X

Best Practices from Oracle Development's A‑Team

Connecting to Oracle Analytics Private Endpoint with a Public Load Balancer

Validated February 11, 2021 with OAC 5.9

Introduction

Oracle Analytics (OAC) may now be provisioned within a Virtual Cloud network (VCN) on Oracle Cloud Infrastructure (OCI) with a private IP address.

A public load balancer (LB) provides access when VPN / FastConnect is not available. It acts as a proxy between users / applications and the private instance.

Load balancers may listen for TCP or HTTPs traffic. HTTPs listeners require an upload of a trusted certificate signed by a certificate authority for each fully qualified domain name (FQDN) it directs traffic to. TCP listeners do not.

Prior to version 5.9 OAC had a single native FQDN. Versions 5.9 and higher now provide for an optional custom or vanity FQDN. The TCP protocol is used for native FQDNs as it is not possible to upload the associated certificate's private key.

This post is a step-by-step guide for connecting to a private OAC via a public load balancer using the TCP protocol.

It is a companion of this post that describes using a load balancer with an HTTPs listener for vanity URLs and is one of the posts listed in the OAC Private Endpoint Series

Validations

February 11, 2021 with OAC 5.9

October 31, 2020 with OAC 5.8

Topics

Before You Begin

Preparing to Provision a Public Load Balancer

Provisioning a Public Load Balancer

Updating Your DNS

Validating Connectivity to OAC via the Load Balancer

 Before You Begin

This guide assumes the following is in place:

A user account in an OCI tenancy associated with an Identity and Access Management (IAM)  group.

Compartment privileges for managing Analytics, Load Balancers and Networking components. Refer here for policy references. An example policy rule for development purposes is:

Allow group < Your IAM Group > to Manage all-resources in < Your Compartment >

An existing VCN hosting OAC or create a new one. This post uses VCN, 10.10.10.0/24, as an example. Refer here for VCN documentation.

An existing private subnet hosting OAC or create a new one. This post uses OAC-Subnet, 10.10.10.0/27, as an example.

An existing OAC provisioned with a private endpoint or create a new one. This post uses an example of an OAC named PRVT-OAC with an IP address of 10.10.10.2 and an FQDN of prvtoac.analytics.ocp.oraclecloud.com. Refer here for a post on provisioning. 

Utilities on your client workstation such as nslookup and ncat for validating the configuration.

Access to the internet from your client workstation.

Administrative privileges on your workstation or router to modify Domain Name System (DNS) settings.

The initial state is depicted below.

 Preparing to Provision a Public Load Balancer

Provisioning a public load balancer requires a public subnet, security list, route table and internet gateway. Connect to the OCI console and perform the following.

Creating a Public Subnet

Create a regional public subnet in the VCN hosting OAC. Navigate to Networking and select your compartment and region. Navigate to Virtual Cloud Networks and click on the VCN. From the Subnets resource click on Create Subnet.

Provide a Name e.g. LB-Subnet
Provide a CIDR Block e.g. 10.10.10.32/27
Let everything else default and click Create Subnet.

Creating an Internet Gateway

Navigate to the Internet Gateways resource. If the OAC VCN does not have an existing internet gateway click Create Internet Gateway. Refer here for documentation.

Provide a Name and click Create Internet Gateway.

Determining Your Public IP Address

The load balancer subnet restricts access via a security list to your public IP address or a range of public IP addresses. This may be tricky because your public IP address is assigned by your router and may/will change over time. To find what your IP address is today perform a search from your browser "What is my IP". The result will be your public IP address e.g. 172.228.43.165 Note: If you are connected to a VPN the public IP address is different. Make a note of that one also e.g. 148.228.4.23

Although it may change, it may not change by much. If you think it is always be between 172.228.43.0 and 172.228.43.255 then CIDR block 172.228.43.0/24 fits. If it changes to something outside off that range, then the security list CIDR block needs to be updated to allow it. In the above VPN example the CIDR may be 148.87.23.0/24

Access Control and Routing for the LB Subnet

Limiting Access to the LB

The load balancer listens on port 443 for OAC HTTPS connections. Create a security list that allows ingress to TCP port 443. Navigate to the Security Lists resource and click Create Security List.

Enter a Name e.g. LB-Subnet-SL and click Create Security List.

Click on the new security list and click Add Ingress Rule.

