
Accessing OCI public services via private network

Introduction

When you are running workloads on any public cloud, protecting your network, data and instances from prying eyes and hands is one of the most important things.

But whenever you need to access the public services a cloud offers, you have to go through the internet. When your data goes over the internet, your network, your instance (if it is not behind NAT) and your data are exposed to the public.

Is there a way to access the public services of a public cloud safely and securely, with the same performance and high availability?

If you are using Oracle Cloud Infrastructure (OCI), look no further: the answer is the Service Gateway (SGW).

With an SGW, OCI users can reach these services directly from a private subnet in their Virtual Cloud Network (VCN) without a NAT gateway or Internet Gateway (IGW); no traffic goes to the internet. All traffic for these services is routed over OCI's internal network, which protects your data, network and instances.

How to set up an SGW?

This section explains, step by step, how to create an SGW and configure it so that the OCI services can be reached from your private subnet.

1. Create a VCN.

Go to Networking -> Virtual Cloud Networks and click Create Virtual Cloud Network.
Provide a name, select Create Virtual Cloud Network Only, enter a CIDR block and click Create.

2. Create a private subnet.

Click Create Subnet, provide a name, select Regional, enter a CIDR block, select the default route table and click Create.

3. Create a Service Gateway.

Click Service Gateways in the left menu and click Create Service Gateway. Provide a name and, under Services, select "All Services in Oracle Services Network". If you only want to reach Object Storage through the SGW, select "OCI Object Storage" instead. In this example we select "All Services in Oracle Services Network", which gives private access to all of these services. Click Create.

It's that simple. Now let's test whether we can reach OCI public services from our private subnet.

4. Add a route rule to tell the VCN to send the traffic to the SGW.

Click Route Tables in the left menu and open "Default Route Table for Test-SGW-VCN". Click "Add Route Rules" and select "Service Gateway" from the drop-down. Since we want access to all services, select "All Services in Oracle Services Network" as the destination service, and select the newly created SGW as the "Target Service Gateway".

That's it: all of these services are now reachable from the newly created private subnet.
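The same four steps expressed as Terraform for the OCI provider, as an added example that is not part of the original post. It assumes `var.compartment_ocid` is supplied by the caller, uses constructed CIDRs, and differs from the console walkthrough in one deliberate way: the private subnet gets its own route table whose only rule points at the SGW, so there is no 0.0.0.0/0 route to an IGW or NAT gateway that could leak traffic to the internet.

```hcl
# Added example (not the post's own code). Assumes var.compartment_ocid is provided.
# The "All ... Services In Oracle Services Network" entry carries a region-specific
# prefix, so it is matched by regex rather than by exact name.
data "oci_core_services" "osn" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}

# Step 1: the VCN (constructed sample CIDR).
resource "oci_core_vcn" "vcn" {
  compartment_id = var.compartment_ocid
  display_name   = "Test-SGW-VCN"
  cidr_blocks    = ["10.0.0.0/16"]
}

# Step 3: the Service Gateway, enabled for all services in the Oracle Services Network.
resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  display_name   = "Test-SGW"
  services {
    service_id = data.oci_core_services.osn.services[0].id
  }
}

# Step 4: a dedicated route table for the private subnet. Its only rule sends the
# service CIDR to the SGW; there is intentionally no default route to an IGW or NAT.
resource "oci_core_route_table" "private" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  display_name   = "private-sgw-rt"
  route_rules {
    destination       = data.oci_core_services.osn.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
}

# Step 2: the private subnet, attached to the SGW-only route table.
resource "oci_core_subnet" "private" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.vcn.id
  display_name               = "private-subnet"
  cidr_block                 = "10.0.1.0/24"
  prohibit_public_ip_on_vnic = true  # instances here can never receive a public IP
  route_table_id             = oci_core_route_table.private.id
}
```

After `terraform apply`, an instance in `private-subnet` can reach Object Storage and the other Oracle Services Network endpoints while having no route to the internet at all, which is the property the post is after.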

PS: This is a personal blog. Any comments and questions are welcome.
