Connecting Oracle Cloud to your Data Centre (Part A)
1 like670 views
The document provides a detailed overview of connecting Oracle Cloud to data centers, including the evolution of VPN services and networking options such as shared networks, IP networks, and virtual cloud networks. It discusses Oracle's strategic approach towards VPNaas and emphasizes the importance of collaboration with network teams for successful implementation. Recommendations are provided for setting up new instances, focusing on IP networks and VPNaas.
Connecting Oracle Cloud to your Data Centre (Part A)
- 1. Copyright © 2014, eProseed and/or its affiliates. All rights reserved. | Confidential CONNECTING ORACLE CLOUD TO YOUR DATA CENTRE A Detailed Walk-Through (Part A) Simon Haslam Technical Director eProseed 1
- 2. Copyright © 2017, eProseed UK Ltd INTRODUCTION Simon Haslam • Platform / Infrastructure Architect with a focus on HA, DR, automation etc • Using Oracle products since 1994 (Oracle7) • Formerly UKOUG App Server & Middleware SIG Chair About eProseed • Multi award-winning Oracle Platinum Partner • HQ in Luxembourg with 9 subsidiaries across the world including UK, NL, PT, KSA, USA & now Australia! • A highly technical Oracle practice with 7 active ACEDs
- 3. 3 Membership Tiers: • Oracle ACE Director • Oracle ACE • Oracle ACE Associate bit.ly/OracleACEProgram 500+ Technical Experts Helping Peers Globally Connect: Nominate yourself or someone you know: acenomination.oracle.com @oracleace Facebook.com/oracleaces [email protected]
- 4. 4 • Overview • VPNaaS walk-through • Recap IP networking • Corente ‘Classic’ • Recommendations
- 5. Copyright © 2017, eProseed UK Ltd 3 TYPES OF INTERNAL NETWORKS IN ORACLE CLOUD • IPv4 internal networks described by RFC 1918 (in colloquial notation): – 10.*.*.* 16 million – 172.16.*.* to 17.31.*.* 1 million – 192.168.*.* 65 thousand • Oracle offers 3 types of internal networks for IaaS: 5 1 Shared Network Compute Classic Old 2 IP Networks Compute Classic Newer 3 Virtual Cloud Networks Oracle Cloud Infrastructure fka Bare Metal Cloud Newest
- 6. Copyright © 2017, eProseed UK Ltd 1. SHARED NETWORK • “Traditionally” Oracle only had Shared Network for PaaS / IaaS – Internal IPs are dynamically allocated and subject to change on instance restart – Hosts can be NAT/PAT’d to Public IPs from Oracle ASN address spaces Good: you don’t need to think much Bad: how do we address Oracle VMs from on-prem systems without clashes etc? Shared network is pretty complex for intra-host firewalling Readiness “for cloud scale”? 6
- 7. Copyright © 2017, eProseed UK Ltd 2. IP NETWORKS & 3. VIRTUAL CLOUD NETWORKS • IP Networks (not very descriptive name!) is very similar to AWS Virtual Private Cloud – Allows you to choose the IP subnets you want to use internally within Oracle Cloud – Provides “IP Exchanges” which are gateways between IP Networks • Allows you to make Cloud data centre look much more like an on-prem one Virtual Cloud Networks New Oracle Cloud Infrastructure (OCI) has Virtual Cloud Networks which look very similar to IP Networks (but managed within compartments etc) – I need to do more research there 7
- 8. Copyright © 2017, eProseed UK Ltd VPNS, THEY ARE A CHANGIN’ • Last year in my “3 ways to connect to Oracle Cloud” presentation we had: VPN for Shared Compute (aka Corente) VPN For Dedicated Compute Fast Connect (0. was ‘Directly’ which doesn’t really count!) • Since then lots of new shiny things have arrived: – IP Networks (just arriving at end of 2016) – Oracle Cloud Infrastructure (this is soooo big and shiny it deserves a session of its own!) with its Virtual Cloud Networks – VPNaaS for Classically Classic Cloud Compute Classic 8 © Official Disney UK Channel https://www.youtube.com/watch?v=RiC-dMMYevc
- 9. Copyright © 2017, eProseed UK Ltd ORACLE CLOUD VPN EVOLUTION 9 Early 2016 Orchestration & Console Visibility Nov 2016 Create CSG wizard Mid 2017 VPNaaS (optional) Nov 2017 VPNaaS only
- 10. Copyright © 2017, eProseed UK Ltd THE WRITING IS ON THE WALL 10 Oracle Cloud Infrastructure (fka IaaS) – Compute Classic November 2017 17.4 My speculation: Shared Network will soon be deprecated* * find out why later
- 11. Copyright © 2017, eProseed UK Ltd NETWORKING MENU IN COMPUTE CLASSIC 11 Provisioned Pre-Nov 17 Provisioned Nov 17+ Note: Dec 17 Compute Classic console
- 12. Copyright © 2017, eProseed UK Ltd VPNS COMPARED 12 VPNaaSCorente Evolution VM Shared Network VM VM IP Network(s)
