Redwood

Published Version 4 on July 6th, 2024.

Introduction

Oracle Fusion Analytics (Fusion Analytics) is a component of the Oracle Fusion Data Intelligence (FDI) platform designed to deliver personalized insights for Oracle Fusion Cloud Applications (Fusion Cloud Applications). It combines business data, ready-to-use analytics, and prebuilt AI and machine learning (ML) models to deliver deep insights and actionable results.

This post is a member of the Private Fusion Analytics series. It builds upon the foundation described in Use Custom Hostnames for Oracle Fusion Analytics.

It provides guidance for setting up the OCI (Oracle Cloud Infrastructure) network components required to use custom hostnames to access Fusion Analytics service endpoints via the internet. Architectural diagrams, component descriptions, access flows, and links for additional references are included.

Note: This post describes using a custom hostname for two FDI web services, one of which is OAC (Oracle Analytics Cloud). It does not cover using a custom hostname for the FDI ADW (Autonomous Data Warehouse). The Call to Action includes links to relevant ADW documentation.

Note: The Vanity URL feature available in standalone instances of OAC offers more functionality than the method described in this post. However, it is unavailable in the current release of Fusion Analytics. The method described in this post may also be used for standalone instances of OAC if desired.

Use Case

Custom hostnames enable customers to use their registered domains for Fusion Analytics services and a single hostname for multiple web services.

The following shows the format of the Fusion Analytics prebuilt hostnames as of the current release.

  • Fusion Analytics Console
    • <instance name>-<tenancy name>-prod.data.analyticsapps.<region name>.ocs.oraclecloud.com
  • Oracle Analytics Cloud
    • oax<instance name>-<tenancy object storage namespace>-to.analytics.ocp.oraclecloud.com

The following shows an example format of a custom hostname used by Myorg, Inc., whose registered domain is myorg.com.

  • For all Fusion Analytics services
    • analytics.<environment>.myorg.com

Prerequisites

Following the guidance in this post requires:

  • Fusion Analytics Components
  • Custom hostname components described in Use Custom Hostnames for Oracle Fusion Analytics:
    • The custom hostname designated for the Fusion Analytics environment.
    • The certificate for the hostname signed by a CA (Certificate Authority).
  • Privileges to
    • Manage load-balancers, certificate-authority-family, and virtual-network-family in the compartment hosting the Fusion Analytics environment.
    • Create, register, and publish DNS entries for the custom hostnames.
Architecture

The architecture diagrams depict two alternatives described in Prepare DNS Components for Oracle Fusion Analytics Service Endpoints Internet Access.

Initial States

This diagram depicts the initial state of the Customer DNS alternative.


This diagram depicts the initial state of the OCI DNS alternative.


Prepared States

This diagram depicts the prepared state for the Customer DNS alternative.


This diagram depicts the prepared state for the OCI DNS alternative.

Components

This section describes the additional and updated components in the prepared-state architecture diagrams.

OCI Certificates Service

You must supply a certificate for standard SSL with a load balancer and its resources.

Oracle strongly recommends using the Certificates service for creating and managing certificates.
The service stores the uploaded custom hostname certificate.


Public Load Balancer

A public load balancer in a public subnet with a public IP address receives a Fusion Analytics URL containing a custom hostname and redirects it to the actual Fusion Analytics URL.

Load Balancer Rule Set

A rule set is associated with the load balancer’s listener and comprises rules and actions applied to inbound traffic.

Load Balancer URL Redirect Rules

A URL redirect rule specifies the path string and match condition the service uses to evaluate an incoming URL. URL redirect rules in the load balancer’s rule set specify how to redirect incoming URLs to destination URLs. A destination URL and response code are returned to the client.


Load Balancer Backend Set

A backend set is a logical entity associated with the load balancer listener. It is defined by a load balancing policy, a health check policy, and, optionally, a list of backend servers.

The default backend set is defined without backend servers, as they are unnecessary for URL redirection.


Load Balancer Listener

A listener is a logical entity that checks for incoming traffic on the load balancer’s IP address. For use with URL redirection, it handles HTTPS traffic arriving on port 443. It is configured with the following:

  • SSL using the custom hostname certificate managed by the Certificates service.
  • The load balancer rule set defined for URL redirection.

Customer DNS

The customer DNS is modified to add records to a public external zone.

Public External Zone Records

A DNS “A” record is added to a public external zone. It contains the load balancer’s custom hostname and public IP address.

Deploy

Several frameworks exist to deploy the components:

The Call to Action includes links to documentation for using the OCI console.

A typical provisioning sequence follows:

  1. Import the custom hostname certificate determined in Use Custom Hostnames for Oracle Fusion Analytics to the OCI Certificates Service.
  2. Create a public load balancer with a public IP address in a public subnet.

Tip: Use the public subnet containing the NLBs (Network Load Balancers) to utilize existing security rules.

  • Accept the defaults for the backend set. Do not add backend servers.
  • Configure the listener for the HTTPS protocol and port 443.
    • Configure SSL for the listener.
  3. Update the load balancer.
    • Create a rule set.
      • Add the URL redirection rules to the rule set.
    • Associate the rule set to the load balancer listener.

Notes for the rule set. Define a rule for these source paths: /ui, /ui/dv, /ui/analytics, and /ui/oax.

  • For the /ui source path rule:
    • In the Redirect to section:
      • Use /ui/dv as the Path.
  • For the /ui/dv, /ui/analytics, and /ui/oax source path rules:
    • In the Redirect to section:
      • Use the source path as the Path.
  • For all rules:
    • Use the Source path.
    • Use Force longest prefix match as the Match type.
    • Use the actual Fusion Analytics hostname as the Host.
      • Use the OAC hostname for the /ui, /ui/dv, and /ui/analytics source paths.
      • Use the Fusion Analytics console hostname for the /ui/oax source path.
    • Use https as the Redirect protocol.
    • Use 443 as the Redirect port.
    • Leave the Redirect query blank.
    • Use 301 - Moved Permanently as the Response code.
  • Example:

[Figure: URL Redirect Rule]

  4. Follow your organization’s procedures for adding a DNS record to the private internal zone containing the custom hostname and the load balancer’s private IP address.

An example may look like this:

Domain                   Type  TTL  RDATA
analytics.dev.myorg.com  A     500  129.35.20.68
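
Added example (not part of the original post and not Oracle's code): an offline Python model of the rule set from the notes above. It shows which rule a longest-prefix match selects for a request path and flags any rule whose redirect host is not one of the two expected hostnames. The hostnames are placeholders, and plain string-prefix matching is an assumption of the model.

```python
from urllib.parse import urlsplit

# Placeholder hostnames (constructed); substitute the environment's prebuilt hostnames.
OAC_HOST = "oac.example.invalid"
CONSOLE_HOST = "console.example.invalid"

# (source path, redirect host, redirect path), one entry per rule in the notes.
RULES = [
    ("/ui", OAC_HOST, "/ui/dv"),
    ("/ui/dv", OAC_HOST, "/ui/dv"),
    ("/ui/analytics", OAC_HOST, "/ui/analytics"),
    ("/ui/oax", CONSOLE_HOST, "/ui/oax"),
]
PROTOCOL, PORT, RESPONSE_CODE = "https", 443, 301


def select_rule(request_path, rules=RULES):
    """Pick the rule whose source path is the longest prefix of request_path.

    Assumption: the match is modelled as a plain string-prefix test.
    """
    matches = [rule for rule in rules if request_path.startswith(rule[0])]
    return max(matches, key=lambda rule: len(rule[0]), default=None)


def redirect_for(url, rules=RULES):
    """Return (status, Location) predicted by the model, or None if no rule matches."""
    rule = select_rule(urlsplit(url).path, rules)
    if rule is None:
        return None
    _, host, path = rule
    return RESPONSE_CODE, f"{PROTOCOL}://{host}:{PORT}{path}"


def audit(rules=RULES, allowed_hosts=(OAC_HOST, CONSOLE_HOST)):
    """Report duplicate source paths and redirect hosts outside the expected set."""
    findings, seen = [], set()
    for source, host, _ in rules:
        if source in seen:
            findings.append(f"{source}: duplicate source path")
        seen.add(source)
        if host not in allowed_hosts:
            findings.append(f"{source}: unexpected host {host}")
    return findings


if __name__ == "__main__":
    for path in ("/ui", "/ui/dv/home", "/ui/analytics", "/ui/oax/console", "/other"):
        print(path, "->", redirect_for("https://analytics.dev.myorg.com" + path))
    print("audit findings:", audit())
```

Running the audit against an export of the deployed rule set before publishing the DNS record catches a rule that points at an unintended host.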

Access Flows

After the components are deployed, custom hostnames can be used to access Fusion Analytics service endpoints.

This diagram depicts the access flow for the Customer DNS alternative.

  1. A client browser sends a DNS query with the Fusion Analytics custom hostname. The query is resolved with the record in the public external zone, and the LB (Load Balancer) IP is returned.

  2. The browser sends an HTTPS request to the LB with the Fusion Analytics custom hostname. The load balancer evaluates the URL path and match rules and returns the Fusion Analytics hostname.

  3. The browser sends a DNS query with the Fusion Analytics hostname. The query is resolved with a record in the private internal zone, and the NLB IP is returned.

  4. The browser sends an HTTPS request with the Fusion Analytics hostname to the NLB. The NLB forwards it to the Fusion Analytics web service.


This diagram depicts the access flow for the OCI DNS alternative.

  1. A client browser sends a DNS query with the Fusion Analytics custom hostname. The query is resolved with the record in the public external zone, and the LB (Load Balancer) IP is returned.

  2. The browser sends an HTTPS request to the LB with the Fusion Analytics custom hostname. The LB evaluates the URL path and match rules and returns the Fusion Analytics hostname.

  3. The browser sends a DNS query with the Fusion Analytics hostname. The query is forwarded by the customer DNS to the OCI DNS listener. OCI DNS resolves the query and returns the NLB IP address.

  4. The browser sends an HTTPS request with the Fusion Analytics hostname to the NLB. The NLB forwards it to the Fusion Analytics web service.

Call to Action

Refer to the Overview of Private Fusion Analytics for references to other posts in the series.

Explore the components used in this post. DNS server software uses various methods to create DNS zones. Below is a link to the OCI DNS method. Explore Fusion Analytics by visiting the community links, blogs, and library.