Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Virtual cloud network_200

330 visualizaciones

Publicado el

In this course, you will learn advanced Virtual Cloud Network features like Service Gateway, VCN Peering, Private IP as route target and virtual firewalls for edge security.

Publicado en: Tecnología
  • Sé el primero en comentar

  • Sé el primero en recomendar esto

Virtual cloud network_200

  1. 1. 1Copyright © 2018, Oracle and/or its affiliates. All rights reserved.Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Virtual Cloud Network Level 200 Jamal Arif November 2018
  2. 2. Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  3. 3. 3Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Objectives After completing this lesson, you should be able to: • Describe Advanced VCN Functionalities – Service Gateway – Private IP as Route Target – VCN Peering — Local VCN Peering — Remote VCN Peering — Edge Security • Pre-requisites: Virtual Cloud Network Level 100
  4. 4. 4Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Service Gateway • A service gateway enables VCN to access Object Storage without exposing the VCN to the public internet • The traffic from the VCN to Object Storage travels over the Oracle Cloud Infrastructure network fabric and never traverses the internet • Use case: • Back up DB Systems in your VCN to Object Storage • With Service Gateway, no Internet Gateway is required for DB System backup. DB Systems can be in a Private Subnet and have only private IP addresses. • IAM policies can restrict access to the bucket from only the VCN or the Private Subnet within the VCN
  5. 5. 5Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Service Gateway Public Subnet 10.0.0.0/24 ORACLE CLOUD REGION VCN 10.0.0.0/16 Private Subnet 10.0.1.0/24 Public Instance Private Instance Object Storage Internet Gateway Before ORACLE CLOUD REGION VCN 10.0.0.0/16 Private Subnet 10.0.1.0/24 Private Instance Object Storage After Service Gateway Public Subnet 10.0.0.0/24 Internet Gateway Public Instance
  6. 6. 6Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Managing Service Gateway – You can control which subnets in your VCN use a service gateway – A service gateway can be used only by resources in the gateway's own VCN. – Object Storage is the first service to be available with a service gateway – Must specify a route rule and a Security List Rule in the subnet’s associated route table and security lists respectively – Service gateway is automatically always attached to only one VCN of your choice, and you can block or allow traffic through the service gateway at any time. – Currently, service gateway doesn’t support OS updates: Private Subnet blocks access to the YUM repositories needed to update the OS. NAT gateways can be used in the interim.
  7. 7. 7Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Public Subnet 10.0.0.0/24 ORACLE CLOUD REGION Availability Domain 1 VCN 10.0.0.0/16 Private Subnet 10.0.1.0/24 Private IP as Route Target Customer Datacenter Firewall Instance Private Instance • Ability to use a private IP as the target of a route rule in situations where you want to route a subnet's traffic to another instance. • Note: a given subnet's route table can have routes only for traffic with a destination IP address outside the VCN • Use Cases – To implement a virtual network function (such as a firewall or intrusion detection) – To manage an overlay network on the VCN, which lets you run container orchestration workloads 0.0.0.0/0 Firewall Private IP 172.16.0.0/16 DRG
  8. 8. 8Copyright © 2018, Oracle and/or its affiliates. All rights reserved. • Enables connectivity between the resources in different VCNs • Does not require public IPs or NAT to enable connectivity • Traffic never leaves the Oracle Network • Over other options such as connecting over the internet, VCN Peering offers • Faster connectivity • Higher security • Types of VCN Peering available • Local Peering (In-region) • Remote Peering (Cross-region) VCN Peering
  9. 9. 9Copyright © 2018, Oracle and/or its affiliates. All rights reserved. • Connecting two VCNs in the same region so that their resources can communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. • VCNs should not have overlapping IP addresses • Local Peering VCNs can be either in the same or different tenancies (cross-tenancy peering) Local Peering Gateway (LPG) • Like the Internet Gateway, LPG is a component on the VCN • LPGs of two VCNs are connected to make a peering relationship • Enable the data plane to learn about instances in peered VCNs Local VCN Peering – connecting VCNs in the same region
  10. 10. 10Copyright © 2018, Oracle and/or its affiliates. All rights reserved. • Create Local Peering Gateway in each VCN • Have required IAM policies to establish connection • Establish connection across LPGs • Update the Route Table • Update the Security List • Test Connectivity Local VCN Peering
  11. 11. 11Copyright © 2018, Oracle and/or its affiliates. All rights reserved. • Traffic flows between regions through the OCI backbone network • Supported between ASH – PHX and LHR-FRA, other regions on roadmap. • The two VCNs in the peering relationship must not have overlapping CIDRs • Requires a DRG to set up the Remote Peering connection; vNIC of one VCN instance forwards traffic to its DRG, which forwards traffic to peer DRG in other region over backbone • Enables features such as data replication across regions • Remote Peering Connection • Like Virtual Circuits, the Remote Peering Connection is a component of DRG • RPCs of two DRGs from two regions are connected to create a peering relationship Remote VCN Peering – connecting VCNs in the different region
  12. 12. 12Copyright © 2018, Oracle and/or its affiliates. All rights reserved. • Existing DRG and attached to a VCN • Have required IAM policies to establish connection • Establish connection across DRGs • Update the Route Table • Update the Security List • Test Connectivity Remote VCN Peering
  13. 13. 13Copyright © 2018, Oracle and/or its affiliates. All rights reserved. • With IAM policies, you can control: • Who can subscribe your tenancy to another region (required for remote VCN peering). • Who in your organization has the authority to establish VCN peerings. • Who can manage route tables and security lists. • Once the peering connection has been established • control the packet flow over the connection with route tables in your VCN • control the packet flow over the connection with security lists in your VCN • ensure that all outbound and inbound traffic with the other VCN is intended/expected and well defined • implement security list rules that explicitly state the types of traffic your VCN can send to the other and accept from the other. • If you're concerned about high levels of network traffic coming to your VCN, consider using stateless security list rules to limit the level of connection tracking your VCN must perform. Things to remember for VCN Peering!
  14. 14. 14Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Edge Security
  15. 15. 15Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Securing your VCN • Public vs Private Subnets - designate a subnet to be private, which means instances in the subnet cannot have public IP addresses • Security Lists - To control packet-level traffic in/out of an instance by defining security rules in your VCN • Firewall Rules - configure firewall rules directly on the instance itself to control packet-level traffic in/out of an instance • Gateways and Route Tables - Control general traffic flow from your cloud network to outside destinations (the internet, your on-premises network, or another VCN) • IAM Policies - control who has access to the Oracle Cloud Infrastructure API or console
  16. 16. 16Copyright © 2018, Oracle and/or its affiliates. All rights reserved. OCI AVAILABILITYDOMAIN-2AVAILABILITYDOMAIN-1 Public Subnet VCN: 10.0.0.0/16 Protection Tier Public Subnet Public Load Balancer Internet Gateway Internet On-premises Network Virtual Firewall Instances – Fortigate NGFW with a Two Tier App Client Private Subnet Private Subnet Private Load Balancer Web/App Tier Private Subnet Private Subnet DB Tier DBSystems DataGuardSync Fortigate NGFW Fortigate NGFW Bastion Host Bastion Host OCI Blog on Fortigate NGFW
  17. 17. 17Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Using vSRX as a Virtual Firewall/Nat Device • vSRX provide benefits like stateful firewall protection, and application and content security features like IPS, antivirus, web filtering, and antispam • High Level workflow • Create VCN and three subnets as shown in the figure • Import vSRX image and launch a vSRX compute instance in VCN • Attach additional vNICs in each subnet • Use Instance console connection to setup vSRX • Following blog post provides details on how to setup a vSRX on OCI - https://blogs.oracle.com/cloud- infrastructure/how-to-deploy-a-virtual-firewall- appliance-on-oracle-cloud-infrastructure
  18. 18. 18Copyright © 2018, Oracle and/or its affiliates. All rights reserved. cloud.oracle.com/iaas cloud.oracle.com/tryit
  19. 19. 19Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Best Practices for Virtual Cloud Network Design
  20. 20. 20Copyright © 2018, Oracle and/or its affiliates. All rights reserved. • VCN network range once created can’t be modified and it is a contiguous IPv4 CIDR block • VCN is a regional construct and Subnets are specific to an AD • Subnets can have ONE Route Table and MULTIPLE (5*) Security Lists associated to it • Security Lists support stateful and stateless rules • All hosts within a VCN can route to all other hosts in a VCN, the route table defines what can be routed into and out of the VCN • Allowable VCN size range is from /16 to /30 (VCN reserves the first two IP addresses and the last one in each subnet's CIDR) Review: Virtual Cloud Network
