dokucama

User Tools

Site Tools

Trace: openstack host-preparation ios srx api oci
virtualization:cloud:oci

This is an old revision of the document!

OCI


ASN AS31898 - 152.67.96.0/19 - 10.0.0.0/16

  • FastConnect (~DirectConnect , ~ExpressRoute)
  • VCN (~VPC)
  • DRG (VGW)
  • SG (Service Gateway) (~ AWS service endpoints)
  • IG (Internet Gateway) (~ IGW )
  • Compute Shapes
  • IAM (Identity and Access Management - policies/user permissions)
  • ?? AMI (vm source code)
  • ?? (~CloudFront (CDN))
  • ?? (~DNS route 53)
  • AD: Same region but isolated (power and routing wise). Same orchestration system.
  • FD: Each AD has three FD. Specific FD has its own physical hypervisors, racks, ToRs and PDUs. We can see it as a rack. Each FD has its own control and forwarding plane.
  • Compartment: Is a logical global construct (multi region) that helps with access control. Each resource belongs to one and only one compartment. Compartments can be nested, up to six of them.

SECURITY:

  • NSG : micro-segmentation. No deny so, if multiple NSGs applied, if one of them allows a flow, off it goes. Otherwise implicit deny.
  • SL are applied to the SUBNET, not to the VCN.


FASTCONNECT:

  • Partner
  • collocated (requires x-connects)*
  • third-party

If you don’t want to run cross connects then partner is the only option you have but the customer still needs to get with the partner and request service to connect to OCI.

DNS:

Internet and VCN Resolver (VCN and Internet):Link
Is configured in at the subnet level with thhe dhcp options (ie we use dhcp responses to configure DNS.
Is added as subdomains. TLD is mycompany2vcn.com by default but we use mycompany2datacloud.com because we have custom DNS servers.
Custom Resolver: Link TODO

Private DNS service:Link

OCI ARCHITECTURE
Regions > AD > FD

  • FD : 'Logical Datacenter' inside a AD. FD has anti-affinity

OCI CLI:
https://confluence.mycompany2datacloud.com/display/ODCI/OCI+CLI+Setup ; https://docs.cloud.mycompany2.com/iaas/Content/API/SDKDocs/cliinstall.htm oci setup config bin/oci-cli-scripts/

PRETTY TABLE FORMAT:

oci compute instance list  --query "data [*].{ImageName:\"display-name\", State:\"lifecycle-state\", CreatedBy:\"defined-tags\".\"mycompany2DataCloud\".\"isProduction\"}"
--output table

List all rules for a NSG, in table format: 

oci network nsg list --compartment-id=$cb --query "data [*].{NsgName:\"display-name\",NsgOcid:\"id\"}" --output table  # to lists all NSGs and ocid
oci network nsg rules list --nsg-id=ocid1.networksecuritygroup.oc1.uk-london-1.aaaaaaaa5cmsz6u7r67os7f72idsxtiqreft7clctjtkxuk3fx56adow2d5a --query "data [*].{Stateless:\"is-stateless\",src:\"source\",dst:\"destination\",protocol:\"protocol\",description:\"description\",dst_tcp1:\"tcp-options\".\"destination-port-range\".\"min\",dst_tcp2:\"tcp-options\".\"destination-port-range\".\"max\",dst_udp1:\"udp-options\".\"destination-port-range\".\"min\",dst_udp2:\"udp-options\".\"destination-port-range\".\"max\",src_tcp1:\"tcp-options\".\"source-port-range\".\"min\",src_tcp2:\"tcp-options\".\"source-port-range\".\"max\",src_udp1:\"udp-options\".\"source-port-range\".\"min\",src_udp2:\"udp-options\".\"source-port-range\".\"max\"}" --output table

Then don't forget to place your api public key in the console: 

Identity>>Users>>User Details


Files location: 

/home/jaime/bin
/home/jaime/lib/mycompany2-cli
/home/jaime/bin/oci-cli-scripts
/home/jaime/.oci/config
/home/jaime/.oci # keys folder
oci_api_key   # api key name


https://docs.cloud.mycompany2.com/iaas/Content/API/Concepts/cliconcepts.htm

NON-CLOUD COMPUTING WITH TERRAFORM: yes but things with unified controller (nsx, openstack (neutron) etc..)

  • Provider: NSX
  • Provider: HE (OneView)

NETWORKING:

  • wh:
    • For outbound traffic. NATP, same for everybody. Allows permanent Public IP address.
    • The NAT gateway supports TCP, UDP, and ICMP ping traffic.
    • The gateway supports a maximum of approximately 20,000 concurrent connections to a single destination address and port.
    • The Networking service automatically assigns a public IP address to the NAT gateway. You can't choose the public IP address or use one of your reserved public IP addresses.
    • There's a limit on the number of NAT gateways per VCN. You can request an increase to that limit. See Service Limits.
  • VCN address space > subnets (they can be isolated/secured)
  • DRG is a Router (used for any destination except internet)
  • Service Gateway: to access block storage (which is a global IP) but without traversing internet.
  • NSG at the vnic / SL at the subnet
  • Peering
    • LPG
    • RPC
  • LB
    • public
    • private
    • L4,L7
    • SSL,sticky sessions
    • remember listener is a placeholder. Above the lb instances

STORAGE:

  • BLOCK: (~ EBS )
    • mounted drives, no meta data, 512B blocks. Classical for Windows NTFS
    • Boot and block volumes
    • Beyond the lifespan of compute instances. automatically in all FD
    • three tiers, depending on performance (IOPS/Throughput)
  • FILE (fss)
    • Typical in NAS,NFS filesystems looking exactly like local fs * Very durable. Three FDs.
  • OBJECT
    • (~S3 buckets)
    • Access via https (GET PUT)
    • Objects all in a flat structure with lots of meta-data. So fast access and possible to index the data easily.
    • hot storage:
    • cold (archive) tier: access not instantaneous
  • LOCAL NVME
    • Local storage, more temporary. Survives reboot but not instance termination.

IAM (authentication (identity) authorisation (permissions))

  • IAM users
    • groups nees to have a least one policy for a tenancy/compartment
  • Instance principals
    • like delegate the permissions normally assigned for a user to an instance (eg: the instance can make api calls)


  • Example: some humans manage instances, some humans manage network. then some of the 1st group can use (not manage) the network.


User/password, API signing key, auth token (generated to authenticate with a 3rd party)
Authorisation happens with policies. Policies are written in human-readable format. Then we attach the policy to a compartment or tenancy.

  • Policy syntax:
    • verb: inspect/read/use/manage
    • resource-type: database, instance,virtual-network…
    • location
    • conditions

MONITORING SYSTEM:

  • Alert/notification can trigger functions

SECURITY:
HSM (Hardware Security Modules):
Is a tamper proof hardware system for key storage.
DATA SAFE:
Service to protect information in mycompany2 Cloud databases.


CLOUD ADVISOR:
To notify, eg, about underused resources. Gives recommendations to save money without degrading performance.

virtualization/cloud/oci.1662490020.txt.gz · Last modified: (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki