This blog post discusses how to access Object Storage from a private subnet. Since the object storage lives inside the same Oracle tenancy, it makes no sense to route the traffic over the Internet.
Instead, we need to provision a ‘Service Gateway’ and configure routing so that traffic can flow through it. After that, a compute instance in a private subnet can reach object storage over Oracle’s internal network.
I described creating the networking and compute instances in my previous blog. If you need the details, please refer to the previous blog here.
ACTIVITIES
We are going to follow the steps below to achieve this.
- Create Object storage and upload file
- Test Connectivity from private subnet
- Create Service Gateway
- Configure routing and security rules
- Verify access to object storage
ARCHITECTURE
The architecture diagram shows only the private subnet, from which the database compute connects to object storage.
Figure 1: Architecture
1. Create Object storage and upload file
We will need an object storage bucket with a file inside it to demonstrate accessibility from the private subnet.
Figure 2: Locate Object Storage
Bucket creation is a straightforward activity and only requires a preferred name.
Figure 3: Create Bucket
Once the bucket is created, upload a file using the console as shown in figure 4.
Figure 4: Upload file
An easier way to access/download a file in a bucket is to create a ‘pre-authenticated request’ (PAR). This removes the authentication burden from the client: anyone who holds the URL can download the object, so the URL itself acts as the credential.
Figure 5: Create Pre-authenticate request
Since this is a simple object download test, we can limit the scope of the request to the single object, which is the least-privilege choice.
Figure 6: Choose object
Upon clicking ‘Create Pre-Authenticated Request’, a unique URL appears on screen as shown in figure 7. We can copy this URL to download the file from outside the console.
Figure 7: Request URL
2. Test Connectivity from private subnet
Before we configure anything, we can log in to the compute created inside the private subnet and try to download the file from the object storage bucket. If you need details about this, please refer to my previous blog here.
Figure 8: Login to private subnet compute
Now we can try to download the file as follows:
“wget <pre-authenticated request URL>”
Figure 9: Download object – failed
As expected, the download failed: the private subnet has no route to the Object Storage service yet.
3. Create Service Gateway
We need to create a service gateway to connect our private subnet to the Oracle service network and allow traffic to object storage.
The service gateway can be found under the ‘resources’ section of your VCN (Virtual Cloud Network).
Figure 10: Locate Service Gateway
We can provide a preferred name and the services the gateway should cover (in our case, Object Storage).
Figure 11: Create Service Gateway
This concludes the creation part of the service gateway.
4. Configure routing and security rules
Now we need to add a route rule and allow the necessary port so that traffic can flow via the service gateway.
The route rule needs to be configured in the route table of the private subnet. As in figure 12, we select the previously created service gateway as the target for the route rule; the destination service is Object Storage in our case.
Figure 12: Adding routing rule
Then we need to add an egress rule to the security list. Make sure to select ‘Service’ as the ‘Destination type’ and Object Storage as the ‘Destination service’. The required port is 443 (TCP, used for HTTPS); no wider egress is needed.
Figure 13: Security List
This completes the necessary configuration for routing.
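The same configuration as steps 3 and 4 expressed as Terraform, as an added example that is not part of the original post and not Oracle’s own code. It assumes the OCI Terraform provider is configured, that the VCN already exists as `oci_core_vcn.vcn`, and that `var.compartment_ocid` holds the target compartment; the subnet CIDR and display names are placeholders.

```hcl
# Added example (not from the original post). Assumes the OCI provider is
# configured, the VCN exists as oci_core_vcn.vcn and var.compartment_ocid is set.

# Look up the regional Object Storage service in the Oracle Services Network.
# The regex matches names such as "OCI <REGION> Object Storage".
data "oci_core_services" "object_storage" {
  filter {
    name   = "name"
    values = ["OCI .* Object Storage"]
    regex  = true
  }
}

locals {
  object_storage_service = data.oci_core_services.object_storage.services[0]
}

# Step 3: service gateway that covers only Object Storage.
resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  display_name   = "sgw-object-storage"

  services {
    service_id = local.object_storage_service.id
  }
}

# Step 4a: route table for the private subnet. The destination is the
# service CIDR label rather than an IP range, and the target is the gateway.
resource "oci_core_route_table" "private_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  display_name   = "private-rt"

  route_rules {
    destination       = local.object_storage_service.cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
}

# Step 4b: egress limited to TCP/443 towards the service CIDR only;
# no 0.0.0.0/0 egress rule is opened.
resource "oci_core_security_list" "private_sl" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  display_name   = "private-sl"

  egress_security_rules {
    destination      = local.object_storage_service.cidr_block
    destination_type = "SERVICE_CIDR_BLOCK"
    protocol         = "6" # TCP
    stateless        = false

    tcp_options {
      min = 443
      max = 443
    }
  }
}

# The private subnet must reference both the route table and the security
# list; the CIDR below is an assumed placeholder.
resource "oci_core_subnet" "private" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.vcn.id
  cidr_block                 = "10.0.2.0/24"
  display_name               = "private-subnet"
  prohibit_public_ip_on_vnic = true
  route_table_id             = oci_core_route_table.private_rt.id
  security_list_ids          = [oci_core_security_list.private_sl.id]
}
```

Scoping the gateway, the route rule and the egress rule to the Object Storage service label (rather than the broader “All … Services in Oracle Services Network” label or a 0.0.0.0/0 rule) keeps the private subnet’s reachable set as small as the post’s console steps do; after `terraform apply`, the `wget` test from step 2 is the verification.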
5. Verify access to object storage
Let’s try again to download the object storage file from the compute in the private subnet. This time it should work and download the file without any issue.
Figure 14: Downloading file
This brings us to the end of this blog post. In summary, a service gateway is required to access Oracle internal services like Object Storage from a private subnet. In addition to creating the service gateway, we need to add a route rule and update the security list as well.
Disclaimer: The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.