OCI

OCI Platform

Infrastructure
Databases
Data & AI
Analytics
Applications
Developer services
Governance and Applications

41 regions + 9 planned

12 Azure interconnected regions

Infrastructure

Compute(perform calculations, execute logic, running applns)

VM, BareMetal servers,
containers,
managed Kubernetes service & managed vm ware service

Storage -> Store, access, govern, Analyze both structured and unstructured data

discs attached to vms
file storage
object storage
archive storage

Networking

Databases

Oracle db and open dbs
ATP data bases(oltp, olap, json, apex)
no sql and my sql

Data & AI

Data flow - Managed apache spark service
Big data
Data catalog
Managed data science platform
Apache kafka service for event streaming

Analytics

Oracle analytics cloud

Applications

serverless offering called events, functions, api gateway

helps build micro services and event driven architectures

Developer services

apex
vbcs

Governance and Applications

Security
Identity
Observability

logging, analytics, apm

OCI Physical Architecture

Regions -> Geographic area
Availability domains ->

An OCI region is composed of one or more isolated, interconnected availability domains. Each availability domain is a separate physical location within a region. The number of availability domains per region may vary; some OCI regions have three availability domains, while some others have a single availability domain.
Has one or more fault tolerant data centers connected with low latency, isolated from each other. Each AD has 3 fault domains

Fault domains -> grouping of hardware and infrastructure within availability domain -> logical data centers

Distributed Cloud

public cloud
hybrid cloud

cloud@customer -> runs in customer data centers
VMware solution -> move on premise VMs to cloud
Autonomous db cloud @ customer
Roving edge infrastructure -> for remote and disconnected scenarios

Oracle Roving Edge Infrastructure is a service that provides a portable, ruggedized device running a subset of OCI services, designed for deployment in the field outside of a traditional data center. It is not a service specifically designed for multicloud deployment. On the other hand, services like Oracle Database Service for Azure and Oracle Interconnect for Azure are designed to allow Oracle Cloud Infrastructure to interoperate with Azure, indicating a multicloud approach. Oracle MySQL HeatWave is an analytics service for MySQL Database service that runs on AWS but the account management and billing and metering are done through OCI.

dedicated region cloud@customer

all oci 100+ public cloud services in self contained region in physical location chosen by customer

multi cloud

Oracle database service for Azure

OCI: Console

https://cloud.oracle.com/?region=ap-mumbai-1
Cloud Shell

It gives a small VM running a bash shell which one can access thru oci console
It comes with several utilities like cli, git, java, python

Code editor

It enables user to edit code and update service to avoid switch between console and dev environment

Identity and Access Management

IAM in OCI consists of Principals, Policies, Federation, and a few other components.

Also known as Fine-graned Access control, role based access control
2 key aspects

AuthN

who are you(Are you who you say)

AuthZ

What permissions do you have

Identity Domain

container for users and groups
represents user population in OCI and associated configurations and security settings.
How it works

Create identity domain

creates users and groups

Policies against groups(role based access control). Groups are put in one of the predetermined roles and permissions are assigned against those roles

Policies are scoped to Compartments/Tenancy/Account.

Resources are within compartment(compartment is logical isolation for resources

Resource

Any thing that we create in cloud is a Resource
Every resource has oracle assigned identifier called Oracle Cloud Id(OCID)

syntax: ocid1.<resource type>.<realm>.[region].[.future use].<unique id>

Compartments

Unique feature in oci. Logical construct to place all cloud resources
when an account is opened in oci we get tenancy/root compartment
one can create individual compartments for isolation, control access
Each resource can be placed only in One Compartment
Resources can interact with other resources in different compartment
Multiple Regions

Compartments are global constructs
Resources from multiple regions can be in same compartment

Compartments can be nested upto 6 levels
One can set quotas and budgets on compartments

Demo

Compartments are logical containers for Resources
Identity domains are containers for users, groups and security configuration
Identity & Security

