Oracle Database at Azure
Setup, Architecture & What's Different from AWS
Same Exadata. Completely Different Architecture.
If you read our Oracle Database at AWS guide, you already understand the concept: Oracle Exadata hardware physically inside a cloud provider's data center, managed by Oracle, connected to your workloads via a private network link.
Oracle Database at Azure (ODP — Oracle Database Service for Azure) follows the same model. But almost everything underneath is different: the networking uses Azure ExpressRoute instead of a VPC endpoint, identity uses Microsoft Entra ID (formerly Azure AD) instead of AWS IAM, billing integrates into your Azure invoice rather than a separate Oracle invoice, and the latency profile, support boundaries, and deployment regions are all distinct.
This guide walks you through the architecture differences, step-by-step provisioning via both Azure Portal and CLI, networking setup with Azure Virtual Network peering, Entra ID integration, pricing comparison against Azure SQL and the AWS equivalent, and an honest assessment of when Oracle Database@Azure beats Oracle Database@AWS and vice versa.
🎯 Who This Is For
Cloud architects and DBAs evaluating Oracle Database@Azure for workloads already on Microsoft Azure — particularly those running .NET applications, Power BI, Azure Data Factory, or Azure Kubernetes Service that need an Oracle backend.
What Is Oracle Database at Azure (ODP)?
Oracle Database@Azure — formally called Oracle Database Service for Azure or ODP — is a partnership announced in September 2023 and reaching GA in early 2024. Oracle Exadata X9M hardware racks are physically co-located inside Microsoft Azure data centers, connected to your Azure Virtual Network through Azure ExpressRoute at sub-2ms latency.
The key architectural difference from Oracle Database at AWS: on AWS, you connect via a VPC endpoint (a software-defined construct). On Azure, the connection is a dedicated ExpressRoute circuit — a physical-layer private connection provisioned by Microsoft between the Oracle Exadata infrastructure and your Azure VNet. This gives slightly more predictable latency but requires ExpressRoute to be provisioned in your Azure subscription.
Available Services
Service | Shape | Min Config | Best For |
Oracle Autonomous Database Serverless | ECPU-based | 2 ECPUs, 1 TB | OLTP, Analytics, JSON, APEX |
Oracle Autonomous Database on Dedicated Exadata | Exadata X9M | Quarter Rack | Enterprise OLTP, strict isolation |
Oracle Exadata Database Service | Exadata X9M | Quarter Rack | Custom DB workloads, RAC |
Oracle Base Database Service | VM shapes | 1 OCPU, 256 GB | Dev/Test, SMB workloads |
Oracle Database at Azure vs Oracle Database at AWS — Key Differences
Dimension | Oracle DB@Azure (ODP) | Oracle DB@AWS |
Network link | Azure ExpressRoute (dedicated circuit) | AWS VPC Endpoint (software-defined) |
Identity | Microsoft Entra ID + OCI IAM | AWS IAM + OCI IAM |
Billing | Integrated into Azure invoice (MACC eligible) | Separate Oracle invoice |
Management plane | Azure Portal + OCI Console | OCI Console only |
Latency to app tier | < 2ms (ExpressRoute) | < 1ms (VPC Endpoint) |
Primary GA regions | East US, Germany West Central | US East (N. Virginia) |
Azure Marketplace | Yes — one-click from Azure Portal | No — via OCI Console |
MACC consumption | Yes — counts toward Azure spend commitment | No |
💡 MACC Is a Big Deal
If your organization has a Microsoft Azure Consumption Commitment (MACC), Oracle Database@Azure spend counts toward it. This means you can use existing Azure budget for Oracle — a significant procurement advantage that Oracle DB@AWS cannot offer.
Network Architecture: ExpressRoute Deep Dive
The network topology for Oracle Database at Azure is more complex than the AWS equivalent because it uses ExpressRoute rather than a VPC endpoint. Understanding this is essential before provisioning.
Layer 1 — Physical co-location: Oracle Exadata X9M racks sit inside Azure data centers on dedicated floor space leased by Oracle. Microsoft provides power, cooling, and physical security. Oracle operates the hardware.
Layer 2 — ExpressRoute circuit: An Azure ExpressRoute circuit is provisioned between the Oracle Exadata infrastructure and Microsoft's network edge. This is a dedicated private circuit — not a shared tunnel, not the public internet. Oracle provisions this on your behalf when you create an ODP resource.
Layer 3 — Virtual Network Gateway: In your Azure subscription, an ExpressRoute Virtual Network Gateway connects your Azure Virtual Network to the ExpressRoute circuit. This gateway must be provisioned in the same region as your ODP resource.
Layer 4 — Your Azure VNet: Your Azure VMs, AKS pods, App Service instances, and Azure Functions connect to Oracle DB through the VNet — same as any other Azure service. No special Oracle client configuration beyond the wallet.
Latency Profile
Connection | Typical Latency | Notes |
Azure VM → Oracle DB@Azure (same AZ) | < 2ms | ExpressRoute dedicated circuit |
Azure VM → Oracle DB@AWS | 30–80ms | Cross-cloud, public internet or FastConnect |
Azure VM → Azure SQL Managed Instance | < 1ms | Native Azure, no ExpressRoute needed |
On-premises → Oracle DB@Azure | 5–30ms | Via your existing ExpressRoute to Azure |
AKS Pod → Oracle DB@Azure | < 2ms | Same VNet, standard pod networking |
Prerequisites
Azure Requirements
● Azure subscription with Owner or Contributor role
● Azure CLI 2.x installed: az --version
● An Azure Virtual Network (VNet) in the target region with at least one subnet
● An ExpressRoute Virtual Network Gateway deployed in your VNet (Standard SKU minimum)
● Microsoft Entra ID tenant with permissions to create service principals
● Azure subscription linked to Oracle — done via Azure Marketplace (one-time setup)
OCI Requirements
● An OCI tenancy (trial or paid) — Oracle provisions ODP resources in OCI behind the scenes
● OCI CLI installed and configured: oci --version
● Oracle account linked to your Azure subscription via the ODP onboarding flow
Step 1: Link Azure Subscription to Oracle via Marketplace
Navigate to Azure Portal → Marketplace → search 'Oracle Database@Azure' → Subscribe. This creates the cross-cloud trust relationship and provisions the ExpressRoute connectivity.
#Verify ODP provider is registered in your Azure subscription
az provider register --namespace Oracle.Database
az provider show --namespace Oracle.Database --query "registrationState"
#Expected: "Registered"
Step 2: Create ExpressRoute Virtual Network Gateway
This is the most time-consuming step — provisioning an ExpressRoute gateway takes 20–45 minutes. Do this first.
#Create gateway subnet (required naming — must be GatewaySubnet)
az network vnet subnet create \
--resource-group myRG \
--vnet-name myVNet \
--name GatewaySubnet \
--address-prefixes 10.0.255.0/27
#Create public IP for gateway
az network public-ip create \
--resource-group myRG \
--name oracle-er-gateway-pip \
--sku Standard \
--allocation-method Static
#Create ExpressRoute Virtual Network Gateway (takes 20-45 minutes)
az network vnet-gateway create \
--resource-group myRG \
--name oracle-er-gateway \
--vnet myVNet \
--gateway-type ExpressRoute \
--sku Standard \
--public-ip-address oracle-er-gateway-pip \
--no-wait # Run async, check status with az network vnet-gateway show
Step-by-Step: Provisioning Oracle Autonomous Database on Azure
Step 3: Create ODP Resource via Azure Portal
Once the ExpressRoute gateway is provisioned, navigate to Azure Portal → Create a resource → Oracle Database@Azure → Autonomous Database.
Field | Value | Notes |
Subscription | Your Azure subscription | Must have ODP registered |
Resource Group | oracle-prod-rg | Create new or use existing |
Name | prod-adb-azure-01 | Display name in Azure Portal |
Region | East US | Must match your ExpressRoute gateway region |
Database Name | PRODADB01 | Uppercase, 1-14 chars |
Workload Type | Transaction Processing | Or Data Warehouse / JSON / APEX |
Database Version | 23ai | Latest — recommended |
ECPU Count | 2 | Minimum; auto-scales if enabled |
Storage | 1 TB | Minimum; auto-scales |
Admin Password | Use Azure Key Vault reference | Never hardcode — see Step 4 |
Virtual Network | myVNet | Must have ExpressRoute gateway |
Subnet | oracle-subnet | Dedicated subnet recommended |
License Type | License Included | Or BYOL if you have Oracle licenses |
Step 4: Store Credentials in Azure Key Vault
Unlike Oracle Database@AWS where you download a wallet ZIP, Oracle Database@Azure integrates with Azure Key Vault for credential management.
#Create Key Vault (if not existing)
az keyvault create \
--name oracle-prod-kv \
--resource-group oracle-prod-rg \
--location eastus \
--enable-rbac-authorization true
#Store the ADB admin password
az keyvault secret set \
--vault-name oracle-prod-kv \
--name "adb-admin-password" \
--value "YourSecurePassword2026!"
#Grant your app's managed identity access to the secret
az role assignment create \
--role "Key Vault Secrets User" \
--assignee <managed-identity-object-id> \
--scope /subscriptions/<sub-id>/resourceGroups/oracle-prod-rg/providers/Microsoft.KeyVault/vaults/oracle-prod-kv
Step 5: Download Wallet and Test Connectivity
#Download wallet via OCI CLI (ODP resources appear in OCI too)
oci db autonomous-database generate-wallet \
--autonomous-database-id <adb-ocid> \
--password "WalletPassword2026!" \
--file ~/wallets/prod-adb-azure.zip
mkdir -p ~/wallets/prod-adb-azure
unzip ~/wallets/prod-adb-azure.zip -d ~/wallets/prod-adb-azure
#Test connection from an Azure VM in the same VNet
export TNS_ADMIN=~/wallets/prod-adb-azure
sql ADMIN/YourSecurePassword2026!@prodadb01_high
#Verify platform
SELECT platform_name, version_full FROM v$database d, v$instance i;
Step 6: Connect from .NET / C# Application
Oracle Database@Azure is designed with Azure-native workloads in mind — particularly .NET applications. Use Oracle.ManagedDataAccess.Core:
// Install NuGet: Oracle.ManagedDataAccess.Core
// dotnet add package Oracle.ManagedDataAccess.Core
using Oracle.ManagedDataAccess.Client;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
// Retrieve password from Key Vault (Managed Identity auth)
var kvClient = new SecretClient(
new Uri("https://oracle-prod-kv.vault.azure.net/"),
new DefaultAzureCredential() // Uses Managed Identity in Azure, local creds in dev
);
var secret = await kvClient.GetSecretAsync("adb-admin-password");
// Build connection string
var connString = $"User Id=ADMIN;Password={secret.Value.Value};" +
"Data Source=prodadb01_high;" +
"Connection Timeout=30;Pooling=true;Min Pool Size=5;Max Pool Size=50;";
// Set wallet location
OracleConfiguration.TnsAdmin = "/path/to/wallet";
OracleConfiguration.WalletLocation = "/path/to/wallet";
using var conn = new OracleConnection(connString);
await conn.OpenAsync();
Console.WriteLine($"Connected: {conn.ServerVersion}");
Microsoft Entra ID Integration
One of the most compelling features of Oracle Database at Azure is native Microsoft Entra ID (formerly Azure AD) authentication for Oracle DB users. Your employees can log into Oracle using their corporate Entra ID credentials — no separate Oracle passwords to manage.
Enable Entra ID Authentication on ADB
-- Connect as ADMIN and enable Entra ID authentication
EXEC DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH( provider => 'AZURE_AD', params => JSON_OBJECT( 'azure_tenant_id' VALUE '', 'azure_app_id' VALUE '' ) );
-- Create a mapped Oracle user for an Entra ID user
CREATE USER "user@yourdomain.com" IDENTIFIED EXTERNALLY AS 'user@yourdomain.com';
GRANT CONNECT, CREATE TABLE TO "user@yourdomain.com";
-- Create a mapped Oracle role for an Entra ID group
CREATE ROLE "Oracle-DBAs" IDENTIFIED EXTERNALLY AS 'Oracle-DBAs';
-- Now assign permissions to the role; all members of the Entra group inherit them
🔐 Security Win
With Entra ID auth, DBA offboarding is instant — remove them from the Entra group and they immediately lose Oracle DB access. No hunting for Oracle passwords to revoke. No separate Oracle user lifecycle management.
Azure-Native Integrations
Oracle Database@Azure integrates with the broader Azure ecosystem in ways that Oracle Database@AWS does not — because Azure Portal surfaces ODP as a first-class Azure resource.
Azure Service | Integration | Use Case |
Azure Monitor | Native metrics forwarding | CPU, storage, sessions, latency dashboards |
Azure Log Analytics | Audit log streaming | SQL audit, login events, security monitoring |
Azure Data Factory | Built-in Oracle connector | ETL pipelines from Oracle to Azure Synapse / Fabric |
Microsoft Fabric | Oracle mirroring (preview) | Real-time Oracle data in OneLake for Power BI |
Azure Backup | Policy-based DB backup | Backup retention management via Azure Portal |
Azure Private DNS | Auto-registered DNS entries | Connect by hostname, no IP management |
Azure Policy | Compliance enforcement | Enforce encryption, backup retention, tagging |
Entra ID | Database user authentication | SSO and group-based Oracle DB access |
Azure Data Factory Oracle Connector
If you use Azure Data Factory for data movement, the Oracle connector works directly with Oracle Database at Azure — no self-hosted integration runtime needed if your ADF is in the same VNet:
// ADF Linked Service JSON (Oracle Database@Azure)
{
"name": "OracleADB_LinkedService",
"type": "Oracle",
"typeProperties": {
"connectionString": {
"type": "SecureString",
"value": "Host=<adb-host>;Port=1522;Sid=<service_name>;User Id=adf_user;"
},
"password": {
"type": "AzureKeyVaultSecret",
"store": { "referenceName": "AzureKeyVaultLinkedService", "type": "LinkedServiceReference" },
"secretName": "adb-adf-password"
}
}
}
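The linked service above keeps the password out of the definition by referencing Key Vault. The following check is an added example (not part of the original post or of Azure Data Factory) that contrasts that definition with a constructed weak variant; the function names and the `WEAK` definition are assumptions made for illustration.

```python
import json

# Constructed definitions. HARDENED mirrors the linked service shown above;
# WEAK is a deliberately bad variant with constructed placeholder secrets.
HARDENED = json.loads("""
{"name": "OracleADB_LinkedService", "type": "Oracle", "typeProperties": {
  "connectionString": {"type": "SecureString",
    "value": "Host=<adb-host>;Port=1522;Sid=<service_name>;User Id=adf_user;"},
  "password": {"type": "AzureKeyVaultSecret",
    "store": {"referenceName": "AzureKeyVaultLinkedService",
              "type": "LinkedServiceReference"},
    "secretName": "adb-adf-password"}}}
""")
WEAK = json.loads("""
{"name": "OracleADB_Weak", "type": "Oracle", "typeProperties": {
  "connectionString": {"type": "SecureString",
    "value": "Host=<adb-host>;Port=1522;Sid=<service_name>;User Id=adf_user;Password=CONSTRUCTED;"},
  "password": {"type": "SecureString", "value": "CONSTRUCTED"}}}
""")

CREDENTIAL_KEYS = {"password", "pwd"}


def connection_string_keys(conn):
    """Lower-cased key names from a 'k=v;k=v' string or SecureString object."""
    text = conn.get("value", "") if isinstance(conn, dict) else (conn or "")
    return {part.split("=", 1)[0].strip().lower()
            for part in text.split(";") if "=" in part}


def lint_linked_service(definition):
    """Return (check, detail) findings; an empty list means no inline secret."""
    props = definition.get("typeProperties", {})
    findings = []
    # 1. The connection string must not carry the credential itself.
    embedded = CREDENTIAL_KEYS & connection_string_keys(props.get("connectionString"))
    for key in sorted(embedded):
        findings.append(("inline-credential", f"connectionString contains '{key}='"))
    # 2. The password must be a Key Vault reference, not a value stored in ADF.
    pw = props.get("password")
    if not isinstance(pw, dict) or pw.get("type") != "AzureKeyVaultSecret":
        findings.append(("password-not-in-key-vault",
                         "password must be an AzureKeyVaultSecret reference"))
    else:
        store = pw.get("store") or {}
        if not pw.get("secretName") or store.get("type") != "LinkedServiceReference":
            findings.append(("incomplete-key-vault-reference",
                             "store and secretName are both required"))
    return findings


if __name__ == "__main__":
    for label, definition in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(label, lint_linked_service(definition))
```

Run it over exported linked service definitions in a pipeline check so that a definition with an inline password fails review before it is published.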
Pricing: Oracle Database at Azure vs Oracle Database at AWS vs Azure SQL
Service | Config | Monthly Estimate | Oracle Support | Azure Invoice |
Oracle ADB@Azure Serverless | 2 ECPUs, 1 TB, LI | ~$800–950/mo | Yes | Yes (MACC) |
Oracle ADB@AWS Serverless | 2 ECPUs, 1 TB, LI | ~$800/mo | Yes | No (OCI invoice) |
Oracle on Azure VM (DIY) | D8s_v5, EE license | ~$1,400/mo | No (DIY) | Yes |
Azure SQL Managed Instance | GP, 8 vCores | ~$900/mo | Microsoft | Yes (MACC) |
Azure SQL Database (vCore) | GP, 8 vCores | ~$700/mo | Microsoft | Yes (MACC) |
💰 MACC Advantage Calculation
If you have a $500K MACC and use Oracle DB@Azure at $900/month, that $10,800/year counts toward your Azure commitment — reducing your at-risk MACC balance. Oracle DB@AWS does NOT count toward MACC. For organizations with large Azure commitments, this can justify a 10–20% price premium over the AWS equivalent.
Oracle DB@Azure vs Oracle DB@AWS — When to Use Which
Scenario | Use Azure | Use AWS | Reason |
App on Azure (.NET, AKS) | ✅ | — | Sub-2ms latency via ExpressRoute; native Azure integrations |
App on AWS (EC2, EKS) | — | ✅ | Sub-1ms latency via VPC endpoint; no cross-cloud routing |
Power BI / Fabric reporting | ✅ | — | Microsoft Fabric Oracle mirroring connects directly |
Azure Data Factory pipelines | ✅ | — | Built-in Oracle connector, same VNet, no SHIR needed |
MACC spend commitment | ✅ | — | Oracle DB@Azure counts toward Azure MACC spend |
Entra ID SSO for Oracle users | ✅ | — | Native Entra ID integration; AWS equivalent is more complex |
Existing AWS workloads | — | ✅ | No cross-cloud networking overhead |
Lowest possible latency | — | ✅ | VPC endpoint < 1ms vs ExpressRoute ~2ms |
Multi-cloud / cloud-agnostic | Both | Both | Same OCI Console manages both; data replication between them possible |
Migration Paths to Oracle Database at Azure
From On-Premises Oracle (Recommended: GoldenGate)
If you have existing Oracle on-premises and want to migrate to Oracle DB@Azure with minimal downtime:
-- Source: your on-premises Oracle DB
-- Target: Oracle ADB@Azure
-- Step 1: Install GoldenGate on-premises and configure Extract
-- (GoldenGate Microservices runs on OCI, accessible from on-prem via ExpressRoute)
-- Step 2: Verify supplemental logging is enabled on source
ALTER DATABASE ADD SUPPLEMENTAL LOG DATA;
ALTER DATABASE ADD SUPPLEMENTAL LOG DATA (PRIMARY KEY) COLUMNS;
-- Step 3: Initial load via Data Pump to Oracle Object Storage
expdp SYSTEM/password SCHEMAS=APP_USER DIRECTORY=DATA_PUMP_DIR \
DUMPFILE=app_%U.dmp PARALLEL=4
-- Step 4: Start GoldenGate replication (catches changes during load)
-- Step 5: Validate row counts and data integrity
-- Step 6: Cutover — stop writes to source, let GoldenGate drain, switch app connection string
From Oracle on Azure VM (Simplest Path)
If you're already running Oracle Database on an Azure Virtual Machine, this is the simplest migration — you're in the same VNet, same region, no cross-cloud complexity:
#Direct Data Pump export from Oracle on Azure VM
expdp SYSTEM/password@source_vm_db FULL=Y DUMPFILE=full_export_%U.dmp DIRECTORY=DATA_PUMP_DIR PARALLEL=8
#Copy dump files to Azure Blob Storage (then Oracle imports from Object Storage)
azcopy copy "/oracle/datapump/*.dmp" \
"https://mystorageaccount.blob.core.windows.net/migration-container/" \
--recursive
#Import into ADB@Azure via DBMS_DATAPUMP over DBMS_CLOUD
-- (Run this on the ADB@Azure instance as ADMIN)
BEGIN
  DBMS_CLOUD.GET_OBJECT(
    credential_name => 'AZURE_BLOB_CRED',
    object_uri => 'https://mystorageaccount.blob.core.windows.net/migration-container/full_export_01.dmp',
    directory_name => 'DATA_PUMP_DIR'
  );
END;
Best Practices for Production
Category | Best Practice | Why |
Networking | Deploy ODP in a dedicated subnet with NSG rules | Isolate Oracle traffic; NSGs restrict access to app tier only |
Networking | Use Azure Private DNS for Oracle endpoint resolution | Auto-registered — no manual /etc/hosts or DNS entries |
Security | Use Azure Managed Identity for app authentication to Key Vault | No secrets in code; rotates automatically |
Security | Enable Entra ID authentication for human users | Instant offboarding; central identity governance |
Security | Enable Transparent Data Encryption (always-on in ADB) | ADB enforces TDE; verify key management policy |
Cost | Enable auto-pause for dev/test (15-min idle) | ADB stops billing compute when paused — critical for non-prod |
Cost | Set max_cpu_count to cap auto-scaling | Without ceiling, query storm can 10x your monthly bill |
Operations | Forward Oracle audit logs to Azure Log Analytics | Centralised SIEM; compliance reporting via Azure Monitor Workbooks |
Operations | Use Azure Data Factory for all Oracle→Azure data movement | Managed, monitored, no self-hosted integration runtime needed |
Reliability | Enable Autonomous Data Guard (active standby) | RPO < 5 seconds; automatic failover; no extra config in ADB |
BCDR | Configure cross-region ADB clones for DR | Oracle ADB supports refreshable clones across ODP regions |
Common Issues and Fixes
Issue: ExpressRoute Gateway Not Connecting
If the ODP resource is provisioned but the ExpressRoute circuit shows 'Not Connected', the most common cause is the gateway SKU. ODP requires Standard SKU or higher — the Basic SKU is not supported.
#Check ExpressRoute gateway SKU
az network vnet-gateway show \
--resource-group myRG \
--name oracle-er-gateway \
--query "sku.name"
#If output is "Basic", you need to delete and recreate with Standard SKU
#Check circuit provisioning state
az network express-route list \
--resource-group myRG \
--query "[].{Name:name, State:provisioningState, CircuitState:circuitProvisioningState}"
Issue: ORA-12541 from Azure VM
If your Azure VM cannot reach the Oracle endpoint on port 1522, check the Network Security Group (NSG) on both the Oracle subnet and the VM subnet:
#Check NSG rules on the oracle-subnet
az network nsg rule list \
--resource-group myRG \
--nsg-name oracle-subnet-nsg \
--output table
#Required: Allow inbound TCP 1522 from your app subnet
az network nsg rule create \
--resource-group myRG \
--nsg-name oracle-subnet-nsg \
--name Allow-Oracle-TLS \
--priority 100 \
--protocol Tcp \
--destination-port-range 1522 \
--source-address-prefixes 10.0.1.0/24 \
--access Allow
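Opening TCP 1522 fixes ORA-12541, but the same NSG should still admit only the app subnet. The audit below is an added example (not from the original post) that reads rules in the JSON shape produced by `az network nsg rule list --output json` and reports every inbound Allow rule that exposes the listener to a source outside `10.0.1.0/24`; the sample rules are constructed, and the rule names other than `Allow-Oracle-TLS` are hypothetical.

```python
import ipaddress
import json

# Constructed sample shaped like `az network nsg rule list --output json`.
SAMPLE_RULES = json.loads("""
[
  {"name": "Allow-Oracle-TLS", "priority": 100, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "destinationPortRange": "1522",
   "sourceAddressPrefix": "10.0.1.0/24"},
  {"name": "Allow-DB-Range", "priority": 200, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "destinationPortRanges": ["1500-1600"],
   "sourceAddressPrefixes": ["10.0.1.128/25", "10.0.9.0/24"]},
  {"name": "Allow-Any-Debug", "priority": 300, "direction": "Inbound",
   "access": "Allow", "protocol": "*", "destinationPortRange": "*",
   "sourceAddressPrefix": "*"},
  {"name": "Deny-All", "priority": 4096, "direction": "Inbound",
   "access": "Deny", "protocol": "*", "destinationPortRange": "*",
   "sourceAddressPrefix": "*"}
]
""")


def _values(rule, single, plural):
    """az emits either the singular or the plural property; merge both."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals


def _covers_port(spec, port):
    """Port specs are '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def _inside(source, allowed):
    """True only for a CIDR or address fully contained in the app subnet."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:  # "*", "Internet", "VirtualNetwork" and other tags
        return False
    return net.version == allowed.version and net.subnet_of(allowed)


def audit_nsg(rules, app_subnet="10.0.1.0/24", port=1522):
    """List (rule name, source) pairs that open the port beyond app_subnet.

    Conservative: every matching Allow rule is reported, even if a Deny rule
    with a lower priority number would shadow it.
    """
    allowed = ipaddress.ip_network(app_subnet)
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["protocol"].lower() not in ("tcp", "*"):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if not any(_covers_port(p, port) for p in ports):
            continue
        for src in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"):
            if not _inside(src, allowed):
                findings.append((rule["name"], src))
    return findings
```

Feed it the output of the `az network nsg rule list` command above with `--output json` in place of `--output table`; rules that use application security groups as their source are not evaluated.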
Issue: Entra ID Authentication Failing (ORA-01017)
If Entra ID authentication fails, verify the app registration in Entra ID has the correct API permissions and that the Oracle DB user name exactly matches the Entra UPN (case-sensitive):
-- Verify the mapped Oracle user exists and matches UPN exactly
SELECT username, authentication_type FROM dba_users
WHERE authentication_type = 'EXTERNAL';
-- UPN must be ALL CAPS in Oracle user definition
-- Correct: CREATE USER "USER@YOURDOMAIN.COM" IDENTIFIED EXTERNALLY
-- Wrong: CREATE USER "user@yourdomain.com" IDENTIFIED EXTERNALLY
Safe Harbour & Disclaimer
PRICING DISCLAIMER: All prices shown are estimates based on publicly available Oracle Cloud, Microsoft Azure, and AWS pricing pages as of March 2026. Verify current pricing at cloud.oracle.com, azure.microsoft.com/pricing, and aws.amazon.com/pricing before making purchasing decisions.
SAFE HARBOUR: Oracle Database@Azure (ODP) features, regional availability, MACC eligibility, and pricing may change at any time without notice.
NO AFFILIATION: cloudexplorers.club is an independent technical blog not affiliated with Oracle Corporation or Microsoft Corporation. License: CC BY 4.0 — share and adapt with attribution to cloudexplorers.club.


