Amazon RDS for Oracle Destination Setup Guide Private Preview

Follow our setup guide to connect Amazon RDS for Oracle database as a destination to Fivetran.

Prerequisites

To connect Amazon RDS for Oracle to Fivetran, you need the following:

An Amazon RDS for Oracle database v19c or higher
Your database host's IP address (for example, 1.2.3.4) or domain (your.server.com)
Your database's port (usually 1521 for unencrypted connections and 2484 for connections encrypted using SSL or TLS)
A Fivetran role with the Create Destinations or Manage Destinations permissions

Setup instructions

Choose your deployment model

Before setting up your destination, decide which deployment model best suits your organization's requirements. This destination supports both SaaS and Hybrid deployment models, offering flexibility to meet diverse compliance and data governance needs.

See our Deployment Models documentation to understand the use cases of each model and choose the model that aligns with your security and operational requirements.

You must have an Enterprise or Business Critical plan to use the Hybrid Deployment model.

Choose connection method

Decide whether to connect Fivetran to your Oracle database directly or using an SSH tunnel.

Connect directly (TLS required)

This is the simplest connection method where Fivetran connects directly to your Oracle database. To enable a direct connection, configure your firewall and any other access control systems to allow incoming connections to your Oracle database host and port (usually 1521) from Fivetran IP addresses for your region. The exact steps depends on how your Oracle database is hosted — whether on a cloud platform, on-premises, or in a hybrid environment.

You must enable TLS on your database to connect to Fivetran directly. You can do this either with a client wallet or without a client wallet, depending on your database configuration.

Connect via SSH (TLS optional)

In this connection method, Fivetran connects to a separate server in your network that provides an SSH tunnel to your Oracle database. You must use SSH if your database resides in an inaccessible subnet.

To connect using an SSH tunnel, follow our SSH connection instructions.

If you also want to enable end-to-end encryption with TLS, see the setup instructions for TLS with a client wallet or without a client wallet in Oracle documentation.

Allow Fivetran to access your database

Grant our data processing servers access to your database server. The steps depend on whether your database instance is inside a Virtual Private Cloud (VPC):

If your instance is in a VPC, configure the VPC security groups and network access control lists (ACLs) to allow incoming connections from Fivetran IP addresses.
If your instance is not in a VPC, you only need to configure the security groups to allow access from Fivetran IP addresses.

Configure security group

These instructions assume that your database instance is in a VPC. If your database instance is not in a VPC, you can still follow them as configuring a security group outside a VPC follows a nearly identical process.

Log in to your Amazon RDS dashboard.
Select the database instance you want to connect to Fivetran.
A panel of details for your Oracle instance appears. In the Connectivity & security section, find the database's port number and make a note of it. You will need the port number to configure Fivetran.
(If you're connecting directly) In the Security column, verify that the Public Accessibility value is Yes.
IMPORTANT: If you're connecting using an SSH tunnel, skip this step. You do not have to make your database publicly accessible.
Click the link to your database's security group.
On the Security Groups page, click on the security group ID.
On the Inbound tab, click Edit inbound rules.
Click Add Rule. This creates a new Custom TCP Rule at the bottom of the list.
Fill in the new Custom TCP Rule.
- In the Port Range field, enter your database's port number that you copied in step 2 of this section (usually 1521).
- What you enter in the Source Custom IP field depends on whether you're connecting directly or using an SSH tunnel.
  - If you're connecting directly, enter Fivetran's IPs for your database's region.
  - If you're connecting using an SSH tunnel, enter {your-ssh-tunnel-server-ip-address}/32.
- (Optional) Enter a brief description in the Description field.
Click Save rules.

Configure network ACLs (VPCs only)

If your database is not in a VPC, skip to the next step.

Return to the instance details page.
In the Connectivity and security section, click the link to the VPC.
On the Your VPCs page, click the VPC ID.
In the Details section, click the Main network ACL link.
Click the Network ACL ID.
Select the Inbound Rules tab.
If you have a default VPC that was automatically created by AWS, the settings already allow all incoming traffic. To verify that the settings allow incoming traffic, confirm that the Source value is 0.0.0.0/0 and that the ALLOW entry is listed above the DENY entry.
If your inbound rules don't include an ALL - 0.0.0.0/0 - ALLOW entry, edit the rules to allow the Source to access the port number of your database instance. (The port will be 1521 for direct connections, unless you changed the default.) For additional help, see Amazon documentation.
- If you are connecting directly, enter Fivetran IPs for your database's region.
- If you are connecting using an SSH tunnel, enter {your-ssh-tunnel-server-ip-address}/32.

Create Fivetran user

Connect to your Oracle database as an Admin user with the SYSDBA privilege.
Create a Fivetran user in the pluggable database (PDB).
Grant the following privileges to the Fivetran user to enable full access for setup, data operations, and testing within the PDB:
- CREATE USER: Allows creation of users and schemas within the PDB.
- DROP USER: Allows deletion of created users and schemas, and is required for setup tests.
- CREATE ANY TABLE: Allows creation of tables in any schema within the PDB.
- DROP ANY TABLE: Allows deletion of tables in any schema within the PDB.
- ALTER ANY TABLE: Allows modification of tables in any schema.
- DELETE ANY TABLE: Allows deletion of data from tables in any schema.
- UPDATE ANY TABLE: Allows updating of data in tables across schemas.
- SELECT ANY TABLE: Allows reading data from tables in any schema.
- CREATE ANY INDEX: Allows creation of indexes in any schema. This privilege is required for creating primary keys.
- DROP ANY INDEX: Allows deletion of indexes, including those created for primary keys.
- INSERT ANY TABLE: Allows inserting data into tables in any schema.
- UNLIMITED TABLESPACE: Allows writing data to tables without tablespace usage restrictions.
The ANY privileges are required because the Fivetran user cannot write data to the schema it creates by default. To allow the user to read from and write to its own schema, you must grant the privileges listed above.

Complete Fivetran configuration

Log in to your Fivetran account.
Go to the Destinations page and click Add destination.
Enter a Destination name of your choice and then click Add.
Select Amazon RDS for Oracle as the destination type.
Enter a Destination schema prefix of your choice. Fivetran will apply this prefix to every replicated schema.
You cannot change the prefix after setting up the connection.
In the Host field, enter your database's host URL (for example, abc.xyz.us-east-1.rds.amazonaws.com).
Enter the Port number for your database. The default is usually 1521 for unencrypted connections and 2484 for connections secured with SSL or TLS encryption.
Enter the username of the Fivetran User you created.
In Oracle, usernames are case-sensitive. Make sure you enter the exact username in this field.
Enter the Password for the Fivetran user you created.
Enter the name of the Database you want to use as your destination.
(Enterprise and Business Critical accounts only) Select the deployment model of your choice:
- SaaS Deployment
- Hybrid Deployment
If you choose Hybrid Deployment, select an existing Hybrid Deployment Agent in the Select an exising agent drop-down menu or configure a new agent.

For more information about configuring a new agent, see our Hybrid Deployment setup guides.

(Not applicable to Hybrid Deployment) Choose your Connection method:
- Connect directly
- Connect via an SSH
If you selected Connect via an SSH tunnel as the connection method, enter the following information:
- SSH hostname (do not use a load balancer's IP address or hostname)
- SSH port
- SSH user
- If you enabled TLS on your database, set the Require TLS through Tunnel toggle to ON
(Not applicable to Hybrid Deployment) Choose the Data processing location. Depending on the plan you are on and your selected cloud service provider, you may also need to choose a Cloud service provider and cloud region as described in our Destinations documentation.
Choose your Timezone.
(Optional for Business Critical accounts and SaaS Deployment) To enable regional failover, set the Use Failover toggle to ON, and then select your Failover Location and Failover Region. Make a note of the IP addresses of the secondary region and safelist these addresses in your firewall.
Click Save & Test.

Fivetran tests and validates the Amazon RDS for Oracle destination connection. On successful completion of the setup tests, you can sync your data using Fivetran connectors to the Amazon RDS for Oracle destination.

In addition, Fivetran automatically configures a Fivetran Platform Connector to transfer the connection logs and account metadata to a schema in this destination. The Fivetran Platform Connector enables you to monitor your connections, track your usage, and audit changes. The connector sends all these details at the destination level.

Setup tests

Fivetran performs the following Amazon RDS for Oracle connection tests:

The Connecting to SSH Tunnel Test validates the SSH tunnel details you provided in the setup form and checks whether Fivetran can connect to your database through the tunnel. We skip this test if you are not using an SSH tunnel.
The Connecting to Host Test validates the database credentials you provided in the setup form. It also verifies that the database host is publicly accessible and checks connectivity to the host.
The Validating Certificate Test prompts you to select the TLS certificate Fivetran should use. Once selected, it validates the certificate and checks if a secure TLS connection to your database can be established. We skip this test if you chose to connect through an SSH tunnel and set the Require TLS through Tunnel toggle to OFF.
The Validating Database Version Test verifies that your Oracle database version is 19c. The test passes only if the version matches.
The Permission Test checks whether the Fivetran user has the permissions to do the following:
- Create a user
- Create a table with a primary key
- Create staging temporary tables
- Insert a record into the main table
- Run a MERGE query
- Update and delete a record
- Drop the table and schema
- Alter the schema

The tests may take a few minutes to finish running.

Destination Overview

API Destination Configuration

Documentation Home