What is Load Balancer.

Load balancer provide automated traffic distribution from one entry point to multiple servers reachable from your VCN. They improve resource utilization, facilitate scaling, and help ensure high availability.

Types of Load Balancers?

OCI provides two types of Load Balancers.

1. Load balancer

The load balancer service provides a reverse proxy solution that hides the IP of the client from backend application server and vice versa. It is capable of performing advanced layer 7 (HTTP/HTTPS), layer 4 (TCP) load balancing and SSL offloading.

Best for: Websites, mobile apps, SSL termination, and advanced HTTP handling.

2. Network load balancer.

The network load balancer service provides a pass-through (non-proxy solution) that is capable of preserving the client header (source and destination IP). It is built for speed, optimized for long running connections, high throughput and low latency.

Best for: Scaling network virtual appliances such as firewalls, real-time streaming, long running connections, Voice over IP (VoIP), Internet of Things (IoT), and trading platforms.

Which load balancer is right for me?

Find more about OCI Load Balancer

Click Load “Balancers” under the “Networking”

I will choose public as it’s for webservers.

Network and security team, will discuss about more options.

You need to add the backends at this point.

2 backends selected.

You can choose the type of traffic and key too.

Select VCN under the network and click ‘Start VCN Wizard’

I will choose ‘Create VCN with Internet connectivity’. In next screen I will provide CIDR for private and public subnet

Click next and it will provide all information,

Note: you can see there are ‘Gateways’, ‘Security Lists’ and ‘Route tables’.

Let’s expand ‘Gateways’, ‘Security Lists’ and ‘Route tables’. You can see internet gateway usage, ingress and egress in ‘Security lists’ etc.

Now hit create button and it will create a FULLY WORKING vcn and other things inside it.

Now create a compute instance.

Click ‘Instance’ under the ‘Compute’ option. and provide details like machine, image, os etc.

Once ready…you can connect to Sanjay_Webserver1 from your windows machine,

ssh -i Downloads\ssh-key-2024-08-03.key ubuntu@143.47.225.152

Note: There is nothing installed in this new machine.

How To Install VIM on Ubuntu Linux Operating System

1. Command To Update the apt package manager In Ubuntu – $ sudo apt update.
2. Command To Search VIM – $ sudo apt search vim.
3. Command To Install VIM – $ sudo apt install vim.
4. Command To check the version Of VIM – $ vim –version.

Public ip won’t be able to access the server/instance. In order to do that.

Add ingress CIDR and allow traffic on port 80

OCI Networking Best Practices document, along with examples for better understanding:

1. Scalability with Dynamic Routing Gateway (DRG)

• Feature: The DRG allows you to connect up to 300 Virtual Cloud Networks (VCNs).
• Example: If your organization starts with a single VCN for development, as it grows, you can easily add additional VCNs for production, testing, and staging environments without redesigning the entire network.
• Security: You can place network security appliances, such as firewalls, in the hub VCN to inspect traffic between spoke VCNs.
• Example: A firewall in the hub can monitor and control traffic between a production VCN and a development VCN, ensuring that sensitive production data is protected.

2. VCN Segmentation

• Recommendation: Segment different network environments into separate VCNs for better management and security.
• Example: Create one VCN for production (e.g., vcn-prod-ashburn) and another for non-production (e.g., vcn-nonprod-ashburn). This separation helps prevent accidental access to production resources from non-production environments.
• Common Use Cases:
  • Production vs. Non-Production: Isolating environments to reduce risk.
  • Customer Segmentation: Different VCNs for different clients to ensure data privacy and compliance.

3. Hub-and-Spoke Design

• Tip: Implement a hub-and-spoke architecture to centralize connectivity and management.
• Example: The hub VCN can serve as a central point for shared services (like DNS or logging), while spoke VCNs can be dedicated to specific applications or departments, such as finance or HR.

4. Subnet Planning

• Recommendation: Determine the types of subnets needed before provisioning.
• Example: If you need a public subnet for web servers and a private subnet for databases, plan your CIDR blocks accordingly (e.g., 10.0.1.0/24 for public and 10.0.2.0/24 for private).

