Zero Data Loss Recovery Appliance FAQ


General

What is Oracle’s Zero Data Loss Recovery Appliance?

Oracle’s Zero Data Loss Recovery Appliance is an Oracle Engineered System purpose-built for Oracle AI Database protection and cyber resiliency. Co-developed with Oracle AI Database, Recovery Appliance delivers unique capabilities to simplify operational management, improve resource efficiencies, and reduce business risk with fast, predictable zero data loss data recovery.

Recovery automation, backup immutability, and a high availability architecture help you meet organizational requirements to protect and rapidly recover crucial data.

Is a cloud version of Recovery Appliance available?

Yes. Oracle Database Zero Data Loss Autonomous Recovery Service is a fully managed public cloud offering that leverages the same zero data loss technology along with built-in cloud automation. It runs on Recovery Appliances fully managed by Oracle cloud engineers. Recovery Service is available in Oracle’s public cloud (OCI) and multicloud environments—Oracle Database@AWS, Oracle Database@Azure, and Oracle Database@Google Cloud.

What Oracle AI Database versions are supported?

Recovery Appliance supports heterogeneous environments running Oracle Database and Oracle AI Database 26ai, Standard and Enterprise Editions.

What interface options are available with Recovery Appliance?

Oracle Enterprise Manager Cloud Control is the recommended user interface to manage and monitor the environment. The Cloud Control plug-in for Recovery Appliance provides a unified view of the entire backup lifecycle for each database, whether backups reside on disk, tape, or another Recovery Appliance.

Although Cloud Control is the recommended user interface for Recovery Appliance administration, Oracle supplies the DBMS_RA PL/SQL package as a command-line alternative. For command-line monitoring and reporting, simply query the Recovery Appliance catalog views.

Can file system data or any non-Oracle databases be backed up to Recovery Appliance?

No, Recovery Appliance is purpose-built for Oracle AI Database protection and cyber resiliency.

High availability and resiliency

What resiliency and fault tolerance are built into the appliance architecture?

Recovery Appliance, an Oracle Engineered System, delivers a resilient architecture with integrated software, compute, and storage servers and in-built Oracle Maximum Availability Architecture (MAA) best practices with no single point of failure. Based on the Oracle Exadata architecture, Recovery Appliance inherits its proven reliability, scalability, redundancy, and performance characteristics.

The Recovery Appliance is designed to be fault-isolated from the production databases it protects: it runs on its own hardware with its own administrative accounts, so a cyberattack on a production database does not by itself compromise the appliance or the backups it holds.

How does enabling real-time redo transport enhance resiliency?

Recovery Appliance has natively integrated Oracle Data Guard redo transport technology, reducing Recovery Point Objective (RPO) to less than a second instead of the time since last backup, which could be 15 minutes, a few hours, or even a full day. For continuous transaction protection and recovery without data loss, simply enable real-time redo transport on protected databases. As the database generates redo changes in memory, redo is automatically sent to Recovery Appliance, which validates the redo blocks. When a database log switch occurs, Recovery Appliance automatically creates a compressed archived log backup and catalogs it.

What happens if real-time redo transport is enabled and connectivity to the appliance is lost?

If the redo stream terminates unexpectedly, Recovery Appliance closes the incoming redo stream and creates a partial archived redo log file backup, thereby protecting transactions up to the last change received. When Recovery Appliance detects that the redo stream has restarted, it automatically retrieves all missing archived redo log files from the protected database to preserve the intended recovery window defined by the user.

If redo logs are already on the Recovery Appliance, are incremental backups still needed?

Yes. Daily incremental backups make the recovery process faster and more efficient than restoring and applying days or weeks of archived log backups during recovery.

If real-time redo transport is enabled, are archived log backups still needed?

No. Recovery Appliance protects database transactions as they occur, creating archived log backups automatically when a database log switch occurs. Since archived log backups already reside on Recovery Appliance, it eliminates the need to perform and send periodic archived log backups to the appliance.

Is a cyber vault strategy with air-gapped replication supported?

Yes, Recovery Appliance supports continuous replication for disaster recovery or high availability purposes and air-gapped replication for cyber vault configurations. Network connectivity to a Recovery Appliance deployed in a cyber vault is controlled by a firewall or gateway. This creates an “air gap” that limits the amount of time the environment is network-accessible, thereby reducing the attack surface.

Recovery Appliance’s incremental forever backup strategy helps minimize the vault’s online window since only incremental changes are replicated after an initial full backup. Use built-in access controls and Enterprise Manager to create secure configurations wherein no single user has 100% access to all environments (e.g. primary Recovery Appliance, replicas, and cyber vault). Restore to a clean room or another environment when needed.

Can backups to the Recovery Appliance be taken on a Data Guard standby database?

Yes, an incremental forever strategy can be used when backing up from the primary or standby databases. If backups are performed on both the primary and standby, each Recovery Appliance has backups and redo information for the same database. As a result, either appliance can be used for RMAN restore and recovery operations.

Security

What security best practices are built into the appliance?

Recovery Appliance platform uses a defense-in-depth architecture that follows security best practices including:

  • Minimal code footprint with a trimmed list of installed packages, so only essential services run on the appliance
  • Oracle Integrated Lights Out Manager (ILOM) for secure lights-out management
  • Audit records of all logins and configuration changes
  • Exadata disk scrubbing and Exadata checksum checks
  • Enabled firewalls (iptables) on storage servers
  • Enabled auditing of OS users
  • Enforced hardened password policies

How can Recovery Appliance minimize typical attack vectors and reduce the surface area of attack?

While deployments use a client/server architecture, connectivity is inherently minimized to only Oracle databases rather than a wide variety of applications with varying security protocols. Communication between protected databases (clients) and Recovery Appliance is orchestrated by RMAN, which controls all data movement for backup and recovery operations.

Recovery Appliance accepts incoming backups only from pre-enrolled databases, and only through an authorized virtual private catalog (VPC) user account that is created by an appliance administrator and used by the database administrator for RMAN. During ingest, every backup piece is validated (readable by RMAN) before it is stored on disk, so arbitrary files, an executable for example, are rejected because they are not valid RMAN backup pieces.

Standardizing operational management with an incremental forever backup strategy across all Oracle databases helps eliminate the overhead and risk of using diverse database scripts across the environment. Recovery Appliance delivers cloud-scale performance and scalability, enabling you to consolidate data protection for tens, hundreds, or thousands of Oracle databases, thereby reducing the surface area of attack.

Does Recovery Appliance have separation of duties and role-based access?

Yes. Recovery Appliance environments consist of three primary user groups—Cloud Control administrators, database administrators (DBAs), and Recovery Appliance administrators. The user model has a separation of duties; the roles for databases, Recovery Appliance, and for any related appliances are segregated from each other. Each user group can be granted access for tasks associated with their role—no users can access other systems that they don’t have privileges for. This allows organizations to implement security protocols such as no single user having modification rights on production and backup data.

Larger environments may include multiple Recovery Appliances with one replicating to another for disaster recovery and/or a cyber vault. Each Recovery Appliance maintains its own set of authorized users and protection policies, which may align with or differ from the upstream appliance.

Refer to the documentation for more details.

Can users with SYSDBA privileges override Recovery Appliance protection policy settings?

No. Backups of protected databases are managed throughout their lifecycle according to the protection policy defined on the Recovery Appliance. A DBA issuing RMAN DELETE OBSOLETE or DROP DATABASE INCLUDING BACKUPS could affect locally managed backups (if any) but has no effect on backups under Recovery Appliance management, whether they reside on the appliance or have been copied to alternative media.

How is root access on the appliance safeguarded?

Organizations with strict security and compliance requirements can fortify operations and reduce exposure to a single user account by requiring a user quorum for system or root access. Once configured, root access may be granted to an administrator for a defined period only if two other administrators approve the request.

Refer to the documentation to learn more about securing operations with user quorum requirements.

If Oracle Transparent Data Encryption (TDE) is implemented, what is the impact on backup storage consumption?

Recovery Appliance’s integration with TDE data formats provides the unique benefit of space-efficient data protection—databases are compressed during backup for faster performance with less storage consumption. Backup compression coupled with an incremental forever strategy helps maximize efficiency, keep backup storage consumption to a minimum, and lower overall costs.

Are backup encryption keys stored on the appliance?

No. Encryption keys for protected databases secured with TDE are managed by the database and stored in an Oracle Wallet or Oracle Key Vault.

Can Recovery Appliance enforce a requirement that all backups be encrypted?

Yes, this is an optional protection policy setting. Within the protection policy, turn on secure mode to require that all backups and redo accepted by Recovery Appliance are encrypted. The setting applies to every protected database associated with that policy.

Does Recovery Appliance support backup immutability?

Yes. Recovery Appliance protection policies enable you to set a compliance retention period in which deletion or shortening of the retention period is prohibited. Backup immutability can be further applied to archival copies sent from the appliance to OCI or ZFS regulatory compliance buckets for longer-term immutable retention periods.

For more information on backup immutability or setting policies to address legal hold requirements, refer to the documentation.
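The three policy controls described above (pre-enrolment of databases under a VPC user, secure mode, and a compliance retention window) are all set through the DBMS_RA package mentioned earlier. The following is an added example, not code from the original page or from Oracle's documentation. It is run as RASYS on the appliance catalog database; the policy name GOLD_SECURE, the database name orcl, the VPC user RAVPC1 (created beforehand with racli add vpc_user) and the 4 TB reservation are placeholders, and the exact parameter names of CREATE_PROTECTION_POLICY (in particular secure_mode, recovery_window_compliance and keep_compliance) should be confirmed against the DBMS_RA reference for your appliance release before use.

```sql
-- Added example (not from the page). Run as RASYS on the Recovery Appliance
-- catalog database. GOLD_SECURE, orcl, RAVPC1 and '4T' are placeholders;
-- confirm the CREATE_PROTECTION_POLICY parameter list against the DBMS_RA
-- reference for your release.
BEGIN
  DBMS_RA.CREATE_PROTECTION_POLICY(
    protection_policy_name     => 'GOLD_SECURE',
    description                => 'Encrypted-only backups, 14-day immutable window',
    storage_location_name      => 'DELTA',            -- default storage location
    recovery_window_goal       => INTERVAL '14' DAY,  -- disk recovery window to keep
    max_retention_window       => INTERVAL '28' DAY,  -- purge older backups beyond this
    unprotected_window         => INTERVAL '15' MINUTE, -- alert when RPO exposure exceeds this
    allow_backup_deletion      => 'NO',               -- DBAs cannot delete appliance backups
    recovery_window_compliance => INTERVAL '14' DAY,  -- window cannot be shortened or deleted
    keep_compliance            => 'YES',              -- same protection for KEEP archival copies
    secure_mode                => 'YES');             -- reject unencrypted backups and redo
END;
/

-- Enrol orcl under the policy and allow VPC user RAVPC1 to back it up.
-- Until ADD_DB and GRANT_DB_ACCESS run, the appliance rejects backups for orcl.
BEGIN
  DBMS_RA.ADD_DB(
    db_unique_name         => 'orcl',
    protection_policy_name => 'GOLD_SECURE',
    reserved_space         => '4T');
  DBMS_RA.GRANT_DB_ACCESS(
    username       => 'RAVPC1',
    db_unique_name => 'orcl');
END;
/

-- Confirm the association through the catalog views.
SELECT d.db_unique_name, d.policy_name, p.recovery_window_goal
  FROM ra_database d
  JOIN ra_protection_policy p ON p.policy_name = d.policy_name
 WHERE UPPER(d.db_unique_name) = 'ORCL';
```

With allow_backup_deletion set to NO and a compliance window in place, an RMAN session connected as RAVPC1 can still run DELETE commands against its own view of the catalog, but the appliance ignores them for backups it manages, which is the behaviour the SYSDBA question above describes.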

How is backup and restore data sent securely over the network?

Recovery Appliance uses Transport Layer Security (TLS) for end-to-end communication encryption. TLS between a Recovery Appliance and client databases uses certificates that authenticate and encrypt communication. Refer to the documentation for more details.

Can non-routable networks be used to isolate backup and restore data in transit?

Yes. Recovery Appliance supports VLAN tagging for network segregation. Use VLAN-tagged networks to isolate backup and restore traffic for protected databases that sit in non-routable network zones.

Operational management

How do protected databases connect and communicate with the appliance?

Protected databases use the Zero Data Loss Recovery Appliance Backup Module (libra) included with a standard database installation, making it easy to establish the appliance as your backup destination. This module is an Oracle-supplied SBT library that RMAN uses to transfer backup data over the network to the Recovery Appliance.
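The protected-database side of that connection, together with the real-time redo transport setup described in the resiliency section, as an added example that is not from the original page or from Oracle's documentation. It assumes a 19c Oracle home at /u01/app/oracle/product/19.0.0/dbhome_1, an appliance SCAN name ra-scan with catalog service zdlra and DB_UNIQUE_NAME zdlra, a VPC user ravpc1 whose credentials were stored in a wallet with mkstore, and a protected database whose DB_UNIQUE_NAME is orcl. All of those names are placeholders, and the PARMS string, the redo destination attributes and the requirement for a SYSOPER user matching the VPC user should be checked against the protected-database guide for your release.

```sql
-- Added example (not from the page). Run section 1 in RMAN from the protected
-- database host, e.g.: rman TARGET / CATALOG ravpc1@ra-scan:1521/zdlra:dedicated
-- Placeholders: ra-scan, zdlra, ravpc1, orcl, and the Oracle home path.
--
-- 0) Wallet holding the VPC user's credentials, created once outside RMAN:
--    mkstore -wrl /u01/app/oracle/product/19.0.0/dbhome_1/dbs/ra_wallet -createALO
--    mkstore -wrl /u01/app/oracle/product/19.0.0/dbhome_1/dbs/ra_wallet \
--        -createCredential ra-scan:1521/zdlra:dedicated ravpc1

-- 1) RMAN: send every backup through the libra.so SBT module.
CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' PARMS "SBT_LIBRARY=/u01/app/oracle/product/19.0.0/dbhome_1/lib/libra.so, ENV=(RA_WALLET='location=file:/u01/app/oracle/product/19.0.0/dbhome_1/dbs/ra_wallet credential_alias=ra-scan:1521/zdlra:dedicated')";
CONFIGURE DEFAULT DEVICE TYPE TO 'SBT_TAPE';
CONFIGURE DEVICE TYPE 'SBT_TAPE' PARALLELISM 4 BACKUP TYPE TO BACKUPSET;
CONFIGURE CONTROLFILE AUTOBACKUP ON;
REGISTER DATABASE;            -- registers orcl in the appliance's built-in catalog

-- Incremental forever: RMAN promotes the first level 1 to a level 0 when no
-- level 0 exists yet, so this one command is the only backup ever scheduled.
BACKUP DEVICE TYPE SBT CUMULATIVE INCREMENTAL LEVEL 1
  FILESPERSET 1 SECTION SIZE 64G
  DATABASE PLUS ARCHIVELOG NOT BACKED UP;

-- 2) SQL*Plus as SYSDBA on orcl: ship redo to the appliance in real time.
--    Redo transport authenticates through the password file, so the VPC user
--    needs a SYSOPER entry here with the same password as on the appliance.
CREATE USER ravpc1 IDENTIFIED BY "same_password_as_vpc_user";
GRANT SYSOPER TO ravpc1;
ALTER SYSTEM SET REDO_TRANSPORT_USER = ravpc1 SCOPE=BOTH;
ALTER SYSTEM SET LOG_ARCHIVE_CONFIG = 'DG_CONFIG=(orcl,zdlra)' SCOPE=BOTH;
ALTER SYSTEM SET LOG_ARCHIVE_DEST_2 =
  'SERVICE="ra-scan:1521/zdlra:dedicated" ASYNC NOAFFIRM DB_UNIQUE_NAME=zdlra VALID_FOR=(ONLINE_LOGFILE,ALL_ROLES)'
  SCOPE=BOTH;
ALTER SYSTEM SET LOG_ARCHIVE_DEST_STATE_2 = ENABLE SCOPE=BOTH;

-- Verify the destination is shipping: status should be VALID with no error.
SELECT dest_id, status, error FROM v$archive_dest WHERE dest_id = 2;
```

Once LOG_ARCHIVE_DEST_2 is enabled, the appliance builds archived log backups itself at each log switch, so the PLUS ARCHIVELOG clause in the daily incremental becomes unnecessary, as the FAQ notes above. ASYNC NOAFFIRM keeps the production database from waiting on the appliance; if the destination is unreachable, redo transport simply resumes and the appliance fetches the missing archived logs when connectivity returns.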

Is an Oracle Recovery Manager (RMAN) catalog required?

No. Recovery Appliance has a fully managed, built-in catalog that provides all the advantages of a RMAN catalog while also handling metadata for Recovery Appliance policies, settings, and operations. However, you can import existing RMAN catalogs into the appliance’s catalog or use the RMAN REGISTER DATABASE command.

What is the patching process for the Recovery Appliance?

Recovery Appliance releases quarterly patch bundles that include any necessary software and firmware updates. As an Oracle Engineered System, Oracle Platinum Services delivers a proactive patch deployment process to keep your appliance optimally maintained. For more information on this complimentary service and the remote patching assistance it provides, refer to My Oracle Support Doc ID 2063633.1.

During restore, do DBAs need to specify the “restore from” location (e.g. disk, tape, cloud, replica)?

No. Recovery Appliance keeps track of backups, replicas, and archival copies along with the retention associated with each, and automatically initiates the restore from the optimal source. For example, if the backup no longer resides on your local Recovery Appliance (the initial backup location) but is on a replica and on tape, the restore comes directly from the replica, as it is generally faster than tape, with no user intervention needed.

How can administrators proactively monitor the appliance health and protection status of databases?

The Recovery Appliance home page in Cloud Control provides a current overview of the environment and activity, prominently displaying any warnings, alerts, and errors. The Cloud Control incident and event notification framework is natively integrated within the appliance, enabling you to effectively manage any issues that arise and track them until resolution.

Can automatic alerts be generated to notify administrators of pressing or potential issues?

Yes. Beyond the home page dashboard, alerts can be sent to stakeholders based on user-defined parameters within the Enterprise Manager metric and collection settings page for Recovery Appliance. This page includes categories such as system health, protected databases, and storage. Administrators can modify how often metrics are collected (defaults are generally 5 or 15 minutes) and establish warning and critical thresholds to trigger alerts.

Refer to Monitoring the Recovery Appliance for more information.

Does Recovery Appliance offer out-of-the-box reports?

Yes. Recovery Appliance provides a selection of detailed and summary reports to help effectively manage, proactively plan, and keep key stakeholders informed about performance, capacity, current protection status, and risk exposure. Reports are built into Oracle Analytics Publisher and can be accessed on demand or scheduled and automatically sent to your management team.

Oracle Analytics Publisher is available as a component of the complete Oracle Analytics Server suite, or as an independently installed Oracle Analytics Publisher component. Refer to Accessing Recovery Appliance Reports for more information.

Performance and scaling

What are the minimum and maximum Recovery Appliance configurations?

A Recovery Appliance RA23 or RA23-Z base rack consists of 2 compute and 3 storage servers. Additional storage servers may be added incrementally up to a total of 17 storage servers in a full rack. A single Recovery Appliance configuration can scale up to 18 full racks with 36 compute servers and as many as 306 storage servers.

For additional details, refer to the Recovery Appliance datasheet (PDF).

What is the difference between Recovery Appliance RA23 and RA23-Z configurations?

Recovery Appliance RA23 and RA23-Z configurations are identical except for the capacity and number of High Capacity (HC) disks per storage server. A RA23 storage server delivers 92 TB of capacity with 12 HC drives. In comparison, RA23-Z storage servers are cost-optimized with 6 HC disks and 45 TB of capacity each for customers that need less capacity and throughput.

Can RA23 and RA23-Z storage servers be used in the same Recovery Appliance?

No. A single Recovery Appliance configuration must use the same storage servers: RA23 or RA23-Z. However, both can be leveraged in replicated environments—backups can be replicated from Recovery Appliance RA23 to RA23-Z or vice versa.

Does performance scale linearly as more racks are added to the configuration?

Yes. Each additional Recovery Appliance rack includes 2 compute servers, increasing available throughput and performance. For example, combining 3 racks into one Recovery Appliance configuration gives you the compute power and throughput of 6 compute servers and the capacity of 9 to 51 storage servers. While storage servers can be scaled within a single rack from a minimum of 3 up to 17, each rack always has 2 compute servers, which is all that is needed to drive operations at maximum rack capacity.

Can additional storage servers be added while the Recovery Appliance is online?

Yes. Adding Recovery Appliance storage servers does not require downtime and can be done while the appliance is online.

Can Exadata be directly connected to Recovery Appliance for faster backup/restore?

Recovery Appliance can be configured with 100 Gb top-of-rack (ToR) switches to create a dedicated backup/recovery network for Exadata-hosted protected databases. This direct connectivity helps optimize overall throughput—which is especially beneficial for large database backup volumes—and eliminate potential congestion delays from going over shared data center backup networks.

Customers with strict security requirements often use this strategy to both boost performance and isolate network traffic for their critical database applications.

How can the solution optimize performance when backing up TDE-encrypted databases?

Recovery Appliance, integrated with the TDE data format, preserves database encryption at-rest, while providing innovative compression and incremental forever backup capabilities to reduce storage consumption. Space-efficient, encrypted backups can achieve up to three times the backup storage savings and twice the backup speed compared to general purpose storage solutions—less data sent over the network and ingested on the appliance.

Replication

What replication topologies are supported?

Recovery Appliance supports most replication topologies to address disaster recovery, high availability, and cyber-resiliency requirements.

Refer to Recovery Appliance Replication or Replicating Backups with Recovery Appliance in the documentation and Strengthen Oracle AI Database Cyber Defense and Recovery with Zero Data Loss Air-Gapped Backups for insights on implementing a cyber vault strategy.

Can databases be associated with different protection policies on each appliance in replication configurations?

Yes. Protection policies are defined and managed independently on each Recovery Appliance. Every protected database must be associated with a protection policy defined on every Recovery Appliance where its backups reside—policies can use the same settings or different ones. This provides flexibility and fine-grained control in managing a database backup throughout its lifecycle, which may include multiple locations for varying durations. Backup copies to alternative media may be created on demand or scheduled from any appliance with user-defined retention settings for the copies.

Recovery Appliance catalogs are periodically synchronized automatically, making restores seamless without the need to designate the location where backups currently reside.

Is replication configured by protected database or policy?

Replication is configured at the protection policy level and all backups for protected databases associated with that policy are replicated to the defined downstream appliance. Whether replicating to another appliance for disaster recovery/high availability purposes or to a cyber vault, Recovery Appliance automates the process without the need for user-defined schedules at the policy or database level.

At what interval are backups replicated?

Incoming RMAN backups are automatically and immediately replicated upon receipt without having to be fully ingested on the upstream appliance. Each Recovery Appliance independently validates and catalogs all backups—catalogs are automatically synchronized during periodic background processes. If real-time redo transport is enabled, when a database log switch occurs, the upstream appliance creates an archived log backup which is then replicated.

In cyber vault configurations that have air-gapped network connectivity, Recovery Appliance automatically sends backups when the vault is online and queues backups during closed access periods.

How is connectivity controlled in air-gapped cyber vault configurations?

Oracle Enterprise Manager provides a unified dashboard for your entire Oracle deployment including management, monitoring, and alerting for Recovery Appliance. In cyber vault configurations, best practice guidance is to leverage a separate Enterprise Manager installation for management isolation from production environments.

Opening and closing vault connectivity can be coordinated with Recovery Appliance replication to minimize the amount of time it’s online. A time-based circuit breaker can also be added to the replication gateway to minimize human error that could leave the gateway open for longer than required.

For additional best practices, please refer to Zero Data Loss Recovery Appliance Cyber Security Architecture.

Can backups be replicated between Recovery Appliance RA23 and RA23-Z?

Yes. Any Recovery Appliance, whether running on RA23, RA23-Z, or a previous generation, can replicate to another Recovery Appliance in any supported replication topology.

Refer to the documentation for more information on replication.

Backup copies

What alternative storage solutions are integrated with the appliance for long-term retention?

Recovery Appliance makes it easy to create a robust, multitiered backup strategy with your choice of integrated alternative media including tape, local disk storage, and/or cloud storage:

  • Tape: Oracle’s tape backup software is pre-installed, so you can implement a tape backup strategy without the added cost of separate media management software; tape devices are attached directly to the appliance over Fibre Channel. Alternatively, you can install a third-party backup software module (SBT) to send backup copies over the network to its media server with attached tape drives.
  • Local disk storage: You can use a ZFS Storage Appliance presenting the Oracle Cloud Infrastructure (OCI) Object Storage API as a secondary storage tier.
  • Cloud: Archive backup copies to OCI Object Storage with the cloud backup SBT module.

How is retention managed and how are older backups purged for archival backup copies?

Recovery Appliance automatically manages backup retention for archival backup copies created on demand or via schedules on the appliance based on user-defined parameters set within the protection policy.

Can KEEP UNTIL or FOREVER type backup copies be generated periodically for compliance needs?

Yes. Many companies have compliance requirements to keep month- or year-end backups for specific periods of time that are beyond standard retention policies. With Recovery Appliance, you can create on demand or schedule an archival backup copy with a specific recovery point and keep until period (e.g., 7 years) to be sent to tape or cloud for long-term storage.

Refer to documentation regarding archival copies for more information.