
Oracle Cloud study notes (foundation)

  • Writer: Personal Chao yu
  • Dec 6, 2021
  • 8 min read
OCI structure

- Example set-up to avoid single points of failure:

  Use Data Guard to sync data between different ADs (availability domains)...


1. IAM (identity and access management )

Principals are IAM entities that are allowed to interact with OCI resources.

There are two main kinds of principals in OCI. The first is users: the people who log on to the console or use the CLI or SDKs, human beings actually using your cloud resources. The second is the resources themselves. A good example of a resource principal is an instance principal: a compute instance that becomes a principal, which means it can make API calls against other OCI services such as storage.


Also, when we talk about principals we have groups. Groups are collections of users who have the same type of access requirements to resources. So you can have a storage admin group where you put all the human beings who are storage administrators, and so on and so forth.


Authentication in OCI

- API signing keys

- Auth tokens



Authorization in OCI

- uses IAM policies; a policy can apply to the tenancy (root compartment) or to a single compartment (a logical collection of OCI resources)

- Everything is denied by default

- IAM policies always operate at a group level!!!!

- a policy statement names a <verb> (from a fixed list of verbs)

- and a <resource-type> (from a fixed list of resource types)

Compartments in OCI

- What is a compartment?

  • A logical structure to contain OCI resources.

- Why?

  • Good practice: instead of putting all resources in the root compartment, isolating resources by type or feature helps with user access management.

- Resource access from one compartment to another

- Moving resources from one compartment to another

- Compartments are global (resources created in different OCI regions can be put in the same compartment)

- Compartments can also be nested, down to 6 levels

- You can set quotas and budgets on compartments

  • So you could say that in a particular compartment you cannot create a bare metal machine, or you cannot create an Exadata resource. You can control it like that. You can also create budgets on compartments: you could say that if the usage in a particular compartment goes beyond $1,000, it gets flagged and you get notified.
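As an added example (not part of these notes and not Oracle's code), the Python below models the IAM rules from the sections above: a policy statement grants a <verb> on a <resource-type> to a group, scoped to the tenancy or to one compartment (and, because compartments nest, everything below it); the verbs form a hierarchy; and anything not explicitly allowed is denied. The group names, compartment names and statements are constructed for illustration; the verb order inspect < read < use < manage and the `all-resources` and `object-family` resource types are OCI's own.

```python
"""Constructed model of OCI IAM authorization (example code, not the notes' or Oracle's)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# OCI verb hierarchy: a higher verb includes every permission of the verbs below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Shape of the statements the notes refer to: a <verb> and a <resource-type>,
# granted to a group, scoped to the tenancy or to one compartment.
STATEMENT = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:tenancy|compartment (?P<compartment>\S+))$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Policy:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None = attached at the tenancy (root compartment)


def parse_statement(text: str) -> Policy:
    """Parse one policy statement; reject anything outside the grammar above."""
    m = STATEMENT.match(" ".join(text.split()))
    if m is None:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    return Policy(m["group"], m["verb"].lower(), m["resource"].lower(), m["compartment"])


def is_authorized(policies: Iterable[Policy], user_groups: Set[str], verb: str,
                  resource: str, compartment_path: List[str]) -> bool:
    """Deny-by-default check.

    compartment_path is the chain of compartment names from the root down to
    the compartment holding the resource, e.g. ["prod", "prod-db"]. A policy
    attached to a compartment also covers everything nested below it.
    """
    for p in policies:
        if p.group not in user_groups:
            continue  # policies grant to groups, never to an individual user
        if p.resource not in (resource, "all-resources"):
            continue
        if VERB_RANK[p.verb] < VERB_RANK[verb]:
            continue  # e.g. an "inspect" grant does not cover "read"
        if p.compartment is not None and p.compartment not in compartment_path:
            continue  # scoped to a different part of the compartment tree
        return True
    return False  # nothing matched: everything is denied by default


# Constructed sample policies (group and compartment names are made up).
SAMPLE_STATEMENTS = [
    "Allow group StorageAdmins to manage object-family in compartment prod",
    "Allow group Auditors to inspect all-resources in tenancy",
]
SAMPLE_POLICIES = [parse_statement(s) for s in SAMPLE_STATEMENTS]

if __name__ == "__main__":
    # A storage admin reading a bucket in prod's child compartment is allowed;
    # the same admin in "dev" is not; an auditor may inspect but not read.
    print(is_authorized(SAMPLE_POLICIES, {"StorageAdmins"}, "read", "object-family", ["prod", "prod-app"]))
    print(is_authorized(SAMPLE_POLICIES, {"StorageAdmins"}, "read", "object-family", ["dev"]))
    print(is_authorized(SAMPLE_POLICIES, {"Auditors"}, "read", "instance-family", ["dev"]))
```

The evaluator never looks at a user directly, only at the groups the caller belongs to, which is the "policies operate at a group level" point; a caller in no group gets nothing.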

2. Virtual Cloud Network (VCN)

  • Internet Gateway: both inbound and outbound traffic

  • NAT (network address translation) gateway: for private subnets, allows outbound traffic ONLY.

  • Service Gateway: enables OCI resources to access public OCI services such as Object Storage without using an internet or NAT gateway, which is a more secure approach.

  • Dynamic Routing Gateway

    • This is a virtual router that provides a path for private traffic between your VCN and destinations other than the internet. What can these destinations be? For example, your on-premises environment.

  • Route Table (not for traffic between subnets)

    • Each rule takes a destination CIDR and a route target


  • Local Peering (within the same OCI region) via an LPG (local peering gateway)

  • Remote Peering: to connect two VCNs in two different OCI regions we need a DRG (Dynamic Routing Gateway)

  • Dynamic Routing Gateway V2

  • VCN Security List (firewall rules): applies to instances

  • VCN Network Security Group (NSG): applies to a set of resources within a VCN and can be used together with security lists

  • Load Balancer (also known as a reverse proxy) 1. HTTP Load Balancer (slower but more intelligent: it can look at the request headers and apply logic dynamically)

  • Load Balancer 2. Network Load Balancer (much faster, low latency)
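To show what the route table bullets above mean in practice, here is an added example (not from the notes or from Oracle) that resolves a destination address against a subnet's route rules. Each rule is exactly the pair the notes list, a destination CIDR and a route target; the most specific matching rule wins; and traffic inside the VCN's own CIDR needs no rule. The gateway names are the types described above; the VCN CIDR, the on-premises range and the address standing in for an OCI service CIDR are constructed from documentation ranges.

```python
"""Constructed example of OCI-style route table lookup (not the notes' or Oracle's code)."""
import ipaddress
from typing import List, Tuple

VCN_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed VCN address space

# Route table for a *private* subnet: no rule points at the Internet Gateway,
# so the subnet can only reach the internet outbound through the NAT Gateway.
PRIVATE_ROUTE_TABLE: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "NAT Gateway"),
    ("192.168.0.0/16", "Dynamic Routing Gateway"),  # constructed on-premises range
    # OCI expresses Service Gateway rules with a service CIDR label; a constructed
    # documentation range stands in for that label here.
    ("198.51.100.0/24", "Service Gateway"),
]

# Route table for a *public* subnet: default route goes to the Internet Gateway.
PUBLIC_ROUTE_TABLE: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "Internet Gateway"),
    ("192.168.0.0/16", "Dynamic Routing Gateway"),
]

# Route table with no default route at all: only on-premises is reachable.
ISOLATED_ROUTE_TABLE: List[Tuple[str, str]] = [
    ("192.168.0.0/16", "Dynamic Routing Gateway"),
]


def next_hop(route_table: List[Tuple[str, str]], destination: str) -> str:
    """Return the route target for a packet to `destination`.

    Intra-VCN traffic is handled implicitly; otherwise the rule with the
    longest matching prefix is chosen; with no match the packet has nowhere to go.
    """
    dst = ipaddress.ip_address(destination)
    if dst in VCN_CIDR:
        return "local"
    best = None  # (network, target) of the most specific match so far
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best is not None else "no route (dropped)"


if __name__ == "__main__":
    for table_name, table in (("private", PRIVATE_ROUTE_TABLE), ("public", PUBLIC_ROUTE_TABLE)):
        for dst in ("10.0.3.7", "192.168.10.5", "198.51.100.9", "203.0.113.1"):
            print(f"{table_name:8} {dst:15} -> {next_hop(table, dst)}")
```

The difference between the private and public tables is only the target of `0.0.0.0/0`, which is what makes a subnet "private" in the outbound-only sense the NAT gateway bullet describes; the isolated table shows that a subnet with no default route cannot reach the internet at all.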


3. Compute Instance
  • Compute Instance Types

    • VM: shared host to run VMs; Bare Metal; Dedicated Host: to run VMs
  • A special type of VM called Preemptible VMs exists for these types of workloads

  • Compute Instance Dependencies

    1. VCN (virtual cloud network)

    2. VNIC (virtual network interface card)

    3. Boot volume

  • Compute Instance Migration

    1. OCI provides live migration between hosts, meaning NO downtime

    2. When creating an instance, there is an option called "availability control" where opt-in and opt-out are presented. By default it is set to "Let Oracle decide"

  • Instance Scaling

    1. Vertical Scaling

    2. Autoscaling or Horizontal Scaling

  • How does autoscaling work?

    1. Based on a running instance, create a configuration (stamp) that describes the OS image, metadata, shape, vNICs, storage and subnets

    2. Use the configuration (stamp) to create an instance pool (a collection of these instances). It can be managed as one instance. Instances in the pool can also be in different ADs/regions to add more availability.

    3. Take this instance pool and write autoscaling rules on top of it.
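The three autoscaling steps above, as an added example in Python (not the notes' own and not Oracle's SDK): an instance configuration is a fixed recipe, an instance pool is a set of instances stamped from it and spread across availability domains, and an autoscaling policy on the pool adds or removes instances when the pool-wide metric average crosses a threshold, bounded by a minimum and maximum size. The image, shape, subnet and AD names and the metric samples are constructed.

```python
"""Constructed model of instance configuration -> instance pool -> autoscaling rule."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InstanceConfiguration:
    """The "stamp": everything needed to launch one more identical instance."""
    image: str
    shape: str
    subnet: str
    metadata: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class AutoscalingPolicy:
    metric: str
    scale_out_above: float   # add instances when the pool average exceeds this
    scale_in_below: float    # remove instances when the pool average drops below this
    min_size: int
    max_size: int
    step: int = 1


@dataclass
class InstancePool:
    config: InstanceConfiguration
    size: int
    availability_domains: Tuple[str, ...]  # instances are placed round-robin across these

    def placements(self) -> List[str]:
        """Which AD each instance in the pool lands in."""
        ads = self.availability_domains
        return [ads[i % len(ads)] for i in range(self.size)]


def evaluate(pool: InstancePool, policy: AutoscalingPolicy, samples: List[float]) -> int:
    """Apply one autoscaling evaluation; returns the pool's new size.

    `samples` are per-instance readings of policy.metric for the interval.
    """
    if not samples:
        return pool.size  # no data: leave the pool alone rather than flap
    average = sum(samples) / len(samples)
    if average > policy.scale_out_above:
        pool.size = min(policy.max_size, pool.size + policy.step)
    elif average < policy.scale_in_below:
        pool.size = max(policy.min_size, pool.size - policy.step)
    return pool.size


# Constructed inputs for the demo below.
DEMO_CONFIG = InstanceConfiguration(image="demo-linux-image", shape="demo-shape", subnet="demo-subnet")
DEMO_POLICY = AutoscalingPolicy(metric="CpuUtilization", scale_out_above=80.0,
                                scale_in_below=20.0, min_size=1, max_size=4)


def make_demo_pool() -> InstancePool:
    return InstancePool(config=DEMO_CONFIG, size=2, availability_domains=("AD-1", "AD-2", "AD-3"))


if __name__ == "__main__":
    pool = make_demo_pool()
    for samples in ([85.0, 90.0], [88.0, 91.0, 87.0], [5.0, 5.0, 5.0, 5.0], [50.0, 55.0]):
        print(evaluate(pool, DEMO_POLICY, samples), pool.placements())
```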




  • OS Management Service

    1. Automated Patch Management

    2. Simplified Package Management


4. Storage






  • Durability vs Persistence

    • Persistence basically means you safely store the data. Durability means making multiple copies of the data, replicating it, so that even if one copy goes bad you still have other copies to fall back on.



  • Main OCI storage services

    • Local NVMe: locally attached storage; Block Volume: system boot volume; File Storage: can be mounted to multiple compute instances; Object Storage: images, videos, log files, text files, usually exposed to the internet
  • OCI Data Migration Services

    1. Data Transfer Disk

    2. Data Transfer Appliance

    3. Storage Gateway

Disk is basically: you send Oracle your disks and they migrate the data. Appliance: you use a much larger appliance to send the data. And finally there is a service called Storage Gateway, a Linux appliance that sits in your data center; using it, you can migrate data to OCI.

  • OCI Object Storage (no hierarchy; flat namespace)



  • OCI Object Storage Tiers

  • OCI Block Volume


IOPS: input/output operations per second
  • Block Volume has a feature called Read/Write Shareable, which lets a volume be shared by multiple VMs

  • Block Volume is also resizable

    • online resizing

      • (expand only) without detaching the volume from the instance

    • offline resizing

  • OCI Block Volume replication for use cases like migration, disaster recovery, business expansion ... replication is asynchronous

  • OCI block volumes can also be grouped into volume groups

  • OCI File Storage



  • OCI Data Migration Services

  • Offline Physical transfer

  • Online Storage Gateway Service

In the online data migration area there is a service called Storage Gateway. Storage Gateway is a Linux Docker appliance installed on one or more hosts in your on-premises data center. It exposes an NFS mount point that can be mounted on any host with an NFS client, and that mount point maps to an Object Storage bucket on the OCI side. It can then take the data from your on-premises environment.

Any file put into the Storage Gateway file system is written as an object with the same name in the associated Object Storage bucket. You can use the Object Storage tier or the Archive Storage tier. This is great for data migration, but it can also be used for cloud tiering, and for disaster recovery or backup. So it is a useful service, not just for data migration.

5. Database
  • OCI Database options

Virtual Machines: VM instance with a single-node database system installed

Bare Metal: bare metal server with one or more VM instances running with a database system installed

RAC (clusters): Oracle-managed multi-node high availability DB system

Exadata DB?????

Autonomous - Shared: one tenant on a multi-tenant DB system

Autonomous - Dedicated: dedicated system

6. Security
  • OCI Shared Security Model

  • OCI Security Services

  • OCI Security Services in practice

  • Cloud Guard

Cloud Guard is a service that falls into the category of Cloud Security Posture Management. It helps to monitor and identify potential security issues and then remediate them. You could also automatically remediate these problems.

  • Security Zone & Security Advisor

    1. Security Zone: configure a location (a compartment) in which you cannot disable security.

    2. Security Advisor: a service that unifies Security Zones, Cloud Guard and some other capabilities into a cohesive whole.

So the idea is you take a portion of your tenancy, think about your own home. You have the most secure items you have, whether it's your passport or documents or jewelry or something else, you could keep that in a secure vault. Make it fire safe, et cetera, so it's protected in case of any kind of a breach or a natural disaster.

  • Vulnerability Scanning

Vulnerability scanning or scanning service is designed to check for vulnerabilities and deviations from best practices for compute instances and operating systems.

  • Vault

OCI Vault is a managed service that lets you centrally manage encryption keys and secret credentials. Vault removes the need to store encryption keys and secrets in configuration files or in code.

There are 2 ways to manage a vault: 1. in an HSM device, 2. in software.

  • Web Application Firewall ( WAF )



It's a device, server-side plugin, or filter that applies a set of rules to HTTP or HTTPS traffic. By intercepting this HTTP or HTTPS traffic and passing it through a set of filters and rules, a web application firewall is able to uncover and protect against attack streams, like SQL injections hitting a web application.


Typical responses from a web application firewall: allow the request to pass through, audit and log the request, or block the request by responding with an error page. Those are the common scenarios a web application firewall handles.


The WAF service supports over 250 rule sets to protect against SQL injection, cross-site scripting, HTML injection, et cetera.
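As an added example (not from the notes or from Oracle's WAF), the Python below is a toy of the pipeline just described: a request's path, query, headers and body are decoded and passed through a small rule set, and the outcome is one of the three typical responses, allow, audit-and-log, or block with an error page. The three rules and the sample requests are constructed for illustration; a real WAF ships hundreds of far more careful rules.

```python
"""Constructed toy WAF rule engine: allow / audit / block (example code, not Oracle's)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    action: str  # "block" or "audit"


# A constructed three-rule set covering the categories the notes list.
RULES: Tuple[Rule, ...] = (
    Rule("sqli-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I), "block"),
    Rule("xss-script-tag", re.compile(r"<\s*script\b", re.I), "block"),
    Rule("html-injection-tag", re.compile(r"<\s*(iframe|object|embed)\b", re.I), "audit"),
)

BLOCK_PAGE = "<html><body><h1>403 Forbidden</h1><p>Request rejected.</p></body></html>"

# Audit log kept in memory so the "audit" action has somewhere to write.
AUDIT_LOG: List[str] = []


def inspect_request(path: str, query: str, headers: Dict[str, str], body: str) -> Tuple[str, str, int, str]:
    """Return (action, rule_name, http_status, response_body) for one request.

    Every surface is URL-decoded first so an encoded payload is matched the
    same way as a plain one. A "block" rule wins over an "audit" rule.
    """
    surfaces = [unquote_plus(path), unquote_plus(query), unquote_plus(body)]
    surfaces += [unquote_plus(v) for v in headers.values()]
    audit_hit = ""
    for rule in RULES:
        for surface in surfaces:
            if rule.pattern.search(surface):
                if rule.action == "block":
                    return ("block", rule.name, 403, BLOCK_PAGE)
                audit_hit = audit_hit or rule.name
    if audit_hit:
        AUDIT_LOG.append(f"audit rule={audit_hit} path={path}")
        return ("audit", audit_hit, 200, "")  # logged, then passed through to the origin
    return ("allow", "", 200, "")


if __name__ == "__main__":
    print(inspect_request("/search", "q=oracle+cloud", {"User-Agent": "demo/1.0"}, ""))
    print(inspect_request("/search", "q=1%27+OR+%271%27%3D%271", {}, ""))
    print(inspect_request("/post", "", {}, "comment=<iframe src=x>"), AUDIT_LOG)
```

The audit outcome is the one a defender usually starts with when tuning a new rule: it records the match without affecting users, and the log shows whether the rule would have blocked legitimate traffic before it is switched to block.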

  • Bastion

It provides secure and seamless RDP or SSH connectivity to your VMs directly. Bastions are logical entities that provide secure public access to target resources in the Cloud that you cannot otherwise reach from the internet.

7. App Development (developer services)
  • Oracle Resource Manager

    1. Terraform configuration (file-based) blueprint of the set-up (infrastructure as code)

  • Functions

  • OKE (Oracle Container Engine for Kubernetes)

  • OCIR (Oracle Cloud Infrastructure Registry): container repository, like Docker ...

  • API Gateway

API does not run on the gateway. The endpoint to access that API is available on the gateway.

8. Observability and Management
  • Monitoring Services

    1. metrics (namespace + dimensions + metadata)

      1. Metric measurements let you monitor the health, capacity and performance of your cloud resources. For example, you can monitor the CPU utilization and disk reads of your compute instances. You can then use this data to decide when to launch more instances to handle increased load, to troubleshoot issues with your instances, or to better understand system behavior.

    2. alarms

      1. The alarm feature notifies you when metrics meet the alarm's specified triggers. It works in tandem with the Notifications service, as mentioned earlier, to notify you when metrics meet the triggers. The course illustration depicts this flow.

  • Notification and Events Services

    1. The Notifications service helps you broadcast messages to distributed components through a publish-subscribe pattern. Use Notifications to get notified when event rules are triggered or alarms are breached, or to directly publish a message. A topic is a communication channel for sending messages to the subscriptions in the topic. You can manage topics and their subscriptions.
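The metric -> alarm -> topic -> subscription flow described in the Monitoring and Notifications bullets above, as an added Python example (not the notes' own and not Oracle's SDK). A metric point carries a namespace, a name, dimensions and a value; an alarm watches one metric and fires only after the threshold has been exceeded for a configured number of consecutive intervals (so one noisy sample does not page anyone); a state change publishes a message to a topic, and the topic delivers it to every subscription. The namespace, dimension values, threshold and samples are constructed.

```python
"""Constructed model of OCI Monitoring alarms feeding a Notifications topic."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class MetricPoint:
    namespace: str                            # constructed "demo_compute" below
    name: str                                 # e.g. "CpuUtilization"
    dimensions: Tuple[Tuple[str, str], ...]   # e.g. (("resourceId", "<instance id placeholder>"),)
    value: float


class Topic:
    """A Notifications topic: every published message goes to every subscription."""

    def __init__(self, name: str):
        self.name = name
        self.subscriptions: List[Callable[[dict], None]] = []  # email, HTTPS endpoint, function...
        self.published: List[dict] = []

    def subscribe(self, deliver: Callable[[dict], None]) -> None:
        self.subscriptions.append(deliver)

    def publish(self, message: dict) -> int:
        """Deliver to all subscriptions; returns how many received it."""
        self.published.append(message)
        for deliver in self.subscriptions:
            deliver(message)
        return len(self.subscriptions)


@dataclass
class Alarm:
    namespace: str
    metric: str
    threshold: float
    trigger_periods: int   # consecutive breaching intervals before the alarm fires
    topic: Topic
    state: str = "OK"
    breaches: int = 0

    def evaluate(self, points: List[MetricPoint]) -> str:
        """Evaluate one interval of points; publish to the topic on a state change."""
        values = [p.value for p in points
                  if p.namespace == self.namespace and p.name == self.metric]
        if not values:
            return self.state  # nothing for this metric in this interval
        self.breaches = self.breaches + 1 if max(values) > self.threshold else 0
        new_state = "FIRING" if self.breaches >= self.trigger_periods else "OK"
        if new_state != self.state:
            self.topic.publish({"alarm": self.metric, "state": new_state, "max_value": max(values)})
        self.state = new_state
        return self.state


def cpu_point(value: float) -> MetricPoint:
    """Constructed metric point for one (placeholder) compute instance."""
    return MetricPoint("demo_compute", "CpuUtilization",
                       (("resourceId", "<instance id placeholder>"),), value)


if __name__ == "__main__":
    topic = Topic("ops-alerts")
    topic.subscribe(lambda msg: print("email subscription got:", msg))
    alarm = Alarm("demo_compute", "CpuUtilization", threshold=80.0, trigger_periods=2, topic=topic)
    for sample in (50.0, 90.0, 95.0, 40.0):
        print(sample, "->", alarm.evaluate([cpu_point(sample)]))
```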

  • Logging Services

  • Logging Analytics Services

9. Analytics and AI
  • Data Integration

    • Oracle Data Integration is a cloud-native, Oracle-managed ETL (extraction, transformation and loading) service

  • Data Flow

    • Data Flow is a fully managed OCI service that lets you run Apache Spark applications at any scale with virtually zero administration. Apache Spark, for those not familiar with it, is the unified analytics engine for big data processing with built-in modules for streaming, SQL, machine learning and graph processing. What makes Apache Spark really unique is that it is the only software framework that combines data and AI.

  • Data Catalog

    • Data Catalog is a service that gives you a self-service data discovery and governance solution for your enterprise data. It provides a single collaborative environment to manage technical, business and operational metadata. You can collect, organize, find, access, understand, enrich and activate this metadata.

  • Data Science

    • Data Science is a fully managed and serverless platform for data science teams and data scientists to train and manage machine learning models on Oracle Cloud Infrastructure.

10. Hybrid


11. Governance and Administration
  • Pricing

    • incoming data transfer is free

    • data transfer between AD within the same Region is also free

  • cost management service

    • set up budget and get notified ( on compartment or resources )

    • cost analysis

    • cost and usage reports

12. SLA and Support




