

# VPC Lattice for Oracle Database@AWS
<a name="vpc-lattice-oci"></a>

VPC Lattice powers AWS managed service integrations for [Oracle Database@AWS](https://docs.aws.amazon.com/odb/latest/UserGuide/what-is-odb.html) (ODB) and provides simplified connectivity between the ODB network, your AWS VPCs, and on-premises networks. To support this connectivity, VPC Lattice provisions the following entities on your behalf:

**Default service network**  
The default service network uses the naming convention `default-odb-network-randomHash`.

**Default service-network endpoint**  
There is no name for this AWS resource.

**Resource gateway**  
The resource gateway uses the naming convention `default-odb-network-randomHash`.

VPC Lattice supports AWS managed service integrations, referred to as *managed integrations* to your ODB network. By default, Oracle Cloud Infrastructure (OCI) Managed Backup to Amazon S3 is enabled. You can choose to enable self-managed access to Amazon S3 and Zero-ETL.

Once you create your ODB network, you can view the provisioned resources using the AWS Management Console or AWS CLI. The following example command lists the ODB network's default managed integrations and any other resources you might have for this service network:

```
aws vpc-lattice list-service-network-resource-associations \
        --service-network-identifier default-odb-network-randomHash
```

## Considerations
<a name="vpc-lattice-oci-considerations"></a>

The following considerations apply to VPC Lattice for Oracle Database@AWS:
+ You can't delete the default service network, service-network endpoint, resource gateway, or any ODB managed integrations provisioned by VPC Lattice. To delete these entities, delete your ODB network or disable the managed integrations.
+ Clients can only access the managed integrations in the ODB network. Clients outside the ODB network, such as in your VPCs, cannot use these managed integrations to access S3 or Zero-ETL.
+ You can't connect to any of the managed integrations outside of the ODB network provisioned by VPC Lattice.
+ All traffic to Amazon S3 goes through the default service-network endpoint and standard processing charges for accessing resources apply. All Zero-ETL traffic goes over the resource gateway and standard data processing charges for resources that you share apply. For more information, see [VPC Lattice pricing](https://aws.amazon.com/vpc/lattice/pricing/).
+ There are no hourly charges for Oracle Database@AWS managed integrations.
+ You can manage the resources provisioned by VPC Lattice just like any other service network. You can share the default service network with other AWS accounts or organizations, and add new endpoints, VPC associations, VPC Lattice services and resources to the default network.
+ The following permissions are required for VPC Lattice to provision Oracle Database@AWS resources:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowODBEC2andLatticeActions",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:CreateTags",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateOdbNetworkPeering",
        "ec2:DeleteOdbNetworkPeering",
        "ec2:ModifyOdbNetworkPeering",
        "ec2:DescribeVpcEndpointAssociations",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteVpcEndpoints",
        "ec2:DescribeVpcEndpoints",
        "vpc-lattice:CreateServiceNetwork",
        "vpc-lattice:DeleteServiceNetwork",
        "vpc-lattice:GetServiceNetwork",
        "vpc-lattice:CreateServiceNetworkResourceAssociation",
        "vpc-lattice:DeleteServiceNetworkResourceAssociation",
        "vpc-lattice:GetServiceNetworkResourceAssociation",
        "vpc-lattice:CreateResourceGateway",
        "vpc-lattice:DeleteResourceGateway",
        "vpc-lattice:GetResourceGateway",
        "vpc-lattice:CreateServiceNetworkVpcEndpointAssociation"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowSLRActionsForLattice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "vpc-lattice.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
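The permissions policy above is only as safe as its second statement: `iam:CreateServiceLinkedRole` must stay pinned to `vpc-lattice.amazonaws.com`, and the first statement should stay inside the `ec2:` and `vpc-lattice:` namespaces. The following Python is an added check, not code from the AWS documentation or the ODB service. It embeds an abridged copy of the page's policy (a few of the listed actions, so the example stays short) plus a constructed "drifted" variant, and reports any statement that loosens the service-linked-role scope or reaches outside the expected namespaces.

```python
import json

# Abridged copy of the provisioning policy from this page, reduced to a few of the
# listed actions. The second statement is the one the scope check cares about.
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowODBEC2andLatticeActions",
      "Effect": "Allow",
      "Action": ["ec2:DescribeVpcs", "ec2:CreateVpcEndpoint",
                 "vpc-lattice:CreateServiceNetwork", "vpc-lattice:CreateResourceGateway"],
      "Resource": "*"
    },
    {
      "Sid": "AllowSLRActionsForLattice",
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "*",
      "Condition": {"StringEquals": {"iam:AWSServiceName": ["vpc-lattice.amazonaws.com"]}}
    }
  ]
}
""")

# Constructed drifted variant: the iam:AWSServiceName condition was dropped and a
# broad iam:* plus an unrelated s3 action slipped in.
DRIFTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow",
     "Action": ["iam:*", "s3:ListAllMyBuckets"], "Resource": "*"}
  ]
}
""")

# Namespaces the page's policy actually needs; anything else deserves a look.
EXPECTED_ACTION_PREFIXES = ("ec2:", "vpc-lattice:")
SLR_ACTION = "iam:CreateServiceLinkedRole"
EXPECTED_SLR_SERVICE = "vpc-lattice.amazonaws.com"


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _grants_slr(actions):
    """True if any action pattern in the statement covers iam:CreateServiceLinkedRole."""
    return any(a in (SLR_ACTION, "iam:*", "*") for a in actions)


def slr_scope_findings(policy):
    """Findings for Allow statements that grant iam:CreateServiceLinkedRole without
    pinning iam:AWSServiceName to the VPC Lattice service principal."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _grants_slr(_as_list(stmt.get("Action", []))):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        services = _as_list(equals.get("iam:AWSServiceName", []))
        if services != [EXPECTED_SLR_SERVICE]:
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: {SLR_ACTION} allowed for "
                            f"{services or 'any service (no iam:AWSServiceName condition)'}")
    return findings


def unexpected_actions(policy):
    """Actions in Allow statements outside the ec2:/vpc-lattice: namespaces,
    ignoring the single iam action the page requires."""
    unexpected = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action != SLR_ACTION and not action.startswith(EXPECTED_ACTION_PREFIXES):
                unexpected.append(action)
    return unexpected


if __name__ == "__main__":
    for name, policy in (("page policy", PAGE_POLICY), ("drifted policy", DRIFTED_POLICY)):
        print(f"{name}: SLR scope findings = {slr_scope_findings(policy)}")
        print(f"{name}: unexpected actions = {unexpected_actions(policy)}")
```

Run this against the policy document you actually attach to the principal that creates ODB networks; the page's policy passes both checks, while the drifted variant is reported on both counts.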

To use VPC Lattice for Oracle Database@AWS, we recommend that you are familiar with [service networks](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-networks.html), [service-network associations](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html), and [resource gateways](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-gateway.html) in VPC Lattice.

**Topics**
+ [Oracle Cloud Infrastructure (OCI) Managed Backup to Amazon S3](vpc-lattice-oci-managed-backup.md)
+ [Amazon S3 access](vpc-lattice-oci-s3-access.md)
+ [Zero-ETL for Amazon Redshift](vpc-lattice-oci-zero-etl.md)
+ [Access and share VPC Lattice entities](vpc-lattice-oci-entities.md)

# Oracle Cloud Infrastructure (OCI) Managed Backup to Amazon S3
<a name="vpc-lattice-oci-managed-backup"></a>

When you create an Oracle Database@AWS database, VPC Lattice creates a resource configuration called `odb-managed-s3-backup-access`. This resource configuration represents an OCI managed backup of your databases to Amazon S3 and only enables connectivity to Amazon S3 buckets owned by OCI. Traffic between the ODB Network and S3 never leaves the Amazon network.

# Amazon S3 access
<a name="vpc-lattice-oci-s3-access"></a>

In addition to the OCI Managed Backup to Amazon S3, you can create a managed integration that enables access to Amazon S3 from the ODB network. When you modify the Oracle Database@AWS network to enable the Amazon S3 Access managed integration, VPC Lattice provisions a resource configuration called `odb-s3-access` in the default service network. You can use this integration to access Amazon S3 for your own needs including self-managed backups or restores. You can establish perimeter control by providing an auth policy.

## Considerations
<a name="vpc-lattice-oci-s3-access-considerations"></a>

The following are considerations for the Amazon S3 Access managed integration:
+ You can create only one Amazon S3 Access managed integration for the ODB network.
+ This managed integration enables access to Amazon S3 from the ODB network only, and not from other VPC associations or service-network endpoints in the default service network.
+ You can't access S3 buckets in different AWS Regions.

## Enable the Amazon S3 Access managed integration
<a name="vpc-lattice-oci-s3-access-create"></a>

Use the following command to enable the Amazon S3 Access managed integration:

```
aws odb update-odb-network \
  --odb-network-id odb-network-id \
  --s3-access ENABLED
```

## Secure access with an auth policy
<a name="vpc-lattice-oci-s3-access-policies"></a>

You can secure access to S3 buckets by defining an auth policy using the ODB API. The following example policy restricts access to S3 buckets owned by a specific organization: it denies all S3 actions on the listed bucket whenever the bucket's owning organization (`aws:ResourceOrgID`) is not `o-abcd1234`.

```
{
  "Version": "2012-10-17",
  "Id": "Policy1515115909152",
  "Statement": [
    {
      "Sid": "GrantAccessToMyOrgS3",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::awsexamplebucket1",
        "arn:aws:s3:::awsexamplebucket1/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceOrgID": "o-abcd1234"
        }
      }
    }
  ]
}
```

**Note**  
The `aws:SourceVpc`, `aws:SourceVpce`, and `aws:VpcSourceIp` condition keys aren't supported for S3 bucket policies when using ODB managed integrations.
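To see what the auth policy above actually does to a request, and to catch the unsupported condition keys the note lists, the following Python is an added example that is not part of the AWS documentation. It embeds the page's auth policy, a constructed bucket policy that relies on `aws:SourceVpc`, and a deliberately simplified evaluator: it models only `Effect`, `Action`, `Resource` and the `StringEquals`/`StringNotEquals` operators of Deny statements, following IAM's rule that a missing context key makes a negated operator true. Allow statements and the rest of VPC Lattice's evaluation are not modelled; the request contexts and the VPC ID are constructed sample values.

```python
import re

# Condition keys the page's note says S3 bucket policies can't rely on for
# traffic that arrives through an ODB managed integration.
UNSUPPORTED_CONDITION_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:VpcSourceIp"}

# The auth policy from this page.
AUTH_POLICY = {
    "Version": "2012-10-17",
    "Id": "Policy1515115909152",
    "Statement": [
        {
            "Sid": "GrantAccessToMyOrgS3",
            "Principal": "*",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1",
                "arn:aws:s3:::awsexamplebucket1/*",
            ],
            "Condition": {"StringNotEquals": {"aws:ResourceOrgID": "o-abcd1234"}},
        }
    ],
}

# Constructed bucket policy that leans on a key the note says isn't honoured here.
BUCKET_POLICY_WITH_VPC_KEY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": "arn:aws:s3:::awsexamplebucket1/*",
            "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}},
        }
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """IAM-style match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringNotEquals against a request context.
    A missing key makes StringEquals false and StringNotEquals true, as in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def explicit_deny(policy, action, resource, context):
    """Return the Sid of the first Deny statement matching the request, else None.
    Simplified model: Deny statements only, matched on Action, Resource and the
    two string operators above."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_wildcard_match(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wildcard_match(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return stmt.get("Sid", "<no Sid>")
    return None


def unsupported_condition_keys(policy):
    """Sorted list of condition keys in the policy that the note says aren't supported."""
    found = set()
    for stmt in policy["Statement"]:
        for pairs in stmt.get("Condition", {}).values():
            found.update(set(pairs) & UNSUPPORTED_CONDITION_KEYS)
    return sorted(found)


if __name__ == "__main__":
    obj = "arn:aws:s3:::awsexamplebucket1/backups/db1.bkp"  # constructed object ARN
    print(explicit_deny(AUTH_POLICY, "s3:GetObject", obj, {"aws:ResourceOrgID": "o-abcd1234"}))
    print(explicit_deny(AUTH_POLICY, "s3:GetObject", obj, {"aws:ResourceOrgID": "o-other9999"}))
    print(explicit_deny(AUTH_POLICY, "s3:ListBucket", "arn:aws:s3:::awsexamplebucket1", {}))
    print(unsupported_condition_keys(BUCKET_POLICY_WITH_VPC_KEY))
```

The third request shows the edge case worth remembering: a bucket with no organization ID at all (for example one outside your organization) supplies no `aws:ResourceOrgID`, so `StringNotEquals` holds and the Deny applies, which is the behaviour you want from a perimeter policy. The last call flags `aws:SourceVpc` so a bucket policy that depends on it is caught before you rely on it for ODB traffic.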

# Zero-ETL for Amazon Redshift
<a name="vpc-lattice-oci-zero-etl"></a>

You can use the service network provisioned by VPC Lattice to enable [Zero-ETL](https://docs.aws.amazon.com/redshift/latest/mgmt/zero-etl-using.html). This managed integration connects the databases in your ODB network to Amazon Redshift so that you can analyze data across different databases. You initiate the Zero-ETL setup using the AWS Glue integration APIs, and use the ODB APIs to turn on the managed integration and set up the network path. For more information, see [Zero-ETL integration with Amazon Redshift](https://docs.aws.amazon.com/odb/latest/UserGuide/zero-etl-integration.html).

## Considerations
<a name="vpc-lattice-oci-zero-etl-considerations"></a>

The following are considerations for the managed Zero-ETL integration:
+ If you enable the managed Zero-ETL integration, you can only use Zero-ETL to access instances in your ODB network. Other services and resources associated with your service network are isolated from Zero-ETL.

# Access and share VPC Lattice entities
<a name="vpc-lattice-oci-entities"></a>

You can also connect your ODB network to services, resources, and other clients in VPCs using VPC Lattice. These connectivity options are powered through the default service network, resource gateway, and service-network endpoint provisioned by VPC Lattice.

## Access VPC Lattice services and resources
<a name="vpc-lattice-oci-entities-access"></a>

To access other entities, associate services or resources that you own, or that are shared with you, with the default service network. Clients in the ODB network can then access those services or resources through the default service-network endpoint.

### Considerations
<a name="vpc-lattice-oci-entities-considerations"></a>

The following are considerations for connecting to other VPC Lattice entities:
+ You can add new service-network endpoints, VPC associations, VPC Lattice resources and services to the service network, but you can't modify the resources provisioned by VPC Lattice on behalf of the ODB network. These must be managed through the Oracle Database@AWS APIs.

## Share your ODB network through VPC Lattice
<a name="vpc-lattice-share-odb-network"></a>

You can share your ODB network resources with clients in other VPCs, accounts or on premises. To get started, create a resource configuration for the resources that you want to share. The resource configurations must use the default resource gateway for your ODB network. You can then associate the resources with your default service network.

Clients in other VPCs or AWS accounts that you've shared your service network with can access these resources through their own service-network endpoints or VPC associations. For more information, see [Manage associations for a VPC Lattice resource configuration](resource-configuration-associations.md).

### Considerations
<a name="share-odb-network-considerations"></a>

The following are considerations for sharing your ODB network:
+ We recommend only sharing ODB network instances as IP-based resources.
+ VPC Lattice doesn't support OCI's Single Client Access Name (SCAN) listener DNS.