Oracle offers two distinct ways to run its cloud services inside your data centre: Cloud@Customer (targeted appliances for database or compute workloads) and Dedicated Region Cloud@Customer (a complete, self-contained OCI region on-premises). Both keep data on-site, but they differ fundamentally in scope, scale, cost, control model, compliance capability, and vendor commitment. This guide compares their architecture, use cases, management models, compliance and security implications, and the technical and business trade-offs CIOs should weigh when choosing between them.
This guide is part of our Oracle cloud licensing series. For Cloud@Customer pricing, see Cloud@Customer Pricing and Benefits. For BYOL rules, see BYOL on Cloud@Customer. For cloud licensing fundamentals, see Licensing Oracle Software in the Cloud.
Oracle Cloud@Customer refers to Oracle's pre-packaged on-premises cloud services delivered as single-purpose systems installed in the customer's data centre. There are two primary variants.
Exadata Cloud@Customer delivers an Oracle Exadata system as a managed cloud service for database workloads only. It provides high-performance database capabilities including Autonomous Database but is limited to database operations. Compute Cloud@Customer provides on-premises OCI compute and storage services for running application VMs, containers, and middleware. It includes basic OCI infrastructure components but not the entire OCI service catalogue. Both typically connect to Oracle's public cloud for control plane functions. If the external link is lost, core services continue (databases remain accessible, VMs keep running) but management features may be limited until connectivity is restored.
Oracle Dedicated Region Cloud@Customer is a complete, isolated Oracle cloud region installed at the customer site. It consists of multiple racks (initial deployments typically start around 3 to 12 racks), scaling up to dozens as needed. The Dedicated Region brings 100+ Oracle Cloud services (IaaS, PaaS, and even Oracle Fusion SaaS applications) into the data centre. The control plane and management infrastructure reside entirely on-premises. The region does not require constant connectivity to Oracle's public cloud. Oracle built it as an identical copy of a public OCI region behind the customer's firewall, with the same hardware, software stack, SLAs, pricing model, and APIs.
| Dimension | Cloud@Customer (Exadata/Compute) | Dedicated Region |
|---|---|---|
| Physical footprint | 1 to 2 racks (single-purpose appliance) | 3 to 12+ racks (full cloud region) |
| Service scope | Targeted. Database (Exadata) or compute/storage only | 100+ OCI services. Complete IaaS, PaaS, and SaaS |
| Control plane | Partially in Oracle's public cloud. Some external dependency | Fully on-premises. Self-contained, no external dependency |
| Architecture | Purpose-built appliance with OCI service subset | Identical to Oracle public cloud region. Same stack, APIs, SLAs |
| Deployment time | Weeks (single rack delivery and configuration) | Months (multi-rack installation, network integration, testing) |
| Minimum commitment | 1 rack, 4-year term (lower entry point) | Approximately $6M+/year, multi-year term (significant investment) |
Cloud@Customer provides targeted cloud services on a smaller scale. Dedicated Region is a massive on-premises deployment of Oracle's entire cloud environment. The former has a smaller footprint focusing on specific functions with some external dependencies. The latter is a full-fledged private cloud region with total functionality and autonomy. A CIO's choice between them is fundamentally a decision about scope: do you need a specific cloud capability on-premises, or do you need an entire cloud region?
Running mission-critical Oracle databases on Exadata under a cloud subscription model while meeting data residency requirements. Hosting specific enterprise applications (ERP, CRM) on OCI compute in-house. Supporting development and testing in a cloud-like on-premises environment. Database consolidation, low-latency applications, or gradual introduction of cloud management. Ideal when the requirement is narrow and well-defined.
Regulated industries (finance, government, healthcare) with broad data sovereignty requirements across many systems. Large enterprises modernising legacy Oracle applications (PeopleSoft, Siebel, JDE, EBS) with cloud services. Data centre consolidation replacing aging on-premises hardware with cloud-like scalability. Hybrid cloud strategies where the most sensitive or high-performance components run on-site while other workloads run in public OCI.
For Oracle's software licensing rules when running workloads on Cloud@Customer, see Which Oracle Software Can You Run on Cloud@Customer. For BYOL mechanics, see How BYOL Works on Cloud@Customer.
