Oracle Cloud Infrastructure (OCI)

Bazı kısa önemli notlar:….

Dedicated VM Host: Dedicated VM Host için ücret öderiz, üzerindeki VM’ler için ödemeyiz. Oracle, hypervisor ve hardware’i yönetir ve monitor eder.

Data Safe: Oracle Cloud’daki hassas verilerimizi korur, Data Discovery, Data Masking, Activity Auditing yapılır. Lİsans ücreti yoktur.

Key Management: Donanım tabanlı anahtar saklama ve merkezi anahtar yönetimidir. Kontrol ettiğiniz anahtarları kullanarak verilerinizi şifrelemenizi sağlayan yönetim hizmetidir. Highly available, durable, and secure key storage in hardware security modules (HSMs).

Data Protection:

Block Volume ve File Storage ->

Data encrypted at-rest
Data encrypted in-transit
Bring Your Own Keys

Object Storage ->

Data encrypted at-rest
Bring Your Own Keys
Private Buckets, Preauthenticated Request

Database ->

Transparent Data Encryption
Data Safe
Data Vault

Federation: Identity provider (IdP) ile federasyon yapabilirsiniz. Her çalışan mevcut bir user/pass ile OCI konsoluna giriş yapabilir. Federated user’lar oturum açmak için hangi IdP’nin kullanılacağını seçer ve ardından bu IdP’nin kimlik doğrulama oturum açma deneyimine yönlendirilirler. Oturum açma bilgilerini ve şifrelerini girdikten sonra, IdP tarafından kimliği doğrulanır ve OCI Konsoluna yönlendirilirler.

OS Management Service: Package management, configuration management, Security/compliance reporting sağlar. Kritik component’lerin ve Linux kernel’ün kesinti olmadan canlı olarak yama geçer.

Network protection:

DMZ subnet for load balancers
Public subnet for web servers
Private subnet for internal hosts such as databases

Gateways:

NAT Gateway – for connectivity to internet for patching.

NAT Gateway enables outbound connections to the internet, but blocks inbound connections initiated from the internet. Use case: updates, patches.

Service Gateway – for connectivity to public OCI services.

Service gateway lets resources in VCN access public OCI services such as Object Storage, but without using an internet or NAT gateway. Use case: back up DB Systems in VCN to Object Storage.

Dynamic Routing Gateway – for connectivity to on-premises.

DRG is a virtual router that provides a path for private traffic between your VCN and destinations other than the internet.

You can use it to establish a connection with your on-premises network via

IPsecVPN • FastConnect (private, dedicated connectivity)
Internet Gateway – provides a path for network traffic between your VCN and the internet

Local VCN Peering: Resource’ların private IP kullanarak iletişim kurabilmesi için aynı region’daki iki VCN’yi bağlama işlemidir.

Remote VCN Peering: Resource’ların private IP kullanarak iletişim kurabilmesi için farklı region’lardaki iki VCN’yi bağlama işlemidir.

Load Balancer: Faydaları: Fault tolerance and HA. Maximizes throughput, minimizes response time, and avoids overload of any single resource.

WAF (Web Application Firewall): HTTP/S trafiğini yakalayıp bir dizi filtre ve kuraldan geçirerek, bir web uygulamasına isabet eden saldırı akışlarını açığa çıkarabilir ve bunlara karşı koruma sağlayabilir. Kurallar, yaygın saldırıları (Cross-site Scripting (XSS), SQL Injection, layer 7 DDoS attacks) ve belirli kaynak IP’leri veya kötü botları filtreleme yeteneğini kapsar. WAF tarafından verilen tipik yanıtlar, isteğin geçmesine izin verir, isteği günlüğe kaydeder veya bir hata sayfasıyla yanıt vererek isteği engeller. OCI WAF, uygulamaları kötü amaçlı ve istenmeyen internet trafiğinden koruyan bulut tabanlı, PCI uyumlu, küresel bir güvenlik hizmetidir.

Compartments: Her bir resource tek bir compartment’a aittir. Resource’lar farklı compartment’lardaki diğer resource’larla etkileşime girebilir. Politikalar yazarak grup kullanıcılarına compartment’lara erişim izni verebilirsiniz. Compartments, Logical olarak ilişkili resource’ların birarada toplanması demek. Bu resource’ların izole olmasını ve erişim kontrolü sağlar.

Cloud Computing: on-demand self-service, network access, resource pooling, rapid elasticity, measure service

Service Models: Iaas, Paas, Saas

Cloud Terminology: HA, DR, Fault Tolerance, Scability, Elasticity

OCI ARCHITECTURE

OCI Regions

Dünyada 36 bölge var
Regions: Localized geographic area, comprised of one or more Availability Domains (AD)

Availability Domains (AD):

AD: One or more fault-tolerant, isolated data centers located within a region but connected to each other by a low latency high bandwith network (AD fiziksel izole data center)

Fault Domains (FD):

Faut Domains (FD): Grouping of hardware and infrastructure within an AD to provide anti-affinity (logical data center)

FD’lerden birinde problem olur da kapanırsa diğer iki FD’ler çalışmaya devam eder. FD’lerden birinde problem olur da kapanırsa Control Plane ve Data Plane çalışmaya devam eder. FD’lerden birindeki resource problemi diğer FD’leri etkilemez izole oldukları için. Bir FD’deki resource istendiğinde değiştirilebilir.

