Connect to Oracle Cloud Infrastructure GoldenGate using a private IP

Use OCI Bastion to secure access to your OCI GoldenGate Deployment Console.

Overview

OCI GoldenGate is only accessible using a private endpoint from within the OCI network, or through a bastion host that secures access to OCI resources. While this quickstart example uses OCI Bastion, it is possible for you to use your own bastion. This quickstart includes both options, so you can choose the one that works best for you.

Illustration: qs-bastion.png

Before you begin

You must have the following in order to proceed:

  • A free trial or paid Oracle Cloud Infrastructure account
  • Access to OCI GoldenGate
  • An OCI GoldenGate deployment in a private subnet and without a public endpoint
  • For OCI Bastion:
    • Access to the service
    • Access to OCI Bastion or your own bastion on OCI Compute
  • For your own bastion on OCI Compute:
    • Access to OCI Compute
    • Public and private subnets configured in each availability domain

      Note:

      Oracle recommends creating a separate public subnet solely for bastion hosts to ensure that the appropriate security list is assigned to the correct host.

Option A: Use OCI Bastion

You can use OCI Bastion or use your own. This example uses OCI Bastion.

Note:

For US Government Cloud with FedRAMP Authorization, you must use Option B. The OCI Bastion service is not currently available in these regions.

  1. Create a bastion. Ensure that you:
    1. Use the same VCN as the target OCI GoldenGate deployment and subnet.

      Note:

      The subnet can be the same as the OCI GoldenGate deployment or one that has access to the OCI GoldenGate subnet.
    2. Include the IP addresses of the machines used to connect to OCI Bastion in the CIDR Block Allowlist.
  2. Create an SSH port forwarding session.
    1. For IP Address, enter the OCI GoldenGate deployment's private IP. You can find the private IP on the deployment's Details page.
    2. For Port, enter 443.
    3. Under Add SSH Key, provide the public key file of the SSH key pair to use for the session.
  3. After the session is created, from the session's Actions (three dots) menu, select Copy SSH Command.
  4. Paste the command into a text editor, and then replace the <privateKey> placeholder with the path to the private key and the <localPort> placeholder with 443.
  5. Run the command using the command line interface to create the tunnel.
  6. Open a web browser and go to https://localhost.

Note:

  • Ensure that you add an ingress rule for the Bastion host in the private subnet's security list.
  • If you encounter the following error message,
    {"error":"invalid_redirect_uri","error_description":"Client xxdeploymentgoldengateusphoenix1ocioraclecloudcom_APPID requested an invalid redirect URL: https://localhost/services/adminsrvr/v2/authorization. ECID: cvSDu0r7B20000000"}

    then you must add an entry in your client machine hosts file to map 127.0.0.1 to your deployment FQDN. For example:

    127.0.0.1 xx.deployment.goldengate.us-phoenix-1.oci.oraclecloud.com

Option B: Use your own bastion on OCI Compute

  1. Create a compute instance in the public subnet of the same VCN as the OCI GoldenGate deployment.

    Note:

    In this example, the public subnet CIDR is 10.0.0.0/24. The same CIDR value will be used when you add an ingress rule to the private subnet security list.
  2. Check the default security list for the public subnet:
    1. From the Oracle Cloud console navigation menu, select Networking, and then Virtual Cloud Networks.
    2. From the list of Virtual Cloud Networks, select your VCN to view its details.
    3. Select the public subnet, and then select the security list to view its details. This security list must include a rule for SSH Access:
      Stateless: No
      Source: 0.0.0.0/0
      IP Protocol: TCP
      Source Port Range: All
      Destination Port Range: 22
      Type and Code: N/A
      Allows: TCP traffic for ports: 22 SSH Remote Login Protocol

      If the security list doesn't include this rule, click Add Ingress Rules and complete the form using the values above.

  3. Add an Ingress rule to the Private subnet security list to allow connectivity to OCI GoldenGate from the public subnet.
    1. On the VCN details page, under Subnets, select the Private Subnet to view its details.
    2. On the Private Subnet details page, under Security Lists, select the security list to view its details.
    3. Under Ingress Rules, click Add Ingress Rules.
    4. In the Add Ingress Rules dialog, complete the fields as follows, and then click Add Ingress Rules:
      1. For Source Type, select CIDR.
      2. For Source CIDR, enter the public subnet CIDR value (10.0.0.0/24).
      3. For IP Protocol, select TCP.
      4. For Destination Port Range, enter 443.
  4. (Windows users) Create a session to connect to the bastion host using PuTTY:
    1. In the PuTTY Session configuration screen, enter the Compute instance's public IP for Host Name. You can leave the Port value as 22.
    2. Under the Connection category, expand SSH, click Auth, and then click Browse to locate the private key you used to create the Compute instance.
    3. Click Tunnels in the Category panel, enter 443 for Source port, and <deployment-hostname>:443 for Destination.
    4. (Optional) Return to the Session category and Save the session details.
    5. Click Open to connect.
  5. (Linux users) Create a session to connect to the bastion host using the command line:
    ssh -i <private-ssh-key> opc@<compute-public-ip> -L 443:<deployment-hostname>:443 -N
  6. After you connect successfully, open a browser window and enter https://localhost in the address bar. You're brought to the OCI GoldenGate deployment console.
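
The following script is an added example and is not part of Oracle's documentation. It ties together the hosts-file mapping from the invalid_redirect_uri note under Option A and the ssh -L port forward from Option B step 5: it checks (and, if missing, adds) the 127.0.0.1 entry for the deployment FQDN without duplicating it, and builds the tunnel command from the page's placeholders. The FQDN, key path and bastion login are placeholders you substitute from your own deployment; the hosts file used below is a constructed temporary file, not /etc/hosts.

```shell
#!/bin/sh
# Added example (not Oracle's code). Hosts file is /etc/hosts on Linux/macOS
# and C:\Windows\System32\drivers\etc\hosts on Windows; editing it needs admin rights.

# Return 0 if HOSTS_FILE maps FQDN to 127.0.0.1. Comments are stripped and the
# hostname must match exactly, so a partial name or a commented-out line does not count.
hosts_has_mapping() {
    hosts_file="$1"; fqdn="$2"
    sed 's/#.*//' "$hosts_file" | awk -v h="$fqdn" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Append the mapping only when it is missing, so repeated runs stay idempotent.
ensure_hosts_mapping() {
    hosts_file="$1"; fqdn="$2"
    if hosts_has_mapping "$hosts_file" "$fqdn"; then
        return 0
    fi
    printf '127.0.0.1 %s\n' "$fqdn" >> "$hosts_file"
}

# Build the port-forward command from the page's placeholders:
# local 443 -> <deployment-hostname>:443 via the bastion, -N opens no remote shell.
tunnel_command() {
    key="$1"; bastion_login="$2"; fqdn="$3"
    printf 'ssh -i %s %s -L 443:%s:443 -N' "$key" "$bastion_login" "$fqdn"
}

# Walk-through against a constructed hosts file (placeholder FQDN from the page).
demo() {
    fqdn=xx.deployment.goldengate.us-phoenix-1.oci.oraclecloud.com
    tmp=$(mktemp)
    printf '127.0.0.1 localhost\n# 127.0.0.1 %s\n' "$fqdn" > "$tmp"
    ensure_hosts_mapping "$tmp" "$fqdn"   # adds the entry (commented line is ignored)
    ensure_hosts_mapping "$tmp" "$fqdn"   # no-op on the second run
    cat "$tmp"
    rm -f "$tmp"
    tunnel_command '<private-ssh-key>' 'opc@<compute-public-ip>' "$fqdn"; echo
}
```

After the hosts entry is in place, browse to https://<deployment-hostname> rather than https://localhost so the redirect URL the console sends back matches the deployment FQDN.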