Note: Private Access Channel is now available in Oracle Analytics and is recommended by Oracle for new connections to private data sources. For more information on the feature and the data sources it supports refer to:
Connect to Private Data Sources Through a Private Access Channel
Supported Data Sources
A-Team Chronicles Private Access Channel Series
Oracle Analytics Cloud (OAC) may now be provisioned within a Virtual Cloud network (VCN) on Oracle Cloud Infrastructure (OCI) with a private IP address.
This post is a step-by-step guide for deploying the components and validating the connectivity between them thus enabling a private connection between OAC and an Autonomous Database (ADB). The ADB may be on shared or dedicated infrastructure and may be either Autonomous Data Warehouse (ADW) or Autonomous Transaction Processing. This guide uses an ADW as the ADB.
This is one of the post listed in the OAC Private Endpoint Parent Post
November 29, 2020 with OAC 5.8
Before You Begin
Deploying Components
Validating Connectivity
Creating a Private ADW connection
Final States and Traffic Flows
All names and addresses used in this post are for examples only. Although not required, resources are assumed to be in separate subnets to demonstrate security and routing rules.
Three scenarios are provided; Single VCN, Locally Peered VCNs and Remotely Peered VCNs. The "Peered VCNs" scenario includes both peering scenarios and the "All" scenario includes all.
The following are assumed to be in place relative to your scenario.
A user account in an OCI tenancy granted compartment privileges for managing Analytics, Compute, ADBs and Networking components.
Rules for client connectivity in the OAC subnet's security list and route table.
SCENARIO | NAME | CIDR | DNS |
---|---|---|---|
All | VCN1 | 10.10.10.0/23 | Yes |
Peered VCNs | VCN2 | 10.20.10.0/23 | Yes |
SCENARIO | VCN | NAME | CIDR | DNS | DHCP Option | Route Table | Security List |
---|---|---|---|---|---|---|---|
All | VCN1 | VCN1-OAC-SN | 10.10.10.0/27 | Yes | Default | Default | Default |
Single VCN | VCN1 | VCN1-DB-SN | 10.10.10.32/27 | Yes | Default | Default | Default |
Peered VCNs | VCN2 | VCN2-DB-SN | 10.20.10.32/27 | Yes | Default | Default | Default |
SCENARIO | VCN | SUBNET | TYPE | FQDN |
---|---|---|---|---|
All | VCN1 | VCN1-OAC-SN | OAC | OAC.analytics.ocp.oraclecloud.com |
Single VCN | VCN1 | VCN1-ADW-SN | ADW | ADW.adb.region1.oraclecloud.com |
Local Peering | VCN2 | VCN2-ADW-SN | ADW | ADW.adb.region1.oraclecloud.com |
Remote Peering | VCN2 | VCN2-ADW-SN | ADW | ADW.adb.region2.oraclecloud.com |
This section details the following additional components relative to your scenario.
Subnets
Security Lists
Remote Data Gateway
Peering Gateways
Route Tables
DNS Private Views
Gateway Associations
Remote Peering Connections
DNS EndPoints
DNS Rules
A Subnet consists of a contiguous range of IPv4 addresses that do not overlap with other subnets in the VCN. They act as a unit of configuration: all instances in a subnet use the same route table, security lists, and DHCP options.
Create subnets relative to your scenario.
SCENARIO | VCN | NAME | CIDR | DNS | DHCP Option | Route Table | Security List |
---|---|---|---|---|---|---|---|
Single VCN | VCN1 | VCN1-RDG-SN | 10.10.10.64/27 | Yes | Default | Default | Default |
Peered VCNs | VCN2 | VCN2-RDG-SN | 10.20.10.64/27 | Yes | Default | Default | Default |
Remote Peering | VCN1 | VCN1-DNS-SN | 10.10.10.32/27 | Yes | Default | Default | Default |
Remote Peering | VCN2 | VCN2-DNS-SN | 10.20.10.0/27 | Yes | Default | Default | Default |
Security Lists control network traffic within a subnet in addition to firewall rules within each resource.
Create security lists for the DB, DNS, and OAC subnets with the following rules.