5. VCN Flow Logs

• Feature: VCN flow logs capture detailed traffic information.
• Recommendation: Enable flow logs for each subnet after creation.
• Example: If you notice unusual traffic patterns, you can analyze the flow logs to identify the source of the traffic and take appropriate action.
• Log Management: Create a separate log group for better organization.
• Cost Awareness: Be aware that storing logs incurs costs, so enable them judiciously.

6. Project Planning for OCI Network Design

• Recommendation: Allocate time and resources for thorough network design.
• Example: Before launching a new application, spend time mapping out the network layout, including VCNs, subnets, and external connectivity, to avoid issues later.
• Collaboration: Work with Oracle specialists for guidance.
• Design Elements: Include layout, topology, sizing, DNS, and external connectivity in your design.

7. Reference Architectures and Templates

• Tip: Use reference architectures for common deployments as a starting point.
• Example: If deploying Oracle E-Business Suite, refer to Oracle’s provided architecture to ensure best practices are followed.
• Diagram Templates: Utilize OCI diagram templates to visualize your network design effectively.

8. Standard Naming Conventions

• Recommendation: Establish a standard naming convention for network resources.
• Example: Use descriptive names like vcn-prod-ashburn for production VCNs, drg-ashburn for DRGs, and web-sn-sl for security lists. This clarity helps team members understand the purpose of each resource at a glance.
• Naming Considerations: Be cautious with names that cannot be changed later, such as DNS labels.

9. DNS Design with OCI Private DNS

• Feature: OCI Private DNS allows for custom DNS domains and records within your VCNs.
• Recommendation: Integrate DNS resolution across VCNs and on-premise environments early in your design.
• Example: If you have a custom domain like oci.customer.com, you can create DNS records that resolve to resources in different VCNs, facilitating seamless connectivity.

By following these detailed points and examples, organizations can effectively design and manage their OCI networking infrastructure, ensuring scalability, security, and operational efficiency.

Here’s a detailed summary of the key topics covered in the document “OCI Networking Best Practices – Part Three – OCI Network Connectivity”:

1. Introduction

• The blog series aims to provide best practices and recommendations for designing, building, securing, and managing OCI network infrastructure.
• This third part focuses on OCI network connectivity, specifically discussing IPSec VPN and FastConnect.
• As organizations grow their cloud deployments, ensuring that critical applications are available and connected in a redundant manner is essential to support both planned and unplanned outages.

2. Ensure Your Network Connectivity is Fully Redundant

• Redundancy is crucial for maintaining the availability of critical applications hosted in OCI.
• Customers need to ensure that their connectivity methods, such as IPSec VPN and FastConnect, are designed to handle outages effectively.
• The document emphasizes the importance of planning for redundancy to avoid single points of failure in the network.

3. IPSec Single and Dual CPE

• It is recommended to deploy two Customer Premise Equipment (CPE) devices with a second set of IPSec tunnels.
• Ideally, these CPEs should be located in different datacenters or geographies to maximize diversity.
• If both CPEs are in the same datacenter, they should be on separate power supplies, LAN switches, and connected to different Internet Service Providers (ISPs).
• The secondary connection must be capable of handling the bandwidth in case the primary connection fails.

4. FastConnect Redundancy Best Practices

• Review the FastConnect Redundancy Best Practices to understand the number of FastConnect locations available in your OCI region.
• Identify your FastConnect scenario and assess the level of diversity it provides.
• Ensure there are no single points of failure along the connectivity path, including in third-party or Oracle partner networks and on-premises setups.

5. Using Border Gateway Protocol (BGP)

• Implement BGP for dynamically advertising routes, which helps in providing predictable automatic network failover.
• Regularly perform failover tests to validate that the redundant connections are functioning correctly. This should be done:
  • When first provisioning the connections.
  • On a regular basis (e.g., every 6 months or annually) during scheduled outage windows.

6. Failover Testing

• Conduct failover tests to ensure that the system behaves as expected during an outage.
• It is critical to validate that the failback to the primary connection also works correctly after a failover.

