Managing Regions

This topic describes the basics of managing your region subscriptions. For more information about regions in Oracle Cloud Infrastructure, see Regions and Availability Domains. For information about Platform Services regions, see Managing Platform Services Regions.

This section contains the following topics.

Required IAM Policy

If you're in the Administrators group, then you have the required access to manage region subscriptions.

If you're new to policies, see IAM Policies Overview,.

The Home Region

When you sign up for Oracle Cloud Infrastructure, Oracle creates a tenancy for you in one region. This is your home region. Your home region is where your IAM resources are defined. When you subscribe to another region, your IAM resources are available in the new region. However, the definitions reside in your home region and can only be changed there.

Important

Your home region contains your account information and identity resources. You can't make changes after your tenancy is provisioned. If you're unsure which region to select as your home region, contact your sales representative before you create your account.

Resources that you can create and update only in the home region are:

  • Users
  • Groups
  • Policies
  • Compartments
  • Dynamic groups
  • Federation resources

When you use the API to update your IAM resources, you must use the endpoint for your home region. (See What is the tenancy home region? How do I find my tenancy home region?) IAM automatically propagates the updates to all regions in your tenancy.

When you use the Console to update your IAM resources, the Console sends the requests to the home region for you. You don't need to switch to your home region first. IAM then automatically propagates the updates to all regions in your tenancy.

Note

IAM Updates Aren't Immediate Across All Regions

When you create or update an IAM resource, be aware that it might take several minutes for the changes in your home region to become available in all regions.

When you subscribe your tenancy to a new region, you can replicate the home region in one or more alternate regions. If you home region is down, you can sign in to the tenancy. Full IAM functionality is limited until the home region is back up. To subscribe to a new region, see Subscribing to an Infrastructure Region.

The policies from the home region are enforced in the new region. To limit access for groups of users to specific regions, you can write policies to grant access to specific regions only. For an example policy, see Restrict admin access to a specific region.
Note

Provisioning SaaS Applications and Geo-Regions

SaaS applications are provisioned in the geo-region specified on your order.

After creating a cloud account to add your subscription, a Default identity domain is created in the home region. For SaaS applications, the home region isn't the provisioning location. SaaS applications are provisioned in the Data Center region (sometimes called the geo-region) specified on your order. For example, the North America geo-region includes three regions (Ashburn, Phoenix, and Toronto).

Note

Depending on the SaaS application, the application user credentials might also be stored at the same home region as the Default identity domain.

In some cases, the home region displayed in the Console may be different than the Data Center Region that you selected or is identified in your order for your Services. The information stored in your home region consists of only cloud services administrator credentials that are shared with Oracle to create and manage the Oracle Cloud account and is information that is required to log in to your account. Your Oracle Application services production and backup data remain permanently stored by Oracle only in the Data Center Region that is identified in your order.

For more information about identity domains, see Managing Identity Domains

Find Out More

Can an individual user subscribe to a region?

A region subscription is at the tenancy level. An administrator can subscribe the tenancy to a region. All IAM polices are enforced in the new region, so all users in the tenancy will have the same access and permissions in the new region.

Can I see my existing resources in the new region?

When you select a region in the Console, you are shown a view of the resources in your selected region. Most cloud resources (instances, VCNs, buckets, etc.) exist only in a specific region, so you only see them when you select the region where they were created. The exception is IAM resources: compartments, users, groups, and policies are global across all regions. See also Working Across Regions.

How do my service limits apply to the new region?

Service limits can be scoped to the tenant level, the region level, or the availability domain level. When you subscribe to a new region, you get access to the region and its availability domains. Service limits apply accordingly. The service limits page lists the scope of each resource limit.

Can I restrict access to a specific region?

Yes. You can write policies that grant permissions in a specified region only.

Can I change my home region?

No. Oracle assigns your home region and you can't change it. See also: What is the tenancy home region? How do I find my tenancy home region?