dokucama

This is an old revision of the document!

---

OCI

ASN AS31898 - 152.67.96.0/19 - 10.0.0.0/16

• FastConnect (~DirectConnect , ~ExpressRoute)
• VCN (~VPC)
• DRG (VGW)
• SG (Service Gateway) (~ AWS service endpoints)
• IG (Internet Gateway) (~ IGW )
• Compute Shapes
• IAM (Identity and Access Management - policies/user permissions)
• ?? AMI (vm source code)
• ?? (~CloudFront (CDN))
• ?? (~DNS route 53)

• ODocs link
• https://ruepprich.com/2018/09/06/oci-commandline-interface-cli-filtering/

---

• OCI images External Link
• OCI shapes External Link

---

AD: Same region but isolated (power and routing wise). Same orchestration system.
FD: Each AD has three FD. Specific FD has its own physical hypervisors, racks, ToRs and PDUs. We can see it as a rack. Each FD has its own control and forwarding plane. \\# Compartment: Is a logical global construct (multi region) that helps with access control. Each resource belongs to one and only one compartment. Compartments can be nested, up to six of them.

---

SECURITY:

• NSG : micro-segmentation. No deny so, if multiple NSGs applied, if one of them allows a flow, off it goes. Otherwise implicit deny.
• SL are applied to the SUBNET, not to the VCN.

FASTCONNECT:

• Partner
• collocated (requires x-connects)*
• third-party

If you don’t want to run cross connects then partner is the only option you have but the customer still needs to get with the partner and request service to connect to OCI.

DNS:

Internet and VCN Resolver (VCN and Internet):Link
Is configured in at the subnet level with thhe dhcp options (ie we use dhcp responses to configure DNS.
Is added as subdomains. TLD is oraclevcn.com by default but we use oracledatacloud.com because we have custom DNS servers.
Custom Resolver: Link TODO

Private DNS service:Link

---

OCI ARCHITECTURE
Regions > AD > FD

• FD : 'Logical Datacenter' inside a AD. FD has anti-affinity

---

OCI CLI:
https://confluence.oracledatacloud.com/display/ODCI/OCI+CLI+Setup ; https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliinstall.htm oci setup config bin/oci-cli-scripts/

PRETTY TABLE FORMAT:

oci compute instance list  --query "data [*].{ImageName:\"display-name\", State:\"lifecycle-state\", CreatedBy:\"defined-tags\".\"OracleDataCloud\".\"isProduction\"}"
--output table

List all rules for a NSG, in table format:

oci network nsg list --compartment-id=$cb --query "data [*].{NsgName:\"display-name\",NsgOcid:\"id\"}" --output table  # to lists all NSGs and ocid

oci network nsg rules list --nsg-id=ocid1.networksecuritygroup.oc1.uk-london-1.aaaaaaaa5cmsz6u7r67os7f72idsxtiqreft7clctjtkxuk3fx56adow2d5a --query "data [*].{Stateless:\"is-stateless\",src:\"source\",dst:\"destination\",protocol:\"protocol\",description:\"description\",dst_tcp1:\"tcp-options\".\"destination-port-range\".\"min\",dst_tcp2:\"tcp-options\".\"destination-port-range\".\"max\",dst_udp1:\"udp-options\".\"destination-port-range\".\"min\",dst_udp2:\"udp-options\".\"destination-port-range\".\"max\",src_tcp1:\"tcp-options\".\"source-port-range\".\"min\",src_tcp2:\"tcp-options\".\"source-port-range\".\"max\",src_udp1:\"udp-options\".\"source-port-range\".\"min\",src_udp2:\"udp-options\".\"source-port-range\".\"max\"}" --output table

Then don't forget to place your api public key in the console:

Identity>>Users>>User Details

Files location:

/home/jaime/bin
/home/jaime/lib/oracle-cli
/home/jaime/bin/oci-cli-scripts
/home/jaime/.oci/config
/home/jaime/.oci # keys folder
oci_api_key   # api key name

https://docs.cloud.oracle.com/iaas/Content/API/Concepts/cliconcepts.htm

---

NON-CLOUD COMPUTING WITH TERRAFORM: yes but things with unified controller (nsx, openstack (neutron) etc..)

• Provider: NSX
• Provider: HE (OneView)

---

NETWORKING:

• wh:
  • For outbound traffic. NATP, same for everybody. Allows permanent Public IP address.
  • The NAT gateway supports TCP, UDP, and ICMP ping traffic.
  • The gateway supports a maximum of approximately 20,000 concurrent connections to a single destination address and port.
  • The Networking service automatically assigns a public IP address to the NAT gateway. You can't choose the public IP address or use one of your reserved public IP addresses.
  • There's a limit on the number of NAT gateways per VCN. You can request an increase to that limit. See Service Limits.

• VCN address space > subnets (they can be isolated/secured)
• DRG is a Router (used for any destination except internet)
• Service Gateway: to access block storage (which is a global IP) but without traversing internet.
• NSG at the vnic / SL at the subnet
• Peering
  • LPG
  • RPC
• LB
  • public
  • private
  • L4,L7
  • SSL,sticky sessions
  • remember listener is a placeholder. Above the lb instances

---

STORAGE:

• BLOCK: mmounted drives, no meta data, 512B blocks. Classical for Windows NTFS
  • Boot and block volumes
  • Beyond the lifespan of compute instances. automatically in all FD
  • three tiers, depending on performance (IOPS/Throughput)
• FILE (fss)
  • Typical in NAS,NFS filesystems looking exactly like local fs * Very durable. Three FDs.
• OBJECT
  • (~S3 buckets)
  • Access via https (GET PUT)
  • Objects all in a flat structure with lots of meta-data. So fast access and possible to index the data easily.
  • hot storage:
  • cold (archive) tier: access not instantaneous
• LOCAL NVME
  • Local storage, more temporary. Survives reboot but not instance termination.

---

IAM (authentication (identity) authorization (permissions))

• IAM users
  • groups nees to have a least one policy for a tenancy/compartment
• Instance principals
  • like delegate the permissions normally assigned for a user to an instance (eg: the instance can make api calls)

User/password, API signing key, auth token (generated to authenticate with a 3rd party)
Authorization happens with policies. Policies are written in human-readable format.