Connecting OAC to an ADB using Private Endpoints
November 25, 2020 | 8 minute read
Note: Private Access Channel is now available in Oracle Analytics and is recommended by Oracle for new connections to private data sources. For more information on the feature and the data sources it supports refer to:
Connect to Private Data Sources Through a Private Access Channel
Supported Data Sources
A-Team Chronicles Private Access Channel Series
Validated November 24, 2020 with OAC 5.8
Introduction
Oracle Analytics Cloud (OAC) may now be provisioned within a Virtual Cloud network (VCN) on Oracle Cloud Infrastructure (OCI) with a private IP address.
This post is a step-by-step guide for deploying the components and validating the connectivity between them thus enabling a private connection between OAC and an Autonomous Database (ADB). The ADB may be on shared or dedicated infrastructure and may be either Autonomous Data Warehouse (ADW) or Autonomous Transaction Processing. This guide uses an ADW as the ADB.
This is one of the post listed in the OAC Private Endpoint Parent Post
Validations
November 29, 2020 with OAC 5.8
Topics
Before You Begin
Deploying Components
Validating Connectivity
Creating a Private ADW connection
Final States and Traffic Flows
Before You Begin
All names and addresses used in this post are for examples only. Although not required, resources are assumed to be in separate subnets to demonstrate security and routing rules.
Three scenarios are provided; Single VCN, Locally Peered VCNs and Remotely Peered VCNs. The "Peered VCNs" scenario includes both peering scenarios and the "All" scenario includes all.
The following are assumed to be in place relative to your scenario.
Privileges
A user account in an OCI tenancy granted compartment privileges for managing Analytics, Compute, ADBs and Networking components.
OAC Subnet
Rules for client connectivity in the OAC subnet's security list and route table.
Components
| SCENARIO | NAME | CIDR | DNS |
|---|---|---|---|
| All | VCN1 | 10.10.10.0/23 | Yes |
| Peered VCNs | VCN2 | 10.20.10.0/23 | Yes |
| SCENARIO | VCN | NAME | CIDR | DNS | DHCP Option | Route Table | Security List |
|---|---|---|---|---|---|---|---|
| All | VCN1 | VCN1-OAC-SN | 10.10.10.0/27 | Yes | Default | Default | Default |
| Single VCN | VCN1 | VCN1-DB-SN | 10.10.10.32/27 | Yes | Default | Default | Default |
| Peered VCNs | VCN2 | VCN2-DB-SN | 10.20.10.32/27 | Yes | Default | Default | Default |
| SCENARIO | VCN | SUBNET | TYPE | FQDN |
|---|---|---|---|---|
| All | VCN1 | VCN1-OAC-SN | OAC | OAC.analytics.ocp.oraclecloud.com |
| Single VCN | VCN1 | VCN1-ADW-SN | ADW | ADW.adb.region1.oraclecloud.com |
| Local Peering | VCN2 | VCN2-ADW-SN | ADW | ADW.adb.region1.oraclecloud.com |
| Remote Peering | VCN2 | VCN2-ADW-SN | ADW | ADW.adb.region2.oraclecloud.com |
Single VCN Initial State
Peered VCNs Initial State
Deploying Components
This section details the following additional components relative to your scenario.
Subnets
Security Lists
Remote Data Gateway
Peering Gateways
Route Tables
DNS Private Views
Gateway Associations
Remote Peering Connections
DNS EndPoints
DNS Rules
Subnets
A Subnet consists of a contiguous range of IPv4 addresses that do not overlap with other subnets in the VCN. They act as a unit of configuration: all instances in a subnet use the same route table, security lists, and DHCP options.
Create subnets relative to your scenario.
| SCENARIO | VCN | NAME | CIDR | DNS | DHCP Option | Route Table | Security List |
|---|---|---|---|---|---|---|---|
| Single VCN | VCN1 | VCN1-RDG-SN | 10.10.10.64/27 | Yes | Default | Default | Default |
| Peered VCNs | VCN2 | VCN2-RDG-SN | 10.20.10.64/27 | Yes | Default | Default | Default |
| Remote Peering | VCN1 | VCN1-DNS-SN | 10.10.10.32/27 | Yes | Default | Default | Default |
| Remote Peering | VCN2 | VCN2-DNS-SN | 10.20.10.0/27 | Yes | Default | Default | Default |
Security Lists
Security Lists control network traffic within a subnet in addition to firewall rules within each resource.
