Managing Traffic with Steering Policies

DNS can do more than return an IP address (if known) when given a string in the DNS name space for that zone. DNS is also a part of a system of traffic management, where traffic is distributed among multiple servers depending on some criterion, such as location. Steering policies are a way to distribute access to a single full-qualified name across multiple servers.

For example, the same content could be available from multiple source servers, whether it is a streaming video or records from a product database. One server might be in the United States, and the other in Europe. A traffic steering policy could distribute traffic based on IP address or CIDR. Other criteria can be used for this traffic distribution, such as load balancing, which strives to keep the load on multiple servers roughly equal.

Oracle Private Cloud Appliance offers two major types of traffic steering policies based on load balancing and some value of the IP address prefix (network portion of the IP address, such as 192.168.100.0/24).

Creating a Load Balancer Steering Policy

If you have more than one DNS server, you can distribute traffic in a load balancing fashion, based on the weight you assign to each of them.

Using the Compute Web UI

1. Open the Navigation Menu. Under DNS Zones, click Steering Policies.

2. Click Create Steering Policy.

3. Click the Load Balancer button to create a load balancer steering policy.

4. Enter the required information:

   • Name: Enter a name to display for the load balancer steering policy. Do not use confidential information.

   • Policy TTL: Enter a TTL in seconds for responses to steering policy requests. The maximum is 604800 seconds (equal to 168 hours or 7 days).

   • Answer(s): Supply the answer or answers to the DNS request for FILTER, WEIGHED, and LIMIT rules. You do not have to specify which condition the answers is for: that is all done by the load balancer template.

     • Name: Enter a name for the RData returned, such as Server1.

     • Type: Choose the type of resource record to return for the request from the drop-down list. Choices are items such as A (IPv4 address) or CNAME (canonical name).

     • RData: Enter the resource record RData that is returned that corresponds to the Type selected. For example, for Type = A, the RData would be an IPv4 address.

     • Weight: Enter a weight for this policy to use for load balancing. Values up to 256 are supported. The default is 10. Higher weights mean that policy answer is used more often. For example, if dns-server1 and dns-server2 have equal weights, DNS requests are split evenly between them. If dns-server1 has a weight twice that of dns-server2, then dns-server1 is used twice as often as dns-server2.

5. Disabled: The steering policy answer is enabled at creation by default. To disable this steering policy answer, click this toggle to change the Disabled value to TRUE.

6. Optionally, add or delete tags for this subnet resource.

   For more information about tagging, see Working with Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

7. Click Save Changes. The load balancing steering policy is created.

Using the OCI CLI

1. Gather the information you need.

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

2. Run the oci dns steering-policy create command with the LOAD_BALANCE parameter.

   Note:

   This procedure shows the minimum required parameters for this command. For information about optional parameters, run the command with the --help option. Complex types are long json strings.

   Syntax (entered on a single line):<dns_steering_policy_name>

   oci dns steering-policy create
   --compartment-id <compartment_OCID>
   --display-name <dns_steering_policy_name>
   --template <LOAD_BALANCE>
   --answers <complex type> 
   --rules <complex type>

   Example:

   oci dns steering-policy create 
   --compartment-id ocid1.compartment.….….….uniqueID 
   --display-name test-lb-policy-1 
   --template LOAD_BALANCE 
   --answers '[{"name": "server","pool": "server","rdata": "10.25.11.10","rtype": "A"},
   {"name": "trial","pool": "trial","rdata": "10.25.11.10","rtype": "A"}]' 
   --rules '[{"ruleType": "FILTER","defaultAnswerData": [{"answerCondition": 
   "answer.isDisabled != true","shouldKeep": true}]},{"ruleType": "WEIGHTED","defaultAnswerData": 
   [{"answerCondition": "answer.name == 'server'","value": 90},{"answerCondition": 
   "answer.name == 'trial'","value": 10}]},{"defaultCount": 1,"ruleType": "LIMIT"}]'
   
