Monday, July 18, 2022

OCI load balancer redirection using Routing Policies

In layman's terms, a load balancer distributes incoming requests across backend servers according to a chosen algorithm. OCI Load Balancers help achieve high availability and scalability. Depending on our requirements we can apply multiple policies and application-level health checks in an OCI Load Balancer. In this post, I am going to demonstrate how we can leverage routing policies to redirect requests to backend servers based on certain conditions. If you want to know how to create a load balancer, you can refer to my earlier post https://samappsdba.blogspot.com/2020/05/configuring-oci-load-balancer-for-ebs.html

I have a webserver1 with public IP X.X.X.65. This is registered in DNS as dumka.tk.
I have another webserver2 with public IP X.X.X.61. This is registered in DNS as dumka.ml.




Now I will create the load balancer.

I will add the backends later.

The load balancer will now be created.

Add the backends now.

Create a listener for the two backends.

Now create the hostnames.

Edit the listener and add the respective hostnames.

Now define the routing policies.

At last, add the public IP of the load balancer to the DNS zones.

Perform the testing.








There are many other advanced configurations we can use with our OCI Load Balancer; for those, go through the Advanced OCI LB Concepts. You can also refer to my earlier post, OCI LB Redirection, on how I used a path route set for load balancer redirection. This post is all about how, using one Network load balancer, we can serve multiple websites using hostnames and routing policies. Hope this post helps someone. Keep learning cloud.
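To make the hostname-based routing concrete, here is an added example of my own, not code from the post: a small Python evaluator that holds the two routing rules in the shape an OCI routing policy takes (rule name, condition, a FORWARD_TO_BACKENDSET action) and applies them to sample requests. The backend set names, the exact condition text and the `any(...)`/`all(...)` combinators are my assumptions about the OCI condition language, the first-match ordering is my understanding of how the listener evaluates rules, and the requests are constructed rather than captured from the author's servers. Routing policies belong to the Layer 7 (flexible) Load Balancer, which is the listener-plus-hostname setup shown above.

```python
"""Evaluate OCI-style routing-policy rules against sample requests.

Added example; not code from the post. The rule layout and the condition
syntax are my assumptions about the OCI routing-policy condition language.
"""
import json
import re
from typing import Dict, List

# Constructed rules, one per web server described in the post. The condition
# strings follow the form I expect OCI to accept; verify against the Console.
ROUTING_RULES: List[Dict] = [
    {
        "name": "to_webserver1",
        "condition": "http.request.headers[(i 'host')] eq (i 'dumka.tk')",
        "actions": [{"name": "FORWARD_TO_BACKENDSET", "backendSetName": "bs_webserver1"}],
    },
    {
        "name": "to_webserver2",
        "condition": "http.request.headers[(i 'host')] eq (i 'dumka.ml')",
        "actions": [{"name": "FORWARD_TO_BACKENDSET", "backendSetName": "bs_webserver2"}],
    },
]

# The two clause forms this evaluator understands: a Host header equality
# and a URL path prefix. `(i '...')` marks the literal as case-insensitive.
_HOST_EQ = re.compile(r"http\.request\.headers\[\(i 'host'\)\]\s+eq\s+\(i '([^']+)'\)")
_PATH_SW = re.compile(r"http\.request\.url\.path\s+sw\s+\(i '([^']+)'\)")


def _clause_matches(clause: str, host: str, path: str) -> bool:
    clause = clause.strip()
    m = _HOST_EQ.fullmatch(clause)
    if m:
        return host.lower() == m.group(1).lower()
    m = _PATH_SW.fullmatch(clause)
    if m:
        return path.lower().startswith(m.group(1).lower())
    raise ValueError(f"unsupported clause: {clause!r}")


def condition_matches(condition: str, host: str, path: str) -> bool:
    """Evaluate one rule condition, including any(...) / all(...) wrappers."""
    cond = condition.strip()
    for prefix, combine in (("any(", any), ("all(", all)):
        if cond.startswith(prefix) and cond.endswith(")"):
            inner = cond[len(prefix):-1]
            # Split on commas that separate clauses, not commas inside literals.
            clauses = re.split(r",(?![^(]*\))", inner)
            return combine(_clause_matches(c, host, path) for c in clauses)
    return _clause_matches(cond, host, path)


def route_request(rules: List[Dict], host: str, path: str, default_backend_set: str) -> str:
    """Return the backend set a request is forwarded to.

    Rules are tried in listed order and the first match wins (my understanding
    of listener behaviour); no match falls through to the listener's default.
    """
    for rule in rules:
        if condition_matches(rule["condition"], host, path):
            for action in rule["actions"]:
                if action["name"] == "FORWARD_TO_BACKENDSET":
                    return action["backendSetName"]
    return default_backend_set


def rules_as_json(rules: List[Dict]) -> str:
    """Serialise the rules in the JSON shape I would hand to the API or CLI."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    for host, path in (("dumka.tk", "/"), ("DUMKA.ML", "/app"), ("other.example", "/")):
        target = route_request(ROUTING_RULES, host, path, "bs_default")
        print(f"Host={host:14} path={path:5} -> {target}")
```

The security-relevant detail is the fallback: the Host header is chosen by the client, so a request naming anything other than your two hostnames lands on the listener's default backend set. That default should be a deliberate choice (for example a backend that only answers with an error page), not whichever site happened to be configured first.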

Saturday, July 9, 2022

Connect to a Compute instance on a Private Subnet using a Public Load Balancer in OCI

In this post, I am going to demonstrate how we can connect to a VM Compute instance running on a private subnet using a Network Load Balancer. There are other ways to connect, such as FastConnect, IPSec VPN or the Bastion service, which are beyond the scope of this post. The Oracle Cloud Infrastructure Flexible Network Load Balancing service (Network Load Balancer) provides automated traffic distribution from one entry point to multiple backend servers in your virtual cloud network (VCN). It operates at the connection level and load balances incoming client connections to healthy backend servers based on Layer 3/Layer 4 (IP protocol) data. The service offers a load balancer with your choice of a regional public or private IP address that is elastically scalable and scales up or down based on client traffic with no bandwidth configuration requirement.

Network Load Balancer provides the benefits of flow high availability and preservation of source and destination IP addresses and ports. It is designed to handle volatile traffic patterns and millions of flows, offering high throughput while maintaining ultra-low latency. Network load balancers have a default limit of 1 million concurrent connections. Network Load Balancer is the ideal load balancing solution for latency-sensitive workloads. For more information, you can refer to https://docs.oracle.com/en-us/iaas/Content/NetworkLoadBalancer/overview.htm




Steps: I have two subnets, one private and one public. The compute instance is created in the private subnet and the Network Load Balancer is defined in the public subnet. Both subnets have their respective security lists and route tables. The compute instance will be accessible on SSH port 22.


Create a VCN

Create a NAT Gateway

Create a Service Gateway

Create a Route Rule

Create a Security List

192.168.0.8/30 is the CIDR of the LB subnet.

Create a Compute instance on the private subnet

Next, create the public subnet which will host the LB.

Create the NSG defining the ingress and egress rules of the LB

Now create the Network Load Balancer

Unselect Preserve Source IP

Make sure the health checks pass

Now use the public IP of the LB to connect to the private compute instance over SSH






In this blog post, we looked at one of the easiest solutions for connecting to a compute instance running on a private subnet. Using a Network Load Balancer, we can also connect to a database running on a specific port, Windows RDP, etc. I hope this post helps someone. Till then, enjoy learning Cloud.
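The two settings that decide whether this works, and how exposed the instance ends up, are the private subnet's security list and the Preserve Source IP checkbox. The following is an added example of my own, not an export of the author's configuration: it models the security list the post describes (only the LB subnet 192.168.0.8/30 may reach TCP/22), applies my understanding that with Preserve Source IP off the backend sees the NLB's own address while with it on it sees the client's address, and flags any rule that opens SSH to a large source range. The client and NLB addresses are constructed test values.

```python
"""Check which sources the private subnet's security list admits to SSH.

Added example; not the post's configuration export. Rules are constructed
from the post's description (LB subnet 192.168.0.8/30 allowed to TCP/22);
addresses other than that CIDR are made-up test values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IngressRule:
    source_cidr: str
    protocol: str              # "tcp", "udp" or "all"
    port_min: Optional[int]    # None means every port
    port_max: Optional[int]


LB_SUBNET_CIDR = "192.168.0.8/30"  # the LB subnet CIDR given in the post

# Constructed security list for the private subnet: only the LB subnet may
# reach TCP/22 on the compute instance, which is what the post sets up.
PRIVATE_SUBNET_INGRESS: List[IngressRule] = [
    IngressRule(LB_SUBNET_CIDR, "tcp", 22, 22),
]


def rule_allows(rule: IngressRule, src_ip: str, port: int, protocol: str = "tcp") -> bool:
    """True if one ingress rule admits a packet from src_ip to port/protocol."""
    network = ipaddress.ip_network(rule.source_cidr, strict=False)
    if ipaddress.ip_address(src_ip) not in network:
        return False
    if rule.protocol not in ("all", protocol):
        return False
    if rule.port_min is None:
        return True
    return rule.port_min <= port <= rule.port_max


def ingress_allowed(rules: List[IngressRule], src_ip: str, port: int, protocol: str = "tcp") -> bool:
    """Security-list semantics: any single matching rule admits the packet."""
    return any(rule_allows(r, src_ip, port, protocol) for r in rules)


def backend_sees_source(client_ip: str, nlb_ip: str, preserve_source_ip: bool) -> str:
    """The source address the backend instance sees for a connection.

    With Preserve Source IP unselected (as in the post) the backend sees the
    NLB's own address from the LB subnet; with it selected, it sees the client.
    This is my understanding of the option, so confirm it on your tenancy.
    """
    return client_ip if preserve_source_ip else nlb_ip


def ssh_reachable(rules: List[IngressRule], client_ip: str, nlb_ip: str, preserve_source_ip: bool) -> bool:
    src = backend_sees_source(client_ip, nlb_ip, preserve_source_ip)
    return ingress_allowed(rules, src, 22)


def overly_broad_ssh_rules(rules: List[IngressRule], max_sources: int = 256) -> List[IngressRule]:
    """Rules that admit more than max_sources addresses to TCP/22."""
    broad = []
    for r in rules:
        if r.protocol not in ("all", "tcp"):
            continue
        covers_22 = r.port_min is None or r.port_min <= 22 <= r.port_max
        network = ipaddress.ip_network(r.source_cidr, strict=False)
        if covers_22 and network.num_addresses > max_sources:
            broad.append(r)
    return broad


if __name__ == "__main__":
    client, nlb = "203.0.113.7", "192.168.0.10"  # constructed client and NLB addresses
    for preserve in (False, True):
        ok = ssh_reachable(PRIVATE_SUBNET_INGRESS, client, nlb, preserve)
        print(f"preserve_source_ip={preserve}: SSH reachable through the NLB = {ok}")
    wide_open = PRIVATE_SUBNET_INGRESS + [IngressRule("0.0.0.0/0", "tcp", 22, 22)]
    print("broad SSH rules:", overly_broad_ssh_rules(wide_open))
```

Because the instance only ever sees the NLB subnet as the source, its security list cannot distinguish the administrator from anyone else who reaches the NLB's public IP. Client filtering therefore has to happen in the NLB's NSG ingress rules, which is also why the post creates that NSG, and the instance should still accept key-based SSH only.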

Tuesday, July 5, 2022

Create an OCI IAM user with least privilege

 The IAM service lets you control who has access to cloud resources. You can control what type of access a group of users has and to which specific resources. The service enables you to enforce the security principle of least privilege by default. New users aren’t allowed to perform actions on any resources until they’re granted the appropriate permissions. With the IAM service, you can use a single model for authentication and authorization across all OCI services. IAM makes it easy to manage access for organizations of all sizes—from one person working on a single project to large companies with many groups working on many projects at the same time—within a single account.

In my last post https://samappsdba.blogspot.com/2022/06/protect-accidental-termination-of-OCI-Compute-instance.html I explained how we can protect a compute instance from being terminated by mistake. In this post, I will demonstrate how we should create users when our instance is first provisioned. When our instance is provisioned, we are given the tenancy administrator credentials. This user is the root user and should not be used in our daily operations. Thus, once the instance is provisioned, the administrator should create a separate user for day-to-day activities, and this user should have the least privileges required.


Source: Oracle documentation


In my tenancy, I have created one group.

I will now create a user and assign the user to the group.

The user is assigned to the group.

Now, once we reset the password for the user and set the email, the user can log in to OCI. But will he/she be able to do anything? No, because the group to which the user has been assigned doesn't have any policies set.

We will get the below message.

Thus, we will now create a policy and attach it to the group.






Now if the user logs in to the OCI Console, he/she will be able to see the instance. The above policy allows the user to work in only one compartment, but within that specific compartment he/she can do all the work. If they go into another compartment, they cannot see the resources there; they will get an unauthorized error message.

To narrow the scope further within that one compartment, I just want the user to see the compute instances and nothing else. In that case, my policy will be:

Allow group REST_USERS to manage instance-family in compartment OCIPROF

Other examples are:

Virtual-network-family

Database-family

Volume-family
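As an added example of my own (not the author's or Oracle's tooling), the following Python parses statements in the form used above and flags the ones that are wider than one compartment or one resource family, so a new policy can be checked before it is attached to a group. The grammar covered is the common `Allow <subject> to <verb> <resource> in <scope> [where ...]` form; the finding codes are my own labels, and the sample statements other than the post's `Allow group REST_USERS ...` line are constructed.

```python
"""Parse and lint OCI IAM policy statements for least privilege.

Added example; not the author's or Oracle's tooling. Covers the common
'Allow <subject> to <verb> <resource> in <scope> [where ...]' statement form.
"""
import re
from typing import Dict, List, Optional

# OCI verbs in increasing order of power.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

_STATEMENT = re.compile(
    r"^\s*allow\s+(?P<subject>group\s+\S+|dynamic-group\s+\S+|any-user)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# My own finding codes, not OCI terminology.
FINDINGS = {
    "ANY_USER": "subject is any-user: every authenticated principal matches",
    "TENANCY_SCOPE": "scope is the whole tenancy rather than one compartment",
    "ALL_RESOURCES": "resource is all-resources rather than a specific family or type",
    "ADMIN_EQUIVALENT": "manage all-resources in tenancy equals the Administrators group",
}


def parse_statement(statement: str) -> Dict[str, Optional[str]]:
    """Split one statement into subject, verb, resource, scope and condition."""
    m = _STATEMENT.match(statement)
    if not m:
        raise ValueError(f"not a recognised policy statement: {statement!r}")
    d = m.groupdict()
    return {
        "subject": d["subject"].strip(),
        "verb": d["verb"].lower(),
        "resource": d["resource"].lower(),
        "scope": d["scope"].strip(),
        "condition": d["condition"],
    }


def lint_statement(statement: str) -> List[str]:
    """Return finding codes for grants broader than one compartment/resource."""
    p = parse_statement(statement)
    findings: List[str] = []
    if p["subject"].lower() == "any-user":
        findings.append("ANY_USER")
    if p["scope"].lower() == "tenancy":
        findings.append("TENANCY_SCOPE")
    if p["resource"] == "all-resources":
        findings.append("ALL_RESOURCES")
    if p["verb"] == "manage" and "ALL_RESOURCES" in findings and "TENANCY_SCOPE" in findings:
        findings.append("ADMIN_EQUIVALENT")
    return findings


def narrowest_first(statements: List[str]) -> List[str]:
    """Order statements from least to most privilege (verb rank, then breadth)."""
    def key(s: str):
        p = parse_statement(s)
        return (VERB_RANK[p["verb"]], p["resource"] == "all-resources", p["scope"].lower() == "tenancy")
    return sorted(statements, key=key)


# Constructed sample: the post's policy, a read-only variant I made up for
# contrast, and the tenancy's default Administrators policy.
SAMPLE_POLICY = [
    "Allow group REST_USERS to manage instance-family in compartment OCIPROF",
    "Allow group REST_USERS to read instance-family in compartment OCIPROF",
    "Allow group Administrators to manage all-resources in tenancy",
]

if __name__ == "__main__":
    for s in narrowest_first(SAMPLE_POLICY):
        codes = lint_statement(s)
        verdict = ", ".join(FINDINGS[c] for c in codes) or "scoped to one compartment and one resource family"
        print(f"{s}\n   -> {verdict}")
```

Running the linter over a compartment's policies before handing a group to a new user is a cheap way to catch a statement that quietly grants `manage all-resources` or `in tenancy` when the intent, as in the post, was one resource family in one compartment.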


I hope this post gives an overview of how privileges are granted to a user and how least privilege is enforced for a new user. Hope this post helps someone. Till then, happy learning cloud.