Create security lists for the DB, DNS, and OAC subnets with the following rules.
| SCENARIO | NAME | VCN | SOURCE CIDR | PROTOCOL | PORT | NOTE |
|---|---|---|---|---|---|---|
| Single VCN | VCN1-OAC-SL | VCN1 | 10.10.10.0/23 | TCP | 443 | From VCN1 RDG |
| Single VCN | VCN1-ADW-SL | VCN1 | 10.10.10.0/23 | TCP | 1522 | From VCN1 RDG |
| Peered VCNs | VCN1-OAC-SL | VCN1 | 10.20.10.0/23 | TCP | 443 | From VCN2 RDG |
| Peered VCNs | VCN2-ADW-SL | VCN2 | 10.20.10.0/23 | TCP | 1522 | From VCN2 RDG |
| Remote Peering | VCN1-DNS-SL | VCN1 | 10.20.10.0/23 | UDP | 53 | From VCN2 DNS |
Associate the security lists to the corresponding subnet.
| SCENARIO | NAME | SUBNET |
|---|---|---|
| All | VCN1-OAC-SL | VCN1-OAC-SN |
| Single VCN | VCN1-ADW-SL | VCN1-ADW-SN |
| Peered VCNs | VCN2-ADW-SL | VCN2-ADW-SN |
| Remote Peering | VCN1-DNS-SL | VCN1-DNS-SN |
Remote Data Gateway
OAC currently requires Remote Data Gateway (RDG) to reach private data sources. RDG is deployed in either a Linux or a Windows VM.
Deploy RDG. Refer here for a post on deploying in a private subnet.
| SCENARIO | VCN | SUBNET | FQDN |
|---|---|---|---|
| Single VCN | VCN1 | VCN1-RDG-SN | RDG.vcn1rdgsn.vcn1.oraclevcn.com |
| Peered VCNs | VCN2 | VCN2-RDG-SN | RDG.vcn2rdgsn.vcn2.oraclevcn.com |
Peering Gateways
A Peering Gateway peers multiple virtual cloud networks (VCNs). There are two types of gateways: Local Peering Gateway (LPG) and Dynamic Routing Gateway (DRG).
Create gateways relative to your scenario.
| SCENARIO | TYPE | NAME |
|---|---|---|
| Local Peering | LPG | VCN1toVCN2 |
| Local Peering | LPG | VCN2toVCN1 |
| Remote Peering | DRG | Region1-DRG |
| Remote Peering | DRG | Region2-DRG |
Peer the LPGs.
| SCENARIO | PEERED CIDR | NAME |
|---|---|---|
| Local Peering | 10.20.10.0/24 | VCN1toVCN2 |
| Local Peering | 10.10.10.0/24 | VCN2toVCN1 |
Route Tables
Route Tables send a subnet's traffic to destinations outside the VCN.
Create route tables for Local Peering and Remote Peering with the following rules.
| SCENARIO | NAME | VCN | DESTINATION CIDR | TARGET | NOTE |
|---|---|---|---|---|---|
| Local Peering | VCN1-LCL-PEER-RT | VCN1 | 10.20.10.0/23 | VCN1toVCN2 | Return to VCN2 RDG |
| Local Peering | VCN2-LCL-PEER-RT | VCN2 | 10.10.10.0/23 | VCN2toVCN1 | Send to VCN1 OAC |
| Remote Peering | VCN1-RMT-PEER-RT | VCN1 | 10.20.10.0/23 | Region1-DRG | Return to VCN2 RDG and DNS |
| Remote Peering | VCN2-RMT-PEER-RT | VCN2 | 10.10.10.0/23 | Region2-DRG | Send to VCN1 OAC and DNS |
Associate the route tables to the RDG, DNS, and OAC subnets
| SCENARIO | NAME | SUBNET |
|---|---|---|
| Local Peering | VCN1-LCL-PEER-RT | VCN1-OAC-SN |
| Local Peering | VCN2-LCL-PEER-RT | VCN2-RDG-SN |
| Remote Peering | VCN1-RMT-PEER-RT | VCN1-OAC-SN |
| Remote Peering | VCN2-RMT-PEER-RT | VCN2-RDG-SN |
| Remote Peering | VCN1-RMT-PEER-RT | VCN1-DNS-SN |
| Remote Peering | VCN2-RMT-PEER-RT | VCN2-DNS-SN |
DNS Private Views
A DNS Private View is a collection of DNS private zones. Private Views relate to VCNs. Private Zones relate to Subnets. You can associate private views within the same region to your VCN's DNS resolver. Private views cannot be used for remote peering.
Associate the VCN1 Private View to VCN2
| SCENARIO | VCN | PRIVATE VIEW |
|---|---|---|
| Local Peering | VCN2 | VCN1 |
Gateway Attachments
A Gateway Attachment attaches a DRG to a VCN.
