Pat Shuff's Blog

  • Iaas
    August 12, 2016

networking wrap up

Today we are going to wrap up our detailed discussion with networking. We will probably revisit network performance at a later time, but we are going to get out of the weeds today and talk about things at a slightly higher level. Yesterday we looked at screen shots of the Oracle, AWS, and Azure security lists and rules. It is important to note that Azure only offers TCP and UDP as rules. You can't define firewall and routing rules for other protocols. Amazon allows for ICMP firewall and routing rules, as does Oracle. The big question in all of this becomes "so what". So what if you don't support ICMP? What functionality do you lose if you don't provide this packet header on top of IP?

First, let's review what ICMP is. ICMP stands for Internet Control Message Protocol and is defined in RFC 792. It is primarily used for diagnostics and control as well as discovery of services on a network. ICMP packets are treated differently from normal IP packets because they typically require a response to a query, or an error code to be returned as part of the response. These packets are good for testing latency and connectivity between machines that need to traverse complex networks. Oracle uses this protocol as part of the keep-alive heartbeat of a Database RAC configuration. The networking requirements of RAC also require ARP support as well as multicast within the same subnet. This basically means that RAC will never work on an Azure compute cluster because ICMP and multicast are not supported. Amazon has written a whitepaper on running RAC on AWS, but it is not recommended to run RAC with a multi-host configuration that simulates shared storage. This looks like a good science experiment but not a production solution. Amazon basically engineered around the multicast requirements needed for shared storage by creating a message protocol at the operating system layer.

ICMP is also good for network discovery and for monitoring network integrity. Oracle also uses this protocol with the Oracle Advanced Support Gateway. The support gateway is a tool that Oracle uses to manage services inside a customer data center. The Oracle Cloud Machine and Exadata/SuperCluster Managed Services products also use ICMP to verify the integrity of the network and report timing and connectivity issues when something happens on the network. The gateway typically looks for a message 0 request (standard ping echo request) and a message 8 request (ping echo reply and trace route data) to show network viability. Error codes returned in message 3 are also inspected to see if network configurations have changed or been modified.
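As an added illustration (not code from the original post), the Python below builds and decodes the ICMP messages this paragraph relies on: an echo request, its reply, and a type 3 error, with the RFC 1071 checksum that every ICMP message carries. The type and code names are constructed lookup tables taken from RFC 792, and the sample messages are constructed inline.

```python
import struct

# ICMP types the post refers to (RFC 792) and the type 3 codes most often seen; constructed lookup tables
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 13: "communication administratively prohibited"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum as used by ICMP (and by the IP header itself)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """Type 8 / code 0 echo request with the checksum filled in, as a ping client sends it."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def build_unreachable(code: int, quoted: bytes) -> bytes:
    """Type 3 error as a router or firewall returns it: 4 unused bytes, then the offending datagram."""
    header = struct.pack("!BBHI", 3, code, 0, 0)
    csum = inet_checksum(header + quoted)
    return struct.pack("!BBHI", 3, code, csum, 0) + quoted

def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify the checksum over the whole message."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    typ, code, _csum, rest = struct.unpack("!BBH4s", msg[:8])
    # summing a message whose checksum field is correct yields all ones, so the complement is zero
    info = {"type": typ, "code": code, "name": ICMP_TYPES.get(typ, "other"),
            "checksum_ok": inet_checksum(msg) == 0}
    if typ in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", rest)
    elif typ == 3:
        info["reason"] = UNREACH_CODES.get(code, "code %d" % code)
        info["quoted"] = msg[8:]  # original IP header + 8 bytes, used to match the error to the probe
    return info
```

A security list that silently drops protocol 1 produces neither a reply nor a type 3 error, which is exactly why the monitoring tools described above go blind rather than report a failure.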

Oracle Enterprise Manager also uses ICMP packets as part of its beacon communication and network discovery operations. This does imply that you cannot use Enterprise Manager to manage host targets on Azure, but you can on AWS. I have successfully configured Linux hosts as well as database instances in Amazon RDS and connected them to Enterprise Manager. This is a very powerful feature that allows you to schedule backups, replicate data from on-premises to the cloud, and examine changes in a dev/test environment in the cloud and apply them to your production environment. Without ICMP you lose the ability to connect Enterprise Manager and these higher level functions. According to some Microsoft MSDN blogs you can add ICMP to a Windows VM inside their firewall so you can ping between VMs, but going across the internet is not necessarily supported. A second MSDN blog suggests using alternate applications like TCPing and Nmap to work around not having ICMP. This does not solve connecting with Enterprise Manager unless you run an OEM instance in Azure to monitor and measure all servers running in Azure.

The second protocol that Oracle supports that Amazon and Microsoft do not support is the GRE protocol. GRE stands for Generic Routing Encapsulation and is defined in RFC 2784 and RFC 2890. This protocol is used for point-to-point tunneling and, together with IPSec, for passing routing information between connected networks. Oracle currently uses this protocol to create Corente VPN services. The protocol was designed by Cisco Systems, so connecting a Cisco router for a VPN connection is relatively easy with this protocol. You can connect with other protocols for a VPN connection, but this layer has the mechanisms to keep routing tables in sync without having to run applications to talk to routers and update maps. This is more of an efficiency of networking than a functionality of networking, as we saw with the ICMP support. We will talk about VPN services in a later blog. The general concept behind a VPN is that you would like the computers in your data center to talk to computers in the cloud as if they were on your corporate network. If you create a virtual private network, the IP addresses that the computers in your data center use are the same IP addresses that are used in the cloud. The VPN creates a routing protocol that translates the virtual IP addresses, which are typically non-routable addresses, to an actual address that gets routed across the internet to the cloud provider. A VPN server on the cloud side then translates these packets back to the non-routable IP address, and it looks like the request came from a machine on the local network. This simplifies network topology and configuration if we can extend our corporate network into a cloud network and have them operate as if they were on the same network. The trick with this solution is that network changes need to be constantly updated, and latency between your data center and the cloud data center can kill performance. The GRE protocol helps solve route table updates. Products like FastConnect help reduce latency by providing a fast path across the internet that you pay for on a monthly basis.
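To make the encapsulation concrete, here is an added example (not code from the original post or from Corente) that wraps an inner IP packet in a GRE header and decodes it again following RFC 2784 and RFC 2890: the C, K and S flags decide which optional words are present, the version must be 0, and a receiver drops sequence numbers that are not ahead of the last accepted one. The ethertype table and sample inner packet are constructed here; the optional GRE checksum is parsed but not verified.

```python
import struct

# Header bits from RFC 2784 (C) and RFC 2890 (K, S); constructed ethertype table for the payload field
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6"}

def build_gre(payload: bytes, proto: int = 0x0800, key=None, seq=None) -> bytes:
    """Encapsulate an inner packet; the key and sequence words appear only when their flag is set."""
    flags = (FLAG_K if key is not None else 0) | (FLAG_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto)  # version bits are zero for RFC 2784 GRE
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload

def parse_gre(pkt: bytes) -> dict:
    """Decode a GRE header, refusing truncated packets and non-zero versions."""
    off = 0

    def take(fmt):
        nonlocal off
        size = struct.calcsize(fmt)
        if len(pkt) < off + size:
            raise ValueError("GRE header claims fields beyond the end of the packet")
        fields = struct.unpack(fmt, pkt[off:off + size])
        off += size
        return fields

    flags, proto = take("!HH")
    if flags & 0x0007:
        raise ValueError("only GRE version 0 (RFC 2784) is handled")
    info = {"protocol": ETHERTYPES.get(proto, hex(proto)), "checksum_present": bool(flags & FLAG_C)}
    if flags & FLAG_C:
        info["checksum"], _reserved1 = take("!HH")  # covers header and payload; not verified here
    if flags & FLAG_K:
        info["key"] = take("!I")[0]  # lets one tunnel endpoint multiplex several peers
    if flags & FLAG_S:
        info["seq"] = take("!I")[0]
    info["payload"] = pkt[off:]
    return info

def accept_seq(last: int, seq: int) -> bool:
    """RFC 2890 receiver rule: accept only sequence numbers ahead of the last one, modulo 2**32."""
    diff = (seq - last) & 0xFFFFFFFF
    return 0 < diff < 0x80000000
```

The outer packet carrying this header is IP protocol 47, which is the number a security list has to permit for the tunnel to come up at all.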

In summary, the protocols that cloud vendors support are important considerations in architecting a solution. Going with Azure basically prohibits you from using all of Enterprise Manager to manage servers in the Microsoft cloud. You can look at the database by connecting to port 1521 (with firewall rules set properly), but you will get "host down" when looking for operating system and host information. You can also see higher level services like WebLogic servers or App services because these protocols all run on TCP and connect to ports. The basic host information will not be available. Not supporting the GRE protocol is less of a functionality issue and more of a performance issue. Many Oracle customers are looking at FastConnect as a way of getting 1 GigE or 10 GigE connectivity, but simple workloads like database backup to storage operate well enough without having to go with the additional network cost. Again, this blog is not intended to say that one cloud vendor is superior to another. It is intended to help you decide which cloud provider will give you the service that you want. Feedback and comments are welcome.
