3 ways to connect to the oracle cloud

Copyright © 2014, eProseed and/or its affiliates. All rights reserved. | Confidential

3 WAYS TO CONNECT TO THE ORACLE CLOUD

Simon HaslamTechnical Director & Partner, eProseed UK

1


Simon Haslam

• Platform / Infrastructure Architect

• Using Oracle products since ~1995 (Oracle7)

• Formerly UKOUG App Server & Middleware SIG Chair

• A weakness for networking kit – owns various Cisco routers & switches, even a F5 BIG-IP hardware appliance

Copyright © 2016, eProseed and/or its affiliates. All rights reserved. | Confidential3

Our Connectivity Needs

Oracle Compute Service – Network Connectivity Options

VPN For Compute – Special Focus

Demo

AGENDA


OUR CONNECTIVITY NEEDS: TODAY

• Many of us are spoilt by 10GbE+ dedicated fibre between DCs

– Tempts people into stretched cluster nonsense

– You can usually take connectivity for granted

– We hardly ever think about security between servers in similar networks

• The DC interconnects are usually shared within the org so need management

– Storage replication

– Microsoft server traffic (less so over time with Office 365)

– VOIP

• Connectivity is mostly someone else’s problem

• Network is almost always someone else’s cost

4


OUR CONNECTIVITY NEEDS: HYBRID CLOUD

• Bulk data (customer transactional data) will probably be the last thing to end up on cloud (with exception of SaaS)

• Backup / standby to cloud is immediately appealing

– Offsite tape rotation is insane in connected age

– Most providers offer backup appliances to another DC and/or cloud provider

– If you can secure it why wouldn’t you?

• Coping with pre-historic licensing models

• Mobile is driving increasingly high SLAs, which can put pressure on on-prem internet connectivity (in and out)

5

Organisations have to be increasingly well connected


FUTURE

• Network will be increasingly important

• Bandwidth/latency will continue to improve

– Remember: nothing can travel faster than the speed of light! (130ms RTT ½ planet)

• Bulk data transfers – old adage:

“Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.”– Computer Networks, 3rd ed., p. 83. (paraphrasing Dr. Warren Jackson, Director,

University of Toronto Computing Services (UTCS) circa 1985)

6


AWS SNOWBALL:MODERN TAPES

7

Note:Oracle has something similar


AWS SNOWMOBILE:THE STATION WAGON WITH A NEW TWIST

8

30 Nov 2016 • Fibre-connected• Satellite tracked• Security out-riggers


SIMON’S PREDICTIONS AROUND BULK-DATA

• Bulk data transfer to/from Cloud over network will become increasingly commonplace

– With sufficient management/reliability will it matter if it takes a week?

– IP transit costs are falling year on year

• There will always be exceptions of course, but for most of us slow will be good enough

• More and more of big data will already be in the cloud

– IMO transactional data generally hasn’t got that much bigger, there’s just lots of new data around it

9


Our Connectivity Needs

Oracle Compute Service – Network Connectivity Options

VPN For Compute – Special Focus

Demo

AGENDA


3 WAYS TO CONNECT TO THE ORACLE CLOUD

1. VPN for Compute (aka VPN for Multitenant Compute aka Corente)

2. VPN for Dedicated Compute

3. Fast Connect

– Standard Edition

– Partner Edition

0. Over the open internet…

11


1. VPN FOR COMPUTE

• VPN for Multitenant Compute= Corente Cloud Services Exchange (Corente CSX)

• Included with IaaS at no extra cost (other than OCPU)

• Corente CSX key features:

– Trusted network services between any location

– IPsec VPN software appliance running in OPC and optionally your DC• “Corente Services Gateway”

– Compatible with hardware devices running IPsec, e.g. Cisco, Juniper etc

– Centralised management and configuration (provided from Oracle Cloud)

12

Flexible, software-defined VPN


2. VPN FOR DEDICATED COMPUTE

• What is Dedicated Compute?

– You get your hardware (servers/ZFS?) dedicated to your use

– Complete network isolation from other tenants

– The hardware is in a single Oracle cloud data centre

– Starts at 500 OCPU / $50,000 per month = $600,000 pa for x86 (300 OCPU/$30k pcm for SPARC)(I’m not sure how this relates to other PaaS consumption)

• Hardware VPN (pair presumably) provided for you at the Oracle cloud data centre

13

Traditional site-to-site hardware VPN with as much throughput as you need

IMO this is for relatively niche, security-driven requirementsand is not the most cloudy kind of cloud though!


3. FAST CONNECT

• Premium cloud network solution

• Essentially Oracle white label product on top of Equinix

• Designed for multi-cloud access (i.e. Oracle, AWS, SAP, SalesForce…)

• Starts at $4600 per month for 1GbE, $46k per month 10GbE

• Two variants:

– Standard: customer has separately managed connection to Equinix

– Partner Edition: part of customer’s existing WAN networking provision, e.g. MPLS with BT

14

Premier cloud network solution:~a semi-private enterprise-grade internet


(0. DIRECTLY OVER INTERNET)

• You really shouldn’t send any admin traffic over public interface – we don’t for on-prem, why should cloud be different?

• If you do, only open up ssh and tunnel anything you need

•DO NOT OPEN PORT 1521!!!!

15


3 WAYS TO CONNECT TO ORACLE CLOUD

16

http://www.horseracingphoto.co.uk/


Adding hosts

Adding GRE tunnels, test pings

Adding routes/subnets

BEWARE OF SIMPLE SOUNDING VPN PRESENTATIONS!

