Oracle RDS Tunnel Setup Guide

Follow these instructions to replicate your Oracle RDS database to your destination through your SSH Tunnel.

Prerequisites

To connect your Oracle database to Fivetran, you need:

Oracle 11g or above
IP (e.g. 1.2.3.4) or host (your.server.com)
Port (usually 1521)

Enable access

The Fivetran data processing servers will need access to your database server. You will need to configure your VPC Security Groups and Network ACLs (Access Control Lists) to allow incoming connections to your Oracle database host and port (usually 1521) from your SSH tunnel server's IP address

Configure security group

These instructions assume that your instance is in a VPC.

Expand the instance by clicking on the Oracle instance and click the Configuration Details tab:

A panel of details for your read replica will appear.

rds-configuration_tab

Check that Publicly Accessible reads Yes.

rds-publicly-accessible

Write down the read instance's port number (you will need this later), then click the link to its Security Group:

rds-instance-details

In the security group panel, select the "Inbound" tab:

rds-select-inbound-tab

Click edit:

rds-inbound-click-edit

Click "Add Rule":

rds-inbound-click-add-rule

A new Custom TCP Rule gets created at the bottom of the list with a blank space for a Port Range and a Source IP address. For the Port, enter your instance's port number that you wrote down earlier (usually 1521). For the Source, enter a Custom IP of {your-ssh-tunnel-server-ip-address}/32:

rds-inbound-add-rule

Click "Save":

rds-inbound-click-save

Step 3a Configure Network ACLs

Return to the RDS Dashboard and expand the view on the instance:

rds-expand-instance

Click the link to the instance's VPC:

rds-click-vpc

Select the VPC:

rds-select-vpc

In the "Summary" tab, click the "Network ACL" link:

rds-click-network-acl

You will see tabs for Inbound Rules and Outbound Rules. We will need to edit both.

Step 3b Edit inbound rules

Select "Inbound Rules":

rds-click-inbound-rules

If you have a default VPC that was automatically created by AWS, then the settings already allow all incoming traffic as indicated by the Source value 0.0.0.0/0 and the fact that the ALLOW entry is listed above the DENY entry:

rds-all-are-allowed

If your inbound rules don't include an ALL - 0.0.0.0/0 - ALLOW entry, edit the rules to allow {your-ssh-tunnel-server-ip-address}/32 to access the port number of your read replica (usually 5432). Help on ACL configuration can be found here.

Step 3c Edit outbound rules

Select "Outbound Rules":

rds-click-outbound-rules

If your outbound rules don't include an ALL - 0.0.0.0/0 - ALLOW entry, edit the rules to allow outbound traffic to all ports 1024-65535 for destination {your-ssh-tunnel-ip-address}/32

Documentation