Oracle Cloud Infrastructure Classic ネットワーク機能詳細

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |

Oracle Cloud InfrastructureOCI Classic v2.7

2017 12


Safe Harbor Statement

3


• Oracle Cloud Infrastructure (OCI)

• 2017 9 Bare Metal Cloud Service (BMC) Oracle Cloud Infrastructure (OCI) Oracle Public Cloud (OPC) Oracle Cloud Infrastructure Classic (OCI Classic)

• OCI Classic OCI Classic PaaSOracle Cloud Infrastructure( Bare Metal Cloud) Oracle Ravello

–

•Oracle Cloud

(http://cloud.oracle.com)

4

• Oracle Cloud Infrastructure Compute Classic• Oracle Database Cloud Service (on OCI Classic)

• Oracle Java Cloud Service (on OCI Classic)• OCI SOA Cloud Service (on OCI Classic)

http://cloud.oracle.com/


OCI Classic

5

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 7

OCI Classic SDN (IP )


• Oracle Cloud 1

• OracleIP IP

• 30bit

L3

• PaaS

8

Oracle Cloud

Instance1

eth0

Instance2 Instance3 Instance4

eth0 eth0 eth0

: 10.168.0.0/16

Instance5

eth0

Internet / FastConnect

.22/30 .42/30

Identity Domain 1 Identity Domain 2

.50/30 .134/30 .6/30

NAT

129.152.148.131( IP)

129.152.148.130( IP)


• 2016 10( )

•

–

• IPNIC IP

10

Instance1

eth0 eth1

IP : 192.168.3.0/24

IP : 192.168.2.0/24

IP : 192.168.2.0/24

Instance2 Instance3 Instance4

eth1 eth2 eth1 eth2 eth0 eth1

: 10.32.1.0/24

Instance5

eth1 eth1

internet

.21 .42.2 .3

Identity Domain 1 Identity Domain 2

.4.2 .3 .2 .3

129.152.148.130( IP)

129.152.148.131( IP)

IP

NAT


IP

…1.

2. IP

3. ( NIC)

4. VPN (Corente Cloud Gateway)WAN (GRE )

5. / (/ )

6. NIC MAC( MAC )

11


Web

VPN VPN

VPN


Oracle Cloud

OCI Classic

VPN-GW(CorenteServices

Gateway)

VPN-GW

VPN

Web(Compute Cloud Service)

(Java Cloud Service*)

(Database Cloud Service*)

* (2017 11 ) Java Cloud Service/Database Cloud Service IP


OCI Classic

14


• IP

– IP

– IP

– NIC

– NIC

– *

– *

– *

– IP *

– IP *

•

–

–

–

– IP

– IP

• VPN

– VPNaaS

– Corente**

– FastConnect

15

OCI Classic

* (2017 11 ) * ()

** Corente 2017 10 (17.4.2)


IP – IP

16

IP 1192.168.1.0/24

IP 2192.168.2.0/24

.2 .3 .2 .3

IP (IPNetworks)•

• 16bit( : 10.0.0.0 – 10.0.255.255)

• IP

•( )

• 1

( DHCP DNS )

•

•


IP – IP

17

IP 1192.168.1.0/24

IP 2192.168.2.0/24

IP

.2 .3 .2 .3

IP (IPNetworkExchanges)• IP IP

• IP

• IP :IP = 1:IP 1 IP

•

.1 .1


IP – NIC

18

eth0

: 10.32.1.0/24

.21

eth1 eth2 eth3 eth7

IP : 192.168.1.0/24

192.168.2.0/24

192.168.3.0/24

192.168.7.0/24

.2 .2 .2 .2

NIC (VirtualNICs)• 8

• IP 1 NIC

• (= )

• 8 IP

• IPIP


IP – NIC

19

eth0

.2

eth0

.3

IP (192.168.1.0/24)

VPN VPN

eth0 eth0

eth1 eth1

.8 .9

NIC (VirtualNICSets)• NIC ( OK)

• NIC OK

• ACL

internet192.168.101.0/24

(Routes)•

• IP (CIDR)NIC

• IP

ECMP

LAN


IP –

20

Instance1(AP)

eth0

IP

Instance2(AP)

eth0

• NIC /

(ACL)•

NICInstance3

(DB)

eth0

NIC (AP) NIC (DB)

allow-ping

: icmp:

: icmp:

1521-egress-to-DB

1521-ingress-from-AP

: 1521: : DB

: 1521:

: AP

* (2017 11 ) ( )


IP – IP *

21

Instance1

eth0

IP

Instance2

eth0

IP (IPAddressReservations)