SCENARIO | NAME | VCN | SOURCE CIDR | PROTOCOL | PORT | NOTE |
---|---|---|---|---|---|---|
Single VCN | VCN1-OAC-SL | VCN1 | 10.10.10.0/23 | TCP | 443 | From VCN1 RDG |
Single VCN | VCN1-ADW-SL | VCN1 | 10.10.10.0/23 | TCP | 1522 | From VCN1 RDG |
Peered VCNs | VCN1-OAC-SL | VCN1 | 10.20.10.0/23 | TCP | 443 | From VCN2 RDG |
Peered VCNs | VCN2-ADW-SL | VCN2 | 10.20.10.0/23 | TCP | 1522 | From VCN2 RDG |
Remote Peering | VCN1-DNS-SL | VCN1 | 10.20.10.0/23 | UDP | 53 | From VCN2 DNS |
Associate the security lists to the corresponding subnet.
SCENARIO | NAME | SUBNET |
---|---|---|
All | VCN1-OAC-SL | VCN1-OAC-SN |
Single VCN | VCN1-ADW-SL | VCN1-ADW-SN |
Peered VCNs | VCN2-ADW-SL | VCN2-ADW-SN |
Remote Peering | VCN1-DNS-SL | VCN1-DNS-SN |
OAC currently requires Remote Data Gateway (RDG) to reach private data sources. RDG is deployed in either a Linux or a Windows VM.
Deploy RDG. Refer here for a post on deploying in a private subnet.
SCENARIO | VCN | SUBNET | FQDN |
---|---|---|---|
Single VCN | VCN1 | VCN1-RDG-SN | RDG.vcn1rdgsn.vcn1.oraclevcn.com |
Peered VCNs | VCN2 | VCN2-RDG-SN | RDG.vcn2rdgsn.vcn2.oraclevcn.com |
A Peering Gateway peers multiple virtual cloud networks (VCNs). There are two types of gateways: Local Peering Gateway (LPG) and Dynamic Routing Gateway (DRG).
Create gateways relative to your scenario.
SCENARIO | TYPE | NAME |
---|---|---|
Local Peering | LPG | VCN1toVCN2 |
Local Peering | LPG | VCN2toVCN1 |
Remote Peering | DRG | Region1-DRG |
Remote Peering | DRG | Region2-DRG |
Peer the LPGs.
SCENARIO | PEERED CIDR | NAME |
---|---|---|
Local Peering | 10.20.10.0/24 | VCN1toVCN2 |
Local Peering | 10.10.10.0/24 | VCN2toVCN1 |
Route Tables send a subnet's traffic to destinations outside the VCN.
Create route tables for Local Peering and Remote Peering with the following rules.
SCENARIO | NAME | VCN | DESTINATION CIDR | TARGET | NOTE |
---|---|---|---|---|---|
Local Peering | VCN1-LCL-PEER-RT | VCN1 | 10.20.10.0/23 | VCN1toVCN2 | Return to VCN2 RDG |
Local Peering | VCN2-LCL-PEER-RT | VCN2 | 10.10.10.0/23 | VCN2toVCN1 | Send to VCN1 OAC |
Remote Peering | VCN1-RMT-PEER-RT | VCN1 | 10.20.10.0/23 | Region1-DRG | Return to VCN2 RDG and DNS |
Remote Peering | VCN2-RMT-PEER-RT | VCN2 | 10.10.10.0/23 | Region2-DRG | Send to VCN1 OAC and DNS |
Associate the route tables to the RDG, DNS, and OAC subnets
SCENARIO | NAME | SUBNET |
---|---|---|
Local Peering | VCN1-LCL-PEER-RT | VCN1-OAC-SN |
Local Peering | VCN2-LCL-PEER-RT | VCN2-RDG-SN |
Remote Peering | VCN1-RMT-PEER-RT | VCN1-OAC-SN |
Remote Peering | VCN2-RMT-PEER-RT | VCN2-RDG-SN |
Remote Peering | VCN1-RMT-PEER-RT | VCN1-DNS-SN |
Remote Peering | VCN2-RMT-PEER-RT | VCN2-DNS-SN |
A DNS Private View is a collection of DNS private zones. Private Views relate to VCNs. Private Zones relate to Subnets. You can associate private views within the same region to your VCN's DNS resolver. Private views cannot be used for remote peering.
Associate the VCN1 Private View to VCN2
SCENARIO | VCN | PRIVATE VIEW |
---|---|---|
Local Peering | VCN2 | VCN1 |
A Gateway Attachment attaches a DRG to a VCN.
