[非公開]Oracle Cloud Infrastructure Classic ネットワーク機能詳細

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Oracle Cloud Infrastructure
OCI Classic v2.7
2017 12

Safe Harbor Statement
3

• Oracle Cloud Infrastructure (OCI)
• 2017 9 Bare Metal Cloud Service (BMC) Oracle Cloud Infrastructure (OCI) Oracle Public
Cloud (OPC) Oracle Cloud Infrastructure Classic (OCI Classic)
• OCI Classic OCI Classic PaaS
Oracle Cloud Infrastructure( Bare Metal Cloud) Oracle Ravello
–
•
Oracle Cloud
(http://cloud.oracle.com)
4
• Oracle Cloud Infrastructure Compute Classic
• Oracle Database Cloud Service (on OCI Classic)
• Oracle Java Cloud Service (on OCI Classic)
• OCI SOA Cloud Service (on OCI Classic)

OCI Classic
5

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 7
OCI Classic SDN (IP )

• Oracle Cloud 1
• Oracle
IP IP
• 30bit
L3
• PaaS
8
Oracle Cloud
Instance1
eth0
Instance2 Instance3 Instance4
eth0 eth0 eth0
: 10.168.0.0/16
Instance5
eth0
Internet / FastConnect
.22/30 .42/30
Identity Domain 1 Identity Domain 2
.50/30 .134/30 .6/30
NAT
129.152.148.131
( IP)
129.152.148.130
( IP)

• 2016 10
( )
•
–
• IP
NIC IP
10
Instance1
eth0 eth1
IP : 192.168.3.0/24
IP :
192.168.2.0/24
IP :
192.168.2.0/24
Instance2 Instance3 Instance4
eth1 eth2 eth1 eth2 eth0 eth1
: 10.32.1.0/24
Instance5
eth1 eth1
internet
.21 .42.2 .3
Identity Domain 1 Identity Domain 2
.4.2 .3 .2 .3
129.152.148.130
( IP)
129.152.148.131
( IP)
IP
NAT

IP
…
1.
2. IP
3. ( NIC)
4. VPN (Corente Cloud Gateway)
WAN (GRE )
5. / (
/ )
6. NIC MAC
( MAC )
11

Web
VPN VPN
VPN

Oracle Cloud
OCI Classic
VPN-GW
(Corente
Services
Gateway)
VPN-GW
VPN
Web
(Compute Cloud Service)
(Java Cloud Service*)
(Database Cloud Service*)
* (2017 11 ) Java Cloud Service/Database Cloud Service IP

OCI Classic
14

• IP
– IP
– IP
– NIC
– NIC
– *
– *
– *
– IP *
– IP *
•
–
–
–
– IP
– IP
• VPN
– VPNaaS
– Corente**
– FastConnect
15
OCI Classic
* (2017 11 ) * (
)
** Corente 2017 10 (17.4.2)

IP – IP
16
IP 1
192.168.1.0/24
IP 2
192.168.2.0/24
.2 .3 .2 .3
IP (IPNetworks)
•
• 16bit
( : 10.0.0.0 – 10.0.255.255)
• IP
•
( )
• 1
( DHCP DNS )
•
•

IP – IP
17
IP 1
192.168.1.0/24
IP 2
192.168.2.0/24
IP
.2 .3 .2 .3
IP (IPNetworkExchanges)
• IP IP
• IP
• IP :IP = 1:
IP 1 IP
•
.1 .1

IP – NIC
18
eth0
: 10.32.1.0/24
.21
eth1 eth2 eth3 eth7
IP : 192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.7.0/24
.2 .2 .2 .2
NIC (VirtualNICs)
• 8
• IP 1 NIC
• (= )
• 8 IP
• IP
IP

IP – NIC
19
eth0
.2
eth0
.3
IP (192.168.1.0/24)
VPN VPN
eth0 eth0
eth1 eth1
.8 .9
NIC (VirtualNICSets)
• NIC ( OK)
• NIC OK
• ACL
internet
192.168.101.0/24
(Routes)
•
• IP (CIDR)
NIC
• IP
ECMP
LAN