•IP 1 1NAT IP

NIC

• IP ( IP)NIC

GIP

NAT

.2 .3

GIP

internet

NAT

* (2017 11 ) ( )

•IP 1 1NAT IP

NIC

• IP


IP – DNS

22

web1

eth0

IP (192.168.1.0/24)

web2

eth0

DNS• IP 1 IP

DNS

• IP

• ( ) A

IP DNS

• DNS (IPVPN

)

.2 .3

DNS

.1

web1.ipnet1.abc.com. IN A 192.168.1.2web2.ipnet1.abc.com. IN A 192.168.1.3www.abc.com. IN A 192.168.1.2www.abc.com. IN A 192.168.1.3


Instance1

eth0 eth1

IP

Instance2

eth1

Data Center 1

Instance3

eth0

Data Center 2

WAN

internet

•

• IP PaaSIP

• IP

Storage Cloud


– IP

24

Instance1

eth0 eth1

IP

Instance2

eth1

internet

IP (IPReservations)•

IP NAT

•IP

• Database Cloud Service PaaS1 IP

IPNAT

NAT (IPAssociations)• IP ( IP)

IP 1 1


– DNS

25

web1

eth0

web2

eth0

DNS• DNS

DHCP

•IP

• ( )

•(Compute-

<domain>.oraclecloud.internal)

DNS

web1.compute-mydomain.oraclecloud.internal. IN A 10.168.x.yweb2.compute-mydomain.oraclecloud.internal. IN A 10.168.x.y


–

26

AP1

eth0

AP2

eth0

DB

eth0

seclist-ap seclist-db

: seclist-ap: seclist-db

: tcp/1521

: 0.0.0.0/0: seclist-ap

: tcp/443

: ( IP): seclist-db

: tcp/22

IP• Oracle Cloud IP

• IPv4 CIDR

•

•

• (from)(to)

•IP


IP

28

1. PaaS(DBCS, JCS ) IP

– : XXCOM (USCOM-CENTRAL-1, USCOM-EAST-1, GBCOM-SOUTH-1, AUCOM-EAST-1 ) DC(AP5_Z11)

– : AP5_Z11( DC) / US00n_Znn / EM00n_Znn• PaaS ComputeCS

PaaS GRE ( ) NAT

2. IP (=ACL) &IP NAT (IP )

– : XXCOM AP5_Z11( DC) US006_Znn

– : US00n_Znn / EM00n_Znn• ( IP )

New!



IP

30

OCI Classic

(SecRules)

+ +

(SecurityRules)

NIC+

+ /

+/ IP

NICNICOracle Cloud →

Oracle Cloud → IP

Oracle Cloud →

Oracle Cloud → IP

NIC


• /

•/

()

– (Deny)

•

– (Reject)

•

– (Permit)

•( )

31


•

–

–

–

32

Ins Ins Ins

A B

※1 8


•

• ( or IP) ( or )

33

(SecRules)

?

?

OCI Classic → → IP


•

•

•

–

• TCP

• UDP

• ICMP

• GRE

• ESP

– ~

34


• IP

•

• IP

(IP )

•

35

IP


8

1

10

n n

1

IP

1

n

Oracle Cloud(PaaS / IaaS)

/

/

IPIP

IP


•

– →

:

– : •

•

• DBCS PaaS

– DBCS (DBCS )

– : DBCS

Compute DBCS

Seclist-AP

Compute DBCS

Seclist-DB


IP

•

–

–

–

•

• IP

• IP

38

(REST API SecurityRules)

ACL ?

( / )

IP

IP


OCI Classic

39


OCI Classic •• Oracle Cloud

SSL•

• VPN

• IPsec•

• Oracle Cloud DC• Oracle•

(1Gbps / 10Gbps)

• Oracle Cloud

•

+ SSL

VPN(IPsec)

Ora

cle

Fast

Co

nn

ect Standard

Edition

Partner Edition(NTT-

Com,Verizon,BT )

Oracle Cloud

Oracle Cloud

i

Oracle Cloud

NW

NW

Oracle

Oracle


VPN OCI Classic

Virtual Private Network(VPN)

VPN

Point-to-Point( )

42

On-Premise Oracle Cloud

VPN


VPN

43


• Corente

–

– Compute

– IP (GRE )

• VPNaaS

– VPN

–

– IP

Oracle Confidential – Internal 44

2 VPN

IP

LAN

GRE

internet

IPsec

CorenteService Gateway

CorenteService Gateway

IP

LAN

internet

IPsec

VPNaaS

Compute JCS DBCS


VPN

• 2017 10 20 ( ) Corente+ VPNaaS ( ) VPNaaS

– Corente VPNaaS (Corente)

• VPNaaS IP ( VPN)

– : RAC Data Guard Database Cloud Service (2017 12 ) IP VPNaaS

NAT

Confidential – Oracle Internal/Restricted/Highly Restricted 45


VPN (2017 10 )

DBCS/JCS?