Compartments -> create Compartment ->
Domain -> create and choose the compartment

Principal

IAM entities that are allowed to interact with oci resources
2 types of principals

Users/groups
Resources(instance principal)

Authentication types

user/pwd
api sign key
Auth tokens

Oracle generated token strings
Authenticate 3rd party apis

AuthZ

what permissions do I have
OCI does it thru policies

Policies can be attached to Compartment OR Tenancy
eg Allow <group name> to <verb> <resource-type> in <location> where <conditions>

Every thing is denied by default
Verbs - Manage, read, use, inspect

In OCI, policies are created at Group level

Tenancy Setup

Tenancy admin is the one who creates account.
Best practice is to create oci admin with set of users and write policies for it. Let them operate in their own compartment
Best practices

Don't use it for day to day operations.
Create dedicated compartments to isolate resources
Enforce use of multi-factor authentication

Networking

VCN -> Virtual Cloud Network

Private software defined network
used for secure communication
lives in OCI region
VCN: 10.0.0.1/16 is broken down into 256 smaller networks like below

subnet: 10.0.1.0/24
subnet: 10.0.2.0/24

Communication mechanism inside VCN

Internet Gateway -> communication on internet
NAT gateway -> router -> traffic is unidirectional -> private subnet to internet and not vice versa -> only outbound
Service Gateway -> Resources in VCN access public OCI services like object storage with out using internet or NAT gateway
Dynamic Routing Gateway -> Virtual router that provides path for private traffic between VCN and destination other than internet like on-premise envs.

Create VCN with Internet Connectivity

name, vcn ipv4 CIDR block, 10.0.0.0/16
configure public subnet 10.0.0.0/24
configure private subnet 10.0.1.0/24

VCN Routing

VCN uses route tables to send traffic out of VCN to internet, on-premises network, peered vcn
Route table consists of set of route rules. Each rule specifies destination cidr block and route target
Route target is next hop for the traffic that matches the destination cidr block
Please note: Traffic within VCN subnet(eg public and private subnet) is automatically handled by vcn local routing.

Multiple networks - how do they talk to each other

Same region - they talk thru local peering using Local peering Gateway (virtual router)
different regions - Remote peering using Dynamic routing gateway
Dynamic routing gateway (v2) -> VCNs can scale

VCN Security

Firewall rules(Security lists) associated with subnet and applied to all instances inside the subnet.
Security list consists of rules that specify type of traffic allowed in/out of subnet
stateful - if traffic is allowed in then it is allowed out
For a VCN subnet 10.0.1.0/24

Ingress 0.0.0.0/0 -> traffic coming from anywhere comes to port 80
Engress 10.0.2.0/24 -> traffic to another subnet goes to port 1521

subnet level

Network Security Groups

Similar to security lists
These apply to only set of virtual network interface cards in a single vcn
These can be source or destination
In this case we specify NSG instead of cidr
set of resources in a VCN

Load Balancer

To achieve high availability & scalability
reverse proxy
layer 7(http/s) load balancer

Flexible shapes - Traffic range(10MPS to 8 GBPS)
Dynamic shapes

predefined shapes - micro, small, medium, large

public & private Load balancer
higher level of intelligence

Network Load Balancer

operates at layer 3 & 4 (TCP, UDP & ICMP)
Much faster than http load balancer

Compute

Provides VMs, bare metal servers(full machine/server), dedicated host(full machine/server and can run VMs on it)

(scalable, high performance, lower pricing)

Flexible shapes

cpu cores, memor

AMD/intel/Ampere processors
Preemptible VMs

low cost, short lived vms for batch jobs - 50% cheaper

Instance Basics

region -> ADs -> VNC(subnet..) -> compute host -> Virtual NIC is placed in subnet
OS Image comes from boot disc
data disc(file system) also live on network
Block volume service runs OS disc and data disc
Compute control plane has dependency on network and block storage control plane
Live Migrate between Hosts on host fails
Block storage is the type of storage associated with instances in the OCI Compute service. It provides low-latency, high-performance storage volumes that can be attached to instances to store data and applications.

