create a cross tenancy clone from a backup:

  1. Perform the prerequisite steps to define the OCI Identity and Access Management policies to authorize cross tenancy cloning.
  2. On the destination tenancy (the tenancy where you want to create the clone), in the destination region, use the CLI or call the REST API with a valid clone type, FULL or METADATA, and provide the OCID of the backup (on the source tenancy). The source database resides in a different tenancy (the source tenancy).
    Note

    See Create a Cross Tenancy or Cross-Region Refreshable Clone to create a cross tenancy refreshable clone.

    For example, with the CLI:

    oci db autonomous-database create-from-backup-timestamp \
         --autonomous-database-id ocid1.autonomousdatabase.oc1.iad.anuw_example \
         --clone-type full \
         --compartment-id ocid1.tenancy.oc1..fcue4_example \
         --admin-password password \
         --compute-model ECPU \
         --compute-count 2 \
         --db-name ExampleTest1 \
         --timestamp 2023-12-15T19:30:00Z \
         --data-storage-size-in-tbs 1

    See create-from-backup-timestamp and create-from-backup-id for more information.

    Use the CreateAutonomousDatabase API to create a cross tenancy clone by cloning from a backup of an existing Autonomous Database.

    See the following for information on the REST API: