Using Network Path Analyzer and Visualiser to troubleshoot OCI GoldenGate connectivity issues

February 4, 2025 | 11 minute read
Shrinidhi Kulkarni
Principal Product Manager
Atefeh (Ati) Yousefi Attaei
Senior Cloud Network Engineer | North America Cloud Engineering
Text Size 100%:

Network Visualizer:

An Oracle virtual network is composed of virtual cloud networks (VCNs), subnets, gateways, and other resources. These entities are related and connected through routing that's often complex. These resources can also have complex relationships with other Oracle Cloud Infrastructure (OCI) services.

VCN components

Having a concise picture of these entities and their relationships is essential for understanding the design and operation of a virtual network. The Network Visualizer  provides a diagram of the implemented topology of all VCNs in a selected region and tenancy.

Network visualiser

Network Path Analyzer (NPA)  

Network Path Analyzer (NPA)  is a diagnostic tool provided by OCI to help users troubleshoot and optimize network paths within their cloud environments. This tool is particularly useful for identifying potential network issues.

NPA carefully examines routing and security configurations and identifies the potential network path your defined traffic traverses, along with information about virtual networking entities in the path. In addition to the path information, the output of these checks includes how routing rules and network access lists (security lists, NSGs, and so on) allow or deny traffic. The sources and destinations could be within OCI, or across OCI and on-premises, or OCI and internet. 

NPA Example

Using NPA, you can:

  • Troubleshoot routing and security misconfigurations that are causing connectivity issues between OCI GoldenGate and your source/target
  • Validate that the logical network paths match the intended route
  • Verify that the virtual network connectivity setup works as expected before starting data replication using OCI GoldenGate.

How to use Network Path Analyzer?

  • Network Path Analyzer is directly available under Networking on the Oracle Cloud Console. You only need to create and run a path analysis. An API is available for you to programmatically create, manage, and run your path analyses.
  • When creating a path analysis, specify
    • OCI GoldenGate Ingress IP as source and IP address of the GoldenGate source/ target as destination
    • TCP as network protocol
    • the source and the destination ports

Note:  Select "This IP address is an on-premises endpoint" option when you enter an on-premises IP address as a source or destination. OCI GoldenGate Ingress IP to be used within the NPA test depends on the Traffic Routing Method of connection,

  • Shared endpoint" then connection's traffic originates from the assigned deployment's Ingress IPs
  • "Dedicated endpoint" then connection has its own dedicated private endpoint in the selected subnet with its own Ingress IPs. The traffic of this connection originates from these two IP addresses.

 

Here are a couple of scenarios depicting how to use Network Path Analyzer to troubleshoot connectivity issues related to OCI GoldenGate:

Scenarios:

  • OCI GoldenGate Replication for ADB Source/Target
    • ADB Source/Target in different VCN (allowing access to specific VCN & IPs)
    • ADB Source/Target access restricted to Private access only
    • ADB Source/Target traffic not opened i.e., ingress rule            
  • OCI GoldenGate Replication for OCI Base Database service:
    • connectivity issues due to missing egress/ingress rules
    • connectivity issues due to missing Service Gateway/ NAT Gateway

 

Scenario A: An OCI GoldenGate deployment can’t communicate with the Autonomous Database.

In this scenario, the ADB source/target database is in a different VCN than the OCI GoldenGate deployment. Network Path Analyzer reveals that the routing connectivity is available between the two tiers, but the security list of the ADB subnet is missing the ingress policy to allow traffic from the OCI GoldenGate deployment to the destination port 1522. The NPA test results show that the routing status is successful, but the security status shows up as Denied.

Test connection from OCI GoldenGate to the ADB fails with the below error
 

connection test error

Run an NPA test to analyse each hop between between OCI GoldenGate and Source/Target endpoint

NPA Results

NPA Error

Note: NPA considers the union of all the security rules configured within NSG and Subnet Security Lists attached at the subnet level. We can go ahead and add the required ingress rule in the security list to allow traffic.

We can go ahead and add the required ingress rule in the security list to allow traffic.

Adding Network Sec Rules

Once the changes are made, rerun the NPA test.

Run NPA Analysis

 

Scenario B : ADB Source/Target in different VCN (allowing access to specific VCN & IP addresses)

In this scenario, the ADB source/target database allows access only from specific listed VCN and IP addresses. Network Path Analyzer reveals that the routing connectivity is available between the two tiers, but the Access control list of the ADB is missing the access control rule to allow traffic from the OCI GoldenGate deployment to ADB. As shown in the NPA test results, the routing status is successful, but the security status shows up as Denied.

