
OCI Technical Material: Virtual Cloud Network (VCN) Details

This is the Oracle Cloud Infrastructure (OCI) technical explanation material, Virtual Cloud Network (VCN) detailed edition (Level 200).

It explains the somewhat more complex cases encountered when using a VCN, such as the details of VCN peering, transit routing, hybrid DNS configuration, connecting to the Oracle Services Network, and using appliance-type virtual firewalls.

Transcript

  1. Virtual Cloud Network (VCN) Details. Virtual Cloud Network Level 200, Oracle Cloud Infrastructure 2021
  2. Safe harbor statement. Copyright © 2021, Oracle and/or its affiliates.
  3. • VCN • Oracle Services Network VCN • 1 VCN ( ) • • VCN DNS • 翻 VCN
  4. VCN Peering – Local Peering & Remote Peering
  5. VCN 2 VCN • IP • • 2 • VCN ( ) • VCN ( ) OCI 2 OCI 1 VCN VCN VCN Local Peering Gateway Local Peering Gateway Dynamic Routing Gateway Dynamic Routing Gateway VCN VCN
  6. 2 VCN • (LPG) • • VCN 10 LPG • VCN ( ) VCN VCN1 VCN2 VCN3 VCN4 OCI Local Peering Gateway 1 Local Peering Gateway 2 Local Peering Gateway 10 Local Peering Gateway 2-1 Local Peering Gateway 3-1 Local Peering Gateway 4-1
  7. 11 i VCN VCN VCN OCI (Oracle Services ) ( ) VCN ( 3 ) VCN 3 VCN (VCN1 ) VCN VCN1 10.0.0.0/16 VCN2 10.0.0.0/16 VCN 1 VCN 2 VCN 3 VCN1 10.0.0.0/16 VCN3 192.168.0.0/16 VCN2 192.168.0.0/16 VCN4 192.168.0.0/16 ※ VCN1 ( ) ※ VCN VCN
  8. 1. IAM 2. VCN 3. LPG 4. VCN 5. VCN 6. VCN
  9. ( ) VCN IAM ※ VCN VCN1 10.0.0.0/16 192.168.0.2 10.0.0.2 VCN2 192.168.0.0/16 LPG LPG Requestor ABC Acceptor XYZ
    Define tenancy Acceptor as ocid1.tenancy.oc1….
    Allow group Requestor to manage local-peering-from in compartment Requestor
    Endorse group RequestorGrp to manage local-peering-to in tenancy Acceptor
    Endorse group RequestorGrp to associate local-peering-gateways in compartment RequestorComp with local-peering-gateways in tenancy Acceptor
    Define tenancy Requestor as ocid1.tenancy.oc1..aaaaaaarequestorComp
    Define group Requestor as ocid1.group.oc1..aaaarequestorgrp
    Admit group Requestor of tenancy Requestor to manage local-peering-to in compartment Acceptor
    Admit group Requestor of tenancy Requestor to associate local-peering-gateways in tenancy Requestor with local-peering-gateways in compartment AcceptorComp
  10. 2 VCN • OCI • (DRG) 翻 • (DRG) (Outbound Data Transfer) • VCN ( ) VCN VCN2 OCI REGION2 DRG-1 RPC-1 RPC-2 OCI REGION1 VCN1 DRG-2
  11. VCN VCN (Transit) VCN CIDR VCN VCN CIDR VCN-1 VCN-2 VCN-3 VCN-2 VCN-3 CIDR VCN2 VCN1 VCN1 10.0.0.0/16 VCN2 192.168.0.0/16 VCN3 192.168.0.0/16 VCN3 VCN2 10.0.0.0/16 VCN1 10.0.0.0/16 × × ×
