Connect to Oracle Cloud Infrastructure GoldenGate using a public load balancer

Learn to create and configure a public load balancer in your tenancy to access a private OCI GoldenGate deployment.

Overview

When you create an OCI GoldenGate deployment, you can enable or disable the deployment's public endpoint. Because the OCI GoldenGate Public Endpoint is managed by the OCI GoldenGate service tenancy, it's not possible for you to create network security group (NSG) rules from your customer tenancy.

Description of secure-deployment.png follows
Description of the illustration secure-deployment.png

Before you begin

You must have the following in order to proceed:

  • A free or paid Oracle Cloud Infrastructure account
  • Access to OCI GoldenGate and Networking services
  • Access to DNS service or third-party DNS management system, such as GoDaddy

Task 1: Create a certificate bundle

Create a certificate bundle that includes the public certificate, the corresponding private key, and any associated Certificate Authority (CA) certificates. For more information, see SSL Certificate for Load Balancers.

Task 2: Create a deployment

Follow the instructions in Create a deployment.

Task 3: Create the load balancer

To create a load balancer with SSL:
  1. In the OCI Console navigation menu, select Networking, and then click Load Balancers.
  2. On the Load Balancers page, click Create Load Balancer.
  3. In the Select Load Balancer Type dialog, select Load Balancer, and then click Create Load Balancer.
  4. On the Add Details page, complete the following fields, and then click Next:
    1. For Load Balancer Name, enter a name.
    2. For Visibility, select either Public or Private.
    3. For Assign a public IP address, select Reserved IP.
    4. For Shapes, select Dynamic and then move the selector from Small to Micro.
    5. For Choose Networking, select your VCN and subnet from their respective dropdowns.
  5. On the Choose Backends page, complete the following fields, and then click Next
    1. For Specify a Load Balacing Policy, select Weighted Round Robin.
    2. Under Specify Health Check Policy, select TCP from the Protocol dropdown, and then enter 443 for Port.
    3. Leave SSL unchecked.
  6. On the Configure Listener page, completed the following fields, and then click Next:
    1. For Specify the type of traffic your listener handles, select HTTPS.
    2. For Specify the port your listener monitors for ingress traffic, ensure that 443 is displayed.
    3. For SSL Certificate, drag-and-drop or select the SSL Certificate (.cer).
    4. Select Specify CA Certificate and then drag-and-drop or select the CA Certificate (.crt).
    5. Select Specify Private Key, and then drag-and-drop or select the Private Key File.
  7. On the Managing Logging page, complete the following fields, disable Error Logs, and then click Submit.
  8. On the Load Balancer Details page, under Resources, click Backend Sets.
  9. Under Backend Sets, select the backend set displayed in the list, and then click Edit.
  10. In the Edit Backend Set panel, select Use SSL, ensure that your certificate is selected, and then click Save Changes.
  11. On the Backend Sets Details page, under Resources, click Backends, and then click Add Backends.
  12. In the Add Backends panel, select IP Addresses, enter the OCI GoldenGate deployment's Private IP Address (from Step 2) for IP Address, and 443 in for Port, and then click Add.
  13. In the breadcrumb, click Load Balancer Details, and then copy the IP Address.

    You can use a web browser to access this IP address, verify the certificate is the digitally signed certificate that you uploaded, and access the OCI GoldenGate Deployment Console. Next, you'll create a DNS record for the Load Balancer's IP.

Task 4: Create a DNS record

Create a DNS record for the Load Balancer's Public IP in a DNS management system.

You can use Oracle Cloud Infrastructure DNS Management or any public DNS management system.

After a few minutes, verify that you can access the OCI GoldenGate Deployment Console through the domain you created.

Task 5: Create OCI Network Security Rules to allow/deny ingress

  1. From the OCI Console navigation menu (hamburger icon), click Networking, then Virtual Cloud Networks.
  2. From the Virtual Cloud Networks list, select your VCN.
  3. On the VCN Details page, select your subnet.
  4. On the Subnet Details page, copy the IPv4 CIDR Block value, and then click Default Security List for <VCN> under Security Lists.
  5. On the Default Security Lists Details page, under Ingress Rules, locate the ingress rule for TCP that is currently open for all source and destination port ranges, and then select Edit from its Actions (ellipsis) menu.
  6. In the Edit Ingress Rule dialog, replace the Source CIDR value with the IPv4 CIDR Block value copied from Step 5d, and then click Save Changes.

    Wait a few minutes for the changes to take effect.

  7. Click Add Ingress Rule, and then replace the Source CIDR value with an IP address range that includes the Load Balancer's IP address, and then click Add Ingress Rules.

    You can also add an ingress rule for the IP address of your local machine to verify that the routing rules are in effect.