Create a Multi-Tier Topology with IP Networks Using an Orchestration

Create an orchestration to launch and manage a multi-tier topology for an application deployed on Compute Classic instances attached to IP networks.

Scenario Overview

The application and the database that the application uses are hosted on instances attached to separate IP networks. Users outside Oracle Cloud have HTTPS access to the application instances. The topology also includes an admin instance that users outside the cloud can connect to using SSH. The admin instance can communicate with all the other instances in the topology.

Note:

The focus of this guide is the network configuration for instances attached to IP networks in a sample topology. The framework and the flow of the steps can be applied to other similar or more complex topologies. The steps for provisioning or configuring other resources (like storage) are not covered in this guide.

Compute Topology

The topology that you are going to build using the steps in this tutorial contains the following Compute Classic instances:

  • Two instances – appVM1 and appVM2 – for hosting a business application, attached to an IP network, each with a fixed public IP address.

  • Two instances – dbVM1 and dbVM2 – for hosting the database for the application. These instances are attached to a second IP network.

  • An admin instance – adminVM – that's attached to a third IP network and has a fixed public IP address.

Note:

You won't actually install any application or database. Instead, you'll simulate listeners on the required application and database ports using the nc utility. The goal of this section is to demonstrate the steps to configure the networking that's necessary for the traffic flow requirements described next.

Traffic Flow Requirements

Only the following traffic flows must be permitted in the topology that you'll build:

  • HTTPS requests from anywhere to the application instances

  • SSH connections from anywhere to the admin instance

  • All traffic from the admin instance to the application instances

  • All traffic from the admin instance to the database instances

  • TCP traffic from the two application instances to port 1521 of the database instances

Network Resources Required for this Topology

  • Public IP address reservations for the application instances and for the admin instance

  • Three IP networks, one each for the application instances, the database instances, and the admin instance

  • An IP network exchange to connect the IP networks in the topology

  • Security protocols for SSH, HTTPS, and TCP/1521 traffic

  • ACLs that will contain the required security rules

  • vNICsets for the application instances, database instances, and the admin instance

  • Security rules to allow SSH connections to the admin instance, HTTPS traffic to the application instances, and TCP/1521 traffic to the database instances

Create the Orchestration

You can create a blank orchestration, and then add objects to it by updating the orchestration. While updating the orchestration, you can define attributes for a topology that consists of multiple instances and multiple networks.

Prerequisite

Generate an SSH key pair. In the orchestration, you’ll add the public key and associate it with the instance. See Generate an SSH Key Pair.

Procedure

Note:

This procedure walks you through the key steps required to quickly provision the basic compute and networking resources. It does not cover the advanced configuration options.
  1. Sign in to the Compute Classic console.
  2. Go to the Orchestrations tab, and click Create Orchestration.
  3. In the Create Orchestration dialog box, enter the following information.
    • Name: Enter a name for the orchestration.
    • Description: Enter a description.
    • Tags: Specify one or more tags to help you identify and categorize the orchestration.
    Click Create.

    A blank orchestration is created and listed on the Orchestrations page. You can now add objects by updating the orchestration.

  4. From the menu icon menu for the orchestration that you created, select Update.
    The Orchestration page has a JSON section that shows the current orchestration definition. As you add and update the objects in the orchestration, the JSON section gets updated. Note that the objects you add and update are in the Inactive status. They are created only when you start the orchestration.
  5. Add the following access control lists:
    Purpose                  Suggested Name
    For the admin VM         adminVM
    For the application VMs  appVMs
    For the database VMs     dbVMs

    Add the ACLs, one at a time, using the following steps:

    1. In the Access Control List section, click Add.
    2. Enter a name for the ACL, as suggested in the table.
      Note this name. You’ll need to specify it later when configuring the security rules.
    3. Click Create.
    4. From the menu icon menu for the ACL that you added, select Properties.
    5. In the Object Properties dialog box, select the Persistent check box.
    6. Click Update.
  6. Add an IP exchange.
    1. In the IP Exchange section, click Add.
    2. In the Create IP Exchange dialog box, enter a name for the IP exchange.
      Note this name. You’ll need to specify it later when you add the IP networks.
    3. Click Create.
    4. From the menu icon menu for the IP exchange that you added, select Properties.
    5. In the Object Properties dialog box, select the Persistent check box.
    6. Click Update.
  7. Add the following IP networks:
    Purpose                  Suggested Name  Suggested IP Address Prefix
    For the admin VM         adminIPnetwork  172.16.1.0/24
    For the application VMs  appIPnetwork    10.50.1.0/24
    For the database VMs     dbIPnetwork     192.168.1.0/24

    Add the IP networks, one at a time, using the following steps:

    1. In the IP Network section, click Add.
    2. In the Name field, enter a name for the IP network, as suggested in the table.
      Note this name. You’ll need to specify it later when configuring the network interface of your instance.
    3. In the IP Address Prefix field, enter the address range of the IP network in the CIDR format.
    4. In the IP Exchange field, select the IP exchange that you created earlier.
    5. Click Create.
    6. From the menu icon menu for the IP network that you added, select Properties.
    7. In the Object Properties dialog box, select the Persistent check box.
    8. Click Update.
  8. Add the following IP reservations:
    For VM            Suggested Name
    Admin VM          ipResForAdminVM
    Application VM 1  ipResForAppVM1
    Application VM 2  ipResForAppVM2

    Add the IP reservations, one at a time, using the following steps:

    1. In the IP Reservation (IP Network) section, click Add.
    2. In the Create IP Reservation dialog box, enter a name for the IP reservation, as suggested in the table.
      Note this name. You’ll need to specify it later when configuring the network interface of your instance.
    3. Click Create.
    4. From the menu icon menu for the IP reservation that you added, select Properties.
    5. In the Object Properties dialog box, select the Persistent check box.
    6. Click Update.
  9. Add the following security protocols:
    Purpose                                                       Suggested Name  IP Protocol  Destination Port Set
    For HTTPS requests to the application VMs                     https           TCP          443
    For SSH traffic                                               ssh             TCP          22
    For TCP traffic from the application VMs to the database VMs  tcp1521         TCP          1521

    Add the security protocols, one at a time, using the following steps:

    1. In the Security Protocol section, click Add.
    2. In the Create Security Protocol dialog box, provide the following information:
      • Name: Enter a name for the protocol, as suggested in the table.

        Note this name. You’ll need to specify it later when configuring the security rules that use this protocol.

      • IP Protocol: Select TCP.
      • Destination Port Set: Enter the required port.
    3. Click Create.
    4. From the menu icon menu for the protocol that you added, select Properties.
    5. In the Object Properties dialog box, select the Persistent check box.
    6. Click Update.
  10. Add the following vNICsets:
    Purpose                  Suggested Name  Applied Access Control Lists
    For the admin VM         adminVM         adminVM
    For the application VMs  appVMs          appVMs
    For the database VMs     dbVMs           dbVMs

    Add the vNICsets, one at a time, using the following steps:

    1. In the Virtual NIC Set section, click Add.
    2. Enter a name for the vNICset, as suggested in the table.
      Note this name. You’ll need to specify it later when configuring the network interface of your instance.
    3. In the Applied Access Control Lists field, select the ACL as specified in the table.
    4. Click Create.
    5. From the menu icon menu for the vNICset that you added, select Properties.
    6. In the Object Properties dialog box, select the Persistent check box.
    7. Click Update.
  11. Add the following security rules:
    Purpose                                                           Suggested Name           Type     ACL      Source           Destination      Protocol
    SSH requests from any source to the admin VM                      internet-to-adminVM      Ingress  adminVM  Any              adminVM vNICset  ssh
    All traffic from the admin VM to any destination                  adminVM-to-any           Egress   adminVM  adminVM vNICset  Any              Any
    All traffic from the admin VM to the application VMs              adminVM-to-appVMs        Ingress  appVMs   adminVM vNICset  appVMs vNICset   Any
    HTTPS traffic from any source to port 443 of the application VMs  internet-to-appVMs       Ingress  appVMs   Any              appVMs vNICset   https
    TCP traffic from the application VMs to port 1521 of the DB VMs   appVMs-to-dbVMs-egress   Egress   appVMs   appVMs vNICset   dbVMs vNICset    tcp1521
    TCP traffic from the application VMs to port 1521 of the DB VMs   appVMs-to-dbVMs-ingress  Ingress  dbVMs    appVMs vNICset   dbVMs vNICset    tcp1521
    All traffic from the admin VM to the DB VMs                       adminVM-to-dbVMs         Ingress  dbVMs    adminVM vNICset  dbVMs vNICset    Any

    Add the security rules, one at a time, using the following steps:

    1. Expand the Security Rule (IP Network) section, and click Add.
    2. In the Create Security Rule dialog box, provide the following information:
      • Name: Enter a name for the security rule, as suggested in the table.
      • Type: Select Ingress or Egress, as specified in the table.
      • Access Control List: Select the ACL specified in the table.
      • Security Protocols: Select the protocol specified in the table. If the table shows Any, then leave this field blank.
      • Source vNICset: Select the source specified in the table. If the table shows Any, then leave this field at Not Set.
      • Destination vNICset: Select the destination specified in the table. If the table shows Any, then leave this field at Not Set.

      Leave all the other fields at the default values.

    3. Click Create.
    4. From the menu icon menu for the security rule that you added, select Properties.
    5. In the Object Properties dialog box, select the Persistent check box.
    6. Click Update.
  12. Add the SSH public key.
    1. Expand the SSH Key section, and click Add.
    2. Enter a name for the key.
      Note this name. You’ll need to specify it later when selecting the public key for your instance.
    3. Click Select File.
    4. Browse to the file that contains the public key you generated earlier, and select it.
    5. Click Add.
    6. From the menu icon menu for the SSH key that you added, select Properties.
    7. In the Object Properties dialog box, select the Persistent check box.
    8. Click Update.
  13. Add the following VMs, and configure networking for them.
    VM Name  Suggested DNS Hostname Prefix  Suggested vNIC Name  IP Network      Public IP Address  Virtual NIC Set
    adminVM  adminvm                        admn                 adminIPnetwork  ipResForAdminVM    adminVM
    appVM1   appvm1                         app1                 appIPnetwork    ipResForAppVM1     appVMs
    appVM2   appvm2                         app2                 appIPnetwork    ipResForAppVM2     appVMs
    dbVM1    dbvm1                          db1                  dbIPnetwork     None               dbVMs
    dbVM2    dbvm2                          db2                  dbIPnetwork     None               dbVMs

    Add the VMs, one at a time, using the following steps:

    1. In the Instance section, click Add.
    2. From the menu icon menu for the instance that you added, select Update.
    3. In the Information section, complete the following steps:
      • Name: Enter a name that you can use to easily identify the VM, as suggested in the table.

      • Image: Select an image of your choice.

        Note:

        The optional steps at the end to verify network access are for VMs created using Oracle Linux 6.8 and 7.2 images. Those optional steps might not work for VMs created using other images.

      • DNS Hostname Prefix: Enter a host name as suggested in the table.

      • If you want to, change the shape and other settings of the VM as required. The default values will work for this example.

    4. Click Update.
    5. In the IP Network Interfaces section, click Add IP Network Interface, and provide the following information:
      • vNIC Name: Enter a unique name for the vNIC, as suggested in the table.
      • IP Network: Select the IP network specified in the table.
      • Public IP Address: Select the IP reservation specified in the table.
      • Virtual NIC Sets: Remove the default vNICset, and select the vNICset that you added.
    6. Click Save.
    7. In the SSH Public Keys section, click Add SSH Public Key, and add the public key that you uploaded.
    8. Scroll to the top of the page, and click Back to Orchestration Details.
  14. After adding all the VMs, scroll to the top of the page, and click the Start button near the upper-right corner.
    When you start the orchestration, the status of the orchestration changes to Starting and then to Ready when all the objects defined in the orchestration are created successfully. The instance and other objects are created and their status changes from Inactive to Active.
  15. At the confirmation prompt, click Yes.
    In the Information pane at the top, the Status field shows Starting.
    Wait until the status changes to Ready. Periodically, click the refresh button near the upper-right corner of the Information pane.
  16. Verify that all the resources are created.
    In all the resource sections, the status field shows Active.
    You have successfully created your instances and the required networking resources.
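Before starting the orchestration it is worth confirming that the security rules from step 11 permit exactly the traffic flows listed under Traffic Flow Requirements and nothing more. The following Python script is an added example (it is not part of this tutorial and uses no Oracle API): it transcribes the tables from steps 9, 10 and 11 as data and checks each required and each forbidden flow against them. It assumes the evaluation model the rule table implies, namely that traffic between two vNICsets needs an Egress rule in the source's ACL and an Ingress rule in the destination's ACL, while traffic from outside the cloud needs only the Ingress rule; `flow_allowed` and `check_policy` are names chosen for this example.

```python
# Added example, not part of the tutorial. Assumption: a flow between two
# vNICsets passes only if the source's ACL has a matching Egress rule AND the
# destination's ACL has a matching Ingress rule; a flow from outside the cloud
# ("internet") needs only the Ingress rule. Tables below are transcribed from
# steps 9, 10 and 11 of the tutorial.
ANY = "Any"

# vNICset -> ACL applied to it (step 10)
VNICSET_ACL = {"adminVM": "adminVM", "appVMs": "appVMs", "dbVMs": "dbVMs"}

# security protocol name -> destination TCP port (step 9)
PROTOCOLS = {"ssh": 22, "https": 443, "tcp1521": 1521}

# (name, type, ACL, source, destination, protocol) from the step 11 table
RULES = [
    ("internet-to-adminVM",     "Ingress", "adminVM", ANY,       "adminVM", "ssh"),
    ("adminVM-to-any",          "Egress",  "adminVM", "adminVM", ANY,       ANY),
    ("adminVM-to-appVMs",       "Ingress", "appVMs",  "adminVM", "appVMs",  ANY),
    ("internet-to-appVMs",      "Ingress", "appVMs",  ANY,       "appVMs",  "https"),
    ("appVMs-to-dbVMs-egress",  "Egress",  "appVMs",  "appVMs",  "dbVMs",   "tcp1521"),
    ("appVMs-to-dbVMs-ingress", "Ingress", "dbVMs",   "appVMs",  "dbVMs",   "tcp1521"),
    ("adminVM-to-dbVMs",        "Ingress", "dbVMs",   "adminVM", "dbVMs",   ANY),
]


def _rule_matches(rule, rtype, acl, src, dst, port):
    """True if this rule, of the given type in the given ACL, covers the flow."""
    _, t, racl, rsrc, rdst, proto = rule
    if t != rtype or racl != acl:
        return False
    if rsrc != ANY and rsrc != src:      # "Any" source also covers the internet
        return False
    if rdst != ANY and rdst != dst:
        return False
    return proto == ANY or PROTOCOLS[proto] == port


def flow_allowed(src, dst, port):
    """src is a vNICset name or 'internet'; dst is a vNICset name; port is TCP."""
    dst_acl = VNICSET_ACL[dst]
    ingress_ok = any(_rule_matches(r, "Ingress", dst_acl, src, dst, port) for r in RULES)
    if src == "internet":
        return ingress_ok
    src_acl = VNICSET_ACL[src]
    egress_ok = any(_rule_matches(r, "Egress", src_acl, src, dst, port) for r in RULES)
    return ingress_ok and egress_ok


def check_policy():
    """Return the flows whose result differs from the traffic flow requirements."""
    expected = {
        ("internet", "appVMs", 443): True,    # HTTPS from anywhere to the app tier
        ("internet", "adminVM", 22): True,    # SSH from anywhere to the admin VM
        ("adminVM", "appVMs", 22): True,      # admin VM to app VMs, all traffic
        ("adminVM", "dbVMs", 1521): True,     # admin VM to DB VMs, all traffic
        ("appVMs", "dbVMs", 1521): True,      # app tier to the DB listener port
        ("internet", "dbVMs", 1521): False,   # DB tier is never reachable from outside
        ("internet", "appVMs", 22): False,    # no SSH to the app VMs from outside
        ("appVMs", "dbVMs", 22): False,       # app tier may reach only port 1521
        ("dbVMs", "appVMs", 443): False,      # dbVMs ACL has no Egress rule at all
    }
    return [flow for flow, ok in expected.items() if flow_allowed(*flow) != ok]
```

An empty list from `check_policy()` means the seven rules implement the required flows and no others; any flow it returns points at a rule to add or tighten before you click Start.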

(Optional) Verify Network Access to the VMs

Before You Begin

Identify the IP addresses of the VMs:

  • adminVM: Public IP address
  • appVM1: Public and private IP addresses
  • appVM2: Public and private IP addresses
  • dbVM1: Private IP address
  • dbVM2: Private IP address

In the Instances tab of the web console, locate the VM, and note the addresses in the Public IP and Private IP columns.

Note:

If the Public IP column is blank for a VM, then on the Network tab, under IP Network, select IP Reservations, and note the public IP address shown there for the reservation that’s assigned to the VM.

Verify SSH Connections from Outside the Cloud to the Admin VM

Run the following command from your local machine:

[localmachine ~]$ ssh -i path-to-privateKeyFile opc@publicIPaddressOfAdminVM 

You should see the following prompt:

opc@adminvm

This confirms that SSH connections can be made from outside the cloud to the admin VM.

Verify SSH Connections from the Admin VM to the Database and Application VMs

  1. Copy the private SSH key file corresponding to the public key that you associated with your VMs from your local machine to the admin VM, by running the following command on your local machine:

    [localmachine ~]$ scp -i path-to-privateKeyFile path-to-privateKeyFile opc@publicIPaddressOfAdminVM:~/.ssh/privatekey 
  2. From your local machine, connect to the admin VM using SSH:

    [localmachine ~]$ ssh -i path-to-privateKeyFile opc@publicIPaddressOfAdminVM 
  3. From the admin VM, connect to each of the database and application VMs using SSH:

    [opc@adminvm]$ ssh -i ~/.ssh/privatekey opc@privateIPaddress 
  4. Depending on the VM you connect to, you should see one of the following prompts after the ssh connection is established.

    • opc@appvm1

    • opc@appvm2

    • opc@dbvm1

    • opc@dbvm2

Verify Connectivity from Outside the Cloud to Port 443 of the Application VMs

You can use the nc utility to simulate a listener on port 443 on one of the application VMs, and then run nc from any host outside the cloud to verify connectivity to the application VM.

Note:

The verification procedure described here is specific to VMs created using the Oracle-provided images for Oracle Linux 7.2 and 6.8.
  1. On your local host, download the nc package from http://yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/getPackage/nc-1.84-24.el6.x86_64.rpm.

  2. Copy nc-1.84-24.el6.x86_64.rpm from your local host to the admin VM.
    [localmachine ~]$ scp -i path-to-privateKeyFile path_to_nc-1.84-24.el6.x86_64.rpm opc@publicIPaddressOfAdminVM:~ 
  3. From your local machine, connect to the admin VM using SSH:
    [localmachine ~]$ ssh -i path-to-privateKeyFile opc@publicIPaddressOfAdminVM 
  4. Copy nc-1.84-24.el6.x86_64.rpm to one of the application VMs.
    [opc@adminvm]$ scp -i ~/.ssh/privatekey ~/nc-1.84-24.el6.x86_64.rpm opc@privateIPaddressOfAppVM1:~ 
  5. Connect to the application VM:
    [opc@adminvm]$ ssh -i ~/.ssh/privatekey opc@privateIPaddressOfAppVM1 
  6. On the application VM, install nc.
    [opc@appvm1]$ sudo rpm -i nc-1.84-24.el6.x86_64.rpm
  7. Configure the application VM to listen on port 443. Note that this step is just for verifying connections to port 443. In real-life scenarios, this step would be done when you configure your application on the VM to listen on port 443.
    [opc@appvm1]$ sudo nc -l 443
  8. From any host outside the cloud, run the following nc command to test whether you can connect to port 443 of the application VM:
    [localmachine ~]$ nc -v publicIPaddressOfAppVM1 443
    The following message is displayed:
    Connection to publicIPaddressOfAppVM1 443 port [tcp/https] succeeded!

    This message confirms that the application VM accepts connection requests on port 443.

  9. Press Ctrl + C to exit the nc process.

Verify Connectivity from the Application VMs to Port 1521 of the Database VMs

You can use the nc utility to simulate a listener on port 1521 on one of the database VMs, and then run nc from one of the application VMs to verify connectivity from the application tier to the database tier.

Note:

The verification procedure described here is specific to VMs created using the Oracle-provided images for Oracle Linux 7.2 and 6.8.
  1. From your local machine, connect to the admin VM using SSH:
    [localmachine ~]$ ssh -i path-to-privateKeyFile opc@publicIPaddressOfAdminVM 
  2. Copy nc-1.84-24.el6.x86_64.rpm to one of the database VMs.
    [opc@adminvm]$ scp -i ~/.ssh/privatekey ~/nc-1.84-24.el6.x86_64.rpm opc@privateIPaddressOfDBVM1:~ 
  3. Connect to the database VM:
    [opc@adminvm]$ ssh -i ~/.ssh/privatekey opc@privateIPaddressOfDBVM1 
  4. On the database VM, install nc.
    [opc@dbvm1]$ sudo rpm -i nc-1.84-24.el6.x86_64.rpm
  5. Configure the VM to listen on port 1521. Note that this step is just for verifying connections to port 1521. In real-life scenarios, this step would be done when you set up your database to listen on port 1521.
    [opc@dbvm1]$ nc -l 1521
  6. Leave the current terminal session open. Using a new terminal session, connect to the admin VM using SSH and, from there, connect to one of the application VMs.
    [localmachine ~]$ ssh -i path-to-privateKeyFile opc@publicIPaddressOfAdminVM
    [opc@adminvm]$ ssh -i ~/.ssh/privatekey opc@privateIPaddressOfAppVM1 
  7. From the application VM, run the following nc command to test whether you can connect to port 1521 of the database VM:
    [opc@appvm1 ~]$ nc -v privateIPaddressOfDBVM1 1521
    The following message is displayed:
    Connection to privateIPaddressOfDBVM1 1521 port [tcp/ncube-lm] succeeded!

    This message confirms that the database VM accepts connection requests received on port 1521 from the application VMs.

  8. Press Ctrl + C to exit the nc process.