   {
     "data": {
       "-self": "https://20180115/steeringPolicies/ocid1.dnspolicy..….….….uniqueID",
       "answers": [
         {
           "is-disabled": true,
           "name": "server",
           "pool": "server",
           "rdata": "10.25.11.10",
           "rtype": "A"
         },
         {
           "is-disabled": true,
           "name": "trial",
           "pool": "trial",
           "rdata": "10.25.11.10",
           "rtype": "A"
         }
       ],
       "compartment-id": "ocid1.compartment.….….….uniqueID",
       "defined-tags": {},
       "display-name": "lr-policy",
       "freeform-tags": {},
       "health-check-monitor-id": null,
       "id": "ocid1.dnspolicy..….….….uniqueID",
       "lifecycle-state": "ACTIVE",
       "rules": [
         {
           "cases": null,
           "default-answer-data": [
             {
               "answer-condition": "answer.isDisabled != true",
               "should-keep": true
             }
           ],
           "description": null,
           "rule-type": "FILTER"
         },
         {
           "cases": null,
           "default-answer-data": [
             {
               "answer-condition": "answer.name == 'server'",
               "value": 90
             },
             {
               "answer-condition": "answer.name == 'trial'",
               "value": 10
             }
           ],
           "description": null,
           "rule-type": "WEIGHTED"
         },
         {
           "cases": null,
           "default-count": 1,
           "description": null,
           "rule-type": "LIMIT"
         }
       ],
       "template": "LOAD_BALANCE",
       "time-created": "2021-11-03T23:36:25.392833+00:00",
       "ttl": 30
     },
     "etag": "2c63fca5-f747-487e-b2f3-0ae5d6fe939c"
   }
   

The load balancer steering policy is created and available for attaching to a DNS domain.

Creating an IP Prefix Steering Policy

An IP prefix steering policy dynamically routes DNS request traffic to different servers based on the originating IP prefix (for example, 172.16.1.0/24).

Using the Compute Web UI

1. Open the Navigation Menu. Under DNS Zones, click Manage DNS.

2. From the list of DNS resources, click Steering Policies. The steering policies for that compartment are displayed.

3. Click Create Steering Policy.

4. Select IP Prefix Steering and supply the following properties:

   • Name: The name for the new steering policy.

   • Policy TTL:The Time To Live (TTL) for responses from the steering policy, in seconds. The maximum allowed value is 604800 (equal to 168 hours or 7 days).

5. In the Answer(s) box, supply the following properties:

   • Name: The name for response to requests sent to the new steering policy.

   • Type: The type of request and response. The choices are A, AAA, or CNAME.

   • RData: The zone record data to return for the query. It must match the type expected by the type chosen.

   • Pool: Select the IP address pool to use of the policy from the drop-down list.

   • +Add Answer: Click this box to add more answers to the requests received by the steering policy.

   • Disabled: This toggle determines if the IP prefix answer is enabled at creation or not. The default is enabled.

6. In the IP Prefix Steering Rules box, supply the following properties:

   • +Add Rule: Click this box to add rules to the IP prefix steering policy.

   • Order: Use the directional arrows to order the rule in the sequence of configured rules.

   • Subnet Address: Enter the IP subnet prefix to apply to this steering policy.

   • You can add more rules to this steering policy by clicking +Add Rule.

7. Tagging: Optionally, you can add tags to the steering policy.

   For more information about tagging, see Working with Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

8. Click Save Changes. The IP prefix steering policy is created.

Using the OCI CLI

1. Gather the information you need.

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

2. Run the oci dns steering-policy create command with the ROUTE_BY_IP parameter.

   Note:

   This procedure shows the minimum required parameters for this command. For information about optional parameters, run the command with the --help option. Complex types are long json strings.

