
Unauthorized reproduction or distribution prohibited. Copyright© 2021, Oracle University and/or its affiliates.

Oracle Cloud Infrastructure
Administration Essentials

Student Guide

D107965GC20 | D108009

Learn more from Oracle University at education.oracle.com

Copyright © 2020, Oracle and/or its affiliates.

Disclaimer

This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government's use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

Third-Party Content, Products, and Services Disclaimer

This documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

2010072020

Contents

1 Getting Started with Oracle Cloud Infrastructure
Objective 1-2
Oracle Cloud Infrastructure Global Footprint 1-3
OCI Region – HA Building Blocks 1-6
One AD Regions 1-7
Inside an AD – High Scale, High Performance, Network 1-8
Off-box Network Virtualization 1-9
Oracle Cloud Infrastructure Services 1-10
Differentiation 1-12
Summary 1-13

2 Identity and Access Management
Objectives 2-2
Identity and Access Management 2-3
Principals 2-5
Authentication 2-6
Authorization 2-7
Policy Syntax 2-9
Verbs and Permissions 2-10
Common Policies 2-11
Advanced Policy Syntax 2-13
Compartment 2-15
Reference Model: Compartments 2-16
When you sign up for OCI 2-17
Resource Locations 2-18
Federation 2-19
Policy Inheritance 2-21
Policy Attachment 2-22
Moving a Compartment to a Different Parent Compartment 2-24
Policy Implications When Moving Compartments 2-25
Tagging 2-29
Tag Namespace 2-30
Working with Defined Tags 2-31
Defined tags work with Policies 2-32
Audit Service 2-33
Summary 2-35

3 Virtual Cloud Network
Objectives 3-2
CIDR Basics 3-4
Virtual Cloud Network (VCN) 3-7
IP Address Range for Your VCN 3-8
Subnet 3-9
Private IP Addresses 3-12
Multiple VNICs on Virtual Machines 3-13
Public IP 3-14
Public IP Addresses 3-15
Internet Gateway 3-17
Route Table 3-18
NAT Gateway 3-20
Service Gateway 3-21
Dynamic Routing Gateway 3-22
Local Peering (Within Regions) 3-24
Remote Peering (Across Regions) 3-25
Summary of OCI Network Connectivity Options 3-26
Transit Routing: Hub and Spoke 3-28
Transit Routing: Private Access to Oracle Services 3-30
Security List (SL) 3-32
Network Security Group (NSG) 3-33
SL + NSG 3-34
Stateful Security Rules 3-35
Stateless Security Rules 3-36
Default VCN Components 3-38
Internal DNS 3-39
VCN Review 3-41
Summary 3-43

4 Connectivity to On-Premises Networks
Objectives 4-2
Connectivity Options 4-3
Dynamic Routing Gateway 4-5
VPN Connect (IPSec) 4-6
VPN Connect (IPSec): Workflow 4-7
VPN Connect: Workflow 4-8
FastConnect 4-9
FastConnect Scenarios 4-10
Virtual Circuit 4-11
FastConnect Use Scenarios 4-12
FastConnect Use Cases 4-13
FastConnect Connectivity Providers 4-14
IPsec VPN and FastConnect 4-15
VPN and FastConnect Pricing 4-16
Summary 4-17

5 Connectivity - FastConnect
Objectives 5-2
Why do you need dedicated connectivity into cloud? 5-3
FastConnect: Product Overview 5-4
FastConnect Use Cases 5-5
FastConnect: Use Scenarios 5-6
FastConnect (Private Connection) 5-7
BGP Advertisement and Traffic-flow CI Icons – White with Captions 5-8
FastConnect: Use Scenarios 5-9
FastConnect (Public Peering Connection) 5-10
BGP Advertisement and Traffic Flow 5-12
Private and Public Peering 5-13
FastConnect Connectivity Models 5-14
Fast Connect Concepts 5-15
FastConnect Connectivity Options 5-18
Direct to Oracle: Datacenter Colocation (1a) 5-19
Direct to Oracle: Dedicated Circuits Using a Network Service Provider (1b) 5-20
Cross Connects in Models 1a and 1b - Physical Connection 5-21
Direct to Oracle Logical Connection: Virtual Circuit 5-22
How to Set Up a FastConnect Virtual Circuit in Colocation Model? 5-23
FastConnect: Connectivity Options 5-25
Using an Oracle Network Provider or Exchange Partner 5-26
Using an Oracle Network Provider or Exchange Partner – Layer 2 5-27
Using an Oracle Network Provider or Exchange Partner – Layer 3 5-28
FastConnect: Connectivity Partners 5-29
How to Set Up a FastConnect Virtual Circuit with Partner: Demo Example - Megaport Layer3 Partner 5-30
1. Set Up OCI Components 5-31
2. Set Up Megaport Connection 5-34
FastConnect Connectivity Resiliency 5-43
FastConnect Redundancy 5-44
Redundancy: Connectivity Model Colocation or colocation via third party Network Provider 5-46
Redundancy: Connectivity Model Colocation or Colocation via Third-Party Network Provider 5-47
Redundancy: Connectivity Model Oracle Partner (Layer 2) 5-48
Layer 2 Partners: Megaport, Equinix, CenturyLink 5-49
Redundancy: Connectivity Model Oracle Partner (Layer 3) 5-50
Layer 3 Partners: Verizon, BT 5-51
Service Redundancy 5-52
Summary 5-53

6 Load Balancer
Objectives 6-2
Primer 6-3
OCI Load Balancing Service 6-5
Public Load Balancer 6-6
Public Load Balancer (Regional Subnets - recommended) 6-8
Public Load Balancer (AD Specific Subnets) 6-9
Private Load Balancer 6-10
Private Load Balancer (Using Regional Subnets) 6-12
Private Load Balancer (with AD Specific Subnets) 6-13
Policies, Health Checks 6-14
Load Balancing Policies 6-15
Health Check 6-16
Summary 6-17

7 Compute
Objectives 7-2
Bare Metal, VM and Dedicated Hosts 7-3
Bare Metal 7-4
Bare Metal Instances 7-5
Use Cases for AMD EPYC-Based Instances 7-6
Import/Export and BYOI 7-7
Oracle-Provided Images 7-8
Custom Images 7-10
Image Import/Export 7-11
Bring Your Own Image (BYOI) 7-12
Boot Volume 7-13
Boot Volumes 7-14
Custom Boot Volumes 7-15
Custom Image Versus Boot Volume Backup 7-16
Instance Configurations, Pools, Autoscaling 7-17
Instance Configuration and Pool 7-18
Instance Configuration and Pool – Use Cases 7-20
Autoscaling Configurations 7-21
Instance Metadata and Lifecycle 7-22
Instance Metadata 7-23
Instance Life Cycle 7-24
Summary 7-25

8 Oracle Container Engine for Kubernetes
Objectives 8-2
Key Containers/Orchestration Use Cases 8-3
Docker and Kubernetes 8-4
Docker and Kubernetes Lead the Market 8-5
Container Orchestration and Containers as a Service (CaaS) 8-6
Three Ways to Run Kubernetes on Oracle Cloud Infrastructure 8-8
Terraform Kubernetes Installer for OCI 8-9
Container Engine for Kubernetes (OKE): Introduction 8-10
Kubernetes Challenges 8-11
Working with OKE and OCIR on OCI 8-12
OKE/OCIR Pricing and Packaging 8-13
Oracle Container Engine (OKE) and Registry 8-14
Containers Use Case: Lift & Shift WebLogic Application 8-15
Pre-requisites for Creating a K8s Cluster Via Quickstart 8-18
OKE Quickstart 8-19
K8s Cluster in minutes... 8-23
Accessing the K8s Cluster - Dashboard 8-25
Accessing the K8s Cluster with kubectl 8-27
Accessing the Cluster endpoints Through Ingress Controllers 8-28
Monitoring via API Gateway Metrics: oci_apigateway 8-29
Summary 8-30

9 OCI Registry Service
Objectives 9-2
Oracle Cloud Infrastructure Registry (OCIR): Introduction 9-3
Working with OKE and OCIR on OCI 9-4
OKE/OCIR Pricing and Packaging 9-5
Pre-requisites for OCIR 9-6
OCIR Repositories 9-7
Push/Pull Images from OCIR 9-8
OCIR Image Layers 9-9
Pulling Images from Registry for Kubernetes Deployments 9-10
Pulling Images from Registry for Kubernetes Deployments 9-11
Pulling Images from Registry for Kubernetes Deployments (2) 9-12
OCIR Image Retention Policies 9-13
OCIR Image Retention Policies (2) 9-14
OCIR Image Retention Policies (3) 9-15
Summary 9-16

10 Object Storage
Objectives 10-2
OCI Storage Services 10-3
Object Storage Intro 10-4
Object Storage Service 10-5
Object Storage Scenarios 10-6
Object Storage Service Features 10-7
Object Storage Resources 10-8
Object Naming 10-9
Object Storage Tiers 10-10
Object Storage Capabilities 10-11
Managing Access and Authentications 10-12
Cross-region Copy 10-13
Object Lifecycle Management 10-14
Managing Multipart Uploads 10-15
Summary 10-16

11 Block Volume
Objectives 11-2
OCI Storage Services 11-3
Local NVMe SSD Devices 11-5
Protecting NVMe SSD Devices 11-7
SLA for NVMe Performance 11-8
Block Volume Service 11-10
Creating and Attaching a Block Volume 11-12
Detaching and Deleting Block Volumes 11-13
Block Volume Offline Resize 11-14
Backup and Restoration 11-16
Clone 11-20
Volume Groups 11-21
Boot Volumes 11-23
Custom Boot Volumes 11-25
Summary 11-26

12 File Storage Service
Objectives 12-2
File Storage Service Info 12-3
OCI Storage Services 12-4
File Storage Service – Use Cases 12-5
File Storage Service: Features 12-6
Mount Target 12-7
File System 12-9
FSS Paths 12-10
Mounting an OCI File System 12-11
File Storage Service Security 12-12
Security 12-13
Security Lists 12-14
Export Option 12-15
File Storage Service Snapshots 12-17
File Storage Service Snapshot 12-18
Summary 12-19

13 Database
Objectives 13-2
OCI Database Service 13-3
Virtual Machine (VM) Database (DB) Systems 13-4
VM DB Systems Storage Architecture 13-5
VM DB Systems Storage Architecture – Fast Provisioning Option 13-6
Bare Metal DB Systems 13-7
Bare Metal DB Systems: Storage Architecture 13-8
Exadata DB Systems 13-9
Exadata DB Systems: Storage Architecture 13-11
DB Systems – VM, BM, Exadata 13-12
Database Editions and Versions 13-13
Database Editions and Options 13-14
Managing DB Systems 13-15
Patching DB Systems 13-16
Backup / Restore 13-17
Automatic Backups 13-18
High Availability and Scalability 13-19
Oracle Data Guard 13-20
OCI Security Features: Overview for Database Service 13-21
Pricing – Virtual Machines 13-22
Pricing – Bare Metal X7 – License Included 13-23
Pricing – Bare Metal X7 – Bring Your Own License (BYOL) 13-24
Pricing - Exadata 13-25
Summary 13-26

14 Autonomous Database
Objectives 14-2
Autonomous Optimizations – Specialized by Workload 14-5
Autonomous Database – Choice of Cloud Deployment 14-6
Autonomous Database Cloud Service – Deployment Options 14-8
Autonomous Database – Fully Managed 14-11
Automated Tuning in Autonomous Database 14-12
Autonomous Database – Fully Elastic 14-13
Full Support of Database Ecosystem 14-14
Autonomous Data Warehouse: Architecture 14-15
Autonomous Transaction Processing: Architecture 14-16
Getting Started with Autonomous Database 14-17
Auto Scaling Autonomous Database 14-18
Securing Autonomous Database (ADB) 14-19
Connecting to the Autonomous Database 14-20
Troubleshooting Connectivity Issues 14-21
Scaling Your Database 14-22
Monitoring 14-23
Autonomous Database (ADB) Cloud – Backup and Recovery 14-24
Autonomous Database Cloud – Cloning 14-25
Autonomous Data Warehouse Cloud – Cloning Screenshots 14-26
Predefined Services for Autonomous Data Warehouse 14-27
Predefined Services for Autonomous Transaction Processing 14-28
Autonomous Database – Dedicated 14-30
Summary 14-34

15 DNS
Objectives 15-2
DNS – How it works! 15-3
DNS Zone Management 15-5
Supported Record Types 15-6
DNS Zone Management 15-7
Adding a Zone 15-8
View/Add Records 15-9
DNS Zone – Use Cases Secondary DNS Architecture (1) 15-10
DNS Zone – Use Cases Secondary DNS Architecture with ‘Hidden Master’ 15-11
Summary 15-12

16 Traffic Management Policies
Objectives 16-2
Traffic Management 16-3
When should I use DNS Traffic Management? 16-4
Failover 16-5
Cloud Migration 16-6
Load Balancing for Scale 16-7
Hybrid/Multi-cloud Environments 16-8
Geolocation Steering 16-9
Canary Testing 16-10
Zero Rating Services 16-11
Traffic Management Steering Policies 16-12
Traffic Management Concepts 16-13
Load Balancer Policy 16-14
Failover Policy 16-17
Geolocation Steering Policy 16-19
ASN Steering Policy 16-21
IP Prefix Policy 16-22
Health Checks 16-24
Health Checks Service Components 16-25
Creating a Health Check 16-26
Summary 16-29

17 OCI Security
Agenda 17-2
Shared Security Model 17-3
Security Services and Features 17-4
Identity and Access Management 17-5
Multi-factor Authentication (MFA) 17-6
Federation 17-7
Data Protection 17-8
Vault – Key Management 17-9
Data Safe 17-10
Dedicated VM Host 17-11
OS Management Service 17-12
Audit 17-13
Contents of an Audit log event 17-14
Network Protection 17-15
OCI Web Application Firewall 17-16
Multiple Layers of Defense In-Depth 17-17
Advanced Control: Defense In-Depth and Breadth 17-18
Compliance Certifications 17-19
Summary 17-20

18 Web Application Firewall
Objectives 18-2
What is a Web Application Firewall? 18-4
OCI Web Application Firewall 18-5
Key OCI WAF Components 18-6
OCI WAF Rulesets 18-7
Challenges and Whitelisting Capabilities 18-8
Bot Management 18-9
Access Controls 18-10
Oracle Cloud Infrastructure WAF Architecture 18-12
WAF Point of Presences (PoPs) 18-13
Shared Responsibility Model for WAF 18-14
Benefits of Oracle Cloud Infrastructure WAF 18-15
Summary 18-16

1 Getting Started with Oracle Cloud Infrastructure

Level 100

Objective

After completing this lesson, you should be able to:

• Oracle Cloud Infrastructure Global Footprint
• OCI Region – HA Building Blocks
• One AD Regions
• Oracle Cloud Infrastructure Services

Oracle Cloud Infrastructure Administration Essentials 1 - 2


Oracle Cloud Infrastructure Global Footprint

October 2019: 16 Regions Live

[World map. Legend: Commercial, Government, Microsoft Azure Interconnect. Labelled locations: Ashburn, Phoenix, Chicago, Toronto, Sao Paulo, London, Frankfurt, Zurich, Mumbai, Seoul, Tokyo, Sydney.]


Oracle Cloud Infrastructure Global Footprint

October 2019: 16 Regions Live, 20 Planned

[World map. Legend: Commercial, Commercial Planned, Government, Government Planned, Microsoft Azure Interconnect, Microsoft Azure Interconnect Planned. Labelled locations: Ashburn, Phoenix, Chicago, Bay Area, US Gov, Toronto, Montreal, Sao Paulo, Belo Horizonte, Chile, London, Newport (Wales), Amsterdam, Frankfurt, Zurich, Europe, Israel, Dubai, UAE 2, Jeddah, Saudi 2, Mumbai, Hyderabad, Singapore, Seoul, Chuncheon, Tokyo, Osaka, Asia, South Africa, Sydney, Melbourne.]


Oracle Cloud Infrastructure Global Footprint

End of CY2020: 36 Oracle Regions

[World map. Legend: Commercial, Government, Microsoft Azure Interconnect. Labelled locations: Ashburn, Phoenix, Chicago, Bay Area, US Gov, Toronto, Montreal, Sao Paulo, Belo Horizonte, Chile, London, Newport (Wales), Amsterdam, Frankfurt, Zurich, Europe, Israel, Dubai, UAE 2, Jeddah, Saudi 2, Mumbai, Hyderabad, Singapore, Seoul, Chuncheon, Tokyo, Osaka, Asia, South Africa, Sydney, Melbourne.]


OCI Region – HA Building Blocks

• Multiple fault de-correlated, completely independent datacenters: Availability Domain (AD)
• Grouping of hardware and infrastructure within an AD: Fault Domain
• Predictable low latency and high speed, encrypted interconnect between ADs

[Diagram: Region datacenters made up of Availability Domain 1, Availability Domain 2 and Availability Domain 3; inside an AD, racks are grouped into fault domains FD1, FD2 and FD3.]


One AD Regions

• OCI has chosen to launch regions in new geographies with one AD (to increase our global reach quickly).
• For any region with one AD, a second AD or region in the same country or geo-political area will be made available within a year to enable further options for DR and data residency.

OCI Region (current)            # Availability Domains
US West (Phoenix)               3
US East (Ashburn)               3
UK South (London)               3
Germany Central (Frankfurt)     3
Australia East (Sydney)         1
Brazil East (Sao Paulo)         1
Canada Southeast (Toronto)      1
India West (Mumbai)             1
Japan East (Tokyo)              1
South Korea Central (Seoul)     1
Switzerland North (Zurich)      1


Inside an AD – High Scale, High Performance, Network

• Non-oversubscribed network; no noisy-neighbors
• Very high scale – ~1 million network ports in an AD
• Predictable low latency and high speed interconnect between hosts in an AD

[Diagram: the physical network layer spanning the Region datacenters (Availability Domain 1, 2 and 3).]


Off-box Network Virtualization

Off Box Network Virtualization – Moves storage and network I/O out of the hypervisor and enables lower overhead and bare metal instances

[Diagram: a virtual network layer on top of the physical network, spanning the Region datacenters (Availability Domain 1, 2 and 3).]


Oracle Cloud Infrastructure Services

[Layered diagram, bottom to top: Region datacenters (Availability Domain 1, 2 and 3); physical network; virtual network; and the service layer "Compute, Storage, Database, LBs, Security…": Bare Metal, VMs, GPU, Containers; Exadata, DB Systems, RAC; NVMe, Block, Object, File; Load Balancers; Security, VPN.]


Oracle Cloud Infrastructure Services

IDENTITY: Identity and Access Management – Granular, role based access control to cloud resources
NETWORKING: VCN, VPN, FastConnect, LB – Isolated software defined private networks
COMPUTE: Bare Metal, Dedicated Hosts, VMs – Bare Metal, Dedicated Hosts, VMs with same APIs; Managed Kubernetes
STORAGE: Local, Block, File, Object, Archive – Local, Block, File, Object and Archive storage options
DATABASE: Bare Metal, VMs, RAC, Exadata – Bare Metal, VM, Exadata, RAC and Active Data Guard support
AUTONOMOUS DATABASE: ADW, ATP – Only autonomous database in the cloud
SERVERLESS: Functions, Autonomous-Serverless
ANALYTICS: Streaming, Oracle Analytics Cloud
NEXT LAYER SERVICES: Monitoring, Logging, Audit
SECURITY: Audit, Key Management – Log API calls for audit, bring your own keys
DATA MOVEMENT: Storage appliance, Data Transfer – Software NAS Gateway, Data Transfer Appliance
EDGE: DNS, Other Edge, Email – Global DNS, global private connectivity at up to 97% less cost

https://www.oracle.com/cloud/data-regions.html


Differentiation

Technical
1. Performance
   – Off-box network virtualization
   – Bare Metal + Local NVMe storage
   – All SSD Storage
   – No Network, CPU or Memory over-subscription
2. Battle tested (NetSuite and other SaaS apps run on OCI)
3. DB Options - BM, VM, Exadata, RAC
4. Enterprise Apps support (EBS, JDE..)

Business
1. Aggressive and predictable pricing – cheaper than AWS
2. Industry’s unique SLAs on Performance, Management and Availability
3. BYOL and Universal Cloud Credits
4. Support through one org


Summary

In this lesson, you should have learned about:

• Oracle Cloud Infrastructure Global Footprint
• OCI Region – HA Building Blocks
• One AD Regions
• Oracle Cloud Infrastructure Services



2 Identity and Access Management

Level 100

Objectives

After completing this lesson, you should be able to:

• Describe IAM Principals, AuthN, AuthZ
• Review Policies syntax and examples of advanced policies
• Understand the concept of Compartment in OCI
• Understand the use of Tags
• Explore OCI Audit service features


Identity and Access Management

• The Identity and Access Management (IAM) service enables you to control what type of access a group of users has and to which specific resources.
• A resource is a cloud object that you create and use in OCI (e.g. compute instances, block storage volumes, Virtual Cloud Networks).
• Each OCI resource has a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).
• IAM uses traditional identity concepts, such as Principals, Users, Groups, AuthN, and AuthZ, and introduces a new capability called Compartment.


Principals, AuthN, AuthZ


Principals

• A principal is an IAM entity that is allowed to interact with OCI resources.
• Principals – IAM users and Instance Principals
• IAM Users and Groups
  – Users are persistent identities set up by using the IAM service to represent individual people or applications.
  – When customers sign up for an OCI account, the first IAM user is the default administrator.
  – The default administrator sets up other IAM users and groups.
  – Users enforce the security principle of least privilege:
    1. A user has no permissions until placed in one or more groups.
    2. The group must have at least one policy with permission to the tenancy or a compartment.
  – A Group is a collection of users who all need the same type of access to a particular set of resources.
  – The same user can be a member of multiple groups.
• Instance Principals
  – Instance Principals let instances (and applications) make API calls against other OCI services, removing the need to configure user credentials or a configuration file.


Authentication

IAM service authenticates a Principal by:

• Username, Password
  – You use the password to sign in to the web console.
  – An administrator will provide you with a one-time password when setting up your account.
  – At your first log in, you are prompted to reset the password.
• API Signing Key
  – Required when using the OCI API in conjunction with the SDK/CLI
  – Key is an RSA key pair in the PEM format (min 2048 bits).
  – In OCI Console, copy and paste the contents of the PEM public key file. Use the private key with the SDK or with your own client to sign your API requests.
• Auth Tokens
  – Oracle-generated token strings to authenticate with third-party APIs that do not support OCI signature-based authentication (e.g. ADW).
  – Auth tokens do not expire.


Authorization

• Authorization specifies the actions an authenticated principal can perform.
• OCI Authorization: Define specific privileges in policies and associate them with principals.
• It supports the security principle of least privilege; by default, users are not allowed to perform any actions. (Policies cannot be attached to users, only to groups.)
• Policies comprise one or more statements, which specify which groups can access which resources and at what level of access.
• Policies are written in a human-readable format:
– Allow group <group_name> to <verb> <resource-type> in tenancy
– Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>]
• Policy Attachment: Policies can be attached to a compartment or to the tenancy. Where you attach a policy controls who can then modify or delete it.


IAM Policies


Policy Syntax

Allow <subject> to <verb> <resource-type> in <location> where <conditions>

Verb      Type of access
inspect   Ability to list resources
read      Includes inspect + ability to get user-specified metadata/actual resource
use       Includes read + ability to work with existing resources (the actions vary by resource type)*
manage    Includes all permissions for the resource
* In general, this verb does not include the ability to create or delete that type of resource.

Aggregate resource-type    Individual resource types
all-resources
database-family            db-systems, db-nodes, db-homes, databases
instance-family            instances, instance-images, volume-attachments, console-histories
object-family              buckets, objects
virtual-network-family     vcn, subnet, route-tables, security-lists, dhcp-options, and many more resources
volume-family              volumes, volume-attachments, volume-backups
cluster-family             clusters, cluster-node-pool, cluster-work-requests
file-family                file-systems, mount-targets, export-sets
dns                        dns-zones, dns-records, dns-traffic, ..

The IAM Service has no family resource-type, only individual ones.


Verbs and Permissions

• When you write a policy giving a group access to a particular verb and resource type, you're actually giving that group access to one or more predefined permissions.
• Permissions are the atomic units of authorization that control a user's ability to perform operations on resources.
• As you go from inspect > read > use > manage, the level of access generally increases, and the permissions granted are cumulative.
• Each API operation requires the caller to have access to one or more permissions. For example, to use ListVolumes or GetVolume, you must have access to a single permission: VOLUME_INSPECT.

Example for volume-family (volumes):
Verb      Permissions                               API operation
INSPECT   VOLUME_INSPECT                            ListVolumes
READ      VOLUME_INSPECT, …                         GetVolume
USE       READ + VOLUME_UPDATE, VOLUME_WRITE, …
MANAGE    USE + VOLUME_CREATE                       CreateVolume
          VOLUME_DELETE                             DeleteVolume


Common Policies

1. Network Admins manage a cloud network:
– Allow group NetworkAdmins to manage virtual-network-family in tenancy
2. Users launch compute instances:
– Allow group InstanceLaunchers to manage instance-family in compartment ABC
– Allow group InstanceLaunchers to read app-catalog-listing in tenancy
– Allow group InstanceLaunchers to use volume-family in compartment ABC
– Allow group InstanceLaunchers to use virtual-network-family in compartment XYZ

https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/commonpolicies.htm


Advanced IAM Policies


Advanced Policy Syntax

• As part of a policy statement, you can specify one or more conditions that must be met to get access:
– Allow <subject> to <verb> <resource-type> in <location> where <conditions>
• You use variables when adding conditions to a policy:
– request – Relevant to the request itself
– target – Relevant to the resources being acted upon in the request
  – The request.operation variable represents the API operation being requested (e.g., ListUsers); target.group.name represents the name of the group.
  – The variable name is prefixed accordingly with either request or target, followed by a period.
• Examples:
– Allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx'

https://docs.cloud.oracle.com/iaas/Content/Identity/Reference/policyreference.htm#Resource
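The following is an added example, not part of the Oracle course material: a small Python model of the policy language on the Policy Syntax, Verbs and Permissions, Common Policies and Advanced Policy Syntax slides. It parses Allow statements (including a where condition on request variables), expands a verb into the cumulative permissions tabulated for volumes on the Verbs and Permissions slide, and decides whether a member of a group may call an API operation. The permission and family tables are a constructed subset of the slides; the real decision is made by the IAM service, not by this code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Verb hierarchy from the Policy Syntax slide: each verb includes all verbs before it.
VERBS = ["inspect", "read", "use", "manage"]

# Permissions each verb adds for the "volumes" resource type (Verbs and Permissions slide);
# the slide elides some entries with "...", so only the ones it shows are modelled.
VERB_PERMISSIONS = {
    "volumes": {"inspect": {"VOLUME_INSPECT"}, "read": set(),
                "use": {"VOLUME_UPDATE", "VOLUME_WRITE"},
                "manage": {"VOLUME_CREATE", "VOLUME_DELETE"}},
}

# Aggregate resource types from the Policy Syntax slide (constructed subset).
FAMILIES = {
    "volume-family": {"volumes", "volume-attachments", "volume-backups"},
    "instance-family": {"instances", "instance-images", "volume-attachments", "console-histories"},
}

# Individual resource type and permission each API operation needs (Verbs and Permissions slide).
OPERATIONS = {
    "ListVolumes": ("volumes", "VOLUME_INSPECT"),
    "GetVolume": ("volumes", "VOLUME_INSPECT"),
    "CreateVolume": ("volumes", "VOLUME_CREATE"),
    "DeleteVolume": ("volumes", "VOLUME_DELETE"),
}

# Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<rtype>\S+)"
    r" in (?:tenancy|compartment (?P<compartment>\S+))(?: where (?P<conditions>.+))?$",
    re.IGNORECASE)

@dataclass
class Statement:
    group: str
    verb: str
    resource_type: str
    compartment: Optional[str]   # None means "in tenancy"
    conditions: Dict[str, str]   # e.g. {"request.region": "phx"}

def parse_statement(text: str) -> Statement:
    """Parse one human-readable statement; raises ValueError on malformed input."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"not a valid policy statement: {text!r}")
    conditions = {}
    if m.group("conditions"):
        # Only "<variable>='<value>'" clauses joined by "and" are understood here.
        for clause in re.split(r"\s+and\s+", m.group("conditions"), flags=re.IGNORECASE):
            var, sep, value = clause.partition("=")
            if not sep:
                raise ValueError(f"unsupported condition: {clause!r}")
            conditions[var.strip().lower()] = value.strip().strip("'")
    return Statement(m.group("group"), m.group("verb").lower(), m.group("rtype").lower(),
                     m.group("compartment"), conditions)

def granted_permissions(verb: str, resource_type: str) -> Set[str]:
    """Cumulative permissions a verb grants on one individual resource type."""
    table = VERB_PERMISSIONS.get(resource_type, {})
    granted = set()
    for v in VERBS[: VERBS.index(verb) + 1]:
        granted |= table.get(v, set())
    return granted

def covers(policy_type: str, resource_type: str) -> bool:
    """Does the statement's resource type name this individual resource type?"""
    return (policy_type == "all-resources" or policy_type == resource_type
            or resource_type in FAMILIES.get(policy_type, set()))

def is_allowed(policies: List[Statement], user_groups: Set[str], operation: str,
               compartment_path: List[str], request_vars: Optional[Dict[str, str]] = None) -> bool:
    """Decide one API call. compartment_path lists the resource's compartment ancestors
    root-first, e.g. ["ABC", "Child"]; a statement written for compartment ABC also
    covers its subcompartments (policy inheritance)."""
    request_vars = request_vars or {}
    resource_type, needed = OPERATIONS[operation]
    for stmt in policies:
        if stmt.group not in user_groups:          # not in the group: no permissions at all
            continue
        if stmt.compartment is not None and stmt.compartment not in compartment_path:
            continue
        if not covers(stmt.resource_type, resource_type):
            continue
        if any(request_vars.get(var) != value for var, value in stmt.conditions.items()):
            continue
        if needed in granted_permissions(stmt.verb, resource_type):
            return True
    return False

if __name__ == "__main__":
    policies = [parse_statement(s) for s in (
        "Allow group InstanceLaunchers to use volume-family in compartment ABC",
        "Allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx'")]
    print(is_allowed(policies, {"InstanceLaunchers"}, "GetVolume", ["ABC"]))        # True
    print(is_allowed(policies, {"InstanceLaunchers"}, "CreateVolume", ["ABC"]))     # False: use < manage
    print(is_allowed(policies, {"Phoenix-Admins"}, "DeleteVolume", ["XYZ"], {"request.region": "iad"}))  # False
```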


Compartments


Compartment

• A compartment is a collection of related resources (VCN, instances, ...) that can be accessed only by groups that have been given permission (by an administrator in your organization).
• Compartments help you organize and control access to your resources.
• Design considerations:
– Each resource belongs to a single compartment, but resources can be connected/shared across compartments. (A VCN and its subnets can live in different compartments.)
– A compartment can be deleted after creation or renamed.
– A compartment can have subcompartments that can be up to six levels deep.
– Most resources can be moved to a different compartment after they are created (some restrictions apply).
– After creating a compartment, you need to write at least one policy for it; otherwise, it cannot be accessed (except by administrators or users who have permission to the tenancy).
– A subcompartment inherits access permissions from compartments higher up its hierarchy.
– When you create a policy, you need to specify which compartment to attach it to.


Reference Model: Compartments

• Compartment: NetworkInfra
– Critical network infrastructure centrally managed by network admins
– Resources: Top-level VCN, Security Lists, Internet Gateways, DRGs
• Compartment: Dev, Test, Prod Networks
– Modeled as a separate compartment to easily write policies about who can use the network
– Resources: Subnets, Databases, Storage (if shared)
• Compartment: Projects
– The resources used by a particular team or project; separated for the purposes of distributed management
– Resources: Compute Instances, Databases, Block Volumes, and so on
– There will be multiple of these, one per team that needs its own DevOps environment.


When You Sign Up for OCI

Tenancy (Root Compartment), with Service Limits
  Default Administrator: xx.yy@companyABC.com
  Groups: Administrators
  Policy: Allow group Administrators to manage all-resources in tenancy

• Oracle sets up a default administrator for the account.
• Default group Administrators:
– Cannot be deleted, and there must always be at least one user in it
– Any other users placed in the Administrators group will have full access to all resources
– The tenancy policy gives the Administrators group access to all resources; this policy can't be deleted or changed
• The Root Compartment can hold all the cloud resources. Best practice is to create dedicated compartments when you need to isolate resources.


Resource Locations

• Global:
– IAM
– Key Vaults, Keys
– DNS
• Availability Domain:
– Subnet
– Compute instances
– Block Volume
– DB Systems
– File System (& Mount Target)
– Ephemeral Public IPs
• Regional:
– Everything else!


Federation

• OCI provides federation with Oracle IDCS, Microsoft Active Directory, and any identity provider that supports the Security Assertion Markup Language (SAML) 2.0 protocol.
• Federation:
– First, a federation trust is set up between the Identity Provider (IdP) and OCI.
– Any person in your company who goes to the OCI Console is prompted with an SSO experience provided by the IdP.
– The user signs in with the login/password that they've already set up with the IdP and used elsewhere.
– The IdP authenticates the user, and then that user can access OCI resources.


Policy Inheritance and Attachment for Compartments


Policy Inheritance

• Concept of inheritance: Compartments inherit any policies from their parent compartment.
– For example, OCI has a built-in policy for Administrators: Allow group Administrators to manage all-resources in tenancy.
– Because of policy inheritance, the Administrators group can also do anything in any of the compartments in the tenancy.
• Three levels of compartments: A, B, and C (Tenancy (root compartment) > A > B > C)
– Policies that apply to resources in Compartment A also apply to resources in Compartments B and C.
– Allow group NetworkAdmins to manage virtual-network-family in compartment A allows the group NetworkAdmins to manage VCNs in Compartments A, B, and C.


Policy Attachment

• Concept of attachment: When you create a policy, you must attach it to a compartment (or the tenancy). Where you attach it controls who can then modify or delete it.
– Attach it to the tenancy (root compartment): anyone with access to manage policies in the tenancy can then change or delete it.
– Attach it to a child compartment: anyone with access to manage policies in that compartment (e.g., compartment admins) can change or delete it.
• You want to create a policy to allow NetworkAdmins to manage VCNs in Compartment C, in the hierarchy Tenancy (root compartment) > A > B > C. Attach to:
– C or B – Allow group NetworkAdmins to manage virtual-network-family in compartment C
– A – Allow group NetworkAdmins to manage virtual-network-family in compartment B:C
  – Only Compartment A admins can modify it
  – NetworkAdmins can still only manage VCNs in Compartment C
– Tenancy – Allow group NetworkAdmins to manage virtual-network-family in compartment A:B:C


Moving Compartments


Moving a Compartment to a Different Parent

• You can move a compartment to a different parent compartment in the same tenancy. When you move a compartment, all its contents (subcompartments and resources) are moved with it.
• Restrictions:
– You can't move a compartment to a destination compartment with the same name as the compartment being moved.
– Two compartments within the same parent cannot have the same name. Therefore, you can't move a compartment to a destination compartment where a compartment with the same name already exists.


Policy Implications When Moving Compartments

Policies that specify the compartment hierarchy down to the compartment being moved will automatically be updated when the policy is attached to a shared ancestor of the current and target parent.

Before the move: Tenancy (root compartment) > Ops > Test, Dev; compartment A is under Test.
  Allow group G1 to manage instance-family in compartment Test:A
After moving A from Test to Dev: Tenancy (root compartment) > Ops > Test, Dev; compartment A is under Dev.
  Allow group G1 to manage instance-family in compartment Dev:A
  Policy automatically updated – G1 does not lose its permissions


Policy Implications When Moving Compartments

Hierarchy: Tenancy (root compartment) > Ops > Test, Dev; compartment A is moved from Test to Dev.

Allow group G1 to manage instance-family in compartment Ops:Test – G1 can no longer manage instances in compartment A
Allow group G2 to manage instance-family in compartment Ops:Dev – G2 can now manage instances in compartment A


Policy Implications When Moving Compartments

A policy attached directly to a compartment involved in the move is not automatically updated.

Hierarchy: Tenancy (root compartment) > Ops > Test, Dev; compartment A is moved from Test to Dev.

Allow group G1 to manage instance-family in compartment A – The policy is not automatically updated and is invalid
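An added example (not from the course material) that models the three compartment-move cases on these slides in Python: a compartment tree, policies attached at a compartment with colon-separated paths, policy inheritance, and what happens to each policy when A is moved from Test to Dev. It assumes the hierarchy tenancy > Ops > Test, Dev with A under Test, that the Ops:... statements are attached to the tenancy, and that the invalid policy of the third case is one attached to the old parent Test that names A by a path which no longer resolves after the move.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(eq=False)      # identity comparison: different compartments may share a name
class Compartment:
    name: str
    parent: Optional["Compartment"] = None
    children: Dict[str, "Compartment"] = field(default_factory=dict)

    def add(self, name: str) -> "Compartment":
        # Two compartments within the same parent cannot have the same name.
        if name in self.children:
            raise ValueError(f"{self.name} already contains a compartment named {name}")
        child = Compartment(name, self)
        self.children[name] = child
        return child

    def ancestors(self) -> List["Compartment"]:
        """Root-first chain of ancestors, ending with the compartment itself."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]

    def path_from(self, attach: "Compartment") -> str:
        """Path as written in a policy attached at `attach`, e.g. Ops:Test:A."""
        if attach is self:
            return self.name
        chain = self.ancestors()
        return ":".join(c.name for c in chain[chain.index(attach) + 1:])

def resolve(attach: Compartment, path: str) -> Optional[Compartment]:
    """Walk a colon-separated path below the attach point; None if it no longer exists."""
    parts = path.split(":")
    if parts[0] == attach.name:
        parts = parts[1:]
    node = attach
    for name in parts:
        node = node.children.get(name)
        if node is None:
            return None
    return node

@dataclass
class Policy:
    statement: str            # "Allow group G1 to manage instance-family in compartment Ops:Test:A"
    attached_to: Compartment
    valid: bool = True

    def target(self) -> Optional[Compartment]:
        return resolve(self.attached_to, self.statement.rsplit(" in compartment ", 1)[1])

    def applies_to(self, compartment: Compartment) -> bool:
        # Policy inheritance: a statement for X also covers every subcompartment of X.
        t = self.target()
        return self.valid and t is not None and t in compartment.ancestors()

def move(compartment: Compartment, new_parent: Compartment, policies: List[Policy]) -> None:
    """Re-parent a compartment and apply the policy rules from the slides (constructed model)."""
    if new_parent.name == compartment.name or compartment.name in new_parent.children:
        raise ValueError(f"cannot move {compartment.name}: name clash in destination")
    old_parent = compartment.parent
    targets_before = [(p, p.target()) for p in policies]
    del old_parent.children[compartment.name]
    compartment.parent = new_parent
    new_parent.children[compartment.name] = compartment
    shared = set(old_parent.ancestors()) & set(new_parent.ancestors())
    for policy, old_target in targets_before:
        if old_target is None:
            continue                                   # was already invalid
        if compartment in old_target.ancestors() and policy.attached_to in shared:
            # Attached to a shared ancestor and naming the moved compartment: rewrite the path.
            prefix = policy.statement.rsplit(" in compartment ", 1)[0]
            policy.statement = f"{prefix} in compartment {old_target.path_from(policy.attached_to)}"
        elif policy.target() is None:
            policy.valid = False                       # the path below the attach point is gone

def build_scenario():
    """Hierarchy from the slides: tenancy > Ops > {Test > A, Dev}, plus four policies."""
    root = Compartment("tenancy")
    ops = root.add("Ops")
    test, dev = ops.add("Test"), ops.add("Dev")
    a = test.add("A")
    policies = [
        Policy("Allow group G1 to manage instance-family in compartment Ops:Test:A", root),
        Policy("Allow group G1 to manage instance-family in compartment Ops:Test", root),
        Policy("Allow group G2 to manage instance-family in compartment Ops:Dev", root),
        Policy("Allow group G1 to manage instance-family in compartment A", test),
    ]
    return a, dev, policies

if __name__ == "__main__":
    a, dev, policies = build_scenario()
    move(a, dev, policies)
    for p in policies:
        print(f"{p.statement!r:72} valid={p.valid} applies_to_A={p.applies_to(a)}")
```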


Tags


Tagging

• If you've ever added PHX-Project42-RCK21-FED to the title of a compute instance to remind yourself of its purpose, then you'll understand the value of tagging.
• OCI Tagging allows you to:
– Customize the organization of your resources
– Control tag spam
– Script bulk actions based on tags
• Free-form Tags – basic implementation
– Comprise a key and value only
– No defined schema or access restriction
• Defined Tags – more features and control
– Are contained in namespaces
– Defined schema, secured with policy


Tag Namespace

• A tag namespace is a container for a set of tag keys with tag key definitions.
• A tag key definition specifies its key (e.g., environment) and what types of values are allowed (string, number, text, date, enumerations, and so on).

Namespace definition: Operations
Tag key definition: Environment
Operations.Environment = "Production"   (Namespace.Key = Value)

• A tag key definition or a tag namespace cannot be deleted, only retired. Retired tag namespaces and key definitions can no longer be applied to resources.
• You can reactivate a tag namespace or tag key definition that has been retired to reinstate its usage in your tenancy.


Working with Defined Tags

• Defined tags consist of a tag namespace, a key, and a value.
• The tag namespace and tag key definition must be set up in your tenancy before users can apply them.
• A tag key can have either a tag value type of string or a list of values (from which the user must choose).
• You can use a variable to set the value of a tag. When you add the tag to a resource, the variable resolves to the data it represents. Example:
– Operations.CostCenter = ${iam.principal.name} at ${oci.datetime}
Operations is the namespace, CostCenter is the tag key, and the tag value contains two tag variables, ${iam.principal.name} and ${oci.datetime}. When you add this tag to a resource, the variables resolve to your username (the name of the principal that applied the tag) and a date/time stamp for when you added the tag.


Defined Tags Work with Policies

• Allow group InstanceLaunchers to manage instance-family in compartment A
• Allow group InstanceLaunchers to use volume-family in compartment A
• Allow group InstanceLaunchers to use virtual-network-family in compartment A
• Allow group InstanceLaunchers to use tag-namespaces in compartment A where target.tag-namespace.name='Operations'

Hierarchy shown: Tenancy (root compartment), Ops, Test, Dev, and compartment A.

Users in the InstanceLaunchers group can now apply the Operations.CostCenter tag to resources in Compartment A.


Audit Service

• The Audit Service automatically records calls to OCI service API endpoints as log events.
• Log information shows the time of the API activity, the source and target of the activity, and the action and response.
• All OCI services support Audit Logs.
• You can perform diagnostics, track resource usage, monitor compliance, and collect security-related events using Audit Logs.
• By default, Audit logs are retained for 90 days. You can configure log retention for up to 365 days.


The Identity and Access Management (IAM) service enables you to control what type of access a group of users has and to which specific resources.

OCI IAM
  Identities (who requests): Users, Groups, Instance Principals
  Permissions (what is requested by the identity): Policies, Compartments, Resources

• The Identity and Access Management (IAM) service enables you to control who can do what in your OCI account
• IAM service principals – Users/Groups, Instance Principals
• Authentication is done through username/password and API Signing Keys
• Authorization is done by defining specific privileges in policies and associating them with principals
• Policies are comprised of one or more human-readable statements which specify what groups can access what resources and what level of access users in that group have
• Compartments, a unique OCI feature, can be used to organize and isolate related cloud resources
• OCI supports both free-form tags and defined tags with a schema and secured by policies
• The OCI Audit Service automatically records calls to OCI service API endpoints as log events


Summary

In this lesson, you should have learned about the following:

• IAM Principals – IAM users and Instance Principals
• Authentication – Username/password, API Signing Keys, Auth Tokens
• Authorization – Policies and associating them with Principals
• Policy syntax and examples of advanced policies
• Compartments, a unique OCI feature, can be used to organize and isolate related cloud resources
• The concepts of policy inheritance and attachment for compartments
• OCI supports both free-form tags and defined tags with a schema and secured by policies
• The OCI Audit Service automatically records calls to OCI service API endpoints as log events


Oracle Cloud Infrastructure
Virtual Cloud Network
Level 100
Rohit Rahi
Lesson 3
Objectives

After completing this lesson, you should be able to describe the following:
• Virtual Cloud Network (VCN) basics
• IP addresses
• Gateways and Routing
– Peering
– Transit Routing
• Security


CIDR


CIDR Basics

CIDR (classless inter-domain routing) notation

• IP addresses are described as consisting of two groups of bits in the address: the most significant bits are the network prefix, which identifies a whole network (or subnet), and the least significant set forms the host identifier, which specifies a particular interface of a host on that network.
• An IP address has two components, the network address and the host address: <network><host>
• A subnet mask separates the IP address into the network and host addresses (<network><host>). Subnetting further divides the host part of an IP address into a subnet and host address (<network><subnet><host>).
• The subnet mask is made by setting network bits to all "1"s and setting host bits to all "0"s. Within a given network, two host addresses cannot be assigned to hosts: the all-zeros host address (".0" in a /24) is the network address and the all-ones host address (".255" in a /24) is the broadcast address.
• The notation is constructed from an IP address, a '/' character, and a decimal number: xxx.xxx.xxx.xxx/n, where n is the number of bits used for the subnet mask, e.g., 192.168.1.0/24.
• Examples of commonly used netmasks for classed networks are 8 bits (Class A), 16 bits (Class B), and 24 bits (Class C).


CIDR Basics

192.168.1.0/24 equates to the IP range 192.168.1.0 – 192.168.1.255

• Bit weights within an octet: 128 64 32 16 8 4 2 1 -> 2^7 2^6 2^5 2^4 2^3 2^2 2^1 2^0
• 192 is represented as 1 1 0 0 0 0 0 0

192.168.1.0       11000000 10101000 00000001 00000000
/24 subnet mask   11111111 11111111 11111111 00000000
Logical AND       11000000 10101000 00000001 00000000

192.168.1.0/27 equates to the IP range 192.168.1.0 – 192.168.1.31

• The same network divided into 8 subnets with 32 hosts each, due to the /27 mask (255.255.255.224)

192.168.1.0       11000000 10101000 00000001 00000000
/27 subnet mask   11111111 11111111 11111111 11100000
Logical AND       11000000 10101000 00000001 00000000

• Subnets – 2 x 2 x 2 = 8. Hosts – 2 x 2 x 2 x 2 x 2 = 32
• Subnetworks – 192.168.1.0/27, 192.168.1.32/27, 192.168.1.64/27…


Virtual Cloud Network


Virtual Cloud Network (VCN)

• A VCN is a private network that you set up in the Oracle data centers, with firewall rules and specific types of communication gateways that you can choose to use.
• It covers a single, contiguous IPv4 CIDR block of your choice.
• It resides within a single region.


IP Address Range for Your VCN

Avoid IP ranges that overlap with on-premises or other cloud networks.

Example: 10.0.0.0/16 – recommended RFC 1918 range, recommended /16 size (65,536 IP addresses)

• Use private IP address ranges specified in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
• The allowable OCI VCN size range is from /16 through /30.
• The VCN reserves the first two IP addresses and the last one in each subnet's CIDR.


Subnet

• Each VCN is subdivided into subnets.
• Each subnet can be AD-specific or regional (recommended).
– An AD-specific subnet is contained within a single AD in a multi-AD region.
– A regional subnet spans all three ADs in a multi-AD region.
• Each subnet has a contiguous range of IPs, described in CIDR notation. Subnet IP ranges cannot overlap.

Diagram: VCN 10.0.0.0/16 in an Oracle Cloud data center region with three availability domains.
  AVAILABILITY DOMAIN-1: SUBNET A, 10.0.1.0/24
  AVAILABILITY DOMAIN-2: SUBNET B, 10.0.2.0/24
  AVAILABILITY DOMAIN-3: SUBNET C, 10.0.3.0/24
  Regional SUBNET D, 10.0.4.0/24, spanning all three availability domains
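An added example, not from the course material, that works the CIDR arithmetic from the CIDR Basics slides and the VCN checks from the IP Address Range and Subnet slides with Python's standard ipaddress module: binary expansion, mask construction, the logical AND, splitting a /24 into /27s, the RFC 1918 and /16 to /30 checks for a VCN CIDR, the three addresses OCI reserves in each subnet, and the rule that subnet ranges cannot overlap. The sample CIDRs are the ones on the slides.

```python
import ipaddress

# RFC 1918 private ranges recommended for a VCN (IP Address Range slide).
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def to_binary(ip: str) -> str:
    """Dotted binary form of an IPv4 address, as drawn on the CIDR Basics slide."""
    return ".".join(format(int(octet), "08b") for octet in ip.split("."))

def subnet_mask(prefix: int) -> str:
    """Mask with `prefix` leading 1 bits and the remaining host bits set to 0."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))

def network_address(ip: str, prefix: int) -> str:
    """Logical AND of the address with the subnet mask gives the network address."""
    addr = int(ipaddress.IPv4Address(ip))
    mask = int(ipaddress.IPv4Address(subnet_mask(prefix)))
    return str(ipaddress.IPv4Address(addr & mask))

def split_subnets(cidr: str, new_prefix: int) -> list:
    """Divide a block into equal subnets, e.g. a /24 into eight /27s of 32 addresses."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]

def vcn_cidr_problems(cidr: str) -> list:
    """Checks from the 'IP Address Range for Your VCN' slide; an empty list means acceptable."""
    net = ipaddress.ip_network(cidr, strict=False)
    problems = []
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append("not an RFC 1918 private range")
    if not 16 <= net.prefixlen <= 30:
        problems.append(f"/{net.prefixlen} is outside the allowed /16 to /30 range")
    return problems

def oci_reserved_addresses(subnet_cidr: str) -> tuple:
    """OCI reserves the first two and the last address of every subnet CIDR.
    Returns (reserved addresses, number of addresses left for instances)."""
    net = ipaddress.ip_network(subnet_cidr)
    addresses = list(net)     # every address in the block, network and broadcast included
    reserved = [str(addresses[0]), str(addresses[1]), str(addresses[-1])]
    return reserved, net.num_addresses - len(reserved)

def overlapping_subnets(cidrs: list) -> list:
    """Pairs of subnet CIDRs that overlap; subnet IP ranges within a VCN cannot overlap."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

if __name__ == "__main__":
    print(to_binary("192.168.1.0"), "/27 mask", to_binary(subnet_mask(27)))
    print(network_address("192.168.1.77", 27))            # 192.168.1.64
    print(split_subnets("192.168.1.0/24", 27))
    print(vcn_cidr_problems("10.0.0.0/16"), vcn_cidr_problems("10.0.0.0/8"))
    print(oci_reserved_addresses("10.0.1.0/24"))          # 3 reserved, 253 usable
    print(overlapping_subnets(["10.0.1.0/24", "10.0.2.0/24", "10.0.1.128/25"]))
```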


Subnet

• Instances are placed in subnets and draw their internal IP address and network configuration from their subnet.
• Subnets can be designated as either:
  – Private (instances have private IP addresses assigned to their VNICs)
  – Public (instances have both private and public IP addresses assigned to their VNICs)
• A VNIC is the component that enables a compute instance to connect to a VCN. The VNIC determines how the instance connects with endpoints inside and outside the VCN.

Diagram: same layout as the previous slide (VCN 10.0.0.0/16; Subnets A, B and C at 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 in Availability Domains 1, 2 and 3; regional Subnet D at 10.0.4.0/24).

Oracle Cloud Infrastructure Administration Essentials 3 - 10
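The CIDR rules from the slides above (RFC 1918 ranges, /16 through /30, the three reserved addresses per subnet, no overlapping subnets) can be checked before anything is created. The following Python is an added example, not part of the course material; the on-premises and peer CIDRs it uses are constructed samples, and the subnet sizes are the ones in the diagram.

```python
"""Added example, not from the Oracle course: check a proposed VCN CIDR against
the rules on the slides (RFC 1918, /16 through /30, no overlap with networks you
already use) and lay out non-overlapping subnets, counting the addresses left
after OCI reserves the first two and the last one in each subnet CIDR.
Standard library only; the on-premises/peer CIDRs below are constructed samples."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vcn_cidr(cidr, existing=()):
    """Return a list of problems with a proposed VCN CIDR (empty list means OK).

    existing: CIDRs of on-premises or other cloud networks the VCN must not
    overlap with (it may later be peered or VPN-connected to them)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:  # host bits set, bad prefix, or not an address
        return [f"{cidr}: not a valid CIDR block ({exc})"]
    if net.version != 4:
        return [f"{cidr}: a VCN CIDR must be IPv4"]
    problems = []
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{cidr}: not inside an RFC 1918 private range")
    if not 16 <= net.prefixlen <= 30:
        problems.append(f"{cidr}: OCI allows VCN sizes from /16 through /30")
    for other in existing:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{cidr}: overlaps {other}")
    return problems


def usable_hosts(subnet_cidr):
    """Addresses an instance can actually receive in a subnet: OCI reserves the
    first two addresses and the last one of every subnet CIDR."""
    return max(ipaddress.ip_network(subnet_cidr).num_addresses - 3, 0)


def plan_subnets(vcn_cidr, subnet_cidrs):
    """Check that each subnet lies inside the VCN and that no two overlap.
    Returns {subnet_cidr: usable host count}; raises ValueError on a violation."""
    vcn = ipaddress.ip_network(vcn_cidr)
    accepted = []
    plan = {}
    for cidr in subnet_cidrs:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vcn):
            raise ValueError(f"{cidr} is not inside VCN {vcn_cidr}")
        clash = next((p for p in accepted if net.overlaps(p)), None)
        if clash is not None:
            raise ValueError(f"{cidr} overlaps {clash}")
        accepted.append(net)
        plan[cidr] = usable_hosts(cidr)
    return plan


if __name__ == "__main__":
    # Constructed sample: an on-premises network and a peer VCN that already exist.
    in_use = ["172.16.0.0/12", "192.168.0.0/16"]
    for candidate in ("10.0.0.0/16", "10.0.0.0/8", "192.168.0.0/24", "10.0.1.0/16"):
        print(candidate, check_vcn_cidr(candidate, in_use) or "OK")
    # The subnet layout from the slides: A, B, C (AD-specific) and D (regional).
    print(plan_subnets("10.0.0.0/16",
                       ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]))
```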


IP Addresses

Oracle Cloud Infrastructure Administration Essentials 3 - 11


Private IP Addresses

• Each instance in a subnet has at least one primary private IP address.
• An instance can have two or more VNICs (the additional VNICs are called secondary VNICs).
• Each VNIC has one primary private IP and can have additional private IPs, called secondary private IPs.
• A private IP can have an optional public IP assigned to it.

Diagram: an instance in Subnet A (10.0.1.0/24) of VCN 10.0.0.0/16 with a primary VNIC and a secondary VNIC; each VNIC has a primary private IP address and secondary private IPs #1, #2 … #31.

Oracle Cloud Infrastructure Administration Essentials 3 - 12


Multiple VNICs on Virtual Machines

• Every VM has one primary VNIC created at launch, and a corresponding Ethernet device on the instance with the IP address configuration of the primary VNIC.
• When a secondary VNIC is added, a new Ethernet device is added and is recognized by the instance OS.
  – VM1: single-VNIC instance
  – VM2: connected to two VNICs from two subnets within the same VCN; used for virtual appliance scenarios
  – VM3: connected to two VNICs from two subnets in separate VCNs; used to connect instances to a separate management network for isolated access

Diagram: Oracle Cloud Infrastructure region with Availability Domains AD1/AD2/AD3. One VCN contains Subnet A (10.0.0.0/24) and Subnet B (10.0.1.0/24) holding VNIC1 through VNIC4; a separate VCN contains Subnet X (172.16.0.0/24) holding VNIC5. VM1 uses VNIC1 (primary); VM2 uses VNIC2 (primary) and VNIC3; VM3 uses VNIC4 (primary) and VNIC5.

Oracle Cloud Infrastructure Administration Essentials 3 - 13


Public IP

• A public IP address is an IPv4 address that is reachable from the Internet; it is assigned to a private IP object on the resource (instance, load balancer).
• It is possible to assign a given resource multiple public IPs across one or more VNICs.

Diagram: an instance in Subnet A (10.0.1.0/24) of VCN 10.0.0.0/16. Primary VNIC: primary private IP address with a public IP address, secondary private IP #1 with a public IP address. Secondary VNIC: primary private IP address, secondary private IPs #1, #2 … #31.

Oracle Cloud Infrastructure Administration Essentials 3 - 14


Public IP Addresses

• Public IP types: ephemeral and reserved
  – Ephemeral: temporary, existing for the lifetime of the instance
  – Reserved: persistent, existing beyond the lifetime of the instance it's assigned to (can be unassigned and then reassigned to another instance)
  – An ephemeral IP can be assigned to the primary private IP only (hence only 1 per VNIC, versus a maximum of 32 for reserved IPs)
• No charge for using public IPs, including when reserved public IP addresses are unassociated.
• Public IP assigned to:
  – Instance (not recommended in most cases)
  – Oracle provided; cannot choose/edit, but can view: OCI Public Load Balancer, NAT Gateway, DRG (IPSec tunnels), OKE master/worker
  – Oracle provided; cannot choose/edit/view: Internet Gateway, Autonomous Database

Oracle Cloud Infrastructure Administration Essentials 3 - 15


Gateways and Routing

Oracle Cloud Infrastructure Administration Essentials 3 - 16


Internet Gateway

• An Internet gateway provides a path for network traffic between your VCN and the Internet.
• You can have only one Internet gateway per VCN.
• After creating an Internet gateway, you must add a route for the gateway in the VCN's route table to enable traffic flow.

Diagram: Oracle Cloud data center region, Availability Domain AD1; VCN 10.0.0.0/16 with regional public Subnet A (10.0.1.0/24) containing an instance with a public IP; the Internet gateway connects the VCN to the Internet.

Oracle Cloud Infrastructure Administration Essentials 3 - 17


Route Table

• A route table is used to send traffic out of the VCN.
• It consists of a set of route rules; each rule specifies:
  – Destination CIDR block
  – Route target (the next hop) for the traffic that matches that CIDR

Diagram: VCN 10.0.0.0/16 with regional public Subnet A (10.0.1.0/24) in Availability Domain AD1, connected to the Internet through an Internet gateway. All traffic destined for the Internet gateway follows this route table:

  Route Table
  Destination CIDR   Route Target
  0.0.0.0/0          Internet Gateway

Oracle Cloud Infrastructure Administration Essentials 3 - 18


Route Table

• Each subnet uses a single route table, specified at the time of subnet creation but editable later.
• The route table is used only if the destination IP address is not within the VCN's CIDR block.
• No route rules are required in order to enable traffic within the VCN itself.
• When you add an Internet gateway, NAT gateway, service gateway, dynamic routing gateway, or a peering connection, you must update the route table for any subnet that uses these gateways or connections.

Diagram: same as the previous slide (VCN 10.0.0.0/16, regional public Subnet A 10.0.1.0/24, route rule 0.0.0.0/0 → Internet Gateway).

Oracle Cloud Infrastructure Administration Essentials 3 - 19


NAT Gateway

• A NAT gateway gives an entire private network access to the Internet without assigning each host a public IP address.
• Hosts can initiate outbound connections to the Internet and receive responses, but cannot receive inbound connections initiated from the Internet. (Use case: updates, patches)
• You can have more than one NAT gateway on a VCN, although a given subnet can route traffic to only a single NAT gateway.

Diagram: VCN 10.0.0.0/16 with regional private Subnet A (10.0.1.0/24) in Availability Domain AD1 containing an instance with a private IP; the NAT gateway connects the VCN to the Internet.

  Route Table
  Destination CIDR   Route Target
  0.0.0.0/0          NAT Gateway

Oracle Cloud Infrastructure Administration Essentials 3 - 20


Service Gateway

• A service gateway lets resources in the VCN access public OCI services such as Object Storage, but without using an Internet or NAT gateway.
• Any traffic from the VCN that is destined for one of the supported OCI public services uses the instance's private IP address for routing, travels over the OCI network fabric, and never traverses the Internet. (Use case: back up DB Systems in the VCN to Object Storage)
• Service CIDR labels represent all the public CIDRs for a given Oracle service or a group of Oracle services. Example:
  – OCI <region> Object Storage
  – All <region> Services

Diagram: VCN 10.0.0.0/16 with regional private Subnet A (10.0.1.0/24) in Availability Domain AD1; a service gateway connects the VCN to Object Storage. Route table shown: 0.0.0.0/0 → NAT Gateway.

Oracle Cloud Infrastructure Administration Essentials 3 - 21


Dynamic Routing Gateway

• A virtual router that provides a path for private traffic between your VCN and destinations other than the Internet.
• You can use it to establish a connection with your on-premises network via IPsec VPN or FastConnect (private, dedicated connectivity).
• After attaching a DRG, you must add a route for the DRG in the VCN's route table to enable traffic flow.
• A DRG is a standalone object. You must attach it to a VCN. VCN and DRG have a 1:1 relationship.

Diagram: VCN 10.0.0.0/16 with regional private Subnet A (10.0.1.0/24) in Availability Domain AD1; the DRG connects the VCN to the Customer Premises Equipment (CPE) in the customer data center. Route table shown: 0.0.0.0/0 → DRG.

Oracle Cloud Infrastructure Administration Essentials 3 - 22


Peering

Oracle Cloud Infrastructure Administration Essentials 3 - 23


Local Peering (Within Regions)

• VCN peering is the process of connecting multiple VCNs.
• Local VCN peering is the process of connecting two VCNs in the same region so that their resources can communicate using private IP addresses.
• A local peering gateway (LPG) is a component on a VCN for routing traffic to a locally peered VCN.
• The two VCNs in the peering relationship shouldn't have overlapping CIDRs.

Diagram: within one Oracle Cloud data center region, VCN-1 (10.0.0.0/16, LPG-1) is peered with VCN-2 (192.168.0.0/16, LPG-2).

  VCN-1 route table                VCN-2 route table
  Destination CIDR  Route Target   Destination CIDR  Route Target
  192.168.0.0/16    LPG-1          10.0.0.0/16       LPG-2

Oracle Cloud Infrastructure Administration Essentials 3 - 24


Remote Peering (Across Regions)

• Remote VCN peering is the process of connecting two VCNs in different regions so that their resources can communicate using private IP addresses.
• It requires a remote peering connection (RPC) to be created on the DRGs. The RPC's job is to act as a connection point for a remotely peered VCN.
• The two VCNs in the peering relationship must not have overlapping CIDRs.

Diagram (labels as printed on the slide): VCN-1 (10.0.0.0/16, LPG-1) and VCN-2 (192.168.0.0/16, LPG-2) in different Oracle Cloud data center regions, connected over the Oracle backbone.

  VCN-1 route table                VCN-2 route table
  Destination CIDR  Route Target   Destination CIDR  Route Target
  192.168.0.0/16    LPG-1          10.0.0.0/16       LPG-2

Oracle Cloud Infrastructure Administration Essentials 3 - 25


Summary of OCI Network Connectivity Options

  Scenario                                                                        Solution
  Let instances connect to the Internet, and receive connections from it          Internet Gateway
  Let instances reach the Internet without receiving connections from it          NAT Gateway
  Let VCN hosts privately connect to Object Storage, bypassing the Internet       Service Gateway
  Make OCI an extension of an on-premises network, with easy connectivity in      IPsec VPN, FastConnect
  both directions
  Privately connect two VCNs in a region                                          Local Peering Gateway
  Privately connect two VCNs in different regions                                 Remote Peering Connection (DRG)

Oracle Cloud Infrastructure Administration Essentials 3 - 26


Transit and Routing

Oracle Cloud Infrastructure Administration Essentials 3 - 27


Transit Routing: Hub and Spoke

• Transit routing refers to a setup in which an on-premises network uses a connected VCN to reach Oracle resources or services beyond that VCN. Two scenarios:
  – Access to multiple VCNs in the same region
  – Private access to Oracle services
• One of the VCNs acts as the hub and connects to the on-premises network. The other VCNs are locally peered with the hub VCN. The traffic between the on-premises network and the peered VCNs transits through the hub VCN.
• The VCNs must be in the same region but can be in different tenancies.

Diagram: the on-premises network connects to the Hub VCN; Spoke VCN-1, Spoke VCN-2 and Spoke VCN-3 are each connected to the hub by local peering.

Oracle Cloud Infrastructure Administration Essentials 3 - 28


Transit Routing: Hub and Spoke

• A route table that is associated with a DRG can have only rules that target an LPG or a private IP.
• A route table that is associated with an LPG can have only rules that target a DRG or a private IP.
• A DRG or LPG can exist without a route table associated with it.

Diagram: the on-premises network (172.16.0.0/12) connects through a DRG to the Hub VCN (10.0.0.0/16), which is locally peered through LPG-1 with Spoke VCN-1 (192.168.0.0/16, LPG-2). Route tables shown on the slide:

  Destination CIDR  Route Target        Destination CIDR  Route Target
  192.168.0.0/16    LPG-1               172.16.0.0/12     DRG

  Destination CIDR  Route Target        Destination CIDR  Route Target
  192.168.0.0/16    LPG-1               10.0.0.0/16       LPG-2
  172.16.0.0/12     DRG                 172.16.0.0/12     LPG-2

Oracle Cloud Infrastructure Administration Essentials 3 - 29
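To make the route-table behaviour from the Route Table slides and the DRG/LPG target restrictions above concrete, here is an added Python model that is not part of the course material. It assumes that the most specific matching destination CIDR wins when rules overlap, and it reads the four route tables on the slide as the hub's DRG-attached, LPG-attached and subnet tables plus the spoke's subnet table, which the slide does not label explicitly.

```python
"""Added example, not from the Oracle course: a small model of OCI route tables.
It applies the behaviour described on the slides, traffic to the VCN's own CIDR is
delivered locally with no route rule at all and everything else is matched against
the route rules, and it checks the target restrictions for route tables attached
to a DRG or an LPG in the hub-and-spoke transit design. When several rules match,
the most specific destination CIDR wins (an assumption stated here, not on the
slides). The hub, spoke and on-premises CIDRs are the ones on the slides."""
import ipaddress

# Route targets a route table may contain, by what the table is attached to.
# Subnet tables may point at any gateway or connection named on the slides;
# DRG- and LPG-attached tables are restricted as stated on the transit slide.
ALLOWED_TARGETS = {
    "subnet": {"internet_gateway", "nat_gateway", "service_gateway",
               "drg", "lpg", "private_ip"},
    "drg": {"lpg", "private_ip"},
    "lpg": {"drg", "private_ip"},
}


class RouteTable:
    def __init__(self, name, attached_to, rules):
        """rules: iterable of (destination_cidr, target_kind, target_name)."""
        self.name = name
        self.attached_to = attached_to
        self.rules = [(ipaddress.ip_network(dest), kind, target)
                      for dest, kind, target in rules]

    def invalid_rules(self):
        """Rules whose target kind is not permitted for this attachment type."""
        allowed = ALLOWED_TARGETS[self.attached_to]
        return [(str(dest), kind, target)
                for dest, kind, target in self.rules if kind not in allowed]

    def lookup(self, dst_ip, vcn_cidr):
        """Next hop for a packet leaving a VNIC in the VCN.

        Returns ("local", None) for destinations inside the VCN (no rule needed),
        (kind, target) for the most specific matching rule, or None when nothing
        matches, in which case the packet is dropped."""
        dst = ipaddress.ip_address(dst_ip)
        if dst in ipaddress.ip_network(vcn_cidr):
            return ("local", None)
        best = None
        for dest, kind, target in self.rules:
            if dst in dest and (best is None or dest.prefixlen > best[0].prefixlen):
                best = (dest, kind, target)
        return None if best is None else (best[1], best[2])


HUB_VCN,  SPOKE_VCN, ONPREM = "10.0.0.0/16", "192.168.0.0/16", "172.16.0.0/12"

# The four tables from the hub-and-spoke slide (which attachment each belongs to
# is the natural reading of the slide, not something it labels explicitly).
hub_drg_rt = RouteTable("hub DRG table", "drg", [(SPOKE_VCN, "lpg", "LPG-1")])
hub_lpg_rt = RouteTable("hub LPG-1 table", "lpg", [(ONPREM, "drg", "DRG")])
hub_subnet_rt = RouteTable("hub subnet table", "subnet",
                           [(SPOKE_VCN, "lpg", "LPG-1"), (ONPREM, "drg", "DRG")])
spoke_subnet_rt = RouteTable("spoke subnet table", "subnet",
                             [(HUB_VCN, "lpg", "LPG-2"), (ONPREM, "lpg", "LPG-2")])

# The backend table from the VCN review slide, with a more specific DRG rule
# beside the default route: 0.0.0.0/0 to the NAT gateway, on-premises to the DRG.
backend_rt = RouteTable("RT - Backend", "subnet",
                        [("0.0.0.0/0", "nat_gateway", "NAT"), (ONPREM, "drg", "DRG")])


def transit_path(dst_ip):
    """Hops taken by a packet from an on-premises host once it reaches the hub DRG."""
    hop = hub_drg_rt.lookup(dst_ip, HUB_VCN)
    if hop == ("local", None):
        return ["DRG", "hub VCN"]
    if hop is None:
        return ["DRG", "dropped"]
    return ["DRG", hop[1], "spoke VCN"]


if __name__ == "__main__":
    print(hub_subnet_rt.lookup("10.0.5.7", HUB_VCN))      # ('local', None)
    print(hub_subnet_rt.lookup("192.168.4.4", HUB_VCN))   # ('lpg', 'LPG-1')
    print(hub_subnet_rt.lookup("8.8.8.8", HUB_VCN))       # None: no Internet route
    print(backend_rt.lookup("172.16.3.3", HUB_VCN))       # ('drg', 'DRG') beats 0.0.0.0/0
    print(transit_path("192.168.4.4"))                    # ['DRG', 'LPG-1', 'spoke VCN']
    bad = RouteTable("misconfigured", "drg", [("0.0.0.0/0", "internet_gateway", "IGW")])
    print(bad.invalid_rules())                            # the IGW rule is not allowed on a DRG
```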


Transit Routing: Private Access to Oracle Services

• The on-premises network has private access to Oracle services in the Oracle Services Network. The hosts in the on-premises network communicate using their private IP addresses.
• The on-premises network can reach the Oracle services only through a single VCN's service gateway (the one dedicated for this purpose, SG-1) and not through the service gateways of the other VCNs (SG-2, SG-3).
• For those other VCNs, only the resources inside those VCNs can reach Oracle services through their VCN's service gateway.

Diagram: the on-premises network connects to the Hub VCN, whose Service Gateway-1 reaches Object Storage in the Oracle Services Network; Spoke VCN-1 (Service Gateway-2) and Spoke VCN-3 (Service Gateway-3) are locally peered with the hub.

Oracle Cloud Infrastructure Administration Essentials 3 - 30


Security

Oracle Cloud Infrastructure Administration Essentials 3 - 31


Security List (SL)

A common set of firewall rules associated with a subnet and applied to all instances launched inside the subnet.

• A security list consists of rules that specify the types of traffic allowed in and out of the subnet.
• To use a given security list with a particular subnet, you associate the security list with the subnet either during subnet creation or later.
• Security lists apply to a given instance whether it's talking with another instance in the VCN or a host outside the VCN.
• You can choose whether a given rule is stateful or stateless.

Example security list rules:

  Type      Direction  CIDR         Protocol  Source Port  Dest Port
  Stateful  Ingress    0.0.0.0/0    TCP       All          80
  Stateful  Egress     10.0.2.0/24  TCP       All          1521

Diagram: VCN 10.0.0.0/16 with Subnets A (10.0.1.0/24), B (10.0.2.0/24) and C, each with its own security list.

Oracle Cloud Infrastructure Administration Essentials 3 - 32


Network Security Group (NSG)

A network security group (NSG) provides a virtual firewall for a set of cloud resources that all have the same security posture.

• An NSG consists of a set of rules that apply only to a set of VNICs of your choice in a single VCN.
• Currently, compute instances, load balancers, and DB instances support NSGs.
• When writing rules for an NSG, you can specify an NSG as the source or destination. Contrast this with SL rules, where you specify a CIDR as the source or destination.
• Oracle recommends using NSGs instead of SLs because NSGs let you separate the VCN's subnet architecture from your application security requirements.

Example NSG rules:

  NSG    Type      Direction  CIDR       Protocol  Source Port  Dest Port
  NSG-A  Stateful  Ingress    0.0.0.0/0  TCP       All          80
  NSG-B  Stateful  Ingress    0.0.0.0/0  TCP       All          22

Diagram: VCN 10.0.0.0/16 with Subnet A and Subnet B; instances in both subnets are members of NSG-A or NSG-B, independent of the subnet they are in.

Oracle Cloud Infrastructure Administration Essentials 3 - 33


SL + NSG

• You can use security lists alone, network security groups alone, or both together.
• If you have security rules that you want to enforce for all VNICs in a VCN, the easiest solution is to put the rules in one security list, and then associate that security list with all subnets in the VCN.
• If you choose to use both SLs and NSGs, the set of rules that applies to a given VNIC is the union of these items:
  – The security rules in the SLs associated with the VNIC's subnet
  – The security rules in all NSGs that the VNIC is in
  – A packet in question is allowed if any rule in any of the relevant lists and groups allows the traffic.

Diagram: Subnet A (10.0.1.0/24) with Security List 1 and Security List 2 associated, and VNICs belonging to NSG-A and NSG-B.

Oracle Cloud Infrastructure Administration Essentials 3 - 34


Stateful Security Rules

• Connection tracking: when an instance receives traffic matching a stateful ingress rule, the response is tracked and automatically allowed regardless of any egress rules; similarly for traffic sent from the host.
• Default security list rules are stateful.

Diagram: a group of hosts behind a stateful ingress rule; hosts in this group are reachable from the Internet on port 80.

Oracle Cloud Infrastructure Administration Essentials 3 - 35


Stateless Security Rules

• With stateless rules, response traffic is not automatically allowed.
• To allow the response traffic for a stateless ingress rule, you must create a corresponding stateless egress rule.
• If you add a stateless rule to a security list, that indicates that you do NOT want to use connection tracking for any traffic that matches that rule.
• Stateless rules are better for scenarios with large numbers of connections (load balancing, big data).

Oracle Cloud Infrastructure Administration Essentials 3 - 36


Default VCN, Internal DNS

Oracle Cloud Infrastructure Administration Essentials 3 - 37


Default VCN Components

• Your VCN automatically comes with some default components:
  – Default route table
  – Default security list
  – Default set of DHCP options
• You can't delete these default components; however, you can change their contents (for example, individual route rules). And you can create more of each kind of component in your cloud network (for example, additional route tables).

Diagram: VCN 10.0.0.0/16 in an Oracle Cloud data center region; Subnet A (10.0.1.0/24, private subnet) in Availability Domain 1 uses the default route table and default security list; Subnet B (10.0.2.0/24, public subnet) in Availability Domain 2 uses a custom route table and custom security list.

Oracle Cloud Infrastructure Administration Essentials 3 - 38


Internal DNS

• The VCN private Domain Name System (DNS) enables instances to use host names instead of IP addresses to talk to each other.
• Options:
  – Internet and VCN Resolver: default choice for new VCNs
  – Custom Resolver: lets instances resolve the host names of hosts in your on-premises network through IPsec VPN/FastConnect
• Optionally, specify a DNS label when creating VCNs, subnets and instances.
  – VCN: <VCN DNS label>.oraclevcn.com
  – Subnet: <subnet DNS label>.<VCN DNS label>.oraclevcn.com
  – Instance FQDN: <hostname>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com
• The instance FQDN resolves to the instance's private IP address.
• No automatic creation of an FQDN for public IP addresses (for example, cannot SSH using <hostname>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com).

Oracle Cloud Infrastructure Administration Essentials 3 - 39


Putting It All Together

Oracle Cloud Infrastructure Administration Essentials 3 - 40


VCN Review

• Subnets can have one route table and multiple (5*) security lists associated with them.
• The route table defines what can be routed out of the VCN.
• Private subnets are recommended to have individual route tables to control the flow of traffic outside of the VCN.
• All hosts within a VCN can route to all other hosts in the VCN (no local route rule required).
• Security lists manage connectivity north-south (incoming/outgoing VCN traffic) and east-west (internal VCN traffic between multiple subnets).
• OCI follows a white-list model (you must manually specify white-listed traffic flows). By default, things are locked down.
• Instances cannot communicate with other instances in the same subnet until you permit them to!
• Oracle recommends using NSGs instead of SLs because NSGs let you separate the VCN's subnet architecture from your application security requirements.

Oracle Cloud Infrastructure Administration Essentials 3 - 41


VCN Review

Diagram: OCI region, Availability Domain 1, VCN 10.0.0.0/16 with a Frontend subnet (10.0.1.0/24, instances in NSG-A, route table "RT - Frontend") and a Backend subnet (10.0.2.0/24, instances in NSG-B, route table "RT - Backend"); an Internet gateway connects the VCN to the Internet.

  RT - Frontend
  Destination CIDR  Route Target
  0.0.0.0/0         Internet Gateway

  RT - Backend
  Destination CIDR  Route Target
  0.0.0.0/0         NAT / Service gateway / DRG

  NSG-A
  Type      Direction  Source/Dest CIDR or NSG  Protocol  Source Port  Dest Port
  Stateful  Ingress    0.0.0.0/0                TCP       All          80
  Stateful  Egress     NSG-B                    TCP       All          1521

  NSG-B
  Type      Direction  Source/Dest CIDR or NSG  Protocol  Source Port  Dest Port
  Stateful  Ingress    NSG-A                    TCP       All          1521
  Stateful  Egress     All                      All

Oracle Cloud Infrastructure Administration Essentials 3 - 42
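The rule evaluation described on the SL, NSG, SL + NSG, stateful and stateless slides, applied to the frontend/backend design in this review, as an added Python example that is not part of the course material. The client and instance addresses and the ephemeral ports are constructed; the NSG rules are the ones in the tables above.

```python
"""Added example, not from the Oracle course: how OCI evaluates security rules for
one VNIC. The effective rule set is the union of the subnet's security lists and
the NSGs the VNIC is in; a packet is allowed if any rule matches; a stateful match
records the connection so the reply passes without its own rule, a stateless match
records nothing. Rules follow the VCN review slide; addresses and ports are samples."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    stateful: bool
    direction: str           # "ingress" or "egress"
    peer: str                # CIDR (as in an SL) or NSG name (NSG-to-NSG rule)
    protocol: str            # "tcp", "udp", "icmp" or "all"
    dst_port: Optional[int]  # None means all ports


@dataclass(frozen=True)
class Packet:
    direction: str           # seen from the VNIC being evaluated
    peer_ip: str             # the other end of the connection
    protocol: str
    dst_port: int
    src_port: int
    peer_nsgs: FrozenSet[str] = frozenset()  # NSGs the peer VNIC is in, if any


def _peer_matches(rule, pkt):
    if rule.peer in pkt.peer_nsgs:  # rule names an NSG as source/destination
        return True
    try:
        return ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.peer)
    except ValueError:              # rule.peer is an NSG the peer is not in
        return False


def _matches(rule, pkt):
    return (rule.direction == pkt.direction and _peer_matches(rule, pkt)
            and rule.protocol in ("all", pkt.protocol)
            and rule.dst_port in (None, pkt.dst_port))


def _flow_key(pkt):
    # (peer, protocol, local port, remote port): identical for a request and its reply
    if pkt.direction == "ingress":
        return (pkt.peer_ip, pkt.protocol, pkt.dst_port, pkt.src_port)
    return (pkt.peer_ip, pkt.protocol, pkt.src_port, pkt.dst_port)


class Vnic:
    def __init__(self, name, security_lists, nsgs):
        """security_lists / nsgs: iterables of rule lists; their union applies."""
        self.name = name
        self.rules = [r for group in (*security_lists, *nsgs) for r in group]
        self.tracked = set()  # connection-tracking table filled by stateful matches

    def allow(self, pkt):
        key = _flow_key(pkt)
        if key in self.tracked:  # reply to a tracked connection: no rule needed
            return True
        for rule in self.rules:
            if _matches(rule, pkt):
                if rule.stateful:
                    self.tracked.add(key)
                return True
        return False             # whitelist model: nothing matched, so drop


# NSG rules from the VCN review slide.
NSG_A = [Rule(True, "ingress", "0.0.0.0/0", "tcp", 80),
         Rule(True, "egress", "NSG-B", "tcp", 1521)]
NSG_B = [Rule(True, "ingress", "NSG-A", "tcp", 1521),
         Rule(True, "egress", "0.0.0.0/0", "all", None)]


def review_scenario():
    """Walk the frontend/backend design through a few packets; returns {case: allowed}."""
    web, db = Vnic("frontend", [], [NSG_A]), Vnic("backend", [], [NSG_B])
    client = "203.0.113.5"                    # constructed Internet client
    web_ip, db_ip = "10.0.1.10", "10.0.2.10"  # constructed instance addresses
    a, b = frozenset({"NSG-A"}), frozenset({"NSG-B"})
    return {
        "client_to_web_80": web.allow(Packet("ingress", client, "tcp", 80, 51000)),
        "web_reply_to_client": web.allow(Packet("egress", client, "tcp", 51000, 80)),
        "client_to_web_22": web.allow(Packet("ingress", client, "tcp", 22, 51001)),
        "web_to_db_1521_out": web.allow(Packet("egress", db_ip, "tcp", 1521, 40000, b)),
        "web_to_db_1521_in": db.allow(Packet("ingress", web_ip, "tcp", 1521, 40000, a)),
        "client_to_db_1521": db.allow(Packet("ingress", client, "tcp", 1521, 51002)),
        "web_to_internet_443": web.allow(Packet("egress", client, "tcp", 443, 40001)),
    }


def stateless_scenario():
    """A stateless ingress rule alone admits the request but not the reply; the
    reply needs a matching stateless egress rule. Returns four allow() results."""
    ingress_only = Vnic("lb", [[Rule(False, "ingress", "0.0.0.0/0", "tcp", 80)]], [])
    both = Vnic("lb", [[Rule(False, "ingress", "0.0.0.0/0", "tcp", 80),
                        Rule(False, "egress", "0.0.0.0/0", "tcp", None)]], [])
    req = Packet("ingress", "203.0.113.5", "tcp", 80, 52000)
    rep = Packet("egress", "203.0.113.5", "tcp", 52000, 80)
    return (ingress_only.allow(req), ingress_only.allow(rep),
            both.allow(req), both.allow(rep))
```

Only the web port reaches the frontend from the Internet, the database port is reachable only from NSG-A members, and outbound traffic from the frontend that is not a tracked reply is dropped, which is the white-list behaviour the review slide describes.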


Summary

In this lesson, you should have learned to describe the following:

• Key Virtual Cloud Network (VCN) concepts
  – Subnets, route table, private IP, public IP, internal DNS
• Gateways and routing
  – Internet gateway, NAT gateway, service gateway, local and remote peering
  – Transit routing
  – VPN, FastConnect (next module)
• VCN security
  – Security lists, network security groups

Oracle Cloud Infrastructure Administration Essentials 3 - 43


Oracle Cloud Infrastructure
Connectivity to On-Premises Networks
Module 4, Level 100
Rohit Rahi

Objectives

After completing this lesson, you should be able to describe the following:
• IPsec VPN
• Oracle FastConnect

Oracle Cloud Infrastructure Administration Essentials 4 - 2

Connectivity Options

Public Internet
• Internet Gateway / NAT Gateway
• Reserved and ephemeral IPs
• Internet data-out pricing (first 10 TB free)

VPN
• IPsec authentication and encryption
• Two main options:
  – OCI managed VPN service (free)
  – Software VPN (running on OCI Compute)

FastConnect
• Private connection
• Separate from the Internet
• Consistent network experience
• Port speeds of 1 Gbps and 10 Gbps
• SLA

Oracle Cloud Infrastructure Administration Essentials 4 - 3


VPN Basics

VPN – Using a public network to make an end-to-end connection between two private networks in a secure fashion
• Tunnel – A way to deliver packets through the Internet to private RFC 1918 addresses
• Authentication – Provides a mechanism to authenticate who you are
• Encryption – Packets need to be encrypted so they cannot be sniffed over the public Internet.
• Static routing: Configure a router to send traffic for particular destinations in preconfigured directions.
• Dynamic routing: Use a routing protocol, such as BGP, to figure out what paths traffic should take.

Diagram: Private Network 1 (VPN router) and Private Network 2 (VPN router) joined by a VPN connection tunnelled over the Internet.

Oracle Cloud Infrastructure Administration Essentials 4 - 4


Dynamic Routing Gateway

• It is a virtual router that provides a path for private traffic between your VCN and destinations other than the Internet.
• You can use it to establish a connection with your on-premises network via IPsec VPN or FastConnect (private, dedicated connectivity).
• After attaching a DRG, you must add a route for the DRG in the VCN's route table to enable traffic flow.
• A DRG is a stand-alone object. You must attach it to a VCN. VCN and DRG have a one-to-one relationship.

Diagram: VCN 10.0.0.0/16 with regional private Subnet A (10.0.1.0/24) in Availability Domain AD1; the DRG connects the VCN to the Customer Premises Equipment (CPE) in the customer data center. Route table shown: 0.0.0.0/0 → DRG.

Oracle Cloud Infrastructure Administration Essentials 4 - 5


VPN Connect (IPSec)

• VPN Connect is a managed VPN service, which securely connects an on-premises network to an OCI VCN through an IPSec VPN connection.
• It ensures secure remote connectivity via industry-standard IPSec encryption.
• Bandwidth is dependent on the customer's access to the Internet and general Internet congestion (typically less than 250 Mbps, but your mileage may vary).
• VPN Connect is offered for free.
• Customer proofs of concept usually start as a VPN and then morph into FastConnect designs.
• OCI provisions redundant VPN tunnels located on physically and logically isolated tunnel endpoints.

Diagram: VCN 10.0.0.0/16 in Availability Domain AD1 with Subnet B (10.0.2.0/24) and a custom route table, connected to the Customer Premises Equipment (CPE) in the customer data center.

Oracle Cloud Infrastructure Administration Essentials 4 - 6


VPN Connect (IPSec): Workflow
[Figure: An on-premises network whose CPE has public IP 142.32.45.56 connects across the Internet to a DRG attached to VCN 10.0.0.0/16 (Subnet B, 10.0.2.0/24). The CPE reaches the VCN through a static route for 10.0.0.0/16 or through dynamic routing (BGP); the VCN route table directs on-premises traffic to the DRG.]


VPN Connect: Workflow
1. Create a Virtual Cloud Network (VCN).
2. Create a Dynamic Routing Gateway (DRG).
3. Attach the DRG to your VCN.
4. Update the VCN route table to route on-premises traffic to the DRG.
5. Create a CPE object and add the on-premises router's public IP address.
6. From the DRG, create an IPsec connection between the CPE and the DRG, and provide a static route or use BGP routing.
7. Configure the on-premises CPE route.
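The routing that steps 4, 6 and 7 put in place can be checked offline before any tunnel comes up. The following Python model is an added example, not Oracle code and not part of the original guide: it resolves a destination against the VCN route table and against the CPE's route table by longest-prefix match, using the CIDRs from the slides (VCN 10.0.0.0/16, Subnet B 10.0.2.0/24, CPE public IP 142.32.45.56). The on-premises CIDR 192.168.0.0/16, the route target names, and treating a destination with no matching rule as dropped are assumptions made for the illustration. It also shows the failure mode of skipping step 4: with only an Internet Gateway default route, traffic for on-premises private addresses is handed to the IGW instead of the DRG and never arrives.

```python
"""Longest-prefix-match model of the VPN Connect routing workflow (steps 4, 6, 7).

Added example, not Oracle code. CIDRs come from the slides; the on-premises
CIDR 192.168.0.0/16 and the target names are assumptions for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[ipaddress.IPv4Network, str]


class RouteTable:
    """Destination CIDR -> target rules, resolved by longest prefix match."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []

    def add_rule(self, cidr: str, target: str) -> None:
        # strict parsing: a rule like 10.0.1.5/24 (host bits set) is a typo, not a route
        self.rules.append((ipaddress.ip_network(cidr), target))

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best: Optional[Rule] = None
        for net, target in self.rules:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None  # None: no rule matches, packet is dropped


def build_vcn_route_table(on_prem_cidrs: List[str], with_drg_rule: bool = True,
                          with_internet_gateway: bool = True) -> RouteTable:
    """Step 4: send on-premises destinations to the DRG.

    Traffic to the VCN's own CIDR is delivered locally without a rule, so only
    the DRG rule (and an optional Internet Gateway default) is added.
    with_drg_rule=False models an operator who attached the DRG but skipped step 4.
    """
    rt = RouteTable("VCN 10.0.0.0/16 route table")
    if with_internet_gateway:
        rt.add_rule("0.0.0.0/0", "IGW")
    if with_drg_rule:
        for cidr in on_prem_cidrs:
            rt.add_rule(cidr, "DRG")
    return rt


def build_cpe_route_table(vcn_cidr: str, bgp_learned: Optional[List[str]] = None) -> RouteTable:
    """Steps 6 and 7: the CPE (public IP 142.32.45.56) must route the VCN CIDR
    into the IPsec tunnel, either by a static route or by prefixes learned over
    BGP inside the tunnel. Everything else follows the ISP default route."""
    rt = RouteTable("CPE route table")
    rt.add_rule("0.0.0.0/0", "ISP uplink")
    rt.add_rule(vcn_cidr, "ipsec-tunnel (static)")
    for cidr in bgp_learned or []:
        rt.add_rule(cidr, "ipsec-tunnel (BGP)")
    return rt


def resolve_path(src: str, dst: str, vcn_rt: RouteTable, cpe_rt: RouteTable,
                 vcn_cidr: str = "10.0.0.0/16") -> Dict[str, Optional[str]]:
    """Where does a packet from a VCN instance go, and where does the reply go?"""
    if ipaddress.ip_address(dst) in ipaddress.ip_network(vcn_cidr):
        forward = "local"  # intra-VCN delivery is implicit, no rule needed
    else:
        forward = vcn_rt.lookup(dst)
    return {"forward": forward, "reply": cpe_rt.lookup(src)}


if __name__ == "__main__":
    vcn = build_vcn_route_table(["192.168.0.0/16"])
    cpe = build_cpe_route_table("10.0.0.0/16")
    print(resolve_path("10.0.2.10", "192.168.1.20", vcn, cpe))   # forward via DRG, reply via tunnel
    broken = build_vcn_route_table(["192.168.0.0/16"], with_drg_rule=False)
    print(resolve_path("10.0.2.10", "192.168.1.20", broken, cpe))  # forward via IGW: never arrives
```

The same lookup applies to the DRG slide earlier in this lesson: the 0.0.0.0/0 rule shown there sends everything that is not local to the DRG, whereas a VCN that also has an Internet Gateway needs the more specific on-premises rule so that longest-prefix match picks the DRG for private destinations and the IGW for everything else.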


FastConnect
FastConnect provides a dedicated and private connection with higher bandwidth options, and a more reliable and consistent networking experience when compared to internet-based connections.
• Connect to OCI directly or via pre-integrated network partners
• Port speeds in 1 Gbps and 10 Gbps increments
• Extend remote data centers into Oracle ("private peering") or connect to public resources ("public peering")
• No charges for inbound/outbound data transfer
• Uses the BGP protocol


FastConnect Scenarios


Virtual Circuit
• A virtual circuit is an isolated network path that runs over one or more physical network connections to provide a single, logical connection between the customer's edge router and their DRG.
• Each virtual circuit is made up of information shared between the customer, Oracle, and a provider.
• It is possible to have multiple virtual circuits to isolate traffic from different parts of the organization (for example, one virtual circuit for 10.0.1.0/24 and another for 172.16.0.0/16), or to provide redundancy.
• FastConnect uses BGP to exchange routing information.


FastConnect Use Scenarios
Private Peering:
• Is an extension of the on-premises network to the OCI VCN
• Enables communication across the connection with private IP addresses
Public Peering:
• Enables you to access public OCI services, such as Object Storage, the OCI Console, or APIs, over a dedicated FastConnect connection
• Doesn't use a DRG


FastConnect Use Cases
[Figure: Customer Premises Equipment or Partner Edge at the FastConnect data center location connects to the Customer Edge and Oracle Edge of an OCI region with three availability domains. Private peering reaches resources in the availability domains; public peering reaches Object Storage and other public services without traversing the Internet.]


FastConnect Connectivity Providers


IPsec VPN and FastConnect
Comparison of IPsec VPN and FastConnect:

Use case
  IPsec VPN: Dev/test and small-scale production workloads
  FastConnect: Enterprise-class and mission-critical workloads, Oracle Apps, backup, DR
Supported services
  IPsec VPN: All OCI services within the VCN
  FastConnect: All OCI services within the VCN
Typical bandwidth
  IPsec VPN: Typically < 250 Mbps aggregate
  FastConnect: Higher bandwidth; 1 Gbps and 10 Gbps ports
Protocols
  IPsec VPN: IPsec
  FastConnect: BGP
Routing
  IPsec VPN: Static routing, dynamic routing
  FastConnect: Dynamic routing
Connection resiliency
  IPsec VPN: Active-active
  FastConnect: Active-active
Encryption
  IPsec VPN: Yes, by default
  FastConnect: No (*). The circuit is private but not encrypted; encryption can be achieved using a virtual firewall.
Pricing
  IPsec VPN: Free for the managed service
  FastConnect: Billable port hours; no data transfer charge between ADs
SLA
  IPsec VPN: No SLA
  FastConnect: 99.9% availability SLA


VPN and FastConnect Pricing
• No hourly or monthly VPN connection charge for IPsec VPN, but the data transfer rates below apply:

  Metric                                          Unit       Pay as You Go   Monthly Flex
  Outbound Data Transfer - First 10 TB / Month    GB/month   Free            Free
  Outbound Data Transfer - Over 10 TB / Month     GB/month   $0.0085         $0.0085
  Inbound Data Transfer                           GB/month   Free            Free

• FastConnect pricing:

  Metric                           Unit         Pay as You Go   Monthly Flex
  FastConnect 1 Gbps - Metered     Port-hours   $0.2125         $0.2125
  FastConnect 10 Gbps - Metered    Port-hours   $1.2750         $1.2750

Port-hours are billed once the connection between the FastConnect service router and your router is established, or 30 days after you ordered the port, whichever comes first. Port charges continue to be billed any time the FastConnect service port is provisioned.

https://www.oracle.com/cloud/networking/fastconnect.html#pricing


Summary

In this lesson, you should have learned to describe the following:
• IPsec VPN
• Oracle FastConnect


Lesson 5: Oracle Cloud Infrastructure Connectivity - FastConnect (Level 200)
Jamal Arif
Objectives
After completing this lesson, you should be able to describe the following:
• FastConnect use cases
• FastConnect concepts
• FastConnect service models
  – Direct to Oracle:
    • Data center colocation (1a)
    • Dedicated circuits from a third-party network carrier (1b)
  – Using an Oracle network provider or exchange partner
• Prerequisite: Connectivity - Level 100


Why do you need dedicated connectivity into cloud?
• Latency-sensitive enterprise applications: applications with relational databases are especially vulnerable to latency and require predictable performance.
• Big Data and High Performance Computing with data-transfer needs: large data transfers (for example, batch jobs or real-time queries) require high performance and low latency, including backup and replication use cases.
• Sensitive data that cannot traverse the public internet: applications that contain sensitive data benefit from an extra level of privacy and isolation.
• Lift-and-shift to Cloud: moving Web-App-DB tiers to Oracle Cloud needs dedicated network connectivity.


FastConnect: Product Overview
FastConnect provides an easy, elastic, and economical way to create a dedicated and private connection with higher bandwidth options, and a more reliable and consistent networking experience when compared to internet-based connections.
• Connect to OCI directly or via pre-integrated network partners
• 1 Gbps and 10 Gbps increments
• Extend remote data centers into Oracle ("private peering") or connect to public resources ("public peering")
• No charges for inbound/outbound data transfer
• Uses the BGP protocol


FastConnect Use Cases


FastConnect: Use Scenarios
Private Peering:
• Extension of the on-premises network to the OCI VCN
• Communication across the connection with private IP addresses
Public Peering:
• To access public OCI services over a dedicated FastConnect connection
  – Access Object Storage, the OCI Console, or APIs
  – Communication across the connection with public IP addresses


FastConnect (Private Connection)
[Figure: Private peering. Customer Premises Equipment or Partner Edge at the FastConnect data center location connects to the Customer Edge and Oracle Edge of an OCI region with three availability domains; private peering carries traffic into the availability domains, while Object Storage and the Internet sit outside that path.]


BGP Advertisement and Traffic Flow

[Figure: The customer network (192.168.1.0/24, 192.168.2.0/24, 172.16.0.0/16) behind a CPE/L3 provider peers with the Dynamic Routing Gateway over eBGP. The DRG routing table learns the three customer prefixes and advertises the VCN subnets 10.1.1.0/24 (Availability Domain 1), 10.1.2.0/24 (Availability Domain 2) and 10.1.3.0/24 (Availability Domain 3) of VCN 10.1.0.0/16 back to the customer.]


FastConnect: Use Scenarios
With FastConnect, you can choose to use private peering, public peering, or both.

Private peering: To extend your existing infrastructure into a virtual cloud network (VCN) in Oracle Cloud Infrastructure (for example, to implement a hybrid cloud, or a lift-and-shift scenario). Communication across the connection is with IPv4 private addresses (typically RFC 1918).

Public peering: To access public services in Oracle Cloud Infrastructure without using the internet. For example, Object Storage, the Oracle Cloud Infrastructure Console and APIs, or public load balancers in your VCN. Communication across the connection is with IPv4 public IP addresses. Without FastConnect, the traffic destined for public IP addresses would be routed over the internet. With FastConnect, that traffic goes over your private physical connection.


FastConnect (Public Peering Connection)
[Figure: Same topology as the private connection figure, now showing both private peering into the availability domains and public peering to Object Storage over the FastConnect data center location.]

As discussed earlier, one use of FastConnect is dedicated access to the regional public services of OCI through public peering connections. Whenever you access public OCI services such as Object Storage, the Oracle Cloud Infrastructure Console and APIs, and public load balancers in your VCN, the traffic can go across the dedicated FastConnect connection instead of the internet. All communication across a public virtual circuit uses public IP addresses.

The figures show the colocation and Oracle provider scenarios with both private and public peering connections. Note that the DRG only comes into play in the FastConnect private peering connection; a public virtual circuit is not attached to a DRG.


FastConnect (Public Peering Connection)
• You choose which of your organization's public IP prefixes you want to use with the virtual circuit. Each prefix must be /31 or less specific (that is, a prefix length of 31 or shorter; single /32 hosts are not accepted).
• Oracle verifies your organization's ownership of each prefix before sending any traffic for it across the connection.
• When configuring your edge for public peering, make sure to give higher preference to FastConnect over your ISP.
• Oracle prefers the most specific route when routing traffic from Oracle Cloud Infrastructure to other destinations. This means that even if you have an Internet Gateway with a 0.0.0.0/0 route, replies to your verified public prefixes go over the FastConnect connection, because the advertised prefix is more specific than the default route.
• You can add or remove public IP prefixes at any time by editing the virtual circuit.


BGP Advertisement and Traffic Flow
[Figure: Over eBGP, the CPE advertises the customer's public prefix 1.1.1.0/24 to the VPN-GW (FastConnect edge), and Oracle advertises the OCI public service IPs 129.254.0.0/17, 129.254.128.0/17 and 129.146.128.0/17 (Block Storage, Casper, etc.) together with the customer's public VCN IPs (129.146.0.0/17). Traffic between these prefixes takes the FastConnect path rather than the Internet.]


Private and Public Peering
Use case
  FastConnect-Private: To manage VCN resources privately
  FastConnect-Public: To access OCI's public service offering
Typical bandwidth
  FastConnect-Private: Higher bandwidth; 1 Gbps and 10 Gbps ports
  FastConnect-Public: Higher bandwidth; 1 Gbps and 10 Gbps ports
Protocols
  FastConnect-Private: BGP
  FastConnect-Public: BGP
Point-to-point IPs
  FastConnect-Private: Customer assigns IPs (/30 or /31)
  FastConnect-Public: Oracle assigns IPs (/30 or /31)
Prefix advertisement
  FastConnect-Private: OCI advertises VCN subnet routes
  FastConnect-Public: OCI advertises public VCN routes and public services routes
Prefix validation
  FastConnect-Private: Not needed
  FastConnect-Public: OCI validates that the prefixes are owned by the customer
Prefix limit
  FastConnect-Private: 2000
  FastConnect-Public: 200
BGP ASN
  FastConnect-Private: Any ASN
  FastConnect-Public: Public ASN
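The limits in this table and the public-peering rules from the previous slides (prefixes /31 or less specific, ownership verification, a public ASN, /30 or /31 point-to-point addressing) can be encoded as a pre-flight check before a virtual circuit is requested. The following Python function is an added example, not Oracle code and not part of the original guide. Oracle's actual ownership verification is replaced by a caller-supplied list of the organization's registered allocations, and the RFC 6996 private-use ASN ranges (64512-65534 and 4200000000-4294967294) are used to decide whether an ASN counts as public; both are assumptions of the example. The prefixes in the usage call are the ones from the BGP advertisement figure.

```python
"""Pre-flight checks for a FastConnect virtual circuit's BGP configuration.

Added example, not Oracle code. Limits come from the private/public peering
table in this guide; the registered-allocation list standing in for Oracle's
ownership verification and the RFC 6996 private ASN ranges are assumptions.
"""
import ipaddress
from typing import Iterable, List, Optional

PREFIX_LIMIT = {"private": 2000, "public": 200}
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn: int) -> bool:
    """True for 16-bit and 32-bit private-use ASNs; public peering needs a public ASN."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def check_point_to_point(customer_ip: str, oracle_ip: str) -> Optional[str]:
    """The two BGP session addresses must share one /30 or /31 and differ from each other."""
    cust = ipaddress.ip_interface(customer_ip)
    orcl = ipaddress.ip_interface(oracle_ip)
    if cust.network.prefixlen not in (30, 31) or cust.network != orcl.network:
        return f"{customer_ip} and {oracle_ip} are not in the same /30 or /31"
    if cust.ip == orcl.ip:
        return f"customer and Oracle BGP addresses are both {cust.ip}"
    return None


def validate_virtual_circuit(peering: str, customer_asn: int, prefixes: Iterable[str],
                             registered_allocations: Iterable[str] = (),
                             customer_bgp_ip: Optional[str] = None,
                             oracle_bgp_ip: Optional[str] = None) -> List[str]:
    """Return 'CODE: detail' findings; an empty list means the request is well formed."""
    findings: List[str] = []
    prefixes = list(prefixes)
    if peering not in PREFIX_LIMIT:
        return [f"BAD_PEERING: unknown peering type {peering!r}"]
    if len(prefixes) > PREFIX_LIMIT[peering]:
        findings.append(f"PREFIX_LIMIT: {len(prefixes)} prefixes exceed the "
                        f"{peering} peering limit of {PREFIX_LIMIT[peering]}")
    if peering == "public" and (customer_asn == 0 or is_private_asn(customer_asn)):
        findings.append(f"PRIVATE_ASN: public peering requires a public ASN, got {customer_asn}")
    allocations = [ipaddress.ip_network(a) for a in registered_allocations]
    for prefix in prefixes:
        try:
            net = ipaddress.ip_network(prefix)  # strict: a prefix with host bits set is rejected
        except ValueError:
            findings.append(f"BAD_CIDR: {prefix!r} is not a valid network prefix")
            continue
        if peering == "private":
            continue  # private peering: Oracle does not validate prefix ownership (see table)
        if net.prefixlen > 31:
            findings.append(f"TOO_SPECIFIC: {net} is more specific than /31")
        if not net.is_global:
            findings.append(f"NOT_PUBLIC: {net} is not publicly routable; public peering carries public IPs only")
        elif not any(net.subnet_of(alloc) for alloc in allocations):
            findings.append(f"NOT_REGISTERED: {net} is not inside any allocation the organization can prove it owns")
    if customer_bgp_ip and oracle_bgp_ip:
        problem = check_point_to_point(customer_bgp_ip, oracle_bgp_ip)
        if problem:
            findings.append("P2P: " + problem)
    return findings


if __name__ == "__main__":
    # Prefixes from the BGP advertisement figure; 64496 is a documentation ASN (RFC 5398)
    print(validate_virtual_circuit("public", 64496, ["1.1.1.0/24"], ["1.1.1.0/24"],
                                   "129.146.12.1/31", "129.146.12.0/31"))
    print(validate_virtual_circuit("public", 65000, ["1.1.1.1/32", "192.168.1.0/24"], ["1.1.1.0/24"]))
```

The second call illustrates three rejections at once: a private ASN on a public circuit, a /32 that is more specific than the /31 limit, and an RFC 1918 prefix that can never be carried over public peering. For a private circuit the same function only checks the prefix count, CIDR syntax and the point-to-point addressing, matching the "Not needed" entry for prefix validation.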


FastConnect Connectivity Models


FastConnect Concepts

• FastConnect location
  – A specific Oracle data center where you can connect with Oracle Cloud Infrastructure
• Metro area
  – A geographical area (for example, Ashburn) with multiple FastConnect locations
  – All locations in a metro area connect to the same set of availability domains, for resiliency in case of failure in a single location
• Oracle provider
  – A network service provider that has integrated with Oracle in a FastConnect location
• Third-party provider
  – A network service provider that is NOT on the list of Oracle providers
• Colocation
  – The situation where your equipment is deployed into a FastConnect location


FastConnect Concepts

• Cross-connect
  – In a colocation or third-party provider scenario, this is the physical cable connecting your existing network to Oracle in the FastConnect location.
• Cross-connect group
  – In a colocation or third-party provider scenario, this is a link aggregation group (LAG) that contains at least one cross-connect.
  – You can add additional cross-connects to a cross-connect group as your bandwidth needs increase. This is applicable only for colocation.


FastConnect Concepts

• Virtual circuit
  – A virtual circuit is an isolated network path that runs over one or more physical network connections to provide a single, logical connection between the customer's edge router and their DRG.
  – Each virtual circuit is made up of information shared between the customer, Oracle, and a provider.
  – The customer could have multiple virtual circuits to isolate traffic from different parts of their organization (for example, one virtual circuit for 10.0.1.0/24 and another for 172.16.0.0/16), or to provide redundancy.
  – FastConnect uses Border Gateway Protocol (BGP) to exchange routing information between the various autonomous systems involved in the connection.
  – With FastConnect, there are two scenarios for how the virtual circuit's BGP session is established (Layer 2 or Layer 3).


FastConnect Connectivity Options
Connectivity Models
• Direct to Oracle:
  – Data center colocation (1a)
  – Dedicated circuits from a third-party network carrier (1b)
• Using an Oracle network provider or exchange partner


Direct to Oracle: Datacenter Colocation (1a)
[Figure: Physical connection. The customer's CPE in the customer cage of the FastConnect data center location connects over a 10 Gbps cross-connect to the FastConnect edge in the Oracle cage, which reaches Availability Domains 1, 2 and 3 of the OCI region.]


Direct to Oracle: Dedicated Circuits Using a Network Service Provider (1b)

[Figure: Physical connection. The CPE in a remote customer data center reaches the FastConnect data center location over private 1 Gbps or 10 Gbps circuits from a network carrier, terminating on the FastConnect edge in the Oracle cage, which reaches Availability Domains 1, 2 and 3 (regional cloud services).]


Cross-Connects in Models 1a and 1b - Physical Connection

In colocation model 1a and dedicated-circuit model 1b:
• You can add additional cross-connects to a cross-connect group as your bandwidth needs increase, such as 2 x 10G ports into a LAG.
• When you create a cross-connect group, the cross-connects are grouped together to form a Link Aggregation Group (LAG).
• You can group up to eight cross-connects in a cross-connect group (8 x 10G if required).
• In a cross-connect group, all ports are on the same router.

[Figure: CPE 1 in the customer cage connects to router R1 on the FastConnect edge in the Oracle cage over two 1 Gbps or 10 Gbps cross-connects at the FastConnect data center location.]


Direct to Oracle Logical Connection: Virtual Circuit
[Figure: Your existing network connects from your edge to the Oracle edge at a FastConnect location in the metro area; the two edges are the BGP speakers. A private virtual circuit carries traffic through the Dynamic Routing Gateway to private IPs in the VCN, whose subnets sit in two availability domains of the OCI region. The figure labels two VCN CIDRs, 10.0.0.0/16 and 172.16.0.0/16.]

A single, logical connection (virtual circuit) between your edge and Oracle Cloud Infrastructure by way of your Dynamic Routing Gateway. Traffic is destined for private IP addresses in your VCN.


How to Set Up a FastConnect Virtual Circuit in Colocation Model?

Service Models
• Direct to Oracle:
  – Data center colocation - 1a
  – Dedicated circuits from a third-party network carrier - 1b

Notes:
• OCI-C: 1 Gbps and 10G ports
• OCI: 10 Gbps ports (can support LAG)
• Virtual circuits (colocation):
  – Number of virtual circuits: no limits (a limit might be implemented later on)
  – Shared across all virtual circuits
• Hardware requirements on BGP ASN, prefix count, and BGP timers are available at https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Concepts/fastconnectcolocate.htm




FastConnect: Connectivity Options

Service Models
• Direct to Oracle:
  – Data center colocation
  – Dedicated circuits from a third-party network carrier
• Using an Oracle network provider or exchange partner (Layer 2 or Layer 3)


Using an Oracle Network Provider or Exchange Partner

[Figure: Physical connection. One or more customer data centers with CPE connect through a point-to-point or multi-point service over the partner network to the partner edge at the partner demarc in the FastConnect data center location; redundant 10 Gbps links join the partner edge to the FastConnect edge in the Oracle cage, which reaches Availability Domains 1, 2 and 3 of the OCI region.]

Partners:
• Network service providers
• Exchanges (for example, Equinix, Megaport, Interxion)


Using an Oracle Network Provider or Exchange Partner - Layer 2

[Figure: Logical connection. FastConnect virtual circuits 1 and 2 run from the customer CPE across the partner network (partner edge at the partner demarc) to the FastConnect edge in the Oracle cage. With a Layer 2 partner (for example Megaport, Equinix, Interxion), BGP route advertisements are exchanged directly between Oracle and the customer.]


Using an Oracle Network Provider or Exchange Partner - Layer 3

[Figure: Logical connection. Same topology as the Layer 2 case, but with a Layer 3 partner the BGP route advertisements are exchanged in two hops: between the customer and the partner, and between the partner and Oracle.]


FastConnect: Connectivity Partners
https://www.oracle.com/cloud/networking/fastconnect-providers.html

This table lists the Oracle Cloud Infrastructure FastConnect locations; as we add regions, the list will grow as well. Currently, for all three OCI regions, this is the list of FastConnect providers.


How to Set Up a FastConnect Virtual Circuit with Partner: Demo Example - Megaport Layer 3 Partner

Service Models
• Direct to Oracle:
  – Data center colocation - 1a
  – Dedicated circuits from a third-party network carrier - 1b
• Using an Oracle network provider or exchange partner (Layer 2 or Layer 3)


1. Set Up OCI Components
   a. DRG (private peering only)
   b. Set up a virtual circuit with the provider


1. Set Up OCI Components
Unauthorized reproduction or distribution prohibited. Copyright© 2021, Oracle University and/or its affiliates.

a. DRG (Private Peering Only)


b. Set up a Virtual Circuit with Provider.

sa
. ha
Select the type of circuit

ide m)
Select the DRG

Gu co
Private Peering: Provide

is e.
customer and oracle BGP IP

th cl
address and ASN

e ra
Public Peering: Customer Public

us @o
BGP ASN and public Prefixes
32
to rai
se du
en ik.
lic arth
ble (k
ra y
fe m
ns isa
tra ra
n- Du
no an
y
ike
rth
Ka

Oracle Cloud Infrastructure Administration Essentials 5 - 32


   c. Provide the details of the Virtual Circuit to the provider. The virtual circuit shows the state Pending Provider until the provider configures its side.


2. Set Up Megaport Connection
   a. Use the OCID of the Virtual Circuit in Megaport:
      – Create a Virtual Circuit
      – Choose POP Location
      – Provide the OCI virtual circuit OCID

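Before clicking Create in step 1b, a practitioner will want to sanity-check the values typed into the form, because a mismatched /30, a wrong ASN or a private prefix offered over public peering only surfaces after the circuit is already pending on the provider side. The following Python is an added example, not part of this guide or of Oracle's tooling; the dictionary keys follow the OCI CreateVirtualCircuitDetails request body as I recall it (check them against the current API reference), the OCIDs are placeholders, and no API call is made.

```python
"""Pre-flight checks for the values entered when creating an OCI FastConnect
virtual circuit (steps 1b/1c above). Constructed example, not code from the
course or from Oracle: the dictionary keys follow the CreateVirtualCircuitDetails
request body as I recall it (type, gatewayId, providerServiceId, customerBgpAsn,
crossConnectMappings, publicPrefixes); verify them against the API reference.
No API call is made; the sample request at the bottom is made up.
"""
import ipaddress

ORACLE_BGP_ASN = 31898   # Oracle's ASN on FastConnect BGP sessions


def check_peering_pair(customer_ip, oracle_ip):
    """Private peering: both BGP addresses must be distinct hosts in one /30 or /31."""
    errors = []
    try:
        cust = ipaddress.ip_interface(customer_ip)
        orcl = ipaddress.ip_interface(oracle_ip)
    except ValueError as exc:
        return [f"unparseable BGP peering address: {exc}"]
    for side, iface in (("customer", cust), ("oracle", orcl)):
        if iface.network.prefixlen not in (30, 31):
            errors.append(f"{side} peering address {iface} must use a /30 or /31 prefix")
    if cust.network != orcl.network:
        errors.append(f"{cust} and {orcl} are not in the same subnet")
    elif cust.ip == orcl.ip:
        errors.append(f"customer and Oracle peering addresses are both {cust.ip}")
    return errors


def check_customer_asn(asn):
    """Any public or private ASN is acceptable, except Oracle's own."""
    if not isinstance(asn, int) or not 1 <= asn <= 4294967295:
        return [f"customerBgpAsn {asn!r} is not a valid ASN (1..4294967295)"]
    if asn == ORACLE_BGP_ASN:
        return [f"customerBgpAsn {asn} is Oracle's ASN; use your own or a private one (64512-65534)"]
    return []


def check_public_prefixes(prefixes):
    """Public peering: prefixes must be globally routable. Oracle additionally
    verifies that you own them before the circuit is provisioned; no local
    check replaces that step."""
    errors = []
    for entry in prefixes:
        cidr = entry.get("cidrBlock", "")
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"bad public prefix {cidr!r}: {exc}")
            continue
        if not net.is_global:
            errors.append(f"{cidr} is not globally routable and cannot be advertised over public peering")
    return errors


def validate_virtual_circuit(details):
    """Return a list of problems; an empty list means the request is consistent."""
    errors = []
    vc_type = details.get("type")
    if vc_type not in ("PRIVATE", "PUBLIC"):
        errors.append(f"type must be PRIVATE or PUBLIC, got {vc_type!r}")
    if not details.get("providerServiceId"):
        errors.append("providerServiceId is required when the circuit goes through a partner")
    errors += check_customer_asn(details.get("customerBgpAsn"))
    mappings = details.get("crossConnectMappings", [])
    if vc_type == "PRIVATE":
        if not details.get("gatewayId"):
            errors.append("private peering needs the DRG OCID in gatewayId")
        if not mappings:
            errors.append("private peering needs a crossConnectMapping with both BGP peering addresses")
        for m in mappings:
            errors += check_peering_pair(m.get("customerBgpPeeringIp", ""), m.get("oracleBgpPeeringIp", ""))
    elif vc_type == "PUBLIC":
        if details.get("gatewayId"):
            errors.append("public peering does not use a DRG; leave gatewayId unset")
        if not details.get("publicPrefixes"):
            errors.append("public peering needs at least one publicPrefixes entry")
        errors += check_public_prefixes(details.get("publicPrefixes", []))
    return errors


# Constructed sample request; the OCIDs are placeholders, not real identifiers.
SAMPLE_PRIVATE_REQUEST = {
    "type": "PRIVATE",
    "gatewayId": "ocid1.drg.oc1.phx.<placeholder>",
    "providerServiceId": "ocid1.providerservice.oc1.phx.<placeholder>",
    "customerBgpAsn": 64512,
    "crossConnectMappings": [
        {"customerBgpPeeringIp": "10.255.0.18/31", "oracleBgpPeeringIp": "10.255.0.19/31"},
    ],
}

if __name__ == "__main__":
    for problem in validate_virtual_circuit(SAMPLE_PRIVATE_REQUEST) or ["request looks consistent"]:
        print(problem)
```

Run it against the values you intend to enter in the console; the checks are purely local, so they cannot tell you whether the provider will accept the circuit or whether Oracle's ownership verification of public prefixes will pass.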

FastConnect Connectivity Resiliency


FastConnect Redundancy

• Have multiple redundant connections into OCI and avoid single points of failure in your design.
• For IPSec VPN, OCI recommends multiple connections from redundant physical devices at the customer premises. High-availability connections require redundant hardware, even when connecting from the same physical location.
• OCI FastConnect provides multiple redundancy options; it is recommended to use multiple vendors, if financially feasible, to ensure you have redundant network connections.
• Plan for sufficient network capacity on your FastConnect virtual circuits so that individual circuits are not overwhelmed when a redundant circuit fails.
• Add service-level redundancy by creating an IPsec VPN connection alongside FastConnect. Oracle always prioritizes the FastConnect path over the VPN connection.


FastConnect Redundancy

• With FastConnect there are multiple types of redundancy:
  – Transit POP redundancy
  – Router redundancy within a single Transit POP
  – Partner redundancy
  – Service redundancy
• Oracle provides:
  – Two Oracle FastConnect POPs, for location redundancy, in the following regions: Ashburn, Phoenix, London, Frankfurt. Each POP is connected to all of Oracle's Availability Domains in the region.
  – Per Oracle POP: two routers, for router redundancy
  – Multiple physical connections between each Oracle provider and Oracle (for a given region)


Redundancy: Connectivity Model – Colocation or Colocation via Third-Party Network Provider

Transit POP redundancy (diagram): Customer Edge 1 (Router 1) connects through Virtual Circuit 1 to Oracle Edge 1 (Router 1) at FastConnect POP Location 1; Customer Edge 2 (Router 1) connects through Virtual Circuit 2 to Oracle Edge 2 (Router 1) at FastConnect POP Location 2. Legend: Cross-Connect (physical connection), Cross-Connect Group (LAG), Virtual Circuit.


Redundancy: Connectivity Model – Colocation or Colocation via Third-Party Network Provider

Router redundancy within a single Transit POP (diagram): at FastConnect POP Location 1, Customer Edge Router 1 connects through Virtual Circuit 1 to Oracle Edge Router 1, and Customer Edge Router 2 connects through Virtual Circuit 2 to Oracle Edge Router 2. Legend: Cross-Connect (physical connection), Cross-Connect Group (LAG), Virtual Circuit.


Redundancy: Connectivity Model – Oracle Partner (Layer 2)

• For a Layer 2 partner, a given virtual circuit can run on only a single cross-connect group (LAG) or a single cross-connect (an individual cable, no LAG).
• Redundancy is achieved by provisioning a second virtual circuit.
• The partner makes sure that the second virtual circuit lands on a redundant cross-connect LAG between the partner and Oracle.
• The redundant cross-connect LAG can land in the same POP or in a different POP, depending on the connectivity between the partner and Oracle.
• Active/Active or Active/Passive setups are possible, with the LOCAL_PREF ("LP") and AS_PATH BGP attributes influencing egress traffic from the customer and from OCI respectively.

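The last bullet is worth seeing in action. The following Python is an added example, not code from this guide or from Oracle: it models the first two steps of the BGP best-path decision over two virtual circuits. LOCAL_PREF is set by the router that receives a route and decides that router's own egress; AS_PATH prepending is applied by the router that advertises a route and decides the other side's egress. The customer ASN, prefixes and circuit names are constructed; 31898 is the ASN Oracle uses on FastConnect BGP sessions.

```python
"""BGP path selection over two FastConnect virtual circuits.

Constructed example, not code from the course or from Oracle. Only the first
two steps of the BGP decision process are modelled (highest LOCAL_PREF, then
shortest AS_PATH); MED, origin and router-id tie-breaks are left out.
"""
from dataclasses import dataclass

CUSTOMER_ASN = 64512       # constructed private ASN for the customer edge
ORACLE_ASN = 31898         # Oracle's BGP ASN on FastConnect sessions
ONPREM = "10.0.0.0/16"     # constructed on-premises prefix
VCN = "10.2.0.0/16"        # constructed VCN prefix learned from Oracle


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple        # leftmost entry is the neighbouring AS
    local_pref: int
    circuit: str          # virtual circuit the route was learned over


def best_circuits(routes):
    """Circuits that carry traffic for a prefix after the decision process.

    Two survivors mean both circuits are used (Active/Active, assuming BGP
    multipath is enabled on the router); one survivor is Active/Passive."""
    top = max(r.local_pref for r in routes)
    survivors = [r for r in routes if r.local_pref == top]
    shortest = min(len(r.as_path) for r in survivors)
    return sorted(r.circuit for r in survivors if len(r.as_path) == shortest)


def customer_egress(vc1_local_pref, vc2_local_pref):
    """The customer edge learns the VCN prefix on both circuits and applies its
    own LOCAL_PREF per neighbour; this decides customer -> OCI egress."""
    learned = [
        Route(VCN, (ORACLE_ASN,), vc1_local_pref, "vc1"),
        Route(VCN, (ORACLE_ASN,), vc2_local_pref, "vc2"),
    ]
    return best_circuits(learned)


def oracle_egress(prepends_on_vc2):
    """Oracle's edge learns the on-prem prefix on both circuits. The customer
    cannot set Oracle's LOCAL_PREF, so it prepends its own ASN on the VC2
    advertisement to lengthen that path; this decides OCI -> customer egress.
    Oracle's LOCAL_PREF is assumed equal on both circuits."""
    vc1_path = (CUSTOMER_ASN,)
    vc2_path = (CUSTOMER_ASN,) * (1 + prepends_on_vc2)
    learned = [
        Route(ONPREM, vc1_path, 100, "vc1"),
        Route(ONPREM, vc2_path, 100, "vc2"),
    ]
    return best_circuits(learned)


if __name__ == "__main__":
    print("customer egress, equal LOCAL_PREF  :", customer_egress(100, 100))
    print("customer egress, VC1 preferred     :", customer_egress(200, 100))
    print("oracle egress, no prepend          :", oracle_egress(0))
    print("oracle egress, VC2 prepended twice :", oracle_egress(2))
```

The point to take away: to make a circuit truly passive you have to steer both directions, LOCAL_PREF on your own router for outbound traffic and AS_PATH prepending on your advertisements for Oracle's return traffic; doing only one leaves the traffic asymmetric across the two circuits.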


Layer 2 Partners: Megaport, Equinix, CenturyLink

Diagram: Customer DC (CPE) → Partner X Network (PE) → Oracle POP 1 (Router 1) over Virtual Circuit 1 and Oracle POP 2 (Router 1) over Virtual Circuit 2, into the OCI Region. The customer is responsible for redundancy on its side; Oracle requires redundancy with partners.

For Redundancy:
  Customer: order 2x VCs with Oracle; order 2x cross-connects to the partner.
  Partner: minimum 2x circuits to Oracle; provisions the 2nd VC on a redundant cross-connect.
  Oracle: minimum 2x circuits to the partner; agreement with the partner to provision the 2nd VC on a redundant cross-connect.


Redundancy: Connectivity Model – Oracle Partner (Layer 3)

• For a Layer 3 partner, a given virtual circuit can run on multiple cross-connect groups (LAGs) or multiple cross-connects (a cross-connect is an individual cable, no LAG), which provides router redundancy for the virtual circuit.
• By default the customer gets two BGP sessions tied to a single virtual circuit, running over redundant cross-connect groups or cross-connects.
• The partner and Oracle make sure that the second BGP session lands on a redundant cross-connect LAG between the partner and Oracle.
• The customer can still provision a second virtual circuit, at additional cost, if redundancy at the virtual circuit level is required.


Layer 3 Partners: Verizon, BT

Diagram: Customer DC (CPE) → Partner X Network (PE) → Oracle POP 1 (Router 1, Router 2) over Virtual Circuit 1 and Oracle POP 2 (Router 1, Router 2) over Virtual Circuit 2, into the OCI Region; each virtual circuit carries two BGP sessions. The customer is responsible for redundancy on its side; Oracle requires redundancy with partners.

For Redundancy:
  Customer: order 2x VCs with Oracle; order 2x cross-connects to the partner.
  Partner: minimum 2x circuits to Oracle; runs 2 BGP sessions with Oracle.
  Oracle: minimum 2x circuits to the partner; runs 2 BGP sessions with the partner.


Service Redundancy

• A customer can provision IPsec VPN alongside FastConnect.
• IPsec can be treated as a backup if FastConnect fails.
• Egress traffic from OCI will prefer FastConnect.*
• Bandwidth and latency over IPsec are a concern.
• Highly recommended if the customer has a single FastConnect to OCI.

Diagram: the customer network 10.0.0.0/16 (CPE behind a firewall) reaches the VCN both through an IPsec VPN connection over the public Internet and through virtual circuits across the provider network to FastConnect Location 1 and FastConnect Location 2, all terminating on the DRG. The VCN in the region has Private Subnet 10.2.2.0/24 in Availability Domain 1 and Private Subnet 10.2.3.0/24 in Availability Domain 2, plus an Internet Gateway (IGW) reached by a route for destination 0.0.0.0/0 to the public Internet.


Summary

In this lesson, you should have learned to describe the following:
• FastConnect use cases
• FastConnect concepts
• FastConnect service models
• FastConnect resiliency options


Lesson 6: Load Balancer
Oracle Cloud Infrastructure
Level 100
Rohit Rahi
Objectives

After completing this lesson, you should be able to:
• Explain the concepts and features of the OCI Load Balancing Service
• Describe Public and Private Load Balancers
• Describe Policies and Health Checks


Primer

A load balancer sits between the clients and the back ends and performs tasks such as:
• Service Discovery: What back ends are available in the system? How should the load balancer talk to them?
• Health Check: What back ends are currently healthy and available to accept requests?
• Algorithm: What algorithm should be used to balance individual requests across the healthy back ends?

Load Balancer benefits
• Fault tolerance and HA: Using health checks plus LB algorithms, an LB can effectively route around a bad or overloaded back end.
• Scale: An LB maximizes throughput, minimizes response time, and avoids overload of any single resource.
• Naming abstraction: Name resolution can be delegated to the LB; back ends don't need public IP addresses.

The Oracle Cloud Infrastructure Load Balancing Service provides automated traffic distribution from one entry point to multiple back-end servers in your Virtual Cloud Network. This helps to balance large amounts of traffic that could overwhelm a single server, gives you a mechanism to scale out an application tier by adding more servers, and gives the application higher availability: even if one availability domain has an issue, you can still be up and running in other availability domains.

Load Balancer is a regional service. Load balancers come in pairs, active and passive, and public load balancers live in two separate availability domains, providing HA with no single point of failure.

The OCI load balancer supports TCP and the usual HTTP protocols, as well as HTTP/2 and WebSocket, including features such as data compression, server push and multiplexing of requests.

For security purposes, it supports SSL termination (offloading), end-to-end SSL and SSL tunneling.


Key differentiators for the LB service:
1. The service can be deployed either as public facing, where a listener runs on the public IP and the back-end servers are on the inside, or entirely private, to load balance within OCI between tiers.
2. You get a public or a dedicated IP address; you don't have to obtain a CNAME and work with that to use the service. The listener listens on the service port on this IP address, and the address is mapped to the user's OCI tenancy.
3. The load balancers come in three sizes: 100 Mbps, 400 Mbps and 8 Gbps. These sizes are for aggregate throughput, and the provisioned capacity is always available to the user: there is no warm-up period when using these shapes.
4. There is a single load balancer for HTTP and TCP, which makes the service easier to use in general.


OCI Load Balancing Service

• Load Balancer as a service, provides scale and HA
• Public and Private Load Balancer options
• Supported protocols: TCP, HTTP/1.0, HTTP/1.1, HTTP/2, WebSocket
• Supports SSL termination, end-to-end SSL, SSL tunneling
• Supports advanced features such as session persistence and content-based routing
• Key differentiators
  – Private or Public Load Balancer (with public IP address)
  – Provisioned bandwidth: 100 Mbps, 400 Mbps, 8 Gbps
  – Single load balancer for TCP (layer 4) and HTTP (layer 7) traffic


Public Load Balancer


Public Load Balancer

• Accepts traffic from the Internet by using a public IP address that serves as the entry point for incoming traffic.
• Public Load Balancer is a regional service.
• If your region includes multiple availability domains, a public load balancer requires either a regional subnet (recommended) or two availability domain-specific (AD-specific) subnets, each in a separate availability domain.
• The Load Balancing service creates a primary load balancer and a standby load balancer, each in a different availability domain.
• It supports AD failover in the event of an AD outage in an Oracle Cloud Infrastructure multi-AD region.
• A floating public IP is attached to the primary load balancer; in the event of an AD outage, the floating public IP is attached to the standby load balancer.
• The service treats the two load balancers as equivalent, and you cannot denote one as "primary."

Let's move forward and discuss how the LB service works.

There are two kinds of LBs, a public LB and a private LB. Let's first talk about the public LB.

When you create a public LB you select two ADs for the LB to reside in; in this case the LB lives in AD1 and AD2. Because OCI is going to create two copies of the LB to make the service highly available, you need two subnets (subnet 1 and subnet 2). After creation, the public load balancer sits at the edge of the VCN.

A primary load balancer is then selected automatically to hold the public IP, with a secondary load balancer in an active/standby configuration. This is completely invisible to the user; there is no requirement or capability to designate the primary or secondary LB. Next we have a listener. This is the public IP address and the service ports that are opened up to sit between the Internet and your back-end servers.

If one of the ADs goes down, the listener fails over to the other availability domain automatically, and the dotted line at the top of the diagram becomes the new path for the traffic.

This HA is built in; the user doesn't have to manage it. Remember there is no way, and no reason, to change which LB is acting as the primary load balancer. It is all managed by the service itself.

The second type of load balancer is a private LB. For a private load balancer the implementation is a bit different: two copies of the load balancer go into a single subnet. With an AD-specific subnet that means a single AD, so it doesn't give you HA in case of an AD outage. Other than this, all other capabilities are the same.


Public Load Balancer (Regional Subnets - recommended)

Diagram: Internet → public IP address → Listener → Load Balancer pair, Active in Availability Domain 1 and Failover in Availability Domain 2, both in Regional Subnet 1 of the VCN; the Backend Set, with Backend Servers in both ADs, sits in Regional Subnet 2.


Public Load Balancer (AD Specific Subnets)

Diagram: Internet → public IP address → Listener → Load Balancer (Active) in Subnet 1, Availability Domain 1, and Load Balancer (Failover) in Subnet 2, Availability Domain 2; the Backend Set, with Backend Servers in both ADs, sits in Subnet 3.


Private Load Balancer


Private Load Balancer

• It is assigned a private IP address from the subnet hosting the load balancer.
• The load balancer can be regional or AD-specific, depending on the scope of the host subnet. It is highly available within an AD with an AD-specific subnet, or highly available across ADs with a regional subnet.
• The primary and standby load balancers each require a private IP address from that subnet.
• The load balancer is accessible only from within the VCN that contains the associated subnet, or as further restricted by your security list rules.


Private Load Balancer (Using Regional Subnets)

Diagram: local VCN traffic → private IP address → Listener → Load Balancer pair, Active in Availability Domain 1 and Failover in Availability Domain 2, both in Regional Subnet 1 of the VCN; the Backend Set, with Backend Servers in both ADs, sits in Regional Subnet 2.


Private Load Balancer (with AD Specific Subnets)

Diagram: local VCN traffic → private IP address → Listener → Load Balancer (Active) and Load Balancer (Failover), both in the load balancer's subnet within Availability Domain 1 of the VCN; the Backend Set, with Backend Servers in both Availability Domain 1 and Availability Domain 2, sits in a separate back-end subnet.


Policies, Health Checks


Load Balancing Policies

• Round Robin: Default policy; distributes incoming traffic sequentially to each server in a backend set. After each server has received a connection, the load balancer repeats the list in the same order.
• IP Hash: Uses an incoming request's source IP address as a hashing key to route non-sticky traffic to the same back-end server.
• Least Connections: Routes incoming non-sticky request traffic to the back-end server with the fewest active connections.
• Load balancer policy decisions apply differently to TCP load balancers, cookie-based session-persistent HTTP requests (sticky requests), and non-sticky HTTP requests:
  – A TCP load balancer considers policy and weight criteria.
  – An HTTP load balancer with cookie-based session persistence forwards requests using the cookie's session information.
  – For non-sticky HTTP requests, the load balancer applies policy and weight criteria.


Health Check

• A health check is a test to confirm the availability of back-end servers.
• Health check is activated for:
  – Back-end server
  – Back-end set
  – Overall load balancer
• A load balancer IP can have up to 16 listeners (port numbers). Each listener has a back-end set that can have 1 to N back-end servers.
• The Health API provides a 4-state health status (ok, warning, critical, unknown).
• Health status is updated every three minutes. No finer granularity is available.

Diagram: a Load Balancer IP with two Listeners, each pointing at a Backend set of Server 1, Server 2 and Server 3.

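To see how the policy, weight, stickiness and health rules on the two previous slides interact, here is an added Python example. It is not code from this guide or from the OCI service: the three policies, the weights and the cookie override follow the slide text, while the thresholds used to roll individual backend health up into the four-state backend-set and load-balancer status are a simplifying assumption, marked as such in the code.

```python
"""Backend selection and health rollup as described on the Policies and Health
Check slides. Constructed example, not code from the course or from the OCI
service. The rollup thresholds are an assumption, not the service's exact rules.
"""
import hashlib
from dataclasses import dataclass

HEALTH_STATES = ("ok", "warning", "critical", "unknown")


@dataclass
class Backend:
    name: str
    weight: int = 1           # used by round robin and least connections
    health: str = "ok"
    active_conns: int = 0

    def __post_init__(self):
        if self.health not in HEALTH_STATES:
            raise ValueError(f"health must be one of {HEALTH_STATES}")


class BackendSet:
    def __init__(self, backends, policy="round_robin"):
        if policy not in ("round_robin", "ip_hash", "least_connections"):
            raise ValueError(f"unknown policy {policy!r}")
        self.backends = list(backends)
        self.policy = policy
        self._rr_index = 0

    def healthy(self):
        """Only backends whose health check passes are eligible for traffic."""
        return [b for b in self.backends if b.health == "ok"]

    def pick(self, client_ip, sticky_cookie=None):
        """Choose a backend for one request.

        A session-persistence cookie (modelled here as the backend's name) wins
        over the policy, but only while that backend is still healthy; a
        non-sticky request, or a cookie pointing at a failed backend, falls
        through to the policy and weight criteria. Returns None when nothing
        in the set is healthy."""
        pool = self.healthy()
        if not pool:
            return None
        if sticky_cookie is not None:
            for b in pool:
                if b.name == sticky_cookie:
                    return b
        if self.policy == "round_robin":
            # weight N places a backend N times in the rotation
            rotation = [b for b in pool for _ in range(b.weight)]
            chosen = rotation[self._rr_index % len(rotation)]
            self._rr_index += 1
            return chosen
        if self.policy == "ip_hash":
            # same source address -> same backend while the healthy set is unchanged
            digest = hashlib.sha256(client_ip.encode()).digest()
            return pool[int.from_bytes(digest[:4], "big") % len(pool)]
        # least_connections: fewest active connections per unit of weight, name as tie-break
        return min(pool, key=lambda b: (b.active_conns / b.weight, b.name))


def backend_set_health(backends):
    """Roll individual backend health into one of the four states.

    Assumed thresholds: all ok -> ok; at least half ok -> warning; fewer than
    half ok -> critical; no backends, or a majority reporting unknown -> unknown."""
    states = [b.health for b in backends]
    if not states or states.count("unknown") * 2 > len(states):
        return "unknown"
    ok = states.count("ok")
    if ok == len(states):
        return "ok"
    if ok * 2 >= len(states):
        return "warning"
    return "critical"


def load_balancer_health(backend_sets):
    """Assumed rule for the overall load balancer: ok only if every backend set
    is ok; critical or unknown only if every set reports that same state;
    any mixture is warning."""
    states = {backend_set_health(bs.backends) for bs in backend_sets}
    if not states:
        return "unknown"
    if len(states) == 1:
        only = states.pop()
        return only if only in ("ok", "critical", "unknown") else "warning"
    return "warning"
```

Note what the model makes explicit: a cookie can only pin a client to a backend that is still passing its health check, and the IP-hash mapping changes as soon as the healthy pool changes, so neither form of stickiness survives a backend failure.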

Summary

In this lesson, you should have learned how to:
• Explain the concepts and features of the OCI Load Balancing Service
• Describe Public and Private Load Balancers
• Describe Policies and Health Checks


Lesson 7: Compute
Oracle Cloud Infrastructure
Level 100
Rohit Rahi
Objectives

After completing this lesson, you should be able to:
• Describe Instance Configuration and Pool
• Create an Autoscaling Policy
• Describe Instance Console Connections
• Describe Bring Your Own Image
• Describe Bring Your Own Hypervisor

In this lecture, we'll dive deeper into the OCI compute service, talk about concepts and look at various features for compute. After we finish this lesson, you should be able to:
• Describe High Availability and Disaster Recovery in OCI
• Describe Instance Configuration and Pool
• Describe Instance Console Connections
• Create custom images – Import/Export
• Describe Bring Your Own Image (Emulated Mode)
• Describe Bring Your Own Hypervisor
• Describe GPU images
• Describe Cloud-Init and instance metadata


Bare Metal, VM and Dedicated Hosts

• Bare Metal (BM): Direct hardware access; customers get the full Bare Metal server (single-tenant model).
• Virtual Machine (VM): A hypervisor virtualizes the underlying Bare Metal server into smaller VMs (multi-tenant model).
• Dedicated VM Hosts (DVH): Run your VM instances on dedicated servers that are single-tenant and not shared with other customers.

VM compute instances run on the same hardware as Bare Metal instances, leveraging the same cloud-optimized hardware, firmware, software stack, and networking infrastructure.

To give you a brief overview: Oracle is the only public cloud that supports bare metal and VMs using the same set of APIs, hardware, firmware, software stack and networking infrastructure.

You can see the two models on the slide. Bare Metal instances are instances where customers get the full server; this is also referred to as the single-tenant model. The advantage here is that there is no performance overhead, no shared agents and no noisy neighbors.

At the other end of the spectrum are VMs, where the underlying host is virtualized to provide smaller VMs; this is also referred to as the multi-tenant model. The advantage here is flexibility in the choice of instance shapes.


Bare Metal

Direct Hardware Access with all the Security, Capabilities, Elasticity, and Scalability of Oracle Cloud Infrastructure

[Diagram: Bare Metal server; label: Hypervisor]

Typical Bare Metal workloads:
• Workloads that are performance-intensive
• Workloads that are not virtualized
• Workloads that require a specific hypervisor
• Workloads that require BYO licensing


Bare Metal Instances

Shape | Instance type | OCPU | RAM (GB) | Local Disk (TB) | Max Network Bandwidth | Max vNICs (Linux) | Max vNICs (Win)
BM.Standard2.52 | X7 Standard compute | 52 | 768 | Block Storage only | 2 x 25 Gbps | 52 | 27
BM.DenseIO2.52 | X7 Dense I/O compute | 52 | 768 | 51.2 TB NVMe SSD | 2 x 25 Gbps | 52 | 27
BM.Standard.E2.64 | E1 AMD Standard compute | 64 | 512 | Block Storage only | 2 x 25 Gbps | 75 | 76
BM.HPC2.36 | X7 High Frequency | 36 | 384 | 6.7 TB NVMe SSD | 1 x 100 Gbps RDMA | 50 | 1
BM.GPU2.2 | 2xP100 NVIDIA GPUs | 28 | 192 | Block Storage only | 2 x 25 Gbps | 28 | 15
BM.GPU3.8 | 8xV100 NVIDIA GPUs | 52 | 768 | Block Storage only | 2 x 25 Gbps | 52 | 27
BM.Standard1.36 | X5 Standard compute | 36 | 256 | Block Storage only | 10 Gbps | 36 | 1
BM.DenseIO1.36 | X5 Dense I/O compute | 36 | 512 | 28.8 TB NVMe SSD | 10 Gbps | 36 | 1
BM.Standard.B1.44 | X6 Standard compute | 44 | 512 | Block Storage only | 25 Gbps | 44 | NA

• Compute Standard E2 is based on the AMD EPYC™ processor.
• 2 x 25 Gbps means two NIC cards, each with 25 Gbps bandwidth.
• Network bandwidth is based on the expected bandwidth for traffic within a VCN.


Use Cases for AMD EPYC-Based Instances

• AMD EPYC Bare Metal server (64 cores, 512 GB RAM, 2 x 25 Gbps bandwidth, 75 vNICs) available at $0.03 core/hour; 66% cheaper than other options.
• AMD EPYC-based instances are ideal for maximizing price performance.
• Supported for Oracle applications, including E-Business Suite, JD Edwards, and PeopleSoft.
• Certified to run Cloudera, Hortonworks, MapR, and Transwarp.
• On a 10-TB full TeraSort benchmark, including TeraGen, TeraSort and TeraValidate, the AMD EPYC-based instance demonstrated a 40 percent reduction in cost per OCPU versus x86 alternatives, with only a very slight increase in run times.
• On a 4-node, 14M cell Fluent CFD simulation of an aircraft wing, the AMD EPYC-based instance demonstrated a 30 percent reduction in cost along with a slight reduction in overall run times as compared to an x86 alternative.


Import/Export and BYOI


Oracle-Provided Images

• An image is a template of a virtual hard drive that determines the operating system and other software for an instance. Images can be Oracle-provided, Custom, or BYOI.
• Oracle provides several pre-built images for Oracle Linux, Microsoft Windows, Ubuntu and CentOS.

Operating System | Image Name
Oracle Linux | Oracle-Linux-7.x-<date>-<number>, Oracle-Linux-6.x-<date>-<number>
CentOS 7 | CentOS-7-x-<date>-<number>, CentOS-6.x-<date>-<number>
Ubuntu 16.04 LTS | Canonical-Ubuntu-16.x-<date>-<number>, Canonical-Ubuntu-14.x-<date>-<number>
Windows Server 2012 R2 | Windows-Server-2012-R2-<edition>-<gen>.<date>-<number>
Windows Server 2008 R2 - VM | Windows-Server-2008-R2-Standard-Edition-VM-<date>-<number>
Windows Server 2016 | Windows-Server-2016-Datacenter-Edition-Gen2.<date>-<number>

All Oracle-provided images include firewall rules that allow only "root" on Linux instances or "Administrators" on Windows instances to make outgoing connections to the iSCSI network endpoint (169.254.0.2:3260) that serves the instance's boot and block volumes.

Oracle recommends that you do not reconfigure the firewall on your instance to remove these rules. Removing these rules allows non-root users or non-administrators to access the instance's boot disk volume. Oracle recommends that you do not create custom images without these rules unless you understand the security risks.
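The following Python script is an added example, not part of the Oracle student guide: it audits an iptables-save dump (for instance, one captured from an instance before it is turned into a custom image) for the iSCSI restriction described in the notes above. It accepts two shapes of the rule, an ACCEPT to 169.254.0.2:3260 limited to the root owner followed by a catch-all REJECT, or a single REJECT for every owner except root; the exact syntax that the shipped images use is an assumption, and the sample dumps are constructed for the example, so adapt the matcher to the rules as they actually appear on your image.

```python
"""Audit an iptables-save dump for the iSCSI boot-volume restriction.

Added example, not Oracle's code. The rule shapes recognised below are an
assumption about how the image expresses "root only may reach
169.254.0.2:3260"; the dumps are constructed test input.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

ISCSI_HOST = "169.254.0.2"
ISCSI_PORT = "3260"


@dataclass
class Rule:
    chain: str
    target: Optional[str] = None
    dest: Optional[str] = None
    dport: Optional[str] = None
    uid_owner: Optional[str] = None
    negate_owner: bool = False   # True for "! --uid-owner <user>"


def parse_rules(dump: str) -> List[Rule]:
    """Parse only the '-A CHAIN ...' lines; policy and COMMIT lines are skipped."""
    rules: List[Rule] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = Rule(chain=toks[1])
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "-j":
                rule.target = toks[i + 1]
                i += 2
            elif tok == "-d":
                rule.dest = toks[i + 1].split("/")[0]   # drop the /32 mask
                i += 2
            elif tok == "--dport":
                rule.dport = toks[i + 1]
                i += 2
            elif tok == "!" and i + 1 < len(toks) and toks[i + 1] == "--uid-owner":
                rule.negate_owner = True
                i += 1
            elif tok == "--uid-owner":
                rule.uid_owner = toks[i + 1]
                i += 2
            else:
                i += 1   # -p tcp, -m owner, --reject-with ... are not needed here
        rules.append(rule)
    return rules


def iscsi_restriction_intact(dump: str) -> bool:
    """True if outbound TCP to the iSCSI endpoint is permitted for root only."""
    saw_root_accept = False
    for r in parse_rules(dump):
        if r.chain != "OUTPUT" or r.dest != ISCSI_HOST or r.dport != ISCSI_PORT:
            continue
        if r.target == "ACCEPT":
            if r.uid_owner == "root" and not r.negate_owner:
                saw_root_accept = True
            else:
                return False   # an ACCEPT for anyone else defeats the restriction
        elif r.target in ("REJECT", "DROP"):
            if r.negate_owner and r.uid_owner == "root":
                return True    # "! --uid-owner root -j REJECT" form
            if r.uid_owner is None:
                return saw_root_accept   # catch-all REJECT is only good after the root ACCEPT
    return False   # no rule mentions the endpoint at all


# Constructed sample dumps (not captured from a real instance).
GOOD_DUMP = """*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT -d 169.254.0.2/32 -p tcp -m owner --uid-owner root -m tcp --dport 3260 -j ACCEPT
-A OUTPUT -d 169.254.0.2/32 -p tcp -m tcp --dport 3260 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
NEGATED_DUMP = """*filter
-A OUTPUT -d 169.254.0.2/32 -p tcp -m tcp --dport 3260 -m owner ! --uid-owner root -j REJECT
COMMIT
"""
STRIPPED_DUMP = """*filter
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
"""
UNRESTRICTED_DUMP = """*filter
-A OUTPUT -d 169.254.0.2/32 -p tcp -m tcp --dport 3260 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, dump in [("good", GOOD_DUMP), ("negated", NEGATED_DUMP),
                       ("stripped", STRIPPED_DUMP), ("unrestricted", UNRESTRICTED_DUMP)]:
        print(f"{name:12s} iSCSI restriction intact: {iscsi_restriction_intact(dump)}")
```

Run it against the output of `iptables-save` on the instance you are about to capture; a False result means the custom image would ship without the protection the notes describe.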


Oracle-Provided Images

• Linux Images
  – Username opc is created automatically for instances created from Oracle Linux/CentOS images.
  – Username ubuntu is created automatically for instances created from the Ubuntu image.
  – These users have sudo privileges and are configured for remote access over SSH v2.
  – The default set of firewall rules allows only SSH access (port 22).
  – Provide a startup script using cloud-init.
• Windows Images
  – Username opc is created automatically with an OTP (one-time password).
  – Include the Windows Update utility to get the latest Windows updates from Microsoft.


Custom Images

• Create a custom image of an instance's boot disk and use it to launch other instances.
• Instances you launch from your custom image include the customizations, configuration, and software installed when you created the image.
• During the process, the instance shuts down and remains unavailable for several minutes. The instance restarts when the process completes.
• Custom images do not include the data from any attached block volumes.
• A custom image cannot exceed 300 GB.
• Windows custom images cannot be exported or downloaded out of the tenancy.


Image Import/Export

• The Compute service enables you to share custom images across tenancies and regions using image import/export.
• Image import/export uses the OCI Object Storage service.
• You can import Linux and Windows operating systems.
• Supports:
  – Emulation Mode:
    — The virtual machine's I/O devices (disk, network), CPU, and memory are implemented in software.
    — An emulated VM can support almost any x86 operating system. These VMs are slow.
  – Paravirtualized:
    — The virtual machine includes a driver specifically designed to enable virtualization.
  – Native Mode: Same as Hardware Virtualized Machine (HVM); offers maximum performance with modern OSs.
• You can also find more information about custom images here:
  https://cloud.oracle.com/iaas/whitepapers/deploying_custom_os_images.pdf


Bring Your Own Image (BYOI)

The Bring Your Own Image (BYOI) feature enables you to bring your own versions of operating systems to the cloud as long as the underlying hardware supports it. BYOI can help with the following scenarios:
• Enables lift-and-shift cloud migration projects
• Supports both old and new operating systems
• Encourages experimentation
• Increases infrastructure flexibility

[Diagram: On-premises qcow2 Image → Object Storage (OCI Region) → Custom Image → Instance]

NOTE: You must comply with all licensing requirements when you upload and start instances based on OS images that you supply.

You also have the ability to import and export an image. This gives you the ability to move images between regions and tenancies.

All images imported and exported are placed in a bucket of your choice in Object Storage.

There are three import modes that you can use for your images:

The first option is Emulation mode, where all the drivers for network and boot disk are fully emulated.

The second option is Native Mode, which offers the maximum performance because the drivers are directly connected with the hardware; it is a good fit for Bare Metal instances.

The third mode is Paravirtualized or PV Mode, which minimizes overhead and optimizes performance, allowing newer operating systems to take advantage of it.


Boot Volume


Boot Volumes

• A compute instance is launched using the OS image stored on a remote boot volume.
• A boot volume is created automatically and associated with an instance until you terminate the instance.
• Boot volumes are encrypted, have faster performance, lower launch times, and higher durability for BM and VM instances.
• A compute instance can be scaled to a larger shape by using boot volumes.
• You can preserve the boot volume when you terminate a compute instance.
• Boot volumes are only terminated when you manually delete them.
• Boot volumes cannot be detached from a running instance.
• It is possible to take a manual backup, assign a backup policy, or create a clone of a boot volume.

So we briefly discussed boot volumes earlier.

When any instance is launched (virtual machine or bare metal) from an Oracle-provided image or a custom image, a new boot volume for the instance is created in the same compartment. That boot volume is associated with that instance until you terminate the instance. When you terminate the instance, you have the option of preserving the boot volume and its data. This feature gives you more control over the boot volumes of your compute instances. For instance:

It gives you the ability to preserve your boot disk content by keeping it when you terminate a compute instance; you can use the preserved boot volume to create a new instance.

Just like block volumes are replicated across ADs, boot volumes are also highly durable, as they are replicated across ADs automatically.

Boot volumes can also help in instance scaling. Since you can preserve the boot volume when terminating an instance, the preserved boot volume can be used with a new instance of a different shape, which can have more OCPUs.

The launch times are much faster than before.

All boot volumes are encrypted at rest, like block volumes.

It also helps us in troubleshooting or repairing boot disks.

To use boot volumes, there is nothing special that one needs to do. Moving forward, all instances that are launched will use boot volumes, with all the features we talked about earlier.


Custom Boot Volumes

• You have the option of specifying a custom boot volume size.
• To take advantage of the larger size, you must first extend the root (Linux-based images) or system (Windows-based images) partition.

Linux default size is 46.6 GB; Windows default size is 256 GB.


Custom Image Versus Boot Volume Backup

Custom Images
Pros:
• You can export a custom image across regions and tenancies.
• There is no cost associated with storing your custom images.
Cons:
• The instance shuts down and remains unavailable for several minutes until the process finishes.
• Limit of 25 custom images per compartment.

Boot Volume Backup
Pros:
• It doesn't require downtime.
• Preserves the entire state of your running operating system as a backup.
Cons:
• Cost is associated with the amount of Object Storage used to store your backup.
• Creating a boot volume backup while the instance is running creates a crash-consistent backup.


Instance Configurations, Pools, Autoscaling


Instance Configuration and Pool

[Diagram: a Running Instance is captured into an Instance Configuration (OS image, metadata, shape; vNICs, storage, subnets); from that configuration multiple instances are launched across different Availability Domains, managed all together (stop, start, terminate) and attached to a Load Balancer]

Instance Configurations
• Define the configuration information to launch a Compute instance.
• Include parameters (OS image, metadata, shape) and related resources as a single configuration entity, so you don't have to specify them every time you launch a new instance.
• Configure attached storage volumes, VNICs, subnets and AD placements all with a single request.

Instance Pools
• Provision and create multiple compute instances based off the same instance configuration, within the same region.
• Scale up/down.
• 1 pool : 1 configuration, but 1 configuration : n pools.
• Instance Pools are a building block needed to implement Autoscaling.

An Instance Configuration is a template that defines a set of required and optional parameters needed to create a compute instance on Oracle Cloud Infrastructure, including OS image, shape and resources such as block volumes attached to the instance, as a single configuration entity. You can create an Instance Configuration from an existing running instance or construct a custom Instance Configuration via the CLI. When boot or data storage volumes do not already exist, these resources are automatically created for you when launching an instance. With one single action, you can launch an instance, and we create storage volumes, attach VNICs and stripe the set number of instances evenly across the desired availability domains (ADs) for you. This would normally require manual provisioning of each individual resource on the platform to launch an instance.

Oracle Cloud Infrastructure has created a new, powerful approach that launches and manages identical VM instances in a logical group called an Instance Pool. The pool automatically provisions a horizontally scalable pool of VM instances. An Instance Pool uses an instance configuration template that contains all the settings for how you want an instance created. Instance Pools manage the launching of identical instances based on the instance configuration template. The pool maintains your configured instance count and can be updated to scale on demand. The Instance Pool constantly monitors its own health state to ensure all instances are in a running state. In the event of any instance failure, the pool automatically self-heals and takes corrective action to bring the pool back to a healthy state.


Instance Configuration and Pool – Use Cases

• Instance Configurations
  – Clone an instance and save it to a configuration file.
  – Create standardized baseline instance templates.
  – Easily deploy instances from the CLI with a single configuration file.
  – Automate the provisioning of many instances and their resources, and handle the attachments.
• Instance Pools
  – Centrally manage a group of instance workloads that are all configured with a consistent configuration.
  – Update a large number of instances with a single instance configuration change.
  – Maintain high availability and distribute instances across availability domains within a region.
  – Scale out instances on demand by increasing the instance size of the pool.

Here you can see some use cases for Instance Configurations and Pools.


Autoscaling Configurations

• Autoscaling enables you to automatically adjust the number of Compute instances in an instance pool based on performance metrics such as CPU or memory utilization.
• When an instance pool scales in, instances are terminated in this order: the number of instances is balanced across availability domains, and then balanced across fault domains. Finally, within a fault domain, the oldest instance is terminated first.

[Diagram: Instance Pool before scale and Instance Pool after scale, with Minimum Size, Initial Size and Maximum Size marked]

Scaling Rule:
If CPU or Memory > 70%, add 2 instances
If CPU or Memory < 70%, remove 2 instances
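As an added example, not code from the Oracle guide or the OCI service, the Python model below simulates the scaling rule on the slide together with the scale-in termination order described above (balance across ADs, then across fault domains, then oldest first). Two assumptions are made explicit in the code: scale-out placement puts a new instance in the least-populated AD and then the least-populated fault domain within it, and when CPU is above the 70% threshold while memory is below it the pool scales out rather than in (the two rules on the slide would otherwise both fire); the AD and fault-domain names, the pool sizes and the metric samples are constructed for the demonstration, and the service's own evaluation cadence and cooldowns are not modelled.

```python
"""Simulate an autoscaling policy and the pool's scale-in order.

Added example, not Oracle's implementation. Pool layout, AD/FD names and
metric samples are constructed; placement on scale-out is an assumption.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Instance:
    name: str
    ad: str        # availability domain, e.g. "AD-1"
    fd: str        # fault domain within that AD, e.g. "FD-2"
    created: int   # launch sequence number; lower means older


@dataclass
class Pool:
    min_size: int
    max_size: int
    ads: Tuple[str, ...] = ("AD-1", "AD-2", "AD-3")
    fds: Tuple[str, ...] = ("FD-1", "FD-2", "FD-3")
    instances: List[Instance] = field(default_factory=list)
    launched: int = 0

    def size(self) -> int:
        return len(self.instances)

    def _next_slot(self) -> Tuple[str, str]:
        # Assumption: place in the least-populated AD, then the least-populated
        # FD inside it; ties go to the first name in the tuple.
        ad_counts = Counter(i.ad for i in self.instances)
        ad = min(self.ads, key=lambda a: ad_counts[a])
        fd_counts = Counter(i.fd for i in self.instances if i.ad == ad)
        fd = min(self.fds, key=lambda f: fd_counts[f])
        return ad, fd

    def launch(self) -> Instance:
        ad, fd = self._next_slot()
        self.launched += 1
        inst = Instance(f"inst-{self.launched}", ad, fd, self.launched)
        self.instances.append(inst)
        return inst

    def choose_victim(self) -> Instance:
        """Scale-in order from the slide: pick from the most populated AD,
        then the most populated FD within those, then the oldest instance."""
        ad_counts = Counter(i.ad for i in self.instances)
        top_ad = max(ad_counts.values())
        in_ads = [i for i in self.instances if ad_counts[i.ad] == top_ad]
        fd_counts = Counter((i.ad, i.fd) for i in in_ads)
        top_fd = max(fd_counts.values())
        in_fds = [i for i in in_ads if fd_counts[(i.ad, i.fd)] == top_fd]
        return min(in_fds, key=lambda i: i.created)

    def terminate_one(self) -> Instance:
        victim = self.choose_victim()
        self.instances.remove(victim)
        return victim


def evaluate_rule(cpu_pct: float, mem_pct: float,
                  threshold: float = 70.0, step: int = 2) -> int:
    """Desired change in instance count for one evaluation of the slide's rule.
    Scale out if either metric is above the threshold; scale in only when
    both are below it (assumption resolving the overlap of the two rules)."""
    if cpu_pct > threshold or mem_pct > threshold:
        return step
    if cpu_pct < threshold and mem_pct < threshold:
        return -step
    return 0


def apply_scaling(pool: Pool, cpu_pct: float, mem_pct: float) -> int:
    """Apply the rule, clamped to [min_size, max_size]; return the new size."""
    target = pool.size() + evaluate_rule(cpu_pct, mem_pct)
    target = max(pool.min_size, min(pool.max_size, target))
    while pool.size() < target:
        pool.launch()
    while pool.size() > target:
        pool.terminate_one()
    return pool.size()


def demo() -> List[int]:
    """Constructed scenario: initial size 4, minimum 2, maximum 8."""
    pool = Pool(min_size=2, max_size=8)
    for _ in range(4):
        pool.launch()
    samples = [(85, 40), (90, 75), (95, 10), (30, 20), (20, 10), (10, 10)]
    return [apply_scaling(pool, cpu, mem) for cpu, mem in samples]


if __name__ == "__main__":
    print("pool sizes after each evaluation:", demo())
```

The third sample shows the maximum clamping a scale-out, and the last three show scale-in stopping at the minimum; printing each victim from `terminate_one` makes the AD-then-FD-then-age order visible.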


Instance Metadata and Lifecycle


Instance Metadata

• Instance metadata includes the instance's OCID, name, compartment, shape, region, AD, creation date, state, image, and any custom metadata such as an SSH public key.
• The metadata service runs on every instance and is an HTTP endpoint listening on 169.254.169.254.
• Get instance metadata by logging in to the instance and querying the metadata service.
• Oracle-provided Linux instances:
  – curl http://169.254.169.254/opc/v1/instance/
  – curl http://169.254.169.254/opc/v1/instance/metadata/
  – curl http://169.254.169.254/opc/v1/instance/metadata/<key-name>/
• Add and update custom metadata for an instance using the CLI or SDK.
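To show how the three curl paths on the slide map onto the document the service returns, here is an added Python example (not Oracle's code or SDK). The JSON document is constructed to resemble a response from http://169.254.169.254/opc/v1/instance/, using the field names the slide lists; the OCIDs and other values are placeholders. Because the v1 endpoint answers any local process without credentials, the example also flags custom metadata keys whose names suggest a secret was placed there, and decodes the base64 `user_data` value that cloud-init consumes.

```python
"""Resolve metadata-service paths against an instance metadata document.

Added example, not Oracle's code. SAMPLE_INSTANCE_JSON is constructed to
look like the v1 instance document; all identifiers are placeholders.
"""
import base64
import json
from typing import Any, Dict, List

METADATA_BASE = "http://169.254.169.254/opc/v1/instance/"

SAMPLE_INSTANCE_JSON = """{
  "id": "ocid1.instance.oc1..PLACEHOLDER",
  "displayName": "web-01",
  "compartmentId": "ocid1.compartment.oc1..PLACEHOLDER",
  "shape": "VM.Standard2.1",
  "region": "phx",
  "availabilityDomain": "Uocm:PHX-AD-1",
  "timeCreated": 1600000000000,
  "state": "Running",
  "image": "ocid1.image.oc1..PLACEHOLDER",
  "metadata": {
    "ssh_authorized_keys": "ssh-rsa AAAAB3CONSTRUCTED== opc",
    "user_data": "I2Nsb3VkLWNvbmZpZw==",
    "db_password": "hunter2"
  }
}"""


def load_sample() -> Dict[str, Any]:
    return json.loads(SAMPLE_INSTANCE_JSON)


def metadata_url(path: str) -> str:
    """URL a client would request for a path under /opc/v1/instance/."""
    return METADATA_BASE + path.lstrip("/")


def lookup(doc: Dict[str, Any], path: str) -> Any:
    """Map a URL path suffix onto the JSON tree:
    ''                      -> the whole instance document
    'metadata/'             -> the custom metadata object
    'metadata/<key-name>/'  -> one custom metadata value
    """
    node: Any = doc
    stripped = path.strip("/")
    for part in (stripped.split("/") if stripped else []):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"no such metadata path: {path}")
        node = node[part]
    return node


# Key-name fragments that suggest a credential was stored as metadata
# (heuristic chosen for this example).
SECRET_HINTS = ("password", "passwd", "secret", "token")


def suspicious_metadata_keys(doc: Dict[str, Any]) -> List[str]:
    """Custom metadata keys whose names hint at a secret; any local
    process can read the v1 endpoint, so such values are exposed."""
    custom = lookup(doc, "metadata/")
    return sorted(k for k in custom if any(h in k.lower() for h in SECRET_HINTS))


def decode_user_data(doc: Dict[str, Any]) -> str:
    """user_data is stored base64-encoded; cloud-init reads the decoded text."""
    raw = lookup(doc, "metadata/user_data/")
    return base64.b64decode(raw).decode("utf-8")


if __name__ == "__main__":
    doc = load_sample()
    print(metadata_url("metadata/ssh_authorized_keys/"))
    print("ssh key:", lookup(doc, "metadata/ssh_authorized_keys/"))
    print("user_data starts with:", decode_user_data(doc).splitlines()[0])
    print("keys to move to a secret store:", suspicious_metadata_keys(doc))
```

`lookup` raises KeyError for an unknown key, which corresponds to the 404 the endpoint returns for a path that does not exist.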


Instance Life Cycle

• Start – Restarts a stopped instance. After the instance is restarted, the Stop action is enabled.
• Stop – Shuts down the instance. After the instance is powered off, the Start action is enabled.
• Reboot – Shuts down the instance, and then restarts it.
• Terminate – Permanently deletes instances that you no longer need.
  – The instance's public and private IP addresses are released and become available for other instances.
  – By default, the instance's boot volume is deleted. However, you can preserve the boot volume and attach it to a different instance as a data volume, or use it to launch a new instance.
• Resource Billing
  – Standard shapes: billing pauses in the STOP state.
  – Dense I/O shapes: billing continues even in the STOP state.
  – GPU shapes: billing continues in the STOP state.
  – HPC shapes: billing continues in the STOP state.


Summary

In this lesson, you should have learned the following:

• The OCI Compute Service offers Bare Metal, Virtual Machine and Dedicated Host instances.
• Bare Metal instances provide direct hardware access and the highest level of performance and isolation.
  – Supports a wide variety of shapes with industry-leading price/performance.
  – Supports both X7 and AMD EPYC based instances with industry-leading price/performance.
• Image options include Oracle-provided images, BYOI, custom images, and image import/export.
• Advanced features include instance configurations, pools and autoscaling.


Oracle Cloud Infrastructure

Oracle Container Engine for Kubernetes

Level 100
Jamal Arif

Lesson 8
Objectives

After completing this lesson, you should be able to:

• Describe containers and the Docker container engine
• Describe orchestration systems and Kubernetes
• Describe Oracle Container Engine for Kubernetes
• Create a K8s cluster in OCI using “quickstart”


Key Containers/Orchestration Use Cases

Use Case | Share | Container Use Cases | Orchestration Use Cases
Development | 65% | Developer productivity; consistent appstacks in Dev, Test & Production | Automated deploys to accelerate application release cadence
CI/CD/DevOps | 48% | Containerized dependencies; container registries | Rolling updates and reversals
Operations | 41% | Standardized environments for dev, testing and operations | Resilient, self-healing systems; High Availability; Elastic Scalability
Refactor Legacy Apps | 34% | Refactor from N-tier to portable containerized applications | Run distributed, stateful apps on scale-out infrastructure
Migrate to Cloud | 33% | Move entire appstacks and see them run identically in the cloud | Cloud bursting; reduce infrastructure costs by avoiding over-provisioning
New Microservice Apps | 32% | Create small purpose-built services that can be assembled into scalable custom applications | Dynamically manage large-scale microservices infrastructure

SOURCE: THE EVOLUTION OF THE MODERN SOFTWARE SUPPLY CHAIN, DOCKER SURVEY 2016

There is a wide range of use cases to which Docker containers can be applied, but as soon as the scale increases, orchestration becomes necessary. With Kubernetes, Docker infrastructure can be made to scale and to support much more advanced use cases.


Docker and Kubernetes

Docker Containers
• Popular, easy-to-use tooling targeting developer productivity
• De facto standard container runtime and image format
• Used for developer on-boarding and first generation application management

Kubernetes Orchestration
• Production grade container management targeting DevOps and operations, with widespread adoption
• Complex but powerful toolset supporting cloud scale applications
• Rich operations feature set: autoscaling, rolling upgrades, stateful apps and more

Oracle's strategy for container-based services focuses on the leading technologies for containers and orchestration: Docker and Kubernetes. With these technologies, you can create applications at any scale, from simple DevOps setups to global mission-critical enterprise applications. Because the technologies are so widely used, they support a truly hybrid architecture, running apps on premises and in multiple clouds.


Docker and Kubernetes Lead the Market

Containers (Docker)
• 60% of enterprise companies (500+ hosts) use Docker
• 15% of all the hosts at these companies run Docker

Orchestration (Kubernetes)
• 40% of Docker users also use orchestrators
• 80% of these orchestration users prefer Kubernetes

“Hosts” refers to computers, servers, and VMs.

Docker:
• Popular, easy to use tooling targeting developer productivity
• De facto standard container runtime and image format
• Developer on-boarding and Gen1 application management (Compose, Swarm)

Kubernetes:
• Production grade container management targeting DevOps and Ops, with widespread adoption
• Complex but powerful toolset supporting Gen2 applications
• Rich operations feature set: autoscaling, rolling upgrades, stateful apps and more


Container Orchestration and Containers as a Service (CaaS)

Container Orchestration
• Multi-container apps
• Scheduling
• Service Discovery
• Maintaining Desired State

Containers as a Service (CaaS)
• Orchestration as a service
• Hosted Container Runtime
• Minimize operational overhead


Container Engine for Kubernetes - OKE


Three Ways to Run Kubernetes on Oracle Cloud Infrastructure

Roll Your Own: Oracle Cloud Infrastructure – Roll-Your-Own Container Management
Pre-Built Installer: Quickstart Experience (OSS Terraform Installer on GitHub) – Pre-Built Kubernetes Installer
Managed Service: Container Engine for Kubernetes (OKE) – Enterprise Class Managed Kubernetes Service


Terraform Kubernetes Installer for OCI

• Open source, based on Terraform
  – Developed by Oracle for Kubernetes on OCI
  – Available now on GitHub
    — https://github.com/oracle/terraform-kubernetes-installer
• Key Highlights
  – Highly available Kubernetes cluster configured in your OCI tenancy and compartment
  – Creates the VCN, subnets, LBs and instances for the control plane
  – Specify the number and shape of nodes for your cluster
  – Scale your cluster as needed

[Diagram: Internet clients (kubectl, etc.) reach an OCI LB (k8s-master) in front of the k8s-master-n nodes; an optional OCI LB (etcd) fronts etcd-1 (ad-1), etcd-2 (ad-2) and etcd-3 (ad-3); everything runs inside one OCI Compartment]

https://blogs.oracle.com/developers/get-a-highly-available-kubernetes-cluster-on-oracle-cloud-infrastructure-in-minutes


Container Engine for Kubernetes (OKE): Introduction

What is It?
• Managed Kubernetes container service to deploy and run your own container-based apps
• Tooling to create, scale, manage & control your own standard Kubernetes clusters instantly

What Problems Does it Solve?
• Too complex, costly and time consuming to build & maintain environments
• Too hard to integrate Kubernetes with a registry and build process for container lifecycle management
• Too difficult to manage and control team access to production clusters

Key Benefits
• Enables developers to get started and deploy containers quickly. Gives DevOps teams visibility and control for Kubernetes management.
• Combines the production grade container orchestration of open Kubernetes with the control, security, IAM, and high, predictable performance of Oracle's next generation cloud infrastructure.

Formal name: Oracle Cloud Infrastructure Container Engine for Kubernetes

• Enables developers to get started and deploy containers quickly, and gives DevOps teams Kubernetes management, visibility and control.
• Combines the production grade container orchestration of open Kubernetes with the control, security and high, predictable performance of Oracle's next generation OCI cloud infrastructure.


Kubernetes Challenges

• Managing Kubernetes Infrastructure, upgrading, security
• Container networking & persistent storage
• Reliability
• CI/CD Integration, automated testing, conditional release

Chart: percentages reported by companies with >1,000 containers, by challenge: Security, Networking, Complexity, Storage, Monitoring, Logging, Managing Teams & Access, Scaling Based on Load, Choosing solution, Vendor Support (scale 0 to 60). Source: CNCF Survey, The New Stack, 22 Mar 2018.

• Managing Kubernetes Infrastructure
  - Maintaining and upgrading versions, components
  - Setting up security
  - Deploying clusters
• Container networking & storage
  - Creating and maintaining network overlays
  - Connecting containers to persistent storage
• Managing Teams
  - How to manage & control team access
  - Leveraging existing access control infrastructure
• CI/CD Integration
  - How do I drive automated testing and conditional release into my application lifecycle?


Working with OKE and OCIR on OCI

Diagram: OCI Registry (OCIR), OCI Container Engine for Kubernetes (OKE) and the Customer’s OCI Account/Tenancy, all on Oracle Cloud Infrastructure.
• OCI Registry (OCIR), Oracle managed: in-flight and at rest data encryption
• OCI Container Engine for Kubernetes (OKE), Oracle managed: Cluster Management; HA - 3 Masters/etcd across 3 ADs; Container Engine Dashboard
• Customer’s OCI Account/Tenancy, customer managed: VM based Clusters and Nodes; Bare Metal Clusters and Nodes

The grey shaded area designates the functions that Oracle manages for customers, including an integrated Registry and image storage and the Container Engine / Managed Kubernetes. Oracle will manage the etcd and Master nodes of the Kubernetes instance, in a High Availability setup for the customer. Upgrades to new versions of Kubernetes will also be supported in the Container Engine dashboard, within the OCI console.

The customer will manage the Clusters/Worker Nodes that are set up by the Managed Service for that instance, in their own OCI account/tenancy, shaded in blue above.

Note: The customer will need to bring their own OCI account to create clusters for the managed Kubernetes cloud service and pay for any infrastructure usage incurred with their clusters of worker nodes.


OKE/OCIR Pricing and Packaging

Diagram: the same three areas as on the previous slide, with their pricing.
• OCI Registry (OCIR), Oracle managed: Free (in-flight and at rest data encryption)
• OCI Container Engine for Kubernetes (OKE), Oracle managed: Free (Cluster Management; HA - 3 Masters/etcd across 3 ADs; Container Engine Dashboard)
• Customer’s OCI Account/Tenancy, customer managed (VM based or Bare Metal Clusters and Nodes): pay only for the OCI resources used to run your K8s clusters (VM’s, Storage, LB, etc.)

Users DO NOT pay for any of the Oracle-managed container infrastructure (the grey area). This is the “Control Plane” that enables you to configure these services and maintains operations, versions, availability, etc.

The user pays regular fees for the Compute, Storage, and Networking used in the “Data Plane” (the blue area), where the applications run, data is stored, etc.


Oracle Container Engine (OKE) and Registry

Container Native
• Standard Docker & Kubernetes
  – Deploy standard & open upstream Docker and Kubernetes versions for compatibility across environments
• Registry Integration
  – Full Docker v2 compatible private registry to store and manage images
• Container Engine
  – Deploy and operate containers and clusters
• Full integration to cloud networking and storage
  – Leverage the enterprise class networking, load balancing and persistent storage of Oracle Cloud Infrastructure

Developer Friendly
• Streamlined Workflow
  – Use your favorite CI to push containers to the registry, then Kubernetes to deploy to clusters and manage operations
• Full REST API
  – Automate the workflow, create and scale clusters through the full REST API
• Built In Cluster Add-Ons
  – Kubernetes Dashboard, DNS & Helm
• Open Standards
  – Docker Based Runtime
  – Standard Kubernetes

Enterprise Ready
• Simplified Cluster Operations
  – Fully managed, highly available registry, master nodes and control plane
  – One-click Quick Create for secure Private Worker Nodes/Subnets
• Full Bare Metal Performance and Highly Available IaaS
  – Combine Kubernetes with bare metal shapes for raw performance
  – Deploy Kubernetes clusters across multiple Availability Domains for resilient applications
• Team Based Access Controls
  – Worker Node SSH Access
  – Control team access and permissions to clusters


Containers Use Case: Lift & Shift WebLogic Application

Diagram (left to right, on Oracle Cloud Infrastructure): WebLogic Application + WebLogic Server → Containerize WebLogic (Dockerfile) → Push WebLogic Application for CI/CD (Container Pipelines, Jenkins, etc.: Build, Test, Push) → Push Docker image to Cloud Infrastructure Registry → Pull WebLogic and Operator images from Registry with Container Engine for Kubernetes → Deploy images to production on Kubernetes worker nodes (WebLogic Application + Server, and the WebLogic Operator managing WebLogic Domains). The Data Store (ex. Oracle Database) is migrated to Autonomous Transaction Processing.

An Oracle-specific, but popular, use case for containerization is “Lift and Shift WebLogic.” “WebLogic” consists of the WebLogic Application and WebLogic Server. WebLogic works with a database, such as Oracle Database, to serve web requests for, say, a sales portal. The entire WebLogic Application and Server are then containerized and defined in a Dockerfile, without any refactoring. After that, a CI/CD tool such as Container Pipelines, or Jenkins, is used to build, test, and push the resulting container image to Cloud Infrastructure Registry.

This image, as well as the WebLogic Operator image (source available on GitHub: https://github.com/oracle/weblogic-kubernetes-operator), are pulled from the Registry using Oracle Container Engine for Kubernetes. The WebLogic Application + Server, and its Operator, are then deployed into production on Kubernetes Worker Nodes. The resulting application is more scalable, available, and performant.


Containers Use Case: Refactor an Existing Application

Diagram (left to right, on Oracle Cloud Infrastructure): Monolith Application (User Interface, App Server + Data Access, Data Store) → Re-factor app into Microservices (User Interface, App Server + Data Access, Data Store) → Push Code to CI/CD toolchain (Container Pipelines, Jenkins, etc.: Build, Test, Push) → Push Docker image to Cloud Infrastructure Registry → Pull images from Registry with Container Engine for Kubernetes → Deploy images to production as containers running microservices on Kubernetes worker nodes.

A general use case for leveraging containers is refactoring existing applications. In order to do this, an existing application, consisting of User Interface, App Server + Data Access, is rewritten as microservices, with each microservice running in a separate Docker container. The data store is also containerized; databases such as MySQL, Cassandra, MongoDB, etc. are available on Docker Hub. The code is stored in a Source Code Management System, such as GitHub.

The application and associated build scripts are then pushed into a CI/CD toolchain, such as Container Pipelines, or Jenkins. After build and test, Docker images are generated and are pushed into a private registry such as Oracle Cloud Infrastructure Registry. Oracle Container Engine for Kubernetes, an enterprise-grade orchestration system for containers, can then be used to pull these Docker images and deploy the application and data store into production. The use of microservices allows the application to be more agile (code pushed more frequently), efficient, scalable, and easier to debug.


Creating an OKE Cluster in OCI


Pre-requisites for Creating a K8s Cluster Via Quickstart

• Monthly Universal Credits accounts have a limit of 3 clusters per OCI region with 1000 nodes in a cluster; Pay-as-you-go or Promo accounts have a limit of one cluster (by default)
• Must also have compute Instance Quota (required) to launch k8s worker nodes in an AD or across ADs for HA
• Required policy in the root compartment of your tenancy:
  allow service OKE to manage all-resources in tenancy
• To launch a K8s cluster, the user must be either part of the Admin group or a group to which a policy grants the appropriate Container Engine for Kubernetes permissions.
• Policies can be created for users which are not part of the admin group
• For example, to enable users in group ’dev-team’ to perform any operation on cluster-related resources:
  allow group dev-team to manage cluster-family in tenancy
• Note: Policies must also grant the group ‘dev-team’ Networking permissions of VCN_READ and VCN_CREATE, SUBNET_READ and SUBNET_CREATE, COMPARTMENT_INSPECT, INTERNET_GATEWAY_CREATE, NAT_GATEWAY_CREATE, ROUTE_TABLE_UPDATE, SECURITY_LIST_CREATE. Details here: https://docs.cloud.oracle.com/iaas/Content/ContEng/Concepts/contengprerequisites.htm


OKE Quickstart: Create Cluster (screenshot)


OKE Quickstart

Step 1: Navigate to Menu → Developer Services → Container Clusters (OKE) → OKE Quickstart

Step 2: Cluster Creation
• Name of the Cluster
• The version of Kubernetes to run on the master nodes and worker nodes of the cluster. Either accept the default version or select a version of your choice. Amongst other things, the Kubernetes version you select determines the default set of admission controllers that are turned on in the created cluster (the set follows the recommendation given in the Kubernetes documentation for that version).


OKE Quickstart

Step 2: Cluster Creation
• New network resources for the cluster are created automatically; the worker nodes in a 'quick cluster' can be created in private or public subnets. A NAT gateway is created in the case of private subnets.
• Shape: The compute shape to use for each node in the node pool.
• Quantity per Subnet: The number of worker nodes to create for the node pool in each private subnet.
• Public SSH Key: (Optional) The public key is installed on all worker nodes in the cluster, and you can use this key to access the worker nodes (connect via a Bastion Host, since the worker nodes are in private subnets).
• Kubernetes Labels: One or more labels (in addition to a default label) to add to worker nodes in the node pool to enable the targeting of workloads at specific node pools.


OKE Quickstart

Step 2: Cluster Creation
• Kubernetes Dashboard Enabled: Select if you want to use the Kubernetes Dashboard to deploy and troubleshoot containerized applications, and to manage Kubernetes resources. See Starting the Kubernetes Dashboard.
• Tiller (Helm) Enabled: Select if you want Tiller (the server portion of Helm) to run in the Kubernetes cluster. With Tiller running in the cluster, you can use Helm to manage Kubernetes resources.

Starting the Kubernetes Dashboard: https://docs.cloud.oracle.com/iaas/Content/ContEng/Tasks/contengstartingk8sdashboard.htm


K8s Cluster in minutes... Cluster details (screenshot)

K8s Cluster in minutes... Node Pool details (screenshot)

Accessing the K8s Cluster - Dashboard (screenshots)

Accessing the K8s Cluster with kubectl (screenshot)
https://kubernetes.io/docs/reference/kubectl/kubectl/


Accessing the Cluster Endpoints Through Ingress Controllers

• Ingress is the built-in configuration for HTTP load balancing in a Kubernetes cluster.
• It defines the rules for external connectivity to Kubernetes services.
• With the Ingress Controller for Kubernetes, you get basic load balancing, SSL/TLS termination, support for URI rewrites, and upstream SSL/TLS encryption.
• The Ingress Controller comprises two components:
  – An ingress controller deployment called nginx-ingress-controller. The deployment deploys an image that contains the binary for the ingress controller and Nginx.
  – An ingress-controller service called ingress-nginx. The service exposes the ingress controller deployment as a LoadBalancer-type service.


Monitoring via API Gateway Metrics: oci_apigateway

Metric (Unit): Description
• Bytes Received (Bytes): Number of bytes received by the API gateway from front-end clients
• Bytes Sent (Bytes): Number of bytes sent by the API gateway to front-end clients
• Backend Responses (Count): Count of the HTTP responses returned by the backend services
• Gateway Latency (Seconds): Time from when the API gateway receives the first byte of an HTTP request to the time when the response send operation is completed
• Backend Latency (Seconds): Time between the API gateway sending a request to the back-end service and receiving a response from the back-end service


Summary

In this lesson, you should have learned the following:
• OCI Container Engine for Kubernetes is a managed Kubernetes service
• The K8s service is itself free; you only pay for the resources you use for your worker nodes
• You can create a highly available Kubernetes cluster using Quickstart in minutes on OCI


Oracle Cloud Infrastructure
OCI Registry Service
Level 100
Jamal Arif
Lesson 9
Objectives

After completing this lesson, you should be able to:
• Use the OCI Registry Service
• Create Policy Requirements for OCIR
• Manage Repos using OCIR
• Pull an image from OCIR with OKE
• Set Global image retention policies


Oracle Cloud Infrastructure Registry (OCIR): Introduction

What is It?
• A high availability Docker v2 container registry service
• Stores Docker Images in Private or Public Repositories.
• Runs as a fully managed service on Oracle Cloud Infrastructure.

What Problems Does it Solve?
• Without a registry it is hard for Development teams to maintain a consistent set of Docker images for their containerized applications
• Without a managed registry it is hard to enforce access rights and security policies for images
• It is hard to find the right images and have them available in the region of deployment

Key Benefits
• Full integration with Container Engine for Kubernetes (OKE)
• Registries are private by default, but can be made public by an admin
• Co-located regionally with Container Engine for low latency Docker image deploys
• Leverages OCI for high performance, low latency and high availability


Working with OKE and OCIR on OCI

Diagram: OCI Registry (OCIR), OCI Container Engine for Kubernetes (OKE) and the Customer’s OCI Account/Tenancy, all on Oracle Cloud Infrastructure.
• OCI Registry (OCIR), Oracle managed: in-flight and at rest data encryption
• OCI Container Engine for Kubernetes (OKE), Oracle managed: Cluster Management; HA - 3 Masters/etcd across 3 ADs; Container Engine Dashboard
• Customer’s OCI Account/Tenancy, customer managed: VM based Clusters and Nodes; Bare Metal Clusters and Nodes

The grey shaded area designates the functions that Oracle manages for the customers, including an integrated Registry and image storage and the Container Engine / Managed Kubernetes. Oracle will manage the etcd and Master nodes of the Kubernetes instance, in a High Availability setup for the customer. Upgrades to new versions of Kubernetes will also be supported in the Container Engine dashboard, within the OCI console.

The customer will manage the Clusters/Worker Nodes that are set up by the Managed Service for that instance, in their own OCI account/tenancy, shaded in blue above.

Note: The customer will need to bring their own OCI account to create clusters for the managed Kubernetes cloud service and pay for any infrastructure usage incurred with their clusters of worker nodes.


OKE/OCIR Pricing and Packaging

Diagram: the same three areas as on the previous slide, with their pricing.
• OCI Registry (OCIR), Oracle managed: Free (in-flight and at rest data encryption)
• OCI Container Engine for Kubernetes (OKE), Oracle managed: Free (Cluster Management; HA - 3 Masters/etcd across 3 ADs; Container Engine Dashboard)
• Customer’s OCI Account/Tenancy, customer managed (VM based or Bare Metal Clusters and Nodes): pay only for the OCI resources used to run your K8s clusters (VM’s, storage, LB, etc.) and store your images

Users DO NOT pay for any of the Oracle managed container infrastructure (the grey area). This is the “Control Plane” that enables you to configure these services and maintains operations, versions, availability, etc.

The user pays regular fees for the Compute, Storage, and Networking used in the “Data Plane” (the blue area), where the applications run, data is stored, and so on.


Pre-requisites for OCIR

• To use the registry service, the user is either a part of the admin group or part of a group to which a policy grants the appropriate permissions
  – allow group acme-viewers to inspect repos in tenancy - Ability to see a list of all repositories in Oracle Cloud Infrastructure Registry belonging to the tenancy
  – allow group acme-managers to manage repos in tenancy - Ability to perform any operation on any repository in Oracle Cloud Infrastructure Registry that belongs to the tenancy (pull an image, push an image, create/delete repos, etc.)
  Note: repos are tenancy-level resources, so policies controlling access to them need to go into the root compartment (i.e., the tenancy).
• The user needs to have an OCI username and auth token before being able to push/pull an image.


OCIR Repositories

• Repositories can be private or public.
• Any user with Internet access and knowledge of the appropriate URL can pull images from a public repository in Oracle Cloud Infrastructure Registry.
• To create a repository via the Console:
  – Containers → Registry → Create Repository
    — Repository Name
    — Public or Private


Push/Pull Images from OCIR

• You use the Docker CLI to push/pull images to the repository in OCI.
• Create an Auth Token for the user and copy it.
• Log in to OCIR:
  – docker login <region-code>.ocir.io
    — Username: <tenancy_namespace>/<username>
    — Password: Auth-token
  – What is Tenancy namespace
• Find images in your local repository to be pushed to OCIR and tag in the format:
  – <region-code>.ocir.io/<tenancy-namespace>/<repos-name>/<image-name>:<tag>
  – docker tag 9f1191b287da iad.ocir.io/jamalarif/testing/tomcat:1.2
• Push your tagged image to OCIR:
  – docker push iad.ocir.io/jamalarif/testing/tomcat:1.2
• Similarly, images can be pulled using docker pull:
  – docker pull <region-code>.ocir.io/<tenancy-namespace>/<repos-name>/<image-name>:<tag>
  – docker pull iad.ocir.io/jamalarif/testing/tomcat:1.2

Region Code / Region Name:
phx Phoenix
iad Ashburn
fra Frankfurt
lhr London
icn Seoul
nrt Tokyo
yyz Toronto
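The reference format above is easy to get subtly wrong in a CI script (wrong region code, missing tag, repository path too short), so here is a small POSIX shell helper, added as an example and not part of the Oracle course material, that parses an OCIR reference into its parts and validates it before it is handed to docker tag / docker push. The region codes are the ones in the slide's table; iad.ocir.io/jamalarif/testing/tomcat:1.2 is the slide's own example and every other reference is constructed.

```shell
#!/bin/sh
# Added example (not from the Oracle course): parse and validate an OCIR image
# reference of the form shown on the slide,
#   <region-code>.ocir.io/<tenancy-namespace>/<repo-name>/<image-name>:<tag>
# before it is used in 'docker tag' / 'docker push' or in a Kubernetes manifest.
# Region codes are those listed on the slide; 'jamalarif/testing/tomcat' is the
# slide's own example, everything else here is constructed.

OCIR_REGIONS="phx iad fra lhr icn nrt yyz"

# ocir_parse REF -> prints "region namespace repo image tag" and returns 0,
# or prints the reason to stderr and returns 1.
ocir_parse() {
    ref=$1
    host=${ref%%/*}                 # e.g. iad.ocir.io
    path=${ref#*/}                  # e.g. jamalarif/testing/tomcat:1.2
    case $host in
        *.ocir.io) region=${host%.ocir.io} ;;
        *) echo "ocir_parse: not an OCIR registry host: $host" >&2; return 1 ;;
    esac
    case " $OCIR_REGIONS " in
        *" $region "*) ;;
        *) echo "ocir_parse: unknown region code: $region" >&2; return 1 ;;
    esac
    # Require an explicit tag so that what is pushed and pulled is unambiguous.
    case $path in
        *:*) tag=${path##*:}; path=${path%:*} ;;
        *) echo "ocir_parse: missing :<tag> in $ref" >&2; return 1 ;;
    esac
    # Need at least <tenancy-namespace>/<repo-name>/<image-name> after the host.
    case $path in
        */*/*) ;;
        *) echo "ocir_parse: expected <tenancy-namespace>/<repo-name>/<image-name>, got $path" >&2; return 1 ;;
    esac
    namespace=${path%%/*}
    rest=${path#*/}
    image=${rest##*/}               # last path element
    repo=${rest%/*}                 # everything between namespace and image
    printf '%s %s %s %s %s\n' "$region" "$namespace" "$repo" "$image" "$tag"
}

# ocir_server REF -> the host to give to 'docker login' and --docker-server.
ocir_server() {
    parts=$(ocir_parse "$1") || return 1
    set -- $parts
    printf '%s.ocir.io\n' "$1"
}

# ocir_same_region REF REGION -> 0 when the image lives in REGION. The registry
# is co-located regionally with OKE; pulling from another region loses that.
ocir_same_region() {
    want=$2
    parts=$(ocir_parse "$1") || return 1
    set -- $parts
    [ "$1" = "$want" ]
}

# ocir_push_cmds LOCAL_IMAGE REF -> prints the tag/push commands for a validated
# reference (printed, not executed, so this runs without Docker).
ocir_push_cmds() {
    ocir_parse "$2" >/dev/null || return 1
    printf 'docker tag %s %s\n' "$1" "$2"
    printf 'docker push %s\n' "$2"
}

# Demo with the slide's example reference:
# ocir_parse iad.ocir.io/jamalarif/testing/tomcat:1.2
# ocir_push_cmds 9f1191b287da iad.ocir.io/jamalarif/testing/tomcat:1.2
```

The helper deliberately rejects an untagged reference: the slide tags the image with :1.2, and keeping the tag on the push and on the pull is what makes the two sides of the workflow refer to the same image.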


OCIR Image Layers (screenshot)


Pulling Images from Registry for Kubernetes Deployments

Step 1: Create an Auth Token (screenshot)


Pulling Images from Registry for Kubernetes Deployments

Step 2: Create a Docker registry secret and use the Auth Token
• Create a Docker registry secret, containing the Oracle Cloud Infrastructure credentials to use when pulling the image.
  kubectl create secret docker-registry <secret-name> --docker-server=<region-code>.ocir.io --docker-username='<tenancy-namespace>/<oci-username>' --docker-password='<oci-auth-token>' --docker-email='<email-address>'


Pulling Images from Registry for Kubernetes Deployments (2)

Specify the image to pull from Oracle Cloud Infrastructure Registry, including the repository location and the Docker registry secret to use, in the application's manifest file.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-image
spec:
  containers:
  - name: nginx
    image: iad.ocir.io/jamalarif/testing/nginx:1.1
    imagePullPolicy: Always
    ports:
    - name: nginx
      containerPort: 8080
      protocol: TCP
  imagePullSecrets:
  - name: ocirsecret
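What the Step 2 kubectl command actually stores, and why the manifest above references the Secret by name only, is easier to see when the Secret is built by hand. The following POSIX shell, added here as an example and not part of the Oracle course, produces the same kubernetes.io/dockerconfigjson Secret that kubectl create secret docker-registry creates from the same arguments, and decodes it again to show that the auth token is only base64-encoded inside it. The registry host, username, token and e-mail are constructed placeholders; jamalarif and ocirsecret are the names used on the slides.

```shell
#!/bin/sh
# Added example (not from the Oracle course): build, with plain shell, the Secret
# that the slide's 'kubectl create secret docker-registry ...' command creates,
# and decode it again. This makes visible what the cluster stores: the auth
# token is only base64-encoded inside .dockerconfigjson, so anyone who can
# 'kubectl get secret' in that namespace can recover it. Registry host, user,
# token and e-mail below are constructed placeholders; 'jamalarif' and
# 'ocirsecret' come from the slides.

# base64 without line wrapping (portable across GNU and BSD base64).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# dockerconfig SERVER USERNAME TOKEN EMAIL -> the config.json content that
# 'docker login' writes; "auth" is base64("username:token").
# Assumption: values contain no double quotes or backslashes (kubectl escapes
# those for JSON; this small helper does not).
dockerconfig() {
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$1" "$2" "$3" "$4" "$(b64 "$2:$3")"
}

# pull_secret_manifest NAME SERVER USERNAME TOKEN EMAIL -> Secret manifest
# equivalent to: kubectl create secret docker-registry NAME \
#   --docker-server=SERVER --docker-username=USERNAME \
#   --docker-password=TOKEN --docker-email=EMAIL
pull_secret_manifest() {
    payload=$(b64 "$(dockerconfig "$2" "$3" "$4" "$5")")
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $payload
EOF
}

# decode_pull_secret MANIFEST -> the plaintext config.json recovered from the
# manifest (what 'kubectl get secret NAME -o yaml' plus base64 -d yields).
decode_pull_secret() {
    printf '%s\n' "$1" | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d
}

# Demo (constructed values):
# pull_secret_manifest ocirsecret iad.ocir.io 'jamalarif/jane.doe@example.com' \
#     'EXAMPLE-AUTH-TOKEN' 'jane.doe@example.com'
```

Because the token is recoverable by anyone who can read the Secret, create the pull secret in the application's namespace only and restrict get/list on Secrets there through RBAC; the token carries the OCIR permissions of the OCI user it was generated for, so regenerate it (and recreate the Secret) when that user's access changes.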


OCIR Image Retention Policies

• Set up image retention policies to automatically delete images that meet particular selection criteria. The following rules can be applied:
  – Images that have not been pulled for a certain number of days
  – Images that have not been tagged for a certain number of days
  – Images that have not been given particular Docker tags specified as exempt from automatic deletion
• An hourly process checks images against the selection criteria and deletes images accordingly.
• A global image retention policy pre-exists with default selection criteria to retain all images.
• Users can edit the global image retention policy or create their own custom policy.
• Policies are regional and applied at the repository level.
• Repos can only be part of one image retention policy at a time.
• After a policy is created, it can take several hours to take effect the first time; this is known as the cooling period and avoids unintentional deletion of images.
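To see what a policy would do before repositories are added to it, the following POSIX shell script, added as an example and not part of the Oracle course, applies the selection rules listed above to a constructed image inventory: an image is deleted when it has not been pulled for more than the configured number of days, or has been untagged for more than the configured number of days, unless one of its tags is on the exempt list; while the policy is still inside its cooling period nothing is deleted. The inventory lines, the day counts and the release exempt tag are constructed, not real OCIR data, and reading the second rule as "untagged for N days" is an assumption.

```shell
#!/bin/sh
# Added example (not from the Oracle course): a dry run of the selection rules an
# OCIR image retention policy applies, over a constructed image inventory, so
# that the effect of a policy can be checked before repositories are added to it.
# Rules as on the slide: delete images not pulled for N days or untagged for
# N days, unless one of their tags is listed as exempt; nothing is deleted while
# the policy is still in its cooling period. The inventory and the 'release'
# exempt tag are constructed, not real OCIR data.

# One image per line: id|tags (comma separated, '-' if none)|days since last
# pull|days since the image lost its last tag ('-' while it is still tagged).
IMAGES='sha256:aaa|1.2,stable|3|-
sha256:bbb|1.1|45|-
sha256:ccc|-|12|40
sha256:ddd|release|90|-
sha256:eee|-|2|3'

# retention_check MAX_UNPULLED MAX_UNTAGGED EXEMPT_TAGS [POLICY_AGE_H COOLING_H]
# Reads inventory lines on stdin and prints one "keep"/"delete" line per image.
# A limit of '-' disables that rule (the pre-existing global policy keeps
# everything, i.e. both rules disabled).
retention_check() {
    max_unpulled=$1; max_untagged=$2; exempt=",$3,"
    if [ $# -ge 5 ] && [ "$4" -lt "$5" ]; then
        # Cooling period after creation: no deletions yet.
        while IFS='|' read -r id rest; do
            [ -n "$id" ] || continue
            printf 'keep %s (cooling period)\n' "$id"
        done
        return 0
    fi
    while IFS='|' read -r id tags pulled untagged; do
        [ -n "$id" ] || continue
        reason=
        # Exempt tags win over both age rules.
        oldifs=$IFS; IFS=,
        for t in $tags; do
            case $exempt in *",$t,"*) reason="exempt tag $t" ;; esac
        done
        IFS=$oldifs
        if [ -n "$reason" ]; then
            printf 'keep %s (%s)\n' "$id" "$reason"
        elif [ "$max_unpulled" != "-" ] && [ "$pulled" -gt "$max_unpulled" ]; then
            printf 'delete %s (not pulled for %s days)\n' "$id" "$pulled"
        elif [ "$untagged" != "-" ] && [ "$max_untagged" != "-" ] && [ "$untagged" -gt "$max_untagged" ]; then
            printf 'delete %s (untagged for %s days)\n' "$id" "$untagged"
        else
            printf 'keep %s\n' "$id"
        fi
    done
}

# retention_deletions ARGS... -> number of inventory images the policy deletes.
retention_deletions() {
    printf '%s\n' "$IMAGES" | retention_check "$@" | grep -c '^delete' || true
}

# Demo: a 30-day policy that exempts the 'release' tag
# printf '%s\n' "$IMAGES" | retention_check 30 30 release
```

Running the dry run with the global default (both limits set to '-') shows why the pre-existing policy is safe to leave alone, and running it with a tight limit but no exempt tag shows how quickly a long-lived release image would be deleted, which is the case the exempt-tag rule exists for.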


OCIR Image Retention Policies (2)

On the OCIR home page, click Settings, and then select Image retention policies.
• Edit the Global Image Retention Policy
• Create a new custom image retention policy


OCIR Image Retention Policies (3)

• Select the criteria and number of days for each policy.
• Provide an image tag to prevent images from being deleted.
• After the policy is created, add repositories by clicking + Add repository.
• Remove the repos from the policy.


Summary

In this lesson, you should have learned how to:
• Use the OCI Registry Service
• Create policy requirements for OCIR
• Manage repos using OCIR
• Pull an image from OCIR with OKE
• Set global image retention policies


Object Storage
Level 100, Lesson 10

Objectives

After completing this lesson, you should be able to:
• Understand OCI Object Storage
• Identify Object Storage capabilities


OCI Storage Services

| | Local NVMe | Block Volume | File Storage | Object Storage | Archive Storage |
|---|---|---|---|---|---|
| Type | NVMe SSD based temporary storage | NVMe SSD based block storage | NFSv3 compatible file system | Highly durable object storage | Long-term archival and backup |
| Durability | Non-persistent; survives reboots | Durable (multiple copies in an AD) | Durable (multiple copies in an AD) | Highly durable (multiple copies across ADs)* | Highly durable (multiple copies across ADs)* |
| Capacity | Terabytes+ | Petabytes+ | Exabytes+ | Petabytes+ | Petabytes+ |
| Unit Size | 51.2 TB for BM, 6.4-25.6 TB for VM | 50 GB to 32 TB/vol, 32 vols/instance | Up to 8 Exabyte | 10 TB/object | 10 TB/object |
| Use cases | Big Data, OLTP, high performance workloads | Apps that require SAN like features (Oracle DB, VMW, Exchange) | Apps that require shared file system (EBS, HPC) | Unstructured data incl. logs, images, videos | Long term archival and backups (Oracle DB backups) |

* in multi-AD regions


Object Storage Intro


Object Storage Service

• An Internet-scale, high-performance storage platform
• Ideal for storing an unlimited amount of unstructured data (images, media files, logs, backups)
• Data is managed as objects using an API built on standard HTTP verbs.
• Regional service; not tied to any specific compute instance
• Offers two distinct storage classes to address the need for performant, frequently accessed "hot" storage and less frequently accessed "cold" storage
• Supports private access from Oracle Cloud Infrastructure resources in a VCN through a Service Gateway
• Supports advanced features such as cross-region copy, pre-authenticated requests, lifecycle rules, and multipart upload


Object Storage Scenarios

• Content Repository - Highly available and durable content repository for data, images, logs, video, etc.
• Archive/Backup - Use of object storage for preserving data for longer periods of time
• Log Data - Application log data for analysis and debugging/troubleshooting
• Large Data Sets - Large data, e.g. pharmaceutical trial data, genome data, and Internet of Things (IoT) data
• Big Data/Hadoop Support
– Using it as the primary data repository for big data enables a ~50% improvement in performance
– The HDFS connector provides connectivity to various big data analytic engines like Apache Spark and MapReduce


Object Storage Service Features

• Strong consistency
– Object Storage Service always serves the most recent copy of the data when retrieved.
• Durability
– Data is stored redundantly across multiple storage servers across multiple ADs.
– Data integrity is actively monitored; corrupt data is detected and automatically repaired.
• Performance
– Compute and Object Storage Services are co-located on the same fast network.
• Custom metadata
– Define your own extensive metadata as key-value pairs.
• Encryption
– Employs 256-bit Advanced Encryption Standard (AES-256) to encrypt object data.


Object Storage Resources

• Object
– All data, regardless of content type, is managed as objects (e.g. logs, videos).
– Each object is composed of the object itself and the metadata of the object.
• Bucket
– A logical container for storing objects. Each object is stored in a bucket.
• Namespace
– A logical entity that serves as a top-level container for all buckets and objects.
– Each tenancy is provided one unique namespace that is global, spanning all compartments and regions.
– Bucket names must be unique within your tenancy, but can be repeated across tenancies.
– Within a namespace, buckets and objects exist in a flat hierarchy, but you can simulate a directory structure using prefixes and hierarchies.


Object Naming

• The service prepends the Object Storage namespace string and bucket name to the object name: /n/<object_storage_namespace>/b/<bucket>/o/<object_name>
– https://objectstorage.us-phoenix-1.oraclecloud.com/n/gse00014346/b/DatabaseBackup/o/database1.dbf
• Flat hierarchy
• For a large number of objects, use prefixes and hierarchies:
/n/ansh8tvru7zp/b/event_photos/o/marathon/finish_line.jpg
/n/ansh8tvru7zp/b/event_photos/o/marathon/participants/p_21.jpg
– You can use the CLI to perform bulk downloads and bulk deletes of all objects at a specified level of the hierarchy, without affecting objects in levels above or below.
– In the example above, you can use the CLI to download or delete all objects at the marathon/ level without downloading or deleting objects at the marathon/participants sublevel.
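The prefix-and-delimiter view of a flat namespace, as an added example that is not OCI's or the CLI's own code: it reproduces the "one level only" selection the bullets describe, over a constructed listing of the event_photos bucket, so you can see exactly which names a marathon/ level operation touches and which it leaves alone.

```python
"""Constructed example of the flat namespace with prefix-based hierarchy.

Not OCI's own code: it reproduces the prefix/delimiter listing semantics the
CLI bulk operations rely on, so you can see which objects a 'marathon/' level
operation would touch and which it would leave alone."""
from typing import List, Tuple
from urllib.parse import quote

# Constructed object names in bucket event_photos (not a live listing).
SAMPLE_OBJECTS = [
    "marathon/finish_line.jpg",
    "marathon/start_line.jpg",
    "marathon/participants/p_21.jpg",
    "marathon/participants/p_22.jpg",
    "marathon/participants/bibs/b_1.jpg",
    "triathlon/swim.jpg",
    "readme.txt",
]


def list_level(names: List[str], prefix: str = "",
               delimiter: str = "/") -> Tuple[List[str], List[str]]:
    """Objects at exactly one level under `prefix`, plus the sub-prefixes below it.

    Names are plain strings; the delimiter is only a convention that turns the
    flat list into something that looks like directories."""
    objects, sub_prefixes = [], set()
    for name in names:
        if not name.startswith(prefix):
            continue
        rest = name[len(prefix):]
        cut = rest.find(delimiter)
        if cut == -1:
            objects.append(name)                                   # lives at this level
        else:
            sub_prefixes.add(prefix + rest[:cut + len(delimiter)])  # a deeper level
    return sorted(objects), sorted(sub_prefixes)


def objects_under(names: List[str], prefix: str) -> List[str]:
    """Every object at `prefix` and all sublevels (plain prefix match, no delimiter)."""
    return sorted(n for n in names if n.startswith(prefix))


def object_path(namespace: str, bucket: str, name: str) -> str:
    """The /n/<namespace>/b/<bucket>/o/<object_name> form the service prepends."""
    return f"/n/{namespace}/b/{bucket}/o/{quote(name, safe='/')}"


if __name__ == "__main__":
    top, subs = list_level(SAMPLE_OBJECTS, "marathon/")
    print("marathon/ level only:", top, "sub-prefixes:", subs)
    print("whole subtree:", objects_under(SAMPLE_OBJECTS, "marathon/"))
    print(object_path("ansh8tvru7zp", "event_photos", top[0]))
```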


Object Storage Tiers

Standard Storage Tier (Hot)
• Fast, immediate, and frequent access
• Object Storage Service always serves the most recent copy of the data when retrieved.
• Data retrieval is instantaneous.
• Standard buckets can't be downgraded to Archive storage.

Archive Storage Tier (Cold)
• For data that is seldom or rarely accessed but must be retained and preserved for long periods of time.
• The minimum retention requirement for Archive Storage is 90 days.
• Objects need to be restored before download.
• Archive buckets can't be upgraded to the Standard storage tier.
• Time To First Byte (TTFB) after an Archive Storage restore request is made: 4 hours.


Object Storage Capabilities


Managing Access and Authentications

• Pre-Authenticated Requests
– Provide a way to let users access a bucket or an object without having their own credentials.
– Access is via a unique URL, for example, https://objectstorage.us-ashburn-1.oraclecloud.com/p/p09Nx-f4UaLCN-MMOxGQIpobmMchgHQrSQv4Lr-aSzs/n/intoraclerohit/b/Image/o/kvm
– The links can be revoked at any time (much easier than S3).
• Public Buckets
– At creation, a bucket is considered private, and access to the bucket requires authentication and authorization.
– The service supports anonymous, unauthenticated access to a bucket by making the bucket public (read access to the bucket).
– Changing the type of access doesn't affect existing pre-authenticated requests. Existing pre-authenticated requests still work.


Cross-region Copy

• Copy objects to other buckets in the same region and to buckets in other regions.
• You must authorize the service to manage objects on your behalf (a separate policy for each region), for example: allow service objectstorage-us-ashburn-1 to manage object-family in tenancy
• You must specify an existing target bucket.
• Bulk copying is not supported.
• Objects cannot be copied from Archive storage.


Object Lifecycle Management

• Define lifecycle rules to automatically archive or delete objects after a specified number of days.
• You must authorize the service to manage objects on your behalf (a separate policy per region). Example: allow service objectstorage-us-ashburn-1 to manage object-family in tenancy
• Rules are applied at the bucket or object name prefix level. If no prefix is specified, the rule applies to all objects in the bucket.
• A rule that deletes an object always takes priority over a rule that would archive that same object.
• Enable or disable a rule to make it active or inactive.

For the objects /n/ansh8tvru7zp/b/apparel/o/gloves_27_dark_green.jpg and /n/ansh8tvru7zp/b/apparel/o/gloves_27_light_blue.jpg, gloves_27 is the prefix.
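The rule semantics above, as an added example that is not the service's own code: an offline model that applies prefix scope, the age threshold, the enabled flag and the "delete beats archive" priority to a constructed apparel bucket, using the slide's gloves_27 prefix, so the effect of a rule set can be checked before it goes live.

```python
"""Constructed model of Object Lifecycle Management rule evaluation.

Not the service's own code: it applies the rules on this slide (prefix scope,
age in days, enabled flag, and 'delete beats archive') to a sample bucket so
the outcome for each object can be checked before a rule goes live."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class LifecycleRule:
    name: str
    action: str          # "ARCHIVE" or "DELETE"
    days: int            # object age at which the rule fires
    prefix: str = ""     # "" means every object in the bucket
    enabled: bool = True


@dataclass
class StoredObject:
    name: str
    created: datetime
    tier: str = "Standard"   # or "Archive"


def matching_rules(obj: StoredObject, rules: List[LifecycleRule],
                   now: datetime) -> List[LifecycleRule]:
    """Enabled rules whose prefix covers `obj` and whose age threshold has passed."""
    age = now - obj.created
    return [r for r in rules
            if r.enabled and obj.name.startswith(r.prefix)
            and age >= timedelta(days=r.days)]


def decide(obj: StoredObject, rules: List[LifecycleRule],
           now: datetime) -> Optional[str]:
    """'DELETE', 'ARCHIVE' or None. A delete rule always wins over an archive rule."""
    actions = {r.action for r in matching_rules(obj, rules, now)}
    if "DELETE" in actions:
        return "DELETE"
    if "ARCHIVE" in actions and obj.tier != "Archive":   # already archived: nothing to do
        return "ARCHIVE"
    return None


def plan(objects: List[StoredObject], rules: List[LifecycleRule],
         now: datetime) -> Dict[str, str]:
    """Map object name -> action for every object that some rule acts on."""
    result: Dict[str, str] = {}
    for obj in objects:
        action = decide(obj, rules, now)
        if action is not None:
            result[obj.name] = action
    return result


# Constructed bucket 'apparel' and rules (gloves_27 is the slide's example prefix).
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
RULES = [
    LifecycleRule("archive-gloves-27", "ARCHIVE", days=30, prefix="gloves_27"),
    LifecycleRule("delete-gloves-27", "DELETE", days=365, prefix="gloves_27"),
    LifecycleRule("archive-everything", "ARCHIVE", days=90),
    LifecycleRule("delete-everything", "DELETE", days=730),
    LifecycleRule("delete-hats", "DELETE", days=100, prefix="hats", enabled=False),
]
OBJECTS = [
    StoredObject("gloves_27_dark_green.jpg", NOW - timedelta(days=400)),
    StoredObject("gloves_27_light_blue.jpg", NOW - timedelta(days=60)),
    StoredObject("gloves_28_red.jpg", NOW - timedelta(days=400)),
    StoredObject("hats_3.jpg", NOW - timedelta(days=200)),
    StoredObject("scarf_1.jpg", NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for name, action in plan(OBJECTS, RULES, NOW).items():
        print(f"{action:8s} {name}")
```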


Managing Multipart Uploads

With multipart uploads, individual parts of an object can be uploaded in parallel to reduce the amount of time you spend uploading.
1. Create object parts.
– Perform a multipart upload to upload objects larger than 100 MiB. Individual parts can be as large as 50 GiB or as small as 10 MB.
– Assign part numbers from 1 to 10,000.
2. Initiate an upload.
– Initiate a multipart upload by making a CreateMultipartUpload REST API call.
3. Upload object parts.
– Make an UploadPart request for each object part upload.
– If you have network issues, you can restart a failed upload for an individual part. You do not need to restart the entire upload.
4. Commit the upload.
– When you have uploaded all object parts, complete the multipart upload by committing it.
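The four-step flow above, as an added example that is neither the OCI SDK nor service code: an in-memory stand-in plays the three REST calls so the part-sizing limits, a retry of one failed part, and the final commit can be exercised offline. The upload id format and the MD5-style part ETags are constructed for the model; real ETag values should be treated as opaque.

```python
"""Constructed, in-memory model of the multipart upload flow on this slide.

Not the OCI SDK or service code: an in-memory stand-in plays the three REST
calls (CreateMultipartUpload, UploadPart, CommitMultipartUpload) so the part
sizing rules, per-part retry and final commit can be exercised offline."""
import hashlib
from typing import Dict, List, Tuple

MIN_PART_BYTES = 10 * 1000 * 1000            # "as small as 10 MB" (slide)
MAX_PART_BYTES = 50 * 1024 * 1024 * 1024     # "as large as 50 GiB" (slide)
MAX_PART_NUMBER = 10_000                     # part numbers run 1..10,000


def split_parts(size: int, part_size: int) -> List[Tuple[int, int, int]]:
    """(part_number, offset, length) for each part; enforces the slide's limits."""
    if not MIN_PART_BYTES <= part_size <= MAX_PART_BYTES:
        raise ValueError("part size must be between 10 MB and 50 GiB")
    parts, offset, number = [], 0, 1
    while offset < size:
        length = min(part_size, size - offset)   # only the final part may be short
        parts.append((number, offset, length))
        offset += length
        number += 1
    if len(parts) > MAX_PART_NUMBER:
        raise ValueError("more than 10,000 parts; pick a larger part size")
    return parts


class TransientNetworkError(Exception):
    """Stands in for a dropped connection during one UploadPart call."""


class InMemoryObjectStorage:
    """Constructed stand-in for the service side of the three multipart calls."""

    def __init__(self, drop_part_once: Tuple[int, ...] = ()):
        self._pending: Dict[str, Tuple[str, Dict[int, bytes]]] = {}
        self.objects: Dict[str, bytes] = {}
        self._drop = set(drop_part_once)
        self._counter = 0

    def create_multipart_upload(self, object_name: str) -> str:
        self._counter += 1
        upload_id = f"upload-{self._counter}"          # placeholder id format
        self._pending[upload_id] = (object_name, {})
        return upload_id

    def upload_part(self, upload_id: str, part_number: int, body: bytes) -> str:
        if part_number in self._drop:                   # simulate one network failure
            self._drop.discard(part_number)
            raise TransientNetworkError(f"part {part_number} dropped")
        self._pending[upload_id][1][part_number] = body
        # Modelled as an MD5 so the client can verify; real ETags are opaque strings.
        return hashlib.md5(body).hexdigest()

    def commit_multipart_upload(self, upload_id: str,
                                parts: List[Tuple[int, str]]) -> str:
        object_name, staged = self._pending.pop(upload_id)
        for number, etag in parts:                      # reject mismatched parts
            if hashlib.md5(staged[number]).hexdigest() != etag:
                raise ValueError(f"etag mismatch for part {number}")
        data = b"".join(staged[number] for number, _ in sorted(parts))
        self.objects[object_name] = data
        return hashlib.md5(data).hexdigest()


def multipart_upload(client: InMemoryObjectStorage, object_name: str,
                     data: bytes, part_size: int, max_attempts: int = 3) -> str:
    """Client side: initiate, upload each part (retrying only that part), commit."""
    upload_id = client.create_multipart_upload(object_name)            # step 2
    committed: List[Tuple[int, str]] = []
    for number, offset, length in split_parts(len(data), part_size):   # step 1
        chunk = data[offset:offset + length]
        for attempt in range(1, max_attempts + 1):                     # step 3
            try:
                etag = client.upload_part(upload_id, number, chunk)
                break
            except TransientNetworkError:
                if attempt == max_attempts:
                    raise
        if etag != hashlib.md5(chunk).hexdigest():   # local check before trusting the part
            raise RuntimeError(f"part {number} corrupted in transit")
        committed.append((number, etag))
    return client.commit_multipart_upload(upload_id, committed)        # step 4


# Constructed 25.6 MB payload: three parts (10 MB, 10 MB, 5.6 MB).
SAMPLE_DATA = bytes(range(256)) * 100_000
SAMPLE_PART_SIZE = 10 * 1000 * 1000

if __name__ == "__main__":
    storage = InMemoryObjectStorage(drop_part_once=(2,))
    digest = multipart_upload(storage, "backups/db1.dbf", SAMPLE_DATA, SAMPLE_PART_SIZE)
    print("committed object md5:", digest,
          "parts:", len(split_parts(len(SAMPLE_DATA), SAMPLE_PART_SIZE)))
```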


Summary

In this lesson, you should have learned that Object Storage Service:
• Is an Internet-scale, high-performance storage platform
• Is a regional service, not tied to any specific compute instance
• Offers two distinct storage classes to address the need for performant, frequently accessed "hot" storage, and less frequently accessed "cold" storage
• Supports private access from Oracle Cloud Infrastructure resources in a VCN through a Service Gateway
• Supports advanced features such as cross-region copy, lifecycle management, pre-authenticated requests and multipart uploads


Block Volume
Level 100, Lesson 11

Objectives

After completing this lesson, you should be able to:
• Understand Local NVMe Storage
• Understand Block Volume Service
• Identify Backup and Restoration capabilities
• Understand Clone and Volume Groups
• Understand Boot Volume Service


OCI Storage Services

| | Local NVMe | Block Volume | File Storage | Object Storage | Archive Storage |
|---|---|---|---|---|---|
| Type | NVMe SSD based temporary storage | NVMe SSD based block storage | NFSv3 compatible file system | Highly durable object storage | Long-term archival and backup |
| Durability | Non-persistent; survives reboots | Durable (multiple copies in an AD) | Durable (multiple copies in an AD) | Highly durable (multiple copies across ADs) | Highly durable (multiple copies across ADs) |
| Capacity | Terabytes+ | Petabytes+ | Exabytes+ | Petabytes+ | Petabytes+ |
| Unit Size | 51.2 TB for BM, 6.4-25.6 TB for VM | 50 GB to 32 TB/vol, 32 vols/instance | Up to 8 Exabyte | 10 TB/object | 10 TB/object |
| Use cases | Big Data, OLTP, high performance workloads | Apps that require SAN like features (Oracle DB, VMW, Exchange) | Apps that require shared file system (EBS, HPC) | Unstructured data incl. logs, images, videos | Long term archival and backups (Oracle DB backups) |


Local NVMe Storage


Local NVMe SSD Devices

• Some instance shapes in OCI include locally attached NVMe devices.
• Local NVMe SSD can be used for workloads that have high storage performance requirements.
• Locally attached SSDs are not protected: OCI provides no RAID, snapshot, or backup capabilities for these devices.
• Customers are responsible for the durability of data on the local SSDs.

| Instance type | NVMe SSD devices |
|---|---|
| BM.DenseIO2.52 | 8 drives = 51.2 TB raw |
| VM.DenseIO2.8 | 2 drives = 6.4 TB raw |
| VM.DenseIO2.16 | 4 drives = 12.8 TB raw |
| VM.DenseIO2.24 | 8 drives = 25.6 TB raw |

lsblk output on a shape with eight local NVMe devices (the sda entries are the boot disk):

    [opc@nvme ~]$ lsblk
    NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
    nvme0n1 259:0    0  5.8T  0 disk
    nvme1n1 259:3    0  5.8T  0 disk
    nvme2n1 259:1    0  5.8T  0 disk
    nvme3n1 259:2    0  5.8T  0 disk
    nvme4n1 259:5    0  5.8T  0 disk
    nvme5n1 259:6    0  5.8T  0 disk
    nvme6n1 259:4    0  5.8T  0 disk
    nvme7n1 259:7    0  5.8T  0 disk
    sda       8:0    0 46.6G  0 disk
    ├─sda2    8:2    0    8G  0 part [SWAP]
    ├─sda3    8:3    0 38.4G  0 part /
    └─sda1    8:1    0  200M  0 part /boot/efi


NVMe SSD Persisted: Reboot/Pause

[Figure: two panels, each showing an Instance (VM/BM) with a Local NVMe SSD. Left panel: "Data saved on instance reboot or pause". Right panel: "Data deleted on instance reboot or pause, not usable for primary data".]

"With Oracle Cloud Infrastructure, companies can leverage NVMe for persistent storage to host databases and applications. However, other cloud providers typically do not offer such a capability. In cases where NVMe storage was an option with other vendors, it was not persistent. This meant that the multi-terabyte database that researchers loaded to this storage was lost when the server stopped."
~ Accenture


Protecting NVMe SSD Devices

• RAID 1: An exact copy (or mirror) of a set of data on two or more disks.
• RAID 10: Stripes data across multiple mirrored pairs. As long as one disk in each mirrored pair is functional, data can be retrieved.
• RAID 6: Block-level striping with two parity blocks distributed across all member disks.


SLA for NVMe Performance

• OCI provides a service-level agreement (SLA) for NVMe performance.
• Measured against 4k block sizes with a 100% random write workload on DenseIO shapes where the drive is in a steady state of operation.
• Run the test on Oracle Linux shapes with third-party benchmark suites, https://github.com/cloudharmony/block-storage.

| Shape | Minimum supported IOPS |
|---|---|
| VM.DenseIO1.4 | 200k |
| VM.DenseIO1.8 | 250k |
| VM.DenseIO1.16 | 400k |
| BM.DenseIO1.36 | 2.5MM |
| VM.DenseIO2.8 | 250k |
| VM.DenseIO2.16 | 400k |
| VM.DenseIO2.24 | 800k |
| BM.DenseIO2.52 | 3.0MM |


Block Volume Intro


Block Volume Service

• The Block Volume Service lets you store data on block volumes independently of, and beyond the lifespan of, compute instances.
• Block volumes operate at the raw storage device level and manage data as a set of numbered, fixed-size blocks using a protocol such as iSCSI.
• You can create, attach, connect, and move volumes, as needed, to meet your storage and application requirements.
• Typical scenarios:
– Persistent and durable storage
– Expand an instance's storage
– Instance scaling


Block Volume Service

| Capacity | Configurable: 50 GB to 32 TB (1 GB increments) |
|---|---|
| Perf: disk type | NVMe SSD based |
| Perf: IOPS | 60 IOPS/GB - up to 25K IOPS* |
| Perf: Throughput/Vol | 480 KBPS/GB - up to 320 MBPS** |
| Perf: Latency (P95) | Sub-millisecond latencies |
| Perf: Per-instance limits | 32 attachments/instance, up to 1 PB (32 TB/volume x 32 volumes/instance); up to 620K or more IOPS, near line rate throughput |
| Durability | Multiple replicas across multiple storage servers within the AD |
| Security | Encrypted at rest and in transit |

* For Bare Metal or 8-core+ VM compute instances, using 4KB blocks. VM performance is limited by VM network bandwidth.
** 256 KB block size


Creating and Attaching a Block Volume

• Paravirtualization is a light virtualization technique where a VM utilizes hypervisor APIs to access remote storage directly as if it were a local device.
• iSCSI block storage attachment utilizes the internal storage stack in the guest OS and network hardware virtualization to access block volumes. The hypervisor is not involved in the iSCSI attachment process.
• By default, all block volumes are Read/Write.
• A block volume can also be attached read-only to protect against accidental modification.


Detaching and Deleting Block Volumes

• When an instance no longer requires a block volume, you can disconnect and then detach it from the instance without any loss of data.
• When you attach the same volume to another instance or to the same instance, DO NOT FORMAT the disk volume. Otherwise, you will lose all the data on the volume.
• When the volume itself is no longer needed, you can delete the block volume.
• You cannot undo a delete operation. Any data on a volume will be permanently deleted once the volume is deleted.


Block Volume Offline Resize

The Oracle Cloud Infrastructure Block Volume service lets you expand the size of block volumes and boot volumes. You have three options to increase the size of your volumes:
• Expand an existing volume in place with offline resizing (you cannot resize an attached volume).
• Restore from a volume backup to a larger volume.
• Clone an existing volume to a new, larger volume.

[Figure: a 50 GB block or boot volume is expanded by the Oracle Cloud Infrastructure Block Volume service to a 32 TB block or boot volume.]

You can only increase the size of a volume; you cannot decrease it.

The feature provides the ability to expand an existing boot or block volume by taking the volume offline, using the following process:
• Stop the instance.
• Detach the boot and/or block volume(s).
• Expand the boot and/or block volume(s).
• Reattach the volumes.
• Restart the instance.
• Extend the partition(s).

This capability applies to both block volumes and boot volumes. It allows increasing the size of the volume up to the maximum allowed by block storage (32 TB at the time of this feature's development). Volumes cannot be decreased in size.


Backup and Restoration


Backup and Restoration

• Complete point-in-time snapshot copy of your block volumes
• Encrypted and stored in the Object Storage Service, and can be restored as new volumes to any Availability Domain within the same region (for multi-AD regions)
• Can copy block volume backups from one region to another

[Figure: within an Oracle Cloud Infrastructure region, a server in Availability Domain-1 (Subnet A) backs up its block storage to Object Storage, and a server in Availability Domain-2 (Subnet B) restores it from Object Storage to new block storage.]


Backup and Restoration

• Backups are done using a point-in-time snapshot. Therefore, while the backup is being performed asynchronously in the background, your applications can continue to access your data without any interruption or performance impact.
– For a 2 TB volume being backed up for the first time: ~30 mins
– For a 50 GB boot volume being backed up for the first time: ~ a few mins
• On-demand, one-off block volume backups provide a choice of incremental versus full backup options.


Backup and Restoration

Backup options:
• On-demand, one-off: point-in-time snapshot
• Automated policy-based: backs up automatically on a schedule and retains backups based on the selected backup policy. Three backup policies:
– Bronze: Monthly incremental backups, retained for twelve months (+ full yearly backup, retained for 5 years)
– Silver: Weekly incremental backups, retained for four weeks (+ Bronze)
– Gold: Daily incremental backups, retained for seven days (+ Silver, + Bronze)
• Customized backup policy not available today


Clone and Volume Groups


Clone

• Cloning allows copying an entire existing block volume to a new volume without needing to go through a backup and restore process.
• A clone is a point-in-time direct disk-to-disk deep copy of an entire volume.
• The clone operation is immediate, but the actual copying of data happens in the background and can take up to 15 minutes for a 1 TB volume.
• A clone can only be created in the same AD; there is no need to detach the source volume before cloning it.
• Clones cannot be copied to another region.
• A clone can be attached and used as a regular volume when its lifecycle state changes from "PROVISIONING" to "AVAILABLE", usually within seconds.
• Clone and backup operations are mutually exclusive.
• Number of clones that can be created simultaneously:
– If the source volume is attached: you can create one clone at a time.
– If the source volume is detached: you can create up to 10 clones from the same source volume simultaneously.


Volume Groups

• Group together block and boot volumes from multiple compartments across multiple compute instances in a volume group.
• You can use volume groups to create volume group backups and clones that are point-in-time and crash-consistent.
• Manually trigger a full or incremental backup of all the volumes in a volume group, leveraging a coordinated snapshot across all the volumes.
• This is ideal for the protection and lifecycle management of enterprise applications, which typically require multiple volumes across multiple compute instances to function effectively.
• The Volume Group feature is available at no additional charge.

[Figure: Typical Enterprise Application Storage Architecture: VMs with Web Tier (1 TB block volumes), VMs with Application Tier (2 TB block volumes), and Bare Metal Compute with Database Tier (32 TB block volume).]


Boot Volumes


Boot Volumes

• A compute instance is launched using an OS image stored on a remote boot volume.
• The boot volume is created automatically and associated with an instance until you terminate the instance.
• Boot volumes are encrypted, and offer faster performance, lower launch times, and higher durability for BM and VM instances.
• Launch another instance with a boot volume:
– First create a custom image of your boot volume, and then launch the instance using the custom image.
– Alternatively, you can launch a new instance directly from an unattached boot volume if you don't wish to create a custom image.
• Delete boot volume:
– You can delete an unattached boot volume.
– You can optionally choose to automatically delete the boot volume when terminating an instance by selecting the check box in the delete confirmation dialog.
– OCI does not allow you to delete the boot volume currently attached to an instance.
• It is possible to take a manual backup, assign a backup policy, or create a clone of boot volumes.


Boot Volumes
Attach a boot volume to an instance as a block volume for troubleshooting.

• You can attach any boot volume to an instance as block storage in order to debug issues. You first need to detach the boot volume from its associated compute instance in order to attach it to a different instance.
• You can perform the following steps to debug your boot volume:
  1. Stop the instance you want to debug, click the Boot Volume filter, and then click Detach Boot Volume. Alternatively, you can terminate the instance, which preserves the boot volume by default.
  2. Navigate to a running instance you want to use to debug the boot volume, and click Attach Block Volume.

Note: whoever can attach a boot volume to another instance can read and modify everything on the original OS disk, including credentials and keys stored there. Treat the IAM permission to attach volumes as equivalent to root access on the instances whose boot volumes it covers, and scope it accordingly.


Custom Boot Volumes
You have the option of specifying a custom boot volume size.

In order to take advantage of the larger size, you must first extend the root (Linux-based images) or system (Windows-based images) partition and its file system; until then the extra capacity appears to the OS as unallocated space.

Linux default size is 46.6 GB; Windows default size is 256 GB.


Summary
In this lesson, you should have learned that:

• OCI offers local NVMe SSD storage with SLAs for high-performance workloads
• OCI Block Volume service is a persistent, durable, high-performance block service with industry-leading price/performance
• You can create, attach, connect, and move volumes, as needed, to meet your storage and application requirements
• Block Volume service supports backups (on-demand and policy-based) and restoration
• Cloning and policy-based backups are offered only by OCI Block Volume service
• Another unique feature, Volume Groups, simplifies backups of running enterprise applications that span multiple storage volumes across multiple instances


Level 100
File Storage Service
12
Objectives

After completing this lesson, you should be able to:
• Understand File Storage Service and its features
• Identify File Storage Service security features


File Storage Service Info


OCI Storage Services
Feature | Local NVMe | Block Volume | File Storage | Object Storage | Archive Storage
Type | NVMe SSD based temporary storage | NVMe SSD based block storage | NFSv3 compatible file system | Highly durable object storage | Long-term archival and backup
Durability | Non-persistent; survives reboots | Durable (multiple copies in an AD) | Durable (multiple copies in an AD) | Highly durable (multiple copies across ADs) | Highly durable (multiple copies across ADs)
Capacity | Terabytes+ | Petabytes+ | Exabytes+ | Petabytes+ | Petabytes+
Unit Size | 51.2 TB for BM, 6.4-25.6 TB for VM | 50 GB to 32 TB/vol, 32 vols/instance | Up to 8 exabytes | 10 TB/object | 10 TB/object
Use cases | Big Data, OLTP, high performance workloads | Apps that require SAN-like features (Oracle DB, VMware, Exchange) | Apps that require a shared file system (EBS, HPC) | Unstructured data incl. logs, images, videos | Long-term archival and backups (Oracle DB backups)


File Storage Service – Use Cases
• EBS / Oracle Applications lift and shift
• General purpose file systems
• Big Data and analytics
• HPC scale-out apps
• Test/dev databases
• Microservices and containers


File Storage Service: Features
• AD-local service, available in all OCI regions and availability domains
• Supports NFS v3
• Network Lock Management (NLM) for file locking
• Full POSIX semantics
• Data protection: snapshot capabilities; 10,000 snapshots per file system
• Security: 128-bit data-at-rest encryption for all file systems and metadata
• Console management, APIs, CLI, data-path commands, and Terraform
• Create 100 file systems and 2 mount targets per AD per account


Mount Target
• NFS endpoint that lives in the subnet of your choice; AD-specific.
• A mount target has an IP address and DNS name that you can use in your mount command, for example 10.0.0.6.
• It requires three private IP addresses in the subnet. Do not use /30 or smaller subnets for FSS: OCI also reserves the first two and the last address of every subnet, so a /30 leaves a single usable address.
• Two of the IP addresses are used during mount target creation; the third IP is used for HA.

Figure: an OCI region with two availability domains inside VCN 10.0.0.0/16; NFS clients in subnet 10.0.0.0/24 (AD-1) and subnet 10.0.1.0/24 (AD-2).


Mount Target
• Placing NFS clients and the mount target in the same subnet can result in IP conflicts, as users are not shown which private IPs are used by the mount target.
• Place the FSS mount target in its own subnet, where it can consume IPs as it needs.

Figure: VCN 10.0.0.0/16 spanning AD-1 and AD-2, with the mount target subnet labelled 10.0.0.0/24 and NFS clients in 10.0.0.0/24 and 10.0.1.0/24.


File System
• Primary resource for storing files in FSS
• To access your file systems, you create a new (or use an existing) mount target
• 100 file systems per mount target
• AD-specific
• Accessible from OCI VM/BM instances
• Accessible from on-premises through FastConnect/VPN

Figure: VCN 10.0.0.0/16 spanning AD-1 and AD-2, the mount target subnet 10.0.0.0/24, and NFS clients in 10.0.0.0/24 and 10.0.1.0/24.


FSS Paths
• Export path: the unique path specified when the file system is associated with a mount target during creation.
• No two file systems associated with the same mount target can have overlapping export paths. (For example, paths such as /example and /example/path are not allowed.)

Figure: mount target (NFS endpoint) 10.0.0.6 with Export Path 1: /example1/path and Export Path 2: /example2/path.

• The export path, along with the mount target IP address, is used to mount the file system on an instance:
  – sudo mount 10.0.0.6:/example1/path /mnt/mountpointA
  – sudo mount 10.0.0.6:/example2/path /mnt/mountpointB
  – /mnt/mountpointA and /mnt/mountpointB are paths to the directories on the NFS client instance on which the external file systems are mounted.
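The overlap rule above is easy to get wrong with a plain string-prefix test, which would reject /example next to /examples. The checker below is an added example, not part of the Oracle course material: it compares export paths component by component, so only a path that is equal to or an ancestor of another counts as overlapping. The paths it is run on are constructed for illustration.

```python
# Added example, not part of the Oracle course material: a checker for the rule
# that two file systems on one mount target may not have overlapping export
# paths. Paths are compared component by component, which is what makes
# /example and /examples acceptable while /example and /example/path are not;
# a plain string-prefix test would get the first pair wrong. The paths below
# are constructed for illustration.
from pathlib import PurePosixPath


def components(export_path):
    """Split an absolute export path into its components, rejecting relative
    paths and '..' segments rather than guessing at what was meant."""
    path = PurePosixPath(export_path)
    if not path.is_absolute():
        raise ValueError(f"export path must be absolute: {export_path!r}")
    body = tuple(path.parts[1:])      # parts[0] is the root
    if ".." in body:
        raise ValueError(f"export path may not contain '..': {export_path!r}")
    return body


def overlaps(path_a, path_b):
    """True when one path equals or is an ancestor of the other ('/' overlaps everything)."""
    a, b = components(path_a), components(path_b)
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def find_conflicts(export_paths):
    """All pairs of export paths that could not coexist on one mount target."""
    return [(x, y) for i, x in enumerate(export_paths)
            for y in export_paths[i + 1:] if overlaps(x, y)]


if __name__ == "__main__":
    # The slide's two valid exports, then the pair the slide says is not allowed.
    print(find_conflicts(["/example1/path", "/example2/path"]))
    print(find_conflicts(["/example", "/examples", "/example/path"]))
```

Trailing slashes and repeated separators are normalised by PurePosixPath, so /example/path/ and /example/path are treated as the same export.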


Mounting an OCI File System
• Launch an OCI instance from the console.
• Use the NFSv3 protocol to mount the target FSS volume.
• Install nfs-utils (Oracle Linux and CentOS) or nfs-common (Ubuntu) on your Linux system.
• Create a directory.
• On the FSS console, click Mount Targets. Use the private IP address information to mount the volume using the mount command:

  opc@node01:~$ sudo mkdir -p /<user's target directory>
  opc@node01:~$ sudo mount <IPaddress>:<path-name> /<user's target directory>

  For example:

  opc@node01:~$ sudo yum install nfs-utils
  opc@node01:~$ sudo mkdir -p /mnt/nfs
  opc@node01:~$ sudo mount 10.0.0.3:/fss-shared /mnt/nfs

NOTE: We recommend not passing mount options, to achieve the best performance with File Storage Service. This approach leaves it to the client and server to negotiate the window size for read and write operations.


File Storage Service Security


Security
Four distinct and separate layers of security, each with its own authorization entities and methods, to consider when using FSS:

Security layer | Uses these | To control actions like these
IAM Service | OCI users, policies | Creating instances (NFS clients) and FSS VCNs; creating, listing, and associating file systems and mount targets
Security Lists | CIDR blocks | Connecting the NFS client instance to the mount target
Export Options | Export options, CIDR blocks | Applying access control per file system based on source IP CIDR blocks; bridges the Security Lists layer and the NFS v3 Unix Security layer
NFS v3 Unix Security | Unix users | Mounting file systems (1), reading and writing files, file access security

(1) When mounting file systems, don't use mount options such as nolock, rsize, or wsize. These options cause issues with performance and file locking.
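The mounting slide and footnote (1) both warn against nolock, rsize and wsize. The script below is an added example, not part of the Oracle course material: it scans fstab-style entries and reports NFS mounts of a given File Storage mount target that still carry those options, leaving other NFS servers alone. The fstab text is constructed for illustration; 10.0.0.6 is the slide's example mount target address.

```python
# Added example, not part of the Oracle course material: a check over
# /etc/fstab-style entries for NFS mounts of a File Storage mount target that
# carry the options the slides advise against (nolock, rsize, wsize). Only
# entries pointing at the given mount target address are considered, so
# unrelated NFS servers with their own tuning are left alone. The fstab text
# is constructed for illustration; 10.0.0.6 is the slide's example mount target.
DISCOURAGED = {"nolock", "rsize", "wsize"}


def parse_fstab(text):
    """Return dicts for the data lines of an fstab; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:          # need source, mountpoint, type and options
            continue
        source, mountpoint, fstype, options = fields[:4]
        entries.append({"source": source, "mountpoint": mountpoint, "fstype": fstype,
                        "options": [o for o in options.split(",") if o]})
    return entries


def discouraged_options(options):
    """Options whose name is in DISCOURAGED, kept with their value (rsize=... counts)."""
    return [o for o in options if o.split("=", 1)[0] in DISCOURAGED]


def audit_fstab(text, mount_target_ip):
    """(mountpoint, offending options) for FSS mounts that override the
    client/server negotiation the slides want left alone."""
    findings = []
    for entry in parse_fstab(text):
        host = entry["source"].split(":", 1)[0]
        if not entry["fstype"].startswith("nfs") or host != mount_target_ip:
            continue
        bad = discouraged_options(entry["options"])
        if bad:
            findings.append((entry["mountpoint"], bad))
    return findings


# Constructed sample: one clean FSS mount, one tuned FSS mount, one foreign server.
SAMPLE_FSTAB = """\
# <source>               <mountpoint>      <type> <options>                                  <dump> <pass>
UUID=1111-2222           /                 xfs    defaults                                   0 0
10.0.0.6:/example1/path  /mnt/mountpointA  nfs    defaults,_netdev,nofail                    0 0
10.0.0.6:/example2/path  /mnt/mountpointB  nfs    nolock,rsize=1048576,wsize=1048576,_netdev 0 0
192.168.1.9:/legacy      /mnt/legacy       nfs    nolock,_netdev                             0 0
"""

if __name__ == "__main__":
    for mountpoint, bad in audit_fstab(SAMPLE_FSTAB, "10.0.0.6"):
        print(f"{mountpoint}: drop {', '.join(bad)}")
```

Run against the real /etc/fstab by reading the file into audit_fstab with the mount target's private IP; mounts already active can be checked the same way from the output of mount, since its option field uses the same comma-separated form.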


Security Lists
A security list can be used as a virtual firewall to prevent NFS clients from mounting an FSS mount target (even in the same subnet). FSS needs:

• Stateful ingress TCP ports 111 and 2048-2050
• Stateful ingress UDP ports 111 and 2048
• Opening these ports enables traffic from Solaris, Linux, and Windows NFS clients

Type | Source CIDR | Protocol | Source Port | Dest Port
Ingress | 10.0.0.0/24 (1) | TCP | All | 2048-2050
Ingress | 10.0.0.0/24 | TCP | All | 111
Ingress | 10.0.0.0/24 | UDP | All | 2048
Ingress | 10.0.0.0/24 | UDP | All | 111

(1) For all subnets within the VCN (e.g. 10.0.1.0/24) to access the file system, change the source CIDR to 10.0.0.0/16; all rules are stateful.

Figure: VCN 10.0.0.0/16 spanning AD-1 and AD-2, the mount target subnet 10.0.0.0/24, and NFS clients in 10.0.0.0/24 and 10.0.1.0/24.


Export Option
• A security list is an all-or-nothing approach: the client either can or cannot access the mount target, and therefore all file systems associated with it.
• In a multi-tenant environment, using NFS export options, you can limit clients' ability to connect to the file system and view or write data.
• An export controls how NFS clients access file systems; the information stored in an export includes the file system OCID, the export path, and the client access options.
• When you create a file system and associated mount target, the NFS export options for that file system are set to allow full access for all NFS clients:
  – Source: 0.0.0.0/0 (All)
  – Require Privileged Source Port: False
  – Access: Read_Write
  – Identity Squash: None

Tighten these defaults before exposing the mount target: with Identity Squash set to None, a root user on any client that can reach the mount target acts as root on the file system.


Export Option
• Client X, assigned to 10.0.0.0/24, requires read/write access to file system A, but not to file system B.
• Client Y, assigned to 10.0.1.0/24, requires read access to file system B, but no access to file system A.
• Both file systems A and B are associated with a single mount target.

Figure: mount target subnet 10.0.2.0/24 holding file systems A and B; Client X in 10.0.0.0/24 and Client Y in 10.0.1.0/24; VCN 10.0.0.0/16.

oci fs export update --export-id <FS_A_export_ID> --export-options '[{"source":"10.0.0.0/24","require-privileged-source-port":"true","access":"READ_WRITE","identity-squash":"NONE","anonymous-uid":"65534","anonymous-gid":"65534"}]'

oci fs export update --export-id <FS_B_export_ID> --export-options '[{"source":"10.0.1.0/24","require-privileged-source-port":"true","access":"READ_ONLY","identity-squash":"NONE","anonymous-uid":"65534","anonymous-gid":"65534"}]'

Export options are evaluated in order and the first entry whose source contains the client's address applies; a client whose address matches no entry is denied. Because each export above lists only one source CIDR, Client Y is denied on file system A and Client X is denied on file system B without any further rules.
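The Security Lists slide and the two Export Option slides describe two layers that a client must pass in turn: the subnet security list decides whether the NFS ports are reachable at all, and the export options then decide what the matching file system grants. The model below is an added example, not part of the Oracle course material or the OCI SDK: it encodes both layers for the slide scenario (security list opened to the whole VCN, file system A exported to Client X's subnet, file system B read-only to Client Y's) and computes the effective access per client. Export options are evaluated first-match-wins with a default deny, as the slide describes. Beyond the slide, it adds a client Z elsewhere in the VCN and a client W outside it, and an audit that flags the default 0.0.0.0/0 READ_WRITE export with no identity squash. All addresses and option lists are constructed; nothing here talks to OCI.

```python
# Added example, not part of the Oracle course material: a model of the two
# network-facing FSS security layers from the slides (subnet security list,
# then per-export NFS export options) that computes the effective access a
# given NFS client ends up with. All addresses, CIDRs and export lists are
# constructed to mirror the slide scenario; they are not live OCI resources.
import ipaddress
from dataclasses import dataclass

# Ports the slides say the mount target needs on ingress:
# TCP 111 and 2048-2050, UDP 111 and 2048.
NFS_PORTS = [("tcp", 111, 111), ("tcp", 2048, 2050),
             ("udp", 111, 111), ("udp", 2048, 2048)]


@dataclass(frozen=True)
class IngressRule:
    source: str      # source CIDR admitted by the rule
    protocol: str    # "tcp" or "udp"
    port_lo: int     # destination port range, inclusive
    port_hi: int


@dataclass(frozen=True)
class ExportOption:
    source: str                                  # client CIDR this entry covers
    access: str = "READ_WRITE"                   # READ_WRITE or READ_ONLY
    identity_squash: str = "NONE"                # NONE, ROOT or ALL
    require_privileged_source_port: bool = False


def nfs_security_list(source_cidr):
    """Stateful ingress rules for the mount target subnet, scoped to source_cidr."""
    return [IngressRule(source_cidr, proto, lo, hi) for proto, lo, hi in NFS_PORTS]


def _in(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_admits(rules, client_ip, protocol, port):
    return any(r.protocol == protocol and r.port_lo <= port <= r.port_hi
               and _in(r.source, client_ip) for r in rules)


def can_reach_mount_target(rules, client_ip):
    """NFS needs every port in the set open, not just one of them."""
    return all(rule_admits(rules, client_ip, proto, port)
               for proto, lo, hi in NFS_PORTS for port in range(lo, hi + 1))


def effective_access(export_options, client_ip):
    """Entries are evaluated in order; the first whose source contains the
    client applies, and a client matching no entry is denied."""
    for opt in export_options:
        if _in(opt.source, client_ip):
            return opt.access
    return "DENIED"


def audit_export(export_options):
    """Flag what a reviewer would question in an export: world-reachable
    read/write entries and entries that let a client's root stay root."""
    findings = []
    for i, opt in enumerate(export_options):
        if ipaddress.ip_network(opt.source, strict=False).prefixlen == 0 \
                and opt.access == "READ_WRITE":
            findings.append(f"entry {i}: {opt.source} grants READ_WRITE to any client")
        if opt.identity_squash == "NONE":
            findings.append(f"entry {i}: identity squash NONE, client root is root on the share")
    return findings


# The defaults a newly created file system gets (from the slide).
DEFAULT_EXPORT = [ExportOption("0.0.0.0/0", "READ_WRITE", "NONE", False)]

# The slide scenario: security list opened to the whole VCN, file system A for
# client X's subnet, file system B read-only for client Y's subnet.
MOUNT_TARGET_RULES = nfs_security_list("10.0.0.0/16")
FS_A_EXPORT = [ExportOption("10.0.0.0/24", "READ_WRITE", "NONE", True)]
FS_B_EXPORT = [ExportOption("10.0.1.0/24", "READ_ONLY", "NONE", True)]

# Constructed client addresses: X and Y from the slide, Z elsewhere in the VCN,
# W outside the VCN entirely.
CLIENTS = {"X": "10.0.0.15", "Y": "10.0.1.15", "Z": "10.0.3.9", "W": "192.168.5.5"}


def access_matrix(rules=MOUNT_TARGET_RULES, clients=CLIENTS):
    """Per client: what each export grants, or that the security list stops it first."""
    matrix = {}
    for name, ip in clients.items():
        if not can_reach_mount_target(rules, ip):
            matrix[name] = {"fs_a": "BLOCKED_BY_SECURITY_LIST",
                            "fs_b": "BLOCKED_BY_SECURITY_LIST"}
            continue
        matrix[name] = {"fs_a": effective_access(FS_A_EXPORT, ip),
                        "fs_b": effective_access(FS_B_EXPORT, ip)}
    return matrix


if __name__ == "__main__":
    for client, access in access_matrix().items():
        print(client, access)
    print("default export findings:", audit_export(DEFAULT_EXPORT))
```

Two things the matrix makes visible that the commands alone do not: client Z can reach the mount target but is denied by both exports, which is the default-deny behaviour the narrow source CIDRs rely on, and if the security list were scoped to 10.0.0.0/24 as on the earlier slide, Client Y would be stopped before its export options were ever consulted.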


File Storage Service Snapshots


File Storage Service Snapshot
• Snapshots provide a read-only, space-efficient, point-in-time backup of a file system.
• Snapshots are created under the root folder of the file system, in a hidden directory named .snapshot.
• You can take up to 10,000 snapshots per file system.
• You can restore a file within the snapshot, or an entire snapshot, using the cp or rsync command:
  – cp -r .snapshot/snapshot_name/* destination_directory_name
  Note that the * glob does not match dot-files at the top level of the snapshot; copying the snapshot directory itself with rsync avoids missing them.
• If nothing has changed within the target file system and you take a snapshot, it does not consume any additional storage.
• Because a snapshot lives inside the file system it protects, it guards against accidental deletion or corruption but not against loss of the file system or its availability domain; copy data elsewhere for that.


Summary
In this lesson, you should have learned that:

• OCI File Storage Service provides a fully managed, elastic, durable, distributed, enterprise-grade network file system
• FSS supports NFS v3, snapshots, and default data-at-rest encryption
• FSS is highly scalable (exabytes) and performant
• FSS supports four distinct and separate layers of security, each with its own authorization entities and methods


Level 100
Database
Oracle Cloud Infrastructure
Sanjay Narvekar
13
Objectives
After completing this lesson, you should be able to:
• Describe the options of database systems available with Oracle Cloud Infrastructure
• Describe the features of Database Service
• Launch a one-node database system


OCI Database Service
• Mission-critical, enterprise-grade cloud database service with comprehensive offerings to cover all enterprise database needs
  – Exadata, RAC, Bare Metal, VM
• Complete lifecycle automation
  – Provisioning, patching, backup and restore
• High availability and scalability
  – RAC and Data Guard
  – Dynamic CPU and storage scaling
• Security
  – Infrastructure (IAM, security lists, audit logs)
  – Database (TDE, encrypted RMAN backup, Block Volume encryption)
• OCI platform integration
  – Tagging, Limits and Usage integration
• Bring Your Own License (BYOL)

Figure: the four deployment options, Exadata, RAC, Bare Metal, and Virtual Machine.


Virtual Machine (VM) Database (DB) Systems
• There are two types of DB systems on virtual machines:
  – A 1-node VM DB system consists of one VM.
  – A 2-node VM DB system consists of two VMs clustered with RAC enabled.
• VM DB systems can have only a single database home, which in turn can have only a single database.
• The amount of memory allocated to the VM DB system depends on the VM shape selected during the provisioning process.
• The size of storage is specified when you launch a VM DB system, and you can scale up the storage as needed at any time.
• The number of CPU cores on an existing VM DB system cannot be changed.
• If you are launching a DB system with a virtual machine shape, you have the option of selecting an older database version. Check Display all database versions to include older database versions in the drop-down list of database version choices.
• When a 2-node RAC VM DB system is provisioned, the system assigns each node to a different fault domain by default.
• Data Guard within and across ADs is available for VM DB systems (requires DB Enterprise Edition).


VM DB Systems Storage Architecture
• ASM relies on OCI Block Volume (based on NVMe) for mirroring data.
• Block volumes are mounted using iSCSI.
• ASM uses external redundancy, relying on the triple mirroring of Block Storage.
• Different Block Storage volumes are used for DATA and RECO.
• Monitors the disks for hard and soft failures.
• These actions ensure the highest level of availability and performance at all times.
• This storage architecture is required for VM RAC DB systems.

Figure: ASM disk groups +DATA and +RECO on top of Block Storage.


VM DB Systems Storage Architecture – Fast Provisioning Option

• Linux Logical Volume Manager manages the file systems used by the database for storing database files, redo logs, etc.
• Block volumes are mounted using iSCSI.
• The available storage value you specify during provisioning determines the maximum total storage available through scaling.**
• VM RAC DB systems cannot be deployed using this option.
• Currently supports Oracle Database 18c and 19c releases.

Figure: ext4 file system mounts /u01 (BITS), /u02 (DATA) and /u03 (RECO) on logical volumes, on volume groups on the VM, on physical volumes on the VM, on Block Storage.

** Please refer to https://docs.cloud.oracle.com/iaas/Content/Database/References/fastprovisioningstorage.htm for more information.


Bare Metal DB Systems
• Bare Metal DB Systems rely on Bare Metal servers running Oracle Linux.
• One-node database system:
  – Single Bare Metal server
  – Locally attached 51 TB NVMe storage (raw)
  – Start with 2 cores and scale OCPUs up or down based on requirements
  – Data Guard within and across ADs (requires DB Enterprise Edition)
  – If the single node fails, launch another system and restore the databases from current backups

Figure: Bare Metal Server X7 stack: Oracle Database; ASM for 12c+, ACFS for 11g; DB Management Agent; Oracle Linux 6.8; 52 CPU cores; 768 GB RAM; 51 TB NVMe raw.


Bare Metal DB Systems: Storage Architecture
• ASM manages mirroring of NVMe disks.
• Disks are partitioned: one partition for DATA and one for RECO.
• Monitors the disks for hard and soft failures.
• Proactively offlines disks that have failed, are predicted to fail, or are performing poorly, and performs corrective actions if possible.
• On disk failure, the DB system automatically creates an internal ticket and notifies the internal team to contact the customer.
• These actions ensure the highest level of availability and performance at all times.

Figure: ASM disk groups +DATA and +RECO on NVMe.


Exadata DB Systems
• Full Oracle Database with all advanced options
• On the fastest and most available database cloud platform
  – Scale-out compute, scale-out storage, InfiniBand, PCIe flash
  – Complete isolation of tenants with no overprovisioning
• All benefits of public cloud
  – Fast, elastic, web-driven provisioning
  – Oracle experts deploy and manage infrastructure


Exadata DB Systems
• Oracle manages the Exadata infrastructure: servers, storage, networking, firmware, hypervisor, etc.
• You can specify zero cores when you launch Exadata; this provisions and immediately stops the Exadata system.
• You are billed for the Exadata infrastructure for the first month, and then by the hour after that. Each OCPU you add to the system is billed by the hour from the time you add it.
• Scaling from a quarter to a half rack, or from a half to a full rack, requires that the data associated with the database deployment be backed up and restored on a different Exadata DB system.

Resource | Base System | Quarter Rack X6 | Quarter Rack X7 | Half Rack X6 | Half Rack X7 | Full Rack X6 | Full Rack X7
Number of compute nodes | 2 | 2 | 2 | 4 | 4 | 8 | 8
Total minimum (default) number of enabled CPU cores | 0 | 22 | 0 | 44 | 0 | 88 | 0
Total maximum number of enabled CPU cores | 48 | 84 | 92 | 168 | 184 | 336 | 368
Total RAM capacity | 720 GB | 1440 GB | 1440 GB | 2880 GB | 2880 GB | 5760 GB | 5760 GB
Number of Exadata storage servers | 3 | 3 | 3 | 6 | 6 | 12 | 12
Total raw flash storage capacity | 38.4 TB | 38.4 TB | 76.8 TB | 76.8 TB | 153.6 TB | 153.6 TB | 307.2 TB
Total raw disk storage capacity | 252 TB | 288 TB | 360 TB | 576 TB | 720 TB | 1152 TB | 1440 TB
Total usable storage capacity | 74.8 TB | 84 TB | 106 TB | 168 TB | 212 TB | 336 TB | 424 TB


Exadata DB Systems: Storage Architecture
• Backups provisioned on Exadata storage: ~40% of the available storage space is allocated to the DATA disk group and ~60% to the RECO disk group.
• Backups not provisioned on Exadata storage: ~80% of the available storage space is allocated to the DATA disk group and ~20% to the RECO disk group.
• After the storage is configured, the only way to adjust the allocation without reconfiguring the whole environment is by submitting a service request to Oracle.

Figure: ASM disk groups +DATA and +RECO on local storage, shown for the case when backups are provisioned on Exadata storage.


DB Systems – VM, BM, Exadata
Capability | Virtual Machine (VM) | Bare Metal (BM) | Exadata
Scaling | Storage (number of CPU cores on a VM DB system cannot be changed) | CPU (amount of available storage cannot be changed) | CPU can be scaled within a quarter, half or full rack; storage cannot be scaled
Multiple Homes/Databases | No, single DB and Home only** | Yes | Yes (one edition, but different versions possible)
Storage | Block Storage | Local NVMe disks | Local spinning disks and NVMe flash cards
Real Application Clusters (RAC) | Available (2-node) | Not available | Available
Data Guard | Available | Available | Available*

* You can manually configure Data Guard on Exadata DB systems using native Oracle Database utilities and commands. dbcli is not available on Exadata DB systems.
** The database can be a container database with multiple pluggable databases, if the edition is High Performance or Extreme Performance.


Database Editions and Versions
Edition | VM DB Systems | BM DB Systems | Exadata DB Systems
Standard Edition | Yes | Yes | No
Enterprise Edition | Yes | Yes | No
High Performance | Yes | Yes | No
Extreme Performance | Yes | Yes | Yes
BYOL | Yes (all three)

DB versions: 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1.0.0, 19.3*

* Note that Oracle Database 19c is only available on VM DB and Exadata DB Systems (as of September 2019).


Database Editions and Options
Standard Edition:
• Full database instance
• Includes Transparent Data Encryption

Enterprise Edition adds:
• All standard EE features
• Data Masking and Subsetting
• Diagnostics and Tuning
• Real Application Testing

EE High Performance adds:
• Multitenant
• Partitioning
• Advanced Compression
• Advanced Security, Label Security, Database Vault
• OLAP, Advanced Analytics, Spatial and Graph
• Management Packs

EE Extreme Performance adds:
• Real Application Clusters (RAC)
• In-Memory
• Active Data Guard

Note that all editions include Oracle Database Transparent Data Encryption (TDE).


Managing DB Systems
You can use the console to perform the following tasks:

• Launch a DB system: you can create a database system.
  – Status check: you can view the status of your database creation and, after that, the runtime status of the database.
• Start, stop, or reboot DB systems.
  – Billing continues in the stopped state for BM DB systems (but not for VM DB systems).
• Scale CPU cores: scale up the number of enabled CPU cores in the system (BM DB systems only).
• Scale up storage: increase the amount of Block Storage with no impact (VM DB systems only).
• Terminate: terminating a DB system permanently deletes it and any databases running on it.


Patching DB Systems
• Automated applicable patch discovery: Automatic patch discovery and pre-flight checks/tests.
• On-demand patching: N-1 patching (the previous patch is available if it hasn't been applied), pre-check and patching at the click of a button.
• Availability during patching: For Exadata and RAC shapes, patches are rolling. For single-node systems, if Active Data Guard is configured, it can be leveraged by the patch service.
• Two-step process: Patching is a two-step process, one for the DB System and one for the database. The DB System must be patched before the database is patched.
• Identity and Access Controls: Granular permissions make it possible to control who can list patches, apply them, etc.

Oracle Cloud Infrastructure Administration Essentials 13 - 16


Backup / Restore
• Manage the backup and restore feature for VM/BM DB Systems; the Exadata backup process requires creating a backup config file
• Backups are stored in Object or Local storage (recommended: Object Storage for high durability)
• DB Systems in private subnets can leverage the Service Gateway
• Backup options
  – Automatic incremental: runs once a day and repeats the cycle every week; retained for 30 days
  – On-demand, standalone/full backups
• Restore a DB

Oracle Cloud Infrastructure Administration Essentials 13 - 17


Automatic Backups
• By default, automatic backups are written to Oracle-owned Object Storage. (Customers will not be able to view the object store backups.)
• The default policy cannot be changed at this time.
• Automatic backups enabled for the first time after November 20, 2018 on any database will run between midnight and 6:00 AM in the time zone of the DB system's region.
• You can optionally specify a 2-hour scheduling window for your database during which the automatic backup process will begin.
• These are the preset retention periods for automatic backups: 7 days, 15 days, 30 days, 45 days and 60 days.
• Backup jobs are designed to be automatically retried.
• Oracle automatically gets notified if a backup job is stuck.
• All backups to cloud Object Storage are encrypted.
• Link to troubleshooting backup issues: https://docs.us-phoenix-1.oraclecloud.com/Content/Database/Troubleshooting/Backup/backupfail.htm

Oracle Cloud Infrastructure Administration Essentials 13 - 18


High Availability and Scalability
• Robust Infrastructure
  ‒ Region with 3 Availability Domains architecture
  ‒ Fully redundant and non-blocking networking fabric
  ‒ 2-way or 3-way mirrored storage for the database
  ‒ Redundant InfiniBand fabric (Exadata) for cluster networking
• Database options to enable HA
  ‒ Database RAC option in VMs and Exadata
  ‒ Automated Data Guard within and across ADs
• Dynamic CPU and storage scaling

Oracle Cloud Infrastructure Administration Essentials 13 - 19


Oracle Data Guard
• Robust Infrastructure
• Supported on both Virtual Machine and Bare Metal DB Systems.
• Limited to one Standby database per Primary database on OCI.
• Standby database used for queries, reports, test, or backups (only with Active Data Guard)
• Switchover
  – Planned role reversal, never any data loss
  – No database re-instantiation required
  – Used for database upgrades, tech refresh, data center moves, etc.
  – Manually invoked via Enterprise Manager, DGMGRL, or SQL*Plus
• Failover
  – Unplanned failure of the Primary
  – Flashback Database used to reinstate the original Primary
  – Manually invoked via Enterprise Manager, DGMGRL, or SQL*Plus
  – May also be done automatically: Fast-Start Failover

Oracle Cloud Infrastructure Administration Essentials 13 - 20


OCI Security Features: Overview for Database Service
Security capability                        Features
Instance security isolation                BM DB Systems
Network security and access control        VCN, Security Lists, VCN public and private subnets, Route Table, Service Gateway
Secure and highly available connectivity   DRGs, VPN and FastConnect
User authentication & authorization        IAM tenancy, compartments and security policies, console password, API signing key, SSH keys
Data encryption                            DBaaS TDE, RMAN encrypted backups, Local Storage and Object Storage encryption at rest
End-to-end TLS                             LBaaS with TLS 1.2, customer-provided certificates
Auditing                                   OCI API audit logs

Oracle Cloud Infrastructure Administration Essentials 13 - 21


Pricing – Virtual Machines
Virtual Machines                                           Metric      Pay as You Go   Monthly Flex
Database Standard Edition                                  OCPU Hour   $0.4032         $0.2688
Database Enterprise Edition                                OCPU Hour   $0.8064         $0.5376
Database Enterprise Edition High Performance               OCPU Hour   $1.6634         $1.1089
Database Enterprise Edition Extreme Performance            OCPU Hour   $2.5202         $1.6801
BYOL - Database All Editions - Additional Capacity - BYOL  OCPU Hour   $0.2903         $0.1935

*Prices in USD, pricing information as of June 19, 2019. Please refer to https://www.oracle.com/database/vm-cloud-pricing.html for current pricing information

Oracle Cloud Infrastructure Administration Essentials 13 - 22


Pricing – Bare Metal X7 – License Included
Bare Metal | BM.DenseIO2.52 X7 Server                          Metric                        Pay as You Go   Monthly Flex
Standard Edition, 2 OCPU DB License (8 Max for Standard)       Hosted Environment Per Hour   $10.746         $7.1640
Enterprise Edition, 2 OCPUs enabled                            Hosted Environment Per Hour   $11.5524        $7.7016
Enterprise Edition High Performance, 2 OCPUs enabled           Hosted Environment Per Hour   $13.2661        $8.8441
Enterprise Edition Extreme Performance, 2 OCPUs enabled        Hosted Environment Per Hour   $14.9798        $9.9865
Additional OCPUs - DB Standard Edition                         OCPU Per Hour                 $0.4032         $0.2688
Additional OCPUs - DB Enterprise Edition                       OCPU Per Hour                 $0.8064         $0.5376
Additional OCPUs - DB Enterprise Edition High Performance      OCPU Per Hour                 $1.6634         $1.1089
Additional OCPUs - DB Enterprise Edition Extreme Performance   OCPU Per Hour                 $2.5202         $1.6801

Additional OCPUs added must be in multiples of 2

*Prices in USD, pricing information as of June 19, 2019. Please refer to https://www.oracle.com/database/bare-metal-cloud-pricing.html for current pricing information

Oracle Cloud Infrastructure Administration Essentials 13 - 23


Pricing – Bare Metal X7 – Bring Your Own License (BYOL)

Bare Metal | BM.DenseIO2.52 X7 Database License                            Metric                        Pay as You Go   Monthly Flex
Database All Editions – BYOL (2 enabled OCPUs, 2 OCPU BYOL)                Hosted Environment Per Hour   $10.5202        $7.0135
Database All Editions – Additional Capacity – BYOL                         OCPU Per Hour                 $0.2903         $0.1935

Additional OCPUs added must be in multiples of 2, Max 8 OCPUs for DB Standard Edition

*Prices in USD, pricing information as of June 19, 2019. Please refer to https://www.oracle.com/database/bare-metal-cloud-pricing.html for current pricing information

Oracle Cloud Infrastructure Administration Essentials 13 - 24


Pricing - Exadata
                                    Metric                        Monthly Flex (X6)   Monthly Flex (X7)
Base System                         Hosted environment per hour   NA                  $20.1613**
Quarter Rack                        Hosted environment per hour   $63.8441            $26.8817**
Half Rack                           Hosted environment per hour   $127.6882           $53.7634**
Full Rack                           Hosted environment per hour   $255.3763           $107.5269**
Additional OCPUs per month          OCPU hour                     $1.6801             $1.6801

                                    Metric                        Monthly Flex (X6)   Monthly Flex (X7)
Base System                         Hosted environment per hour   NA                  $20.1613**
Quarter Rack – BYOL                 Hosted environment per hour   $33.9785            $26.8817**
Half Rack – BYOL                    Hosted environment per hour   $67.957             $53.7634**
Full Rack – BYOL                    Hosted environment per hour   $135.914            $107.5269**
Additional OCPUs per month – BYOL   OCPU hour                     $0.3226             $1.6801

*Pricing information as of June 19, 2019. Please refer to https://www.oracle.com/database/exadata-cloud-service-pricing.html for current pricing information
** 0 enabled OCPUs

Exadata Cloud Service shapes are charged a minimum of 744 hours for the first month of the cloud service, whether or not you are actively using it, and whether or not you terminate that cloud service prior to using the entire 744 hours. For ongoing use of the same instance after the first month, you will be charged for all active hours. Additional OCPUs are billed for active hours for the first month and for ongoing use.

Exadata infrastructure costs are the same for BYOL as for PAYG on the X7 shapes.

Oracle Cloud Infrastructure Administration Essentials 13 - 25


Summary
In this lesson, you should have learned how to:

• Describe the options of database systems available with Oracle Cloud Infrastructure
• Describe the features of Database Service
• Launch a one-node database system

Oracle Cloud Infrastructure Administration Essentials 13 - 26


Oracle Cloud Infrastructure Autonomous Database
Level 100
Sanjay Narvekar

Objectives
After completing this lesson, you should be able to:

• Compare Autonomous Database (ADB) with DB System Cloud offerings in OCI
• Describe the features of Autonomous Data Warehouse Cloud - Serverless, Autonomous Data Warehouse Cloud - Dedicated, Autonomous Transaction Processing - Serverless, and Autonomous Transaction Processing - Dedicated
• Describe how to deploy, use, and manage ADB

Oracle Cloud Infrastructure Administration Essentials 14 - 2


Autonomous Database
• All database operations fully automated
• User runs SQL, no access to OS or CDB
• Exadata performance and availability
• Customizable for DW or TP workload
  – Serverless: Ultra-simple & elastic
  – Dedicated: Customizable private cloud

Automated DB Services
• Database lifecycle automation provided
• User operates, has DBA and OS root access
• Runs older database versions
• ALL database features (e.g. Java, etc.)
  – ExaCS: Scale, performance, availability
  – DBCS: VM or bare metal, single server or RAC

Let us look at the deployment options for Oracle databases on OCI. We have two options – autonomous or automated.

Oracle Cloud Infrastructure Administration Essentials 14 - 3


Autonomous Database
• World's Best Fully Self-Driving Database
• Oracle Builds and Operates Exadata Infrastructure and Databases
• User runs SQL, no Access to OS or Container DB
Use cases: Cloud elasticity, Machine Learning, Self driving; Instant Provisioning, Always online operation; All workloads, JSON Documents, Graphs, and more

Oracle Database Cloud Services
• World's Best Automated Database Cloud
• Oracle Builds and Operates Infrastructure
• User Operates Databases Using Provided Lifecycle Automation
• User Has Full Control, including DBA and Root Access
Use cases: Availability, Flexible Version and Features, Small to Large DB deployment, Single Instance or RAC, Automated Backup, Patching, Customer controls

Exadata
• World's Best Database Platform
• Oracle Builds, Optimizes, and Automates Infrastructure
• All In-Database Automation Features Included
Use cases: Private/Public Cloud on-premise, Consolidation, Highest Performance, Scalability for Mission Critical Workload

Oracle Database
• World's Best Database
• Runs Anywhere
• User Builds and Operates Databases and Infrastructure
Use cases: Small to Big Database transactional needs as well as DWH needs, Customer Data Center, DIY model

Using the assessment as a guide, the next step is to create a detailed multi-phase cloud migration plan, with each phase focusing on the migration of specific subsets of related resources. This is also a good time to consider upgrading resources like databases and business applications, and purchasing any add-ons required for license portability to the cloud. Organizations typically break the migration process into phases based on one or more of the following criteria (check the slide bullet points).

Be sure to conduct test migrations with low-risk resources. This will help migration teams familiarize themselves with Oracle migration processes and identify any problems with the step-by-step plan for migration. There are many tools available for migrating databases, including GoldenGate Cloud Service, Oracle Recovery Manager (RMAN), and Oracle Data Guard. Visit Oracle's Migration Partners page to learn about available tools and third-party companies that help organizations execute successful migrations.

Oracle Cloud Infrastructure Administration Essentials 14 - 4


Autonomous Optimizations – Specialized by Workload

Autonomous Data Warehouse          Autonomous Transaction Processing
Columnar Format                    Row Format
Creates Data Summaries             Creates Indexes
Memory Speeds Joins, Aggs          Memory for Caching to Avoid IO

Both: Statistics updated in real-time while preventing plan regressions

Both ADW and ATP share the Autonomous Database platform of Oracle Database 18c on our Exadata Cloud infrastructure.

The difference is how the services have been optimized within the database. When you start loading data into the autonomous database, we store the data in the appropriate format for the workload.
• If it is ADW, then we store data in columnar format, as that is the best format for analytics processing.
• If it is ATP, then we store the data in row format, as that is the best format for fast single-row lookups.

Query optimization: For an analytics workload, we automatically parallelize the query execution to access large volumes of data in a short amount of time to answer business questions. If it is a transaction processing system, then we automatically detect missing indexes and create them for you. Regardless of the workload, we need to keep optimizer statistics current to ensure we get optimal execution plans.

With ADW we are able to achieve this by gathering statistics as part of all bulk load activities. With ATP, where data is added using more traditional insert statements, statistics are automatically gathered periodically.

As the data volumes change, or new access structures are created, there is the potential for an execution plan to change, and any change could result in a performance regression, so we use Oracle SQL Plan Management to ensure that plans only change for the better.

Oracle Cloud Infrastructure Administration Essentials 14 - 5


Autonomous Database – Choice of Cloud Deployment

                          DBaaS VM or Bare Metal      Exadata Cloud Service or Cloud @ Customer   Autonomous Serverless   Autonomous Dedicated
Management                Customer                    Customer                                    Oracle                  Oracle
Private Network           Yes                         Yes                                         No                      Yes
Single/Multi Tenant       Single/Multi                Single/Multi                                Single                  Single/Multi
Software Updates          Customer Initiated          Customer Initiated                          Automatic               Customer Policy Control
Private Cloud             No                          Yes                                         No                      Yes
Offers Availability SLA   No                          99.95%                                      SLO                     SLO
Database Versions         11g, 12c, 18c, 19c          11g, 12c, 18c, 19c                          18c                     19c
Disaster Recovery         Yes, across ADs & Regions   Yes, across ADs & Regions                   No                      No
Hybrid DR                 Yes                         Yes                                         No                      No
Consolidation             Yes                         Yes                                         No                      Yes

The journey to the Cloud can have many stages, and Autonomous Cloud is the same.

Some customers are embracing Cloud for new developments or doing legacy lift and shift, but other customers will have huge mixed implementations where parts of their systems are running on-premises and some are on Cloud.

Understanding where and how your customer might be using our data management solutions allows you to really scope out your Autonomous opportunity.

On the left we have the most manual implementations - more traditional on-premises installs either on commodity hardware or Exadata. This is the land of the traditional IT DBA doing maintenance, patching, upgrade, optimizations, the time-consuming stuff.

On the right we move through DBs running on our Cloud Infrastructure – the lift and shift opportunity, which is still a heavy DBA workload – and then gradually we move through our existing DB PaaS services – Exadata Cloud, C@C and DBCS – which start to introduce automation and management efficiencies to release DBA workloads into more interesting tasks.

And on the far right we end up at the new Autonomous Cloud services – where all of the benefits of reducing workload, risk, or freeing up DBAs come true.

All Database Cloud Service packages include Oracle Database Transparent Data Encryption.

Oracle Cloud Infrastructure Administration Essentials 14 - 6


Enterprise package includes the Oracle Database Enterprise Edition, Data Masking and Subsetting Pack,
Diagnostics and Tuning Packs, and Real Application Testing.

High Performance extends the Enterprise package with the following options: Multitenant, Partitioning,
Advanced Compression, Advanced Security, Label Security, Database Vault, OLAP, Advanced Analytics,
Spatial & Graph, Database Lifecycle Management Pack and Cloud Management Pack for Oracle
Database.

Extreme Performance package extends the High Performance package with the following options: RAC
(Real Application Clusters), In-Memory Database, Active Data Guard.

Oracle Cloud Infrastructure Administration Essentials 14 - 7


Autonomous Database Cloud Service – Deployment Options

• Oracle Autonomous Database can be deployed in two ways – dedicated and serverless.
• Dedicated deployment is a deployment choice that enables you to provision autonomous databases into their own dedicated Exadata cloud infrastructure, instead of a shared infrastructure with other tenants.
• With serverless deployment, the simplest configuration, you share the resources of an Exadata cloud infrastructure. You can quickly get started with no minimum commitment, enjoying quick database provisioning and independent scalability of compute and storage.
• Both deployment options are available for Autonomous Transaction Processing and Autonomous Data Warehouse.


Oracle Cloud Infrastructure Administration Essentials 14 - 8


Oracle Cloud Infrastructure Administration Essentials 14 - 9


Autonomous Database – Autonomous Data Warehouse & Autonomous Transaction Processing Serverless

Oracle Cloud Infrastructure Administration Essentials 14 - 10


Autonomous Database – Fully Managed
• Oracle automates end-to-end management of the autonomous database:
  – Provisioning new databases
  – Growing/shrinking storage and/or compute
  – Patching and upgrades
  – Backup and recovery
• Full lifecycle managed using the service console
  – Alternatively, can be managed via the command-line interface or REST API

Oracle Cloud Infrastructure Administration Essentials 14 - 11


Automated Tuning in Autonomous Database
"Load and go"

• Define tables, load data, run queries
  – No tuning required
  – No special database expertise required
  – No need to worry about tablespaces, partitioning, compression, in-memory, indexes, parallel execution
• Fast performance out of the box with zero tuning
• Simple web-based monitoring console
• Built-in resource-management plans

Autonomous Database does not require any tuning.

It is designed as a "load and go" service: you start the service, define tables, load data, and then run queries.

You do not need to consider any details about parallelism, partitioning, indexing, or compression. The service automatically configures the database for high-performance queries.

Oracle Cloud Infrastructure Administration Essentials 14 - 12


Autonomous Database – Fully Elastic
• Size the database to the exact compute and storage required.
  – Not constrained by fixed building blocks, no predefined shapes
• Scale the database on demand
  – Independently scale compute or storage
  – Resizing occurs instantly, fully online
• Shut off idle compute to save money
  – Restart instantly
• Auto scaling:
  – Enable auto scaling to allow Autonomous Database to use more CPU and IO resources automatically when the workload requires it.

Autonomous Database is a completely elastic service.

When you get started with Autonomous Database, simply specify the number of CPU cores and the storage capacity in TB for the database.

At any time, you can scale up or down the CPU core count or the storage capacity.

When you make resource changes for your Autonomous Database, the database resources automatically shrink or grow, without requiring any downtime or service interruptions.

Oracle Cloud Infrastructure Administration Essentials 14 - 13


Full Support of Database Ecosystem
Autonomous Database service supports:

• Existing tools, running on-premises or in the cloud
  – Third-party BI tools
  – Third-party data-integration tools
  – Oracle BI and data-integration tools: BIEE, ODI, etc.
• Oracle cloud services: Analytics Cloud Service, GoldenGate Cloud Service, Integration Cloud Service, and others
• Connectivity via SQL*Net, JDBC, ODBC

Autonomous Database is built upon the Oracle Database, so business intelligence applications and tools that support Oracle Database also support Autonomous Database.

These tools and applications connect to Autonomous Database using standard SQL*Net connections. The tools and applications can either be in your data center or in a public cloud.

Oracle Analytics Cloud and other Oracle Cloud services are preconfigured for Autonomous Data Warehouse.

Oracle Cloud Infrastructure Administration Essentials 14 - 14


Autonomous Data Warehouse: Architecture

Oracle Cloud Infrastructure Administration Essentials 14 - 15


Autonomous Transaction Processing: Architecture

Oracle Cloud Infrastructure Administration Essentials 14 - 16


Getting Started with Autonomous Database
• Provisioning an ADB database requires only answers to seven simple questions:
  – Database name?
  – Which data center (region)?
  – How many CPU cores?
  – How much storage capacity (in TBs)?
  – Admin password?
  – License type?
  – Enable auto scaling?
• New service created in a few minutes (regardless of size)
  – Database is open and ready for connections

Oracle Cloud Infrastructure Administration Essentials 14 - 17


Auto Scaling Autonomous Database
• Auto scaling allows Autonomous Database to automatically increase the number of CPU cores by up to three times the assigned CPU core count value, depending on demand for processing.
• The auto scaling feature reduces the number of CPU cores when additional cores are not needed.
• You can enable or disable auto scaling at any time.
• For billing purposes, the database service determines the average number of CPUs used per hour.

Figure: This picture shows how the ADW service automatically scales OCPUs up when there is demand for more computing power and then scales them down once the demand goes down.

Additional points:

For databases with up to 42 assigned cores, you can increase the maximum number of cores available through auto scaling by increasing the CPU core count value.

Enabling auto scaling does not change the concurrency and parallelism settings for the predefined services.

Oracle Cloud Infrastructure Administration Essentials 14 - 18


Securing Autonomous Database (ADB)
• Autonomous Database stores all data in encrypted format in the Oracle Database. Only authenticated users and applications can access the data when they connect to the database.
• Database clients use SSL/TLS 1.2 encrypted and mutually authenticated connections. This ensures that there is no unauthorized access to the ADB Cloud and that communications between the client and server are fully encrypted and cannot be intercepted or altered.
• Certificate-based authentication uses an encrypted key stored in a wallet on both the client (where the application is running) and the server (where your database service on the ADB Cloud is running). The key on the client must match the key on the server to make a connection. A wallet contains a collection of files, including the key and other information needed to connect to your database service in the ADB Cloud.
• You can specify the IP addresses (or CIDR blocks) allowed to access the ADB using the access control list. This access control list will block all IP addresses that are not in the list from accessing the database.

Additional points:

You do not need to do any manual configuration to encrypt your data and the connections to your database. These are implemented by Autonomous Database.

Autonomous Database Cloud uses strong password complexity rules for all users based on Oracle Cloud security standards.

The wallet (zip file) includes the following:

• tnsnames.ora and sqlnet.ora: Network configuration files storing connect descriptors and SQL*Net client-side configuration.
• cwallet.sso and ewallet.p12: Auto-open SSO wallet and PKCS12 file. The PKCS12 file is protected by the wallet password provided in the UI.
• keystore.jks and truststore.jks: Java keystore and truststore files. They are protected by the wallet password provided while downloading the wallet.
• ojdbc.properties: Contains the wallet-related connection property required for JDBC connections. This should be in the same path as tnsnames.ora.

Oracle Cloud Infrastructure Administration Essentials 14 - 19


Connecting to the Autonomous Database

Figure: Three connection paths into ADW/ATP. The database endpoint (IP Address 129.146.160.9 in the
diagram) is fronted by the Access Control List (CIDR Block 240.0.0.0/4 and individual IP addresses in
the diagram). Path 1: a CLIENT COMPUTER on the public Internet (Public IP 123.254.7.10) connects with
its Wallet/Keystore over ODBC, JDBC OCI (Oracle Call Interface) or JDBC “Thin”, TCP/IP over the public
Internet (diagram label: “Encrypted using SSH over Public Internet”). Path 2: a server on a PRIVATE
SUBNET 10.2.2.0/24 in the TENANCY VCN 10.0.0.0/16 reaches the database through a NAT/Service Gateway
using the subnet's Route Table and Security Lists. Path 3: a server on a PUBLIC SUBNET 10.1.3.0/24 in
the same VCN reaches the database through the Internet Gateway using its Route Table and Security Lists.

1 Connecting to Autonomous Database Warehouse (ADW) or Autonomous Transaction Processing (ATP) from the public Internet
2 Connecting to ADW or ATP (via NAT or Service Gateway) from a server running on a private subnet in OCI (in the same tenancy)
3 Connecting to ADW or ATP from a server running on a public subnet in OCI (in the same tenancy)

Connecting from a VCN

To connect to Autonomous Databases from a VCN, the VCN must be configured with one of the
following gateways:

• Internet gateway: For access from a public subnet in the VCN
• Service gateway: For access from a private subnet in the VCN

Make sure to configure the subnet's route table with a rule that sends the desired traffic to the specific
gateway. Also configure the subnet's security lists to allow the desired traffic.

Oracle Cloud Infrastructure Administration Essentials 14 - 20


Troubleshooting Connectivity Issues

• Ensure that the Access Control List for the Autonomous Database (ADB) has the necessary entries
for CIDR block ranges and IP addresses, as your use case dictates.
• When connecting to ADB from a client computer behind a firewall, the firewall must permit the
use of the port specified in the database connection when connecting to the servers in the
connection. The default port number for Autonomous Data Warehouse is 1522 (find the port
number in the connection string from the tnsnames.ora file in your credentials ZIP file). Your
firewall must allow access to servers within the .oraclecloud.com domain using (TCP) port 1522.
• When connecting to ADB from a server running on a private subnet (on the same OCI tenancy as
the ADB), ensure that you have a service gateway or NAT gateway attached to the VCN. The route
table for the subnet needs to have the appropriate routing rules for the service gateway or NAT
gateway. The security lists for the subnet will need to have the right egress rules.
• For connections originating from a server running on a public subnet (on the same OCI tenancy
as the ADB), ensure that the route table and security lists are appropriately configured.
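The first two checks above can be rehearsed offline. The following Python is an added example (not from the course or from Oracle): it parses connect descriptors out of a tnsnames.ora shaped like the one shipped in the wallet to derive the host and port the client firewall must allow, and evaluates whether a client address is covered by the ADB access control list. The tnsnames content, host, service names and addresses are constructed, and treating an empty ACL as "no IP restriction" is an assumption of the example.

```python
"""Pre-flight checks for an Autonomous Database client connection.

Added example, not part of the Oracle course material or of any Oracle tool.
The tnsnames.ora content, host, service names and IP addresses are
constructed, and treating an empty ACL as "no IP restriction" is an
assumption of this example, not a statement from the course.
"""
import ipaddress
import re

# Constructed tnsnames.ora in the shape the wallet ships it: one connect
# descriptor per predefined service, TCPS on port 1522 (all values fictitious).
SAMPLE_TNSNAMES = """
adb1_high = (description=(retry_count=20)(retry_delay=3)
  (address=(protocol=tcps)(port=1522)(host=adb.us-phoenix-1.oraclecloud.com))
  (connect_data=(service_name=example_adb1_high.adb.oraclecloud.com))
  (security=(ssl_server_dn_match=yes)))
adb1_low = (description=(retry_count=20)(retry_delay=3)
  (address=(protocol=tcps)(port=1522)(host=adb.us-phoenix-1.oraclecloud.com))
  (connect_data=(service_name=example_adb1_low.adb.oraclecloud.com))
  (security=(ssl_server_dn_match=yes)))
"""
_ALIAS = re.compile(r"\s*([\w.-]+)\s*=\s*")
_LEAF = re.compile(r"\((\w+)=([^()]+)\)")   # innermost (key=value) pairs

def _split_aliases(text):
    """Yield (alias, descriptor) pairs by tracking parenthesis depth."""
    i = 0
    while (m := _ALIAS.match(text, i)):
        start = j = m.end()
        depth = 0
        while j < len(text):
            depth += {"(": 1, ")": -1}.get(text[j], 0)
            j += 1
            if depth == 0:
                break
        yield m.group(1), text[start:j]
        i = j

def parse_tnsnames(text):
    """Return {alias: {protocol, host, port, service_name}}; a flat scan of the
    leaves suffices because each alias has one address and one connect_data."""
    entries = {}
    for alias, descriptor in _split_aliases(text):
        leaves = {k.lower(): v.strip() for k, v in _LEAF.findall(descriptor)}
        entries[alias] = {
            "protocol": leaves.get("protocol", "").lower(),
            "host": leaves.get("host", ""),
            "port": int(leaves.get("port", 0)),
            "service_name": leaves.get("service_name", ""),
        }
    return entries

def firewall_rules(entries):
    """(host, port) pairs the client-side firewall must allow outbound on TCP,
    plus findings for descriptors not using TCPS or not under .oraclecloud.com."""
    rules, problems = set(), []
    for alias, e in entries.items():
        if e["protocol"] != "tcps":
            problems.append(f"{alias}: protocol {e['protocol']!r} is not tcps")
        if not e["host"].endswith(".oraclecloud.com"):
            problems.append(f"{alias}: host {e['host']!r} is outside .oraclecloud.com")
        rules.add((e["host"], e["port"]))
    return sorted(rules), problems

def acl_allows(acl_entries, client_ip):
    """ADB network ACL: only the listed addresses / CIDR blocks may connect."""
    if not acl_entries:        # assumption: no ACL configured means no IP filter
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in acl_entries)

def preflight(tnsnames_text, acl_entries, client_ip):
    """Run the checks from the troubleshooting slide: descriptor protocol and
    port for the firewall rule, and whether the client is covered by the ACL.
    Returns (firewall_rules, findings); empty findings means nothing to fix."""
    rules, findings = firewall_rules(parse_tnsnames(tnsnames_text))
    if not rules:
        findings.append("no connect descriptors found in tnsnames.ora")
    if not acl_allows(acl_entries, client_ip):
        findings.append(f"client {client_ip} is not covered by the ACL {acl_entries}")
    return rules, findings
```

Point `preflight` at the real tnsnames.ora from your wallet and the ACL entries shown on the database's detail page to get the exact host/port pair for the firewall rule.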

e ra
us @o
21
to rai
se du
en ik.
lic arth
ble (k
ra y
fe m
ns isa
tra ra
n- Du
no an
y
ike
rth
Ka

Oracle Cloud Infrastructure Administration Essentials 14 - 21


Scaling Your Database

Scale your database on demand without tedious manual steps.

• Independently scale compute or storage
• Resizing occurs instantly, fully online
• Memory, IO bandwidth and concurrency scale linearly with CPU

Close your database to save money when it is not used
• Restart instantly

Oracle Cloud Infrastructure Administration Essentials 14 - 22


Monitoring

• Service Console based monitoring
– Simplified monitoring using the web-based service console.
– Historical and real-time database and CPU utilization monitoring.
– Real Time SQL Monitoring to monitor running and past SQL statements.
– CPU allocation chart to view the number of CPUs utilized by the service.
• Performance Hub based monitoring
– Natively integrated in the OCI console and available via a single click from the ADB
detail page
– Active Session History (ASH) analytics
– Real Time SQL monitoring

Oracle Cloud Infrastructure Administration Essentials 14 - 23


Autonomous Database (ADB) Cloud – Backup and Recovery

• Autonomous Database Cloud automatically backs up your database for you. The retention period for
backups is 60 days. You can restore and recover your database to any point in time in this retention period.
• Autonomous Database Cloud automatic backups provide weekly full backups and daily incremental backups.
• Manual backups for your ADB database are not needed.
• But you can do manual backups using the cloud console if you want to take backups before any major
changes, for example before ETL processing, to make restore and recovery faster. The manual backups are
put in your Cloud Object Storage bucket. When you initiate a point-in-time recovery, Autonomous Database
Cloud decides which backup to use for faster recovery.
• You can initiate recovery for your Autonomous Database using the cloud console. Autonomous Database
Cloud automatically restores and recovers your database to the point in time you specify.
• Network Access Control Lists (ACLs) are stored in the database with other database metadata. If the
database is restored to a point in time, the network ACLs are reverted to the list as of that point in time.

Oracle Cloud Infrastructure Administration Essentials 14 - 24


Autonomous Database Cloud – Cloning

• Autonomous Database provides cloning where you can choose to clone either the full database or
only the database metadata.
• Full Clone: Creates a new database with the source database’s data and metadata.
• Metadata Clone: Creates a new database with the source database’s metadata without the data.
• When creating a Full Clone database, the minimum storage that you can specify is the source
database’s actual used space rounded to the next TB.
• You can clone an Autonomous Database instance only to the same tenancy and the same region
as the source database.
• During the provisioning for either a Full Clone or a Metadata Clone, the optimizer statistics are
copied from the source database to the cloned database.
• The following applies for optimizer statistics for tables in a cloned database:
– Loads into tables behave the same as loading into a table with statistics already in place.
– Metadata Clone: The first load into a table after the clone clears the statistics for that table and
updates the statistics with the new load.

Oracle Cloud Infrastructure Administration Essentials 14 - 25


Screenshots

Oracle Cloud Infrastructure Administration Essentials 14 - 26


Predefined Services for Autonomous Data Warehouse

• Three predefined database services identifiable as high, medium and low
– Choice of performance and concurrency for ADW
• HIGH
– Highest resources, lowest concurrency
– Queries run in parallel
• MEDIUM
– Less resources, higher concurrency
– Queries run in parallel
• LOW
– Least resources, highest concurrency
– Queries run serially

Example for a database with 16 OCPUs:

Service   No of concurrent queries   Max idle time   CPU shares
HIGH      3                          5 mins          4
MEDIUM    20                         5 mins          2
LOW       32                         1 hour          1

* When connecting for replication purposes, use the LOW database service name. For example, use this
service with Oracle GoldenGate connections.

The predefined service names provide different levels of performance and concurrency for Autonomous
Data Warehouse Cloud.

High: The High database service provides the highest level of resources to each SQL statement, resulting
in the highest performance, but supports the fewest number of concurrent SQL statements. Any SQL
statement in this service can use all the CPU and IO resources in your database. The number of
concurrent SQL statements that can be run in this service is 3; this number is independent of the
number of CPUs in your database.

Medium: The Medium database service provides a lower level of resources to each SQL statement,
potentially resulting in a lower level of performance, but supports more concurrent SQL statements. Any
SQL statement in this service can use multiple CPU and IO resources in your database. The number of
concurrent SQL statements that can be run in this service depends on the number of CPUs in your
database and scales linearly with the number of CPUs.

Low: The Low database service provides the least level of resources to each SQL statement, but supports
the largest number of concurrent SQL statements. Any SQL statement in this service can use a single CPU
and multiple IO resources in your database. The number of concurrent SQL statements that can be run
in this service is twice the number of CPUs in your database.

Oracle Cloud Infrastructure Administration Essentials 14 - 27


Predefined Services for Autonomous Transaction Processing

• Five predefined database services controlling priority and parallelism
• Different services defined for Transactions and Reporting/Batch

SERVICE NAME   RESOURCE MANAGEMENT PLAN SHARES   PARALLELISM
HIGH           4                                 Operations run in parallel and are subject to queuing
MEDIUM         2                                 Operations run in parallel and are subject to queuing
LOW            1                                 None
TPURGENT       12                                Manual
TP             8                                 None

HIGH, MEDIUM and LOW are for Reporting or batch processing; TPURGENT and TP are for Transaction Processing.

By default, the CPU/IO shares assigned to the consumer groups TPURGENT, TP, HIGH, MEDIUM, and
LOW are 12, 8, 4, 2, and 1, respectively.

The shares determine how much CPU/IO resources a consumer group can use with respect to the other
consumer groups.

With the default settings the consumer group TPURGENT will be able to use 12 times more CPU/IO
resources compared to LOW, when needed. The consumer group TP will be able to use 4 times more
CPU/IO resources compared to MEDIUM, when needed.

Oracle Cloud Infrastructure Administration Essentials 14 - 28


Autonomous Database – Dedicated
Autonomous Data Warehouse & Autonomous Transaction Processing

Oracle Cloud Infrastructure Administration Essentials 14 - 29


Autonomous Database – Dedicated

• The Autonomous Dedicated database service provides a private database cloud
running on dedicated Exadata Infrastructure in the Public Cloud.
• Its multiple levels of isolation protect you from noisy or hostile neighbors.
• Customizable operational policies give you control of provisioning, software updates,
availability and density.

Oracle Cloud Infrastructure Administration Essentials 14 - 30


Autonomous Database – Dedicated

Physical Characteristics and Constraints

• Quarter rack X7 Exadata Infrastructure
– 2 servers (92 OCPU, 1.44TB RAM)
– 3 Storage Servers (76.8TB Flash, 107TB Disk)
• Cluster / Virtual Cloud Network
– 1 Cluster per quarter rack
• Autonomous Container Database
– Maximum of 4 per Cluster
• Autonomous Database
– High Availability SLA – Maximum 100 DBs
– Extreme Availability SLA – Maximum 25 DBs

Figure: an Exadata RAC CLUSTER hosting databases for example applications (labelled SHOP …. SHIP
and WEB STORE).

Oracle Cloud Infrastructure Administration Essentials 14 - 31


Autonomous Database – Dedicated

High Level Deployment Flow

Create VCN → Provision Autonomous Exadata Infrastructure → Create Autonomous Container Database → Create Autonomous Database

Oracle Cloud Infrastructure Administration Essentials 14 - 32


Autonomous Database – Dedicated

Security

• Databases always encrypted
• Reduced attack surface
• Automatic protection of customer data from Oracle operations staff
• Database Vault’s new Operations Control feature
• Oracle automatically applies security updates for the entire stack
• Quarterly, or off-cycle for high-impact security vulnerabilities

Customers can separately use Database Vault for their own user data isolation.

Oracle Cloud Infrastructure Administration Essentials 14 - 33


Summary

In this lesson, you should have learned how to:

• Compare Autonomous Database (ADB) with DB System Cloud offerings in OCI
• Describe the features of Autonomous Data Warehouse Cloud - Serverless and
Autonomous Data Warehouse Cloud - Dedicated, Autonomous Transaction
Processing - Serverless and Autonomous Transaction Processing – Dedicated
• Describe how to deploy, use, and manage ADB

Oracle Cloud Infrastructure Administration Essentials 14 - 34


DNS
Level 100
Objectives

After completing this lesson, you should be able to explain DNS Zone management:
• Secondary Zone Use Cases
• Managing Zones and records

Oracle Cloud Infrastructure Administration Essentials 15 - 2


DNS – How it works!

Figure: Users send a query (“Example.com?”) to a Recursive DNS server, which walks the hierarchy
(ROOT DNS Servers, Top-Level Domains, Authoritative DNS Servers) and returns the Answer (1.1.1.1 in
the diagram). OCI DNS is Authoritative.

End user types http://www.twitter.com/ into their web browser and presses Enter.

Client (computer, smartphone, etc.) checks its local DNS cache.
• Does it know the answer to www.twitter.com already? If so, use this cached answer.
• If the cache doesn’t know the answer, next step.

Client queries their assigned Recursive DNS server (likely their ISP) for www.twitter.com.
• Recursive checks its cache to see if it knows the answer. If so, returns it to the client.
• If the cache doesn’t know the answer, next step.

Recursive then performs several queries (each one can be skipped if already cached):
• Queries root nameservers to find out if they know the answer to www.twitter.com
- Root nameservers return nameservers for the Top Level Domain (TLD)
- TLD nameservers return the answer for twitter.com nameservers (Dyn)
- Dyn nameservers return the answer for www.twitter.com

Recursive then returns the final www.twitter.com answer to the client.

Client connects to the IP address contained within the DNS answer.

Notes
• Any name registered in authoritative DNS is a domain name
• A DNS zone is the mappings between domain names and IP addresses. Zones can be
organized by geography, service, or resources.

Oracle Cloud Infrastructure Administration Essentials 15 - 3


DNS Zone Management

Oracle Cloud Infrastructure Administration Essentials 15 - 4


DNS Zone Management

OCI DNS is a highly scalable, global anycast Domain Name System (DNS) network that assures
high site availability and low latency.
It offers a complete set of functions for zone management:
• Create and manage zones and records
• Import/upload zone files
• Filter and sort views of zones and records
• Secondary DNS support
• APIs and SDKs

Oracle Cloud Infrastructure Administration Essentials 15 - 5


Supported Record Types

OCI DNS supports the following DNS records:

• A (IPv4 Address Record) - RFC 1035
• AAAA (IPv6 Address Record) - RFC 3596
• CAA (Certificate Authority Authorization) - RFC 6844
• CDNSKEY (Child DNSKEY) - RFC 7344
• CDS (Child Delegation Signer) - RFC 7344
• CERT (Certificate Record) - RFC 2538, RFC 4398
• CNAME (Canonical Name Record) - RFC 1035
• CSYNC (Child-to-Parent Sync Record) - RFC 7477
• DHCID (DHCP Identification Record) - RFC 4701
• DKIM (Domain Key Identified Mail Record) - RFC 6376
• DNAME (Delegation Name Record) - RFC 6672
• DNSKEY (DNS Key Record) - RFC 4034
• DS (Delegation Signer Record) - RFC 4034
• IPSECKEY (IPSec Key Record) - RFC 4025
• KEY (Key Record) - RFC 4025
• KX (Key Exchanger Record) - RFC 2230
• LOC (Location Record) - RFC 1876
• MX (Mail Exchange Record) - RFC 1035
• NS (Name Server Record) - RFC 1035
• PTR (Pointer Record) - RFC 1035
• SOA (Start of Authority Record) - RFC 1035
• SPF (Sender Policy Framework) - RFC 4408
• SRV (Service Locator Record) - RFC 2782
• SSHFP (SSH Public Key Fingerprint) - RFC 6594
• TLSA (Transport Layer Security Auth) - RFC 6698
• TXT (Text Record) - RFC 1035
• ALIAS (CNAME at the apex)
– A private pseudo-record that allows CNAME functionality at the apex of a zone.

Oracle Cloud Infrastructure Administration Essentials 15 - 6


DNS Zone Management

• OCI DNS is available in the OCI Console on the “Edge Services” tab.
• This will bring the user to the DNS Zone Management screen. From here the user can create
zones to see that the service is working.

Oracle Cloud Infrastructure Administration Essentials 15 - 7


Adding a Zone

From the Managed DNS – Zones page:

• Click “Add Zone,” select the Method type “Manual.”
• Enter a “Zone Name,” select the Zone Type “Primary.”

The zone is created and can be verified from the Managed DNS Zones Management page.

Oracle Cloud Infrastructure Administration Essentials 15 - 8


View/Add Records

• Select a zone to view record details for that zone.
• Zone details will show the list of records for that zone.
• Select Add Record to add a new record.
• Click “Publish Changes” to update the zone with the new record details.

Default NS and SOA records are automatically generated when a zone is created, so no new
records need to be added to generate query data.

Oracle Cloud Infrastructure Administration Essentials 15 - 9


DNS Zone – Use Cases
Secondary DNS Architecture (1)

Configuration 1:
• Oracle is Secondary, another vendor is Primary

Figure: Users query a Recursive Name Server (AKA DNS Resolver), which queries the Authoritative
Name Server run as Secondary DNS on ORACLE DNS and then reaches the Website. Provisioning is done
on the other vendor's Authoritative Name Server (Primary DNS), which sends updates to the Secondary.

Oracle Cloud Infrastructure Administration Essentials 15 - 10


DNS Zone – Use Cases
Secondary DNS Architecture with ‘Hidden Master’

Configuration 2: “Hidden Master” Secondary
• Only the public-facing nameserver is visible from the outside world. All DNS requests are sent to
this nameserver.
• Primary DNS services secured behind firewall
• Customer maintains complete control
• Public-facing DNS network is global; primary network doesn’t need to be.

Figure: Users query a Recursive Name Server (AKA DNS Resolver), which queries the Authoritative Name
Server run as Secondary DNS (Public) on ORACLE DNS and then reaches the Website. Provisioning is done
on the Hidden Master DNS (On-Premises), the Authoritative Name Server behind the customer Firewall,
which sends updates to the Secondary.

Oracle Cloud Infrastructure Administration Essentials 15 - 11


Summary

In this lesson, you should have learned how to explain DNS Zone Management:
• Secondary Zone Use Cases
• Managing Zones and records

Oracle Cloud Infrastructure Administration Essentials 15 - 12


Traffic Management Policies
Level 100
Objectives

After completing this lesson, you should be able to explain Traffic Management:
• Traffic Steering Use Cases
• OCI Traffic Management Policies

Oracle Cloud Infrastructure Administration Essentials 16 - 2


Traffic Management

• Traffic Management allows customers to configure routing policies for serving intelligent
responses to DNS queries.
• Different answers may be served for a query according to the logic in the customer-defined
Traffic Management Steering Policy, thus sending users to the most optimal location in your
infrastructure.

OCI DNS has advanced traffic management capabilities to steer DNS traffic across multiple public OCI
instances and other private and 3rd party assets/endpoints. Traffic management supports
comprehensive policies to provide intelligent responses to ensure high performance, scalability, and
availability.

Optimize the performance and responsiveness of web-based applications and sites by steering user
traffic based on administratively defined policies.

Ensure high availability of critical applications through detection of endpoint health and move your
traffic accordingly.

Balance and distribute traffic for large applications.

Policies allow you to set predictable business expectations for service differentiation, geographic market
targeting, and disaster recovery scenarios.

Feature parity with the acquired Dyn DNS Traffic Director product.

Oracle Cloud Infrastructure Administration Essentials 16 - 3


When should I use DNS Traffic Management?

Common Use Cases

• Failover
• Cloud Migration
• Load Balancing for Scale
• Hybrid Environments
• Worldwide Geolocation Steering
• IP-Based Steering
• Zero-Rating Service

Link to the appropriate slides/diagrams from here.
All 7 use cases on this slide.

Oracle Cloud Infrastructure Administration Essentials 16 - 4


Failover

A -> B Failover

• Primary asset is monitored from multiple points via Oracle Health Checks
• Traffic is automatically directed to a different endpoint as soon as service fails to respond
• Monitoring is powered by Oracle Health Checks

Figure: A User's Recursive Server queries OCI DNS; the Primary Cloud endpoint is marked Outage and
the Redundant Cloud endpoint Available, so users are sent to the redundant endpoint.

Oracle Cloud Infrastructure Administration Essentials 16 - 5


Cloud Migration

• Utilize Ratio Load Balancing to migrate fractions of traffic to new cloud-hosted resources and test
and validate access
• Gradually migrate more traffic when confident in user experience

Figure: A User wants to reach www.gohere.com. OCI DNS sends 90% of traffic to the Public App Hosted
in Datacenter and 10% to the Public App Hosted in Cloud, with data replication between the two.

Oracle Cloud Infrastructure Administration Essentials 16 - 6


Load Balancing for Scale

• For scaling, distribute load across multiple compute instances.
• Leverage Oracle Health Checks to ensure users are sent to healthy endpoints.

Figure: A User wants to reach www.gohere.com. OCI DNS splits traffic to the Public App Hosted in Cloud
25% to Region 1, 15% to Region 2 and 60% to Region 3.

Oracle Cloud Infrastructure Administration Essentials 16 - 7


Hybrid/Multi-cloud Environments

Figure: Users perform DNS lookup & resolution against Oracle Cloud DNS (Authoritative), which steers
them to IP Group A (OCI Region), IP Group B (Datacenter1), IP Group C (CDN), IP Group D (Datacenter2)
or IP Group E (Other Cloud Provider).

Oracle Cloud Infrastructure Administration Essentials 16 - 8


Geolocation Steering

• Specify which endpoint a user will be steered to based on their location.
• Select from predefined regions, such as US East or US West, or customize regions.
• Combine with Oracle Health Checks to fail over from one region to another.

Figure: DNS lookups from users in Seattle and Miami are steered to Phoenix, AZ or Ashburn, VA;
lookups from users in Sweden, London and Rome are steered to Frankfurt.

Oracle Cloud Infrastructure Administration Essentials 16 - 9


Canary Testing

Limit access to new/beta features before rolling out for General Availability.

[Figure: users querying App.company.com from the 162.X.X.X/24 block are steered to the Beta Endpoint (129.X.X.1); users from other IP blocks are steered to the GA Endpoint (129.X.X.2).]

Oracle Cloud Infrastructure Administration Essentials 16 - 10


Zero Rating Services

Conditional steering can be based on the originating enterprise, mobile operator, or other communications provider. Preferred ASNs can be directed to free resources while all other traffic can be directed to paid resources.

[Figure: users of a preferred ASN (ASN###, 136.X.X.X) querying mycompany.com are steered to the Preferred Endpoint; users from all other ASNs are steered to the Standard Endpoint.]

Oracle Cloud Infrastructure Administration Essentials 16 - 11


Traffic Management Steering Policies

Load Balancer (Global Server Load Balancing): Round-robin load balancing can be used to distribute traffic among multiple servers to optimize performance. Traffic can be split evenly among endpoints or weighted via ratio assignment.

Failover: It's easy to set up a simple active-passive failover between two public assets. OCI monitors the primary endpoint (via Oracle Health Checks) and reroutes all traffic to the failover location if the primary endpoint is unresponsive.

Geolocation Steering: Traffic steering policies can also route traffic based on the source of the query. Geolocation Steering dynamically routes requests to the appropriate response pool based on the physical location of the originating request.

ASN Steering: Dynamically routes traffic requests based on the originating ASN.

IP Prefix Steering: Dynamically routes traffic requests based on the originating IP prefix (e.g., 172.16.1.0/24).

Oracle Cloud Infrastructure Administration Essentials 16 - 12


Traffic Management Concepts

• Steering Policies: A framework to define the traffic management behavior for your zones. Steering policies contain rules that help to intelligently serve DNS answers.
• Attachments: Allow you to link a steering policy to your zones. An attachment of a steering policy to a zone occludes all records at its domain that are of a covered record type, constructing DNS responses from the steering policy rather than from the domain's records. A domain can have at most one attachment covering any given record type.
• Rules: The guidelines steering policies use to filter answers based on the properties of a DNS request, such as the request's geolocation or the health of your endpoints.
• Answers: Answers contain the DNS record data and metadata to be processed in a steering policy.

After completing this lesson, you should be able to describe the basic OCI DNS services available on OCI. You should also be able to configure DNS within a tenancy.

Oracle Cloud Infrastructure Administration Essentials 16 - 13


Load Balancer Policy

TTL: The Time To Live for responses from the steering policy. If not specified, the system will set this value on the steering policy.

Maximum answers: The maximum number of answers returned for the policy. Answer pools contain the group of answers that will be served in response to DNS queries.

Oracle Cloud Infrastructure Administration Essentials 16 - 14


Load Balancer Policy

Weight: A number between 0 and 255 used to determine how often an answer is served in relation to other answers. Answers with higher values are more likely to be served.

Domain: The domain, under the selected zone, that the policy will be attached to. This is concatenated with the zone name to generate the full attached domain name.

Oracle Cloud Infrastructure Administration Essentials 16 - 15


Load Balancer Policy

Health check settings for the policy:

Interval: The period of time between health checks of the target.
Protocol: The network protocol used to interact with your endpoint, such as HTTP, which initiates an HTTP exchange with your endpoint.
Port: The port on which the monitor looks for a connection. The default is port 80. For HTTPS, use port 443.
Path (Optional): The specific path on the target to be monitored.
Method: Select the HTTP method used for the health check.
Timeout: Select the maximum time to wait for a reply before marking the health check as failed.
Header Name (Optional): The name of a request header sent as part of the health check. Avoid entering confidential information.
Header Value (Optional): The value sent in that header.
Click + Add Header to add multiple headers in succession.

Oracle Cloud Infrastructure Administration Essentials 16 - 16


Failover Policy

Oracle Cloud Infrastructure Administration Essentials 16 - 17


Failover Policy

Failover priority rules specify the priority of answers that are served in a policy. If the primary answer is unavailable, traffic is steered to the next answer in the list.

Select a Health Check to be included as part of the policy.

Domain: The domain name you want to attach to the policy. Additional domains can be added in this section.

Oracle Cloud Infrastructure Administration Essentials 16 - 18


Geolocation Steering Policy

Oracle Cloud Infrastructure Administration Essentials 16 - 19


Geolocation Steering Policy

Geolocation-based steering distributes DNS traffic to different endpoints based on the location of the end user. Customers can define geographic regions composed of originating continent, countries, or states/provinces (North America) and define a separate endpoint or set of endpoints for each region.

For example: North American users' traffic is routed to PoolA first; only if PoolA fails is the traffic routed to PoolB.

Adding a global catch-all allows you to specify answer pools for queries that do not match any of the rules you have added. Without a global catch-all, queries that match none of the rules receive a random answer.

Oracle Cloud Infrastructure Administration Essentials 16 - 20


ASN Steering Policy

ASN steering rules specify the priority of answers that are served in a policy. If the primary answer is unavailable, traffic is steered to the next answer in the list.

ASN: An Autonomous System Number (ASN) that will be used to distribute DNS traffic.

You can also attach a Global Catch-all policy.

Oracle Cloud Infrastructure Administration Essentials 16 - 21


IP Prefix Policy

IP prefix steering rules specify the priority of answers that are served in a policy. If the primary answer is unavailable, traffic is steered to the next answer in the list.

Subnet Address: A subnet address that will be used to distribute DNS traffic.

You can also attach a Global Catch-all policy.

Oracle Cloud Infrastructure Administration Essentials 16 - 22
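The policy types in this lesson (weighted load balancing, failover priority, geolocation, ASN and IP prefix rules, the global catch-all, and the canary and zero-rating use cases) all reduce to the same evaluation: pick a rule from the query's properties, walk its pools in priority order, drop answers the health checks call unhealthy, then choose among what is left by weight. The following is an added example, not OCI's implementation: a small Python model of that evaluation. The class and function names are the example's own, the client's country and ASN are assumed to be supplied by the caller (OCI derives them from the resolver's address), health state is a plain dict, and the addresses come from the RFC 5737 documentation ranges.

```python
# Added example (not OCI's implementation): a simplified model of how a DNS
# steering policy turns one query into an answer set. Rules match on the
# client's country, ASN or IP prefix; each rule names answer pools in failover
# priority order; unhealthy answers are skipped; weights (0-255) bias selection.
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Answer:
    name: str             # label shown in the Console, e.g. "beta"
    rdata: str            # record data served, here an IPv4 address
    pool: str = "default"
    weight: int = 1       # 0-255; 0 means the answer is never served


@dataclass
class Rule:
    countries: Optional[frozenset] = None      # geolocation match (None = any)
    asns: Optional[frozenset] = None           # ASN match (None = any)
    prefixes: tuple = ()                       # IP prefix match (empty = any)
    pools: list = field(default_factory=list)  # pools in failover priority order


@dataclass
class SteeringPolicy:
    answers: list
    rules: list
    catch_all: Optional[list] = None  # pools for unmatched queries; None = random answer
    max_answers: int = 1              # the policy's maximum answer count
    ttl: int = 60


def rule_matches(rule, client):
    """True if every constraint the rule carries is satisfied by the client."""
    if rule.countries is not None and client.get("country") not in rule.countries:
        return False
    if rule.asns is not None and client.get("asn") not in rule.asns:
        return False
    if rule.prefixes:
        ip = ipaddress.ip_address(client["ip"])
        if not any(ip in ipaddress.ip_network(p) for p in rule.prefixes):
            return False
    return True


def resolve(policy, client, healthy, rng=None):
    """Return the rdata list to serve for one query.

    healthy maps rdata -> bool as reported by health checks; missing = healthy.
    """
    rng = rng or random.Random()
    pools = next((r.pools for r in policy.rules if rule_matches(r, client)), policy.catch_all)
    if pools is None:
        # no rule matched and no global catch-all: any healthy answer may be served
        candidates = [a for a in policy.answers if healthy.get(a.rdata, True)]
    else:
        candidates = []
        for pool in pools:  # the first pool with a healthy answer wins
            candidates = [a for a in policy.answers
                          if a.pool == pool and healthy.get(a.rdata, True)]
            if candidates:
                break
    candidates = [a for a in candidates if a.weight > 0]
    served = []
    while candidates and len(served) < policy.max_answers:
        pick = rng.choices(candidates, weights=[a.weight for a in candidates])[0]
        served.append(pick.rdata)
        candidates.remove(pick)
    return served


def serve_distribution(policy, client, healthy, queries, seed=0):
    """Count how often each rdata is served over many queries (seeded RNG)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(queries):
        for rdata in resolve(policy, client, healthy, rng):
            counts[rdata] = counts.get(rdata, 0) + 1
    return counts


# Constructed sample policies (RFC 5737 documentation addresses).
def canary_policy():
    """Canary testing: one source block gets the beta endpoint, everyone else GA."""
    return SteeringPolicy(
        answers=[Answer("beta", "198.51.100.1", pool="beta"),
                 Answer("ga", "198.51.100.2", pool="ga")],
        rules=[Rule(prefixes=("192.0.2.0/24",), pools=["beta"])],
        catch_all=["ga"])


def geo_policy():
    """Geolocation steering with failover: North America -> PoolA, then PoolB."""
    return SteeringPolicy(
        answers=[Answer("a", "198.51.100.10", pool="PoolA"),
                 Answer("b", "198.51.100.20", pool="PoolB")],
        rules=[Rule(countries=frozenset({"US", "CA", "MX"}), pools=["PoolA", "PoolB"])],
        catch_all=["PoolB"])


def weighted_policy():
    """Load balancer policy: 25/15/60 ratio across three regions, no rules."""
    return SteeringPolicy(
        answers=[Answer("region1", "198.51.100.1", weight=25),
                 Answer("region2", "198.51.100.2", weight=15),
                 Answer("region3", "198.51.100.3", weight=60)],
        rules=[])


if __name__ == "__main__":
    print(resolve(canary_policy(), {"ip": "192.0.2.77"}, {}))
    print(resolve(geo_policy(), {"ip": "203.0.113.5", "country": "US"}, {"198.51.100.10": False}))
    print(serve_distribution(weighted_policy(), {"ip": "203.0.113.5"}, {}, 10000))
```

Two points the model makes visible: a rule only decides which pools are consulted, so an unhealthy primary pool falls through to the next pool in the same rule before the catch-all is ever considered, and a weight of 0 is a legitimate way to drain an endpoint without deleting its answer.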


Health Checks

Oracle Cloud Infrastructure Administration Essentials 16 - 23


Health Checks

• Availability & Performance Monitoring: Monitor the availability and performance of any public-facing IP address or fully qualified domain name (FQDN).
  – Simple UI Configuration: Easy to configure Health Checks for external monitoring from Vantage Points around the globe.
  – Availability Monitoring: Monitor the availability of any publicly visible IP address or FQDN from Vantage Points located around the globe.
  – Performance Monitoring: Monitor latency metrics for any publicly visible IP address or FQDN from Vantage Points located around the globe.
  – On-Demand Testing: Perform tests on demand to gauge performance and troubleshoot endpoints.
• DNS Traffic Management Failover Detection: Detect failures and use DNS Traffic Management to fail over in the event of a problem.
• Alerting and API: Fully integrated with Oracle Cloud Infrastructure Monitoring and backed by an extensive REST API.
• Hybrid Monitoring: Monitor endpoints within the Oracle cloud and across your hybrid infrastructure.

Oracle Cloud Infrastructure Administration Essentials 16 - 24


Health Checks Service Components

• Monitors: Monitors allow you to continuously monitor the health of public-facing endpoints. You can configure monitors to use either the HTTP or the ping protocol.
• On-demand probes: On-demand probes allow you to execute a one-time probe to assess the health of a public-facing endpoint. You can configure on-demand probes to use either or both of the HTTP and ping protocols. This feature is currently only available via the REST API.
• Vantage points: Vantage points are geographic locations from which monitors and probes can be executed against your specified target. Oracle Cloud Infrastructure maintains dozens of vantage points around the world.
• Protocols: The Health Checks service allows you to configure both HTTP and ping type monitors. Each type has its respective protocols.

Oracle Cloud Infrastructure Administration Essentials 16 - 25


Creating a Health Check

• From the Edge Services menu, navigate to Health Checks. In the Health Checks area, click Create Health Check, and enter the details of your check in the dialog box.
• Provide a Name and compartment.
• Add the target endpoints that you want to monitor. The Targets field is prepopulated with suggested endpoints drawn from public IP addresses already configured in your compartment. You can select one of these endpoints to monitor or add a new one.
• Select vantage points from which you intend to monitor the targets. These vantage points are located around the globe, and we generally recommend selecting vantage points that are located on the same continent as your application.

Oracle Cloud Infrastructure Administration Essentials 16 - 26


Creating a Health Check

• Select the type of test that you want to run: HTTP or HTTPS for a webpage, or TCP or ICMP for a public IP address.
• Set the frequency of the tests as appropriate to the level of monitoring that your service requires. Current options include every 30 or 60 seconds for basic tests; premium tests run at the higher frequency of every 10 seconds. An additional fee is calculated for premium tests.
• Add any tags to help you quickly search for this check in the future.
• Click Create Health Check.

Oracle Cloud Infrastructure Administration Essentials 16 - 27
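What the Console form above configures is, mechanically, an HTTP request issued on an interval from several vantage points, with a timeout that turns a stalled endpoint into a failed check. The following is an added example, not Oracle's code: a Python probe with the same parameters (protocol, port, path, method, timeout, headers) plus a majority-of-vantage-points verdict that is this example's own rule rather than a documented OCI threshold. The "vantage points" and the target web server are constructed locally so the code runs offline; the real service probes from Oracle-operated locations, not from your host.

```python
# Added example (not Oracle's code): an HTTP health monitor with the same knobs
# as the Console form (protocol, port, path, method, timeout, headers) and a
# majority-of-vantage-points verdict. The vantage points and the target server
# are constructed locally so the example runs offline.
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def probe_http(host, port=80, path="/", method="GET", timeout=2.0, headers=None, https=False):
    """One probe. Returns (healthy, status_or_error, seconds); a 2xx within timeout is healthy."""
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    started = time.monotonic()
    try:
        conn = conn_cls(host, port, timeout=timeout)
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return 200 <= resp.status < 300, resp.status, time.monotonic() - started
    except (OSError, http.client.HTTPException) as exc:
        # timeout, connection refused, reset, malformed response: the check failed
        return False, type(exc).__name__, time.monotonic() - started


def monitor_once(vantage_points, target, **probe_kwargs):
    """Probe target from each vantage point (label -> per-point overrides).

    Verdict: healthy if a strict majority of vantage points succeed. This majority
    rule is the example's own assumption, not a documented OCI threshold.
    """
    results = {label: probe_http(*target, **{**probe_kwargs, **overrides})
               for label, overrides in vantage_points.items()}
    healthy_count = sum(1 for ok, _, _ in results.values() if ok)
    return healthy_count * 2 > len(results), results


class _Target(BaseHTTPRequestHandler):
    """Constructed endpoint: /healthz answers 200, /slow stalls first, anything else 503."""

    def do_GET(self):
        if self.path == "/slow":
            time.sleep(1.0)
        status = 200 if self.path in ("/healthz", "/slow") else 503
        try:
            self.send_response(status)
            self.end_headers()
        except OSError:
            pass  # the prober already gave up on the stalled request

    def log_message(self, *args):
        pass  # keep the example quiet


def demo():
    """Probe a local server three ways; returns (majority verdict, per-path results)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _Target)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        per_path = {p: probe_http(host, port, p, timeout=0.3)[0]
                    for p in ("/healthz", "/broken", "/slow")}
        # three vantage points; the third sees a stalled response and times out,
        # the other two succeed, so the target is still judged healthy
        verdict, _ = monitor_once(
            {"us-ashburn": {}, "eu-frankfurt": {}, "ap-tokyo": {"path": "/slow"}},
            (host, port), path="/healthz", timeout=0.3)
    finally:
        server.shutdown()
        server.server_close()
    return verdict, per_path


if __name__ == "__main__":
    print(demo())
```

Note that the timeout is the only thing separating "slow" from "down" in this model: a target that answers 200 after the timeout is counted as failed exactly like one that refuses the connection, which is why the Timeout field belongs with the Interval when you tune a check.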


Creating a Health Check

[Figure: screenshot of the Create Health Check form.]

Oracle Cloud Infrastructure Administration Essentials 16 - 28


After the check is created, a details page shows information specific to this check:
Summary

• Traffic Steering Use Cases
• OCI Traffic Management Policies

Oracle Cloud Infrastructure Administration Essentials 16 - 29


In this lesson, you should have learned how to explain Traffic Management:
OCI Security (Lesson 17)

Agenda

• Shared Security Model
• Security services
• Identity and Access Management
• Data protection
• OS and workload isolation
• Infrastructure protection

Oracle Cloud Infrastructure Administration Essentials 17 - 2


Shared Security Model

On-premises: the customer manages all security across the whole stack: Applications, Data, Runtime, Middleware, Operating System, Virtualization, Servers, Storage, Networking, and Data Center / Physical Security.

Oracle Cloud Infrastructure splits the same stack:

Security IN the cloud: the customer is responsible for security in the cloud and manages the Applications, Data, Runtime, Middleware and Operating System layers:
• Patching applications and OS, OS configuration
• Identity and access management
• Network security
• Endpoint protection
• Data classification and compliance

Security OF the cloud: Oracle is responsible for security of the cloud and manages the Virtualization, Servers, Storage, Networking and Data Center / Physical Security layers:
• Physical security for the data centers
• Hardware, software, networking

Oracle Cloud Infrastructure Administration Essentials 17 - 3


Security Services and Features

Functionality / Use case / OCI Service or Feature:

Identity and Access Management
• Manage user access and policies: OCI IAM
• Manage multi-factor authentication: MFA
• Single sign-on to identity providers: Federation

Data Protection
• Encryption for data at rest and in transit: Storage and DB services
• Discover, classify and protect your data: Data Safe
• Hardware-based key storage, centralized key management: Vault

OS and workload management
• Patch management: OS Management service
• Workload isolation: Bare Metal, Dedicated VM Hosts

Infrastructure Protection
• Log API calls: Audit
• Network security controls: VCN NSG, SL
• Filter malicious web traffic: Web Application Firewall
• DDoS protection: In-built

Oracle Cloud Infrastructure Administration Essentials 17 - 4


Identity and Access Management

[Figure: OCI IAM. Identities (who requests): Users, Groups, Instances. Resources, organized in Compartments. Policies grant Permissions (what is requested by the Identity).]

Oracle Cloud Infrastructure Administration Essentials 17 - 5
Multi-factor Authentication (MFA)

[Figure: Password + Proof = Secure Access]

Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one factor to verify a user's identity. Examples of authentication factors are a password (something you know) and a device (something you have).

AUTHENTICATOR APP
• An app you install on your mobile device that can provide software-based secure tokens for identity verification. Examples of authenticator apps are Oracle Mobile Authenticator and Google Authenticator. To enable MFA for the IAM service, you'll need a device with an authenticator app installed. You'll use the app to register your device and then you'll use the same app (on the same device) to generate a time-based one-time passcode every time you sign in.

REGISTERED MOBILE DEVICE
• Multi-factor authentication is enabled for a specific user and for a specific device. The procedure to enable MFA for a user includes the registration of the mobile device. This same device must be used to generate the time-based one-time passcode every time the user signs in. If the registered mobile device becomes unavailable, an administrator must disable MFA for the user so that MFA can be re-enabled with a new device.

TIME-BASED ONE-TIME PASSWORD (TOTP)
• A TOTP is a password (or passcode) that is generated by an algorithm that computes a one-time password from a shared secret key and the current time, as defined in RFC 6238. The authenticator app on your registered mobile device generates the TOTP that you need to enter every time you sign in to Oracle Cloud Infrastructure.

Oracle Cloud Infrastructure Administration Essentials 17 - 6


Federation

• Enterprises use an identity provider (IdP) to manage user logins/passwords and to authenticate users.
• When someone in your company wants to use the OCI Console, they must sign in with a user login and password.
• Your administrators can federate with a supported IdP so that each employee can use an existing login and password (and not create a new set to use OCI).
• Federated users choose which IdP to use for sign-in, and then they're redirected to that IdP's sign-in experience for authentication. After entering their login and password, they are authenticated by the IdP and redirected to the OCI Console.

Oracle Cloud Infrastructure Administration Essentials 17 - 7


Data Protection

Block Volume
• Data encrypted at rest
• Data encrypted in transit
• Bring Your Own Keys

File Storage
• Data encrypted at rest
• Data encrypted in transit
• Bring Your Own Keys

Object Storage
• Data encrypted at rest
• Bring Your Own Keys
• Private Buckets, Pre-authenticated Requests

Database
• Transparent Data Encryption
• Data Safe
• Data Vault

Oracle Cloud Infrastructure Administration Essentials 17 - 8


Vault – Key Management

• Managed service that enables you to encrypt your data using keys that you control
• Key Management provides you with:
  – Centralized key management capabilities
  – Highly available, durable, and secure key storage in hardware security modules (HSMs)*
  – Integration with select Oracle Cloud Infrastructure services
• Uses HSMs that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 certification
• HSM hardware is tamper-evident, has physical safeguards for tamper-resistance, requires identity-based authentication, and deletes keys from the device when it detects tampering.

* An HSM is a physical computing device that safeguards digital keys and provides cryptographic processing.

Oracle Cloud Infrastructure Administration Essentials 17 - 9


Data Safe

• Managed service that provides a complete and integrated set of features for protecting sensitive and regulated data in Oracle Cloud databases
• Features include Security Assessment, User Assessment, Data Discovery, Data Masking, and Activity Auditing
• Supports ATP (shared), ADW (shared), VM/BM DB Systems
• Saves time and mitigates security risks
• Defense in depth for all customers
• No special security expertise needed
• No extra cost to use

Oracle Cloud Infrastructure Administration Essentials 17 - 10


Dedicated VM Host

• Security of Bare Metal combined with the ease and flexibility of VMs
• Single-tenant: never share hardware with another customer's VMs
• Pay only for the dedicated VM host; no additional charge for the VMs running on it
• Control and convenience
  – Control over placement across Dedicated VM Hosts, or let Oracle optimize it automatically
  – Oracle manages and monitors the hypervisor and hardware

[Figure: several Virtual Machines running on one Dedicated VM Host.]

Oracle Cloud Infrastructure Administration Essentials 17 - 11


OS Management Service

• Executes and automates common and complex management tasks
• Package management, configuration management
• Security/compliance reporting
• Enables live patching of critical components and the Linux kernel without downtime
• Configured by default for Oracle Linux instances in OCI

Oracle Cloud Infrastructure Administration Essentials 17 - 12


Audit

• API calls are logged and made available to customers.
• Includes calls made via the Console, CLI, SDKs, custom clients and other OCI services.
• By default, audit logs are retained for 90 days. Configurable up to 365 days (tenancy-level setting).
• Searchable via the Console.
• Bulk export of audit logs can be requested (takes 3-4 days).
• Information in audit logs includes:
  – Time the API activity occurred
  – Source of the activity
  – Target of the activity
  – Type of action
  – Type of response
• Every audit log event includes two main parts:
  – Envelopes that act as a container for all event messages
  – Payloads that contain data from the resource emitting the event message

The Oracle Cloud Infrastructure Audit service records all API calls to resources in a customer's tenancy as well as login activity from the graphical management console. Using the Audit service, customers can achieve their own security and compliance goals by monitoring all user activity within their tenancy. Because all Console, SDK, and command line (CLI) calls go through our APIs, all activity from those sources is included.

Audit records are available through an authenticated, filterable query API or can be retrieved as batched files from Oracle Cloud Infrastructure Object Storage. Audit log contents include what activity occurred, the user that initiated it, the date and time of the request, as well as the source IP, user agent, and HTTP headers of the request.

API for listing audit events:
• New events available within 15 minutes
• 90 days of history by default
• Configurable up to 365 days (affects all regions and compartments)

API calls are searchable via the Console.

Oracle Cloud Infrastructure Administration Essentials 17 - 13


Contents of an Audit log event

{
  "eventType": "com.oraclecloud.ComputeApi.GetInstance",
  "cloudEventsVersion": "0.1",
  "eventTypeVersion": "2.0",
  "source": "ComputeApi",
  "eventId": "<unique_ID>",
  "eventTime": "2019-09-18T00:10:59.252Z",
  "contentType": "application/json",
  "data": {
    "eventGroupingId": null,
    "eventName": "GetInstance",
    "compartmentId": "ocid1.tenancy.oc1..<unique_ID>",
    "compartmentName": "compartmentA",
    "resourceName": "my_instance",
    "resourceId": "ocid1.instance.oc1.phx.<unique_ID>",
    "availabilityDomain": "<availability_domain>",
    "freeformTags": null,
    "definedTags": null,
    "identity": {
      "principalName": "ExampleName",
      "principalId": "ocid1.user.oc1..<unique_ID>",
      "authType": "natv",
      "callerName": null,
      "callerId": null,
      "tenantId": "ocid1.tenancy.oc1..<unique_ID>",
      "ipAddress": "172.24.80.88",
      "credentials": null,
      "userAgent": "Jersey/2.23 (HttpUrlConnection 1.8.0_212)",
      "consoleSessionId": null
    },
    "request": {
      "id": "<unique_ID>",
      "path": "/20160918/instances/ocid1.instance.oc1.phx.<unique_ID>",
      "action": "GET",
      "parameters": {},
      "headers": {
        "opc-principal": [ "{\"tenantId\":\"ocid1.tenancy.oc1..<unique_ID>\",\"subjectId\":\"ocid1.user.oc1..<unique_ID---" ],
        "Accept": [ "application/json" ],
        "X-Oracle-Auth-Client-CN": [ "splat-proxy-se-02302.node.ad2.r2" ],
        "X-Real-IP": [ "172.24.80.88" ],
        "oci-original-url": [ "https://iaas.r2.oracleiaas.com/20160918/instances/ocid1.instance.oc1.phx.<unique_ID>" ],
        "opc-request-id": [ "<unique_ID>" ],
        "Date": [ "Wed, 18 Sep 2019 00:10:58 UTC" ],
        ---
      }
    },
    "response": {
      "status": "200",
      "responseTime": "2019-09-18T00:10:59.278Z",
      "headers": {
        "ETag": [ "<unique_ID>" ],
        "Connection": [ "close" ],
        ---
      },
      "payload": {
        "resourceName": "my_instance",
        "id": "ocid1.instance.oc1.phx.<unique_ID>"
      },
      "message": null
    },
    "stateChange": {
      "previous": null,
      "current": null
    },
    "additionalDetails": {
      "imageId": "ocid1.image.oc1.phx.<unique_ID>",
      "shape": "VM.Standard1.1",
      "type": "CustomerVmi"
    }
  }
}

Oracle Cloud Infrastructure Administration Essentials 17 - 14
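An audit event of this shape is what a detection rule consumes, whether it comes from the query API or from the batched Object Storage export. The following is an added example, not Oracle's code: a Python triage pass over events with the same envelope and payload layout, applying three illustrative rules (calls from addresses outside a trusted range, successful state-changing calls, and a burst of authorization failures by one principal). The events are constructed for the example; the principals, addresses and the event types other than GetInstance are illustrative and not taken from a real tenancy. The rule that 404 counts as an authorization failure reflects OCI's practice of answering a request the caller is not authorized for with 404 NotAuthorizedOrNotFound.

```python
# Added example (not Oracle's code): triage over Audit events in the layout of
# the sample above. The events and the three rules are constructed for the example.
import ipaddress
import json
from collections import Counter

MUTATING = ("Create", "Update", "Delete", "Terminate", "Launch", "Put", "Attach", "Detach")


def make_event(event_id, event_type, principal, ip, status, user_agent="oci-cli/3.0.0"):
    """Constructed event carrying the envelope/payload fields the triage rules read."""
    name = event_type.rsplit(".", 1)[1]
    return {
        "eventType": event_type, "cloudEventsVersion": "0.1", "eventTypeVersion": "2.0",
        "source": event_type.split(".")[2], "eventId": event_id,
        "eventTime": "2019-09-18T00:10:59.252Z", "contentType": "application/json",
        "data": {
            "eventName": name, "compartmentName": "compartmentA",
            "identity": {"principalName": principal, "authType": "natv",
                         "ipAddress": ip, "userAgent": user_agent},
            "request": {"action": "GET" if name.startswith(("Get", "List")) else "POST"},
            "response": {"status": str(status)},
        },
    }


# Constructed sample: one benign read, a terminate from outside the corporate
# range, an IAM change, and three authorization failures by the same principal.
SAMPLE_EVENTS = [
    make_event("ev-1", "com.oraclecloud.ComputeApi.GetInstance", "ExampleName", "172.24.80.88", 200,
               "Jersey/2.23 (HttpUrlConnection 1.8.0_212)"),
    make_event("ev-2", "com.oraclecloud.ComputeApi.TerminateInstance", "ExampleName", "203.0.113.9", 200),
    make_event("ev-3", "com.oraclecloud.IdentityControlPlane.CreateUser", "alice", "172.24.80.90", 200),
    make_event("ev-4", "com.oraclecloud.ObjectStorage.GetBucket", "bob", "172.24.80.91", 404),
    make_event("ev-5", "com.oraclecloud.ObjectStorage.GetBucket", "bob", "172.24.80.91", 404),
    make_event("ev-6", "com.oracleclo ud.ObjectStorage.GetBucket".replace(" ", ""), "bob", "172.24.80.91", 404),
]


def to_jsonl(events):
    """Serialize events one per line, the form a bulk export or log shipper hands over."""
    return "\n".join(json.dumps(e) for e in events)


def from_jsonl(text):
    """Parse one JSON event per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _finding(ev, principal, reason, detail):
    return {"eventId": ev["eventId"], "principal": principal, "reason": reason, "detail": detail}


def triage(events, trusted_cidrs, burst_threshold=3):
    """Return findings for: calls from untrusted addresses, successful mutating
    calls, and a burst of authorization failures by one principal. OCI answers a
    request the caller is not authorized for with 404 NotAuthorizedOrNotFound, so
    404 is counted as a failure alongside 401 and 403."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings, failures = [], Counter()
    for ev in events:
        data, ident = ev["data"], ev["data"]["identity"]
        name, principal = data["eventName"], ident.get("principalName")
        ip, status = ident.get("ipAddress"), data.get("response", {}).get("status", "")
        if ip and not any(ipaddress.ip_address(ip) in net for net in trusted):
            findings.append(_finding(ev, principal, "untrusted-source", ip))
        if name.startswith(MUTATING) and status.startswith("2"):
            findings.append(_finding(ev, principal, "mutating-call", ev["eventType"]))
        if status in ("401", "403", "404"):
            failures[principal] += 1
            if failures[principal] == burst_threshold:
                findings.append(_finding(ev, principal, "auth-failure-burst",
                                         f"{burst_threshold} failures"))
    return findings


def summarize(findings):
    """Findings per principal: a quick list of who needs a look."""
    return Counter(f["principal"] for f in findings)


if __name__ == "__main__":
    for f in triage(from_jsonl(to_jsonl(SAMPLE_EVENTS)), ["172.24.0.0/16"]):
        print(f)
```

The rules key on data.eventName, data.identity.ipAddress and data.response.status, all of which are present in the sample above; a real deployment would add data.identity.userAgent and consoleSessionId to tell scripted API use apart from Console sessions.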


Network Protection

• Tiered subnet strategy for the VCN
  – DMZ subnet for load balancers
  – Public subnet for web servers
  – Private subnet for internal hosts such as databases
• Gateways
  – NAT Gateway: for connectivity to the internet for patching
  – Service Gateway: for connectivity to public OCI services
  – Dynamic Routing Gateway: for connectivity to on-premises
• Security Lists, NSG
  – SL determines the types of traffic allowed in and out of the subnet.
  – NSG determines the types of traffic allowed in and out of a VNIC.

[Figure: an OCI Region with a VCN holding Web, Private and DB subnets; an Internet Gateway and a NAT Gateway toward the Internet, a Service Gateway toward Object Storage, and a Dynamic Routing Gateway toward the customer data center.]

Oracle Cloud Infrastructure Administration Essentials 17 - 15
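The distinction between a security list (subnet scope) and an NSG (VNIC scope) matters most where both apply to the same VNIC: OCI evaluates the union of the two rule sets, so a packet is allowed if any rule in either set allows it. The following is an added example, not OCI's own code: a Python model of that evaluation for the tiered VCN above, including the case a practitioner should check for, a single permissive security-list rule silently overriding a tight NSG. The CIDRs, rules and class names are constructed for the example; stateful connection tracking and NSG-to-NSG source references are left out.

```python
# Added example (not OCI's code): a model of how OCI evaluates security lists
# (subnet level) and network security groups (VNIC level). OCI applies the union
# of both rule sets: a packet is allowed if any rule in either set allows it.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityRule:
    direction: str      # "ingress" or "egress"
    protocol: str       # "tcp", "udp", "icmp" or "all"
    cidr: str           # source CIDR for ingress, destination CIDR for egress
    port_min: int = 1   # destination port range, used for tcp/udp only
    port_max: int = 65535

    def matches(self, direction, protocol, peer_ip, port):
        if self.direction != direction or self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(self.cidr):
            return False
        if self.protocol in ("tcp", "udp") and not (self.port_min <= port <= self.port_max):
            return False
        return True


def allowed(security_list_rules, nsg_rules, direction, protocol, peer_ip, port=0):
    """Union semantics: any matching rule in either set permits the packet."""
    rules = list(security_list_rules) + list(nsg_rules)
    return any(r.matches(direction, protocol, peer_ip, port) for r in rules)


# Constructed tiered VCN 10.0.0.0/16: DMZ 10.0.1.0/24 (load balancers, bastion
# at 10.0.1.10), web 10.0.2.0/24, private DB 10.0.3.0/24.
DMZ_SL = [SecurityRule("ingress", "tcp", "0.0.0.0/0", 443, 443)]
WEB_SL = [SecurityRule("ingress", "tcp", "10.0.1.0/24", 8080, 8080)]
DB_SL = [SecurityRule("ingress", "tcp", "10.0.2.0/24", 1521, 1521)]
DB_NSG = [SecurityRule("ingress", "tcp", "10.0.1.10/32", 22, 22)]  # admin SSH only from the bastion


def db_reachable_from(peer_ip, port, extra_sl_rules=()):
    """Is TCP ingress to a DB VNIC allowed from peer_ip? extra_sl_rules models a later edit."""
    return allowed(list(DB_SL) + list(extra_sl_rules), DB_NSG, "ingress", "tcp", peer_ip, port)


if __name__ == "__main__":
    print(db_reachable_from("10.0.2.15", 1521))    # web tier to DB: True
    print(db_reachable_from("203.0.113.5", 1521))  # internet to DB: False
    print(db_reachable_from("10.0.1.10", 22))      # bastion SSH: True
    print(db_reachable_from("10.0.2.15", 22))      # web tier SSH: False
    # Caveat: one permissive security-list rule makes the tight NSG irrelevant.
    print(db_reachable_from("203.0.113.5", 22,
                            extra_sl_rules=[SecurityRule("ingress", "all", "0.0.0.0/0")]))  # True
```

The last call is the review point: because the sets are unioned, NSG restrictions are only as strong as the loosest security list on the subnet, so a private subnet's security list should be kept minimal and changes to it reviewed alongside the NSGs it can override.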


OCI Web Application Firewall

What is a WAF?
• WAF refers to a device, server-side plug-in, or filter that applies a set of rules to HTTP/S traffic
• By intercepting HTTP/S traffic and passing it through a set of filters and rules, WAF is able to uncover and protect against attack streams hitting a web application
• Rules cover common attacks (Cross-site Scripting (XSS), SQL Injection) and the ability to filter specific source IPs or bad bots
• Typical responses from WAF will either be allowing the request to pass through, audit logging the request, or blocking the request by responding with an error page.

• OCI Web Application Firewall (WAF) is a cloud-based, PCI-compliant, global security service that protects applications from malicious and unwanted internet traffic.
• Use cases:
  – Protect any internet-facing endpoint from cyberattacks and malicious actors
  – Protect against cross-site scripting (XSS) and SQL injection
  – Bot management – dynamically blocking bad bots
  – Protection against layer 7 DDoS attacks

To get started, you need to understand what a Web Application Firewall is.

So, when you expose a web application to the Internet, you want to make sure your website is protected against bad actors who want to compromise your site. WAF is a solution that helps protect websites and applications against attacks that cause data breaches and downtime. WAF acts as a reverse proxy that inspects all traffic flows or requests before they arrive at the origin web application. It also inspects any request going from the web application server to the end user.

Most of those attacks are based on custom scripts that exploit vulnerabilities of the web application. When a web application firewall recognizes one of those attack requests, it can perform some actions based on the configuration that you defined. It can allow the request to pass through, log the request, or block the request by responding with an error page.

Oracle Cloud Infrastructure Administration Essentials 17 - 16


Multiple Layers of Defense In-Depth

[Diagram: layered defenses from the Internet inward, Edge Services, Virtual Network, Instance and Data, with Monitoring and Identity spanning all layers]

Edge Services
• Global PoPs
• DDoS Protection
• DNS Security
• WAF Protection

Virtual Network
• Interface Virtual Taps
• Segmentation
• Security Lists
  – FW
  – NGFW
  – IPS
• Private Networks
• Bastion Access
• SSL Load Balancing
• FastConnect (Direct)
• FastConnect (Carrier)
• IPSec VPN

Instance
• Tenant Isolation
• Hardened Images
• 3rd Party Security
• Hardware Entropy
• SSH Keys
• Certificates
• Root-Of-Trust Card
• Signed Firmware

Data
• At-Rest-Crypto
  – TDE
  – DataGuard
• In-Transit-Crypto
  – SSL/TLS
  – NNE
• Keys
  – Managed Keys
  – Custom Keys
  – Managed Vault
• Hardware Security Modules

Monitoring
• User Monitoring
• Configuration Monitoring
• Logging
• Compliance

Identity
• Identity Federation
• Role-Based Policy
• Compartments & Tagging
• Instance Principals

Oracle Cloud Infrastructure Administration Essentials 17 - 17


Advanced Control: Defense In-Depth and Breadth

[Diagram: an OCI region with a Virtual Cloud Network spanning AD1, AD2 and AD3, reached through an IGW, FastConnect (with IPSec option) and IPSec VPN; surrounding services shown are OCI IAM, CASB Service, Authoritative DNS with Internet Intelligence, subnet-level virtual firewalls, WAF with automated proactive threat detection, and DDoS protection]

 vFirewalls – access control in/out
 Distributed Denial of Service (DDoS) – network layer attack protection
 Web Application Firewall (WAF) – application layer attack protection
 Cloud Access Security Broker (CASB) – visibility, compliance, control drift alerting
 Virtual Private Network (VPN) – protection/encryption in transit over Internet & private links
 Domain Name Service (DNS) – managed DNS from Oracle for OCI customers
 Identity & Access Management (IAM) – control who can access and manage OCI resources

For each customer's Virtual Cloud Network(s) there is a range of defense-in-depth protections available spanning layers 3-7.

Virtual firewalls are implemented by using VCN security lists. Customers can specify a set of firewall rules and associate them with one or more subnets. Associating a security list with a subnet applies those firewall rules to all instances running inside the subnet, at the packet level. Rules are enforced bidirectionally.

Although by default a VCN has no internet connectivity, internet-bound traffic to/from a VCN must pass through an Internet routing gateway. Virtual routing tables can be implemented with private IP addresses for use with NAT and 3rd party firewall devices for additional security.

Alternatively, traffic can be routed through a Dynamic Routing Gateway (DRG): a virtual router that provides a path for private traffic between a VCN and a data center's network. It is used with an IPSec VPN or Oracle Cloud Infrastructure FastConnect connection to establish private connectivity between a VCN and an on-premises or other cloud network.

For protection of web applications, Oracle provides a WAF service with 250 pre-defined OWASP and compliance rules. Oracle Cloud Infrastructure WAF acts as a reverse proxy that inspects all traffic flows or requests before they arrive at the origin web application. It also inspects any request going from the web application server to the end user.

You can use Identity and Access Management (IAM) to control access to WAF management. WAF changes are recorded in the Audit service.

Additionally, Oracle's optional global anycast DNS service also takes advantage of DNS-based DDoS protections, providing resiliency at the DNS layer.

Oracle Cloud Infrastructure Administration Essentials 17 - 18


Compliance Certifications

Global
• SOC 1, SOC 2, SOC 3
• ISO 27001, ISO 27017, ISO 27018
• US Privacy Shield

Government
• DoD DISA SRG IL2
• DoD DISA SRG IL5
• Moderate – Agency ATO
• VPAT – Section 508
• G-Cloud 11 – UK
• Model Clauses – EU

Industry
• HIPAA
• PCI DSS Level 1
• FISC - Japan
• IG Toolkit - UK
• FINMA – Switzerland

Regional
• GDPR - EU
• BSI C5 - Germany
• TISAX - Germany
• PIPEDA - Canada
• Cyber Essentials Plus - UK
• My Number - Japan
• Cloud Security Principles - UK

Some of you have asked me: building a region, building a feature is easy… not compliance.

Oracle Cloud Infrastructure Administration Essentials 17 - 19


Summary

• Data protection
• Security services
• Shared Security Model
• Infrastructure protection
• OS and workload isolation
• Identity and Access Management

Oracle Cloud Infrastructure Administration Essentials 17 - 20


L100
Web Application Firewall
Objectives

After completing this lesson, you should be able to:
• Describe WAF concepts and use cases
• Describe the OCI WAF Service
• Explain OCI WAF capabilities and architecture

At the end of this lesson, you will understand WAF concepts and use cases and be able to describe the OCI WAF Service. You will also be able to explain the capabilities and architecture of OCI WAF.

Oracle Cloud Infrastructure Administration Essentials 18 - 2


WAF Concepts and Use Cases

Oracle Cloud Infrastructure Administration Essentials 18 - 3


What is a Web Application Firewall?

• Web Application Firewall (WAF) refers to a device, server-side plug-in, or filter that applies a set of rules to HTTP/S traffic.
• By intercepting HTTP/S traffic and passing it through a set of filters and rules, WAF is able to uncover and protect against attack streams hitting a web application.
• Generally, these rules cover common attacks, such as Cross-site Scripting (XSS) and SQL Injection, in addition to giving customers the ability to filter specific source IPs or bad bots.
• Typical responses from WAF will either be allowing the request to pass through, audit logging the request, or blocking the request by responding with an error page.

To get started, you need to understand what a Web Application Firewall is.

So, when you expose a web application to the Internet, you want to make sure your website is protected against bad actors who want to compromise your site. WAF is a solution that helps protect websites and applications against attacks that cause data breaches and downtime. WAF acts as a reverse proxy that inspects all traffic flows or requests before they arrive at the origin web application. It also inspects any request going from the web application server to the end user.

Most of those attacks are based on custom scripts that exploit vulnerabilities of the web application. When a web application firewall recognizes one of those attack requests, it can perform some actions based on the configuration that you defined. It can allow the request to pass through, log the request, or block the request by responding with an error page.

Oracle Cloud Infrastructure Administration Essentials 18 - 4


OCI Web Application Firewall

• OCI Web Application Firewall (WAF) is a cloud-based, PCI-compliant, global security service that protects applications from malicious and unwanted internet traffic
• Use cases:
  – Protect any internet-facing endpoint from cyberattacks and malicious actors
  – Protect against cross-site scripting (XSS) and SQL injection, activities that allow attackers to gain unauthorized access to privileged information
  – Bot management – dynamically blocking bad bots
  – Protection against layer 7 distributed denial-of-service (DDoS) attacks
  – Aggregated threat intelligence from multiple sources including Webroot BrightCloud

OCI WAF is a cloud-based, PCI-compliant solution that protects applications from cyber attacks. OCI WAF can protect any internet-facing endpoint hosted on OCI or on-premises by intercepting HTTP/S traffic and passing it through a set of filters and rules. These rules cover common attacks such as Cross-site Scripting and SQL Injection.

OCI WAF also provides aggregated threat intelligence from multiple sources, including Webroot BrightCloud. So, onboarding your applications to the OCI WAF service will protect against layer 7 distributed denial-of-service (DDoS) attacks.

Oracle Cloud Infrastructure Administration Essentials 18 - 5


Key OCI WAF Components

• Supports over 250 rulesets to protect against SQL injection, cross-site scripting, HTML injection, and many more threats
• JavaScript Challenge, CAPTCHA Challenge, Device Fingerprint Challenge and whitelisting capabilities work in conjunction with rulesets to further detect and mitigate bad bots and allow legitimate human and bot traffic
• User access controls can be configured on the basis of countries, IP addresses, URLs, and other request attributes to prohibit risky traffic
• Multi-cloud support provides WAF protection for any internet-facing application in any environment: OCI, on-premises, and across multi-cloud deployments

OCI WAF includes over 250 predefined rulesets to protect against the most well-known attacks on web applications.

You also have the ability to configure OCI WAF to protect your application against bots. All you have to do is use the additional JavaScript challenge, CAPTCHA challenge, and whitelisting capabilities in conjunction with the WAF rule sets to further detect and block bad bots while allowing good bots to access your application.

In addition to that, it gives you the ability to filter specific source IPs or bad bots. The rules can also be used to control access based on geolocation, HTTP header parameters and HTTP URL.

In addition to providing protection for OCI workloads, OCI WAF also protects on-premises and multicloud environments. Having a single web application firewall to protect your workloads in any environment is extremely important as you move to Oracle Cloud Infrastructure.

Oracle Cloud Infrastructure Administration Essentials 18 - 6


OCI WAF Rulesets

• OCI WAF uses the OWASP ModSecurity Core Rule Set to protect against the most common web vulnerabilities. These rules are managed and maintained by the open source community.
• OCI WAF comes preconfigured with protection against the most important threats on the Internet as defined by the OWASP Top 10. These include:
  – A1 – Injections (SQL, LDAP, OS, etc.)
  – A2 – Broken Authentication and Session Management
  – A3 – Cross-site Scripting (XSS)
  – A4 – Insecure Direct Object References
  – A6 – Sensitive Data Exposure
  – A7 – Missing Function-Level Access Control
• Each type of vulnerability ruleset is shown within the OCI console, with granular controls for each specific rule.

For those 250 predefined rules, OCI WAF uses the Open Web Application Security Project (OWASP) rules to keep those rules always updated with the latest attacks seen today. Those rules are managed and maintained by the open source community.

So, here is the way it works: these rules are compared against incoming requests to identify whether the request contains an attack payload. If it is determined that a request is an attack, the WAF blocks or sends an alert about that request.

Oracle Cloud Infrastructure Administration Essentials 18 - 7


Challenges and Whitelisting Capabilities

• JavaScript Challenge: Fast and efficient way to block a large percentage of bot attacks
  – After receiving an HTTP request, a piece of JavaScript is sent back to the browser of every client, attacker, and real user. It instructs the browser to perform an action. Legitimate browsers will pass the challenge without the user's knowledge, while bots—which are typically not equipped with JavaScript—will fail and be blocked
• CAPTCHA Challenge
  – If a specific URL should be accessed only by a human, you can control it with CAPTCHA protection.
  – You can customize the comments for the CAPTCHA Challenge for each URL.
• Whitelisting: Allows you to manage which IP addresses appear on the IP whitelist
  – Requests from the whitelisted IP addresses bypass all challenges, such as DDoS policies and WAF rulesets.

JavaScript Challenge is a type of web challenge that is used in denial of service (DDoS) mitigation to filter out attackers from legitimate clients. The challenge is to send every client JavaScript code that includes some kind of challenge. Virtually any browser has a JavaScript stack and will easily understand and pass the challenge without the user's notice. However, the denial of service (DDoS) bots typically are not equipped with a JavaScript stack and therefore cannot pass the challenge.

A CAPTCHA challenge is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. For example, humans can read text in different formats and shapes where bots can't. OCI WAF allows you to customize the comments for the CAPTCHA challenge for each URL.

We also have the whitelisting capability, which allows you to specify which IP addresses can access your application by bypassing all the challenges above and the WAF access control rules.

Oracle Cloud Infrastructure Administration Essentials 18 - 8


Bot Management

Entity Attributes and Behavioral Detection

• Human Interaction
  – Oracle WAF identifies normal usage patterns based on legitimate user behavior on the site. The WAF will challenge with CAPTCHA or block requests when it detects abnormalities or traffic exceeds defined interaction thresholds.
• Device Fingerprinting (available in the API)
  – Oracle WAF collects various unique characteristics about a device entity, generating a hashed signature. This hashed signature is then compared to other requests to determine whether the same signature is being leveraged across different contexts.
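The device-fingerprinting idea above, as an added example rather than Oracle's implementation: client characteristics are hashed into a signature, the signature is correlated across requests, and one reused from too many contexts earns a CAPTCHA. The attribute set, the threshold and every address and header value are constructed.

```python
"""Device-fingerprint correlation as the slide describes it (added example,
not Oracle's implementation). A set of client characteristics is
normalised and hashed into a signature; the signature is then compared
across requests, and one that is reused from more distinct contexts
(source addresses here) than a threshold is challenged with CAPTCHA.
The attribute set, threshold, addresses and header values are constructed.
"""
import hashlib
import json
from collections import defaultdict

# Attributes that stay stable for one real device yet are identical across
# every instance of one automated client. Chosen for illustration only.
FINGERPRINT_ATTRS = ("user_agent", "accept_language", "screen", "timezone", "fonts")


def fingerprint(attrs):
    """Hex SHA-256 over a canonical (sorted, trimmed, lower-cased) view of attrs."""
    canonical = {k: str(attrs.get(k, "")).strip().lower() for k in FINGERPRINT_ATTRS}
    return hashlib.sha256(json.dumps(canonical, sort_keys=True).encode()).hexdigest()


def correlate(requests, max_contexts=3):
    """Map each signature to the set of source addresses presenting it, and
    return only the signatures seen from more than max_contexts addresses."""
    contexts = defaultdict(set)
    for req in requests:
        contexts[fingerprint(req["attrs"])].add(req["src_ip"])
    return {sig: ips for sig, ips in contexts.items() if len(ips) > max_contexts}


def action_for(req, flagged):
    """CAPTCHA a request whose device signature is one of the flagged ones."""
    return "CAPTCHA" if fingerprint(req["attrs"]) in flagged else "ALLOW"


# Constructed traffic: one person visiting four times from one address and
# one scripted client presenting an identical fingerprint from five addresses.
HUMAN_ATTRS = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "accept_language": "en-GB",
               "screen": "2560x1440", "timezone": "Europe/London", "fonts": "DejaVu,Liberation"}
BOT_ATTRS = {"user_agent": "python-requests/2.25", "accept_language": "",
             "screen": "", "timezone": "", "fonts": ""}
SAMPLE = [{"src_ip": "198.51.100.20", "attrs": HUMAN_ATTRS}] * 4
SAMPLE += [{"src_ip": f"203.0.113.{n}", "attrs": BOT_ATTRS} for n in range(1, 6)]

if __name__ == "__main__":
    flagged = correlate(SAMPLE)
    for req in SAMPLE[3:5]:
        print(req["src_ip"], action_for(req, flagged))  # ALLOW, then CAPTCHA
```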

Oracle Cloud Infrastructure Administration Essentials 18 - 9


Access Controls

[Diagram: WAF in front of the origin, with callouts: restrict or control access to critical web applications, data and services; identifies whether requests are from a human or a machine; controls or blocks non-human suspicious requests; hides the origin server; inspects traffic as it tries to access the server or as it leaves the server]

• Use access controls to restrict or control access to your critical web applications, data and services. For example, in some cases, an offering may need to stay within a specific country. Regional access control can be used to restrict users from certain geographies.
• Control access based on HTTP header information. Block requests if the HTTP header contains specific names or values, or allow traffic with a proper HTTP regular expression.
• Control access based on URL address matching or partial matching, or match proper URL regular expressions.

You can use the user access controls to restrict or control access to your web applications. As an example, regional-based access control is ideal for keeping your clients on the applications that are in a specific region. Another use could be to block countries from getting to your application servers entirely. For example, if you don't do business with countries located in Asia, you can completely block access from these countries.

You can also activate the user access control based on HTTP header information or URL address.
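The order in which the slides describe a policy acting on a request (whitelist bypass, then the country, header and URL access controls, then the rulesets with their allow, log or block outcome), written out as an added example; it is not Oracle's engine or ruleset. The geo table, the placeholder country code "XX", the two signatures and all addresses and requests are constructed.

```python
"""Evaluation order of a WAF policy as the slides describe it (added example,
not Oracle's engine). A whitelisted address bypasses every challenge and
rule; access rules then block on country, HTTP header or URL; finally the
protection rules compare the request against attack signatures and either
log it (DETECT) or BLOCK it. The geo table, the rule patterns, the addresses
and the requests are all constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed prefix-to-country table standing in for the WAF's geo data;
# "XX" is a placeholder code, not a real country.
GEO = {"198.51.100.": "GB", "203.0.113.": "XX"}


def country_of(ip: str) -> str:
    return next((code for prefix, code in GEO.items() if ip.startswith(prefix)), "??")


@dataclass
class Request:
    src_ip: str
    url: str                                   # path and query string
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Policy:
    whitelist: List[str]                  # source IPs that bypass everything
    blocked_countries: List[str]
    header_blocks: Dict[str, str]         # header name -> regex on its value
    url_blocks: List[str]                 # regexes matched against the URL
    protection_rules: Dict[str, str]      # rule id -> regex over URL and body
    protection_action: str = "BLOCK"      # "BLOCK" or "DETECT" (log only)


def evaluate(policy: Policy, req: Request) -> Tuple[str, str]:
    """Return (decision, reason); decision is ALLOW, BLOCK or DETECT."""
    if req.src_ip in policy.whitelist:
        return "ALLOW", "whitelisted address bypasses challenges and rules"
    country = country_of(req.src_ip)
    if country in policy.blocked_countries:
        return "BLOCK", f"access rule: country {country}"
    headers = {k.lower(): v for k, v in req.headers.items()}  # names are case-insensitive
    for name, pattern in policy.header_blocks.items():
        if re.search(pattern, headers.get(name.lower(), "")):
            return "BLOCK", f"access rule: header {name}"
    for pattern in policy.url_blocks:
        if re.search(pattern, req.url):
            return "BLOCK", "access rule: URL"
    haystack = req.url + "\n" + req.body
    for rule_id, pattern in policy.protection_rules.items():
        if re.search(pattern, haystack, re.IGNORECASE):
            return policy.protection_action, f"protection rule {rule_id}"
    return "ALLOW", "no rule matched"


# Constructed policy: one whitelisted scanner host, one blocked country, an
# empty or known-bad User-Agent blocked, /admin closed to the internet, and
# one minimal signature each for the XSS and SQL injection classes named
# on the slides (a real ruleset carries hundreds of far more precise rules).
POLICY = Policy(
    whitelist=["198.51.100.250"],
    blocked_countries=["XX"],
    header_blocks={"User-Agent": r"^$|BadBot"},
    url_blocks=[r"^/admin(/|$)"],
    protection_rules={"XSS-1": r"<\s*script", "SQLI-1": r"\bunion\b.*\bselect\b"},
)

if __name__ == "__main__":
    ua = {"User-Agent": "Mozilla/5.0"}
    for req in (Request("198.51.100.20", "/products?id=42", ua),
                Request("198.51.100.20", "/search?q=<script>", ua),
                Request("203.0.113.9", "/products?id=42", ua)):
        print(req.src_ip, req.url, evaluate(POLICY, req))
```

Switching `protection_action` to "DETECT" gives the audit-logging behaviour the slides mention: the same requests are reported but allowed through.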

Oracle Cloud Infrastructure Administration Essentials 18 - 10


WAF Architecture and Benefits

Oracle Cloud Infrastructure Administration Essentials 18 - 11


Oracle Cloud Infrastructure WAF Architecture

[Diagram: Internet clients reach the WAF edge nodes (carrying the published WAF policy) through DNS-optimized routing for HA; from the edge nodes traffic passes the Internet Gateway into a subnet of the VCN in an OCI region and tenancy. The same edge nodes also front internet-facing web applications hosted at other cloud providers and on-premises, behind customer premises equipment]

Under the WAF policy, you can take advantage of over 250 predefined Open Web Application Security Project (OWASP) application and compliance-specific rules. Once you have configured your rules, you can then publish them to the WAF Edge Nodes spread around the globe.

When a client requests access to your web application, all traffic flows through the OCI WAF edge nodes before arriving at your application server. This allows the OCI WAF to inspect the traffic and compare it to the defined rules and parameters that were published by the WAF policy you created.

Configured as a reverse proxy, the OCI WAF inspects all traffic going in and out of your web application origin and identifies and blocks all malicious traffic, protecting your cloud environment and also your on-premises web applications.

Oracle Cloud Infrastructure Administration Essentials 18 - 12


WAF Points of Presence (PoPs)

[Map of WAF PoP locations]
• North America: Vancouver, Seattle, Los Angeles, Dallas, Chicago, Toronto, Ashburn, Miami
• South America: Sao Paulo
• Europe: Dublin, London, Amsterdam, Frankfurt
• Asia Pacific: Tokyo, Hong Kong, Singapore, Sydney

Oracle Cloud Infrastructure Administration Essentials 18 - 13


Shared Responsibility Model for WAF

Responsibility                                                             | Oracle | Customer
Configure WAF on-boarding dependencies (DNS, Ingress rules, network)       | No     | Yes
On-board/Configure the WAF policy for the web application                  | No     | Yes
Construct new rules based on the new vulnerabilities and mitigations       | Yes    | No
Review and accept new recommended rules                                    | No     | Yes
Keep WAF infrastructure patched and up-to-date                             | Yes    | No
Monitor data-plane logs for abnormal, undesired behavior                   | Yes    | Yes
Monitor for Distributed Denial of Services (DDoS) attacks                  | Yes    | No
Provide High Availability (HA) for the WAF                                 | Yes    | No
Tune the WAF's access rules and bot management strategies for your traffic | No     | Yes

Oracle Cloud Infrastructure Administration Essentials 18 - 14


Benefits of Oracle Cloud Infrastructure WAF

• Consolidate threat intelligence
• Push malicious traffic farther away from your origin
• Augment your Security Operations Center (SOC)
• Better visibility into internet traffic metrics
• Consolidate governance through policies, audit, and tagging
• Off-load patching and maintenance of the Web Application Firewall
• Global traffic management and optimization
• Consolidate WAF policy for OCI and non-OCI applications
• Low cost

Oracle Cloud Infrastructure Administration Essentials 18 - 15


Summary

In this lesson, you should have learned how to:
• Describe WAF concepts and use cases
• Describe the OCI WAF Service
• Explain OCI WAF capabilities and architecture

Oracle Cloud Infrastructure Administration Essentials 18 - 16
