Create an Oracle SOA Cloud Service Instance Attached to a Private Subnet on Oracle Cloud Infrastructure

This topic does not apply to Oracle Cloud Infrastructure Classic.

When you create an Oracle SOA Cloud Service instance in an Oracle Cloud Infrastructure region, you can attach the instance to either a private subnet or a public subnet. If you attach the instance to a private subnet, then the nodes of the instance can’t have public IP addresses. They are isolated from the public Internet.

Create the Required Resources in Oracle Cloud Infrastructure

Before creating an Oracle SOA Cloud Service instance attached to a private subnet, you must fulfill certain prerequisites, including creating the required identity, networking, and storage resources in Oracle Cloud Infrastructure.
  1. Generate an SSH key pair.

    See Generate a Secure Shell (SSH) Public/Private Key Pair.

    Note the path and name of the files that contain the private and public keys. You’ll need the keys later.

  2. Complete the following steps from the tutorial Creating the Infrastructure Resources Required for Oracle Platform Services:
    1. Create a compartment.
      If you want to create the Oracle Cloud Infrastructure resources in an existing compartment, then skip this step.
    2. Create a virtual cloud network (VCN) in the compartment you created or identified.
      If you want to use an existing VCN, then skip this step.
    3. Create a policy to allow Oracle Cloud platform services to use the networking resources in the compartment that you created or identified.
      If the required policy exists for the compartment that you want to use, then skip this step.
    4. Create a bucket in the Object Storage service to store backups of your Oracle SOA Cloud Service instance.

      Note:

      The user creating the bucket must be a user in Oracle Cloud Infrastructure Identity and Access Management (IAM), not a federated user.

      If you’d like to use a bucket that was created previously, then skip this step.

      Note the name of the bucket. You’ll need it later while creating the service instance.

    5. Generate authentication tokens for the users who created the bucket.

      If you have the required token already, then skip this step.

      Note the authentication token value. You’ll need it later while creating the service instance.

  3. In the VCN that you created or identified earlier, create the required networking resources:
    1. Create a service gateway.

      The service gateway is required for the Oracle SOA Cloud Service instance to access the Object Storage service.

      See Setting Up a Service Gateway in the Oracle Cloud Infrastructure documentation.

    2. Create an internet gateway.

      The internet gateway enables communication between the public Internet and the Bastion node.

      See Working with Internet Gateways in the Oracle Cloud Infrastructure documentation.

    3. (Optional) Create a NAT gateway.

      The NAT gateway is required for the nodes of the Oracle SOA Cloud Service instance to access the public Internet. Such access is useful when, for example, you want to allow the nodes to access the Oracle Yum server to download additional packages or OS patches.

      See Setting Up a NAT Gateway in the Oracle Cloud Infrastructure documentation.

    4. Create the following route table:

      See Working with Route Tables in the Oracle Cloud Infrastructure documentation.

      Route Table route.private for the Private Subnet

      | Route Rule | Destination | Target |
      |---|---|---|
      | To route traffic bound for the Object Storage service through the service gateway | Service: OCI region Object Storage | Service gateway |
      | (Optional) To route traffic bound for the public Internet through the NAT gateway | CIDR: 0.0.0.0/0 | NAT gateway |

    5. Create the following security lists:

      See Working with Security Lists in the Oracle Cloud Infrastructure documentation.

      Security List seclist.bastion for the Bastion Subnet

      | Security Rule | Source / Destination | IP Protocol / Port |
      |---|---|---|
      | (Ingress) To allow SSH connections to the Bastion node | Source CIDR: 0.0.0.0/0 | SSH / 22 |
      | (Egress) To allow all outbound traffic | Destination CIDR: 0.0.0.0/0 | All protocols / ports |

      Security List seclist.private for the Private Subnet

      | Security Rule | Source / Destination | IP Protocol / Port |
      |---|---|---|
      | (Ingress) To allow traffic from the other compute nodes in the VCN | Source CIDR: 10.0.0.0/16 | All Protocols |
      | (Egress) To allow all outbound traffic | Destination CIDR: 0.0.0.0/0 | All Protocols |