Test COnnection _Scenario B

Run NPA Analysis


Add the appropriate security rule to allow connections from OCI GoldenGate. For example, you can add OCI GoldenGate deployment Ingress IP to the access control list.

Network Rule Changes

 

Once the changes are made, run the NPA test again.

NPA Analysis

Also, perform test connection from OCI GoldenGate.

Test Connection

 

Scenario C : ADB Source/Target access restricted to Private access only

An OCI GoldenGate deployment can’t communicate with the Autonomous Database configured with Private Access only (Network Access option) within the same VCN.

In this scenario, the ADB source/target database allows access only from specific private IP addresses defined in the subnet security list. Network Path Analyzer reveals that the routing connectivity is available between the two tiers, but the Access control list of the ADB is missing the access control rule to allow traffic from the OCI GoldenGate deployment private ip to ADB. The NPA test results show that the routing status is successful, but the security status shows up as Denied.

Test Connection Error

NPA test results show the Security status as Denied even though the routing status is Forwarded.

NPA Analysis

To allow connections from OCI GoldenGate, we add the deployment Ingress IP to the security list.

Network Sec List

Next, run the NPA test and test connection again to confirm.

NPA Analysis 3

Test Connection

 

Scenario D: OCI GoldenGate to Oracle Base Database Service with missing egress/ingress rules to allow OCI GoldenGate connections.

In this scenario, Network Path Analyzer reveals that the routing connectivity as well as security rule is missing, thus not allowing inbound traffic from the OCI GoldenGate deployment. As shown in the NPA test results, the routing status and security status show up as no route and denied respectively.

Test Connection

NPA Analysis 4

To allow outbound connections from OCI GoldenGate, we add the follow egress rule to the subnet security list.

SEC List Update

Running the NPA test again shows that the routing connectivity is available between the two tiers, but the Access control list of the Base database service is missing the ingress rule to allow traffic from the OCI GoldenGate deployment. Thus, Routing is successful with the result as Forwarded, but it returns denied under security status.

NPA Analysis 4

NPA Analysis 5

Now adding the appropriate ingress rule to the subnet security list i.e. adding OCI GoldenGate ingress ip address to the allow list.

Network Sec List

Finally, run the NPA test and test connection again to confirm.

NPA Analysis

Test Connection

 

Scenario E : OCI GoldenGate to Oracle Base Database Service with missing NAT Gateway to allow OCI GoldenGate connections to a public endpoint.

In this scenario, Network Path Analyzer reveals that the routing connectivity as well as routing rule is missing, thus not allowing traffic from the OCI GoldenGate deployment. As shown in the NPA test results, the routing status shows up as no route.

Test Connection

 

NPA Analysis

To allow outbound connections and access from OCI GoldenGate to public endpoints, ensure you have a NAT gateway or other access to the internet if necessary. To allow access to all Services in Oracle Services Network only, then a Service Gateway should be sufficient.

NPA Test

Test OCI GG Connection

 

In conclusion, when armed with the right tools, troubleshooting network issues in Oracle OCI GoldenGate becomes much more manageable. The Network Visualizer provides a comprehensive, end-to-end view of your network topology, enabling you to visualize and understand the complex relationships between components. This holistic approach helps identify potential network bottlenecks or misconfigurations that could impact replication. On the other hand, the Network Path Analyzer is invaluable for pinpointing issues at each network hop between GoldenGate and the source/target systems. Together, these tools equip you to proactively identify and address network issues, ensuring your Oracle GoldenGate environment runs smoothly, efficiently, and without interruptions.

Shrinidhi Kulkarni

Principal Product Manager

Shrinidhi Kulkarni is a Principal Product Manager in the Oracle GoldenGate group focusing on OCI GoldenGate,GoldenGate for Non-Oracle and GoldenGate for Big Data.

Atefeh (Ati) Yousefi Attaei

Senior Cloud Network Engineer | North America Cloud Engineering


Previous Post

OCI Dataflow Private Endpoint Use Cases

Mario Miola | 15 min read

Next Post


Setting up Bi-Directional Replication using Replication Tags

Volker Kuhr | 3 min read
Oracle Chatbot
Disconnected