X

Best Practices from Oracle Development's A‑Team

Connecting OAC to an ADB using Private Endpoints

Validated November 24, 2020 with OAC 5.8

Introduction

Oracle Analytics Cloud (OAC) may now be provisioned within a Virtual Cloud network (VCN) on Oracle Cloud Infrastructure (OCI) with a private IP address.

This post is a step-by-step guide for deploying the components and validating the connectivity between them thus enabling a  private connection between OAC and an Autonomous Database (ADB). The ADB may be on shared or dedicated infrastructure and may be either Autonomous Data Warehouse (ADW) or Autonomous Transaction Processing. This guide uses an ADW as the ADB.

This is one of the post listed in the OAC Private Endpoint Parent Post

Validations

November 29, 2020 with OAC 5.8

Topics

Before You Begin

Deploying Components

Validating Connectivity

Creating a Private ADW connection

Final States and Traffic Flows

 Before You Begin

All names and addresses used in this post are for examples only. Although not required, resources are assumed to be in separate subnets to demonstrate security and routing rules.

Three scenarios are provided; Single VCN, Locally Peered VCNs and Remotely Peered VCNs. The "Peered VCNs" scenario includes both peering scenarios and the "All" scenario includes all.

The following are assumed to be in place relative to your scenario.

Privileges

A user account in an OCI tenancy granted compartment privileges for managing Analytics, Compute, ADBs and Networking components.

OAC Subnet

Rules for client connectivity in the OAC subnet's security list and route table.

Components

VCN

SCENARIO NAME CIDR DNS
All VCN1 10.10.10.0/23 Yes
Peered VCNs VCN2 10.20.10.0/23 Yes

 

Subnets

SCENARIO VCN NAME CIDR DNS DHCP Option Route Table Security List
All VCN1 VCN1-OAC-SN 10.10.10.0/27 Yes Default Default Default
Single VCN VCN1 VCN1-DB-SN 10.10.10.32/27 Yes Default Default Default
Peered VCNs VCN2 VCN2-DB-SN 10.20.10.32/27 Yes Default Default Default

 

Resources

SCENARIO VCN SUBNET TYPE FQDN
All VCN1 VCN1-OAC-SN OAC OAC.analytics.ocp.oraclecloud.com
Single VCN VCN1 VCN1-ADW-SN ADW ADW.adb.region1.oraclecloud.com
Local Peering VCN2 VCN2-ADW-SN ADW ADW.adb.region1.oraclecloud.com
Remote Peering VCN2 VCN2-ADW-SN ADW ADW.adb.region2.oraclecloud.com

 

Single VCN Initial State

Peered VCNs Initial State

 Deploying Components

This section details the following additional components relative to your scenario.

Subnets
Security Lists
Remote Data Gateway
Peering Gateways
Route Tables
DNS Private Views
Gateway Associations
Remote Peering Connections
DNS EndPoints
DNS Rules

Subnets

A Subnet consists of a contiguous range of IPv4 addresses that do not overlap with other subnets in the VCN. They act as a unit of configuration: all instances in a subnet use the same route table, security lists, and DHCP options.

Create subnets relative to your scenario.

Subnets

SCENARIO VCN NAME CIDR DNS DHCP Option Route Table Security List
Single VCN VCN1 VCN1-RDG-SN 10.10.10.64/27 Yes Default Default Default
Peered VCNs VCN2 VCN2-RDG-SN 10.20.10.64/27 Yes Default Default Default
Remote Peering VCN1 VCN1-DNS-SN 10.10.10.32/27 Yes Default Default Default
Remote Peering VCN2 VCN2-DNS-SN 10.20.10.0/27 Yes Default Default Default


Security Lists

Security Lists control network traffic within a subnet in addition to firewall rules within each resource. 

Create security lists for the DB, DNS, and OAC subnets with the following rules.

Note: For ADW on dedicated infrastructure the TCPS port may be 2482

 

Security Lists

SCENARIO NAME VCN SOURCE CIDR PROTOCOL PORT NOTE
Single VCN VCN1-OAC-SL VCN1 10.10.10.0/23 TCP 443 From VCN1 RDG
Single VCN VCN1-ADW-SL VCN1 10.10.10.0/23 TCP 1522 From VCN1 RDG 
Peered VCNs VCN1-OAC-SL VCN1 10.20.10.0/23 TCP 443 From VCN2 RDG
Peered VCNs VCN2-ADW-SL VCN2 10.20.10.0/23 TCP 1522 From VCN2 RDG
Remote Peering VCN1-DNS-SL VCN1 10.20.10.0/23 UDP 53 From VCN2 DNS

 

 Associate the security lists to the corresponding subnet.

