OCI Foundations Flashcards
What is OCI IAM?
Identity and Access Management Service
* Fine-grained Access Control
* Role Based Access Control
* AuthN - Who are you?
* AuthZ - What permissions do you have?
OCI Identity Concepts
- Identity Domains
- Users
- Groups
- Policies
- Federation
- Network Sources
- Principals
- Dynamic Groups
- Compartments
- Resources
Identity Domains
An identity domain represents a user population in OCI together with the configuration and security settings associated with it
How the pieces fit together (tenancy view):
- Identity Domain
  - Users
  - Groups
- Policies - role-based access control
- Compartments
  - Resources - cloud objects
How to identify an OCI resource?
Oracle Cloud ID (OCID)
Format: ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>
- ocid1: The literal string indicating the version of the OCID.
- resource type: The type of resource (for example, instance, volume, vcn, subnet, user, group, and so on).
- realm: The realm the resource is in. A realm is a set of regions that share entities. Possible values are oc1 for the commercial realm, oc2 for the Government Cloud realm, or oc3 for the Federal Government Cloud realm. The regions in the commercial realm (OC1) belong to the domain oraclecloud.com. The regions in the Government Cloud (OC2) belong to the domain oraclegovcloud.com.
- region: The region the resource is in (for example, phx, iad, eu-frankfurt-1). With the introduction of the Frankfurt region, the format switched from a three-character code to a longer string. This part is present only for regional resources or those specific to a single availability domain. If the region is not applicable to the resource, this part is blank: a tenancy OCID, for example, has the form ocid1.tenancy.oc1..<UNIQUE ID>, with two consecutive dots where the region would be.
- future use: Reserved for future use. Currently blank.
- unique ID: The unique portion of the ID. The format may vary depending on the type of resource or service.
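A small parser for the OCID format just described, as an added example (this is my code for this page, not Oracle's SDK). It splits an OCID into its segments, rejects malformed values, and exposes the realm-to-domain mapping given above. The OCIDs in the comments and checks are constructed for illustration; their unique-ID parts do not belong to real resources.

```python
"""Parse and validate Oracle Cloud IDs (OCIDs) in the format described above.

Added example; this is not Oracle's own code. The OCIDs used for
illustration are constructed, not real resources.
"""
import re
from dataclasses import dataclass
from typing import Optional

_SEGMENT = re.compile(r"[a-z0-9_-]+")   # resource type and realm
_REGION = re.compile(r"[a-z0-9-]+")     # phx, iad, eu-frankfurt-1, ...
_UNIQUE = re.compile(r"[a-z0-9]+")      # unique-ID segment

# Realm -> DNS domain, as listed on the page. oc3 has no domain given there.
REALM_DOMAIN = {"oc1": "oraclecloud.com", "oc2": "oraclegovcloud.com"}


@dataclass(frozen=True)
class OCID:
    resource_type: str
    realm: str
    region: Optional[str]   # None for non-regional resources (tenancy, user, group, ...)
    unique_id: str

    @property
    def is_regional(self) -> bool:
        return self.region is not None


def parse_ocid(value: str) -> OCID:
    """Split an OCID into its parts, raising ValueError on anything malformed.

    Accepts the 5-segment form (ocid1.type.realm.region.id, where region may
    be empty, e.g. ocid1.tenancy.oc1..<id>) and the 6-segment form that
    carries the reserved 'future use' segment, which must be blank.
    """
    parts = value.split(".")
    if len(parts) == 5:
        version, rtype, realm, region, unique = parts
    elif len(parts) == 6:
        version, rtype, realm, region, future, unique = parts
        if future:
            raise ValueError("reserved 'future use' segment must be blank")
    else:
        raise ValueError(f"expected 5 or 6 dot-separated segments, got {len(parts)}")
    if version != "ocid1":
        raise ValueError(f"unsupported OCID version {version!r}")
    if not _SEGMENT.fullmatch(rtype) or not _SEGMENT.fullmatch(realm):
        raise ValueError(f"bad resource type or realm in {value!r}")
    if region and not _REGION.fullmatch(region):
        raise ValueError(f"bad region {region!r}")
    if not _UNIQUE.fullmatch(unique):
        raise ValueError(f"bad unique-ID segment in {value!r}")
    return OCID(rtype, realm, region or None, unique)


def realm_domain(ocid: OCID) -> Optional[str]:
    """DNS domain of the realm the resource lives in (None if not listed)."""
    return REALM_DOMAIN.get(ocid.realm)


def same_realm(a: OCID, b: OCID) -> bool:
    """Realms do not share entities, so a cross-realm reference can never
    resolve. Use this before pasting an OCID from one realm into a policy
    or configuration meant for another."""
    return a.realm == b.realm
```

The realm check is the security-relevant part: an OCID that parses cleanly but names the wrong realm (oc1 vs oc2) will silently fail to match anything, so validate it up front rather than debugging an empty policy match later.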
Compartment
- The tenancy comes with a root compartment when the account is created; it can hold all the cloud resources
- A compartment is a collection of related resources
- Used to isolate resources and control access to them
Best practice: Create dedicated compartments to isolate resources
Compartment
- Each resource belongs to exactly one compartment
- Resources can be moved from one compartment to another
- Groups + Policies = access to compartments
- Resources can interact with resources in other compartments
- Resources from multiple regions can be in the same compartment
- Up to six levels of nesting are allowed (nested compartments)
- Quotas and budgets can be set on compartments
Principals
IAM entities that are allowed to interact with OCI resources (users, and resources such as instances acting through dynamic groups)
AuthN
- User name/password (console sign-in)
- API signing key (RSA key pair: the public key is uploaded to the user, the private key signs API requests)
- Authentication tokens
  - Oracle-generated token strings
  - Used to authenticate to third-party APIs that do not support OCI request signing
AuthZ
What permissions do you have?
AuthZ in OCI - IAM Policies
Policies - human-readable statements that define granular permissions
A policy can be attached to a compartment or to the tenancy; a statement written for a compartment also covers the compartments nested under it
Policy statement basic syntax
Allow group <identity_domain_name>/<group_name> to <verb> <resource-type> in compartment <compartment_name>
Allow group <group_name> to <verb> <resource-type> in <location> where <conditions>
(<location> is "compartment <compartment_name>" or "tenancy"; the where clause is optional)
Verb (each verb includes the permissions of the ones listed below it)
* manage
* use
* read
* inspect
Aggregate resource-type
* all-resources
* database-family
* instance-family
* object-family
* virtual-network-family
* volume-family
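An added example (my code, not OCI's authorization engine) that evaluates policy statements written in the syntax above against a request. It goes slightly beyond the flashcards by modelling three things that OCI policy actually does: verbs nest (manage includes use, read and inspect), a statement scoped to a compartment also covers its sub-compartments, and an aggregate resource type covers its member types. The compartment tree, group names, the partial family membership table and the sample statements are constructed for this example.

```python
"""Evaluate IAM policy statements written in the syntax above.

Added example, not OCI's authorization engine. Modeled facts: verbs nest
(manage > use > read > inspect); a statement on a compartment also covers
its sub-compartments; an aggregate resource type covers its member types;
there are no deny statements, so no matching allow means denied. The
compartment tree, groups and the partial family table are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Partial membership table (constructed subset; the real families hold more types).
FAMILY_MEMBERS = {
    "instance-family": {"instances", "instance-images", "volume-attachments"},
    "virtual-network-family": {"vcns", "subnets", "security-lists", "route-tables"},
    "volume-family": {"volumes", "volume-backups"},
}

_STMT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<rtype>\S+) "
    r"in (?:compartment (?P<comp>\S+)|tenancy)(?: where (?P<cond>.+))?$"
)
# Only a single "variable = 'value'" condition is supported here (e.g. request.region).
_COND = re.compile(r"^(?P<var>\S+)\s*=\s*'(?P<value>[^']*)'$")


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    rtype: str
    compartment: Optional[str]   # None means "in tenancy"
    condition: Optional[str]


def parse_statement(text: str) -> Statement:
    m = _STMT.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized policy statement: {text!r}")
    return Statement(m["group"], m["verb"], m["rtype"], m["comp"], m["cond"])


def _covers_type(granted: str, requested: str) -> bool:
    if granted == "all-resources" or granted == requested:
        return True
    return requested in FAMILY_MEMBERS.get(granted, set())


def _in_scope(stmt_comp: Optional[str], request_comp: str, parent_of: Dict[str, Optional[str]]) -> bool:
    """True if request_comp is stmt_comp itself or nested under it."""
    if stmt_comp is None:
        return True
    c: Optional[str] = request_comp
    while c is not None:
        if c == stmt_comp:
            return True
        c = parent_of.get(c)
    return False


def _condition_holds(cond: str, ctx: Dict[str, str]) -> bool:
    m = _COND.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")   # fail closed
    return ctx.get(m["var"]) == m["value"]


def find_grant(policies: List[str], group: str, verb: str, rtype: str, compartment: str,
               parent_of: Dict[str, Optional[str]], ctx: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the first statement that allows the request, or None (deny)."""
    ctx = ctx or {}
    for text in policies:
        s = parse_statement(text)
        if s.group != group or VERB_RANK[s.verb] < VERB_RANK[verb]:
            continue
        if not _covers_type(s.rtype, rtype) or not _in_scope(s.compartment, compartment, parent_of):
            continue
        if s.condition and not _condition_holds(s.condition, ctx):
            continue
        return text
    return None


# Constructed compartment tree (child -> parent; the root has no parent) and sample policies.
PARENT_OF = {"root": None, "Networking": "root", "Dev": "root", "Dev-Sandbox": "Dev"}
POLICIES = [
    "Allow group Default/NetworkAdmins to manage virtual-network-family in compartment Networking",
    "Allow group Default/Auditors to inspect all-resources in tenancy",
    "Allow group Default/Devs to use instance-family in compartment Dev where request.region = 'us-phoenix-1'",
]
```

Two things worth noticing when using this as a mental model: there is no deny statement in OCI policy, so a None from find_grant is the deny path, and an unrecognised condition raises instead of being ignored, which is the safe failure mode for anything that gates access.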
Tenancy Setup Best Practices
- Don't use the tenancy administrator account for day-to-day operations
- Create dedicated compartments to isolate resources
- Enforce the use of Multi-Factor Authentication (MFA)
Virtual Cloud Network (VCN)
- Software-defined private network
- Used for secure communication between OCI resources
- Lives in a single OCI region
- A VCN is:
  - Highly available
  - Scalable
  - Secure
VCN Address Space
- IP address range expressed as a CIDR block
Subnets
- Public subnet
- Private subnet
Gateways
- Internet Gateway
- NAT Gateway
- Service Gateway
- Dynamic Routing Gateway (DRG) - connection to on-premises
Route Table
Peering
- Local peering
- Remote peering - through a DRG
Dynamic Routing Gateway v2
VCN Security
- Security Lists
  - Firewall rules applied at the subnet level, to every VNIC in the subnet
  - Rules are stateful (return traffic is allowed automatically) or stateless (return traffic needs its own rule)
  - Direction: ingress and egress
- Network Security Group (NSG)
  - The same kind of rules, applied to a chosen set of VNICs instead of a whole subnet
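An added example (my code, not an OCI tool) covering the address-space and security-list cards above: it checks that proposed subnets are carved from the VCN CIDR without overlapping, and then evaluates an inbound connection against a rule set to show the stateful/stateless difference, where a stateless ingress rule alone lets the request in but drops the reply until a matching egress rule exists. The CIDRs, rule sets and client addresses are constructed for the example.

```python
"""Subnet layout check and security-list evaluation (added example, not OCI code).

Shows that subnet CIDRs must fit inside the VCN's address space without
overlapping, and how stateful and stateless rules differ for the reply
packets of an inbound connection. All CIDRs, rules and IPs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def subnet_errors(vcn_cidr: str, subnet_cidrs: List[str]) -> List[str]:
    """Return problems with a proposed subnet layout (empty list means OK)."""
    vcn = ipaddress.ip_network(vcn_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    errors = []
    for n in nets:
        if not n.subnet_of(vcn):
            errors.append(f"{n} is outside VCN {vcn}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{a} overlaps {b}")
    return errors


@dataclass(frozen=True)
class Rule:
    direction: str                               # "ingress" or "egress"
    protocol: str                                # "tcp", "udp", "icmp" or "all"
    cidr: str                                    # source (ingress) or destination (egress)
    dst_ports: Optional[Tuple[int, int]] = None  # None = all destination ports
    stateless: bool = False                      # rules are stateful unless marked


def _rule_matches(rule: Rule, direction: str, protocol: str, peer_ip: str, dst_port: int) -> bool:
    if rule.direction != direction or rule.protocol not in ("all", protocol):
        return False
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.dst_ports is not None:
        lo, hi = rule.dst_ports
        if not lo <= dst_port <= hi:
            return False
    return True


def evaluate_connection(rules: List[Rule], client_ip: str, server_port: int,
                        protocol: str = "tcp", client_port: int = 50000) -> Dict[str, bool]:
    """Decide whether an inbound connection's request and reply packets pass.

    Request: ingress from client_ip to server_port.
    Reply:   egress to client_ip on the client's ephemeral port (client_port).
    A stateful ingress rule tracks the connection, so the reply passes with
    no egress rule; a stateless ingress rule needs an explicit egress match.
    """
    ingress = next((r for r in rules if _rule_matches(r, "ingress", protocol, client_ip, server_port)), None)
    if ingress is None:
        return {"request": False, "response": False}
    if not ingress.stateless:
        return {"request": True, "response": True}
    reply_ok = any(_rule_matches(r, "egress", protocol, client_ip, client_port) for r in rules)
    return {"request": True, "response": reply_ok}


# Constructed rule sets. WEAK_SSH is the setting a reviewer would flag: SSH open
# to the whole Internet. ADMIN_SSH restricts the source to an admin/bastion range.
WEAK_SSH = Rule("ingress", "tcp", "0.0.0.0/0", (22, 22))
ADMIN_SSH = Rule("ingress", "tcp", "198.51.100.0/24", (22, 22))
WEB_STATELESS_IN = Rule("ingress", "tcp", "0.0.0.0/0", (80, 80), stateless=True)
WEB_STATELESS_OUT = Rule("egress", "tcp", "0.0.0.0/0", (1024, 65535), stateless=True)
```

The stateless pair is the case that bites in practice: a stateless ingress rule for port 80 looks like it works (the SYN arrives) until you notice that the server's replies to the client's ephemeral port are being dropped for want of an egress rule.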
Load Balancer
- Layer 7 HTTP/S
- Scalable - flexible/dynamic shapes
- Public/Private
- Highly available
- Advanced features
  - Routing intelligence
Network Load Balancer
- Layer 4 TCP & UDP
- Public/Private
- Highly available
- Scalable
- Faster than the HTTP/S load balancer; lower latency
Compute
- Virtual Machines
  - Shared
  - Multi-tenant
- Bare Metal Servers
- Dedicated Host
Flexible Shapes
Processor Options
AMD, Intel, Arm-based processors (Ampere Altra)
Pay for what you use
Preemptible VMs
* Low cost
* Short-lived VMs
* Batch jobs
* Fault-tolerant workloads
* 50% cheaper than regular instances
Instance Basics
Compute instance dependencies:
- VCN - VNIC (the instance's network interface)
- Block volume - boot disk
- Storage - data
Live migration
- between hosts
- transparent
- no downtime
- seamless
Generate an SSH key pair for the instance (one command per line):
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cd ~/.ssh
ssh-keygen -b 2048 -t rsa -f <<sshkeyname>>
Note in the output that there are two files, a private key <<sshkeyname>> and a public key <<sshkeyname>>.pub. Keep the private key safe (chmod 600) and don't share its content with anyone. The public key is what you paste or upload when creating the instance, and it can be uploaded to other systems to facilitate secure communication in the cloud. 2048 bits is the minimum for RSA; prefer -b 4096, or -t ed25519 where the target accepts it.
Image
- Oracle Linux
- Ubuntu
- Red Hat
- CentOS
- Windows
- SUSE
- AlmaLinux
- Rocky Linux
- Marketplace
- My Images (custom images)
Shapes
- Instance types
  - VM
  - Bare metal
- CPU options
  - AMD
  - Intel
  - Ampere (Arm-based processor)
- Number of CPUs (OCPUs)
- Memory
Scaling
- Vertical scaling
  - Downtime required
  - Stop the instance before resizing
- Autoscaling / horizontal scaling
  - Start from a running instance
  - Template called an instance configuration in OCI
  - Instance pool
    - Initial size
    - Minimum size
    - Maximum size
    - Scaling rule
VMs vs Containers
- A VM contains a full OS and runs on a hypervisor
  - Higher utilization of resources compared to on-premises
  - Multiple VMs, each with its own OS
  - More disk space
  - Longer boot time
- A container does not contain an OS and runs on a container runtime
  - Faster boot time
  - Lightweight
  - Portable
Container Orchestration
Kubernetes, an open-source platform for automating the deployment, scaling and management of containerized applications
How to:
* Deploy
* Manage
* Connect
* Scale up/down
Advantages:
* Can run containerized applications at any scale without downtime
* Can self-heal containerized applications
* Can auto-scale containerized applications
* Greatly simplifies deployment operations
Docker is used to build and manage containers
Docker's runtime integration (dockershim) was deprecated in Kubernetes v1.20 and removed in v1.24
(CRI runtimes such as containerd and CRI-O are used instead; images built with Docker still run)
Container Engine for Kubernetes (OKE): Overview
- Core : Fully managed, scalable, and highly available service
- Engine : Uses the open-source system: Kubernetes
- Developer :
- One click cluster creation
- CLI/API support
- Support for Arm and GPU instances
- DevOps :
- Autoscaling support
- Automatic Kubernetes upgrade
- Self-healing cluster nodes
Components of a Cluster
Customer managed
* Node: a machine on which Kubernetes is installed, also referred to as a worker node
* Node pool: a group of nodes with the same configuration
* Pod: a group of one or more containers with shared storage and network resources, defined by a specification file
Control plane nodes (Oracle managed, free of charge)
How to:
- Manage the cluster
- Schedule the containers
- Manage high availability
- Manage worker nodes and pods
Components:
* kube-controller-manager
* cloud-controller-manager
* kube-apiserver
* kube-scheduler
* etcd - a key-value store that backs all of the cluster's data
Types of OKE Clusters
- Enhanced clusters
  - Support all available features, including features not supported by basic clusters
- Basic clusters
  - Support all the core functionality provided by Kubernetes and Container Engine for Kubernetes
  - Come with a Service Level Objective (SLO) but not a financially-backed Service Level Agreement (SLA)
Node types
- Virtual nodes
  - Provide a "serverless" Kubernetes experience, enabling you to run containerized applications at scale
  - The Kubernetes software is upgraded and security patches are applied by Oracle while respecting application availability requirements
  - Can only be created (as virtual node pools) in enhanced clusters
- Managed nodes
  - You are responsible for managing them (and can configure them to meet your specific requirements)
  - You are responsible for upgrading Kubernetes on them and for managing cluster capacity
  - Can be created (as node pools) in both basic clusters and enhanced clusters
OCI Container Instances
- Eliminate operational complexity for the user
- Oracle takes care of the underlying container runtime and compute resources
- The compute infrastructure provides strong workload isolation for enhanced security
Oracle Functions
- Functions-as-a-Service
- Event-driven architecture
- Integrated with Oracle Cloud
- Container native
- Open source (based on the Fn Project)
How Oracle Functions work
- Uploaded code and configuration are packaged as a container image and stored in OCI Registry
- Set up triggers
  - Direct invocation via SDK/CLI/API
  - OCI Events
- Oracle Functions runs the code when triggered
- Function code can invoke OCI services or external systems
- Integrates with other OCI services: Monitoring, Identity, Registry, Logging, Network
Storage Requirements
- Persistent vs non-persistent
- What type of data?
- Performance
  - Capacity
  - IOPS
  - Throughput
- Durability
  - Number of copies
- Connectivity
  - Local storage
  - Network storage
- How to access data
  - Protocol
    - Block
    - File
    - HTTP
Persistence vs Durability
- Persistence: the data survives when the instance using it is stopped or terminated
- Durability: the data survives hardware failure, which comes from keeping multiple copies
OCI Storage Services
- Local NVMe
  - Availability domain (AD) local, attached directly to the instance
  - NVMe SSDs
  - Performance-sensitive applications
  - Not replicated by Oracle: the application must handle its own backups or replication
- Block Volume
  - Persistent, durable (replicated)
  - Fixed-size blocks, attached to an instance
- File Storage
  - Shared
  - Files and directories
  - Mount the file system (NFS)
- Object Storage
  - HTTP
  - Unstructured data
OCI Data Migration Services
- Data Transfer Disk
- Data Transfer Appliance
- Storage Gateway
OCI Object Storage
- Internet-scale, high-performance storage platform
- Data managed as objects
- Ideal for unstructured data
- Regional, Public service
- Multiple storage tiers
- Private access from OCI resources (e.g. compute)
- Advanced capabilities
OCI Object Storage Scenarios
- Content repository
- Unstructured and semi-structured data
- Big data / Spark / Hadoop / data analytics
- Archive / backup
Object Storage Concepts
- Object (key-value pair)
  - Stored in a bucket
- Bucket
  - Unique name within a tenancy
  - Flat hierarchy (no real folders)
- Namespace
  - Logical entity
  - Top-level container for all buckets and objects
  - Globally unique name
Object Storage Tiers
- Standard Storage Tier / Hot tier
  - Fast, immediate, and frequent access
  - Most recent copy of the data
  - Instantaneous retrieval
  - A Standard bucket can't be downgraded to Archive
- Infrequent Access Storage Tier / Cool tier
  - Ideal for data that you access infrequently
  - Storage costs lower than the Standard tier
  - Minimum retention requirement: 31 days
  - Retrieval fees apply
- Archive Storage Tier / Cold tier
  - Seldom or rarely accessed data
  - Minimum retention requirement: 90 days
  - Objects must be restored before they can be downloaded
  - Restore time: up to 1 hour
  - Restored objects stay downloadable for a limited window (24 hours by default)
  - An Archive bucket can't be upgraded to Standard
Auto-tiering (moves objects between Standard and Infrequent Access based on access patterns)
Lifecycle management (rules that move or delete objects by age)
Object versioning (enabled per bucket; keeps earlier versions when an object is overwritten or deleted)
Data encryption
- Always on; cannot be turned off
- Data is encrypted by default with Oracle-managed keys, or you can use your own key from OCI Vault
Accessing stored data
Once data is stored, access is a single API call for all storage tiers (Archive objects must be restored first)