**__OCI__**\\
\\
**ASN AS31898 - 152.67.96.0/19 - 10.0.0.0/16**\\
  * FastConnect (~DirectConnect, ~ExpressRoute)
  * VCN (~VPC)
  * DRG (~VGW)
  * SG (Service Gateway) (~AWS service endpoints)
  * IG (Internet Gateway) (~IGW)
  * Compute [[https://docs.cloud.mycompany2.com/iaas/Content/Compute/References/computeshapes.htm|Shapes]]
  * IAM (Identity and Access Management - policies/user permissions)
  * ?? AMI (VM source code)
  * ?? (~CloudFront (CDN))
  * ?? (~DNS Route 53)
  * [[https://mycompany2-my.sharepoint.com/:w:/r/personal/jaime_santos_amandi_mycompany2_com/_layouts/15/Doc.aspx?sourcedoc=%7B47CA47E2-765D-431F-AAA7-BE919DD5ABA1%7D&file=terraform-notes.docx&action=default&mobileredirect=true|ODocs link]]
  * [[https://ruepprich.com/2018/09/06/oci-commandline-interface-cli-filtering/]]
----
  * OCI images [[https://docs.mycompany2.com/en-us/iaas/images/|External Link]]
  * OCI shapes [[https://docs.mycompany2.com/en-us/iaas/Content/Compute/References/computeshapes.htm|External Link]]
----
  * AD: Same region but isolated (power- and routing-wise). Same orchestration system.
  * FD: Each AD has three FDs. A specific FD has its own physical hypervisors, racks, ToRs and PDUs. We can see it as **a rack**. Each FD has its own control and forwarding plane.
  * Compartment: A logical global construct (multi-region) that helps with access control. **Each resource belongs to one and only one compartment**. Compartments can be nested, up to six levels deep.
----
SECURITY:
  * NSG: micro-segmentation. There are no deny rules, so if multiple NSGs are applied and any one of them allows a flow, the flow is allowed. Anything not allowed by some rule is implicitly denied.
  * SLs are applied to the SUBNET, not to the VCN.
\\
FASTCONNECT:
  * Partner
  * Colocated (requires cross-connects)
  * Third-party
If you don't want to run cross-connects then partner is the only option you have, but the customer still needs to get with the partner and request service to connect to OCI.
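A worked example of the NSG semantics above, added here and not part of the original notes: it evaluates a flow against the union of rules from several NSGs (allow rules only, implicit deny otherwise) using the JSON shape that ''oci network nsg rules list'' (see the CLI section below) returns, and lists rules open to 0.0.0.0/0. The NSG names, CIDRs, descriptions and rule contents are constructed for the example.

```python
import ipaddress
import json

# Constructed sample in the shape of "oci network nsg rules list" output
# (field names follow the CLI; NSG names, CIDRs and descriptions are made up).
NSG_RULES = {
    "nsg-web": json.loads("""[
      {"direction": "INGRESS", "protocol": "6", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
       "is-stateless": false, "description": "public https",
       "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
      {"direction": "INGRESS", "protocol": "1", "source": "10.0.0.0/16", "source-type": "CIDR_BLOCK",
       "is-stateless": false, "description": "icmp from vcn", "icmp-options": {"type": 8}}]"""),
    "nsg-admin": json.loads("""[
      {"direction": "INGRESS", "protocol": "6", "source": "10.0.5.0/24", "source-type": "CIDR_BLOCK",
       "is-stateless": false, "description": "ssh from bastion subnet",
       "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}}]"""),
}
PROTO = {"tcp": "6", "udp": "17", "icmp": "1"}  # OCI rules carry IANA protocol numbers as strings

def rule_matches(rule, direction, proto, remote_ip, port):
    """True if a single rule covers the flow; a rule with no port range covers every port."""
    if rule["direction"] != direction or rule["protocol"] not in ("all", PROTO[proto]):
        return False
    side = "source" if direction == "INGRESS" else "destination"
    if rule.get(side + "-type", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False  # service- or NSG-typed peers are not modelled here
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule[side]):
        return False
    rng = (rule.get(proto + "-options") or {}).get("destination-port-range")
    return rng is None or rng["min"] <= port <= rng["max"]

def flow_allowed(attached_nsgs, direction, proto, remote_ip, port=0):
    """NSG semantics from the notes: allow rules only, the union of all attached
    NSGs is evaluated, and anything no rule covers is implicitly denied."""
    return any(rule_matches(r, direction, proto, remote_ip, port)
               for name in attached_nsgs for r in NSG_RULES[name])

def world_reachable_ports(nsg_name):
    """Audit helper: TCP/UDP ingress rules open to 0.0.0.0/0 as (proto, min, max, description)."""
    hits = []
    for r in NSG_RULES[nsg_name]:
        if r["direction"] != "INGRESS" or r.get("source") != "0.0.0.0/0":
            continue
        for key in ("tcp-options", "udp-options"):
            rng = (r.get(key) or {}).get("destination-port-range")
            if rng:
                hits.append((key[:3], rng["min"], rng["max"], r.get("description", "")))
    return hits
```

Feeding it the real output of ''oci network nsg rules list --nsg-id ... --output json'' for each NSG attached to a VNIC gives the same union check the fabric performs, which is handy for reviewing why a flow is (or is not) reachable before touching the security lists.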
DNS:\\
__Internet and VCN Resolver__ (VCN and Internet): [[https://docs.mycompany2.com/en-us/iaas/Content/Network/Concepts/dns.htm|Link]]\\
It is configured at the subnet level with the **DHCP options (i.e. we use DHCP responses to configure DNS)**.\\
Hosts are added as subdomains. The TLD is ''mycompany2vcn.com'' by default, but we use ''mycompany2datacloud.com'' because we have custom DNS servers.\\
__Custom Resolver__: [[https://blogs.mycompany2.com/cloud-infrastructure/configuring-a-custom-dns-resolver-and-the-native-dns-resolver-in-the-same-vcn|Link]] TODO\\
\\
__Private DNS service__: [[https://docs.mycompany2.com/en/solutions/private-dns/index.html#GUID-A1669E7E-EF8B-4B0A-AA36-51D73D51ED46|Link]]\\
----
OCI ARCHITECTURE\\
Regions > AD > FD\\
  * FD: 'Logical datacenter' inside an AD. FDs have **anti-affinity** (each FD has its own hardware, so instances placed in different FDs do not share it).
----
OCI CLI:\\
[[https://confluence.mycompany2datacloud.com/display/ODCI/OCI+CLI+Setup]] ; [[https://docs.cloud.mycompany2.com/iaas/Content/API/SDKDocs/cliinstall.htm]]\\
<code bash>
oci setup config
</code>
Helper scripts live in ''bin/oci-cli-scripts/''.\\
PRETTY TABLE FORMAT:\\
<code bash>
oci compute instance list --query "data [*].{ImageName:\"display-name\", State:\"lifecycle-state\", CreatedBy:\"defined-tags\".\"mycompany2DataCloud\".\"isProduction\"}" --output table
</code>
List all rules for an NSG, in table format:
<code bash>
# list all NSGs in the compartment with their OCIDs ($cb holds the compartment OCID)
oci network nsg list --compartment-id=$cb --query "data [*].{NsgName:\"display-name\",NsgOcid:\"id\"}" --output table
# then list the rules of one NSG, flattening the TCP/UDP port ranges into columns
oci network nsg rules list --nsg-id=ocid1.networksecuritygroup.oc1.uk-london-1.aaaaaaaa5cmsz6u7r67os7f72idsxtiqreft7clctjtkxuk3fx56adow2d5a --query "data [*].{Stateless:\"is-stateless\",src:\"source\",dst:\"destination\",protocol:\"protocol\",description:\"description\",dst_tcp1:\"tcp-options\".\"destination-port-range\".\"min\",dst_tcp2:\"tcp-options\".\"destination-port-range\".\"max\",dst_udp1:\"udp-options\".\"destination-port-range\".\"min\",dst_udp2:\"udp-options\".\"destination-port-range\".\"max\",src_tcp1:\"tcp-options\".\"source-port-range\".\"min\",src_tcp2:\"tcp-options\".\"source-port-range\".\"max\",src_udp1:\"udp-options\".\"source-port-range\".\"min\",src_udp2:\"udp-options\".\"source-port-range\".\"max\"}" --output table
</code>
Then don't forget to place your API public key in the console: Identity >> Users >> User Details\\
Files location:
<code>
/home/jaime/bin
/home/jaime/lib/mycompany2-cli
/home/jaime/bin/oci-cli-scripts
/home/jaime/.oci/config
/home/jaime/.oci        # keys folder
oci_api_key             # api key name
</code>
[[https://docs.cloud.mycompany2.com/iaas/Content/API/Concepts/cliconcepts.htm]]\\
----
NON-CLOUD COMPUTING WITH TERRAFORM: yes, but only for things with a unified controller (NSX, OpenStack (Neutron), etc.)
  * Provider: NSX
  * Provider: HPE (OneView)
----
NETWORKING:\\
  * NAT gateway:
    * **For outbound traffic. NAPT, same for everybody. Allows a permanent public IP address.**
    * The NAT gateway supports TCP, UDP, and ICMP ping traffic.
    * The gateway supports a maximum of approximately 20,000 concurrent connections to a single destination address and port.
    * The Networking service automatically assigns a public IP address to the NAT gateway. You can't choose the public IP address or use one of your reserved public IP addresses.
    * There's a limit on the number of NAT gateways per VCN. You can request an increase to that limit. See Service Limits.
  * VCN address space > subnets (they can be isolated/secured)
  * DRG is a router (used for any destination except the internet)
  * Service Gateway: to access block storage (which sits on a global IP) without traversing the internet.
  * NSG at the VNIC / SL at the subnet
  * Peering
    * LPG
    * RPC
  * LB
    * public
    * private
    * L4, L7
    * SSL, sticky sessions
    * remember the listener is a placeholder, sitting above the LB instances.
----
STORAGE:
  * **BLOCK:** (~EBS)
    * mounted drives, no metadata, 512B blocks. Classic for Windows NTFS
    * Boot and block volumes
    * Persists beyond the lifespan of compute instances. Automatically replicated in all FDs
    * three tiers, depending on performance (IOPS/throughput)
  * FILE (FSS)
    * Typical NAS/NFS filesystems, looking exactly like a local fs
    * Very durable. Three FDs.
  * OBJECT (~S3 buckets)
    * Access via HTTPS (GET, PUT)
    * Objects all sit in a flat structure with lots of metadata, so access is fast and the data is easy to index.
    * hot storage tier
    * cold (archive) tier: access is not instantaneous
  * LOCAL NVMe
    * Local storage, more temporary. Survives reboot but not instance termination.
----
**IAM** (authentication (identity), authorisation (permissions))\\
  * IAM users
  * groups need to have at least one policy for a tenancy/compartment
  * Instance principals
    * like delegating the permissions normally assigned to a user to an instance (e.g. the instance can make API calls)
\\
  * Example: some humans manage instances, some humans manage the network. Then some of the 1st group can **use** (not manage) the network.
\\
Credentials: user/password, API signing key, auth token (generated to authenticate with a 3rd party)\\
Authorisation happens with **policies**. Policies are written in a human-readable format. Then we attach the policy to a compartment or tenancy.\\
  * Policy syntax:
    * verb: inspect/read/use/manage
    * resource-type: database, instance, virtual-network...
    * location
    * conditions
----
MONITORING SYSTEM:\\
  * Alerts/notifications can trigger functions
----
**SECURITY**:\\
HSM (Hardware Security Modules):\\
A tamper-proof hardware system for key storage.\\
DATA SAFE:\\
Service to protect information in mycompany2 Cloud databases.\\
CLOUD ADVISOR:\\
Notifies, e.g., about underused resources. Gives recommendations to save money without degrading performance.
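The instance-admins vs network-admins scenario from the IAM notes written out in OCI policy statements, as an added example that is not part of the original notes; each line is verb, resource-type, location and (on the last line) a condition, and the group names and the compartment name ''Prod'' are made up.

```text
Allow group NetworkAdmins to manage virtual-network-family in compartment Prod
Allow group ComputeAdmins to manage instance-family in compartment Prod
Allow group ComputeAdmins to use virtual-network-family in compartment Prod
Allow group ComputeAdmins to read virtual-network-family in tenancy where request.region = 'uk-london-1'
```

''use'' on ''virtual-network-family'' lets ComputeAdmins attach instances to existing subnets and NSGs without being able to create or alter them, which is the least-privilege split the notes describe.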