Attach the DRGs to the corresponding VCN.
SCENARIO | VCN | DRG |
---|---|---|
Remote Peering | VCN1 | REGION1-DRG |
Remote Peering | VCN2 | REGION2-DRG |
A Remote Peering Connection (RPC) acts as a connection point for a remotely peered VCN.
Create an RPC for each DRG.
SCENARIO | DRG | NAME |
---|---|---|
Remote Peering | REGION1-DRG | REGION1-RPC-TO-REGION2 |
Remote Peering | REGION2-DRG | REGION2-RPC-TO-REGION1 |
Peer the RPCs.
SCENARIO | RPC | PEER REGION | PEERED RPC |
---|---|---|---|
Remote Peering | REGION1-RPC-TO-REGION2 | REGION2 | REGION2-RPC-TO-REGION1 |
A DNS Endpoint is attached to a VCN or a subnet. An endpoint can only be configured to either forward or listen. A listening endpoint receives queries from within the VCN, other VCN Resolvers, or your on-premises network's DNS. A forwarding endpoint forwards DNS queries to the listening endpoint in other peered VCNs or your on-premises network's DNS.
To resolve the OAC FQDN create a listening endpoint in the VCN1 DNS Subnet and a forwarding endpoint in the VCN2 DNS Subnet.
SCENARIO | VCN | Subnet | MODE | NAME | IP address |
---|---|---|---|---|---|
Remote Peering | VCN1 | VCN1-DNS-SN | Listener | VCN1-DNS-Listener | 10.10.10.34 |
Remote Peering | VCN2 | VCN2-DNS-SN | Forwarder | VCN2-DNS-Forwarder | 10.10.10.2 |
A DNS Rule is used to answer queries that isn't answered by a VCN's DNS private views.
Create a DNS Rule in VCN2 that detects an OAC domain request, submits it to the VCN2 forwarding endpoint with instructions to forward the request to VCN1's listener endpoint's IP address.
SCENARIO | VCN | Subnet | TYPE | Domain | Forwarder | Listener IP address |
---|---|---|---|---|---|---|
Remote Peering | VCN2 | DNS-SN | DNS Rule | OAC.analytics.ocp.oraclecloud.com | VCN2-Forwarder | 10.10.10.34 |
Validate connectivity between the following components.
Connect to the RDG host and Issue the nslookup command from the command line e.g.
nslookup < your OAC or ADW FQDN >
Connect to the RDG host. Use the traceroute command on Linux and the Test-NetworkConnection (tnc) on Windows.
sudo traceroute -n -q 1 -T -p < your OAC or ADW port > < your OAC or ADW FQDN >
For remote peering you see:
1 nnn.nnn.nnn.nnn nnn ms
2 nnn.nnn.nnn.nnn nnn ms
3 < your OAC or ADW IP address > nnn ms
Otherwise:
1 < your OAC or ADW IP address > nnn ms
tnc < your OAC or ADW FQDN > -port < your OAC or ADW port >
TcpTestSucceeded : True
SCENARIO | SOURCE | TARGET | TYPE | IDENTIFIER | RESULT |
---|---|---|---|---|---|
Single VCN | RDG | ADW | FQDN | ADW.adb.region1.oraclecloud.com | Success |
Single VCN | RDG | ADW | Port | 1522 | Success |
Peered VCNs | RDG | ADW | FQDN | ADW.adb.region2.oraclecloud.com | Success |
Peered VCNs | RDG | ADW | Port | 1522 | Success |
All | RDG | OAC | FQDN | OAC.analytics.ocp.oraclecloud.com | Success |
All | RDG | OAC | Port | 10.10.10.2:443 | Success |
Remote Peering | DNS Forwarder | DNS Listener | Port | 53 | Implicit Success based on above |
Connect to OAC, click Create, click Connection, and click Oracle Autonomous Data Warehouse.
Enter a Connection Name
Enter a Description
Click Select and choose your ADW Client Credentials zip file
Enter an ADW Username e.g. admin and Password
Select a Service Name related to your ADW from the dropdown
Check the box for Use Remote Data Connectivity
Click Save
The connection is created and you may now create data sets, analyses and projects.
This post provided a step-by-step guide for deploying the necessary components and validating the connectivity between them for a private connection between OAC and an Autonomous Database (ADB).
For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley
Next Post