  12. VCN 1. DRG 2. DRG VCN 3. IAM 4. DRG 5. 6. 7.
  13. Access to Oracle Services Network
  14. Oracle Services Network ? • OCI OCI • OCI VCN • NAT IP • Oracle Services Network ※ • OCI API • Object Storage • Oracle Autonomous Database • Analytics Cloud Service PaaS SaaS ※ OCI (https://console.<region>.oraclecloud.com) Oracle Services Network OCI region VCN VCN VCN Oracle Services Network Object Storage Autonomous Database
  15. VCN Oracle Services Gateway 1. • VCN IP ( ) • IP • VCN 2. NAT • VCN IP ( ) • IP- IP • VCN 3. • VCN IP ( ) • IP- IP ( IP 240.0.0.0/4 ) • VCN 4. VCN • VCN IP ( ) • VCN IP • (Autonomous Database Oracle Data Safe) VCN Oracle Services Network
  16. VCN Oracle Services Network 1. FastConnect • FastConnect IP 2. VCN Transit Routing • DRG Service Gateway 3. • VCN 4. • VCN (Autonomous DB ) 5. : • LB Listener IP NAT ※ Customer Data Center FastConnect (Public Peering) Autonomous Database Service Gateway OCI region Proxy Server Private Load Balancer ADB Private Endpoint 1 2 FastConnect (Private Peering) 3 4 5
  17. Oracle Services Network VCN • • VCN IP NIC • • Autonomous Database ( ) • Oracle Data Safe • ( )
  18. VCN Transit Routing Details (Transit Routing Scenarios)
  19. VCN 1 2 VCN ( ) VCN : 3 VCN VCN VCN FastConnect / IPsec VPN VCN
  20. 1. FastConnect/VPN VCN • 1 FastConnect VPN VCN 2. Oracle • FastConnect VPN IP VCN Oracle (Object Storage/Autonomous DB) 3. VCN • 2 VCN VCN VCN VCN 3 OCI Service Gateway VCN ORACLE SERVICES NETWORK Object Storage
  21. Hub VCN, Spoke VCN-2, Spoke VCN-1, Spoke VCN-3 VCN VCN VCN 1 - FastConnect/VPN VCN • 1 VCN VCN & • VCN FastConnect / VPN VCN VCN ( ) • VCN VCN VCN VCN • • • 10 /VCN
  22. • ( ) VCN VCN VCN • (DRG) VCN(192.168.0.0/16) LPG-1 • LPG-1 (172.16.0.0/16) DRG • VCN LPG-2 1 - VCN VCN DRG LPG (172.16.0.0/12) VCN (10.0.0.0/16) VCN (192.168.0.0/16) 192.168.0.0/16 LPG-1 172.16.0.0/12 DRG 10.0.0.0/16 LPG-2 172.16.0.0/12 LPG-2 LPG-1 LPG-2 192.168.0.0/16 LPG-1 172.16.0.0/12 DRG
  23. 1 - VCN External network (on-premises/Azure) 172.16.0.0/12 ORACLE CLOUD INFRASTRUCTURE REGION FastConnect Hub VCN 10.0.0.0/16 LPG2 Spoke VCN-1 10.1.0.0/16 Spoke VCN-2 10.2.0.0/16 172.16.0.0/16 Local Peering Local Peering Firewall FW UnTrust Subnet 10.0.4.0/24 FW Trust Subnet 10.0.8.0/24 vnic1 vnic2 LPG T1 LPG1 10.0.4.2 10.0.8.2 Destination CIDR Route Target 10.1.0.0/16 10.0.4.2 10.2.0.0/16 10.0.4.2 Destination CIDR Route Target 172.16.0.0/16 DRG Destination CIDR Route Target 10.1.0.0/16 LPGT1 10.2.0.0/16 LPGT2 LPG T2 Destination CIDR Route Target 172.16.0.0/16 10.0.8.2 Destination CIDR Route Target 172.16.0.0/16 10.0.8.2
  24. 1 – ISV https://www.ateam-oracle.com/isv-architecture-validated-design
  25. OCI Service Gateway • Oracle Services Network(VCN IP Oracle (Object Storage/Autonomous DB) FastConnect VPN • VCN Oracle Services Network (OCI VCN ) ( ) • VCN Oracle Services Network 2 - Oracle VCN ORACLE SERVICES NETWORK Object Storage
  26. 2 - VCN DRG ORACLE CLOUD INFRASTRUCTURE REGION VCN 10.0.0.0/16 . On-premises Network 172.16.0.0/12 Dynamic Routing Gateway Service Gateway Object Storage Oracle Services Network Fastconnect or VPN Destination CIDR Route Target All Services in Region Service Gateway Destination CIDR Route Target 172.16.0.0/12 DRG Route Table associated with DRG Route Table associated with Service Gateway ADW/ATP Virtual Machine
  27. 2 - VCN ( ) VCN 10.0.0.0/16 SUBNET 10.0.4.0/24 SUBNET 10.0.8.0/24 and more.. Object Storage Oracle Services Network Service Gateway Dynamic Routing Gateway On-premises Data Center 172.16.0.0/12 VNIC VNIC Instance 10.0.4.3 10.0.8.3 Fastconnect or VPN Connect Private IP Private IP DRG Destination CIDR Destination CIDR Route Target Route Target 172.16.0.0/12 Service Gateway All Services in Region Destination CIDR Route Target All Services in Region 10.0.4.3 Destination CIDR Route Target 172.16.0.0/12 10.0.8.3 Route Table associated with Service gateway Route Table associated with DRG ORACLE CLOUD INFRASTRUCTURE REGION Route Table associated with subnet-frontend Route Table associated with subnet-Backend
  28. • 2 VCN VCN VCN • VCN-1-A VCN2-A VCN-H-1 VCN-H-2 ( ) • VCN 1 OK • VCN VCN VCN VCN • • • 10 /VCN 3 - VCN
