
Oracle Cloud Infrastructure Architect

1Z0-932
Cloud Architect

• Has good understanding of cloud computing concepts
• Knows all components of Cloud Infrastructure
• Builds highly resilient infrastructure in cloud
• Translates on-premises infrastructure to cloud based infrastructure
• Is responsible for architecting cloud solutions

Overview of Cloud Computing
From Probable to Inevitable!
Traditional Model – On-Premise Model
What is Cloud Computing?

Cloud Computing refers to the on-demand delivery of IT resources over the Internet with a pay-as-you-go model
How does Cloud Computing work?

• Cloud vendors like Oracle, AWS and Microsoft provide IT resources on rent
• You access and use IT resources over the Internet and pay for usage
• The cloud vendor maintains and manages the IT resources
Benefits of Cloud Computing
What is Different?

• Monitoring
• APP Development
• Networking
• Storage
• Connection Procedures
• Servers
Who should Learn Cloud Computing?

Every IT Professional!
Cloud Computing Services

• Infrastructure-as-a-Service (IaaS)
  • Provides virtualized infrastructure over the Internet
• Platform-as-a-Service (PaaS)
  • Provides a platform for application development and run
• Software-as-a-Service (SaaS)
  • Provides software on a subscription basis
Cloud Computing Services

(diagram: the three service models and their consumers, labelled End Users, Software Developers and IT administrators)
On-Premise Vs Cloud

• On-Premise
  • Owned and Operated by You
  • Single Tenant
• Cloud
  • Owned and Operated by Vendor
  • Multi Tenant
Cloud Computing Deployment Models

• Public Cloud
• Private Cloud
• Hybrid Cloud
Public Cloud Vendors
Overview of Oracle Cloud Services
About Oracle Cloud

• Oracle Cloud is a Public Cloud Platform that provides services across
  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)

https://cloud.oracle.com
Oracle Cloud Services
Payment Plans

1. Pay As You Go
▪ Use and Pay
▪ billed on actual usage
▪ prepayment is not required
2. Monthly Flex
▪ Pay and Use
▪ fixed commitment of minimum 1 year
▪ has a minimum monthly charge
▪ Provides significant discounts
Oracle Universal Credit Pricing

• Oracle Universal Credit Pricing: https://cloud.oracle.com/en_US/ucpricing
• OCPU = one physical core of an Intel Xeon processor with hyper-threading enabled, or one physical core of an Oracle SPARC processor
Cost Estimator

• https://cloud.oracle.com/en_US/cost-estimator
Demo

• Estimating Monthly Cost for Oracle Database Cloud Service


Oracle Cloud Subscription

1. Trial (Free)
2. Paid (Purchased)
Oracle Cloud Subscription - Trial

• 30-day validity with US $300 free credits
• Can use up to 30 days or till expiration of free credits - whichever comes first
• Applies to eligible services under IaaS & PaaS
• Upgrade to a Paid account at any time during the promotion period or within 7 days of the promotion expiration.
Oracle Cloud Subscription - Paid
Signing up for Trial Cloud Account

For China, Hong Kong, Japan, South Korea, Malaysia, Philippines, Thailand and Vietnam, pick North America as the Default Data Region.

For India, Maldives and Pakistan, pick EMEA as the Default Data Region.
Getting Started with Oracle Cloud Services
Signing into Oracle Cloud Account

(screenshot: sign-in steps 1 to 4; enter your Cloud Account Name)
My Services Dashboard

• Oracle's My Services dashboard is a place to check the overall status of your purchased services and manage your accounts or subscriptions, including Oracle Cloud Infrastructure
Viewing Available Services
Customizing Dashboard
Setting Notification Preferences
Setting Language and Time zone Preferences
Introduction to Oracle Cloud Infrastructure (OCI)
What is Oracle Cloud Infrastructure?

• OCI is a set of complementary cloud services that enable you to build and run a wide range of applications and services in a highly available hosted environment.
OCI Services

• Archive Storage
• Audit
• Block Volume
• Compute
• Container Engine
• Data Transfer
• Database
• DNS
• Email Delivery
• File Storage
• IAM
• Internet Intelligence
• Load Balancing
• Networking
• Object Storage
• Registry
• Search
• Storage Gateway
OCI Architecture
Accessing OCI Services

• Console
  • The Console is an easy-to-use, browser-based interface.
• CLI
  • The command line interface (CLI) provides both quick access and full functionality without the need for programming.
• Oracle Cloud Infrastructure APIs
  • These APIs are typical REST APIs that use HTTPS requests and responses. The REST API provides the most functionality, but requires programming expertise.
• SDK
  • The Oracle Cloud Infrastructure SDKs offer tools to interact with various services without having to create a framework.
Authentication and Authorization

• Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (Console, CLI, SDK, and API).
• An administrator in your organization needs to set up Groups, Compartments, and Policies that control which users can access which services, which resources, and the type of access.
Security Credentials

• You use different types of security credentials when you work with OCI
  • Console Password – used to log in to the Console
  • API Signing Keys – used to sign API requests
  • Instance SSH Keys – used to access a compute instance through an SSH client
  • Auth Token – used to authenticate with third-party APIs that do not support OCI signature-based authentication
Service Limits

• The service limit is the quota or allowance set on a resource
• When you sign up for Oracle Cloud Infrastructure, a set of service limits is configured for your tenancy
• You can request to raise a service limit
• Some limits cannot be raised
Getting Started with Oracle Cloud Infrastructure
Accessing OCI Console

1. cloud.oracle.com → my cloud services → my home → OCI
2. https://console.us-ashburn-1.oraclecloud.com
Overview of OCI Services

• https://apexapps.oracle.com/pls/apex/f?p=44785:141:13069806071913::::P141_PAGE_ID,P141_SECTION_ID:521,3649
OCI Concepts & Terminology
Data Regions & Availability Domains

• Oracle Cloud Infrastructure is hosted in Data Regions and Availability Domains
  (* Announced plans for 12 more new Data Regions)
• A Data Region is a geographic area, and an Availability Domain is one or more Data Centers located within a Region
• Regions are completely independent of other regions and can be separated by vast distances—across countries or even continents.
• Each Data Region has at least 3 fault-independent Availability Domains
• Each Availability Domain contains an independent Data Center with power, cooling and network isolation
• Availability Domains are interconnected with a low-latency and high-bandwidth interconnect
Fault Domain

• A fault domain is a grouping of hardware and infrastructure within an availability domain.
• Fault domains let you distribute your instances so that they are not on the same physical hardware within a single availability domain.
• A hardware failure or Compute hardware maintenance that affects one fault domain does not affect instances in other fault domains
• When carrying out maintenance on the underlying compute hardware, Oracle Cloud Infrastructure ensures that only a single fault domain is impacted at one time to guarantee availability of your instances in the remaining fault domains.
• Each availability domain contains three fault domains.
Resource Availability

• OCI resources that you create may be global across regions, within a single region, or within a single Availability Domain
• Global resources – Compartments, API signing keys, Users, Groups, Policies, …
• Regional resources – Buckets, images, load balancers, VCNs, security lists, route tables, volume backups, …
• Availability Domain specific resources – Subnets, Instances, DB Systems, Volumes, …
Resource Identifiers

• OCI resources can be identified in several ways
• Oracle Cloud IDs (OCID)
  • Every Oracle Cloud Infrastructure resource has an Oracle-assigned unique ID called an Oracle Cloud Identifier (OCID)

Syntax:
ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>

Example:
ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f44n2b2m2yt2j6rx32uzr4h25vqstifsfdsq
Resource Identifiers

• Name and Description (IAM only)
  • The IAM service requires you to assign a unique, unchangeable name to each of your IAM resources (users, groups, policies, and compartments)
  • You can use these names instead of the OCID when writing a policy

Example:
Allow group <GROUP NAME> to manage all-resources in compartment <COMPARTMENT NAME>
Resource Identifiers

• Display Name
• For most of the Oracle Cloud Infrastructure resources you create (other than those in
IAM), you can optionally assign a display name.
• It can be a friendly description or other information that helps you easily identify the
resource.
• The display name does not have to be unique, and you can change it whenever you
like.
• The Console shows the resource's display name along with its OCID.
Resource Tags

• Tagging allows you to define keys and values and associate them with
resources. You can then use the tags to help you organize and list resources
based on your business needs.
Identity and Access Management (IAM)
What is IAM?

• Oracle Cloud Infrastructure Identity and Access Management (IAM) lets you control who has access to your cloud resources.
• With IAM, you can control what type of access a group of users have and to which specific resources.
IAM Workflow

• In general, here's the process an IAM administrator in your organization needs to follow:
  1. Define users, groups, and one or more compartments to hold the cloud resources for your organization.
  2. Create one or more policies, each written in the policy language.
  3. Place users into the appropriate groups depending on the compartments and resources they need to work with.
  4. Provide the users with the one-time passwords that they need in order to access the Console and work with the compartments.
Authentication and Authorization

• Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).
• An Administrator in your organization needs to set up Groups, Compartments, and Policies that control which users can access which services, which resources, and the type of access.
• Policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc.
• To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.
Components of IAM

• Resource
• Users
• Groups
• Compartments
• Tenancy
• Policy
• Home Region
Resource

• The cloud objects that your company's employees create and use when
interacting with Oracle Cloud Infrastructure
• Examples:
• compute instances
• block storage volumes
• virtual cloud networks (VCNs)
• subnets
• route tables
Users

• User – an individual employee or system that needs to manage or use your company's Oracle Cloud Infrastructure resources like Instances, Storage Volumes, VCNs, etc.
• Users have one or more IAM credentials
• Users have one or more IAM credentials
Groups

• Group – a collection of users who all need the same type of access to a particular set of resources or compartment
Compartment

• A collection of related resources.
• Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating your cloud resources.
• You use compartments to clearly separate resources for the purposes of measuring usage and billing, access, and isolation (separating the resources for one project or business unit from another)
• The administrator will create compartments and corresponding IAM policies to control which users in your organization have access to which compartments
Tenancy

• The root compartment that contains all of your organization's Oracle Cloud
Infrastructure resources
• Oracle automatically creates your company's tenancy for you
• Directly within the Tenancy are your IAM entities (users, groups,
compartments, and some policies)
• You place the other types of cloud resources (e.g., instances, virtual networks,
block storage volumes, etc.) inside the compartments that you create
Tenancy & Compartments

(diagram: Oracle Public Cloud hosting Company A Tenancy and Company B Tenancy; within each tenancy the Root compartment holds compartments such as Dev, Test and PROD alongside the PaaS Services compartment)
Resources Created in Your Tenancy by Oracle

• Oracle automatically creates a compartment named ManagedCompartmentForPaaS in your tenancy for the Oracle Cloud Infrastructure resources that you create through the Platform Services.
• You can't choose another compartment for Oracle to use.
• Oracle also creates the following IAM policies to allow Oracle Platform Services access to the resources.
  • PSM-root-policy – attached to the root compartment of your tenancy.
  • PSM-mgd-comp-policy – attached to the ManagedCompartmentForPaaS compartment
Policy

• A policy is a document that specifies who can access which OCI resources and how
• A policy simply allows a group to work in certain ways with specific types of resources in a particular compartment
• Access is granted at the group and compartment level
• You can write policies to control access to all of the services within OCI
Home Region

• When you sign up for Oracle Cloud Infrastructure, Oracle creates a tenancy for
you in one region. This is your home region.
• Home region is where your IAM resources reside.
• All IAM resources are global and available across all regions, but the master set
of definitions reside in a single region - the home region
• You must make changes to your IAM resources in your home region. The
changes will be automatically propagated to all regions
Scope of IAM Resources

• Users, groups, dynamic groups, federation providers, and compartments reside in the Tenancy (root compartment)
• Policies can reside either in the Tenancy (root compartment) or in other compartments, depending on where the policy is attached
• Users, groups, dynamic groups, compartments, tag namespaces, federation providers, and policies are global and available across all regions
Managing IAM Resources

• Managing Regions
• Managing Tenancy
• Managing Compartments
• Managing Users
• Managing Groups
• Managing Policies
Managing Regions - Demo

• View list of Regions
• Subscribe to a Region
Managing Tenancy - Demo

• Viewing Tenancy details
• Observing the OCID of your Tenancy
Managing Compartments - Demo

• Creating Compartments
• View Details of a Compartment
• Renaming a Compartment
• View contents of a Compartment
Managing Users - Demo

• Create User
• Add user to group
• Remove user from group
• Delete user
Managing Groups - Demo

• Create Group
• Add user to group
• Remove user from group
• Delete group
Managing Policies
Policies

• A policy is a document that specifies who can access which Oracle Cloud Infrastructure resources that your company has, and how
• A policy simply allows a group to work in certain ways with specific types of resources in a particular compartment
• Policies are designed to allow access; there's no explicit "deny" when you write a policy.
• A policy can be attached to only one compartment
Policy Syntax

• Allow <subject> to <verb> <resource-type> in <location> where <conditions>

Subject:
  group <group_name> | group id <group_ocid> | dynamic-group <dynamic-group_name> | dynamic-group id <dynamic-group_ocid> | any-user
Verb:
  inspect | read | use | manage
Resource Type:
  • An individual resource-type (e.g., vcns, subnets, instances, volumes, etc.)
  • A family resource-type (e.g., virtual-network-family, instance-family, volume-family, etc.)
  • all-resources: covers all resources in the compartment (or tenancy).
Location:
  tenancy | compartment <compartment_name> | compartment id <compartment_ocid>
Conditions:
  • Syntax for a single condition: variable =|!= value
  • Syntax for multiple conditions: any|all {<condition>,<condition>,...}
Common Policies - Examples

• Let the Help Desk manage users
  • Allow group HelpDesk to manage users in tenancy
• Let Auditors inspect your resources
  • Allow group Auditors to inspect all-resources in tenancy
  • Allow group Auditors to read instances in tenancy
  • Allow group Auditors to read audit-events in tenancy
• Let Network Admins manage a cloud network
  • Allow group NetworkAdmins to manage virtual-network-family in tenancy
• Let users launch Instances
  • Allow group InstanceLaunchers to manage instance-family in compartment ABC
  • Allow group InstanceLaunchers to use volume-family in compartment ABC
  • Allow group InstanceLaunchers to use virtual-network-family in compartment XYZ
• Let DBAs manage Database Systems
  • Allow group DatabaseAdmins to manage database-family in tenancy
• Restrict Admin Access to a specific region
  • Allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx'
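As an added example (not part of the course material or an Oracle tool), the Python below parses statements written in the policy syntax above and runs a least-privilege review over the example policies: it flags unconditional tenancy-wide manage of all-resources, manage of a whole resource family at tenancy scope, and grants to any-user. The review heuristics and the sample "Administrators" statement are constructed for the illustration.

```python
"""Parse OCI IAM policy statements (syntax from the slides) and flag
over-broad grants for a least-privilege review. Constructed example."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

VERBS = ("inspect", "read", "use", "manage")   # least to most privileged

# Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
_POLICY_RE = re.compile(
    r"^allow\s+"
    r"(?P<subject>any-user|group\s+id\s+\S+|group\s+\S+|"
    r"dynamic-group\s+id\s+\S+|dynamic-group\s+\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+id\s+\S+|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<conditions>.+?))?\s*$",
    re.IGNORECASE,
)
_COND_RE = re.compile(r"^\s*(?P<var>[\w.]+)\s*(?P<op>!=|=)\s*(?P<value>.+?)\s*$")


@dataclass
class Statement:
    subject: str
    verb: str
    resource: str
    location: str
    match: str = "all"                                   # any | all
    conditions: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_conditions(text):
    """'variable =|!= value' or 'any|all {cond, cond, ...}' -> (mode, [(var, op, value)])."""
    text = text.strip()
    m = re.match(r"^(any|all)\s*\{(.*)\}$", text, re.IGNORECASE)
    if m:
        mode, parts = m.group(1).lower(), [p for p in m.group(2).split(",") if p.strip()]
    else:
        mode, parts = "all", [text]
    conds = []
    for part in parts:
        cm = _COND_RE.match(part)
        if not cm:
            raise ValueError(f"bad condition: {part!r}")
        conds.append((cm.group("var"), cm.group("op"), cm.group("value").strip("'\"")))
    return mode, conds


def parse_statement(line):
    m = _POLICY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid policy statement: {line!r}")
    st = Statement(
        subject=" ".join(m.group("subject").split()),
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        location=" ".join(m.group("location").split()),
    )
    if m.group("conditions"):
        st.match, st.conditions = parse_conditions(m.group("conditions"))
    return st


def review(lines):
    """Return (statement, finding) pairs a least-privilege review should question."""
    findings = []
    for line in lines:
        st = parse_statement(line)
        tenancy_wide = st.location.lower() == "tenancy"
        if st.subject.lower() == "any-user" and st.verb != "inspect":
            findings.append((st, "any-user receives more than inspect"))
        if st.verb == "manage" and tenancy_wide and not st.conditions:
            if st.resource == "all-resources":
                findings.append((st, "unconditional tenancy-wide administrator"))
            elif st.resource.endswith("-family"):
                findings.append((st, "manage of a whole family in tenancy; consider a compartment"))
    return findings


# Examples from the slides plus one constructed tenancy-admin grant
SAMPLE_POLICY = [
    "Allow group HelpDesk to manage users in tenancy",
    "Allow group Auditors to inspect all-resources in tenancy",
    "Allow group NetworkAdmins to manage virtual-network-family in tenancy",
    "Allow group InstanceLaunchers to manage instance-family in compartment ABC",
    "Allow group DatabaseAdmins to manage database-family in tenancy",
    "Allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx'",
    "Allow group Administrators to manage all-resources in tenancy",   # constructed
]


def review_sample():
    return review(SAMPLE_POLICY)


if __name__ == "__main__":
    for st, why in review_sample():
        print(f"{st.subject}: {st.verb} {st.resource} in {st.location} -> {why}")
```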
Managing Policies - Demo

• Create Policy
• Listing the policies
• Updating the Policy
• Deleting Policy
Virtual Cloud Network (VCN)
What is VCN?

• A VCN is the virtual version of a traditional physical network
• Includes subnets, route tables, and gateways, on which your instances run
• Resides within a single Region but can cross multiple Availability Domains
• When you work with OCI, one of the first steps is to set up a Virtual Cloud Network (VCN) for your cloud resources

VCN
Allowed VCN Size and Address Ranges

• A VCN covers a single, contiguous IPv4 CIDR block of your choice.
• The allowable VCN size range is /16 to /30
• After you've created a VCN or subnet, you can't change its size
• The Networking service reserves the first two IP addresses and the last one in each subnet's CIDR
• For your VCN, Oracle recommends using one of the private IP address ranges specified in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
• The VCN's CIDR must not overlap with your on-premises network or another VCN you peer with. The subnets in a given VCN must not overlap with each other.
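The sizing and overlap rules above are easy to check before creating anything. The following Python is an added example (not from the course or Oracle) that validates a proposed VCN plan against those rules using the standard ipaddress module; the function names and the sample plans are constructed.

```python
"""Check a VCN address plan against the rules above: /16 to /30, RFC 1918
recommended, no overlap with peers, subnets inside the VCN and disjoint,
three reserved addresses per subnet. Constructed example, not an OCI tool."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESERVED_PER_SUBNET = 3    # first two addresses and the last one of each subnet CIDR


def _network(cidr, problems, what):
    """Parse a CIDR; host bits set (e.g. 10.0.1.5/24) is reported, not silently masked."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{what} {cidr!r} is not a valid CIDR block: {exc}")
        return None


def check_vcn_plan(vcn_cidr, subnet_cidrs, peer_cidrs=()):
    """Return the list of rule violations; an empty list means the plan is acceptable.
    peer_cidrs: the on-premises network and any VCNs this one will peer with."""
    problems = []
    vcn = _network(vcn_cidr, problems, "VCN")
    if vcn is None:
        return problems
    if vcn.version != 4:
        return problems + ["a VCN covers a single IPv4 CIDR block"]
    if not 16 <= vcn.prefixlen <= 30:
        problems.append(f"VCN size /{vcn.prefixlen} is outside the allowed /16 to /30 range")
    if not any(vcn.subnet_of(r) for r in RFC1918):
        problems.append(f"VCN {vcn} is not in an RFC 1918 range (recommended by Oracle)")
    for p in peer_cidrs:
        peer = _network(p, problems, "peer network")
        if peer is not None and peer.version == 4 and vcn.overlaps(peer):
            problems.append(f"VCN {vcn} overlaps peered/on-premises network {peer}")
    subnets = []
    for c in subnet_cidrs:
        s = _network(c, problems, "subnet")
        if s is None:
            continue
        if s.version != 4:
            problems.append(f"subnet {s} is not IPv4")
            continue
        subnets.append(s)
        if not s.subnet_of(vcn):
            problems.append(f"subnet {s} is not inside VCN {vcn}")
        if s.num_addresses <= RESERVED_PER_SUBNET:
            problems.append(f"subnet {s} has no usable address once {RESERVED_PER_SUBNET} are reserved")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


def reserved_addresses(subnet_cidr):
    """The addresses the Networking service keeps in a subnet: first two and last one."""
    net = ipaddress.ip_network(subnet_cidr)
    if net.num_addresses < 4:
        return [str(a) for a in net]
    return [str(net[0]), str(net[1]), str(net[-1])]


def usable_hosts(subnet_cidr):
    """Addresses left for VNICs after the reserved ones."""
    net = ipaddress.ip_network(subnet_cidr)
    return max(net.num_addresses - RESERVED_PER_SUBNET, 0)


if __name__ == "__main__":
    # Constructed plan: a /16 VCN with two /24 subnets, peered to an on-premises /16
    for p in check_vcn_plan("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"], ["192.168.0.0/16"]):
        print(p)
    print(reserved_addresses("10.0.0.0/24"), usable_hosts("10.0.0.0/24"))
```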
Networking Concepts
Subnets

• Subdivisions of a VCN
• Resides in a single Availability Domain
• Can be Public or Private
VNIC

• Virtual Network Interface Card (VNIC) – attaches to an instance and resides in a subnet to enable a connection to the subnet's VCN
• Each instance has a primary VNIC that's created during instance launch
• You can add secondary VNICs to an existing instance
Internet Gateway

• An optional virtual router that you can add to your VCN to provide a path for
network traffic between your VCN and the Internet
Dynamic Routing Gateway (DRG)

• An optional virtual router that you can add to your VCN to provide a path for private network traffic between your VCN and your on-premises network
• You can use it with other Networking components and a router in your on-premises network to establish a connection via IPSec VPN or Oracle Cloud Infrastructure FastConnect.
• It can also provide a path for private network traffic between your VCN and another VCN in a different region
Service Gateway

• An optional virtual router that you can add to your VCN to provide a path
for private network traffic between your VCN and a Public Oracle Cloud
Infrastructure service such as Object Storage.
• For example:
DB Systems in a private subnet in your VCN can back up data to Object Storage without
needing public IP addresses or access to the internet
Local Peering Gateway

• An optional virtual router that you can add to your VCN to provide a path
for private network traffic between your VCN and another VCN in the same
region.
Remote Peering Connection

• A component that you can add to a DRG to provide a path for private network
traffic between your VCN and another VCN in a different region.
Security Lists

• Virtual firewall rules for your VCN that control traffic at the packet level
• Provide ingress and egress rules that specify the types of traffic allowed in and out of the instances
• A packet in question is allowed if any rule in any of the lists allows the traffic
• Configured at the subnet level, which means that all instances in a given subnet are subject to the same set of rules
• Each VCN has a default security list.
• A subnet automatically has the default security list associated with it if you don't specify a security list
• Each subnet can have multiple security lists associated with it, and each list can have multiple rules
Security Lists

• After you create a subnet, you can't change the security lists associated with it.
However, you can change the rules in the lists.
• Security lists are regional entities
• Security lists are not enforced for traffic involving the 169.254.0.0/16 CIDR
block, which includes services such as iSCSI and instance metadata.
Stateful Vs Stateless Rules

• When you create a security list rule, you choose whether it's a stateful or stateless rule.
• Stateful
  • When an instance receives traffic matching a stateful ingress rule, the response is tracked and automatically allowed back to the originating host, regardless of any egress rules applicable to the instance, and vice versa.
• Stateless
  • Response traffic is not automatically allowed. To allow the response traffic for a stateless ingress rule, you must create a corresponding stateless egress rule.
• Default is Stateful
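As an added illustration (not course material and not OCI's implementation), this Python model replays the evaluation rules from the two Security Lists slides and the stateful/stateless distinction above: several lists on one subnet, "allowed if any rule in any list matches", flow tracking for stateful matches so the reply passes without an egress rule, a stateless rule whose reply is dropped until a matching stateless egress rule exists, and the unfiltered 169.254.0.0/16 range. The Rule and Packet shapes and the sample lists are simplified assumptions.

```python
"""Model security-list evaluation for one subnet. Constructed example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LINK_LOCAL = ip_network("169.254.0.0/16")   # iSCSI, instance metadata: lists not enforced


@dataclass(frozen=True)
class Rule:
    direction: str             # "ingress" or "egress"
    protocol: str              # "tcp", "udp", "icmp" or "all"
    cidr: str                  # source CIDR for ingress, destination CIDR for egress
    ports: tuple = (1, 65535)  # destination port range (tcp/udp only)
    stateful: bool = True      # the default when you create a rule


@dataclass(frozen=True)
class Packet:
    direction: str             # "ingress" (to the instance) or "egress" (from it)
    remote_ip: str             # peer address: source for ingress, destination for egress
    protocol: str
    dst_port: int
    src_port: int = 0


class SecurityLists:
    """All security lists associated with one subnet, plus the stateful flow table."""

    def __init__(self, lists):
        self.lists = lists         # list of lists of Rule
        self.flows = set()         # (protocol, remote_ip, remote_port, local_port)

    @staticmethod
    def _flow_key(pkt):
        # Same key for a request and its response, whichever direction started it
        if pkt.direction == "ingress":
            return (pkt.protocol, pkt.remote_ip, pkt.src_port, pkt.dst_port)
        return (pkt.protocol, pkt.remote_ip, pkt.dst_port, pkt.src_port)

    @staticmethod
    def _matches(rule, pkt):
        if rule.direction != pkt.direction:
            return False
        if rule.protocol != "all" and rule.protocol != pkt.protocol:
            return False
        if ip_address(pkt.remote_ip) not in ip_network(rule.cidr):
            return False
        if pkt.protocol in ("tcp", "udp"):
            low, high = rule.ports
            return low <= pkt.dst_port <= high
        return True

    def allowed(self, pkt):
        if ip_address(pkt.remote_ip) in LINK_LOCAL:
            return True                        # security lists are not enforced here
        key = self._flow_key(pkt)
        if key in self.flows:
            return True                        # tracked reply of a stateful match
        for rules in self.lists:
            for rule in rules:
                if self._matches(rule, pkt):   # any rule in any list is enough
                    if rule.stateful:
                        self.flows.add(key)    # remember so the reply is let through
                    return True
        return False                           # nothing allowed it: dropped


# Constructed subnet with two lists: stateful SSH from anywhere, and a stateless
# rule for an internal web port. Neither list has an egress rule.
EXAMPLE_LISTS = [
    [Rule("ingress", "tcp", "0.0.0.0/0", (22, 22), stateful=True)],
    [Rule("ingress", "tcp", "10.0.0.0/16", (8080, 8080), stateful=False)],
]

if __name__ == "__main__":
    sl = SecurityLists(EXAMPLE_LISTS)
    print(sl.allowed(Packet("ingress", "203.0.113.5", "tcp", 22, 40000)))   # True
    print(sl.allowed(Packet("egress", "203.0.113.5", "tcp", 40000, 22)))    # True (stateful)
    print(sl.allowed(Packet("ingress", "10.0.1.7", "tcp", 8080, 50000)))    # True
    print(sl.allowed(Packet("egress", "10.0.1.7", "tcp", 50000, 8080)))     # False (stateless)
```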
Firewall Rules

• Firewall rules control packet-level traffic in and out of an instance.
• They are configured directly on the instance itself.
• Firewall rules and security lists both operate at the instance level; however, security lists are configured at the subnet level and firewall rules at the instance level.
• When troubleshooting access to an instance, make sure both the security list rules and the instance's firewall rules are set correctly.
Route Tables

• Provide the mapping for traffic leaving the VCN
• Have rules that specify a destination CIDR block and the target for any traffic that matches that CIDR
• Your VCN comes with a default route table that has no rules.
• If you don't specify otherwise, every subnet uses the VCN's default route table
• Each subnet in a VCN uses a single route table
• You can't change the subnet's route table after the subnet is created. However, you can change the routing rules in the route table.
Route Tables

• VCN uses route tables to send traffic out of the VCN (for example, to the
internet or to your on-premises network)
• When routing traffic, Oracle uses a subnet's route table only if the destination
IP address is not within the VCN's CIDR block.
• No route rules are required in order to enable traffic within the VCN itself.
• If there is no route rule that matches the network traffic you intend to route
outside the VCN, the traffic is dropped (blackholed).
DHCP options

• Configuration information that is automatically provided to instances when they boot up, such as:
  • Private IP address
  • DNS server
  • Search domain
• Each VCN comes with a default set of DHCP options
• If you don't specify otherwise, every subnet uses the VCN's default set of DHCP options, which applies to all instances in the subnet.
Default Components of VCN

• Your VCN automatically comes with these default components:
  • Default route table
  • Default security list
  • Default set of DHCP options
• You can't delete these default components. However, you can change their contents (for example, the rules in the default security list). And you can create more of each kind of component in your VCN
Default Components of VCN

• Each subnet always has these components associated with it:
  • One route table
  • One or more security lists
  • One set of DHCP options
• During subnet creation, you can choose which route table, security list, and set of DHCP options are associated with the subnet. If you don't specify a particular component, the VCN's default component is automatically used.
• After you associate a particular route table, security list, or set of DHCP options with a subnet (whether it's the default or not), you can't change that association. But as mentioned before, you can change the contents of the component.
Public and Private Subnets

• A subnet can be Public or Private.
• Public subnet – instances in a public subnet are allowed to have public IP addresses and can access the Internet.
• Private subnet – instances in a private subnet will not have public IP addresses and hence cannot access the Internet.
How IP Addresses are Assigned?

• Each instance has a primary VNIC that's created during instance launch and
cannot be removed.
• You can add secondary VNICs to an existing instance
• Every VNIC has a private IP address from the associated subnet's CIDR
• The private IP address does not change during the lifetime of the instance and
cannot be removed. You can also add secondary private IPs to a VNIC.
How IP Addresses are Assigned?

• If the VNIC is in a public subnet, then each private IP on that VNIC can have
a public IP assigned to it at your discretion.
• There are two types of public IPs: ephemeral and reserved.
• An ephemeral public IP exists only for the lifetime of the private IP it's assigned
to.
• A reserved public IP exists as long as you want it to. You maintain a pool of
reserved public IPs and allocate them to your instances at your discretion. You
can move them from resource to resource in a region as you need to
Connectivity Choices

• Access to Internet
• Access to Public OCI Services
• Access to on-premises Network
• Access to another VCN
• Connection to Cloud Infrastructure Classic
• Connection to other Clouds with Libreswan
Typical Networking Scenarios

• Public Subnets
• Private Subnets with an IPSec VPN
• Public and Private Subnets
Public Subnets
Private Subnets with a VPN
Public and Private Subnets with a VPN
Compute Service
Overview of Compute Service

• Oracle Cloud Infrastructure Compute Service lets you provision and manage
compute hosts, known as Instances
• OCI offers two types of Instances
• Bare Metal Instances
• Virtual Machine Instances
Bare Metal Instance

• A bare metal compute instance gives you dedicated physical server access for
highest performance and strong isolation
Virtual Machine Instance

• A Virtual Machine (VM) is an independent computing environment that runs on top of physical bare metal hardware
• VMs are ideal for running applications that do not require the performance and resources (CPU, memory, network bandwidth, storage) of an entire physical machine.
Components for Launching Instances

• Image
• A template of a virtual hard drive that determines the operating system and other
software for an instance.
• OCI uses images to launch Instances
• You can use Oracle provided Images or create your own custom images
• Compute Shape
• A template that determines the number of CPUs, amount of memory, and other
resources allocated to a newly created instance
• Key Pair (for Linux Instances)
• A security mechanism required for Secure Shell (SSH) access to an instance. Before
you launch an instance, you’ll need at least one key pair.
Volume Types

• There are two types of volumes for your Instance
  • Boot volume: the volume device that contains the image used to boot a Compute instance.
  • Block volume: a detachable block storage device that allows you to dynamically expand the storage capacity of an instance.
Boot Volume

• Volume device that contains the image used to boot a Compute instance.
• When you launch a virtual machine (VM) or bare metal instance, a new boot
volume for the instance is created in the same compartment. That boot volume
is associated with that instance until you terminate the instance.
• When you terminate the instance, you can preserve the boot volume and its
data
• Boot volumes are encrypted by default, same as other block storage volumes
• When you launch an instance you can specify whether to use the selected
image's default boot volume size, or you can specify a custom size up to 32 TB
• You can't change the boot volume size after launching an Instance.
Block Volumes

• A common usage of Block Volume is adding storage capacity to an Oracle Cloud Infrastructure instance.
• Once you have launched an instance, you can:
  • create a block storage volume
  • attach the volume to an instance
  • connect to the volume from your instance's guest OS using iSCSI
• The volume can then be mounted and used by your instance.
• To move your volume to another instance:
  • unmount the drive from the initial instance
  • terminate the iSCSI connection
  • attach it to the second instance
Using Block Volumes

• Additionally, Block Volume volumes offer a high level of data durability compared to standard, attached drives. All volumes are automatically replicated for you, helping to protect against data loss.
Extending a Root or System Partition

• When you launch an instance you can specify whether to use the selected
image's default boot volume size, or you can specify a custom size up to 32 TB
• Once you've launched the instance, you can't change the boot volume size.
• When you launch a virtual machine (VM) or bare metal instance based on an
Oracle-provided image or custom image, you have the option of specifying a
custom boot volume size. In order to take advantage of the larger size, you
must first extend the root (Linux-based images) or system (Windows-based
images) partition.
Volume Attachments Types

• There are two types of volume attachments:
  • iSCSI: a TCP/IP-based standard used for communication between a volume and the attached instance.
  • Paravirtualized: a virtualized attachment available for VMs.
• If you specify iSCSI as the volume attachment type, you must connect and mount the volume from the instance for the volume to be usable.
• Paravirtualized attachments simplify the process of configuring your block storage by removing the extra commands required before connecting to an iSCSI-attached volume.
Volume Attachments Types

• The trade-off is that IOPS performance for iSCSI attachments is greater than that for paravirtualized attachments, so you need to consider your requirements when selecting a volume's attachment type.
• Volumes are only accessible to instances in the same availability domain
• Block Volume uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key for encryption. Block volumes are encrypted at rest. Backups are also encrypted.
• Block volumes can be created in sizes ranging from 50 GB to 32 TB in 1 GB increments. By default, Block Volume volumes are 1 TB.
• You can attach up to 32 volumes per instance
Instance Metadata - Linux

• After you connect to an instance using SSH, issue any of the following GET requests. You'll get back a response that includes all of the instance information, only the custom metadata, or only the custom metadata for the specified key name, respectively.
  • curl -L http://169.254.169.254/opc/v1/instance/
  • curl -L http://169.254.169.254/opc/v1/instance/metadata/
  • curl -L http://169.254.169.254/opc/v1/instance/metadata/<key-name>
• In the example, <key-name> is ssh_authorized_keys, user_data, or any custom key name that you provided when you launched the instance.
Instance Metadata - Windows

• After you connect to a Windows instance, you can open an Internet browser
such as Microsoft Edge or Internet Explorer, Google Chrome, or Mozilla Firefox,
and then navigate to the following URLs:
• http://169.254.169.254/opc/v1/instance/
• http://169.254.169.254/opc/v1/instance/metadata/
• http://169.254.169.254/opc/v1/instance/metadata/<key-name>
Stopping and Starting an Instance

• In addition to using the API and Console, you can stop and restart instances
using the commands available in the operating system when you are logged in
to the instance. Stopping an instance from within the instance does not stop
billing for that instance. If you stop an instance this way be sure to also stop it
from the Console or API.
Object Storage
Overview of Object Storage

• The Oracle Cloud Infrastructure Object Storage service is an internet-scale,
high-performance storage platform that offers reliable and cost-efficient data
durability.
• The Object Storage service can store an unlimited amount of unstructured data
of any content type, including analytic data and rich content, like images and
videos.
• Object Storage is a regional service and is not tied to any specific compute
instance
• You can access data from anywhere
Use cases for Object Storage

• Some of the ways that you can use Object Storage include:
• Big Data/Hadoop
• as the primary data repository for big data.
• Object Storage offers a scalable storage platform that lets you store large data sets
and operate seamlessly on those data sets.
• The HDFS connector provides connectivity to various big data analytic engines like
Apache Spark and MapReduce. This connectivity enables the analytics engines to
work directly with data stored in Object Storage
• Backup/Archive
• You can use Object Storage to preserve backup and archive data that must be stored
for an extended duration to adhere to various compliance mandates.
Use cases for Object Storage

• Content Repository
• You can use Object Storage as your primary content repository for data, images, logs,
and video. You can reliably store and preserve this data for a long time, as well as
serve this content directly from Object Storage. The storage scales as your data
storage needs scale.
• Log Data
• You can use Object Storage to preserve application log data so that you can
retroactively analyze this data to determine usage pattern and/or debug issues
Object Storage Features

• Strong Consistency
• When a read request is made, Object Storage always serves the most recent copy of
the data that was written to the system.
• Durability
• Object Storage is a regional service and is available across all the availability
domains within a region.
• Data is stored redundantly across multiple storage servers and across
multiple availability domains.
• Object Storage actively monitors data integrity using checksums and automatically
detects and repairs corrupt data.
• Object Storage actively monitors and ensures data redundancy. If a redundancy loss is
detected, Object Storage automatically creates additional data copies.
Object Storage Features

• Encryption
• Object Storage employs 256-bit Advanced Encryption Standard (AES-256) to encrypt
object data on the server.
• Each object is encrypted with its own key. Object keys are encrypted with a master
encryption key that is frequently rotated.
• Encryption is enabled by default and cannot be turned off.
Object Storage Resources

• Object
• Any type of data, regardless of content type, is stored as an object. The object is
composed of the object itself and metadata about the object. Each object is stored in
a bucket.
• You can't edit or append data to an object, but you can replace the entire object
• You can use the Console to upload objects up to 5 GiB in size.
• You can use the CLI or API to upload objects up to 10 TiB in size.
• Bucket
• A logical container for storing objects.
• A bucket is associated with a single compartment that has policies that determine
what actions a user can perform on a bucket and on all the objects in the bucket.
• Bucket names must be unique within your tenancy
Object Storage Resources

• Namespace
• A logical entity that serves as a top-level container for all buckets and objects,
• Each tenancy is provided one unique and uneditable Object Storage namespace that
is global, spanning all compartments and regions.
Storage Tiers

• When you create a bucket, you also decide which tier is appropriate for object
storage:
• Standard - for data to which you need fast, immediate, and frequent access.
• Archive - for data that you seldom or rarely access but that must be
retained and preserved for long periods of time
Pre-Authenticated Requests

• Pre-authenticated requests provide a way to let users access a bucket or an
object without having their own credentials, as long as the request creator has
permissions to access those objects.
Data Transfer Service
What is Data Transfer Service?

• Data Transfer Service allows you to transfer data offline to Oracle Cloud
Infrastructure.
• Easy to use
• Faster data uploads compared to over-the-wire data transfer.
• Moving data over the public internet is not always feasible due to high network
costs, unreliable network connectivity, long transfer times, and security
concerns.
Data Transfer Disk

• You send your data as files on encrypted commodity hard disk drives to an
Oracle transfer site.
• Operators at the Oracle transfer site upload the files into your
designated Object Storage bucket in your tenancy.
• This transfer solution requires you to source and purchase the disks used to
transfer data to Oracle Cloud Infrastructure.
• The disks are shipped back to you after the data is successfully uploaded.
Data Transfer Appliance

• Oracle-supplied storage appliance
• You send your data as files on secure, high-capacity, Oracle-supplied storage
appliances to an Oracle transfer site.
• Operators at the Oracle transfer site upload the data into your
designated Object Storage bucket in your tenancy.
• This solution supports data transfer when you are migrating a large volume of
data and when using disks is not a practical alternative.
Data Transfer Job

• A transfer job is the logical representation of a data migration to Oracle Cloud
Infrastructure.
• A transfer job represents the collection of files that you want to transfer and
signals the intention to upload those files to Oracle Cloud Infrastructure
• A transfer job consists of one or more transfer packages that each contain one
or more transfer disks/appliances
Data Transfer Utility

• The Data Transfer Utility is the command-line software that Oracle provides for
you to prepare transfer disks/appliances for your data and for shipment to
Oracle
Load Balancing
Overview of Load Balancing

• The Oracle Cloud Infrastructure Load Balancing service provides automated
traffic distribution from one entry point to multiple servers reachable from
your virtual cloud network (VCN).
• A load balancer improves resource utilization, facilitates scaling, and helps
ensure high availability.
How does Load Balancing work?

• Load balancer receives the requests from clients
• Load balancer distributes the client requests to backend sets
Public and Private Load Balancers

• The Load Balancing service enables you to create a public or private load
balancer within your VCN.
• A public load balancer has a public IP address that is accessible from the
internet.
• A private load balancer has an IP address from the hosting subnet, which is
visible only within your VCN.
Public Load Balancer

• To accept traffic from the internet, you create a public load balancer.
• The service assigns it a public IP address that serves as the entry point for incoming
traffic.
• A public load balancer is regional in scope and requires two public subnets, each in a
separate availability domain. You cannot specify a private subnet for your public load
balancer
• One subnet hosts the primary load balancer and the other hosts a standby load
balancer to ensure accessibility even during an availability domain outage.
• Each load balancer requires one private IP address from its host subnet.
• The Load Balancing service attaches a floating public IP address to one of the specified
subnets.
• If there is a failure in that subnet's availability domain, the load balancer and public IP
address switch to the other subnet
Private Load Balancer

• To isolate your load balancer from the internet and simplify your security posture, you
can create a private load balancer.
• The Load Balancing service assigns it a private IP address that serves as the entry point
for incoming traffic.
• When you create a private load balancer, the service requires only one private subnet to
host both the primary and standby load balancers.
• The assigned floating private IP address is local to the specified subnet.
• The load balancer is accessible only from within the VCN that contains the associated
subnet, or as further restricted by your security list rules.
• A private load balancer is local to the availability domain that contains the hosting
subnet
• If there is an availability domain outage, the load balancer has no failover.
Load Balancing Concepts

• Backend Server
• An application server responsible for generating content in reply to the incoming TCP
or HTTP traffic
• Backend Set
• A logical entity defined by a list of backend servers, a load balancing policy, and a
health check policy. The backend set determines how the load balancer directs traffic
to the collection of backend servers.
• Health Checks
• A test to confirm the availability of backend servers.
• If a server fails the health check, the load balancer takes the server temporarily out of
rotation. If the server subsequently passes the health check, the load balancer returns
it to the rotation.
Load Balancing Concepts

• Listener
• A logical entity that checks for incoming traffic on the load balancer's IP address. You
configure a listener's protocol and port number
• Load Balancing Policy
• A load balancing policy tells the load balancer how to distribute incoming
traffic to the backend servers – Round robin, Least Connections, IP Hash
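The backend set, health check and the three load-balancing policies described above, as an added simulation that is not Oracle's implementation; the Backend and BackendSet names, the probe callable and the sample IP addresses are constructed for illustration:

```python
"""Simulation of an OCI-style backend set: a health check that takes failing
servers out of rotation, and round robin / least connections / IP hash
distribution.  Added illustration only; names and sample values are invented."""
import hashlib
from dataclasses import dataclass


@dataclass
class Backend:
    """One application server in the backend set (constructed fields)."""
    ip: str
    port: int = 80
    healthy: bool = True          # result of the last health check
    active_connections: int = 0   # consulted by the least-connections policy


class BackendSet:
    def __init__(self, backends, policy="round_robin"):
        self.backends = list(backends)
        self.policy = policy
        self._rr_index = 0

    def run_health_check(self, probe):
        """Apply the health-check policy: `probe(backend)` simulates the check.
        Failing servers leave rotation; servers that pass again come back.
        Returns the IPs currently in rotation."""
        for b in self.backends:
            b.healthy = probe(b)
        return [b.ip for b in self.backends if b.healthy]

    def in_rotation(self):
        return [b for b in self.backends if b.healthy]

    def choose(self, client_ip):
        """Pick the backend for one incoming request according to the policy."""
        pool = self.in_rotation()
        if not pool:
            raise RuntimeError("no healthy backends in the backend set")
        if self.policy == "round_robin":
            b = pool[self._rr_index % len(pool)]
            self._rr_index += 1
        elif self.policy == "least_connections":
            b = min(pool, key=lambda x: x.active_connections)
        elif self.policy == "ip_hash":
            # the same client IP sticks to the same backend while the pool is stable
            h = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
            b = pool[h % len(pool)]
        else:
            raise ValueError(f"unknown policy {self.policy}")
        b.active_connections += 1
        return b
```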
Demo

1. Create 2 Instances in two different ADs of your VCN
2. Stop & Disable Firewall service in the Instances
• # service iptables stop
3. Start and enable Apache Webserver on the instances
• # service httpd start
• # chkconfig httpd on
• # chkconfig --list|grep httpd
• httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
4. Create /var/www/html/index.html file
5. Create LB, Backend Set, Backend, Backend Servers and Listener
OCI Database Service
Overview of OCI Database Service

• The Database service offers autonomous and user-managed Oracle Database
solutions.
• Autonomous databases are preconfigured, fully-managed environments that
are suitable for either transaction processing or for data warehouse workloads.
• User-managed solutions are bare metal, virtual machine, and Exadata DB
systems that you can customize with the resources and settings that meet your
needs.
Database Service

• DB Systems
• Bare Metal and Virtual Machine DB Systems
• Exadata DB Systems
• Autonomous Databases
• Autonomous Transaction Processing
• Autonomous Data Warehouse
License Types

• Oracle Cloud Infrastructure supports a licensing model with two license types:
• License Included - the cost of the cloud service includes a license for
the Database service
• Bring Your Own License (BYOL) - Oracle Database customers with an Unlimited
License Agreement or Non-Unlimited License Agreement can use their license
with Oracle Cloud Infrastructure. You do not need separate on-premises
licenses and cloud licenses
Supported Editions and Versions

• Exadata DB Systems
• Exadata DB systems require Enterprise Edition - Extreme Performance
• Exadata DB systems support the following software releases:
• Oracle Database 18c Release 1 (18.0)
• Oracle Database 12c Release 2 (12.2)
• Oracle Database 12c Release 1 (12.1)
• Oracle Database 11g Release 2 (11.2)
Supported Editions and Versions

• Bare Metal and Virtual Machine DB Systems
• Supported DB Editions
• Standard Edition
• Enterprise Edition
• Enterprise Edition - High Performance
• Enterprise Edition - Extreme Performance
• Supported DB versions
• Oracle Database 18c Release 1 (18.1)
• Oracle Database 12c Release 2 (12.2)
• Oracle Database 12c Release 1 (12.1)
• Oracle Database 11g Release 2 (11.2)
Demo

• Launch DB system
• Check the status of DB system
• Start, stop, reboot of DB system
• Connecting to DB system
• Updating the OS of DB system (Kernel Updates)
• Patching DB system
• Monitoring a Database – using EM Express or EM DB Control
• Backup, Recovery
Domain Name System (DNS)
What is DNS Service?

• The Oracle Cloud Infrastructure Domain Name System (DNS) service lets
you create and manage your DNS zones.
• You can create zones, add records to zones, and allow Oracle Cloud
Infrastructure's edge network to handle your domain's DNS queries.
DNS Components

• Domain
• Domain names identify a specific location or group of locations on the Internet as a
whole
• Zone
• A zone is a portion of the DNS namespace. A Start of Authority record (SOA) defines a
zone.
• Resource Records
• A record contains specific domain information for a zone. Each record type contains
information called record data (RDATA)
Working of DNS
OCI CLI
OCI CLI

• The command line interface (CLI) is a tool that enables you to work with Oracle
Cloud Infrastructure objects and services
• The CLI provides the same core functionality as the Console, plus additional
commands. Some of these commands, such as the ability to run scripts, extend
the Console's functionality.
CLI Architecture

• The CLI is built on Python (version 2.7.5 or 3.5 or later), running on Mac,
Windows, or Linux
• The Python code makes calls to Oracle Cloud Infrastructure APIs to provide the
functionality implemented for the various services.
Installing CLI – using the CLI Installer

• The installer uses a script to install the CLI and programs that are required.

1. Open PowerShell console
2. Run the following scripts and respond to the prompts
1. Set-ExecutionPolicy RemoteSigned
2. powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.ps1'))"
Configuring CLI

1. Open Windows Command prompt and type the following command:
• oci setup config
2. When prompted, supply the following details
• OCID of the user for which you want to configure OCI
• OCID of the Tenancy
• Region name
• Create/reuse RSA key pair and upload the Public Key to IAM - procedure
Using OCI CLI - Examples

• List regions
• oci iam region list
• oci iam region list --output table
• List compartments in Tenancy
• oci iam compartment list -c TENANCY-OCID
• List users in root compartment
• oci iam user list -c ROOT-COMPARTMENT-OCID
Using OCI CLI - Examples

• Creating Compute Instance

oci compute instance launch \
  --availability-domain "EMIr:PHX-AD-1" \
  -c ocid1.compartment.oc1..aaaaaaaal3gzijdlieqeyg35nz5zxil26astxxhqol2pgeyqdrggnx7jnhwa \
  --shape "VM.Standard1.1" \
  --display-name "Instance 1 for sandbox" \
  --image-id ocid1.image.oc1.phx.aaaaaaaaqutj4qjxihpl4mboabsa27mrpusygv6gurp47kat5z7vljmq3puq \
  --subnet-id ocid1.subnet.oc1.phx.aaaaaaaaypsr25bzjmjyn6xwgkcrgxd3dbhiha6lodzus3gafscirbhj5bpa