IP –
20
Instance1
(AP)
eth0
IP
Instance2
(AP)
eth0
• NIC /
(ACL)
•
NIC
Instance3
(DB)
eth0
NIC (AP) NIC (DB)
allow-ping
: icmp
:
: icmp
:
1521-egress
-to-DB
1521-ingress
-from-AP
: 1521
:
: DB
: 1521
:
: AP
* (2017 11 ) ( )

IP – IP *
21
Instance1
eth0
IP
Instance2
eth0
IP (IPAddressReservations)
•
IP 1 1NAT IP
NIC
• IP ( IP)
NIC
GIP
NAT
.2 .3
GIP
internet
NAT
* (2017 11 ) ( )
•
IP 1 1NAT IP
NIC
• IP

IP – DNS
22
web1
eth0
IP (192.168.1.0/24)
web2
eth0
DNS
• IP 1 IP
DNS
• IP
• ( ) A
IP DNS
• DNS (IP
VPN
)
.2 .3
DNS
.1
web1.ipnet1.abc.com. IN A 192.168.1.2
web2.ipnet1.abc.com. IN A 192.168.1.3
www.abc.com. IN A 192.168.1.2
www.abc.com. IN A 192.168.1.3

Instance1
eth0 eth1
IP
Instance2
eth1
Data Center 1
Instance3
eth0
Data Center 2
WAN
internet
•
• IP PaaS
IP
• IP
Storage Cloud

– IP
24
Instance1
eth0 eth1
IP
Instance2
eth1
internet
IP (IPReservations)
•
IP NAT
•
IP
• Database Cloud Service PaaS
1 IP
IP
NAT
NAT (IPAssociations)
• IP ( IP)
IP 1 1

– DNS
25
web1
eth0
web2
eth0
DNS
• DNS
DHCP
•
IP
• ( )
•
(Compute-
<domain>.oraclecloud.internal)
DNS
web1.compute-mydomain.oraclecloud.internal. IN A 10.168.x.y
web2.compute-mydomain.oraclecloud.internal. IN A 10.168.x.y

–
26
AP1
eth0
AP2
eth0
DB
eth0
seclist-ap seclist-db
: seclist-ap
: seclist-db
: tcp/1521
: 0.0.0.0/0
: seclist-ap
: tcp/443
: ( IP)
: seclist-db
: tcp/22
IP
• Oracle Cloud IP
• IPv4 CIDR
•
•
• (from)
(to)
•
IP

IP
28
1. PaaS(DBCS, JCS ) IP
– : XXCOM (USCOM-CENTRAL-1, USCOM-EAST-1, GBCOM-
SOUTH-1, AUCOM-EAST-1 ) DC(AP5_Z11)
– : AP5_Z11( DC) / US00n_Znn / EM00n_Znn
• PaaS ComputeCS
PaaS GRE ( ) NAT
2. IP (=ACL) &
IP NAT (IP )
– : XXCOM AP5_Z11( DC) US006_Znn
– : US00n_Znn / EM00n_Znn
• ( IP )
New!

IP
30
OCI Classic
(SecRules)
+ +
(SecurityRules)
NIC
+
+ /
+
/ IP
NIC
NICOracle Cloud →
Oracle Cloud → IP
Oracle Cloud →
Oracle Cloud → IP
NIC

• /
•
/
(
)
– (Deny)
•
– (Reject)
•
– (Permit)
•
( )
31

•
–
–
–
32
Ins Ins Ins
A B
※1 8

•
• ( or IP
) ( or )
33
(SecRules)
?
?
OCI Classic →
→ IP

•
•
•
–
• TCP
• UDP
• ICMP
• GRE
• ESP
– ~
34

• IP
•
• IP
(IP )
•
35
IP

8
1
10
n n
1
IP
1
n
Oracle Cloud(PaaS / IaaS)
/
/
IP
IP
IP

•
– →
:
– :
•
•
• DBCS PaaS
– DBCS (
DBCS )
– : DBCS
Compute DBCS
Seclist-AP
Compute DBCS
Seclist-DB

