Before You Begin

This 30-minute tutorial describes options available for networking resources, including multiple Virtual Cloud Networks (VCNs), multiple compartments, private domain name service (DNS) zones, and Network Security Groups. Advanced users can consider these options to use with PeopleSoft Cloud Manager.

Background

When you use Resource Manager to install the Cloud Manager stack, you can create a VCN and necessary networking resources as part of the Resource Manager process. With a single VCN, the Cloud Manager instance and the provisioned PeopleSoft environments will use the same networking resources. The features described in this tutorial give you expanded flexibility in setting up networks.

The use of the Oracle Cloud Infrastructure resources described here requires an advanced networking configuration. This material is meant for advanced users who want to design and set up the network resources manually.

This is the fifth tutorial in the Install PeopleSoft Cloud Manager series. Read the tutorials in the order listed. The optional tutorials offer alternate methods for setup.

Use Multiple VCNs and Compartments for Provisioned and Migrated Environments

When creating and migrating PeopleSoft environments, you can specify different VCNs and different compartments for the various nodes. For example:

  • Set up the Cloud Manager instance on one VCN, and the provisioned PeopleSoft environments on separate VCNs. 
  • Use different compartments and VCNs for development and test environments.
  • Set up the middle tier, database tier, and PeopleSoft Windows Client on separate VCNs.

This illustration shows four compartments with four VCNs.

Example of multiple VCNs and compartments for PeopleSoft environments
  • Compartment 1 and VCN 1 hold a full-tier node.
  • Compartment 2 and VCN 2 hold an Elasticsearch, Logstash, and Kibana (ELK stack) node.
  • Compartment 3 and VCN 3 hold a PeopleSoft Windows Client node.
  • Compartment 4 and VCN 4 hold a Database on Compute Database Service (DBS) and an Autonomous Database on dedicated infrastructure (ADB-D).
  • VCN peering has been set up to allow communication between the four VCNs.

To use multiple VCNs and compartments with Cloud Manager and provisioned PeopleSoft environments:

  1. Create the VCNs.

    When you use the Resource Manager stack to install Cloud Manager, you can create a VCN for the Cloud Manager instance. You must create other VCNs separately in Oracle Cloud Infrastructure.

    Review the tutorial Install the PeopleSoft Cloud Manager Stack with Resource Manager for information about the VCN that the Resource Manager process creates.

    Review the tutorial Create a Virtual Cloud Network for PeopleSoft Cloud Manager in the Oracle Cloud Infrastructure Console (Optional) for an example of creating a VCN with internet gateway, NAT gateway, service gateway, subnets, and basic security rules.

    See Virtual Networking Quickstart in the Oracle Cloud Infrastructure documentation for more information.

  2. Set up local VCN peering.

    You must set up local VCN peering to allow the resources in the VCNs to communicate. Local VCN peering connects two VCNs in the same region so that their resources can communicate using private IP addresses without routing the traffic over the internet or through your on-premises network.

    See Local VCN Peering Using Local Peering Gateways in the Oracle Cloud Infrastructure documentation.

    Note:

    Instead of doing local VCN peering, you can set up a Dynamic Routing Gateway (DRG) to connect the different VCNs.

    See Dynamic Routing Gateways (DRGs) in the Oracle Cloud Infrastructure documentation.

  3. Set up domain name service (DNS) resolution between the VCNs if necessary.

    See the following section Add Private DNS Views to a Private DNS Resolver.

  4. As a result of the VCN peering and DNS configurations in items 2 and 3, VMs in the first VCN’s subnet and VMs in the second VCN’s subnet should be able to connect to each other using each other's private IP addresses and using the FQDNs assigned by OCI.
  5. In Cloud Manager, use multiple VCNs and compartments to:
    • Create environment templates.

      You can select separate VCNs and compartments for the nodes. See Managing Templates in the PeopleSoft Cloud Manager documentation, on the PeopleSoft Cloud Manager page on the Oracle Help Center.

    • Use Shared FSS (Linux Mid-Tier).

      If you use a shared FSS for your mid-tier nodes, you can set up the FSS in a separate VCN. This applies to both provisioning new environments and environments you lift and shift. You cannot select different compartments. See the topics Managing Environments and Using the Shift Process to Provision the Migrated Environment in Oracle Cloud, in the PeopleSoft Cloud Manager documentation on the PeopleSoft Cloud Manager page on the Oracle Help Center.

      Note:

      This applies only to Shared FSS for mid-tier. You cannot use multiple VCNs for the Cloud Manager instance and the FSS file system that is used for the Cloud Manager repository. See the tutorial Use File Storage Service for PeopleSoft Cloud Manager for information on the network requirements.
    • Provision a migrated (lifted) environment.

      You can select separate VCNs and compartments for the nodes. See Using the Shift Process to Provision the Migrated Environment in Oracle Cloud, in the PeopleSoft Cloud Manager documentation on the PeopleSoft Cloud Manager page on the Oracle Help Center.

    • Set up the PeopleSoft Update Manager (PUM) source for Cloud Manager self-updates.

      You can select separate VCNs for the full-tier and PeopleSoft Client nodes. You cannot select different compartments for the nodes in the PUM source. See Automatically Applying Updates Using Manage Updates, in the PeopleSoft Cloud Manager documentation on the PeopleSoft Cloud Manager page on the Oracle Help Center.


Add Private DNS Views to a Private DNS Resolver

Set up DNS resolution in the VCNs in such a way that:

  • Any VM in the first VCN's subnet will be able to resolve the fully-qualified domain name (FQDN) of any VM in the second VCN's subnet.
  • The reverse is true: Any VM in the second VCN's subnet will be able to resolve the fully-qualified domain name (FQDN) of any VM in the first VCN's subnet.

One way to set up DNS resolution is by adding private views to the private DNS resolver associated with the VCN. When you create a VCN and select the Use DNS hostnames in this VCN option, this choice creates a dedicated private DNS resolver and a default private view with system-managed zones. A private DNS resolver answers DNS queries for a VCN per a configuration you create.

See DNS in Your Virtual Cloud Network, Private DNS Resolvers, in the Oracle Cloud Infrastructure documentation.

  1. In Oracle Cloud Infrastructure, locate the first VCN, and select View Details from the Action menu.
  2. Select the DNS Resolver link on the VCN details page.
    View Cloud Network Details page
  3. On the Private Resolver Details page, click Manage Private Views.
    Private Resolver Details page
  4. Choose a private view for the second VCN.
  5. Click Save Changes.
    Manage Private Views dialog box
  6. Similarly, view details for the second VCN and access the Private Resolver Details page.
  7. Choose a private view for the first VCN and save.
  8. Verify by trying to resolve an FQDN in the second VCN from a host in the first VCN, and also resolve an FQDN in the first VCN from a host in the second VCN.
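
The verification in step 8 can be scripted. The following is an added example, not part of the original tutorial: run on a host in the first VCN, it resolves each listed FQDN in the second VCN and reports names that fail to resolve or that resolve to an address outside the peer VCN's CIDR block. The host name, DNS labels and CIDR block are constructed for illustration; swap in the first VCN's names and CIDR when running it from the second VCN.

```python
import ipaddress
import socket

# Constructed sample: the FQDN follows OCI's
# <host>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com pattern; the labels
# and the CIDR block are assumptions for illustration.
CHECKS_FROM_VCN1 = {"elk01.sub2.vcn2.oraclevcn.com": "10.1.0.0/16"}


def system_resolver(fqdn):
    """Resolve through the host's configured resolver (the VCN resolver on an OCI VM)."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)}


def check_cross_vcn_dns(checks, resolve=system_resolver):
    """Return {fqdn: problem} for names that fail or resolve outside the peer VCN."""
    problems = {}
    for fqdn, peer_cidr in checks.items():
        network = ipaddress.ip_network(peer_cidr)
        try:
            addresses = resolve(fqdn)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            problems[fqdn] = f"did not resolve: {exc}"
            continue
        outside = sorted(a for a in addresses if ipaddress.ip_address(a) not in network)
        if not addresses:
            problems[fqdn] = "resolved to no addresses"
        elif outside:
            problems[fqdn] = f"resolved outside {peer_cidr}: {', '.join(outside)}"
    return problems


if __name__ == "__main__":
    for name, problem in check_cross_vcn_dns(CHECKS_FROM_VCN1).items():
        print(f"{name}: {problem}")
```

An empty result means every name resolved to a private address inside the peer VCN, which is the outcome expected once both private views are attached.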

Configure a Private DNS Zone

Create a private DNS zone in Oracle Cloud Infrastructure to contain records that associate your private domain names with their IP addresses. This applies to the following scenarios:

  • VM instances in different subnets in the same VCN
  • VCNs connected through peering
  • VCN connected with a customer's on-premises network through a Dynamic Routing Gateway (DRG)

To create a private DNS zone and associate it with a VCN, see Private DNS in the Oracle Cloud Infrastructure documentation. The tutorial Configure private DNS zones, views, and resolvers gives an example of setting up two private zones and records.

Set Up Private Endpoints and Rules

Use listening and forwarding endpoints and rules to direct DNS queries from one VCN to another. A listening endpoint monitors for DNS queries from other networks. A forwarding endpoint directs DNS queries from one VCN on to other networks. By connecting the first VCN's forwarding endpoint with another VCN's listening endpoint, or the listening endpoint for an on-premises DNS, DNS queries can be forwarded from the first VCN to the other VCN. This allows VMs in the first VCN to resolve DNS names in the other VCNs or on the on-premises network.

See DNS in Your Virtual Cloud Network, Private DNS resolvers in the Oracle Cloud Infrastructure documentation.

Use Network Security Groups

When you create an instance, you assign it to a subnet of a VCN. Each subnet has a primary VNIC, and a list of security rules. With network security groups (NSGs), you can organize security rules into smaller groups. In this way, you have more control over the rules associated with the components of an instance, such as the nodes of a PeopleSoft environment.

An NSG consists of a set of VNICs and a set of security rules that apply to those VNICs. An NSG provides a virtual firewall for a set of cloud resources that all have the same security posture. For example: a group of Compute instances that all perform the same tasks and thus all need to use the same set of ports.

See Network Security Groups in the Oracle Cloud Infrastructure documentation.

After you create one or more NSGs in Oracle Cloud Infrastructure, you can associate them to components in provisioned and migrated environments in Cloud Manager. Here is a summary of the steps:

  1. Select the VCN that you want to use for your NSGs.

    If you want to use more VCNs in addition to that created by the Cloud Manager installation, create them in Oracle Cloud Infrastructure. To create a VCN with internet gateway, NAT gateway, service gateway, subnets, and basic security rules, see Virtual Networking Quickstart in the Oracle Cloud Infrastructure documentation.

  2. Add one or more NSGs to the VCN and add the required security rules.

    See Network Security Groups in the Oracle Cloud Infrastructure documentation.

  3. In Cloud Manager, use NSGs in these cases:
    • Create environment templates.

      You can associate up to five NSGs with each tier. See Managing Templates in the PeopleSoft Cloud Manager documentation, on the PeopleSoft Cloud Manager page on the Oracle Help Center.

    • Add a node to an environment.

      You can associate up to five NSGs with each node. See Managing Environments in the PeopleSoft Cloud Manager documentation on the PeopleSoft Cloud Manager page on the Oracle Help Center.

    • Provision a migrated (lifted) environment.

      You can associate up to five NSGs with each tier. See Using the Shift Process to Provision the Migrated Environment in Oracle Cloud in the PeopleSoft Cloud Manager documentation on the PeopleSoft Cloud Manager page on the Oracle Help Center.

Create a Network Security Group

In this example, we add a network security group, NSG1, to the VCN pscm_network. NSG1 is set up to allow ingress only from CIDR 10.0.1.0/24, which is the subnet for a full-tier instance in this example, on TCP port 9200 for Elasticsearch, TCP port 5601 for Kibana, and port 22 for SSH.

  1. In the details page for the VCN, select Network Security Groups from the list of Resources on the left.
    Virtual Cloud Network Details page
  2. Click Create Network Security Group.
    Virtual Cloud Network Details page with Create Network Security Group button
  3. Enter a name for the NSG and select the compartment where you want to create it.

    Click Next.

    Create Network Security Group page
  4. Specify values to allow incoming traffic on port 9200 for Elasticsearch.
    Create Network Security Group page with one NSG
    • Direction: Ingress
    • Source Type: CIDR
    • Source CIDR: 10.0.1.0/24
    • IP Protocol: TCP
    • Source Port Range: All
    • Destination Port Range: 9200
  5. Click +Another Rule.
  6. Specify the following values to allow incoming traffic on port 5601 for Kibana.
    • Direction: Ingress
    • Source Type: CIDR
    • Source CIDR: 10.0.1.0/24
    • IP Protocol: TCP
    • Source Port Range: All
    • Destination Port Range: 5601
  7. Click +Another Rule.
  8. Specify the following values to allow SSH access on port 22.
    • Direction: Ingress
    • Source Type: CIDR
    • Source CIDR: 10.0.1.0/24
    • IP Protocol: SSH
    • Source Port Range: All
    • Destination Port Range: 22
  9. Click Create to finish.
  10. Use the NSG in Cloud Manager as described in the section Use Network Security Groups.
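
After the NSG is created, its rules can be checked against the intent stated for NSG1: TCP ingress from 10.0.1.0/24 only, on ports 22, 5601 and 9200. The following is an added example, not part of the original tutorial. It audits an exported rule list and flags any ingress rule broader than that policy; the key names assume the JSON printed by `oci network nsg rules list`, and the sample rules are constructed.

```python
import ipaddress

# Policy from the NSG1 walkthrough: TCP ingress from the full-tier subnet only.
ALLOWED_SOURCE = ipaddress.ip_network("10.0.1.0/24")
ALLOWED_PORTS = {22, 5601, 9200}

# Constructed sample; key names assume the JSON printed by
# `oci network nsg rules list`. The last two rules are deliberately too broad.
SAMPLE_RULES = [
    {"direction": "INGRESS", "protocol": "6", "source-type": "CIDR_BLOCK",
     "source": "10.0.1.0/24",
     "tcp-options": {"destination-port-range": {"min": 9200, "max": 9200}}},
    {"direction": "INGRESS", "protocol": "6", "source-type": "CIDR_BLOCK",
     "source": "10.0.1.0/24",
     "tcp-options": {"destination-port-range": {"min": 5601, "max": 5601}}},
    {"direction": "INGRESS", "protocol": "6", "source-type": "CIDR_BLOCK",
     "source": "0.0.0.0/0",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"direction": "INGRESS", "protocol": "6", "source-type": "CIDR_BLOCK",
     "source": "10.0.1.0/24", "tcp-options": None},
]

def audit_ingress(rules, allowed_source=ALLOWED_SOURCE, allowed_ports=ALLOWED_PORTS):
    """Return (rule_index, reason) for every ingress rule wider than the policy."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("direction") != "INGRESS":
            continue
        if rule.get("source-type") != "CIDR_BLOCK":
            findings.append((i, "source is not a CIDR block"))
        else:
            src = ipaddress.ip_network(rule["source"], strict=False)
            if src.version != allowed_source.version or not src.subnet_of(allowed_source):
                findings.append((i, f"source {src} is outside {allowed_source}"))
        if rule.get("protocol") != "6":  # "6" is the IANA protocol number for TCP
            findings.append((i, "protocol is not TCP"))
            continue
        port_range = (rule.get("tcp-options") or {}).get("destination-port-range")
        if not port_range:
            findings.append((i, "no destination port range, so all TCP ports are open"))
            continue
        extra = set(range(port_range["min"], port_range["max"] + 1)) - allowed_ports
        if extra:
            findings.append((i, f"opens {len(extra)} port(s) outside the policy"))
    return findings

if __name__ == "__main__":
    for index, reason in audit_ingress(SAMPLE_RULES):
        print(f"rule {index}: {reason}")
```

On the constructed sample, the third rule is flagged for its 0.0.0.0/0 source and the fourth for omitting a destination port range.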

Next Steps

Create a Custom Linux Image for PeopleSoft Cloud Manager (Optional)

Learn More