   Syntax (entered on a single line):

   oci dns steering-policy create--compartment-id <compartment_OCID>
   --display-name <dns_steering_policy_name>
   --template <LOAD_BALANCE>
   --answers <complex type> 
   --rules <complex type>

   Example:

   oci dns steering-policy create --compartment-id ocid1.compartment..….….….uniqueID
   --display-name test-ip-steering-1 
   --template ROUTE_BY_IP  
   --answers file:///root/users-stuff/ip-steering-answers.json 
   --rules file:///root/users-stuff/ip-steering-rules-2.json
   {
     "data": {
       "-self": "https://20180115/steeringPolicies/ocid1.dnspolicy..….….….uniqueID",
       "answers": [
         {
           "is-disabled": null,
           "name": "server",
           "pool": "server",
           "rdata": "10.20.10.10",
           "rtype": "A"
         },
         {
           "is-disabled": null,
           "name": "trial",
           "pool": "trial",
           "rdata": "10.20.10.10",
           "rtype": "A"
         }
       ],
       "compartment-id": "ocid1.compartment..….….….uniqueID",
       "defined-tags": {},
       "display-name": "test-ip-steering-1",
       "freeform-tags": {},
       "health-check-monitor-id": null,
       "id": "ocid1.dnspolicy..….….….uniqueID",
       "lifecycle-state": "ACTIVE",
       "rules": [
         {
           "cases": null,
           "default-answer-data": [
             {
               "answer-condition": "answer.isDisabled != true",
               "should-keep": true
             }
           ],
           "description": null,
           "rule-type": "FILTER"
         },
         {
           "cases": [
             {
               "answer-data": [
                 {
                   "answer-condition": "answer.pool == 'internal'",
                   "value": 1
                 }
               ],
               "case-condition": "query.client.address in (subnet '10.0.3.0/24')"
             },
             {
               "answer-data": [
                 {
                   "answer-condition": "answer.pool == 'external'",
                   "value": 1
                 }
               ],
               "case-condition": null
             }
           ],
           "default-answer-data": null,
           "description": null,
           "rule-type": "PRIORITY"
         },
         {
           "cases": null,
           "default-count": 1,
           "description": null,
           "rule-type": "LIMIT"
         }
       ],
       "template": "ROUTE_BY_IP",
       "time-created": "2021-11-09T16:53:34.963177+00:00",
       "ttl": 30
     },
     "etag": "aad5bbcc-9d89-40cd-ab10-03dcc2e4ee0a"
   }
              

The IP steering policy is created and available to attach to a DNS domain.

Editing a Steering Policy

Using the Compute Web UI

1. Open the Navigation Menu. Click DNS, and then click Steering Policies.

2. For the policy that you want to update, click the Actions menu, and click the Edit option.

3. Make the necessary changes on the Edit Steering Policy dialog.

4. When you have finished making changes, click the Save Changes button on the dialog.

   The details page for this steering policy is displayed with the updated information.

Using the OCI CLI

1. Get the steering policy OCID.

   Use the following command to list all of the steering policies in the specified compartment to get the OCID of the steering policy that you want to update:

   # oci dns steering-policy list --compartment-id <compartment_OCID>

2. Run the steering policy update command.

   Syntax:

   oci dns steering-policy update --steering-policy-id <steering_policy_OCID> \
   <options_with_values_to_update>

   Example:

   This example shows replacing the answers block of the steering policy. You can also change the display name, health check monitor, rules or rules template, TTL, and scope.

   # oci dns steering-policy update --steering-policy-id ocid1.dnspolicy.unique_ID \
   --answers file://answers.json

   This command returns the same output as the steering-policy get command.

Moving a Steering Policy to a Different Compartment

Using the OCI CLI

1. Get the following information:

   • The OCID of the compartment where the steering policy is currently located, and the OCID of the compartment where you want to move the steering policy.

     # oci iam compartment list --compartment-id-in-subtree true

   • The steering policy OCID.

     # oci dns steering-policy list --compartment-id <current_compartment_OCID>

2. Run the steering policy update command.

   Syntax:

   oci dns steering-policy change-compartment -c <destination_compartment_OCID> \
   --steering-policy-id <steering_policy_OCID>

   This command returns the same output as the steering-policy get command. Verify the new compartment-id.

Attaching a Domain to a Steering Policy

A steering policy must be attached to a domain for the policy to answer DNS queries for that domain. The attachment is automatically placed into the same compartment as the domain's zone.