Enter the SOURCE CIDR corresponding to your range of non-VPN public IP addresses e.g. 172.228.43.0/24
Enter 443 as the Destination Port Range

If you have access to a VPN connection, Click + Another Ingress Rule

Enter the SOURCE CIDR corresponding to your range of VPN public IP addresses e.g. 148.87.23.0/24
Enter 443 as the Destination Port Range


Accept the remaining defaults and click Add Ingress Rules

Creating a Route Table

Create a route table with a rule directing traffic leaving the VCN to the internet gateway. Navigate to the Route Tables resource and click Create Route Table.

Enter a Name e.g. LB-Subnet-RT and click Create Route Table.

Click on the new route table and click Add Route Rules.

Select Internet Gateway as the TARGET TYPE
Enter 0.0.0.0/0 as the DESTINATION CIDR BLOCK to forward all traffic
Select your internet gateway as the TARGET INTERNET GATEWAY
Accept the remaining defaults and click Add Route Rules

Associating the Security List and Route Table

Associate the security list and route table to the LB subnet. Navigate to the Subnets resource and click on the LB subnet.

Click Add Security List

Select the new LB security list from the dropdown and click Add Security List.

Click Edit

Select the new LB security list from the dropdown and click Save Changes.

Access Control for the OAC Subnet

Limiting Access to OAC

OAC listens on port 443 for HTTPS connections. Ensure there is a security list rule that allows ingress to TCP port 443. A moderately restrictive rule has the SOURCE CIDR set to the CIDR of the OAC VCN e.g. 10.10.10.0/24

Associating the Security List

Ensure the security list containing the rule is associated with the OAC subnet. 

 Provisioning a Public Load Balancer

Provision the public load balancer. Refer here for LB documentation.

Creating the Load Balancer

Navigate to Networking >> Load Balancers and click Create Load Balancer.

Add Details Page

Give the LB a Name e.g. PublicLB
Select the OAC VCN from the dropdown for the VIRTUAL CLOUD NETWORK
Select the LB subnet from the dropdown for the SUBNET
Click Next

Choose Backends Page

For the SPECIFY HEALTH CHECK POLICY
   Select TCP from the dropdown for the PROTOCOL
   Enter 443 for the PORT
Accept the remaining defaults and click Next

Configure Listener Page

Enter a LISTENER NAME e.g. PublicLB-LSNR
Check TCP for the SPECIFY THE TYPE OF TRAFFIC YOUR LISTENER HANDLES
Enter 443 for the SPECIFY THE PORT YOUR LISTENER MONITORS FOR INGRESS TRAFFIC
Accept the remaining defaults and click Submit

Noting the public IP address

When the State changes to Active make a note of the IP Address e.g. 129.228.231.215

Updating the Backend Set

An empty backend set is created for the LB and must be updated. Navigate to the Backend Sets resource. Click on the Backend Set name.

Navigate to the Backends resource and click Add Backends.

Check IP ADDRESSES
Enter the OAC IP ADDRESS e.g. 10.10.10.2
Enter 443 for the PORT
Accept the remaining defaults and click Add

Initially the health shows unknown but the first health check changes it to OK

Validating Access to the Load Balancer Using the IP Address

On your client machine use the netcat (nc) see here -  or nmap see here command to create a connection to the LB. Note: These types of commands may not work if you are on VPN.

This command shows the connection status (-v), and exits after 2 seconds (-i 2 -w 2) 

nc -v -i 2 -w 2 129.228.231.215 443  returns:

Connection to 129.228.231.215 port 443 [tcp/https] succeeded!

 Updating Your DNS

Update your DNS so that OAC's FQDN translates to the public IP address of the load balancer. There are many methods to choose from. Below is a partial list.

Updating your Local Area Network's (LAN) DNS resolver.

Adding a DNS resolver to your Workstation

Adding a DNS resolver in OAC

Using a MAC OS Resolver File

Updating your Windows Host File

 

Validating Access to the Load Balancer Using the OAC FQDN

Rerunning the command used for the IP address validation now translates the FQDN before making the connection.

nc -v -i 2 -w 2 prvtoac.analytics.ocp.oraclecloud.com 443  returns:

Connection to prvtoac.analytics.ocp.oraclecloud.com port 443 [tcp/https] succeeded!

The provisioned state is depicted below.

 Validating Connectivity to OAC via the Load Balancer

Connect to the private OAC using the URL e.g. https://prvtoac.analytics.ocp.oraclecloud.com/ui

The traffic flow is depicted below.

 Summary

This post described the steps required to connect to a private OAC via a Public Load Balancer.

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley

 

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha