Oracle Cloud Infrastructure — Associate Architect — Notes

Babu Balasubramanian
16 min read · Feb 9, 2018


Notes from my OCI 2018 certification preparation (personal and not endorsed by Oracle).

IAM — Identity and Access Management

IAM is included with your cloud subscription at no additional charge.
A single access model is used across all services.
IAM can be consumed via the IAM Console, REST API, CLI and SDKs.
IAM governs access to Compute, Block Volume, VCN, etc.
IAM uses traditional identity concepts such as principals, users, groups and policies.
OCI IAM introduces a new concept called Compartments.

Tenancy:

  • Equivalent of an account; tenancy contains all of your OCI resources
  • Provisioned with a single, top-level compartment called the ‘root compartment’ — you can create other compartments

Compartment:

  • Logical container used to organize and isolate cloud resources; each resource is in exactly one compartment
  • Compartments are global and logical; distinct from physical “containers” like Regions and Availability Domains
  • Resources can be connected/shared across compartments
  • Compartments cannot be deleted (they can be renamed); deeper nesting will be allowed in the future.

Principals:

  • Three types of principals: root users, IAM users and Instance Principals
  • The first IAM user is called the root user
  • The root user cannot be deleted
  • The root user is persistent and has complete administrative access to all OCI resources

IAM Users/Groups:

  • A user has no permissions until placed in one (or more) groups, and the group has at least one policy granting permission on the tenancy or a compartment
  • The same user can be a member of multiple groups

Instance Principals:

  • Instance Principals can make API calls against other OCI services without storing credentials in a configuration file
  • Instance Principals are implemented in OCI with ‘Dynamic Groups’
  • Membership in the dynamic group is determined by a set of matching rules. When you set up a dynamic group, you also define the rules for membership in the group.
  • Resources that match the rule criteria are members of the dynamic group
  • Dynamic Groups also need Policies to access OCI resources

Authentication:

Two ways the IAM service authenticates a principal:

1) Username/Password
2) API Signing Key

  • Username/Password: you use the password to sign in to the web console.
  • API Signing Key: required when using the API directly or through the SDK. The key is an RSA key pair in PEM format (minimum 2048 bits). In the console you copy and paste the PEM-formatted public key.

Authorization:

Authorization in the IAM service is done by defining specific privileges in policies and associating them with principals.

This supports the security principle of least privilege: by default, users are not allowed to perform any actions (policies cannot be attached to users, only to groups).

Policies:

  • Policies consist of one or more statements that specify which groups can access which resources, and what level of access users in that group have
  • Policies are written in a human-readable format:

Examples

allow group <group_name> to <verb> <resource-type> in tenancy <tenancy_name>
allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>]

E.g. Allow group ProjectA_Admins to manage all-resources in compartment ProjectA_compartment

verb (4 choices):
inspect (list resources, without user-specified metadata)
read (inspect plus user-specified metadata)
use (work with existing resources, but not create or delete them)
manage (all permissions)

resource-type (6 aggregate choices):
all-resources
database-family
instance-family
object-family
virtual-network-family
volume-family

Example — Aggregate

allow group Admins to manage all-resources in tenancy 
allow group NetworkAdmins to manage virtual-network-family in tenancy

Example — Individual

allow group HRAdmins to use console-histories in compartment HR 
allow group ServerAdmins to read objects in compartment IT
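An added example, not from these notes or from Oracle: a small parser for the policy statement grammar above that also lints for broad grants. The verb list and resource-type families are the ones in the notes; the Statement class and the lint findings are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Verbs and aggregate resource types as listed in the notes.
VERBS = ("inspect", "read", "use", "manage")
FAMILIES = {"all-resources", "database-family", "instance-family",
            "object-family", "virtual-network-family", "volume-family"}

# allow group <g> to <verb> <resource-type> in tenancy [<name>] | compartment <name> [where <cond>]
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?:tenancy(?:\s+(?!where\b)(?P<tenancy>\S+))?"
    r"|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the statement is scoped to the whole tenancy
    condition: Optional[str]


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; raises ValueError on unknown grammar or verb."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid policy statement: {text!r}")
    verb = m.group("verb").lower()
    if verb not in VERBS:
        raise ValueError(f"unknown verb {verb!r}; expected one of {VERBS}")
    return Statement(m.group("group"), verb, m.group("resource").lower(),
                     m.group("compartment"), m.group("condition"))


def lint(statements: List[str]) -> List[str]:
    """Least-privilege findings: full-admin grants and tenancy-wide manage of a family."""
    findings = []
    for text in statements:
        s = parse_statement(text)
        scope = "tenancy" if s.compartment is None else f"compartment {s.compartment}"
        if s.verb == "manage" and s.resource == "all-resources":
            findings.append(f"{s.group}: manage all-resources in {scope} (full admin)")
        elif s.verb == "manage" and s.resource in FAMILIES and s.compartment is None:
            findings.append(f"{s.group}: tenancy-wide manage of {s.resource}")
    return findings
```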

FastConnect

FastConnect provides an easy, elastic, and economical way to create a dedicated and private connection with higher bandwidth options, and a more reliable and consistent networking experience when compared to internet-based connections

Service Models:

  • Colocation with Oracle: Physical connection between Customer and Oracle
  • Provider: Megaport, Equinix, Verizon SCI, etc.

FastConnect Use Scenarios:

  • Private Peering:
    - Extends the on-premises network into the OCI VCN
    - Communication across the connection uses private IP addresses
  • Public Peering:
    - Access public OCI services over the dedicated FastConnect connection
    - Access Object Storage, the OCI Console or APIs
    - Communication across the connection uses public IP addresses

FastConnect Redundancy:

Oracle provides Circuit, Provider, and Data Center (DC) redundancy.

Provider:
Redundant circuits provisioned into 2 different FastConnect locations by the same provider (circuit and DC redundant)

Redundant circuits provisioned into 2 different FastConnect locations by different providers (circuit, provider and DC redundant)

Colocation with Oracle:
Move your equipment into an existing Oracle cloud DC

  • 2 physical connections in the colocation to Oracle's equipment (circuit redundant but not DC redundant)
  • 2 physical connections in the colocation to Oracle's equipment plus a partner-provided connection to a second FastConnect location within the region (circuit redundant and DC redundant)

Networking

VPN IPsec service provides a connection between a customer’s on premises network and Oracle Cloud Infrastructure Virtual Cloud Network (VCN). It consists of multiple redundant IPsec tunnels that use static routes to route traffic.

IPsec tunnels connect Dynamic Routing Gateway (DRG) and Customer Premises Equipment (CPE) that are created and attached to the VCN. By default, three IPsec tunnels, one per Availability Domain are created on Oracle Cloud Infrastructure.

This provides redundancy if a tunnel fails. Oracle recommends configuring the on-premises router to support all of the IPsec tunnels in case one of them fails. Each tunnel has configuration information (the Oracle Cloud Infrastructure DRG external IP address and the pre-shared key for authentication) that is configured on the on-premises router.

Stateless (security list rules)

  • With stateless rules, response traffic is not automatically allowed.
  • To allow the response traffic for a stateless ingress rule, you must create a corresponding stateless egress rule.
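An added check for the pairing rule above (my own code, not OCI's): given a security list modelled as Python objects, it reports stateless ingress rules whose replies no stateless egress rule would let out. The Rule model and the sample rules are constructed for the example; the reply of a TCP/UDP request leaves from the port the request was addressed to, back to the requester's network.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive (min, max)


@dataclass
class Rule:
    direction: str                        # "ingress" or "egress"
    stateless: bool
    protocol: str                         # "tcp" or "udp" (ICMP has no ports; not modelled)
    cidr: str                             # source CIDR for ingress, destination CIDR for egress
    src_ports: Optional[PortRange] = None  # None = all ports
    dst_ports: Optional[PortRange] = None


def _covers(outer: Optional[PortRange], inner: Optional[PortRange]) -> bool:
    """True if port range `outer` admits everything `inner` admits (None = all ports)."""
    if outer is None:
        return True
    if inner is None:
        return False
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def answers(ingress: Rule, egress: Rule) -> bool:
    """True if `egress` lets the replies to traffic admitted by `ingress` leave the subnet."""
    if not (egress.direction == "egress" and egress.stateless
            and egress.protocol == ingress.protocol):
        return False
    # Replies go back to the network the request came from...
    src = ip_network(ingress.cidr, strict=False)
    dst = ip_network(egress.cidr, strict=False)
    if not src.subnet_of(dst):
        return False
    # ...from the requested port, to whatever port the requester used.
    return (_covers(egress.src_ports, ingress.dst_ports)
            and _covers(egress.dst_ports, ingress.src_ports))


def unanswered_ingress(rules: List[Rule]) -> List[Rule]:
    """Stateless ingress rules whose response traffic no stateless egress rule allows."""
    egress = [r for r in rules if r.direction == "egress" and r.stateless]
    return [r for r in rules
            if r.direction == "ingress" and r.stateless
            and not any(answers(r, e) for e in egress)]


# Constructed sample security list: the web rule is paired correctly,
# the SSH rule has no matching egress, and the stateful rule needs none.
SAMPLE_RULES = [
    Rule("ingress", True, "tcp", "0.0.0.0/0", dst_ports=(80, 80)),
    Rule("egress", True, "tcp", "0.0.0.0/0", src_ports=(80, 80)),
    Rule("ingress", True, "tcp", "10.0.0.0/8", dst_ports=(22, 22)),
    Rule("ingress", False, "tcp", "0.0.0.0/0", dst_ports=(443, 443)),
]
```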

Availability domains are isolated from each other.
Fault tolerant
High availability
Low-latency, high-bandwidth network between availability domains.
A VCN resides within a single region but can span multiple availability domains.
You can have 10 VCNs per compartment (soft limit).
You can have 300 subnets per VCN (soft limit).

Local VCN Peering
Local VCN peering connects two VCNs in the same region and tenancy so that their resources can communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. It requires:

  • A local peering gateway (LPG) on each VCN in the peering relationship.
  • A connection between those two LPGs.
  • Supporting route rules to enable traffic to flow over the connection, and only to/from select subnets in the respective VCNs (if desired).
  • Supporting security list rules to control the types of traffic allowed to/from the instances in the subnets that need to communicate with the other VCN.

A peering is a single peering relationship between two VCNs. Example: If VCN-1 peers with three other VCNs, then there are three peerings.

IPSec VPN Redundancy Models (Single CPE)

  • OCI provisions three tunnels per AD
  • Traffic is automatically routed to the customer premises via an available ("up") tunnel if any one tunnel becomes unavailable in Oracle Cloud Infrastructure

IPSec VPN Redundancy Models (Multiple CPE)
Configure two CPEs to create a highly available (HA) deployment in your on-premises network, with three tunnels to each CPE device

Site-to-Site VPN
  • Workloads: dev/test and small-scale production
  • Reach: all OCI services within the VCN (compute VMs and BMs, Database)
  • Bandwidth: typically < 1 Gbps aggregate
  • Protocols: IPSec
  • Routing: static
  • Connection resiliency: active-active
  • Encryption: yes, by default
  • Fee: billable port hours; no data transfer charge between ADs
  • SLA: none

FastConnect
  • Workloads: enterprise-class and mission-critical, Oracle Apps, backup, DR
  • Reach: all OCI services within the VCN (compute VMs and BMs, Database)
  • Bandwidth: higher; 1 Gbps and 10 Gbps port increments
  • Protocols: MPLS, VPLS
  • Routing: BGP
  • Connection resiliency: active-active
  • Encryption: no
  • SLA: 99.9% availability

VCN

VCN = your virtual data center in the cloud
You need a VCN and at least one subnet before you can launch a compute instance

Components:

  • Subnets
  • IGW — Internet Gateway
  • DRG — Dynamic Routing Gateway
  • Security Lists
  • DHCP options

Think about the address ranges before creating them.

IPv4 CIDR blocks can only range from /16 to /30.

Private Pool allows enterprises to host their domain names and DNS zones under a dedicated IP pool to segregate from those of other customers in order to reduce the risk of external issues affecting their websites.

If multiple customers are in the same pool and one customer’s Zones come under a DDoS attack, the other customers in the pool may have their DNS performance impacted until the DDoS is resolved.

Vanity Nameserver allows enterprises to rename OCI Nameservers with their own branding

By default all OCI customers will be hosted on the OCI name servers. Using standard tools, users can determine that the customer’s assets are hosted by OCI DNS.

Customers that are concerned about their brand can rebrand the name servers

Example:

Default naming: ns1.pxx.dns.oraclecloud.net
Vanity naming: ns1.pxx.vanityname.net

IPSec — Site to Site

(Options for connecting on-premises to the cloud: IPSec or FastConnect)

IPSec = Internet Protocol Security

Can be configured in 2 different modes:

  • Transport Mode: IPSec only encrypts and/or authenticates the actual payload of the packet; the header information remains intact.
  • Tunnel Mode: IPSec encrypts and/or authenticates the entire packet. After encryption, the packet is encapsulated to form a new IP packet with different header information.
  • Oracle supports Tunnel mode.

Site-to-site encrypted

  • No need for an expensive dedicated telephone line
  • Internal IP addresses of both networks stay hidden
  • Communication between the entities is encrypted

Oracle uses Asymmetric routing across the multiple tunnels.

You must create the DRG (Dynamic Routing Gateway) before creating the IPSec connection.

Think of the DRG as a dynamic virtual router that provides a path for private traffic between your cloud network (your VCN) and your on-premises network.

Components of IPSec

CPE Object: when setting up a VPN, you must create a virtual representation of the router in your on-premises network. The CPE object contains the basic information about your router that your cloud network (VCN) needs for communication.

DRG: consider this the VPN headend on your cloud network (VCN). The DRG is a standalone object that you must attach to your VCN, using either the console or the API. You must also add one or more route rules that route traffic from the VCN to the DRG.

IPSec Connection: connects the CPE object and the DRG; creating it results in multiple redundant tunnels.

Static Routes — You must specify static routes

Provisioning:

  • Oracle provisions multiple VPN tunnels by default
  • Configure a minimum of 2, and ideally 3, tunnels on your on-premises VPN device for redundancy.
  • Oracle automatically routes traffic to your instances via an available tunnel if any one tunnel becomes unavailable.

Setting up IPSec:

1) Gather background

2) Setup VPN Components

- Create the VCN and DRG

- Attach the DRG to your VCN

- Update the routing in your VCN to use the DRG

- Create CPE object and provide your router’s public IP address

- From your DRG create an IPSec connection to the CPE object and provide your static routes.

- Your on-premises router configuration is also needed. Sample configuration templates for common vendors (Cisco, Palo Alto, etc.) are available to download.

DNS — Domain Name Server

Common types of records supported by OCI DNS

  • A (Address Record)
  • AAAA (IPv6 Address Record)
  • CNAME (Canonical Name record)
  • MX (Mail Exchange Record)
  • TXT (Text Record)
  • PTR (Pointer Record)
  • SOA (Start of Authority Record)
  • SRV (Service Locator)
  • NS (Name Server Record)

Also supports the ALIAS record type, which maps one record to another (like a CNAME, but not available for external resources).

ALIAS records also help because you do not have to map a record to a specific IP address.

Max 25K resource records per zone.

You can do the following with Oracle-DNS:

  • Create and manage zones
  • Create and manage records
  • Import or upload zone files
  • Save and Publish changes
  • View all Zones and Records
  • Reporting

Primary and secondary DNS are available, always on.

A recursive server talks to the primary or the secondary.

All domain information is managed within the primary DNS server.

Can Oracle DNS be a secondary DNS? Yes! It can be deployed as a primary or a secondary server.

DNS: max 1000 zones per tenant.

When you change DNS servers, wait 72 hours before validating.

Benefits:

  • DNS network operating for over 10 years, used by thousands of customers, large and small: enterprise, business and web properties
  • Support for OCI, other Cloud provider endpoints (AWS, Azure) and private assets, including Cloud, CDNs and Data Centers
  • Consistently lowest query latency performance
  • Industry leading propagation time to ensure fast response to DNS changes
  • Support for both Primary and Secondary DNS services, unlike solutions from many Cloud Providers
  • Industry’s most accurate geolocation data set, created specifically for steering internet traffic
  • DDoS protection built-in
  • Most standards-compliant DNS platform

Load Balancing

Primary types:

  • Round Robin — Round Robin is the default load balancer policy. This policy distributes incoming traffic sequentially to each server in a backend set list. After each server has received a connection, the load balancer repeats the list in the same order.
  • Least Connections — The Least Connections policy routes incoming non-sticky request traffic to the backend server with the fewest active connections. This policy helps you maintain an equal distribution of active connections with backend servers. As with the round robin policy, you can assign a weight to each backend server and further control traffic distribution.
  • IP Hash — The IP Hash policy uses an incoming request’s source IP address as a hashing key to route non-sticky traffic to the same backend server. The load balancer routes requests from the same client to the same backend server as long as that server is available. This policy honors server weight settings when establishing the initial connection. IP Hash ensures that requests from a particular client are always directed to the same backend server, as long as it is available.

Keep-Alive Settings:

For HTTP connections, your load balancer honors backend server keep-alive settings. The load balancer inspects the Connection: header in backend server responses to determine connection handling.

Connection Configuration

The default timeout values are 300 seconds for TCP listeners and 60 seconds for HTTP listeners.

The maximum timeout value is 7200 seconds.

“X” headers:

Non-standard header fields, which begin with X-, are common. The Load Balancing service adds or modifies the following X- headers when it passes requests to your servers.

  • X-Forwarded-For — The load balancer appends the last remote peer address to the X-Forwarded-For field from the incoming request. A comma and space precede the appended address.
  • X-Forwarded-Host — Identifies the original host and port requested by the client in the Host HTTP request header. This header helps you determine the original host, since the hostname or port of the reverse proxy (load balancer) might differ from the original server handling the request.
  • X-Forwarded-Port — Identifies the listener port number that the client used to connect to the load balancer. For example:
  • X-Forwarded-Proto — Identifies the protocol that the client used to connect to the load balancer, either http or https. For example:
  • X-Real-IP — Identifies the client's IP address. For the Load Balancing service, the "client" is the last remote peer.
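An added example, not from these notes or from Oracle's code: a backend-side helper that mirrors the X-Forwarded-For / X-Real-IP behaviour described above and then picks the client address the safe way. Only the rightmost X-Forwarded-For entry was appended by the load balancer; everything to its left arrived in the request and may be forged. `trusted_hops` is an assumed parameter for proxies you operate in front of the load balancer (e.g. a CDN) whose entries should also be skipped.

```python
from ipaddress import ip_address
from typing import Dict, Optional


def lb_forward(request_headers: Dict[str, str], peer: str) -> Dict[str, str]:
    """Mimic what the notes say the load balancer does on the way to the backend:
    append the remote peer to X-Forwarded-For (", " separated) and set X-Real-IP."""
    out = dict(request_headers)
    xff = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{xff}, {peer}" if xff else peer
    out["X-Real-IP"] = peer
    return out


def client_ip(headers: Dict[str, str], trusted_hops: int = 0) -> Optional[str]:
    """Return the client address a backend should log or rate-limit on.

    Walks X-Forwarded-For from the right: the last entry is the peer the load
    balancer saw, the `trusted_hops` entries before it belong to proxies you run
    in front of the load balancer, and everything further left is untrusted
    client input. Returns None if the chosen entry is not a valid IP address or
    the chain is too short, so callers never fall back to a forged value."""
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if len(hops) <= trusted_hops:
        return None
    candidate = hops[-1 - trusted_hops]
    try:
        return str(ip_address(candidate))
    except ValueError:
        return None


# Constructed request: the client sent its own forged X-Forwarded-For value
# before the load balancer appended the real peer address.
SPOOFED_REQUEST = {"X-Forwarded-For": "10.0.0.1, not-an-ip"}
FORWARDED = lb_forward(SPOOFED_REQUEST, "203.0.113.7")
```

Note that X-Real-IP as described above carries the same last-peer value, so on an OCI backend it is equivalent to `client_ip(headers)` with no trusted hops.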

Session Persistence:

  • Session persistence is a method to direct all requests originating from a single logical client to a single backend web server.
  • Cookies — The Load Balancing service activates session persistence when a backend server sends a Set-Cookie response header containing a recognized cookie name. The cookie name must match the name specified in the backend set configuration.
  • Fallback — By default, the Load Balancing service directs traffic from a persistent session client to a different backend server when the original server is unavailable. You can configure the backend set to disable this fallback behavior. When you disable fallback, the load balancer fails the request and returns an HTTP 502 code.

Request Routing:

The Load Balancing service enables you to route incoming requests to various backend sets. You can:

Assign a virtual hostname to a listener: you can assign a virtual hostname to any listener you create for your load balancer. Each hostname can correspond to an application served from your backend, so multiple applications share:

  • A single associated IP address. Multiple hostnames, backed by DNS entries, can point to the same load balancer IP address.
  • A single load balancer. You do not need a separate load balancer for each application.
  • A single load balancer shape. Running multiple applications behind a single load balancer helps you manage aggregate bandwidth demands and optimize utilization.

Create path route rules: Some applications have multiple endpoints or content types, each distinguished by a unique URI path. For example, /admin, /data, or /video, or /cgi. You can use path route rules to route traffic to the correct backend set without using multiple listeners or load balancers.

  • You cannot use asterisks in path route strings.
  • You cannot use regular expressions.
  • Path route strings are case-insensitive.

Combine these techniques: virtual hostnames and path route rules can be used together.

Block Storage

Volume: what is a block volume? A type of expansive data storage.
Block Volume uses the iSCSI protocol over Ethernet.
A block volume can be created and attached to your instance.
Dynamically provision and manage block storage volumes.
Create, attach, move, back up.
Store data and manage your block volume; you control your data.
Instance terminated? The block volume can be attached to a different compute instance.

Can use integrated Backup

Use case: when you are looking for persistent and durable storage.

  • Create using the SDK or the console.
  • Connect from your guest OS using iSCSI.
  • Disconnect the block volume from the instance: it can be detached and moved to a different compute instance without losing any data.
  • Block volumes have a high level of data durability and integrated backups.
  • A backup is a complete, point-in-time snapshot of all data on your block volume.

Block volumes can be created from 50 GB to 2 TB in 1 GB increments.

32 volumes can be attached per instance.

IOPS and bandwidth scales linearly per GB volume size up to the service maximums.

Metric      Scale factor   Service limit
IOPS        60 IOPS/GB     Up to 25k IOPS at 4 KB block size
Throughput  480 KB/s/GB    Up to 320 MB/s at 256 KB block size
Latency     sub-millisecond

Up to 32 attachments to an instance.

To connect using iSCSI, you will need:

  • IP address and port
  • Volume IQN
  • CHAP Username (iSCSI protocol)
  • CHAP Password

Policy-Based Backups
There are three predefined backup policies:
- Bronze
- Silver
- Gold

Bronze Policy

  • Weekly Incremental Backups
  • Runs first day of the month
  • Retained for 12 months
  • Includes full backup (runs on Jan 1st)
  • Full backups maintained for 5 years.

Silver Policy

  • Weekly backups, run on Sunday
  • Retained for 4 weeks
  • Plus Bronze

Gold Policy

  • Daily backups
  • Retained for 7 days
  • Weekly backups, run on Sunday
  • Plus Silver

Object Storage

AES-256 encryption by default.
All communication over the internet is encrypted.
Clients can encrypt data before sending it to the server.
Object buckets can be public.
Pre-authenticated buckets.
Use cases: big data, backup and archive, content repository
  • Big data: highly scalable storage
  • Backup or archive data: durable and low cost
  • Content repository: supports all content types; storage scales without performance degradation
Object Storage uses buckets to organize the objects stored under them.
Use the SDK or the REST API to access objects.
Objects can also be uploaded via the browser.

CLI — Command Line Interface

You can get help for any command using --help, -h, or -? (e.g. oci os bucket -h).

The CLI is built on Python (version 2.7.5 or 3.5 or later), running on Mac, Windows, or Linux.

Services supported: Audit | Core Services (Networking, Compute, Block Volume) | Database | IAM | Object Storage | Load Balancing

oci <service> <type> <action> <options>

(compute is the <service>, instance is the resource <type>, launch is the <action>, and the rest of the command string consists of <options>)

Example:

oci compute instance launch --availability-domain "EMIr:PHX-AD-1" \
  -c ocid1.compartment.oc1..aaaaaaaal3gzijdlieqeyg35nz5zxil26astxxhqol2pgeyqdrggnx7jnhwa \
  --shape "VM.Standard1.1" --display-name "Instance 1 for sandbox" \
  --image-id ocid1.image.oc1.phx.aaaaaaaaqutj4qjxihpl4mboabsa27mrpusygv6gurp47kat5z7vljmq3puq \
  --subnet-id ocid1.subnet.oc1.phx.aaaaaaaaypsr25bzjmjyn6xwgkcrgxd3dbhiha6lodzus3gafscirbhj5bpa

CLI table output: oci iam region list --output table

CLI filter: oci compute image list -c ocid1.compartment.oc1..aaaaaaaapxgklgmujxjzx2ypptfjrcieq7rrob2u2zbesh3wlafsgthhqtea --output table --query "data[*].{ImageName:\"display-name\", OCID:id}"

Using Environment Variables for OCIDs

Several of the CLI examples use environment variables for OCIDs, such as:
$T for a tenancy OCID
$C for a compartment OCID

Example CLI commands:

[Upload an object]
oci os object put -ns mynamespace -bn mybucket --name myfile.txt --file /Users/me/myfile.txt --metadata '{"key1":"value1","key2":"value2"}'

[Download an object]
oci os object get -ns mynamespace -bn mybucket --name myfile.txt --file /Users/me/myfile.txt

[Print an object to STDOUT]
oci os object get -ns mynamespace -bn mybucket --name myfile.txt --file -

[Upload object content from STDIN]
oci os object put -ns mynamespace -bn mybucket --name myfile.txt --file - <<< 'object content'

Bulk Operations in Object Storage:

  • Uploading files in a directory and all its subdirectories to a bucket
  • Downloading all objects, or all the objects that match a specified prefix, in a bucket
  • Deleting all objects, or all the objects that match a specified prefix, in a bucket

Upgrading the CLI:

Run command: pip install oci-cli --upgrade
Upgrade a standard virtualenv installation: cli-testing/bin/pip install oci-cli --upgrade

Terraform

Write a plan and create infrastructure as code.

You can compare Terraform to OpenStack Heat, AWS CloudFormation and similar tools.

File extension: .tf or .tf.json

Major TF component:

  • Configurations: A Terraform configuration is the text file that contains the infrastructure resource definitions. You can write Terraform configurations in either Terraform format (using the .tf extension) or in JSON format (using the .tf.json extension).
  • Providers: Terraform leverages multiple providers to talk to back-end platforms and services, like Oracle, GCP and AWS etc.
  • Resources: Resources are the basic building blocks of a Terraform configuration.
  • Variables: To help make configurations more portable and more flexible, Terraform supports the use of variables.


OCI Configuration file requirements:

Every configuration file defines the provider that will be used; the OCI provider is called 'oci'. You must also specify where to get the required authentication details. You should never put these values directly in a configuration file.

variable "tenancy_ocid" {}
variable "user_ocid" {}
variable "fingerprint" {}
variable "private_key_path" {}
variable "region" {}

provider "oci" {
  tenancy_ocid     = "${var.tenancy_ocid}"
  user_ocid        = "${var.user_ocid}"
  fingerprint      = "${var.fingerprint}"
  private_key_path = "${var.private_key_path}"
  region           = "${var.region}"
}

The OCI API uses CamelCase in multiple places. Terraform doesn't support CamelCase in configuration files, so it is replaced with underscores. For example:

OCI native API → Terraform configuration

availabilityDomain → availability_domain
cidrBlock → cidr_block
compartmentId → compartment_id
routeTableId → route_table_id
securityListIds → security_list_ids
vcnId → vcn_id

Can I use Terraform to manage both Oracle Public Cloud and Oracle Cloud Infrastructure? YES!

Set up environment variables (these populate the variables declared above):

  • export TF_VAR_tenancy_ocid
  • export TF_VAR_user_ocid
  • export TF_VAR_fingerprint
  • export TF_VAR_private_key_path
  • export TF_VAR_compartment_ocid