Attach the DRGs to the corresponding VCN.
| SCENARIO | VCN | DRG |
|---|---|---|
| Remote Peering | VCN1 | REGION1-DRG |
| Remote Peering | VCN2 | REGION2-DRG |
Remote Peering Connections
A Remote Peering Connection (RPC) acts as a connection point for a remotely peered VCN.
Create an RPC for each DRG.
| SCENARIO | DRG | NAME |
|---|---|---|
| Remote Peering | REGION1-DRG | REGION1-RPC-TO-REGION2 |
| Remote Peering | REGION2-DRG | REGION2-RPC-TO-REGION1 |
Peer the RPCs.
| SCENARIO | RPC | PEER REGION | PEERED RPC |
|---|---|---|---|
| Remote Peering | REGION1-RPC-TO-REGION2 | REGION2 | REGION2-RPC-TO-REGION1 |
DNS Endpoints
A DNS Endpoint is attached to a VCN or a subnet. An endpoint can only be configured to either forward or listen. A listening endpoint receives queries from within the VCN, other VCN Resolvers, or your on-premises network's DNS. A forwarding endpoint forwards DNS queries to the listening endpoint in other peered VCNs or your on-premises network's DNS.
To resolve the OAC FQDN create a listening endpoint in the VCN1 DNS Subnet and a forwarding endpoint in the VCN2 DNS Subnet.
| SCENARIO | VCN | Subnet | MODE | NAME | IP address |
|---|---|---|---|---|---|
| Remote Peering | VCN1 | VCN1-DNS-SN | Listener | VCN1-DNS-Listener | 10.10.10.34 |
| Remote Peering | VCN2 | VCN2-DNS-SN | Forwarder | VCN2-DNS-Forwarder | 10.10.10.2 |
DNS Rules
A DNS Rule is used to answer queries that isn't answered by a VCN's DNS private views.
Create a DNS Rule in VCN2 that detects an OAC domain request, submits it to the VCN2 forwarding endpoint with instructions to forward the request to VCN1's listener endpoint's IP address.
| SCENARIO | VCN | Subnet | TYPE | Domain | Forwarder | Listener IP address |
|---|---|---|---|---|---|---|
| Remote Peering | VCN2 | DNS-SN | DNS Rule | OAC.analytics.ocp.oraclecloud.com | VCN2-Forwarder | 10.10.10.34 |
Validating Connectivity
Validate connectivity between the following components.
Validating Fully Qualified Domain Name (FQDN) Resolution
Connect to the RDG host and Issue the nslookup command from the command line e.g.
nslookup < your OAC or ADW FQDN >
Validating Port Access
Connect to the RDG host. Use the traceroute command on Linux and the Test-NetworkConnection (tnc) on Windows.
Linux:
sudo traceroute -n -q 1 -T -p < your OAC or ADW port > < your OAC or ADW FQDN >
For remote peering you see:
1 nnn.nnn.nnn.nnn nnn ms
2 nnn.nnn.nnn.nnn nnn ms
3 < your OAC or ADW IP address > nnn ms
Otherwise:
1 < your OAC or ADW IP address > nnn ms
Windows:
tnc < your OAC or ADW FQDN > -port < your OAC or ADW port >
TcpTestSucceeded : True
| SCENARIO | SOURCE | TARGET | TYPE | IDENTIFIER | RESULT |
|---|---|---|---|---|---|
| Single VCN | RDG | ADW | FQDN | ADW.adb.region1.oraclecloud.com | Success |
| Single VCN | RDG | ADW | Port | 1522 | Success |
| Peered VCNs | RDG | ADW | FQDN | ADW.adb.region2.oraclecloud.com | Success |
| Peered VCNs | RDG | ADW | Port | 1522 | Success |
| All | RDG | OAC | FQDN | OAC.analytics.ocp.oraclecloud.com | Success |
| All | RDG | OAC | Port | 10.10.10.2:443 | Success |
| Remote Peering | DNS Forwarder | DNS Listener | Port | 53 | Implicit Success based on above |
Creating an OAC Private ADW connection
Connect to OAC, click Create, click Connection, and click Oracle Autonomous Data Warehouse.
Enter a Connection Name
Enter a Description
Click Select and choose your ADW Client Credentials zip file
Enter an ADW Username e.g. admin and Password
Select a Service Name related to your ADW from the dropdown
Check the box for Use Remote Data Connectivity
Click Save
The connection is created and you may now create data sets, analyses and projects.
Final States and Traffic Flows
Single VCN
Local Peering
Remote Peering
Summary
This post provided a step-by-step guide for deploying the necessary components and validating the connectivity between them for a private connection between OAC and an Autonomous Database (ADB).
For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley
Dayne Carley
Next Post