IP
•
–
–
–
•
• IP
• IP
38
(REST API SecurityRules)
ACL ?
( / )
IP
IP

OCI Classic
39

OCI Classic
•
• Oracle Cloud
SSL
•
• VPN
• IPsec
•
• Oracle Cloud DC
• Oracle
•
(1Gbps / 10Gbps)
• Oracle Cloud
•
+ SSL
VPN
(IPsec)
Oracle
FastConnect
Standard
Edition
Partner
Edition
(NTT-
Com,Verizon
,BT )
Oracle Cloud
Oracle Cloud
i
Oracle Cloud
NW
NW
Oracle
Oracle

VPN OCI Classic
Virtual Private Network(VPN)
VPN
Point-to-Point( )
42
On-Premise Oracle Cloud
VPN

VPN
43

• Corente
–
– Compute
– IP (GRE )
• VPNaaS
– VPN
–
– IP
Oracle Confidential – Internal 44
2 VPN
IP
LAN
GRE
internet
IPsec
Corente
Service Gateway
Corente
Service Gateway
IP
LAN
internet
IPsec
VPNaaS
Compute JCS DBCS

VPN
• 2017 10 20 ( ) Corente
+ VPNaaS ( ) VPNaaS
– Corente VPNaaS (Corente
)
• VPNaaS IP ( VPN
)
– : RAC Data Guard Database Cloud Service
(2017 12 ) IP VPNaaS
NAT
Confidential – Oracle Internal/Restricted/Highly Restricted 45

VPN (2017 10 )
DBCS/JCS
?
YES
NO
IP
+
2017 10 ?
YES
NO
Corente + NW(GRE)
RAC
Data Guard ?
YES
NO
VPNaaS + IP
IPsec ?
NO
YES

VPN - VPNaaS
47

VPNaaS
Confidential – Oracle Internal/Restricted/Highly Restricted 48
VPNaaS
(
DatabaseCompute
Compute
Gateway
Gateway
IP Network
Compute
IP Exchange
IP Network
Oracle Cloud
NAT
• VPN VPNaaS)
• VPN
•
NAT
•
IP Network
• IP Network IP Exchange

VPNaaS
• VPN
IPsec VPNaaS
Oracle
•
– Cicso 2921
– Cisco ISR 4331
– Cisco ASA5505
– Checkpoint 3200
– Palo Alto 3020
– FortiGate-200D
•
49

VPN (1)
•
–
• IP
– (IP
)
– IP IP
• vNICset( )
•
– WAN IP(NAT )
•
– (
)
• (PSK)
– ( )
• IKE ID( )
– IP_ADDR_V4 VPNaaS IP
50

VPN (2)
• 1 IKE
– 1(IKE) VPNaaS
• 2 ESP
– 2(ESP) VPNaaS
•
– 2 PFS : Perfect Forward
Securecy
51

VPNaaS TIPS
• IKEv1 (IKEv1 IKEv2 )
• VPN ( VPN )
– IP N
• VPN VPNaaS IP IP
• VPN VPN (=
IP )
– (= IP)
– (= )
– (PSK)
– IP (= IP )
• 1 VPN 1
• VPNaaS
52

VPN
•
– VPN > VPNaaS > VPN >
• VPNaaS (=Corente Services
Gateway) Openswan
– Openswan
– strongSwan
– Libreswan
53

VPN - Corente
54

VPN – Corente
55
Corente Services Gateway
• Corente Services Gateway
– IPsec
– OCI Classic
– VPN
– OS
Oracle Compute Cloud Cloud
App Net Manager
– VPN

VPN – Corente
56
DC VPN
• 1. Corente Services Gateway
– Oracle Technology Network Corente Services Gateway
–
–
– Oracle (Oracle Cloud )
• 2. IPsec
– IPsec

VPN – Corente
57
DC GW Corente Services Gateway
•
A)
• ( )
– Oracle VM 3.4.1
– Xen 4.4, VMWare ESX5.5
– Citrix XenServer 6.2
– Microsoft Windows Server 2012 R2 Hyper-V
B) Corente
•
• (Corente AppNet
Manager)
→
Oracle Cloud

