Prerequisites for deploying an Oracle Database workload

This document describes the prerequisites for deploying an Oracle Database workload on Google Cloud using Workload Manager.

You must first meet the prerequisites for using the Guided Deployment Automation tool before deploying an Oracle Database workload.

Prerequisite | Description
Google Cloud network resources | Create or select a VPC network and subnetwork for your Oracle Database deployment, and enable Private Google Access.
Service accounts | Create the required service accounts for the deployment and make sure that the service accounts have all the roles required for deploying your workload. For more information, see Service accounts.
Secrets for Oracle Database workload | To store and manage passwords for your database, you must use secrets created using Secret Manager. For more information, see Secrets for Oracle Database workload.
Quotas | Make sure that you have sufficient resource quota in your project to deploy the Oracle database. For more information, see Quotas.
Cloud Storage bucket | Create a Cloud Storage bucket in the project in which you want to host your Oracle software installation files. For more information, see Cloud Storage bucket.

VPC network and subnet

If your project has a default VPC network, don't use it for creating a deployment. Instead, we recommend that you create your own VPC network so that the only firewall rules in effect are those that you create explicitly for the network. Create a VPC network and subnet or contact your Google Cloud organization's networking team.

During the deployment process, Workload Manager automatically creates the necessary firewall rules for the deployment.

Enable Private Google Access

To make sure that your VM can access Google Cloud APIs and services, such as Cloud Monitoring, without needing an internet route, you must enable Private Google Access for the VM's subnet.

To learn how to enable Private Google Access, see Private Google Access configuration.

Service accounts

Workload Manager uses the following service accounts for your Oracle deployment:

  • Workload Manager service account: This service account is used to grant the required IAM roles and permissions to Workload Manager for creating deployments. The Workload Manager service account requires the following roles for an Oracle deployment:

    Service account: Service-PROJECT_ID@gcp-sa-workloadmanager.iam.gserviceaccount.com
    Required roles:
    • Cloud Infrastructure Manager Admin (roles/config.admin)
    • Logs Viewer (roles/logging.viewer)
    • Service Account User (roles/iam.serviceAccountUser)
    • Workload Manager Service Agent (roles/workloadmanager.serviceAgent)
    • Secret Manager Secret Accessor (roles/secretmanager.secretAccessor)
    • Storage Object Viewer (roles/storage.objectViewer)
    • Compute Network Viewer (roles/compute.networkViewer)

  • User-managed service account: This service account is attached to your deployment and it calls other APIs and services to create the Google Cloud resources required for the deployment, such as VMs, disks, firewall rules, and Artifact Registry repositories.

  • Compute Engine service account: This service account is attached to the database VMs that are created during the deployment process.

Depending on your application and configuration, Workload Manager might prompt you to grant any missing IAM roles and permissions to your service account.
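To find missing roles before Workload Manager prompts for them, you can compare the project IAM policy against the role list above. The following is an added example, not code from the Google Cloud documentation; the policy is a constructed sample in the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json` output, and the project ID, the `audit_agent_roles` helper, and the decision to ignore conditional bindings are assumptions.

```python
# Roles the page lists for the Workload Manager service account.
REQUIRED_ROLES = {
    "roles/config.admin", "roles/logging.viewer", "roles/iam.serviceAccountUser",
    "roles/workloadmanager.serviceAgent", "roles/secretmanager.secretAccessor",
    "roles/storage.objectViewer", "roles/compute.networkViewer",
}

# Member built from the page's template; "example-project" is a constructed value.
AGENT = ("serviceAccount:Service-example-project"
         "@gcp-sa-workloadmanager.iam.gserviceaccount.com")

# Constructed sample policy (parse real output with json.load instead).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/config.admin", "members": [AGENT]},
    {"role": "roles/logging.viewer", "members": [AGENT]},
    {"role": "roles/iam.serviceAccountUser", "members": [AGENT]},
    {"role": "roles/workloadmanager.serviceAgent", "members": [AGENT]},
    {"role": "roles/storage.objectViewer", "members": [AGENT]},
    {"role": "roles/compute.networkViewer", "members": ["user:dba@example.com"]},
    {"role": "roles/editor", "members": [AGENT]},
    {"role": "roles/secretmanager.secretAccessor", "members": [AGENT],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
]}


def granted_roles(policy, member):
    """Return the roles bound unconditionally to `member` in a project IAM policy."""
    roles = set()
    for binding in policy.get("bindings", []):
        # Assumption: a conditional grant may not apply at deploy time, so skip it.
        if "condition" in binding:
            continue
        # Compare case-insensitively so capitalisation cannot hide a grant.
        if member.lower() in (m.lower() for m in binding.get("members", [])):
            roles.add(binding["role"])
    return roles


def audit_agent_roles(policy, member=AGENT):
    """Report required roles that are missing and granted roles outside the list."""
    have = granted_roles(policy, member)
    return {"missing": sorted(REQUIRED_ROLES - have),
            "extra": sorted(have - REQUIRED_ROLES)}


if __name__ == "__main__":
    print(audit_agent_roles(SAMPLE_POLICY))
```

The `extra` list is for least-privilege review only; roles inherited from a folder or organization do not appear in the project policy and are not covered by this check.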

Secrets for Oracle Database workloads

The Guided Deployment Automation tool uses Secret Manager to store passwords needed during the deployment process, such as the passwords for user accounts. Plain text passwords are prohibited in accordance with our Terraform best practices.

Before creating an Oracle Database deployment, create the following two secrets:

  • Secret for Oracle database credentials. This includes passwords for SYS and SYSTEM users. If you're using Oracle multitenant, this includes the password for the PDBADMIN user.
  • Secret for database monitoring credentials. If you're using Cloud Monitoring, this secret includes the password that is used by the Agent for Compute Workloads to authenticate your database for metric collection.

You must create secrets in the same project in which you're deploying the Oracle workload. To learn how to create a secret, see Create and access a secret using Secret Manager.

To ensure that the secrets meet the Oracle password requirements, follow these guidelines:

  • Password must be between 8 and 30 characters.
  • Must contain at least one uppercase letter.
  • Must contain at least one lowercase letter.
  • Must contain at least one digit.
  • Must contain at least one special character (# $ @ % * _ + = -).
  • Must not contain common disallowed words, such as "oracle".

After successful deployment, you can modify or assign new passwords to these users.
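The guidelines above can be checked before a value is stored in Secret Manager. The following is an added example, not code from the Google Cloud documentation: it validates a candidate password against each listed rule and generates a compliant one from a CSPRNG. The function names, the case-insensitive word match, and the single-entry disallowed word list (the page names only "oracle") are assumptions.

```python
import secrets
import string

# Policy values taken from the guidelines above.
MIN_LEN, MAX_LEN = 8, 30
SPECIALS = "#$@%*_+=-"
# The page names only "oracle"; extend this tuple with your own list (assumption).
DISALLOWED_WORDS = ("oracle",)


def policy_violations(password):
    """Return the names of the guidelines a password breaks (empty list = compliant)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("uppercase")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("lowercase")
    if not any(c in string.digits for c in password):
        problems.append("digit")
    if not any(c in SPECIALS for c in password):
        problems.append("special")
    # Case-insensitive matching is an assumption; the page does not specify it.
    lowered = password.lower()
    if any(word in lowered for word in DISALLOWED_WORDS):
        problems.append("disallowed-word")
    return problems


def generate_password(length=24):
    """Generate a random password that satisfies every guideline."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        # secrets.choice draws from the OS CSPRNG; retry until all rules pass.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    # Report only pass/fail so the password never reaches a terminal or log.
    print("compliant:", policy_violations(generate_password()) == [])
```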

Quotas

Google Cloud uses quotas to protect and control the number of resources that a particular account or organization can use. Oracle Database workloads often consume a large portion of resources. Given the size of the databases and applications, you might experience quota issues during the deployment process.

To avoid quota issues, do the following:

  1. View available resource quota for your project.
  2. If needed, request a higher quota value or contact your project administrator.

Cloud Storage bucket

Create an empty Cloud Storage bucket to be used to host the Oracle software installation files during the deployment process. The bucket must exist within the project in which you're creating the deployment.
