Use Service Gateway

Introduction

If you’re a typical Oracle Cloud Infrastructure customer, you may have resources in your virtual cloud network (VCN) that need to access the Oracle Cloud Infrastructure Object Storage service, which has publicly addressable endpoints. Until now, you could use either public subnets or a NAT instance, with an internet gateway in your VCN to access the service. However, you might not have wanted to use these options because of privacy, security, or operational concerns.

Service Gateway alleviates these concerns: it gives resources in the VCN, including instances in private subnets with no public IP, a private path to Object Storage that needs neither an internet gateway nor a NAT gateway, so the traffic never traverses the public internet.

Key Points

We recommend using Chrome or Edge as the browser, and setting your browser zoom to 80%.

Note: Screenshots may be different than the actual UI.

Prerequisites

  1. Oracle Cloud Infrastructure account credentials (user, password, tenant, and compartment).

  2. OCI Training

  3. Familiarity with OCI console

  4. Overview of Networking

  5. Familiarity with Compartment

  6. Connecting to a compute instance

Sign in to OCI Console to Create an Object Storage Bucket and a VCN

  1. Sign in to Oracle Cloud Infrastructure Console using your cloud tenant name, user name, and password.

  2. From the OCI services menu, click Object Storage.

    Object Storage

  3. Choose your compartment under List Scope in the left navigation pane.

  4. Click Create Bucket and fill out the dialog box:

    • Bucket Name: Provide a name
    • Storage Tier: STANDARD
    • Encryption: ENCRYPT USING ORACLE-MANAGED KEYS
  5. Click Create Bucket.

  6. Click the Apps icon in the toolbar and select Git-Bash.

    Git-Bash

    Alternatively, open a terminal window to run Git commands.

  7. Change the directory to the Downloads folder. Enter command:

    $ cd /c/Users/PhotonUser/Downloads/
    

    Change Directory Command

  8. Create a sample file. Enter command:

    touch samplefile
    

    This should create a file with the name “samplefile” in the Downloads folder.

  9. Switch to the OCI Console window and click the bucket name.

    Hint: You can swap between the OCI Console window and any other application (for example, git-bash) by clicking Switch Window.

    Switch Window Icon

  10. The bucket details page should be visible. Click Upload Object.

    Upload Object Button

  11. Fill out the Upload Object dialog box:

    • OBJECT NAME PREFIX: Provide a prefix (optional)
    • CHOOSE FILES FROM YOUR COMPUTER: Click Select File and browse to the Downloads folder where samplefile was created
  12. Select the file, then click Upload Object in the dialog box.

    The file should be visible under Objects.

  13. From the OCI services menu, click Virtual Cloud Networks under Networking.

    Select your compartment from the drop-down menu on the left side of the screen under Networking, then click Start VCN Wizard.

    Note: Ensure that the correct compartment is selected under COMPARTMENT list.

  14. Click VCN with Internet Connectivity and click Start Workflow.

  15. Fill out the dialog box and click Next:

    • VCN NAME: Provide a name
    • COMPARTMENT: Ensure your compartment is selected
    • VCN CIDR BLOCK: Provide a CIDR block (10.0.0.0/16)
    • PUBLIC SUBNET CIDR BLOCK: Provide a CIDR block (10.0.1.0/24)
    • PRIVATE SUBNET CIDR BLOCK: Provide a CIDR block (10.0.2.0/24)
  16. Verify all the information and click Create.

    This will create a VCN with the following components: VCN, public subnet, private subnet, internet gateway (IG), NAT gateway (NAT), and service gateway (SG).

  17. Click View Virtual Cloud Network to display your VCN details.

  18. Click Create Subnet. Fill out the dialog box:

    • Name: Enter a name
    • Subnet Type: Regional
    • CIDR Block: Enter 10.0.5.0/24
    • Route Table: Select the Default Route Table

    Note: For a production deployment, we strongly recommend creating a separate route table rather than adding rules to the default one.

    • Subnet access: select Private Subnet
    • DHCP Options: Select the default
    • Security Lists: Select the Default Security List

    Note: For a production deployment, we strongly recommend creating a separate security list rather than widening the default one.

  19. Leave all other options as default and click Create Subnet.

    Create Subnet

Create SSH Keys and Two Compute Instances with the OCI CLI Pre-Installed

  1. Click the Apps icon in the toolbar and select Git-Bash.

    Apps Icon

    Alternatively, open a terminal window to run Git commands.

  2. Enter command:

    ssh-keygen
    

    Hint: You can swap between the OCI Console window, git-bash sessions, and any other application (Notepad, etc.) by clicking the Switch Window icon.

    Switch Icon Window

  3. Press Enter when asked for ‘Enter file in which to save the key’, ‘Enter passphrase’, and ‘Enter same passphrase again’. This leaves the private key unencrypted, which is acceptable for a throwaway lab only; outside a lab, set a passphrase, because an unencrypted private key is usable by anyone who can read the file.

    Passphrase

  4. You should now have the public and private keys:

    /C/Users/PhotonUser/.ssh/id_rsa (Private Key)

    /C/Users/PhotonUser/.ssh/id_rsa.pub (Public Key)

    Note: id_rsa.pub will be used to create the compute instance and id_rsa to connect via SSH into the compute instance.

    Hint: Enter command:

    cd /C/Users/PhotonUser/.ssh (No Spaces)
    

    and then:

    ls 
    
    

    to verify that the two files exist.

  5. In git-bash, enter command:

    cat /C/Users/PhotonUser/.ssh/id_rsa.pub
    

    Highlight the key and copy.

    Key

  6. Click the Apps icon, launch Notepad, and paste the key in Notepad (as backup).

    Notepad

  7. Switch to the OCI Console. From the OCI services menu, click Instances under Compute.

  8. Click Create Instance. Fill out the dialog box:

    • Name your instance: Enter a name

    • Choose an operating system or image source: Click Change Image Source. In the new window, click Oracle Images and choose Oracle Cloud Developer Image. Scroll down, accept the agreement, and click Select Image.

      Oracle Images

    • Availability Domain: Select availability domain

    • Instance Type: Select Virtual Machine

    • Instance Shape: Select VM shape

    Under Configure Networking

    • Virtual cloud network compartment: Select your compartment

    • Virtual cloud network: Choose the VCN

    • Subnet Compartment: Choose your compartment

    • Subnet: Choose the Public Subnet under Public Subnets

    • Use network security groups to control traffic: Leave un-checked

    • Assign a public IP address: Check this option

      Assign a Public IP Address

    • Boot Volume: Leave the default

    • Add SSH Keys: Choose ‘Paste SSH Keys’ and paste the Public Key saved earlier.

  9. Click Create.

  10. Note down the Public IP address of compute instance.

  11. Create a second compute instance following the steps previously outlined. Click Instances under Compute.

  12. Click Create Instance. Fill out the dialog box:

    • Name: Enter a name

    • Image Operating System: Click Change Image Source. In the new window, click Oracle Images, and choose Oracle Cloud Developer Image. Scroll down, accept the agreement and click Select Image.

      Select Image

    • Availability Domain: Select availability domain

    • Instance Type: Select Virtual Machine

    • Instance Shape: Select VM shape

    Under Configure Networking

    • Virtual cloud network compartment: Select your compartment
    • Virtual cloud network: Choose the VCN
    • Subnet Compartment: Choose your compartment
    • Subnet: Choose the private subnet you created in the previous section (10.0.5.0/24), which uses the Default Route Table. Do not pick the private subnet created by the VCN wizard: its own route table already routes to the NAT gateway and Service Gateway, so the download test below would succeed before you add any rule
    • Use network security groups to control traffic: Leave un-checked
    • Boot Volume: Leave the default
    • Add SSH Keys: Choose ‘Paste SSH Keys’ and paste the Public Key saved earlier
  13. Click Create.

    Note: If a ‘Service limit’ error is displayed, choose a different shape such as VM.Standard.E2.2 OR VM.Standard2.2.

  14. Once the instance is in running state, click Instance name and note down its Private IP address.

    Private IP Address

  15. To SSH into the private instance, we will use the SSH ProxyCommand option. The connection to the private instance is made from your workstation and tunnelled through the first (bastion) compute instance, so your private key never has to leave your workstation.

    Do not copy private SSH keys onto a public-facing server such as the bastion host (the first compute instance): anyone who compromises the bastion would then hold the keys to every instance behind it.

  16. Ensure that you have both the Public IP of the first compute and Private IP of the second compute. In the git-bash window, ensure that you are in the /C/Users/PhotonUser/.ssh directory. Enter command:

    ssh -t -o ProxyCommand='ssh -i <SSH_Private_Key_Name> -W %h:%p opc@<FIRST_COMPUTE_PUBLIC_IP>' -i <SSH_Private_Key_Name> opc@<SECOND_COMPUTE_PRIVATE_IP>
    

    SSH Command

  17. Enter yes at the host key prompts. You are asked twice, once for the bastion and once for the private instance, because each hop verifies its own host key.

  18. Check the oci CLI installed version. Enter command:

    oci -v
    

    Note: The version should be at least 2.4.2x.

    OCI CLI version

  19. Next we will configure OCI CLI. Enter command:

    oci setup config
    
  20. Accept the default directory location.

    For the user OCID, switch to the OCI Console window. Click the profile icon and then your user name. On the user details page, click Copy to copy the OCID. Also note down your region name as shown in the OCI Console window. Paste the user OCID into the SSH session.

    User Details Page

  21. Repeat the step to find the tenancy OCID (profile icon, then the tenancy name). Paste the tenancy OCID into the SSH session, then provide your region name (for example, us-ashburn-1 or us-phoenix-1).

  22. When asked for Do you want to generate a new RSA key pair?, answer Y. For the rest of the question, accept the default by pressing Enter.

    RSA Key Pair Prompt
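
    The key pair that oci setup config just generated is what the next section uploads to your user and checks by fingerprint. The following script is an added example, not part of this lab or of the OCI CLI: it recomputes the fingerprint from ~/.oci/oci_api_key_public.pem (OCI's API key fingerprint is the colon-separated MD5 of the DER-encoded public key, the same value that `openssl rsa -pubout -outform DER -in oci_api_key.pem | openssl md5 -c` prints) and compares it with the fingerprint= entry the CLI wrote to ~/.oci/config, so a mismatch is caught before the first API call fails with an authentication error. It also checks that the private key file is readable only by its owner. The file names are the ones the lab uses; DEFAULT is the CLI's default profile name.

```python
"""Verify that the API key fingerprint in ~/.oci/config matches the public key file.

Added example, not part of the original lab. OCI's API key fingerprint is the
colon-separated MD5 digest of the DER-encoded public key, so it can be recomputed
locally from oci_api_key_public.pem and compared with the `fingerprint=` line the
CLI wrote (and with the one the Console shows after the key is uploaded).
"""
import base64
import hashlib
import os
import re
import stat
from configparser import ConfigParser


def fingerprint_from_pem(pem_text: str) -> str:
    """Return the OCI-style fingerprint (aa:bb:...) for a 'BEGIN PUBLIC KEY' PEM."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem_text)
    der = base64.b64decode("".join(body.split()))  # drop all line breaks/whitespace
    digest = hashlib.md5(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def config_fingerprint(config_text: str, profile: str = "DEFAULT") -> str:
    """Read the fingerprint= value from the given profile of an OCI CLI config file."""
    # Only '=' is a delimiter: the fingerprint value itself contains colons.
    cp = ConfigParser(delimiters=("=",))
    cp.read_string(config_text)
    return cp[profile]["fingerprint"].strip()


def fingerprints_match(pem_text: str, config_text: str, profile: str = "DEFAULT") -> bool:
    """True if the key file and the config profile refer to the same public key."""
    return fingerprint_from_pem(pem_text).lower() == config_fingerprint(config_text, profile).lower()


def private_key_is_locked_down(path: str) -> bool:
    """True if the private key is readable only by its owner (mode 0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    # Paths assumed from the lab: the defaults written by `oci setup config`.
    oci_dir = os.path.expanduser("~/.oci")
    with open(os.path.join(oci_dir, "oci_api_key_public.pem")) as f:
        pem = f.read()
    with open(os.path.join(oci_dir, "config")) as f:
        cfg = f.read()
    print("computed :", fingerprint_from_pem(pem))
    print("config   :", config_fingerprint(cfg))
    print("match    :", fingerprints_match(pem, cfg))
    print("key 0600 :", private_key_is_locked_down(os.path.join(oci_dir, "oci_api_key.pem")))
```

    Run it on the compute instance after oci setup config has finished; if match is False, the config points at a different key than the one you are about to upload, and every signed request will be rejected.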

Upload API Keys and Verify Functionality

  1. oci setup config also generated an API key. We will need to upload this API key into our OCI account for authentication of API calls. Switch to SSH session to compute instance to display the content of the API key. Enter command:

    cat ~/.oci/oci_api_key_public.pem
    
  2. Highlight and copy the content from the SSH session. Switch to the OCI Console, click the profile icon followed by your user name. On the user details page, click Add Public Key. In the dialog box, paste the public key content and click Add.

    Public Key

    Add Public Key Button

  3. A new fingerprint is displayed next to the uploaded key. Switch to the git-bash window and enter command:

    cat /home/opc/.oci/config
    

    Compare the fingerprint= line in the config file with the fingerprint shown in the OCI Console and make sure they match: the CLI signs every API request with the private key, and IAM locates the matching public key by this fingerprint.

    We will now download the object uploaded earlier from the second compute instance. This instance has no public IP, so the first attempt is expected to fail until a route to the Service Gateway exists.

  4. Switch back to the OCI Console window and navigate to your object storage bucket details page. Note down the name space and object storage name.

    Name Space

  5. Switch to git-bash window (ssh session to second compute instance) and download samplefile. Enter command:

    oci os object get --namespace <NAME_SPACE> --bucket-name <BUCKET_NAME> --name samplefile --file ./samplefile
    

    Hint: In this example, the command will be: oci os object get --namespace us_training --bucket-name Service-Gateway-Bucket --name samplefile --file ./samplefile

    OCI OS Object Get Command

  6. The command hangs with no output and no file is downloaded: the instance has no path to the Object Storage endpoint, so the TCP connection never completes. Press Ctrl+C to terminate it, then enter command:

    ls
    

    and verify that samplefile was not downloaded.

    The second compute instance has no public IP, and the route table of its subnet has no rule toward Object Storage, so the request cannot reach the service. Next, we will add a route rule to the Service Gateway and a matching egress rule, and re-download the file.

  7. Switch to OCI Console. From the OCI services menu, click Virtual Cloud Networks under Networking. Locate your VCN and click the VCN name to display VCN details.

  8. Click Route tables and click Default Route Table for <VCN_NAME>.

    Route Tables

  9. Click Add Route Rules. Fill out the dialog box:

    • TARGET TYPE: Service Gateway
    • DESTINATION SERVICE: OCI IAD-ObjectStorage (IAD is us-ashburn-1; pick the Object Storage entry for the region your VCN is in)
    • COMPARTMENT: Choose your compartment
    • TARGET SERVICE GATEWAY: Choose the Service Gateway created earlier by the VCN wizard
  10. Click Add Route Rules. A new route entry should be created.

    Add Route Rules

  11. In Your VCN, click Security Lists, then click Default Security List for <VCN_NAME>. Click Add Egress Rules.

  12. Add the following egress rule, leaving the STATELESS flag unchecked (a stateful rule lets the response traffic back in without a matching ingress rule):

    • DESTINATION TYPE: Service
    • DESTINATION SERVICE: OCI IAD Object Storage (the same regional service you used in the route rule)
    • SOURCE PORT RANGE: ALL
    • DESTINATION PORT RANGE: ALL

    Note: Object Storage is reached over HTTPS, so for a production deployment restrict this rule to TCP destination port 443 instead of ALL.

    Destination Settings

  13. Click Add Egress Rules.

  14. Switch to the git-bash window (with SSH to the second compute instance).

  15. Re-enter the download command:

    oci os object get --namespace <NAME_SPACE> --bucket-name <BUCKET_NAME> --name samplefile --file ./samplefile
    

    OCI OS Object Get Command

Using the Service Gateway, the compute instance in the private subnet was able to fetch the object from Object Storage without a public IP, NAT gateway, or internet gateway in the path; the traffic stayed on the OCI network rather than crossing the public internet.
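
The route rule and egress rule added by hand in the Console above can also be applied with the OCI CLI. The script below is an added example and is not part of this lab; it wraps oci network route-table update and oci network security-list update. Both commands replace the whole rule list (the CLI warns about this before --force is honoured), so the script fetches the existing rules, converts them from the kebab-case keys of get output to the camelCase keys the JSON input parameters expect, and appends the Service Gateway rule only if an equivalent one is not already there. The OCIDs are placeholders, and oci-iad-objectstorage is the Object Storage service label for us-ashburn-1; substitute your region's label (oci network service list prints them). Unlike the lab's ALL-ports rule, the egress rule here allows only TCP/443.

```python
"""Add Service Gateway route and egress rules without clobbering existing ones.

Added example, not part of the original lab. `oci network route-table update
--route-rules` and `oci network security-list update --egress-security-rules`
REPLACE the entire list, so existing rules are fetched, converted to the camelCase
input format, merged, and written back. OCIDs and the region label are placeholders.
"""
import json
import subprocess

# Hypothetical values: replace with your own OCIDs (Console or `oci network ... list`).
ROUTE_TABLE_OCID = "ocid1.routetable.oc1.iad.EXAMPLE"
SECURITY_LIST_OCID = "ocid1.securitylist.oc1.iad.EXAMPLE"
SERVICE_GATEWAY_OCID = "ocid1.servicegateway.oc1.iad.EXAMPLE"
# Service CIDR label for Object Storage in us-ashburn-1 (IAD); use your region's label.
OBJECT_STORAGE_SERVICE = "oci-iad-objectstorage"


def to_camel(key: str) -> str:
    """'network-entity-id' -> 'networkEntityId' (get output is kebab-case, input is camelCase)."""
    head, *rest = key.split("-")
    return head + "".join(part.capitalize() for part in rest)


def camelize(obj):
    """Recursively rename keys and drop nulls so a `get` result can be fed back to `update`."""
    if isinstance(obj, dict):
        return {to_camel(k): camelize(v) for k, v in obj.items() if v is not None}
    if isinstance(obj, list):
        return [camelize(v) for v in obj]
    return obj


def sgw_route_rule(service_label: str, sgw_ocid: str) -> dict:
    """Route rule: traffic for the regional Object Storage service goes to the Service Gateway."""
    return {
        "destination": service_label,
        "destinationType": "SERVICE_CIDR_BLOCK",
        "networkEntityId": sgw_ocid,
        "description": "Object Storage via Service Gateway",
    }


def sgw_egress_rule(service_label: str) -> dict:
    """Stateful egress rule: HTTPS only, since Object Storage is not reachable on other ports."""
    return {
        "destination": service_label,
        "destinationType": "SERVICE_CIDR_BLOCK",
        "protocol": "6",  # TCP
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}},
        "description": "HTTPS to Object Storage via Service Gateway",
    }


def merge_rules(existing: list, new_rule: dict) -> list:
    """Return existing rules (camelCased) plus new_rule, unless its destination is already routed."""
    key = (new_rule["destination"], new_rule["destinationType"])
    merged = [camelize(r) for r in existing]
    if any((r.get("destination"), r.get("destinationType")) == key for r in merged):
        return merged
    return merged + [new_rule]


def oci_json(*args):
    """Run an `oci` command and return the parsed 'data' element of its JSON output."""
    out = subprocess.run(["oci", *args], check=True, capture_output=True, text=True).stdout
    return json.loads(out)["data"]


def update_route_table(rt_ocid: str, sgw_ocid: str, service_label: str) -> None:
    rt = oci_json("network", "route-table", "get", "--rt-id", rt_ocid)
    rules = merge_rules(rt["route-rules"], sgw_route_rule(service_label, sgw_ocid))
    oci_json("network", "route-table", "update", "--rt-id", rt_ocid,
             "--route-rules", json.dumps(rules), "--force")


def update_security_list(sl_ocid: str, service_label: str) -> None:
    sl = oci_json("network", "security-list", "get", "--security-list-id", sl_ocid)
    rules = merge_rules(sl["egress-security-rules"], sgw_egress_rule(service_label))
    oci_json("network", "security-list", "update", "--security-list-id", sl_ocid,
             "--egress-security-rules", json.dumps(rules), "--force")


if __name__ == "__main__":
    update_route_table(ROUTE_TABLE_OCID, SERVICE_GATEWAY_OCID, OBJECT_STORAGE_SERVICE)
    update_security_list(SECURITY_LIST_OCID, OBJECT_STORAGE_SERVICE)
```

The merge step is the part that matters operationally: on the Default Route Table the only existing rule is 0.0.0.0/0 to the internet gateway, and passing a one-element list to --route-rules would silently delete it and cut the public subnet off from the internet.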

Delete the Resources

As practice, you will need to figure out any errors encountered during deletion of resources.

  1. Switch to the OCI Console window.

  2. If your compute instance is not displayed, from the OCI services menu, click Instances under Compute.

  3. Locate the compute instance, click the Action icon, and then click Terminate.

    Terminate Setting

  4. Make sure Permanently delete the attached Boot Volume is checked and click Terminate Instance. Wait for the instance to fully terminate.

    Terminate Instance Button

  5. Repeat these steps to delete the second compute instance.

  6. From the OCI services menu, click Virtual Cloud Networks under Networking.

    A list of all VCNs will appear.

  7. Locate your VCN, click the Action icon, and then click Terminate. Click Delete All in the confirmation window. Click Close once the VCN is deleted.

    Terminate VCN

  8. From the OCI services menu, navigate to Object Storage. Click your bucket name. Under Objects, your file should be visible. Click the Action icon (3 vertical dots) and click Delete to delete the object.

  9. Once the object is deleted, click Delete to delete the bucket.

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.