Using the Compute Web UI

1. Open the Navigation Menu. Click DNS, and then click Steering Policies.

2. Click the name of the policy to which you want attach a domain.

3. Scroll to the Resources section and click Attached Domains.

4. In the list of attached domains, click the Add Attached Domain button.

5. In the Add Attached Domain dialog, enter the domain name and select a zone.

6. Click the Submit button.

   The new domain is added to the Attached Domains list for this steering policy.

Using the OCI CLI

1. Get the following information:

   • The steering policy OCID. Use the following command to list all of the steering policies in the specified compartment to get the OCID of the steering policy to which you want to attach a domain:

     # oci dns steering-policy list --compartment-id <current_compartment_OCID>

   • The name of the domain that you want to attach to the steering policy.

   • The OCID of the attached zone. Use the following command to list all of the zones in the specified compartment to get the OCID of the zone where the domain that you want to attach is located:

     # oci dns zone list <compartment_OCID>

2. Run the steering policy attachment create command.

   Syntax:

   oci dns steering-policy-attachment create --steering-policy-id <steering_policy_OCID> \
   --domain-name <domain-name> --zone-id <zone_OCID>

   The value of the --domain-name argument is the attached domain within the attached zone specified in the --zone-id argument.

   This command returns the same output as the steering-policy-attachment get command.

Editing an Attached Domain

Using the Compute Web UI

1. Open the Navigation Menu. Click DNS, and then click Steering Policies.

2. Click the name of the policy for which you want to edit an attached domain.

3. Scroll to the Resources section and click Attached Domains.

4. Click the name of the attached domain that you want to edit.

5. On the top of the details page for the attached domain, click the Edit button.

6. Make the necessary changes on the Edit Steering Policy Attachment dialog.

7. When you have finished making changes, click the Save Changes button on the dialog.

   The details page for this steering policy attachment is displayed with the updated information.

Using the OCI CLI

1. Get the steering policy attachment OCID.

   Use the following command to list all of the steering policy attachments in the specified compartment to get the OCID of the steering policy attachment that you want to update:

   # oci dns steering-policy-attachment list --compartment-id <compartment_OCID>

2. Run the steering policy attachment update command.

   Syntax:

   oci dns steering-policy-attachment update \
   --steering-policy-attachment-id <steering_policy_attachment_OCID>

   This command returns the same output as the steering-policy-attachment get command.

Deleting a Steering Policy Attachment

Using the Compute Web UI

1. Open the Navigation Menu. Click DNS, and then click Steering Policies.

2. Click the name of the policy for which you want to delete an attachment.

3. Scroll to the Resources section and click Attached Domains.

4. For the attached domain that you want to delete, click the Actions menu, click the Delete option, and confirm the deletion.

   The steering policy attachment is removed from the Attached Domains list.

Using the OCI CLI

1. Get the steering policy attachment OCID.

   Use the following command to list all of the steering policy attachments in the specified compartment to get the OCID of the steering policy attachment that you want to delete:

   # oci dns steering-policy-attachment list --compartment-id <compartment_OCID>

2. Run the steering policy attachment delete command.

   Syntax:

   oci dns steering-policy-attachment delete \
   --steering-policy-attachment-id <steering_policy_attachment_OCID>

Deleting a Steering Policy

A policy that is attached to any zones cannot be deleted. To detach a policy from a zone, see Deleting a Steering Policy Attachment.

Using the Compute Web UI

1. Open the Navigation Menu. Click DNS, and then click Steering Policies.

2. Click the name of the policy that you want to delete.

3. Scroll to the Resources section, click Attached Domains, and ensure that this policy has no attached domains.

4. Click the Delete button at the top of the steering policy details page, and confirm that you want to delete this steering policy.

   The steering policies list page is displayed.

Using the OCI CLI

1. Get the steering policy OCID.

   Use the following command to list all of the steering policies in the specified compartment to get the OCID of the steering policy that you want to delete:

   # oci dns steering-policy list --compartment-id compartment_OCID

2. Run the steering policy delete command.

   Syntax:

   oci dns steering-policy delete --steering-policy-id steering_policy_OCID