YES

NO

IP+

2017 10 ?

YES

NO

Corente + NW(GRE)

RACData Guard ?

YES

NO

VPNaaS + IP

IPsec ?

NO

YES


VPN - VPNaaS

47


VPNaaS

Confidential – Oracle Internal/Restricted/Highly Restricted 48

VPNaaS(

DatabaseCompute

Compute

Gateway

Gateway

IP Network

Compute

IP Exchange

IP Network

Oracle Cloud

NAT

• VPN VPNaaS)

• VPN

•

NAT

•IP Network

• IP Network IP Exchange


VPNaaS

• VPNIPsec VPNaaS

Oracle

•

– Cicso 2921

– Cisco ISR 4331

– Cisco ASA5505

– Checkpoint 3200

– Palo Alto 3020

– FortiGate-200D

•

49

https://docs.oracle.com/cd/E83857_01/iaas/compute-iaas-cloud/stcsg/setting-vpn-connection-using-vpnaas.html#GUID-F6207807-9E1A-46D0-8BF4-AC4A2E7785E6


VPN (1)

•

–

• IP

– (IP)

– IP IP

• vNICset( )

•

– WAN IP(NAT )

•

– ()

• (PSK)

– ( )

• IKE ID( )

– IP_ADDR_V4 VPNaaS IP

50


VPN (2)

• 1 IKE

– 1(IKE) VPNaaS

• 2 ESP

– 2(ESP) VPNaaS

•

– 2 PFS : Perfect Forward Securecy

51


VPNaaS TIPS

• IKEv1 (IKEv1 IKEv2 )

• VPN ( VPN )

– IP N

• VPN VPNaaS IP IP

• VPN VPN (=IP )

– (= IP)

– (= )

– (PSK)

– IP (= IP )

• 1 VPN 1

• VPNaaS

52


VPN

•

– VPN > VPNaaS > VPN >

• VPNaaS (=Corente Services Gateway) Openswan

– Openswan

– strongSwan

– Libreswan

53

https://www.openswan.org/

https://www.strongswan.org/

https://libreswan.org/


VPN - Corente

54


VPN – Corente

55

Corente Services Gateway

• Corente Services Gateway– IPsec

– OCI Classic

– VPN

– OSOracle Compute Cloud Cloud

App Net Manager

– VPNCorente Services Gateway


VPN – Corente

56

DC VPN

• 1. Corente Services Gateway – Oracle Technology Network Corente Services Gateway

–

–

– Oracle (Oracle Cloud )

• 2. IPsec– IPsec


VPN – Corente

57

DC GW Corente Services Gateway

•

A)

• ( )

– Oracle VM 3.4.1

– Xen 4.4, VMWare ESX5.5

– Citrix XenServer 6.2

– Microsoft Windows Server 2012 R2 Hyper-V

B) Corente

•

• (Corente AppNetManager)

→

Oracle Cloud

http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html

http://docs.oracle.com/cd/E74662_01/E80339/html/install-plan-req.html

http://docs.oracle.com/cd/E74662_01/E80339/html/install-gateway-vm.html

http://docs.oracle.com/cd/E74662_01/E80339/html/install-plan-req.html


VPN – Corente

• DC Corente

–

• Corente → IP (ANY) 443/TCP ( )

• Corente → IP (ANY) 53/UDP ( )

• Corente 1025-65535/TCP → IP (ANY) 551/TCP (Corente Service Port)

• Corente 551/UDP → IP (ANY) 551/UDP (Corente Service Port)

–

• IP (ANY) 1025-65535/TCP → Corente 551/TCP (Corente Service Port)

• IP (ANY) 551/UDP → Corente 551/UDP (Corente Service Port)

58

DC GW Corente Services Gateway

Corente Services Gateway Deployment Guide - 2.2 Network Requirementshttp://docs.oracle.com/cd/E74662_01/E80339/html/install-plan-lan.html#install-plan-lan-fw

http://docs.oracle.com/cd/E74662_01/E80339/html/install-plan-lan.html


VPN – CorenteDC GW Corente Services Gateway

59

: 1.5 GHz Intel-based x86 compatible server: 1 GB RAM

: 40 GB IDE/SATA: Integrated 10/100/1000M Ethernet Interfaces

Oracle VM Server for x86 Release 3.4.1 or laterXen 4.4VMware ESX 5.5Citrix XenServer 6.2Microsoft Windows Server 2012 R2 Hyper-V

