Student Guide
D107965GC20 | D108009
Administration Essentials

Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.
The information contained in this document is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government's use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.

Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as
2010072020

Unauthorized reproduction or distribution prohibited. Copyright© 2021, Oracle University and/or its affiliates.
Contents

1 Getting Started with Oracle Cloud Infrastructure
OCI Region – HA Building Blocks 1-6
One AD Regions 1-7
Inside an AD – High Scale, High Performance, Network 1-8
Off-box Network Virtualization 1-9
Oracle Cloud Infrastructure Services 1-10
Differentiation 1-12
Summary 1-13

2 Identity and Access Management
Objectives 2-2
Principals 2-5
Authentication 2-6
Authorization 2-7
Compartment 2-15
Reference Model: Compartments 2-16
Federation 2-19

Public IP 3-14
Public IP Addresses 3-15
Internet Gateway 3-17
Route Table 3-18
NAT Gateway 3-20
Service Gateway 3-21
Dynamic Routing Gateway 3-22
Local Peering (Within Regions) 3-24
Remote Peering (Across Regions) 3-25
Summary of OCI Network Connectivity Options 3-26
SL + NSG 3-34
Summary 3-43

Objectives 4-2

5 Connectivity - FastConnect
Objectives 5-2
Why do you need dedicated connectivity into cloud? 5-3
FastConnect: Product Overview 5-4
FastConnect Use Cases 5-5
FastConnect: Use Scenarios 5-6
FastConnect (Private Connection) 5-7
BGP Advertisement and Traffic-flow 5-8
FastConnect: Use Scenarios 5-9
FastConnect (Public Peering Connection) 5-10
BGP Advertisement and Traffic Flow 5-12
Private and Public Peering 5-13
Direct to Oracle: Dedicated Circuits Using a Network Service Provider (1b) 5-20
How to Set Up a FastConnect Virtual Circuit with Partner: Demo Example - Megaport

6 Load Balancer
Objectives 6-2
Primer 6-3
OCI Load Balancing Service 6-5
Public Load Balancer 6-6
Public Load Balancer (Regional Subnets - recommended) 6-8
Public Load Balancer (AD Specific Subnets) 6-9
Private Load Balancer 6-10
Private Load Balancer (Using Regional Subnets) 6-12
Private Load Balancer (with AD Specific Subnets) 6-13
Policies, Health Checks 6-14
Summary 6-17

7 Compute
Objectives 7-2

Docker and Kubernetes 8-4
Docker and Kubernetes Lead the Market 8-5
Container Orchestration and Containers as a Service (CaaS) 8-6
Three Ways to Run Kubernetes on Oracle Cloud Infrastructure 8-8
Terraform Kubernetes Installer for OCI 8-9
Container Engine for Kubernetes (OKE): Introduction 8-10
Kubernetes Challenges 8-11
Working with OKE and OCIR on OCI 8-12
OKE/OCIR Pricing and Packaging 8-13
Oracle Container Engine (OKE) and Registry 8-14
Summary 8-30

Objectives 9-2

10 Object Storage
Objectives 10-2
OCI Storage Services 10-3
Object Storage Intro 10-4
Object Storage Service 10-5
Object Storage Scenarios 10-6
Object Storage Service Features 10-7
Object Storage Resources 10-8
Object Naming 10-9
Object Storage Tiers 10-10
Object Storage Capabilities 10-11
Managing Access and Authentications 10-12
Cross-region Copy 10-13
Object Lifecycle Management 10-14
Summary 10-16

11 Block Volume
Objectives 11-2
Clone 11-20
Volume Groups 11-21
Boot Volumes 11-23
Custom Boot Volumes 11-25
Summary 11-26

Security 12-13
Security Lists 12-14
Export Option 12-15
File Storage Service Snapshots 12-17
File Storage Service Snapshot 12-18
Summary 12-19

13 Database
Objectives 13-2
OCI Database Service 13-3

14 Autonomous Database
Objectives 14-2
Autonomous Optimizations – Specialized by Workload 14-5
Autonomous Database – Choice of Cloud Deployment 14-6
Autonomous Database Cloud Service – Deployment Options 14-8
Autonomous Database – Fully Managed 14-11
Automated Tuning in Autonomous Database 14-12
Autonomous Database – Fully Elastic 14-13
Full Support of Database Ecosystem 14-14
Autonomous Data Warehouse: Architecture 14-15
Autonomous Transaction Processing: Architecture 14-16
Getting Started with Autonomous Database 14-17
Auto Scaling Autonomous Database 14-18
Securing Autonomous Database (ADB) 14-19
Connecting to the Autonomous Database 14-20
Troubleshooting Connectivity Issues 14-21
Scaling Your Database 14-22
Monitoring 14-23
Summary 14-34

15 DNS
Objectives 15-2

Traffic Management Steering Policies 16-12
Traffic Management Concepts 16-13
Load Balancer Policy 16-14
Failover Policy 16-17
Geolocation Steering Policy 16-19
ASN Steering Policy 16-21
IP Prefix Policy 16-22
Health Checks 16-24
Health Checks Service Components 16-25
Creating a Health Check 16-26
Summary 16-29

17 OCI Security
Agenda 17-2
Federation 17-7
Audit 17-13
Contents of an Audit log event 17-14
Network Protection 17-15
OCI Web Application Firewall 17-16
Multiple Layers of Defense In-Depth 17-17
Advanced Control: Defense In-Depth and Breadth 17-18
Compliance Certifications 17-19
Summary 17-20

Access Controls 18-10
Oracle Cloud Infrastructure WAF Architecture 18-12
WAF Point of Presences (PoPs) 18-13
Shared Responsibility Model for WAF 18-14
Benefits of Oracle Cloud Infrastructure WAF 18-15
Summary 18-16
Level 100
Getting Started with Oracle Cloud Infrastructure
1
Objective
•
2
[Map: OCI regions – London, Frankfurt, Toronto, Zurich, Chicago, Mumbai, Sao Paulo, Sydney. Legend: Commercial, Government, Microsoft Azure Interconnect]
3
[Map: OCI regions, current and planned – London, Newport (Wales), Amsterdam, Montreal, Frankfurt, Toronto, Zurich, Chuncheon, Chicago, Bay Area, Ashburn, Seoul, Tokyo, Phoenix, US Gov, Israel, Osaka, Dubai, Jeddah, UAE 2, Mumbai, Saudi 2, Hyderabad, Singapore, Belo Horizonte, Chile, Sao Paulo, South Africa, Sydney, Melbourne. Legend: Commercial, Commercial Planned, Government, Government Planned, Microsoft Azure Interconnect, Microsoft Azure Interconnect Planned]
4
[Map: the same regions – London, Newport (Wales), Amsterdam, Montreal, Frankfurt, Toronto, Zurich, Chuncheon, Chicago, Bay Area, Ashburn, Seoul, Tokyo, Phoenix, US Gov, Israel, Osaka, Dubai, Jeddah, UAE 2, Saudi 2, Mumbai, Hyderabad, Singapore, Belo Horizonte, Chile, Sao Paulo, South Africa, Sydney, Melbourne. Legend: Commercial, Government, Microsoft Azure Interconnect]
5
OCI Region – HA Building Blocks
[Diagram: a Region consists of Availability Domains 1, 2 and 3 (separate datacenters); each Availability Domain contains Fault Domains FD1, FD2 and FD3 (separate racks)]
6
One AD Regions
made available within a year to enable further options for DR and data residency.

Region                       ADs
Australia East (Sydney)      1
Brazil East (Sao Paulo)      1
Canada Southeast (Toronto)   1
India West (Mumbai)          1
Japan East (Tokyo)           1
South Korea Central (Seoul)  1
Switzerland North (Zurich)   1
7
Inside an AD – High Scale, High Performance, Network
[Diagram: the physical network spanning Availability Domains 1, 2 and 3 within the region's datacenters]
8
Off-box Network Virtualization
Off-box network virtualization moves storage and network I/O out of the hypervisor. This lowers overhead and is what makes bare metal instances possible: the host runs no virtualization software that has to mediate I/O.
[Diagram: a virtual network layered on the physical network, spanning Availability Domains 1, 2 and 3 within the region's datacenters]
9
Oracle Cloud Infrastructure Services
Compute, Storage, Database, Load Balancers, Security, ...
– Compute: Bare Metal, VMs, GPU, Containers
– Database: Exadata, DB Systems, RAC
– Storage: NVMe, Block, Object, File
– Load Balancers, Security, VPN, ...
[Diagram: these services sit on the virtual network, which sits on the physical network across Availability Domains 1, 2 and 3]
10
Serverless: Functions, Autonomous-Serverless
Analytics: Streaming, Oracle Analytics Cloud
Next Layer Services: Monitoring, Logging, Audit
Security: Audit, Key Management – log API calls for audit, bring your own keys
Data Movement: Storage appliance, Data Transfer – Software NAS Gateway, Data Transfer Appliance
Edge: DNS, Other Edge, Email – Global DNS, global private connectivity at up to 97% less cost
https://www.oracle.com/cloud/data-regions.html
11
Differentiation
Technical
1. Performance
   – Off-box network virtualization
   – No network, CPU or memory over-subscription
2. Battle tested (NetSuite and other SaaS apps run on OCI)
3. DB options: BM, VM, Exadata, RAC
4. Enterprise apps support (EBS, JDE, ...)
Business
1. Aggressive and predictable pricing – cheaper than AWS
3. BYOL and Universal Cloud Credits
4. Support through one org
12
Summary
•
13
Level 100
Identity and Access Management
2
Objectives
•
• Explore OCI Audit service features
2
• The Identity and Access Management (IAM) service enables you to control what type of access a group of users has and to which specific resources.
• A resource is a cloud object that you create and use in OCI (e.g. compute instances, block storage volumes, Virtual Cloud Networks).
• Each OCI resource has a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).
• IAM uses traditional identity concepts, such as principals, users, groups, AuthN (authentication) and AuthZ (authorization), and introduces a new capability called a compartment.
3
4
Principals, AuthN, AuthZ
Principals
– The same user can be a member of multiple groups.
• Instance Principals
– Instance Principals let instances (and the applications running on them) make API calls against other OCI services, removing the need to store user credentials or a configuration file on the instance.
5
Authentication
• API Signing Keys
– The key is an RSA key pair in PEM format (minimum 2048 bits).
– In the OCI Console, copy and paste the contents of the PEM public key file. Use the private key with the SDK or with your own client to sign your API requests. The private key never leaves the client.
• Auth Tokens
– Oracle-generated token strings to authenticate with third-party APIs that do not support OCI signature-based authentication (e.g. ADW).
– Auth tokens do not expire, so treat them like passwords and delete tokens that are no longer needed.
6
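How "sign your API requests" actually works is worth seeing once, because most signing failures are canonicalisation mistakes rather than key problems. The following is an added example, not code from this course or from the OCI SDK. It builds the string OCI signs (selected headers, one per line, with the lowercase method and path as `(request-target)`), binds the body to the signature for POST/PUT via `x-content-sha256`, and formats the `Authorization` header whose `keyId` is `<tenancy OCID>/<user OCID>/<key fingerprint>`. The RSA-SHA256 step is passed in as a callable so the canonicalisation can be checked offline; the OCIDs, host and fingerprint below are constructed placeholders.

```python
"""Build the OCI API request signing string and Authorization header.

Added example (not from the course or the OCI SDK).  The RSA step is
pluggable: sign_request() takes any signer(bytes) -> bytes, and
rsa_signer() shows the real one for an API signing key.
"""
import base64
import hashlib
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Headers OCI signs: the first list for requests without a body (GET, DELETE,
# HEAD), the second for PUT/POST/PATCH, which also bind the body hash.
HEADERS_NO_BODY = ["date", "(request-target)", "host"]
HEADERS_WITH_BODY = HEADERS_NO_BODY + ["content-length", "content-type", "x-content-sha256"]


def body_sha256(body: bytes) -> str:
    """x-content-sha256 header value: base64 of the SHA-256 of the raw body."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode()


def canonical_headers(method: str, url: str, headers: Dict[str, str],
                      body: Optional[bytes]) -> Tuple[Dict[str, str], List[str]]:
    """Lower-case the header names, add the derived headers, and return them
    together with the ordered list of names that go into the signature."""
    parts = urlsplit(url)
    h = {k.lower(): v for k, v in headers.items()}
    if "date" not in h:
        raise ValueError("a Date header (RFC 7231 format) is required")
    h.setdefault("host", parts.netloc)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    h["(request-target)"] = f"{method.lower()} {target}"   # lowercase method, path and query
    names = HEADERS_NO_BODY
    if body is not None:
        h["content-length"] = str(len(body))
        h.setdefault("content-type", "application/json")
        h["x-content-sha256"] = body_sha256(body)
        names = HEADERS_WITH_BODY
    return h, list(names)


def signing_string(method: str, url: str, headers: Dict[str, str], body: Optional[bytes] = None) -> str:
    """The exact bytes that get signed: 'name: value' lines joined by a newline."""
    h, names = canonical_headers(method, url, headers, body)
    return "\n".join(f"{n}: {h[n]}" for n in names)


def sign_request(tenancy_ocid: str, user_ocid: str, fingerprint: str, method: str, url: str,
                 headers: Dict[str, str], body: Optional[bytes],
                 signer: Callable[[bytes], bytes]) -> Dict[str, str]:
    """Return the headers to send, including Authorization.  `signer` produces
    the raw RSA-SHA256 (PKCS#1 v1.5) signature over the signing string."""
    h, names = canonical_headers(method, url, headers, body)
    canon = "\n".join(f"{n}: {h[n]}" for n in names)
    signature = base64.b64encode(signer(canon.encode())).decode()
    out = {k: v for k, v in h.items() if k != "(request-target)"}   # pseudo-header is not sent
    out["authorization"] = (
        f'Signature version="1",keyId="{tenancy_ocid}/{user_ocid}/{fingerprint}",'
        f'algorithm="rsa-sha256",headers="{" ".join(names)}",signature="{signature}"'
    )
    return out


def rsa_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Real signer for an API signing key.  Needs the `cryptography` package;
    imported lazily so the canonicalisation above is testable without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
```

Two things to notice when debugging a 401 from the API: the `Date` header you sign must be byte-identical to the one you send (proxies that rewrite it break the signature), and the body hash means a POST cannot be replayed with a modified payload even if the signature is captured.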
Authorization
• Policies define which groups can access what resources and at what level of access.
• Policies are written in a human-readable format:
– Allow group <group_name> to <verb> <resource-type> in tenancy
– Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>]
• Policy Attachment: Policies can be attached to a compartment or to the tenancy. Where you attach a policy controls who can then modify or delete it.
7
8
IAM Policies
Verb     Access
use      Includes read + ability to work with existing resources (the actions vary by resource type)*
manage   Includes all permissions for the resource
* In general, this verb does not include the ability to create or delete that type of resource.

Resource-type family     Resource types
…                        …, console-histories
object-family            buckets, objects
virtual-network-family   vcn, subnet, route-tables, security-lists, dhcp-options, and many more resources (link)
volume-family            volumes, volume-attachments, volume-backups
cluster-family           clusters, cluster-node-pool, cluster-work-requests
file-family              file-systems, mount-targets, export-sets
dns                      dns-zones, dns-records, dns-traffic, ...
The IAM service has no family resource-type, only individual ones.
9
• When you write a policy giving a group access to
• As you go from inspect > read > use > manage, the level of access generally increases, and the permissions granted are cumulative.
• Each API operation requires the caller to have access to one or more permissions. For example, ListVolumes requires access to a single permission: VOLUME_INSPECT.

Verb      Permissions            API Operation
INSPECT   VOLUME_INSPECT         ListVolumes
…         VOLUME_WRITE, …        …
MANAGE    USE + VOLUME_CREATE    CreateVolume
          VOLUME_DELETE          DeleteVolume
10
– Allow group InstanceLaunchers to use volume-family in compartment ABC
– Allow group InstanceLaunchers to use virtual-network-family in compartment XYZ
https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/commonpolicies.htm
11
12
Advanced IAM Policies
• As part of a policy statement, you can specify one or more conditions that must be met to get access:
– Allow <subject> to <verb> <resource-type> in <location> where <conditions>
• You use variables when adding conditions to a policy:
– request – relevant to the request itself
– target – relevant to the resources being acted upon in the request
— The request.operation variable represents the API operation being requested (e.g. ListUsers); target.group.name represents the name of the group.
— A variable name is prefixed accordingly with either request or target, followed by a period.
• Example:
– Allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx'
https://docs.cloud.oracle.com/iaas/Content/Identity/Reference/policyreference.htm#Resource
13
14
Compartments
Compartment
• A compartment is a collection of related resources (VCN, instances, ...) that can be accessed only by groups that have been given permission (by an administrator in your organization).
• Compartments help you organize and control access to your resources.
• Design considerations:
– Each resource belongs to a single compartment, but resources can be connected/shared across compartments. (A VCN and its subnets can live in different compartments.)
– A compartment can be renamed, or deleted once it is empty.
– A compartment can have subcompartments up to six levels deep.
– Most resources can be moved to a different compartment after they are created (some restrictions apply).
– After creating a compartment, you need to write at least one policy for it; otherwise, it cannot be accessed (except by administrators or users who have permission to the tenancy).
– A subcompartment inherits access permissions from compartments higher up its hierarchy.
– When you create a policy, you need to specify which compartment to attach it to.
15
Reference Model: Compartments
• Compartment: NetworkInfra
– Critical network infrastructure centrally managed by network admins
– Resources: top-level VCN, security lists, internet gateways, DRGs
• Compartment: Dev, Test, Prod Networks
– Modeled as separate compartments to easily write policies about who can use the network
– Resources: subnets, databases, storage (if shared)
• Compartment: Projects
– The resources used by a particular team or project; separated for the purposes of distributed management
– Resources: compute instances, databases, block volumes, and so on
– There will be multiple of these, one per team that needs its own DevOps environment.
16
[Diagram: Tenancy – root compartment, root compartment policy, service limits]
• Oracle sets up a default administrator for the account.
• Default group Administrators:
– Cannot be deleted, and there must always be at least one user in it
– Any other users placed in the Administrators group will have full access to all resources
– The tenancy policy gives the Administrators group access to all resources; this policy can't be deleted or changed
• The root compartment can hold all the cloud resources. Best practice is to create dedicated compartments when you need to isolate resources, and to keep the Administrators group as small as possible.
•
17
• Global:
– IAM
– Key Vaults, Keys
– DNS
• Availability Domain:
– Subnet (AD-specific subnets; regional subnets are recommended)
– Compute instances
– Block Volume
– DB Systems
– File System (& Mount Target)
– Ephemeral Public IPs
• Regional:
– Everything else!
18
Federation
• OCI provides federation with Oracle IDCS, Microsoft Active Directory, and any identity provider that supports the Security Assertion Markup Language (SAML) 2.0 protocol.
• Federation:
– First, a federation trust is set up between the Identity Provider (IdP) and OCI.
– Any person in your company who goes to the OCI Console is prompted with an SSO experience provided by the IdP.
– The user signs in with the login/password that they've already set up with the IdP and use elsewhere.
– The IdP authenticates the user, and then that user can access OCI resources.
19
20
Policy Inheritance and Attachment for Compartments
• Three levels of compartments: A, B, and C (C is nested in B, which is nested in A)
– Policies that apply to resources in Compartment A also apply to resources in Compartments B and C.
– Allow group NetworkAdmins to manage virtual-network-family in compartment A allows the group NetworkAdmins to manage VCNs in Compartments A, B, and C.
[Diagram: A contains B, which contains C]
21
• You want to create a policy to allow NetworkAdmins to manage VCNs in Compartment C. The compartment path in the statement is relative to where the policy is attached:
– Attached to C or B – Allow group NetworkAdmins to manage virtual-network-family in compartment C
– Attached to A – Allow group NetworkAdmins to manage virtual-network-family in compartment B:C
— Only Compartment A admins can modify it
– Attached to the tenancy – Allow group NetworkAdmins to manage virtual-network-family in compartment A:B:C
[Diagram: A contains B, which contains C]
22
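The rules spread across the last few slides (cumulative verbs, family resource-types, compartment paths relative to the attachment point, inheritance down the hierarchy, and `where` conditions) interact, and it is easy to misjudge what a statement grants. The following evaluator is an added example, not Oracle code and not the real IAM engine; it parses statements in the syntax shown on the Authorization slide and answers "would this request be allowed?" The family table is the partial one on the slide, and conditions are plain equality tests on a caller-supplied context (`request.region`, `target.tag-namespace.name`, ...); the real service has many more families and operators.

```python
"""Evaluate OCI-style IAM policy statements offline (added example, not Oracle code).

Models: cumulative verbs (inspect < read < use < manage), family resource-types,
statement paths relative to the compartment the policy is attached to,
inheritance to descendant compartments, and simple `where` conditions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VERBS = ["inspect", "read", "use", "manage"]   # cumulative, lowest to highest

FAMILIES = {  # partial, taken from the slide's table of family resource-types
    "virtual-network-family": {"vcns", "subnets", "route-tables", "security-lists", "dhcp-options"},
    "volume-family": {"volumes", "volume-attachments", "volume-backups"},
    "instance-family": {"instances", "console-histories"},
}

STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<rtype>\S+)\s+in\s+(?:tenancy|compartment\s+(?P<path>\S+))"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    rtype: str
    scope: Tuple[str, ...]                    # absolute compartment path; () is the whole tenancy
    conditions: Tuple[Tuple[str, str], ...]   # (variable, required value) pairs


def parse_statement(text: str, attached_to: Tuple[str, ...] = ()) -> Statement:
    """Parse one statement.  `attached_to` is the absolute path of the compartment
    the policy is attached to; "in compartment B:C" attached to ("A",) scopes A:B:C."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    scope = () if m["path"] is None else attached_to + tuple(m["path"].split(":"))
    conditions = []
    if m["cond"]:
        for clause in re.split(r"\s+and\s+", m["cond"], flags=re.IGNORECASE):
            var, value = clause.split("=", 1)
            conditions.append((var.strip(), value.strip().strip("'\"")))
    return Statement(m["group"], m["verb"].lower(), m["rtype"].lower(), scope, tuple(conditions))


def grants(s: Statement, groups: List[str], verb: str, rtype: str,
           compartment: Tuple[str, ...], context: Dict[str, str]) -> bool:
    """Does this single statement authorise the request?"""
    if s.group not in groups:
        return False
    if VERBS.index(s.verb) < VERBS.index(verb):
        return False                                  # "use" does not cover "manage"
    if s.rtype not in ("all-resources", rtype) and rtype not in FAMILIES.get(s.rtype, ()):
        return False
    if compartment[:len(s.scope)] != s.scope:
        return False                                  # policies are inherited downward only
    return all(context.get(var) == value for var, value in s.conditions)


def is_allowed(statements: List[Statement], groups: List[str], verb: str, rtype: str,
               compartment: Tuple[str, ...], context: Optional[Dict[str, str]] = None) -> bool:
    """True if any statement grants `verb` on `rtype` in `compartment` (an absolute
    path such as ("A", "B", "C")) to a member of `groups`.  `context` carries the
    request/target variables that conditions refer to."""
    ctx = context or {}
    return any(grants(s, groups, verb, rtype, compartment, ctx) for s in statements)
```

Because IAM has no deny statements, evaluation is a pure union: the first matching statement wins, so reviewing a tenancy's access means reviewing every policy on the path from the root down to the resource's compartment, not just the one attached nearest to it.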
23
Moving Compartments
• You can move a compartment to a different parent compartment in the same tenancy. When you move a compartment, all its contents (subcompartments and resources) are moved with it.
• Restrictions:
– You can't move a compartment to a destination compartment with the same name as the compartment being moved.
– Two compartments within the same parent cannot have the same name. Therefore, you can't move a compartment to a destination compartment where a compartment with the same name already exists.
24
Policies that specify the compartment hierarchy down to the compartment being moved will automatically be updated when the policy is attached to a shared ancestor of the current and target parent.
[Diagram: compartment A is moved from Ops:Test to Ops:Dev. The policy attached to Ops, "Allow group G1 to manage instance-family in compartment Test:A", is automatically updated to "Allow group G1 to manage instance-family in compartment Dev:A", so G1 does not lose its permissions.]
25
[Diagram: compartment A moved from Ops:Test to Ops:Dev]
26
[Diagram: compartment A moved from Ops:Test to Ops:Dev. The policy "Allow group G1 to manage instance-family in compartment A" attached to Test is not automatically updated and becomes invalid.]
27
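The two diagrams above describe opposite outcomes for what looks like the same move, and the deciding factor is only where the policy is attached. The following is an added example, not Oracle code; it encodes that rule so you can predict, before moving a compartment, which statements will be rewritten and which will silently go stale. Paths are tuples of compartment names from the root, the attachment point is absolute and the statement's path is relative to it, as on the previous slides. One case the slides do not draw, a policy attached inside the moved subtree, is treated as travelling with it (the slide says all contents move), so its relative path is unchanged.

```python
"""What a compartment move does to a policy statement (added example, not Oracle code).

rewrite_path() implements the rule on the slides: a statement that names the
hierarchy down to the moved compartment is rewritten when the policy is attached
to an ancestor shared by the old and new parent, and is left stale (returned as
None) when the policy is attached inside the old branch.
"""
import re
from typing import Optional, Tuple

Path = Tuple[str, ...]
COMPARTMENT_CLAUSE = re.compile(r"(\bin\s+compartment\s+)(\S+)", re.IGNORECASE)


def is_prefix(prefix: Path, path: Path) -> bool:
    return path[:len(prefix)] == prefix


def rewrite_path(attached_to: Path, stmt_path: Path, moved: Path, new_parent: Path) -> Optional[Path]:
    """New statement path (relative to `attached_to`) after `moved` is re-parented
    under `new_parent`; None when the statement becomes invalid."""
    if is_prefix(moved, attached_to):
        return stmt_path                  # policy lives in the moved subtree and travels with it
    absolute = attached_to + stmt_path
    if not is_prefix(moved, absolute):
        return stmt_path                  # never pointed into the moved subtree
    old_parent = moved[:-1]
    if not (is_prefix(attached_to, old_parent) and is_prefix(attached_to, new_parent)):
        return None                       # attached below the shared ancestor: left stale
    new_absolute = new_parent + absolute[len(old_parent):]
    return new_absolute[len(attached_to):]


def rewrite_statement(text: str, attached_to: Path, moved: Path, new_parent: Path) -> Optional[str]:
    """Apply rewrite_path() to the 'in compartment X:Y' clause of a statement."""
    m = COMPARTMENT_CLAUSE.search(text)
    if not m:
        return text                       # "in tenancy": unaffected by any move
    new_path = rewrite_path(attached_to, tuple(m.group(2).split(":")), moved, new_parent)
    if new_path is None:
        return None
    return text[:m.start(2)] + ":".join(new_path) + text[m.end(2):]
```

Run this over every policy in the tenancy before a move and the `None` results are the statements to fix by hand; after the move they neither grant access nor fail loudly.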
28
Tags
• Tags let you customize the organization of your resources and script bulk actions based on tags.
• Defined tags are contained in namespaces, have a defined schema, are secured with policy, and control tag spam.
29
• A Tag Namespace is a container for a set of tag keys with tag key definitions.
• A tag key definition specifies its key (e.g. Environment) and what types of values are allowed (string, number, text, date, enumerations, and so on).
Example: Operations.Environment = "Production" – Operations is the namespace, Environment the key, "Production" the value.
• A tag key definition or a tag namespace cannot be deleted, but it can be retired. Retired tag namespaces and key definitions can no longer be applied to resources.
• You can reactivate a tag namespace or tag key definition that has been retired to reinstate its usage in your tenancy.
30
• You can use a variable to set the value of a tag. When you add the tag to a resource, the variable resolves to the data it represents. Example:
– Operations.CostCenter = ${iam.principal.name} at ${oci.datetime}
— Operations is the namespace, CostCenter is the tag key, and the tag value contains two variables.
— When you add this tag to a resource, the variables resolve to your username (the name of the principal that applied the tag) and a date/time stamp for when you added the tag.
31
• … family in compartment A
• Allow group InstanceLaunchers to use virtual-network-family in compartment A
• Allow group InstanceLaunchers to use tag-namespaces in compartment A where target.tag-namespace.name='Operations'
Users in the InstanceLaunchers group can now apply the Operations.CostCenter tag to resources in Compartment A.
[Diagram: Ops contains Test and Dev; compartment A]
32
• The Audit service automatically records calls to OCI service API endpoints as log events.
• Log information shows the time of the API activity, the source and target of the activity, and the action and response.
• All OCI services support audit logs.
• You can perform diagnostics, track resource usage, monitor compliance, and collect security-related events using audit logs.
• By default, audit logs are retained for 90 days. You can configure log retention for up to 365 days; anything you need for longer must be exported before it ages out.
33
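"Collect security-related events" is only useful if you decide what to look for. The following is an added example, not Oracle code: it runs three simple detections over a batch of audit events, flagging changes to the IAM control plane (the calls that alter who can do what), principals with a run of failed requests, and principals seen from more than one source address. The event shape is modelled on the OCI Audit event (time, source, target, action, response, as the slide lists) but simplified, and the log lines are constructed, so the field names are an assumption to map onto your own export rather than a schema to rely on.

```python
"""Triage audit events for security-relevant activity (added example, not Oracle code).

The JSON shape is a simplified, assumed rendering of an OCI Audit event; the
sample log below is constructed for the example.
"""
import json
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """
{"eventTime":"2021-03-01T10:00:01Z","eventType":"com.oraclecloud.identitycontrolplane.createpolicy","source":"IdentityControlPlane","data":{"compartmentName":"root","identity":{"principalName":"alice","ipAddress":"203.0.113.10"},"request":{"action":"POST","path":"/20160918/policies"},"response":{"status":"200"}}}
{"eventTime":"2021-03-01T10:02:11Z","eventType":"com.oraclecloud.computeapi.listinstances","source":"ComputeApi","data":{"compartmentName":"Dev","identity":{"principalName":"bob","ipAddress":"203.0.113.11"},"request":{"action":"GET","path":"/20160918/instances"},"response":{"status":"200"}}}
{"eventTime":"2021-03-01T10:05:42Z","eventType":"com.oraclecloud.identitycontrolplane.listusers","source":"IdentityControlPlane","data":{"compartmentName":"root","identity":{"principalName":"bob","ipAddress":"203.0.113.11"},"request":{"action":"GET","path":"/20160918/users"},"response":{"status":"404"}}}
{"eventTime":"2021-03-01T10:05:43Z","eventType":"com.oraclecloud.objectstorage.listbuckets","source":"ObjectStorage","data":{"compartmentName":"Prod","identity":{"principalName":"bob","ipAddress":"203.0.113.11"},"request":{"action":"GET","path":"/n/example/b"},"response":{"status":"404"}}}
{"eventTime":"2021-03-01T10:05:44Z","eventType":"com.oraclecloud.databaseservice.listdbsystems","source":"DatabaseService","data":{"compartmentName":"Prod","identity":{"principalName":"bob","ipAddress":"203.0.113.11"},"request":{"action":"GET","path":"/20160918/dbSystems"},"response":{"status":"404"}}}
{"eventTime":"2021-03-01T10:09:00Z","eventType":"com.oraclecloud.identitycontrolplane.deleteuser","source":"IdentityControlPlane","data":{"compartmentName":"root","identity":{"principalName":"alice","ipAddress":"198.51.100.7"},"request":{"action":"DELETE","path":"/20160918/users/ocid1.user.oc1..example"},"response":{"status":"204"}}}
"""

IAM_PREFIX = "com.oraclecloud.identitycontrolplane."   # assumed eventType naming
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_events(text: str) -> List[dict]:
    """One JSON event per line; blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def iam_changes(events: List[dict]) -> List[Dict[str, str]]:
    """Successful mutating calls to the IAM control plane: the events that
    change users, groups or policies and therefore deserve a reviewer."""
    found = []
    for ev in events:
        req, resp, who = ev["data"]["request"], ev["data"]["response"], ev["data"]["identity"]
        if ev["eventType"].startswith(IAM_PREFIX) and req["action"] in MUTATING and int(resp["status"]) < 400:
            found.append({"time": ev["eventTime"], "who": who["principalName"],
                          "from": who["ipAddress"], "what": f'{req["action"]} {req["path"]}'})
    return found


def failures_by_principal(events: List[dict]) -> Counter:
    """Count requests that were refused or hit nothing, per principal."""
    counts: Counter = Counter()
    for ev in events:
        if int(ev["data"]["response"]["status"]) >= 400:
            counts[ev["data"]["identity"]["principalName"]] += 1
    return counts


def triage(events: List[dict], fail_threshold: int = 3) -> dict:
    """Combine the detections into one report for the batch."""
    ips: Dict[str, set] = {}
    for ev in events:
        ident = ev["data"]["identity"]
        ips.setdefault(ident["principalName"], set()).add(ident["ipAddress"])
    fails = failures_by_principal(events)
    return {
        "iam_changes": iam_changes(events),
        "possible_enumeration": sorted(p for p, n in fails.items() if n >= fail_threshold),
        "multi_ip_principals": sorted(p for p, addrs in ips.items() if len(addrs) > 1),
    }
```

The failure detection counts 404s as well as 401/403s on purpose: OCI answers calls the caller is not authorised to make with 404 NotAuthorizedOrNotFound, so a principal probing compartments it has no policy for shows up as a run of 404s across services, which is exactly what `bob` does in the sample.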
[Diagram: OCI IAM – Identities (who requests): Users, Groups, Instance principals; Permissions (what is requested by the identity): Policies; Compartments; Resources]
34
• The Identity and Access Management service (IAM) enables you to control who can do what in your OCI account.
• Authorization is done by defining specific privileges in policies and associating them with principals.
• Policies are comprised of one or more human-readable statements which specify what groups can access what resources and what level of access users in that group have.
• Compartment, a unique OCI feature, can be used to organize and isolate related cloud resources.
• Policy inheritance and attachment for compartments: a policy applies to the compartment it names and everything below it, and where it is attached decides who can change it.
• OCI supports both free-form tags and defined tags with a schema, secured by policies.
• The OCI Audit service automatically records calls to OCI service API endpoints as log events.
35
Level 100
Rohit Rahi
3
Objectives
After completing this lesson, you should be able to describe the following:
• Virtual Cloud Network (VCN) basics
• IP addresses
• Gateways and Routing
• Peering
• Transit Routing
• Security
CIDR
• An IPv4 address is divided into a network part, a subnet part, and a host part (<network><subnet><host>).
• The subnet mask is made by setting the network bits to all "1"s and the host bits to all "0"s. Within a given network, two host addresses cannot be assigned to hosts: the address with all host bits "0" is the network address and the address with all host bits "1" (the "255" in a /24) is the broadcast address.
• CIDR notation is constructed from an IP address, a '/' character, and a decimal number: xxx.xxx.xxx.xxx/n, where n is the number of leading "1" bits in the subnet mask (the prefix length). E.g. 192.168.1.0/24
• Examples of commonly used netmasks for classful networks are 8 bits (Class A), 16 bits (Class B), and 24 bits (Class C).
• 192.168.1.0/27 would equate to IP range: 192.168.1.0 – 192.168.1.31
• The same 192.168.1.0/24 network divided into 8 subnets with 32 addresses each, due to the /27 mask (255.255.255.224):

  192.168.1.0        11000000 . 10101000 . 00000001 . 00000000
  /27 subnet mask    11111111 . 11111111 . 11111111 . 11100000
  Logical AND        11000000 . 10101000 . 00000001 . 00000000   (= 192.168.1.0, the subnet address)

• Subnets – 2 x 2 x 2 = 8 (the 3 bits borrowed from the host part). Hosts – 2 x 2 x 2 x 2 x 2 = 32 addresses per subnet (the 5 remaining host bits), of which the first is the subnet address and the last the broadcast address.
• Subnetworks – 192.168.1.0/27, 192.168.1.32/27, 192.168.1.64/27 … 192.168.1.224/27
Virtual Cloud Network
• A VCN is a private network that you set up in the Oracle data centers, with firewall rules and specific types of communication gateways that you can choose to use.
• Covers a single, contiguous IPv4 CIDR block of your choice.
• Resides within a single region.
[Figure: VCN, 10.0.0.0/16]
• Avoid IP ranges that overlap with other on-premises or other cloud networks.
• Use private IP address ranges specified in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
• Allowable OCI VCN size range is from /16 through /30.
• The VCN reserves the first two IP addresses and the last one in each subnet's CIDR.
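The CIDR arithmetic from the /27 subnetting exercise and the VCN sizing rules on this slide (VCN /16 through /30, RFC 1918 ranges, no overlap with other networks, three reserved addresses per subnet) as runnable checks. This is an added example, not code from the Oracle course; it uses only the Python standard library, and the "existing" networks it compares against are constructed inputs.

```python
"""Added example (not from the Oracle course): CIDR arithmetic for the /27
subnetting exercise plus the OCI VCN sizing checks from the slide above.
All networks passed in below are constructed inputs.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def subnet_mask(prefix: int) -> str:
    """Dotted mask with `prefix` leading 1-bits, e.g. 27 -> 255.255.255.224."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)

def split_subnets(network: str, new_prefix: int) -> list:
    """Split e.g. 192.168.1.0/24 into /27s: 2**(27-24) = 8 subnets of 32 addresses."""
    net = ipaddress.ip_network(network, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]

def oci_reserved(subnet: str) -> dict:
    """OCI reserves the first two addresses (network address, VCN router) and
    the last (broadcast) in every subnet; the rest are assignable to VNICs."""
    net = ipaddress.ip_network(subnet)
    addrs = list(net)
    return {"reserved": [str(addrs[0]), str(addrs[1]), str(addrs[-1])],
            "usable": net.num_addresses - 3}

def check_vcn_cidr(cidr: str, existing: list) -> list:
    """Problems with a proposed VCN CIDR (empty list means it is acceptable).
    `existing` holds on-premises / other-cloud ranges it must not overlap."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=False)
    if str(net) != cidr:
        problems.append(f"{cidr} is not on a CIDR boundary; did you mean {net}?")
    if not 16 <= net.prefixlen <= 30:
        problems.append(f"prefix /{net.prefixlen} outside allowed VCN range /16../30")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not an RFC 1918 private range")
    for other in existing:
        o = ipaddress.ip_network(other)
        if net.overlaps(o):
            problems.append(f"{net} overlaps existing network {o}")
    return problems

if __name__ == "__main__":
    print(subnet_mask(27), split_subnets("192.168.1.0/24", 27))
    print(oci_reserved("192.168.1.0/27"))
    # Constructed on-premises ranges to check the proposed VCN against.
    print(check_vcn_cidr("10.0.0.0/16", ["10.0.5.0/24", "192.168.0.0/16"]))
    print(check_vcn_cidr("172.32.0.0/16", []))   # just outside 172.16.0.0/12
```

Note the last check: 172.32.0.0/16 looks private but is one bit outside 172.16.0.0/12, a common mistake when the RFC 1918 "172.16/12" shorthand is read as "anything starting 172".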
[Figure: ORACLE CLOUD DATA CENTER REGION; VCN with a regional subnet, SUBNET D – 10.0.4.0/24, spanning all three availability domains]
• A regional subnet spans all three availability domains in the region.
• Each subnet has a contiguous range of IPs, described in CIDR notation. Subnet IP ranges cannot overlap.
[Figure: ORACLE CLOUD DATA CENTER REGION; VCN, 10.0.0.0/16; SUBNET D, 10.0.4.0/24]
  – Public (contain both private and public IP addresses assigned to VNICs)
• A VNIC is a component that enables a compute instance to connect to a VCN. The VNIC determines how the instance connects with endpoints inside and outside the VCN.
IP Addresses
[Figure: VCN, 10.0.0.0/16; SUBNET A, 10.0.1.0/24; a VNIC with its primary private IP address and secondary private IPs #1, #2 … #31; a secondary VNIC]
• A VNIC can have additional private IPs called secondary private IPs (up to 31 per VNIC, as in the figure).
• A private IP can have an optional public IP assigned to it.
[Figure: VM1, VM2 and VM3, each with a primary VNIC; VM3's second VNIC (VNIC5) is in Subnet X, 172.16.0.0/24, of a separate VCN]
  – VM1 - Single VNIC instance
  – VM2 - Connected to two VNICs from two subnets within the same VCN; used for virtual appliance scenarios
  – VM3 - Connected to two VNICs from two subnets from separate VCNs; used to connect instances to a separate management network for isolated access
[Figure: VCN, 10.0.0.0/16; SUBNET A, 10.0.1.0/24; primary private IP address and secondary private IPs #1, #2 … #31 on a VNIC; a secondary VNIC]
• A resource can have multiple public IPs across one or more VNICs.
• No charge for using Public IP, including when Reserved public IP addresses are unassociated.
• Public IP assigned to:
  – Instance (not recommended in most cases)
  – Oracle provided; cannot choose/edit, but can view
    — OCI Public Load Balancer, NAT Gateway, DRG - IPSec tunnels, OKE master/worker
    — Internet Gateway, Autonomous Database
Gateways and Routing
[Figure: VCN, 10.0.0.0/16; SUBNET A, 10.0.1.0/24 (Regional Public Subnet) with an instance with a public IP; Internet Gateway]
• After creating an Internet gateway, you must add a route for the gateway in the VCN's Route Table to enable traffic flow.
[Figure: VCN, 10.0.0.0/16; SUBNET A, 10.0.1.0/24 (Regional Public Subnet); route rule 0.0.0.0/0 → Internet Gateway: all traffic destined for the Internet goes to the Internet Gateway]
  – Route Target (the next hop) for the traffic that matches that CIDR
[Figure: VCN, 10.0.0.0/16; SUBNET A, 10.0.1.0/24 (Regional Public Subnet); route rule 0.0.0.0/0 → Internet Gateway]
• Route rules are not required to enable traffic within the VCN itself.
• When you add an Internet gateway, NAT gateway, service gateway, dynamic routing gateway or a peering connection, you must update the route table for any subnet that uses these gateways or connections.
[Figure: VCN, 10.0.0.0/16; SUBNET A, 10.0.1.0/24 (Regional Private Subnet) with an instance with a private IP; route rule 0.0.0.0/0 → NAT Gateway]
• A NAT gateway lets instances in a private subnet initiate connections to the Internet while blocking inbound connections initiated from the Internet. (Use case: updates, patches)
• You can have more than one NAT gateway on a VCN, although a given subnet can route traffic to only a single NAT gateway.
[Figure: VCN, 10.0.0.0/16; SUBNET A, 10.0.1.0/24 (Regional Private Subnet); route table: Destination CIDR 0.0.0.0/0 → Route Target NAT Gateway]
• A service gateway lets resources in the VCN reach Oracle services such as Object Storage privately, so the traffic never traverses the Internet. (Use case: Back up DB Systems in the VCN to Object Storage)
• Service CIDR labels represent all the public CIDRs for a given Oracle service or a group of Oracle services. Example:
  – OCI <region> Object Storage
  – All <region> Services
[Figure: VCN, 10.0.0.0/16; SUBNET A, 10.0.1.0/24 (Regional Private Subnet); DRG; CUSTOMER DATA CENTER with Customer Premises Equipment (CPE)]
• After attaching a DRG, you must add a route rule for the DRG in the VCN's route table to enable traffic flow.
• DRG is a standalone object. You must attach it to a VCN. VCN and DRG have a 1:1 relationship.
Peering
• A local peering gateway (LPG) is a
component on a VCN for routing traffic to
. ha
a locally peered VCN. LPG-1 LPG-2
ide m)
• The two VCNs in the peering relationship VCN-1, VCN-2,
Gu co
10.0.0.0/16 192.168.0.0/16
shouldn’t have overlapping CIDRs.
is e.
ORACLE CLOUD DATA CENTER REGION
th cl
e ra
us @o
24
to rai
se du
en ik.
lic arth
ble (k
ra y
fe m
ns isa
tra ra
n- Du
no an
y
ike
rth
Ka
[Figure: VCN-1, 10.0.0.0/16 and VCN-2, 192.168.0.0/16 in different regions, connected over the Oracle backbone]
• A remote peering connection (RPC) is a component on a DRG for routing traffic to a remotely peered VCN.
• The two VCNs in the peering relationship must not have overlapping CIDRs.
Scenario                                                                          Solution
Let instances connect to the Internet, and receive connections from it            Internet Gateway
Let instances reach the Internet without receiving connections from it            NAT Gateway
Let VCN hosts privately connect to object storage, bypassing the internet         Service Gateway
Make OCI extend an on-premises network, with easy connectivity in both directions IPsec VPN, FastConnect
Privately connect two VCNs in a region                                            Local Peering Gateway
Privately connect two VCNs in different regions                                   Remote Peering Connection (DRG)
Transit Routing
[Figure: on-premises network connected via DRG to a Hub VCN, which is locally peered with spoke VCN-2 and VCN-3]
• One of the VCNs acts as the Hub and other VCNs are locally peered with the Hub VCN. The traffic between the on-premises network and the peered VCNs transits through the Hub VCN.
• The VCNs must be in the same region but can be in different tenancies.
[Figure: on-premises network 172.16.0.0/12 — DRG — Hub VCN 10.0.0.0/16 (LPG-1) — Spoke VCN 192.168.0.0/16 (LPG-2)]
• In the hub VCN, the route table associated with the LPG can have only rules that target a DRG or a private IP.
• A DRG or LPG can exist without a route table associated with it.

Hub VCN route tables (attached to the DRG attachment and to LPG-1):
  Destination CIDR    Route Target
  192.168.0.0/16      LPG-1
  172.16.0.0/12       DRG

Spoke VCN subnet route table:
  Destination CIDR    Route Target
  10.0.0.0/16         LPG-2
  172.16.0.0/12       LPG-2
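How a route table picks a next hop, for the route rules introduced on the Gateways and Routing slides and for the hub-and-spoke tables in the figure above. This is an added example, not code from the Oracle course. It encodes two statements the slides make: traffic to the VCN's own CIDR needs no rule, and when several rules match, the most specific prefix wins. The transit-routing tables are taken from the figure; the packet destinations are constructed, and the Object Storage service CIDR label is modelled as an assumed plain CIDR (134.70.0.0/17) purely for illustration.

```python
"""Added example (not from the Oracle course): next-hop selection for an OCI
route table. Route tables are from the transit-routing figure; destinations
are constructed test inputs.
"""
import ipaddress

def lookup(route_table: dict, vcn_cidr: str, destination: str) -> str:
    """Return the next hop for `destination`: 'local' inside the VCN (no local
    route rule is required), otherwise the target of the longest-prefix
    matching rule, otherwise 'blackhole' (no route, traffic is dropped).
    `route_table` maps destination CIDR -> target name."""
    dst = ipaddress.ip_address(destination)
    if dst in ipaddress.ip_network(vcn_cidr):
        return "local"
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)      # more specific prefix wins
    return best[1] if best else "blackhole"

# Route tables from the transit-routing figure (hub VCN 10.0.0.0/16,
# spoke VCN 192.168.0.0/16, on-premises 172.16.0.0/12).
HUB_RT = {"192.168.0.0/16": "LPG-1", "172.16.0.0/12": "DRG"}
SPOKE_RT = {"10.0.0.0/16": "LPG-2", "172.16.0.0/12": "LPG-2"}

# A private-subnet route table with overlapping rules: the (assumed) Object
# Storage service CIDR goes to the Service Gateway, everything else to NAT.
PRIVATE_RT = {"0.0.0.0/0": "NAT Gateway", "134.70.0.0/17": "Service Gateway"}

def trace(path_tables: list, destination: str) -> list:
    """Follow a packet through successive VCNs (spoke, then hub). Each element
    of `path_tables` is (route_table, vcn_cidr); returns the hop per VCN and
    stops when the packet is delivered locally or dropped."""
    hops = []
    for rt, cidr in path_tables:
        hop = lookup(rt, cidr, destination)
        hops.append(hop)
        if hop in ("local", "blackhole"):
            break
    return hops

if __name__ == "__main__":
    # Spoke host talking to an on-premises address: LPG-2 into the hub, then DRG.
    print(trace([(SPOKE_RT, "192.168.0.0/16"), (HUB_RT, "10.0.0.0/16")], "172.16.5.9"))
    print(lookup(PRIVATE_RT, "10.0.0.0/16", "134.70.12.1"))   # Service Gateway
    print(lookup(PRIVATE_RT, "10.0.0.0/16", "8.8.8.8"))       # NAT Gateway
    print(lookup(HUB_RT, "10.0.0.0/16", "8.8.8.8"))           # blackhole: no 0.0.0.0/0
```

The last lookup is the check worth automating before a change window: a hub route table without a default route silently drops anything that is neither on-premises nor a spoke, and nothing in the console flags that.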
[Figure: on-premises network — DRG — Hub VCN with Service Gateway-1 reaching Object Storage; spoke VCN-3 (Service Gateway-3) locally peered with the hub]
• On-premises hosts reach Oracle services through the hub VCN's service gateway (the one dedicated for this purpose, SG-1) and not through the service gateways of the other VCNs (SG-2, 3).
• For those other VCNs, only the resources inside those VCNs can reach Oracle services through their VCN's service gateway.
Security
[Figure: VCN, 10.0.0.0/16 with SUBNET A, 10.0.1.0/24, SUBNET B, 10.0.2.0/24 and SUBNET C, 10.0.3.0/24, each with an associated Security List]
• To apply a security list to a subnet, you associate the security list with the subnet either during subnet creation or later.
• Security list rules apply to a given instance whether it's talking with another instance in the VCN or a host outside the VCN.
• You can choose whether a given rule is stateful or stateless.
[Figure: VCN, 10.0.0.0/16 with SUBNET A and SUBNET B; NSGs group VNICs across subnets]
• When writing rules for an NSG, you can specify an NSG as the source or destination. Contrast this with SL rules, where you specify a CIDR as the source or destination.
• Oracle recommends using NSGs instead of SLs because NSGs let you separate the VCN's subnet architecture from your application security requirements.
[Figure: a VNIC in SUBNET A, 10.0.1.0/24, that is also a member of NSG-B]
• If you choose to use both SLs and NSGs, the set of rules that applies to a given VNIC is the union of these items:
  – The security rules in the SLs associated with the VNIC's subnet
  – The security rules in all NSGs that the VNIC is in
  – A packet in question is allowed if any rule in any of the relevant lists and groups allows the traffic.
[Figure: NSG example – hosts in this group are reachable from the internet on port 80]
• A stateless rule is one that indicates that you do NOT want to use connection tracking for any traffic that matches that rule. With a stateless rule you must therefore also add a rule in the opposite direction for the return traffic; a stateful rule admits the response automatically.
• Stateless rules are better for scenarios with large numbers of connections (Load Balancing, Big Data).
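The evaluation rules on the Security slides (union of the subnet's security lists and the VNIC's NSGs, default deny with any matching rule allowing, an NSG as the source of a rule, and the stateful versus stateless difference) as a small per-VNIC model. This is an added example, not code from the Oracle course; the NSG membership, rules, addresses and packets are constructed, and the backend scenario reuses the NSG-A → NSG-B TCP 1521 rule from the worked example later in this lesson.

```python
"""Added example (not from the Oracle course): how OCI evaluates security
rules for one VNIC. NSG membership, rules and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str           # "ingress" or "egress"
    remote: str              # CIDR, or "nsg:<name>"; source for ingress rules,
                             # destination for egress rules
    protocol: str            # "tcp", "udp", "icmp" or "all"
    dst_port: Optional[int]  # None = all destination ports
    stateful: bool = True

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str

# Constructed NSG membership: NSG name -> private IPs of the VNICs in it.
NSG_MEMBERS = {"NSG-A": {"10.0.1.10", "10.0.1.11"}, "NSG-B": {"10.0.2.20"}}

def remote_matches(rule: Rule, ip: str) -> bool:
    if rule.remote.startswith("nsg:"):
        return ip in NSG_MEMBERS.get(rule.remote[4:], set())
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.remote)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    remote_ip = pkt.src_ip if rule.direction == "ingress" else pkt.dst_ip
    return (rule.protocol in ("all", pkt.protocol)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and remote_matches(rule, remote_ip))

class VnicFirewall:
    """Union of SL and NSG rules plus the connection-tracking table."""
    def __init__(self, security_lists, nsgs):
        self.rules = [r for sl in security_lists for r in sl] + [r for g in nsgs for r in g]
        self.tracked = set()  # (local_ip, local_port, remote_ip, remote_port, proto)

    @staticmethod
    def _flow_key(pkt: Packet, direction: str):
        if direction == "ingress":
            return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol)
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol)

    def allow(self, pkt: Packet, direction: str) -> bool:
        """Default deny; any matching rule allows. A stateful match records the
        flow so the reply in the opposite direction is admitted without a rule."""
        key = self._flow_key(pkt, direction)
        if key in self.tracked:
            return True
        for r in self.rules:
            if r.direction == direction and rule_matches(r, pkt):
                if r.stateful:
                    self.tracked.add(key)
                return True
        return False

DB_IP = "10.0.2.20"   # backend VNIC in NSG-B

def backend_scenarios() -> dict:
    """NSG-B with only the stateful ingress TCP 1521 rule from NSG-A and,
    deliberately, no egress rule: the reply is admitted by connection tracking."""
    fw = VnicFirewall(security_lists=[], nsgs=[[Rule("ingress", "nsg:NSG-A", "tcp", 1521)]])
    request = Packet("10.0.1.10", 40000, DB_IP, 1521, "tcp")
    reply = Packet(DB_IP, 1521, "10.0.1.10", 40000, "tcp")
    stranger = Packet("10.0.3.5", 40001, DB_IP, 1521, "tcp")   # same VCN, not in NSG-A
    return {"frontend_to_db": fw.allow(request, "ingress"),
            "db_reply": fw.allow(reply, "egress"),
            "other_host_to_db": fw.allow(stranger, "ingress")}

def stateless_scenarios() -> dict:
    """Web VNIC whose subnet SL has only a stateless ingress rule for port 80:
    the reply is dropped until a stateless egress rule is added as well."""
    client, web_ip = "203.0.113.7", "10.0.1.10"   # constructed addresses
    request = Packet(client, 51000, web_ip, 80, "tcp")
    reply = Packet(web_ip, 80, client, 51000, "tcp")
    ingress_only = [Rule("ingress", "0.0.0.0/0", "tcp", 80, stateful=False)]
    both_ways = ingress_only + [Rule("egress", "0.0.0.0/0", "tcp", None, stateful=False)]
    fw1, fw2 = VnicFirewall([ingress_only], []), VnicFirewall([both_ways], [])
    return {"request_ingress_only": fw1.allow(request, "ingress"),
            "reply_ingress_only": fw1.allow(reply, "egress"),
            "request_both_ways": fw2.allow(request, "ingress"),
            "reply_both_ways": fw2.allow(reply, "egress")}

if __name__ == "__main__":
    print(backend_scenarios())
    print(stateless_scenarios())
```

Two points the model makes concrete: a host in the same VCN (10.0.3.5) is denied because no rule names it, which is the "locked down by default" behaviour, and a stateless ingress rule on its own breaks the reply path, which is the usual cause of "port is open but nothing answers" after switching a load-balancer subnet to stateless rules.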
Default VCN, Internal DNS
Default SL Custom SL
• You can’t delete these default SUBNET A, SUBNET B,
. ha
components; however, you can 10.0.1.0/24 10.0.2.0/24
ide m)
individual route rules). And you can VCN, 10.0.0.0/16
Gu co
create more of each kind of
is e.
component in your cloud network
th cl
(for example, additional route tables).
e ra
us @o
38
to rai
se du
en ik.
lic arth
ble (k
ra y
fe m
ns isa
tra ra
n- Du
no an
y
ike
rth
Ka
• The VCN Private Domain Name System (DNS) enables instances to use host names instead of IP addresses to talk to each other.
• Options:
  – Internet and VCN Resolver: Default choice for new VCNs
  – Custom Resolver: Lets instances resolve the host names of hosts in your on-premises network through IPsec VPN/FastConnect
• Optionally, specify a DNS label when creating the VCN, subnets and instances:
  – VCN: <VCN DNS label>.oraclevcn.com
  – Subnet: <subnet DNS label>.<VCN DNS label>.oraclevcn.com
  – Instance FQDN: <hostname>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com
• The instance FQDN resolves to the instance's private IP address.
• No FQDN is created automatically for public IP addresses (for example, you cannot SSH from outside the VCN using <hostname>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com).
Putting It All Together
• Each subnet has one Route Table and up to five Security Lists associated with it.
• The route table defines what can be routed out of the VCN.
• Private subnets are recommended to have individual route tables to control the flow of traffic outside of the VCN.
• All hosts within a VCN can route to all other hosts in the VCN (no local route rule required).
• Security Lists manage connectivity north-south (incoming/outgoing VCN traffic) and east-west (internal VCN traffic between multiple subnets).
• OCI follows an allow-list (white-list) model: you must explicitly specify the permitted traffic flows. By default, things are locked down.
• Instances cannot communicate with other instances in the same subnet until you permit them to!
• Oracle recommends using NSGs instead of SLs because NSGs let you separate the VCN's subnet architecture from your application security requirements.
[Figure: VCN, 10.0.0.0/16. Frontend subnet, VNICs in NSG-A, route table "RT - Frontend": Destination CIDR 0.0.0.0/0 → Route Target Internet Gateway. Backend subnet, 10.0.2.0/24, VNICs in NSG-B, route table "RT - Backend": 0.0.0.0/0 → NAT / Service gateway / DRG.]

NSG-B security rules:
  Type       Direction   Source/Destination   Protocol   Source Port   Dest Port
  Stateful   Ingress     NSG-A                TCP        All           1521
  Stateful   Egress      All                  All
• Local and Remote Peering
  – Transit Routing
  – VPN, FastConnect (next module)
• VCN Security
  – Security List, Network Security Groups
Level 100
Rohit Rahi
Objectives
• IPsec VPN
• Oracle FastConnect
[Figure: IPsec VPN versus FastConnect overview. IPsec VPN: data transfer (first 10 TB free); alternative of a software VPN running on OCI Compute. FastConnect: data transfer free; port speeds of 1 Gbps and 10 Gbps; SLA.]
• VPN – Using a public network to make an end-to-end connection between two private networks in a secure fashion
• Tunnel – A way to deliver packets through the Internet to private RFC 1918 addresses
• Authentication – Provides a mechanism for each endpoint to prove who it is
• Encryption – Packets need to be encrypted, so they cannot be sniffed over the public Internet
• Static routing: Configure a router to send traffic for particular destinations in preconfigured directions
• Dynamic routing: Use a routing protocol, such as BGP, to figure out what paths traffic should take

[Figure: Private Network 1 — VPN Router — tunnel (VPN connection) across the Internet — VPN Router — Private Network 2]
[Figure: VCN, 10.0.0.0/16; SUBNET A, 10.0.1.0/24 (Regional Private Subnet); route rule 0.0.0.0/0 → DRG; DRG connected to the CUSTOMER DATA CENTER's Customer Premises Equipment (CPE)]
• The DRG connects the VCN to your on-premises network via IPsec VPN or FastConnect (private, dedicated connectivity).
• After attaching a DRG, you must add a route rule for the DRG in the VCN's route table to enable traffic flow.
• DRG is a stand-alone object. You must attach it to a VCN. VCN and DRG have a one-to-one relationship.
[Figure: VCN, 10.0.0.0/16 with subnet 10.0.2.0/24; redundant IPsec tunnels to the CUSTOMER DATA CENTER's Customer Premises Equipment (CPE)]
• Throughput over IPsec VPN is limited by the Internet path (typically, less than 250 Mbps – but your mileage may vary).
• VPN Connect is offered for free.
• Customer Proofs of Concept usually start as a VPN and then morph into FastConnect designs.
• OCI provisions redundant VPN tunnels located on physically and logically isolated tunnel endpoints.
[Figure: On-Premises Network with CPE (public IP 142.32.45.56) connected across the Internet to the DRG of VCN 10.0.0.0/16 (SUBNET B, 10.0.2.0/24). The VCN route table sends 10.0.0.0/16-bound traffic from on-premises via the DRG; the on-premises side uses a Static Route for 10.0.0.0/16 or Dynamic Routing (BGP).]
  … router Public IP address.
6. From the DRG, create an IPsec Connection between CPE and DRG and provide a Static Route or use BGP routing.
7. Configure the on-premises CPE route.
• Extend remote datacenters into Oracle ("Private peering") or connect to Public resources ("Public peering")
• No charges for inbound/outbound data transfer
• Uses BGP protocol
FastConnect Scenarios
• Virtual circuit is an isolated network path that runs over one or more physical network
connections to provide a single, logical connection between customer's edge router
and their DRG.
• Each virtual circuit is made up of information shared between the customer, Oracle,
and a provider .
sa
• It is possible to have multiple virtual circuits to isolate traffic from different parts of
organization (e.g. one virtual circuit for 10.0.1.0/24; another for 172.16.0.0/16), or to
. ha
provide redundancy.
ide m)
• FastConnect uses BGP to exchange routing information.
Gu co
is e.
th cl
e ra
us @o
11
to rai
se du
en ik.
lic arth
ble (k
ra y
fe m
ns isa
tra ra
n- Du
no an
y
ike
rth
Ka
Private Peering:
• Is an extension of the on-premises network to the OCI VCN
• Enables communication across the connection with private IP addresses
Public Peering:
• Enables you to access public OCI services, such as Object Storage, the OCI Console, or APIs, over a dedicated FastConnect connection
• Doesn't use a DRG
[Figure: Customer Premises Equipment or Partner Edge at the FastConnect Data center Location connected to the Oracle Edge of the ORACLE CLOUD INFRASTRUCTURE (REGION). Private Peering reaches the VCN; Public Peering reaches public services such as Object Storage; the Internet path is shown alongside.]
FastConnect Connectivity Providers
                        IPsec VPN                          FastConnect
Protocols               IPsec                              BGP
Routing                 Static Routing, Dynamic Routing    Dynamic Routing
Connection Resiliency   active-active                      active-active
Encryption              Yes, by default                    No * (can be achieved using a virtual firewall)
Pricing                 Free for the managed service       • Billable port hours
                                                           • No data transfer charge between ADs
SLA                     No SLA                             99.9% Availability SLA

* FastConnect itself does not encrypt traffic: data crosses the provider path in the clear unless you layer IPsec (for example, a virtual firewall or VPN appliance over the FastConnect path) or application-level TLS on top of it.
• No hourly or monthly VPN connection charge for IPsec VPN, but data transfer rates (below) apply:

  Metric                                Pay as You Go   Monthly Flex
  Inbound Data Transfer GB/Month        Free            Free

  Metric                                           Pay as You Go   Monthly Flex
  FastConnect 1 Gbps – Metered Port-hours          $.2125          $.2125
  FastConnect 10 Gbps – Metered Port-hours         $1.2750         $1.2750

Port-hours are billed once the connection between the FastConnect Service router and your router is established, or 30 days after you ordered the port, whichever comes first. Port charges will continue to be billed anytime the FastConnect Service port is provisioned.
https://www.oracle.com/cloud/networking/fastconnect.html#pricing
Summary
In this lesson, you should have learned to describe the following:
• IPsec VPN
• Oracle FastConnect
Level 200
Jamal Arif
Objectives
After completing this lesson, you should be able to describe the following:
• FastConnect Use cases
• FastConnect Concepts
• FastConnect Service Models
  – Direct to Oracle:
    — Datacenter Colocation (1a)
    — Dedicated Circuits from a third-party Network Carrier (1b)
  – Using an Oracle Network Provider or Exchange Partner
  – Pre-requisites: Connectivity – Level 100
[Figure: four FastConnect use cases]
• Apps Tier / DB: Applications with a relational database are especially vulnerable to latency and require predictable performance.
• HPC Compute: Large data transfers (for example batch jobs or real-time queries) require high performance and low latency, including backup and replication use cases.
• Applications that contain sensitive data benefit from an extra level of privacy and isolation.
• Oracle Cloud: Moving Web-App-DB tiers to Oracle Cloud needs dedicated network connectivity.
FastConnect provides an easy, elastic, and economical way to create a dedicated and private connection with higher bandwidth options, and a more reliable and consistent networking experience when compared to internet-based connections.
• Connect to OCI directly or via pre-integrated Network Partners
• 1 Gbps and 10 Gbps increments
• Extend remote datacenters into Oracle ("Private peering") or connect to Public resources ("Public peering")
• No charges for inbound/outbound data transfer
• Uses BGP protocol
FastConnect Use Cases
Private Peering:
• Extension of the on-premises network to the OCI VCN
• Communication across the connection with private IP addresses
Public Peering:
• To access public OCI services over a dedicated FastConnect connection
• Access Object Storage, the OCI Console, or APIs
• Communication across the connection with public IP addresses
[Figure: Customer Premises Equipment or Partner Edge at the FastConnect Datacenter Location connected to the Oracle Edge of the ORACLE CLOUD INFRASTRUCTURE (REGION); Private Peering into the VCN, with Object Storage and the Internet shown alongside.]
[Figure: Private peering with BGP. Customer network prefixes 192.168.1.0/24, 192.168.2.0/24 and 172.16.0.0/16 are advertised from the CPE/L3 provider over eBGP to the Dynamic Routing Gateway, which carries them into the VCN; the VCN's subnets 10.1.2.0/24 (AVAILABILITY DOMAIN - 2) and 10.1.3.0/24 (AVAILABILITY DOMAIN - 3) are advertised back.]
With FastConnect, you can choose to use private peering, public peering, or both.

Private peering: To extend your existing infrastructure into a virtual cloud network (VCN) in Oracle Cloud Infrastructure (for example, to implement a hybrid cloud, or a lift and shift scenario). Communication across the connection is with IPv4 private addresses (typically RFC 1918).

Public peering: To access public services in Oracle Cloud Infrastructure without using the internet. For example, Object Storage, the Oracle Cloud Infrastructure Console and APIs, or public load balancers in your VCN. Communication across the connection is with IPv4 public IP addresses. Without FastConnect, the traffic destined for public IP addresses would be routed over the internet. With FastConnect, that traffic goes across the dedicated FastConnect connection instead.

[Figure: Customer Premises Equipment or Partner Edge at the FastConnect Datacenter Location connected to the Oracle Edge of the ORACLE CLOUD INFRASTRUCTURE (REGION); Public Peering to Object Storage, Private Peering to the VCN, Internet alongside.]
As discussed earlier, one use of FastConnect is dedicated access to the regional public services of OCI over public peering connections. Whenever you access public OCI services such as Object Storage, the Oracle Cloud Infrastructure Console and APIs, or public load balancers in your VCN, your traffic can go across the dedicated FastConnect connection instead of the internet. All communication across a public virtual circuit uses public IP addresses.

The figures show the colocation and Oracle provider scenarios where both the private and public peering connections are present. Note that the DRG comes into play only for the FastConnect private peering connection.
• You choose which of your organization's public IP prefixes you want to use with the virtual circuit. Each prefix must be /31 or less specific.
• Oracle verifies your organization's ownership of each prefix before sending any traffic for it across the connection.
• When configuring your edge for public peering, make sure to give higher preference to FastConnect over your ISP.
• Oracle prefers the most specific route when routing traffic from Oracle Cloud Infrastructure to other destinations. This means that even if you have an Internet gateway, replies to your verified public prefixes will go over the FastConnect connection.
• You can add or remove public IP prefixes at any time by editing the virtual circuit.
[Figure: Public peering. The customer network advertises its public prefix 1.1.1.0/24 from the CPE over eBGP across FastConnect; the OCI Region advertises its public service IPs (129.146.0.0/17, 129.146.128.0/17, 129.254.0.0/17, 129.254.128.0/17: Block storage, Casper (Object Storage), the VPN gateway, etc.) and the customer's public VCN IPs. The Internet path between the customer network and the OCI Region is shown in parallel.]
                       FastConnect-Private                   FastConnect-Public
Use case               To manage VCN resources privately     To access OCI's public service offering
Prefix advertisement   OCI advertises VCN subnet routes      OCI advertises public VCN routes and public services routes
Prefix validation      Not needed                            OCI validates that the customer owns the advertised prefixes
Prefix limit           2000                                  200
BGP ASN                Any ASN                               Public ASN
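Pre-flight checks for the prefixes and BGP ASN you would put on a FastConnect virtual circuit, following the public peering bullets and the private/public comparison table above: each prefix /31 or less specific, only public prefixes can pass Oracle's ownership verification (RFC 1918 space cannot), the per-circuit prefix limits (200 public, 2000 private), and a public ASN for public peering. This is an added example, not code from the Oracle course or from Oracle's provisioning. It does not (and cannot) perform Oracle's actual ownership verification; the private ASN ranges are the IANA-reserved ones, 64496 is taken from the RFC 5398 documentation ASN range, and every prefix and ASN below is a constructed input.

```python
"""Added example (not from the Oracle course): pre-flight checks for the
prefixes and BGP ASN on a FastConnect virtual circuit. Prefixes and ASNs
are constructed inputs; Oracle's real ownership verification is not modelled.
"""
import ipaddress

PREFIX_LIMIT = {"public": 200, "private": 2000}         # from the comparison table
PRIVATE_ASN_RANGES = [(64512, 65534), (4200000000, 4294967294)]  # RFC 6996

def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)

def check_prefix(prefix: str, peering: str) -> list:
    """Problems with one advertised prefix (empty list means acceptable)."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)   # rejects host bits set
    except ValueError as err:
        return [f"{prefix}: {err}"]
    if net.version != 4:
        return [f"{net}: only IPv4 prefixes are handled in this example"]
    problems = []
    if net.prefixlen > 31:
        problems.append(f"{net}: must be /31 or less specific")
    if peering == "public" and not net.is_global:
        # RFC 1918, documentation and other non-routable space can never pass
        # Oracle's ownership verification, so reject it up front.
        problems.append(f"{net}: not a public prefix; ownership cannot be verified")
    return problems

def check_virtual_circuit(prefixes: list, asn: int, peering: str) -> list:
    """Problems with the whole prefix set plus the ASN for a virtual circuit."""
    if peering not in PREFIX_LIMIT:
        return [f"unknown peering type {peering!r}"]
    problems = []
    if len(prefixes) > PREFIX_LIMIT[peering]:
        problems.append(f"{len(prefixes)} prefixes exceeds the {peering} limit of {PREFIX_LIMIT[peering]}")
    if peering == "public" and is_private_asn(asn):
        problems.append(f"ASN {asn} is private; public peering requires a public ASN")
    for p in prefixes:
        problems.extend(check_prefix(p, peering))
    return problems

if __name__ == "__main__":
    # 64496 is a documentation ASN (RFC 5398), outside the private ranges, so it
    # passes the public-ASN check here; 65001 is a private ASN.
    print(check_virtual_circuit(["1.1.1.0/24"], 64496, "public"))
    print(check_virtual_circuit(["1.1.1.0/24", "1.1.1.1/32", "10.0.0.0/16"], 65001, "public"))
    print(check_virtual_circuit(["10.0.0.0/16", "172.16.0.0/12"], 65001, "private"))
```

The second call is the instructive one: a single public circuit request can fail for three independent reasons (private ASN, a /32 that is too specific, and RFC 1918 space that can never be verified), and collecting all of them at once saves a round trip with the provider for each.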
FastConnect Connectivity Models
• FastConnect location
  – A specific Oracle data center where you can connect with Oracle Cloud Infrastructure
• Metro Area
  – A geographical area (for example, Ashburn) with multiple FastConnect locations
  – All locations in a metro area connect to the same set of availability domains for resiliency in case of failure in a single location
• Oracle provider
  – A network service provider that has integrated with Oracle in a FastConnect location
• Third-party provider
  – A network service provider that is NOT on the list of Oracle providers
• Colocation
  – The situation where your equipment is deployed into a FastConnect location
• Cross-connect
  – In a colocation or third-party provider scenario, this is the physical cable connecting your existing network to Oracle in the FastConnect location.
• Cross-connect group
  – In a colocation or third-party provider scenario, this is a link aggregation group (LAG) that contains at least one cross-connect.
  – You can add additional cross-connects to a cross-connect group as your bandwidth needs increase. This is applicable only for colocation.
• Virtual Circuit
– A virtual circuit is an isolated network path that runs over one or more physical network connections to provide a single, logical connection between the customer's edge router and their DRG.
– Each virtual circuit is made up of information shared between the customer, Oracle, and a provider.
– The customer could have multiple virtual circuits to isolate traffic from different parts of their organization (e.g. one virtual circuit for 10.0.1.0/24; another for 172.16.0.0/16), or to provide redundancy.
– FastConnect uses Border Gateway Protocol (BGP) to exchange routing information between the various autonomous systems involved in the connection.
– With FastConnect, there are two scenarios for how the virtual circuit's BGP session is established (Layer 2 or Layer 3).
Connectivity Models
• Direct to Oracle:
– Datacenter Colocation (1a)
– Dedicated Circuits from a third-party Network Carrier (1b)
• Using an Oracle Network Provider or Exchange Partner
Physical Connection (figure, colocation 1a): the customer CPE in the customer cage at the FastConnect data center location connects at 10Gbps to the FastConnect edge in the Oracle cage; the edge reaches Availability Domains 1, 2 and 3 of the OCI region.
Figure (dedicated circuit 1b): the CPE in the customer data center at a remote location reaches the FastConnect edge in the Oracle cage at the FastConnect data center location over private circuits from a network carrier at 1Gbps or 10Gbps; the edge connects to Availability Domains 1, 2 and 3 and the regional cloud services.
Connection
In colocation models 1a and 1b:
• You can add additional cross-connects to a cross-connect group as your bandwidth needs increase, for example 2x10G ports into a LAG.
• Cross-connects are grouped together to form a Link Aggregation Group (LAG).
• You can group up to eight cross-connects in a cross-connect group (8x10G if required).
• In a cross-connect group, all ports are on the same router.
Figure: CPE 1 in the customer cage connects over 1Gbps or 10Gbps cross-connects to the FastConnect edge router R1 in the Oracle cage at the FastConnect data center location.
Figure: private virtual circuit. Your existing network (BGP speakers at your edge) connects through a FastConnect location in the metro area to the Oracle edge in the Oracle Cloud Infrastructure region, reaching your private IPs in the VCN (subnets across two availability domains; the prefixes 10.0.0.0/16 and VCN 172.16.0.0/16 appear in the figure). Legend: private virtual circuit.
A single, logical connection (virtual circuit) between your edge and Oracle Cloud Infrastructure by way of your Dynamic Routing Gateway. Traffic is destined for private IP addresses in your VCN.
Colocation Model
Service Models
• Direct to Oracle:
– Datacenter Colocation – 1a
– Dedicated Circuits from a 3rd Party Network Carrier – 1b
Figure: colocation; OCI at 10Gbps with virtual circuits.
https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Concepts/fastconnectcolocate.htm
Service Models
• Direct to Oracle:
– Datacenter Colocation
– Dedicated Circuits from a 3rd Party Network Carrier
• Using an Oracle Network Provider or Exchange Partner (Layer 2 or Layer 3)
Partner
Physical Connection (figure): the CPE in the customer data center connects over a point-to-point or multi-point service to the partner network at the partner demarc; the partner edge connects with redundant 10Gbps links to the FastConnect edge in the Oracle cage at the FastConnect data center location, which reaches Availability Domains 1, 2 and 3 of the OCI region.
Partners
• Network Service Providers
• Exchanges (for example Equinix, Megaport, Interxion)
Partner – Layer 2
Logical Connection (figure): FastConnect Virtual Circuit 1 and FastConnect Virtual Circuit 2 run from the customer CPE through the partner network (partner demarc, partner edge) to the FastConnect edge in the Oracle cage, reaching Availability Domains 1, 2 and 3 of the OCI region. BGP route advertisements are exchanged directly between Oracle and the customer; the partner only carries the Layer 2 path. Examples: Megaport, Equinix, Interxion.
Partner – Layer 3
Logical Connection (figure): the same physical path (customer CPE, partner demarc, partner edge, FastConnect edge in the Oracle cage) carries FastConnect Virtual Circuit 1 and Virtual Circuit 2, but there are two BGP sessions: route advertisements are exchanged between the customer and the partner, and separately between the partner and Oracle.
https://www.oracle.com/cloud/networking/fastconnect-providers.html
This table lists the Oracle Cloud Infrastructure FastConnect locations; as we add regions, the list will grow as well. Currently, for all three OCI regions, this is the list of FastConnect locations.
• Using an Oracle Network Provider or Exchange Partner (Layer 2 or Layer 3)
Figure: OCI at 10Gbps with virtual circuits (see https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Concepts/fastconnectcolocate.htm).
1. Set Up OCI Components
a. DRG (private peering only)
b. Set up a Virtual Circuit with the provider:
– Select the type of circuit
– Select the DRG
– Private peering: provide the customer and Oracle BGP IP addresses and the ASN
– Public peering: provide the customer's public BGP ASN and public prefixes
c. Provide the details of the Virtual Circuit to the provider. Until the provider completes its side, the circuit's lifecycle state shows Pending Provider.
2. Set Up Megaport Connection
a. Use the OCID of the Virtual Circuit in Megaport.
b. Choose the POP location.
FastConnect Connectivity Resiliency
• Have multiple redundant connections into OCI and avoid single points of failure in your design.
• For IPSec VPN, OCI recommends using multiple connections from redundant physical devices at the customer premises. High-availability connections require redundant hardware, even when connecting from the same physical location.
• OCI FastConnect provides multiple redundancy options; it is recommended to use multiple vendors, if financially feasible, to ensure you have redundant network connections.
• Plan for sufficient network capacity on your FastConnect virtual circuits so that an individual circuit is not overwhelmed when its redundant partner fails.
• Add service-level redundancy by creating an IPSec VPN alongside FastConnect. For the same destination prefix, Oracle always prefers the FastConnect path over the VPN connection, so the VPN carries traffic only while FastConnect is down.
Oracle-side redundancy
• Two Oracle FastConnect POPs, for location redundancy, in the following regions: Ashburn, Phoenix, London, Frankfurt. Each POP is connected to all of Oracle's availability domains in the region.
• Per Oracle POP: two routers, for router redundancy.
• Multiple physical connections between each Oracle provider and Oracle (for a given region).
Figure: colocation redundancy, two variants. Each cross-connect (physical connection) is bundled into a cross-connect group (LAG) that carries a virtual circuit between a customer edge router and an Oracle edge router. In the first variant, Virtual Circuit 2 lands on a second FastConnect POP location (Customer Edge 2 to Oracle Edge 2, Router 1 on each side). In the second variant, Virtual Circuit 1 and Virtual Circuit 2 terminate on Router 1 and Router 2 respectively within the same POP.
... cross-connect LAG between them and Oracle.
• The redundant cross-connect LAG could land in the same POP or in a different POP, depending on the connectivity between the partner and Oracle.
• Active/Active or Active/Passive setups are possible, using the LOCAL_PREF ("LP") and AS_PATH BGP attributes to influence egress traffic from the customer and from OCI respectively: the customer sets a higher LOCAL_PREF on the routes learned over the preferred circuit, and prepends its own ASN on the advertisements sent over the backup circuit so that OCI sees a longer AS_PATH there.
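The LOCAL_PREF and AS_PATH mechanics in the last bullet, as an added example (not part of the course): a small model of BGP best-path selection across two virtual circuits. The customer side raises LOCAL_PREF on routes learned over VC1, which steers the customer's egress; the customer prepends its own ASN on the advertisement sent over VC2, so OCI sees a longer AS_PATH there and steers its egress onto VC1. Only the LOCAL_PREF, AS_PATH-length and lowest-router-ID steps of the selection algorithm are modelled; the ASNs, prefixes and router IDs are made up.

```python
"""Added example: active/passive FastConnect virtual circuits modelled with a
reduced BGP best-path selection. Not Oracle code; ASNs and addresses invented."""
from dataclasses import dataclass
from typing import List, Optional

CUSTOMER_AS = 64999   # assumed customer ASN
OCI_AS = 65001        # assumed OCI-side ASN for the model


@dataclass
class Path:
    prefix: str
    via: str            # which virtual circuit the route was learned over
    as_path: List[int]
    local_pref: int = 100
    peer_router_id: str = "0.0.0.0"

    def selection_key(self):
        # Lower tuple wins: highest LOCAL_PREF, then shortest AS_PATH, then
        # lowest peer router ID. Real BGP has more steps in between (origin,
        # MED, eBGP over iBGP, IGP cost); this model omits them.
        rid = tuple(int(o) for o in self.peer_router_id.split("."))
        return (-self.local_pref, len(self.as_path), rid)


def best_path(paths: List[Path]) -> Optional[Path]:
    """Best-path choice for one prefix; None if nothing is reachable."""
    return min(paths, key=Path.selection_key) if paths else None


def multipath(paths: List[Path]) -> List[Path]:
    """Paths that tie on LOCAL_PREF and AS_PATH length, i.e. the set an
    active/active (ECMP) deployment would load-share across."""
    if not paths:
        return []
    best = best_path(paths).selection_key()[:2]
    return [p for p in paths if p.selection_key()[:2] == best]


def customer_rib(vc1_up=True, vc2_up=True) -> Optional[Path]:
    """Routes the customer edge learns for the VCN CIDR. An inbound route-map
    sets LOCAL_PREF 200 on VC1, so the customer's egress uses VC1 while it is up."""
    paths = []
    if vc1_up:
        paths.append(Path("172.16.0.0/16", "VC1", [OCI_AS], local_pref=200, peer_router_id="10.0.0.1"))
    if vc2_up:
        paths.append(Path("172.16.0.0/16", "VC2", [OCI_AS], local_pref=100, peer_router_id="10.0.0.2"))
    return best_path(paths)


def oci_rib(vc1_up=True, vc2_up=True, prepend_on_vc2=2) -> Optional[Path]:
    """Routes OCI learns for the customer CIDR. The customer cannot set OCI's
    LOCAL_PREF, which is equal on both circuits, so it prepends its ASN on VC2;
    the longer AS_PATH makes OCI send its egress over VC1 while VC1 is up."""
    paths = []
    if vc1_up:
        paths.append(Path("10.0.0.0/16", "VC1", [CUSTOMER_AS], peer_router_id="192.0.2.1"))
    if vc2_up:
        paths.append(Path("10.0.0.0/16", "VC2", [CUSTOMER_AS] * (1 + prepend_on_vc2),
                          peer_router_id="192.0.2.2"))
    return best_path(paths)


if __name__ == "__main__":
    for vc1 in (True, False):
        print(f"VC1 up={vc1}: customer egress via {customer_rib(vc1_up=vc1).via}, "
              f"OCI egress via {oci_rib(vc1_up=vc1).via}")
    # Without prepending both circuits tie and OCI would load-share (active/active).
    print("active/active set:", [p.via for p in multipath([
        Path("10.0.0.0/16", "VC1", [CUSTOMER_AS], peer_router_id="192.0.2.1"),
        Path("10.0.0.0/16", "VC2", [CUSTOMER_AS], peer_router_id="192.0.2.2")])])
```

Note the asymmetry the model makes explicit: with prepend_on_vc2=0 the two paths tie on both attributes and the choice falls through to the router-ID tiebreak, which is not something to rely on for a deliberate active/passive design; the prepend is what makes the failover deterministic.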
Oracle requires redundancy with partners
Figure: the CPE in the customer DC connects to the partner PE; Virtual Circuit 1 and Virtual Circuit 2 run from two partner PEs to Router 1 at Oracle POP 2 in the OCI region.
For redundancy:
Customer: order 2 virtual circuits with Oracle; order 2 cross-connects to the partner.
Partner: minimum 2 circuits to Oracle; provisions the 2nd VC on the redundant cross-connect.
Oracle: minimum 2 circuits to the partner; agreement with the partner to provision the 2nd VC on the redundant cross-connect.
• The partner and Oracle will make sure that the second BGP session lands on the redundant cross-connect LAG between the partner and Oracle.
• The customer can still provision the second virtual circuit, at additional cost, should they need redundancy at the virtual-circuit level.
Oracle requires redundancy with partners (router redundancy variant)
Figure: the CPE connects to the partner PE; Virtual Circuit 2 lands on Router 2 at Oracle POP 2 in the OCI region, while Router 1 carries the first circuit.
For redundancy:
Customer: order 2 virtual circuits with Oracle; order 2 cross-connects to the partner.
Partner: minimum 2 circuits to Oracle; runs 2 BGP sessions with Oracle.
Oracle: minimum 2 circuits to the partner; runs 2 BGP sessions with the partner.
Figure: FastConnect with IPSec VPN backup. The customer network (10.0.0.0/16) CPE connects through the provider network to virtual circuits at FastConnect location 1 and FastConnect location 2 (edge to edge), terminating on the DRG; an IPSec VPN connection over the Internet provides a backup path into the same DRG. Inside the VCN, private subnet 10.2.2.0/24 in Availability Domain 1 and private subnet 10.2.3.0/24 in Availability Domain 2 sit behind firewalls; a public subnet routes DST IP 0.0.0.0/0 to the Internet through the IGW.
Unauthorized reproduction or distribution prohibited. Copyright © 2021, Oracle University and/or its affiliates.
Load Balancer (Level 100, Rohit Rahi)
A load balancer sits between the clients and the back ends and performs tasks such as:
• Service discovery: What back ends are available in the system? How should the load balancer talk to them?
• Health check: What back ends are currently healthy and available to accept requests?
• Algorithm: What algorithm should be used to balance individual requests across the healthy back ends?
Load Balancer benefits
• Fault tolerance and HA: Using health checks plus LB algorithms, an LB can effectively route around a bad or overloaded back end.
• Scale: An LB maximizes throughput, minimizes response time, and avoids overload of any single resource.
• Naming abstraction: Name resolution can be delegated to the LB; back ends don't need public IP addresses.
The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from one entry point to multiple back-end servers in your Virtual Cloud Network. This helps to load balance large amounts of traffic that could overwhelm a single server, gives a mechanism to scale out an application tier by adding more servers, and also provides the application higher availability, so even if one availability domain has an issue, you can still be up and running in
Load Balancer is a regional service: load balancers come in pairs, active and passive, and public load balancers live in two separate availability domains, providing HA with no single point of failure.
The OCI load balancer supports TCP and the usual HTTP protocols, as well as HTTP/2 and WebSocket; features such as data compression, server push and multiplexing of requests are all supported.
For security purposes, it supports SSL offloading, SSL termination, SSL end-to-end and SSL tunneling.
... aggregate throughput. The nice thing about having this much capacity provisioned is that it is always available to the user. There is no warm-up period when using these shapes; this aggregate throughput performance is always available.
4. There is a single load balancer for HTTP and TCP. This makes the service easier to use in general.
• Key differentiators
– Private or public load balancer (with public IP address)
– Provisioned bandwidth: 100 Mbps, 400 Mbps, 8 Gbps
– Single load balancer for TCP (layer 4) and HTTP (layer 7) traffic
Public Load Balancer
• Accepts traffic from the Internet by using a public IP address that serves as the entry point for incoming traffic.
• Public Load Balancer is a regional service.
• If your region includes multiple availability domains, a public load balancer requires either a regional subnet (recommended) or two availability domain-specific (AD-specific) subnets, each in a separate availability domain.
• The Load Balancing service creates a primary load balancer and a standby load balancer, each in a different availability domain.
• It supports AD failover in the event of an AD outage in an Oracle Cloud Infrastructure multi-AD region.
• A floating public IP is attached to the primary load balancer; in the event of an AD outage, the floating public IP is attached to the standby load balancer.
• The service treats the two load balancers as equivalent and you cannot denote one as "primary".
There are two kinds of LBs, a public LB and a private LB. Let's first talk about the public LB.
When you create a public LB you select two ADs for the LB to reside in; in this case this LB lives in AD1 and AD2. Because OCI is going to create two copies of the LB to make the service highly available, you need to have two subnets (subnet 1 and subnet 2). After creation, the public load balancer sits at the edge of a VCN.
What happens next is that a primary load balancer is selected automatically to hold the public IP, with a secondary load balancer in an active/standby configuration. This is completely invisible to the user; there is no requirement or capability to designate the primary or secondary LB. Next we have a listener. This is the public IP address and the service ports that are opened up to sit between the Internet and your back-end servers.
In case one of the ADs goes down, the listener fails over to the other availability domain automatically, and the dotted line at the top of the figure is the new path for the traffic.
This HA is built in; the user doesn't have to manage it. Remember there is no way or reason to change which LB is acting as the primary load balancer. It is all managed by the service itself.
For a private load balancer the implementation is a bit different. With an AD-specific subnet, two copies of the load balancer go into a single subnet in a single AD, so it doesn't give you HA in case of an AD outage (with a regional subnet the two copies can be placed in different ADs, as the private load balancer slide notes). Other than this, all other capabilities are the same.
Figure: public load balancer with regional subnets. Internet traffic reaches the public IP address on the listener in Regional Subnet 1 of the VCN; the backend set with the backend servers is in Regional Subnet 2.
Figure: public load balancer with AD-specific subnets. The listener with the public IP address spans Subnet 1 and Subnet 2 (one per availability domain); the backend set with the backend servers is in Subnet 3.
Private Load Balancer
• It is assigned a private IP address from the subnet hosting the load balancer.
• The load balancer can be regional or AD-specific, depending on the scope of the host subnet. It is highly available within an AD with an AD-specific subnet, or highly available across ADs with a regional subnet.
• The primary and standby load balancers each require a private IP address from that subnet.
• The load balancer is accessible only from within the VCN that contains the associated subnet, or as further restricted by your security list rules.
Figure: private load balancer with a regional subnet across Availability Domain 1 and Availability Domain 2. Local VCN traffic reaches the private IP address on the listener (active in one AD, failover in the other) in Regional Subnet 1; the backend set with the backend servers is in Regional Subnet 2.
Figure: private load balancer, active copy and failover copy, with the listener on a private IP address in Regional Subnet 1 receiving local VCN traffic; the backend set with the backend servers is in Regional Subnet 2.
Policies, Health Checks
• Round Robin: Default policy; distributes incoming traffic sequentially to each server in a backend set. After each server has received a connection, the load balancer repeats the list in the same order.
• IP Hash: Uses an incoming request's source IP address as a hashing key to route non-sticky traffic to the same back-end server.
• Least Connection: Routes incoming non-sticky request traffic to the back-end server with the fewest active connections.
• Load balancer policy decisions apply differently to TCP load balancers, cookie-based session-persistent HTTP requests (sticky requests), and non-sticky HTTP requests:
– A TCP load balancer considers policy and weight criteria.
– An HTTP load balancer with cookie-based session persistence forwards requests using the cookie's session information.
– For non-sticky HTTP requests, the load balancer applies policy and weight criteria.
Backend set
– Overall load balancer: a load balancer IP with up to 16 listeners (port numbers).
– Each listener has a back-end set that can have 1 to N back-end servers (Server 2, Server 3, ... in the figure).
• The Health API provides a 4-state health status (ok, warning, critical, unknown).
• Health status is updated every three minutes. No finer granularity is available.
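The three policies and the health roll-up described above, as an added example (not from the course): a constructed backend set is run through round robin (with weights), IP hash and least connection, with backends whose health check failed excluded first. The roll-up of per-backend status into the four-state backend-set health is this example's assumption about the Health API, not the service's code, and the backend addresses are made up.

```python
"""Added example: OCI-style load-balancer policies over a backend set with
health-check filtering. Not Oracle code; addresses are constructed."""
import hashlib


class Backend:
    def __init__(self, addr, weight=1, status="ok"):
        self.addr = addr
        self.weight = weight          # higher weight = larger share of traffic
        self.status = status          # last health-check result: ok/warning/critical/unknown
        self.active = 0               # open connections, for least-connection


def backend_set_health(backends):
    """Roll per-backend status up into the 4-state backend-set health
    (assumed rule: all ok -> ok, none ok -> critical, mixed -> warning,
    empty or all unknown -> unknown)."""
    states = {b.status for b in backends}
    if not states or states == {"unknown"}:
        return "unknown"
    if states == {"ok"}:
        return "ok"
    if "ok" not in states:
        return "critical"
    return "warning"


class LoadBalancer:
    def __init__(self, backends, policy="round_robin"):
        self.backends = backends
        self.policy = policy
        self._rr_index = 0

    def healthy(self):
        """Only backends whose last health check passed receive traffic."""
        return [b for b in self.backends if b.status == "ok"]

    def pick(self, src_ip):
        pool = self.healthy()
        if not pool:
            raise RuntimeError("no healthy backends; set health is " + backend_set_health(self.backends))
        if self.policy == "round_robin":
            # Each backend appears weight times; walk the list sequentially and
            # repeat it in the same order, as the slide describes.
            seq = [b for b in pool for _ in range(b.weight)]
            chosen = seq[self._rr_index % len(seq)]
            self._rr_index += 1
        elif self.policy == "ip_hash":
            # Same source IP -> same backend while the healthy pool is unchanged.
            # Caveat: clients behind one NAT share a hash, and a pool change
            # remaps every client, so this is not real session persistence.
            digest = hashlib.sha256(src_ip.encode()).digest()
            chosen = pool[int.from_bytes(digest[:8], "big") % len(pool)]
        elif self.policy == "least_connection":
            # Fewest active connections, normalised by weight; address breaks ties.
            chosen = min(pool, key=lambda b: (b.active / b.weight, b.addr))
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        chosen.active += 1
        return chosen

    def release(self, backend):
        """Call when a connection closes so least-connection counts stay accurate."""
        backend.active -= 1


if __name__ == "__main__":
    pool = [Backend("10.0.1.10"), Backend("10.0.1.11", weight=2), Backend("10.0.1.12", status="critical")]
    lb = LoadBalancer(pool, "round_robin")
    print("set health:", backend_set_health(pool))
    print("round robin:", [lb.pick("203.0.113.5").addr for _ in range(4)])
```

Two details worth noticing when reading the output: the critical backend never appears in any policy's choice, which is the health check doing its job rather than the policy, and the weighted round robin gives the weight-2 backend two of every three picks without any randomness, so a capture of a few requests is enough to confirm the weights took effect.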
Compute (Level 100, Rohit Rahi)
• Describe Bring Your Own Hypervisor
In this lecture, we'll dive deeper into the OCI compute service and talk about concepts and look at various
Figure: three Bare Metal Servers, the middle one running a hypervisor with VMs.
VM compute instances run on the same hardware as Bare Metal instances, leveraging the same cloud-optimized hardware, firmware, software stack, and networking infrastructure.
Just to give you a brief overview, we are the only public cloud that supports bare metal and VMs using the same set of APIs, hardware, firmware, software stack and networking infrastructure.
You can see the two models on the slide. Bare Metal instances are instances where customers get the full server. This is also referred to as the single-tenant model. The advantage here is that there is no performance overhead, no shared agents and no noisy neighbors.
At the other end of the spectrum are VMs, where the underlying host is virtualized to provide smaller VMs, also referred to as the multi-tenant model. The advantage here is flexibility in the choice of instance shapes.
Direct Hardware Access with all the Security, Capabilities, Elasticity, and Scalability of Oracle Cloud Infrastructure
Figure: a bare metal server (no hypervisor) serving four workload classes:
• Workloads that are performance-intensive
• Workloads that are not virtualized
• Workloads that require a specific hypervisor
• Workloads that require BYO licensing
Shape              Instance type          OCPU  RAM (GB)  Local Disk (TB)      Network Bandwidth   Max vNICs (Linux)  Max vNICs (Win)
BM.HPC2.36         X7 High Frequency      36    384       6.7 TB NVMe SSD      1 x 100 Gbps RDMA   50                 1
BM.GPU2.2          2x P100 NVIDIA GPUs    28    192       Block Storage only   2 x 25 Gbps         28                 15
BM.Standard1.36    X5 Standard compute    36    256       Block Storage only   10 Gbps             36                 1
BM.DenseIO1.36     X5 Dense I/O compute   36    512       28.8 TB NVMe SSD     10 Gbps             36                 1
BM.Standard.B1.44  X6 Standard compute    44    512       Block Storage only   25 Gbps             44                 NA
• Compute Standard E2 is based on the AMD EPYC processor
• 2 x 25 Gbps implies two NIC cards with 25 Gbps bandwidth each
• Network bandwidth is based on the expected bandwidth for traffic within a VCN
• AMD EPYC Bare Metal server (64 cores, 512 GB RAM, 2 x 25 Gbps bandwidth, 75 vNICs) available at $0.03 core/hour; 66% cheaper than other options.
• AMD EPYC-based instances are ideal for maximizing price performance.
• Supported for Oracle applications, including E-Business Suite, JD Edwards, and PeopleSoft.
• Certified to run Cloudera, Hortonworks, MapR, and Transwarp.
• On a 10-TB full TeraSort benchmark, including TeraGen, TeraSort and TeraValidate, the AMD EPYC-based instance demonstrated a 40 percent reduction in cost per OCPU versus x86 alternatives with only a very slight increase in run times.
• On a 4-node, 14M cell Fluent CFD simulation of an aircraft wing, the AMD EPYC-based instance demonstrated a 30 percent reduction in cost along with a slight reduction in overall run times as compared to an x86 alternative.
Import/Export and BYOI
• A template of a virtual hard drive that determines the operating system and other software for an instance. Images can be Oracle-provided, custom, or BYOI.
• Oracle provides several pre-built images for Oracle Linux, Microsoft Windows, Ubuntu and CentOS.
Image                         Image name
Oracle Linux                  Oracle-Linux-7.x-<date>-<number>, Oracle-Linux-6.x-<date>-<number>
CentOS 7                      CentOS-7-x-<date>-<number>, CentOS-6.x-<date>-<number>
Ubuntu 16.04 LTS              Canonical-Ubuntu-16.x-<date>-<number>, Canonical-Ubuntu-14.x-<date>-<number>
Windows Server 2012 R2        Windows-Server-2012-R2-<edition>-<gen>.<date>-<number>
Windows Server 2008 R2 - VM   Windows-Server-2008-R2-Standard-Edition-VM-<date>-<number>
Windows Server 2016           Windows-Server-2016-Datacenter-Edition-Gen2.<date>-<number>
All Oracle-provided images include firewall rules that allow only "root" on Linux instances or "Administrators" on Windows instances to make outgoing connections to the iSCSI network endpoint (169.254.0.2:3260) that
Oracle recommends that you do not reconfigure the firewall on your instance to remove these rules. Removing these rules allows non-root users or non-administrators to access the instance's boot disk volume. Oracle recommends that you do not create custom images without these rules unless you
• Linux images
– Username opc is created automatically for instances created from Oracle Linux/CentOS images.
– Username ubuntu is created automatically for instances created from Ubuntu images.
– These users have sudo privileges and are configured for remote access over SSH v2.
– The default set of firewall rules allows only SSH access (port 22).
– Provide a startup script using cloud-init.
• Windows images
– Username opc is created automatically with an OTP (one-time password).
– Include the Windows Update utility to get the latest Windows updates from Microsoft.
• Create a custom image of an instance's boot disk and use it to launch other instances.
• Instances you launch from your custom image include the customizations, configuration, and software installed when you created the image.
• During the process, the instance shuts down and remains unavailable for several minutes. The instance restarts when the process completes.
• Custom images do not include the data from any attached block volumes.
• A custom image cannot exceed 300 GB.
• Windows custom images cannot be exported or downloaded out of the tenancy.
• The Compute service enables you to share custom images across tenancies and regions using image import/export.
• Image import/export uses the OCI Object Storage service.
• You can import Linux and Windows operating systems.
• Supported launch modes:
– Emulation mode:
— The virtual machine's I/O devices (disk, network), CPU, and memory are implemented in software.
— An emulated VM can support almost any x86 operating system. These VMs are slow.
– Paravirtualized:
— The virtual machine includes a driver specifically designed to enable virtualization.
– Native mode: the same as a Hardware Virtualized Machine (HVM); offers maximum performance with modern OSs.
• You can also find more information about custom images here: https://cloud.oracle.com/iaas/whitepapers/deploying_custom_os_images.pdf
The Bring Your Own Image (BYOI) feature enables you to bring your own versions of operating systems to the cloud as long as the underlying hardware supports them. BYOI can help with the following scenarios:
• Enables lift-and-shift cloud migration projects
• Supports both old and new operating systems
• Encourages experimentation
• Increases infrastructure flexibility
[Figure: BYOI flow. On-premises qcow2 image -> OCI Region: Object Storage -> Custom Image -> Instance]
NOTE: You must comply with all licensing requirements when you upload and start instances based on OS images that you supply.
You also have the ability to import and export an image. This will give you the ability to move images
All images imported and exported will be placed in a bucket of your choice in Object Storage.
There are three import modes that you can use for your images:
The first option is Emulation mode, where all the drivers for the network and boot disk are fully emulated.
The second option is Native mode, which offers the maximum performance, as the drivers are directly connected with the hardware; it is a good fit for bare metal instances.
The third mode is Paravirtualized (PV) mode, where this capability minimizes overhead and optimizes
Boot Volume
• A compute instance is launched using the OS image stored on a remote boot volume.
• The boot volume is created automatically and associated with the instance until you terminate the instance.
• Boot volumes are encrypted, have faster performance, lower launch times, and higher durability for BM and VM instances.
• A compute instance can be scaled to a larger shape by using boot volumes.
• You can preserve the boot volume when you terminate a compute instance.
• Boot volumes are only terminated when you manually delete them.
• Boot volumes cannot be detached from a running instance.
• It is possible to take a manual backup, assign a backup policy, or create a clone of a boot volume.
When any instance (virtual machine or bare metal) is launched on an Oracle-provided image or a custom image, a new boot volume for the instance is created in the same compartment. That boot volume is associated with that instance until you terminate the instance. When you terminate the instance, you have the option of preserving the boot volume and its data. This feature gives you more
It gives you the ability to preserve your boot disk content by keeping it when you terminate a compute instance: you can use the preserved boot volume for new instance creation.
Just like block volumes are replicated across multiple storage servers, boot volumes are also highly durable as they are
Boot volumes can also help with instance scaling. Since you can preserve the boot volume when terminating an instance, the preserved boot volume can be used with a new instance of a different shape,
To use boot volumes, there is nothing special that one needs to do. Moving forward, all instances that are launched will use boot volumes with all the features we talked about earlier.
Default boot volume size: Linux 46.6 GB; Windows 256 GB.
Custom Images
  Pros:
  • You can export a custom image across regions and tenancies.
  • No cost associated with storing your custom images.
  Cons:
  • The instance shuts down and remains unavailable for several minutes until the process finishes.
  • Limit of 25 custom images per compartment.
Boot Volume Backup
  Pros:
  • It doesn't require downtime.
  • Preserves the entire state of your running operating system as a backup.
  Cons:
  • Cost associated with the amount of Object Storage used to store your backup.
  • Creating a boot volume backup while the instance is running creates a crash-consistent backup (writes still buffered in memory are not captured; quiesce the application or file system first if you need an application-consistent backup).
Instance Configurations, Pools, Autoscaling
Instance Configurations
[Figure: one instance configuration used to launch multiple instances across different availability domains, managed all together (stop, start, terminate) and attached to a load balancer]
Instance Configurations
• Include parameters (OS image, metadata, shape) and related resources as a single configuration entity, so you don't have to specify them every time you launch a new instance.
• Configure attached storage volumes, VNICs, subnets and AD placement, all with a single request.
Instance Pools
• Provision and create multiple compute instances based off the same instance configuration.
• Scale up/down.
such as block volumes attached to the instance, as a single configuration entity. You can create an Instance Configuration from an existing running instance or construct a custom Instance Configuration via the CLI. When boot or data storage volumes do not already exist, these resources will automatically be created for you when launching an instance. With one single action, you can launch an instance, and we create storage volumes, attach VNICs and stripe the set number of instances evenly across the desired availability domains (ADs) for you. This is something that would normally require manual provisioning of each individual resource on the platform to launch an instance.
Oracle Cloud Infrastructure has created a new, powerful approach that launches and manages identical VM instances in a logical group called an Instance Pool. The pool automatically provisions a horizontally scalable pool of VM instances. An Instance Pool uses an instance configuration template that contains all the settings for how you want an instance created. Instance Pools manage the launching of identical instances based on the instance configuration template. The pool maintains your configured instance count and can be updated to scale on demand. The Instance Pool constantly monitors its own health state to ensure all instances are in a running state. In the event of any instance failure, the pool will automatically self-heal and take corrective action to bring the pool back to a healthy state.
• Instance Configurations
– Clone an instance and save it to a configuration file.
– Create standardized baseline instance templates.
– Easily deploy instances from the CLI with a single configuration file.
– Automate the provisioning of many instances and their resources, and handle the attachments.
• Instance Pools
– Centrally manage a group of instance workloads that are all configured with a consistent configuration.
– Update a large number of instances with a single instance configuration change.
– Maintain high availability and distribute instances across availability domains within a region.
– Scale out instances on demand by increasing the size of the pool.
Here you can see some use cases for Instance Configurations and Pools.
[Figure: Instance Pool before scale and after scale. Scaling rule shown: if CPU or memory > 70%, add 2 instances; if CPU or memory < 70%, remove 2 instances. Pool bounds: Minimum Size, Initial Size, Maximum Size. In practice the scale-in threshold is set well below the scale-out threshold, with a cooldown period, so the pool does not oscillate around a single value.]
Instance Metadata and Lifecycle
• Instance metadata includes its OCID, name, compartment, shape, region, AD, creation date, state, image, and any custom metadata such as an SSH public key.
• The service runs on every instance and is an HTTP endpoint listening on 169.254.169.254.
• Get instance metadata by logging in to the instance and using the metadata service.
• Oracle-provided Linux instances:
– curl http://169.254.169.254/opc/v1/instance/
– curl http://169.254.169.254/opc/v1/instance/metadata/
– curl http://169.254.169.254/opc/v1/instance/metadata/<key-name>/
• Add and update custom metadata for an instance using the CLI or SDK.
• Custom metadata is served over plain HTTP to any process on the instance, so never put secrets (passwords, private keys, tokens) in it.
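The curl calls above read the metadata service by hand. The following is an added example, not code from the course or from Oracle: a small client that reads the same instance document, inventories what custom metadata is exposed, and checks whether the unauthenticated legacy path is still served. It uses the /opc/v2/ endpoint, which only answers when the request carries the header Authorization: Bearer Oracle; the /opc/v1/ path shown on the slide keeps answering unless the legacy endpoints are disabled on the instance. The field names in the embedded sample follow the instance document; every value in it is made up, and the sample_fetcher helper is a stand-in so the code runs off an OCI instance.

```python
"""Read the OCI instance metadata service (IMDS) and report what it exposes.

Added example; not from the course material. /opc/v2/ requires the header
'Authorization: Bearer Oracle'. SAMPLE_INSTANCE is a constructed document.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, Optional

IMDS_BASE = "http://169.254.169.254"
V2_HEADERS = {"Authorization": "Bearer Oracle"}  # mandatory for /opc/v2/

# Constructed sample of a /opc/v2/instance/ document (invented values).
SAMPLE_INSTANCE: Dict[str, Any] = {
    "id": "ocid1.instance.oc1.iad.exampleuniqueid",
    "displayName": "web-01",
    "compartmentId": "ocid1.compartment.oc1..examplecompartment",
    "shape": "VM.Standard2.1",
    "region": "iad",
    "availabilityDomain": "Uocm:US-ASHBURN-AD-1",
    "state": "Running",
    "image": "ocid1.image.oc1.iad.exampleimage",
    "metadata": {
        "ssh_authorized_keys": (
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... opc@example\n"
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... admin@example\n"
        ),
        "user_data": "IyEvYmluL2Jhc2gKZWNobyBoZWxsbwo=",  # cloud-init script, base64
        "db_password": "hunter2",  # exactly what should never be put here
    },
}

# A fetcher takes (url, headers) and returns the body, or None on failure.
Fetcher = Callable[[str, Optional[Dict[str, str]]], Optional[str]]


def http_get(url: str, headers: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Plain HTTP GET; None on connection errors, timeouts or non-2xx responses."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=2.0) as resp:
            return resp.read().decode("utf-8")
    except Exception:
        return None


def sample_fetcher(doc: Dict[str, Any] = SAMPLE_INSTANCE, legacy_enabled: bool = False) -> Fetcher:
    """Offline stand-in for http_get that behaves like IMDS: v2 needs the header,
    v1 answers only while the legacy endpoints are still enabled."""
    def get(url: str, headers: Optional[Dict[str, str]] = None) -> Optional[str]:
        if url.endswith("/opc/v2/instance/") and (headers or {}).get("Authorization") == "Bearer Oracle":
            return json.dumps(doc)
        if url.endswith("/opc/v1/instance/") and legacy_enabled:
            return json.dumps(doc)
        return None
    return get


def fetch_instance_document(get: Fetcher = http_get) -> Optional[Dict[str, Any]]:
    """GET /opc/v2/instance/ with the required header; None when IMDS is unreachable."""
    body = get(f"{IMDS_BASE}/opc/v2/instance/", V2_HEADERS)
    return json.loads(body) if body else None


def legacy_v1_reachable(get: Fetcher = http_get) -> bool:
    """Hardening check: True if the unauthenticated v1 path still answers, meaning any
    local process (or an SSRF through a web app on the box) can read the metadata."""
    return get(f"{IMDS_BASE}/opc/v1/instance/", None) is not None


def summarize(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Identity fields plus an inventory of custom metadata keys, without echoing values."""
    custom = doc.get("metadata", {})
    keys = [line for line in custom.get("ssh_authorized_keys", "").splitlines() if line.strip()]
    return {
        "id": doc.get("id"),
        "shape": doc.get("shape"),
        "region": doc.get("region"),
        "state": doc.get("state"),
        "ssh_key_count": len(keys),
        "ssh_key_types": [line.split()[0] for line in keys],
        # custom metadata is readable by every local user over plain HTTP; keys other
        # than the SSH keys and the cloud-init user_data deserve a look
        "review_custom_keys": sorted(k for k in custom if k not in ("ssh_authorized_keys", "user_data")),
    }


if __name__ == "__main__":
    # On an OCI instance this hits the real IMDS; elsewhere it falls back to the sample.
    doc = fetch_instance_document() or fetch_instance_document(sample_fetcher())
    print(json.dumps(summarize(doc), indent=2))
    print("legacy /opc/v1/ still reachable:", legacy_v1_reachable())
```

Run it on an instance to see which custom keys are exposed; if legacy_v1_reachable() returns True, any unprivileged process on the box can read the same document without a header, which is worth fixing before putting secrets-adjacent data anywhere near instance metadata.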
• Start – Restarts a stopped instance. After the instance is restarted, the Stop action is enabled.
• Stop – Shuts down the instance. After the instance is powered off, the Start action is enabled.
• Reboot – Shuts down the instance, and then restarts it.
• Terminate – Permanently deletes instances that you no longer need.
– The instance's public and private IP addresses are released and become available for other instances.
– By default, the instance's boot volume is deleted. However, you can preserve the boot volume and attach it to a different instance as a data volume, or use it to launch a new instance.
• Resource Billing
– Standard shapes: billing pauses in the STOPPED state.
– Dense I/O shapes: billing continues even in the STOPPED state.
– GPU shapes: billing continues in the STOPPED state.
– HPC shapes: billing continues in the STOPPED state.
– Supports both x7 and AMD EPYC based instances with industry-leading price/performance
• Image options include Oracle-provided images, BYOI, custom images, and image import/export
• Advanced features include instance configurations, pools and autoscaling
Unauthorized reproduction or distribution prohibited. Copyright© 2021, Oracle University and/or its affiliates.
Level 100
Jamal Arif
Docker use cases (source: The Evolution of the Modern Software Supply Chain, Docker Survey 2016)
Use case | Respondents | Description | Outcome
Operations | 41% | Standardized environments for dev, testing and operations | Resilient, self-healing systems; high availability; elastic scalability
Refactor Legacy Apps | 34% | Refactor from N-tier to portable containerized applications | Run distributed, stateful apps on scale-out infrastructure
Migrate to Cloud | 33% | Move entire app stacks and see them run identically in the cloud | Cloud bursting; reduce infrastructure costs by avoiding over-provisioning
New Microservice Apps | 32% | Create small purpose-built services that can be assembled into scalable custom applications | Dynamically manage large-scale microservices infrastructure
There is a wide range of use cases to which Docker containers can be applied, but as soon as the scale increases, orchestration becomes necessary. With Kubernetes, Docker infrastructure can be made to
Docker
• De facto standard container runtime and image format
• Used for developer on-boarding and first generation application management
Kubernetes
• Complex but powerful toolset supporting cloud scale applications
• Widespread adoption
• Rich operations feature set: autoscaling, rolling upgrades, stateful apps and more
Oracle's strategy for container-based services focuses on the leading technologies for containers and orchestration: Docker and Kubernetes. With these technologies, you can create applications at any scale, from simple DevOps setups to global mission critical enterprise applications. Because the technologies are so widely used, they support a truly hybrid architecture, running apps on premises and in multiple clouds.
[Figure: adoption statistics. 60% of enterprise companies (500+ hosts) use Docker; 15% of all the hosts at these companies run Docker; 40% of Docker users also use orchestrators; 80% of these orchestration users prefer Kubernetes.]
Docker:
Kubernetes:
• Production grade container management targeting DevOps and Ops, widespread adoption
• Rich operations feature set: autoscaling, rolling upgrades, stateful apps and more.
[Slide fragments: "as a Service (CaaS)"; "Maintaining Desired State overhead"]
Container Engine for Kubernetes - OKE
[Figure: three ways to run Kubernetes: Roll-Your-Own Container Management; Pre-Built Kubernetes Installer; Enterprise Class Managed Kubernetes Service]
• Open source, based on Terraform
• Key Highlights
– Highly available Kubernetes cluster configured in your OCI tenancy and compartment
– Creates VCN, subnets, LBs and instances for the control plane and your cluster
– Scale your cluster as needed
[Figure: kubectl and other clients reach the masters (k8s-master-n) over the Internet through an optional OCI load balancer; etcd-1, etcd-2 and etcd-3 are placed in ad-1, ad-2 and ad-3]
https://blogs.oracle.com/developers/get-a-highly-available-kubernetes-cluster-on-oracle-cloud-infrastructure-in-minutes
Introduction
What is It?
• Managed Kubernetes container service to deploy and run your own container based apps
• Tooling to create, scale, manage & control your own standard Kubernetes clusters instantly
What Problems Does it Solve?
• Too complex, costly and time consuming to build & maintain environments
• Too hard to integrate Kubernetes with a registry and build process for container lifecycle management
• Too difficult to manage and control team access to production clusters
Key Benefits
• Enables developers to get started and deploy containers quickly. Gives DevOps teams visibility and control for Kubernetes management.
• Combines production grade container orchestration of open Kubernetes with control, security, IAM, and the high, predictable performance of Oracle's next generation cloud infrastructure
• Enables developers to get started and deploy containers quickly, DevOps teams with Kubernetes
• Combines production grade container orchestration of open Kubernetes with control, security and the high, predictable performance of Oracle's next generation OCI cloud infrastructure
[Figure: bar chart of Kubernetes challenges, percentages (0-60) reported by companies with >1,000 containers (source: CNCF Survey, The New Stack, 22 Mar 2018). Categories: security, complexity, storage, container networking & persistent storage, monitoring, logging, reliability, access, scaling based on load, vendor support, automated testing / conditional release.]
Slide notes (fragments): Setting up security; Deploying clusters; Managing Teams; CI/CD Integration.
[Figure: Oracle Managed vs Customer Managed, on Oracle Cloud Infrastructure. Oracle Managed: Cluster Management; HA - 3 masters/etcd across 3 ADs; in-flight and at-rest data encryption; Container Engine Dashboard. Customer Managed: VM based clusters and nodes; bare metal clusters and nodes.]
The grey shaded area designates the functions that Oracle manages for customers, including an integrated Registry and image storage and the Container Engine / Managed Kubernetes.
Oracle will manage the etcd and master nodes of the Kubernetes instance, in a high availability setup for the customer. Upgrades to new versions of Kubernetes will also be supported in the Container Engine dashboard, within the OCI console.
The customer will manage the clusters/worker nodes that are set up by the managed service for that
Note: The customer will need to bring their own OCI account to create clusters for the managed Kubernetes cloud service and pay for any infrastructure usage incurred with their clusters of worker nodes.
[Figure: the same Oracle Managed vs Customer Managed diagram with pricing. Oracle Managed (Cluster Management; HA - 3 masters/etcd across 3 ADs; in-flight and at-rest data encryption; Container Engine Dashboard): Free. Customer Managed (VM based and bare metal clusters and nodes): pay only for the OCI resources used to run your K8s clusters (VMs, storage, LB, etc.).]
Users DO NOT pay for any of the Oracle-managed container infrastructure (the grey area). This is the "Control Plane" that enables you to configure these services and maintains operations, versions, availability, etc.
The user pays regular fees for the Compute, Storage, and Networking used in the "Data Plane" (the blue area), where the applications run, data is stored, etc.
Container Engine for Kubernetes and Registry
Container Native
• Standard Docker & Kubernetes
– Deploy standard & open upstream Docker and Kubernetes versions for compatibility across environments
• Registry Integration
– Full Docker v2 compatible private registry to store and manage images
• Container Engine
– Deploy and operate containers and clusters
• Full integration to cloud networking and storage
– Leverage the enterprise class networking, load balancing and persistent storage of Oracle Cloud Infrastructure
Developer Friendly
• Streamlined Workflow
– Use your favorite CI to push containers to the registry, then Kubernetes to deploy to clusters and manage operations
• Full REST API
– Automate the workflow, create and scale clusters through the full REST API
• Built In Cluster Add-Ons
– Kubernetes Dashboard, DNS & Helm
• Open Standards
– Docker Based Runtime
– Standard Kubernetes
Enterprise Ready
• Simplified Cluster Operations
– Fully managed, highly available registry, master nodes and control plane
– One-click Quick Create for secure Private Worker Nodes/Subnets
• Full Bare Metal Performance and Highly Available IaaS
– Combine Kubernetes with bare metal shapes for raw performance
– Deploy Kubernetes clusters across multiple Availability Domains for resilient applications
• Team Based Access Controls
– Worker Node SSH Access
– Control team access and permissions to clusters
[Figure: Lift and Shift WebLogic. WebLogic Application + WebLogic Server, with a data store such as Oracle Database -> Dockerfile -> CI/CD toolchain (Container Pipelines, Jenkins, etc.): build, test, push Docker image to Oracle Cloud Infrastructure Registry -> Container Engine for Kubernetes pulls the WebLogic and Operator images from the Registry -> WebLogic Operator managing WebLogic Server domains on Kubernetes worker nodes; the data store is migrated to Autonomous Transaction Processing. All on Oracle Cloud Infrastructure.]
An Oracle-specific, but popular use case for containerization is "Lift and Shift WebLogic." "WebLogic" consists of the WebLogic Application and WebLogic Server. WebLogic works with a database, such as Oracle Database, to serve web requests for, say, a sales portal. The entire WebLogic Application and Server are then containerized and defined in a Dockerfile, without any refactoring. After that, a CI/CD tool such as Container Pipelines, or Jenkins, is used to build, test, and push the resulting container image
This image, as well as the WebLogic Operator image (source available on GitHub:
Container Engine for Kubernetes. The WebLogic Application + Server, and its Operator are then deployed into production on Kubernetes worker nodes. The resulting application is more scalable,
[Figure: Refactor a monolith into microservices. Monolith application (User Interface, App Server + Data Access, Data Store) -> re-factor app -> push code to CI/CD toolchain (Container Pipelines, Jenkins, etc.): build, test, push Docker images to Oracle Cloud Infrastructure Registry -> Container Engine for Kubernetes pulls images from the Registry and deploys them to production -> containers running microservices (User Interface, App Server + Data Access, Data Store) on Kubernetes worker nodes. All on Oracle Cloud Infrastructure.]
A general use case for leveraging containers is refactoring existing applications. In order to do this, an existing application, consisting of User Interface, App Server + Data Access, is rewritten as microservices, with each microservice running in a separate Docker container. The data store is also containerized; databases such as MySQL, Cassandra, MongoDB, etc. are available on Docker Hub. The code is
The application and associated build scripts are then pushed into a CI/CD toolchain, such as Container Pipelines, or Jenkins. After build and test, Docker images are generated and pushed into a private registry such as Oracle Cloud Infrastructure Registry. Oracle Container Engine for Kubernetes, an enterprise-grade orchestration system for containers, can then be used to pull these Docker images and deploy the application and data store into production. The use of microservices allows the application to be more agile (code pushed more frequently), efficient, scalable, and easier to debug.
Creating an OKE Cluster in OCI
• Monthly Universal Credits accounts have a limit of 3 clusters per OCI region with 1000 nodes in a cluster; Pay-as-you-go or Promo accounts have a limit of one cluster (by default).
• You must also have compute instance quota (required) to launch k8s worker nodes in an AD or across ADs for HA.
• Required policy in the root compartment of your tenancy:
allow service OKE to manage all-resources in tenancy
• To launch a K8s cluster, the user must be either part of the Admin group or a group to which a policy grants the appropriate Container Engine for Kubernetes permissions.
• Policies can be created for users who are not part of the admin group.
• For example, to enable users in group 'dev-team' to perform any operation on cluster-related resources:
allow group dev-team to manage cluster-family in tenancy
• Note: Policies must also grant the group 'dev-team' the Networking permissions VCN_READ and VCN_CREATE, SUBNET_READ and SUBNET_CREATE, COMPARTMENT_INSPECT, INTERNET_GATEWAY_CREATE, NAT_GATEWAY_CREATE, ROUTE_TABLE_UPDATE, SECURITY_LIST_CREATE. Details here:
(https://docs.cloud.oracle.com/iaas/Content/ContEng/Concepts/contengprerequisites.htm)
Create Cluster - OKE Quickstart
cluster. Either accept the default version or select a version of your choice. Amongst other things, the Kubernetes version you select determines the default set of admission controllers that are turned on in the created cluster (the set follows the recommendation given in the Kubernetes documentation for that version).
Shape: The compute shape to use for each node in the node pool.
Quantity per Subnet: The number of worker nodes to create for the node pool in each private subnet.
Public SSH Key: (Optional) The public key is installed on all worker nodes in the cluster, and you can use this key to access the worker nodes (connect via a bastion host, since the worker nodes are in private subnets).
Kubernetes Labels: One or more labels (in addition to a default label) to add to worker nodes in the node pool to enable the targeting of workloads at specific node pools.
portion of Helm) to run in the Kubernetes cluster. With Tiller running in the cluster, you can use Helm to manage Kubernetes resources. (Tiller is the Helm v2 server component and typically runs in-cluster with broad RBAC rights; Helm v3 removed it.)
https://docs.cloud.oracle.com/iaas/Content/ContEng/Tasks/contengstartingk8sdashboard.htm
Cluster details
[Screenshot: K8s Cluster in minutes...]
Node Pool details
[Screenshot: K8s Cluster in minutes...]
Accessing the K8s Cluster - Dashboard
[Screenshots]
Accessing the K8s Cluster with kubectl
https://kubernetes.io/docs/reference/kubectl/kubectl/
Ingress Controllers
• Ingress is the built-in configuration for HTTP load balancing in a Kubernetes cluster.
• It defines the rules for external connectivity to Kubernetes services.
• With the Ingress Controller for Kubernetes, you get basic load balancing, SSL/TLS termination, support for URI rewrites, and upstream SSL/TLS encryption.
• The Ingress Controller comprises two components:
– An ingress controller deployment called nginx-ingress-controller. The deployment deploys an image that contains the binary for the ingress controller and Nginx.
– An ingress-controller service called ingress-nginx. The service exposes the ingress controller deployment as a LoadBalancer type service.
28
to rai
se du
en ik.
lic arth
ble (k
ra y
fe m
ns isa
tra ra
n- Du
no an
y
ike
rth
Ka
Metric | Unit | Description
Bytes Received | Bytes | Number of bytes received by the API gateway from front-end clients
Bytes Sent | Bytes | Number of bytes sent by the API gateway to front-end clients
Backend Responses | Count | Count of the HTTP responses returned by the backend services
Gateway Latency | Seconds | Time from when the API gateway receives the first byte of an HTTP request to when the response send operation is completed
Backend Latency | Seconds | Time between the API gateway sending a request to the back-end service and receiving a response from the back-end service
Level 100
Jamal Arif
Objectives
• Set Global image retention policies
Introduction
What is It?
• A high availability Docker v2 container registry service
• Stores Docker images in private or public repositories
• Runs as a fully managed service on Oracle Cloud Infrastructure
What Problems Does it Solve?
• Without a managed registry it is hard to enforce access rights and security policies for images
• It is hard to find the right images and have them available in the region of deployment
Key Benefits
• Full integration with Container Engine for Kubernetes (OKE)
• Registries are private by default, but can be made public by an admin
• Co-located regionally with Container Engine for low latency Docker image deploys
• Leverages OCI for high performance, low latency and high availability
[Figure: the Oracle Managed vs Customer Managed diagram from the Container Engine module, repeated for the Registry. Oracle Managed (free): Cluster Management; HA - 3 masters/etcd across 3 ADs; in-flight and at-rest data encryption; Container Engine Dashboard; Registry. Customer Managed: VM based and bare metal clusters and nodes; pay only for the OCI resources used to run your K8s clusters (VMs, storage, LB, etc.) and to store your images.]
• To use the Registry service, the user is either part of the admin group or part of a group to which a policy grants the appropriate permissions:
– allow group acme-viewers to inspect repos in tenancy – ability to see a list of all repositories in Oracle Cloud Infrastructure Registry belonging to the tenancy
– allow group acme-managers to manage repos in tenancy – ability to perform any operation on any repository in Oracle Cloud Infrastructure Registry that belongs to the tenancy (pull an image, push an image, create/delete repos, etc.)
Note: repos are tenancy-level resources, so policies controlling access to them need to go into the root compartment (i.e., the tenancy).
• The user needs to have an OCI username and auth token before being able to push/pull an image.
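The policy statements on this slide and on the OKE prerequisites slide (allow service OKE to manage all-resources in tenancy; allow group dev-team to manage cluster-family in tenancy) all follow the same grammar: allow <subject> to <verb> <resource-type> in <location> [where <conditions>]. The following is an added example, not Oracle tooling or course material: a parser for that grammar plus a small least-privilege linter that flags manage all-resources, tenancy-wide write verbs on resources that could be scoped to a compartment, and any-user without a where clause. The set of tenancy-level resource types is an assumption limited to what the course states (repos), so manage repos in tenancy is accepted while manage cluster-family in tenancy is flagged.

```python
"""Parse and lint OCI IAM policy statements.

Added example, not Oracle's tooling. TENANCY_LEVEL_TYPES only contains 'repos'
because that is the one tenancy-level type the course names; extend it as needed.
"""
import re
from typing import Any, Dict, List

TENANCY_LEVEL_TYPES = {"repos"}  # these must be granted 'in tenancy' (root compartment)

# allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
_STMT = re.compile(
    r"^\s*allow\s+(?P<subject>any-user|(?:group|dynamic-group|service)\s+\S.*?)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[a-z0-9_-]+)\s+in\s+"
    r"(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)(?:\s+where\s+(?P<where>.+))?\s*$",
    re.IGNORECASE,
)


def parse_statement(stmt: str) -> Dict[str, Any]:
    """Split one statement into subject/verb/resource/location/where (lower-cased).
    Raises ValueError for text that is not a policy statement."""
    m = _STMT.match(stmt)
    if not m:
        raise ValueError(f"not a recognised policy statement: {stmt!r}")
    parts = {k: (v.lower() if v else v) for k, v in m.groupdict().items()}
    parts["subject"] = " ".join(parts["subject"].split())
    parts["location"] = " ".join(parts["location"].split())
    return parts


def lint_statement(stmt: str) -> List[str]:
    """Return findings for one statement; an empty list means nothing stood out."""
    p = parse_statement(stmt)
    findings: List[str] = []
    if p["subject"] == "any-user" and not p["where"]:
        findings.append("any-user without a where clause applies to every authenticated principal")
    if p["verb"] == "manage" and p["resource"] == "all-resources":
        findings.append("manage all-resources is full administrative control; grant a resource family instead")
    if (
        p["location"] == "tenancy"
        and p["verb"] in ("use", "manage")
        and p["resource"] not in TENANCY_LEVEL_TYPES
    ):
        findings.append(
            f"tenancy-wide {p['verb']} on {p['resource']}; scope it to a compartment "
            "unless the resource type is tenancy-level"
        )
    return findings


def lint_policy(statements: List[str]) -> Dict[str, List[str]]:
    """Lint a whole policy; the result maps each statement to its findings."""
    return {s: lint_statement(s) for s in statements}


if __name__ == "__main__":
    course_policy = [
        "allow service OKE to manage all-resources in tenancy",
        "allow group dev-team to manage cluster-family in tenancy",
        "allow group acme-viewers to inspect repos in tenancy",
        "allow group acme-managers to manage repos in tenancy",
    ]
    for stmt, found in lint_policy(course_policy).items():
        print(stmt)
        for f in found:
            print("   -", f)
```

Feed it the statements from your own tenancy's policies (for example the output of an OCI CLI policy listing) to get a first triage list; the parser is deliberately strict, so a statement it rejects is one worth reading by hand.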
Region codes: phx Phoenix; iad Ashburn; fra Frankfurt; lhr London
• You use the Docker CLI to push/pull images to the repository in OCI.
• Create an Auth Token for the user and copy it.
• Log in to OCIR with docker login against the regional endpoint (<region-code>.ocir.io), using <tenancy-namespace>/<oci-username> as the username and the auth token as the password.
• Find images in your local repository to be pushed to OCIR and tag them in the format:
– <region-code>.ocir.io/<tenancy-namespace>/<repos-name>/<image-name>:<tag>
– docker tag 9f1191b287da iad.ocir.io/jamalarif/testing/tomcat:1.2
• Push your tagged image to OCIR:
– docker push iad.ocir.io/jamalarif/testing/tomcat:1.2
• Similarly, images can be pulled using docker pull:
– docker pull <region-code>.ocir.io/<tenancy-namespace>/<repos-name>/<image-name>:<tag>
– docker pull iad.ocir.io/jamalarif/testing/tomcat:1.2
to rai
se du
en ik.
lic arth
ble (k
ra y
fe m
ns isa
tra ra
n- Du
no an
y
ike
rth
Ka
OCIR Image Layers
Pulling Images from Registry for Kubernetes Deployments
Step 1: Create an Auth Token
Pulling Images from Registry for Kubernetes Deployments
Step 2: Create a Docker registry secret and use the Auth Token
• Create a Docker registry secret containing the Oracle Cloud Infrastructure credentials to use when pulling the image:
kubectl create secret docker-registry <secret-name> --docker-server=<region-code>.ocir.io --docker-username='<tenancy-namespace>/<oci-username>' --docker-password='<oci-auth-token>' --docker-email='<email-address>'
Pulling Images from Registry for Kubernetes Deployments (2)
Specify the image to pull from Oracle Cloud Infrastructure Registry, including the repository location and the Docker registry secret to use, in the application's manifest file:
apiVersion: v1
kind: Pod
metadata:
  name: nginx-image
spec:
  containers:
  - name: nginx
    image: iad.ocir.io/jamalarif/testing/nginx:1.1
    imagePullPolicy: Always
    ports:
    - name: nginx
      containerPort: 8080
      protocol: TCP
  imagePullSecrets:
  - name: ocirsecret
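The following Python is an added example, not code from the course: it parses an OCIR image reference in the format shown on the docker tag/push slide, accepts only the four region codes the slides list, and builds the .dockerconfigjson payload that kubectl create secret docker-registry stores for the imagePullSecrets entry above. The user name jdoe, the e-mail address and the auth token are constructed placeholders.

```python
"""Parse OCIR image references and build the Kubernetes image pull secret.

Added example, not code from the course. Reference format from the slide:
    <region-code>.ocir.io/<tenancy-namespace>/<repos-name>/<image-name>:<tag>
The user name jdoe, e-mail and auth token in __main__ are constructed placeholders.
"""
import base64
import json
import re
from dataclasses import dataclass
from typing import Optional

# Region codes named on the slide. The live service has more; accepting only
# these four is an assumption of this example.
OCIR_REGION_CODES = {"phx": "Phoenix", "iad": "Ashburn", "fra": "Frankfurt", "lhr": "London"}

_OCIR_REF = re.compile(
    r"^(?P<region>[a-z0-9-]+)\.ocir\.io/"                 # regional registry host
    r"(?P<namespace>[a-z0-9]+)/"                          # tenancy namespace
    r"(?P<path>[a-z0-9][a-z0-9._/-]*?)"                   # <repos-name>/<image-name>
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9._-]{0,127}))?$"  # optional :<tag>
)


@dataclass(frozen=True)
class OcirImageRef:
    region_code: str
    tenancy_namespace: str
    repos_name: str
    image_name: str
    tag: Optional[str]  # None when the reference carries no tag

    @property
    def docker_server(self) -> str:
        """Value for --docker-server and the key inside .dockerconfigjson."""
        return f"{self.region_code}.ocir.io"


def parse_ocir_ref(ref: str) -> OcirImageRef:
    """Split an OCIR reference into its parts; ValueError for anything else."""
    m = _OCIR_REF.match(ref)
    if not m:
        raise ValueError(f"not an OCIR image reference: {ref!r}")
    region = m.group("region")
    if region not in OCIR_REGION_CODES:
        raise ValueError(f"unknown region code {region!r}, expected one of {sorted(OCIR_REGION_CODES)}")
    repos_name, _, image_name = m.group("path").rpartition("/")
    if not repos_name or not image_name:
        raise ValueError("reference must contain <repos-name>/<image-name>")
    return OcirImageRef(region, m.group("namespace"), repos_name, image_name, m.group("tag"))


def is_ocir_ref(ref: str) -> bool:
    try:
        parse_ocir_ref(ref)
        return True
    except ValueError:
        return False


def docker_config_json(ref: OcirImageRef, oci_username: str, auth_token: str, email: str) -> str:
    """The .dockerconfigjson that `kubectl create secret docker-registry` writes.

    For OCIR the user name is '<tenancy-namespace>/<oci-username>' and the
    password is the auth token, exactly as in the kubectl command on the slide.
    """
    username = f"{ref.tenancy_namespace}/{oci_username}"
    basic = base64.b64encode(f"{username}:{auth_token}".encode()).decode()
    entry = {"username": username, "password": auth_token, "email": email, "auth": basic}
    return json.dumps({"auths": {ref.docker_server: entry}}, sort_keys=True)


def pull_secret_manifest(name: str, ref: OcirImageRef, oci_username: str,
                         auth_token: str, email: str) -> dict:
    """Equivalent Secret object for `kubectl apply -f`, referenced via imagePullSecrets."""
    payload = docker_config_json(ref, oci_username, auth_token, email).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def decode_pull_secret(manifest: dict) -> dict:
    """Reverse pull_secret_manifest: the auths map with 'auth' decoded to 'user:token',
    which is how you check a secret somebody else created."""
    auths = json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))["auths"]
    for entry in auths.values():
        entry["auth_decoded"] = base64.b64decode(entry["auth"]).decode()
    return auths


if __name__ == "__main__":
    ref = parse_ocir_ref("iad.ocir.io/jamalarif/testing/tomcat:1.2")  # sample from the slide
    print(ref, "->", ref.docker_server)
    secret = pull_secret_manifest("ocirsecret", ref, "jdoe", "EXAMPLE-AUTH-TOKEN", "jdoe@example.com")
    print(json.dumps(secret, indent=2))
```

Because the token is stored base64-encoded, not encrypted, anyone who can read the Secret can recover it with decode_pull_secret; keep the Secret in the application's namespace and scope the auth token's user to the acme-viewers style policy above.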
• Set up image retention policies to automatically delete images that meet particular selection criteria. The following rules can be applied:
– Images that have not been pulled for a certain number of days
– Images that have not been tagged for a certain number of days
– Images that have not been given particular Docker tags specified as exempt from automatic deletion
• An hourly process checks images against the selection criteria and deletes images accordingly.
• A global image retention policy pre-exists with default selection criteria to retain all images.
• Users can edit the global image retention policy or create their own custom policy.
• Policies are regional and applied at the repository level.
• Repos can only be part of one image retention policy at a time.
• After a policy is created, the first time it can take several hours to take effect; this is known as the cooling period and avoids unintentional deletion of images.
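As an added example (not Oracle's code), the function below applies the three selection criteria above to a constructed set of image records and returns what the hourly sweep would delete. Assumptions: an image is deleted when it meets any configured criterion unless it carries an exempt tag, and "not pulled for N days" means strictly more than N days.

```python
"""Which images an OCIR retention policy would delete, following the rules on the slide.

Added example, not Oracle's code. Assumptions: an image is deleted when it meets
ANY configured criterion unless it carries an exempt tag; "not pulled/tagged for
N days" means strictly more than N days; the hourly sweep and the cooling period
are outside this function. All image records are constructed samples.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set


@dataclass
class Image:
    digest: str
    tags: Set[str]
    last_pulled: Optional[date]  # None: never pulled
    last_tagged: Optional[date]  # None: never tagged


@dataclass
class RetentionPolicy:
    days_since_pull: Optional[int] = None  # delete images not pulled for this many days
    days_since_tag: Optional[int] = None   # delete images not tagged for this many days
    exempt_tags: Set[str] = field(default_factory=set)  # never delete images carrying these


# The pre-existing global policy: no criteria set, so every image is retained.
DEFAULT_GLOBAL_POLICY = RetentionPolicy()

TODAY = date(2021, 6, 1)  # constructed evaluation date


def _stale(last_event: Optional[date], days: Optional[int], today: date) -> bool:
    """True when the criterion is configured and no event falls inside the window."""
    if days is None:
        return False
    return last_event is None or today - last_event > timedelta(days=days)


def images_to_delete(images: List[Image], policy: RetentionPolicy, today: date = TODAY) -> List[str]:
    """Digests the hourly sweep would remove, in input order."""
    doomed = []
    for img in images:
        if img.tags & policy.exempt_tags:
            continue  # exempt tags always win, whatever the age criteria say
        if (_stale(img.last_pulled, policy.days_since_pull, today)
                or _stale(img.last_tagged, policy.days_since_tag, today)):
            doomed.append(img.digest)
    return doomed


def sample_images() -> List[Image]:
    """Constructed repository contents; digests are placeholders, not real images."""
    return [
        Image("sha256:aaa", {"1.0"}, date(2021, 1, 1), date(2021, 1, 1)),             # old, untouched since January
        Image("sha256:bbb", {"latest"}, date(2021, 5, 25), date(2021, 5, 25)),        # pulled a week ago
        Image("sha256:ccc", {"2.0", "release"}, date(2020, 12, 1), date(2020, 12, 1)),  # old but carries an exempt tag
        Image("sha256:ddd", set(), None, None),                                        # untagged, never pulled
    ]


if __name__ == "__main__":
    policy = RetentionPolicy(days_since_pull=30, exempt_tags={"release"})
    print("custom policy deletes:", images_to_delete(sample_images(), policy))
    print("global default deletes:", images_to_delete(sample_images(), DEFAULT_GLOBAL_POLICY))
```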
On the OCIR home page, click Settings, and then select Image retention policies.
Create a new custom image retention policy.
• After the policy is created, add repositories by clicking + Add repository.
• Remove the repos from the policy.
• Set global image retention policies
Level 100
Object Storage
Unauthorized reproduction or distribution prohibited. Copyright© 2021, Oracle University and/or its affiliates.

Objectives
After completing this lesson, you should be able to:
• Understand OCI Object Storage
• Identify Object Storage Capabilities
Storage services comparison (column headers inferred from the unit sizes):
Service: Local NVMe SSD | Block Volume | File Storage | Object Storage | Archive Storage
Capacity: Terabytes+ | Petabytes+ | Exabytes+ | Petabytes+ | Petabytes+
Unit size: 51.2 TB for BM, 6.4-25.6 TB for VM | 50 GB to 32 TB/vol, 32 vols/instance | Up to 8 Exabyte | 10 TB/object | 10 TB/object
Use cases: Big Data, OLTP, high performance workloads | Apps that require SAN like features (Oracle DB, VMW, Exchange) | Apps that require shared file system (EBS, HPC) | Unstructured data incl. logs, images, videos | Long term archival and backups (Oracle DB backups)
* in multi-AD regions
Object Storage Intro
• Offers two distinct storage classes to address the need for performant, frequently accessed "hot" storage, and less frequently accessed "cold" storage
• Supports private access from Oracle Cloud Infrastructure resources in a VCN through a Service Gateway
• Supports advanced features such as cross-region copy, pre-authenticated requests, lifecycle rules and multipart upload
• Content Repository: highly available and durable content repository for data, images, logs, video, etc.
• Archive/Backup: use of object storage for preserving data for longer periods of time
• Log Data: application log data for analysis and debugging/troubleshooting
• Large Data Sets: large data, e.g. pharmaceutical trials data, genome data, and Internet of Things (IoT)
• Big Data/Hadoop Support
– Use as a primary data repository for big data enables ~50% improvement in performance
– HDFS connector provides connectivity to various big data analytic engines like Apache Spark and MapReduce
• Strong consistency
– Object Storage Service always serves the most recent copy of the data when retrieved.
• Durability
– Data is stored redundantly across multiple storage servers across multiple ADs.
– Data integrity is actively monitored; corrupt data is detected and automatically repaired.
• Performance
– Compute and Object Storage Services are co-located on the same fast network.
• Custom metadata
– Define your own extensive metadata as key-value pairs.
• Encryption
– Employs 256-bit Advanced Encryption Standard (AES-256) to encrypt object data.
• Object
– All data, regardless of content type, is managed as objects (e.g. logs, videos).
– Each object is composed of the object itself and the metadata of the object.
• Bucket
– A logical container for storing objects. Each object is stored in a bucket.
• Namespace
– A logical entity that serves as a top-level container for all buckets and objects.
– Each tenancy is provided one unique namespace that is global, spanning all compartments and regions.
– Bucket names must be unique within your tenancy, but can be repeated across tenancies.
– Within a namespace, buckets and objects exist in a flat hierarchy, but you can simulate a directory structure using prefixes and hierarchies.
• The service prepends the Object Storage namespace string and bucket name to the object name: /n/<object_storage_namespace>/b/<bucket>/o/<object_name>
– https://objectstorage.us-phoenix-1.oraclecloud.com/n/gse00014346/b/DatabaseBackup/o/database1.dbf
• Flat hierarchy
• For a large number of objects, use prefixes and hierarchies:
– /n/ansh8tvru7zp/b/event_photos/o/marathon/finish_line.jpg
– /n/ansh8tvru7zp/b/event_photos/o/marathon/participants/p_21.jpg
– You can use the CLI to perform bulk downloads and bulk deletes of all objects at a specified level of the hierarchy, without affecting objects in levels above or below.
– In the example above, you can use the CLI to download or delete all objects at the marathon/ level without downloading or deleting objects at the marathon/participants sublevel.
• Seldom or rarely accessed data that must be retained and preserved for long periods of time.
• Minimum retention requirement for Archive Storage is 90 days.
• Objects need to be restored before download.
• An Archive bucket can't be upgraded to the Standard storage tier.
• Time To First Byte (TTFB) after an Archive Storage restore request is made: 4 hours
Object Storage Capabilities
• Pre-Authenticated Requests
– Provide a way to let users access a bucket or an object without having their own credentials
– Access is via a unique URL, for example, https://objectstorage.us-ashburn-1.oraclecloud.com/p/p09Nx-f4UaLCN-MMOxGQIpobmMchgHQrSQv4Lr-aSzs/n/intoraclerohit/b/Image/o/kvm
– The links can be revoked at any time (much easier than S3)
• Public Buckets
– At creation, a bucket is considered private and access to the bucket requires authentication and authorization.
– The service supports anonymous, unauthenticated access to a bucket by making the bucket public (read access to the bucket).
– Changing the type of access doesn't affect existing pre-authenticated requests. Existing pre-authenticated requests still work.
Object copy:
• You must specify an existing target bucket.
• Bulk copying is not supported.
• Objects cannot be copied from Archive storage.
Lifecycle rules:
• If no prefix is specified, the rule will apply to all objects in the bucket.
• A rule that deletes an object always takes priority over a rule that would archive that same object.
• Enable or disable a rule to make it active or inactive.
For the objects /n/ansh8tvru7zp/b/apparel/o/gloves_27_dark_green.jpg and /n/ansh8tvru7zp/b/apparel/o/gloves_27_light_blue.jpg, gloves_27 is the prefix.
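The two prefix behaviours described in this lesson, as one added example that is not Oracle's code: selecting the objects at exactly one level of the simulated marathon/ hierarchy (the bulk download/delete case on the naming slide) and evaluating lifecycle rules with and without a prefix, with DELETE taking priority over ARCHIVE. Object names come from the slides plus constructed extras; the two rules are constructed.

```python
"""Prefix handling in OCI Object Storage, as an added example (not Oracle's code).

Part 1 mirrors the CLI behaviour on the naming slide: pick the objects at exactly
one level of a simulated directory hierarchy without touching sublevels. Part 2
applies lifecycle rules to an object: a rule with no prefix covers the whole
bucket, and a DELETE rule beats an ARCHIVE rule for the same object. Object names
are the ones on the slides plus constructed extras.
"""
from dataclasses import dataclass
from typing import List, Optional

DELIMITER = "/"

# Object names (without the /n/<namespace>/b/<bucket>/o/ part the service prepends)
SAMPLE_OBJECTS = [
    "marathon/finish_line.jpg",        # from the slide
    "marathon/participants/p_21.jpg",  # from the slide
    "marathon/participants/p_22.jpg",  # constructed
    "gloves_27_dark_green.jpg",        # from the slide
    "gloves_27_light_blue.jpg",        # from the slide
    "gloves_28_red.jpg",               # constructed
]


def objects_at_level(names: List[str], level_prefix: str) -> List[str]:
    """Objects directly under level_prefix (e.g. 'marathon/'), excluding deeper sublevels
    and levels above; '' selects the top level."""
    if level_prefix and not level_prefix.endswith(DELIMITER):
        level_prefix += DELIMITER
    selected = []
    for name in names:
        if not name.startswith(level_prefix):
            continue
        remainder = name[len(level_prefix):]
        if remainder and DELIMITER not in remainder:
            selected.append(name)
    return sorted(selected)


def sublevels(names: List[str], level_prefix: str) -> List[str]:
    """Simulated sub-directories one step below level_prefix."""
    if level_prefix and not level_prefix.endswith(DELIMITER):
        level_prefix += DELIMITER
    found = set()
    for name in names:
        if name.startswith(level_prefix):
            remainder = name[len(level_prefix):]
            if DELIMITER in remainder:
                found.add(level_prefix + remainder.split(DELIMITER, 1)[0] + DELIMITER)
    return sorted(found)


@dataclass(frozen=True)
class LifecycleRule:
    name: str
    action: str                   # "DELETE" or "ARCHIVE"
    days: int                     # object age at which the action applies
    prefix: Optional[str] = None  # None or '' means every object in the bucket
    enabled: bool = True


# Constructed rules: archive everything after 30 days, delete the gloves_27 line after 60.
SAMPLE_RULES = [
    LifecycleRule("archive-all", "ARCHIVE", 30),
    LifecycleRule("purge-gloves-27", "DELETE", 60, prefix="gloves_27"),
]


def lifecycle_outcome(name: str, age_days: int, rules: List[LifecycleRule]) -> Optional[str]:
    """Action applied to one object today, or None. DELETE always wins over ARCHIVE."""
    actions = set()
    for rule in rules:
        if not rule.enabled or age_days < rule.days:
            continue
        if rule.prefix and not name.startswith(rule.prefix):
            continue
        actions.add(rule.action)
    if "DELETE" in actions:
        return "DELETE"
    if "ARCHIVE" in actions:
        return "ARCHIVE"
    return None


if __name__ == "__main__":
    print("marathon/ level only:", objects_at_level(SAMPLE_OBJECTS, "marathon/"))
    print("sublevels of marathon/:", sublevels(SAMPLE_OBJECTS, "marathon/"))
    for obj in SAMPLE_OBJECTS:
        print(f"{obj:35s} at 90 days -> {lifecycle_outcome(obj, 90, SAMPLE_RULES)}")
```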
Multipart upload:
– Initiate a multipart upload by making a CreateMultipartUpload REST API call.
3. Upload object parts.
– Make an UploadPart request for each object part upload.
– If you have network issues, you can restart a failed upload for an individual part. You do not need to restart the entire upload.
4. Commit the upload.
– When you have uploaded all object parts, complete the multipart upload by committing it.
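The multipart procedure above, simulated offline as an added example that is not Oracle's code: FakeObjectStorage stands in for the CreateMultipartUpload, UploadPart and commit calls, part 2 is made to fail once, and the request log shows that only that part is re-sent before the commit verifies every part's checksum. The data and failure pattern are constructed.

```python
"""Multipart upload flow from the slide, simulated offline with part-level retry.

Added example, not Oracle's code: FakeObjectStorage stands in for the
CreateMultipartUpload / UploadPart / CommitMultipartUpload REST calls. It shows
that a part lost to a network error is re-sent on its own (the parts already
stored are not uploaded again) and that the commit checks every part's
checksum before assembling the object. Data and failure pattern are constructed.
"""
import hashlib
from typing import Dict, List, Set, Tuple

SAMPLE_DATA = bytes(range(256)) * 10  # 2560 constructed bytes


class FakeObjectStorage:
    """Minimal stand-in for the service side of a multipart upload."""

    def __init__(self, fail_parts_once: Set[int] = frozenset()):
        self.uploads: Dict[str, Dict[int, Tuple[bytes, str]]] = {}
        self.objects: Dict[str, bytes] = {}
        self.calls: List[str] = []                      # request log for inspection
        self._pending_failures = set(fail_parts_once)   # parts that fail on first attempt

    def create_multipart_upload(self, object_name: str) -> str:
        upload_id = f"upload-{len(self.uploads) + 1}"
        self.uploads[upload_id] = {}
        self.calls.append(f"CreateMultipartUpload {object_name}")
        return upload_id

    def upload_part(self, upload_id: str, part_num: int, data: bytes) -> str:
        """Store one part; returns its checksum (the ETag the real API returns)."""
        self.calls.append(f"UploadPart {part_num}")
        if part_num in self._pending_failures:
            self._pending_failures.discard(part_num)
            raise ConnectionError(f"network issue while sending part {part_num}")
        etag = hashlib.md5(data).hexdigest()
        self.uploads[upload_id][part_num] = (data, etag)
        return etag

    def commit_multipart_upload(self, upload_id: str, object_name: str,
                                parts: List[Tuple[int, str]]) -> None:
        """Assemble parts in number order; refuse if a checksum does not match."""
        self.calls.append("CommitMultipartUpload")
        stored = self.uploads.pop(upload_id)
        body = b""
        for num, etag in sorted(parts):
            data, stored_etag = stored[num]
            if etag != stored_etag:
                raise ValueError(f"checksum mismatch on part {num}")
            body += data
        self.objects[object_name] = body


def split_parts(data: bytes, part_size: int) -> List[bytes]:
    return [data[i:i + part_size] for i in range(0, len(data), part_size)]


def multipart_upload(store: FakeObjectStorage, object_name: str, data: bytes,
                     part_size: int, max_attempts: int = 3) -> List[Tuple[int, str]]:
    """Client side: create, upload each part (retrying only that part), commit."""
    upload_id = store.create_multipart_upload(object_name)
    parts: List[Tuple[int, str]] = []
    for num, chunk in enumerate(split_parts(data, part_size), start=1):
        for attempt in range(1, max_attempts + 1):
            try:
                parts.append((num, store.upload_part(upload_id, num, chunk)))
                break
            except ConnectionError:
                if attempt == max_attempts:
                    raise  # give up on this part; nothing else needs re-sending
    store.commit_multipart_upload(upload_id, object_name, parts)
    return parts


if __name__ == "__main__":
    store = FakeObjectStorage(fail_parts_once={2})
    parts = multipart_upload(store, "big.bin", SAMPLE_DATA, part_size=1000)
    print(len(parts), "parts committed; object intact:", store.objects["big.bin"] == SAMPLE_DATA)
    print("\n".join(store.calls))
```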
In this lesson, you should have learned that Object Storage Service:
• Is an Internet-scale, high-performance storage platform
• Is a regional service, not tied to any specific compute instance
• Offers two distinct storage classes to address the need for performant, frequently accessed "hot" storage, and less frequently accessed "cold" storage
• Supports private access from Oracle Cloud Infrastructure resources in a VCN through a Service Gateway
• Supports advanced features such as cross-region copy, life cycle management, pre-authenticated requests and multipart uploads
Level 100
Block Volume

Objectives
After completing this lesson, you should be able to:
• Understand Boot Volume Service
Storage services comparison (column headers inferred from the unit sizes):
Service: Local NVMe SSD | Block Volume | File Storage | Object Storage | Archive Storage
Capacity: Terabytes+ | Petabytes+ | Exabytes+ | Petabytes+ | Petabytes+
Unit size: 51.2 TB for BM, 6.4-25.6 TB for VM | 50 GB to 32 TB/vol, 32 vols/instance | Up to 8 Exabyte | 10 TB/object | 10 TB/object
Use cases: Big Data, OLTP, high performance workloads | Apps that require SAN like features (Oracle DB, VMW, Exchange) | Apps that require shared file system (EBS, HPC) | Unstructured data incl. logs, images, videos | Long term archival and backups (Oracle DB backups)
Local NVMe Storage
Instance type | NVMe SSD devices
BM.DenseIO2.52 | 8 drives = 51.2 TB raw
VM.DenseIO2.8 | 2 drives = 6.4 TB raw
VM.DenseIO2.16 | 4 drives = 12.8 TB raw
VM.DenseIO2.24 | 8 drives = 25.6 TB raw

[opc@nvme ~]$ lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0    0  5.8T  0 disk
nvme1n1 259:3    0  5.8T  0 disk
nvme2n1 259:1    0  5.8T  0 disk
nvme3n1 259:2    0  5.8T  0 disk
nvme4n1 259:5    0  5.8T  0 disk
nvme5n1 259:6    0  5.8T  0 disk
nvme6n1 259:4    0  5.8T  0 disk
nvme7n1 259:7    0  5.8T  0 disk
sda       8:0    0 46.6G  0 disk
├─sda2    8:2    0    8G  0 part [SWAP]
├─sda3    8:3    0 38.4G  0 part /
└─sda1    8:1    0  200M  0 part /boot/efi
Diagram comparing two Local NVMe Instance SSD (VM/BM) cases: data saved on instance reboot or pause, versus data deleted on instance reboot or pause (not usable for primary data).

"With Oracle Cloud Infrastructure, companies can leverage NVMe for persistent storage to host databases and applications. However, other cloud providers typically do not offer such a capability. In cases where NVMe storage was an option with other vendors, it was not persistent. This meant that the multi-terabyte database that researchers loaded to this storage was lost when the server stopped."
~Accenture
Local NVMe performance numbers (steady-state of operation):
BM.DenseIO1.36: 2.5MM
VM.DenseIO2.8: 250k
VM.DenseIO2.16: 400k
VM.DenseIO2.24: 800k
BM.DenseIO2.52: 3.0MM
• Run tests on Oracle Linux shapes with third-party benchmark suites, https://github.com/cloudharmony/block-storage.
Block Volume Intro
• Block Volume Service lets you store data on block volumes independently and beyond the lifespan of compute instances.
• Block volumes operate at the raw storage device level and manage data as a set of numbered, fixed-size blocks using a protocol such as iSCSI.
• You can create, attach, connect, and move volumes, as needed, to meet your storage and application requirements.
• Typical scenarios:
– Persistent and durable storage
– Expand an instance's storage
– Instance scaling
Performance: per-instance limits
• Up to 620K or more IOPS, near line-rate throughput.
Durability: multiple replicas across multiple storage servers within the AD
Security: encrypted at rest and in transit
* For Bare Metal or 8-core+ VM compute instances, using 4KB blocks. VM performance is limited by VM network bandwidth.
** 256 KB block size
network hardware virtualization to access block volumes. The hypervisor is not involved in the iSCSI attachment process.
• By default, all Block Volumes are Read/Write.
• A Block Volume can also be read-only to protect against accidental modification.
• When an instance no longer requires a block volume, you can disconnect and then detach it from the instance without any loss of data.
• When you attach the same volume to another instance or to the same instance, DO NOT FORMAT the disk volume. Otherwise, you will lose all the data on the volume.
• When the volume itself is no longer needed, you can delete the block volume.
• You cannot undo a delete operation. Any data on a volume will be permanently deleted once the volume is deleted.
The Oracle Cloud Infrastructure Block Volume service lets you expand the size of block volumes and boot volumes. You have three options to increase the size of your volumes:
• Clone an existing volume to a new, larger volume.
Diagram: a 50 GB block or boot volume is resized by the Oracle Cloud Infrastructure Block Volumes Service up to a 32 TB block or boot volume.
You can only increase the size of the volume; you cannot decrease the size.

Notes: It provided the ability to expand an existing boot and block volume by taking the volume offline by using
• Extend partition(s).
This capability applies to both block volumes and boot volumes. It allows increasing the size of the volume up to the maximum allowed by block storage (which is 32 TB as of the time of this feature development). Volumes cannot be decreased in size.
Backup and Restoration
Diagram: AVAILABILITY DOMAIN-1 with Subnet A (Server, Block Storage (Backup)) and Subnet B (Server, Block Storage (Restore)); the backup is written to Object Storage and restored from it.
• Backups are done using point-in-time snapshots. Therefore, while the backup is being performed asynchronously in the background, your applications can continue to access your data without any interruption or performance impact.
– For a 2 TB volume being backed up for the first time: ~30 mins
– For a 50 GB boot volume being backed up for the first time: ~ a few mins
• On-demand, one-off block volume backups provide a choice of incremental versus full backup options.
Backup options:
• On-demand, one-off: point-in-time snapshot
• Automated policy-based: backs up automatically on a schedule and retains backups based on the selected backup policy. Three backup policies:
– Bronze: monthly incremental backups, retained for twelve months (+ full yearly backup, retained for 5 years)
– Silver: weekly incremental backups, retained for four weeks (+ Bronze)
– Gold: daily incremental backups, retained for seven days (+ Silver, + Bronze)
• Customized backup policy not available today
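To make the three policies concrete, the added example below (not Oracle's code) lists which backups each tier takes on a given day and counts how many a volume accumulates over a year of retention. The slide gives only frequencies and retention periods, so the schedule days (weekly on Sunday, monthly on the 1st, yearly on 1 January) and the day-count conversions are assumptions of this example.

```python
"""What the Bronze/Silver/Gold backup policies from the slide actually take and keep.

Added example, not Oracle's code. The slide gives frequency and retention only;
assumed schedule: daily every day, weekly on Sunday, monthly on the 1st, yearly
full backup on 1 January. Retention is 7 days, 4 weeks (28 days), twelve months
(365 days) and 5 years (1826 days). Dates are ISO strings.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# schedule -> (backup kind, retention in days)
SCHEDULES: Dict[str, Tuple[str, int]] = {
    "yearly": ("full", 5 * 365 + 1),
    "monthly": ("incremental", 365),
    "weekly": ("incremental", 28),
    "daily": ("incremental", 7),
}

# Each tier includes the schedules of the tiers below it (+Silver, +Bronze on the slide).
POLICIES: Dict[str, List[str]] = {
    "Bronze": ["yearly", "monthly"],
    "Silver": ["yearly", "monthly", "weekly"],
    "Gold": ["yearly", "monthly", "weekly", "daily"],
}


def _is_due(schedule: str, day: date) -> bool:
    return {
        "daily": True,
        "weekly": day.weekday() == 6,               # Sunday (assumed)
        "monthly": day.day == 1,                    # 1st of the month (assumed)
        "yearly": day.month == 1 and day.day == 1,  # 1 January (assumed)
    }[schedule]


def backups_due(policy: str, iso_day: str) -> List[Tuple[str, str, str]]:
    """(schedule, kind, expiry date) for each backup the policy takes on that day."""
    day = date.fromisoformat(iso_day)
    due = []
    for schedule in POLICIES[policy]:
        if _is_due(schedule, day):
            kind, keep_days = SCHEDULES[schedule]
            due.append((schedule, kind, (day + timedelta(days=keep_days)).isoformat()))
    return due


def retained_count(policy: str, iso_first_day: str, iso_on: str) -> int:
    """Backups taken from first_day through `on` that are still retained on `on`
    (a backup expires on the day its retention runs out)."""
    day, on = date.fromisoformat(iso_first_day), date.fromisoformat(iso_on)
    kept = 0
    while day <= on:
        for _, _, expires in backups_due(policy, day.isoformat()):
            if date.fromisoformat(expires) > on:
                kept += 1
        day += timedelta(days=1)
    return kept


if __name__ == "__main__":
    for tier in POLICIES:
        print(tier, "on 2021-01-01:", backups_due(tier, "2021-01-01"))
        print(tier, "backups held after one year:", retained_count(tier, "2021-01-01", "2021-12-31"))
```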
Clone and Volume Groups
• Cloning allows copying an entire existing block volume to a new volume without needing to go through a backup and restore process.
• A clone is a point-in-time, direct disk-to-disk deep copy of an entire volume.
• The clone operation is immediate, but the actual copying of data happens in the background and can take up to 15 minutes for a 1 TB volume.
• A clone can only be created in the same AD; there is no need to detach the source volume before cloning it.
• Clones cannot be copied to another region.
• A clone can be attached and used as a regular volume when its lifecycle state changes from "PROVISIONING" to "AVAILABLE", usually within seconds.
• Clone and backup operations are mutually exclusive.
• Number of clones created simultaneously:
– If the source volume is attached: you can create one clone at a time
– If the source volume is detached: you can create up to 10 clones from the same source volume simultaneously
the volumes in a volume group, leveraging a coordinated snapshot across all the volumes.
• This is ideal for the protection and lifecycle management of enterprise applications, which typically require multiple volumes across multiple compute instances to function effectively.
• The Volume Group feature is available at no additional charge.
Diagram: a volume group spanning 1 TB block volumes, 2 TB block volumes and a 32 TB block volume.
Boot Volumes
– Alternately, you can launch a new instance directly from an unattached boot volume if you don't wish to create a custom image.
• Delete boot volume:
– You can delete an unattached boot volume.
– You can optionally choose to automatically delete the boot volume when terminating an instance by selecting the check box in the delete confirmation dialog.
– OCI does not allow you to delete the boot volume currently attached to an instance.
• It is possible to take a manual backup, assign a backup policy or create a clone of boot volumes.
1. 'Stop' the instance you want to debug, click the 'Boot Volume' filter, and then click the 'Detach Boot Volume' button. Alternatively, you can terminate your instance, which persists your boot volume by default.
2. Navigate to a new running instance you want to use to debug your boot volume, and click the 'Attach Block Volume' button.
Linux default size is 46.6 GB; Windows default size is 256 GB
• Block Volume service supports backups (on-demand, policy-based) and restoration
• Cloning and policy-based backups are offered only by the OCI Block Volume service
• Another unique feature, Volume Groups, simplifies backups of running enterprise applications that span multiple storage volumes across multiple instances
Level 100
File Storage Service

Objectives
After completing this lesson, you should be able to:
• Understand File Storage Service & Features
• Identify File Storage Service Security Features
File Storage Service Info
Storage services comparison (column headers inferred from the unit sizes):
Service: Local NVMe SSD | Block Volume | File Storage | Object Storage | Archive Storage
Capacity: Terabytes+ | Petabytes+ | Exabytes+ | Petabytes+ | Petabytes+
Unit size: 51.2 TB for BM, 6.4-25.6 TB for VM | 50 GB to 32 TB/vol, 32 vols/instance | Up to 8 Exabyte | 10 TB/object | 10 TB/object
Use cases: Big Data, OLTP, high performance workloads | Apps that require SAN like features (Oracle DB, VMW, Exchange) | Apps that require shared file system (EBS, HPC) | Unstructured data incl. logs, images, videos | Long term archival and backups (Oracle DB backups)
File Storage Service use cases: EBS (Oracle Applications Lift and Shift), General Purpose File Systems, Big Data & Analytics, HPC, Test / Dev, MicroServices, Scale Out Apps, Databases, Containers
• Security: 128-bit, data-at-rest encryption for all file systems & metadata
• Console management, APIs, CLI, data-path commands, and Terraform
• Create 100 file systems and 2 mount targets per AD per account
Mount target:
• NFS endpoint that lives in your subnet of choice; AD-specific
• It requires three private IP addresses in the subnet. (Do not use /30 or smaller subnets for the FSS.)
• Two of the IP addresses are used during mount target creation; the 3rd IP is used for HA.
Diagram: OCI REGION with AVAILABILITY DOMAIN-1 and AVAILABILITY DOMAIN-2; NFS clients in subnets 10.0.0.0/24 and 10.0.1.0/24 of VCN 10.0.0.0/16.
• Placing NFS clients and mount target in the same subnet can
subnet, where it can consume IPs as it needs.
Diagram: OCI REGION with AVAILABILITY DOMAIN-1 and AVAILABILITY DOMAIN-2; NFS clients in subnets 10.0.0.0/24 and 10.0.1.0/24 of VCN 10.0.0.0/16.
File systems:
• Primary resources for storing files in FSS
• To access your file systems, you create a new (or use an existing) mount target.
• Accessible from OCI VM/BM instances
• Accessible from on-premises through FastConnect/VPN
Diagram: OCI REGION with AVAILABILITY DOMAIN-1 and AVAILABILITY DOMAIN-2; NFS clients in subnets 10.0.0.0/24 and 10.0.1.0/24 of VCN 10.0.0.0/16.
• The export path, along with the mount target IP address, is used to mount the file system to an instance:
– sudo mount 10.0.0.6:/example1/path /mnt/mountpointA
– sudo mount 10.0.0.6:/example2/path /mnt/mountpointB
– /mnt/mountpointA and /mnt/mountpointB are the paths to the directories on the NFS client instance on which the external file systems are mounted
• On the FSS console, click Mount Targets.
• Use the Private IP address information to mount the volume using the nfs mount command:
opc@node01:~$ sudo mkdir -p /mnt/nfs
opc@node01:~$ sudo mount 10.0.0.3:/fss-shared /mnt/nfs
NOTE: We recommend not passing mount options, to achieve the best performance with File Storage Service. This approach leaves it to the client and server to negotiate the window size for Read & Write operations.
File Storage Service Security
Four distinct and separate layers of security, each with its own authorization entities and methods, to consider when using FSS:
Security layer | Uses these... | To control actions like these...
IAM Service | OCI users, policies | Creating instances (NFS clients) and FSS VCNs. Creating, listing, and associating file systems and mount targets
Security Lists | CIDR blocks | Connecting the NFS client instance to the mount target
Export Options | Export options, CIDR blocks | Applying access control per file system based on source IP CIDR blocks; bridges the Security Lists layer and the NFS v3 Unix Security layer
NFS v3 Unix Security | Unix users | Mounting file systems (1), reading and writing files, file access security
(1) When mounting file systems, don't use mount options such as nolock, rsize, or wsize. These options cause issues with performance and file locking.
A Security List can be used as a virtual firewall to prevent NFS clients from mounting an FSS file system.
Type | Source CIDR | Protocol | Source Port | Dest Port
Ingress | 10.0.0.0/24 (1) | TCP | All | 2048-2050
Ingress | 10.0.0.0/24 | TCP | All | 111
Ingress | 10.0.0.0/24 | UDP | All | 2048
Ingress | 10.0.0.0/24 | UDP | All | 111
(1) For all subnets within the VCN (e.g. 10.0.1.0/24) to access the File System, change the CIDR to 10.0.0.0/16; all rules are stateful.
Diagram: OCI REGION with AVAILABILITY DOMAIN-1 and AVAILABILITY DOMAIN-2; NFS clients in subnets 10.0.0.0/24 and 10.0.1.0/24 of VCN 10.0.0.0/16.
• A Security List is an all-or-nothing approach: the client either can or cannot access the mount target, and therefore all file systems associated with it.
• In a multi-tenant environment, using NFS export options, you can limit clients' ability to connect to the file system and view or write data.
• An export controls how NFS clients access file systems; the info stored in an export includes the file system OCID, export path, and client access options.
• When you create a file system and associated mount target, the NFS export options for that file system are set to allow full access for all NFS clients:
– Source: 0.0.0.0/0 (All)
– Require Privileged Source Port: False
– Access: Read_Write
– Identity Squash: None
oci fs export update --export-id <FS_A_export_ID> --export-options '[{"source":"10.0.0.0/24","require-privileged-source-port":true,"access":"READ_WRITE","identity-squash":"NONE","anonymous-uid":65534,"anonymous-gid":65534}]'
oci fs export update --export-id <FS_B_export_ID> --export-options '[{"source":"10.0.1.0/24","require-privileged-source-port":true,"access":"READ_ONLY","identity-squash":"NONE","anonymous-uid":65534,"anonymous-gid":65534}]'
Diagram: Client X in 10.0.0.0/24 and Client Y in 10.0.1.0/24, both in VCN 10.0.0.0/16.
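The security-list and export-option layers from the last three slides, evaluated offline as an added example that is not Oracle's code: the ingress rules are the slide's table, the exports are the default a new file system gets next to the two FS_A/FS_B commands above, and mount_decision combines both layers for a client. Assumed: export options are tried in order, the first entry whose source matches decides, and a client that fails the privileged-port requirement is refused.

```python
"""Two of the four FSS security layers from this lesson, evaluated offline.

Added example, not Oracle's code. Layer 2 is the security list from the slide's
table (stateful ingress to the mount-target subnet); layer 3 is the per-file-system
export options: the default export a new file system gets, next to the two hardened
exports from the oci fs export update commands above. Assumption: export options
are tried in order, the first entry whose source matches decides, and a client
that fails its privileged-port requirement is refused.
"""
import ipaddress
import json
from typing import List, Optional, Tuple

Rule = Tuple[str, str, Tuple[int, int]]  # (source CIDR, protocol, dest port range)

# Security-list ingress rules exactly as on the slide
NFS_INGRESS_RULES: List[Rule] = [
    ("10.0.0.0/24", "TCP", (2048, 2050)),
    ("10.0.0.0/24", "TCP", (111, 111)),
    ("10.0.0.0/24", "UDP", (2048, 2048)),
    ("10.0.0.0/24", "UDP", (111, 111)),
]
# The slide's footnote: widen the CIDR to 10.0.0.0/16 so every subnet in the VCN can reach the mount target
VCN_WIDE_RULES: List[Rule] = [("10.0.0.0/16", proto, ports) for _, proto, ports in NFS_INGRESS_RULES]

# Export options a new file system starts with (slide): everyone, unprivileged ports, read/write
DEFAULT_EXPORT = ('[{"source":"0.0.0.0/0","require-privileged-source-port":false,'
                  '"access":"READ_WRITE","identity-squash":"NONE"}]')
# The --export-options values from the slide's two commands
FS_A_EXPORT = ('[{"source":"10.0.0.0/24","require-privileged-source-port":true,"access":"READ_WRITE",'
               '"identity-squash":"NONE","anonymous-uid":65534,"anonymous-gid":65534}]')
FS_B_EXPORT = ('[{"source":"10.0.1.0/24","require-privileged-source-port":true,"access":"READ_ONLY",'
               '"identity-squash":"NONE","anonymous-uid":65534,"anonymous-gid":65534}]')


def _truthy(value) -> bool:
    # Some slides quote the flag as the string "true"; accept both spellings.
    return value is True or str(value).strip().lower() == "true"


def security_list_allows(client_ip: str, protocol: str, dest_port: int,
                         rules: List[Rule] = NFS_INGRESS_RULES) -> bool:
    """Layer 2: does any ingress rule admit this packet to the mount target?"""
    ip = ipaddress.ip_address(client_ip)
    for cidr, proto, (low, high) in rules:
        if proto == protocol.upper() and low <= dest_port <= high and ip in ipaddress.ip_network(cidr):
            return True
    return False


def export_access(export_options_json: str, client_ip: str, source_port: int) -> Optional[str]:
    """Layer 3: access level the matching export option grants, or None if refused."""
    ip = ipaddress.ip_address(client_ip)
    for option in json.loads(export_options_json):
        if ip not in ipaddress.ip_network(option["source"].strip()):
            continue
        if _truthy(option.get("require-privileged-source-port", False)) and source_port >= 1024:
            return None  # client did not come from a privileged (<1024) port
        return option.get("access", "READ_WRITE")
    return None  # no export option covers this client


def mount_decision(client_ip: str, source_port: int, export_options_json: str,
                   rules: List[Rule] = NFS_INGRESS_RULES) -> Optional[str]:
    """Both layers for an NFSv3 mount over TCP to port 2049 (inside the 2048-2050 range)."""
    if not security_list_allows(client_ip, "TCP", 2049, rules):
        return None
    return export_access(export_options_json, client_ip, source_port)


if __name__ == "__main__":
    for ip, port, export, label in [
        ("10.0.0.9", 1023, FS_A_EXPORT, "client X, privileged port, FS_A"),
        ("10.0.0.9", 40000, FS_A_EXPORT, "client X, unprivileged port, FS_A"),
        ("10.0.1.9", 1023, FS_B_EXPORT, "client Y, FS_B, slide security list"),
        ("198.51.100.7", 40000, DEFAULT_EXPORT, "stray client, default export only"),
    ]:
        print(f"{label:45s} -> {mount_decision(ip, port, export)}")
    print("client Y with /16 rule ->", mount_decision("10.0.1.9", 1023, FS_B_EXPORT, VCN_WIDE_RULES))
```

Note that export_access alone returns READ_WRITE for the stray client under the default export: once the security list is widened, the export options are the only thing standing between an arbitrary VCN host and the file system.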
File Storage Service Snapshots
• If nothing has changed within the target file system and you take a snapshot, it does not consume any additional storage.
sa
• FSS supports four distinct and separate layers of security, each with its own authorization
entities and methods.
Unauthorized reproduction or distribution prohibited. Copyright© 2021, Oracle University and/or its affiliates.
Level 100
Database
Sanjay Narvekar
Deployment options: Bare Metal, Virtual Machine
– RAC & Data Guard
– Dynamic CPU and Storage scaling
• Security
– Infrastructure (IAM, Security Lists, Audit logs)
– Database (TDE, Encrypted RMAN backup / Block volume encryption)
• OCI Platform integration
– Tagging, Limits and Usage integration
• Bring Your Own License (BYOL)
any time.
• The number of CPU cores on an existing VM DB system cannot be changed.
• If you are launching a DB system with a virtual machine shape, you have the option of selecting an older
database version. Check Display all database versions to include older database versions in the drop-
down list of database version choices.
• When a 2-node RAC VM DB system is provisioned, the system assigns each node to a different fault
domain by default.
• Data Guard within and across ADs is available for VM DB systems (requires DB Enterprise Edition).
Block Storage
• Different Block Storage volumes are used for DATA and RECO.
• Monitors the disks for hard and soft failures.
• These actions ensure the highest level of availability and performance at all times.
• This storage architecture is required for VM RAC DB systems.
Provisioning Option (Logical Volume Manager on Block Storage)
Storage layout on the VM: Block Storage -> Physical Volumes on VM -> Volume Groups on VM -> Logical Volumes ->
ext4 file system mounts: /u01 - BITS, /u02 - DATA, /u03 - RECO
• Linux Logical Volume Manager manages the file systems used by the database for storing database files,
redo logs, etc.
• Block volumes are mounted using iSCSI.
• The available storage value you specify during provisioning determines the maximum total storage
available through scaling**
• VM RAC DB Systems cannot be deployed using this option.
• Currently supports Oracle Database 18c and 19c releases.

**Please refer to https://docs.cloud.oracle.com/iaas/Content/Database/References/fastprovisioningstorage.htm for more information
Bare Metal DB system: Oracle Linux 6.8, 52 CPU cores, 768 GB RAM, 51 TB NVMe raw
– Start with 2 cores and scale OCPUs up/down based on requirement
– Data Guard within and across ADs (requires DB Enterprise Edition)
– If the single node fails, launch another system and restore the databases from current backups
if possible
• On an NVMe disk failure, the DB system automatically creates an internal ticket and notifies the internal
team to contact the customer.
• These actions ensure the highest level of availability and performance at all times.
– Fast, Elastic, Web-Driven Provisioning
– Oracle Experts Deploy and Manage Infrastructure
• Oracle manages Exadata infrastructure - servers, storage, networking, firmware, hypervisor, etc.
• You can specify zero cores when you launch Exadata; this provisions and immediately stops Exadata.
• You are billed for the Exadata infrastructure for the first month, and then by the hour after that. Each
OCPU you add to the system is billed by the hour from the time you add it.
• Scaling from ¼ to a ½ rack, or from ½ to a full rack requires that the data associated with database
deployment is backed up and restored on a different Exadata DB system.
Resource                                   Base System   Quarter Rack        Half Rack            Full Rack
                                           X7            X6        X7        X6        X7         X6        X7
Number of Compute Nodes                    2             2         2         4         4          8         8
Total Maximum Number of Enabled CPU Cores  48            84        92        168       184        336       368
Total RAM Capacity                         720 GB        1440 GB   1440 GB   2880 GB   2880 GB    5760 GB   5760 GB
Number of Exadata Storage Servers          3             3         3         6         6          12        12
Total Raw Flash Storage Capacity           38.4 TB       38.4 TB   76.8 TB   76.8 TB   153.6 TB   153.6 TB  307.2 TB
Total Raw Disk Storage Capacity            252 TB        288 TB    360 TB    576 TB    720 TB     1152 TB   1440 TB
Total Usable Storage Capacity              74.8 TB       84 TB     106 TB    168 TB    212 TB     336 TB    424 TB
Local Storage
• After the storage is configured, the only way to adjust the allocation without reconfiguring the whole
environment is by submitting a service request to Oracle.
                                   VM DB System          Bare Metal DB System   Exadata DB System
Storage                            Block Storage         Local NVMe disks       Local spinning disks and NVMe flash cards
Real Application Clusters (RAC)    Available (2-node)    Not Available          Available
Data Guard                         Available             Available              Available*

*You can manually configure Data Guard on Exadata DB systems using native Oracle Database utilities and commands. dbcli is not available
on Exadata DB systems
**The database can be a container database with multiple pluggable databases, if the edition is High Performance or Extreme Performance.
Database version 19.3*
Extreme Performance: Yes / Yes / Yes
BYOL: Yes
*Note that Oracle Database 19c is only available on VM DB and Exadata DB Systems (as of September 2019)
Edition options:
• Real Application Testing; Advanced Compression; Active Data Guard
• Advanced Security, Label Security, Database Vault
• OLAP, Advanced Analytics, Spatial and Graph
• Management Packs
Note that all editions include Oracle Database Transparent Data Encryption (TDE)
– Billing continues in the stopped state for BM DB Systems (but not for VM DB).
• Scale CPU cores: Scale up the number of enabled CPU cores in the system (BM DB systems only).
• Scale up Storage: Increase the amount of Block Storage with no impact (VM DB systems only).
• Terminate: Terminating a DB System permanently deletes it and any databases running on it.
• Automated Applicable Patch Discovery: Automatic patch discovery and pre-flight checks/tests
• On demand patching: N-1 patching (previous patch is available if it hasn’t been applied), pre-check
and patching at the click of a button.
• Availability during patching: For Exadata and RAC shapes, patches are rolling. For single-node
systems, if Active Data Guard is configured, this can be leveraged by the patch service.
• 2 step process – Patching is a two-step process, one for DB System and one for the database. DB
System needs to be patched first before the database is patched.
• Identity and Access Controls: Granular Permissions – it is possible to control who can list patches,
apply them, etc.
• Manage backup and restore feature for VM/BM DB Systems; the Exadata backup process requires
creating a backup config file
• Backups stored in Object or Local storage (recommended: Object storage for high durability)
• DB System in private subnets can leverage Service Gateway
• Backup options
– Automatic incremental – runs once/day, repeats the cycle every week; retained for 30 days
– On-demand, standalone/ full backups
• Restore a DB
• By default, automatic backups are written to Oracle-owned object storage. (Customers will not be able to
view the object store backups.)
• Automatic backups enabled for the first time after November 20, 2018 on any database will run between
midnight and 6:00 AM in the time zone of the DB system's region.
• You can optionally specify a 2-hour scheduling window for your database during which the automatic
backup process will begin.
• These are the preset retention periods for automatic backups: 7 days, 15 days, 30 days, 45 days and 60 days.
• Backup jobs are designed to be automatically retried.
• Oracle automatically gets notified if a backup job is stuck.
• All backups to cloud Object Storage are encrypted.
• Link to troubleshooting backup issues: https://docs.us-phoenix-1.oraclecloud.com/Content/Database/Troubleshooting/Backup/backupfail.htm
• Robust Infrastructure
‒ Region with 3 Availability Domains architecture
‒ Fully redundant and non-blocking Networking Fabric
‒ 2-way or 3-way mirrored storage for Database
‒ Redundant Infiniband Fabric (Exadata) for cluster networking
• Database Options to enable HA
‒ Database RAC Option in VMs and Exadata
‒ Automated Data Guard within and across ADs
• Dynamic CPU and Storage Scaling
• Robust Infrastructure
• Standby database used for queries, reports, test, or backups (only for Active Data Guard)
• Switchover
– Planned role reversal, never any data loss
– No database re-instantiation required
– Used for database upgrades, tech refresh, data center moves, etc.
– Manually invoked via Enterprise Manager, DGMGRL, or SQL*Plus
• Failover
– Unplanned failure of Primary
– Flashback Database used to reinstate original Primary
– Manually invoked via Enterprise Manager, DGMGRL, or SQL*Plus
– May also be done automatically: Fast-Start Failover
User authentication & authorization   IAM Tenancy, Compartments and security policies, console password, API signing key, SSH keys
Data encryption                       DBaaS TDE, RMAN encrypted back-ups, Local storage and Object storage encryption at rest
End-to-end TLS                        LBaaS with TLS1.2, Customer-provided certificates
Auditing                              OCI API audit logs
VM DB System pricing (Pay as You Go / Monthly Flex):
Database Enterprise Edition Extreme Performance              OCPU Hour   $2.5202   $1.6801
BYOL - Database All Editions - Additional Capacity - BYOL    OCPU Hour   $0.2903   $0.1935
*Prices in USD, Pricing information as of June 19, 2019. Please refer to https://www.oracle.com/database/vm-cloud-pricing.html
for current pricing information
Bare Metal DB System pricing (Pay as You Go / Monthly Flex):
Standard Edition, 2 OCPU DB License (8 Max for Standard)       Hosted Environment Per Hour   $10.746    $7.1640
Enterprise Edition, 2 OCPUs enabled                             Hosted Environment Per Hour   $11.5524   $7.7016
Enterprise Edition High Performance, 2 OCPUs enabled            Hosted Environment Per Hour   $13.2661   $8.8441
Enterprise Edition Extreme Performance, 2 OCPUs enabled         Hosted Environment Per Hour   $14.9798   $9.9865
Additional OCPUs - DB Standard Edition                          OCPU Per Hour                 $0.4032    $0.2688
Additional OCPUs - DB Enterprise Edition                        OCPU Per Hour                 $0.8064    $0.5376
Additional OCPUs - DB Enterprise Edition High Performance       OCPU Per Hour                 $1.6634    $1.1089
Additional OCPUs - DB Enterprise Edition Extreme Performance    OCPU Per Hour                 $2.5202    $1.6801
Additional OCPUs added must be in multiples of 2
*Prices in USD, Pricing information as of June 19, 2019. Please refer to https://www.oracle.com/database/bare-metal-cloud-pricing.html
for current pricing information
Bare Metal | BM.DenseIO2.52 X7 (BYOL)                        Database License Metric   Pay as You Go   Monthly Flex
Database All Editions – Additional Capacity – BYOL           OCPU Per Hour             $0.2903         $0.1935
Additional OCPUs added must be in multiples of 2,
Max 8 OCPUs for DB Standard Edition
*Prices in USD, Pricing information as of June 19, 2019. Please refer to https://www.oracle.com/database/bare-metal-cloud-pricing.html
for current pricing information
Exadata Cloud Service pricing
                                       Metric                         Monthly Flex (X6)   Monthly Flex (X7)
Base System                            Hosted environment per hour    NA                  $20.1613**
Quarter Rack – BYOL                    Hosted environment per hour    $33.9785            $26.8817**
Half Rack – BYOL                       Hosted environment per hour    $67.957             $53.7634**
Full Rack – BYOL                       Hosted environment per hour    $135.914            $107.5269**
Additional OCPUs per month – BYOL      OCPU hour                      $.3226              $1.6801
*Pricing information as of June 19, 2019. Please refer to https://www.oracle.com/database/exadata-cloud-service-pricing.html
for current pricing information
** 0 enabled OCPUs

Exadata Cloud Service shapes are charged a minimum of 744 hours for the first month of the cloud
service, whether or not you are actively using it, and whether or not you terminate that cloud service prior
to usage of the entire 744 hours. For ongoing use of the same instance after the first month you will be
charged for all active hours. Additional OCPUs are billed for active hours for the first month and ongoing
use.
Exadata infrastructure costs are the same for BYOL as for PAYG on the X7 shapes.
Level 100
Sanjay Narvekar
Objectives
• Describe how to deploy, use, and manage ADB
• Customizable for DW or TP Workload
• ALL database features (e.g. Java, etc.)

Deployment spectrum:
Serverless: Ultra-Simple & Elastic
Dedicated: Customizable Private Cloud
ExaCS: Scale, Performance, Availability
DBCS: VM or bare metal, single server or RAC
Let us look at the deployment options for Oracle databases on OCI. We have two options: autonomous
or automated.
Exadata: World's Best Database Platform; Oracle Builds, Optimizes, and Automates Infrastructure; All In-Database
Automation Features Included
Exadata Use Cases: Private/Public Cloud on-premise, Consolidation, Highest Performance, Scalability for Mission
Critical Workload
Oracle Database: World's Best Database, Runs Anywhere; User Builds and Operates Databases and Infrastructure
Oracle Database Use Cases: Small to Big Database transactional need as well as DWH needs, Customer Data Center,
DIY model
Using the assessment as a guide, the next step is to create a detailed multi-phase cloud migration plan,
with each phase focusing on the migration of specific subsets of related resources. This is also a good
time to consider upgrading resources like databases and business applications, and purchasing any add-
ons required for license portability to the cloud. Organizations typically break the migration process into
phases based on one or more of the following criteria (see the slide bullet points).

Be sure to conduct test migrations with low-risk resources. This will help migration teams familiarize
themselves with Oracle migration processes and identify any problems with the step-by-step plan for
migration. There are many tools available for migrating databases, including GoldenGate Cloud
Service, Oracle Recovery Manager (RMAN), and Oracle Data Guard. Visit Oracle's Migration Partners
page to learn about available tools and third-party companies that help organizations execute successful
migrations.
Workload optimizations:
ADW: Creates Data Summaries; Memory Speeds Joins, Aggs
ATP: Creates Indexes; Memory for Caching to Avoid IO
Both: Statistics updated in real-time while preventing plan regressions
Both ADW and ATP share the Autonomous Database platform of Oracle Database 18c on our Exadata
Cloud infrastructure.
The difference is how the services have been optimized within the database. When you start loading
data into the autonomous database, we store the data in the appropriate format for the workload.
• If it is ADW, then we store data in columnar format as that's the best format for analytics
processing
• If it is ATP, then we will store the data in a row format as that's the best format for fast single row
lookups
Query optimization: For analytics workloads, we automatically parallelize the query execution to access
large volumes of data in a short amount of time to answer business questions. If it is a transaction processing
system, then we will automatically detect missing indexes and create them for you. Regardless of the
workload, we need to keep optimizer statistics current to ensure we get optimal execution plans.
With ADW we are able to achieve this by gathering statistics as part of all bulk load activities. With ATP,
where data is added using more traditional insert statements, statistics are automatically gathered
periodically.
As the data volumes change, or new access structures are created, there is the potential for an execution
plan to change, and any change could result in a performance regression, so we use Oracle SQL Plan
Management to ensure that plans only change for the better.
Feature comparison (column order inferred from the deployment-options slide: DBCS, ExaCS, ADB Serverless, ADB Dedicated)
Single/Multi Tenant        Single/Multi                 Single/Multi                 Single      Single/Multi
Software Updates           Customer Initiated           Customer Initiated           Automatic   Customer Policy Control
Private Cloud              No                           Yes                          No          Yes
Offers Availability SLA    No                           99.95%                       SLO         SLO
Database Versions          11g,12c,18c,19c              11g,12c,18c,19c              18c         19c
Disaster Recovery          Yes (Across ADs & Regions)   Yes (Across ADs & Regions)   No          No
Hybrid DR                  Yes                          Yes                          No          No
Consolidation              Yes                          Yes                          No          Yes
The journey to the Cloud can have many stages and Autonomous Cloud is the same.
Some customers are embracing Cloud for new developments or doing legacy lift and shift, but other
customers will have huge mixed implementations where parts of their systems are running on-premises
Understanding where and how your customer might be using our data management solutions allows
On the left we have the most manual implementations: more traditional on-premises installs either on
commodity hardware or Exadata. This is the land of the traditional IT DBA doing maintenance,
patching, upgrades, optimizations, the time-consuming stuff.
On the right we move through DBs running on our Cloud Infrastructure (the lift and shift opportunity,
which is still a heavy DBA workload) and then gradually we move through our existing DB PaaS services
(Exadata Cloud, C@C and DBCS) which start to introduce automation and management efficiencies to
And on the far right we end up at the new Autonomous Cloud services, where all of the benefits of
reducing workload, risk, or freeing up DBAs come true.
All Database Cloud Service packages include Oracle Database Transparent Data Encryption.
High Performance extends the Enterprise package with the following options: Multitenant, Partitioning,
Advanced Compression, Advanced Security, Label Security, Database Vault, OLAP, Advanced Analytics,
Spatial & Graph, Database Lifecycle Management Pack and Cloud Management Pack for Oracle
Database.
Extreme Performance package extends the High Performance package with the following options: RAC
(Real Application Clusters), In-Memory Database, Active Data Guard.
Deployment Options
• Oracle Autonomous Database can be deployed in two ways: dedicated and serverless.
• Dedicated deployment is a deployment choice that enables you to provision autonomous databases into
their own dedicated Exadata cloud infrastructure, instead of a shared infrastructure with other tenants.
• With serverless deployment, the simplest configuration, you share the resources of an Exadata cloud
infrastructure. You can quickly get started with no minimum commitment, enjoying quick database
provisioning and independent scalability of compute and storage.
• Both deployment options are available for Autonomous Transaction Processing and Autonomous Data
Warehouse.
Autonomous Database – Autonomous Data Warehouse & Autonomous Transaction Processing (Serverless)
– Patching and upgrades
– Backup and recovery
• Full lifecycle managed using the service console
– Alternatively, can be managed via command-line interface or REST API
indexes, parallel execution
• Fast performance out of the box with zero tuning
• Simple web-based monitoring console
• Built-in resource-management plans

It is designed as a "load and go" service: you start the service, define tables, load data, and then run
queries.
You do not need to consider any details about parallelism, partitioning, indexing, or compression. The
• Shut off idle compute to save money
– Restart instantly
• Auto scaling:
– Enable auto scaling to allow Autonomous Database to use more CPU and IO resources automatically
when the workload requires it.

When you get started with Autonomous Database, simply specify the number of CPU cores and the
At any time, you can scale up or down the CPU core count or the storage capacity.
When you make resource changes for your Autonomous Database, the database resources
• Oracle cloud services: Analytics Cloud Service, GoldenGate Cloud Service, Integration Cloud Service, and others
• Connectivity via SQL*Net, JDBC, ODBC

Autonomous Database is built upon the Oracle Database, so that business intelligence applications and
These tools and applications connect to Autonomous Database using standard SQL*Net connections.
The tools and applications can either be in your data center or in a public cloud.
Oracle Analytics Cloud and other Oracle Cloud services are preconfigured for Autonomous Data
Warehouse.
Autonomous Data Warehouse: Architecture
– Admin password?
– License Type?
– Enable Auto scaling?
• New service created in a few minutes (regardless of size)
– Database is open and ready for connections
• Auto scaling scales OCPUs up when there is a demand for more computing power and then scales
them down once the demand goes down.
of CPU cores when additional cores are not needed.
• You can enable or disable auto scaling at any time.
• For billing purposes, the database service determines the average number of CPUs used per hour.

Additional points:
For databases with up to 42 assigned cores, you can increase the maximum number of cores available
Enabling auto scaling does not change the concurrency and parallelism settings for the predefined
services.
• This stores all data in encrypted format in the Oracle Database. Only authenticated users
and applications can access the data when they connect to the database.
• Database clients use SSL/TLS 1.2 encrypted and mutually authenticated connections. This
ensures that there is no unauthorized access to the ADB Cloud and that communications
between the client and server are fully encrypted and cannot be intercepted or altered.
• Certificate-based authentication uses an encrypted key stored in a wallet on both the client
(where the application is running) and the server (where your database service on the ADB
Cloud is running). The key on the client must match the key on the server to make a
connection. A wallet contains a collection of files, including the key and other information
needed to connect to your database service in the ADB Cloud.
• You can specify IP addresses (or CIDR blocks) allowed to access the ADB using the access
control list. This access control list will block all IP addresses that are not in the list from
accessing the database.

Additional points:
You do not need to do any manual configuration to encrypt your data and the connections to your
Autonomous Database Cloud uses strong password complexity rules for all users based on Oracle Cloud
security standards.

Wallet (credentials ZIP) contents:
• tnsnames.ora and sqlnet.ora: Network configuration files storing connect descriptors and
• cwallet.sso and ewallet.p12: Auto-open SSO wallet and PKCS12 file. PKCS12 file is protected by
• keystore.jks and truststore.jks: Java keystore and truststore files. They are protected by the
• ojdbc.properties: Contains the wallet related connection property required for JDBC connection.
This should be in the same path as tnsnames.ora.
[Diagram: connecting to ADW/ATP. Tenancy / Region / Availability Domain; VCN 10.0.0.0/16 with a public subnet
10.1.3.0/24 (public IP 123.254.7.10, Internet Gateway, route table, security lists) and a private subnet 10.2.2.0/24
(NAT / Service Gateway, route table, security lists). ADB endpoint public IP 129.146.160.9 behind a firewall, the ACL
and the wallet/keystore. Clients use JDBC "Thin" or Oracle Call Interface (OCI) over TCP/IP, encrypted with TLS,
across the public internet.]
1 Connecting to Autonomous Data Warehouse (ADW) or Autonomous Transaction Processing (ATP) from the public internet
2 Connecting to ADW or ATP (via NAT or Service Gateway) from a server running on a private subnet in OCI (in the same tenancy)
3 Connecting to ADW or ATP from a server running on a public subnet in OCI (in the same tenancy)
To connect to Autonomous Databases from a VCN, the VCN must be configured with one of the
following gateways:
Make sure to configure the subnet's route table with a rule that sends the desired traffic to the specific
gateway. Also configure the subnet's security lists to allow the desired traffic.
• Ensure that the Access Control List for the Autonomous Database (ADB) has the necessary entries
for CIDR Block ranges and IP addresses, as your use case dictates.
• When connecting to ADB from a client computer behind a firewall, the firewall must permit the
use of the port specified in the database connection when connecting to the servers in the
connection. The default port number for Autonomous Data Warehouse is 1522 (find the port
number in the connection string from the tnsnames.ora file in your credentials ZIP file). Your
firewall must allow access to servers within the .oraclecloud.com domain using (TCP) port 1522.
• When connecting to ADB from a server running on a private subnet (on the same OCI tenancy as
the ADB), ensure that you have a service gateway or NAT gateway attached to the VCN. The route
table for the subnet needs to have the appropriate routing rules for the service gateway or NAT
gateway. The security lists for the subnet will need to have the right egress rules.
• For connections originating from a server running on a public subnet (on the same OCI tenancy
as the ADB), ensure that route table and security lists are appropriately configured.
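The wallet's tnsnames.ora is where the host and port a firewall rule must allow actually live, and the ACL is evaluated against the address ADB sees. As an added example (not code from the Oracle course material), the following Python reads the connect descriptors out of a tnsnames.ora, derives the egress endpoints, flags any alias that is not a TLS (tcps) endpoint in the .oraclecloud.com domain, and checks a client address against an ACL that mixes single IPs and CIDR blocks. The tnsnames text is constructed in the format of the file in the credentials ZIP; its alias names, hostnames, service names and the ACL entries are placeholders.

```python
"""Added example, not from the Oracle course material: read the connect
descriptors in an ADB wallet's tnsnames.ora to derive the firewall egress a
client needs, flag any alias that is not a TLS endpoint in .oraclecloud.com,
and check a client address against the ADB access control list.

The tnsnames text below is constructed in the format of the file shipped in
the credentials ZIP; alias names, hostnames and service names are placeholders,
and the ACL entries used are constructed too.
"""
import ipaddress
import re

SAMPLE_TNSNAMES = """
adwdb_high = (description=(retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=adb.us-phoenix-1.oraclecloud.com))(connect_data=(service_name=example_adwdb_high.adwc.oraclecloud.com))(security=(ssl_server_cert_dn="CN=adwc.uscom-east-1.oraclecloud.com,OU=Oracle BMCS US,O=Oracle Corporation,L=Redwood City,ST=California,C=US")))
adwdb_low = (description=(retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=adb.us-phoenix-1.oraclecloud.com))(connect_data=(service_name=example_adwdb_low.adwc.oraclecloud.com))(security=(ssl_server_cert_dn="CN=adwc.uscom-east-1.oraclecloud.com,OU=Oracle BMCS US,O=Oracle Corporation,L=Redwood City,ST=California,C=US")))
legacy_plain = (description=(address=(protocol=tcp)(port=1521)(host=db.example.net))(connect_data=(service_name=orcl)))
"""

# One alias per line, as in the wallet's tnsnames.ora: "<alias> = (description=...)"
ALIAS_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(\(.*)$", re.MULTILINE)
# The four parameters we care about; their values never contain parentheses or spaces
PARAM_RE = re.compile(r"\((protocol|port|host|service_name)\s*=\s*([^()\s]+)\)", re.IGNORECASE)


def parse_tnsnames(text):
    """Map alias -> {"protocol", "port", "host", "service_name"} (lower-cased keys)."""
    return {m.group(1): {k.lower(): v for k, v in PARAM_RE.findall(m.group(2))}
            for m in ALIAS_RE.finditer(text)}


def egress_endpoints(entries):
    """Distinct (host, port, protocol) tuples the client-side firewall must allow."""
    return sorted({(e["host"], int(e["port"]), e["protocol"].lower()) for e in entries.values()})


def insecure_aliases(entries, allowed_domain=".oraclecloud.com"):
    """Aliases that do not use TLS (tcps) or that point outside the expected domain."""
    return sorted(alias for alias, e in entries.items()
                  if e.get("protocol", "").lower() != "tcps"
                  or not e.get("host", "").endswith(allowed_domain))


def acl_permits(acl_entries, client_ip):
    """True if the ADB access control list admits client_ip; entries may be single
    addresses or CIDR blocks. A client behind a NAT gateway reaches ADB from the
    gateway's public IP, and that is the address the ACL is matched against."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(e.strip(), strict=False) for e in acl_entries)


if __name__ == "__main__":
    entries = parse_tnsnames(SAMPLE_TNSNAMES)
    for host, port, proto in egress_endpoints(entries):
        print("allow egress to %s tcp/%d (%s)" % (host, port, proto))
    print("review:", insecure_aliases(entries))                          # ['legacy_plain']
    print(acl_permits(["129.146.160.9", "10.1.3.0/24"], "10.1.3.17"))    # True
```

Run against a real wallet, the egress list is what goes into the client-side firewall or the private subnet's security-list egress rules, and a non-empty review list means an alias would connect without the mutual TLS the wallet is there to enforce.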
• Restart instantly
• Performance Hub based monitoring
– Natively integrated in the OCI console and available via a single click from the ADB detail page
– Active Session History (ASH) analytics
– Real Time SQL monitoring
Recovery
• Autonomous Database Cloud automatically backs up your database for you. The retention period for
backups is 60 days. You can restore and recover your database to any point in time in this retention period.
• Autonomous Database Cloud automatic backups provide weekly full backups and daily incremental backups.
• You can also take manual backups using the cloud console if you want backups before any major
changes, for example before ETL processing, to make restore and recovery faster. The manual backups are
put in your Cloud Object Storage bucket. When you initiate a point-in-time recovery, Autonomous Database
Cloud decides which backup to use for faster recovery.
• You can initiate recovery for your Autonomous Database using the cloud console. Autonomous Database
Cloud automatically restores and recovers your database to the point in time you specify.
• Network Access Control Lists (ACLs) are stored in the database with other database metadata. If the
database is restored to a point in time, the network ACLs are reverted to the list as of that point in time.
us @o
24
to rai
se du
en ik.
lic arth
ble (k
ra y
fe m
ns isa
tra ra
n- Du
no an
y
ike
rth
Ka
• Autonomous Database provides cloning where you can choose to clone either the full database or only the database metadata.
• Full Clone: Creates a new database with the source database's data and metadata.
• Metadata Clone: Creates a new database with the source database's metadata without the data.
• When creating a Full Clone database, the minimum storage that you can specify is the source database's actual used space rounded up to the next TB.
• You can clone an Autonomous Database instance only to the same tenancy and the same region as the source database.
• During the provisioning of either a Full Clone or a Metadata Clone, the optimizer statistics are copied from the source database to the cloned database.
• The following applies to optimizer statistics for tables in a cloned database:
  – Loads into tables behave the same as loading into a table with statistics already in place.
  – Metadata Clone: The first load into a table after the clone clears the statistics for that table and updates the statistics with the new load.
Screenshots
• HIGH
  – …concurrency
  – Queries run in parallel
• MEDIUM
  – Less resources, higher concurrency
  – Queries run in parallel
• LOW
  – Least resources, highest concurrency
  – Queries run serially
* When connecting for replication purposes, use the LOW database service name. For example, use this service with Oracle GoldenGate connections.
The predefined service names provide different levels of performance and concurrency for Autonomous…
High: The High database service provides the highest level of resources to each SQL statement, resulting in the highest performance, but supports the fewest concurrent SQL statements. Any SQL statement in this service can use all the CPU and IO resources in your database. The number of concurrent SQL statements that can be run in this service is 3; this number is independent of the…
Medium: The Medium database service provides a lower level of resources to each SQL statement, potentially resulting in a lower level of performance, but supports more concurrent SQL statements. Any SQL statement in this service can use multiple CPU and IO resources in your database. The number of concurrent SQL statements that can be run in this service depends on the number of CPUs in your…
Low: The Low database service provides the least level of resources to each SQL statement, but supports the most concurrent SQL statements. Any SQL statement in this service can use a single CPU and multiple IO resources in your database. The number of concurrent SQL statements that can be run in this service is twice the number of CPUs in your database.
…Processing
• Five predefined database services controlling priority and parallelism
• Different services defined for Transactions and Reporting/Batch

SERVICE NAME   RESOURCE MANAGEMENT PLAN SHARES   PARALLELISM
HIGH           4                                 Operations run in parallel and are subject to queuing
MEDIUM         2                                 Operations run in parallel and are subject to queuing
LOW            1                                 None
TPURGENT       12                                Manual
TP             8                                 None

HIGH, MEDIUM and LOW are for reporting or batch processing; TPURGENT and TP are for transaction processing.
By default, the CPU/IO shares assigned to the consumer groups TPURGENT, TP, HIGH, MEDIUM, and…
The shares determine how much CPU/IO resources a consumer group can use with respect to the other consumer groups.
With the default settings the consumer group TPURGENT will be able to use 12 times more CPU/IO resources compared to LOW, when needed. The consumer group TP will be able to use 4 times more…

Autonomous Database – Dedicated
Autonomous Data Warehouse & Autonomous Transaction Processing
  – 1 Cluster per quarter rack
• Autonomous Container Database
  – Maximum of 4 per Cluster
• Autonomous Database
  – High Availability SLA – Maximum 100 DBs
  – Extreme Availability SLA – Maximum 25 DBs
Figure: provisioning flow for dedicated infrastructure: Create VCN -> Provision Autonomous Exadata Infrastructure -> Create Autonomous Container Database -> Create Autonomous Database.
Security
• Oracle automatically applies security updates for the entire stack
• Quarterly, or off-cycle for high-impact security vulnerabilities
• Customers can separately use Database Vault for their own user data isolation
• Describe how to deploy, use, and manage ADB
DNS
Level 100
Unauthorized reproduction or distribution prohibited. Copyright© 2021, Oracle University and/or its affiliates.

Objectives
• Secondary Zone Use Cases
• Managing Zone and records
Figure: the end user's query ("Example.com?") goes to the Recursive DNS Servers, which obtain the answer (1.1.1.1) from the Authoritative DNS; OCI DNS is Authoritative.
End user types http://www.twitter.com/ into their web browser and presses Enter.
• Does it know the answer to www.twitter.com already? If so, use this cached answer.
Client queries their assigned Recursive DNS server (likely their ISP) for www.twitter.com
• Recursive checks its cache to see if it knows the answer. If so, returns it to client.
• If the cache doesn't know the answer, next step.
Recursive then performs several queries (each one can be skipped if already cached)
• Queries root nameservers to find out if they know the answer to www.twitter.com
  - Root nameservers return nameservers for the Top Level Domain (TLD)

Notes
• Any name registered in authoritative DNS is a domain name
• A DNS zone is the mappings between domain names and IP addresses. Zones can be organized by geography, service, or resources.
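An added, offline model of the resolution chain just described (example code, not from the course): the recursive resolver answers from its cache when it can, otherwise walks root, TLD and authoritative servers, caching each response for its TTL so that later lookups skip the steps already cached. The nameserver names, the address 104.244.42.1 and the TTLs are constructed sample data.

```python
# Constructed referral tables standing in for the real servers:
# root -> TLD nameservers, TLD -> zone nameservers, zone -> answer.
ROOT_REFERRALS = {"com.": (["a.gtld-servers.example."], 172800)}
TLD_REFERRALS = {"twitter.com.": (["ns1.p34.dyn.example."], 86400)}
AUTHORITATIVE = {"www.twitter.com.": ("104.244.42.1", 60)}


def _fqdn(name):
    return name if name.endswith(".") else name + "."


class RecursiveResolver:
    def __init__(self, now):
        self.now = now             # injected clock, so TTL expiry is testable
        self.cache = {}            # (rtype, name) -> (value, expires_at)
        self.upstream_queries = 0  # how many servers we actually had to ask

    def _lookup(self, key):
        hit = self.cache.get(key)
        if hit and hit[1] > self.now():
            return hit[0]
        self.cache.pop(key, None)  # expired entries are dropped
        return None

    def _remember(self, key, value, ttl):
        self.cache[key] = (value, self.now() + ttl)

    def _fetch(self, key, table, steps, label):
        """Serve a referral or answer from cache, or 'ask' the next server."""
        value = self._lookup(key)
        if value is None:
            self.upstream_queries += 1
            value, ttl = table[key[1]]
            self._remember(key, value, ttl)
            steps.append(label)
        else:
            steps.append(label + " (cached)")
        return value

    def resolve(self, name):
        """Return (address, steps) for an A lookup of name."""
        name = _fqdn(name)
        steps = []
        cached = self._lookup(("A", name))
        if cached is not None:
            return cached, ["answer (cached)"]
        labels = name.rstrip(".").split(".")
        tld = labels[-1] + "."
        zone = ".".join(labels[-2:]) + "."
        # 1. Root nameservers return the nameservers for the TLD.
        self._fetch(("NS", tld), ROOT_REFERRALS, steps, "root")
        # 2. TLD nameservers return the zone's authoritative nameservers.
        self._fetch(("NS", zone), TLD_REFERRALS, steps, "tld")
        # 3. The authoritative server returns the answer for the name.
        addr = self._fetch(("A", name), AUTHORITATIVE, steps, "authoritative")
        return addr, steps


if __name__ == "__main__":
    import time
    resolver = RecursiveResolver(time.time)
    print(resolver.resolve("www.twitter.com"))   # full walk
    print(resolver.resolve("www.twitter.com"))   # served from cache
```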
DNS Zone Management
OCI DNS is a highly scalable, global anycast Domain Name System (DNS) network that assures high site availability and low latency.
It offers a complete set of functions for zone management:
• Create and manage zones and records
• Import/upload zone files
• Filter and sort views of zones and records
• Secondary DNS support
• APIs and SDKs
• CNAME (Canonical Name Record) - RFC 1035
• CSYNC (Child-to-Parent Sync Record) - RFC 7477
• DHCID (DHCP Identification Record) - RFC 4701
• DKIM (DomainKeys Identified Mail Record) - RFC 6376
• DNAME (Delegation Name Record) - RFC 6672
• DNSKEY (DNS Key Record) - RFC 4034
• DS (Delegation Signer Record) - RFC 4034
• IPSECKEY (IPSec Key Record) - RFC 4025
• SOA (Start of Authority Record) - RFC 1035
• SPF (Sender Policy Framework) - RFC 4408
• SRV (Service Locator Record) - RFC 2782
• SSHFP (SSH Public Key Fingerprint) - RFC 6594
• TLSA (Transport Layer Security Auth) - RFC 6698
• TXT (Text Record) - RFC 1035
• ALIAS (CNAME at the apex)
  – A private pseudo-record that allows CNAME functionality at the apex of a zone.
• OCI DNS is available in the OCI Console on the "Edge Services" tab.
• This will bring the user to the DNS Zone Management screen. From here the user can create Zones to see that the service is working.
Zone is created and can be verified from the Managed DNS Zones Management page.
…record.
• Click "Publish Changes" to update the Zone with the new record details.
Default NS and SOA records are automatically generated when a Zone is created, so no new records need to be added to generate query data.
Configuration 1: Oracle is Secondary, another vendor is Primary
Figure: users query a Recursive Name Server (AKA DNS Resolver); the Authoritative Name Servers are the other vendor's Primary DNS and Oracle DNS as Secondary DNS. The primary sends zone updates to the secondary, and the resolved answer directs users to the website.
• Customer maintains complete control
• Public-facing DNS network is global; the primary network doesn't need to be.
Figure: the customer's primary Authoritative Name Server is secured behind a firewall; Oracle DNS is the Secondary DNS (Public) that answers the Recursive Name Server (AKA DNS Resolver) queries from users reaching the website.
Summary
• Secondary Zone Use Cases
• Managing Zone and records
Traffic Management Policies
Level 100

Objectives
• Traffic Steering Use Cases
• OCI Traffic Management Policies
…customer-defined Traffic Management Steering Policy, thus sending users to the most optimal location in your infrastructure.
OCI DNS has advanced traffic management capabilities to steer DNS traffic across multiple public OCI instances and other private and 3rd-party assets/endpoints. Traffic management supports comprehensive policies that provide intelligent responses to ensure high performance, scalability, and availability.
Optimize the performance and responsiveness of web-based applications and sites by steering user…
Ensure high availability of critical applications through detection of endpoint health and move your traffic accordingly.
Policies allow you to set predictable business expectations for service differentiation, geographic market…
Feature parity with the acquired Dyn DNS Traffic Director product.
Use cases:
• Failover
• Cloud Migration
• Load Balancing For Scale
• Hybrid Environments
• Worldwide Geolocation Steering
• IP-Based Steering
• Zero-Rating Service
A -> B Failover
• Primary asset is monitored from multiple points via Oracle Health Checks
• Traffic is automatically directed to a different endpoint as soon as the service fails to respond
• Monitoring is powered by Oracle Health Checks
Figure: the user's Recursive Server queries OCI DNS; the Primary Cloud is in outage and the Redundant Cloud is available, so the answer points to the redundant endpoint.
• Gradually migrate more traffic when confident in the user experience
Figure: Cloud Migration: while data replication keeps the environments in sync, OCI DNS (nameserver Ns3.p34.dyn in the diagram) sends 10% of users to the Public App Hosted in Cloud.
• Leverage Oracle Health Checks to ensure users are sent to healthy endpoints.
Figure: Load Balancing For Scale: OCI DNS splits users across regions hosting the Public App in Cloud (15% to Region 2, 60% to Region 3).
Figure: Hybrid Environments: Oracle Cloud DNS (Authoritative) steers users to IP groups (IP Group A, C, D and E) spread across Datacenter1, a CDN, Datacenter2 and an Other Cloud Provider.
…regions.
• Combine with Oracle Health Checks to fail over from one region to another.
Figure: Geolocation steering: a DNS lookup from a user in Miami and one from a user in Rome are each answered with the endpoint for their own region.
Figure: IP-Based Steering: users in the 162.X.X.X/24 block querying App.company.com are directed to one endpoint (129.X.X.1), while other IP blocks are directed to the GA endpoint (129.X.X.2) for company.com.
• Conditional steering can be based on the originating enterprise, mobile operator, or other communications provider.
• Preferred ASNs can be directed to free resources while all other traffic can be directed to paid resources.
Figure: Zero-Rating Service: users from ASN### (Preferred, 136.X.X.X) are sent to the Preferred Endpoint (mycompany.com); users from All Other ASNs are sent to the Standard Endpoint (company.com).
Load Balancer (Global Server Load Balancing): Round-robin load balancing can be used to distribute traffic among multiple servers to optimize performance. Traffic can be split evenly among endpoints or weighted via ratio assignment.
Failover: It's easy to set up a simple Active-Active failover between two public assets. OCI will monitor the primary endpoint (via Oracle Health Checks) and reroute all traffic to a failover location if the primary endpoint is unresponsive.
Geolocation Steering: Traffic Steering policies can also route traffic based on the source of the query. Geolocation Steering dynamically routes requests to the appropriate Response Pool based on the physical location of the originating request.
ASN Steering: Dynamically routes traffic requests based on the originating ASN.
IP Prefix Steering: Dynamically routes traffic requests based on the originating IP prefix (e.g. 172.16.1.0/24).
• Steering Policies: A framework to define the traffic management behavior for your zones. Steering policies contain rules that help to intelligently serve DNS answers.
• Attachments: Allow you to link a steering policy to your zones. An attachment of a steering policy to a zone occludes all records at its domain that are of a covered record type, constructing DNS responses from the steering policy rather than from that domain's records. A domain can have at most one attachment covering any given record type.
• Rules: The guidelines steering policies use to filter answers based on the properties of a DNS request, such as the request's geolocation or the health of your endpoints.
• Answers: Answers contain the DNS record data and metadata to be processed in a steering policy.
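An added example (not the OCI service's implementation) of how the pieces above fit together: answers grouped into pools, ordered rules that match on IP prefix, ASN or geolocation, health-check results that remove unhealthy answers, pools tried in priority order, a limit on the number of answers, and a global catch-all (without one, an unmatched query gets a random answer, as the lesson states). The pool names, region labels, ASN and addresses are constructed.

```python
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    rdata: str          # A record data
    pool: str           # answer pool this record belongs to


@dataclass(frozen=True)
class Request:
    client_ip: str
    geo: str = ""       # constructed region label, e.g. "EU" or "NA"
    asn: int = 0


@dataclass
class SteeringPolicy:
    answers: list                 # every Answer in the policy
    rules: list                   # ordered (matcher, [pool, ...]) pairs
    catch_all: list = None        # pools for queries matching no rule
    max_answers: int = 1          # limit on answers returned

    def evaluate(self, req, health, rng=random):
        """Return the rdata values to serve for req.

        health maps rdata -> True/False as reported by health checks;
        records with no health entry are treated as healthy."""
        for matches, pools in self.rules:
            if matches(req):
                ordered_pools = pools
                break
        else:
            if self.catch_all is None:
                # No global catch-all: unmatched queries get a random answer.
                return [rng.choice(self.answers).rdata]
            ordered_pools = self.catch_all
        # Priority: serve from the first pool that still has a healthy answer
        # (PoolA first; only if PoolA fails is traffic routed to PoolB).
        for pool in ordered_pools:
            healthy = [a.rdata for a in self.answers
                       if a.pool == pool and health.get(a.rdata, True)]
            if healthy:
                return healthy[: self.max_answers]
        return []   # every candidate pool is down


def geo_rule(region, pools):
    return (lambda r: r.geo == region, pools)


def asn_rule(asn, pools):
    return (lambda r: r.asn == asn, pools)


def prefix_rule(cidr, pools):
    net = ipaddress.ip_network(cidr)
    return (lambda r: ipaddress.ip_address(r.client_ip) in net, pools)


# Constructed policy: two regional pools plus a pool for preferred clients.
POLICY = SteeringPolicy(
    answers=[Answer("203.0.113.10", "miami"), Answer("203.0.113.11", "miami"),
             Answer("198.51.100.20", "rome"), Answer("192.0.2.5", "preferred")],
    rules=[prefix_rule("172.16.1.0/24", ["preferred"]),    # IP prefix steering
           asn_rule(64496, ["preferred", "miami"]),         # ASN steering
           geo_rule("EU", ["rome", "miami"]),               # geolocation + failover
           geo_rule("NA", ["miami", "rome"])],
    catch_all=["miami", "rome"],
    max_answers=1,
)

if __name__ == "__main__":
    print(POLICY.evaluate(Request("198.18.0.1", geo="EU"), {}))
    print(POLICY.evaluate(Request("198.18.0.1", geo="EU"), {"198.51.100.20": False}))
```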
After completing this lesson, you should be able to describe the basic OCI DNS services available on OCI.

…steering policy.
The maximum number of answers returned for the policy. Answer pools contain the group of answers that will be served in response to DNS queries.
The domain, under the selected zone, that the policy will be attached to. This is concatenated with the zone name to generate the full attached domain name.
Port: The port for the monitor to look for a connection. The default is port 80. For HTTPS, use port 8080.
Path (Optional): The specific path on the target to be monitored.
Method: Select the HTTP method used for the health check.
Timeout: Select the maximum time to wait for a reply before marking the health check as failed.
Header Name (Optional): The name displayed in the request header as part of the health check. Avoid entering confidential information.
Header Value (Optional): Specifies the data requested by the header. Click + Add Header to add multiple headers in succession.
Failover Policy
Select a Health Check to be included as part of the policy.
The domain name you want to attach to the policy. Additional domains can be added in this section.

Geolocation Steering Policy
…PoolA first; only if PoolA fails is the traffic routed to PoolB.
Adding a global catch-all allows you to specify answer pools for queries that do not match any of the rules you have added. No global catch-all means that queries not matching any of the above rules will receive a random answer.
You can also attach a Global Catch-all policy.

Health Checks
• Availability & Performance Monitoring: Monitor the availability and performance of any public-facing IP address or fully qualified domain name (FQDN).
  – Simple UI Configuration: Easy to configure Health Checks for external monitoring from Vantage Points around the globe.
  – Availability Monitoring: Monitor the availability of any publicly visible IP address or FQDN from Vantage Points located around the globe.
  – Performance Monitoring: Monitor latency metrics for any publicly visible IP address or FQDN from Vantage Points located around the globe.
  – On-Demand Testing: Perform tests on demand to gauge performance and troubleshoot endpoints.
• DNS Traffic Management Failover Detection: Detect failures and use DNS Traffic Management to fail over in the event of a problem.
• Alerting and API: Fully integrated with Oracle Cloud Infrastructure Monitoring and backed by an extensive REST API.
• Hybrid Monitoring: Monitor endpoints within the Oracle cloud and across your hybrid infrastructure.
• Vantage points: Vantage points are geographic locations from which monitors and probes can be executed against your specified target. Oracle Cloud Infrastructure maintains dozens of vantage points around the world.
• Protocols: The Health Checks service allows you to configure both HTTP and ping type monitors. Each type has its respective protocols.
…endpoints drawn from public IP addresses already configured in your compartment. You can select one of these endpoints to monitor or add a new one.
• Select vantage points from which you intend to monitor the targets. These vantage points are located around the globe, and we generally recommend selecting vantage points that are located on the same continent as your application.
…of every 10 seconds. An additional fee is calculated for premium tests.
• Add any tags to help you quickly search for this check in the future.
• Click Create Health Check.

Creating a Health Check
Summary
• Traffic Steering Use Cases
• OCI Traffic Management Policies
OCI Security

Agenda
• Shared Security Model
• Identity and Access Management
• Data protection
• OS and workload isolation
• Security services
• Infrastructure protection
Figure: Shared Security Model. The stack (Data Center / Physical Security, Networking, Storage, Servers, Virtualization, Operating System) is shown twice: the layers Oracle manages and the layers the customer is responsible for.
Oracle is responsible for security of the cloud:
• Physical security for the data centers
• Hardware, software, networking
Customer-side items visible on the slide:
• Endpoint protection
• Data classification and compliance
Security need                                            OCI service
Hardware based key storage, centralized key management   Vault
OS and workload management:
  Patch Management                                       OS Management service
  Workload isolation                                     Bare Metal, Dedicated VM Hosts
Log API calls                                            Audit
Infrastructure Protection:
  Network security controls                              VCN NSG, SL
  Filter malicious web traffic                           Web Application Firewall
  DDoS Protection                                        In-built
Identity and Access Management
Figure: OCI IAM links Identities (who requests: Users, Groups, Instance) to Resources (what is requested by the Identity), organized in Compartments.

Multi-factor Authentication (MFA)
• Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one factor to verify a user's identity. Examples of authentication factors are a password (something you know) and a device (something you have).

AUTHENTICATOR APP
• An app you install on your mobile device that can provide software-based secure tokens for identity verification. Examples of authenticator apps are Oracle Mobile Authenticator and Google Authenticator. To enable MFA for the IAM service, you'll need a device with an authenticator app installed. You'll use the app to register your device and then you'll use the same app (on the same device) to generate a time-based one-time passcode every time you sign in.
• Multi-factor authentication is enabled for a specific user and for a specific device. The procedure to enable MFA for a user includes the registration of the mobile device. This same device must be used to generate the time-based one-time passcode every time the user signs in. If the registered mobile device becomes unavailable, an administrator must disable MFA for the user so that MFA can be re-enabled with a new device.

…and password (and not create a new set to use OCI).
• Federated users choose which IdP to use for sign-in, and then they're redirected to that IdP's sign-in experience for authentication.
• After entering their login and password, they are authenticated by the IdP and redirected to the OCI Console.
Data protection per service (the column headings are not legible on the page; the four columns read):
• Column 1: Data encrypted at-rest; Data encrypted in-transit; Bring Your Own Keys
• Column 2: Data encrypted at-rest; Data encrypted in-transit; Bring Your Own Keys
• Column 3: Data encrypted at-rest; Bring Your Own Keys; Private Buckets, Pre-authenticated Requests
• Column 4: Transparent Data Encryption; Data Safe; Data Vault
• Managed service that enables you to encrypt your data using keys that you control
• Key Management provides you with:
  – Centralized key management capabilities
  – Highly available, durable, and secure key storage in hardware security modules (HSMs)*
  – Integration with select Oracle Cloud Infrastructure services
• Uses HSMs that meet the Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification
• HSM hardware is tamper-evident, has physical safeguards for tamper-resistance, requires identity-based authentication, and deletes keys from the device when it detects tampering.

* An HSM is a physical computing device that safeguards digital keys and provides crypto processing.
• Supports ATP (shared), ADW (shared), VM/BM DB Systems
• Saves time and mitigates security risks
• Defense in Depth for all customers
• No special security expertise needed
• No extra costs to use
…charge for the VMs running on it
• Control and convenience
  – Control over placement across Dedicated VM Hosts, or let Oracle optimize it automatically
  – Oracle manages and monitors the hypervisor and hardware
Figure: several Virtual Machines placed on a Dedicated VM Host.
…kernel without downtime
• Configured by default for Oracle Linux instances in OCI
• API calls are logged and made available to customers.
• Includes calls made via the Console, CLI, SDKs, custom clients and other OCI services
• By default, audit logs are retained for 90 days.
• …setting)
• Searchable via the Console
• Bulk export of audit logs can be requested (takes 3-4 days)

• Information in audit logs includes:
  – Time the API activity occurred
  – Source of the activity
  – Target of the activity
  – Type of action
• Every audit log event includes two main parts:
  – Envelopes that act as a container for all event messages
  – Payloads that contain data from the resource emitting the event message
The Oracle Cloud Infrastructure Audit service records all API calls to resources in a customer's tenancy as well as login activity from the graphical management console. Using the Audit service, customers can achieve their own security and compliance goals by monitoring all user activity within their tenancy. Because all Console, SDK, and command line (CLI) calls go through our APIs, all activity from those sources is included.
Audit records are available through an authenticated, filterable query API or can be retrieved as batched files from Oracle Cloud Infrastructure Object Storage. Audit log contents include what activity occurred, the user that initiated it, the date and time of the request, as well as source IP, user agent, and HTTP…
Sample audit event (fragment; the opening fields of the record are not shown on the page):
  "compartmentName": "compartmentA",
  "resourceName": "my_instance",
  "resourceId": "ocid1.instance.oc1.phx.<unique_ID>",
  "availabilityDomain": "<availability_domain>",
  "freeformTags": null,
  "definedTags": null,
  "identity": {
    "principalName": "ExampleName",
    "principalId": "ocid1.user.oc1..<unique_ID>",
    "authType": "natv",
    "callerName": null,
    "callerId": null,
    "tenantId": "ocid1.tenancy.oc1..<unique_ID>",
    "ipAddress": "172.24.80.88",
    "credentials": null,
    "userAgent": "Jersey/2.23 (HttpUrlConnection 1.8.0_212)",
    "consoleSessionId": null
  },
  headers (nesting not recoverable from the page):
    "X-Real-IP": [ "172.24.80.88" ],
    "oci-original-url": [ "https://iaas.r2.oracleiaas.com/20160918/instances/ocid1.instance.oc1.phx.<unique_ID>" ],
    "opc-request-id": [ "<unique_ID>" ],
    "Date": [ "Wed, 18 Sep 2019 00:10:58 UTC" ]
  "message": null,
  "stateChange": { "previous": null, "current": null },
  "additionalDetails": {
    "imageId": "ocid1.image.oc1.phx.<unique_ID>",
    "shape": "VM.Standard1.1",
    "type": "CustomerVmi"
  }
Further fragments visible in the two-column layout: "splat-proxy-se-02302.node.ad2.r2", "id": "ocid1.instance.oc1.phx.<unique_ID>".
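An added example (not Oracle's tooling) of the monitoring the text describes: it flattens events shaped like the record above (envelope plus data payload with identity and resource fields) into time, source, target and action, then flags calls from outside an expected source range, sensitive actions, and principals accumulating denied responses. The events, the 172.24.80.0/24 range and the sensitive-action list are constructed assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample events following the envelope + payload layout above.
# Principals, addresses and OCIDs are placeholders, not real tenancy data.
SAMPLE_EVENTS = [
    {"eventType": "com.oraclecloud.ComputeApi.GetInstance",
     "eventTime": "2019-09-18T00:10:58Z",
     "data": {"eventName": "GetInstance", "compartmentName": "compartmentA",
              "resourceName": "my_instance",
              "identity": {"principalName": "ExampleName", "authType": "natv",
                           "ipAddress": "172.24.80.88",
                           "userAgent": "Jersey/2.23 (HttpUrlConnection 1.8.0_212)"},
              "response": {"status": "200", "message": None}}},
    {"eventType": "com.oraclecloud.ComputeApi.TerminateInstance",
     "eventTime": "2019-09-18T00:12:03Z",
     "data": {"eventName": "TerminateInstance", "compartmentName": "compartmentA",
              "resourceName": "my_instance",
              "identity": {"principalName": "ExampleName", "authType": "natv",
                           "ipAddress": "172.24.80.88", "userAgent": "Oracle-JavaSDK/1.5.2"},
              "response": {"status": "204", "message": None}}},
] + [
    {"eventType": "com.oraclecloud.ObjectStorage.ListBuckets",
     "eventTime": "2019-09-18T00:2%d:00Z" % i,
     "data": {"eventName": "ListBuckets", "compartmentName": "compartmentA",
              "resourceName": None,
              "identity": {"principalName": "contractor", "authType": "natv",
                           "ipAddress": "198.51.100.7", "userAgent": "curl/7.64.1"},
              "response": {"status": "404", "message": "NotAuthorizedOrNotFound"}}}
    for i in range(3)
]

# Assumed corporate egress range; calls from anywhere else are worth a look.
ALLOWED_SOURCES = [ipaddress.ip_network("172.24.80.0/24")]
# Assumed list of actions that change or destroy state or alter access.
SENSITIVE_PREFIXES = ("Delete", "Terminate", "CreatePolicy", "UpdatePolicy",
                      "CreateUser", "UpdateUser", "CreateAuthToken")


def parse_event(ev):
    """Flatten envelope + payload into the fields the lesson lists:
    time, source (who/where), target and type of action."""
    data = ev.get("data") or {}
    ident = data.get("identity") or {}
    response = data.get("response") or {}
    return {
        "time": datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")),
        "event_type": ev.get("eventType"),
        "action": data.get("eventName"),
        "principal": ident.get("principalName"),
        "auth_type": ident.get("authType"),
        "ip": ident.get("ipAddress"),
        "user_agent": ident.get("userAgent"),
        "target": data.get("resourceName") or data.get("resourceId"),
        "compartment": data.get("compartmentName"),
        "status": response.get("status"),
    }


def from_allowed_source(ip):
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def review(events, denied_threshold=3):
    """Return findings as (kind, principal, detail, action) tuples."""
    findings = []
    denied = Counter()
    for raw in events:
        e = parse_event(raw)
        if not from_allowed_source(e["ip"]):
            findings.append(("unexpected_source", e["principal"], e["ip"], e["action"]))
        if e["action"] and e["action"].startswith(SENSITIVE_PREFIXES):
            findings.append(("sensitive_action", e["principal"], e["target"], e["action"]))
        if e["status"] and str(e["status"]).startswith(("401", "403", "404")):
            denied[e["principal"]] += 1
    for principal, n in denied.items():
        if n >= denied_threshold:
            findings.append(("repeated_denials", principal, n, None))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```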
(Diagram: VCN with Web, Private and DB subnets, NAT and Internet gateways, connected to the customer data center)

– NAT Gateway – for connectivity to the internet for patching
– Service Gateway – for connectivity to public OCI services
– Dynamic Routing Gateway – for connectivity to on-premises
• Security Lists, NSG
– SL determines the types of traffic allowed in and out of the subnet.
– NSG determines the types of traffic allowed in and out of a VNIC.
What is a WAF?

• WAF refers to a device, server-side plug-in, or filter that applies a set of rules to HTTP/S traffic.
• By intercepting HTTP/S traffic and passing it through a set of filters and rules, WAF is able to uncover and protect against attack streams hitting a web application.
• Rules cover common attacks (Cross-site Scripting (XSS), SQL Injection) and the ability to filter specific source IPs or bad bots.
• Typical responses from WAF will either be allowing the request to pass through, audit logging the request, or blocking the request by responding with an error page.

• OCI Web Application Firewall (WAF) is a cloud-based, PCI-compliant, global security service that protects applications from malicious and unwanted internet traffic.
• Use cases:
– Protect any internet-facing endpoint from cyberattacks and malicious actors
– Protect against cross-site scripting (XSS) and SQL injection
– Bot management – dynamically blocking bad bots
– Protection against layer 7 DDoS attacks
So, when you expose a web application to the Internet, you want to make sure your website is protected against bad actors who want to compromise your site. WAF is a solution that helps protect websites and applications against attacks that cause data breaches and downtime. WAF acts as a reverse proxy that inspects all traffic flows or requests before they arrive at the origin web application. It also inspects any request going from the web application server to the end user.

Most of those attacks are based on custom scripts that exploit vulnerabilities of the web application. When a web application firewall recognizes one of those attack requests, it can perform actions based on the configuration that you defined: it can allow the request to pass through, log the request, or block the request by responding with an error page.
(Diagram: OCI security layers)

Monitoring
• Virtual Taps
• User Monitoring
• Configuration Monitoring
• Logging
• Compliance

Edge Services
• Global PoPs
• DDoS Protection
• DNS Security
• WAF Protection

Virtual Network
• Segmentation
  – FW
  – NGFW
  – IPS
• Security Lists
• Private Networks
• Bastion Access
• SSL Load Balancing
• FastConnect (Direct)
• FastConnect (Carrier)
• IPSec VPN

Instance
• Tenant Isolation
• Hardened Images
• In-Transit-Crypto
  – SSL/TLS
  – NNE
• SSH Keys
• Certificates
• 3rd Party Security

Data
• At-Rest-Crypto
  – TDE
  – DataGuard
• Hardware Entropy
• Keys
  – Managed Keys
  – Custom Keys
  – Managed Vault
• Root-Of-Trust Card
• Signed Firmware
• Hardware Security Modules

Identity
• Identity Federation
• Role-Based Policy
• Compartments & Tagging
• Instance Principals
(Diagram: a region with availability domains AD1, AD2 and AD3 behind an internet gateway (IGW), fronted by IPSec VPN, WAF with automated, proactive threat detection, and DDoS protection)

vFirewalls – access control in/out
Virtual Private Network (VPN) – protection/encryption in transit over Internet & private links
Distributed Denial of Service (DDoS) – network layer attack protection
Domain Name Service (DNS) – managed DNS from Oracle for OCI customers
Web Application Firewall (WAF) – application layer attack protection
Identity & Access Management (IAM) – control who can access and manage OCI resources
Cloud Access Security Broker (CASB) – visibility, compliance, control drift alerting
For each customer's Virtual Cloud Network(s) there is a range of defense-in-depth protections available.

Virtual firewalls are implemented by using VCN security lists. Customers can specify a set of firewall rules and associate them with one or more subnets. Associating a security list with a subnet applies those firewall rules to all instances running inside the subnet, at the packet level. Rules are enforced bi-directionally.
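Added example, not part of the course material: a packet-admission check that generalizes the security-list and NSG description above to the rule model OCI actually applies to a VNIC, where the subnet's security lists and the VNIC's network security groups are combined and traffic is allowed if any rule in either permits it. Rules, CIDRs and packets are constructed.

```python
"""Added example, not from the Oracle course: decide whether a packet is
admitted at a VNIC under the OCI rule model, generalized from the text above:
the subnet's security lists and the VNIC's network security groups are
combined, and traffic is allowed if any rule in either permits it. Rules,
CIDRs and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # peer range: source for ingress, destination for egress
    port_min: int = 1
    port_max: int = 65535

def rule_matches(rule, direction, protocol, peer_ip, port):
    """A rule matches when direction, protocol, peer CIDR and port all fit."""
    if rule.direction != direction or rule.protocol not in ("all", protocol):
        return False
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.port_min <= port <= rule.port_max

def is_allowed(security_lists, nsgs, direction, protocol, peer_ip, port):
    """Union semantics: one matching rule in any attached list or group suffices."""
    for ruleset in [*security_lists, *nsgs]:
        if any(rule_matches(r, direction, protocol, peer_ip, port) for r in ruleset):
            return True
    return False

# Constructed configuration: the subnet's security list admits SSH from the
# corporate range only; the web-tier NSG opens HTTPS to the internet.
SUBNET_SL = [Rule("ingress", "tcp", "10.0.0.0/8", 22, 22),
             Rule("egress", "all", "0.0.0.0/0")]
WEB_NSG = [Rule("ingress", "tcp", "0.0.0.0/0", 443, 443)]
# A permissive rule left in the subnet list applies to every VNIC in the subnet,
# and a tight NSG cannot narrow it: the union still admits the traffic.
LEGACY_SL = SUBNET_SL + [Rule("ingress", "tcp", "0.0.0.0/0", 22, 22)]

def demo():
    """Return (case, allowed) pairs for a few ingress TCP packets."""
    cases = [
        ("https from internet via web NSG", [SUBNET_SL], [WEB_NSG], "203.0.113.5", 443),
        ("ssh from internet, tight subnet", [SUBNET_SL], [WEB_NSG], "203.0.113.5", 22),
        ("ssh from corporate range", [SUBNET_SL], [WEB_NSG], "10.1.2.3", 22),
        ("ssh from internet, legacy subnet", [LEGACY_SL], [WEB_NSG], "203.0.113.5", 22),
    ]
    return [(name, is_allowed(sls, nsgs, "ingress", "tcp", ip, port))
            for name, sls, nsgs, ip, port in cases]

if __name__ == "__main__":
    for name, allowed in demo():
        print(f"{name}: {'ALLOW' if allowed else 'DROP'}")
```

The last case is the one to audit for: a stale wide-open rule in a subnet security list silently overrides the tighter NSG on every VNIC in that subnet.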
Although by default a VCN has no internet connectivity, internet-bound traffic to/from a VCN must pass through an Internet routing gateway. Virtual routing tables can be implemented with private IP addresses for use with NAT and 3rd party firewall devices for additional security.

Alternately, traffic can be routed through a Dynamic Routing Gateway (DRG), a virtual router that provides a path for private traffic between a VCN and a data center's network. It is used with an IPSec VPN or Oracle Cloud Infrastructure FastConnect connection to establish private connectivity between a VCN and

For protection of web applications, Oracle provides a WAF service with 250 pre-defined OWASP and compliance rules. Oracle Cloud Infrastructure WAF acts as a reverse proxy that inspects all traffic flows or requests before they arrive at the origin web application. It also inspects any request going from the web application server to the end user.

You can use Identity and Access Management (IAM) to control access to WAF management. WAF changes are recorded in the Audit service.

Additionally, Oracle's optional global anycast DNS service also takes advantage of DNS-based DDoS protections, providing resiliency at the DNS layers.
Global: SOC 1, SOC 2, SOC 3; 27001, 27017, 27018; Level 1; US Privacy Shield
Government: DoD DISA SRG IL2, DoD DISA SRG IL5, Agency ATO, Section 508, UK, EU
Industry: HIPAA, PCI DSS Level 1, FISC - Japan, IG Toolkit - UK, FINMA – Switzerland
Regional: GDPR - EU, BSI C5 - Germany, TISAX - Germany, PIPEDA - Canada, Cyber Essentials Plus - UK, My Number - Japan, Cloud Security Principles - UK
Some of you have asked me: building a region, building a feature is easy… not compliance.
Summary

• Shared Security Model
• Infrastructure protection
• OS and workload isolation
• Identity and Access Management
• Data protection
• Security services
L100
Web Application Firewall
Objectives
Unauthorized reproduction or distribution prohibited. Copyright© 2021, Oracle University and/or its affiliates.
At the end of this lesson, you will be able to understand WAF concepts and use cases, describe the OCI WAF service, and explain the capabilities and architecture of OCI WAF.
WAF Concepts and Use Cases
• Web Application Firewall (WAF) refers to a device, server-side plug-in, or filter that applies a set of rules to HTTP/S traffic.
• By intercepting HTTP/S traffic and passing it through a set of filters and rules, WAF is able to uncover and protect against attack streams hitting a web application.
• Generally, these rules cover common attacks, such as Cross-site Scripting (XSS) and SQL Injection, in addition to giving customers the ability to filter specific source IPs or bad bots.
• Typical responses from WAF will either be allowing the request to pass through, audit logging the request, or blocking the request by responding with an error page.
So, when you expose a web application to the Internet, you want to make sure your website is protected against bad actors who want to compromise your site. WAF is a solution that helps protect websites and applications against attacks that cause data breaches and downtime. WAF acts as a reverse proxy that inspects all traffic flows or requests before they arrive at the origin web application. It also inspects any request going from the web application server to the end user.

Most of those attacks are based on custom scripts that exploit vulnerabilities of the web application. When a web application firewall recognizes one of those attack requests, it can perform actions based on the configuration that you defined: it can allow the request to pass through, log the request, or block the request by responding with an error page.
– … cyberattacks and malicious actors
– Protect against cross-site scripting (XSS) and SQL injection, activities that allow attackers to gain unauthorized access to privileged information
– Bot management – dynamically blocking bad bots
– Protection against layer 7 distributed denial-of-service (DDoS) attacks
– Aggregated threat intelligence from multiple sources including Webroot BrightCloud
OCI WAF is a cloud-based, PCI-compliant solution that protects applications from cyber attacks. OCI WAF can protect any internet-facing endpoint hosted on OCI or on-premises by intercepting HTTP/S traffic and passing it through a set of filters and rules. These rules cover common attacks such as Cross-site Scripting and SQL Injection.

OCI WAF also provides aggregated threat intelligence from multiple sources, including Webroot BrightCloud. So, onboarding your applications to the OCI WAF service will protect against layer 7
… traffic
• User access controls can be configured on the basis of countries, IP addresses, URLs, and other request attributes to prohibit risky traffic
• Multi-cloud support provides WAF protection for any internet-facing application in any environment: OCI, on-premises, and across multi-cloud deployments
OCI WAF includes over 250 predefined rulesets to protect against the best-known attacks on web applications.

You also have the ability to configure OCI WAF to protect your application against bots. All you have to do is use the additional JavaScript challenge, CAPTCHA challenge, and whitelisting capabilities in conjunction with the WAF rule sets to further detect and block bad bots while allowing good bots to

In addition to that, it gives you the ability to filter specific source IPs or bad bots. The rules can also be used to control access based on geolocation, HTTP header parameters and HTTP URL.

In addition to providing protection for OCI workloads, OCI WAF also protects on-premises and multicloud environments. Having a single web application firewall to protect your workloads in any
• OCI WAF uses the OWASP ModSecurity Core Rule Set to protect against the most common web vulnerabilities. These rules are managed and maintained by the open source community.
• OCI WAF comes preconfigured with protection against the most important threats on the Internet as defined by the OWASP Top 10. These include:
– A1 – Injections (SQL, LDAP, OS, etc.)
– A2 – Broken Authentication and Session Management
– A3 – Cross-site Scripting (XSS)
– A4 – Insecure Direct Object References
– A6 – Sensitive Data Exposure
– A7 – Missing Function-Level Access Control
• Each type of vulnerability ruleset is shown within the OCI console, with granular controls for each specific rule.
For those 250 predefined rules, OCI WAF uses the Open Web Application Security Project to keep those rules always updated with the latest attacks available today. Those rules are managed and maintained by the

So, here is the way it works: these rules are compared against incoming requests to identify whether the request contains an attack payload. If it is determined that a request is an attack, the WAF blocks or
• JavaScript Challenge: Fast and efficient way to block a large percentage of bot attacks
– After receiving an HTTP request, a piece of JavaScript is sent back to the browser of every client, attacker, and real user. It instructs the browser to perform an action. Legitimate browsers will pass the challenge without the user's knowledge, while bots—which are typically not equipped with JavaScript—will fail and be blocked.
• CAPTCHA Challenge
– If a specific URL should be accessed only by a human, you can control it with CAPTCHA protection.
– You can customize the comments for the CAPTCHA Challenge for each URL.
• Whitelisting: Allows you to manage which IP addresses appear on the IP whitelist
– Requests from the whitelisted IP addresses bypass all challenges, such as DDoS policies and WAF rulesets.
JavaScript Challenge is a type of web challenge that is used in denial-of-service (DDoS) mitigation to filter out attackers from legitimate clients. The challenge is to send every client a piece of JavaScript code that includes some kind of challenge. Virtually any browser has a JavaScript stack and will easily understand and pass the challenge without the user's notice. However, DDoS bots typically are not equipped with a JavaScript stack and therefore cannot pass the challenge.

A CAPTCHA challenge is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. For example, humans can read text in different formats and shapes where bots can't. OCI WAF allows you to customize the comments for the

We also have the Whitelisting capability, which allows you to specify which IP addresses can access your application by bypassing all the challenges above and the WAF access control rules.
• Human Interaction
— Oracle WAF identifies normal usage patterns based on legitimate user behavior to the site. The WAF will challenge with CAPTCHA or block requests when it detects abnormalities or traffic exceeds defined interaction thresholds.
• Device Fingerprinting (available in the API)
— Oracle WAF collects various unique characteristics about a device entity, … other requests to determine whether the same signature is being leveraged across different contexts.
• … suspicious request
• Hides the origin server … server or as it leaves the server
• … information. Block requests if the HTTP … values or allow traffic with proper HTTP … regular expression.
• Control access based on URL address matching or partial matching or match proper URL regular expressions
You can use the user access controls to restrict or control access to your web applications. As an example, region-based access control is perfect to keep your clients accessing only applications that are in a specific region. Another use could be to block countries from getting to your application servers entirely. For example, if you don't do business with countries located in Asia, you can completely block

You can also activate user access control based on HTTP header information or URL address.
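Added example, not part of the course material: an access-control evaluator in the spirit of the user access controls described above (country, source-IP, URL and HTTP-header conditions, with whitelisted IPs bypassing every rule, as the Whitelisting slide states). The rule format, field names and sample requests are constructed; "ZZ" is a placeholder country code, not a real one.

```python
"""Added example, not from the Oracle course: an access-control evaluator in
the spirit of the user access controls above (country, source-IP, URL and
HTTP-header conditions; whitelisted IPs bypass every rule). Rule format, field
names and sample requests are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass, field

ALLOW, LOG, BLOCK = "allow", "log", "block"

def in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

@dataclass
class AccessRule:
    name: str
    action: str
    countries: set = field(default_factory=set)       # ISO country codes
    cidrs: list = field(default_factory=list)         # source-IP ranges
    url_regex: str = ""                               # matched against the path
    header_regex: dict = field(default_factory=dict)  # header name -> regex

    def matches(self, req):
        """Every configured condition must hold (conditions are ANDed)."""
        if self.countries and req["country"] not in self.countries:
            return False
        if self.cidrs and not in_any(req["ip"], self.cidrs):
            return False
        if self.url_regex and not re.search(self.url_regex, req["path"]):
            return False
        return all(re.search(p, req["headers"].get(h, ""))
                   for h, p in self.header_regex.items())

def evaluate(req, rules, whitelist):
    """Whitelisted sources skip all rules; otherwise the first matching rule
    decides, and an unmatched request passes on to the WAF rulesets."""
    if in_any(req["ip"], whitelist):
        return ALLOW, "whitelist"
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return ALLOW, "default"

# Constructed policy: "ZZ" is a placeholder country; 192.0.2.0/24 is a monitoring range.
WHITELIST = ["192.0.2.0/24"]
RULES = [
    AccessRule("geo-block", BLOCK, countries={"ZZ"}),
    AccessRule("admin-from-corp", ALLOW, cidrs=["10.0.0.0/8"], url_regex=r"^/admin(/|$)"),
    AccessRule("admin-from-outside", BLOCK, url_regex=r"^/admin(/|$)"),
    AccessRule("log-scripted-clients", LOG, header_regex={"User-Agent": r"^curl/"}),
]
SAMPLE_REQUESTS = [  # constructed: source IP, GeoIP country, path, headers
    {"ip": "192.0.2.10", "country": "ZZ", "path": "/admin", "headers": {}},
    {"ip": "203.0.113.7", "country": "ZZ", "path": "/", "headers": {}},
    {"ip": "10.8.0.5", "country": "US", "path": "/admin/users", "headers": {}},
    {"ip": "198.51.100.3", "country": "US", "path": "/admin", "headers": {}},
    {"ip": "198.51.100.3", "country": "US", "path": "/api", "headers": {"User-Agent": "curl/8.0"}},
]
```

Rule order matters: the corporate ALLOW for /admin has to precede the general BLOCK for /admin, and a whitelisted monitoring source skips even the geo block, which is exactly why the whitelist should stay short.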
WAF Architecture and Benefits
(Diagram labels: Internet Gateway, DNS, SUBNET, VCN, DNS Optimized Routing for HA, REGION, TENANCY, Other Cloud providers and On-Premise hosted internet facing web applications, Customer Premises Equipment)
Under the WAF policy, you can take advantage of over 250 predefined Open Web Application Security Project (OWASP) application and compliance-specific rules. Once you have configured your rules, you can then publish

When a client requests access to your web application, all traffic flows through the OCI WAF edge nodes before arriving at your application server. This allows the OCI WAF to inspect the traffic and compare it to the defined rules and parameters that were published by the WAF policy you created.

Configured as a reverse proxy, the OCI WAF inspects all traffic going in and out of your web application origin and identifies and blocks all malicious traffic, protecting your cloud environment and also your on-premises web applications.
(Map of points of presence: London, Amsterdam, Dublin, Toronto, Frankfurt, Chicago, Dallas, Tokyo, Vancouver, Ashburn, Seattle, Miami, Hong Kong, Los Angeles, Singapore, Sao Paulo, Sydney)
Responsibility | Oracle | Customer
Keep WAF infrastructure patched and up-to-date | Yes | No
Monitor data-plane logs for abnormal, undesired behavior | Yes | Yes
Monitor for Distributed Denial of Service (DDoS) attacks | Yes | No
Provide High Availability (HA) for the WAF | Yes | No
Tune the WAF's access rules and bot management strategies for your traffic | No | Yes
• Off-load patching and maintenance of Web Application Firewall
• Global traffic management and optimization
• Consolidate WAF policy for OCI and non-OCI applications
• Low cost