Validated December 18, 2020 with OAC 5.8
Oracle Analytics Cloud (OAC) may now be provisioned within a Virtual Cloud network (VCN) on Oracle Cloud Infrastructure (OCI) with a private endpoint IP address.
This post is a step-by-step guide for preparing network gateways for private OAC access to private data sources and DNS servers.
This is one of the post listed in the OAC Private Endpoint Parent Post
December 18, 2020 with OAC 5.8
Before You Begin
Determining Gateway Scenarios
Deploying Required Components
Validating Gateway Connectivity
All names and addresses used in this post are for examples only. In this post data sources and DNS resolvers are both referred to as resources. Although not required, resources are in separate subnets to demonstrate security and routing rules.
User accounts in OCI tenancies granted compartment privileges for managing networking components.
OAC and/or RDG are provisioned. Refer here for provisioning a private OAC. Refer here for provisioning a private RDG.
The steps in this post have set up the necessary DNS components for your scenarios.
OAC is provisioned with a private endpoint.
The set of resource and resource definition locations requiring network access.
In this post resource locations are the location of a resource's translated IP address. The address may either be the exact location of the resource or the location of a Web Application Firewall or Load Balancer set in front of the resource. Examples locations are on-premise, other-cloud, OCI region etc.
A resource definition location is the location of the first DNS resolver that finds a resource's definition and successfully provides the resource's location. Examples locations are on-premise, other-cloud, OCI VCN, etc.
OCI is hosted in regions. Regions are localized geographic areas, independent of other regions and can be separated by vast distances—across countries or even continents.
Regions are grouped into realms . Your tenancy exists in a single realm and can directly access all regions that belong to that realm. Currently, OCI has multiple realms. There is one commercial realm and multiple realms for Government Cloud.
The set of defined resource locations and resource definition locations determine the scenarios required. You may have one or more of the following scenarios depicted below.
A gateway is not required for resources existing in the same VCN as OAC.
A Dynamic Routing Gateway (DRG) provides a path for private traffic between your VCN and networks outside the VCN's region. These includes your on-premise network or other cloud networks connected to OCI via VPN and/or FastConnect private peering. Other VCNs in your tenancy located in different regions may be peered using Remote Peering Connections.
A Local Peering Gateway provides a path for private traffic between your VCN and other VCNs in the same region. The VCNs may be in separate tenancies.
A Network Address Translation (NAT) gateway provides a path for traffic to public resources without exposing OAC to incoming internet connections. The NAT gateway's public IP address becomes the source IP address for the outbound traffic. This gateway is used when a public resource such as a load balancer is positioned in front of a private resource.
The following table lists the scenario components that may be deployed with links for reference.
COMPONENT | USE | REFERENCE | Scenarios |
---|---|---|---|
DYNAMIC ROUTING GATEWAY | Facilitates VPN, FastConnect, and Remote Peering | link | DRG |
CUSTOMER-PREMISES EQUIPMENT (CPE) | Facilitates site-to-site IPSec VPN | link | DRG |
VIRTUAL CIRCUIT | Facilitates FastConnect Private Peering | link | DRG |
REMOTE PEERING CONNECTION | Facilitates Inter-Region Peering of your VCNs | link | DRG |
LOCAL PEERING GATEWAY | Facilitates Intra-Region Peering of your VCNs | link | LPG |
ROUTE RULE | Routes a subnet's traffic out of a VCN | link | All except SAME VCN |
SUBNET | Hosts DNS endpoints | link | NAT |
NAT GATEWAY | Facilitates traffic to a public fronting resource | link | NAT |
INTERNET GATEWAY | Facilitates response from the public fronting resource | link | NAT |
LOAD BALANCER | Accepting and routing traffic to the resource | link | NAT |
The following tables provide component details for the scenarios with example values.
Ensure to update any route rules created in the DNS post with the proper gateway.
No additional components required.
Create or use an existing DRG for the OAC and resource's VCNs. Ensure the DRGs are attached to the respective VCNs.
