Connect to Oracle Cloud Infrastructure GoldenGate using a public load balancer

Learn to create and configure a public load balancer in your tenancy to access a private OCI GoldenGate deployment.

Overview

When you create an OCI GoldenGate deployment, you can enable or disable the deployment's public endpoint. Because the OCI GoldenGate Public Endpoint is managed by the OCI GoldenGate service tenancy, it's not possible for you to create network security group (NSG) rules from your customer tenancy.

[Illustration: secure-deployment.png]

Before you begin

You must have the following in order to proceed:

  • A free or paid Oracle Cloud Infrastructure account
  • Access to OCI GoldenGate and Networking services
  • Access to DNS service or third-party DNS management system, such as GoDaddy

Task 1: Create a certificate bundle

Create a certificate bundle that includes the public certificate, the corresponding private key, and any associated Certificate Authority (CA) certificates. For more information, see SSL Certificate for Load Balancers.

Task 2: Create a deployment

  1. In the Console navigation menu, click Oracle Database, and then select GoldenGate.
  2. On the Deployments page, click Create deployment.
  3. In the Create deployment panel, enter a name and optionally, a description.
  4. From the Compartment dropdown, select a compartment in which to create the deployment.
  5. Select one of the following options:
    • Production: Sets up a deployment with recommended defaults for a production environment. The minimum number of OCPUs is 4, with auto-scaling enabled.
    • Development or testing: Sets up a deployment with recommended defaults for a development or testing environment. The minimum number of OCPUs is 1.
  6. For OCPU count enter the number of Oracle Compute units (OCPUs) to use.

    Note:

    One OCPU is equivalent to 16 GB of memory. For more information, see OCPU management and billing.
  7. (Optional) Select Auto scaling.

    Note:

    Auto scaling enables OCI GoldenGate to scale up to three times the number of OCPUs you specify for OCPU Count, up to 24 OCPUs. For example, if you specify your OCPU Count as 2 and enable Auto Scaling, then your deployment can scale up to 6 OCPUs. If you specify your OCPU Count as 20 and enable Auto Scaling, OCI GoldenGate can only scale up to 24 OCPUs.
  8. From the Subnet in <Compartment> dropdown, select the subnet to which a private endpoint is created from the OCI GoldenGate service tenancy. This ensures that the deployment is always available over this subnet, as long as the policies for this subnet allow access. The private endpoint is only used to access the deployment console, and doesn't provide access to other resources in the subnet.

    To select a subnet in a different compartment, click Change compartment.

    Note:

    You can only select a private subnet when creating a deployment.
  9. Select a license type.
  10. (Optional) Click Show advanced options for network options and to add tags.
    1. In the Network tab,
      1. Select Enable GoldenGate console public access to include a public endpoint in addition to a private endpoint, and allow public access to the deployment console for users. If selected, OCI GoldenGate creates a load balancer in your tenancy to create a public IP. Select a subnet in the same VCN as this deployment in which to create the load balancer.

        Note:

        The load balancer is a resource that comes with an additional cost. You can manage this resource, but ensure that you don't delete the load balancer while your deployment is still in use. Learn more about load balancer pricing.
      2. Select Customize endpoint to provide a private fully qualified domain name (FQDN) prefix that you'll use to access the private service console URL. You can also optionally upload an SSL/TLS certificate (.pem) and its corresponding private key; however, password-protected certificates are not supported.

        • It's your responsibility to ensure that the FQDN resolves to the deployment's private IP address in the subnet you previously selected.
        • If the deployment is public, it's your responsibility to ensure that the FQDN publicly resolves to the deployment's public IP address.

        A self-signed certificate is generated for you, if you don't provide one.

        Note:

        Your SSL certificate must meet the following requirements:
        • Its common name (CN) should match the deployment's FQDN. If it doesn't, you'll encounter warnings when you access the deployment console.
        • It must be signed using a strong hashing algorithm. The arcfour, arcfour128, arcfour256 and none algorithm types are not permitted.
        • It must not be expired.
        • Its maximum validity should not exceed 13 months.
        • It must not be a self-signed certificate.
        If you encounter "Invalid Private Key" errors, you can check that the certificate and key belong together using the following OpenSSL commands. Run this command against the certificate:
        openssl x509 -noout -modulus -in <cert>.pem | openssl md5

        Then run this command on the private key:

        openssl rsa -noout -modulus -in <key>.pem | openssl md5

        The two commands should print the same MD5 value. If they don't, the certificate and private key don't match.

    2. In the Maintenance tab:
      1. Select Customize maintenance window to define the start of the maintenance window to upgrade the deployment.
      2. (Optional) For Major release auto-upgrade period in days, enter the number of days, between 0 and 365.
      3. (Optional) For Bundle release auto-upgrade period in days, enter the number of days, between 0 and 180 days.
      4. (Optional) For Security patch auto-upgrade period in days, enter the number of days, between 0 and 14 days.
      5. Select Enable interim release auto-upgrade, and, optionally, enter the number of days.

      Note:

      Learn more about scheduling upgrades.
    3. In the Tags tab, add tags to help track the resources within your tenancy. Click + Additional tag to add more tags. Learn more about tagging.
  11. Click Next.
  12. For Deployment type, select Data replication.
  13. From the Select a technology dropdown, select one of the following technology types:
    • Oracle Database
    • Big Data
    • MySQL
    • PostgreSQL
    • Microsoft SQL Server
    • IBM Db2 for z/OS

    See what's supported to learn which databases and technologies you can use as OCI GoldenGate sources and targets.

  14. For Version, the latest version is automatically selected. Click Change version to select a different version.

    Note:

    Learn more about versions.
  15. For GoldenGate instance name, enter the name that the deployment will assign to the GoldenGate deployment instance upon creation.
  16. For Credential store, select one of the following:
    • OCI Identity and Access Management (OCI IAM), to enable users to log in to the deployment console using their Oracle Cloud account (single sign-on) in IAM (Identity and Access Management) enabled tenancies.

      Note:

      Once you select IAM, you won't be able to switch to GoldenGate when you edit the deployment settings at a later time.
    • GoldenGate, for GoldenGate to manage users.
      1. Enter the Administrator username
      2. Select a password secret in your compartment or click Change compartment to select one in a different compartment. You can also create a new password secret.

        To create a new password secret:

        1. Click Create password secret.
        2. In the Create secret panel, enter a name for the secret, and optionally, a description.
        3. Select a compartment from the Compartment dropdown in which to save your secret.
        4. Select a vault in the current compartment, or click Change compartment to select a vault in a different compartment.
        5. Select an Encryption key.

          Note:

          Only AES keys, Software protected keys, and HSM keys are supported. RSA and ECDSA keys are not supported for GoldenGate password secret keys.
        6. Enter a password 8 to 30 characters in length, containing at least 1 uppercase, 1 lowercase, 1 numeric and 1 special character. The special characters must not be '$', '^' or '?'.
        7. Confirm the password.
        8. Click Create.

      Note:

      You can manage GoldenGate users in the deployment console. Learn more.
  17. Click Create.
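The certificate checks from step 10 above (key matches certificate, not expired, not self-signed, CN matches the FQDN), collected into one script. This is an added example, not Oracle's own tooling; it assumes the openssl CLI is installed, file names are placeholders, and the demo material it generates is constructed for illustration. Comparing the public keys instead of RSA moduli also covers EC keys.

```shell
#!/bin/sh
# Added example, not from the Oracle page: validates a certificate/key pair
# against the deployment's certificate requirements before uploading it.
# Assumes the openssl CLI is installed; all file names are placeholders.

# 0 when the public key inside the certificate equals the one derived from the
# private key. Unlike comparing RSA moduli, this also works for EC keys.
cert_matches_key() {   # cert key
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate has not expired (checkend 0 = still valid right now).
cert_not_expired() {   # cert
  openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# 0 when issuer and subject differ, i.e. the certificate is NOT self-signed.
cert_not_self_signed() {   # cert
  subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1") || return 1
  iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1") || return 1
  [ "${subj#subject=}" != "${iss#issuer=}" ]
}

# 0 when the certificate's CN equals the FQDN the deployment is reached at.
cert_cn_matches() {   # cert fqdn
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$2" ]
}

# Runs every check; prints the first failure and returns 1, else returns 0.
validate_bundle() {   # cert key fqdn
  cert_matches_key "$1" "$2" || { echo "private key does not match certificate"; return 1; }
  cert_not_expired "$1"      || { echo "certificate is expired"; return 1; }
  cert_not_self_signed "$1"  || { echo "self-signed certificates are not accepted"; return 1; }
  cert_cn_matches "$1" "$3"  || { echo "CN does not match $3"; return 1; }
  echo "certificate bundle passes the checks"
}

# Constructed demo material: a throwaway self-signed cert plus an unrelated key.
# A self-signed cert is deliberately used so validate_bundle has something to reject.
make_demo_material() {   # dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=gg.example.com" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.pem" >/dev/null 2>&1
}
```

Run `validate_bundle cert.pem key.pem gg.example.com` against the files you intend to upload; the individual functions can also be used on their own.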

Task 3: Create the load balancer

To create a load balancer with SSL:
  1. In the OCI Console navigation menu, select Networking, and then click Load Balancers.
  2. On the Load Balancers page, click Create Load Balancer.
  3. In the Select Load Balancer Type dialog, select Load Balancer, and then click Create Load Balancer.
  4. On the Add Details page, complete the following fields, and then click Next:
    1. For Load Balancer Name, enter a name.
    2. For Visibility, select either Public or Private.
    3. For Assign a public IP address, select Reserved IP.
    4. For Shapes, select Dynamic and then move the selector from Small to Micro.
    5. For Choose Networking, select your VCN and subnet from their respective dropdowns.
  5. On the Choose Backends page, complete the following fields, and then click Next:
    1. For Specify a Load Balancing Policy, select Weighted Round Robin.
    2. Under Specify Health Check Policy, select TCP from the Protocol dropdown, and then enter 443 for Port.
    3. Leave SSL unchecked.
  6. On the Configure Listener page, complete the following fields, and then click Next:
    1. For Specify the type of traffic your listener handles, select HTTPS.
    2. For Specify the port your listener monitors for ingress traffic, ensure that 443 is displayed.
    3. For SSL Certificate, drag-and-drop or select the SSL Certificate (.cer).
    4. Select Specify CA Certificate and then drag-and-drop or select the CA Certificate (.crt).
    5. Select Specify Private Key, and then drag-and-drop or select the Private Key File.
  7. On the Managing Logging page, complete the following fields, disable Error Logs, and then click Submit.
  8. On the Load Balancer Details page, under Resources, click Backend Sets.
  9. Under Backend Sets, select the backend set displayed in the list, and then click Edit.
  10. In the Edit Backend Set panel, select Use SSL, ensure that your certificate is selected, and then click Save Changes.
  11. On the Backend Sets Details page, under Resources, click Backends, and then click Add Backends.
  12. In the Add Backends panel, select IP Addresses, enter the OCI GoldenGate deployment's Private IP Address (from the deployment created in Task 2) for IP Address and 443 for Port, and then click Add.
  13. In the breadcrumb, click Load Balancer Details, and then copy the IP Address.

    You can use a web browser to access this IP address, verify the certificate is the digitally signed certificate that you uploaded, and access the OCI GoldenGate Deployment Console. Next, you'll create a DNS record for the Load Balancer's IP.

Task 4: Create a DNS record

Create a DNS record for the Load Balancer's Public IP in a DNS management system.

You can use Oracle Cloud Infrastructure DNS Management or any public DNS management system.

After a few minutes, verify that you can access the OCI GoldenGate Deployment Console through the domain you created.

Task 5: Create OCI Network Security Rules to allow/deny ingress

  1. From the OCI Console navigation menu (hamburger icon), click Networking, then Virtual Cloud Networks.
  2. From the Virtual Cloud Networks list, select your VCN.
  3. On the VCN Details page, select your subnet.
  4. On the Subnet Details page, copy the IPv4 CIDR Block value, and then click Default Security List for <VCN> under Security Lists.
  5. On the Default Security Lists Details page, under Ingress Rules, locate the ingress rule for TCP that is currently open for all source and destination port ranges, and then select Edit from its Actions (ellipsis) menu.
  6. In the Edit Ingress Rule dialog, replace the Source CIDR value with the IPv4 CIDR Block value copied in Step 4, and then click Save Changes.

    Wait a few minutes for the changes to take effect.

  7. Click Add Ingress Rule, and then replace the Source CIDR value with an IP address range that includes the Load Balancer's IP address, and then click Add Ingress Rules.

    You can also add an ingress rule for the IP address of your local machine to verify that the routing rules are in effect.