Connecting via OCI Service Gateway

This blog article discusses how to access Object Storage from a private subnet. Since Object Storage is an Oracle service hosted in the same region as the tenancy's VCN, it makes no sense to route that traffic over the Internet.

To achieve this we need to provision a Service Gateway and configure routing so the traffic flows through it. Once that is done, a compute instance in a private subnet can reach Object Storage over Oracle's internal service network, with no Internet Gateway or NAT Gateway involved.

I described creating networking and compute instances in my previous blog. If you need to know about it in detail please refer to the previous blog here.

ACTIVITIES

We are going to follow below steps to achieve this. 

  1. Create Object storage and upload file
  2. Test Connectivity from private subnet
  3. Create Service Gateway
  4. Configure routing and security rules
  5. Verify access to object storage

ARCHITECTURE

The architecture diagram shows only the private subnet, from which the database compute instance connects to Object Storage through the service gateway.

Figure 1: Architecture

1. Create Object storage and upload file

We will require an object storage bucket and a file inside to demonstrate the accessibility from the private subnet.

Figure 2: Locate Object Storage

Bucket creation is a straightforward activity and only requires a preferred name. Leave the visibility as Private (the default); a public bucket is not needed for this test.

Figure 3: Create Bucket

Once the bucket is created, upload a file using the console as shown in figure 4.

Figure 4: Upload file

An easier way to download a file from a bucket during a test is to create a 'pre-authenticated request' (PAR). This removes the need to authenticate the client. Note that a PAR URL is a bearer credential: anyone who obtains it can read the object until the request expires, so give it a short expiry, make it read-only, and treat the URL as a secret.

Figure 5: Create pre-authenticated request

Since this is a simple object download test, we can restrict the scope of the request to that single object rather than the whole bucket.

Figure 6: Choose object

Upon clicking 'Create Pre-Authenticated Request', a unique URL appears on screen as shown in figure 7. Copy it now, because the console shows it only once. This URL can be used to download the file from anywhere that can reach the Object Storage endpoint.

Figure 7: Request URL

2. Test Connectivity from private subnet

Before we configure anything, we can log in to the compute instance created inside the private subnet and try to download the file from the bucket. If you need to read details about this please refer to my previous blog here.

Figure 8: Login to private subnet compute

Now we can try to download the file with:

     wget "<pre-authenticated request URL>"

Figure 9: Download object – failed

As expected, the download fails: the private subnet has no Internet Gateway or NAT Gateway, and its route table has no route to the Object Storage endpoint, so the connection cannot be established.

3. Create Service Gateway

We need to create a service gateway to connect our private subnet to the Oracle service network and allow traffic to object storage.

The service gateway can be found under the 'Resources' section of your VCN (Virtual Cloud Network) in the console.

Figure 10: Locate Service Gateway

We provide a preferred name and choose the services the gateway should cover. OCI offers two choices per region: only Object Storage, or all services in the Oracle Services Network. For this post Object Storage is enough; select the broader label only if the subnet also needs to reach other Oracle services.

Figure 11: Create Service Gateway

This concludes the creation part of the service gateway.

4. Configure routing and security rules

Now we need to add a route rule and open the necessary port so the traffic flows via the service gateway.

The route rule needs to be added to the route table associated with the private subnet. As in figure 12, choose 'Service Gateway' as the target type and the previously created gateway as the target. The destination is the Object Storage service CIDR label for the region, not an IP range.

Figure 12: Adding routing rule

Then we need to add an egress rule to the security list of the private subnet. Select 'Service' as the 'Destination type' and the Object Storage service as the 'Destination service'. The protocol is TCP and the destination port is 443. Keep the rule stateful (the default) so the responses are allowed back without a separate ingress rule; if the subnet uses network security groups instead of security lists, the same rule goes there.

Figure 13: Security List

This completes the necessary configuration for routing. 

5. Verify access to object storage

Let's try the download again from the compute instance in the private subnet. This time it should succeed and the file is downloaded without any issue, with the traffic going from the VCN through the service gateway to Object Storage.

Figure 14: Downloading file
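The console steps above as an added example in OCI CLI form (this is not code from the original post). It assumes the oci CLI is installed and configured with a profile allowed to manage networking and Object Storage, and that the OCIDs, bucket name, object name and region are placeholders to replace; the helper functions build the route-rule and egress-rule JSON and the PAR URL, and setup applies the whole procedure in order.

```bash
#!/bin/sh
# Added example: the post's console steps as OCI CLI calls.
# All OCIDs, names and the region below are placeholder assumptions.
set -eu

REGION="${REGION:-us-ashburn-1}"
COMPARTMENT_OCID="${COMPARTMENT_OCID:-ocid1.compartment.oc1..example}"
VCN_OCID="${VCN_OCID:-ocid1.vcn.oc1..example}"
PRIVATE_RT_OCID="${PRIVATE_RT_OCID:-ocid1.routetable.oc1..example}"
PRIVATE_SL_OCID="${PRIVATE_SL_OCID:-ocid1.securitylist.oc1..example}"
BUCKET="${BUCKET:-sgw-demo-bucket}"
OBJECT="${OBJECT:-hello.txt}"

# Route rule for the private subnet's route table: traffic to the Object
# Storage service CIDR label is sent to the service gateway (no IGW/NAT).
route_rule_json() {  # $1 = service cidr label, $2 = service gateway OCID
  printf '[{"destination":"%s","destinationType":"SERVICE_CIDR_BLOCK","networkEntityId":"%s"}]' "$1" "$2"
}

# Stateful egress rule: TCP/443 to the Object Storage service CIDR only.
# Stateful means responses are allowed back without an ingress rule.
egress_rule_json() {  # $1 = service cidr label
  printf '[{"destination":"%s","destinationType":"SERVICE_CIDR_BLOCK","protocol":"6","isStateless":false,"tcpOptions":{"destinationPortRange":{"min":443,"max":443}}}]' "$1"
}

# A PAR is returned as a path ("access-uri"); the full URL is the regional
# Object Storage endpoint plus that path.
par_url() {  # $1 = region, $2 = access-uri
  printf 'https://objectstorage.%s.oraclecloud.com%s' "$1" "$2"
}

# Expiry timestamp N hours from now in the RFC3339 form the CLI expects
# (GNU date first, BSD/macOS date as fallback).
par_expiry() {  # $1 = hours
  date -u -d "+$1 hours" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v+"$1"H +%Y-%m-%dT%H:%M:%SZ
}

setup() {
  # Step 1: bucket, object, and a read-only PAR scoped to that single object
  # with a short expiry (the URL is a bearer secret).
  oci os bucket create --compartment-id "$COMPARTMENT_OCID" --name "$BUCKET" >/dev/null
  printf 'hello from object storage\n' > "$OBJECT"
  oci os object put --bucket-name "$BUCKET" --file "$OBJECT" --name "$OBJECT" >/dev/null
  access_uri=$(oci os preauth-request create --bucket-name "$BUCKET" \
      --name "read-$OBJECT" --access-type ObjectRead --object-name "$OBJECT" \
      --time-expires "$(par_expiry 1)" --query 'data."access-uri"' --raw-output)
  url=$(par_url "$REGION" "$access_uri")
  echo "PAR URL (bearer secret, expires in 1h): $url"

  # Step 3: service gateway enabled for this region's Object Storage service.
  svc_id=$(oci network service list \
      --query "data[?contains(name, 'Object Storage')].id | [0]" --raw-output)
  svc_cidr=$(oci network service list \
      --query "data[?contains(name, 'Object Storage')].\"cidr-block\" | [0]" --raw-output)
  sgw_id=$(oci network service-gateway create --compartment-id "$COMPARTMENT_OCID" \
      --vcn-id "$VCN_OCID" --display-name sgw-objectstorage \
      --services "[{\"serviceId\":\"$svc_id\"}]" --query data.id --raw-output)

  # Step 4: route rule and egress rule. --force skips the interactive prompt;
  # both updates REPLACE the existing rule list, so merge first if the table
  # or security list already carries rules you need to keep.
  oci network route-table update --rt-id "$PRIVATE_RT_OCID" \
      --route-rules "$(route_rule_json "$svc_cidr" "$sgw_id")" --force >/dev/null
  oci network security-list update --security-list-id "$PRIVATE_SL_OCID" \
      --egress-security-rules "$(egress_rule_json "$svc_cidr")" --force >/dev/null

  # Step 5: the same wget that failed in step 2 now succeeds from the private instance.
  echo "On the private instance run: wget -O $OBJECT '$url'"
}

if [ "${1:-}" = "apply" ]; then setup; fi
```

Run it as `sh sgw-setup.sh apply` from a machine with the CLI configured, then run the printed wget on the private instance. The JSON builders are kept separate from the CLI calls so the exact rules being applied can be inspected before `--force` replaces the existing lists.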

This brings us to the end of this blog post. In summary, a service gateway is required to access Oracle services such as Object Storage from a private subnet without an Internet path. In addition to creating the service gateway, we need to add a route rule and update the security list as well.

Disclaimer: The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.