Cloud:
provides on-demand self-service provisioning of computing capabilities over the network
resources are pooled across many tenants to optimize utilization
provides elasticity - capacity scales out and back in with demand
measured service - pay for what you use, with visibility into what you are paying for
IaaS - OS, middleware, runtime environment, applications and data are managed by the customer (the provider manages hardware, virtualization and the physical network)
PaaS - only the application and its data need to be managed by the customer
SaaS - the customer directly uses the application as a service
Disaster recovery:
RTO - recovery time objective - the maximum acceptable time to restore service after an outage
RPO - recovery point objective - the maximum acceptable data loss, i.e. how old the last usable backup or replica may be
CAPEX (Capital Expense) vs OPEX (Operational Expense)
Cloud lets you replace up-front CAPEX with usage-based OPEX
Regions - OCI has around 22 regions + 14 planned (at the time these notes were written)
Each region has one or more ADs (Availability Domains) - physically isolated data centers within the region
Each availability domain has 3 Fault Domains (FDs). An FD is a grouping of hardware with its own power and network paths, so a single hardware failure or maintenance event affects only one FD; spread instances across FDs to avoid a single point of failure
Compute Service:
Bare Metal, Dedicated Virtual Host, Virtual Machine, Container Engine, Oracle Functions
compute instances are placed in subnets of a virtual cloud network (VCN)
VM - the customer has to take care of patching the OS, configuring the network, firewall, scaling etc.
block volumes come in 2 types - a boot volume (OS/boot data) and block volumes for application data; both are kept remote from the instance (network attached) so the data survives an instance failure and can be reattached to a new instance
NIC - Network Interface Card - a virtual NIC (VNIC) is placed in a subnet of the VCN and has a private IP and optionally a public IP
Autoscaling - create a gold image and an instance configuration: OS image, metadata, shape of the VM, VNICs, storage, subnet
you can specify an initial, minimum and maximum pool size and scale it based on rules such as CPU utilization above 70% (scale out) or below a lower threshold (scale in)
Container Engine - managed Kubernetes offering; you hand it your container image for deployment and scaling is taken care of
Oracle Functions - serverless code, charged based on the resources consumed during execution
Autoscaling itself has no extra cost - it works on an instance pool with a defined min and max size
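To make the threshold rules above concrete, here is an added simulation of threshold-based autoscaling on an instance pool. It is example code written for these notes, not Oracle's autoscaling implementation: the min/max clamping and the scale-out/scale-in thresholds are what the notes describe, while the cooldown period, the step size, the sample interval and the CPU samples are this example's own assumptions.

```python
"""Simulate threshold-based autoscaling of an instance pool.

Added example for these notes; not Oracle's autoscaling engine. Pool size is
clamped to [min_size, max_size]; a scale-out rule adds instances when average
CPU is at or above a threshold and a scale-in rule removes them when it is at
or below a lower threshold. The cooldown (assumed here) stops the pool from
flapping by ignoring samples for a while after each action.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class AutoscalePolicy:
    min_size: int
    max_size: int
    scale_out_cpu: float = 70.0   # % utilization at/above which instances are added
    scale_in_cpu: float = 30.0    # % utilization at/below which instances are removed
    step: int = 1                 # instances added or removed per action (assumption)
    cooldown: int = 300           # seconds to wait after an action before acting again


def simulate(policy: AutoscalePolicy, samples: List[float], initial_size: int,
             interval: int = 60) -> List[int]:
    """samples: average pool CPU% observed once per `interval` seconds.
    Returns the pool size after each sample is processed."""
    size = max(policy.min_size, min(policy.max_size, initial_size))  # clamp start
    last_action = -policy.cooldown      # allows an action at t = 0
    history = []
    for i, cpu in enumerate(samples):
        t = i * interval
        if t - last_action >= policy.cooldown:          # outside cooldown window
            if cpu >= policy.scale_out_cpu and size < policy.max_size:
                size = min(policy.max_size, size + policy.step)
                last_action = t
            elif cpu <= policy.scale_in_cpu and size > policy.min_size:
                size = max(policy.min_size, size - policy.step)
                last_action = t
        history.append(size)
    return history


# Constructed CPU samples: a load spike followed by an idle period
SAMPLE_CPU = [80, 85, 90, 90, 90, 90, 20, 20, 20, 20, 20, 20]

if __name__ == "__main__":
    policy = AutoscalePolicy(min_size=2, max_size=4)
    print(simulate(policy, SAMPLE_CPU, initial_size=2))
```

With the sample above the pool grows to 3 at the first sample, cannot act again until the 300 s cooldown expires, grows to the maximum of 4 at the sixth sample, and only shrinks once the idle samples survive the next cooldown; it never goes below the minimum of 2 even if load stays at zero.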
Storage Service:
Block volume, local NVMe, file storage, object storage, archive storage
The block volume of a compute instance is kept remote from the instance (network attached) to maintain HA.
If backup is configured, the backup copy is stored in Object Storage and can be restored to a block volume in the same region.
There is also provision to copy a block volume backup cross-region (for disaster recovery).
Block Volume performance tiers - Basic/Lower Cost, Balanced, Higher Performance
KMS - Key Management Service (Vault) can be used to manage the keys for data encryption instead of relying on Oracle-managed keys
Local NVMe (Non-Volatile Memory Express) - temporary local storage for applications that require high-performance local storage such as NoSQL/in-memory databases. It is not durable and not encrypted by the platform because it is local to the compute instance: if the instance dies, the data is gone, so replicate or back it up at the application level
File Storage - shared file system storage mounted by multiple compute instances.
NFS - Network File System (the protocol File Storage speaks); SMB - Server Message Block (the Windows file-sharing protocol)
File Storage snapshots can be taken and used for restoring in case of corruption.
to access your file system you create a mount target in a subnet; one mount target can export up to 100 file systems
Object Storage:
data is stored as objects in buckets in a flat hierarchy (no nested directories), which keeps lookups fast; each object also carries metadata, making it easy to index
detects and auto-repairs corrupt data using checksums
size allowed: up to 10 TB per object
bucket - logical container for grouping objects
buckets can be private (the default) or public; a public bucket exposes every object in it to anonymous readers, so keep buckets private and share individual objects through pre-authenticated requests
data is stored encrypted at rest with AES (Advanced Encryption Standard) 256
data is replicated across ADs and FDs to maintain HA and durability
standard (hot) and archive (cold) storage tiers - archive is for rarely accessed data that needs long retention
pre-authenticated requests (PARs) - generate URLs that can be shared for accessing a private object (or bucket) in a controlled way; each PAR has an expiry time and should be scoped to the minimum access (read vs write) the recipient needs
Network Service:
Virtual Cloud Network (VCN) - software-defined private network in OCI, assigned an address space (a CIDR IP range)
subnets divide the VCN into sub-networks; a VCN needs at least one subnet
compute instances have to be placed inside a subnet of a VCN
subnets can be further isolated and secured (a private subnet never assigns public IPs)
Internet gateway - provides a path for internet traffic to reach (and leave) your compute instances in a VCN; only instances with a public IP in a subnet whose route table points at the gateway are exposed
NAT gateway (Network Address Translation) - allows outbound communication to the internet from private subnets but does not allow any inbound connection initiated from the internet
Service gateway - allows resources in a VCN to access public OCI services such as Object Storage over the OCI network fabric, without traversing the internet
Dynamic Routing Gateway (DRG) - provides a path for private traffic between a VCN and a private network; used in the hybrid cloud model to connect an on-premise network to the VCN
DRG connects to the on-premise network via IPSec VPN (encrypted tunnels over the internet) or FastConnect (dedicated private connectivity, with routes exchanged over BGP - Border Gateway Protocol)
Oracle Kubernetes Engine (OKE):
OCIR - managed Docker container registry service that hosts the images deployed by Oracle Kubernetes Engine
OCIR provides full integration with OKE
Security List - subnet-level firewall rules that control which IPs and ports may send traffic in (ingress) or out (egress); the rules apply to every VNIC in the subnet and the default is deny
NSG (Network Security Group) - firewall rules applied to a chosen set of VNICs inside a VCN, so the rules follow the workload rather than the subnet; when both are used, the union of the security list and NSG rules applies to a VNIC
Local VCN peering - connecting two VCNs in the same region using a local peering gateway.
Similarly, remote VCN peering is available for VCNs in different regions (through the DRG).
Load Balancer - performs service discovery, health checks and request distribution according to a chosen algorithm, which is what makes horizontal scaling usable.
In the cloud, load balancers have a standby to avoid a single point of failure.
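The security list and NSG lines above describe default-deny ingress filtering; the block below is an added example (written for these notes, not Oracle's code) that evaluates OCI-style ingress rules against sample flows and flags the rules a reviewer should reject, such as SSH or "all protocols" open to 0.0.0.0/0. The rule fields mirror what an OCI ingress rule contains (source CIDR, IP protocol number, destination port range); the dataclass, helper names and the two rule sets are this example's own constructed assumptions.

```python
"""Evaluate OCI-style security list / NSG ingress rules and flag risky ones.

Added example for these notes, not code from Oracle. Security lists and
NSGs are default-deny: a flow is allowed only if some ingress rule matches
it, and when both are attached to a VNIC the union of their rules applies.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP, ICMP, ALL = "6", "17", "1", "all"   # OCI uses IANA protocol numbers
ADMIN_PORTS = {22, 3389}                      # SSH and RDP


@dataclass(frozen=True)
class IngressRule:
    source: str                       # CIDR allowed to initiate connections
    protocol: str                     # TCP, UDP, ICMP or ALL
    port_min: Optional[int] = None    # None = every port (ICMP has no ports)
    port_max: Optional[int] = None
    description: str = ""

    def matches(self, src_ip: str, protocol: str, dst_port: Optional[int]) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source, strict=False):
            return False
        if self.protocol != ALL and self.protocol != protocol:
            return False
        if self.port_min is not None:
            if dst_port is None or not (self.port_min <= dst_port <= self.port_max):
                return False
        return True


def is_allowed(rules: List[IngressRule], src_ip: str, protocol: str,
               dst_port: Optional[int] = None) -> bool:
    """Default deny: allowed only if at least one rule matches the flow."""
    return any(r.matches(src_ip, protocol, dst_port) for r in rules)


def risky_rules(rules: List[IngressRule]) -> List[Tuple[IngressRule, str]]:
    """Flag rules that expose admin ports, or every port, to the whole internet."""
    findings = []
    for r in rules:
        if ipaddress.ip_network(r.source, strict=False).prefixlen != 0:
            continue                  # not 0.0.0.0/0 or ::/0, so not "the internet"
        if r.protocol == ICMP:
            continue                  # ping from anywhere is out of scope here
        if r.port_min is None:
            findings.append((r, "all ports open to the internet"))
        elif any(r.port_min <= p <= r.port_max for p in ADMIN_PORTS):
            findings.append((r, f"admin port(s) in {r.port_min}-{r.port_max} open to the internet"))
    return findings


# Constructed sample rule sets (not real OCI configuration)
OPEN_RULES = [
    IngressRule("0.0.0.0/0", TCP, 443, 443, "HTTPS from anywhere"),
    IngressRule("0.0.0.0/0", TCP, 22, 22, "SSH from anywhere (bad)"),
    IngressRule("0.0.0.0/0", ALL, None, None, "everything from anywhere (worse)"),
]
HARDENED_RULES = [
    IngressRule("0.0.0.0/0", TCP, 443, 443, "HTTPS from anywhere"),
    IngressRule("10.0.1.0/24", TCP, 22, 22, "SSH only from the bastion subnet"),
]

if __name__ == "__main__":
    for rule, why in risky_rules(OPEN_RULES):
        print(f"RISK: {rule.description}: {why}")
    print("internet -> 22 (hardened):", is_allowed(HARDENED_RULES, "203.0.113.9", TCP, 22))
    print("bastion  -> 22 (hardened):", is_allowed(HARDENED_RULES, "10.0.1.7", TCP, 22))
```

Running it reports the two bad rules in OPEN_RULES and shows that HARDENED_RULES still admits HTTPS from anywhere while SSH is reachable only from the bastion subnet; every flow with no matching rule, such as UDP 53 from the internet, is denied without needing an explicit deny rule.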
IAM:
principals - users, and instance principals (compute instances acting on their own behalf) / service principals
a user can't directly hold permissions; it must be a member of a group, and the same goes for instance principals, which are collected into dynamic groups
Authentication - either user/password (console UI), an API signing key (an RSA key pair whose public key is uploaded to OCI; the SDK/REST API/CLI sign each request with the private key) or an auth token (used for third-party APIs such as Docker login to OCIR)
Authorization - policy statements of the form "Allow group <group> to <verb> <resource-type> in tenancy|compartment <name>"; the verbs are inspect < read < use < manage, each including the ones before it, so grant the lowest verb that does the job
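As an added example of how the policy rules above combine (written for these notes, not Oracle's authorization engine), the block below parses "Allow group ... to ... in ..." statements and decides whether a caller is authorized, honouring group membership, the verb hierarchy and compartment scope. Simplifications that are this example's own assumptions: no "where" conditions, group and compartment names are single tokens, no dynamic groups, and a policy written at a parent compartment applies to its children.

```python
"""Evaluate OCI IAM policy statements against an access request.

Added example for these notes; not Oracle's IAM implementation. It encodes
the rules the notes state: permissions come only through group membership,
a statement reads "Allow group G to VERB RESOURCE in tenancy|compartment C",
and the verbs form a hierarchy inspect < read < use < manage.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str      # e.g. "instance-family", "buckets", "all-resources"
    compartment: str   # "tenancy" = root of the compartment hierarchy


def parse_statement(text: str) -> Statement:
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable policy statement: {text!r}")
    scope = "tenancy" if m.group("tenancy") else m.group("compartment")
    return Statement(m.group("group"), m.group("verb").lower(),
                     m.group("resource").lower(), scope)


def parse_policy(lines: Iterable[str]) -> List[Statement]:
    return [parse_statement(line) for line in lines if line.strip()]


def is_authorized(policy: List[Statement], groups, verb: str, resource: str,
                  compartment_path: List[str]) -> bool:
    """groups: the groups the caller belongs to (no groups = no permissions).
    compartment_path: the target compartment and its ancestors, root first,
    e.g. ["tenancy", "Prod", "Prod-DB"] (assumption: parent policies inherit)."""
    wanted = VERB_RANK[verb]
    for st in policy:
        if st.group not in groups:
            continue
        if st.compartment not in compartment_path:
            continue                          # scoped to some other subtree
        if st.resource not in ("all-resources", resource.lower()):
            continue
        if VERB_RANK[st.verb] >= wanted:      # manage implies use, read, inspect
            return True
    return False


# Constructed sample policy (group and compartment names are made up)
SAMPLE_POLICY = parse_policy([
    "Allow group Admins to manage all-resources in tenancy",
    "Allow group DevOps to use instance-family in compartment Prod",
    "Allow group Auditors to inspect all-resources in tenancy",
])

if __name__ == "__main__":
    print(is_authorized(SAMPLE_POLICY, {"DevOps"}, "read", "instance-family", ["tenancy", "Prod"]))
    print(is_authorized(SAMPLE_POLICY, {"DevOps"}, "manage", "instance-family", ["tenancy", "Prod"]))
```

The sample shows why the verb hierarchy matters for least privilege: DevOps can read instances in Prod because "use" includes "read", but cannot manage them, cannot touch the Dev compartment at all, and a user in no group gets nothing even though the policy names the tenancy root.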
Database Services:
VM Database - can scale storage, but not CPU cores
Bare Metal Database - can scale CPU cores but not storage
RAC (Real Application Clusters)
Exadata
ATP-S (Autonomous Transaction Processing, Shared infrastructure), ATP Dedicated
The database is created in a subnet of a VCN (Virtual Cloud Network) and is given a private IP address
Backup and recovery - backups are stored in Object Storage, reached through a service gateway with private access even though Object Storage is a public service
Data Guard - maintains a standby copy of the DB and switches over to it in case of disaster or data corruption etc.
Active Data Guard - adds capabilities such as a standby that is open read-only for queries, plus additional data protection and availability features
switchover - planned migration to the standby; failover - unplanned migration after the primary is lost
Data Safe:
unified database security control center
monitors user activity, assesses security configuration and user risk, discovers sensitive data and masks it for test and development copies
OCI Security:
Oracle's responsibility - physical security, compute, data center/storage isolation, network, the IAM framework, infrastructure services such as load balancer, WAF etc.
Customer's responsibility - safeguarding user credentials and other secrets, data encryption choices, VCN configuration, security lists, route tables, strong (least-privilege) IAM policies, patching of OS and applications etc.
MFA - Multi-factor Authentication is supported for console users
Federation - using the organization's IdP (e.g. SAML), users log in to the cloud with their corporate identity and need no separate user/password in OCI
data protection - data is encrypted at rest and in transit; KMS (Key Management Service) lets the customer control the encryption keys
OS Management Service - security/compliance reporting to make sure all critical fixes are in place
Web Application Firewall - filters HTTP/S requests against a set of rules (e.g. OWASP rules, rate limiting, bot management) before they reach the application
OCI has a managed WAF service
OCI Pricing, Billing and Cost Management:
Pricing models:
PAYG - Pay As You Go - depends on usage
Monthly Flex (Universal Credits) - minimum 1k USD/month for a year - discounts based on the deal
BYOL - Bring Your Own License
compute instance - pricing is per OCPU
Block Volume pricing - per GB/month for capacity, plus a cost per VPU (volume performance unit) for Balanced and Higher Performance volumes
pricing per region - OCI has the same pricing in all regions; some cloud providers price regions differently
data transfer costs - free inside an AD and between ADs of the same region, but there is an egress charge for data transfer between regions
cost tags can be used to track spending by cost center
budgets can be used to set a spending limit (with alerts) on the resources in a compartment etc.
Usage reports give the spending on each resource - generated daily
OCI free tier - $300 credit for 30 days, 5 TB free; Always Free - 2 VMs, 2 ATP databases
SLA: calculated per month; example SLA provided by the OCI Vault service:
99-99.9% uptime - 10% credit to the customer
95-99% uptime - 25% credit
less than 95% uptime - 100% credit
Oracle offers end-to-end SLAs covering availability, performance and manageability (control plane)
control plane - administration of OCI resources (create, configure, delete)
data plane - usage of the resources themselves - other cloud providers give SLAs only for data-plane operations
OCI service status page - https://ocistatus.oraclecloud.com - you can also subscribe to notification emails
My Oracle Support (MOS) account - free of cost - can be linked with the OCI account; the CSI number identifies the customer, and you also need tenancy and resource info when raising a request
only paid accounts can have a support account - you can raise an SR (service request) for:
technical issues, password reset, changing the tenancy admin, service limit increase.
Cloud Customer Connect - OCI general forum in which customers can raise queries