
Published Version 3 on December 9th, 2023.
Oracle Analytics is a complete platform with ready-to-use services for various workloads and data. Oracle Analytics offers valuable, actionable insights from all types of data in the cloud, on-premises, and hybrid sources. It empowers business users, data engineers, and data scientists to access and process relevant data, evaluate predictions, and make quick, accurate decisions. Oracle Analytics services are accessed via the OSN (Oracle Services Network) or private service endpoints (IP addresses).
Two services used as examples in this post are Oracle Analytics Cloud and Oracle Fusion Analytics, a component of the Oracle Fusion Data Intelligence Platform.
In the architecture diagrams, they are referred to as an Oracle Analytics Service.
This post does not cover Oracle Analytics Server for on-premises deployments of Oracle Analytics Cloud.
Among other things, the DNS (Domain Name System) translates and resolves FQDNs (Fully Qualified Domain Names) into numerical IP addresses.
Unlike public Oracle Analytics services, those with service endpoints have FQDNs that are not publicly accessible from the internet and use private DNS methods to resolve the names.
This post is a member of the Private Fusion Analytics series. It builds upon the foundation described in Prepare Network Components for Private Access to Oracle Fusion Analytics Service Endpoints and is a companion post to Access Oracle Fusion Analytics Service Endpoints Publicly.
Note: Although a Private Fusion Analytics series member, this post also applies to Public Oracle Analytics (services with public IP addresses).
It illustrates the private access flow for public Oracle Analytics services. It also provides guidance on setting up the DNS components and illustrates the private access flows for service endpoints. Architectural diagrams, component descriptions, access flows, and links for additional references are included.
Scenarios
Two scenarios are presented:
- Public Oracle Analytics Service
- Private Oracle Analytics Service Endpoint
Alternative Methods
This post presents four alternative methods for resolving an Oracle Analytics service FQDN.
- A public internet DNS resolver.
- A local DNS resolver file on a client workstation.
- A customer DNS resolver.
- An OCI (Oracle Cloud Infrastructure) DNS resolver in a VCN (Virtual Cloud Network).

Two initial and four prepared architecture diagrams are presented. All diagrams depict the network components that support private network traffic.
Initial States
Public Oracle Analytics Service Scenario

This diagram depicts a provisioned public Oracle Analytics service in the OSN.
Private Oracle Analytics Service Endpoint Scenario

This diagram depicts a provisioned private Oracle Analytics service endpoint in an OCI VCN.
Prepared States
Prepared states are presented for the alternative methods.
Public Oracle Analytics Service Scenario – Public DNS Resolver

This diagram depicts a public internet DNS resolver for a public Oracle Analytics service. The specific resolver used depends on client settings.
Private Oracle Analytics Service Endpoint Scenario – Local DNS Resolver

This diagram depicts a local client DNS resolver file.
Private Oracle Analytics Service Endpoint Scenario – Customer DNS Resolver

This diagram depicts private zone records in the customer DNS.
Private Oracle Analytics Service Endpoint Scenario – OCI DNS Resolver

This diagram depicts a forwarder in the Customer DNS and an OCI DNS listener endpoint.

This section describes the additional and updated components depicted in the architecture diagrams.
Service Components
Oracle Services Network
The OSN is a conceptual network in OCI reserved for Oracle services. It comprises a list of regional CIDR service labels, e.g., All PHX Services in Oracle Services Network, for the Oracle services available in the US Phoenix region.
The OSN hosts the Oracle Analytics service in both scenarios.
Oracle Analytics Service
In both scenarios, the Oracle Analytics service resides in the OSN.
Public Oracle Analytics Service Scenario
The Oracle Analytics service has a public IP address.
Private Oracle Analytics Endpoint Scenario
The Oracle Analytics service has a service endpoint with a private IP address.
Oracle Analytics Service Endpoint
Private Oracle Analytics Service Endpoint Scenario
The Oracle Analytics service endpoint provides ingress to the Oracle Analytics Service via a service endpoint in the Oracle Analytics VCN.
Oracle Identity Service
The Oracle Identity service is either an Identity Cloud Service (IDCS) stripe or an OCI Identity Domain that authenticates and authorizes users.
Pre-existing Network Components
Pre-existing network components are described in the blog posts noted in the introduction.
DNS Components
DNS
The DNS (Domain Name System) translates and resolves FQDNs (Fully Qualified Domain Names) into numerical IP addresses.
Public Oracle Analytics Service Scenario – Public DNS
Public DNS is accessible from the internet and contains public zones.
Private Oracle Analytics Service Endpoint Scenario – Private DNS
Private DNS is not accessible from the internet, contains private zones, and may include listening endpoints and forwarding records.
Local DNS Resolver Alternative
The DNS resides on the client workstation.
Customer DNS Resolver Alternative
The DNS resides in the customer environment.
OCI DNS Resolver Alternative
The DNS resides in the OCI VCN.
DNS Zones
DNS zones are used in all alternatives. They are collections of resource records that share a domain. For example, oraclecloud.com is a zone containing FQDN records ending in oraclecloud.com.
Public zones contain publicly available FQDNs reachable on the internet and are registered with a DNS registrar.
Private Oracle Analytics Service Endpoint Scenario – Private DNS Zones
Private zones contain private FQDNs not registered with a DNS registrar.
Local DNS Resolver Alternative
The client workstation’s local /etc/hosts file acts as the private zone.
Customer DNS Resolver Alternative
The custom private zone resides in the customer environment.
OCI DNS Resolver Alternative
The prebuilt private zone resides in the OCI VCN.
DNS Resource Records
DNS resource records are used in all alternatives. A DNS contains many types of resource records. This post focuses on “A” type records that map Oracle Analytics FQDNs to IP addresses.
Commercial DNS products differ in their features and implementation. Customer DNS examples are shown using OCI DNS features.
Public Oracle Analytics Service Scenario – Public Resource Records
Public DNS Zones have the Oracle Analytics service resource records containing the FQDNs and public IP addresses.
Private Oracle Analytics Service Endpoint Scenario – Private Resource Records
Oracle Analytics service resource records containing the FQDNs and private IP addresses are stored in private DNS zones. Example zone records are below:

Local DNS Resolver Alternative
The local /etc/hosts file on the client workstation contains the resource records. An example is below:

Customer DNS Resolver Alternative
The custom private zone resides in the customer environment.
OCI DNS Resolver Alternative
The prebuilt private zone resides in the OCI VCN.
Local DNS Resolver
The client workstation’s local /etc/hosts file acts as the private zone. It is used to resolve Oracle Analytics FQDNs into IP addresses. Its use is suitable as an initial method for Oracle Analytics administrators immediately after creating an instance with a service endpoint.
Some drawbacks to its use are:
- It is not a scalable solution for many users.
- Depending on the settings in the operating system:
  - It may not be used or modifiable.
  - It may override the use of DNS private zones if not removed.
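The last drawback can be checked for directly. The following is an added example, not part of the original post: it compares hosts-file entries against the private zone's A records and reports entries that would shadow the zone. All hostnames and IP addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample data: hostnames and addresses are placeholders,
# not real Oracle Analytics endpoints.
ZONE_RECORDS = {
    "oac-demo.analytics.example.oraclecloud.com.": "10.0.1.10",
    "fawdemo.analytics.example.oraclecloud.com.": "10.0.1.11",
}

SAMPLE_HOSTS = """\
127.0.0.1   localhost
# added by an administrator right after provisioning
10.0.1.10   oac-demo.analytics.example.oraclecloud.com oac-demo
10.0.9.99   FAWDEMO.analytics.example.oraclecloud.com   # endpoint later re-created
"""


def parse_hosts(text):
    """Yield (ip, name) pairs from hosts-file text, skipping comments and blanks."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: not a usable entry
        for name in fields[1:]:
            yield ip, name.rstrip(".").lower()


def audit_hosts(hosts_text, zone_records):
    """Return (name, hosts_ip, zone_ip, status) for entries shadowing the zone."""
    zone = {n.rstrip(".").lower(): ip for n, ip in zone_records.items()}
    findings = []
    for ip, name in parse_hosts(hosts_text):
        if name not in zone:
            continue  # unrelated entry, e.g. localhost or a short alias
        status = "redundant" if ip == zone[name] else "stale"
        findings.append((name, ip, zone[name], status))
    return findings


if __name__ == "__main__":
    for name, hosts_ip, zone_ip, status in audit_hosts(SAMPLE_HOSTS, ZONE_RECORDS):
        print(f"{status:9} {name}: hosts={hosts_ip} zone={zone_ip}")
```

A "stale" finding means the workstation would keep connecting to an address the private zone no longer serves; a "redundant" finding is harmless today but becomes stale as soon as the zone record changes.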
DNS Forwarder
A DNS forwarder is a component in the OCI DNS Resolver alternative. It conditionally forwards DNS queries containing Oracle Analytics FQDNs to an OCI DNS listener for resolution.
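The conditional match a forwarder performs, as an added illustration that is not part of the original post and is not tied to any DNS product: the rule must match whole DNS labels, so that lookalike names are not sent to the OCI DNS listener. The zone suffix, listener IP address, and default upstream name are constructed placeholders.

```python
# Constructed values: zone suffix, listener IP and default upstream are placeholders.
FORWARD_RULES = {
    "analytics.example.oraclecloud.com": "10.0.2.53",  # OCI DNS listener (assumed IP)
}
DEFAULT_UPSTREAM = "customer-recursive-resolver"


def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing root dot."""
    return [part for part in name.rstrip(".").lower().split(".") if part]


def select_upstream(qname, rules=FORWARD_RULES, default=DEFAULT_UPSTREAM):
    """Pick the upstream for qname by longest label-aligned suffix match."""
    q = labels(qname)
    best_len, best = 0, default
    for suffix, upstream in rules.items():
        s = labels(suffix)
        # Compare label lists, not raw strings: a plain endswith() would also
        # match "evilanalytics.example.oraclecloud.com".
        if len(s) <= len(q) and q[len(q) - len(s):] == s and len(s) > best_len:
            best_len, best = len(s), upstream
    return best


if __name__ == "__main__":
    for name in (
        "oac-demo.analytics.example.oraclecloud.com",
        "evilanalytics.example.oraclecloud.com",
        "www.example.org",
    ):
        print(f"{name} -> {select_upstream(name)}")
```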
OCI DNS Listener
An OCI DNS listener is a component in the OCI DNS Resolver alternative. It receives forwarded DNS queries containing Oracle Analytics FQDNs, sends them to the OCI DNS resolver for resolution, and returns the resulting IP addresses. It is part of an Oracle Analytics VCN DNS resolver and is deployed as a service endpoint in a private subnet.

It is assumed deployers belong to OCI groups granted permissions via OCI policy rules to manage deployment components, including creating compartments if necessary.
Several frameworks exist to deploy the components:
A typical provisioning sequence for all frameworks follows:
- For the Public Oracle Analytics Service scenario, no deployment is required.
- For the Private Oracle Analytics Service Endpoint scenario:
  - Obtain the FQDNs and associated IP addresses of the Oracle Analytics service endpoints.
  - Use the Local DNS Resolver alternative and create /etc/hosts files for use by administrators immediately after instance provisioning.
  - For the Customer DNS alternative:
    - Create private zones with resource records containing the FQDNs and associated IP addresses.
  - For the OCI DNS alternative:
    - Create an OCI DNS listener endpoint in the Oracle Analytics VCN and note the IP address.
    - Create a forwarder in the customer DNS to forward queries containing Oracle Analytics FQDNs to the OCI DNS listener IP address.
  - Remove the /etc/hosts files used by administrators.

Access flow diagrams are presented for the alternative methods.
Public DNS Resolver

This diagram depicts the following:
- A client browser or application queries and receives a response from a public internet DNS resolver. The specific resolver queried depends on client settings.
- The client browser or application authenticates via the CPE, DRG, and Service Gateway and connects via the CPE and DRG.
Local DNS Resolver

This diagram depicts the following:
- DNS
  - A client browser or application sends a DNS query for an Oracle Analytics FQDN.
  - The client operating system uses the /etc/hosts file to obtain the IP address.
  - The result is returned to the client browser or application.
- The client browser or application authenticates via the CPE, DRG, and Service Gateway and connects via the CPE and DRG.
Customer DNS Resolver

This diagram depicts the following:
- DNS
  - A client browser or application queries the Customer DNS resolver with an Oracle Analytics FQDN.
  - The Customer DNS resolver uses the private DNS zone to obtain the IP address.
  - The result is returned to the client browser or application.
- The client browser or application authenticates via the CPE, DRG, and Service Gateway and connects via the CPE and DRG.
OCI DNS Resolver

This diagram depicts the following:
- DNS
  - A client browser or application queries the Customer DNS resolver with an Oracle Analytics FQDN.
  - The Customer DNS forwarder sends the query to the OCI DNS listener.
  - The OCI DNS listener uses the VCN DNS resolver to obtain the IP address.
  - The result is returned to the client browser or application.
- The client browser or application authenticates via the CPE, DRG, and Service Gateway and connects via the CPE and DRG.

Refer to the Overview of Private Fusion Analytics for references to other posts in the series.
Explore and learn more about Fusion Analytics by visiting the community links, blogs, and library.
Implementing Oracle Fusion Analytics Series
Fusion Analytics Implementation Guide