Cloud@Customer solves a narrow problem or complies with one set of requirements. Dedicated Region fundamentally transforms and outsources the operation of an entire on-premises data centre to Oracle's cloud model. Choose Cloud@Customer when the need is specific and well-bounded. Choose Dedicated Region when you foresee broad cloud service adoption on-premises. Starting with Cloud@Customer for a specific workload and later expanding to Dedicated Region is possible, but the transition involves significant replanning. If broad adoption is the likely destination, starting with Dedicated Region may be more efficient than adding Cloud@Customer appliances incrementally.
In both offerings, Oracle retains responsibility for managing the infrastructure and cloud services while the customer controls their data and usage. However, the degree of control differs significantly.
| Aspect | Cloud@Customer | Dedicated Region |
|---|---|---|
| Infrastructure management | Oracle manages hardware, patching, and software updates for the appliance | Oracle manages end-to-end operations of the entire region. Updates, scaling, security patching across all services |
| Customer workload control | Full control over VMs, databases, OS, middleware, and applications | Cloud-style self-service. Provision resources via OCI console/APIs, but no access to underlying infrastructure |
| Patch scheduling | Customer can influence patch timing within Oracle's maintenance windows | Oracle coordinates region upgrades with customer but manages the process |
| Data sovereignty | Data resides on-premises. Some management metadata transits to Oracle's cloud | All control plane and data plane on-premises. No data or configuration leaves the premises |
| Oracle access controls | Oracle Operator Access Control. Customer approves/denies Oracle engineer access | Same Operator Access Control plus full audit logging within the isolated region |
| Management paradigm | Hands-on control of specific services (DBAs manage databases directly) | Cloud-style management (DBAs use cloud service interfaces rather than logging into servers) |
Cloud@Customer offers more hands-on control over specific services but with limited scope. Dedicated Region offers hands-off infrastructure (Oracle-managed everything) with full cloud breadth. In both cases, CIOs control their applications and data placement but cede low-level infrastructure management to Oracle. The practical question is whether your teams prefer direct server-level access (Cloud@Customer) or are ready to adopt cloud-style management through consoles and APIs (Dedicated Region). Organisations with established DBA teams who manage databases at the OS level may find the Cloud@Customer model more familiar. Organisations moving toward cloud-native operations will find Dedicated Region's model aligns better with that direction.
Both Cloud@Customer and Dedicated Region keep data on-premises, but compliance capability differs in scope.
Both solutions ensure sensitive data stays in your data centre. Dedicated Region goes further. Since the control plane and metadata are also local, no system information or service telemetry is sent to an external cloud. This satisfies the strictest national security and government requirements for complete sovereignty.
A Dedicated Region can be certified to the same breadth of compliance standards as Oracle's public cloud (ISO 27001, SOC 2, PCI-DSS, HIPAA) because it runs the same services. Cloud@Customer compliance scope is narrower. It focuses on the specific deployed service (database security controls for Exadata, for example) rather than a full-stack certification.
Both offerings are single-tenant dedicated hardware (unlike public cloud where tenants share systems). Cloud@Customer provides a dedicated rack. Dedicated Region provides an entire dedicated region. This isolation enhances compliance since resources are not shared with other organisations.
Cloud@Customer requires some management connectivity to Oracle's cloud, which may concern organisations with strict no-external-connectivity policies. Dedicated Region can operate fully disconnected by special arrangement, making it the answer for extreme isolation requirements.
If your regulatory requirement is data residency for specific databases or applications, Cloud@Customer satisfies that need. If your requirement is complete sovereignty with no data, metadata, or telemetry leaving the premises, Dedicated Region is the only option. The distinction matters for defence, intelligence, central banking, and government organisations where even management plane connectivity to external systems may violate policy. Before selecting either option, map your specific regulatory requirements to the compliance capabilities of each deployment model. The difference between "data stays on-premises" and "everything stays on-premises" is significant for organisations under strict sovereignty mandates.
Both deployments use a shared security model: Oracle secures the cloud infrastructure while the customer secures their data, user access, and integration points. The security capabilities are identical to Oracle Cloud. The difference is scope.
Both include built-in encryption for data at rest and in transit. Customers can use OCI Vault for key management and IAM for access control, even in on-premises deployments. Data never leaves the premises except for off-site backups if configured.