VPN – Corente
• DC Corente
–
• Corente → IP (ANY) 443/TCP ( )
• Corente → IP (ANY) 53/UDP ( )
• Corente 1025-65535/TCP → IP (ANY) 551/TCP (Corente Service Port)
• Corente 551/UDP → IP (ANY) 551/UDP (Corente Service Port)
–
• IP (ANY) 1025-65535/TCP → Corente 551/TCP (Corente Service Port)
• IP (ANY) 551/UDP → Corente 551/UDP (Corente Service Port)
58
Corente Services Gateway Deployment Guide - 2.2 Network Requirements
http://docs.oracle.com/cd/E74662_01/E80339/html/install-plan-lan.html#install-plan-lan-fw

VPN – Corente
59
: 1.5 GHz Intel-based x86 compatible server
: 1 GB RAM
: 40 GB IDE/SATA
: Integrated 10/100/1000M Ethernet Interfaces
Oracle VM Server for x86 Release 3.4.1 or later
Xen 4.4
VMware ESX 5.5
Citrix XenServer 6.2
Microsoft Windows Server 2012 R2 Hyper-V
※Corente Services Gateway Deployment Guide
(http://docs.oracle.com/cd/E74662_01/E80339/E80339.pdf)
2.1 Corente Services Gateway Installation Requirements

VPN – Corente
60
DC GW IPsec
•
(Certified Configuration) IPsec
• My Oracle Support
– Cisco ASA 5505 (Doc ID 2153452.1)
– SonicWall TZ190 (Doc ID 2153603.1)
– Juniper JuneOS15 (Doc ID 2164001.1)
•
– Cisco CSR1000v (How to connect an application on Ravello
to Oracle IaaS/PaaS services (e.g. DBCS etc.) over VPN)
Oracle Cloud

VPN – Corente
• Oracle Compute Cloud
IP
Oracle Cloud IP
IP
GRE
61
NW IP

VPN – Corente
Compute / PaaS
GRE
• Oracle Technology Network (Linux,
Windows )
• : 10.0.0.0/8
62
NW GRE

Corente Active / Active HA ( IPsec )
VPN
IPsec
IPsec
CSG01
(Active)
CSG02
(Active)
eth0
IP
192.168.55.0/24
.8
.9
VMvNIC Set:A
Name IP Address Next Hop vNIC Distance
Outbound 192.168.0.0 A 0
Routes:
route add -net
192.168.0.0/24
gw 192.168.55.1
IPsec
DC
192.168.0.0/24
(VRRP, HSRP,
MHSRP, etc) .100
Static Route
Cloud Failover
eth0eth1
eth1
OCI Classic
VM
.2
IPsec
F/W

Corente Services Gateway IPsec
• /
64
VPN
• Oracle Cloud
• ( ) NAT / NAPT
• IPsec VPN
• ( )NAT / NAPT• AppNet Manager
•
• IP( 1 )
• IPsec
• IPsec
• VPN IP (IP )
•
• VPN IPsec
•
• AppNet Manager IPsec
• Oracle Cloud
•
VPN
Oracle Cloud
LAN

VPN
65
※ (2017 12 ) Database Cloud Service (RAC Data Guard) IP
IP VPN IP
GRE
NW VPNGW
IP
VPNaaS IPsec &
Oracle Cloud Infrastructure Compute Classic - 16 VPNaaS VPN
Corente
IPsec
Oracle Cloud Infrastructure Compute Classic - VPN
(Active-Active HA) - HA
Corente
Corente Services Gateway IP
VPN
+
GRE ※
Corente
IPsec
Oracle Cloud Infrastructure Compute Classic - VPN
(Active-Active HA) - HA
Corente Corente Services Gateway VPN

• Oracle Cloud
VPN
•
• Oracle Cloud IP
1.
Compute
eth0
IP
192.168.1.0/24
Compute Java AP
eth0 eth0
internet
.2 .3 .4
IP
Oracle Cloud VPN IP
IP
67
VPNaaS
.253
Database
eth0
.5

• Web
•
• VPN
• (Bastion)
2.
Web
eth1
Back: 192.168.2.0/24
AP* DB* Bastion
eth0 eth0eth1
.2.3 .5 .2
IP
Oracle Cloud
eth0
.2
internet
IP
Web
VPN
IP
69
eth0
.4
NAT
NAT
Front: 192.168.0.0/24
IP
VPNaaS
.253
Mgmt:
192.168.1.0/24

