Oracle Cloud Infrastructure Architect
1Z0-932
Cloud Architect
Monitoring
APP Development
Networking
Storage
Connection Procedures
Servers
Who should Learn Cloud Computing?
Every IT Professional!
Cloud Computing Services
• Infrastructure-as-a-Service (IaaS)
• Provides virtualized infrastructure over the Internet
• Platform-as-a-Service (PaaS)
• Provides a platform to develop and run applications
• Software-as-a-Service (SaaS)
• Provides software on a subscription basis
Cloud Computing Services
(figure: each service layer mapped to its typical users: End Users, Software Developers, IT administrators)
On-Premise Vs Cloud
(figure: comparison of on-premise and cloud responsibilities)
Cloud Computing Deployment Models
• Public Cloud
• Private Cloud
• Hybrid Cloud
https://cloud.oracle.com
Oracle Cloud Services
Payment Plans
1. Pay As You Go
▪ Use and Pay
▪ billed on actual usage
▪ prepayment is not required
2. Monthly Flex
▪ Pay and Use
▪ fixed commitment of minimum 1 year
▪ has a minimum monthly charge
▪ Provides significant discounts
Oracle Universal Credit Pricing
OCPU
= one physical core of an Intel Xeon processor with hyper-threading enabled (two hardware threads)
or
= one physical core of an Oracle SPARC processor
Cost Estimator
• https://cloud.oracle.com/en_US/cost-estimator
Demo
1. Trial (Free)
2. Paid (Purchased)
Oracle Cloud Subscription - Trial
(screenshots: trial sign-up steps)
Signing into Oracle Cloud Account
(screenshot: enter your Cloud Account Name)
My Services Dashboard
(screenshot)
Introduction to Oracle Cloud Infrastructure (OCI)
What is Oracle Cloud Infrastructure?
• OCI - is a set of complementary cloud services that enable you to build and run
a wide range of applications and services in a highly available hosted
environment.
OCI Services
• Console
• The Console is an easy-to-use, browser-based interface.
• CLI
• The command line interface (CLI) provides both quick access and full functionality
without the need for programming
• Oracle Cloud Infrastructure APIs
• These APIs are typical REST APIs that use HTTPS requests and responses. The REST API
provides the most functionality, but requires programming expertise
• SDK
• The Oracle Cloud Infrastructure SDKs offer tools to interact with various services
without having to create a framework.
Authentication and Authorization
• You use different types of security credentials when you work with OCI:
• Console Password – used to log in to the Console
• API Signing Keys – an RSA key pair used to sign API requests; only the public key is
uploaded to your user, the private key stays on the client
• Instance SSH Keys – used to access a compute instance through an SSH client
• Auth Token – used to authenticate with third-party APIs that do not support OCI
signature-based authentication
Service Limits
• https://apexapps.oracle.com/pls/apex/f?p=44785:141:13069806071913::::P141_PAGE_ID,P141_SECTION_ID:521,3649
OCI Concepts & Terminology
Data Regions & Availability Domains
• OCI resources you create are scoped at one of three levels: global (across all
regions), regional (within a single region), or within a single Availability Domain
• Global resources – Compartments, API signing keys, Users, Groups, Policies…
• Regional resources – Buckets, images, load balancers, VCNs, security lists, route
tables, volume backups…
• Availability Domain specific resources – Subnets, Instances, DB Systems,
Volumes…
Resource Identifiers
Syntax:
ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>
Example:
ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f44n2b2m2yt2j6rx32uzr4h25vqstifsfdsq
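The OCID syntax above, parsed by an added example written for this page (it is not course material or part of an Oracle SDK). The tenancy OCID used in the demonstration is the one from the slide; the instance OCIDs are constructed samples, and the global/regional classification simply follows from whether the REGION field is empty:

```python
# Added example for this page (not from the course slides or an Oracle SDK): parse an
# OCID into the fields of  ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>
# and classify it as global or regional from whether the REGION field is empty.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ocid:
    version: str        # "ocid1"
    resource_type: str  # e.g. "tenancy", "compartment", "instance"
    realm: str          # e.g. "oc1"
    region: str         # "" for global resources, a region key such as "phx" otherwise
    future_use: str     # reserved field, empty today
    unique_id: str

    @property
    def scope(self) -> str:
        # Global resources (tenancy, users, groups, compartments, ...) carry no region.
        return "global" if self.region == "" else "regional"


def parse_ocid(text: str) -> Ocid:
    """Split an OCID string into its fields; raise ValueError if it is malformed."""
    parts = text.strip().split(".")
    # 5 fields: version.type.realm.region.uid   6 fields: version.type.realm.region.future.uid
    if len(parts) == 5:
        version, rtype, realm, region, uid = parts
        future = ""
    elif len(parts) == 6:
        version, rtype, realm, region, future, uid = parts
    else:
        raise ValueError(f"expected 5 or 6 dot-separated fields, got {len(parts)}")
    if version != "ocid1":
        raise ValueError(f"unsupported OCID version {version!r}")
    # Type, realm and unique id are mandatory lowercase alphanumerics; only
    # region and future-use may be empty.
    for name, value in (("resource type", rtype), ("realm", realm), ("unique id", uid)):
        if not value or not value.isalnum() or value != value.lower():
            raise ValueError(f"bad {name} field {value!r}")
    if region and not all(c.isalnum() or c == "-" for c in region):
        raise ValueError(f"bad region field {region!r}")
    return Ocid(version, rtype, realm, region, future, uid)


def is_valid_ocid(text: str) -> bool:
    """True if the string parses as an OCID, False otherwise."""
    try:
        parse_ocid(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The tenancy OCID is the one shown on the slide; the instance OCID is constructed.
    for sample in ("ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f44n2b2m2yt2j6rx32uzr4h25vqstifsfdsq",
                   "ocid1.instance.oc1.phx.abcdefghijklmnop1234"):
        o = parse_ocid(sample)
        print(f"{o.resource_type:10s} realm={o.realm} region={o.region or '-'} scope={o.scope}")
```

A parser like this is handy in policy and audit scripts: it lets you reject malformed identifiers before they reach an API call and tells you from the OCID alone whether a resource is a global IAM object or lives in a particular region.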
Resource Names in Policies
Example (a policy statement can refer to a group and a compartment by name rather than by OCID):
Allow group <GROUP NAME> to manage all-resources in compartment <COMPARTMENT NAME>
Resource Identifiers
• Display Name
• For most of the Oracle Cloud Infrastructure resources you create (other than those in
IAM), you can optionally assign a display name.
• It can be a friendly description or other information that helps you easily identify the
resource.
• The display name does not have to be unique, and you can change it whenever you
like.
• The Console shows the resource's display name along with its OCID.
Resource Tags
• Tagging allows you to define keys and values and associate them with
resources. You can then use the tags to help you organize and list resources
based on your business needs.
Identity and Access Management (IAM)
What is IAM?
• Resource
• Users
• Groups
• Compartments
• Tenancy
• Policy
• Home Region
Resource
• The cloud objects that your company's employees create and use when
interacting with Oracle Cloud Infrastructure
• Examples:
• compute instances
• block storage volumes
• virtual cloud networks (VCNs)
• subnets
• route tables
Tenancy
• The root compartment that contains all of your organization's Oracle Cloud
Infrastructure resources
• Oracle automatically creates your company's tenancy for you
• Directly within the Tenancy are your IAM entities (users, groups,
compartments, and some policies)
• You place the other types of cloud resources (e.g., instances, virtual networks,
block storage volumes, etc.) inside the compartments that you create
Tenancy & Compartments
(figure: the tenancy's root compartment containing the compartments you create and the PaaS services)
Home Region and Scope of IAM Resources
• When you sign up for Oracle Cloud Infrastructure, Oracle creates a tenancy for
you in one region. This is your home region.
• Home region is where your IAM resources reside.
• All IAM resources are global and available across all regions, but the master set
of definitions reside in a single region - the home region
• You must make changes to your IAM resources in your home region. The
changes will be automatically propagated to all regions
Managing IAM Resources
• Managing Regions
• Managing Tenancy
• Managing Compartments
• Managing Users
• Managing Groups
• Managing Policies
Managing Compartments - Demo
• Creating Compartments
• View Details of a Compartment
• Renaming a Compartment
• View contents of a Compartment
Managing Users - Demo
• Create User
• Add user to group
• Remove user from group
• Delete user
Managing Groups - Demo
• Create Group
• Add user to group
• Remove user from group
• Delete group
Managing Policies
Policies
• A policy is a document that specifies who can access which Oracle Cloud
Infrastructure resources your company has, and how
• A policy simply allows a group to work in certain ways with specific types
of resources in a particular compartment
• Policies are designed to allow access; there is no explicit "deny" when you write
a policy. Access is therefore the union of every matching statement across all
policies, and least privilege comes from narrowing the verb, the resource type
and the compartment in each statement
• A policy is attached to a single compartment (or to the tenancy)
Policy Syntax
Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
Subject
group <group_name> | group id <group_ocid> | dynamic-group <dynamic-group_name> | dynamic-group id <dynamic-group_ocid> | any-user
Verb
inspect | read | use | manage (each verb includes the access of the ones before it; manage is the broadest)
Resource Type
• An individual resource-type (e.g., vcns, subnets, instances, volumes, etc.)
• A family resource-type (e.g., virtual-network-family, instance-family, volume-family, etc.)
• all-resources: Covers all resources in the compartment (or tenancy).
Location
tenancy | compartment <compartment_name> | compartment id <compartment_ocid>
Conditions
• Syntax for a single condition: variable =|!= value
• Syntax for multiple conditions: any|all {<condition>,<condition>,...}
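The statement grammar above, turned into a parser plus a small least-privilege lint, as an added example for this page (not course material and not Oracle's policy engine). It only recognises the subject, verb, resource-type, location and optional where-clause forms listed on the slides; the group and compartment names in the demonstration are constructed, and the lint's idea of "over-broad" (any-user without a condition, manage all-resources, use/manage at tenancy scope) is this example's own reviewer heuristic, which follows from the fact that policies can only add access:

```python
# Added example for this page (not from the course slides or Oracle's policy engine):
# parse OCI policy statements of the form
#   Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
# and lint them for over-broad grants. Policies only allow and never deny, so every
# statement widens access; the lint flags the widest ones for review.
import re
from dataclasses import dataclass
from typing import List, Optional

VERBS = ("inspect", "read", "use", "manage")  # least to most access

_STATEMENT = re.compile(
    r"^\s*allow\s+"
    r"(?P<subject>any-user|(?:dynamic-group|group)\s+(?:id\s+)?\S+)\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[a-z0-9-]+)\s+"
    r"in\s+(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    subject_kind: str       # "group", "dynamic-group" or "any-user"
    subject: str            # group name or OCID ("" for any-user)
    subject_by_id: bool     # True when the subject was given as "... id <ocid>"
    verb: str
    resource_type: str
    location_kind: str      # "tenancy" or "compartment"
    location: str           # compartment name or OCID ("" for tenancy)
    location_by_id: bool
    condition: Optional[str]


def _split_ref(ref: str):
    # "group Admins" -> ("group", "Admins", False); "group id ocid1..." -> ("group", "ocid1...", True)
    words = ref.split()
    if len(words) == 3 and words[1].lower() == "id":
        return words[0].lower(), words[2], True
    return words[0].lower(), words[1], False


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; raise ValueError if it does not fit the grammar."""
    m = _STATEMENT.match(text)
    if not m:
        raise ValueError(f"not a valid policy statement: {text!r}")
    subj = m.group("subject")
    if subj.lower() == "any-user":
        s_kind, s_name, s_id = "any-user", "", False
    else:
        s_kind, s_name, s_id = _split_ref(subj)
    loc = m.group("location")
    if loc.lower() == "tenancy":
        l_kind, l_name, l_id = "tenancy", "", False
    else:
        l_kind, l_name, l_id = _split_ref(loc)
    return Statement(s_kind, s_name, s_id, m.group("verb").lower(),
                     m.group("resource").lower(), l_kind, l_name, l_id,
                     m.group("condition"))


def is_policy_statement(text: str) -> bool:
    return _STATEMENT.match(text) is not None


def lint(stmt: Statement) -> List[str]:
    """Return warnings for grants a least-privilege review would question."""
    warnings = []
    if stmt.subject_kind == "any-user" and not stmt.condition:
        warnings.append("any-user without a where clause grants every user in the tenancy")
    if stmt.verb == "manage" and stmt.resource_type == "all-resources":
        scope = "tenancy" if stmt.location_kind == "tenancy" else f"compartment {stmt.location}"
        warnings.append(f"manage all-resources in {scope} is full administrative control of that scope")
    elif stmt.location_kind == "tenancy" and stmt.verb in ("use", "manage"):
        warnings.append(f"{stmt.verb} {stmt.resource_type} in tenancy applies to every compartment; "
                        "consider scoping it to a compartment")
    return warnings


if __name__ == "__main__":
    # Constructed sample statements, not from any real tenancy.
    for line in ("Allow group Administrators to manage all-resources in tenancy",
                 "Allow group NetworkAdmins to manage virtual-network-family in compartment Prod",
                 "Allow group GroupAdmins to use users in tenancy where target.group.name != 'Administrators'"):
        s = parse_statement(line)
        print(f"{s.verb:7s} {s.resource_type:24s} {s.location_kind:12s} -> {lint(s) or 'ok'}")
```

Run the lint over every statement before it is created (for example in a CI check on the file of policies you keep in source control); because there is no deny, one flagged statement anywhere in the tenancy cannot be compensated for elsewhere and has to be narrowed at its source.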
Managing Policies - Demo
• Create Policy
• Listing the policies
• Updating the Policy
• Deleting Policy
Virtual Cloud Network (VCN)
What is VCN?
Allowed VCN Size and Address Ranges
Subnets
• Subdivisions of a VCN
• Each subnet resides in a single Availability Domain
• Can be public or private
Internet Gateway
• An optional virtual router that you can add to your VCN to provide a path for
network traffic between your VCN and the Internet
Dynamic Routing Gateway (DRG)
• An optional virtual router that you can add to your VCN to provide a path
for private network traffic between your VCN and on-premises network
• You can use it with other Networking components and a router in your on-
premises network to establish a connection via IPSec VPN or Oracle Cloud
Infrastructure FastConnect.
• It can also provide a path for private network traffic between your VCN and
another VCN in a different region
Service Gateway
• An optional virtual router that you can add to your VCN to provide a path
for private network traffic between your VCN and a Public Oracle Cloud
Infrastructure service such as Object Storage.
• For example:
DB Systems in a private subnet in your VCN can back up data to Object Storage without
needing public IP addresses or access to the internet
Local Peering Gateway
• An optional virtual router that you can add to your VCN to provide a path
for private network traffic between your VCN and another VCN in the same
region.
Remote Peering Connection
• A component that you can add to a DRG to provide a path for private network
traffic between your VCN and another VCN in a different region.
Security Lists
• Virtual firewall rules for your VCN that control traffic at the packet level
• Provide ingress and egress rules that specify the types of traffic allowed in and
out of the instances
• A packet is allowed if any rule in any of the subnet's security lists allows it;
one over-broad rule in any attached list opens that traffic for every instance
in the subnet
• Configured at the subnet level, which means that all instances in a given subnet
are subject to the same set of rules
• Each VCN has a default security list.
• A subnet automatically has the default security list associated with it if you
don't specify a security list
• Each subnet can have multiple security lists associated with it, and each list can
have multiple rules
Security Lists
• After you create a subnet, you can't change the security lists associated with it.
However, you can change the rules in the lists.
• Security lists are regional entities
• Security lists are not enforced for traffic involving the 169.254.0.0/16 CIDR
block, which includes services such as iSCSI and instance metadata.
Stateful Vs Stateless Rules
• When you create a security list rule, you choose whether it’s a stateful or
stateless rule.
• Stateful
• when an instance receives traffic matching the stateful ingress rule, the response is
tracked and automatically allowed back to the originating host, regardless of any
egress rules applicable to the instance and vice versa.
• Stateless
• response traffic is not automatically allowed. To allow the response traffic for a
stateless ingress rule, you must create a corresponding stateless egress rule.
• Default is Stateful
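The evaluation rules from the last three slides (any matching rule in any attached list allows the packet, stateful rules admit the reply without an egress rule, stateless rules do not, and 169.254.0.0/16 is never filtered) as a runnable model. This is an added example for this page, not Oracle's data-path code; the instance and client addresses, ports and rules are constructed, and the model deliberately ignores source-port ranges and ICMP type/code matching:

```python
# Added example for this page (not from the course slides or Oracle's data path):
# a model of how a subnet's security list rules decide a packet, including the
# stateful/stateless difference and the 169.254.0.0/16 exemption.
# All addresses, ports and rules in the demo are constructed sample data.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # iSCSI, instance metadata: never filtered


@dataclass(frozen=True)
class Packet:
    direction: str   # "ingress" (towards the instance) or "egress" (from the instance)
    protocol: str    # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str                    # "tcp", "udp", "icmp" or "all"
    cidr: str                        # source CIDR for ingress, destination CIDR for egress
    port_min: Optional[int] = None   # destination port range; None = all ports
    port_max: Optional[int] = None
    stateless: bool = False          # a new rule is stateful unless you say otherwise

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.protocol != "all" and self.protocol != pkt.protocol:
            return False
        peer = pkt.src_ip if pkt.direction == "ingress" else pkt.dst_ip
        if ipaddress.ip_address(peer) not in ipaddress.ip_network(self.cidr):
            return False
        if self.port_min is not None:
            if pkt.dst_port is None or not (self.port_min <= pkt.dst_port <= self.port_max):
                return False
        return True


@dataclass
class SecurityList:
    name: str
    rules: List[Rule] = field(default_factory=list)


FlowKey = Tuple[str, str, Optional[int], str, Optional[int]]


def _flow(pkt: Packet) -> FlowKey:
    return (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def _reverse_flow(pkt: Packet) -> FlowKey:
    # The reply to a flow swaps source and destination.
    return (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def is_allowed(pkt: Packet, lists: List[SecurityList], tracked: Set[FlowKey]) -> bool:
    """Decide one packet for a subnet with the given security lists.

    `tracked` holds flows admitted by a stateful rule; a packet that is the reply
    to a tracked flow is allowed regardless of the rules in its own direction.
    """
    if (ipaddress.ip_address(pkt.src_ip) in LINK_LOCAL
            or ipaddress.ip_address(pkt.dst_ip) in LINK_LOCAL):
        return True
    if _reverse_flow(pkt) in tracked:
        return True
    # Any matching rule in any attached list allows the packet.
    for sl in lists:
        for rule in sl.rules:
            if rule.matches(pkt):
                if not rule.stateless:
                    tracked.add(_flow(pkt))
                return True
    return False


if __name__ == "__main__":
    ssh_in = Packet("ingress", "tcp", "203.0.113.5", "10.0.0.5", 40000, 22)
    ssh_reply = Packet("egress", "tcp", "10.0.0.5", "203.0.113.5", 22, 40000)
    stateful = [SecurityList("web", [Rule("ingress", "tcp", "0.0.0.0/0", 22, 22)])]
    stateless = [SecurityList("web", [Rule("ingress", "tcp", "0.0.0.0/0", 22, 22, stateless=True)])]
    print("stateful : request", is_allowed(ssh_in, stateful, t := set()), "reply", is_allowed(ssh_reply, stateful, t))
    print("stateless: request", is_allowed(ssh_in, stateless, t := set()), "reply", is_allowed(ssh_reply, stateless, t))
```

The two things the model makes visible are the ones that bite in practice: a stateless ingress rule silently breaks the service until a matching stateless egress rule for the ephemeral port range exists, and a second, forgotten security list with an "all protocols from 0.0.0.0/0" rule makes the carefully written first list irrelevant.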
Route Tables
• A VCN uses route tables to send traffic out of the VCN (for example, to the
internet or to your on-premises network)
• When routing traffic, Oracle uses a subnet's route table only if the destination
IP address is not within the VCN's CIDR block.
• No route rules are required in order to enable traffic within the VCN itself.
• If there is no route rule that matches the network traffic you intend to route
outside the VCN, the traffic is dropped (blackholed).
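The routing rules just listed as a lookup function, written as an added example for this page (not course material or Oracle's routing code). The VCN CIDR, route rules and probe addresses are constructed; the one thing the example assumes beyond the slide is that when several rules cover a destination the most specific prefix wins, as on a conventional router:

```python
# Added example for this page (not from the course slides or Oracle's routing code):
# route lookup for traffic leaving an instance. Destinations inside the VCN CIDR never
# consult the route table, otherwise the most specific matching rule is used (an
# assumption of this model), and with no matching rule the traffic is blackholed.
# All CIDRs, targets and probe addresses are sample data.
import ipaddress
from typing import Dict, List, Optional, Tuple

RouteRule = Tuple[str, str]  # (destination CIDR, target such as "internet-gateway" or "drg")

LOCAL = "local"  # delivered inside the VCN without any route rule


def next_hop(dst_ip: str, vcn_cidr: str, route_rules: List[RouteRule]) -> Optional[str]:
    """Return the target for dst_ip, LOCAL for intra-VCN traffic, or None if blackholed."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in ipaddress.ip_network(vcn_cidr):
        return LOCAL
    best: Optional[Tuple[int, str]] = None
    for cidr, target in route_rules:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None


def audit_route_table(vcn_cidr: str, route_rules: List[RouteRule],
                      probes: List[str]) -> Dict[str, Optional[str]]:
    """Map each probe destination to where it would go.

    Useful for checking that a private subnet's table has no path to an internet
    gateway and that the on-premises range really goes to the DRG.
    """
    return {ip: next_hop(ip, vcn_cidr, route_rules) for ip in probes}


if __name__ == "__main__":
    vcn = "10.0.0.0/16"
    public_table = [("0.0.0.0/0", "internet-gateway"), ("192.168.0.0/16", "drg")]
    private_table = [("192.168.0.0/16", "drg")]
    probes = ["10.0.1.7", "192.168.5.5", "8.8.8.8"]
    print("public :", audit_route_table(vcn, public_table, probes))
    print("private:", audit_route_table(vcn, private_table, probes))
```

For the private-subnet table the probe to 8.8.8.8 comes back as None, which is the blackhole behaviour described above and exactly what you want for a subnet that must not reach the internet.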
Virtual Network Interface Cards (VNICs)
• Each instance has a primary VNIC that's created during instance launch and
cannot be removed.
• You can add secondary VNICs to an existing instance
• Every VNIC has a private IP address from the associated subnet's CIDR
• The private IP address does not change during the lifetime of the instance and
cannot be removed. You can also add secondary private IPs to a VNIC.
How IP Addresses are Assigned?
• If the VNIC is in a public subnet, then each private IP on that VNIC can have
a public IP assigned to it at your discretion.
• There are two types of public IPs: ephemeral and reserved.
• An ephemeral public IP exists only for the lifetime of the private IP it's assigned
to.
• A reserved public IP exists as long as you want it to. You maintain a pool of
reserved public IPs and allocate them to your instances at your discretion. You
can move them from resource to resource in a region as you need to
Connectivity Choices
• Access to Internet
• Access to Public OCI Services
• Access to on-premises Network
• Access to another VCN
• Connection to Cloud Infrastructure Classic
• Connection to other Clouds with Libreswan
Typical Networking Scenarios
• Public Subnets
• Private Subnets with an IPSec VPN
• Public and Private Subnets
Public Subnets
Private Subnets with a VPN
Public and Private Subnets with a VPN
Compute Service
Overview of Compute Service
• Oracle Cloud Infrastructure Compute Service lets you provision and manage
compute hosts, known as Instances
• OCI offers two types of Instances
• Bare Metal Instances
• Virtual Machine Instances
Bare Metal Instance
• A bare metal compute instance gives you dedicated physical server access for
highest performance and strong isolation
Virtual Machine Instance
Instance Components
• Image
• A template of a virtual hard drive that determines the operating system and other
software for an instance.
• OCI uses images to launch Instances
• You can use Oracle provided Images or create your own custom images
• Compute Shape
• A template that determines the number of CPUs, amount of memory, and other
resources allocated to a newly created instance
• Key Pair (for Linux Instances)
• A security mechanism required for Secure Shell (SSH) access to an instance. Before
you launch an instance, you need at least one key pair. Only the public key is
given to OCI (it is placed in the instance's ssh_authorized_keys metadata); the
private key stays on the client.
Boot Volumes
• A volume device that contains the image used to boot a Compute instance.
• When you launch a virtual machine (VM) or bare metal instance, a new boot
volume for the instance is created in the same compartment. That boot volume
is associated with that instance until you terminate the instance.
• When you terminate the instance, you can preserve the boot volume and its
data
• Boot volumes are encrypted by default, same as other block storage volumes
• When you launch an instance you can specify whether to use the selected
image's default boot volume size, or you can specify a custom size up to 32 TB
• You can't change the boot volume size after launching an Instance.
• When you launch a VM or bare metal instance from an Oracle-provided or custom
image with a custom boot volume size, the extra space is not usable until you
extend the root (Linux-based images) or system (Windows-based images)
partition inside the OS.
Volume Attachment Types
• iSCSI – the volume is attached over the iSCSI protocol and you run iSCSI
commands inside the instance OS to connect it
• Paravirtualized – the hypervisor attaches the volume to the instance and no
extra commands are needed inside the OS
• The trade-off is that IOPS performance for iSCSI attachments is greater than
that for paravirtualized attachments, so you need to consider your
requirements when selecting a volume's attachment type.
Block Volumes
• Volumes are only accessible to instances in the same availability domain
• Block Volume uses the Advanced Encryption Standard (AES) algorithm with a 256-bit
key for encryption. Block volumes are encrypted at rest. Backups are also
encrypted.
• Block volumes can be created in sizes ranging from 50 GB to 32 TB in 1
GB increments. By default, Block Volume volumes are 1 TB.
• You can attach up to 32 volumes per instance
Instance Metadata - Linux
• After you connect to an instance using SSH, issue any of the following GET
requests. You get back, respectively, all of the instance information, only the
custom metadata, or only the custom metadata for the specified key name:
• curl -L http://169.254.169.254/opc/v1/instance/
• curl -L http://169.254.169.254/opc/v1/instance/metadata/
• curl -L http://169.254.169.254/opc/v1/instance/metadata/<key-name>
In the example, <key-name> is ssh_authorized_keys, user_data, or any custom key name that you provided
when you launched the instance.
• The metadata endpoint answers any process on the instance without credentials,
so treat anything you put in user_data or a custom key as readable by every
workload on that host.
Instance Metadata - Windows
• After you connect to a Windows instance, you can open an Internet browser
such as Microsoft Edge or Internet Explorer, Google Chrome, or Mozilla Firefox,
and then navigate to the following URLs:
• http://169.254.169.254/opc/v1/instance/
• http://169.254.169.254/opc/v1/instance/metadata/
• http://169.254.169.254/opc/v1/instance/metadata/<key-name>
Stopping and Starting an Instance
• In addition to using the API and Console, you can stop and restart instances
using the commands available in the operating system when you are logged in
to the instance. Stopping an instance from within the instance does not stop
billing for that instance. If you stop an instance this way be sure to also stop it
from the Console or API.
Object Storage
Overview of Object Storage
• Some of the ways that you can use Object Storage include:
• Big Data/Hadoop
• as the primary data repository for big data.
• Object Storage offers a scalable storage platform that lets you store large data sets
and operate seamlessly on those data sets.
• The HDFS connector provides connectivity to various big data analytic engines like
Apache Spark and MapReduce. This connectivity enables the analytics engines to
work directly with data stored in Object Storage
• Backup/Archive
• You can use Object Storage to preserve backup and archive data that must be stored
for an extended duration to adhere to various compliance mandates.
Use cases for Object Storage
• Content Repository
• You can use Object Storage as your primary content repository for data, images, logs,
and video. You can reliably store and preserve this data for a long time, as well as
serve this content directly from Object Storage. The storage scales as your data
storage needs scale.
• Log Data
• You can use Object Storage to preserve application log data so that you can
retroactively analyze this data to determine usage pattern and/or debug issues
Object Storage Features
• Strong Consistency
• When a read request is made, Object Storage always serves the most recent copy of
the data that was written to the system.
• Durability
• Object Storage is a regional service and is available across all the availability
domains within a region.
• Data is stored redundantly across multiple storage servers and across
multiple availability domains.
• Object Storage actively monitors data integrity using checksums and automatically
detects and repairs corrupt data.
• Object Storage actively monitors and ensures data redundancy. If a redundancy loss is
detected, Object Storage automatically creates additional data copies.
Object Storage Features
• Encryption
• Object Storage employs 256-bit Advanced Encryption Standard (AES-256) to encrypt
object data on the server.
• Each object is encrypted with its own key. Object keys are encrypted with a master
encryption key that is frequently rotated.
• Encryption is enabled by default and cannot be turned off.
Object Storage Resources
• Object
• Any type of data, regardless of content type, is stored as an object. The object is
composed of the object itself and metadata about the object. Each object is stored in
a bucket.
• You can't edit or append data to an object, but you can replace the entire object
• You can use the Console to upload objects up to 5 GiB in size.
• You can use the CLI or API to upload objects up to 10 TiB in size.
• Bucket
• A logical container for storing objects.
• A bucket is associated with a single compartment that has policies that determine
what actions a user can perform on a bucket and on all the objects in the bucket.
• Bucket names must be unique within your tenancy
Object Storage Resources
• Namespace
• A logical entity that serves as a top-level container for all buckets and objects,
• Each tenancy is provided one unique and uneditable Object Storage namespace that
is global, spanning all compartments and regions.
Storage Tiers
• When you create a bucket, you also decide which tier is appropriate for object
storage:
• Standard - for data to which you need fast, immediate, and frequent access.
• Archive - for data to which you seldom or rarely access but that must be
retained and preserved for long periods of time
Data Transfer Service
• Data Transfer Service allows you to transfer data offline to Oracle Cloud
Infrastructure.
• Easy to use
• Faster data uploads compared to over-the-wire data transfer.
• Moving data over the public internet is not always feasible due to high network
costs, unreliable network connectivity, long transfer times, and security
concerns.
Data Transfer Disk
• You send your data as files on encrypted commodity hard disk drives to an
Oracle transfer site.
• Operators at the Oracle transfer site upload the files into your
designated Object Storage bucket in your tenancy.
• This transfer solution requires you to source and purchase the disks used to
transfer data to Oracle Cloud Infrastructure.
• The disks are shipped back to you after the data is successfully uploaded.
Data Transfer Utility
• The Data Transfer Utility is the command-line software that Oracle provides for
you to prepare transfer disks/appliances for your data and for shipment to
Oracle
Load Balancing
Overview of Load Balancing
• The Load Balancing service enables you to create a public or private load
balancer within your VCN.
• A public load balancer has a public IP address that is accessible from the
internet.
• A private load balancer has an IP address from the hosting subnet, which is
visible only within your VCN.
Public Load Balancer
• To accept traffic from the internet, you create a public load balancer.
• The service assigns it a public IP address that serves as the entry point for incoming
traffic.
• A public load balancer is regional in scope and requires two public subnets, each in a
separate availability domain. You cannot specify a private subnet for your public load
balancer
• One subnet hosts the primary load balancer and the other hosts a standby load
balancer to ensure accessibility even during an availability domain outage.
• Each load balancer requires one private IP address from its host subnet.
• The Load Balancing service attaches a floating public IP address to one of the specified
subnets.
• If there is a failure in that subnet's availability domain, the load balancer and public IP
address switch to the other subnet
Private Load Balancer
• To isolate your load balancer from the internet and simplify your security posture, you
can create a private load balancer.
• The Load Balancing service assigns it a private IP address that serves as the entry point
for incoming traffic.
• When you create a private load balancer, the service requires only one private subnet to
host both the primary and standby load balancers.
• The assigned floating private IP address is local to the specified subnet.
• The load balancer is accessible only from within the VCN that contains the associated
subnet, or as further restricted by your security list rules.
• A private load balancer is local to the availability domain that contains the hosting
subnet
• If there is an availability domain outage, the load balancer has no failover.
Load Balancing Concepts
• Backend Server
• An application server responsible for generating content in reply to the incoming TCP
or HTTP traffic
• Backend Set
• A logical entity defined by a list of backend servers, a load balancing policy, and a
health check policy. The backend set determines how the load balancer directs traffic
to the collection of backend servers.
• Health Checks
• A test to confirm the availability of backend servers.
• If a server fails the health check, the load balancer takes the server temporarily out of
rotation. If the server subsequently passes the health check, the load balancer returns
it to the rotation.
Load Balancing Concepts
• Listener
• A logical entity that checks for incoming traffic on the load balancer's IP address. You
configure a listener's protocol and port number
• Load Balancing Policy
• A load balancing policy tells the load balancer how to distribute incoming
traffic to the backend servers – Round robin, Least Connections, IP Hash
Database Service
• DB Systems
• Bare Metal and Virtual Machine DB Systems
• Exadata DB Systems
• Autonomous Databases
• Autonomous Transaction Processing
• Autonomous Data Warehouse
License Types
• Oracle Cloud Infrastructure supports a licensing model with two license types:
• License Included - the cost of the cloud service includes a license for
the Database service
• Bring Your Own License (BYOL) - Oracle Database customers with an Unlimited
License Agreement or Non-Unlimited License Agreement can use their license
with Oracle Cloud Infrastructure. You do not need separate on-premises
licenses and cloud licenses
Supported Editions and Versions
• Exadata DB Systems
• Exadata DB systems require Enterprise Edition - Extreme Performance
• Exadata DB systems support the following software releases:
• Oracle Database 18c Release 1 (18.0)
• Oracle Database 12c Release 2 (12.2)
• Oracle Database 12c Release 1 (12.1)
• Oracle Database 11g Release 2 (11.2)
Managing DB Systems - Demo
• Launch DB system
• Check the status of DB system
• Start, stop, reboot of DB system
• Connecting to DB system
• Updating the OS of DB system (Kernel Updates)
• Patching DB system
• Monitoring a Database – using EM Express or EM DB Control
• Backup, Recovery
Domain Name System (DNS)
What is DNS Service?
• The Oracle Cloud Infrastructure Domain Name System (DNS) service lets
you create and manage your DNS zones.
• You can create zones, add records to zones, and allow Oracle Cloud
Infrastructure's edge network to handle your domain's DNS queries.
DNS Components
• Domain
• Domain names identify a specific location or group of locations on the Internet as a
whole
• Zone
• A zone is a portion of the DNS namespace. A Start of Authority record (SOA) defines a
zone.
• Resource Records
• A record contains specific domain information for a zone. Each record type contains
information called record data (RDATA)
Working of DNS
OCI CLI
OCI CLI
• The command line interface (CLI) is a tool that enables you to work with Oracle
Cloud Infrastructure objects and services
• The CLI provides the same core functionality as the Console, plus additional
commands. Some of these commands, such as the ability to run scripts, extend
the Console's functionality.
CLI Architecture
• The CLI is built on Python (version 2.7.5 or 3.5 or later), running on Mac,
Windows, or Linux
• The Python code makes calls to Oracle Cloud Infrastructure APIs to provide the
functionality implemented for the various services.
Installing CLI – using the CLI Installer
• The installer uses a script to install the CLI and the programs it requires.
Using OCI CLI - Examples
• List regions
• oci iam region list
• oci iam region list --output table
• List compartments in the tenancy
• oci iam compartment list -c <TENANCY-OCID>
• List users in the root compartment (the root compartment's OCID is the tenancy OCID)
• oci iam user list -c <ROOT-COMPARTMENT-OCID>