İstanbuldaki DC’miz AD1’imiz olsun ve İzmirdeki DRC’miz de AD2’miz olsun. AD1’deki FD2’miz down olursa AD2’deki FD2’miz HA’yi sağlar, single point of failure’ın önüne geçmiş oluruz, arada DataGuard var.

OCI COMPUTE SERVICES

OCI Compute Services: Bare Metal, Dedicated Vitual Hosts, Virtual Machines (single VM, multi VM), Container Engine, Functions

Containers: Hardware + Hypervisor -> Kernel/OS -> Dependencies -> App -> VM

Vertical Scaling (scale-up, scale-down): Downtime is required. The instance must be stopped before resize it

Horizontal Scaling (scale-out, scale-in) (Autoscaling): adding or removing VMs automatically

Oracle Kubernetes Engine (OKE):

Kubernetes is an open source system for automating deployment, scaling and management of containerized applications.
OKE is a fully-managed, scalable and highly available service that you can use to deploy your containerized applicaitons in OCI.
OCIR is a managed Docker container registry service and can be used to pull images for k8s deployments.

Functions:

In Oracle functions, functions are:

small but powerful blocks of code that generally do one simple thing
stored as Docker images in a specified Docker registry
invoked in responce to a CLI command or signed HTTP request

OCI STORAGE SERVICES

Block Storage (Block Volume), Local NVMe, File Storage, Object Storage, Archive Storage.

Block Storage:

* Hard drive in a server except the hard drive happens to be installed in a remote chassis
(local storage değil remote storage’dır)
* Storage for compute instances
* 2 types: Boot Volume(OS disk), Block Volume(data disks -> database diskleri)

– Block Volume: Stores replica of data in 3 seperate fault domains
– Block Volume: You don’t need to configure any software based protection (RAID-10 etc.)
– Block Volume: To minimize loss of data due to deletes or corruption, we recommend to take
periodic backups of block volumes. OCI allows automated scheduled backups.
– Block Volume’un backup’ı Object Storage’da tutulur.

Object Storage’daki block volume backup’tan da yeni volume create edebiliriz ve bunu da compute instance’a attach edebiliriz.

Aynı veya farklı availability domain’de bunu yapabiliriz.

Block Volume 50 gb -22 tb arasında yaratılabilir ve her bir instance’a 32 volume attach edebiliriz

– Can copy block volume backups from one-region to another
– Block Volume Tiers: Basic, Balanced, Higher Performance

* Data is typically stored on device in fixed sized blocks
* Accessed by operating system as mounted drive volume
* Commonly deployed in SAN storage

Local NVMe:

* Use cases:

– NoSql databases(Cassandra, Mongodb, Redis)
– in-memory databases
– Scale-out transactional databases
– Data warehousing

* Temporary NVMe based storage locally attached to the compute instances
* Designed for applications that require high-performance local storage
* Storage is non-persistent (survives reboot)
* OCI uses NVMe(Non-Volatile Memory Express) interface for very high performance
* OCI provides no RAID, snapshots, backups capabilities for these devices and customers are responsible for data durability
* Block based protocol (like Block Volume)
* SLA around performance

File Storage:

* Shared file system storage for compute instances
* Supports NFS v.3 distributed file system
* Data protection: Snapshots (10.000 snapshots per file system)
* Security: data-at-rest and in-transit encryption for all file systems & metadata
* Use cases: Oracle App. (EBS gibi), HPC, Bigdata and Analytics, General purpose file systems

Object Storage:

* All data, regardless of content type, is managed as objects
* Each object is stored in a bucket. A bucket is a logical container for storing objects
* Objects are stored in a single, flat structure without a folder hierarchy. This means that accessing individual objects is fast and easy
* Each object is composed of object itself and metadata of the object. This makes it easier to index and access data
* Object storage is quite common in cloud-based storage scenarios with very high scability and reliability
* While files and blocks are generally available to an operating system(by mount operation), object storage relies on standart HTTP verbs

Object Storage Service:

* An internet-scale, high-performance storage platform
* Ideal for storing unlimited amount of unstructured data (images, media files, logs, backups)
* Regional service, not tied to any specific compute instance
* Offers wo distinct storage classes “hot” storage(standart),”cold” storage(Archive)
* Object Storage stores replica of data in 3 seperate Fault Domains in an AD
* In a multi-AD region, it stores replica of data in more than one AD
* Data integrity is actively monitored and corrupt data detected and auto repaired
* You can leverage cross-region copy for disaster recovery scenarios

Use cases:

– Content repository for data, images, logs and video etc.
– Archive/Backup for longer periods of time
– Storing log data for analysis and debugs/troubleshooting
– Storing large data sets (genome data, IoT)
– Bigdata/Hadoop storage

Object Storage Tiers:

Standart Storage Tier (Hot):

* Fast, immediate and frequent access
* Data retrieval is instantaneous
* Always servers the most recent copy of the data when retrieved
* Standard buckets can’t be downgraded to archive storage

Archive Storage Tier (Cold):

* Seldom or rarely accessed data but must be retained and preserved for long periods of time
* 10X cheaper than Standart Tier
* 90 days minimum retention requirement
* Objects need to be restored before download. First Byte(TTFB) after restore request is made: 4 hours
* Archive Bucket can’t be upgraded to Standart storage tier