Prepare Network Components for Private Access to Oracle Fusion Analytics Service Endpoints

November 20, 2023 | 9 minute read

Published Version 5 on December 10th, 2023.

Introduction

Oracle Analytics is a complete platform with ready-to-use services for various workloads and data. Oracle Analytics offers valuable, actionable insights from all types of data in the cloud, on-premises, and hybrid sources. It empowers business users, data engineers, and data scientists to access and process relevant data, evaluate predictions, and make quick, accurate decisions. Oracle Analytics services are accessed via the Oracle Services Network or service private endpoints.

Two services used as examples in this post are Oracle Analytics Cloud and Oracle Fusion Analytics, a component of the Oracle Fusion Data Intelligence Platform.
In the architecture diagrams, they are referred to as an Oracle Analytics Service.

Note: This post does not cover Oracle Analytics Server for on-premises deployments of Oracle Analytics Cloud.

Private Access to Oracle Services is a network topology scenario that enables customer on-premises networks to use intermediary components to reach Oracle Analytics services without traversing the public internet. The intermediary described in this post consists of the Oracle Cloud Infrastructure (OCI) network components described in the Components section below.

This post is a member of the Private Fusion Analytics series. It builds upon the foundation described in Provisioning Private Oracle Fusion Analytics, is a companion post to Prepare Network Components for Internet Access to Oracle Fusion Analytics Service Endpoints and a prequel to Access Oracle Fusion Analytics Service Endpoints Privately.

Note: Although a member of the Private Fusion Analytics series, this post also applies to Public Oracle Analytics (services with public IP addresses).

It guides the networking component setup for private access to Oracle Analytics services. Included are architectural diagrams, component descriptions, and links for additional references.

Architecture

This section contains initial and prepared states for an Oracle Analytics service and an Oracle Analytics service endpoint.

Initial States

The initial states contain provisioned Oracle Analytics services.

Oracle Analytics Service

Initial Provisioned Public State

This diagram depicts an Oracle Analytics service provisioned in the Oracle Services Network.


Oracle Analytics Service Endpoint

OA Initial Private Access

This diagram depicts an Oracle Analytics service endpoint provisioned in a Virtual Cloud Network.


Prepared States

The prepared states contain the necessary networking components.

Oracle Analytics Service

Public Prepared

This diagram depicts an Oracle Analytics service with the necessary network components.


Oracle Analytics Service Endpoint

Prepared OA Private Access

This diagram depicts an Oracle Analytics service endpoint with the necessary network components.

Components

This section describes the components depicted in the architecture diagrams.

Many components shown as "additional" in the diagrams may currently exist in a customer's cloud and on-premises environments.

Service Components

Oracle Services Network

The Oracle Services Network is a conceptual network in OCI reserved for Oracle services. It comprises a list of regional CIDR service labels, e.g., All PHX Services in Oracle Services Network, for the Oracle services available in the US Phoenix region.


Oracle Analytics Service

A placeholder service representing Oracle Analytics services such as Oracle Analytics Cloud and Oracle Fusion Analytics.


Oracle Analytics Service Endpoint

A placeholder service endpoint representing Oracle Analytics services such as Oracle Analytics Cloud and Oracle Fusion Analytics provisioned with private endpoints.


Oracle Identity Service

Either an Identity Cloud Service (IDCS) stripe or an OCI Identity Domain authenticating and authorizing users.



Network Components

Customer Premises Equipment (CPE)

CPE is a virtual representation in OCI of an actual hardware or software device in a customer's on-premises network. The device carries traffic between the on-premises network and the DRG over the Site-to-Site VPN.


Site-to-Site Virtual Private Network (VPN)

Site-to-Site VPN provides site-to-site IPSec connections between on-premises networks and VCNs. The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives. It offers the following advantages:

  • Public internet lines transmit data, so dedicated, expensive lease lines from one site to another are unnecessary.
  • The internal IP addresses of the participating networks and nodes are hidden from external users.
  • The entire communication between the source and destination sites is encrypted, significantly lowering the chances of information theft.

OCI FastConnect Private Peering

OCI FastConnect Private Peering provides an easy way to create a dedicated, private connection that extends a customer's on-premises network into a VCN in OCI. It offers higher bandwidth options and more reliable and consistent networking experiences than internet-based connections. Cloud connectivity services from Oracle's FastConnect partners make it easy to establish connections to Oracle Cloud services.


Dynamic Routing Gateway (DRG)

A DRG acts as a virtual router, providing a path for traffic between a customer's on-premises networks and VCNs in OCI. It attaches to the following components:

  • VCNs
  • Site-to-Site VPN IPSec tunnels
  • OCI FastConnect virtual circuits

Each DRG attachment has an associated route table, which routes packets entering the DRG to their next hop.


Virtual Cloud Network (VCN)

A VCN provides a customizable and private cloud network in OCI. A VCN offers complete control over its cloud networking environment, such as assigning private IP address spaces and creating subnets, gateways, route tables, and stateful firewalls.

In the component diagrams, the VCN contains a Service Gateway and attaches to a DRG.
In the Oracle Analytics service endpoint component diagram, the VCN contains a private subnet, security list, route table, and service endpoint.

Service Gateway

A Service Gateway enables access to supported Oracle services in the same region. The accessible services have public IP addresses and do not have private endpoints. The public IP address ranges are advertised to the on-premises network via the DRG and are included in a CIDR service label for use in route tables.

In both component diagrams, the Service Gateway enables private access to the Identity service.
In the service component diagram, the Service Gateway enables private access to the Oracle Analytics service.


Security List

A Security List is a virtual firewall offered by the OCI networking service. It consists of a set of ingress and egress security rules that apply to all resources in any subnet the list is assigned to.

In the initial Oracle Analytics service endpoint diagram, the security list limits traffic to within the private subnet hosting the service endpoint.
In the Oracle Analytics service endpoint component diagram, additional rules allow ingress and egress from and to the DRG and Service Gateway.


Route Table

A Route Table can be associated with a subnet within a VCN, a Service Gateway, or a DRG. It can send traffic to the internet, to on-premises networks via a DRG, to other VCNs, and to the Oracle Services Network via a Service Gateway. It has rules that specify a destination CIDR block and the target (the next hop) for any traffic that matches the CIDR.

Note: OCI local routing automatically handles traffic within VCNs. Local routing does not require defining route rules in a route table to enable traffic.

In the Oracle Analytics service component diagram:

  • The DRG route table routes traffic from the customer network to the Oracle Analytics and Identity services via the Service Gateway.
  • The Service Gateway route table routes traffic from the Oracle Analytics and Identity services to the customer network via the DRG.

In the Oracle Analytics service endpoint component diagram:

  • The DRG route table routes traffic from the customer network to the Identity service via the Service Gateway.
  • Traffic to the service endpoint in the VCN, whether from the customer network via the DRG or from the Identity Service via the Service Gateway, is handled by local routing and requires no route rules.
  • The VCN route table routes traffic from the service endpoint in the VCN to the customer network via the DRG and to the Identity Service via the Service Gateway.

Deploy

It is assumed deployers belong to OCI groups granted permissions via OCI policy rules to manage deployment components, including creating compartments if necessary.

Several frameworks exist to deploy the components.

A typical provisioning sequence for all frameworks follows:

  1. Use the VCN hosting an Oracle Analytics service endpoint or create a VCN for access to an Oracle Analytics service.
  2. Use an existing DRG or create one.
  3. Use an existing DRG attachment to the VCN or create one.
  4. Use an existing Service Gateway in the VCN or create one.
  5. Deploy FastConnect and/or VPN with CPE and connect to the DRG.
  6. Create the following routing tables:
    • A DRG route table for traffic to the Service Gateway.
    • A Service Gateway route table for traffic to the DRG.
    • A VCN route table for traffic to the DRG and Service Gateway.
  7. If using a service endpoint, update or create a security list for egress and ingress to the DRG and Service Gateway.
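To make the route-table requirements of step 6 concrete, here is an added example (not part of this post and not Oracle tooling) that models the three route tables described in the Components section and resolves the next hop for each flow in the component diagrams, including the return path. The CIDRs, the prefixes standing in for the regional service label, and the host addresses are constructed.

```python
"""Route-resolution walk-through for the private-access design in this post.
Added example (not Oracle's code); the CIDRs and service-label contents are
constructed stand-ins, not real Oracle Services Network ranges."""
import ipaddress

ON_PREM = ipaddress.ip_network("10.10.0.0/16")  # constructed customer network
VCN = ipaddress.ip_network("10.20.0.0/16")      # constructed VCN hosting the endpoint
# Stand-in for the regional "All ... Services in Oracle Services Network" label.
SERVICE_LABEL = [ipaddress.ip_network("192.0.2.0/24"),      # Oracle Analytics service
                 ipaddress.ip_network("198.51.100.0/24")]   # Identity service

# Route tables as the post describes them: (destination prefixes, next hop).
# Traffic to the VCN's own CIDR needs no rule; the post calls this local routing.
PREPARED = {
    "DRG": [(SERVICE_LABEL, "SGW")],                      # customer -> services
    "SGW": [([ON_PREM], "DRG")],                          # services -> customer
    "VCN": [([ON_PREM], "DRG"), (SERVICE_LABEL, "SGW")],  # endpoint -> both
}

def next_hop(tables, table, dst):
    """Local routing first, then longest-prefix match over the table's rules."""
    addr = ipaddress.ip_address(dst)
    if addr in VCN:
        return "LOCAL"
    best = None
    for prefixes, target in tables[table]:
        for prefix in prefixes:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, target)
    return best[1] if best else None

def flows(tables):
    """(forward, return) next hops for the three flows in the component diagrams."""
    service, identity = "192.0.2.10", "198.51.100.20"  # constructed service addresses
    on_prem_host, endpoint = "10.10.1.5", "10.20.1.8"  # constructed hosts
    return {
        "on-prem -> Analytics service": (next_hop(tables, "DRG", service),
                                         next_hop(tables, "SGW", on_prem_host)),
        "on-prem -> service endpoint": (next_hop(tables, "DRG", endpoint),
                                        next_hop(tables, "VCN", on_prem_host)),
        "endpoint -> Identity service": (next_hop(tables, "VCN", identity),
                                         next_hop(tables, "SGW", endpoint)),
    }

def broken_flows(tables):
    """Flows that would be dropped because one direction has no matching route."""
    return sorted(name for name, hops in flows(tables).items() if None in hops)

if __name__ == "__main__":
    # Omitting the Service Gateway route table strands the return traffic.
    print(flows(PREPARED), broken_flows({**PREPARED, "SGW": []}))
```

Dropping the on-premises rule from the Service Gateway route table leaves the forward path intact but the return path unrouted, which is the asymmetric failure a practitioner should check for after step 6.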

Explore More

Refer to the Overview of Private Fusion Analytics for references to other posts in the series.

Explore and learn more about Fusion Analytics by visiting the community links, blogs, and library.

Implementing Oracle Fusion Analytics Series

Fusion Analytics Implementation Guide

CEAL Implementation Guidance Sessions, September 2023

Fusion Analytics Community

Fusion Analytics Blogs

Fusion Analytics Library


Dayne Carley
