Configure the Solution

Configuring this solution is a two-stage process: configuring the networking infrastructure, and then installing the Management Gateway and Management Agent. The following procedures walk you through these stages.

Configure Networking

Use the following steps to set up IPSec VPN tunneling between AWS and OCI to enable communication between the RDS and O&M services. This setup works with OCI Site-to-Site VPN Version 2.

Create a Temporary Customer Gateway for AWS

Use the temporary customer gateway to initially provision the AWS Site-to-Site VPN, exposing the AWS VPN endpoint for your tunnel. OCI requires the public IP of the remote VPN peer before you can create an IPSec connection. After you finish this process, a new customer gateway representing the actual OCI VPN endpoint public IP is configured.

  1. From the main AWS portal, expand the Services menu at the top left of the screen. Browse to VPC under Networking & Content Delivery.
  2. From the left-hand menu, scroll down and, under Virtual Private Network (VPN), click Customer Gateways.
  3. Click Create Customer Gateway to create a Customer Gateway.
    The Create Customer Gateway page appears.
  4. Enter the following details:
    • Name: Give this customer gateway an obviously temporary name. In this example, the name TempGateway is used.
    • Routing: Select Dynamic.
    • BGP ASN: Enter the OCI BGP ASN. Oracle's BGP ASN for the commercial cloud is 31898, except the Serbia Central (Jovanovac) region which is 14544.
    • IP Address: Use any valid IPv4 address for the temporary gateway. This example uses 1.1.1.1.
  5. When you are finished configuring your temporary customer gateway, complete the provisioning process by clicking Create Customer Gateway.

Create and Attach a Virtual Private Gateway for AWS

A virtual private gateway (VPG) allows resources that are outside of your network to communicate to resources that are inside of your network. To create and attach a VPG for AWS, use this procedure.

  1. From the AWS left-hand menu, scroll down and, under Virtual Private Network (VPN), click Virtual Private Gateways.
  2. Click Create Virtual Private Gateway to create a new virtual private gateway.
    The Create Virtual Private Gateway page appears.
  3. Enter the following details:
    • Name: Give your Virtual Private Gateway (VPG) a name.
    • ASN: Select Amazon default ASN.
  4. When you are finished configuring your virtual private gateway, complete provisioning by clicking Create Virtual Private Gateway.
  5. After the VPG has been created, attach it to your VPC of choice:
    1. While still on the Virtual Private Gateway page, ensure that your VPG is selected, open the Actions menu (Actions Menu), and select Attach to VPC. The Attach to VPC page for your selected Virtual Private Gateway appears.
    2. Select your VPC from the list, then, to complete attaching your VPG to your VPC, click Yes, Attach.

Create a VPN Connection for AWS

To connect OCI to AWS by using the native VPN services, use this procedure.

  1. From the left-hand menu, scroll down and click Site-to-Site VPN Connections under Virtual Private Network (VPN).
  2. Click Create VPN Connection to create a new VPN connection. You are taken to the Create VPN Connection page.
  3. Enter the following details:
    • Name tag: Give your VPN connection a name.
    • Target Gateway Type: Select Virtual Private Gateway, then select the previously created Virtual Private Gateway from the list.
    • Customer Gateway: Select Existing, then select the temporary Customer Gateway from the list.
    • Routing Options: Select Dynamic (requires BGP).
    • Tunnel inside IP Version: Select IPv4.
    • Local/Remote IPv4 Network CIDR: Leave both of these fields blank, creating an any/any route-based IPSec VPN.

      Proceed to the next step. Do not click Create VPN Connection yet.

  4. While still on the Create VPN Connection page, scroll down to Tunnel Options.
  5. Choose a /30 CIDR from within the link local 169.254.0.0/16 range. Input the full CIDR in Inside IPv4 CIDR for Tunnel 1.
  6. Ensure that OCI supports the chosen /30 address for the inside tunnel IPs.
    OCI does not allow you to use the following IP ranges for inside tunnel IPs:
    • 169.254.10.0-169.254.19.255
    • 169.254.100.0-169.254.109.255
    • 169.254.192.0-169.254.201.255
    Proceed to the next step. Do not click Create VPN Connection yet.
  7. Under Advanced Options for Tunnel 1, select Edit Tunnel 1 Options.
    An extra set of options expands. If you want to restrict the cryptography algorithms used for this tunnel, configure the desired Phase 1 and Phase 2 options here. You should use IKEv2 for this connection. Disable the IKEv1 checkbox to prevent IKEv1 from being used. See "Supported IPSec Parameters", which you can access from "Explore More", elsewhere in this playbook, for a description of which Phase 1 and Phase 2 options OCI supports.
  8. After you have finished configuring all necessary options, complete the VPN connection provisioning process by clicking Create VPN Connection.

Download the AWS Configuration

While your VPN connection is provisioning, download the configuration of all tunnel information. This text file is required to complete configuring the tunnel in the OCI Console.

  1. Ensure that your VPN connection is selected, then click Download Configuration.
  2. Select the Vendor and Platform setting "Generic" then click Download to save a text copy of the configuration to your local hard drive.
  3. Open the downloaded configuration file in your text editor of choice. Look under IPSec Tunnel #1, section #1 Internet Key Exchange Configuration. Here you find your automatically generated pre-shared key for your tunnel. Save this value.
    AWS might generate a pre-shared key that includes the period or underscore characters (. or _). OCI does not support those characters in a pre-shared key, so a key that includes them must be changed. To change the pre-shared key in AWS for a tunnel, select your VPN connection, open the Actions menu and select Modify VPN Tunnel Options.
  4. While still under IPSec Tunnel #1 in the downloaded configuration, scroll down to section #3 Tunnel Interface Configuration.
  5. To complete the Site-to-Site VPN configuration in OCI, record the following values:
    • Outside IP address of the Virtual Private Gateway
    • Inside IP for the Customer Gateway
    • Inside IP for the Virtual Private Gateway
    • Virtual Private Gateway BGP ASN. The default ASN is 64512.
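Two values from this section and the previous one are easy to get wrong before the tunnel is ever created: the /30 inside-tunnel CIDR (which must be link-local, exactly /30, and outside the three ranges OCI rejects) and the pre-shared key (which OCI rejects if it contains a period or underscore). The following added example, which is not part of this playbook or of any AWS or OCI tooling, checks both before you type them into either console and shows how the two usable addresses of the /30 map onto the OCI tunnel form. The assignment of the first usable address to the Customer Gateway and the second to the Virtual Private Gateway is an assumption for illustration; confirm the real values in section #3 of the downloaded AWS configuration file.

```python
import ipaddress

# Link-local range AWS requires for inside tunnel addresses.
LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")

# Inside-tunnel ranges that OCI does not accept (as listed in this playbook).
OCI_EXCLUDED_INSIDE_RANGES = [
    (ipaddress.IPv4Address("169.254.10.0"), ipaddress.IPv4Address("169.254.19.255")),
    (ipaddress.IPv4Address("169.254.100.0"), ipaddress.IPv4Address("169.254.109.255")),
    (ipaddress.IPv4Address("169.254.192.0"), ipaddress.IPv4Address("169.254.201.255")),
]

# Characters OCI does not allow in a pre-shared key.
OCI_PSK_FORBIDDEN_CHARS = "._"


def check_inside_cidr(cidr: str) -> dict:
    """Validate a candidate 'Inside IPv4 CIDR for Tunnel 1' value.

    Returns {'ok': bool, 'problems': [..]} and, when the CIDR is acceptable,
    the two usable addresses mapped onto the AWS and OCI field names.
    """
    problems = []
    try:
        # strict=True rejects a host address such as 169.254.21.1/30; the
        # AWS field expects the network address (169.254.21.0/30).
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        return {"ok": False, "problems": [f"not a valid IPv4 network: {exc}"]}

    if net.prefixlen != 30:
        problems.append(f"prefix length is /{net.prefixlen}; AWS requires a /30")
    if not net.subnet_of(LINK_LOCAL):
        problems.append(f"{net} is outside the link-local range {LINK_LOCAL}")
    for low, high in OCI_EXCLUDED_INSIDE_RANGES:
        # Reject the /30 if any of its addresses falls inside an excluded range.
        if net[0] <= high and net[-1] >= low:
            problems.append(f"{net} overlaps the OCI-excluded range {low}-{high}")
    if problems:
        return {"ok": False, "problems": problems}

    # Assumption: the AWS generic configuration assigns the first usable
    # address to the Customer Gateway and the second to the Virtual Private
    # Gateway. Confirm against section #3 of the downloaded file.
    cgw_inside, vpg_inside = list(net.hosts())
    return {
        "ok": True,
        "problems": [],
        "aws_customer_gateway_inside": f"{cgw_inside}/30",
        "aws_virtual_private_gateway_inside": f"{vpg_inside}/30",
        # OCI form fields: CPE side takes the VPG inside IP, Oracle side takes
        # the Customer Gateway inside IP (both in full CIDR notation).
        "oci_inside_tunnel_cpe": f"{vpg_inside}/30",
        "oci_inside_tunnel_oracle": f"{cgw_inside}/30",
    }


def check_pre_shared_key(psk: str) -> list:
    """Return a list of problems that would make OCI reject this pre-shared key."""
    problems = []
    for ch in sorted(set(psk)):
        if ch in OCI_PSK_FORBIDDEN_CHARS:
            problems.append(f"contains {ch!r}, which OCI does not accept in a pre-shared key")
    if not psk:
        problems.append("pre-shared key is empty")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration file.
    for candidate in ("169.254.21.0/30", "169.254.12.0/30", "169.254.21.0/29", "10.0.0.0/30"):
        print(candidate, check_inside_cidr(candidate))
    for key in ("Example.Key_With_Bad_Chars", "ExampleKeyWithoutBadChars123"):
        print(repr(key), check_pre_shared_key(key))
```

Run the script with your own candidate CIDR and the key AWS generated; if `check_pre_shared_key` reports a problem, modify the tunnel options in AWS to set a key without those characters before entering it as the custom shared secret in OCI.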

Create Customer Premises Equipment for OCI

Next, you need to configure the on-premises device (Customer Premises Equipment, or CPE) at your end of the Site-to-Site VPN so traffic can flow between your on-premises network and virtual cloud network (VCN). Use this procedure.

  1. Open the navigation menu and click Networking. Under Customer connectivity, click Customer-premises equipment.
  2. Click Create Customer Premises Equipment.
  3. Enter the following values:
    • Create in Compartment: select the compartment for the VCN you want.
    • Name: Enter a descriptive name for the CPE object. It doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information. This example uses TO_AWS as the name.
    • IP Address: Enter the outside IP address of the Virtual Private Gateway shown in the configuration downloaded from AWS.
    • CPE Vendor: Select Other.
  4. Click Create CPE.

Create an IPSec Connection for OCI

Now, you need to create the IPSec tunnels and configure the type of routing, either static or BGP Dynamic routing. Use this procedure.

  1. Open the navigation menu and click Networking. Under Customer connectivity, click Site-to-Site VPN.
  2. Click Create IPSec Connection.
    A new IPSec connection dialog appears.
  3. Enter the following values:
    • Create in Compartment: Leave as is (the VCN's compartment).
    • Name: Enter a descriptive name for the IPSec connection (Example: OCI-AWS-1). It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
    • Customer-Premises Equipment Compartment: Leave as is (the VCN's compartment).
    • Customer-Premises Equipment: Select the CPE object that you created earlier, named TO_AWS.
    • Dynamic Routing Gateway Compartment: Leave as is (the VCN's compartment).
    • Dynamic Routing Gateway: Select the DRG that you created earlier.
    • Static Route CIDR: Enter a default route, 0.0.0.0/0.

      Since the active tunnel uses BGP, OCI ignores this route. An entry is required because the second tunnel of the IPSec connection uses static routing by default, but the address is not used in this scenario. If you plan to use static routing for this connection, input static routes representing your AWS virtual networks. You can configure up to 10 static routes for each IPSec connection.

  4. Enter the following details on the Tunnel 1 tab (required):
    • Name: Enter a descriptive name for the tunnel (Example: AWS-TUNNEL-1). It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
    • Provide custom shared secret: Enter the pre-shared key used by IPSec for this tunnel. Check this box and input the pre-shared key from the AWS VPN configuration file.
    • IKE Version: Select IKEv2.
    • Routing Type: Select BGP Dynamic Routing.
    • BGP ASN: Input the BGP ASN used by AWS as found in the AWS VPN configuration file. The default AWS BGP ASN is 64512.
    • IPv4 Inside Tunnel Interface - CPE: Enter the Virtual Private Gateway inside IP address from the AWS VPN configuration file. Use full CIDR notation for this IP address.
    • IPv4 Inside Tunnel Interface - Oracle: Enter the inside IP address used by OCI. From the AWS VPN configuration file, enter the inside IP address for the Customer Gateway. Use full CIDR notation for this IP address.
  5. Click Create IPSec Connection.
    The IPSec connection is created and displayed on the page. The connection is in the Provisioning state for a short period.
  6. After your IPSec connection is provisioned, make note of the Oracle VPN IP Address of your tunnel. This address will be used to create a new customer gateway in the AWS portal.
    1. Open the navigation menu and click Networking. Under Customer connectivity, click Site-to-Site VPN.

      A list of the IPSec connections in the compartment that you're viewing appears. If you don't see the connection you're looking for, verify that you're viewing the correct compartment (select from the list on the left side of the page).

    2. Click the IPSec connection you're interested in (Example: OCI-AWS-1).
    3. Find the Oracle VPN IP Address of AWS-TUNNEL-1.

Create a New AWS Customer Gateway

Now, create a new customer gateway on top of the existing customer gateway by using the details captured from the OCI IPSec connection.

  1. In the AWS console, browse to Customer Gateways and create a Customer Gateway by entering the following details:
    • Name: Give this customer gateway a name.
    • Routing: Select Dynamic.
    • BGP ASN: Enter the OCI BGP ASN. Oracle's BGP ASN for the commercial cloud is 31898, except the Serbia Central (Jovanovac) region which is 14544.
    • IP Address: Enter the Oracle VPN IP address for tunnel 1. Use the IP saved in the previous task.
  2. To complete provisioning, click Create Customer Gateway.

Modify the VPN Connection with the New AWS Customer Gateway

This task replaces the temporary Customer Gateway with one that uses the OCI VPN IP address.

  1. On the AWS console, browse to Site-to-Site VPN Connections and select your VPN connection.
  2. Open the Actions menu and select Modify VPN Connection.
    The Modify VPN Connection page appears.
  3. Enter the following details:
    • Target Type: Select Customer Gateway from the list.
    • Target Customer Gateway ID: Select the new Customer Gateway with the OCI VPN IP address from the list.
  4. When you are done, click Save to save the configuration. After a couple of minutes, AWS finishes provisioning the VPN connection and your IPSec VPN between AWS and OCI comes up.
  5. At this point you can delete the temporary customer gateway.

Validate the Connectivity

Browse to your IPSec connection in OCI and the Site-to-Site VPN connections in AWS to verify tunnel status.

  • Your OCI tunnel under IPSec connection displays Up for IPSec status to confirm an operational tunnel.
  • The IPv4 BGP Status also displays Up, indicating an established BGP session.
  • The tunnel status on the Tunnel Details tab for your Site-to-Site VPN connection in AWS displays Up.

Install the Management Gateway and Agent

Refer to Secure on-premises observability data upload using Management Gateway to learn about the architecture for installing the Agent and Gateway in a Site-to-Site VPN environment.

Install the Management Gateway

Next, you need to install the Management Gateway. The Management Gateway should be able to communicate with the OCI Services through the IPSec VPN tunnel, not through the public subnet. Since this task is beyond the scope of this document, refer to "Management Gateway Installation" for detailed steps. You can find a link to this procedure in the "Explore More" topic, elsewhere in this playbook.

Install the Management Agent

Then, install the Management Agent. Since this task is beyond the scope of this document, refer to "Management Agent Installation" for detailed steps. You can find a link to this procedure in the "Explore More" topic, elsewhere in this playbook.

Deploy Service Plug-ins

Management Agents allow you to deploy service plug-ins for different Oracle Cloud Infrastructure (OCI) services. Service plug-ins can be deployed to management agents, enabling them to perform tasks for those services. Any given management agent can have multiple service plug-ins.

Deploy the following plug-ins on the management agent.

  • Database Management and Operations Insights Service
  • Logging Analytics
  • Operations Insights Host Service
  • Stack Monitoring

Deploy a Service Plug-in on the Agent

Use this method when the Management Agent is already installed as described in Install Management Agents.

To deploy a plug-in, do the following:
  1. From the left menu, click Agents to open up the Agents page.
  2. From the Agents list, click the desired agent where you want to deploy the plug-in. The Agent detail page appears.
  3. Click Deploy Plug-ins. The Deploy Plug-ins window appears. Select the plug-in and click Update. The selected plug-in will be deployed on the desired agent.
  4. Check the status of the agent and plug-ins on the Agent home page.