  21. 21. 21Copyright © 2018, Oracle and/or its affiliates. All rights reserved. VCN Best Practices • Architect your networking infrastructure in a way to maximize use of Availability Domains for High Availability (ADs are fault tolerant and geographically distributed to sustain a natural disaster) • Ensure VCN CIDR block does not overlap with other VCNs in Oracle Cloud Infrastructure (same/different regions) and with your organizations private IP network ranges • Ensure not all IP addresses are allocated at once within a VCN or Subnet, instead plan to reserve some IP addresses for future use • Divide your VCN network range across all ADs evenly • Hosts that have similar routing requirements can use same routing tables across multiple availability domains for e.g. public hosts, private hosts, NAT instances etc. • Ensure your VCN and subnet network ranges can support additional workloads
  22. 22. 22Copyright © 2018, Oracle and/or its affiliates. All rights reserved. VCN Best Practices (2) • Ensure security lists are used as Firewalls to manage connectivity North-South (incoming/outgoing VCN traffic) and East-West (internal VCN traffic between multiple subnets), and is applied at a Subnet Level. All instances with in that subnet inherit all security rules in that SL. • Private subnets are recommended to have individual route tables to control the flow of traffic within and outside of VCN. • OCI recommends to use OCI IAM policies to restrict unauthorized users from managing virtual cloud network resources in your tenancy/compartment. Only network admins are allowed to ‘manage’ VCN resources, and other users can have least privilege policies (use, inspect, read) • Use OCI tags to tag VCN resources (Route Tables, Security Lists, Subnets etc.) so that all resources are following organizational tagging/naming conventions
  23. 23. 23Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Example: VCN and Subnet Sizing VCN CIDR Block – 10.0.0.0/16 – Extra Large IPv4 CIDR Block • Divide in Four equal blocks – three for ADs and one spare • 10.0.0.0/18  AD1 • 10.0.64.0/18  AD2 • 10.0.128.0/18  AD3 • 10.0.192.0/18  Extra • With in each AD, we can have Public and Private Subnets • Private instances are more prevalent than public instances so we should reserve a greater range for the private subnets. • 10.0.0.0/18  AD1 – 10.0.0.0/19  AD1 Private Subnet – 10.0.32.0/19  AD1 Public/spare — 10.0.32.0/20  AD1 Public Subnet — 10.0.48.0/20  AD1 Extra • Follow the same design pattern for all 3 Availability Domains.
  24. 24. 24Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Example: VCN and Subnet Sizing VCN Size Netmask Subnet Size IPs/Subnet Total Subnets Total IPs Small /24 /27 29* 8 232 Medium /20 /24 253* 16 4,048 Large /18 /22 1021* 16 16,336 Extra Large /16 /20 4093* 16 65,488 The first two IP addresses and the last one in each subnet's CIDR are reserved.
  25. 25. 25Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Example: VCN and Subnet Sizing AVAILABILITY DOMAIN-2AVAILABILITY DOMAIN-1 10.0.0.0/19 10.0.64.0/19 Private Subnet Private Subnet AVAILABILITY DOMAIN-3 10.0.32.0/20 VCN 10.0.0.0/16 10.0.0.0/18 10.0.64.0/18 10.0.128.0/18 10.0.96.0/20 Public Subnet Public Subnet Private Subnet 10.0.128.0/19 10.0.160.0/20 Public Subnet Extra Range 10.0.48.0/20 Extra Range 10.0.112.0/20 Extra Range 10.0.176.0/20 Spare Network Range 10.0.192.0/18
  26. 26. 26Copyright © 2018, Oracle and/or its affiliates. All rights reserved. ORACLE CLOUD INFRASTRUCTURE REGION AVAILABILITYDOMAIN-2AVAILABILITYDOMAIN-1 Public Subnet 10.0.32.0/21 VCN: 10.0.0.0/16 Web Tier Public Subnet 10.0.96.0/21 Public LB (Active) Internet Gateway Internet On-premises Network Example: Three Tier Application Architecture (Extra Large VCN size) Client Private Subnet 10.0.0.0/20 Private Subnet 10.0.64.0/19 Private LB (Active) App Tier Private Subnet 10.0.48.0/20 Private Subnet 10.0.112.0/20 DB Tier Object Storage DBSystems DataGuardSync Public Subnet 10.0.40.0/21 Public Subnet 10.0.104.0/21 Public LB (standby) Private LB (Standby) Private Subnet 10.0.16.0/20
  27. 27. 27Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Example: Oracle Customer Architecture (1) ORACLE CLOUD DATA CENTER REGION AVAILABILITY DOMAIN-1 AVAILABILITY DOMAIN-2 Public Subnet-A Virtual Cloud Network 10.0.0.0/16 Private Subnet-C Private Subnet-F 2-node RAC Database Public Subnet-D Load balanced Web Servers on VMs Public Subnet- E Customer Datacenter VPN DRG Bastion Server on VM IAM Service Audit Service Object Storage IGW RMAN backup Public Subnet-B
  28. 28. 28Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Summary • Describe Advanced VCN Functionalities – Service Gateway – Private IP as Route Target – VCN Peering — Local VCN Peering — Remote VCN Peering — Edge Security
  29. 29. 29Copyright © 2018, Oracle and/or its affiliates. All rights reserved. cloud.oracle.com/iaas cloud.oracle.com/tryit

×