TIPS
70

OCI Classic
• IP IP ( )IP
( )IP
– DHCP
IP
• IP ( )IP
– DHCP
( DNS )
• IP IP
– IP Site-to-site VPN
71

• OCI Classic DHCP
OS
– Oracle Linux (eth0 )
72
OracleLinux1
eth2
IP 1
IP 2
eth0 eth1
✓
DNS
✓
IP OracleLinux2
eth0
eth1 eth2
✓ IP 2
DNS
✓IP 2
IP 1

• IP
• IP(IP ) IP
73
IP
IP
internet
NAT
GW

( )
• : IP
– (Linux)
• sudo ip route add 10.196.0.0/16 via $(ip route | awk '/default/ {print $3}’) dev eth0
• sudo ip route change default via 192.168.1.1 dev eth1
– IP ssh
( ssh )
74

( )
•
”instance” ( )
• ”userdata” ( {} )
75
"instances": [
{
"attributes": {
"userdata": {
"pre-bootstrap": {
"script": [
"ip route add 10.196.0.0/16 via $(ip route | awk '/default/ {print $3}') dev eth0",
"ip route change default via 192.168.1.1 dev eth1"
]
}
}
},
xxxxxx
}
]
※
10.196.0.0/16 -> IP
Eth0 -> NIC
192.168.1.1 -> IP (1 )

NIC IP
76
• IP 1
IP
• 1
→
IPeth0
(10.x.x.x)
eth1
(192.168.1.2)
eth2
(192.168.2.2)
internet
NAT
GIP2GIP1 GIP3
IPnet1 IPnet2
sudo ip rule add from 192.168.1.2 table 100 prio 1000
sudo ip rule add from 192.168.2.2 table 200 prio 1000
sudo ip route add default via 192.168.1.1 dev eth1 table 100
sudo ip route add default via 192.168.2.1 dev eth2 table 200
IPDefault GW
IP
※ IP

1 NIC IP
(IP )
77
• IP
NIC IP
• IP NIC
IP IP
IP
eth0
192.168.1.2
192.168.1.10
IP (192.168.1.0/24)
IP :192.168.1.10/32
: 1 eth0 (vNICSet )
$ sudo ip addr add 192.168.1.10/32 dev eth0 label eth0:1
$ ip addr list eth0 | grep inet
inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
inet 192.168.1.10/24 scope global secondary eth0:1
IP

Instance1
eth0
Instance2
eth0
internet
IP
NAT
Active Standby
35.x.x.x ( IP)
10.x.x.1
( IP)
10.x.x.2
( IP)
IP
Instance1
Instance1
eth0
Instance2
eth0
internet
IP
NAT
Active Standby
35.x.x.x ( IP)
10.x.x.1
( IP)
IP
10.x.x.2
( IP)
• IP IP Instance 1
• IP
• Instance1 IP
IP Instance2

Instance1 Instance2
IP
79
eth1
192.168.1.3
eth1
192.168.1.4
IP
(192.168.1.0/24)
Instance1
• Instance1 Instance2
eth1 2 IP
※
• 2 IP
192.168.1.11eth1:1
Instance
eth1
Active Standby
• IP NIC OS IP
2 IP
• OCI Classic 2 IP
※ L2 2
IP
※ NIC
192.168.1.11
Instance1
eth1
192.168.1.2
: 192.168.1.11
Instance1 Instance2
eth1
192.168.1.3
eth1
192.168.1.4
IP
(192.168.1.0/24)
192.168.1.11eth1:1
Instance
eth1
Active Standby
192.168.1.2
192.168.1.11
Instance2
eth1

[非公開]Oracle Cloud Infrastructure Classic ネットワーク機能詳細

[非公開]Oracle Cloud Infrastructure Classic ネットワーク機能詳細

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a [非公開]Oracle Cloud Infrastructure Classic ネットワーク機能詳細

Semelhante a [非公開]Oracle Cloud Infrastructure Classic ネットワーク機能詳細 (20)

Mais de オラクルエンジニア通信

Mais de オラクルエンジニア通信 (20)

Último

Último (20)

[非公開]Oracle Cloud Infrastructure Classic ネットワーク機能詳細