This blog will share some quick tips, including Q/A and useful links from Day 1 of our previously launched new Oracle Cloud Infrastructure Architect Associate batch. We have covered 15+ hands-on labs in the course.
On our Day 1 Live Session, we covered Identity and Access Management (IAM) basics in OCI.
In this week’s Day 2 Live Session, we continued with Module 3: Networking Concepts and Overview. We covered:
- Network Service Overview
- Virtual Cloud Network, Subnet, Route Table
- IP address
- Security list: Ingress & Egress
- Internet Gateway, Service Gateway, NAT Gateway
- Local Peering Gateway & Remote Peering Connection
- Network Security Group
- VPN Connect & FastConnect
So, here are some of the Q/As asked during the live session on Module 3: Networking Concepts and Overview.
Networking in OCI
Oracle Cloud Infrastructure (OCI) is built on 5 pillars: IAM, Networking, Compute, Storage & Database. Networking is a significant and complex topic for an Oracle Cloud Infrastructure Architect. After provisioning a new tenancy in OCI (which creates the root compartment), one of the first things you create is a networking environment (a VCN). Networking allows communication between the different resources in your OCI environment.
Also Check: Our blog post on Cloud Support Oracle.
Oracle Cloud Infrastructure(OCI) Networking Architecture
A typical Oracle Cloud Infrastructure(OCI) networking architecture has the following network components:
- A Virtual Cloud Network (VCN), and inside this VCN, three subnets.
- One public subnet for bastion host and load balancer, and two private subnets, one for application host and one for the database host.
- An Internet Gateway to connect to the internet from the public subnet.
- A Service Gateway to access OCI Object Storage and other OCI services.
- A Dynamic Routing Gateway (DRG) for private access from an on-premises data centre to OCI.
The first thing you design when you plan to deploy an application, on premises or in the cloud, is the network. A Virtual Cloud Network (VCN) is a customizable private network in Oracle Cloud Infrastructure. The VCN is the larger network in which you deploy environments such as TEST, DEV & UAT. Within each of these environments, you define a Database Tier, an Application Tier, and a Web or DMZ Tier.
This is where VCN & Subnet come into the picture: one way of setting this up in the cloud is to create one VCN per environment and then break that larger VCN into smaller subnets, each subnet hosting a specific tier.
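The VCN-per-environment, subnet-per-tier layout just described is easy to get wrong by hand (a tier subnet outside the VCN CIDR, or two tiers that overlap). The script below is an added example, not part of the original post or of any Oracle tooling: it uses Python's `ipaddress` module to validate a constructed DEV layout and, going one step beyond the text, checks the non-overlap requirement that local or remote peering imposes on two VCNs. The VCN CIDR, tier subnets and peer CIDRs are all assumed values.

```python
"""Plan a VCN's tier subnets and validate the layout (added example).

Assumed values: the VCN CIDR, the tier subnets and the peer VCN CIDRs are
constructed for this illustration; nothing here calls the OCI API.
"""
import ipaddress

# OCI reserves three addresses in every subnet: the network address, the
# address right after it (for the subnet's router) and the broadcast address.
RESERVED_PER_SUBNET = 3

# Constructed layout: one VCN for a DEV environment, one subnet per tier.
VCN_CIDR = "10.0.0.0/16"
TIERS = {
    "web-dmz (public)": "10.0.0.0/24",
    "app (private)": "10.0.1.0/24",
    "db (private)": "10.0.2.0/24",
}


def validate_layout(vcn_cidr, tiers):
    """Return (problems, usable_hosts) for a VCN and its tier subnets.

    Checks that every subnet lies inside the VCN and that no two subnets
    overlap; also reports how many addresses each subnet can hand out.
    """
    vcn = ipaddress.ip_network(vcn_cidr)
    subnets = {name: ipaddress.ip_network(cidr) for name, cidr in tiers.items()}
    problems = []
    usable = {}
    for name, net in subnets.items():
        if not net.subnet_of(vcn):
            problems.append(f"{name} ({net}) is outside VCN {vcn}")
        usable[name] = net.num_addresses - RESERVED_PER_SUBNET
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{a} ({subnets[a]}) overlaps {b} ({subnets[b]})")
    return problems, usable


def can_peer(vcn_cidr, peer_cidr):
    """Local and remote peering both require the two VCN CIDRs not to overlap."""
    return not ipaddress.ip_network(vcn_cidr).overlaps(ipaddress.ip_network(peer_cidr))


if __name__ == "__main__":
    problems, usable = validate_layout(VCN_CIDR, TIERS)
    for name, count in usable.items():
        print(f"{name:18} {TIERS[name]:14} usable hosts: {count}")
    print("problems:", problems or "none")
    # A TEST environment that reuses 10.0.0.0/16 could never be peered with DEV.
    print("can peer with 10.0.0.0/16:", can_peer(VCN_CIDR, "10.0.0.0/16"))
    print("can peer with 10.1.0.0/16:", can_peer(VCN_CIDR, "10.1.0.0/16"))
```

Choosing distinct, non-overlapping /16s per environment up front (10.0.0.0/16 for DEV, 10.1.0.0/16 for TEST, and so on) keeps the peering option open later without re-addressing anything.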
Each Virtual Cloud Network(VCN) automatically comes with a default route table that has no rules. If you don’t specify the rules, every subnet uses the VCN’s default route table. When you add route rules to your VCN, you can add them to the default table if that suits your needs. However, if you need both a public subnet and a private subnet, you create a separate (custom) route table for each subnet.
As for route rules: a route rule specifies a destination CIDR block and the target for any traffic that matches that CIDR. These are the allowed types of targets for a route rule:
- Dynamic Routing Gateway (DRG): For subnets that need private access to networks connected to your VCN (for example, your on-premises network connected with an IPSec VPN or Fast Connect, a peered VCN in the same region, or a peered VCN in another region).
- Internet Gateway: For public subnets that need direct access to the internet.
- NAT Gateway: For subnets with instances that do not have public IP addresses but need outbound access to the internet.
- Service Gateway: For subnets that need private access to Oracle services such as Object Storage.
- Local Peering Gateway (LPG): For subnets that need private access to a peered VCN in the same region.
- Private IP: For subnets that need to route traffic to an instance in the VCN.
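To make the target list concrete, here is an added example (not code from the original post or from Oracle) that models how a route table resolves a destination: traffic to the VCN's own CIDR is delivered locally without any rule, everything else takes the most specific matching rule, and a destination that matches no rule is dropped. The VCN CIDR, the on-premises and peer ranges, and the stand-in CIDR used for the Service Gateway are constructed values; a real Service Gateway rule targets a service CIDR label rather than a numeric CIDR.

```python
"""Resolve where a route table sends a packet (added example, not OCI code).

Models OCI route lookup: the VCN's own CIDR is always reachable locally,
the longest matching prefix wins among the rules, and no match means drop.
All CIDRs and targets below are constructed for the illustration.
"""
import ipaddress

VCN_CIDR = ipaddress.ip_network("10.0.0.0/16")
ONPREM_CIDR = "172.16.0.0/12"        # constructed on-premises range behind the DRG
PEER_VCN_CIDR = "10.1.0.0/16"        # constructed peered VCN behind an LPG
# Stand-in for the "Oracle Services Network" label a real service-gateway
# rule uses instead of a CIDR (constructed value).
ORACLE_SERVICES_CIDR = "198.51.100.0/24"
# Constructed range reached through a firewall instance's private IP.
PARTNER_CIDR = "192.168.0.0/16"

# Public subnet: default route straight to the Internet Gateway.
PUBLIC_ROUTES = [
    ("0.0.0.0/0", "Internet Gateway"),
    (ONPREM_CIDR, "DRG"),
]
# Private subnet: no Internet Gateway at all; outbound-only via NAT.
PRIVATE_ROUTES = [
    ("0.0.0.0/0", "NAT Gateway"),
    (ORACLE_SERVICES_CIDR, "Service Gateway"),
    (ONPREM_CIDR, "DRG"),
    (PEER_VCN_CIDR, "Local Peering Gateway"),
    (PARTNER_CIDR, "Private IP 10.0.1.10 (firewall instance)"),
]


def lookup(route_rules, destination, vcn_cidr=VCN_CIDR):
    """Return the target that handles `destination` under `route_rules`."""
    dst = ipaddress.ip_address(destination)
    if dst in vcn_cidr:
        return "local (within VCN)"
    best = None
    for cidr, target in route_rules:
        net = ipaddress.ip_network(cidr)
        # Most specific (longest) prefix wins; rule order does not matter.
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "no route (dropped)"


if __name__ == "__main__":
    for table_name, table in (("public", PUBLIC_ROUTES), ("private", PRIVATE_ROUTES)):
        for dst in ("10.0.5.5", "10.1.2.3", "172.20.1.1", "198.51.100.7", "8.8.8.8"):
            print(f"{table_name:8} {dst:14} -> {lookup(table, dst)}")
```

Note what the public table does with 10.1.2.3: with no LPG rule, the peered VCN's private address falls through to the 0.0.0.0/0 rule and is handed to the Internet Gateway, where it cannot be delivered. Every subnet that needs to reach a peer, on-premises range or Oracle service needs its own specific rule.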
Q 1: Can we have multiple Virtual Cloud Networks (VCN), and if yes, what are the advantages of having that in one tenancy?
A: Yes, you can use multiple Virtual Cloud Networks (VCNs) within one tenancy, subject to your resource limits. To ensure high availability, you can create multiple VCNs in different regions or availability domains and then connect them with local or remote peering.
Q 2: Can a private Virtual Cloud Network(VCN) have a public Subnet?
A: A Virtual Cloud Network (VCN) is just a network; you don’t define it as public or private. Only subnets are defined as public or private, and subnets are created inside the VCN.
Read More: About OCI Shielded Instances.
Internet Protocol (IP) Address
An IP address is a unique address that identifies a device on the internet or a local network. IP(Internet Protocol) is the rules governing the format of data sent via the internet or local network.
An IP address is a string of numbers separated by periods. IP addresses are expressed as a set of four numbers — an example address might be 192.158.1.38. Each number in the set can range from 0 to 255. So, the full IP addressing range goes from 0.0.0.0 to 255.255.255.255.
Security List & Network Security Groups
The Networking service offers two virtual firewall features to control traffic at the packet level:
1. Security list: Security lists act as virtual firewalls for your compute instances and other kinds of resources. A security list consists of a set of ingress and egress security rules that apply to all the Virtual Network Interface Cards (VNICs) in any subnet that the security list is associated with. This means that all the VNICs in a given subnet are subject to the same set of security lists.
2. Network Security Groups: An NSG consists of ingress and egress security rules that apply only to a set of Virtual Network Interface Cards(VNICs) of your choice in a single Virtual Cloud Network(VCN).
For example, all the compute instances that act as web servers in the web tier of a multi-tier application in your VCN.
Q 3: What is the difference between the security list and routing table? When to use which?
A: A security list provides a virtual firewall for an instance, with ingress and egress rules that specify the types of traffic allowed in and out, whereas your Virtual Cloud Network (VCN) uses virtual route tables to send traffic out of the VCN (for example, to the internet, to your on-premises network, or to a peered VCN).
Q 4: Are the ingress and egress rules present by default?
A: By default, both rules are there. However, you can define either ingress, egress or both based on your requirements.
Check Out: Our blog post on OCI Fundamentals.
Gateway
A Gateway is a network component that allows data to flow from one network to another. As the name suggests, it acts as a gate between two networks. Gateways serve as an entry and exit point for a network as all data going outside a network must pass through it.
The Virtual Cloud Network(VCN) has three gateways:
- Internet gateway: To provide the public subnet direct access to public endpoints on the internet. Connections can initiate from the subnet or the internet. The resources in the public subnet must have public IP addresses.
- Service gateway: To provide the private subnet with private access to supported Oracle services within the region. Connections can initiate only from the subnet.
- NAT gateway: To provide the private subnet with private access to public endpoints on the internet. Connections can initiate only from the subnet.
Q 5: Can we create both NAT Gateway and Internet Gateway in the same architecture?
A: Yes, for Public Subnet, you’ll use Internet Gateway, and for Private Subnets, you’ll use NAT Gateway.
Local Peering Gateway & Remote Peering Connection
A Local Peering Gateway (LPG) is an object on a VCN that lets that VCN peer with another VCN in the same region. Peering means that the two VCNs can communicate using private IP addresses without traffic traversing the internet or routing through your on-premises network.
Remote VCN peering is the process of connecting two VCNs in different regions (but within the same tenancy). The peering allows the VCNs’ resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. Without peering, a given VCN would need an internet gateway and public IP addresses for the instances that need to communicate with another VCN in a different region.
Virtual Private Network(VPN)
A Virtual Private Network(VPN) connection establishes a secure connection between you and the internet. Via the VPN, all your data traffic is routed through an encrypted virtual tunnel. This disguises your IP address when you use the internet, making its location invisible to everyone. A VPN connection is also secure against external attacks.
FastConnect
FastConnect is a network connectivity alternative to using the public internet for connecting your on-premises data centre or network to Oracle Cloud Infrastructure.
FastConnect allows customers to connect directly to their Oracle Cloud Infrastructure (OCI) virtual cloud network via dedicated, private, high-bandwidth connections. Based on the amount of data, customers choose an appropriate port speed and pay a consistent, low price each month.
Q6: What is the main purpose of DHCP Options? When do we require them, and when can we make use of them?
A: The Networking service uses DHCP to automatically provide configuration information to instances when they boot. Each time the instance boots, or its DHCP client restarts, DHCP passes the same private IP address to the instance; the address never changes during the instance’s lifetime. DHCP Options are also used to supply configuration such as the DNS server and the search domain for a machine.
Q7: What is the difference between IPSec and FastConnect?
A: Both are ways to connect on-premises to the cloud. An IPSec VPN establishes an encrypted network connection over the internet between your network or data centre and your Oracle Cloud Infrastructure virtual cloud network (VCN). It’s a suitable solution if you have low or modest bandwidth requirements and can tolerate the inherent variability of internet-based connections. FastConnect bypasses the internet: instead, it uses dedicated, private network connections between your network or data centre and your VCN.
Q8: When I spin up an instance, will it be assigned both a public and a private IP?
A: If you create a database in a public subnet, it gets both a public and a private IP, whereas a database created in a private subnet is assigned only a private IP.
Quiz Time (Sample Exam Questions)!
Our [1Z0-1072] Oracle Cloud Infrastructure Architect Associate training program covers 150+ Sample Exam questions to help you prepare for the certification [1Z0-1072].
Check out one of the questions and see if you can crack this…
Ques: What is the default behaviour of a Security List?
A) It automatically allows HTTP connections.
B) It uses stateful rules by default.
C) It automatically allows TCP connections over ports 22 and 3389
D) It will explicitly deny SSH connections from unknown IP addresses
Reply with your answer.
The right answer will be revealed in next week’s blog.
Here is the answer to the question shared last week.
Ques: You are responsible for setting up access for all the cloud users of a large enterprise. You log in to the Phoenix region and start creating users and policies. You then realize that some users might be creating resources in the Ashburn region.
A) You can assign a region to each of the users at the time of creation.
B) IAM users are global, and non-admin users can add resources to any region by default.
C) You need to log in to each region separately to create users for that particular region.
D) IAM users are global. As an administrator, make sure that you subscribe to the Ashburn region.
Answer : D
Explanation: IAM users are global, which means they are available in all regions, so if users are creating resources in other regions, you need to subscribe to those regions, at no additional cost.
Feedback
We always work on improving and being a better version of ourselves than in the previous session, hence we constantly ask for feedback from our attendees.
Here’s the feedback that we received from our trainees who had attended the session…
Here, 2108 in the below screenshots represents August 2021.
Related/References
- 1Z0-932 V/S 1Z0-1072: Oracle Cloud Infra Architect Associate Certification
- 1Z0-997 | Oracle Cloud Infrastructure 2020 Architect Professional
- FREE MasterClass On How To Become Oracle Certified Cloud Architect [1Z0-1072] in 8 Weeks
- Oracle Cloud Infrastructure (OCI) Architect (1z0-1072)Live Training
Begin Your Cloud Journey
Begin your journey towards becoming a Certified Oracle Cloud Infrastructure Architect and earning a lot more in 2022 by joining our FREE CLASS. You will also know more about the Roles and Responsibilities, Job opportunities for OCI Architects in the market, and what to study Including Hands-On labs you must perform to clear the Oracle Cloud Architect Associate Certification (OCI) certification exam by registering for our FREE Masterclass.
Click on the below image to Register Our FREE Class on Master Oracle Cloud (OCI) and Get a Higher Paying Job!