Redwood

Published Version 1 on December 13th, 2023.
Updated Version 2 on January 5th, 2023.

Introduction

Oracle Analytics is a complete platform with ready-to-use services for various workloads and data. Oracle Analytics offers valuable, actionable insights from all types of data in the cloud, on-premises, and hybrid sources. It empowers business users, data engineers, and data scientists to access and process relevant data, evaluate predictions, and make quick, accurate decisions. Oracle Analytics services are accessed via the OSN (Oracle Services Network) or private service endpoints (IP addresses).

The examples in this post use Oracle Fusion Analytics, a component of the Oracle Fusion Data Intelligence Platform.
The post is also relevant to Oracle Analytics Cloud.

Note: This post does not cover Oracle Analytics Server for on-premises deployments of Oracle Analytics Cloud.

Among other things, DNS (Domain Name System) translates FQDNs (Fully Qualified Domain Names) into numerical IP addresses.

Unlike public Fusion Analytics services, those with service endpoints have FQDNs that cannot be resolved by public DNS on the internet, so clients must use a private DNS method to resolve them.

This post is a member of the Private Fusion Analytics series. It builds upon the foundation described in Prepare Network Components for Internet Access to Oracle Fusion Analytics Service Endpoints and is a companion post of Access Oracle Fusion Analytics Service Endpoints Privately.

It guides the setup of the DNS components and illustrates the internet access flows. Architectural diagrams, component descriptions, access flows, and links for additional references are included.

Alternative Methods

This post presents three alternative methods for resolving Fusion Analytics service endpoint FQDNs.

Client (Local) DNS

A file on a client computer, typically named /etc/hosts, acts as a DNS private zone for that client.

Customer DNS

A private zone in the customer DNS containing the FQDNs and respective NLB public IP addresses. Clients must be configured to use the Customer DNS.

OCI (Oracle Cloud Infrastructure) DNS

A DNS listener and a private zone in an OCI VCN containing the FQDNs and respective NLB public IP addresses. The examples use a VCN named DNS_VCN. The customer DNS must be configured to forward DNS queries for Fusion Analytics FQDNs to an NLB that acts as a public proxy for the OCI listener. Clients must be configured to use the Customer DNS.

Architecture

Initial and prepared architecture diagrams are presented.

Initial States
Base Initial State for All Alternatives

[Diagram: base initial state for all alternatives]

This diagram depicts existing network components described in Prepare Network Components for Internet Access to Fusion Analytics Service Endpoints.


OCI DNS Alternative Initial State

[Diagram: OCI DNS alternative initial state]

This diagram depicts additional network components required for the OCI DNS alternative.


Prepared States

Prepared states are presented for the three alternative methods.

Local DNS

[Diagram: Local DNS prepared state]

This diagram depicts additional and updated client (local) DNS components.


Customer DNS

[Diagram: Customer DNS prepared state]

This diagram depicts additional and updated customer DNS components.


OCI DNS

[Diagram: OCI DNS prepared state]

This diagram depicts additional and updated components required for the OCI DNS alternative.

Components

This section describes the components depicted in the architecture diagrams.

The VCN containing the Fusion Analytics service endpoints is referred to as the FA VCN, and the VCN containing the OCI DNS listener endpoint is referred to as the DNS VCN.

Initial Components

The components illustrated in the initial states are described in the Prepare Network Components for Internet Access to Fusion Analytics Service Endpoints blog post.


Additional Components for the Local DNS Alternative
Local Client DNS File

An /etc/hosts file is added to client workstations containing the Fusion Analytics FQDNs and respective NLB (Network Load Balancer) public IP addresses.


Additional Components for the Customer DNS Alternative
Customer DNS Private Zone

A custom private zone is added to the customer DNS containing the Fusion Analytics FQDNs and respective NLB (Network Load Balancer) public IP addresses.
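As an added illustration (not part of the original post or of Oracle's tooling), the following Python builds the two artifacts described for the Local DNS and Customer DNS alternatives from a single FQDN-to-NLB mapping: /etc/hosts lines and A resource records in zone-file syntax. It also parses an existing hosts file and compares it against the mapping, reporting names that are missing, stale, or listed with conflicting addresses. The FQDNs and addresses are constructed placeholders; the real values are the Fusion Analytics FQDNs and the NLB public IPs from the deployment.

```python
"""Build and check hosts-file and private-zone records for Fusion Analytics
service endpoint FQDNs (added example, not Oracle code)."""
import ipaddress
import re

# Constructed sample: endpoint FQDNs and the NLB public IPs that front them.
# Placeholder names and TEST-NET addresses, not real Oracle endpoints.
SAMPLE_MAPPING = {
    "fa-instance.example.com": "203.0.113.10",
    "fa-ui.example.com": "203.0.113.10",
    "fa-api.example.com": "203.0.113.11",
}

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """At least two well-formed DNS labels and a total length within the 253-octet limit."""
    name = name.rstrip(".")
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(x) for x in labels)


def validate_mapping(mapping):
    """Return a list of problems; an empty list means every entry is usable."""
    problems = []
    for fqdn, ip in mapping.items():
        if not is_fqdn(fqdn):
            problems.append(f"{fqdn}: not a fully qualified domain name")
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"{fqdn}: {ip!r} is not an IPv4 address")
            continue
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast or addr.is_link_local:
            problems.append(f"{fqdn}: {ip} cannot be an NLB address")
    return problems


def hosts_lines(mapping):
    """Local DNS alternative: one /etc/hosts line per NLB IP listing the FQDNs it serves."""
    by_ip = {}
    for fqdn, ip in mapping.items():
        by_ip.setdefault(ip, []).append(fqdn)
    return [f"{ip} {' '.join(names)}" for ip, names in by_ip.items()]


def zone_records(mapping, ttl=300):
    """Customer DNS alternative: A resource records for the private zone, in zone-file syntax."""
    return [f"{fqdn.rstrip('.')}.\t{ttl}\tIN\tA\t{ip}" for fqdn, ip in mapping.items()]


def parse_hosts(text):
    """Map each hostname in hosts-file text to the IPs it appears with, in file order."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            seen.setdefault(name.lower(), []).append(ip)
    return seen


def check_hosts(text, expected):
    """Compare a hosts file against the expected FQDN -> NLB IP mapping.

    Resolvers generally use the first matching line, so the first IP listed for a
    name is the one that counts; further conflicting lines are reported as well.
    """
    seen = parse_hosts(text)
    report = {}
    for fqdn, ip in expected.items():
        ips = seen.get(fqdn.lower())
        if not ips:
            report[fqdn] = "missing"
        elif ips[0] != ip:
            report[fqdn] = f"stale: resolves to {ips[0]}"
        elif len(set(ips)) > 1:
            report[fqdn] = f"conflict: also listed as {', '.join(sorted(set(ips) - {ip}))}"
        else:
            report[fqdn] = "ok"
    return report


# Constructed hosts file with one entry left over from an earlier NLB address.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Fusion Analytics service endpoints (constructed example)
203.0.113.10 fa-instance.example.com
198.51.100.7 fa-ui.example.com   # old NLB address, never updated
"""

if __name__ == "__main__":
    print("\n".join(hosts_lines(SAMPLE_MAPPING)))
    print("\n".join(zone_records(SAMPLE_MAPPING)))
    for fqdn, status in check_hosts(SAMPLE_HOSTS, SAMPLE_MAPPING).items():
        print(f"{fqdn}: {status}")
```

A stale hosts entry is the usual Local DNS failure: the NLB address changes, the workstation keeps resolving the old one, and the browser times out instead of failing visibly. Running the check on each administrator workstation after an NLB change makes the problem explicit.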


Additional Components for the OCI DNS Alternative
Customer DNS Forwarder

A forwarding mechanism is added to the customer DNS system to forward DNS queries containing Fusion Analytics FQDNs to the DNS VCN NLB.

Note: Forwarding is implemented differently by commercially available DNS software.


Network Security Group

The NSG (Network Security Group) in the DNS VCN is updated with rules allowing ingress for DNS queries from the Customer DNS resolver and egress for the responses.
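The NSG is what stands between the internet-facing NLB and the DNS listener, so its rules deserve a check. The Python below is an added example, not Oracle's NSG model or API: it represents security rules as a simplified dataclass and audits a rule set for the listener, requiring ingress on UDP and TCP port 53 from the customer forwarder address, egress back to it, and flagging rules that are broader than that single address or port. The forwarder address and both rule sets are constructed.

```python
"""Audit the NSG rules guarding the OCI DNS listener endpoint
(added example; simplified rule shape, not the OCI API object)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DNS_PORT = 53

# Constructed sample: the customer DNS forwarder's public address (placeholder).
FORWARDER_IP = "198.51.100.53"


@dataclass(frozen=True)
class Rule:
    """One NSG security rule, reduced to the fields the audit needs."""
    direction: str                 # "ingress" or "egress"
    protocol: str                  # "udp", "tcp" or "all"
    cidr: str                      # source CIDR for ingress, destination CIDR for egress
    port_min: Optional[int] = None # None: all destination ports
    port_max: Optional[int] = None


def rule_matches(rule, direction, protocol, ip, port=None):
    """True if the rule covers this direction, protocol, peer address and (if given) port."""
    if rule.direction != direction or rule.protocol not in ("all", protocol):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.cidr, strict=False):
        return False
    if port is None or rule.port_min is None:
        return True
    return rule.port_min <= port <= rule.port_max


def audit_listener_nsg(rules, forwarder_ip):
    """Return findings for the listener's NSG; an empty list means it passes.

    DNS uses UDP first and falls back to TCP for truncated answers, so both
    protocols must be admitted on port 53 from the forwarder, and responses
    must be allowed back out to it.
    """
    findings = []

    def add(msg):
        if msg not in findings:
            findings.append(msg)

    for proto in ("udp", "tcp"):
        hits = [r for r in rules if rule_matches(r, "ingress", proto, forwarder_ip, DNS_PORT)]
        if not hits:
            add(f"no ingress rule admits {proto}/{DNS_PORT} from {forwarder_ip}")
        for r in hits:
            if ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0:
                add(f"ingress {r.protocol} rule is open to {r.cidr}; restrict it to {forwarder_ip}/32")
            if r.port_min is None:
                add(f"ingress {r.protocol} rule from {r.cidr} allows every port; limit it to {DNS_PORT}")
        if not any(rule_matches(r, "egress", proto, forwarder_ip) for r in rules):
            add(f"no egress rule returns {proto} responses to {forwarder_ip}")
    return findings


# Constructed rule sets: a weak one that exposes the listener to any source and
# forgets TCP, and a hardened one scoped to the forwarder and port 53.
WEAK_RULES = [
    Rule("ingress", "udp", "0.0.0.0/0", 53, 53),
    Rule("egress", "all", "0.0.0.0/0"),
]
HARDENED_RULES = [
    Rule("ingress", "udp", f"{FORWARDER_IP}/32", 53, 53),
    Rule("ingress", "tcp", f"{FORWARDER_IP}/32", 53, 53),
    Rule("egress", "udp", f"{FORWARDER_IP}/32"),
    Rule("egress", "tcp", f"{FORWARDER_IP}/32"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit_listener_nsg(rules, FORWARDER_IP) or ["no findings"])
```

If the customer DNS has several outbound resolvers, each address (or the smallest CIDR that covers them) goes in the ingress rules; anything wider turns the listener into a DNS server that the whole internet can query through the NLB.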


OCI DNS Resolver

The DNS VCN was created with a default DNS resolver containing a prebuilt DNS private view with prebuilt DNS private zones. The prebuilt DNS private zones contain FQDNs hosted by the VCN.

The resolver resolves FQDNs hosted by the VCN and hostnames that are publicly published on the internet.

The DNS resolver is modified to:

  • Include a custom private view.
  • Include a DNS listener endpoint.

OCI DNS Custom Private View

A custom DNS private view is added to the DNS resolver to host a custom private zone.


OCI DNS Custom Private Zone

A custom DNS private zone is added to the custom DNS private view containing the Fusion Analytics FQDNs and respective NLB (Network Load Balancer) public IP addresses.


OCI DNS Listener Endpoint

A DNS listener endpoint is added to the DNS resolver to receive DNS queries from the Customer DNS Forwarder. It is configured to use the NSG. The DNS resolver uses the custom private view and custom private zone to resolve the queries and send the responses to the Customer DNS.


Network Load Balancer

The NLB in the DNS VCN is updated with the DNS listener private IP address.

Deploy

It is assumed deployers belong to OCI groups granted permissions via OCI policy rules to manage deployment components, including creating compartments if necessary.

Several frameworks exist to deploy the components.

A typical provisioning sequence follows:

  1. For all alternatives:
    • Obtain the Fusion Analytics FQDNs and associated OCI NLB IP addresses.
  2. For the Local DNS alternative:
    • Create an /etc/hosts file for use by administrators containing the Fusion Analytics FQDNs and associated OCI NLB IP addresses.
  3. For the Customer DNS alternative:
    • Create a private zone with resource records containing the Fusion Analytics FQDNs and associated NLB IP addresses.
  4. For the OCI DNS alternative:
    • Create a forwarding mechanism in the customer DNS to forward queries containing Fusion Analytics FQDNs to the NLB in the DNS VCN.
    • Update the NSG in the DNS VCN with rules allowing ingress and egress to the customer DNS forwarding mechanism IP address.
    • Create a DNS listener endpoint in the DNS VCN private subnet.
    • Update the NLB in the DNS VCN with the DNS listener’s private IP address.
    • Create a DNS custom private view.
    • Create a DNS custom private zone containing the Fusion Analytics FQDNs and associated NLB public IP addresses.
    • Update the DNS resolver in the DNS VCN by adding the DNS custom private view.
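Once the components are provisioned, each alternative can be verified from the client side. The Python below is an added example, not an Oracle utility: it resolves the FQDNs through whatever path the client is configured for, and it can also send a hand-built DNS query over UDP straight to a chosen server (such as the public IP of the NLB in front of the listener), so the OCI side can be tested independently of the customer forwarder. The expected FQDN-to-address mapping is constructed, and the response builder exists only so the parser can be exercised offline with both sides of the exchange.

```python
"""Check how Fusion Analytics endpoint FQDNs resolve after deployment, via the
client's resolver or a raw DNS query to one server (added example, not an Oracle tool)."""
import secrets
import socket
import struct

# Constructed sample expectations: endpoint FQDN -> NLB public IP (placeholders).
EXPECTED = {"fa-instance.example.com": "203.0.113.10", "fa-ui.example.com": "203.0.113.10"}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def _encode_name(fqdn):
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def build_query(fqdn, txid):
    """Recursive A query: 12-byte header (RD set, one question) plus the question section."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_name(fqdn) + struct.pack("!HH", 1, 1)


def build_response(query, ips, rcode=0):
    """Reply as a resolver would (used here to construct sample replies); answer names point at the question."""
    txid = struct.unpack_from("!H", query)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)   # QR, RD, RA set
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip) for ip in ips)
    return header + query[12:] + answers


def _read_name(msg, offset):
    """Read a possibly compressed name; return it and the offset just past its field."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer into the message
            end = end if end is not None else offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(response, txid):
    """Return (rcode name, sorted A addresses); reject replies whose id does not match ours."""
    rid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", response)
    if rid != txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(response, offset)
        offset += 4                               # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, offset = _read_name(response, offset)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", response, offset)
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlen
    return RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)), sorted(ips)


def query_server(server_ip, fqdn, timeout=3.0):
    """Ask one specific server (e.g. the DNS VCN NLB public IP) and parse its answer."""
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(fqdn, txid), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def system_lookup(fqdn):
    """Resolve through the client's configured path (/etc/hosts or the customer DNS)."""
    try:
        ips = sorted({i[4][0] for i in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    except socket.gaierror:
        return "NO ANSWER", []
    return "NOERROR", ips


def classify(rcode, answer, expected_ip):
    """Turn one lookup result into a status a deployer can act on."""
    if rcode != "NOERROR":
        return f"{rcode}: zone or forwarding not in place for this name"
    if answer == [expected_ip]:
        return "ok"
    if not answer:
        return "NO DATA: name exists but has no A record"
    return f"WRONG TARGET: resolves to {', '.join(answer)} instead of {expected_ip}"


def verify(expected, lookup):
    """lookup(fqdn) -> (rcode, ips); returns a status per FQDN."""
    return {fqdn: classify(*lookup(fqdn), ip) for fqdn, ip in expected.items()}


if __name__ == "__main__":
    print("client path:", verify(EXPECTED, system_lookup))
    # Direct path to the NLB fronting the listener (placeholder address):
    # print("via NLB:", verify(EXPECTED, lambda n: query_server("203.0.113.53", n)))
```

Comparing the two paths separates the failure modes: a good answer from the NLB but NO ANSWER on the client path points at the customer forwarder or the client's resolver configuration, while REFUSED or a timeout from the NLB points at the listener, its NSG, or the NLB backend.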

Access Flows

Access flow diagrams are presented for the alternative methods.

Local DNS

[Diagram: Local DNS access flows]

This diagram depicts the following:

ONE DNS Flow

  1. A client browser or application sends a DNS query with a Fusion Analytics FQDN.
  2. The client operating system uses the /etc/hosts file to obtain the associated NLB IP address.

TWO Connection Flow

  1. The client browser or application connects to the NLB via the internet.
  2. The NLB privately connects to the Fusion Analytics service endpoint.

Customer DNS

[Diagram: Customer DNS access flows]

This diagram depicts the following:

ONE DNS Flow

  1. A client browser or application sends a DNS query with a Fusion Analytics FQDN.
  2. The client operating system uses the customer DNS private zone to obtain the NLB IP address.

TWO Connection Flow

  1. The client browser or application connects to the NLB via the internet.
  2. The NLB privately connects to the Fusion Analytics service endpoint.

OCI DNS

[Diagram: OCI DNS alternative, DNS flow]

This diagram depicts the DNS flow.

ONE DNS Flow

  1. A client browser or application sends a DNS query with a Fusion Analytics FQDN.
  2. The client operating system sends the query to the customer DNS, which applies its forwarding mechanism.
  3. The customer DNS forwarding mechanism forwards the query to the NLB in the DNS VCN.
  4. The NLB in the DNS VCN routes the query to the DNS listener, which returns the public IP address of the NLB fronting the Fusion Analytics service endpoint.

[Diagram: OCI DNS alternative, connection flow]

This diagram depicts the connection flow.

TWO Connection Flow

  1. The client browser or application connects to the NLB via the internet.
  2. The NLB privately connects to the Fusion Analytics service endpoint.

[Diagram: OCI DNS alternative, DNS and connection flows]

This diagram depicts both flows:

ONE DNS Flow

  1. A client browser or application sends a DNS query with a Fusion Analytics FQDN.
  2. The client operating system sends the query to the customer DNS, which applies its forwarding mechanism.
  3. The customer DNS forwarding mechanism forwards the query to the NLB in the DNS VCN.
  4. The NLB in the DNS VCN routes the query to the DNS listener, which returns the public IP address of the NLB fronting the Fusion Analytics service endpoint.

TWO Connection Flow

  1. The client browser or application connects to the NLB via the internet.
  2. The NLB privately connects to the Fusion Analytics service endpoint.
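To make the OCI DNS flow concrete, the Python below models the decision the customer DNS makes at step 2 of the DNS flow (forward or resolve normally) and the answer the listener returns at step 4 from the custom private zone. It is an added example, not any vendor's forwarder or the OCI resolver, and the forward zones, records and NLB address are placeholders. It also covers the matching detail a forwarder configuration must get right: names are compared on label boundaries, so a forward zone for fa.example.com must not capture notfa.example.com, and the most specific matching zone wins.

```python
"""Model of the OCI DNS alternative's query path (added example; not a real
forwarder or the OCI resolver): names under the configured zones are forwarded
to the NLB in the DNS VCN and answered by the listener from the private zone."""

# Constructed sample: zones the customer DNS forwards, the NLB fronting the
# listener, and the private-zone records behind it (all placeholders).
FORWARD_ZONES = ["fa.example.com", "analytics.example.com"]
DNS_VCN_NLB = "203.0.113.53"
PRIVATE_ZONE = {
    "instance1.fa.example.com": "203.0.113.10",      # NLB fronting the FA endpoint
    "instance1-ui.fa.example.com": "203.0.113.10",
}


def _norm(name):
    return name.rstrip(".").lower()


def in_zone(qname, zone):
    """Suffix match on label boundaries: 'x.fa.example.com' is in 'fa.example.com',
    'notfa.example.com' is not, even though it ends with the same characters."""
    q, z = _norm(qname), _norm(zone)
    return q == z or q.endswith("." + z)


def forward_zone_for(qname, zones):
    """Most specific configured zone containing the name, or None for normal resolution."""
    matches = [z for z in zones if in_zone(qname, z)]
    return max(matches, key=lambda z: z.count(".")) if matches else None


def listener_answer(qname, private_zone):
    """What the OCI listener returns from the custom private zone."""
    ip = private_zone.get(_norm(qname))
    return ("NOERROR", ip) if ip else ("NXDOMAIN", None)


def trace(qname, zones=FORWARD_ZONES, private_zone=PRIVATE_ZONE):
    """Hop-by-hop trace of one query, following the numbered DNS flow."""
    hops = [f"1 client -> customer DNS: A? {qname}"]
    zone = forward_zone_for(qname, zones)
    if zone is None:
        hops.append("2 customer DNS: no forward zone matches; resolves normally (not an FA endpoint)")
        return hops
    hops.append(f"2 customer DNS: forward zone {zone} matches; forwards to {DNS_VCN_NLB}")
    hops.append("3 DNS VCN NLB -> OCI DNS listener (private IP)")
    rcode, ip = listener_answer(qname, private_zone)
    hops.append(f"4 listener -> customer DNS -> client: {rcode} {ip or ''}".rstrip())
    return hops


if __name__ == "__main__":
    for name in ("instance1.fa.example.com", "notfa.example.com", "missing.fa.example.com"):
        print("\n".join(trace(name)), end="\n\n")
```

An NXDOMAIN at step 4 means the forward zone is right but the private zone lacks the record; a query that never reaches step 3 for a Fusion Analytics name means the forward zone list in the customer DNS is incomplete or too narrow.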
Explore More

Refer to the Overview of Private Fusion Analytics for references to other posts in the series.

Explore and learn about Fusion Analytics by visiting the community links, blogs, and library.

Implementing Oracle Fusion Analytics Series

Fusion Analytics Implementation Guide

CEAL Implementation Guidance Sessions, September 2023

Fusion Analytics Community

Fusion Analytics Blogs

Fusion Analytics Library