- 13. Copyright © 2017, eProseed UK Ltd QUESTIONS • Is this Distinction between Corente VPN and VPNaaS important? – Yes! Corente is a gateway appliance you manage, whereas VPNaaS is a black box running in the network • Does this mean I should always use Corente as it gives me flexibility to choose Shared or IP Networks? – No. VPNaaS is much easier to set up and appears to be Oracle’s strategic approach: use that if possible. – WARNING: no diagnostics for gateway end of VPNaaS (currently), i.e. have to diagnose issues from your 3rd party device. • Corente can be used for cloud-to-cloud connections – how about VPNaaS? – Sounds plausible but no documentation seen about it yet 13 This means you should be using IP Networks for all new PaaS instances you create, and probably VPNaaS to access them
- 14. Copyright © 2017, eProseed UK Ltd 14 • Overview • VPNaaS walk-through • Recap IP networking • Corente ‘Classic’ • Recommendations
- 15. Copyright © 2017, eProseed UK Ltd WHAT’S OUR GOAL? 15 VPNaaS VM VM IP Network(s) Corporate VLAN(s) Host Admin PCs VPN Note: this doesn’t consider application access – that is normally over the internet 3rd Party Device
- 16. Copyright © 2017, eProseed UK Ltd HIGH-LEVEL WALKTHROUGH Make friends with your network team! Agree the IP Network subnet addresses – if you have them already hopefully you have discussed this before with them! Discuss the IPSec tunnel requirements, hardware vendors, etc You create the VPNaaS Network team sets up & tests the IPSec end point (You & network team debug the VPN) 16
- 17. Copyright © 2017, eProseed UK Ltd 1. NETWORK NUMBERING • Nothing new here – treat it like an on-prem data centre. Consider: – How many networks (VLANs) you need (e.g. prod versus test, network zones) – Think about how numbering will work when adding further Oracle Cloud data centres – Consider a sensible subnet sizes according to potential use 17 We won’t be trunking VLANs – each network gets a gateway/endpoint pair – so don’t go wild. Keep it simple!
- 18. Copyright © 2017, eProseed UK Ltd 2. DISCUSS IPSEC TERMINATION REQUIREMENTS • Your network team will almost certainly have set up IPSec VPNs on the same hardware before – They should know what sets of cypher suites etc that they support – They probably have standard procedures / request form for new IPSec connections • You need to think about access and how routes are advertised, etc • My advice is to try to agree on the latest/strongest cyphers supported by both ends – You don’t know when Oracle may choose to deprecate older ones, e.g. SHA-1 digests. 18
- 19. Copyright © 2017, eProseed UK Ltd 3. YOU CREATE THE VPNAAS GATEWAYS 19 Note: you often have to specify the IKE ID, typically as the external IP
- 20. Copyright © 2017, eProseed UK Ltd20
- 21. Copyright © 2017, eProseed UK Ltd CLOUD CONSOLE VPNAAS CONFIGURATION ARTEFACTS 21 1 x VPN Gateway 1 x Customer Device 1 x Connection In this case – 3 on-prem DC to 2 cloud DC – has 6 VPNaaS pairs Cloud 2 Cloud 2 Cloud 2 A VPNaaS Gateway pair can serve one connection to a Customer Device Cloud 1 DC 1 DC 2 DC 3 Cloud 1 Cloud 1 Remember, this is not necessarily just data centres – could be e.g. Head Office connection
- 22. Copyright © 2017, eProseed UK Ltd VPNAAS: NAMING CONVENTIONS • For VPNaaS you only have one decision to make. Characteristics: – It is point to point, so I like to have same naming at each – It is DC-to-DC within an identity domain (Classic Compute) – It connects into one IP network only, but more are reachable Example convention: prd-{opc-dc}-{on-prem-dc}-{primary-IPnet} e.g. prd-gbs1-wh-int01 Note: I use a short abbreviation for data centres (e.g. gbs1 for gbcom-south-1, eun-1 for eucom-north-1) as it’s helpful to use the same abbreviations on your networking equipment 22
- 23. Copyright © 2017, eProseed UK Ltd 4. NETWORK TEAM SETS UP & TESTS THE IPSEC END POINT • Your network team will almost certainly have set up IPSec VPNs on the same hardware before – They will have standard configuration steps – They should have test methods, or at least a standard testing approach when both ends are ready 23 I recommend setting up the Oracle VPNaaS gateways first since: a) it’s easy ☺ b) it gives your network team something to test against
- 24. Copyright © 2017, eProseed UK Ltd HIGH AVAILABILITY 24
- 25. Copyright © 2017, eProseed UK Ltd Simon’s House DEMO 25 Firewall VPN 1 Windows Terminal Server Firewall VPN 2 Laptop PC ICC wifi Firewall Birmingham SloughDorset VPNaaS Cloud VM 2 This shouldn’t be needed but VPN-VPN needs some config changes…
- 26. Copyright © 2017, eProseed UK Ltd 26 See Part B for Corente
- 27. Copyright © 2017, eProseed UK Ltd RECOMMENDATIONS • If starting completely new now: – Use IP Networks – Use VPNaaS (probably) • If you have existing & Shared Network – Use CSG • Don’t bother with on-prem CSGs – use hardware device • Make friends with your network team • Forget any other ideas about using Corente except for cloud-to-DC VPNs • Think about naming conventions for now & future plans • IGNORE ANY DOCUMENTATION > ~6 MONTHS OLD ☺27
- 28. Copyright © 2017, eProseed UK Ltd Where? Hall 4 Tech17 Community drinks When? Monday 18:45 – 19:45