This document provides a reference architecture to help you build theinfrastructure to run Oracle PeopleSoft applications on Compute EngineVMs with low-latency connectivity toOracle Database@Google Cloud (Oracle CloudInfrastructure Exadata databases that run within Google Cloud). OraclePeopleSoft is a suite of enterprise applications for human capital management,campus solutions, and enterprise resource planning.

The intended audience for this document is cloud architects and administratorsof Oracle databases and Oracle PeopleSoft applications. The document assumesthat you're familiar with Oracle PeopleSoft applications and Oracledatabases.

Architecture

The following diagram shows an architecture where Oracle PeopleSoft applicationsrun on Compute Engine VMs in a Google Cloudregion and use Oracle Exadata databases in the same Google Cloud region.

The architecture in the preceding diagram includes the following components:

Products used

This reference architecture uses the following Google Cloud products:

• Compute Engine: A secure and customizable compute service that lets youcreate and run VMs on Google's infrastructure.
• Cloud Load Balancing: A portfolio of high performance, scalable, global andregional load balancers.
• Google Cloud Armor: A network security service that offers web applicationfirewall (WAF) rules and helps to protect against DDoS and application attacks.
• Virtual Private Cloud (VPC): A virtual system that provides global, scalablenetworking functionality for your Google Cloud workloads. VPC includesVPC Network Peering, Private Service Connect, private services access, andShared VPC.
• Cloud Interconnect: A service that extends your external network to theGoogle network through a high-availability, low-latency connection.
• Partner Interconnect: A service that provides connectivity betweenyour on-premises network and your Virtual Private Cloud networks and other networksthrough a supported service provider.
• Cloud VPN: A service that securely extends your peer network to Google'snetwork through an IPsec VPN tunnel.
• Cloud NAT: A service that provides Google Cloud-managedhigh-performance network address translation.
• Backup and DR Service: A secure, centrally-managed backup and recovery servicefor Google Cloud workloads that helps protect backup data from malicious oraccidental deletion.
• Cloud DNS: A service that provides resilient, low-latency DNS servingfrom Google's worldwide network.

This reference architecture uses the following Oracle products:

• Oracle PeopleSoft: A suite of enterprise applications for human capital management, campussolutions, and enterprise resource planning.
• Exadata Database Service on Dedicated Infrastructure: A service that letsyou run Oracle Database instances on Exadata hardware that's dedicated for you.
• VCN and subnets: A VCN is a virtual and private network for resources in an OCIregion. A subnet is a contiguous range of IP addresses with a VCN.
• Dynamic Routing Gateway: A virtual router for traffic between a VCN and externalnetworks.
• Object Storage: A service for storing large amounts of structured andunstructured data as objects.
• Service Gateway: A gateway to let resources in a VCN access specific Oracleservices privately.

You're responsible for procuring licenses for the Oracle products that youdeploy in Google Cloud, and you're responsible for complying with theterms and conditions of the Oracle licenses.

Design considerations

This section describes design factors, best practices, and designrecommendations that you should consider when you use this referencearchitecture to develop a topology that meets your specific requirements forsecurity, reliability, operational efficiency, cost, and performance. When youbuild the architecture for your workload, also consider the best practices andrecommendations in theGoogle Cloud Well-Architected Framework.

• Availability of Google Cloud services in each region. For moreinformation, seeProducts available by location.
• Availability of Compute Engine machine types in each region. Formore information, seeRegions and zones.
• End-userlatency requirements.
• Cost of Google Cloud resources.
• Cross-regional data transfer costs.
• Regulatory requirements.
• Sustainability requirements.

Some of these factors and requirements might involve trade-offs. Forexample, the most cost-efficient region might not have the lowestcarbon footprint. For more information, seeBest practices for Compute Engine regions selection.

Database migration

When you plan to migrate on-premises databases to Oracle Database@Google Cloud,assess your current database environment and get configuration and sizingrecommendations by using theDatabase Migration Assessment (DMA) tool.

For information about the procedure and tools that you can use to migrate Oracledatabases to Google Cloud, see theOracle Migration Methods Advisor.

Before you use the migrated databases in a production environment, verifyconnectivity from your applications to the databases.

Storage options

For the Compute Engine VMs in the architecture, you can useHyperdisk orPersistent Disk boot volumes. Hyperdisk volumes provide better performance,flexibility, and efficiency than Persistent Disk. WithHyperdisk Balanced,you can provision IOPS and throughput separately and dynamically, which lets youtune the volume to a wide variety of workloads.

To store application binaries, useFilestore.Files that you store in aFilestore Regional instance are replicated synchronously across three zones within theregion.This replication helps to ensurehigh availability and robustness against zone outages. For robustness against region outages, youcan replicate a Filestore instance to a different region. Formore information, seeInstance replication.