  29. OSN Object Storage Private Subnet 10.0.6.0/24 Oracle Cloud Infrastructure (Region) Availability Domain 1 Availability Domain 3 Public Subnet 10.0.0.0/24 VM 10.0.0.5 129.213.80.25 Database System 10.0.6.3 Virtual Cloud Network 10.0.0.0/16 Service Gateway Autonomous Database ATP/ADW Dynamic Routing Gateway Telemetry/ Monitoring GatewaySubnet 10.0.6.0/24 Availability Zone Subnet_OApp 172.16.0.0/24 VM 172.16.0.5 23.100.26.160 Subnet for Virtual Network Gateway VNet 172.16.0.0/16 Microsoft Azure (Region) FastConnect ExpressRoute Virtual Network Gateway Cross-Cloud Network : Azure +
  30. Using Appliance-Type Virtual Firewalls (Deploy Virtual Firewall on OCI)
  31. 10.0.0.0/24 1 VCN 10.0.0.0/16 10.0.1.0/24 0.0.0.0/0 IP 172.16.0.0/16 DRG IP VCN ( ) IP : UTM(IDS/IPS)
  32. Oci -2 -1 VCN: 10.0.0.0/16 Fortigate NGFW / DB DB DataGuard Fortigate NGFW Fortigate NGFW Bastion Bastion OCI FortigateNGFW
  33. Juniper vSRX • Juniper vSRX IPS Web • • VCN 3 • vSRX VCN vSRX • vNIC • vSRX • - how to setup a vSRX on OCI - https://blogs.oracle.com/cloud-infrastructure/how-to-deploy-a-virtual-firewall-appliance-on-oracle-cloud-infrastructure
  34. North-South Traffic Palo Alto VM https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/set-up-the-vm-series-firewall-on-oracle-cloud-infrastructure/deployments-supported-on-oci.html Inter-VCN Traffic (East-West)
  35. Hybrid DNS Configuration
  36. VCN DNS (= VCN ) 169.254.169.254 VCN VCN VCN VCN VPN FastConnect VCN VCN DNS DNS DNS DNS Terraform OCI Github • https://github.com/terraform-providers/terraform-provider-oci/blob/255817f83956f1f9a3ab903e11465e8b4dde1957/docs/examples/networking/hybrid_dns/Hybrid-DNS-configuration-using-DNS-VM-in-VCN.md DNS
  37. DNS 1 : VCN 1. VCN (db1.exaclient.custvcn.oraclevcn.com) DNS 2. DNS (VPN FastConnect) VCN(10.0.10.15) DNS VM 3. VCN DNS (169.254.169.254) DNS 4. DNS VM FQDN IP DNS 5. DNS IP
  38. DNS 1. VCN (app1.customer.net) DNS 2. DHCP DNS (10.0.10.15) DNS 3. (VPN Fastconnect) DNS (172.16.0.5) DNS 4. DNS VM 2 : OCI
  39. VCN Flow Logs
  40. https://blogs.oracle.com/cloud-infrastructure/announcing-virtual-cloud-network-flow-logs-general-availability-for-oracle-cloud-infrastructure VCN • VNIC • IP / IP • • / • https://docs.cloud.oracle.com/en-us/iaas/Content/Logging/Reference/details_for_vcn_flow_logs.htm#details_for_vcn_flow_logs VCN Flow Logs VCN Flow Logs ACCEPT TCP 172.21.2.185 Port 43360 → 129.146.13.236 Port 443 Bytes 10515 Packets 19 ACCEPT TCP 129.146.13.236 Port 443 → 172.21.2.185 Port 43360 Bytes 5548 Packets 14
  41. OCI Flow Logs Oracle Management Cloud (OMC) Log Analytics https://blogs.oracle.com/managementcloud/how-to-ingest-oci-vcn-flow-logs-into-omc-v2 Oracle Management Cloud Log Analytics OCI Flow Logs • Flow Logs Object Storage • OMC OCI Flow Logs • OMC
  42. OCI Flow Logs Splunk https://blogs.oracle.com/cloud-infrastructure/how-to-ingest-vcn-flow-logs-into-splunk • OCI Splunk Technology Alliance Partner (TAP) • splunk.com OCI • OCI Splunk • Flow Logs • Audit Logs •
  43. • VCN • Oracle Services Network VCN • 1 VCN ( ) • • VCN DNS • 翻 VCN
  44. – • https://docs.cloud.oracle.com/ja-jp/iaas/Content/Network/Concepts/overview.htm – (VCN) • https://community.oracle.com/docs/DOC-1019114 VCN
  45. Oracle Cloud Infrastructure ( / ) • https://docs.cloud.oracle.com/iaas/api/ - API • https://docs.cloud.oracle.com/ja-jp/iaas/Content/General/Reference/aqswhitepapers.htm - • https://docs.cloud.oracle.com/iaas/releasenotes/ - • https://docs.cloud.oracle.com/ja-jp/iaas/Content/knownissues.htm - (Known Issues) • https://docs.cloud.oracle.com/ja-jp/iaas/Content/General/Reference/graphicsfordiagrams.htm - OCI (PPT SVG Visio ) ※ Oracle Cloud Infrastructure
  46. Oracle Cloud Infrastructure • https://oracle-japan.github.io/ocidocs/ - Oracle Cloud Infrastructure • https://oracle-japan.github.io/ocitutorials/ Oracle Cloud • https://www.oracle.com/goto/ocws-jp Oracle • https://www.oracle.com/search/events/_/N-2bu/ Oracle Cloud Infrastructure – General Forum ( ) • https://cloudcustomerconnect.oracle.com/resources/9c8fa8f96f/summary Oracle Cloud Infrastructure
  47. Thank you