Oracle's Operator Access Control allows customers to approve or deny Oracle support personnel access to the maintenance infrastructure in both offerings. This ensures Oracle cannot access customer systems without explicit consent.
Oracle handles security patching for firmware, hypervisors, and cloud service software. In Dedicated Region, updates are delivered on-site as they are in public cloud. This ensures the on-premises region receives security fixes as soon as Oracle releases them. Cloud@Customer receives similar regular patch cycles.
Both support the same OCI network segmentation features (VCNs, security lists, network security groups). Because traffic between internal users and cloud services does not traverse the internet, external threat exposure is reduced. Dedicated Region includes the full OCI security service stack (web application firewalls, threat detection) while Cloud@Customer has a more limited security service set appropriate to its narrower scope.
Both offerings deliver enterprise-grade security identical to Oracle's public cloud. The key difference is breadth. Dedicated Region includes the full OCI security service stack (WAF, threat intelligence, security zones, cloud guard) because it runs the complete OCI platform. Cloud@Customer security is focused on the specific deployed service. For organisations that need comprehensive security monitoring, threat detection, and automated response across multiple workload types, Dedicated Region provides these capabilities natively. For organisations with a narrower security scope focused on database or compute protection, Cloud@Customer is sufficient.
| Trade-Off | Cloud@Customer | Dedicated Region |
|---|---|---|
| Breadth vs specificity | Addresses today's specific need precisely. May require additional deployments if requirements expand | Future-proof platform with 100+ services. Avoids "needing something unavailable" risk |
| Cost and commitment | Lower entry point (1 rack, 4-year term). Suitable for targeted, bounded requirements | Approximately $6M+/year minimum. Justified only for large portfolios or broad cloud adoption on-premises |
| Control vs convenience | More direct, hands-on control over specific services. Familiar management for DBAs/admins | Cloud-style management by Oracle. Less staff effort, but requires trust and acceptance of standardised operations |
| Deployment speed | Weeks to deliver and configure. Faster time-to-value for specific projects | Months for multi-rack installation, network integration, and testing. Larger organisational disruption |
| Vendor lock-in | Narrower lock-in. Can still use other vendors for applications and infrastructure. Easier to unwind | Deeper lock-in. Vast portions of IT environment on one vendor's platform. Harder to exit but single-vendor simplicity |
| Scaling | Limited to the appliance's capacity. Adding more capability requires additional deployments | Scales within the region. Add racks as needed. Oracle manages capacity expansion |
Cloud@Customer has a lower entry point but can become expensive if multiple appliances are deployed over time to address expanding requirements. Dedicated Region has a higher initial commitment but may deliver better value per workload when running many services. The right calculation compares the 5-year TCO of deploying multiple Cloud@Customer appliances incrementally against the 5-year TCO of a Dedicated Region that absorbs all workloads from day one. Factor in staff costs (Dedicated Region reduces operational overhead), facility costs (power, cooling, space for multiple racks), and the opportunity cost of limitations (services unavailable on Cloud@Customer that would need alternative solutions). See our Oracle Contract Negotiation Service for independent pricing analysis.
To determine the right path, CIOs should evaluate four critical questions.
1. Are your requirements limited to databases or a few applications, or do you foresee broad adoption of cloud services on-premises? If narrow, Cloud@Customer is likely sufficient. If broad, Dedicated Region avoids the inefficiency of deploying multiple separate appliances.
2. Do you have the budget and long-term vision for a private cloud region? Dedicated Region requires $6M+ annual commitment and multi-year terms. This is justified only for large-scale transformation. If the budget is constrained or the cloud strategy is still evolving, Cloud@Customer provides a lower-risk entry point.
3. How important is complete autonomy with no external dependencies? If strict no-external-connectivity policies apply, Dedicated Region's fully local control plane is necessary. If some management connectivity to Oracle's cloud is acceptable, Cloud@Customer works.
4. Will a single-purpose solution meet long-term needs, or will you need additional capabilities over time? If expansion is likely, starting with Dedicated Region may be more efficient than adding Cloud@Customer appliances incrementally.
