Oracle Analytics Cloud (OAC) may now be provisioned within a Virtual Cloud Network (VCN) with a private IP address.
This post is a step-by-step guide for connecting to a private OAC via a Public Load Balancer (LB). It is written for those who cannot reach a private OAC from within Oracle Cloud Infrastructure (OCI) or via their organization's VPN / FastConnect.
This is one of the posts listed in the OAC Private Endpoint parent post.
October 31, 2020 with OAC 5.8
Before You Begin
Preparing to Provision a Public Load Balancer
Provisioning a Public Load Balancer
Updating Your DNS
Validating Connectivity to OAC via the Load Balancer
A user account in an OCI tenancy that is a member of an Identity and Access Management (IAM) group.
Compartment privileges for managing Analytics, Load Balancer and Networking components. Refer here for policy references. An example policy statement that is convenient for development (it is far broader than this procedure needs; production policies should be scoped to the specific resource types and verbs) is:
Allow group <Your IAM Group> to manage all-resources in compartment <Your Compartment>
An existing VCN hosting OAC, or create a new one. This post uses the VCN 10.10.10.0/24 as an example. Refer here for VCN documentation.
An existing private subnet hosting OAC, or create a new one. This post uses OAC-Subnet, 10.10.10.0/27, as an example.
An existing OAC provisioned with a private endpoint, or create a new one. This post uses an OAC named PRVT-OAC with IP address 10.10.10.2 and FQDN prvtoac.analytics.ocp.oraclecloud.com as an example. Refer here for a post on provisioning.
Utilities on your client workstation, such as nslookup and nc (ncat), for validating the configuration.
Access to the internet from your client workstation.
Administrative privileges on your workstation or router to modify Domain Name System (DNS) settings.
The initial state is depicted below.
Provisioning a public load balancer requires a public subnet, security list, route table and internet gateway. Connect to the OCI console and perform the following.
Create a regional public subnet in the VCN hosting OAC. Navigate to Networking and select your compartment and region. Navigate to Virtual Cloud Networks and click on the VCN. From the Subnets resource click on Create Subnet.
Provide a Name e.g. LB-Subnet
Provide a CIDR Block e.g. 10.10.10.32/27
Let everything else default and click Create Subnet.
Navigate to the Internet Gateways resource. If the OAC VCN does not have an existing internet gateway click Create Internet Gateway. Refer here for documentation.
Provide a Name and click Create Internet Gateway.
The load balancer subnet's security list restricts ingress to your public IP address or a range of public IP addresses. This rule is the only network-level access control in front of the load balancer, because the TCP listener created later passes connections straight through to OAC, so keep the range as narrow as you can. Choosing the range can be tricky because your public address is assigned to your router by your ISP and may change over time. To find today's address, search "What is my IP" from your browser; the result is your public IP address, e.g. 203.0.113.25 (this guide uses addresses from the RFC 5737 documentation ranges as placeholders). Note: if you are connected to a VPN the public IP address is different; make a note of that one as well, e.g. 198.51.100.40.
Although the address may change, it usually does not change by much. If you expect it to always fall between 203.0.113.1 and 203.0.113.254, the CIDR block 203.0.113.0/24 covers it. Bear in mind that a /24 also admits every other address in that block, typically other customers of the same ISP, so prefer the smallest block that fits your observed addresses; if your address moves outside the range, update the security list rule to allow it. In the VPN example above the CIDR might be 198.51.100.0/24.
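The trade-off described above is easy to quantify. The following Python helper is an added example for this guide, not code from the original post: it computes the tightest single CIDR block that covers the public addresses you have observed, counts how many other addresses a candidate SOURCE CIDR admits, and evaluates an address against a list of ingress rules the way the security list does. The addresses are placeholders from the RFC 5737 documentation ranges and the function names are the example's own.

```python
"""Choose and check SOURCE CIDR blocks for the load balancer security list."""
import ipaddress


def covering_network(low, high):
    """Smallest single CIDR block that contains both addresses (inclusive)."""
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    if lo > hi:
        lo, hi = hi, lo
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:          # widen one bit at a time until the range fits
        net = net.supernet()
    return net


def is_allowed(ip, source_cidrs):
    """True if ip matches at least one ingress SOURCE CIDR (what the security list evaluates)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in source_cidrs)


def extra_addresses(cidr):
    """How many addresses other than your own a SOURCE CIDR admits."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 1


if __name__ == "__main__":
    # Placeholder addresses (RFC 5737 documentation ranges), as used in this guide.
    observed = ["203.0.113.20", "203.0.113.27"]        # addresses seen over a few days
    block = covering_network(observed[0], observed[-1])
    print(f"tightest block covering {observed}: {block} "
          f"({extra_addresses(str(block))} other addresses admitted)")
    print(f"a /24 instead admits {extra_addresses('203.0.113.0/24')} other addresses")
    rules = [str(block), "198.51.100.0/24"]            # non-VPN rule plus VPN rule
    for ip in ("203.0.113.25", "203.0.113.77", "198.51.100.40"):
        print(f"{ip:>16} allowed: {is_allowed(ip, rules)}")
```

Run it with the addresses you have actually observed; if the covering block comes out wider than you expected, it usually means one outlier address should get its own rule rather than widening the whole range.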
The load balancer listens on port 443 for OAC HTTPS connections. Create a security list that allows ingress to TCP port 443. Navigate to the Security Lists resource and click Create Security List.
Enter a Name e.g. LB-Subnet-SL and click Create Security List.
Click on the new security list and click Add Ingress Rule.
Enter the SOURCE CIDR corresponding to your range of non-VPN public IP addresses, e.g. 203.0.113.0/24
Enter 443 as the Destination Port Range
If you have access to a VPN connection, click + Another Ingress Rule
Enter the SOURCE CIDR corresponding to your range of VPN public IP addresses, e.g. 198.51.100.0/24
Enter 443 as the Destination Port Range
Accept the remaining defaults and click Add Ingress Rules
Create a route table with a rule directing traffic leaving the VCN to the internet gateway. Navigate to the Route Tables resource and click Create Route Table.
Enter a Name e.g. LB-Subnet-RT and click Create Route Table.
Click on the new route table and click Add Route Rules.
Select Internet Gateway as the TARGET TYPE
Enter 0.0.0.0/0 as the DESTINATION CIDR BLOCK to forward all traffic
Select your internet gateway as the TARGET INTERNET GATEWAY
Accept the remaining defaults and click Add Route Rules
Associate the security list and route table with the LB subnet. Navigate to the Subnets resource and click on the LB subnet.
Click Add Security List.
Select the new LB security list from the dropdown and click Add Security List.
Click Edit, select the new LB route table from the Route Table dropdown and click Save Changes.
OAC listens on port 443 for HTTPS connections. Ensure there is a security list rule that allows ingress to TCP port 443 from the load balancer. A moderately restrictive rule sets the SOURCE CIDR to the CIDR of the OAC VCN, e.g. 10.10.10.0/24; a tighter rule uses only the LB subnet, e.g. 10.10.10.32/27, since both the forwarded client connections and the health checks originate from the load balancer's addresses in that subnet.
Ensure the security list containing the rule is associated with the OAC subnet.
Provision the public load balancer. Refer here for LB documentation.
Navigate to Networking >> Load Balancers and click Create Load Balancer.
Give the LB a Name e.g. PublicLB
Select the OAC VCN from the dropdown for the VIRTUAL CLOUD NETWORK
Select the LB subnet from the dropdown for the SUBNET
For the SPECIFY HEALTH CHECK POLICY
Select TCP from the dropdown for the PROTOCOL
Enter 443 for the PORT
Accept the remaining defaults and click Next
Enter a LISTENER NAME e.g. PublicLB-LSNR
Check TCP for the SPECIFY THE TYPE OF TRAFFIC YOUR LISTENER HANDLES. A TCP listener passes the TLS session through to OAC unchanged, so no certificate is uploaded to the load balancer and clients are presented with OAC's own certificate.
Enter 443 for the SPECIFY THE PORT YOUR LISTENER MONITORS FOR INGRESS TRAFFIC
Accept the remaining defaults and click Submit
When the State changes to Active, make a note of the IP Address, e.g. 192.0.2.10
An empty backend set is created for the LB and must be updated. Navigate to the Backend Sets resource. Click on the Backend Set name.
Navigate to the Backends resource and click Add Backends.
Check IP ADDRESSES
Enter the OAC IP ADDRESS e.g. 10.10.10.2
Enter 443 for the PORT
Accept the remaining defaults and click Add
Initially the health shows Unknown; the first successful health check changes it to OK. If it stays Critical, check the OAC subnet's security list (TCP 443 from the LB subnet) before looking elsewhere.
The following nc command reports the connection status (-v), delays 2 seconds between lines sent (-i 2) and times out after 2 idle seconds (-w 2), so it returns shortly after the handshake instead of waiting for input. Success only proves that the security list admits your address and the listener is up; whether OAC is reachable behind the load balancer is what the backend health shows.
nc -v -i 2 -w 2 192.0.2.10 443 returns:
Connection to 192.0.2.10 port 443 [tcp/https] succeeded!
Update your DNS so that OAC's FQDN resolves to the public IP address of the load balancer. This is done by adding an "A" record to a DNS resolver; this type of record maps a domain, sub-domain or FQDN to an IP address. Using the examples in this guide, OAC's FQDN, prvtoac.analytics.ocp.oraclecloud.com, needs to be mapped to IP address 192.0.2.10. The name matters, not just the address: the load balancer passes TLS through, so the browser validates OAC's certificate against the host name in the URL, and connecting to the load balancer's bare IP address is not a substitute.
This can be done in any one of the DNS resolvers your workstation uses for FQDN resolution. How your workstation is connected to the internet is the driving factor.
If you are connected to an organization's LAN, you probably do not have access to modify the DNS resolver, but you can ask an administrator to add the record.
If you are a remote employee working from home, your home router probably has a built-in resolver that can be modified. However, if you leave home and connect to the internet from an airport, library, etc., you lose the override and with it the ability to resolve the FQDN to the load balancer.
Below is an example of the OAC A record added to a BEC router
To validate the router configuration use the nslookup utility. The answer should be the load balancer's public IP address.
nslookup prvtoac.analytics.ocp.oraclecloud.com -- returns: (192.168.1.254 is the router's address)
An alternative that travels with the workstation is a local Dnsmasq resolver. Once Dnsmasq is installed, add the A record to its configuration and restart it. Then change the order of DNS servers in your networking preferences / properties so that the local host, 127.0.0.1, is the first entry, keeping the other entries as secondary servers.
The line to add to the Dnsmasq configuration file maps the FQDN to the load balancer's public IP address using Dnsmasq's address=/<FQDN>/<IP> form:
The list of DNS servers in the networking preferences is:
To validate the DNS configuration use the same nslookup command.
nslookup prvtoac.analytics.ocp.oraclecloud.com -- returns: (127.0.0.1 is the workstation's localhost address)
Rerunning the command used for the IP address validation now resolves the FQDN before making the connection.
nc -v -i 2 -w 2 prvtoac.analytics.ocp.oraclecloud.com 443 returns:
Connection to prvtoac.analytics.ocp.oraclecloud.com port 443 [tcp/https] succeeded!
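The following Python script is an added example for this guide, not code from the original post. It performs the two checks this section does with nslookup and nc and names the failure modes: it parses the Dnsmasq address= override, resolves the FQDN and reports whether the answer is the load balancer, OAC's own VCN address (the override is not in effect) or something else, and completes a TCP handshake to port 443 the way nc -w 2 does. The FQDN and VCN CIDR come from this guide; the load balancer address 192.0.2.10, the sample configuration, and all function names are assumptions of the example. The __main__ section uses simulated resolvers and a loopback listener so that it runs offline; the commented-out calls at the end are the live checks.

```python
"""Validate the DNS override and the TCP path to a private OAC behind a public load balancer."""
import ipaddress
import re
import socket

OAC_FQDN = "prvtoac.analytics.ocp.oraclecloud.com"   # from the guide
OAC_VCN = "10.10.10.0/24"                             # from the guide
LB_PUBLIC_IP = "192.0.2.10"                           # placeholder for the LB's public address

# dnsmasq override syntax: address=/<fqdn>/<ip>  (comments and other directives are ignored)
_ADDRESS_RE = re.compile(r"^\s*address=/(?P<fqdn>[^/\s]+)/(?P<ip>[^\s#]+)")


def parse_dnsmasq_overrides(config_text):
    """Return {fqdn: ip} for every address=/fqdn/ip line in a dnsmasq config."""
    overrides = {}
    for line in config_text.splitlines():
        m = _ADDRESS_RE.match(line)
        if m:
            overrides[m.group("fqdn").lower()] = str(ipaddress.ip_address(m.group("ip")))
    return overrides


def check_resolution(fqdn, expected_ip, vcn_cidr=OAC_VCN, resolve=socket.gethostbyname):
    """Resolve fqdn the way the browser will and classify the answer.

    OK       - the override is in effect and points at the load balancer
    PRIVATE  - the answer is OAC's own VCN address: the override is not being used
    MISMATCH - some other address (stale record, wrong LB address)
    NXDOMAIN - no answer at all
    """
    try:
        answer = resolve(fqdn)
    except OSError as exc:            # socket.gaierror is a subclass of OSError
        return "NXDOMAIN", str(exc)
    if answer == expected_ip:
        return "OK", answer
    if ipaddress.ip_address(answer) in ipaddress.ip_network(vcn_cidr):
        return "PRIVATE", answer
    return "MISMATCH", answer


def tcp_connect(host, port=443, timeout=2.0):
    """Equivalent of 'nc -v -w 2 host 443': True if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolver_from(table):
    """Stand-in for socket.gethostbyname backed by a {name: ip} table (offline runs)."""
    def resolve(name):
        try:
            return table[name.lower()]
        except KeyError:
            raise socket.gaierror(f"{name}: Name or service not known")
    return resolve


def local_port_demo():
    """Offline demonstration of tcp_connect: (listening port reachable, closed port reachable)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    reachable_open = tcp_connect("127.0.0.1", port)
    listener.close()
    reachable_closed = tcp_connect("127.0.0.1", port)
    return reachable_open, reachable_closed


if __name__ == "__main__":
    # Constructed dnsmasq snippet standing in for the file edited in the guide.
    conf = f"""
    # OAC private endpoint via the public load balancer
    address=/{OAC_FQDN}/{LB_PUBLIC_IP}
    server=192.168.1.254
    """
    overrides = parse_dnsmasq_overrides(conf)
    print("dnsmasq override:", overrides)
    # Simulated resolvers: override in effect vs. the answer without it (OAC's private address).
    scenarios = (("override", {OAC_FQDN: LB_PUBLIC_IP}), ("no override", {OAC_FQDN: "10.10.10.2"}))
    for label, table in scenarios:
        result = check_resolution(OAC_FQDN, overrides[OAC_FQDN], resolve=resolver_from(table))
        print(f"{label:>12}: {result}")
    print("local tcp_connect demo (open, closed):", local_port_demo())
    # Live checks once the override and the security list rule are in place:
    # print(check_resolution(OAC_FQDN, LB_PUBLIC_IP)); print(tcp_connect(OAC_FQDN))
```

A PRIVATE result is the one to expect when the workstation is using a resolver without the override, for example after leaving the home network; a MISMATCH usually means the A record still carries an old load balancer address.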
The provisioned state is depicted below.
Connect to the private OAC using the URL, e.g. https://prvtoac.analytics.ocp.oraclecloud.com/ui. Because the load balancer passes TLS through, the browser should accept OAC's certificate without a warning when the FQDN is used; a certificate warning means the name in the URL does not match and the DNS override should be rechecked.
The traffic flow is depicted below.
This post described the steps required to connect to a private OAC via a Public Load Balancer.
For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley