Oracle Cloud Infrastructure Architect Associate exam tests varieties of topics like
- Identity and Access Management
- Networking
- Compute
- Storage
- Database
A good place to learn about the topics are
And there is a book specifically written for the exam and is available in Oreilly
In this blog, I am sharing the notes I have taken for the topic
Networking
CIDR
- Classless inter-domain routing - CIDR notation may be divided into two components, a network identifier and a host address space
- Within a given network two host addressed cannot be assigned to a host
- 0 - reserved for network address
- 255 - broadcast address
- xxx.xxx.xxx.xxx/n - each xxx is 8 bit binary from 0 to 255 and n is the subnet-mask
- The subnet-mask says MostSignifacntBits which is fixed
- Class A - first octet (8 bits) is all 1
- Class B - first 2 octet (16 bits) is all 1
- Class C - first 3 octet (24 bits) are all 1
- Three address within any CIDR range is reserved by OCI, the first (network address), second and last one(broadcast). Second will be subnet default gateway address
- VCN supports only the CIDR range betwen /16 and /30
Virtual Cloud Network:
- Is a regional resource spans across all ADs (Availability domains) and resides in compartment
- There are 3 ADs in each region and are connected by high-speed network
- VCNs require several other networking resources, including subnets, gateways, security lists, and route tables in order to function.
- VCN resources may reside in different compartments from the VCN
- The recommended private IP range is 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- VCN Peering - the act of connecting VCN to other VCNs
- When VCN is created, three mandatory resource are created and we cannot delete them but we can change its content
- Default routing table - determine how network traffic coming in or leaving subnets in your VCN is routed via OCI gateways
- Security list - stateful and stateless. Stateless is recommended, defines the ingress and egress rules
- set of DHCP options - determine how network traffic coming in or leaving subnets in your VCN is routed via OCI gateways
Subnets:
- Subnets can be created for a single AD or for multiple ADs
- When a VCN is created with resources in 3 ADs, OCI automatically creates 3 CIDR blocks
- A subnet can be chosen as a private / public subnet
- The OCI hypervisor software creates and manages virtual NICs (vNICs)
- An instance get their IPs from the subnet they belong
vNIC (Virtual Network Interface Card)
- OCI Network service manages the association between vNIC and physical NIC on the server
- Each vNIC is created and gets one OCID and its IP is based on the subnet which is selected
- For each compute instance one primary vNIC is attached by default which cannot be deleted
- Additionally one or more(52 max) secondary vNICs can be attached
- Each vNIC comes with primary private IP, on top of that 31 secondary private (optionally a public IP) can be attached
- A vNIC on a public subnet is automatically assigned a public IP. It is not mandatory and may be removed or de-assigned
Private IP
- Each compute instance is provided with a private IP when the instance is launched.
- The private IP address cannot be removed from the instance and is terminated when the instance is terminated
- A secondary private IP may be optionally added later and can be moved from vNIC of one instance to another instance's vNIC
Public IP
- Ephemeral addresses - these persists reboot cycles of an instance, the scope of IP is limited to AD, can be assigned only to primary private IP in the vNIC
- Reserved addresses - the scope of IP is within the region. These are independent of the instance and can be assigned and unassigned back to tenancy's pool
- Load Balancer, DRG - IPSec tunnelling, NAT Gateway - Public IPs are provided by Oracle and we cannot choose/edit. We can only view it
- Internet Gateway, Autonomous DB - Public IPs are provided by Oracle and we cannot choose/edit/view
Route Tables
- Contains rules about how IP packets can travel to different IP addresses out of the VCN
- Each subnet can have only one route table
- No rule needs to be defined for routing with in the VCN
Gateways:
Internet Gateway:
- Is attached to any new VCN
- Only one Internet Gateway is allowed in a VCN
- It allows instances with public IP to be accessed and allows the instance to access internet contents
- Internet access can be disabled at the VCN level by setting the is-enabled property in the InternetGateway
NAT (Network Address Translation) Gateway
- Allows instances with no public IP to access the internet content and protect other traffic from entering the instance
- More than one NAT can be created and assigned to a VCN
- Still the instance with no public IP can be accessed from other internal instances or bastion hosts
- Each NAT gateway is assigned with a public IP which will seen as requesting IP when content is accessed from the internet
- With each subnet there is a ruletable associated with it to say to which gateway the traffic should be routed to
Service Gateway:
- Allows resources to talk to public OCI resources (eg: ObjectStore) without going through the Internet Gateway
- The route table will have 'Service label CIDR' instead of CIDR
Dynamic Routing Gateway (DRG):
- To avoid latency between customer Onpremise and OIC, introduced a new Customer Premise Equiment (CPE) in customer's edge router
