Multicloud Oracle Database@Google Cloud - How to create & access Oracle Autonomous Database 23ai on Google Cloud


In this article, we will see how to create an Oracle Autonomous Database 23ai instance, network, subnets, firewalls, Windows VMs, bastion host, etc., on the Google Cloud Platform (GCP), leveraging the best of both cloud worlds, Google Cloud and Oracle Cloud (OCI). Oracle Database@Google Cloud gives customers direct access to Oracle database services running on OCI and deployed in Google Cloud data centres. This new offering is designed to help customers accelerate their migration to the cloud so they can modernize their IT environments and take advantage of Google Cloud infrastructure, tooling, and AI services, including data and analytics, Vertex AI, and the company’s Gemini foundation models. This partnership helps customers simplify cloud migration, multicloud deployment, and management.


Table of Contents

  1. Acknowledgements
  2. Pre-requirements
  3. Login to Google Cloud Platform
  4. Understanding Google Cloud console and command line interface
  5. Install gcloud
  6. Login to gcloud through command line interface
  7. Create SSH Keys
  8. Add an SSH key to the Compute Engine Metadata
  9. Create a VPC Network using gcloud
  10. Create Private Subnet
  11. Create Public Subnet
  12. Create Common Firewall Rules (INGRESS direction)
  13. Create Bastion Firewall Rules (EGRESS direction)
  14. Create Bastion Instance
  15. Create Windows VM
  16. Create Oracle Autonomous Database 23ai on Google Cloud
  17. Access Oracle Autonomous Database on Oracle Cloud
  18. Get Access Database Actions & Oracle APEX URL
  19. Install Windows App and access Windows Machine using Remote Desktop
  20. Find Database Version using SQL Worksheet
  21. Access Oracle APEX and SQL Workspace
  22. Architecture
  23. What's Next?
  24. Conclusion


01. Acknowledgements

I want to thank Marty Gubar, Bo English-Wiczling and my team. Without their guidance & suggestions, this article would not have been possible.


02. Pre-requirements

You should have access to the Google Cloud platform and Oracle Cloud to log in and manage (create, update and delete) the following resources; if not, work with your tenancy administrator to provide you with the following.

  1. Network (VPC as called in Google Cloud) or (VCN as used in Oracle Cloud)
  2. Subnets
  3. Firewalls
  4. Compute Engine, Virtual Machines (VMs), Storage
  5. Oracle Autonomous Database (Oracle Database@Google)
  6. Your Oracle Cloud tenancy/account should be mapped to your Google Cloud account/project


03. Login to Google Cloud Platform

Log in to Google Cloud Platform. You might be asked to log out of your personal account and log in to your organisation account if you use a different account for Google Cloud.

Google login screen

If you log in as a different user who is not entitled to GCP, you will see this error message.


logged in as a non GCP account user

Sign out and sign in as a Google user with Google Cloud account access.

login as a GCP user

If you have enabled 2-factor authentication (SMS or mobile authenticator), you will need to approve it. Now we are in Google Cloud; click on Console.

Click on Google Console

Change the Project name next to Google Cloud if required

GCP welcome screen

Now, we are all set to move to the next step. If you cannot log in, please reach out to your Google Cloud administrator.


04. Understanding Google Cloud console and command line interface

Google Cloud

Google Cloud consists of a set of physical assets, such as computers and hard disk drives, and virtual resources, such as virtual machines (VMs), that are contained in data centers around the globe. Each data center location is in a region. Regions are available in Asia, Australia, Europe, Africa, the Middle East, North America, and South America. Each region is a collection of zones, which are isolated from each other within the region. Each zone is identified by a name that combines a letter identifier with the name of the region. For example, zone a in the East Asia region is named asia-east1-a.


Orchestrate Google Cloud resources granularly and at scale

Google Cloud CLI supports over 8,000 commands to provide complete management and control over nearly all Google Cloud services and products. The CLI also provides preview command sets for early access to pre-release Google Cloud products.


Oracle Database@Google Cloud

Accelerate innovation and cloud migration with OCI Oracle Database services running in Google Cloud. Quickly build and modernize applications with capabilities such as Oracle Database 23ai AI Vector Search and Google’s Vertex AI.



05. Install gcloud

Scripting with gcloud

If you work with Google Cloud Platform (GCP), chances are you’ve probably used either the web-based Console or the command-line based Cloud SDK to manage resources and applications hosted on GCP. If you’ve downloaded Cloud SDK, which comes with the gcloud command-line tool, you might consider scripting with gcloud to get more out of your GCP usage!

A simple gcloud script to list virtual machine instances running in Google Cloud:

gcloud compute instances list --format=text --limit=1        

Install gcloud on your laptop or desktop machine; please read the gcloud installation guide.

This is the installation on my iMac machine:

# Download and extract
wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-x86_64.tar.gz
tar -xzf google-cloud-cli-darwin-x86_64.tar.gz

# Install Google Cloud SDK
./google-cloud-sdk/install.sh

# Installer output:
# [/Users/username/.zshrc] has been updated.

cd /Users/username/Workarea/MultiCloud/gcloud/google-cloud-sdk

# Reload the shell environment
source ~/.zshrc

Reality check: enter gcloud in the terminal

gcloud        
gcloud CLI

06. Login to Google Cloud SDK through command line interface

gcloud auth login        

This will open a web browser to authenticate. Select the Google account associated with GCP.

Authenticate as GCP user

Click Continue

Sign in Google Cloud SDK

07. Create SSH Keys

Set the project name (required the first time); replace <project-name> with the name shown in the Google Cloud Console.

gcloud config set project <project-name>
# Updated property [core/project].        

Create an RSA-format SSH key pair using ssh-keygen:

cd /Users/username/.ssh/
# replace <key-file> and <key-name>
ssh-keygen -t rsa -f ~/.ssh/<key-file> -C <key-name>

# for example
# ssh-keygen -t rsa -f ~/.ssh/madhu-keyfile -C madhukey
# this will create private and public key files

This will create a pair of OpenSSH private and public (.pub) keys.


08. Add an SSH key to the Compute Engine Metadata

# replace <key-file> with the one that you created

gcloud compute project-info add-metadata --metadata-from-file ssh-keys=/Users/username/.ssh/<key-file>.pub

# for example
# gcloud compute project-info add-metadata --metadata-from-file ssh-keys=/Users/madhusudhanrao/.ssh/madhu-keyfile.pub

Reality check: Search for Metadata

Open the Google Cloud metadata URL and click on the SSH tab.

https://console.cloud.google.com/compute/metadata?authuser=0


Metadata on GCP

09. Create a VPC Network using gcloud

A VPC network does the following:

  • Provides connectivity for your Compute Engine virtual machine (VM) instances.
  • Offers native internal passthrough Network Load Balancers and proxy systems for internal Application Load Balancers.
  • Connects to on-premises networks by using Cloud VPN tunnels and VLAN attachments for Cloud Interconnect.
  • Distributes traffic from Google Cloud external load balancers to backends.

# replace <vpc-network-name> as per your network choice
gcloud compute networks create <vpc-network-name> --subnet-mode=custom

# For example
# gcloud compute networks create indretail-network --subnet-mode=custom

Reality check: Search for VPC

Please note that we have only created a network so far, without any subnets or firewalls associated with it.

VPC Network on GCP

You can also list the networks using gcloud as shown below

gcloud compute networks list        

List Regions

At this point it's important to make a list of the regions available.

gcloud compute regions list        

You will get a list of the available regions, as shown below. We will need one of these regions later in the article to replace <region-name>.

List of Regions Available

10. Create Private Subnet

List the subnets; it's important that CIDR ranges do not overlap with each other.

# list existing subnets to check for a range that we can use

gcloud compute networks subnets list

# for example
# default               us-central1              default              10.128.0.0/20   IPV4_ONLY

Create a new subnet, passing the network name and CIDR range as shown below.

Replace the following: <private-subnet-name>, <network-name>, <region-name> and <priv-cidr-ip>

gcloud compute networks subnets create <private-subnet-name> --network <network-name> --region <region-name> --range <priv-cidr-ip>/24 --enable-private-ip-google-access        

for example

gcloud compute networks subnets create indretail-private-subnet-us-east4 --network indretail-network --region us-east4 --range 192.168.8.0/24 --enable-private-ip-google-access        

You should see a gcloud response like this:

# Created [https://www.googleapis.com/compute/v1/projects/<project-name>/regions/us-east4/subnetworks/indretail-private-subnet-us-east4].

# NAME                               REGION    NETWORK            RANGE           STACK_TYPE  IPV6_ACCESS_TYPE  INTERNAL_IPV6_PREFIX  EXTERNAL_IPV6_PREFIX
# indretail-private-subnet-us-east4  us-east4  indretail-network  x.x.x.y/24  IPV4_ONLY        

11. Create Public Subnet

Similarly, create a public subnet. Most importantly, use a different CIDR range that does not overlap.

Replace the following: <public-subnet-name>, <network-name>, <region-name> and <pub-cidr-ip>

gcloud compute networks subnets create <public-subnet-name> --network <network-name> --region <region-name> --range <pub-cidr-ip>/24 --enable-private-ip-google-access        

for example

gcloud compute networks subnets create indretail-public-subnet-us-east4 --network indretail-network --region us-east4 --range 192.168.9.0/24 --enable-flow-logs --enable-private-ip-google-access        

Reality check: on Subnet Creation

VPC Network details
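The no-overlap requirement for the subnet ranges above (and for the Autonomous Database `--cidr` used later) can be checked before running the create commands. This is an added example, not code from the original article: it assumes the subnet list was exported with `gcloud compute networks subnets list --format=json`, uses a constructed sample in that shape, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample, shaped like `gcloud compute networks subnets list --format=json`
# (only the two fields this check needs are shown).
SAMPLE_SUBNETS = json.loads("""
[
  {"name": "default", "ipCidrRange": "10.128.0.0/20"},
  {"name": "indretail-private-subnet-us-east4", "ipCidrRange": "192.168.8.0/24"},
  {"name": "indretail-public-subnet-us-east4", "ipCidrRange": "192.168.9.0/24"}
]
""")


def conflicts(candidate, subnets):
    """Return the names of existing subnets that overlap the candidate CIDR."""
    # strict=True rejects a range with host bits set, e.g. 192.168.8.1/24
    cand = ipaddress.ip_network(candidate, strict=True)
    return [s["name"] for s in subnets
            if cand.overlaps(ipaddress.ip_network(s["ipCidrRange"]))]


def next_free(parent, prefixlen, subnets):
    """Return the first block of the given size inside parent that is unused."""
    used = [ipaddress.ip_network(s["ipCidrRange"]) for s in subnets]
    for cand in ipaddress.ip_network(parent).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None  # parent range is fully allocated


if __name__ == "__main__":
    for cidr in ("192.168.10.0/24", "192.168.8.0/23", "10.128.4.0/24"):
        print(cidr, "conflicts with:", conflicts(cidr, SAMPLE_SUBNETS) or "nothing")
    print("next free /24:", next_free("192.168.8.0/22", 24, SAMPLE_SUBNETS))
```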

12. Create Common Firewall Rules (INGRESS directions)

Firewall for commonly used Network ports

Replace <allow-network-common-ports> and <network-name>

gcloud compute firewall-rules create <allow-network-common-ports> \
    --direction=INGRESS \
    --priority=1000 \
    --network=<network-name> \
    --action=ALLOW \
    --rules=tcp:22,tcp:80,tcp:443,tcp:1522,tcp:3389 \
    --source-ranges=0.0.0.0/0 \
    --description="Allow SSH, HTTP, HTTPS, Autonomous DB, and RDP access" \
    --target-tags=bastion        

for example -

gcloud compute firewall-rules create allow-indretail-network-common-ports \
    --direction=INGRESS \
    --priority=1000 \
    --network=indretail-network \
    --action=ALLOW \
    --rules=tcp:22,tcp:80,tcp:443,tcp:1522,tcp:3389 \
    --source-ranges=0.0.0.0/0 \
    --description="Allow SSH, HTTP, HTTPS, Autonomous DB, and RDP access" \
    --target-tags=bastion        

13. Create Bastion Firewall Rules (EGRESS Direction)

Firewall for Bastion Host ports

Replace <allow-network-bastion-egress> and <network-name>

gcloud compute firewall-rules create <allow-network-bastion-egress> \
    --direction=EGRESS \
    --priority=1000 \
    --network=<network-name> \
    --action=ALLOW \
    --rules=tcp:22,tcp:80,tcp:443,tcp:1522,tcp:3389 \
    --destination-ranges=0.0.0.0/0 \
    --target-tags=bastion        

For example -

gcloud compute firewall-rules create allow-indretail-network-bastion-egress \
    --direction=EGRESS \
    --priority=1000 \
    --network=indretail-network \
    --action=ALLOW \
    --rules=tcp:22,tcp:80,tcp:443,tcp:1522,tcp:3389 \
    --destination-ranges=0.0.0.0/0 \
    --target-tags=bastion        

Reality Check:

Firewall - Ports and Protocols
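The ingress rule above admits any source address (0.0.0.0/0) to SSH, RDP and the database port on every VM tagged bastion. The following added example, which is not part of the original article, audits a firewall rule listing for that condition; it assumes the rules were exported with `gcloud compute firewall-rules list --format=json`, runs on a constructed sample in that shape, and the two `example-*` rules and the function names are hypothetical.

```python
import json

# Admin and database ports from the article's ingress rule (80/443 left out).
SENSITIVE_PORTS = {22: "SSH", 1522: "Autonomous DB", 3389: "RDP"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.loads("""
[
  {"name": "allow-indretail-network-common-ports", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["bastion"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22", "80", "443", "1522", "3389"]}]},
  {"name": "allow-indretail-network-bastion-egress", "direction": "EGRESS",
   "destinationRanges": ["0.0.0.0/0"], "targetTags": ["bastion"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22", "80", "443", "1522", "3389"]}]},
  {"name": "example-admin-from-fixed-ip", "direction": "INGRESS",
   "sourceRanges": ["203.0.113.10/32"], "targetTags": ["bastion"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
  {"name": "example-wide-range-no-tags", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]}
]
""")


def sensitive_ports_in(allowed_entry):
    """Return the sensitive TCP ports that one `allowed` entry opens."""
    if allowed_entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
        return set()
    specs = allowed_entry.get("ports")
    if not specs:  # no port list means every port of that protocol
        return set(SENSITIVE_PORTS)
    hits = set()
    for spec in specs:  # a spec is "22" or a range such as "3000-4000"
        low, _, high = spec.partition("-")
        span = range(int(low), int(high or low) + 1)
        hits.update(p for p in SENSITIVE_PORTS if p in span)
    return hits


def audit(rules):
    """List enabled ingress rules that open sensitive ports to any source."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not ANY_SOURCE & set(rule.get("sourceRanges", [])):
            continue
        ports = set()
        for entry in rule.get("allowed", []):
            ports |= sensitive_ports_in(entry)
        if ports:
            findings.append({
                "rule": rule["name"],
                "ports": sorted(ports),
                # a rule without target tags applies to every VM in the network
                "targets": rule.get("targetTags") or ["<all instances>"],
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in f["ports"])
        print(f"{f['rule']}: {names} open to any source -> {f['targets']}")
```

To audit a real project, pass the parsed output of `gcloud compute firewall-rules list --format=json` to `audit()`; narrowing `--source-ranges` to the addresses you administer from clears the finding.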

14. Create Ubuntu Bastion Host Instance

What is Bastion Host?

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks, so named by analogy to the bastion, a military fortification. The computer generally hosts a single application or process, for example, a proxy server or load balancer, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or inside of a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers. These computers are also equipped with special networking interfaces to withstand high-bandwidth attacks through the internet. (Source: Wikipedia)

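Replace <bastion-host-name>, <public-subnet-name> (created earlier), <bastion-host-device-name> and <region-name>. Note that --zone takes a zone within your region, such as us-east4-a in the example below. To verify the result afterwards, search for VM Instances in the Google Cloud search bar.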

gcloud compute instances create <bastion-host-name> \
    --zone=<region-name> \
    --machine-type=e2-micro \
    --subnet=<public-subnet-name> \
    --network-tier=PREMIUM \
    --maintenance-policy=MIGRATE \
    --image-family=ubuntu-2004-lts \
    --image-project=ubuntu-os-cloud \
    --boot-disk-size=20GB \
    --boot-disk-type=pd-balanced \
    --boot-disk-device-name=<bastion-host-device-name> \
    --tags=bastion         

For example -

gcloud compute instances create indretail-bastion-host \
    --zone=us-east4-a \
    --machine-type=e2-micro \
    --subnet=indretail-public-subnet-us-east4 \
    --network-tier=PREMIUM \
    --maintenance-policy=MIGRATE \
    --image-family=ubuntu-2004-lts \
    --image-project=ubuntu-os-cloud \
    --boot-disk-size=20GB \
    --boot-disk-type=pd-balanced \
    --boot-disk-device-name=indretail-bastion-host-device \
    --tags=bastion         

Reality Check:

Bastion Host

15. Create Windows VM

Replace <windows-vm-name>, <network-name>, <region-name> and <public-subnet-name> below

gcloud compute instances create <windows-vm-name> \
    --image-family windows-2022 \
    --image-project windows-cloud \
    --machine-type e2-standard-4 \
    --zone <region-name> \
    --network <network-name> \
    --network-tier=PREMIUM \
    --subnet <public-subnet-name> \
    --boot-disk-size 50GB \
    --boot-disk-type pd-ssd \
    --enable-display-device \
    --tags=bastion         

for example -

gcloud compute instances create indretail-winvm \
    --image-family windows-2022 \
    --image-project windows-cloud \
    --machine-type e2-standard-4 \
    --zone us-east4-a \
    --network indretail-network \
    --network-tier=PREMIUM \
    --subnet indretail-public-subnet-us-east4 \
    --boot-disk-size 50GB \
    --boot-disk-type pd-ssd \
    --enable-display-device \
    --tags=bastion         

Get Password for the Windows VM

Replace <windows-vm>, <region-name> with the one that you just created.

# Get/Reset Windows VM password
gcloud compute reset-windows-password <windows-vm> --zone=<region-name>

# Make a note of the Windows username and password

# for example
gcloud compute reset-windows-password indretail-winvm --zone=us-east4-a

Reality Check:

Windows VM
Now we are all set to create Oracle Autonomous Database 23ai on Google Cloud

16. Create Oracle Autonomous Database 23ai on Google Cloud

Refer to the Autonomous Database parameters for gcloud.

gcloud parameters to create Oracle Autonomous Database

Replace the Autonomous Database <database-name>, <display-name>, <region-name>, <project-id> and <network-name>. Remember that the CIDR should be unique, so replace <cidr> as well, along with the storage size, compute count, <license-type>, <workload-type> and the sample --admin-password value.

Important: Please check the available parameters and modify accordingly.

gcloud oracle-database autonomous-databases create <database-name>  \
    --location=<region-name> \
    --display-name=<display-name> \
    --database=<database-name> \
    --network=projects/<project-id>/global/networks/<network-name> \
    --cidr=<cidr>/24 \
    --properties-data-storage-size-tb=1 \
    --properties-db-edition=enterprise-edition \
    --admin-password=123Abcdwelcome \
    --properties-compute-count=2 \
    --properties-db-version=23ai \
    --properties-license-type=<license-type> \
    --properties-db-workload=<workload-type>        

An example gcloud command to create the Autonomous Database:

gcloud oracle-database autonomous-databases create indretail23aidw \
    --location=us-east4 \
    --display-name=indretail23aidw \
    --database=indretail23aidw \
    --network=projects/adb-pm-prod/global/networks/indretail-network \
    --cidr=192.168.10.0/24 \
    --properties-data-storage-size-tb=1 \
    --properties-db-edition=enterprise-edition \
    --admin-password=123Abcdwelcome \
    --properties-compute-count=2 \
    --properties-db-version=23ai \
    --properties-license-type=bring-your-own-license \
    --properties-db-workload=DW        

Reality check:

Search for OracleDatabase@Google and select Autonomous Database

Search Oracle Database@Google cloud

We should now see our Oracle Autonomous Database 23ai created

Autonomous Database Created

17. Manage Oracle Autonomous Database in Oracle Cloud

Click on the Manage in OCI button on Google Cloud.

Manage in OCI

The Autonomous Database created in Google Cloud is now visible in Oracle Cloud.

Autonomous Database now visible on Oracle Cloud

18. Get Access Database Actions & Oracle APEX URL

If we try to click on Database actions, we will get the following error message:

Database actions uses a private IP address that is only accessible from a compute instance running with the virtual cloud network (VCN) used by the Autonomous Database. Copy and paste the following access URL into a browser running on a compute instance in the VCN        

Copy Database Actions URL

Database Actions

Click on the Tool configuration tab and copy the Oracle APEX URL.

Tool configurations
Copy the Access & Oracle APEX URLs and paste them after logging in to the remote desktop machine created on Google Cloud.

We will use RDP to access Oracle Database Actions in the next section.


19. Install Windows App and access Windows Machine using Remote Desktop

I will be installing Windows App on my Mac Machine, feel free to use any other desktop client that you would like.

Windows App is your gateway to Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs, securely connecting you to Windows devices and apps.
You can use Windows App on many different types of devices on different platforms and form factors, such as desktops and laptops, tablets, smartphones, and through a web browser. When using a web browser on a desktop or laptop, you can connect without having to download and install any software.

From Google Cloud, download the RDP file.

Download RDP

Open the downloaded RDP file from Windows App and log in; please refer to the previous sections for the username and password.

Login to RDP

Copy and paste the Database URL from the previous step.

Sign in to SQL Worksheet
SQL Worksheet login as ADMIN user

Select the SQL option to run SQL commands.

Database Actions
-- Check Database Version

SELECT * FROM V$VERSION

-- This will show Oracle Database 23ai Enterprise Edition        
Database Actions SQL worksheet

20. Access Oracle APEX and SQL Workspace

Copy and paste the Oracle APEX URL in the Windows VM.

Oracle APEX
Congratulations! We are now all set with Oracle Autonomous Database 23ai on Google Cloud (Oracle Database@Google Cloud), and we can leverage the best of both cloud worlds.

21. Oracle Database @ Google Cloud - Architecture

Architectural Diagram

Updated on Oct 17th, 2024: The products and configuration used in the reference architecture might vary during implementation. Boxes with a grey background show high-level scope considerations not covered in this article.


22. What's Next? - Coming soon

Multicloud demo Oracle Database@Google Cloud

Please check my next article on this.

Buy Pizza, Burgers, Sundae and others online
Find the best possible route to deliver Pizza, Burger and other food items


23. Conclusion

In this article, we saw how Oracle Database 23ai could be created in the Google Cloud platform, leveraging the best of both cloud worlds, Google Cloud and Oracle Cloud.

Read more on

Oracle and Google Cloud Announce a Groundbreaking Multicloud Partnership


Thanks for reading, liking and sharing

Regards, Madhusudhan Rao

Abderrahmane Abed

Oracle functional analyst at Curateur public du Québec

1 week

Thanks very good

Shivaji Mutnale

Director of IT at Master Services

2 weeks

Very informative

Viswanath Jayakumar

Senior Director Project (Freelance remote) and Consulting

1 month

Insightful!
