Virtual Cloud Network Level 200. Jamal Arif November 2018


Virtual Cloud Network Level 200. Jamal Arif, November 2018. Copyright 2018, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Objectives
After completing this lesson, you should be able to describe advanced VCN functionalities:
- Service Gateway
- Private IP as Route Target
- VCN Peering: Local VCN Peering and Remote VCN Peering
- Edge Security
Prerequisite: Virtual Cloud Network Level 100

Service Gateway
- A service gateway enables a VCN to access Object Storage without exposing the VCN to the public internet.
- Traffic from the VCN to Object Storage travels over the Oracle Cloud Infrastructure network fabric and never traverses the internet.
- Use case: back up DB Systems in your VCN to Object Storage. With a Service Gateway, no Internet Gateway is required for DB System backup; DB Systems can be in a private subnet and have only private IP addresses.
- IAM policies can restrict access to the bucket to only the VCN, or to only the private subnet within the VCN.

Diagram: Service Gateway, before and after. Both panels show an Oracle Cloud region with VCN 10.0.0.0/16, a public subnet 10.0.0.0/24 (public instance, Internet Gateway) and a private subnet 10.0.1.0/24 (private instance). Before: traffic from the private instance to Object Storage leaves through the Internet Gateway. After: it goes through a Service Gateway and stays on the Oracle network.

Managing Service Gateway
- You can control which subnets in your VCN use a service gateway.
- A service gateway can be used only by resources in the gateway's own VCN.
- Object Storage is the first service to be available with a service gateway.
- You must specify a route rule and a security list rule in the subnet's associated route table and security lists, respectively.
- A service gateway is always attached to exactly one VCN of your choice, and you can block or allow traffic through the service gateway at any time.
- Currently, the service gateway doesn't support OS updates: it blocks access to the YUM repositories needed to update the OS. NAT gateways can be used in the interim.

Private IP as Route Target
- Ability to use a private IP as the target of a route rule in situations where you want to route a subnet's traffic to another instance.
- Note: a given subnet's route table can have routes only for traffic with a destination IP address outside the VCN.
- Use cases: to implement a virtual network function (such as a firewall or intrusion detection); to manage an overlay network on the VCN, which lets you run container orchestration workloads.
Diagram: an Oracle Cloud region with VCN 10.0.0.0/16 in Availability Domain 1. The public subnet 10.0.0.0/24 holds a firewall instance; the private subnet 10.0.1.0/24 holds a private instance. The private subnet's route table sends 0.0.0.0/0 to the firewall's private IP and 172.16.0.0/16 to the DRG, which connects to the customer datacenter.
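The route lookup the slide describes, written out as an added example (this is not code from the deck or from Oracle): a longest-prefix match over the private subnet's route table, with the caveat from the note that destinations inside the VCN are never matched by route rules. The firewall's private IP (10.0.0.10) and the "privateip:"/"drg" target labels are assumptions for illustration; the CIDRs come from the slide.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for the slide's scenario; the firewall's private IP is an
# assumed address inside the public subnet 10.0.0.0/24.
VCN_CIDR = ipaddress.ip_network("10.0.0.0/16")
FIREWALL_PRIVATE_IP = "10.0.0.10"


@dataclass(frozen=True)
class RouteRule:
    destination: str  # CIDR the rule matches
    target: str       # hypothetical target label: "privateip:<ip>" or "drg"


# Route table of the private subnet 10.0.1.0/24 from the slide: the
# on-premises range goes to the DRG, everything else leaving the VCN
# goes to the firewall instance's private IP.
PRIVATE_SUBNET_ROUTES = [
    RouteRule("0.0.0.0/0", f"privateip:{FIREWALL_PRIVATE_IP}"),
    RouteRule("172.16.0.0/16", "drg"),
]


def destination_is_valid(cidr, vcn_cidr=VCN_CIDR):
    """A route rule may only cover traffic leaving the VCN, so a destination
    that lies entirely inside the VCN CIDR is rejected. A wider block such as
    0.0.0.0/0 merely contains the VCN and is accepted."""
    net = ipaddress.ip_network(cidr)
    return not net.subnet_of(vcn_cidr)


def next_hop(dst_ip, rules, vcn_cidr=VCN_CIDR):
    """Return where a packet from the subnet is sent: "local" for intra-VCN
    destinations (delivered by the VCN itself, route rules not consulted),
    the target of the longest-prefix matching rule, or "no-route" when no
    rule matches and the packet is dropped."""
    addr = ipaddress.ip_address(dst_ip)
    if addr in vcn_cidr:
        return "local"
    best, best_len = None, -1
    for rule in rules:
        if not destination_is_valid(rule.destination, vcn_cidr):
            raise ValueError(f"route destination {rule.destination} lies inside the VCN")
        net = ipaddress.ip_network(rule.destination)
        if addr in net and net.prefixlen > best_len:
            best, best_len = rule, net.prefixlen
    return best.target if best else "no-route"


if __name__ == "__main__":
    for ip in ("10.0.1.25", "172.16.4.9", "203.0.113.8"):
        print(ip, "->", next_hop(ip, PRIVATE_SUBNET_ROUTES))
```

Because 172.16.0.0/16 is more specific than 0.0.0.0/0, on-premises traffic reaches the DRG while internet-bound traffic is steered through the firewall instance; a rule whose destination sits inside the VCN is rejected up front, which is the check you want before pushing a route table change.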

VCN Peering
- Enables connectivity between the resources in different VCNs.
- Does not require public IPs or NAT to enable connectivity.
- Traffic never leaves the Oracle network.
- Compared with other options such as connecting over the internet, VCN Peering offers faster connectivity and higher security.
- Types of VCN Peering available: Local Peering (in-region) and Remote Peering (cross-region).

Local VCN Peering: connecting VCNs in the same region
- Connecting two VCNs in the same region so that their resources can communicate using private IP addresses without routing the traffic over the internet or through your on-premises network.
- The VCNs must not have overlapping IP addresses.
- Local Peering VCNs can be in either the same or different tenancies (cross-tenancy peering).
Local Peering Gateway (LPG)
- Like the Internet Gateway, the LPG is a component on the VCN.
- The LPGs of two VCNs are connected to make a peering relationship.
- LPGs enable the data plane to learn about instances in peered VCNs.

Local VCN Peering: workflow
1. Create a Local Peering Gateway in each VCN.
2. Have the required IAM policies to establish the connection.
3. Establish the connection across the LPGs.
4. Update the route table.
5. Update the security list.
6. Test connectivity.

Remote VCN Peering: connecting VCNs in different regions
- Traffic flows between regions through the OCI backbone network.
- Supported between ASH-PHX and LHR-FRA; other regions are on the roadmap.
- The two VCNs in the peering relationship must not have overlapping CIDRs.
- Requires a DRG to set up the Remote Peering Connection: the VNIC of an instance in one VCN forwards traffic to its DRG, which forwards the traffic to the peer DRG in the other region over the backbone.
- Enables features such as data replication across regions.
Remote Peering Connection (RPC)
- Like Virtual Circuits, the Remote Peering Connection is a component of the DRG.
- The RPCs of two DRGs from two regions are connected to create a peering relationship.

Remote VCN Peering: workflow
1. Have an existing DRG attached to a VCN.
2. Have the required IAM policies to establish the connection.
3. Establish the connection across the DRGs.
4. Update the route table.
5. Update the security list.
6. Test connectivity.

Things to remember for VCN Peering!
With IAM policies, you can control:
- Who can subscribe your tenancy to another region (required for remote VCN peering).
- Who in your organization has the authority to establish VCN peerings.
- Who can manage route tables and security lists.
Once the peering connection has been established:
- Control the packet flow over the connection with route tables in your VCN.
- Control the packet flow over the connection with security lists in your VCN.
- Ensure that all outbound and inbound traffic with the other VCN is intended/expected and well defined.
- Implement security list rules that explicitly state the types of traffic your VCN can send to the other and accept from the other.
- If you're concerned about high levels of network traffic coming to your VCN, consider using stateless security list rules to limit the level of connection tracking your VCN must perform.

Edge Security

Securing your VCN
- Public vs Private Subnets: designate a subnet to be private, which means instances in the subnet cannot have public IP addresses.
- Security Lists: control packet-level traffic in/out of an instance by defining security rules in your VCN.
- Firewall Rules: configure firewall rules directly on the instance itself to control packet-level traffic in/out of an instance.
- Gateways and Route Tables: control general traffic flow from your cloud network to outside destinations (the internet, your on-premises network, or another VCN).
- IAM Policies: control who has access to the Oracle Cloud Infrastructure API or console.
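The stateful/stateless distinction from the peering slide and the security-list bullet above, as an added example that is not part of the deck or of any Oracle tooling: a small default-deny security-list evaluator in which stateful rules track the flow so the reply is admitted automatically, while stateless rules need an explicit return-traffic rule. The instance address 10.0.0.5, the client 172.16.10.7 (inside the slide's on-premises range 172.16.0.0/16) and the ephemeral port are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # (low, high) inclusive; None means any port


@dataclass(frozen=True)
class Rule:
    direction: str            # "ingress" or "egress"
    protocol: str             # "tcp", "udp", "icmp" or "all"
    cidr: str                 # source CIDR for ingress rules, destination CIDR for egress rules
    dst_ports: PortRange = None
    src_ports: PortRange = None
    stateless: bool = False   # stateful (default) rules track the connection; stateless ones do not


@dataclass(frozen=True)
class Packet:
    direction: str            # "ingress" = arriving at the instance, "egress" = leaving it
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class SecurityList:
    """Default-deny evaluator: a packet passes if a tracked stateful flow
    already covers it, or if some rule in its direction matches it."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()  # flow keys admitted by stateful rules

    @staticmethod
    def _flow_key(pkt):
        # Direction-independent 5-tuple, so the reply hashes to the same key as the request.
        return frozenset([(pkt.protocol, pkt.src_ip, pkt.src_port),
                          (pkt.protocol, pkt.dst_ip, pkt.dst_port)])

    @staticmethod
    def _in_range(port, rng):
        return rng is None or rng[0] <= port <= rng[1]

    def _matches(self, rule, pkt):
        if rule.direction != pkt.direction or rule.protocol not in ("all", pkt.protocol):
            return False
        remote_ip = pkt.src_ip if pkt.direction == "ingress" else pkt.dst_ip
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.cidr):
            return False
        return self._in_range(pkt.dst_port, rule.dst_ports) and self._in_range(pkt.src_port, rule.src_ports)

    def allows(self, pkt):
        key = self._flow_key(pkt)
        if key in self.tracked:
            return True            # reply of a stateful connection: no explicit rule needed
        for rule in self.rules:
            if self._matches(rule, pkt):
                if not rule.stateless:
                    self.tracked.add(key)   # remember the flow so its reply is admitted
                return True
        return False


def ssh_roundtrip(rules):
    """Constructed scenario: a host in the on-premises range 172.16.0.0/16
    opens SSH to instance 10.0.0.5. Returns (request_allowed, reply_allowed)."""
    sl = SecurityList(rules)
    request = Packet("ingress", "tcp", "172.16.10.7", "10.0.0.5", 51515, 22)
    reply = Packet("egress", "tcp", "10.0.0.5", "172.16.10.7", 22, 51515)
    return sl.allows(request), sl.allows(reply)


# One stateful ingress rule: the reply is admitted by connection tracking.
STATEFUL_SSH = [Rule("ingress", "tcp", "172.16.0.0/16", dst_ports=(22, 22))]

# A stateless ingress rule alone: the request is admitted, the reply is dropped.
STATELESS_SSH_INCOMPLETE = [Rule("ingress", "tcp", "172.16.0.0/16", dst_ports=(22, 22), stateless=True)]

# Stateless pair: an explicit egress rule with source port 22 admits the reply.
STATELESS_SSH_COMPLETE = STATELESS_SSH_INCOMPLETE + [
    Rule("egress", "tcp", "172.16.0.0/16", src_ports=(22, 22), stateless=True)
]

if __name__ == "__main__":
    for name, rules in (("stateful", STATEFUL_SSH),
                        ("stateless, ingress only", STATELESS_SSH_INCOMPLETE),
                        ("stateless pair", STATELESS_SSH_COMPLETE)):
        print(f"{name}: request/reply allowed = {ssh_roundtrip(rules)}")
```

The incomplete stateless list is the classic mistake when switching rules to stateless to cut connection tracking: the request gets in but the instance's reply is silently dropped, so every stateless ingress rule needs its matching stateless egress rule keyed on the source port.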

Virtual Firewall Instances: Fortigate NGFW with a Two-Tier App
Diagram: VCN 10.0.0.0/16 across Availability Domain 1 and Availability Domain 2, reached from an OCI client, the on-premises network and the internet through the Internet Gateway. Protection tier: a public load balancer in front of a Fortigate NGFW in each AD, with a bastion host in each public subnet. Web/App tier: behind a private load balancer. DB tier: DB Systems with DataGuard sync across the two ADs. Reference: OCI blog on Fortigate NGFW.

Using vSRX as a Virtual Firewall/NAT Device
- vSRX provides benefits like stateful firewall protection, and application and content security features like IPS, antivirus, web filtering, and antispam.
High-level workflow:
1. Create a VCN and three subnets as shown in the figure.
2. Import the vSRX image and launch a vSRX compute instance in the VCN.
3. Attach additional VNICs in each subnet.
4. Use the instance console connection to set up vSRX.
The following blog post provides details on how to set up a vSRX on OCI: https://blogs.oracle.com/cloudinfrastructure/how-to-deploy-a-virtual-firewallappliance-on-oracle-cloud-infrastructure

cloud.oracle.com/iaas cloud.oracle.com/tryit

Best Practices for Virtual Cloud Network Design

Review: Virtual Cloud Network
- A VCN's network range can't be modified once created, and it is a contiguous IPv4 CIDR block.
- A VCN is a regional construct; subnets are specific to an AD.
- A subnet can have ONE route table and MULTIPLE (5*) security lists associated with it.
- Security lists support stateful and stateless rules.
- All hosts within a VCN can route to all other hosts in the VCN; the route table defines what can be routed into and out of the VCN.
- The allowable VCN size range is from /16 to /30 (the VCN reserves the first two IP addresses and the last one in each subnet's CIDR).

VCN Best Practices
- Architect your networking infrastructure to maximize use of Availability Domains for high availability (ADs are fault tolerant and geographically distributed to sustain a natural disaster).
- Ensure the VCN CIDR block does not overlap with other VCNs in Oracle Cloud Infrastructure (same or different regions) or with your organization's private IP network ranges.
- Do not allocate all IP addresses at once within a VCN or subnet; instead, plan to reserve some IP addresses for future use.
- Divide your VCN network range across all ADs evenly.
- Hosts that have similar routing requirements can share route tables across multiple availability domains, e.g. public hosts, private hosts, NAT instances, etc.
- Ensure your VCN and subnet network ranges can support additional workloads.
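The non-overlap requirement appears three times in this deck: for local peering, for remote peering, and as the best practice just above (no overlap with other VCNs in any region or with the organization's private ranges). The following added example (not code from the deck or from Oracle) checks an address plan for overlaps, answers whether two VCNs are eligible to peer, and proposes the next free block for a new VCN. The plan itself is constructed: the three VCN names are hypothetical and vcn-lhr deliberately collides with vcn-ash.

```python
import ipaddress

# Constructed address plan: three VCNs in three regions plus the on-premises
# range. Names are hypothetical; vcn-lhr deliberately overlaps vcn-ash.
ADDRESS_PLAN = {
    "vcn-ash": "10.0.0.0/16",
    "vcn-phx": "10.1.0.0/16",
    "vcn-lhr": "10.0.128.0/17",
    "onprem": "172.16.0.0/16",
}


def find_overlaps(plan):
    """Return every pair of names whose CIDRs overlap. strict=True rejects a
    CIDR with host bits set (e.g. 10.0.1.0/16), which usually signals a typo
    in the plan rather than an intended block."""
    nets = [(name, ipaddress.ip_network(cidr, strict=True)) for name, cidr in plan.items()]
    return [(a, b)
            for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:]
            if na.overlaps(nb)]


def can_peer(plan, name_a, name_b):
    """Two VCNs may be peered, locally or remotely, only if their CIDRs do not overlap."""
    return not ipaddress.ip_network(plan[name_a]).overlaps(ipaddress.ip_network(plan[name_b]))


def next_free_block(plan, prefixlen, candidate_space="10.0.0.0/8"):
    """Suggest the first /prefixlen block inside candidate_space that overlaps
    nothing already in the plan, or None if the space is exhausted."""
    used = [ipaddress.ip_network(c) for c in plan.values()]
    for cand in ipaddress.ip_network(candidate_space).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


if __name__ == "__main__":
    print("overlaps:", find_overlaps(ADDRESS_PLAN))
    print("ash<->phx peerable:", can_peer(ADDRESS_PLAN, "vcn-ash", "vcn-phx"))
    print("ash<->lhr peerable:", can_peer(ADDRESS_PLAN, "vcn-ash", "vcn-lhr"))
    print("next free /16:", next_free_block(ADDRESS_PLAN, 16))
```

Running this over the plan flags vcn-ash/vcn-lhr as the only collision, which is exactly the pair that could never be peered, and proposes 10.2.0.0/16 as the next block that stays clear of every VCN and of the on-premises range.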

VCN Best Practices (2)
- Use security lists as firewalls to manage connectivity north-south (incoming/outgoing VCN traffic) and east-west (internal VCN traffic between multiple subnets). A security list is applied at the subnet level: all instances within that subnet inherit all security rules in that SL.
- Private subnets are recommended to have individual route tables to control the flow of traffic within and outside of the VCN.
- OCI recommends using OCI IAM policies to restrict unauthorized users from managing virtual cloud network resources in your tenancy/compartment. Only network admins are allowed to manage VCN resources; other users can have least-privilege policies (use, inspect, read).
- Use OCI tags to tag VCN resources (route tables, security lists, subnets, etc.) so that all resources follow organizational tagging/naming conventions.

Example: VCN and Subnet Sizing
- VCN CIDR block 10.0.0.0/16 (Extra Large IPv4 CIDR block).
- Divide it into four equal blocks: three for ADs and one spare.
  10.0.0.0/18 AD1
  10.0.64.0/18 AD2
  10.0.128.0/18 AD3
  10.0.192.0/18 Extra
- Within each AD, we can have public and private subnets. Private instances are more prevalent than public instances, so we should reserve a greater range for the private subnets.
  10.0.0.0/18 AD1
  10.0.0.0/19 AD1 Private Subnet
  10.0.32.0/19 AD1 Public/spare
  10.0.32.0/20 AD1 Public Subnet
  10.0.48.0/20 AD1 Extra
- Follow the same design pattern for all 3 Availability Domains.

Example: VCN and Subnet Sizing

VCN Size    | Netmask | Subnet Size | IPs/Subnet | Total Subnets | Total IPs
------------|---------|-------------|------------|---------------|----------
Small       | /24     | /27         | 29*        | 8             | 232
Medium      | /20     | /24         | 253*       | 16            | 4,048
Large       | /18     | /22         | 1021*      | 16            | 16,336
Extra Large | /16     | /20         | 4093*      | 16            | 65,488

* The first two IP addresses and the last one in each subnet's CIDR are reserved.

Example: VCN and Subnet Sizing (layout across Availability Domains), VCN 10.0.0.0/16

Block                                | Private Subnet | Public Subnet | Extra Range
-------------------------------------|----------------|---------------|--------------
Availability Domain 1, 10.0.0.0/18   | 10.0.0.0/19    | 10.0.32.0/20  | 10.0.48.0/20
Availability Domain 2, 10.0.64.0/18  | 10.0.64.0/19   | 10.0.96.0/20  | 10.0.112.0/20
Availability Domain 3, 10.0.128.0/18 | 10.0.128.0/19  | 10.0.160.0/20 | 10.0.176.0/20
Spare Network Range, 10.0.192.0/18   |                |               |
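The sizing table and the AD layout, reproduced by code as an added example (not code from the deck or from Oracle). `sizing_row` recomputes a row of the table from the reserved-address rule (three addresses per subnet) and the /16 to /30 VCN limit, and `carve_vcn` applies the four-blocks-plus-private/public/extra pattern to any VCN prefix, which generalizes the /16 case the slides show; the relative prefix steps (+2 for the AD block, +1 and +1 for the private and public/extra halves) are an assumption derived from the /16 layout.

```python
import ipaddress

RESERVED_PER_SUBNET = 3                   # first two and last address of each subnet's CIDR are reserved
VCN_MIN_PREFIX, VCN_MAX_PREFIX = 16, 30   # allowable VCN size range from the review slide


def usable_ips(subnet):
    """Addresses instances can actually use in one subnet."""
    return subnet.num_addresses - RESERVED_PER_SUBNET


def sizing_row(vcn_prefix, subnet_prefix):
    """One row of the sizing table: a /vcn_prefix VCN carved into /subnet_prefix subnets."""
    if not VCN_MIN_PREFIX <= vcn_prefix <= VCN_MAX_PREFIX:
        raise ValueError(f"VCN prefix /{vcn_prefix} outside /{VCN_MIN_PREFIX}../{VCN_MAX_PREFIX}")
    if subnet_prefix < vcn_prefix:
        raise ValueError("a subnet cannot be larger than its VCN")
    vcn = ipaddress.ip_network(f"10.0.0.0/{vcn_prefix}")   # the base address does not matter for counting
    subnets = list(vcn.subnets(new_prefix=subnet_prefix))
    per_subnet = usable_ips(subnets[0])
    return {"subnets": len(subnets),
            "ips_per_subnet": per_subnet,
            "total_ips": per_subnet * len(subnets)}


def carve_vcn(vcn_cidr="10.0.0.0/16"):
    """Apply the slide's pattern to a VCN of any size: four equal blocks
    (AD1..AD3 + spare); inside each AD block the first half is the private
    subnet and the second half is split into a public subnet and an extra range."""
    vcn = ipaddress.ip_network(vcn_cidr)
    if not VCN_MIN_PREFIX <= vcn.prefixlen <= 28:   # /28 is the smallest VCN that still splits four ways
        raise ValueError(f"{vcn_cidr} cannot be carved with this pattern")
    blocks = list(vcn.subnets(new_prefix=vcn.prefixlen + 2))
    layout = {}
    for ad, block in zip(("AD1", "AD2", "AD3"), blocks[:3]):
        private, rest = block.subnets(new_prefix=block.prefixlen + 1)
        public, extra = rest.subnets(new_prefix=rest.prefixlen + 1)
        layout[ad] = {"private": str(private), "public": str(public), "extra": str(extra)}
    layout["spare"] = str(blocks[3])
    return layout


if __name__ == "__main__":
    for name, v, s in (("Small", 24, 27), ("Medium", 20, 24), ("Large", 18, 22), ("Extra Large", 16, 20)):
        print(name, f"/{v}", f"/{s}", sizing_row(v, s))
    for block, ranges in carve_vcn("10.0.0.0/16").items():
        print(block, ranges)
```

Keeping the reserved count and the VCN limits as named constants means a proposed plan is rejected before any subnet is created, and the same function reproduces the four table rows exactly, so the table can be regenerated rather than hand-maintained when the pattern is reused for a smaller VCN.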

Example: Three-Tier Application Architecture (Extra Large VCN size)
Diagram: VCN 10.0.0.0/16 in an Oracle Cloud Infrastructure region, across Availability Domain 1 and Availability Domain 2, reached by clients from the on-premises network and from the internet through the Internet Gateway, with backups to Object Storage. Web tier: public subnets 10.0.40.0/21, 10.0.104.0/21, 10.0.32.0/21 and 10.0.96.0/21 with a public load balancer (active) and a public load balancer (standby). App tier: private load balancers (active and standby) in private subnets 10.0.16.0/20, 10.0.0.0/20, 10.0.64.0/19 and 10.0.48.0/20. DB tier: DB Systems with DataGuard sync in 10.0.112.0/20.

Example: Oracle Customer Architecture (1)
Diagram: Virtual Cloud Network 10.0.0.0/16 in an Oracle Cloud data center region, across Availability Domain 1 and Availability Domain 2, with an Internet Gateway (IGW) and a DRG connected by VPN to the customer datacenter. Public Subnet-A/D, Public Subnet-B/E and Private Subnet-C/F span the two availability domains. Components shown: load-balanced web servers on VMs, a bastion server on a VM, a 2-node RAC database with RMAN backup to Object Storage, and the IAM and Audit services.

Summary
Describe advanced VCN functionalities:
- Service Gateway
- Private IP as Route Target
- VCN Peering: Local VCN Peering and Remote VCN Peering
- Edge Security