- Connection between CPE and DRG could be either by IPSec VPN or by FastConnect
- Only one DRG can be connected to the VCN and a VCN can have only one DRG
- Private Peering
- On-premises connections can be made to the private IP addresses of instances
- Public Peering
- allows you to connect from resources outside the VCN
- FastConnect
- Allows direct physical connection between on-premise and oracle FastConnect edge devices
- Using Oracle Network Provider or Exchange Provider - setup FastConnect connection between onpremise and provider
- Using third-party provider who supports MPLS VPN
- Border Gateway Protocol (BGP) is supported with FastConnect but not IPSec VPN connecting external networks to your VCN
SecurityList
- Security List contains the rules for ingress and egress
- The SL is attached to a subnet
- We can attach SL to Subnet when we create subnet or later
Network Security Group
- This is one level above Security List where we can define ingress/egress rule is set at the individual vNIC level
- The final rule is a union of SL and NSG
Stateful vs Stateless Security List Rules:
- In Stateful, no need to mention the egress rule, all the ingress rule will be applicable
- In Stateless, we need to explicitly mention the egress rule
Peering
- Peering is the process of connecting VCNs privately and not going through the public internet
Local Peering:
- Within the region
- Connecting one VCN with another VCN
- Local Peering Gateway (LPG) is a component in VCN for routing traffic to
- If two VPNs are having overlapping CIDR then peering is not possible
- Peering is not transitive, eg: if VCN1-(p)-VCN2-(p)-VCN3 this doesnt meet VCN1 can peer with VCN3
Remote Peering
- Across the region
- Dynamic Routing Gateway (DRG) is used to connect two VCNs in two different region
DNS (Domain Name System)
- Using this we can use the friendly host name instead of using the IP address to access the instances
- Instance FQDN (Fully Qualified Domain Name) - <host_name>.<subnet>.<VCN_DNS_Name>.oraclevcn.com
VPN (IPSec):
- Connecting two private network securely over the public internet
- Few characteristics of VPN
- Mode: Tunnel or Transport (OCI supports only Tunnel mode), in Transport only the actual payload is encrypted but the header is sent as it is. In Tunnel, it encrypts both the header and payload
- Authentication
- Encryption
- Static Routing
- Dynamic Routing - using BGP
FastConnect:
- Can be thought as a high bandwidth connectivity
- Two ways we can connect
- Private Peering
- - through the DRG
- Connectivity is through the private IP
- Usecases are like lift and shift to cloud
- Public peering
- - DRG is not used in public peering, the usecase is something like onpremise wants to connect to public OCI resources like Object Storage but not over the public internet
- Communication is using the public IP over a private network
- Customer's public IP prefix validation needs to happen which can take 3 days
- FastConnect Options
- FastConnect location - Oracle Datacenter which connects to OCI
- Metro area - Group of FastConnect location in same region. All FastConnection location connects to same availability domains
- Oracle Provider - is a network service provider that integrated with FastConnect location
- 3rd Party Provider - another provider who are not listed by Oracle
- Colocation - Where customer equipment is inside the FastConnect location
- Cross-connect - a physical connection between customer equipment and oracle's equipment in fastconnect location
- Cross-connect group - one or more cross-connect to form a LAG (Link Aggregation Group) to increase the bandwidth
- Virtual Circuit -
Load Balancing
- Sits between the client and the backend server
- Does Service Discovery
- Health check
- Load balance algorithm
- Benefits
- Fault tolerance and High Availability
- Scale
- Naming abstraction - backend server do not need public IP
- OCI provides private and public LBs, each public LBs gets one public IP and the Key differences are
- Select between private or public
- We can provide the shape (means the bandwidth size like 100Mbps, 400Mbps, 8Gbps)
- Single LB for both TCP (layer 4) and HTTP (layer 7) traffic
- OCI load balancers support many protocols, including TCP, HTTP/1.0, HTTP/1.1, HTTP/2, and WebSocket
- Supports SSL connections,
- Is a regional service
- Concepts
- Listener - listens to the traffic in the public IP address
- Backend server - server which runs the application
- Load Balancing Policy - algorithm on how to distribute the traffic
- Health check - a test to confirm the availability of the server, 4 states ok, warning, critical, unknown. Runs every 3 mins and no finer granularity
- Backend Set - Logical entity comprises of Backend server, Load Balancing policy and a Health Check policy
- A load balancer can have upto 16 listeners (means 16 ports like 80, 443 etc)
- Each listener will have one Backend Set that can have from 1 to N server
- Private Load balancer can be used which will assign the IP address within the subnet in which it is defined. In this case both Active and Failover will get into the same ADs if Subnet selected is AD specific
- A private load balancer requires three IP addresses from the associated subnet for the primary and standby load balancers as well as the floating private IP
No comments:
Post a Comment