When you design storage for your workloads, consider the functionalcharacteristics of the workloads, resilience requirements, performanceexpectations, and cost goals. For more information, seeDesign an optimal storage strategy for your cloud workload.

Oracle Database@Google Cloud network design

Choose a network design that meets your business and technical requirements. Forexample, you can use a single VPC network or multiple VPC networks. For moreinformation, seeLearn about selecting network topologies for Oracle Database@Google Cloud.

When you assign IP address ranges for the client and backup subnets to be usedfor the Exadata VM Clusters, consider the minimum subnet size requirements. Formore information, seePlan for IP Address Space in Oracle Database@Google Cloud.

Security, privacy, and compliance

This section describes factors to consider when you use this referencearchitecture to design a topology in Google Cloud that meets the securityand compliance requirements of your workloads.

Protection against external threats

To protect your application against threats like distributed-denial-of-service(DDoS) attacks and cross-site scripting (XSS), you can use Google Cloud Armorsecurity policies. Each policy is a set of rules that specifies certainconditions that should be evaluated and actions to take when the conditions aremet. For example, a rule could specify that if the source IPaddress of the incoming traffic matches a specific IP address or CIDR range,then the traffic must be denied. You can also apply preconfigured webapplication firewall (WAF) rules. For more information, seeSecurity policy overview.

External access for VMs

In the reference architecture that this document describes, theCompute Engine VMs don't need inbound access from the internet. Don'tassignexternal IP addresses to the VMs. Google Cloud resources that have only a private, internal IPaddress can still access certain Google APIs and services by usingPrivate Service Connect or Private Google Access. For moreinformation, seePrivate access options for services.

To enable secure outbound connections from Google Cloud resources thathave only private IP addresses, like the Compute Engine VMs in thisreference architecture, you can useSecure Web Proxy orCloud NAT.

For the subnets that are used by the Exadata VMs, Oracle recommends that youassign private IP address ranges.

Service account privileges

For the Compute Engine VMs in the architecture, instead of using thedefault service accounts, we recommend that you create dedicated serviceaccounts and specify the resources that the service account can access. Thedefault service account has a broad range of permissions, including some thatmight not be necessary. You can tailor dedicated service accounts tohave only the essential permissions. For more information, seeLimit service account privileges.

SSH security

To enhance the security of SSH connections to the Compute Engine VMs inyour architecture, implementIdentity-Aware Proxy (IAP) andCloud OS Login API.IAP lets you control network access based on user identity andIdentity and Access Management (IAM) policies. Cloud OS Login API lets you controlLinux SSH access based on user identity and IAM policies. Formore information about managing network access, seeBest practices for controlling SSH login access.

Data encryption

By default, the data that's stored in Hyperdisk,Persistent Disk, and Filestore is encrypted usingGoogle-owned and Google-managed encryption keys. As an additional layer of protection,you can choose to encrypt the Google-owned and managed key by usingkeys that you own and manage in Cloud Key Management Service (Cloud KMS). For moreinformation, seeAbout disk encryption for Hyperdisk and Persistent Disk volumes andEncrypt data with customer-managed encryption keys for Filestore.

By default, Exadata databases useTransparent Data Encryption (TDE),which lets you encrypt sensitive data that's stored in tables and tablespaces.

Network security

To control network traffic between the resources in the architecture, you mustconfigure appropriateCloud Next Generation Firewall (NGFW) policies.

For the web server VMs, ensure that the ingress policy's source field includes the following:

• The CIDR of the load balancer'sproxy-only subnet.
• The CIDR blocks of thehealth check probes.

Oracle Exadata security and compliance

Oracle Exadata Database Service includes Oracle Data Safe, which helps youmanage security and compliance requirements for Oracle databases. You can useOracle Data Safe to evaluate security controls, monitor user activity, and masksensitive data. For more information, seeManage Database Security with Oracle Data Safe.

More security considerations

When you build the architecture for your workload, consider the platform-levelsecurity best practices and recommendations that are provided in theEnterprise foundations blueprint andGoogle Cloud Well-Architected Framework: Security, privacy, and compliance.

Reliability

This section describes design factors to consider when you use this referencearchitecture to build and operate reliable infrastructure for your deployment inGoogle Cloud.

Robustness of the application layer against VM failures

If one of two VMs that host each Oracle PeopleSoft component fails, theapplication continues to be available. Requests are routed to the other VM.

Sometimes a VM might be running and available, but there might be issues withthe Oracle Peoplesoft component itself. The component might freeze, crash, ornot have enough memory. In these scenarios, the VM won't respond toload-balancer health checks, and the load balancer won't route traffic to theunresponsive VM.