Both Cloud@Customer and Dedicated Region deliver cloud benefits on-premises. The decision is about choosing the vehicle that best fits the enterprise's scale, regulatory environment, budget, and strategic direction. Cloud@Customer is the right choice when the requirement is specific, bounded, and cost-sensitive. Dedicated Region is the right choice when the requirement is broad, sovereignty is paramount, and the organisation is ready to commit to Oracle as a strategic cloud platform. Neither is inherently better. The best choice depends entirely on the enterprise's circumstances. For independent advisory on Oracle cloud commercial terms, see our Oracle Contract Negotiation Service.
Oracle Cloud@Customer is a family of on-premises cloud services delivered as single-purpose systems installed in the customer's data centre. Exadata Cloud@Customer provides managed database services (including Autonomous Database) on Oracle Exadata hardware. Compute Cloud@Customer provides OCI compute and storage services for running VMs, containers, and middleware. Both are managed by Oracle but the data remains on-premises, meeting data residency requirements while delivering cloud subscription economics. See Cloud@Customer Pricing and Benefits for detailed pricing information.
Oracle Dedicated Region Cloud@Customer is a complete, isolated Oracle Cloud Infrastructure (OCI) region installed at the customer's site. It includes 100+ OCI services (IaaS, PaaS, and SaaS), a fully on-premises control plane with no external dependency, and the same hardware, software stack, SLAs, and APIs as Oracle's public cloud. It typically requires 3 to 12+ racks and a minimum commitment of approximately $6M+ per year on a multi-year term.
Cloud@Customer has a lower entry point: 1 rack with a 4-year term. Dedicated Region requires approximately $6M+ per year with a multi-year commitment. The right cost comparison is not entry point alone but 5-year total cost of ownership. Multiple Cloud@Customer appliances deployed over time can exceed the cost of a single Dedicated Region that absorbs all workloads. Factor in operational staff costs (Dedicated Region reduces overhead), facility costs, and the cost of workarounds for services unavailable on Cloud@Customer.
Yes. Both Cloud@Customer and Dedicated Region support Oracle's BYOL programme. You can apply existing on-premises Oracle licence entitlements to reduce cloud subscription costs. However, BYOL rules are complex and the conversion ratios between on-premises licence metrics (Processor, NUP) and cloud metrics (OCPU) require careful calculation. See How BYOL Works on Cloud@Customer for detailed mechanics.
Both keep data on-premises. Dedicated Region provides stricter sovereignty because the control plane and all metadata also remain on-premises. No system information or telemetry is sent to an external cloud. Cloud@Customer requires some management connectivity to Oracle's public cloud, meaning management metadata may transit external systems. For organisations with strict no-external-connectivity policies (defence, intelligence, central banking), Dedicated Region is the only option that satisfies complete sovereignty requirements.
Cloud@Customer typically deploys in weeks (single rack delivery and configuration). Dedicated Region takes months due to multi-rack installation, network integration, security configuration, and comprehensive testing. The longer deployment timeline for Dedicated Region reflects its significantly larger scope. CIOs should plan for 3 to 6 months or more for a Dedicated Region deployment, including site preparation, network readiness, and Oracle's installation and validation process.
Yes, but the transition involves significant replanning. Cloud@Customer and Dedicated Region are different deployment models with different architectures. Migrating workloads from Cloud@Customer to Dedicated Region requires planning, testing, and potential re-architecture. If broad cloud adoption on-premises is the likely long-term destination, starting directly with Dedicated Region may be more efficient than deploying Cloud@Customer appliances incrementally and later consolidating.
Cloud@Customer provides targeted services: Exadata Cloud@Customer delivers database services (including Autonomous Database), and Compute Cloud@Customer provides compute and storage. Dedicated Region provides 100+ OCI services including full IaaS (compute, storage, networking), full PaaS (database, middleware, containers, analytics), and even Oracle Fusion SaaS applications. See Which Oracle Software Can You Run on Cloud@Customer for the complete service matrix.
Redress Compliance provides independent Oracle cloud licensing advisory for enterprises evaluating Cloud@Customer, Dedicated Region, and hybrid OCI deployments. We analyse licensing implications, negotiate commercial terms, benchmark pricing, and ensure your cloud agreement is structured for long-term value.
Oracle Advisory ServicesCloud@Customer evaluation. Dedicated Region analysis. BYOL optimisation. Contract negotiation. 100% vendor-independent.