Recently Oracle announced Service Gateway for Oracle Cloud Infrastructure (OCI). One of the problematic areas what I have found with OCI is that if you use Object Storage for example for your database backups you have been required to have public internet access from your OCI subnets either by placing instance to public subnet or using a NAT instance between.
Service Gateway is going to change this as now you can access object storage through your private subnet by setting the route rule towards service gateway only without need to access public internet.
This is great news! I wanted to try this out with below example.
For this example I had created following:
Below are instance and private subnet details.
First I will need to create the Service Gateway under Networking => My Test VCN and selecting Service Gateway from the left.
After creating the Service Gateway I now need to create a route rule on my routing table for the private subnet. If you’ve done some VCN configuration earlier this is no different than selecting an Internet Gateway for your public subnet.
So now when we have the routing in place we are ready to test!
I’m logged into my OCI instance in the private subnet (by using a jump server in between). I will use oci-cli to list my buckets in the Suomenlinna compartment.
[opc@instance-20180627-1115 ~]$ oci os bucket list --compartment-id ocid1.compartment.oc1..aaaaaaaafidv5tggg5lxxeb4tf35nkjyl5z4ehdauiiwgk4zhetoq2uehl7a ServiceError: { "code": "NamespaceNotFound", "message": "You do not have authorization to perform this request, or the requested resource could not be found.", "opc-request-id": "07178F60467D445ABCB891E721B44A20", "status": 404 }
What! Something is missing?
Remember always to configure also security lists as by default everything is denied. Accessing Object Storage is no different.
I will just make necessary change to my security list as shown below.
Time for a new try!
[opc@instance-20180627-1115 ~]$ oci os bucket list --compartment-id ocid1.compartment.oc1..aaaaaaaafidv5tggg5lxxeb4tf35nkjyl5z4ehdauiiwgk4zhetoq2uehl7a { "data": [ { "compartment-id": "ocid1.compartment.oc1..aaaaaaaafidv5tggg5lxxeb4tf35nkjyl5z4ehdauiiwgk4zhetoq2uehl7a", "created-by": "ocid1.saml2idp.oc1..aaaaaaaab6mng7jcan6vncjxehd6mkhlobzm4redvlthq2l4nhmqrow7hnza/fivan.bscoperations@uponor.com", "defined-tags": null, "etag": "62809e66-083e-453e-bc78-916a54dc84a1", "freeform-tags": null, "name": "test-bucket", "namespace": "simo", "time-created": "2018-06-25T07:18:23.919000+00:00" } ] }
Working, now I can see my test-bucket on my namespace!
Service Gateway is really good addition to basic functionality you need with OCI. I think for a lot of people having a necessity to use public internet for your database backups could have been an issue.
Next service I’m waiting which would be required is a NAT Gateway service so you wouldn’t need to create your own NAT instances in the public subnet like you have to do today.
Last time I showed how to provision Autonomous Database Serverless (ADB-S) on Google Cloud. This…
I bet few years back folks didn't expect that by 2024 we would be able…
This will NOT be a technical walkthrough on Oracle Database@Azure but rather my opinions and…
Recently OCI announced small but VERY useful service, IP Address Insights. Why this matters? I've…
View Comments
This is a pretty good feature. I can imagine using same network architecture for public and non-public resources, by just adding an SGW for the later.