7. Conclusion

• The document underscores the importance of planning and testing for redundancy in OCI network connectivity.
• By following these best practices, organizations can ensure that their critical applications remain available and resilient against outages.

This summary encapsulates the essential points and recommendations provided in the document, emphasizing the importance of redundancy and proper planning in OCI network connectivity.

Load Balancer

• Application Loadbalancer / Network Loadbalancer
• Network-based load balancer works on TCP/UDP/ICMP
• App-Based load Balancer works on Application Layer [Http/Https]
• Load Balancer Public [Comes with Public IP] and Private [With private Ip]
• Task: service discovery, health check, Algorithm
• Flexible Shape  or Dynamic Shape
• Layer 4 or Layer 7 LB
• You can attach NSG, by default not enabled
• LB can be attached to only one subnet
• You can enable WAF at LB
• Listener  : [Same AWS target group]
  • Weighted round-robin [Round robin with weighted distribution]
  • Ip Hash  [Bound Ip to make a request to the same server]
  • Least request [Redirect Request to the server which has the least number of conenction]

• Up to 16 Listener, 4-state health checks, updated every 3 minute
• There can be downtime in change shape as the existing connection will be drained
• Health Check status
  • OK
  • INVALID_STATUS_CODE
  • TIMEOUT 
  • REGEX_MISMATCH
  • IO_ERROR
  • OFFLINE
  • UNKNOW
• Route based on Virtual Hostname or path-based routing

OCI Traffic Management and Health Checks

• A global Service, generally used in DR/HA to perform Request regional Request Routing

Traffic Management

• Policy
  • Load Balancer [weighted based load balancing]
  • Failover
  • Geolocation Steering
  • ASN Steering
  • IP Prefix Steering

Health check

• Health Check is available for any public ip available [LB, Compute etc]
• Check the target from different Vantage points
• HTTP based health check  or ping type monitors
• Performance monitoring from response time
• Failover detection
• Hybrid Monitoring

Sources Load balancer

Compute

• 1-to-1 mapping for ASG and Instnace Pool
• Scaling is done on the basis of
  • Metric based
    • Cpu utilization
    • Memory utilization
  • Schedule based: cron expression
    • Scale pool size
    • Change in instance state[start or stop]
• In Event of Scale-In, instances are terminated first based on how many instances from the instance pool are in that availability domain and fault domain. Within a placement, the oldest instances are terminated first.

Instance types

• BM [Bare metal / physical machine],
• VM[Virtual Machine]

• Template type
  • Fixed Shape [BM/VM] : Can not be resized
  • Flexible Shape [VM only] : Can be resized cpu and memory
• Shape Types
  • Standard Shapes : Designed for general purpose workloads and suitable for a wide range of applications and use cases. Standard shapes provide a balance of cores, memory, and network resources. Standard shapes are available with Intel or AMD processors.
  • Dense I/O Shapes : Designed for large databases, big data workloads, and applications that require high-performance local storage. DenseIO shapes include locally-attached NVMe-based SSDs.
  • GPU Shapes : Designed for hardware-accelerated workloads. GPU shapes include Intel CPUs and NVIDIA graphics processors.
  • HPC Shapes : Designed for high-performance computing workloads that require high frequency processor cores and cluster networking for massively parallel HPC workloads.
  • Optimized shapes
• Capacity Type
  • On-demand capacity
  • Preemptible capacity
  • Reserved capacity
  • Dedicated capacity
• You can launch console connections that can be connected from your local machine or cloud itself.
• Compute agent provides cpu/memory/io/read/write/network/load metric, which is genrally installed in available images
• Default os can also show OS management and top process
• Cloud-init script can be setup for executing at provison time
• Stop and start does not change the IP [epeheraml ip], however, terminating instance will free that.
• Custom Image from computing will  only include boot volume, region-specific. Maximum size is 300 GB. Instance will shut down for a few minutes while creating images.
• Custom Images can be exported to OS and can be imported
• You can move instances in different fault domains but SAME AD
• Console connection
  • Not booting/need to reset ssh key for the OPC user [default user in oracle linux], edit system configuration
  • Serial console connection / vnc console connection
  • Need private/public key pair
  • Stop / start [can choose boot option and can edit boot file]/ reboot logs will display