Cloud Shell

Developer tools -> cloud shell
ssh pair -> secure shell -> secure remote logging from one computer to another

Compute Instance Creation

Scaling

Vertical

scale up/down
stop instance before resizing

Horizontal/auto scaling

add more vm of same shape
scale out/scale in
High availability & meets traffic demand

Auto Scaling

Running instance on which auto scaling to be done
create config/template that has OS image, metadata, shapes, vnic, storage, subnets(stab)
Create instance pool from stab/template/config file
auto scaling rules for instance pool ie initial size, max size

OKE Cluster overview

Oracle Container Engine for Kubernetes
VMs vs Containers

VM -> hardware -> hypervisor -> OS1, 2..
Containers -> hardware -> os -> container runtime -> container(library, applications)

Container Orchestration

Deploy, Manage, Connect, Scale-up/down
Kubernetes is open source platform

Fully managed, scalable, and highly available service
uses open-source system: Kubernetes
Components of Cluster

Node/Worker node: machine on which Kubernetes is installed
These are grouped into Node Pools
POD is one or more containers with shared storage and network resources. It also has specification file. It is smallest unit of compute in Kubernetes env

Control Plane

Manages worker nodes & pods in cluster
Oracle managed
Makes decision about cluster

Types of Cluster

Enhanced Cluster
Basic cluster

Container instances

One can launch containers with out need of VM maintenance
Only image to be supplied
OCI takes care of container runtime

Oracle Functions

serverless offering
Provide only your code
pricing is based on your code runtime
Consumption based pricing
pay as you go -> consumption based pricing
Function-as-a-service

Event driven architecture
functions are run in container and billed only to duration of function execution
Process

Push container(code + configuration) to registry
configure function trigger
oracle function executes when triggered

Storage

Storage requirements

Persistent vs non-persistent
Kind of data

data base files, videos, audios, text, photos

Performance

capacity, thru put, iops

Durability

replication

Connectivity

local vs network storage
how is the data accessed

Protocol

Block
file
http

Local NVMe

locally attached storage
these are NVMe SSDs
High performance

Block volume

Move local storage to Network Server
Storage is truly persistent and durable
Storage is managed as fixed size blocks
Persistent and durable(multiple copies) storage
Data is stored independently of instance(lives beyond instance)
Tiers

Lower Cost

good for large Sequential i/o workloads like streaming, data warehousing

Balanced

random i/o like boot disks

high performance

most i/o demanding workloads

Ultra high performance

highest i/o demanding like relational dbs

Auto-tune performance
Encrypted by default
resizing of block volumes
replication across regions

Volume Groups

File Storage

Hierarchical collection of documents, organized into named directories
Distributed files systems used

NFS for Linux
SMB for windows

Shared across multiple compute systems
Same as block volume but storage is managed as files & directories
Use cases

EBS- files-oracle appln lift and shift
Micro services and containers - state
Analytics

Object Storage

Storage for web
For Photos, Videos, log files, text files
Any kind of files stored over web where it can be assessed by client using simple protocols like http
Data is managed as Objects
Ideal for unstructured data
public service
Scenarios to be used

Content repository
Unstructured data
bid data/spart/Hadoop/data analytic
archive/backup

How does it work

Object(key value pair)
Objects are stored in bucket
Namespace is logical entity, container for all buckets/objects

Tiers

Standard

fast, immediate, instantaneous

Infrequent access

backups
retrieval fees

Achieve tier

seldom or rarely accessed
Tape storage

Auto-Tiering

Moves data across tiers based on usage

Life cycle management

transition to another ties and purge later

Versioned
Encryption

Always ON

Visibility

public/private
pre-authenticated

Gives security token which can be used with URL. Only people with the url can access the object

