Oracle Cloud Crisis Migration: Keeping an SIS Alive When the Campus Isn't Reachable
Situation
In June 2025, the regional conflict with Iran escalated to the point where physical access to the American International School of Riyadh campus became unreliable. For most of the school's operations that was an inconvenience. For the technology stack, it was an existential problem. Our PowerSchool SIS — the system of record for 1,600+ students and 300+ staff — was running on-premises, in a server room on a campus we could not count on entering.
I run the whole technology organisation at AIS-R, and at that moment what was at risk was not abstract. Parents needed to see attendance and communication from the school during a period when families were anxious. Teachers needed grade entry and rostering to continue. Leadership needed to make decisions based on live enrolment data. If the SIS went dark, the school's ability to function as an institution went with it.
Two constraints shaped everything that followed. The first was the PowerSchool admin console itself was unavailable during the move — the very tool I would normally use to reconfigure a deployment at this scale was out of reach for parts of the window. The second was that I was executing this solo, remotely, with minimal staff and a narrow window in which network conditions were stable enough to push data out of the campus.
Action
I chose Oracle Cloud Infrastructure as the target. The decision was not ideological — it was driven by region (Jeddah OCI region with low latency to Riyadh), the commercial posture I could negotiate under time pressure, and the fact that OCI's networking primitives let me reproduce the on-prem topology closely enough that I would not have to redesign integrations mid-crisis.
I started with topology. I stood up a VCN in the Jeddah region with a public subnet for the load balancer and a private subnet for the SIS and database tiers. The OCI Load Balancer terminates TLS; the internal servers never see :443 directly. I provisioned compute to match the on-prem capacity profile and laid in a private endpoint so that later integrations (Odoo, ClassLink, Zenda) would attach to a stable internal address rather than a public one.
Data migration was the part I spent the most time thinking about. With the PowerSchool admin UI partially unavailable, I worked at the database and filesystem layer — snapshotting the on-prem instance during a quiet window, shipping the backup over a dedicated tunnel, and restoring into the OCI database tier. I validated by record counts per table and by spot-checking high-cardinality entities (students, sections, enrolments) rather than trusting a green log line.
The failover plan was dual-track. I kept the on-prem instance read-capable as long as network allowed, and I brought the OCI instance up in parallel in a staging posture. Once I had validated the restore, I cut DNS over to the OCI load balancer with a short TTL I had pre-lowered 48 hours earlier. That pre-lowering of TTL is the kind of small step that looks like nothing until the day you need propagation to happen in minutes.
The integration I was most worried about was SSO. ClassLink was the identity hub for students, staff, and parent portals. Re-plumbing SSO meant updating the SAML endpoints in ClassLink to point at the new PowerSchool URL, re-issuing the signing certificate on the OCI side, and testing the round-trip for each user class before announcing the cutover. I did that testing with a small group of administrators first, then teachers, then opened the gates.
Outcome
The cutover held. During the crisis window, SIS availability for parents, students, and staff remained at functional levels — teachers kept entering grades and attendance, parents continued to receive communications, and leadership retained live access to enrolment and rostering data. We did not lose a school day to the SIS being unreachable. The on-prem hardware became recoverable-at-leisure rather than a single point of failure we were staring at.
Downstream integrations — Odoo for finance and operations, ClassLink for identity, Zenda for payments — continued to resolve against the new endpoints within hours of the DNS cutover. The OCI footprint has since become the permanent home of the SIS, not a temporary hedge.
Lessons
If I had to give one lesson to another head of school or director of learning in the Gulf, it would be this: the question is not whether your SIS is backed up. The question is whether you can run your SIS without physical access to the building it lives in. In this region, that is not a paranoid question. The answer determines whether your school continues to function as an institution during a week you did not plan for.
On-prem is not a disaster recovery strategy. A cloud target you have already practiced cutting over to is.
The second, quieter lesson is about admin tooling. When the vendor's own admin console is unavailable, you need to be comfortable one layer down — at the database, the filesystem, the network. Schools that treat their SIS as a black box will find that the black box does not open on the day they need it to.