
Oracle Cloud Infrastructure Service Gateway

Recently Oracle announced Service Gateway for Oracle Cloud Infrastructure (OCI). One of the problematic areas I have found with OCI is that if you use Object Storage, for example for your database backups, you have been required to have public internet access from your OCI subnets, either by placing the instance in a public subnet or by using a NAT instance in between.

Service Gateway changes this: you can now reach Object Storage from your private subnet by adding a route rule towards the service gateway only, with no need for public internet access.

This is great news! I wanted to try this out with the example below.

Creating and testing Service Gateway

For this example I had created the following:

  • VCN with a private subnet
  • Empty routing table
  • Empty security list
  • One instance in the private subnet with oci-cli installed
  • A bucket in object storage

Below are the instance and private subnet details (screenshots in the original post).

Instance is created in the Suomenlinna compartment without a public IP address.

Private subnet with its own route table and security list.

First I need to create the Service Gateway under Networking => My Test VCN, selecting Service Gateway from the menu on the left.

To create the SGW, just select the compartment, a name for the SGW and the services to enable. Currently only the Object Storage service is available.
After creation the SGW shows up as available almost immediately.

After creating the Service Gateway I now need to create a route rule in the routing table of the private subnet. If you’ve done some VCN configuration earlier, this is no different from selecting an Internet Gateway for your public subnet.

When configuring the route rule, select Service Gateway as the target type, define the destination service and compartment, and select the SGW you created in the earlier step.

Now that the routing is in place, we are ready to test!

I’m logged into my OCI instance in the private subnet (via a jump server in between). I will use oci-cli to list my buckets in the Suomenlinna compartment.


[opc@instance-20180627-1115 ~]$ oci os bucket list --compartment-id ocid1.compartment.oc1..aaaaaaaafidv5tggg5lxxeb4tf35nkjyl5z4ehdauiiwgk4zhetoq2uehl7a
ServiceError:
{
    "code": "NamespaceNotFound",
    "message": "You do not have authorization to perform this request, or the requested resource could not be found.",
    "opc-request-id": "07178F60467D445ABCB891E721B44A20",
    "status": 404
}

What! Something is missing?

Remember to always configure the security lists as well, since by default everything is denied. Accessing Object Storage is no different.

I will just make the necessary change to my security list, as shown below (screenshot in the original post).
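The three pieces configured by hand above (service gateway, route rule, security list egress rule) as a Terraform definition for the OCI provider. This is an added example, not code from the original post; it assumes two input variables, var.compartment_ocid and var.vcn_ocid, and the display names are made up.

```hcl
# Assumed inputs (not from the post): var.compartment_ocid, var.vcn_ocid
data "oci_core_services" "object_storage" {
  filter {
    name   = "name"
    values = ["OCI .* Object Storage"]
    regex  = true
  }
}

locals {
  svc = data.oci_core_services.object_storage.services[0]
}

resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_ocid
  vcn_id         = var.vcn_ocid
  display_name   = "sgw-object-storage"
  services {
    service_id = local.svc.id
  }
}

# Route only the Object Storage service CIDR to the SGW; no 0.0.0.0/0 rule,
# so the private subnet still has no path to the public internet.
resource "oci_core_route_table" "private" {
  compartment_id = var.compartment_ocid
  vcn_id         = var.vcn_ocid
  display_name   = "rt-private"
  route_rules {
    destination       = local.svc.cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
}

# The route alone is not enough (default security list is deny-all):
# egress to the service CIDR on TCP 443 must be allowed explicitly.
resource "oci_core_security_list" "private" {
  compartment_id = var.compartment_ocid
  vcn_id         = var.vcn_ocid
  display_name   = "sl-private"
  egress_security_rules {
    destination      = local.svc.cidr_block
    destination_type = "SERVICE_CIDR_BLOCK"
    protocol         = "6" # TCP
    tcp_options {
      min = 443
      max = 443
    }
  }
}
```

Attach rt-private and sl-private to the private subnet; the egress rule is stateful, so no matching ingress rule is needed for the responses.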

Time for a new try!


[opc@instance-20180627-1115 ~]$ oci os bucket list --compartment-id ocid1.compartment.oc1..aaaaaaaafidv5tggg5lxxeb4tf35nkjyl5z4ehdauiiwgk4zhetoq2uehl7a
{
    "data": [
        {
            "compartment-id": "ocid1.compartment.oc1..aaaaaaaafidv5tggg5lxxeb4tf35nkjyl5z4ehdauiiwgk4zhetoq2uehl7a",
            "created-by": "ocid1.saml2idp.oc1..aaaaaaaab6mng7jcan6vncjxehd6mkhlobzm4redvlthq2l4nhmqrow7hnza/fivan.bscoperations@uponor.com",
            "defined-tags": null,
            "etag": "62809e66-083e-453e-bc78-916a54dc84a1",
            "freeform-tags": null,
            "name": "test-bucket",
            "namespace": "simo",
            "time-created": "2018-06-25T07:18:23.919000+00:00"
        }
    ]
}

Working! Now I can see my test-bucket in my namespace.

Summary

Service Gateway is a really good addition to the basic functionality you need with OCI. I think for a lot of people, the necessity to use the public internet for database backups could have been an issue.

The next service I’m waiting for, which would be required, is a NAT Gateway service, so you wouldn’t need to create your own NAT instances in the public subnet as you have to do today.

Simo

Comments

  • This is a pretty good feature. I can imagine using the same network architecture for public and non-public resources, by just adding an SGW for the latter.
