Oracle Cloud Infrastructure – Simple Connectivity

This blog post is the first of a series to explain basic components of Oracle Cloud Infrastructure. Here, we are going to discuss creating networking components for basic connectivity.

Following the ‘VCN Wizard’ to create a VCN and related resources is a much easier and faster method. However, the objective of this document is to explain the functionality of each component and therefore we’ll follow manual creation methods. 

Activities 

  1. Create VCN along with related resources without configuring
  2. Create Instances
  3. Check connectivity of public instance 
  4. Complete network configuration for public and verify connectivity
  5. Check connectivity to private instance
  6. Complete network configuration for private subnet and verify connectivity

Architecture

Figure 1 shows the high-level architecture we are going to build. We’ll first look at what networking configuration is required to connect to a compute instance in the public subnet. Then we’ll look at connectivity to the compute instance in the private subnet.

Figure 1: Architecture

  1. Create VCN along with related resources without configuring

A Virtual Cloud Network (VCN) is the logical structure that defines network connectivity on Oracle Cloud Infrastructure, and it is the starting point for creating resources in the cloud. Since the objective of the blog is to describe the fundamentals, we’ll go through the manual VCN creation path instead of the Wizard.

Figure 2: Locate VCN

As in figure 3, we need to provide a suitable name and CIDR block for the VCN. In our case the CIDR block is ‘10.1.0.0/16’.

Figure 3: Create VCN

Routing is essential to bring traffic from the required sources to our VCN (more precisely, to the subnets we are going to create in a moment). The ‘route table’ is the network resource that takes care of that. For our setup we’ll have one route table for the public subnet and another route table for the private subnet.

A default route table is created along with the VCN, so we can use it for the public subnet. Therefore we only need to create a route table for the private subnet.

As in figure 4, provide a suitable name for the route table and create it. At this point we are not going to add any route rules; explaining why they are needed is the objective of the blog.

Figure 4: Create routing table

Once routing is set up, we can control what type of traffic is allowed from those sources. For example, only TCP 80 may be allowed from the company network while everything else is denied. This is controlled by the ‘security list’, which acts as the firewall for the subnets in the VCN.

Similar to route tables, a default security list is also created along with the VCN. In our case we’ll create an additional security list for the private subnet.

Figure 5: Create security list

Next, we need to create subnets. A subnet is a logical subdivision of the VCN. In our case we are going to create one subnet for public access and another for private access, so that publicly facing resources like load balancers and web servers can be placed on the public subnet. The private subnet is not exposed to the public Internet, and therefore resources that need protection, such as the database, can be provisioned there.

Figure 6: Locate Subnet

Firstly, we’ll create a public subnet as in figure 7. As our VCN CIDR is 10.1.0.0/16, we need to pick a subset of it as the public subnet; in this case it is 10.1.1.0/24. Make sure to select ‘Default route table’ as the route table and ‘Default security list’ as the security list. Most importantly, select ‘Public Subnet’ as the access type.

Figure 7: Create Public Subnet

Next, we need to create a private subnet as in figure 8. This time select the newly created route table and security list. The CIDR block is again a subset of the VCN CIDR, in our case 10.1.2.0/24. Choose ‘Private Subnet’ as the access type.

Figure 8: Create Private Subnet

2. Create Instances

Let’s create the instances below as our environment:

We are creating two application instances to showcase load balancing at a later stage. This is discussed in the next blog post.

Instance Name   Placement        Purpose
AppA            Public Subnet    Application server to be accessed via the public Internet
AppB            Public Subnet    Application server to be accessed via the public Internet
Database        Private Subnet   Database server with no public Internet access
winbastion      Public Subnet    Jump server used to access the database

Navigate to compute instance as in figure 9 and click on ‘Create instance’.

Figure 9: Locate Instances

As the first instance, we are creating ‘AppA’. Make sure to select the public subnet we created so that the instance is placed on that subnet. Figure 10 doesn’t show the details of the instance created, but you can leave the default shape and OS (1 OCPU, Oracle Linux).

Figure 10: Creating AppA

Similarly, we can create ‘AppB’ on the public subnet as well. However, you can skip creating this instance until we create the load balancer (discussed in the next blog).

Figure 11: Creating AppB

Now, let’s create a database instance which needs to be placed in the private subnet. Make sure to choose the private subnet created earlier.

Figure 12: Creating Database

Next we will create a bastion host on the public subnet. To keep things simple, I’m creating a Windows instance. Note that there is also a Bastion service available to serve this purpose.

Figure 13: Creating Bastion

Now we can see all our instances as in figure 14. Note that ‘AppA’, ‘AppB’ and ‘winbastion’ have public IPs while the database instance has only a private IP.

Figure 14: Running Instances

3. Check connectivity of public instance 

Alright! Now that we have provisioned our instances and created our VCN, let’s connect to ‘AppA’. To do that we create a PuTTY session (or use any other SSH client), providing the instance’s public IP and the private key of the instance (which can be generated at the time of instance creation).

Figure 15: Putty Connection to AppA

Oops! It didn’t work 🙁 We are getting an error like the one in figure 15.

Figure 15: Putty Connection error

Let’s understand the reason for this. 

  • Firstly, the VCN and subnet require some sort of ‘gateway’ to connect to the Internet. Without one, the subnet is just an isolated component even though it’s marked as ‘Public Subnet’. For this, we need to create an ‘Internet Gateway’.
  • Secondly, the subnet needs to know how traffic to and from the Internet should travel. To do this, we need to add route rules to the route table.
  • Thirdly, the subnet needs to know what type of traffic it is supposed to accept: only HTTP, any port, etc. For this, we need to update the security list with the necessary rules.

4. Complete network configuration for public

This section covers the connectivity for the public subnet.

4.1 Create Internet Gateway

We can add an ‘Internet Gateway’ as in figure 16.

Figure 16: Create Internet Gateway

4.2 Add Route Rule

Our public subnet was created to use the default route table of the VCN. Therefore we need to add a route rule to the default route table so that traffic can flow to and from the public Internet. As in figure 17, select the Internet Gateway we created and the destination CIDR. In this case all traffic (0.0.0.0/0) will travel through the Internet Gateway.

Figure 17: Add route rule – default routing table

4.3 Update Security List

Our public subnet uses the default security list of the VCN.

Figure 18: Choose Default Security List

Since our intention for now is just to connect via PuTTY or ssh, we need to add an ingress rule for TCP port 22 as in figure 19.

Figure 19: Add security rule

4.4 Verify the connectivity 

Now go back to the PuTTY connection and retry.

Voila! It works now!

Figure 20: Putty connect to AppA

This concludes the connectivity to the public subnet.

5. Check connectivity to private instance

Since our database compute instance is provisioned inside the private subnet, we cannot access it via the public Internet. However, we might need to connect to the instance for maintenance purposes. For this, the general approach is to have a ‘jump host’ on the public subnet and connect to it first. Then we can configure our network so that the jump host can reach the private subnet.

User → Bastion (on Public Subnet) → Database (on Private subnet)

In our scenario, we created a Windows compute instance as the bastion. First we’ll connect to it and check connectivity to the private subnet.

We can use a Remote Desktop connection to the bastion compute instance as in figure 21.

Figure 21: Remote Desktop to bastion

Then try to create a PuTTY session to the database using its private IP address and private key.

Figure 22: Putty to database

The connection from the bastion to the database server fails.

Figure 23: Putty to database – failed

The reason for this is that, even though both subnets are in the same VCN, the traffic is not allowed by the private subnet’s security list.

6. Complete network configuration for private subnet and verify connectivity

Let’s remind ourselves of our subnet CIDRs:

Public Subnet    10.1.1.0/24
Private Subnet   10.1.2.0/24

So, we need to allow traffic from 10.1.1.0/24 to our private subnet. To do this, let’s visit the security list created for the private subnet.

As you can see in figure 24, no rules exist yet. Let’s add access from the public subnet by clicking ‘Add Ingress Rules’.

Figure 24: Private security list

Since we only need ssh, an ingress rule for TCP port 22 from the public subnet CIDR (10.1.1.0/24) is enough.

Figure 25: Add public ingress rule

Now also add an egress rule for the public subnet.

Figure 26: Add public egress rule

Let’s test the connectivity now.

Figure 27: Connection to database

Yes! It’s working!

So, to summarize what we discussed: to establish connectivity to our resources, we need to configure proper route rules and security list rules.
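To make the three requirements from section 3 and the fix in section 6 concrete, here is an added Python model (not part of the original post and not an OCI API) that evaluates a subnet’s route table and security list for the CIDRs used above. The instance IPs, the Internet client address and the before/after rule sets are constructed to mirror the post’s steps; rules are treated as stateful, which is the OCI default.

```python
import ipaddress

# Topology from the post: VCN 10.1.0.0/16 with a public (10.1.1.0/24) and a private (10.1.2.0/24) subnet.
VCN = ipaddress.ip_network("10.1.0.0/16")

def route_target(route_rules, dst_ip):
    """Longest-prefix match over (cidr, target) rules. Destinations inside the VCN
    are delivered locally without any explicit rule."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in VCN:
        return "local"
    best = None
    for cidr, target in route_rules:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def ingress_allowed(ingress_rules, src_ip, protocol, dst_port):
    """Rules are (source_cidr, protocol, dst_port); port None means all ports."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(src) and proto in ("all", protocol)
               and port in (None, dst_port)
               for src, proto, port in ingress_rules)

def ssh_reachable(src_ip, dst_ip, route_rules, ingress_rules):
    """Inbound SSH to dst_ip works when the destination subnet's security list admits
    the packet and its route table can carry the reply back to the source.
    Returns (ok, list of problems) so every missing piece is reported at once."""
    problems = []
    if ipaddress.ip_address(dst_ip) not in VCN:
        problems.append("destination not in VCN")
    if route_target(route_rules, src_ip) is None:
        problems.append("no route back to source")
    if not ingress_allowed(ingress_rules, src_ip, "tcp", 22):
        problems.append("blocked by security list")
    return not problems, problems

# Constructed state before and after the post's steps 4 and 6 (hypothetical addresses).
PUBLIC_RT_BEFORE, PUBLIC_SL_BEFORE = [], []
PUBLIC_RT_AFTER = [("0.0.0.0/0", "internet-gateway")]     # step 4.2
PUBLIC_SL_AFTER = [("0.0.0.0/0", "tcp", 22)]              # step 4.3
PRIVATE_RT = []                                           # private subnet: no gateway route
PRIVATE_SL_BEFORE = []
PRIVATE_SL_AFTER = [("10.1.1.0/24", "tcp", 22)]           # step 6: only the public subnet may ssh
INTERNET_CLIENT, APPA = "203.0.113.10", "10.1.1.11"
BASTION, DATABASE = "10.1.1.12", "10.1.2.21"

if __name__ == "__main__":
    print(ssh_reachable(INTERNET_CLIENT, APPA, PUBLIC_RT_BEFORE, PUBLIC_SL_BEFORE))
    print(ssh_reachable(INTERNET_CLIENT, APPA, PUBLIC_RT_AFTER, PUBLIC_SL_AFTER))
    print(ssh_reachable(BASTION, DATABASE, PRIVATE_RT, PRIVATE_SL_BEFORE))
    print(ssh_reachable(BASTION, DATABASE, PRIVATE_RT, PRIVATE_SL_AFTER))
    print(ssh_reachable(INTERNET_CLIENT, DATABASE, PRIVATE_RT, PRIVATE_SL_AFTER))
```

The last call is the check worth keeping: even after step 6 the database stays unreachable from the Internet, because the private subnet has neither a gateway route nor an ingress rule for addresses outside 10.1.1.0/24.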

Disclaimer: The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.