※Corente Services Gateway Deployment Guide(http://docs.oracle.com/cd/E74662_01/E80339/E80339.pdf)

2.1 Corente Services Gateway Installation Requirements

http://docs.oracle.com/cd/E74662_01/E80339/E80339.pdf


VPN – Corente

60

DC GW IPsec

•(Certified Configuration) IPsec

Corente Services Gateway

• My Oracle Support

– Cisco ASA 5505 (Doc ID 2153452.1)

– SonicWall TZ190 (Doc ID 2153603.1)

– Juniper JuneOS15 (Doc ID 2164001.1)

•

– Cisco CSR1000v (How to connect an application on Ravelloto Oracle IaaS/PaaS services (e.g. DBCS etc.) over VPN)

Oracle Cloud

http://docs.oracle.com/cloud/latest/stcomputecs/CTVPN/GUID-8BD62D32-0D74-48C2-8CF6-53E1D2709454.htm

https://support.oracle.com/epmos/faces/DocumentDisplay?id=2153452.1



https://community.oracle.com/docs/DOC-1008193


VPN – Corente

• Oracle Compute CloudIP

Oracle Cloud IP

IPGRE

61

NW IP


VPN – Corente

• Corente Services GatewayCompute / PaaS

GRE

• Oracle Technology Network (Linux, Windows )

• : 10.0.0.0/8

62

NW GRE


Corente Active / Active HA ( IPsec )

VPN

IPsec

IPsec

CSG01(Active)

CSG02(Active)

eth0

IP192.168.55.0/24

.8

.9

VMvNIC Set:A

Name IP Address Next Hop vNIC Distance

Outbound 192.168.0.0 A 0

Routes:

route add -net 192.168.0.0/24 gw 192.168.55.1

IPsec

DC

192.168.0.0/24

(VRRP, HSRP, MHSRP, etc) .100

Static Route

Cloud Failover

eth0eth1

eth1

OCI Classic

VM.2

IPsec

F/W


Corente Services Gateway IPsec

• /

• Corente Services Gateway

64

VPN

• Oracle Cloud

• ( ) NAT / NAPT

• IPsec VPN

• ( )NAT / NAPT• AppNet Manager

•

• IP( 1 )

• IPsec

• IPsec

• VPN IP (IP )

•

• VPN IPsec

•

• AppNet Manager IPsec

• Oracle Cloud

•

VPN

Oracle Cloud

LAN


VPN

65

※ (2017 12 ) Database Cloud Service (RAC Data Guard) IPIP VPN IPGRE

NW VPNGW

IP

VPNaaS IPsec & Oracle Cloud Infrastructure Compute Classic - 16 VPNaaS VPN

CorenteIPsec

Oracle Cloud Infrastructure Compute Classic - VPN

(Active-Active HA) - HA

CorenteCorente Services Gateway IP

VPN

+GRE ※

CorenteIPsec

Oracle Cloud Infrastructure Compute Classic - VPN

(Active-Active HA) - HA

Corente Corente Services Gateway VPN

https://docs.oracle.com/cd/E83857_01/iaas/compute-iaas-cloud/stcsg/setting-vpn-connection-using-vpnaas.html#GUID-5AFBB3FC-C0F6-4AC7-9312-718B594EB0D2

https://docs.oracle.com/cd/E83857_01/iaas/compute-iaas-cloud/stcsg/setting-vpn.html#GUID-07FAD4A9-DDE4-4391-BB9C-EA4784552EDA

https://www.oracle.com/pls/topic/lookup?ctx=en/cloud/iaas/compute-iaas-cloud/stcsg&id=TPIPV-GUID-024B75F7-DB15-4A51-B13A-D2B8B1A10990

https://docs.oracle.com/cd/E83857_01/iaas/compute-iaas-cloud/cgipv/setting-vpn-using-corente-services-gateway-cgipv.html#CGIPV-GUID-E434EFA5-BBEC-4647-8A27-F0743C6D203B

https://docs.oracle.com/cd/E83857_01/iaas/compute-iaas-cloud/stcsg/setting-vpn.html#GUID-07FAD4A9-DDE4-4391-BB9C-EA4784552EDA

https://www.oracle.com/pls/topic/lookup?ctx=en/cloud/iaas/compute-iaas-cloud/stcsg&id=TPIPV-GUID-024B75F7-DB15-4A51-B13A-D2B8B1A10990

https://docs.oracle.com/cd/E83857_01/iaas/compute-iaas-cloud/mcvpn/setting-vpn-using-corente-services-gateway.html#MCVPN-GUID-6C006FED-F313-4C12-B2CB-6602D7072A09



• Oracle CloudVPN

•

• Oracle Cloud IP

1.

