Learn About Network Monitoring, Observability, and Management

Use the OCI Command Center and the available tools to monitor and observe your network. Set up notifications and alarms so that you learn of issues as they occur and can proactively take action to address them.

Use the OCI Network Command Center Tools

The OCI Network Command Center brings all of OCI's native network observability tools together in one place for easier access and a unified user experience. Familiarize yourself with all the OCI tools in the Network Command Center. Learn how to utilize them to simplify your operations and reduce the time to identify issues.

The OCI Network Command Center offers the following observability tools to support various operations use cases:

  • Network Visualizer: Offers intuitive topology visualization to understand connections and relationships between your virtual network resources, inspect the configuration from one place, and visually troubleshoot any configuration issues.
  • Network Path Analyzer: Allows you to troubleshoot complex virtual network configurations when you have reachability problems. It provides automated configuration analysis to determine the network path the traffic takes, identify routing and security configuration issues, and provide configuration information along the path.
  • Inter-Region Latency: Provides real-time and historical latency information between OCI regions.
  • VCN Flow Logs: Offers network traffic telemetry critical to support your security and network operations use cases. You can gain extensive insights on the network traffic, stream the flow logs to your chosen tool using standard protocols such as Kafka, and archive the flow logs in OCI Object Storage for compliance purposes.
  • Virtual Test Access Point (VTAP): Offers traffic mirroring capabilities that enable full packet capture for security analysis, troubleshooting applications, or network performance issues. VTAP is also useful for troubleshooting complex network problems by analyzing the packet contents and headers.

Oracle recommends the following:

  • Review the OCI documentation and the videos linked in the Explore More section to become familiar with the Network Command Center tools, their capabilities, and their limitations.
  • Try out the Network Visualizer, Network Path Analyzer, Inter-Region Latency, and VCN Flow Logs as they are non-intrusive tools.
  • For VTAP, read through the documentation and blogs to learn how to use VTAP and try it out in your environment.

Tip:

Pin the Network Command Center and relevant tools to your OCI Console Home page for quick and easy access.

Set Up Notifications for Key Network Changes

The OCI Audit service automatically records calls to all supported OCI public Application Programming Interface (API) endpoints and logs them to the Audit Log. This includes all API calls made by the OCI Console, Command Line Interface (CLI), Software Development Kits (SDK), and other OCI services. As a result, anytime a change is made to your OCI environment or resources, it shows up in the Audit Log. You can use the OCI Events and Notifications services to be proactively alerted when a change is made to a critical or key network component.

The following are examples of key or critical OCI network components that you may want to set up notifications on:

  • Security List or Network Security Groups
  • Dynamic Routing Gateway (DRG)
  • Network Firewall
  • Route Table
  • Virtual Cloud Network (VCN) or Subnet

More components are available with the Events service. You can set up notifications anytime these resources are created, deleted, or updated.

Oracle recommends the following:

  • Identify the key and critical network resources that you want to be proactively notified about when changes are made. For example, a specific security list applied to a particular public subnet is important and you want to know when someone adds, updates, or deletes a rule in that security list. Another example could be identifying network components in a production compartment.
  • Review the OCI documentation and blogs to understand how the OCI Audit, Events, and Notification services work.
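
The security list example above, as an added sketch (not Oracle's code): a simplified model of how an Events rule condition filters events, so a condition can be checked against sample events before it is attached to a Notifications topic. The event type strings follow OCI's `com.oraclecloud.virtualnetwork.*` naming; the OCIDs, the sample events and the matcher's semantics (a list means any of its values, `*` is a wildcard) are assumptions for illustration.

```python
import fnmatch

# Rule condition in the JSON shape an Events rule uses. The OCID is a
# constructed placeholder for the security list on the public subnet.
CONDITION = {
    "eventType": [
        "com.oraclecloud.virtualnetwork.updatesecuritylist",
        "com.oraclecloud.virtualnetwork.deletesecuritylist",
    ],
    "data": {"resourceId": "ocid1.securitylist.oc1..examplepublicsl"},
}

# Constructed sample events, trimmed to the fields the conditions inspect.
EVENTS = [
    {"eventType": "com.oraclecloud.virtualnetwork.updatesecuritylist",
     "data": {"resourceId": "ocid1.securitylist.oc1..examplepublicsl",
              "compartmentName": "prod-network"}},
    {"eventType": "com.oraclecloud.virtualnetwork.updatesecuritylist",
     "data": {"resourceId": "ocid1.securitylist.oc1..exampledevsl",
              "compartmentName": "dev"}},
    {"eventType": "com.oraclecloud.virtualnetwork.updateroutetable",
     "data": {"resourceId": "ocid1.routetable.oc1..examplert",
              "compartmentName": "prod-network"}},
]

def matches(condition, event):
    """Simplified model: every key in the condition must match the event."""
    for key, want in condition.items():
        have = event.get(key)
        if isinstance(want, dict):
            # Nested object such as "data": recurse into the same key.
            if not isinstance(have, dict) or not matches(want, have):
                return False
            continue
        # A list means "any of these"; "*" is treated as a wildcard.
        options = want if isinstance(want, list) else [want]
        if not isinstance(have, str) or not any(
                fnmatch.fnmatchcase(have, o) for o in options):
            return False
    return True

def notified(condition, events):
    """Return the events that would be forwarded to the topic."""
    return [e for e in events if matches(condition, e)]

if __name__ == "__main__":
    for e in notified(CONDITION, EVENTS):
        print(e["eventType"], e["data"]["resourceId"])
```

A broader condition, such as any `com.oraclecloud.virtualnetwork.*` event with a `compartmentName` of `prod-*`, covers the production-compartment case with the same matcher.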

Set Up Alarms for Key Network Metric Threshold Breaches

The OCI Monitoring service uses metrics to monitor resources. Alarms notify you when these metrics meet alarm-specified triggers. You can create an alarm on any metric that is measured and collected in OCI. By combining these metrics and alarms with the OCI Notifications service, you can be notified when a threshold on a specific metric is breached.

The following are some examples of notifications you can receive:

  • When the state of a FastConnect or Site-to-Site Virtual Private Network (VPN) goes from up to down
  • When FastConnect or Site-to-Site VPN traffic goes above or below a set threshold
  • When the Border Gateway Protocol (BGP) state on FastConnect or Site-to-Site VPN goes from up to down
  • When the number of unhealthy backends in a Flexible Load Balancer backend set reaches a set threshold

Tip:

You can create an alarm on any metric that you see inside the OCI Console. On the metric graph, just click the options drop-down list and select Create an alarm on this query.

Oracle recommends the following:

  • Identify the key or critical metrics and associated thresholds that you want to be notified on.
  • Familiarize yourself with the OCI documentation for the relevant OCI services such as OCI Monitoring and Notifications.

Enable VCN Flow Logs for Each Subnet

VCN flow logs show details about traffic that is sourced from, or destined to, your VCN. VCN flow logs are not enabled by default when a subnet is created.

Enabling VCN flow logs on all subnets will help you later with auditing traffic and troubleshooting your VCN and security lists.

Oracle recommends the following:

  • Enable VCN flow logs for each subnet after you create the subnet.
  • Consider creating a separate log group just for VCN flow logs.
  • VCN flow logs should be one piece of an overall OCI logging architecture and design.

Tip:

There is a cost for OCI logging storage above a certain threshold. Make sure you understand your OCI logging needs and budget. If you want to limit usage, consider enabling VCN Flow Logs only on a temporary, as-needed basis for troubleshooting purposes.
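
Using flow logs to troubleshoot security lists, as an added example (not part of the Oracle documentation): it reads exported flow log records and reports destinations where traffic from inside the VCN was rejected, which usually points to a missing security list or NSG rule. The record layout (one JSON object per line with `action`, `sourceAddress`, `destinationAddress`, `destinationPort` and `protocolName` under `data`), the VCN CIDR and the sample records are assumptions.

```python
import ipaddress
import json
from collections import defaultdict

VCN_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VCN range

# Constructed sample export, one JSON record per line; the field names under
# "data" are assumed. The last line is deliberately truncated.
SAMPLE = """\
{"data": {"action": "ACCEPT", "sourceAddress": "10.0.1.15", "destinationAddress": "10.0.2.20", "destinationPort": 1521, "protocolName": "TCP"}}
{"data": {"action": "REJECT", "sourceAddress": "10.0.1.15", "destinationAddress": "10.0.2.20", "destinationPort": 1522, "protocolName": "TCP"}}
{"data": {"action": "REJECT", "sourceAddress": "10.0.1.16", "destinationAddress": "10.0.2.20", "destinationPort": 1522, "protocolName": "TCP"}}
{"data": {"action": "REJECT", "sourceAddress": "203.0.113.7", "destinationAddress": "10.0.0.5", "destinationPort": 22, "protocolName": "TCP"}}
{"data": {"action": "REJECT", "sourceAddress": "10.0.1.17", "destin
"""

def parse(text):
    """Yield the "data" object of each well-formed record; skip bad lines."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and isinstance(rec.get("data"), dict):
            yield rec["data"]

def rejected_internal(text, vcn=VCN_CIDR):
    """Map (destination, port, protocol) to the in-VCN sources rejected."""
    hits = defaultdict(set)
    for d in parse(text):
        if d.get("action") != "REJECT":
            continue
        try:
            src = ipaddress.ip_address(d["sourceAddress"])
        except (KeyError, ValueError):
            continue  # missing or malformed source address
        if src in vcn:
            key = (d.get("destinationAddress"), d.get("destinationPort"),
                   d.get("protocolName"))
            hits[key].add(str(src))
    return dict(hits)

if __name__ == "__main__":
    for (dst, port, proto), sources in rejected_internal(SAMPLE).items():
        print(f"{proto} {dst}:{port} rejected from {sorted(sources)}")
```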