Security List Associations

SCENARIO NAME SUBNET
All VCN1-OAC-SL VCN1-OAC-SN
Single VCN VCN1-ADW-SL VCN1-ADW-SN
Peered VCNs VCN2-ADW-SL VCN2-ADW-SN
Remote Peering VCN1-DNS-SL VCN1-DNS-SN


Remote Data Gateway

OAC currently requires Remote Data Gateway (RDG) to reach private data sources. RDG is deployed in either a Linux or a Windows VM.

Deploy RDG. Refer here for a post on deploying in a private subnet.

Remote Data Gateway

SCENARIO VCN SUBNET FQDN
Single VCN VCN1 VCN1-RDG-SN RDG.vcn1rdgsn.vcn1.oraclevcn.com
Peered VCNs VCN2 VCN2-RDG-SN RDG.vcn2rdgsn.vcn2.oraclevcn.com

 

If you are using a single VCN proceed to Section 2: Validating Connectivity

 

Peering Gateways

A Peering Gateway peers multiple virtual cloud networks (VCNs). There are two types of gateways: Local Peering Gateway (LPG) and Dynamic Routing Gateway (DRG).

Create gateways relative to your scenario.

Gateways

SCENARIO TYPE NAME
Local Peering LPG VCN1toVCN2
Local Peering LPG VCN2toVCN1
Remote Peering DRG Region1-DRG
Remote Peering DRG Region2-DRG

 

Peer the LPGs.

Peered LPGs

SCENARIO PEERED CIDR NAME
Local Peering 10.20.10.0/24 VCN1toVCN2
Local Peering 10.10.10.0/24 VCN2toVCN1


Route Tables

Route Tables send a subnet's traffic to destinations outside the VCN. 

Create route tables for Local Peering and Remote Peering with the following rules.

Ensure to add OAC's existing route rules to the appropriate scenario's route table. 

 

Route Tables

SCENARIO NAME VCN DESTINATION CIDR TARGET NOTE
Local Peering VCN1-LCL-PEER-RT VCN1 10.20.10.0/23 VCN1toVCN2 Return to VCN2 RDG
Local Peering VCN2-LCL-PEER-RT VCN2 10.10.10.0/23 VCN2toVCN1 Send to VCN1 OAC 
Remote Peering VCN1-RMT-PEER-RT VCN1 10.20.10.0/23 Region1-DRG Return to VCN2 RDG and DNS
Remote Peering VCN2-RMT-PEER-RT VCN2 10.10.10.0/23 Region2-DRG Send to VCN1 OAC and DNS

 

Associate the route tables to the RDG, DNS, and OAC subnets

Route Table Associations

SCENARIO NAME SUBNET
Local Peering VCN1-LCL-PEER-RT VCN1-OAC-SN
Local Peering VCN2-LCL-PEER-RT VCN2-RDG-SN
Remote Peering VCN1-RMT-PEER-RT VCN1-OAC-SN
Remote Peering VCN2-RMT-PEER-RT VCN2-RDG-SN
Remote Peering VCN1-RMT-PEER-RT VCN1-DNS-SN
Remote Peering VCN2-RMT-PEER-RT VCN2-DNS-SN

 

DNS Private Views

A DNS Private View is a collection of DNS private zones. Private Views relate to VCNs. Private Zones relate to Subnets. You can associate private views within the same region to your VCN's DNS resolver. Private views cannot be used for remote peering.

Associate the VCN1 Private View to VCN2

DNS Private Views

SCENARIO VCN PRIVATE VIEW
Local Peering VCN2 VCN1

 

If you are using local peering proceed to Section 2: Validating Connectivity

 

Gateway Attachments

A Gateway Attachment attaches a DRG to a VCN.

Attach the DRGs to the corresponding VCN.