Robustness against zone or region outages

If a zone or region outage occurs, the application is unavailable. To reduce thedowntime caused by such outages, you can implement the following approach:

• Maintain a passive (failover) replica of the application stack in anotherGoogle Cloud region or zone.
• Create a standby Exadata Infrastructure instance with the required ExadataVM Clusters in the same zone that has the passive replica of the applicationstack. UseOracle Active Data Guard for data replication and automatic failover to the standby Exadatadatabases. If your application needs a lower recovery point objective (RPO),you can back up and recover the databases by usingOracle Autonomous Recovery Service.
• If an outage occurs in the primary region or zone, use the database replicaor backup to restore the database to production and to activate theapplication in the failover region or zone.
• If the passive replica is in a different region, useCloud DNS routing policies to route traffic to the external load balancer in that region.

For more information, seeOracle Maximum Availability Architecture (MAA) for Oracle Database@Google Cloud.

Oracle manages the infrastructure in Oracle Database@Google Cloud. For informationabout the service level objectives (SLOs) for Oracle Exadata Database Service onDedicated Infrastructure, seeService Level Objectives for Oracle PaaS and IaaS Public Cloud Services.

VM capacity planning

To make sure that capacity for Compute Engine VMs is available when VMsneed to be provisioned, you can createreservations. A reservation providesassured capacity in a specific zone for a specified number of VMs of a machinetype that you choose. A reservation can be specific to a project, or sharedacross multiple projects. For more information about reservations, seeChoose a reservation type.

Oracle Exadata capacity

You can scale Exadata Infrastructure by adding database servers and storageservers as needed. After you add the required database servers or storageservers to Exadata Infrastructure, to be able to use the additional CPU orstorage resources, you must add the capacity to the associated Exadata VMcluster. For more information, seeScaling Exadata Compute and Storage.

Data durability

You can use Backup and DR Service to create, store, and manage backups ofCompute Engine VMs. Backup and DR stores backup data in itsoriginal, application-readable format. When required, you can restore workloadsto production by directly using data from long-term backup storage withouttime-consuming data-movement or preparation activities. For more information,seeBackup and DR for Compute Engine instance backups.

To ensure the durability of data in your Filestore instances, youcan createbackups and snapshots of the instance or useBackup and DR for Filestore and file systems.

By default, backups of databases in Oracle Exadata Database Service onDedicated Infrastructure are stored in OCI Object Storage. To achieve a lowerRPO, you can backup and recover the databases by usingOracle Autonomous Recovery Service.

More reliability considerations

When you build the cloud architecture for your workload, review thereliability-related best practices and recommendations that are provided in thefollowing documentation:

• Google Cloud infrastructure reliability guide
• Patterns for scalable and resilient apps
• Designing resilient systems
• Google Cloud Well-Architected Framework: Reliability

Cost optimization

This section provides guidance to optimize the cost of setting up and operatinga Google Cloud topology that you build by using this referencearchitecture.

VM machine types

To help you optimize the resource utilization of your VM instances,Compute Engine providesmachine type recommendations.Use the recommendations to choose machine types that match your workload'scompute requirements. For workloads with predictable resource requirements, youcan customize the machine type to your needs and save money by usingcustom machine types.

Oracle product licenses

You're responsible for procuring licenses for the Oracle products that youdeploy on Compute Engine, and you're responsible for complying with theterms and conditions of the Oracle licenses. For more information, seeLicensing Oracle Software in the Cloud Computing Environment.

Oracle Exadata database licensing

When you create an Exadata VM Cluster, you can either bring your own license(BYOL) or use a license that you purchased as part of yourGoogle Cloud Marketplace order for Oracle Database@Google Cloud.

Networking charges for data transfer between your applications and OracleExadata databases that are within the same region are included in the price ofthe Oracle Database@Google Cloud offering.

More cost considerations

When you build the architecture for your workload, also consider the generalbest practices and recommendations that are provided inGoogle Cloud Well-Architected Framework: Cost optimization.

Operational efficiency

This section describes the factors to consider when you use this referencearchitecture to design a Google Cloud topology that you can operateefficiently.

Oracle Linux images

For your VMs, you can useOracle Linux images that are available in Compute Engine or you canimport Oracle Linux images that you build and maintain.

You can also create and usecustom OS images that include the configurations and software that your applications require.Group your custom images into a custom image family. An image family alwayspoints to the most recent image in that family, so your instance templates andscripts can use that image without you having to update references to a specificimage version. Regularly update your custom images to include the securityupdates and patches that are provided by the OS vendor.

Oracle Exadata database administration

Oracle manages the physical database servers, storage servers, and networkinghardware in Oracle Exadata Database Service on Dedicated Infrastructure. You canmanage the Exadata Infrastructure instances and the Exadata VM Clusters throughthe OCI or Google Cloud interfaces. You create and manage databasesthrough the OCI interfaces. The Google Cloud console pages forOracle Database@Google Cloud include links that you can use to go directly to therelevant pages in the OCI console. To avoid the need to sign in again to OCI,you can configureidentity federation between OCI and Google Cloud.

Observability for Oracle applications

To implement observability for Oracle workloads deployed in Google Cloud,you can useGoogle Cloud Observability services orOracle Enterprise Manager.Choose an appropriate monitoring strategy depending on your requirements andconstraints. For example, if you run other workloads in Google Cloud inaddition to Oracle workloads, then you can use Google Cloud Observability services tobuild a unified monitoring dashboard for all of the workloads.

Oracle documentation and support

Oracle products that run on Compute Engine VMs have similar operationalconcerns as Oracle products that run on-premises. However, you don't need tomanage the underlying compute, networking, and storage infrastructure. Forguidance about operating and managing Oracle products, see the relevant Oracledocumentation.

For information about Oracle's support policy for Oracle Database instancesthat you deploy in Google Cloud, seeOracle Database Support for Non-Oracle Public Cloud Environments (Doc ID 2688277.1).

More operational considerations

When you build the architecture for your workload, consider the general bestpractices and recommendations for operational efficiency that are described inGoogle Cloud Well-Architected Framework: Operational excellence.

Performance optimization

This section describes the factors to consider when you use this referencearchitecture to design a topology in Google Cloud that meets theperformance requirements of your workloads.

Compute performance

Compute Engine offers a wide range of predefined and customizablemachine types for the workloads that you run on VMs. Choose an appropriatemachine type based on your performance requirements. For more information, seeMachine families resource and comparison guide.

Network performance

Compute Engine has a per-VM limit for egressnetwork bandwidth.This limit depends on the VM's machine type and whether traffic is routedthrough the same VPC network as the source VM. For VMs withcertain machine types, you can get a higher maximum egress bandwidth by enablingTier_1 networking. For more information, seeConfigure per VM Tier_1 networking performance.

Network traffic between the application VMs and the Oracle Exadatanetwork is routed through a low-latency Partner Interconnectconnection that Google sets up.

Exadata Infrastructure usesRDMA over Converged Ethernet (RoCE) for high bandwidth and low latency networking among its database servers andstorage servers. The servers exchange data directly in main memory withoutinvolving the processor, cache, or operating system.

To optimize the latency between your application and the database, deploy theapplication in the same zone where you create the Exadata Infrastructureinstance.

More performance considerations

When you build the architecture for your workload, consider the general bestpractices and recommendations that are provided inGoogle Cloud Well-Architected Framework: Performance optimization.

What's next

• Cloud Transformation with Google Cloud and Oracle
• Oracle documentation
  • Overview of Oracle Database@Google Cloud
  • Oracle Maximum Availability Architecture (MAA) for Oracle Database@Google Cloud
  • Plan for IP Address Space in Oracle Database@Google Cloud
  • Learn about selecting network topologies for Oracle Database@Google Cloud
  • Deploy Oracle Database@Google Cloud
  • Oracle MAA Reference Architectures
• Google documentation
  • Oracle Database@Google Cloud overview
  • Available configurations for Oracle Database@Google Cloud
  • Migrate Oracle-based applications to Google Cloud and simplify operations
• For more reference architectures, diagrams, and best practices, explore theCloud Architecture Center.

Contributors

Author:Kumar Dhanagopal | Cross-Product Solution Developer

Other contributors:

• Andy Colvin | Database Black Belt Engineer, Oracle on Google Cloud
• Balazs Pinter | Staff Partner Solutions Architect
• Biju Narayanan | Senior Director, Applications Development (Oracle)
• Bikash Kar | Project Leader, Application Development (Oracle)
• Celia Antonio | Database Customer Engineer
• Charles Elliott | Head of Industry Architects
• Gustavo Jimenez | Senior Staff Partner Solutions Architect
• Hari G I | Senior Principal Software Engineer (Oracle)
• Jignesh Patel | Customer Engineer
• Jon Pawlowski | Partner Engineer
• Karteek Kotamsetty | Lead Customer Engineer
• Kenny He | Customer Engineer, Data Specialist
• Majed Al-Halaseh | Customer Engineer, Infrastructure Modernization
• Marc Fielding | Data Infrastructure Architect
• Maria Zuliani | Customer Engineer, Database Specialist
• Michelle Burtoft | Senior Product Manager
• Nelson Gonzalez | Product Manager
• Sean Derrington | Group Product Manager, Storage