Accessing OCI public services via private network

Introduction

When you run your workloads on any public cloud, protecting your network, data and instances from prying eyes and hands is one of the most important things.

But whenever you need to access public services offered by a cloud, you have to go through the internet. When your data travels over the internet, your network and instances (if not behind NAT) and your data are exposed to the public.

Is there a way to access public services offered by a public cloud safely, securely and with the same performance and high availability?

If you are using Oracle Cloud Infrastructure (OCI), look no further: the answer is the Service Gateway (SGW).

Using an SGW, OCI users can access these services directly from a private subnet in their Virtual Cloud Network (VCN), without a NAT gateway or Internet Gateway (IGW) and with no need to go out to the internet. All traffic for these services is routed through OCI's internal network, which protects your data, network and instances.

How to set up an SGW?

This section explains, step by step, how to create an SGW and configure it so that OCI services can be reached from your private subnet.

1. Let's create a VCN.

Go to Networking -> Virtual Cloud Networks and click on Create Virtual Cloud Network.
Provide a name, select Create Virtual Cloud Network Only, enter a CIDR block and click Create.

2. Create a Private Subnet

Click on Create Subnet, provide a name, select Regional, enter a CIDR block, select the default route table and click Create.

3. Create a Service Gateway

Click on Service Gateways from the left menu and click on Create Service Gateway. Provide a name and, under Services, select "All Services in Oracle Services Network". If you only want to access Object Storage via the SGW, select "OCI Object Storage" instead. In this example let's select "All Services in Oracle Services Network", which gives private access to all of these services. Click on Create.

It's that simple. Before we test access to OCI public services from our private subnet, one more step is needed: the VCN has to be told where to send that traffic.

4. Let's add a route rule to tell the VCN to send the traffic to the SGW.

Click on Route Tables from the left menu and click on the default route table, "Default Route Table for Test-SGW-VCN". Click on "Add Route Rules" and select "Service Gateway" from the target type drop-down. Since we want access to all services, select "All Services in Oracle Services Network" as the destination service, and select the newly created SGW as the "Target Service Gateway".

That's it. Now you can access all of these services from the newly created private subnet.
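The four console steps above map onto four resources in the OCI Terraform provider. The configuration below is an added example and is not part of the original post; the resource and data-source names come from the provider (oci_core_vcn, oci_core_subnet, oci_core_service_gateway, oci_core_route_table, oci_core_services), while the variable `compartment_ocid`, the display names and the CIDR blocks are assumptions chosen for this example. It gives the private subnet its own route table rather than editing the VCN default, so the route to the SGW only applies to that subnet, and it sets `prohibit_public_ip_on_vnic` so instances there can never be given a public address.

```hcl
# Compartment in which everything is created (assumed input variable).
variable "compartment_ocid" {
  type = string
}

# Look up the "All <region> Services In Oracle Services Network" service
# label; its id goes into the SGW and its cidr_block into the route rule.
data "oci_core_services" "all_services" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}

# Step 1: the VCN (example CIDR, change to suit your address plan).
resource "oci_core_vcn" "test_sgw_vcn" {
  compartment_id = var.compartment_ocid
  cidr_block     = "10.0.0.0/16"
  display_name   = "Test-SGW-VCN"
}

# Step 3: the Service Gateway, enabled for all Oracle Services Network
# services (use the Object Storage service id instead to restrict it).
resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.test_sgw_vcn.id
  display_name   = "Test-SGW"

  services {
    service_id = data.oci_core_services.all_services.services[0].id
  }
}

# Step 4: a route table whose only rule sends the Oracle Services Network
# CIDR to the SGW. No 0.0.0.0/0 rule exists, so nothing can leave the
# subnet towards the internet even if a NAT or Internet Gateway is added
# to the VCN later.
resource "oci_core_route_table" "private_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.test_sgw_vcn.id
  display_name   = "private-subnet-rt"

  route_rules {
    destination       = data.oci_core_services.all_services.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
}

# Step 2: a regional private subnet (no availability_domain given) that
# uses the route table above and forbids public IPs on its VNICs.
resource "oci_core_subnet" "private_subnet" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.test_sgw_vcn.id
  cidr_block                 = "10.0.1.0/24"
  display_name               = "private-subnet"
  prohibit_public_ip_on_vnic = true
  route_table_id             = oci_core_route_table.private_rt.id
}
```

The route rule only steers packets; the subnet's security list or network security group still has to allow egress to the same service CIDR label (the VCN's default security list allows all egress, so this only matters once you tighten it). A quick check from an instance in the subnet is to resolve a service endpoint such as the Object Storage API for your region and confirm the resulting address lies inside the Oracle Services Network CIDR that the data source returned.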

PS: This is a personal blog. Any comments and questions are welcome.
