Oracle Analytics (OAC) may now be provisioned within a Virtual Cloud network (VCN) on Oracle Cloud Infrastructure (OCI) with a private IP address.
A public load balancer (LB) provides access when VPN / FastConnect is not available. It acts as a proxy between users / applications and the private instance.
Load balancers may listen for TCP or HTTPS traffic. HTTPS listeners require the upload of a trusted certificate, signed by a certificate authority, for each fully qualified domain name (FQDN) they direct traffic to. TCP listeners do not.
Prior to version 5.9, OAC had a single native FQDN. Versions 5.9 and higher provide an optional custom or vanity FQDN. The TCP protocol is used for native FQDNs because it is not possible to upload the associated certificate's private key.
This post is a step-by-step guide for connecting to a private OAC via a public load balancer using the TCP protocol.
It is a companion to the post that describes using a load balancer with an HTTPS listener for vanity URLs, and is one of the posts listed in the OAC Private Endpoint Series.
February 11, 2021 with OAC 5.9
October 31, 2020 with OAC 5.8
Before You Begin
Preparing to Provision a Public Load Balancer
Provisioning a Public Load Balancer
Updating Your DNS
Validating Connectivity to OAC via the Load Balancer
A user account in an OCI tenancy associated with an Identity and Access Management (IAM) group.
Compartment privileges for managing Analytics, Load Balancers and Networking components. Refer here for policy references. An example policy rule for development purposes is:
Allow group <Your IAM Group> to manage all-resources in compartment <Your Compartment>
An existing VCN hosting OAC, or a new one. This post uses the VCN 10.10.10.0/24 as an example. Refer here for VCN documentation.
An existing private subnet hosting OAC, or a new one. This post uses OAC-Subnet, 10.10.10.0/27, as an example.
An existing OAC provisioned with a private endpoint, or a new one. This post uses as an example an OAC named PRVT-OAC with an IP address of 10.10.10.2 and an FQDN of prvtoac.analytics.ocp.oraclecloud.com. Refer here for a post on provisioning.
Utilities on your client workstation such as nslookup and ncat for validating the configuration.
Access to the internet from your client workstation.
Administrative privileges on your workstation or router to modify Domain Name System (DNS) settings.
The initial state is depicted below.
Provisioning a public load balancer requires a public subnet, security list, route table and internet gateway. Connect to the OCI console and perform the following.
Create a regional public subnet in the VCN hosting OAC. Navigate to Networking and select your compartment and region. Navigate to Virtual Cloud Networks and click on the VCN. From the Subnets resource click on Create Subnet.
Provide a Name e.g. LB-Subnet
Provide a CIDR Block e.g. 10.10.10.32/27
Let everything else default and click Create Subnet.
Navigate to the Internet Gateways resource. If the OAC VCN does not have an existing internet gateway click Create Internet Gateway. Refer here for documentation.
Provide a Name and click Create Internet Gateway.
The load balancer subnet restricts access via a security list to your public IP address or a range of public IP addresses. This may be tricky because your public IP address is assigned by your router and may change over time. To find what your IP address is today, search for "What is my IP" from your browser. The result is your public IP address, e.g. 172.228.43.165. Note: if you are connected to a VPN the public IP address is different. Make a note of that one also, e.g. 148.228.4.23.
Although it may change, it may not change by much. If you think it will always be between 172.228.43.0 and 172.228.43.255, then the CIDR block 172.228.43.0/24 fits. If it changes to something outside of that range, the security list CIDR block needs to be updated to allow it. In the above VPN example the CIDR may be 148.87.23.0/24.
The load balancer listens on port 443 for OAC HTTPS connections. Create a security list that allows ingress to TCP port 443. Navigate to the Security Lists resource and click Create Security List.
Enter a Name e.g. LB-Subnet-SL and click Create Security List.
Click on the new security list and click Add Ingress Rule.
Enter the SOURCE CIDR corresponding to your range of non-VPN public IP addresses e.g. 172.228.43.0/24
Enter 443 as the Destination Port Range
If you have access to a VPN connection, Click + Another Ingress Rule
Enter the SOURCE CIDR corresponding to your range of VPN public IP addresses e.g. 148.87.23.0/24
Enter 443 as the Destination Port Range
Accept the remaining defaults and click Add Ingress Rules
Create a route table with a rule directing traffic leaving the VCN to the internet gateway. Navigate to the Route Tables resource and click Create Route Table.
Enter a Name e.g. LB-Subnet-RT and click Create Route Table.
Click on the new route table and click Add Route Rules.
Select Internet Gateway as the TARGET TYPE
Enter 0.0.0.0/0 as the DESTINATION CIDR BLOCK to forward all traffic
Select your internet gateway as the TARGET INTERNET GATEWAY
Accept the remaining defaults and click Add Route Rules
Associate the security list and route table to the LB subnet. Navigate to the Subnets resource and click on the LB subnet.
Click Add Security List.
Select the new LB security list from the dropdown and click Add Security List.
Click Edit.
Select the new LB route table from the dropdown and click Save Changes.
OAC listens on port 443 for HTTPS connections. Ensure there is a security list rule that allows ingress to TCP port 443. A moderately restrictive rule has the SOURCE CIDR set to the CIDR of the OAC VCN e.g. 10.10.10.0/24
Ensure the security list containing the rule is associated with the OAC subnet.
Provision the public load balancer. Refer here for LB documentation.
Navigate to Networking >> Load Balancers and click Create Load Balancer.
Give the LB a Name e.g. PublicLB
Select the OAC VCN from the dropdown for the VIRTUAL CLOUD NETWORK
Select the LB subnet from the dropdown for the SUBNET
Click Next
For the SPECIFY HEALTH CHECK POLICY
Select TCP from the dropdown for the PROTOCOL
Enter 443 for the PORT
Accept the remaining defaults and click Next
Enter a LISTENER NAME e.g. PublicLB-LSNR
Check TCP for the SPECIFY THE TYPE OF TRAFFIC YOUR LISTENER HANDLES
Enter 443 for the SPECIFY THE PORT YOUR LISTENER MONITORS FOR INGRESS TRAFFIC
Accept the remaining defaults and click Submit
When the State changes to Active, make a note of the IP Address, e.g. 129.228.231.215.
An empty backend set is created for the LB and must be updated. Navigate to the Backend Sets resource. Click on the Backend Set name.
Navigate to the Backends resource and click Add Backends.
Check IP ADDRESSES
Enter the OAC IP ADDRESS e.g. 10.10.10.2
Enter 443 for the PORT
Accept the remaining defaults and click Add
Initially the health shows Unknown, but the first health check changes it to OK.
On your client machine, use the netcat (nc) or nmap command to create a connection to the LB. Note: these types of commands may not work if you are on a VPN.
This command shows the connection status (-v), waits 2 seconds between lines sent (-i 2) and times out after 2 seconds (-w 2).
nc -v -i 2 -w 2 129.228.231.215 443 returns:
Connection to 129.228.231.215 port 443 [tcp/https] succeeded!
Update your DNS so that OAC's FQDN translates to the public IP address of the load balancer. There are many methods to choose from. Below is a partial list.
Updating your Local Area Network's (LAN) DNS resolver.
Adding a DNS resolver to your Workstation
Adding a DNS resolver in OAC
Using a MAC OS Resolver File
Updating your Windows Host File
Rerunning the command used for the IP address validation now translates the FQDN before making the connection.
nc -v -i 2 -w 2 prvtoac.analytics.ocp.oraclecloud.com 443 returns:
Connection to prvtoac.analytics.ocp.oraclecloud.com port 443 [tcp/https] succeeded!
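The checks above (the security list CIDR sizing and the nc connectivity test) as one added Python script that is not part of the original post. It uses this post's example addresses and FQDN as constructed sample values, and adds a TLS check: because the listener is TCP, the load balancer passes the TLS session through untouched, so the certificate seen via the LB's public IP must be OAC's own and must validate for the native FQDN.

```python
# Added example (not from the original post): validate the public LB path to a private OAC.
# The addresses below are this post's examples, not real endpoints.
import ipaddress
import socket
import ssl
import sys

LB_IP = "129.228.231.215"                               # public LB IP from the post
OAC_FQDN = "prvtoac.analytics.ocp.oraclecloud.com"      # OAC native FQDN from the post
ALLOWED_CIDRS = ["172.228.43.0/24", "148.87.23.0/24"]   # LB security list ingress sources

def cidr_for_ip(ip, prefix=24):
    """The /24 block containing ip, the way the post sizes its security list rule."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def ip_allowed(ip, cidrs):
    """True if ip falls inside any security list source CIDR (what the LB lets in)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def resolves_to(fqdn, expected_ip, resolver=socket.gethostbyname):
    """True if the DNS override makes the OAC FQDN resolve to the LB's public IP."""
    return resolver(fqdn) == expected_ip

def tcp_reachable(host, port=443, timeout=2):
    """Plain TCP connect, equivalent to the post's nc -w 2 check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_cert_matches(lb_ip, fqdn, port=443, timeout=2):
    """Connect to the LB IP but verify the certificate for the OAC FQDN: a TCP
    listener does not terminate TLS, so OAC's own chain and hostname must check out."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    try:
        with socket.create_connection((lb_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                return tls.getpeercert() is not None
    except OSError:                             # includes ssl.SSLError (bad chain/hostname)
        return False

if __name__ == "__main__":
    my_ip = sys.argv[1] if len(sys.argv) > 1 else "172.228.43.165"  # pass your public IP
    print("ingress rule covers", my_ip, ":", ip_allowed(my_ip, ALLOWED_CIDRS),
          "(otherwise add", cidr_for_ip(my_ip), ")")
    print("FQDN resolves to LB IP:", resolves_to(OAC_FQDN, LB_IP))
    print("TCP 443 reachable via LB:", tcp_reachable(LB_IP))
    print("OAC certificate valid for FQDN via LB:", tls_cert_matches(LB_IP, OAC_FQDN))
```

Run it with your current public IP as the first argument; the last two lines need network access to the load balancer.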
The provisioned state is depicted below.
Connect to the private OAC using the URL e.g. https://prvtoac.analytics.ocp.oraclecloud.com/ui
The traffic flow is depicted below.
This post described the steps required to connect to a private OAC via a Public Load Balancer.
For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley