Best Practices from Oracle Development's A‑Team

Connecting to Oracle Analytics Cloud Private Endpoint with a Public Load Balancer

Validated October 29, 2020 with OAC 5.8

Introduction

Oracle Analytics Cloud (OAC) may now be provisioned within a Virtual Cloud network (VCN) with a private IP address.

This post is a step-by-step guide for connecting to a private OAC via a Public Load Balancer (LB). It is written for those who do not have access to a private OAC from within Oracle's Cloud Infrastructure (OCI) or via their organization's VPN / FastConnect.

This is one of the posts listed in the OAC Private Endpoint Parent Post.

Validations

October 31, 2020 with OAC 5.8

Topics

Before You Begin

Preparing to Provision a Public Load Balancer

Provisioning a Public Load Balancer

Updating Your DNS

Validating Connectivity to OAC via the Load Balancer

Before You Begin

This guide assumes the following is in place:

A user account in an OCI tenancy associated with an Identity and Access Management (IAM) group.

Compartment privileges for managing Analytics, Load Balancers and Networking components. Refer here for policy references. An example policy rule for development purposes is:

Allow group <Your IAM Group> to manage all-resources in compartment <Your Compartment>

An existing VCN hosting OAC, or create a new one. This post uses the VCN 10.10.10.0/24 as an example. Refer here for VCN documentation.

An existing private subnet hosting OAC, or create a new one. This post uses OAC-Subnet, 10.10.10.0/27, as an example.

An existing OAC provisioned with a private endpoint, or create a new one. This post uses as an example an OAC named PRVT-OAC with an IP address of 10.10.10.2 and an FQDN of prvtoac.analytics.ocp.oraclecloud.com. Refer here for a post on provisioning.

Utilities on your client workstation such as nslookup and ncat for validating the configuration.

Access to the internet from your client workstation.

Administrative privileges on your workstation or router to modify Domain Name System (DNS) settings.

The initial state is depicted below.

Preparing to Provision a Public Load Balancer

Provisioning a public load balancer requires a public subnet, security list, route table and internet gateway. Connect to the OCI console and perform the following.

Creating a Public Subnet

Create a regional public subnet in the VCN hosting OAC. Navigate to Networking and select your compartment and region. Navigate to Virtual Cloud Networks and click on the VCN. From the Subnets resource click on Create Subnet.

Provide a Name e.g. LB-Subnet
Provide a CIDR Block e.g. 10.10.10.32/27
Let everything else default and click Create Subnet.

Creating an Internet Gateway

Navigate to the Internet Gateways resource. If the OAC VCN does not have an existing internet gateway click Create Internet Gateway. Refer here for documentation.

Provide a Name and click Create Internet Gateway.

Determining Your Public IP Address

The load balancer subnet restricts access via a security list to your public IP address or a range of public IP addresses. This can be tricky because your public IP address is assigned by your router and may change over time. To find what your IP address is today, search from your browser for "What is my IP". The result is your public IP address, e.g. 172.228.43.165. Note: if you are connected to a VPN the public IP address is different. Make a note of that one also, e.g. 148.228.4.23.

Although it may change, it may not change by much. If you expect it will always be between 172.228.43.0 and 172.228.43.255, then the CIDR block 172.228.43.0/24 fits. If it changes to something outside of that range, the security list CIDR block needs to be updated to allow it. In the above VPN example the CIDR may be 148.87.23.0/24.

Access Control and Routing for the LB Subnet

Limiting Access to the LB

The load balancer listens on port 443 for OAC HTTPS connections. Create a security list that allows ingress to TCP port 443. Navigate to the Security Lists resource and click Create Security List.

Enter a Name e.g. LB-Subnet-SL and click Create Security List.

Click on the new security list and click Add Ingress Rule.

Enter the SOURCE CIDR corresponding to your range of non-VPN public IP addresses e.g. 172.228.43.0/24
Enter 443 as the Destination Port Range

If you have access to a VPN connection, Click + Another Ingress Rule

Enter the SOURCE CIDR corresponding to your range of VPN public IP addresses e.g. 148.87.23.0/24
Enter 443 as the Destination Port Range


Accept the remaining defaults and click Add Ingress Rules
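The two steps above (deriving a /24 from today's public IP, then admitting only that range on TCP 443) are easy to get wrong when the address drifts. The following is an added example, not code from the original post, that uses Python's standard ipaddress module to compute the enclosing block the way the post does by hand and to evaluate a simplified model of the LB subnet's ingress rules, so you can confirm before opening the console whether a given source address and port would be admitted. The rule dictionaries are a hypothetical model of a security list, not the OCI API's object shape; the sample addresses are the post's own examples.

```python
"""Check the LB subnet ingress rules against a source IP (added example)."""
import ipaddress


def enclosing_network(ip: str, prefix_len: int = 24) -> str:
    """Return the CIDR block of prefix_len bits that contains ip.

    strict=False lets ipaddress zero the host bits for us, so
    172.228.43.165 with /24 becomes 172.228.43.0/24, as in the post.
    """
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def tcp_ingress_rule(source_cidr: str, port: int) -> dict:
    """Model one stateful ingress rule: TCP from source_cidr to one port.

    This is a simplified model for local checking, not the OCI API shape.
    """
    return {
        "protocol": "tcp",
        "source": ipaddress.ip_network(source_cidr),
        "port": port,
    }


def build_lb_rules(public_ips: list, port: int = 443) -> list:
    """One /24 rule per observed public IP (non-VPN and VPN), as the post does."""
    return [tcp_ingress_rule(enclosing_network(ip), port) for ip in public_ips]


def is_admitted(src_ip: str, dst_port: int, rules: list) -> bool:
    """True if at least one rule admits TCP traffic from src_ip to dst_port.

    Security list ingress is default-deny: no matching rule means dropped.
    """
    src = ipaddress.ip_address(src_ip)
    return any(src in r["source"] and r["port"] == dst_port for r in rules)


if __name__ == "__main__":
    # Today's non-VPN and VPN public addresses from the post's examples.
    rules = build_lb_rules(["172.228.43.165", "148.228.4.23"])
    for r in rules:
        print(f"allow tcp/{r['port']} from {r['source']}")
    # A small drift inside the /24 is still admitted; a move outside it is not.
    for probe in ("172.228.43.200", "172.228.44.1"):
        print(probe, "->", "admitted" if is_admitted(probe, 443, rules) else "dropped")
```

Run it whenever your public IP changes: if the probe for your current address prints "dropped", the security list's SOURCE CIDR needs to be widened or replaced as the post describes.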

Creating a Route Table

Create a route table with a rule directing traffic leaving the VCN to the internet gateway. Navigate to the Route Tables resource and click Create Route Table.

Enter a Name e.g. LB-Subnet-RT and click Create Route Table.

Click on the new route table and click Add Route Rules.

Select Internet Gateway as the TARGET TYPE
Enter 0.0.0.0/0 as the DESTINATION CIDR BLOCK to forward all traffic
Select your internet gateway as the TARGET INTERNET GATEWAY
Accept the remaining defaults and click Add Route Rules

Associating the Security List and Route Table

Associate the security list and route table to the LB subnet. Navigate to the Subnets resource and click on the LB subnet.

Click Add Security List

Select the new LB security list from the dropdown and click Add Security List.

Click Edit

Select the new LB route table from the dropdown and click Save Changes.

Access Control for the OAC Subnet

Limiting Access to OAC

OAC listens on port 443 for HTTPS connections. Ensure there is a security list rule that allows ingress to TCP port 443. A moderately restrictive rule has the SOURCE CIDR set to the CIDR of the OAC VCN e.g. 10.10.10.0/24

Associating the Security List

Ensure the security list containing the rule is associated with the OAC subnet. 

Provisioning a Public Load Balancer

Provision the public load balancer. Refer here for LB documentation.

Creating the Load Balancer

Navigate to Networking >> Load Balancers and click Create Load Balancer.

Add Details Page

Give the LB a Name e.g. PublicLB
Select the OAC VCN from the dropdown for the VIRTUAL CLOUD NETWORK
Select the LB subnet from the dropdown for the SUBNET
Click Next

Choose Backends Page

For the SPECIFY HEALTH CHECK POLICY
   Select TCP from the dropdown for the PROTOCOL
   Enter 443 for the PORT
Accept the remaining defaults and click Next

Configure Listener Page

Enter a LISTENER NAME e.g. PublicLB-LSNR
Check TCP for the SPECIFY THE TYPE OF TRAFFIC YOUR LISTENER HANDLES
Enter 443 for the SPECIFY THE PORT YOUR LISTENER MONITORS FOR INGRESS TRAFFIC
Accept the remaining defaults and click Submit

Noting the public IP address

When the State changes to Active make a note of the IP Address e.g. 129.228.231.215

Updating the Backend Set

An empty backend set is created for the LB and must be updated. Navigate to the Backend Sets resource. Click on the Backend Set name.

Navigate to the Backends resource and click Add Backends.

Check IP ADDRESSES
Enter the OAC IP ADDRESS e.g. 10.10.10.2
Enter 443 for the PORT
Accept the remaining defaults and click Add

Initially the health shows unknown but the first health check changes it to OK

Validating Access to the Load Balancer Using the IP Address

On your client machine use the netcat (nc) command (see here) or nmap (see here) to create a connection to the LB. Note: these types of commands may not work if you are on a VPN.

This command shows the connection status (-v), and exits after 2 seconds (-i 2 -w 2) 

nc -v -i 2 -w 2 129.228.231.215 443 returns:

Connection to 129.228.231.215 port 443 [tcp/https] succeeded!

Updating Your DNS

Update your DNS so that OAC's FQDN translates to the public IP address of the load balancer. This is done by adding an "A" record to a DNS resolver. This type of record maps a domain, sub-domain, or a FQDN to an IP address. Using the examples in this guide, OAC's FQDN, prvtoac.analytics.ocp.oraclecloud.com, needs to be mapped to IP address 129.228.231.215 

This can be done in any one of multiple DNS resolvers your workstation may be using for FQDN resolution. How your workstation is connected to the internet is a driving factor.

Updating your Local Area Network's (LAN) default DNS resolver.

If you are connected to an organization's LAN, you probably don't have access to modify the DNS resolver. But you could ask an administrator to add the record.

If you are a remote employee working from home, your home router probably has a built-in resolver that can be modified. However, if you leave home and connect to the internet from the airport, library, etc then you lose the resolution capability.

Below is an example of the OAC A record added to a BEC router

To validate the router configuration use the nslookup utility.

nslookup prvtoac.analytics.ocp.oraclecloud.com -- returns: (192.168.1.254 is the router's address)

Server:        192.168.1.254.      
Address:    192.168.1.254#53

Name:    prvtoac.analytics.ocp.oraclecloud.com
Address:
129.228.231.215

Adding a DNS resolver to your Workstation

Add an open source lightweight DNS server such as Dnsmasq, BIND or Acrylic to your workstation. This post uses Dnsmasq on a Mac.

Once installed, add the A record to the server and restart it. Change the order of DNS servers in your networking preferences / properties to have the local host, 127.0.0.1, be the first entry. Keep the other entries as secondary servers.

The line to add to the Dnsmasq configuration file is:

address=/prvtoac.analytics.ocp.oraclecloud.com/129.228.231.215

The list of DNS servers in the networking preferences is:

To validate the DNS configuration use the same nslookup command.

nslookup prvtoac.analytics.ocp.oraclecloud.com -- returns: (127.0.0.1 is the workstation localhost address)

Server:        127.0.0.1.      
Address:    127.0.0.1#53

Name:    prvtoac.analytics.ocp.oraclecloud.com
Address:
129.228.231.215

Validating Access to the Load Balancer Using the OAC FQDN

Rerunning the command used for the IP address validation now translates the FQDN before making the connection.

nc -v -i 2 -w 2 prvtoac.analytics.ocp.oraclecloud.com 443 returns:

Connection to prvtoac.analytics.ocp.oraclecloud.com port 443 [tcp/https] succeeded!
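The nslookup and nc checks above verify two separate things: that the FQDN now resolves to the load balancer's public address rather than the private endpoint, and that TCP 443 on that address accepts a connection. The following is an added example, not code from the original post, that performs both checks in one Python script using only the standard socket module: it resolves the name, compares the answer with the expected LB IP and the private OAC IP, and then attempts a TCP connection with the same 2 second limit the post uses. The resolver is injectable so the logic can be exercised offline against a stub; the open_local_listener helper exists only for that offline demonstration. The addresses are the post's examples.

```python
"""Validate DNS and TCP reachability of OAC via the LB (added example)."""
import socket

OAC_FQDN = "prvtoac.analytics.ocp.oraclecloud.com"
LB_PUBLIC_IP = "129.228.231.215"   # load balancer address from the post
OAC_PRIVATE_IP = "10.10.10.2"      # private endpoint address from the post


def resolve(fqdn, resolver=socket.gethostbyname):
    """Resolve fqdn with the workstation's resolver (or an injected stub)."""
    try:
        return resolver(fqdn)
    except socket.gaierror:
        return None


def tcp_check(host, port, timeout=2.0):
    """Open a TCP connection and report (ok, message), like nc -v -w 2."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, f"Connection to {host} port {port} [tcp] succeeded!"
    except OSError as exc:
        return False, f"Connection to {host} port {port} [tcp] failed: {exc}"


def validate_path(fqdn, expected_lb_ip, private_ip, port=443,
                  resolver=socket.gethostbyname, timeout=2.0):
    """Run the post's DNS and TCP checks and return their results as a dict."""
    resolved = resolve(fqdn, resolver)
    result = {
        "resolved": resolved,
        # The A record is in effect only if the answer is the LB's public IP.
        "dns_ok": resolved == expected_lb_ip,
        # If the resolver still hands back the private address, the override
        # is not being consulted (wrong server order, or record not added).
        "leaks_private": resolved == private_ip,
    }
    if resolved is None:
        result["tcp_ok"], result["message"] = False, f"{fqdn} did not resolve"
    else:
        result["tcp_ok"], result["message"] = tcp_check(resolved, port, timeout)
    return result


def open_local_listener():
    """Listen on an ephemeral 127.0.0.1 port; used only for offline demos."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Live check against the workstation's real resolver and the LB on 443.
    live = validate_path(OAC_FQDN, LB_PUBLIC_IP, OAC_PRIVATE_IP)
    print(live)
    # Offline illustration of the success and failure cases using a stub
    # resolver and a local listener, constructed here for demonstration.
    srv, port = open_local_listener()
    print(validate_path(OAC_FQDN, "127.0.0.1", OAC_PRIVATE_IP, port=port,
                        resolver=lambda _h: "127.0.0.1"))
    srv.close()
    print(validate_path(OAC_FQDN, "127.0.0.1", OAC_PRIVATE_IP, port=port,
                        resolver=lambda _h: "127.0.0.1", timeout=0.5))
```

A result with dns_ok true but tcp_ok false points at the LB side (security list source CIDR, listener port, or backend health); dns_ok false with leaks_private true points at the resolver order on the workstation.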

The provisioned state is depicted below.

Validating Connectivity to OAC via the Load Balancer

Connect to the private OAC using the URL e.g. https://prvtoac.analytics.ocp.oraclecloud.com/ui

The traffic flow is depicted below.

Summary

This post described the steps required to connect to a private OAC via a Public Load Balancer.

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley
