Access Oracle Fusion Analytics Service Endpoints Privately

December 4, 2023

Published Version 3 on December 9th, 2023.

Introduction

Oracle Analytics is a complete platform with ready-to-use services for various workloads and data. Oracle Analytics offers valuable, actionable insights from all types of data in the cloud, on-premises, and hybrid sources. It empowers business users, data engineers, and data scientists to access and process relevant data, evaluate predictions, and make quick, accurate decisions. Oracle Analytics services are accessed via the OSN (Oracle Services Network) or private service endpoints (IP addresses).

Two services used as examples in this post are Oracle Analytics Cloud and Oracle Fusion Analytics, a component of the Oracle Fusion Data Intelligence Platform.
In the architecture diagrams, they are referred to as an Oracle Analytics Service.

Note: This post does not cover Oracle Analytics Server for on-premises deployments of Oracle Analytics Cloud.

Among other things, the DNS (Domain Name System) translates and resolves FQDNs (Fully Qualified Domain Names) into numerical IP addresses.

Unlike public Oracle Analytics services, those with service endpoints have FQDNs that are not publicly accessible from the internet and use private DNS methods to resolve the names.

This post is a member of the Private Fusion Analytics series. It builds upon the foundation described in Prepare Network Components for Private Access to Oracle Fusion Analytics Service Endpoints and is a companion post to Access Oracle Fusion Analytics Service Endpoints Publicly.

Note: Although a Private Fusion Analytics series member, this post also applies to Public Oracle Analytics (services with public IP addresses).

It illustrates the private access flow for public Oracle Analytics services. It also provides guidance on setting up the DNS components and illustrates the private access flows for service endpoints. Architectural diagrams, component descriptions, access flows, and links for additional references are included.


Scenarios

Two scenarios are presented:

  • Public Oracle Analytics Service
  • Private Oracle Analytics Service Endpoint

Alternative Methods

This post presents four alternative methods for resolving an Oracle Analytics service FQDN.

  • A public internet DNS resolver.
  • A local DNS resolver file on a client workstation.
  • A customer DNS resolver.
  • An OCI (Oracle Cloud Infrastructure) DNS resolver in a VCN (Virtual Cloud Network).
Architecture

Two initial and four prepared architecture diagrams are presented. All diagrams depict the network components that support private network traffic.


Initial States

Public Oracle Analytics Service Scenario

[Diagram: Public initial state]

This diagram depicts a provisioned public Oracle Analytics service in the OSN.


Private Oracle Analytics Service Endpoint Scenario

[Diagram: Private initial state]

This diagram depicts a provisioned private Oracle Analytics service endpoint in an OCI VCN.


Prepared States

Prepared states are presented for the alternative methods.


Public Oracle Analytics Service Scenario - Public DNS Resolver

[Diagram: Public prepared state]

This diagram depicts a public internet DNS resolver for a public Oracle Analytics service. The specific resolver used depends on client settings.


Private Oracle Analytics Service Endpoint Scenario - Local DNS Resolver

[Diagram: /etc/hosts local resolver]

This diagram depicts a local client DNS resolver file.


Private Oracle Analytics Service Endpoint Scenario - Customer DNS Resolver

[Diagram: Customer DNS]

This diagram depicts private zone records in the customer DNS.


Private Oracle Analytics Service Endpoint Scenario - OCI DNS Resolver

[Diagram: Oracle Analytics private access with OCI DNS]

This diagram depicts a forwarder in the Customer DNS and an OCI DNS listener endpoint.

Components

This section describes the additional and updated components depicted in the architecture diagrams.


Service Components

Oracle Services Network

The OSN is a conceptual network in OCI reserved for Oracle services. It comprises a list of regional CIDR service labels, e.g., All PHX Services in Oracle Services Network, for the Oracle services available in the US Phoenix region.

The OSN hosts the Oracle Analytics service in both scenarios.


Oracle Analytics Service

In both scenarios, the Oracle Analytics service resides in the OSN.


Public Oracle Analytics Service Scenario

The Oracle Analytics service has a public IP address.


Private Oracle Analytics Endpoint Scenario

The Oracle Analytics service has a service endpoint with a private IP address.


Oracle Analytics Service Endpoint

Private Oracle Analytics Service Endpoint Scenario

The Oracle Analytics service endpoint provides ingress to the Oracle Analytics Service via a service endpoint in the Oracle Analytics VCN.


Oracle Identity Service

Either an Identity Cloud Service (IDCS) stripe or an OCI Identity Domain for authenticating and authorizing users.


Pre-existing Network Components

Pre-existing network components are described in the blog posts noted in the introduction.


DNS Components

DNS

The DNS (Domain Name System) translates and resolves FQDNs (Fully Qualified Domain Names) into numerical IP addresses.


Public Oracle Analytics Service Scenario - Public DNS

Public DNS is accessible from the internet and contains public zones.


Private Oracle Analytics Service Endpoint Scenario - Private DNS

Private DNS is not accessible from the internet, contains private zones, and may include listening endpoints and forwarding records.

Local DNS Resolver Alternative

The DNS resides on the client workstation.


Customer DNS Resolver Alternative

The DNS resides in the customer environment.


OCI DNS Resolver Alternative

The DNS resides in the OCI VCN.


DNS Zones

DNS zones are used in all alternatives. They are collections of resource records that share a domain. For example, oraclecloud.com is a zone containing FQDN records ending in oraclecloud.com.

Public Oracle Analytics Service Scenario - Public DNS Zones

Public zones contain publicly available FQDNs reachable on the internet and are registered with a DNS registrar.

Private Oracle Analytics Service Endpoint Scenario - Private DNS Zones

Private zones contain private FQDNs not registered with a DNS registrar.

Local DNS Resolver Alternative

The client workstation's local /etc/hosts file acts as the private zone.


Customer DNS Resolver Alternative

The custom private zone resides in the customer environment.


OCI DNS Resolver Alternative

The prebuilt private zone resides in the OCI VCN.


DNS Resource Records

DNS resource records are used in all alternatives. A DNS contains many types of resource records. This post focuses on "A" type records that map Oracle Analytics FQDNs to IP addresses.

Commercial DNS products differ in their features and implementation. Customer DNS examples are shown using OCI DNS features.


Public Oracle Analytics Service Scenario - Public Resource Records

Public DNS Zones have the Oracle Analytics service resource records containing the FQDNs and public IP addresses.


Private Oracle Analytics Service Endpoint Scenario - Private Resource Records

Oracle Analytics service resource records containing the FQDNs and private IP addresses are stored in private DNS zones. Example zone records are below:

[Image: example zone records]

Local DNS Resolver Alternative

The local /etc/hosts file on the client workstation contains the resource records. An example is below:

[Image: example /etc/hosts file]


Customer DNS Resolver Alternative

The custom private zone resides in the customer environment.


OCI DNS Resolver Alternative

The prebuilt private zone resides in the OCI VCN.


Local DNS Resolver

The client workstation's local /etc/hosts file acts as the private zone. It is used to resolve Oracle Analytics FQDNs into IP addresses. Its use is suitable as an initial method for Oracle Analytics administrators immediately after creating an instance with a service endpoint.

Some drawbacks to its use are:

  • It is not a scalable solution for many users.
  • Depending on the settings in the operating system:
    • It may not be used or modifiable.
    • It may override the use of DNS private zones if not removed.

DNS Forwarder

A DNS forwarder is a component in the OCI DNS Resolver alternative. It conditionally forwards DNS queries containing Oracle Analytics FQDNs to an OCI DNS listener for resolution.


OCI DNS Listener

An OCI DNS listener is a component in the OCI DNS Resolver alternative. It receives forwarded DNS queries containing Oracle Analytics FQDNs, sends them to the OCI DNS resolver for resolution, and returns the resulting IP addresses. It is part of an Oracle Analytics VCN DNS resolver and is deployed as a service endpoint in a private subnet.

Deploy

It is assumed deployers belong to OCI groups granted permissions via OCI policy rules to manage deployment components, including creating compartments if necessary.

Several frameworks exist to deploy the components:

A typical provisioning sequence for all frameworks follows:

  • For the Public Oracle Analytics Service scenario, no deployment is required.
  • For the Private Oracle Analytics Service Endpoint scenario:
    1. Obtain the FQDNs and associated IP addresses of the Oracle Analytics service endpoints.
    2. Use the Local DNS Resolver alternative and create /etc/hosts files for use by administrators immediately after instance provisioning.
    3. For the Customer DNS alternative:
      • Create private zones with resource records containing the FQDNs and associated IP addresses.
    4. For the OCI DNS alternative:
      1. Create an OCI DNS listener endpoint in the Oracle Analytics VCN and note the IP address.
      2. Create a forwarder in the customer DNS to forward queries containing Oracle Analytics FQDNs to the OCI DNS listener IP address.
    5. Remove the /etc/hosts files used by administrators.
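
Step 5 matters because a leftover /etc/hosts entry may override the private zone, as noted under Local DNS Resolver. The following audit is an added example, not code from the original post; the hostnames, addresses and the `audit_hosts` helper are constructed for illustration, and only the oraclecloud.com zone name comes from the text.

```python
import ipaddress

ANALYTICS_SUFFIX = ".oraclecloud.com"  # zone named in the post

# Constructed sample /etc/hosts content; names and addresses are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# added by an administrator right after provisioning
10.0.1.25   oac-example.analytics.ocp.oraclecloud.com   oac   # private endpoint
10.0.1.99   fa-example.analytics.ocp.oraclecloud.com
::1         localhost ip6-localhost
"""

# Constructed answers that the private zone or OCI DNS listener would return.
SAMPLE_DNS = {
    "oac-example.analytics.ocp.oraclecloud.com": "10.0.1.25",
    "fa-example.analytics.ocp.oraclecloud.com": "10.0.1.40",
}

def parse_hosts(text):
    """Yield (ip, name) for every name on every usable hosts line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip malformed lines
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def audit_hosts(text, dns_answers, suffix=ANALYTICS_SUFFIX):
    """Return (name, hosts_ip, dns_ip, status) for entries that shadow DNS."""
    findings = []
    for ip, name in parse_hosts(text):
        if not name.endswith(suffix):
            continue
        expected = dns_answers.get(name)
        if expected is None:
            status = "no-dns-record"  # the private zone does not know this name
        elif ipaddress.ip_address(expected) == ip:
            status = "redundant"      # same answer, but still bypasses the zone
        else:
            status = "stale"          # hosts file points somewhere DNS does not
        findings.append((name, str(ip), expected, status))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, SAMPLE_DNS):
        print(finding)
```

Populate `dns_answers` from a query sent directly to the resolver (for example with dig), since lookups made through the operating system may consult the hosts file first.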
Access Flows

Access flow diagrams are presented for the alternative methods.


Public DNS Resolver

[Diagram: Public access flow]

This diagram depicts the following:

  1. A client browser or application queries and receives a response from a public internet DNS resolver. The specific resolver queried depends on client settings.
  2. The client browser or application authenticates via the CPE, DRG, and Service Gateway and connects via the CPE and DRG.

Local DNS Resolver

[Diagram: Local /etc/hosts access flow]

This diagram depicts the following:

  1. DNS
    1. A client browser or application sends a DNS query for an Oracle Analytics FQDN.
    2. The client operating system uses the /etc/hosts file to obtain the IP address.
    3. The result is returned to the client browser or application.
  2. The client browser or application authenticates via the CPE, DRG, and Service Gateway and connects via the CPE and DRG.

Customer DNS Resolver

[Diagram: Private access flow with the customer resolver]

This diagram depicts the following:

  1. DNS
    1. A client browser or application queries the Customer DNS resolver with an Oracle Analytics FQDN.
    2. The Customer DNS resolver uses the private DNS zone to obtain the IP address.
    3. The result is returned to the client browser or application.
  2. The client browser or application authenticates via the CPE, DRG, and Service Gateway and connects via the CPE and DRG.

OCI DNS Resolver

[Diagram: Private access flow with OCI DNS]

This diagram depicts the following:

  1. DNS
    1. A client browser or application queries the Customer DNS resolver with an Oracle Analytics FQDN.
    2. The Customer DNS forwarder sends the query to the OCI DNS listener.
    3. The OCI DNS listener uses the VCN DNS resolver to obtain the IP address.
    4. The result is returned to the client browser or application.
  2. The client browser or application authenticates via the CPE, DRG, and Service Gateway and connects via the CPE and DRG.
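
The DNS portion of this flow can be modelled in a few lines to show why the forwarder rule should match whole labels only, so that just the intended zone is sent to the OCI DNS listener. This is an added example, not code from the original post; the zone name, all IP addresses and the functions are constructed assumptions.

```python
# Constructed forwarder table: zone -> upstream resolver address.
# 10.0.2.53 stands in for the OCI DNS listener IP noted during deployment.
FORWARDERS = {"analytics.ocp.oraclecloud.com": "10.0.2.53"}
DEFAULT_UPSTREAM = "192.0.2.53"  # placeholder for the customer's usual upstream

# Constructed private zone answered by the VCN resolver behind the listener.
VCN_PRIVATE_ZONE = {"oac-example.analytics.ocp.oraclecloud.com": "10.0.1.25"}

def labels(name):
    """Split a name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def pick_upstream(qname, forwarders=FORWARDERS, default=DEFAULT_UPSTREAM):
    """Longest-suffix match on whole labels; unmatched names use the default."""
    q = labels(qname)
    best, best_len = default, 0
    for zone, upstream in forwarders.items():
        z = labels(zone)
        if len(z) <= len(q) and q[-len(z):] == z and len(z) > best_len:
            best, best_len = upstream, len(z)
    return best

def resolve(qname):
    """Model steps 1.1 to 1.4: customer resolver, forwarder, listener, VCN zone."""
    upstream = pick_upstream(qname)
    if upstream == DEFAULT_UPSTREAM:
        # Not an Oracle Analytics name: it never reaches the OCI listener.
        return {"qname": qname, "via": upstream, "answer": None}
    answer = VCN_PRIVATE_ZONE.get(".".join(labels(qname)))
    return {"qname": qname, "via": upstream, "answer": answer}

if __name__ == "__main__":
    for name in ("oac-example.analytics.ocp.oraclecloud.com",
                 "notanalytics.ocp.oraclecloud.com",  # shares characters, not labels
                 "www.example.com"):
        print(resolve(name))
```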
Explore More

Refer to the Overview of Private Fusion Analytics for references to other posts in the series.

Explore and learn more about Fusion Analytics by visiting the community links, blogs, and library.

Implementing Oracle Fusion Analytics Series

Fusion Analytics Implementation Guide

CEAL Implementation Guidance Sessions, September 2023

Fusion Analytics Community

Fusion Analytics Blogs

Fusion Analytics Library


Dayne Carley