Data Migration Services

Data transfer disk
Data transfer appliance
Storage Gateway

Database

Oracle Public Cloud

Base database service

created with VMs and block volume storage
Service provides provides built-in automation database tasks like backup
co-managed(database managed by customer and infrastructure is managed by oracle)

Exadata database service on dedicated infrastructure

combination of hardware and software to run database
co-managed(database managed by customer and infrastructure is managed by oracle)

Autonomous database

on shared & dedicated Exadata infrastructure
automated patching, update, tuning
self managing, self securing,
autonomous

Cloud@Customer

For regulatory requirements
latency requirements
can opt for Exadata database service OR Autonoums database on Exadata

Autonomous database

Complete infra automation + complete database automation + automated data center operations and ML
Provisioning
scale-up and scale-out
turning
security and patching
Fault tolerance
Uses ML plus advanced and proven technologies

RAC
Data Guard
Database Vault
Parallel sql, inmemory
multi-tenant.

Autonomous database - Workload types

ADW
ATP
AJD(Autonomous json db)

It is ATP but designed for developing NoSql style applications that use Json Documents.

Apex Service

Feature scope & significantly lower cost and load autonomous db
Rapid build low code apex appln

MySQL db

Standalone

Test env

High Availability

production
3 nodes across availability domain/fault domains
data is replicated

Heatwave

Easily run high performance analytics against mysql db, no ETL required.
Heatwave is new integrated high performance inmemory query accelerator for mysql
This is the only service in market that enables db admins and developers both oltp and olap workloads directly from mysql db.

NoSQL

fully managed,
elastic,
high performance,
data model flexibility

Document
fixed-schema
key/value models supported
single appln interface

Use cases

mobile apps
IOT
online advt
other apps with huge volume

Security

Shared security model

shared with oci
oci managed security

physical datacenter
physical hosts
physical network
virtualization

customer managed security

data
endpoints
account & access management
Operating system

Security Services

Infrastructure protection

Web-application firewall

protects from DDoS attacks

network firewall

avoids malicious activities

Identity and access management

User identification
Multifactor authentication

OS and workload protection

Shielded instances

secure boot

Dedicated VM hosts
OS Management

Data Protection

Vault key management
Vault secrets management
Certificates

Detection and Remediation

continuously monitors and remediates

Cloud Guard

Helps to monitor and identify potential security issues and remediate them
Completely automate remediation -> detect problem & apply response
How to do it

set target (resource to be detected)
detectors(identifies issues with resources/user actions)
problems(potential security issues)
Responders(provide notification and corrective action for security problems)

it can automatically change settings to remediate them

Security Zones and Security Advisor

Security zone is to configure a location where you cannot disable security

Compartment can be configured as security zone

Security Advisor is a service that unifies security zone, cloud guard and some other capabilities together in a cohesive whole

Takes functionality of cloud guard and security zone and other services and bring them together

Demo

Enable cloud guard

add policy
region & compartment

Encryption

It is used to transform plain text to cypher text. Cypher text means - series of randomized letters and numbers which humans cannot make any sense of text.
Key - A string of numbers or letters stored in a file, which when processed through a cryptographic algorithm, can encrypt or decrypt the data.
Encryption at REST

Data is unreadable on hard disc as well

Encryption in-transit eg: https
Symmetric Encryption

Single key for both Encryption and Decryption

Asymmetric Encryption

Public key for encryption
Private key for decryption

AES Symmetric keys
RSA asymmetric keys

public key encrypts and private decrypts

ECDSA- Elecptic curve digital signature algorithm. Smaller key than other methods.
HSM - Hardware Security Model -

Physical computing device that safe guards and manages keys.
It performs encryption and decryption functions.
It also performs strong authentication and other cryptographic functions.
They are tamper evident
They are typically certified with internally recognized standards Federal Information Processing Standards(FIPS)
OCI vault service uses HSM behind the scenes that meet (FIPS) 140-2

Tamper resistant
requires identity based authentication
Deletes keys from the device when it detects tampering