Gateway Attachments

SCENARIO VCN DRG
Remote Peering VCN1 REGION1-DRG
Remote Peering VCN2 REGION2-DRG


Remote Peering Connections

Remote Peering Connection (RPC) acts as a connection point for a remotely peered VCN.

Create an RPC for each DRG.

Remote Peering Connections

SCENARIO DRG NAME
Remote Peering REGION1-DRG REGION1-RPC-TO-REGION2
Remote Peering REGION2-DRG REGION2-RPC-TO-REGION1

 

Peer the RPCs.

Peered RPCs

SCENARIO RPC PEER REGION PEERED RPC
Remote Peering REGION1-RPC-TO-REGION2 REGION2 REGION2-RPC-TO-REGION1

 

DNS Endpoints

DNS Endpoint is attached to a VCN or a subnet. An endpoint can only be configured to either forward or listen. A listening endpoint receives queries from within the VCN, other VCN Resolvers, or your on-premises network's DNS. A forwarding endpoint forwards DNS queries to the listening endpoint in other peered VCNs or your on-premises network's DNS.

To resolve the OAC FQDN create a listening endpoint in the VCN1 DNS Subnet and a forwarding endpoint in the VCN2 DNS Subnet.

DNS Endpoints

SCENARIO VCN Subnet MODE NAME IP address
Remote Peering VCN1 VCN1-DNS-SN Listener VCN1-DNS-Listener 10.10.10.34
Remote Peering VCN2 VCN2-DNS-SN Forwarder VCN2-DNS-Forwarder 10.10.10.2


DNS Rules

DNS Rule is used to answer queries that isn't answered by a VCN's DNS private views.

Create a DNS Rule in VCN2 that detects an OAC domain request, submits it to the VCN2 forwarding endpoint with instructions to forward the request to VCN1's listener endpoint's IP address.

Note: OAC domains are the same for all regions thus requiring the full FQDN be specified.

 

DNS Rules

SCENARIO VCN Subnet TYPE Domain Forwarder Listener IP address
Remote Peering VCN2 DNS-SN DNS Rule OAC.analytics.ocp.oraclecloud.com VCN2-Forwarder 10.10.10.34

 

 Validating Connectivity

Validate connectivity between the following components. 

Validating Fully Qualified Domain Name (FQDN) Resolution

Connect to the RDG host and Issue the nslookup command from the command line e.g.

nslookup < your OAC or ADW FQDN >  

Validating Port Access

Connect to the RDG host. Use the traceroute command on Linux and the Test-NetworkConnection (tnc) on Windows.

Linux: 

sudo traceroute  -n -q 1  -T -p  your OAC or ADW port > your OAC or ADW FQDN >

For remote peering you see:

 1  nnn.nnn.nnn.nnn  nnn ms
 2  nnn.nnn.nnn.nnn  nnn ms
 3  < your OAC or ADW IP address > nnn ms

Otherwise:

1  < your OAC or ADW IP address > nnn ms

Windows:

tnc < your OAC or ADW FQDN > -port your OAC or ADW port >

TcpTestSucceeded : True

Validations

SCENARIO SOURCE TARGET TYPE IDENTIFIER RESULT
Single VCN RDG ADW FQDN ADW.adb.region1.oraclecloud.com Success
Single VCN RDG ADW Port 1522 Success
Peered VCNs RDG ADW FQDN ADW.adb.region2.oraclecloud.com Success
Peered VCNs RDG ADW Port 1522 Success
All RDG OAC FQDN OAC.analytics.ocp.oraclecloud.com Success
All RDG OAC Port 10.10.10.2:443 Success
Remote Peering DNS Forwarder DNS Listener Port 53 Implicit Success based on above

 

 Creating an OAC Private ADW connection

Connect to OAC, click Create, click Connection, and click Oracle Autonomous Data Warehouse.

Enter a Connection Name

Enter a Description

Click Select and choose your ADW Client Credentials zip file

Enter an ADW Username e.g. admin and Password

Select a Service Name related to your ADW from the dropdown

Check the box for Use Remote Data Connectivity

Click Save

The connection is created and you may now create data sets, analyses and projects.

 Final States and Traffic Flows

Single VCN

Local Peering

Remote Peering

 Summary

This post provided a step-by-step guide for deploying the necessary components and validating the connectivity between them for a private connection between OAC and an Autonomous Database (ADB). 

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley

 

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha