Oracle Data Integration Platform Cloud (DIPC): Configure VPN as a Service (VPNaaS) for On-Premises Connectivity

Introduction

This document walks through how to configure Virtual Private Network as a Service (VPNaaS) with Oracle Data Integration Platform Cloud (DIPC) for connectivity between an On-Premises Oracle database and Oracle Public Cloud (OPC).

One major requirement for using VPNaaS with DIPC is that DIPC must be provisioned on an IP Network rather than on the Shared Network. Creating and managing OPC IP Networks is not discussed in this article; it is assumed that an IP Network has already been created. For more details on OPC Shared and IP Networks, refer to the Oracle documentation.

Installation of the Oracle Database on premises and the detailed provisioning steps for DIPC are also not discussed in this article. It is assumed that the Oracle database software has been installed on the On-Premises server and that the DIPC instance already exists on OPC and was provisioned on the IP Network.

The concepts, scripts and information presented in this article are for educational purposes only. They are not supported by Oracle Development or Support, and come with no guarantee or warranty of functionality in any environment other than the test system used to prepare this article. Before applying any changes presented in this article to your environment, you should thoroughly test them to assess functionality and performance implications.

For the detailed provisioning steps of DIPC, refer to the Oracle DIPC tutorial.

Main Article

VPNaaS communicates with the On-Premises network through a third-party device that acts as the VPN gateway. For this article we used a pfSense appliance as the On-Premises VPN gateway device. For the list of supported third-party devices and their configuration, refer to the Oracle VPNaaS documentation.

Here is a diagram of the VPN setup between On-Premises and DIPC on OPC via VPNaaS, as depicted in this article:

DIPC_VPNaaS_Diagram

 

On-Premises Environment

  • On-Premises Network: 192.168.37.0/24
  • VPN Gateway Device: pfSense Appliance
  • VPN Gateway Public Facing IP (WAN): 209.56.134.179
  • VPN Gateway Private IP (LAN): 192.168.37.1
  • Database Server IP: 192.168.37.101
  • Pre-Shared Key (PSK): MyPreSharedKey2018
  • Encryption Algorithm: AES256
  • Hash Algorithm: SHA256
  • Phase 1 Diffie-Hellman (DH) Group: 14
  • Phase 2 Diffie-Hellman (DH) Group: 14

Oracle Public Cloud (OPC) Environment

  • IP Network: 172.16.1.0/24 (DIPCIPN)
  • DIPC VM Instance Private IP Address: 172.16.1.5
  • VPNaaS Gateway Name: DIPC-IPNET-MPAPIO-VPN
  • VPNaaS Gateway Public IP: 129.150.197.128
  • VPNaaS Gateway Private IP: 172.16.1.254
  • Pre-Shared Key (PSK): MyPreSharedKey2018

High Level Steps of VPN Connection Configuration via VPNaaS

The following are the high-level steps for configuring the VPN connection between the On-Premises database server and the OPC DIPC server via VPNaaS:

  • OPC – Verify and Check the IP Network and the DIPC instance
  • OPC – Provision and Configure the VPN Connection for the VPNaaS
  • On-Premises – Create and Configure the VPN Connection on the third-party VPN device (pfSense appliance)
  • OPC and On-Premises – Verify the tunnel status is Up
  • OPC and On-Premises – Verify connectivity is up between On-Premises Database Server and OPC DIPC server

OPC – IP Network and DIPC Instance Check

Verify the IP Network on which DIPC was provisioned and double-check that the DIPC instance is attached to the correct IP Network. You can do this from the Oracle Cloud web UI.

DIPC_VPNaaS_MP_01

Figure 1

Figure 1 shows where to look for the IP Network. In our example the IP Network name is DIPCIPN and its address is 172.16.1.0/24.

DIPC_VM_MP_Create_01v2

Figure 2

Figure 2 shows where the IP Network is set during DIPC provisioning. In our example the DIPC instance was set to use IP Network DIPCIPN.

As of this writing, configuring DIPC on an IP Network has the prerequisite of an Internet-facing Load Balancer on that IP Network. For a more detailed explanation of the Load Balancer, refer to the Oracle Load Balancing Classic documentation.

The Internet-facing Load Balancer must be created before you can provision a DIPC instance on an IP Network. You can create it via the REST API of the Load Balancer service.

Here is the cURL command that was used to create the Load Balancer for this exercise (substitute your own tenant name, credentials and LBaaS host):

curl -X POST -k -H 'X-ID-TENANT-NAME: gse00013735' -u 'cloud.admin:Pass1234' -H 'Content-Type: application/vnd.com.oracle.oracloud.lbaas.VLBR+json' -i 'https://lbaas-71bde0c0714f41cd9cea9a15f414ece3.balancer.oraclecloud.com/vlbrs' --data ' {
 "name":"dipc-manl-public-lbr-central-ipnet",
 "disabled":"false",
 "region":"uscom-central-1",
 "scheme":"INTERNET_FACING",
 "compute_site":"uscom-central-1",
 "ip_network_name":"/Compute-588688908/cloud.admin/DIPCIPN"
}'| grep "{" | python -m json.tool

Two things in this command should not survive outside a lab. The -k option disables TLS certificate verification, so anyone on the path could impersonate the LBaaS endpoint and capture the credentials along with the request; drop it and let cURL validate the certificate. Passing the password with -u 'cloud.admin:Pass1234' puts it in the shell history and the process list; give only the user name (-u 'cloud.admin') so cURL prompts for the password, or keep the credentials in a .netrc file and use --netrc. The -i option includes the response headers in the output, which is why the output is piped through grep "{" before json.tool. For a detailed explanation and additional examples of the Load Balancer REST endpoints, refer to the REST API for Oracle Cloud Infrastructure Load Balancing Classic documentation.

Once the cURL command has been executed, the returned state should be "CREATION_IN_PROGRESS":

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1851 0 1619 100 232 1576 225 0:00:01 0:00:01 --:--:-- 1576
{
    "canonical_host_name": "vlbr-ffb706a136c0416cbd6794bb5c859678.uscom-central-1.oraclecloud.com",
    "compute_site": "uscom-central-1",
    "disabled": "FALSE",
    "display_name": "dipc-manl-public-lbr-central-ipnet",
    "ip_network_name": "/Compute-588688908/cloud.admin/DIPCIPN",
    "name": "dipc-manl-public-lbr-central-ipnet",
    "operation_details": "https://lbaas-71bde0c0714f41cd9cea9a15f414ece3.balancer.oraclecloud.com/OperationDetails/CREATE_VLBR_0682ae52-dedc-4b53-b0b7-7a4b0afb61d9",
    "owner": "tenant=idcs-4f3cb83b061a44a8adc282db55ac8fdd,username=cloud.admin",
    "region": "uscom-central-1",
    "rest_uri": [
        {
            "type": "accesscontrol_administration_uri",
            "uri": "https://lbaas-71bde0c0714f41cd9cea9a15f414ece3.balancer.oraclecloud.com/vlbrs/uscom-central-1/dipc-manl-public-lbr-central-ipnet/acls"
        },
        {
            "type": "policies_base_uri",
            "uri": "https://lbaas-71bde0c0714f41cd9cea9a15f414ece3.balancer.oraclecloud.com/vlbrs/uscom-central-1/dipc-manl-public-lbr-central-ipnet/policies"
        },
        {
            "type": "loadbalancer_public_endpoint",
            "uri": "https://vlbr-ffb706a136c0416cbd6794bb5c859678.uscom-central-1.oraclecloud.com"
        },
        {
            "type": "listeners_base_uri",
            "uri": "https://lbaas-71bde0c0714f41cd9cea9a15f414ece3.balancer.oraclecloud.com/vlbrs/uscom-central-1/dipc-manl-public-lbr-central-ipnet/listeners"
        },
        {
            "type": "originserverpools_base_uri",
            "uri": "https://lbaas-71bde0c0714f41cd9cea9a15f414ece3.balancer.oraclecloud.com/vlbrs/uscom-central-1/dipc-manl-public-lbr-central-ipnet/originserverpools"
        }
    ],
    "scheme": "INTERNET_FACING",
    "state": "CREATION_IN_PROGRESS",
    "uri": "https://lbaas-71bde0c0714f41cd9cea9a15f414ece3.balancer.oraclecloud.com/vlbrs/uscom-central-1/dipc-manl-public-lbr-central-ipnet"
}

Creation of the Load Balancer typically takes 15 to 30 minutes. To check that the Internet-facing Load Balancer was created successfully, run the following REST call via cURL (the same caveats about -k and the password on the command line apply):

curl -X GET -k -H 'X-ID-TENANT-NAME: gse00013735' -u 'cloud.admin:Pass1234' -i 'https://lbaas-71bde0c0714f41cd9cea9a15f414ece3.balancer.oraclecloud.com/vlbrs' | grep "{" | python -m json.tool

For a successfully created Load Balancer, the state should be "HEALTHY":

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 543 0 543 0 0 847 0 --:--:-- --:--:-- --:--:-- 847
{
    "items": [
        {
            "is_disabled_effectively": "FALSE",
            "name": "610734-1523476548295",
            "state": "HEALTHY",
            "uri": "https://lbaas-71bde0c0714f41cd9cea9a15f414ece3.balancer.oraclecloud.com/vlbrs/uscom-central-1/610734-1523476548295"
        },
        {
            "is_disabled_effectively": "FALSE",
            "name": "dipc-manl-public-lbr-central-ipnet",
            "state": "HEALTHY",
            "uri": "https://lbaas-71bde0c0714f41cd9cea9a15f414ece3.balancer.oraclecloud.com/vlbrs/uscom-central-1/dipc-manl-public-lbr-central-ipnet"
        }
    ],
    "uri": "https://lbaas-71bde0c0714f41cd9cea9a15f414ece3.balancer.oraclecloud.com/vlbrs"
}
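The create-then-poll procedure above (POST /vlbrs, then GET until the state is HEALTHY) is easy to script so that it can be repeated without re-typing credentials. The following is an added example, not code from the original article or from Oracle: it sends the same headers, body fields and JSON media type as the cURL calls above, reads the tenant name, user and password from environment variables instead of the command line, and leaves TLS certificate verification on (the opposite of curl -k). The LBAAS_* environment variable names, the assumption that a single load balancer can be fetched at the uri returned by the create call, and the 45-minute timeout are this example's own choices; the polling logic takes an injectable fetch function so it can be exercised without a network.

```python
"""Create an Internet-facing LBaaS Classic load balancer and wait for HEALTHY.

Added example (not from the article). Endpoint paths, header names, the
VLBR media type and the JSON fields mirror the cURL calls shown above; the
LBAAS_* environment variables and the timeout are this example's assumptions.
"""
import base64
import json
import os
import time
import urllib.request

VLBR_MEDIA_TYPE = "application/vnd.com.oracle.oracloud.lbaas.VLBR+json"


def auth_headers(tenant, user, password):
    """The headers that `-H 'X-ID-TENANT-NAME: ...' -u user:pass` send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "X-ID-TENANT-NAME": tenant,
        "Authorization": f"Basic {token}",
        "Accept": "application/json",
    }


def vlbr_body(name, region, ip_network):
    """Request body for POST /vlbrs, same fields as the cURL call above."""
    return {
        "name": name,
        "disabled": "false",
        "region": region,
        "scheme": "INTERNET_FACING",
        "compute_site": region,
        "ip_network_name": ip_network,
    }


def http_json(url, headers, body=None, content_type=None):
    """One HTTPS request with the JSON reply decoded. The server certificate
    is verified by urllib, i.e. the equivalent of running curl without -k."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=dict(headers),
                                 method="POST" if data else "GET")
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode())


def vlbr_state(payload):
    """The 'state' field of a single-VLBR response, e.g. HEALTHY."""
    return payload.get("state")


def wait_for_state(fetch, wanted="HEALTHY", timeout=2700, interval=60,
                   clock=time.monotonic, sleep=time.sleep):
    """Call fetch() until its 'state' equals wanted, then return that state.

    fetch, clock and sleep are injectable so the loop can run offline.
    The 45-minute default timeout (generous for the 15-30 minutes observed
    above) raises RuntimeError instead of polling forever.
    """
    deadline = clock() + timeout
    while True:
        state = vlbr_state(fetch())
        if state == wanted:
            return state
        if clock() >= deadline:
            raise RuntimeError(f"timed out waiting for {wanted}; last state {state!r}")
        sleep(interval)


if __name__ == "__main__":
    # Placeholders (assumptions): LBAAS_BASE is the LBaaS host, e.g.
    # https://lbaas-<id>.balancer.oraclecloud.com; the rest are credentials.
    base = os.environ["LBAAS_BASE"]
    hdrs = auth_headers(os.environ["LBAAS_TENANT"], os.environ["LBAAS_USER"],
                        os.environ["LBAAS_PASSWORD"])
    region, name = "uscom-central-1", "dipc-manl-public-lbr-central-ipnet"
    ip_network = "/Compute-588688908/cloud.admin/DIPCIPN"
    created = http_json(f"{base}/vlbrs", hdrs,
                        vlbr_body(name, region, ip_network), VLBR_MEDIA_TYPE)
    print("create returned:", vlbr_state(created))   # CREATION_IN_PROGRESS
    # The create response's 'uri' field has this shape; poll it until HEALTHY.
    single = f"{base}/vlbrs/{region}/{name}"
    print("final state:", wait_for_state(lambda: http_json(single, hdrs)))
```

Run it with the four LBAAS_* variables exported; the password never appears on the command line, and a certificate failure aborts the call instead of being silently ignored.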

OPC – Provision the VPN Connection under the VPNaaS

Create the VPN connection from the Oracle Cloud web console under the VPN menu.

(01) In the web console, click the Network tab.
(02) Under the IP Network tab in the left pane, click VPN, then click VPN Connections.
(03) Click Create VPN Connection.
(04) Select or enter the required information:

  • Name: Enter a name for the VPN connection. In our example it is set to DIPC-IPNET-MPAPIO-VPN.
  • IP Network: Select the IP Network where DIPC was provisioned; in this example it is DIPCIPN (172.16.1.0/24).
  • Connected IP Networks: This field lists the IP networks that will be reachable over this VPN connection. The connection also gives access to every IP network attached to the same IP network exchange as the selected network. In our example there is only one IP Network and no IP network exchange attached to it, so the field is blank.
  • vNICsets: Select all vNICsets associated with the DIPC instance; in our example these are:
    • dics/dipcmpvmipn/lb/ora_otd
    • dics/dipcmpvmipn/wls/ora_admin
    • dics/dipcmpvmipn/lb/ora_otd_infraadmin
    • dics/dipcmpvmipn/wls/ora_ms
    • dics/dipcmpvmipn/wls/ora_wls_infraadmin
    • dipcdbipn/db_1/ora_db
  • Customer Gateway: Enter the public-facing IP address of the VPN device on the On-Premises network; in our example it is 209.56.134.179. If the VPN device sits behind NAT, the address on its WAN interface differs from the public address: enter the public address that the cloud gateway will see as its IKE peer, and set the IKE identifier on the pfSense side to match what the cloud gateway expects for this peer. An identifier mismatch fails Phase 1 even when the pre-shared key is correct.
  • Customer Reachable Routes: Enter, in CIDR format, the On-Premises subnet where the Database Server runs; in our case 192.168.37.0/24. Keep this as narrow as you can, since every prefix listed here becomes routable from the cloud side of the tunnel.
  • Pre-shared Key: Enter the pre-shared key (PSK); the value is masked as you type. In our example it is MyPreSharedKey2018, a placeholder suitable only for a lab: use a long, randomly generated secret and do not reuse it across tunnels. The key must match the one entered on the On-Premises VPN gateway device.
  • IKE ID: If left blank, the public IP address of the cloud gateway is used. We use the default, so leave this blank; the public IP is assigned during provisioning.
  • Phase 1 IKE Proposal Options: Specify the Phase 1 IKE options. Leaving this blank tells the gateway to permit all possible values, which means the negotiated algorithms are whatever the On-Premises device offers. We left it blank for this exercise; for a production tunnel, enter the proposal that matches the pfSense configuration (AES256, SHA256, DH group 14 in this article) so that a misconfigured peer cannot negotiate weaker parameters.
  • Phase 2 ESP Proposal Options: Specify the Phase 2 Encapsulating Security Payload (ESP) options. The same applies: blank permits all possible values, and pinning it to the pfSense Phase 2 settings is the safer choice.
  • Require Perfect Forward Secrecy: Selected by default; leave it selected. The pfSense Phase 2 DH group (14 in this article) is the PFS group and must match.
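What the blank Phase 1 / Phase 2 proposal fields mean in practice is easiest to see with a small model of the selection rule. The following is an added example, not code from the article or from Oracle, and it does not implement IKE: it only models the simplified rule that the responder accepts the first proposal the initiator offers that the responder permits, treats a blank cloud-side field as "permit everything", and flags algorithms that should never be accepted. The pfSense proposal is the one listed in this article's environment summary (AES256, SHA256, DH group 14); the deny lists are this example's own choice.

```python
"""Model of a blank vs. pinned VPNaaS proposal field (added example, not
from the article; simplified, does not implement IKE)."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes256"
    integrity: str    # e.g. "sha256"
    dh_group: int     # e.g. 14


# Algorithms a practitioner should refuse whatever the peer offers
# (example's own deny lists).
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}          # 768-, 1024- and 1536-bit MODP

# The pfSense Phase 1 proposal from this article's environment summary.
ON_PREM_PHASE1 = [Proposal("aes256", "sha256", 14)]


def is_weak(p: Proposal) -> bool:
    return (p.encryption in WEAK_ENCRYPTION
            or p.integrity in WEAK_INTEGRITY
            or p.dh_group in WEAK_DH_GROUPS)


def negotiate(offered: Iterable[Proposal],
              permitted: Optional[Set[Proposal]]) -> Optional[Proposal]:
    """Simplified IKE selection: the responder (VPNaaS) takes the first
    proposal the initiator (pfSense) offers that it permits.
    permitted=None models the blank console field: everything is accepted."""
    for p in offered:
        if permitted is None or p in permitted:
            return p
    return None


def audit(offered, permitted) -> str:
    """'mismatch' if Phase 1 cannot complete, 'weak' if it completes with an
    algorithm from the deny lists, otherwise 'ok'."""
    chosen = negotiate(offered, permitted)
    if chosen is None:
        return "mismatch"
    return "weak" if is_weak(chosen) else "ok"


if __name__ == "__main__":
    # Blank cloud-side field: whatever pfSense offers is what gets used ...
    print(audit(ON_PREM_PHASE1, None))                                # ok
    # ... including a weak configuration, which the cloud side would accept.
    print(audit([Proposal("3des", "md5", 2)], None))                  # weak
    # Pinned cloud-side proposal that does not match pfSense: tunnel stays down.
    print(audit(ON_PREM_PHASE1, {Proposal("aes128", "sha256", 14)}))  # mismatch
    # Pinned to the pfSense values: only that proposal can succeed.
    print(audit(ON_PREM_PHASE1, set(ON_PREM_PHASE1)))                 # ok
```

The last two cases are the trade-off: pinning the cloud side turns a configuration error on the pfSense into a tunnel that will not come up, which is noisy but safe, whereas leaving the field blank turns the same error into a tunnel that comes up with whatever the pfSense happened to offer.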

VPN_Final_Edit_01

Figure 3

Figure 3 shows the selection we used in the creation/provisioning of the VPNaaS depicted in this article.

(05) Click Create. A message confirms that the VPN connection has been added, and its status in the web console shows as Pending/Provisioning.

VPN_Final_Edit_02

Figure 4

Figure 4 shows the message and the status of the VPN connection as soon as it was added.

Provisioning of the VPNaaS takes anywhere from 20 to 45 minutes. Its status changes during the process, and the console also shows the public IP address being assigned and the corresponding private IP address.

VPN_Final_Edit_03

Figure 5

Figure 5 shows the public IP address assigned to the VPNaaS gateway. Make a note of this address; in this article it is 129.150.197.128. It is needed when configuring the On-Premises VPN gateway device. To see the current status you may need to click the refresh button highlighted in Figure 5.

VPN_Final_Edit_04

Figure 6

Figure 6 shows the private IP address that was assigned, while the status is still Provisioning. In this example the private IP address is 172.16.1.254.

On-Premises – Create and Configure the On-Premises third-party VPN device

As the third-party VPN device on the On-Premises side we used a pfSense appliance for this article. Installation and general configuration of pfSense is not covered here; only the VPN configuration needed to connect to OPC's VPNaaS is documented.

Here is the pfSense Phase 1 configuration used for this article. The values are the ones from the environment summary above: remote gateway 129.150.197.128 (the VPNaaS public IP), the pre-shared key, AES256 encryption, SHA256 hash and DH group 14:

VPN_Final_Edit_05

VPN_Final_Edit_06

VPN_Final_Edit_07

Here is the pfSense Phase 2 configuration: AES256, SHA256 and PFS DH group 14, with the local network 192.168.37.0/24 and the remote network 172.16.1.0/24 (the DIPC IP Network):

VPN_Final_Edit_08

VPN_Final_Edit_09

VPN_Final_Edit_10

Make sure the pre-shared key matches on both VPN devices, On-Premises and OPC, and that the pfSense Phase 1 and Phase 2 settings agree with whatever you entered (or left open) on the VPNaaS side. A mismatch in key, IKE identifier or proposal leaves the tunnel down.

OPC and On-Premises – Verify Tunnel Status is Up

Once the On-Premises third-party VPN device has been configured and the VPNaaS provisioning has completed, verify that the tunnel status is Up on both ends. On the OPC side, check the status of the VPN connection in the Oracle web console.

VPN_Final_Edit_11

The image above shows the VPNaaS on the OPC side with the tunnel status "Up".

On the On-Premises side, the pfSense IPsec status page should show the tunnel as "Established":

GGCS_VPNaaS_006

Once both sides report the tunnel as up, a tunnel session has been established between On-Premises and OPC, and you can proceed to check connectivity between the On-Premises Database Server and the OPC DIPC server.

OPC and On-Premises – Verify VPN connection

Connectivity between the On-Premises Database Server and the OPC DIPC server can be checked with a simple ping, or by logging on from the On-Premises Database Server to the DIPC server using its private IP address. The first SSH connection in each direction prompts you to accept an unknown host key; before answering yes, compare the fingerprint shown with the one on the target host (for example, ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub run on that host through its console; add -E md5 on newer OpenSSH to get the same hex format as in the transcripts below). Blindly accepting the key is exactly what an attacker positioned on the path would rely on.

The netcat utility (nc) can also be used to check connectivity to the On-Premises database listener port. In our example the listener runs on TCP port 1522.

01. Ping from On-Premises Database Server to OPC VPNaaS Private Gateway IP (172.16.1.254) and DIPC server (172.16.1.5).
[oracle@ogg-wkshp ~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 08:00:27:80:BF:4C 
 inet addr:192.168.37.101 Bcast:192.168.37.255 Mask:255.255.255.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:142206 errors:0 dropped:0 overruns:0 frame:0
 TX packets:142509 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:29986581 (28.5 MiB) TX bytes:15662550 (14.9 MiB)

[oracle@ogg-wkshp ~]$ ping 172.16.1.254
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=63 time=63.5 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=63 time=63.2 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=63 time=62.9 ms
^C
--- 172.16.1.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 62.990/63.276/63.564/0.373 ms
[oracle@ogg-wkshp ~]$ 
[oracle@ogg-wkshp ~]$ ping 172.16.1.5
PING 172.16.1.5 (172.16.1.5) 56(84) bytes of data.
64 bytes from 172.16.1.5: icmp_seq=1 ttl=62 time=64.4 ms
64 bytes from 172.16.1.5: icmp_seq=2 ttl=62 time=63.8 ms
64 bytes from 172.16.1.5: icmp_seq=3 ttl=62 time=63.7 ms
^C
--- 172.16.1.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 63.744/64.012/64.466/0.383 ms
[oracle@ogg-wkshp ~]$
02. Login from On-Premises Database Server to OPC DIPC server (172.16.1.5).
[oracle@ogg-wkshp ~]$ ssh -i dipc_ssh_key opc@172.16.1.5
The authenticity of host '172.16.1.5 (172.16.1.5)' can't be established.
RSA key fingerprint is 36:44:33:af:bb:62:44:ab:84:4c:a8:27:2c:44:95:85.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.5' (RSA) to the list of known hosts.
[opc@dipcmpvmipn-wls-1 ~]$ 
[opc@dipcmpvmipn-wls-1 ~]$ hostname
dipcmpvmipn-wls-1
[opc@dipcmpvmipn-wls-1 ~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 02:6C:09:49:74:4F 
 inet addr:172.16.1.5 Bcast:172.16.1.255 Mask:255.255.255.0
 inet6 addr: fe80::6c:9ff:fe49:744f/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:8900 Metric:1
 RX packets:9891345 errors:0 dropped:0 overruns:0 frame:0
 TX packets:4663681 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:12370621173 (11.5 GiB) TX bytes:1250294587 (1.1 GiB)

[opc@dipcmpvmipn-wls-1 ~]$ exit
logout
Connection to 172.16.1.5 closed.
[oracle@ogg-wkshp ~]$
03. Login from OPC DIPC server to On-Premises Database Server (192.168.37.101).
[opc@dipcmpvmipn-wls-1 ~]$ ssh oracle@192.168.37.101
The authenticity of host '192.168.37.101 (192.168.37.101)' can't be established.
RSA key fingerprint is 0e:d1:25:f8:e0:b2:af:c6:94:a9:84:1b:e7:58:c9:5d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.37.101' (RSA) to the list of known hosts.
oracle@192.168.37.101's password: 
Last login: Wed Apr 18 11:01:01 2018
[oracle@ogg-wkshp ~]$ 
[oracle@ogg-wkshp ~]$ hostname
ogg-wkshp.us.oracle.com
[oracle@ogg-wkshp ~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 08:00:27:80:BF:4C 
 inet addr:192.168.37.101 Bcast:192.168.37.255 Mask:255.255.255.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:143067 errors:0 dropped:0 overruns:0 frame:0
 TX packets:143494 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:30111397 (28.7 MiB) TX bytes:15756773 (15.0 MiB)

[oracle@ogg-wkshp ~]$ exit
logout

Connection to 192.168.37.101 closed.
[opc@dipcmpvmipn-wls-1 ~]$
04. Verify Connectivity from DIPC VM to the On-Premises Database Server Listener port (1522) via “nc”.
[opc@dipcmpvmipn-wls-1 ~]$ nc -zv 192.168.37.101 1522
Connection to 192.168.37.101 1522 port [tcp/ricardo-lm] succeeded!
[opc@dipcmpvmipn-wls-1 ~]$
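The checks above are worth keeping as a script that can be re-run after every change to the tunnel or the pfSense configuration. The following is an added example, not code from the article or from Oracle: it performs the nc -zv style check (a TCP handshake with a timeout) against each host and port that must be reachable through the tunnel, and reports which ones are not. ping is left out because ICMP needs raw sockets. The listener port 1522 and the private addresses are the ones from this article; that SSH listens on port 22 on both hosts is an assumption. A helper that starts a local listener is included so the probe can be exercised without the tunnel.

```python
"""TCP reachability checks across the VPNaaS tunnel (added example, not
from the article). Addresses and port 1522 are from the article; port 22
for SSH is an assumption."""
import socket
import threading
from typing import Dict, List, Tuple

Target = Tuple[str, str, int]   # (label, host, port)

# Run on the On-Premises database server: the DIPC VM over the tunnel.
FROM_ON_PREM: List[Target] = [
    ("dipc-ssh", "172.16.1.5", 22),           # assumption: SSH on 22
]
# Run on the DIPC VM: the On-Premises database server over the tunnel.
FROM_DIPC: List[Target] = [
    ("onprem-ssh", "192.168.37.101", 22),     # assumption: SSH on 22
    ("onprem-listener", "192.168.37.101", 1522),
]


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake with host:port completes within timeout,
    which is what `nc -zv host port` reports as 'succeeded'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable or timed out
        return False


def check_targets(targets: List[Target], timeout: float = 3.0) -> Dict[str, bool]:
    """Probe every target; returns {label: reachable}."""
    return {label: tcp_port_open(host, port, timeout)
            for label, host, port in targets}


def unreachable(results: Dict[str, bool]) -> List[str]:
    """Labels whose probe failed, sorted for stable output."""
    return sorted(label for label, ok in results.items() if not ok)


def start_local_listener() -> int:
    """Bind 127.0.0.1 on an ephemeral port, accept and close connections in
    a background thread, and return the port. Used to exercise the probe
    without the tunnel."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    targets = FROM_DIPC if "--from-dipc" in sys.argv else FROM_ON_PREM
    results = check_targets(targets)
    for label, ok in results.items():
        print(f"{label:16s} {'reachable' if ok else 'UNREACHABLE'}")
    sys.exit(1 if unreachable(results) else 0)
```

Run it without arguments on the On-Premises server and with --from-dipc on the DIPC VM; a non-zero exit code means at least one expected path through the tunnel is closed, which is the signal to go back to the tunnel status and the Phase 2 selectors before touching DIPC.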

Once you have verified that traffic flows between the On-Premises Database Server and the OPC DIPC server, you are ready to configure the DIPC connection to the On-Premises database as a data source.

Configure DIPC Connection to On-Premises Database Server as a Data Source

To configure a connection within DIPC to the On-Premises database server as a data source, open the Data Integration Platform console from the Oracle Cloud web console and create the connection there.

VPN_Final_Edit_12

Once the DIPC console has been opened, the Home screen should have a selection for "Create Connection".

VPN_Final_Edit_13

The Create Connection configuration screen is shown; select or enter the required information:

  • Name: Enter any name you want to use; in our example it is set to on-prem-db-mpapio-vm.
  • Description: Enter any comment or description; in our case it is set to On-Premise Database Server.
  • Agent: Select the pre-installed agent. A DIPC agent is already installed once the DIPC instance has been provisioned.
  • Type: In our example this is set to Oracle.

VPN_Final_Edit_14

  • Hostname: Enter the host IP address of the On-Premises database server; in our example it is set to 192.168.37.101.
  • Port: Enter the database listener port; in our example it is set to 1522.
  • Username: Enter the database user name; in our example it is set to tpcadb.
  • Password: Enter the password for the database user.
  • Service Name: Enter the database listener service name; in our example it is set to oracle.domain.
  • Schema Name: Take the default schema.
  • CDB Connection: Leave it blank.

VPN_Final_Edit_15

Click “Test Connection” to make sure it can connect before saving the connection. If successful, you should have the “Connection test succeeded” message.

VPN_Final_Edit_16

Once you have saved the connection, it appears in the DIPC catalog as an entry in the Connection category.

VPN_Final_Edit_17

You can click that connection and check the summary information or metadata/tables attached to that connection source.

VPN_Final_Edit_18

The On-Premises connection can now be used by any DIPC job, such as data synchronization, integration or validation.

Summary

This article has provided an overview and a worked example of configuring a VPN connection via VPNaaS between an On-Premises network and an OPC Data Integration Platform Cloud (DIPC) instance.

For more information on what other articles are available for Oracle GoldenGate please view our index page.

References

Reference the Oracle Data Integration Platform Cloud Documentation for additional information on DIPC.

Reference the Oracle Cloud Infrastructure Load Balancing Classic Documentation for additional information on Load Balancer.

Reference the Oracle Compute Cloud Service Documentation for additional information on PaaS.

Reference the Oracle GoldenGate 12c Reference and Administration Guide for additional information on GoldenGate.
