Copyright © 2014, eProseed and/or its affiliates. All rights reserved. | Confidential
3 WAYS TO CONNECT TO THE ORACLE CLOUD
Simon Haslam, Technical Director & Partner, eProseed UK
Simon Haslam
• Platform / Infrastructure Architect
• Using Oracle products since ~1995 (Oracle7)
• Formerly UKOUG App Server & Middleware SIG Chair
• A weakness for networking kit – owns various Cisco routers & switches, even a F5 BIG-IP hardware appliance
AGENDA
• Our Connectivity Needs
• Oracle Compute Service – Network Connectivity Options
• VPN For Compute – Special Focus
• Demo
OUR CONNECTIVITY NEEDS: TODAY
• Many of us are spoilt by 10GbE+ dedicated fibre between DCs
– Tempts people into stretched cluster nonsense
– You can usually take connectivity for granted
– We hardly ever think about security between servers in similar networks
• The DC interconnects are usually shared within the org so need management
– Storage replication
– Microsoft server traffic (less so over time with Office 365)
– VOIP
• Connectivity is mostly someone else’s problem
• Network is almost always someone else’s cost
OUR CONNECTIVITY NEEDS: HYBRID CLOUD
• Bulk data (customer transactional data) will probably be the last thing to end up on cloud (with exception of SaaS)
• Backup / standby to cloud is immediately appealing
– Offsite tape rotation is insane in connected age
– Most providers offer backup appliances to another DC and/or cloud provider
– If you can secure it why wouldn’t you?
• Coping with pre-historic licensing models
• Mobile is driving increasingly high SLAs, which can put pressure on on-prem internet connectivity (in and out)
Organisations have to be increasingly well connected
FUTURE
• Network will be increasingly important
• Bandwidth/latency will continue to improve
– Remember: nothing can travel faster than the speed of light! (130ms RTT ½ planet)
• Bulk data transfers – old adage:
“Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.” – Computer Networks, 3rd ed., p. 83 (paraphrasing Dr. Warren Jackson, Director, University of Toronto Computing Services (UTCS), circa 1985)
AWS SNOWBALL: MODERN TAPES
Note: Oracle has something similar
AWS SNOWMOBILE: THE STATION WAGON WITH A NEW TWIST
30 Nov 2016
• Fibre-connected
• Satellite tracked
• Security out-riggers
SIMON’S PREDICTIONS AROUND BULK-DATA
• Bulk data transfer to/from Cloud over network will become increasingly commonplace
– With sufficient management/reliability will it matter if it takes a week?
– IP transit costs are falling year on year
• There will always be exceptions of course, but for most of us slow will be good enough
• More and more of big data will already be in the cloud
– IMO transactional data generally hasn’t got that much bigger, there’s just lots of new data around it
3 WAYS TO CONNECT TO THE ORACLE CLOUD
1. VPN for Compute (aka VPN for Multitenant Compute aka Corente)
2. VPN for Dedicated Compute
3. Fast Connect
– Standard Edition
– Partner Edition
0. Over the open internet…
1. VPN FOR COMPUTE
• VPN for Multitenant Compute = Corente Cloud Services Exchange (Corente CSX)
• Included with IaaS at no extra cost (other than OCPU)
• Corente CSX key features:
– Trusted network services between any location
– IPsec VPN software appliance running in OPC and optionally your DC
• “Corente Services Gateway”
– Compatible with hardware devices running IPsec, e.g. Cisco, Juniper etc
– Centralised management and configuration (provided from Oracle Cloud)
Flexible, software-defined VPN
2. VPN FOR DEDICATED COMPUTE
• What is Dedicated Compute?
– You get your hardware (servers/ZFS?) dedicated to your use
– Complete network isolation from other tenants
– The hardware is in a single Oracle cloud data centre
– Starts at 500 OCPU / $50,000 per month = $600,000 pa for x86 (300 OCPU / $30k pcm for SPARC) (I’m not sure how this relates to other PaaS consumption)
• Hardware VPN (pair presumably) provided for you at the Oracle cloud data centre
Traditional site-to-site hardware VPN with as much throughput as you need
IMO this is for relatively niche, security-driven requirements and is not the most cloudy kind of cloud though!
3. FAST CONNECT
• Premium cloud network solution
• Essentially Oracle white label product on top of Equinix
• Designed for multi-cloud access (i.e. Oracle, AWS, SAP, SalesForce…)
• Starts at $4600 per month for 1GbE, $46k per month 10GbE
• Two variants:
– Standard: customer has separately managed connection to Equinix
– Partner Edition: part of customer’s existing WAN networking provision, e.g. MPLS with BT
Premier cloud network solution: ~a semi-private enterprise-grade internet
(0. DIRECTLY OVER INTERNET)
• You really shouldn’t send any admin traffic over public interface – we don’t for on-prem, why should cloud be different?
• If you do, only open up ssh and tunnel anything you need
• DO NOT OPEN PORT 1521!!!!
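An added example (not from the deck) of the two points above: an audit that flags any security rule letting internet sources reach a port other than ssh, rating an exposed listener (1521) as critical, plus the ssh local-forward that reaches the listener through port 22 alone. The rule format, the `public-internet` source label, and the hostnames are constructed for illustration.

```python
from __future__ import annotations

PUBLIC_SOURCE = "public-internet"   # "anyone on the internet" source in these constructed rules
SSH_PORT = 22
LISTENER_PORT = 1521                # Oracle Net listener: the port the slide says never to expose

# Constructed sample rules (not real tenancy data): name, traffic source, destination port or range.
SAMPLE_RULES = [
    {"name": "csg-ssh-public", "source": PUBLIC_SOURCE, "ports": "22"},
    {"name": "db-listener-public", "source": PUBLIC_SOURCE, "ports": "1521"},
    {"name": "db-listener-from-app", "source": "seclist:app-tier", "ports": "1521-1522"},
]

def parse_ports(spec: str) -> set[int]:
    """'22' -> {22}; '1521-1522' -> {1521, 1522}."""
    if "-" in spec:
        lo, hi = (int(part) for part in spec.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(spec)}

def audit_rules(rules: list[dict],
                allowed: frozenset[int] = frozenset({SSH_PORT})) -> list[tuple[str, str, list[int]]]:
    """Flag every rule that lets internet sources reach a port outside `allowed`.
    An exposed listener is rated critical; any other unexpected port is a warning."""
    findings = []
    for rule in rules:
        if rule["source"] != PUBLIC_SOURCE:
            continue            # internal-to-internal rules are out of scope here
        exposed = sorted(parse_ports(rule["ports"]) - allowed)
        if exposed:
            severity = "critical" if LISTENER_PORT in exposed else "warning"
            findings.append((rule["name"], severity, exposed))
    return findings

def ssh_tunnel_command(bastion: str, user: str, db_host: str,
                       local_port: int = LISTENER_PORT) -> list[str]:
    """Build the ssh local forward that reaches the listener via port 22 only.
    ExitOnForwardFailure makes a refused forward fail loudly instead of silently."""
    return [
        "ssh", "-N",
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=60",
        "-L", f"127.0.0.1:{local_port}:{db_host}:{LISTENER_PORT}",
        f"{user}@{bastion}",
    ]

if __name__ == "__main__":
    for name, severity, ports in audit_rules(SAMPLE_RULES):
        print(f"{severity.upper():8} {name}: ports {ports} open to the internet")
    print(" ".join(ssh_tunnel_command("csg01.example.test", "opc", "db01.internal.test")))
```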
3 WAYS TO CONNECT TO ORACLE CLOUD
BEWARE OF SIMPLE SOUNDING VPN PRESENTATIONS!
Above the waterline (what the demos show):
• Adding hosts
• Adding GRE tunnels, test pings
• Adding routes/subnets
Below the waterline:
• Initial VPN ordering
• Running App Net Manager to set up CSG config
• Firewall rules
• Dynamic Routing (BGP etc)
• Failover & Topology design
• Sizing
• Debugging
Image: CC BY-SA 3.0, created by Uwe Kils (iceberg) and User:Wiska Bodo (sky). (Work by Uwe Kils) http://www.ecoscope.com/iceberg/
CORENTE TOPOLOGY
CSG CONFIGURATIONS (BASIC)
• Inline
• Peer
CSG CONFIGURATIONS (ADVANCED)
• Failover
• CSG failover & WAN failover
• Lots of features that I think will probably disappear:
– DMZ support
– Firewall
– DHCP
– Mobile device connections (e.g. Windows)
• Failover network: 1.1.1.1/30 subnet (fixed, so your own addressing mustn’t clash with it)
CSG – DETAILS
• Oracle Linux 6 (UEK3) based appliance
• Two appliances can be configured for active-standby (via an interconnect network)
• Configuration is automatic by connecting to AppNet Manager (traditionally had file config options too)
• Comes as an ISO which you can:
– Install on Linux 6 KVM as a VM (Oracle Cloud instructions)
– Install on Oracle VM (Oracle Corente instructions)
– Install on ESX, Hyper-V, … (you’re on your own!)
• For installing on OPC there’s an Oracle-supplied image
• 9.4.1 is latest release, 9.4.0 is previous release… take your pick!
gateway9.4-1062.iso
ON-PREM OSG DEMO
• VMware ESXi 5.5
SUPPORTED HARDWARE & SOFTWARE
• Physical servers including
– HP DL360G5 (though a Gen9 ML110!)
– UCS C200 M2
– Dell PE R510 etc
http://www.oracle.com/technetwork/server-storage/corente/documentation/corente-services-gateway-hcl-3302281.pdf
RECENT CHANGES
• App Net Manager Lite has now gone (9.4.1 <- current release / Oct)
• The Compute Cloud VPN menu and wizard arrived:
PLAN NETWORK ARCHITECTURE
• Think about how you’d do this on-prem:
– Start project
– Talk to network team
– Plan networks
– Diagram with firewall rules and ports
– Do the job
– Test
• Use sensible naming conventions, as you may end up with several CSGs.
– Create security list for all your gateways (probably want all to behave the same)
– Shorten to csg ? (names can get long)
– I think 01 02 03 is fine, but maybe you’d prefer db01, jcs02 etc but will probably share
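An added example (not from the deck) for the "plan networks" step above and for the fixed CSG failover network from the advanced configurations slide: it checks a planned address scheme for overlaps, always including the fixed 1.1.1.1/30 interconnect, and reports any planned range that is not private address space. The address plan below is constructed; only the failover /30 comes from the slides.

```python
from __future__ import annotations
from ipaddress import ip_network

# The slides give the CSG failover interconnect as the fixed "1.1.1.1/30";
# strict=False normalises that to the network it belongs to, 1.1.1.0/30.
CSG_FAILOVER_NET = ip_network("1.1.1.1/30", strict=False)

# Constructed address plan (not a real deployment): name -> CIDR.
EXAMPLE_PLAN = {
    "onprem-core": "10.0.0.0/16",
    "onprem-db": "10.0.5.0/24",        # mistake: carved out of onprem-core without saying so
    "cloud-ipnet": "192.168.10.0/24",
    "lab-legacy": "1.1.1.0/24",        # mistake: sits on top of the fixed failover /30
}

def find_overlaps(plan: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of named networks that overlap. The fixed failover
    interconnect is always added to the check, since it cannot be changed."""
    nets = {name: ip_network(cidr) for name, cidr in plan.items()}
    nets["csg-failover (fixed)"] = CSG_FAILOVER_NET
    names = sorted(nets)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes

def public_ranges(plan: dict[str, str]) -> list[str]:
    """Names of planned networks outside private (RFC 1918 etc.) address space;
    routing those over a VPN will eventually collide with the real internet."""
    return sorted(name for name, cidr in plan.items() if not ip_network(cidr).is_private)

if __name__ == "__main__":
    for a, b in find_overlaps(EXAMPLE_PLAN):
        print(f"CLASH: {a} overlaps {b}")
    for name in public_ranges(EXAMPLE_PLAN):
        print(f"WARN: {name} uses public address space")
```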
TWO PLACES FOR DOCUMENTATION (1)
• Oracle Compute Cloud Service Docs
– https://docs.oracle.com/cloud/latest/stcomputecs/MCVPN/GUID-67EE82C5-00BE-4057-B9D1-BFF5D40137B3.htm#MCVPN-GUID-67EE82C5-00BE-4057-B9D1-BFF5D40137B3
TYPICAL ISSUE IN CURRENT DOCS (NOV 2016)
Image: By User:Alain r - Own work, CC BY-SA 2.5, https://commons.wikimedia.org/w/index.php?curid=1150148
TWO PLACES FOR DOCUMENTATION (2)
• Oracle Corente Docs
– http://docs.oracle.com/cd/E74662_01/E80339/html/index.html
=> If you don’t have this email, STOP HERE!
Username format: <domain>_admin
This step is NOT automatic for all domains
• Zero Touch Configuration needs a MAC address or service tag of the proposed gateway
DEMO
CORENTE / VPN FOR COMPUTE – WHERE ARE WE TODAY?
• IPnet is very new (1-2 months) so docs can be tricky to navigate
• Removal of need for App Net Manager Lite is new (1-2 months) so non-official docs (e.g. Oracle tutorial from Sep ’16) are now out of date
• Brand new console Create Gateway function not yet in official docs
• No example configuration given, e.g. IOS or Junos commands, for common hardware devices
• Oracle is gradually removing competitor configuration (and possibly support?), e.g. VMware ESXi
• The remote configuration of CSGs seems well thought out and works well
• CSX offers point-to-point without dependence on management portal
• Scalability and failover options look good
• Hardware option at on-prem DC end should be popular with network admins
• CSX is included with all Oracle PaaS at modest cost (from just 1 IaaS OCPU)
SIMON’S PREDICTIONS FOR OPC NETWORKING 2017-18
Post toe-in-water cloud customers (i.e. really consuming Oracle Cloud):
• Most Oracle Cloud presentations will discourage opening non-public ports to internet
• IPnet will become a de-facto best practice
• VPN for Compute (Corente) will dominate on-prem to cloud connectivity solutions
– Probably in hardware device mode for all except smallest customers
=> this is the closest experience to linking multiple on-prem data centres today
• Oracle “next gen” Infrastructure may bring something dramatically different but not for a while for existing PaaS services
COMING FROM SIMON NEXT…
• Blog about installing CSG on VMware ESXi
• Get IPsec termination working on Cisco IOS 15+
• Try to get failover working over two Cisco devices
Comms cabinet at Haslam HQ!
THANKS FOR LISTENING!
Q & A
Blog: http://simonhaslam.co.uk
New posts are coming…
@simon_haslam