Compute

eth0

IP192.168.1.0/24

Compute Java AP

eth0 eth0

internet

.2 .3 .4

IP

Oracle Cloud VPN IPIP

67

VPNaaS

.253

Database

eth0.5


• Web

•

• VPN

• (Bastion)

2.

Web

eth1

Back: 192.168.2.0/24

AP* DB* Bastion

eth0 eth0eth1.2.3 .5 .2

IP

Oracle Cloud

eth0.2

internet

IP

Web

VPNIP

69

eth0.4

NAT

NATFront: 192.168.0.0/24

IP

VPNaaS.253

Mgmt:192.168.1.0/24


TIPS

70


OCI Classic

• IP IP ( )IP( )IP

– DHCPIP

• IP ( )IP

– DHCP( DNS )

• IP IP– IP Site-to-site VPN

71


• OCI Classic DHCP

OS

– Oracle Linux (eth0 )

72

OracleLinux1

eth2

IP 1

IP 2

eth0 eth1

✓

DNS✓

IP OracleLinux2

eth0

eth1 eth2

✓ IP 2DNS

✓ IP 2

IP 1


• IP

• IP(IP ) IP

73

IP

IP

internet

NAT

GW


( )

• : IP

– (Linux)

• sudo ip route add 10.196.0.0/16 via $(ip route | awk '/default/ {print $3}’) dev eth0

• sudo ip route change default via 192.168.1.1 dev eth1

– IP ssh( ssh )

74


( )

•”instance” ( )

• ”userdata” ( {} )

75

"instances": [{"attributes": {"userdata": {

"pre-bootstrap": {"script": [

"ip route add 10.196.0.0/16 via $(ip route | awk '/default/ {print $3}') dev eth0","ip route change default via 192.168.1.1 dev eth1"

]}

}},xxxxxx

}]

※10.196.0.0/16 -> IPEth0 -> NIC192.168.1.1 -> IP (1 )


NIC IP

76

• IP 1IP

• 1

→ IPeth0

(10.x.x.x)eth1

(192.168.1.2)eth2

(192.168.2.2)

internet

NAT

GIP2GIP1 GIP3

IPnet1 IPnet2

sudo ip rule add from 192.168.1.2 table 100 prio 1000sudo ip rule add from 192.168.2.2 table 200 prio 1000sudo ip route add default via 192.168.1.1 dev eth1 table 100sudo ip route add default via 192.168.2.1 dev eth2 table 200

IPDefault GW

IP

※ IP


1 NIC IP(IP )

77

• IPNIC IP

• IP NICIP IP

IP

eth0192.168.1.2

192.168.1.10

IP (192.168.1.0/24)

IP :192.168.1.10/32: 1 eth0 (vNICSet )

$ sudo ip addr add 192.168.1.10/32 dev eth0 label eth0:1$ ip addr list eth0 | grep inet

inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0inet 192.168.1.10/24 scope global secondary eth0:1

IP


Instance1

eth0

Instance2

eth0

internet

IPNAT

Active Standby

35.x.x.x ( IP)

10.x.x.1( IP)

10.x.x.2( IP)

IP

Instance1

Instance1

eth0

Instance2

eth0

internet

IPNAT

Active Standby

35.x.x.x ( IP)

10.x.x.1( IP)

IP

10.x.x.2( IP)

• IP IP Instance 1

• IP

• Instance1 IP IP Instance2


Instance1 Instance2

IP

79

eth1

192.168.1.3

eth1

192.168.1.4

IP(192.168.1.0/24)

Instance1

• Instance1 Instance2 eth1 2 IP ※

• 2 IP

192.168.1.11eth1:1

Instance

eth1

Active Standby

• IP NIC OS IP 2 IP

• OCI Classic 2 IP

※ L2 2IP

※ NIC

192.168.1.11 Instance1

eth1

192.168.1.2

: 192.168.1.11

Instance1 Instance2

eth1

192.168.1.3

eth1

192.168.1.4

IP(192.168.1.0/24)

192.168.1.11eth1:1

Instance

eth1

Active Standby

192.168.1.2

192.168.1.11 Instance2

eth1


Data & Analytics

Oracle Cloud Infrastructure Classic ネットワーク機能詳細