Auto Scaling (ASG)

• 1-to-1 mapping for ASG and Instnace Pool
• Scaling is done on the basis of
  • Metric based
    • Cpu utilization
    • Memory utilization
  • Schedule based: cron expression
    • Scale pool size
    • Change in instance state[start or stop]
• In Event of Scale-In, instances are terminated first based on how many instances from the instance pool are in that availability domain and fault domain. Within a placement, the oldest instances are terminated first.

OCI Identity and Access Management

1. IAM – enables to control what type of access a group of users have and to which specific
   resources
2. Each OCI resource has unique OCID
3. IAM uses traditional identity concepts – Principals, Users, Group, AuthN, AuthZ; New
   capability – Compartments
4. Principals – IAM entity interact with OCI resources; IAM users and Instance Principals; User
   has no permissions until placed in groups; Group having at least one policy with permission
   to tenancy or compartment
5. Group – collection of users; same user can be a member of multiple groups; Instance
   Principals – let instances to make API calls against other OCI services
6. Authentication – Username and Password; API siging key; Auth Tokens (Don’t expire)
7. Authorization – define specific privileges in policies and associating them with principals;
   policies cannot be attached to user; policies written in human readable format; Default deny
   all;

IAM Policies

1. Policy Syntax: Allow to in where
2. Verb: inspect(list), read(list+metadata), use(read+existing resource), manage(all permission)
3. Resource Type: Aggregate Resource Type (all-resources, instance-family etc), Individual
   Resource Type(instances, databases etc)
4. Verbs & Permissions – INSPECT & VOLUME INSPECT; USE & VOLUME_WRITE; MANAGE &
   VOLUME_CREATE -> API Operations
5. Common Policies: Network Admins, InstanceLaunchers
6. Advanced Policy Syntax: 2 types of variables added to conditions; request and target; Ex:
   request.operation, targets.group.name

IAM Compartments

1. Organize and control access to resources
2. Compartment Quotas similar to Service Limits but set by Admins using policies; 3 types of
   quota policies (set, unset, zero);
3. Ex: zero compute quotas /bm/ in tenancy (zeroed out BM instance)
4. Main Menu -> Governance -> Compartment Explorer -> List all resources in compartment

Policy Inheritance and Attachment

1. Compartment inherit policies from parent compartments; policy created must be attached
   to a compartment/tenancy (B:C, A:B:C);
2. Compartment move with all its contents; cannot have a same name; two compartment with
   same parent cannot have same name;
3. Policy implications – compartment hierarchy down to the compartment being moved, to a
   shared ancestor of current and target parent; policy attached directly to a compartment
   moved is not automatically updated and is invalid;

IAM-Tags

1. Tagging – Free Form Tags (Basic implementation, key/value) Ex: Env:Production,
   Project:Alpha; Defined Tags – more features and control;
   contained in tag Namespaces; Defined Schema, secured with policy; Ex: Namespace =
   Operations, Human Resources etc
2. Tag Namespace – container for a set of tag keys with tag definitions; key/value pair;
   Namespace.Key = Value; Tag Namespace cannot be deleted but retired; reactivate to use
   again; must be setup in tenancy to start using; variable can be used for volume
3. Ex: ${iam.principal.name} at ${oci.datetime}; Defined tags work with policies; Ex; use tagnamespaces

Required IAM Policy

Only the user can enable multifactor authentication (MFA) for their own account. Users can also disable MFA for their own accounts. Members of the Administrators group can disable MFA for other users, but they cannot enable MFA for another user.

In general, MFA may include any two of the following:

• Something that you know, like a password.
• Something that you have, like a device.
• Something that you are, like your fingerprint.

The IAM service supports two-factor authentication using a password (first factor) and a device that can generate a time-based one-time password (TOTP) (second factor).