Vault

Managed service that lets centrally manage keys and secret credentials
Removes the need to store key and secrets in code or config files.
key - to perform encryption
secrets -

passwords
certificates
SSH-Keys
Auth Tokens

2 types of protection modes

Hardware

HCM in oci meets FIPS 140-2
Master security key protected by HSM is stored in HSM device and cannot be exported from HSM

software

Master encryption key protected by software is stored on server
can be exported from server to perform cryptographic operations on client instead of server

Algorithms supported

AES
RSA
ECDSA

keys are integrated with other oci services
can rotate master keys
It is regional service and has public api end point

How vault operates

Envelope Encryption(2 tiered encryption)

Master key -> encrypt data key -> data key encrypts actual data
Policies to authorize master keys
auditing for all activities around master key
Advantages

Easlier to manage
Limits blast radius
doesn't generate a complete data re-encryption

if master key is deleted - no way to recover data
Soft delete keys with 7 day gap and one should take requisite backups.

How it works

Say we upload a file to object storage bucket
Encryption is on by default. If user doesn't come up with key, service does itself.
Object storage service calls Vault service and asks to generate data key. Vault service returns data key as well as data key encrypted with master key.
Object storage takes the data key and encrypts with plain text data key and throws away data key.
Retains the encryped key and object in the bucket.
When decrypt request is initiated, object storage makes request to Vault and send encrypted data key.
Vault strips out and sends data key.

Governance and Administration

Pricing

Simple, transparent, lower
Pay as you go

charged only when consumed
no upfront commitment
no min service period
usage metered
Consumption based pricing

functions
Charged per consumption resource

Annual Universal Credits

Commit to an annual pool of funds
Significant savings
Must use credits within 12 months
Discounts based on size of deal and term of deal

Bring your own license(BYOL)

on-premise license

Factors that impact pricing

Resource size
Data Transfer

Data transfer across high availability domains to achieve high availability is free
incoming traffic is free
outgoing traffic is 10 times lower

Resource Types

VMS vs BMs
VMs vs functions(serverless)
BYOL vs managed DBs

Same price across globe

Cost Management

Budgets

to track costs in tenancy(compartment level)
alerts when it crosses a limit or forecast limit

Cost Analysis

for past expenses

Usage Reports

csv files for each resource used

Service Limits and Usage

Limits, Quotas and usage

Exadata Allocation

sets the max number of cloud resources that can be used for a compartment
resets quotas back to the default service limits
removes access to cloud resource for a compartment

Demo

Navigator -> Billing and cost management
Cost Analysis

helps to visualize and track your spending
Gives cost by service & component/compartment within it
Gives cost breakdown by region

Cost and Usage reports

Invoice line items at resource level granularity
resource level usage for audit and reconciliation

Budgets

Track budgets for compartments
Can be set at Compartment OR Cost-Tracking tags
set alert to notify when threshold is reached(threshold can be % or amount)

Scheduled reports

Cloud Advisor

Service that analyses OCI cloud resources and provide recommendations for cost savings & optimize tenancy performance, security and availability.
Demo

Cost management

reduces costs by finding resources that are under utilized
Recommendations

provides recommendation to remove under utilized/idle resources

high availability

helps to improve system resilience
Recommendations

improve fault tolerance

performance

finding resources that are over utilized
Recommendations

enable auto tuning for block volumes

security

recommendation

strengthen security

Tagging

Key-Value pair to organize resources well

env=prod
project=alpha

why to use

to identify resources among 1000s of other resources
Cost management
Tag based access control

Types of tags

Freeform

Defined

contained in Namespace
defined schema, secured with Policy

Tag namespace cannot be deleted.. but can be retired

Support Rewards

It provides addln value to onpremise customers to consume oci services.
Based on their consuption of oci services, customers can earn support rewards.
The rewards are applied in the form of payment for the software update licenses and support for oracle tech programs
Customers save 25 cents for every $ spent on oci. Customers on UL can save 33 cents.

Search This Blog

OIC

OCI

Comments

Post a Comment