CC BY-SA 3.0 Created by Uwe Kils (iceberg) and User:Wiska Bodo (sky).(Work by Uwe Kils) http://www.ecoscope.com/iceberg/

Initial VPN ordering

Running App Net Manger to set up CSG config

Firewall rules

Dynamic Routing (BGP etc)

Failover & Topology design

Sizing

Debugging

http://creativecommons.org/licenses/by-sa/3.0/

https://commons.wikimedia.org/wiki/User:Uwe_kils

https://commons.wikimedia.org/wiki/User:Wiska_Bodo

https://en.wikipedia.org/wiki/User:Kils

http://www.ecoscope.com/iceberg/


CORENTE TOPOLOGY

18


CSG CONFIGURATIONS (BASIC)

• Inline

20

• Peer


CSG CONFIGURATIONS (ADVANCED)

21

• Failover

• CSG failover & WAN failover

Lots of features that I think will probably disappear:• DMZ support• Firewall• DHCP• Mobile device connections (e.g. Windows)

Failover network: 1.1.1.1/30 subnet (fixed so mustn’t clash)


CSG – DETAILS

• Oracle Linux 6 (UEK3) based appliance

• Two appliances can be configured for active-standby (via an interconnect network)

• Configuration is automatic by connecting to AppNet Manager (traditionally had file config options too)

• Comes as an ISO which you can:

– Install on Linux 6 KVM as a VM (Oracle Cloud instructions)

– Install on Oracle VM (Oracle Corente instructions)

– Install on ESX, Hyper-V, … (you’re on your own! )

• For installing on OPC there’s an Oracle-supplied image

• 9.4.1 is latest release, 9.4.0 is previous release… take your pick!

22

gateway9.4-1062.iso


ON-PREM OSG DEMO

• VMware ESXi 5.5

23


SUPPORTED HARDWARE & SOFTWARE

• Physical servers including

– HP DL360G5(though a Gen9 ML110!)

– UCS C200 M2

– Dell PE R510 etc

24

http://www.oracle.com/technetwork/server-storage/corente/documentation/corente-services-gateway-hcl-3302281.pdf


RECENT CHANGES

• App Net Manager Lite has now gone (9.4.1 <- current release / Oct)

• The Compute Cloud VPN menu and wizard arrived:

25


PLAN NETWORK ARCHITECTURE

• Think about how you’d do this on-prem:

– Start project

– Talk to network team

– Plan networks

– Diagram with firewall rules and ports

– Do the job

– Test

• Use sensible naming conventions, as you may end up with several CSGs.

– Create security list for all your gateways (probably want all to behave the same)

– Shorten to csg ? (names can get long)

– I think 01 02 03 is fine, but maybe you’d prefer db01, jcs02 etc but will probably share

26


TWO PLACES FOR DOCUMENTATION (1)

• Oracle Compute Cloud Service Docs

– https://docs.oracle.com/cloud/latest/stcomputecs/MCVPN/GUID-67EE82C5-00BE-4057-B9D1-BFF5D40137B3.htm#MCVPN-GUID-67EE82C5-00BE-4057-B9D1-BFF5D40137B3

27

https://docs.oracle.com/cloud/latest/stcomputecs/MCVPN/GUID-67EE82C5-00BE-4057-B9D1-BFF5D40137B3.htm#MCVPN-GUID-67EE82C5-00BE-4057-B9D1-BFF5D40137B3


TYPICAL ISSUE IN CURRENT DOCS (NOV 2016)

28

By User:Alain r - Own work, CC BY-SA 2.5https://commons.wikimedia.org/w/index.php?curid=1150148


TWO PLACES FOR DOCUMENTATION (2)

• Oracle Corente Docs

– http://docs.oracle.com/cd/E74662_01/E80339/html/index.html

29

http://docs.oracle.com/cd/E74662_01/E80339/html/index.html


=> If you don’t have this email STOP HERE!

Username format<domain>_admin

This step is NOT automaticfor all Domains


• Zero Touch Configuration needs a MAC address or service tag of the proposed gateway

31


DEMO

32


CORENTE / VPN FOR COMPUTE – WHERE ARE WE TODAY?

• IPnet is very new (1-2 months) so docs can be tricky to navigate

• Removal of need for App Net Manager Lite is new (1-2 months) so non-official docs (e.g. Oracle tutorial from Sep ’16) are now out of date

• Brand new console Create Gateway function not yet in official docs

• No example configuration given, e.g. IOS or Junos commands, for common hardware devices

• Oracle is gradually removing competitor configuration (and possibly support?),e.g. VMware ESXi

• The remote configuration of CSGs seems well thought out and works well

• CSX offers point-to-point without dependence on management portal

• Scalability and failover options look good

• Hardware option at on-prem DC end should be popular with network admins

• CSX is included with all Oracle PaaS at modest cost (from just 1 IaaS OCPU)


SIMON’S PREDICTIONS FOR OPC NETWORKING 2017-18

Post toe-in-water cloud customers (i.e. really consuming Oracle Cloud):

• Most Oracle Cloud presentations will discourage opening non-public ports to internet

• IPnet will become a de-facto best practice

• VPN for Compute (Corente) will dominate on-prem to cloud connectivity solutions

– Probably in hardware device mode for all except smallest customers

=> this is the closest experience to running linking multiple on-prem Data Centres today

• Oracle “next gen” Infrastructure may bring something dramatically different but not for a while for existing PaaS services

34


COMING FROM SIMON NEXT…

• Blog about installing CSG on VMware ESXi

• Get IPsec termination working on Cisco IOS 15+

• Try to get failover working over two Cisco devices

35

Comms cabinet at Haslam HQ!


THANKS FOR LISTENING!

Q & A

Blog: http://simonhaslam.co.uk

New posts are coming…

36

@simon_haslam

http://simonhaslam.co.uk/

3 ways to connect to the oracle cloud

Technology