Secure on-premises observability data upload using Management Gateway

For enterprise-class observability and management of on-premises environments, it is essential to have secure and efficient data transport, along with restricted access to management tools.

Observability and management applications are usually exposed and accessed over the internet, but occasionally customers might prefer to restrict access to their corporate networks only, and to provide dedicated, high-bandwidth connectivity to SaaS applications running in Oracle Cloud.

Architecture

This reference architecture illustrates how to transport your Oracle Cloud Observability and Management Platform data, collected on-premises or in a third-party cloud network, within a secure zone. The solution routes data collected by agents to the Management Gateway, and then routes the traffic through a secure tunnel to Oracle Cloud Observability and Management Platform services.

Reference architecture with routing via Dynamic Routing Gateway using a Service Gateway

You can set up your on-premises network with private access to Oracle services through the VCN's service gateway. A service gateway allows hosts in your on-premises network to use and communicate with any of the supported Oracle services from your private IP addresses.

For information about the services supported by the service gateway, see the Service Gateway: Supported Cloud Services in Oracle Services Network link in the Explore More section. Set security lists on the on-premises edge nodes to allow traffic only to the OCI service IP range, so that the edge nodes cannot reach arbitrary internet destinations.
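As an added example (not part of this reference architecture or Oracle's code), the following Python builds such an egress allow-list from a constructed sample in the layout of OCI's published public IP ranges file (an assumed schema: regions, cidrs and tags, with the OSN tag marking the Oracle Services Network) and checks candidate flows from an edge node against it:

```python
"""Build an egress allow-list for on-premises edge nodes restricted to the
Oracle Services Network (OSN) CIDRs of one region, then check destinations
against it. Added example, not Oracle's code; the JSON layout mirrors the
published OCI public IP ranges file (an assumption about its schema), and
the CIDRs below are constructed samples, not real OCI ranges."""
import ipaddress
import json

OSN_PORT = 443  # agents and Management Gateway upload over HTTPS

# Constructed sample in the shape of public_ip_ranges.json (regions -> cidrs -> tags).
SAMPLE_RANGES = json.dumps({
    "last_updated_timestamp": "2024-01-01T00:00:00Z",
    "regions": [
        {"region": "us-phoenix-1", "cidrs": [
            {"cidr": "192.0.2.0/25", "tags": ["OCI", "OSN"]},
            {"cidr": "192.0.2.128/25", "tags": ["OCI"]},  # OCI but not OSN: excluded
            {"cidr": "198.51.100.0/24", "tags": ["OCI", "OSN"]},
        ]},
        {"region": "eu-frankfurt-1", "cidrs": [
            {"cidr": "203.0.113.0/24", "tags": ["OCI", "OSN"]},
        ]},
    ],
})


def osn_cidrs(ranges_json, region):
    """Return the OSN-tagged networks for one region, collapsed and sorted."""
    data = json.loads(ranges_json)
    nets = [ipaddress.ip_network(c["cidr"])
            for r in data["regions"] if r["region"] == region
            for c in r["cidrs"] if "OSN" in c.get("tags", [])]
    return list(ipaddress.collapse_addresses(nets))


def egress_rules(nets):
    """OCI-style stateful egress rules: TCP/443 to each OSN CIDR, nothing else."""
    return [{"destination": str(n), "protocol": "6", "isStateless": False,
             "tcpOptions": {"destinationPortRange": {"min": OSN_PORT, "max": OSN_PORT}}}
            for n in nets]


def is_allowed(nets, dst_ip, dst_port):
    """Would this flow pass the allow-list? Default deny for anything off-list."""
    addr = ipaddress.ip_address(dst_ip)
    return dst_port == OSN_PORT and any(addr in n for n in nets)


if __name__ == "__main__":
    nets = osn_cidrs(SAMPLE_RANGES, "us-phoenix-1")
    print(json.dumps(egress_rules(nets), indent=2))
    print(is_allowed(nets, "192.0.2.10", 443), is_allowed(nets, "192.0.2.200", 443))
```

Against the real ranges file, re-run the generator whenever the published list changes, since a stale allow-list silently breaks uploads rather than weakening security.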

The following diagram illustrates the reference architecture.

Diagram download: mgmtgw-secure-upload-sgw-arch-oracle.zip

Reference architecture with Gateway Peering

You can set up your on-premises network with private access to Oracle services through Management Gateway Peering over a secure tunnel. The on-premises Management Gateway is configured to redirect traffic to the Management Gateway within the cloud VCN.

Using the service gateway, this traffic can be forwarded to Oracle Cloud Observability and Management Platform Services.

The following diagram illustrates the reference architecture.

Diagram download: mgmtgw-secure-upload-peering-arch-oracle.zip

The architecture has the following components:

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • VCN attachments

    You can attach multiple VCNs to a single DRG. Each VCN can be in the same tenancy as the DRG or in a different tenancy.

  • Route table

    Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Site-to-Site VPN

    Site-to-Site VPN provides IPSec VPN connectivity between your on-premises network and VCNs in Oracle Cloud Infrastructure. The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives.

  • Dynamic routing gateway (DRG)

    The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, and between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Management Gateway

    Management Gateway provides a single egress point for management agents and other clients to connect to OCI services.

  • Management Agent

    Management Agent allows a management service plug-in to monitor and collect data from sources that reside on the hosts or virtual hosts where the Management Agent is installed. The Management Agent can connect to OCI directly using the Management Agent service.

  • Logging Analytics

    Oracle Cloud Infrastructure Logging Analytics is a fully managed SaaS regional service available in more than 27 regions that provides collection, indexing, enrichment, query, visualization, and alerting for logs from any IT component running on-premises, on OCI, or on a third-party cloud.

  • Application Performance Monitoring

    Oracle Cloud Infrastructure Application Performance Monitoring provides deep visibility into the performance of applications and provides the ability to diagnose issues quickly in order to deliver a consistent level of service. This includes the monitoring of the multiple components and application logic spread across clients, third-party services, and back-end computing tiers, on premises or in the cloud.

  • Database Management

    Database Management Cloud Service provides DBAs with a unified console for on-premises and cloud databases, with lifecycle database management capabilities for monitoring, performance management, tuning, and administration. Use advanced database fleet diagnostics and tuning to troubleshoot issues and optimize performance. Optimize SQL with real-time SQL monitoring and simplify database configurations.

  • Operations Insights

    Oracle Cloud Infrastructure Operations Insights enables administrators to uncover performance issues, forecast consumption, and plan capacity using machine-learning based analytics on historical and SQL data. Organizations can use these capabilities to make data-driven decisions to optimize resource use, proactively avoid outages, and improve performance.

Considerations

When implementing this reference architecture, consider these options.

  • Cost

    Management Gateway, Management Agent, VCNs, subnets, DRGs, security lists, and route tables have no additional cost. The test VM in the deployment can use the Free Tier shape.

    If you use the Free Tier instances, set the test VM as a regular shape instance.

  • Availability and redundancy
    • Management Gateway HA supports deployment behind load balancers.
    • DRGs are redundant and fail over automatically.
    • Each connection can have multiple tunnels.
    • Consider using multiple internet links from different providers in production environments.

Acknowledgments

  • Author: Parmeet Arora
  • Contributor: Zubair Ansari