Prepare Network Components for Internet Access to Oracle Fusion Analytics Service Endpoints

December 1, 2023 | 9 minute read


Published December 4, 2023.
Updated January 3rd, 2024.

Introduction

Oracle Analytics is a complete platform with ready-to-use services for various workloads and data. Oracle Analytics offers valuable, actionable insights from all types of data in the cloud, on-premises, and hybrid sources. It empowers business users, data engineers, and data scientists to access and process relevant data, evaluate predictions, and make quick, accurate decisions. Oracle Analytics services are accessed via the Oracle Services Network or service endpoints.

The examples in this post use Oracle Fusion Analytics, a component of the Oracle Fusion Data Intelligence Platform.
The post is also relevant to Oracle Analytics Cloud.

Note: This post does not cover Oracle Analytics Server for on-premises deployments of Oracle Analytics Cloud.

Direct Internet access to Fusion Analytics service endpoints is prohibited. However, there are network topology scenarios that enable indirect access using intermediary components. The intermediary components are accessible from the internet and act as proxies. Users connect to the proxies, which privately connect to the Fusion Analytics service endpoints. NLBs (Network Load Balancers) are used in examples to fulfill the proxy functions.

This post is a member of the Private Fusion Analytics series. It builds upon the network foundation described in Prepare for Oracle Fusion Analytics Service Endpoints, is a companion post to Prepare Network Components for Private Access to Oracle Fusion Analytics Service Endpoints, and a prequel to Access Oracle Fusion Analytics Service Endpoints Publicly. It guides the networking component setup for internet access to Fusion Analytics service endpoints. Included are architectural diagrams, component descriptions, and links for additional references.

Alternative Methods

This post presents three alternative methods for resolving Fusion Analytics service endpoint FQDNs.

Client (Local) DNS

A file on a client computer, typically named /etc/hosts, acts as a DNS private zone for that client. It contains the FQDNs and respective NLB (Network Load Balancer) public IP addresses. Each client usually has its own file.

Customer DNS

A private zone in the customer DNS containing the FQDNs and respective NLB public IP addresses. Clients must be configured to use the Customer DNS.

OCI (Oracle Cloud Infrastructure) DNS

A DNS listener and a private zone in an OCI VCN containing the FQDNs and respective NLB public IP addresses. The examples use a VCN named DNS_VCN. The customer DNS must be configured to forward DNS queries for Fusion Analytics FQDNs to the NLB acting as a public proxy for the OCI listener. Clients must be configured to use the Customer DNS.

Architecture

This section contains an initial state and two prepared states. The network components depicted are based on what type of DNS topology you choose. Although DNS components are covered in Internet Access to Fusion Analytics Service Endpoints using Domain Name System Components, architectures are provided here for two scenarios:

  • Private zones in a customer DNS and file-based DNS.
  • Private zones in Oracle Cloud Infrastructure DNS.

Initial State

The initial state contains a provisioned Fusion Analytics instance with three service endpoints.

Refer to Prepare Oracle Fusion Analytics with Service Endpoints and Provision Oracle Fusion Analytics with Service Endpoints for details on a Fusion Analytics instance's provisioned state.


This diagram depicts Fusion Analytics service endpoints provisioned in a Virtual Cloud Network (VCN).


Prepared States
Customer and Client DNS Alternatives


This diagram depicts Fusion Analytics service endpoints with network components that provide proxy access. It is a base for OCI private zones and supports customer private zones and file-based DNS.


OCI DNS Alternative


This diagram depicts Fusion Analytics service endpoints with network components that support OCI private zones.

Components

This section describes the components depicted in the architecture diagrams.

The VCN containing the Fusion Analytics service endpoints is referred to as the FA VCN.

Initial Components
Oracle Services Network

The OSN (Oracle Services Network) is a conceptual network in an OCI region reserved for Oracle services. It comprises CIDR blocks and a list of regional CIDR service labels, e.g., All PHX Services in Oracle Services Network, for the Oracle services available in the region.


Fusion Analytics Services

The three Fusion Analytics services in the OSN.


Fusion Analytics Service Endpoints

The three Fusion Analytics service endpoints in the FA VCN.


Oracle Identity Service

Either an Identity Cloud Service (IDCS) stripe or an OCI Identity Domain authenticating and authorizing users.

Note: The Identity Service may exist in a different region than Fusion Analytics and Fusion Applications, especially if Fusion Analytics is provisioned in a region that is not the cloud account's home region.


Virtual Cloud Network

The FA VCN comprises a private subnet, a security list, and a network security group for the ADW (Autonomous Data Warehouse) service endpoint.


Security List

The security list allows egress and intra-subnet ingress to port 443 for the Fusion Analytics and OAC web services.


Private Subnet

The private subnet is assigned the security list and contains the Fusion Analytics service endpoints.


Network Security Group

The NSG (Network Security Group) allows intra-subnet ingress to port 1522 for the ADW (Autonomous Data Warehouse).


Additional and Updated Components Common to All Alternatives
Internet Gateway

An Internet Gateway is added to facilitate traffic from and to the Internet.


Route Table

A Route Table is added to send Fusion Analytics response traffic to the internet via the Internet Gateway.


Public Subnet Security List

A security list is added to allow egress from the subnet and ingress from customer-defined CIDR blocks encompassing user IP addresses.


Public Subnet

A public subnet is added to host the Network Load Balancers acting as public proxies and is assigned the public subnet security list and route table.


Network Load Balancers

NLBs (Network Load Balancers) are added as public proxies that receive TCP traffic from the internet and forward it to relevant Fusion Analytics and OCI service endpoints.

Note: Network Load Balancers support only one destination for each port configured. Because Fusion Analytics has two services using port 443, two NLBs are required. The ADW service using port 1522 is assigned to one of the two NLBs.
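The one-backend-per-port constraint above, together with the public subnet security list described earlier (ingress only from customer-defined CIDR blocks), can be turned into a small planning check. The following is an added example, not code from the original post or from Oracle; the service names and IP addresses are constructed placeholders, and the 0.0.0.0/0 rejection is an assumption that ingress should be limited to customer ranges, as the post describes.

```python
"""Plan NLB public proxies for Fusion Analytics service endpoints.

Added example (not from the original post). An NLB listener binds one port to
one backend set, so two endpoints that both use TCP 443 need two NLBs; the
ADW endpoint on TCP 1522 can share one of them.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Endpoint:
    name: str   # service endpoint FQDN (constructed placeholder)
    ip: str     # private IP of the endpoint in the FA VCN (constructed)
    port: int   # TCP port the service listens on


@dataclass
class NlbPlan:
    name: str
    listeners: dict = field(default_factory=dict)  # port -> Endpoint


def plan_nlbs(endpoints, prefix="nlb"):
    """First-fit placement: an endpoint goes on the first NLB whose port is free."""
    plans = []
    for ep in sorted(endpoints, key=lambda e: (e.port, e.name)):
        for plan in plans:
            if ep.port not in plan.listeners:
                plan.listeners[ep.port] = ep
                break
        else:
            plans.append(NlbPlan(f"{prefix}-{len(plans) + 1}", {ep.port: ep}))
    return plans


def ingress_rules(plans, customer_cidrs):
    """Public subnet security list intent: customer CIDRs -> listener ports only."""
    rules = []
    for cidr in customer_cidrs:
        net = ip_network(cidr)  # ValueError on a malformed CIDR
        if net.prefixlen == 0:  # assumption: never open the proxies to all of the Internet
            raise ValueError(f"refusing open-internet ingress rule: {cidr}")
        for plan in plans:
            for port in sorted(plan.listeners):
                rules.append({"source": cidr, "protocol": "TCP",
                              "dest_port": port, "nlb": plan.name})
    return rules


# Constructed sample: two HTTPS services plus the ADW SQL*Net endpoint.
SAMPLE = [
    Endpoint("fa.example.invalid", "10.0.1.10", 443),
    Endpoint("oac.example.invalid", "10.0.1.11", 443),
    Endpoint("adw.example.invalid", "10.0.1.12", 1522),
]

if __name__ == "__main__":
    for p in plan_nlbs(SAMPLE):
        print(p.name, {port: ep.name for port, ep in p.listeners.items()})
    for r in ingress_rules(plan_nlbs(SAMPLE), ["203.0.113.0/24"]):
        print(r)
```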


Network Security Group

The ADW NSG is updated to allow ingress traffic from the NLB destined for the ADW.


Private Subnet Security List

The security list is updated to allow ingress traffic from the NLBs destined for port 443.


Additional Components for the OCI DNS Alternative

DNS VCN

A second VCN, named the DNS VCN, is added to host an OCI DNS listening endpoint that resolves Fusion Analytics service hostnames to the public IP addresses of the associated NLBs.

The DNS VCN comprises a private and public subnet, Internet gateway, route table, and a network security group.


Internet Gateway

An Internet Gateway facilitates traffic from and to the Internet.


Private Subnet

The private subnet will host an OCI DNS listener endpoint.


Route Table

The route table sends DNS responses to the customer network via the Internet Gateway.


Public Subnet

The public subnet is assigned the route table and hosts an NLB acting as a public proxy.


Network Load Balancer

An NLB is added to the public subnet to act as a public proxy that receives DNS queries forwarded by a customer DNS over the Internet.


Network Security Group

An NSG is added to allow ingress for DNS queries from the NLB and to allow egress for the DNS responses.

Deploy

It is assumed deployers belong to OCI groups granted permissions via OCI policy rules to manage deployment components, including creating compartments if necessary.

Several frameworks exist to deploy the components:

A typical provisioning sequence for the alternatives follows:

All Alternatives

Create Components
  1. An Internet Gateway to facilitate traffic from and to the Internet.
  2. A Security List for the public subnet with rules allowing:
    • Ingress from customer IP addresses.
    • Egress from the subnet.
  3. A Route Table for the public subnet with a rule to send Fusion Analytics response traffic to the customer network via the internet gateway.
  4. A Public Subnet assigned the security list and route table.
  5. Network Load Balancers in the public subnet with:
    • Backend Sets for the Fusion Analytics service endpoints with:
      • A Backend with the relevant Fusion Analytics service endpoint IP address.
      • A Listener for the relevant Fusion Analytics protocol and port, e.g., TCP 443, TCP 1522
Update Components
  • The Private Subnet Security List with a rule allowing ingress from the NLBs to port 443.
  • The Network Security Group with a rule allowing ingress from an NLB to port 1522.

OCI DNS Alternative

Create Components
  1. A DNS VCN with:
    • An Internet Gateway to facilitate traffic from and to the Internet.
    • A Private Subnet.
    • A Route Table with a rule to send OCI DNS response traffic to the customer DNS via the internet gateway.
    • A Public Subnet assigned the route table.
    • A Network Load Balancer in the public subnet with:
      • A Backend Set for the OCI DNS listener with:
        • An NLB Listener for UDP port 53.
    • A Network Security Group for a DNS listener with rules allowing ingress to UDP port 53 from:
      • The Customer DNS forwarder.
      • The NLB.
Explore More

Refer to the Overview of Private Fusion Analytics for references to other posts in the series.

Explore and learn about Fusion Analytics by visiting the community links, blogs, and library.

Implementing Oracle Fusion Analytics Series

Fusion Analytics Implementation Guide

CEAL Implementation Guidance Sessions, September 2023

Fusion Analytics Community

Fusion Analytics Blogs

Fusion Analytics Library


 

Dayne Carley