NAME | ATTACHED VCN |
---|---|
Region1-DRG | VCN1 |
Region2-DRG | VCN2 |
For each DRG, create or use one or more of the following components:
Customer Premises Equipment
Virtual Circuit
Remote Peering Connection
Create or use an existing route table for these rules.
ROUTE TABLE | VCN | DESTINATION CIDR | TARGET | ATTACHED TO | NOTE |
---|---|---|---|---|---|
VCN1-OAC-RT | VCN1 | 10.20.10.0/23 | Region1-DRG | VCN1-OAC-SN | Query to the resource |
VCN2-RESOURCE-RT | VCN2 | 10.10.10.0/23 | Region2-DRG | VCN2-RESOURCE-SN | Query response |
Create or use an existing LPG for the OAC and resource's VCNs.
NAME | VCN |
---|---|
VCN1-LPG | VCN1 |
VCN2-LPG | VCN2 |
Create or use an existing route table for these rules.
ROUTE TABLE | VCN | DESTINATION CIDR | TARGET | ATTACHED TO | NOTE |
---|---|---|---|---|---|
VCN1-OAC-RT | VCN1 | 10.20.10.0/23 | VCN1-LPG | VCN1-OAC-SN | Query to the resource |
VCN2-RESOURCE-RT | VCN2 | 10.10.10.0/23 | VCN2-LPG | VCN2-RESOURCE-SN | Query response |
Create or use an existing NAT gateway for the OAC VCN.
NAME | VCN |
---|---|
VCN1-NAT | VCN1 |
Create or use an existing internet gateway for the resource's VCN.
NAME | VCN |
---|---|
VCN2-IG | VCN2 |
Create or use an existing public subnet for the public load balancer.
VCN | NAME | CIDR | ROUTE TABLE | SECURITY LIST |
---|---|---|---|---|
VCN2 | VCN2-LB-SN | 10.20.10.32/27 | Default | Default |
Create or use an existing load balancer to listen and forward traffic to resource
NAME | VCN | SUBNET | PROTOCOL | TARGET IP | TARGET PORT |
---|---|---|---|---|---|
VCN2-LB | VCN2 | VCN2-LB-SN | TCP | 10.20.10.4 | 1521 |
Create or use an existing route table for these rules.
ROUTE TABLE | VCN | DESTINATION CIDR | TARGET | ATTACHED TO | NOTE |
---|---|---|---|---|---|
VCN1-OAC-RT | VCN1 | 10.20.10.0/23 | VCN1-NAT | VCN1-OAC-SN | Query to the resource |
VCN2-LB-RT | VCN2 | 10.10.10.0/23 | VCN2-IG | VCN2-LB-SN | Query response |
Validate the gateway scenarios by deploying minimal compute instances to act as resources.
Create or use a linux instance in the OAC subnet for sending TCP traffic and DNS queries over UDP. Create or use an instance in the remote network to receive and respond to the TCP traffic. The existing DNS components deployed previously receive and respond to the UDP traffic.
Terminate all test instances after validations.
A default FQDN for a compute instance has this format: <prefix>.<subnet>.<vcn>.oraclevcn.com. For each scenario to be validated create an instance in the appropriate location. The following table lists the required instances with example FQDNs.
SCENARIO | LOCATION | FQDN |
---|---|---|
All | OAC subnet | n/a |
All | Resource subnet | <prefix>.<resource-subnet>.<resource-vcn>.oraclevcn.com |
If your client is not in the OAC VCN use a public bastion instance.
For each scenario use a networking utility such as nc. It may be installed using yum install nc -y
Use nc to test both DNS and TCP connectivity through the appropriate gateway(s).
nc -v -i 2 <resource FQDN> <resource port e.g. 1521>
The result is below.
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to <resource-IP>:<resource-port>.
Ncat: Idle timeout expired (2000 ms).
This post provided a step-by-step guide for preparing network gateways for private OAC access to private data sources and DNS servers.
For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley
Next Post