Oracle University Student Guide S105681GC10
Oracle Cloud Infrastructure Architect Associate Workshop
Learn more from Oracle University at education.oracle.com
Copyright © 2021, Oracle and/or its affiliates.

Table of Contents

OCI Introduction
- Introduction
- Complete Cloud Infrastructure Platform
- Hybrid Cloud, Multi-Cloud
- Infrastructure Services
- Comprehensive Database Services
- Broad Data Management and Data Science Capabilities
- Manage, Secure, and Operate at Scale
- Build and Run Cloud Native Applications and Extend Existing Apps
- Robust Oracle Analytics and Third-Party Support
- Comprehensive Horizontal and Industry SaaS Portfolio
- Complete Cloud Infrastructure Platform

OCI Architecture
- OCI Architecture
- Cloud Regions, Hybrid Cloud, Multi-cloud
- Choosing a Region
- Availability Domains
- Fault Domains
- Avoid Single Points of Failure
- High Availability Design

Identity and Access Management (IAM)
- Introduction
- What is OCI IAM?
- OCI Identity Concepts
- Resources
- How to identify an OCI resource?
- OCI resource
- Example OCIDs
- AuthN
- Principals
- AuthN
- AuthZ
- Subjects Clause
- Actions Clause
- Common Policies
- Common Policies
- Compartments
- Compartment
- Resource Compartments
- Compartments
- Compartments Access
- Interaction of Resources
- Movement of Resources
- Multiple Regions
- Nested Compartments
- Set Quotas and Budgets on Compartments
- Policy Inheritance and Attachment
- Policy Inheritance
- Policy Attachment
- Examples
- Advanced Policies
- Permissions
- Example
- Tag Based Access Control
- Tag-based Access Control
- Example
- Dynamic Groups
- Terms
- Resource Principals Patterns
- Infrastructure Principals
- Stacked Principals
- Ephemeral Principals
- Dynamic Groups
- Policies

Networking
- Introduction to Virtual Cloud Network
- Objectives
- Oracle Cloud Infrastructure Architecture
- Virtual Cloud Network (VCN)
- CIDR Notation
- CIDR: Example
- IP Address Range for Your VCN
- Subnet
- Summary
- Virtual Cloud Network
- Objectives
- Multiple VNICs on Virtual Machines
- Private IP Addresses
- Public IP
- Bring Your Own IP Address (BYOIP)
- Summary
- VCN Security
- Objectives
- Security List
- Network Security Group (NSG)
- SLs vs NSG
- Stateful Security Rules
- Stateless Security Rules
- Bastion Host
- Summary
- VCN Connectivity
- Objectives
- Connectivity Options
- VPN Connect
- VPN Connect (IPSec) Configuration Workflow
- FastConnect
- FastConnect - Use cases
- FastConnect Connectivity Providers
- VPN and FastConnect
- Summary
- Virtual Cloud Network - Gateways and Route Tables
- Objectives
- VCN Gateways
- Route Table
- Local Peering (Within Region)
- Remote Peering (Across Region)
- Local VCN Peering (Within Region)
- Remote VCN Peering (Across Regions)
- Summary of OCI Network Connectivity Options
- Transit Routing: Hub and Spoke
- Transit Routing: Associate Route Tables
- Transit Routing: Private Access to Oracle Services
- Summary
- DNS Service
- Objectives
- Domain Name System (DNS)
- OCI DNS
- Management Capabilities of OCI DNS
- Private DNS
- Traffic Management
- When should I use DNS Traffic Management?
- Traffic Management Steering Policies
- Summary
- Load Balancer
- Objectives
- Primer
- OCI Load Balancing Service
- OCI Flexible Load Balancer
- Fixed to Flexible Load Balancer
- HTTP/2 Support on Flexible Load Balancer
- Public Load Balancer
- Public Load Balancer (Regional Subnets)
- Public Load Balancer (AD-Specific Subnets)
- Private Load Balancer
- Private Load Balancer (Using Regional Subnets)
- Private Load Balancer (AD-Specific Subnets)
- Policies, Health Checks
- Load Balancing Policies
- Health Check
- Summary
- DRG Enhancements (Transit Hub)
- DRG Enhancements Transit Hub
- DRG Enhancements
- DRG Enhancements Use Cases
- DRG Attachments
- DRG Upgrade
- DRG Routing Engine
- DRG: Import Policies & Route Tables
- DRG Enhancements: Remote On Ramp/Transit Routing
- DRG Enhancements: Redundancy Option
- DRG Enhancements: ECMP (Active/Active) Support
- DRG and Firewall
- Network Visualizer
- Network Visualizer Demonstration
- Network Visualizer
- Network Visualizer, Symbols, and Conventions
- Example
- Network Visualizer
- Network Visualizer (Demo)
- Inter-Region Latency
- Inter-Region Latency Demonstration
- Inter-Region Latency Dashboard
- Realm and Region Keys
- Inter-Region Latency - Demo

Compute
- Compute Choices
- OCI Compute Service
- Shapes
- Bare Metal, VM, and Dedicated Hosts
- Bare Metal
- GPU Hardware
- GPU-Based Instances
- Compute Image Options
- Instance Images
- Image Sources
- Oracle-Provided Images
- Custom Images
- Bring Your Own Image (BYOI)
- Image Import/Export
- Instance Configurations, Pools, Autoscaling
- Instance Configurations and Pools
- Use Cases
- Compute Autoscaling
- Configuring Autoscaling
- Autoscaling in
- OS Management with Oracle Cloud Infrastructure
- Introduction to OS Management Service
- OS Management Service
- Why OS Management Service?
- OS Management for Oracle Linux
- Enterprise-Class Oracle Linux Support
- Oracle Cloud Management Service (OSMS) for Oracle Linux
- OS Management Service: Instance Details
- Instance: Available Package Updates
- Instance: Software Sources
- Create Managed Instance Groups: Fleet Management
- Common Vulnerabilities and Exposures
- Scheduled Jobs
- OS Management: Metrics and Alarms
- OS Management for Windows
- OS Management Service for Windows Server Instances
- Available Windows Server Updates
- Preemptible Instances
- Preemptible Instances
- Preemptible Instances Creation
- Burstable Instances
- Burstable Instances
- Burstable Instances Creation
- Example Scenarios
- Moving a Compute Instance to a New Host
- Relocating a VM Instance
- Live Migration
- Reboot Migration
- Manual Migration
- VM Recovery Due to Infrastructure Failure
- Capacity Reservation
- Capacity Reservation
- Example Scenarios
- Support and Limitations
- Dedicated Virtual Machine Hosts
- Dedicated Virtual Machine Hosts
- Example Scenarios
- Available shapes defined by host type
- Limitations
- Run Command
- Run Command
- Example Scenarios
- Before you start using Run Command
- Run Command

Block Storage
- Block Storage
- OCI Storage
- Local NVMe SSD Devices
- SLA for NVMe Performance
- Block Volume Storage Service
- Block Volume Service
- Creating and Attaching a Block Volume
- Detaching and Deleting Block Volumes
- Block Volume Flexible Performance Adjustment
- Backup and Restoration
- Backup and Restoration
- Block Volume
- Block and Boot Volume Online Resize
- Resizing Block and Boot Volume
- Offline Resize
- Volume Groups
- Volume Groups
- Boot Volumes
- Boot Volumes
- Custom Boot and Block Volumes
- Boot Volumes Res
- Cloning
- Clone
- Backup vs Clone
- Cross-Region Volume Replication
- Cross-Region Replication
- Enabling Volume Replication
- Attaching a Volume to Multiple Instances
- Multiple Attachment
- Attaching a volume from the instance
- Attaching a volume from the volume

Object Storage
- Object Storage
- Oracle Cloud Infrastructure Storage Services
- OCI Object Storage
- OCI Object Storage Scenarios
- OCI Object Storage: Features
- Object Storage: Resources
- Object Storage Tiers
- Auto-tiering
- Object Storage Tiers
- OCI Object Storage Auto-tiering
- Auto-tiering possible scenarios
- Managing Access and Authentication
- Managing Access and Authentication
- Lifecycle Management
- Object Lifecycle Management
- Object Storage Replication and Cross-region Copy
- OCI Object Storage Replication
- Limitations
- Cross-Region Copy
- Versioning
- Versioning
- Versioning integration with other features
- Data Retention
- Data Retention
- Object Storage Data Retention
- Data retention integration with other features
- Logging
- Logging
- Enabling Logging

File Storage
- File Storage
- Oracle Cloud Infrastructure Storage Services
- What is file storage?
- File Storage - Use Cases
- OCI File Storage Service Features
- OCI File Storage Service Concepts
- Mounting an OCI File System
- Security
- Four distinct and separate layers of security
- OCI File Storage Service Security
- Export Options
- In-Transit Encryption
- Snapshot and Cloning
- File Storage Snapshot
- File Storage Cloning Concepts

Database
- Autonomous Database Concepts
- Oracle Autonomous Database
- Oracle Autonomous Database - Key Features
- Autonomous Database: Fully Managed
- Autonomous Database: Automated Tuning
- Autonomous Database: Fully Elastic
- Full Support of Database Ecosystem
- Autonomous Database: Deployment Options
- Autonomous Database
- Autonomous Optimizations - Specialized by Workload
- Autonomous Database Administration
- Oracle Autonomous Database
- Autonomous Database Full Database Lifecycle Automation
- Complete Database Automation
- Provision an Autonomous Database
- Autonomous Database - Dedicated
- Deploy an autonomous database with a private endpoint
- Connecting to the Autonomous Database
- Predefined Services for Autonomous Databases
- Autonomous Database - Fully Elastic
- Autonomous Database - Fully Managed
- Autonomous Database (ADB) Cloud - Backup & Recovery
- Securing Autonomous Database (ADB)
- Monitoring
- Autonomous Database Cloud - Cloning
- Oracle Data Pump Exports from Oracle Autonomous Database
- Database Systems - Concepts
- Oracle Database Systems
- Database Editions (Options)
- Virtual Machine & Bare Metal (Options)
- DB Systems
- Virtual Machine (VM) Database (DB) Systems
- Bare Metal DB Systems
- DB Systems Storage Architecture
- Database Systems - Administration
- Oracle Database Systems
- Network Setup for DB Systems
- Creating DB Systems
- Creating DB Systems (Bare Metal)
- Creating DB Systems
- Managing DB Systems
- Managing Databases
- Backup/Restore
- Oracle Data Guard
- OCI Security Features: Overview for Database Service
- MySQL Database Service - Concepts
- MySQL Database Service
- MySQL Database Service: Ease of Use
- MySQL Database Service: Security
- MySQL Database Service: Fully Managed Database Service
- In-Memory, Query-Processing Engine
- HeatWave Architecture - Overview
- NoSQL Database Service - Concepts
- NoSQL Database Service
- Configurable ACID
- Extreme Availability Through Fault Containment Zones
- MR Tables with Cross-Region Service
- Security
- Easy Online Elastic Expansion and Contraction
- Change Data Capture
- HTTP Access

Security
- Introduction
- Shared Security Model
- Security Services
- Cloud Guard
- Cloud Guard
- Scenario: Public Bucket
- Security Zones and Security Advisor
- Security Zones
- Security Advisor
- Vulnerability Scanning
- Vulnerability Scanning
- Vault
- OCI Vault
- Keys Basic Concepts
- Vault
- Vault Deep Dive
- OCI Vault Service Summary
- Vault Storage Options
- Centralized Key Management
- Create a Key
- Rotate a Key
- Key Management - Design Considerations
- Vault Secrets
- OCI Vault Services
- What's a Secret?
- "Secret" Questions
- Secret Management in OCI Vault
- Example Use Case: Application Runtime
- Create Secret
- Use a Secret
- Web Application Firewall
- Web Application Firewall (WAF)
- OCI WAF
- Bastion
- OCI Bastion

Observability and Management
- Introduction
- Observability & Management
- Monitoring
- Monitoring Service
- Metrics
- Alarms
- Logging
- Logging
- Logging Analytics
- Logging Analytics
- Events Service
- Events Service
- Rules
- Actions
- Operations Insights
- Operations Insights
- Capacity Planning
- Oracle SQL Warehouse
- Application Performance
- Application Performance Features


Oracle Cloud Infrastructure Introduction

Complete Cloud Infrastructure Platform
- Cloud regions | Cloud@Customer | Hybrid Cloud | Multi-cloud

Cloud Regions, Hybrid Cloud, Multi-Cloud

Platform capabilities
- Powerful Core Infrastructure Services
- Comprehensive Database Services
- Broad Data Management and Data Science Capabilities
- Manage, Secure, and Operate at Scale
- Build and Run Cloud Native Applications and Extend Existing Apps
- Robust Oracle Analytics and Third-Party Support
- Comprehensive Horizontal and Industry SaaS Portfolio
Each is offered across: Commercial regions | Gov regions | Cloud@Customer | Multi-cloud | Hybrid | Migration

Complete Cloud Infrastructure Platform
- App Integration | Industry SaaS | Business Analytics
- Commercial regions | Gov regions | Cloud@Customer | Multi-cloud | Hybrid | Migration


OCI Architecture
Cloud Regions, Hybrid Cloud, Multi-cloud

Choosing a Region
- Choose a region closest to your users for lowest latency and highest performance.
- New cloud services are made available based on regional demand, regulatory compliance, resource availability, and other factors.

Availability Domains
- Isolated from each other, fault tolerant, unlikely to fail simultaneously.
- Physical infrastructure is not shared.
- A multi-AD OCI region contains Availability Domain 1, Availability Domain 2, and Availability Domain 3.

Fault Domains
- Each Availability Domain has three Fault Domains (FD).
- A fault domain is a logical data center within an AD.
- Resources placed in different FDs will not share single points of hardware failure.
- In any region, resources in at most ONE fault domain are being actively changed at any point in time. This means that availability problems caused by change procedures are isolated at the fault domain level.
- You can control the placement of your compute or database instances to fault domains at instance "launch" time.
Avoid Single Points of Failure
- Design your architecture to deploy instances that perform the same tasks:
  - in different Fault Domains (in one-AD regions)
  - in different Availability Domains (in multi-AD regions)

High Availability Design
- Fault Domains and Availability Domains: effect on availability, management, and performance.


Identity and Access Management

What is OCI IAM?
- IAM = Identity and Access Management Service
- Fine-grained Access Control
- AuthN - Who are you?
- AuthZ - What permissions do you have?

OCI Identity Concepts
- Users, Groups, Policies, Compartments, Resources
- Resources are cloud objects.

How to identify an OCI resource?
- Every OCI resource has a unique, Oracle-assigned identifier: the Oracle Cloud ID (OCID).
- OCID format: ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>

Example OCIDs
- Tenancy (no region field): ocid1.tenancy.oc1..aaaaaaaa…
- Block Volume: ocid1.volume.oc1.eu-frankfurt-1.abtheljrwbqhmad266k1jreyhbd4p23lmcwb4por6yigvx6lmxymneyevhia

AuthN

Principals
- IAM Users
- Resource Principals
- Group: a collection of users who need the same type of access to resources.

AuthN: IAM authentication
- User name and password
- API signing key: used with the OCI API and the SDK/CLI; an RSA key pair (PEM).
- Auth tokens: Oracle-generated token strings, used to authenticate with third-party APIs.

AuthZ
- What permissions do you have?
- AuthZ in OCI is expressed through IAM policies:
  Allow <Subjects> to <Actions> in <Placement> where <Condition>

Subjects Clause
Subjects are a clause for the various ways that an authenticated actor can be addressed:
- By membership in an Identity registered group (e.g. "group Admins", "group id ocid1.group.oc1...")
- By service name (e.g. "service objectstorage-us-sanjose-1")
- As a wildcard, with "any-user" (any request from the tenancy)
- More than one name or group can be named in the Subjects element. These can be chained by kind (e.g., "group Alice, Bob").

Actions Clause
- Services define one or more Permissions that any given API call will require.
- These are documented and bundled into convenient "verb resource-kind" pairs (e.g., "inspect objects", "manage objects") for Actions clauses.
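Returning to the OCID format introduced above, the following parser is an added example (not Oracle's code or SDK). It splits an OCID into the documented fields, ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>, handles the region-less form that tenancy OCIDs use (the double dot in the example above), and rejects malformed values. The sample OCIDs are constructed with placeholder unique-id parts.

```python
"""OCID parser: an added example, not Oracle's code.  An OCID follows the documented layout
    ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>
so it splits into five dot-separated fields (six when the FUTURE USE field is present).
Region-less resources such as a tenancy leave REGION empty, hence the double dot in their
OCIDs.  The sample OCIDs below are constructed; their unique-id parts are placeholders."""
from typing import NamedTuple, Optional

class Ocid(NamedTuple):
    version: str         # "ocid1" for every OCID issued today
    resource_type: str   # e.g. "tenancy", "compartment", "volume"
    realm: str           # e.g. "oc1"
    region: str          # "" for region-less resources
    future_use: str      # "" unless the six-field form is used
    unique_id: str

def parse_ocid(text: str) -> Ocid:
    """Split and validate an OCID; raises ValueError on anything malformed."""
    fields = text.strip().split(".")
    if len(fields) == 5:
        version, rtype, realm, region, uid = fields
        future = ""
    elif len(fields) == 6:
        version, rtype, realm, region, future, uid = fields
    else:
        raise ValueError("expected 5 or 6 dot-separated fields, got %d in %r" % (len(fields), text))
    if version != "ocid1":
        raise ValueError("unsupported OCID version %r" % version)
    if not (rtype and realm and uid):
        raise ValueError("resource type, realm and unique id must be non-empty: %r" % text)
    if not uid.isalnum():
        raise ValueError("unique id must be alphanumeric: %r" % uid)
    return Ocid(version, rtype, realm, region, future, uid)

def region_of(text: str) -> Optional[str]:
    """Region key of a regional resource, or None for region-less ones (e.g. a tenancy)."""
    return parse_ocid(text).region or None

def same_realm(a: str, b: str) -> bool:
    """Realms are isolated from each other, so two OCIDs from different realms never belong together."""
    return parse_ocid(a).realm == parse_ocid(b).realm

SAMPLE_TENANCY = "ocid1.tenancy.oc1..aaaaaaaaexampletenancyid"        # constructed placeholder
SAMPLE_VOLUME = "ocid1.volume.oc1.eu-frankfurt-1.abexamplevolumeid"    # constructed placeholder

def demo():
    return {
        "tenancy_type": parse_ocid(SAMPLE_TENANCY).resource_type,
        "tenancy_region": region_of(SAMPLE_TENANCY),
        "volume_region": region_of(SAMPLE_VOLUME),
        "same_realm": same_realm(SAMPLE_TENANCY, SAMPLE_VOLUME),
    }
```

`region_of` is the field a policy condition such as `request.region` or an inventory script most often needs; `same_realm` is a cheap guard against mixing identifiers from isolated realms in one configuration.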
Verbs
- inspect: Permissions necessary to observe, enumerate and monitor, without access to confidential information. Example "inspect objects": learn details about objects stored in buckets (quantity, confirmation of object existence, etc.) without getting access to the object itself.
- read: Permissions necessary to access but not alter resources. Example "read objects": read the contents of the object.
- use: Permissions to modify pre-existing resources. Example "reencrypt objects": re-encrypt objects using a different key version.
- manage: Permissions to do anything to the resource kind. Example "create objects": create or delete objects.

Policy syntax
Allow <Subjects> to <Actions> in <Placement> where <Condition>
- Verbs (Actions clause): inspect, read, use, manage
- Resource kinds (Actions clause), individual or aggregate:
  - all-resources
  - database-family: db-systems, db-nodes, db-homes, databases
  - instance-family: instances, instance-images, volume-attachments, console-histories
  - object-family: buckets, objects
  - virtual-network-family: VCN, subnet, route-tables, security-lists, dhcp-options, and many more resources
  - volume-family: volumes, volume-attachments, volume-backups

Common Policies
- Network Admins manage a cloud network:
  Allow group NetworkAdmins to manage virtual-network-family in tenancy
- Users launch compute instances:
  Allow group InstanceLaunchers to manage instance-family in compartment ABC
  Allow group InstanceLaunchers to use volume-family in compartment ABC
  Allow group InstanceLaunchers to use virtual-network-family in compartment XYZ

Compartments
- A compartment is a collection of related resources.
- The tenancy is the root compartment; further compartments (e.g. a Network compartment) sit below it.
- The root compartment can hold all the cloud resources.
- Best practice: Create dedicated compartments to isolate resources.

Resource Compartments
- Isolate and control access.
- Each resource belongs to a single compartment.

Compartments Access
- Users + Policies = Access to Compartments

Interaction of Resources
- Resources can interact with other resources in different compartments.

Movement of Resources
- Resources can be moved from one compartment to another.

Multiple Regions
- Resources from multiple regions can be in the same compartment.

Nested Compartments
- Compartments can be nested below the tenancy (root compartment).

Set Quotas and Budgets on Compartments
Policy Inheritance and Attachment

Policy Inheritance
- Concept of inheritance: Compartments inherit any policies from their parent compartment.
- OCI has a built-in policy for Administrators:
  Allow group Administrators to manage all-resources in tenancy
- Because of Policy Inheritance, the Administrators group can also do anything in any of the compartments in the tenancy.
- Three levels of compartments: A, B, and C. Policies that apply to resources in compartment A also apply to resources in compartments B and C.
- PA, a policy in compartment A:
  Allow group NetworkAdmins to manage virtual-network-family in compartment A
- Policy PA allows the group NetworkAdmins to manage VCNs in compartments A, B, and C.

Policy Attachment
- Concept of attachment: When you create a policy, you must attach it to a compartment (or the tenancy).
- Where you attach it controls who can then modify it or delete it.
- Attach it to the tenancy (root compartment):
  - Anyone with access to manage policies in the tenancy can then change or delete it.
  - Anyone with access only to a child compartment cannot modify or delete that policy.
- Attach it to a child compartment:
  - Anyone with access to manage the policies in that compartment can change or delete it.

Policy Attachment example
You want to create a policy to allow NetworkAdmins to manage VCNs in compartment C, which is nested as A:B:C below the tenancy. The compartment path in the statement is written relative to the compartment the policy is attached to:
- Attached to the tenancy (root compartment):
  Allow group NetworkAdmins to manage virtual-network-family in compartment A:B:C
- Attached to compartment A:
  Allow group NetworkAdmins to manage virtual-network-family in compartment B:C
- Attached to compartment B:
  Allow group NetworkAdmins to manage virtual-network-family in compartment C
- Attached to compartment C:
  Allow group NetworkAdmins to manage virtual-network-family in compartment C


Conditional Policies
Allow <Subjects> to <Actions> in <Placement> where <Condition>
- A Condition clause enables more complicated and fine-grained access control.
- Broadly, a condition evaluates to True, False or Not Applicable.
- Use variables when adding conditions to a policy.
- Variables are hierarchically named, prefixed with either request or target followed by a dot (.):
  - request - used for attributes about the request itself. E.g., request.user.id should contain the OCID of the user who made the request.
  - target - used for attributes about the resource/target of interest. E.g., an UpdateUser request may include target.user.id and target.user.name.

Conditions
- Syntax for a single condition: variable =|!= value
  - Every condition returns true or false.
  - != inverts the result.
- Syntax for multiple conditions: any|all {..., ...}
  - any: A condition set that starts with any is a disjunctive (logical OR) set of sub-conditions. Any condition within the { } that results in true means that the condition is true.
  - all: A condition set that starts with all is a conjunctive (logical AND) set of sub-conditions.
    Every condition within the { } must be true for the condition to be true.

Types of values used in conditions
- String: 'johnsmith@example.com', 'ocid1.compartment.oc1..aaaaaaaaph...ctehngg756a'. Single quotation marks are required around the value.
- Pattern: /HR*/ (matches strings that start with "HR"); /*HR/ (matches strings that end with "HR"); /*HR*/ (matches strings that contain "HR").

Examples
- Policy allows PHX-Admins to manage all aspects of all resources in US West:
  Allow group PHX-Admins to manage all-resources in tenancy where request.region = 'phx'
- Policy enables the NetworkAdmins group to manage cloud networks in any compartment except the one specified:
  Allow group NetworkAdmins to manage virtual-network-family in tenancy where target.compartment.id != 'ocid1'
- Policy limits Autonomous Database access to databases and backups for a specific workload type:
  Allow group ADB-Admins to manage autonomous-database in tenancy where target.workloadType = 'workload_type'


Advanced Policies

Permissions
- Permissions = atomic units of AuthZ that control a user's ability to perform operations on resources.
- Verbs simplify the process of granting multiple related permissions that cover a broad set of access.
- Policy (verb + resource-type) = access to one or more predefined permissions.
- Policy (e.g. inspect volumes) = access to a permission called VOLUME_INSPECT.
- Each API operation requires the caller to have access to one or more permissions.

Verb + resource type and the permissions it grants
- inspect volumes: VOLUME_INSPECT
- read volumes: VOLUME_INSPECT
- use volumes: VOLUME_INSPECT, VOLUME_UPDATE, VOLUME_WRITE
- manage volumes: VOLUME_INSPECT, VOLUME_UPDATE, VOLUME_WRITE, VOLUME_CREATE, VOLUME_DELETE, VOLUME_MOVE

Example
Group XYZ can list, create, write, update, or move block volumes, but not delete them.
- Conditions based on specific permissions:
  Allow group XYZ to manage volumes in tenancy where any { request.permission='VOLUME_INSPECT', request.permission='VOLUME_CREATE', request.permission='VOLUME_WRITE', request.permission='VOLUME_UPDATE', request.permission='VOLUME_MOVE' }
- Conditions based on specific API operations:
  Allow group XYZ to manage volumes in tenancy where any { request.operation='ListVolumes', request.operation='GetVolume', request.operation='AttachVolume', request.operation='CreateVolume', request.operation='ChangeVolumeCompartment' }

Example
Group ObjectWriters can inspect and upload objects in any bucket in the compartment ABC:
  Allow group ObjectWriters to manage objects in compartment ABC where any { request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT' }
To limit access to a specific bucket in a particular compartment, add the condition where target.bucket.name='<bucket name>':
  Allow group ObjectWriters to manage objects in compartment ABC where all { target.bucket.name='BucketA', any { request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT' } }


Tag Based Access Control

Tag-based Access Control
- Tag-based access control (TBAC) allows you to define policies with tags that span compartments, groups, and resources.
- Scope access based on the tags applied to a resource.
- TBAC = conditions + a set of tag variables.
- Access can be controlled based on a tag:
  - on the requesting resource (group, dynamic group, or compartment)
  - on the target of the request (resource or compartment)

Tag applied to the requestor
- Group, variable request.principal.group.tag.{tagNamespace}.{tagKeyDefinition}:
  allow any-user to manage instances in compartment HR where request.principal.group.tag.Operations.Project='Prod'
  Any user who belongs to a group that has been tagged with Operations.Project='Prod' can manage instances in the HR compartment.
- Dynamic Group, variable request.principal.group.tag.{tagNamespace}.{tagKeyDefinition}:
  allow dynamic-group InstancesA to manage object-family in compartment HR where request.principal.group.tag.Operations.Project='Prod'
  Instances in dynamic group InstancesA that has been tagged with Operations.Project='Prod' can manage objects in the compartment HR.
- Compartment, variable request.principal.compartment.tag.{tagNamespace}.{tagKeyDefinition}:
  allow dynamic-group InstancesA to manage object-family in compartment HR where request.principal.compartment.tag.Operations.Project='Prod'
  Instances in dynamic group InstancesA that also reside in a compartment that has been tagged with Operations.Project='Prod' can manage objects in the tenancy.

Tag applied to the target
- Resource, variable target.resource.tag.{tagNamespace}.{tagKeyDefinition}:
  allow group GroupA to manage all-resources in compartment HR where target.resource.tag.Operations.Project='Prod'
  Policy allows GroupA to manage any resource that has been tagged with Operations.Project='Prod'.
- Compartment, variable target.resource.compartment.tag.{tagNamespace}.{tagKeyDefinition}:
  allow group GroupA to manage all-resources in compartment HR where target.resource.compartment.tag.Operations.Project='Prod'
  Policy allows GroupA to manage any resource in compartment HR that has been tagged with Operations.Project='Prod'.

Example
Set up a Test compartment for members of the three projects to share:
  allow any-group to manage all-resources in compartment Test where request.principal.group.tag.EmployeeGroup.Role='Admin'
- All existing admin groups with the tag have access to the Test compartment.
- Any new group tagged with EmployeeGroup.Role='Admin' will have access without updating policy statements.
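The condition grammar (single conditions, any/all sets, string and pattern values), the Not Applicable result, the verb nesting from the permissions table, policy inheritance into child compartments and the tag-based conditions above are all easier to reason about with an evaluator in hand. The block below is an added example, not Oracle's code or policy engine: a toy model of those rules that runs the page's own PHX-Admins, ObjectWriters and TBAC statements against constructed request contexts. The context keys `request.groups`, `request.dynamic_groups` and `target.compartment.path`, the exact case-sensitive comparison, and the `OBJECT_CREATE`/`OBJECT_INSPECT` permission names (formed the way the page's VOLUME_* names are) are assumptions of this model.

```python
"""Policy condition evaluator: an added example, not Oracle's code or policy engine.
Models the page's grammar (var = value, var != value, nested any{} OR / all{} AND sets,
'string' values and /pattern/ values with * as wildcard), a Not Applicable result (None)
when the request lacks the variable, inspect < read < use < manage verb nesting, and
placement that also covers nested child compartments.  Exact comparison is an assumption."""
import re

TOKEN = re.compile(r"\{|\}|,|!=|=|'[^']*'|/[^/]*/|[\w.\-]+")

def tokenize(text):
    tokens = TOKEN.findall(text)
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", text):  # every char must be covered
        raise ValueError("bad condition syntax: %r" % text)
    return tokens

def parse_condition(text):
    tokens = tokenize(text)
    node = _parse(tokens)
    assert not tokens, "unexpected trailing tokens: %r" % tokens
    return node

def _parse(tokens):
    """('set', 'any'|'all', [children]) or ('cmp', variable, negated, literal)."""
    head = tokens.pop(0)
    if head.lower() in ("any", "all") and tokens and tokens[0] == "{":
        tokens.pop(0)
        children = [_parse(tokens)]
        while (sep := tokens.pop(0)) == ",":
            children.append(_parse(tokens))
        if sep != "}":
            raise ValueError("expected '}' but found %r" % sep)
        return ("set", head.lower(), children)
    op = tokens.pop(0)
    if op not in ("=", "!="):
        raise ValueError("expected = or != after %r" % head)
    return ("cmp", head, op == "!=", tokens.pop(0))

def literal_matches(actual, literal):
    if len(literal) > 1 and literal[0] == literal[-1] == "/":          # /pattern/
        regex = ".*".join(re.escape(part) for part in literal[1:-1].split("*"))
        return re.fullmatch(regex, actual) is not None
    if len(literal) > 1 and literal[0] == literal[-1] == "'":          # 'string'
        return actual == literal[1:-1]
    raise ValueError("values must be 'quoted' or /patterns/: %r" % literal)

def evaluate(node, context):
    if node[0] == "cmp":
        _, variable, negated, literal = node
        if variable not in context:
            return None                                # Not Applicable
        return literal_matches(context[variable], literal) != negated
    _, op, children = node
    results = [evaluate(child, context) for child in children]
    if op == "any":   # OR: one True grants; all False denies; otherwise Not Applicable
        return True if True in results else (False if all(r is False for r in results) else None)
    return False if False in results else (True if all(r is True for r in results) else None)

STATEMENT = re.compile(
    r"^allow\s+(?P<subject>any-user|any-group|(?:dynamic-)?group\s+[\w.\-]+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>[\w\-]+)\s+in\s+(?P<placement>tenancy|compartment\s+[\w:\-]+)(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE | re.DOTALL)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}          # each verb covers those below it
FAMILIES = {"all-resources": None,                                    # aggregates from the page (subset)
            "object-family": {"buckets", "objects"}}

def statement_grants(statement, context, verb, resource):
    """True only when subject, verb, resource, placement and condition all match.  Context keys:
    request.groups, request.dynamic_groups, target.compartment.path ('A:B:C', relative to the
    attachment point) and whatever variables the where clause names."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError("unrecognised policy statement: %r" % statement)
    kind, _, name = m.group("subject").lower().partition(" ")
    member_key = {"group": "request.groups", "dynamic-group": "request.dynamic_groups"}.get(kind)
    if member_key and name.strip() not in {g.lower() for g in context.get(member_key, [])}:
        return False
    if VERB_RANK[m.group("verb").lower()] < VERB_RANK[verb]:
        return False
    allowed = FAMILIES.get(m.group("resource").lower(), {m.group("resource").lower()})
    if allowed is not None and resource not in allowed:
        return False
    scope, _, path = m.group("placement").lower().partition(" ")
    target = context.get("target.compartment.path", "").lower()
    if scope == "compartment" and target != path.strip() and not target.startswith(path.strip() + ":"):
        return False
    return m.group("cond") is None or evaluate(parse_condition(m.group("cond")), context) is True

# Statements quoted from the page; ObjectWriters' permission names follow the page's VERB_RESOURCE naming.
PHX = "Allow group PHX-Admins to manage all-resources in tenancy where request.region = 'phx'"
WRITERS = ("Allow group ObjectWriters to manage objects in compartment ABC where all { target.bucket.name = "
           "'BucketA', any { request.permission = 'OBJECT_CREATE', request.permission = 'OBJECT_INSPECT' } }")
TBAC = "allow any-user to manage instances in compartment HR where request.principal.group.tag.Operations.Project = 'Prod'"
TAG = "request.principal.group.tag.Operations.Project"

def demo():
    """The page's PHX-Admins, ObjectWriters and TBAC statements against constructed request contexts."""
    base = {"request.groups": ["PHX-Admins", "ObjectWriters"], "target.compartment.path": "ABC:dev"}
    writers = {**base, "target.bucket.name": "BucketA"}
    return {
        "phx_region": statement_grants(PHX, {**base, "request.region": "phx"}, "manage", "volumes"),
        "other_region": statement_grants(PHX, {**base, "request.region": "fra"}, "manage", "volumes"),
        "create_object": statement_grants(WRITERS, {**writers, "request.permission": "OBJECT_CREATE"}, "manage", "objects"),
        "delete_object": statement_grants(WRITERS, {**writers, "request.permission": "OBJECT_DELETE"}, "manage", "objects"),
        "permission_unknown": statement_grants(WRITERS, writers, "manage", "objects"),   # Not Applicable, so no grant
        "tbac_tagged": statement_grants(TBAC, {"target.compartment.path": "HR", TAG: "Prod"}, "manage", "instances"),
        "tbac_untagged": statement_grants(TBAC, {"target.compartment.path": "HR"}, "manage", "instances"),
        "pattern": evaluate(parse_condition("target.compartment.name = /HR*/"), {"target.compartment.name": "HR-Payroll"}),
    }
```

Two details are worth noticing when reading the results. A request that carries no value for a variable the condition names yields Not Applicable rather than False, and the statement then grants nothing; for `!=` conditions in particular, an absent attribute must not be mistaken for "not equal". The same `any { ... }` / `all { ... }` syntax is what dynamic-group matching rules use later in this section, so `parse_condition` and `evaluate` apply there unchanged.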
ORACLE University - Oracle Cloud Infrastructure: Dynamic Groups (Identity and Access Management)

Terms

* Principal - Identity of the caller trying to access/operate on a resource
* User - Represents a human in an organization
* Instance - Represents a unique compute VM host in any OCI tenancy
* Service - An application developed and operated by OCI that offers functionality to end customers
* Resource - Unit/instance of an entity exposed by a service, for example a database or a load balancer

Resource Principal Patterns

* Infrastructure
* Stacked
* Ephemeral

Infrastructure Principals

* Analogy: A birth certificate
* Key idea: IAM service feature that enables instances to be authorized actors (or principals) to perform actions on service resources
* OCI example: Instance Principal

Stacked Principals

* Analogy: Requesting a passport, having a birth certificate
* Key idea: Projecting one principal on top of another; a service controlling a resource, not the infrastructure, specifies the intention of the resource. It requires infrastructure to be hosting one resource; multiple infrastructures might host the same resource for redundancy purposes.
* OCI example: Oracle Database

Ephemeral Principals

* Analogy: A building badge issued temporarily, valid for the day
* Key idea: Using injected identifiers, a service defines who the holder of a particular credential is for a short period of time
* OCI example: Oracle Function

Dynamic Groups

* Allow Infrastructure, Stacked and Ephemeral resource principals to be grouped as "principal actors" (similar to other groups)
* Policies permit Dynamic Group principals to make API calls against OCI services
* When you create a dynamic group, rather than adding members explicitly to the group, you instead define a set of matching rules to define the group members
* E.g., a rule could specify that all instances in a particular compartment are members of the dynamic group. The members can change dynamically as instances are launched and terminated in that compartment.

Dynamic Groups: matching rules

  Any {instance.compartment.id = 'ocid'}
  All {instance.id = 'ocid1'}
  Any {resource.type = 'dbaas', resource.compartment.id = 'ocid'}
  Any {resource.type = 'fnfunc', resource.compartment.id = 'ocid'}

Policies

  allow dynamic-group InstanceB to manage objects in tenancy where all { target.bucket.name = 'Log', target.region.name = 'RegionB' }
  allow dynamic-group DatabaseBackUps to manage objects in tenancy where all { target.bucket.name = 'DBBackup', target.region.name = 'RegionA' }

ORACLE University - Oracle Cloud Infrastructure: Introduction to Virtual Cloud Network
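The any { ... } / all { ... } clauses in the policy statements and dynamic-group matching rules above can be tried against a request before the policy is written. The evaluator below is an added illustration, not Oracle's implementation or an OCI API: it parses the clause syntax shown on these slides and evaluates it against constructed request attributes (the attribute dictionaries and the 'ocid1.compartment.example' value are assumed placeholders).

```python
"""Evaluator for the any { ... } / all { ... } condition clauses used in OCI
policy statements and dynamic-group matching rules.  Added illustration only
(not Oracle's implementation, not an OCI API): try a condition against
constructed request attributes before writing the real policy."""
import re

_ATOM = re.compile(r"\s*([\w.\-]+)\s*(!=|=)\s*'([^']*)'\s*")

def parse(text):
    """Parse a clause into nested ('any'|'all', [children]) / ('atom', ...) tuples."""
    node, rest = _parse(text)
    if rest.strip():
        raise ValueError(f"trailing input: {rest!r}")
    return node

def _parse(text):
    m = re.match(r"\s*(any|all)\s*\{", text, re.IGNORECASE)
    if not m:  # a single variable='value' comparison
        m = _ATOM.match(text)
        if not m:
            raise ValueError(f"bad condition near {text[:30]!r}")
        atom = ("atom", m.group(1).lower(), m.group(2), m.group(3).lower())
        return atom, text[m.end():]
    op, rest, children = m.group(1).lower(), text[m.end():], []
    while True:
        child, rest = _parse(rest)
        children.append(child)
        rest = rest.lstrip()
        if rest.startswith(","):
            rest = rest[1:]
        elif rest.startswith("}"):
            return (op, children), rest[1:]
        else:
            raise ValueError(f"expected ',' or '}}' near {rest[:30]!r}")

def evaluate(node, attrs):
    """attrs maps variable names to one request's values, e.g.
    {'request.permission': 'VOLUME_DELETE'}.  Values compare case-insensitively;
    a variable absent from the request never matches (simplification assumed here)."""
    if node[0] == "atom":
        _, var, op, want = node
        have = attrs.get(var)
        if have is None:
            return False
        return (have.lower() == want) if op == "=" else (have.lower() != want)
    results = [evaluate(child, attrs) for child in node[1]]
    return any(results) if node[0] == "any" else all(results)

def allowed(condition, attrs):
    """True when the condition clause matches the given request attributes."""
    return evaluate(parse(condition), attrs)
```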
Objectives

* Region, Availability Domain, Fault Domain
* Virtual Cloud Network
* Subnets

Oracle Cloud Infrastructure Architecture

* Regions
* Availability Domains
* Fault Domains (FD)

Virtual Cloud Network (VCN)

* Virtual, private network set up in the Oracle data centers, with firewall rules and specific types of communication gateways
* Resides in a single region
* Can have one or more non-overlapping IPv4 CIDR blocks of your choice
  - CIDR blocks can be modified after VCNs are created

CIDR Notation

* CIDR stands for Classless Inter-Domain Routing
* A CIDR prefix is represented as A.B.C.D/x
* A CIDR prefix has two components, the network address (A.B.C.D) and the network prefix or mask (/x)
* Subnetting allows you to divide the CIDR prefix into smaller CIDR prefixes
* Example:
  - 192.168.1.0/24 means the first 24 bits are the network address
  - The last 8 bits are the host address without subnetting
  - Network ID: 192.168.1.0
  - First Host: 192.168.1.1
  - Last Host: 192.168.1.254
  - Broadcast address: 192.168.1.255

CIDR: Example

192.168.1.0/24 would equate to IP range 192.168.1.0 - 192.168.1.255

* Bit weights within an octet: 128 64 32 16 8 4 2 1 (2^7 ... 2^0); 192 is represented as 11000000

  192.168.1.2        11000000 . 10101000 . 00000001 . 00000010
  /24 subnet mask    11111111 . 11111111 . 11111111 . 00000000
  Logical AND        11000000 . 10101000 . 00000001 . 00000000   = 192.168.1.0

192.168.1.0/27 would equate to IP range 192.168.1.0 - 192.168.1.31

* Now the same network is divided into 8 subnets with 32 hosts each due to the /27 mask (255.255.255.224)

  192.168.1.44       11000000 . 10101000 . 00000001 . 00101100
  /27 subnet mask    11111111 . 11111111 . 11111111 . 11100000
  Logical AND        11000000 . 10101000 . 00000001 . 00100000   = 192.168.1.32

* Subnets: 2 x 2 x 2 = 8. Hosts: 2 x 2 x 2 x 2 x 2 = 32
* Subnetworks: 192.168.1.0/27, 192.168.1.32/27, 192.168.1.64/27...

IP Address Range for Your VCN

* Allowable OCI VCN size range is from /16 through /30
* 10.0.0.0/16 is recommended: the recommended /16 size gives 65,536 IP addresses within the RFC 1918 range
* RFC 1918 addresses are assigned to internal hosts inside private networks; they cannot be reached over the public internet
* Public IP - An IPv4 address that is reachable from the internet. If a resource in your tenancy needs to be directly reachable from the internet, it must have a public IP address.
* Private IP - Unlike a public IP, a private IP address enables communication with resources inside the VCN, or with hosts in your on-premises network, but not with hosts on the internet.
* Use private IP address ranges specified in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  - Any publicly routable range can be used
* The VCN reserves the first two IP addresses and the last one in each subnet's CIDR
  - The first host address is the default gateway address
* Regardless of the number of CIDR blocks, the maximum number of private IPs you can create within the VCN is 64,000
* Avoid IP ranges that overlap with other on-premises or other cloud networks

Subnet

* Each VCN is subdivided into subnets
* Each subnet has a contiguous range of IPs described in CIDR notation. Subnet IP ranges cannot overlap.
* A subnet can grow or shrink after creation
* Each subnet can be AD-specific or Regional (recommended)
  - An AD-specific subnet is contained in a single AD in a multi-AD region
  - A Regional subnet spans all three ADs in a multi-AD region
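The CIDR arithmetic and VCN sizing rules from these slides, worked in code. This is an added example, not part of the course material: it reproduces the /24 to /27 split from the CIDR example, marks the three addresses the VCN reserves in each subnet, and checks a constructed VCN (10.0.0.0/16 with sample subnets) for the /16 to /30 size limit and for overlapping subnets.

```python
"""Subnet arithmetic for an OCI VCN using the 192.168.1.0/24 example above.

Added example, not course material: it reproduces the /24 -> /27 split and
applies the slides' VCN rules (first two and last address of every subnet
reserved, subnets must not overlap, VCN CIDR between /16 and /30)."""
import ipaddress

def cidr_summary(cidr):
    """Network ID, first/last host, broadcast and mask for a CIDR prefix."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    return {"network": str(net.network_address), "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]), "broadcast": str(net.broadcast_address),
            "mask": str(net.netmask)}

def network_of(ip, prefix):
    """Logical AND of an address with its mask: 192.168.1.44/27 -> 192.168.1.32/27."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def split(cidr, new_prefix):
    """Divide a CIDR into equal subnets, e.g. a /24 into eight /27s."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]

def oci_reserved(subnet_cidr):
    """Addresses OCI reserves in a subnet: network address, default gateway
    (first host address) and the last address; 'usable' is what remains."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    first = net.network_address
    return {"network": str(first), "default_gateway": str(first + 1),
            "last": str(net.broadcast_address), "usable": net.num_addresses - 3}

def validate_vcn(vcn_cidr, subnet_cidrs):
    """Check the VCN size and that subnets lie inside it without overlapping."""
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    if not 16 <= vcn.prefixlen <= 30:
        return f"VCN prefix /{vcn.prefixlen} outside the allowed /16 to /30"
    subnets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vcn):
            return f"{s} is not inside {vcn}"
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                return f"{a} overlaps {b}"
    return "ok"
```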