    6. Create the following subnets:

      See Working with VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

      | Subnet Purpose (Suggested Name) | Availability Domain | Attributes |
      |---|---|---|
      | For the Bastion host (subnet.bastion) | AD1 | Example CIDR (see Footnote 1): 10.0.1.0/24; Route table: route.public; Subnet access: Public; Security list: seclist.bastion |
      | For the service instances (subnet.private) | AD1 | Example CIDR: 10.0.4.0/24; Route table: route.private; Subnet access: Private; Security list: seclist.private |

      Footnote 1: Assuming the VCN’s CIDR is 10.0.0.0/16.

      Note:

      Make a note of the OCIDs of the subnets. You’ll need them later while creating the Bastion host and the service instance.
  4. Create a compute instance and attach it to the public subnet that you created for the Bastion host.

    Through this node, administrators can access the administration console of the Oracle SOA Cloud Service instance and connect using SSH to the compute nodes of the service instance.

    See Creating an Instance in the Oracle Cloud Infrastructure documentation.

    After creating the Bastion compute instance, note its public IP address.

You’ve created the required resources in Oracle Cloud Infrastructure. You can now create the Oracle SOA Cloud Service instance.

Create an Oracle SOA Cloud Service Instance Attached to a Private Subnet

Use the REST API to create an Oracle SOA Cloud Service instance attached to a private subnet.

Note:

You cannot create an Oracle SOA Cloud Service instance on a private subnet using the Oracle SOA Cloud Service Console.

Prerequisite: Before creating an Oracle SOA Cloud Service instance, create an Oracle Cloud Infrastructure native database in the same private subnet. See Create an Oracle Cloud Infrastructure Database for Oracle SOA Cloud Service.

To create an Oracle SOA Cloud Service instance attached to a private subnet:

  1. Create a request body in JSON format by using the following template, and save it in a plain-text file (for example, create-soacs-instance-on-oci.json):

    Notes:

    • This template includes only the minimum set of parameters required to create an instance of Oracle SOA Cloud Service running Oracle WebLogic Server Enterprise Edition.
    • This template creates an Oracle SOA Cloud Service instance with Oracle Traffic Director (OTD). If you do not want OTD to be provisioned along with the Oracle SOA Cloud Service instance, then set:
      "provisionOTD":"false",

      and remove the following under "components":

       "OTD":{
               "loadBalancingPolicy":"LEAST_CONNECTION_COUNT",
               "shape":"VM.Standard2.1"
            },

    {
       "region":"us-phoenix-1",
       "edition":"SUITE",
       "purchasePack":"soaosbb2b or mft",
       "vmPublicKeyText":"ssh-rsa vm_public_key_text_value",
       "availabilityDomain":"bcaH:PHX-AD-1",
       "provisionOTD":"true",
       "enableNotification":"false",
       "cloudStorageContainer":"https://swiftobjectstorage.us-ashburn-1.oraclecloud.com/v1/ocitenancey/soabackup",
       "cloudStorageUser":"user@example.com",
       "cloudStoragePassword":"authtoken",
       "serviceVersion":"12cRelease213 or 12cRelease214",
       "serviceLevel":"PAAS",
       "serviceName":"soacsInstanceName",
       "subnet":"ocid1.subnet.oc1.phx.aaaaaaaacukvw55crhp2ekd2f36vltcpsccx43igo3dlezejc3dqwft7dgga",
       "isBYOL":"false",
       "components":{
          "OTD":{
             "loadBalancingPolicy":"LEAST_CONNECTION_COUNT",
             "shape":"VM.Standard2.1"
          },
          "WLS":{
             "adminUserName":"weblogic",
             "adminPassword":"webLogicPassword",
             "dbaName": "sys",
             "dbaPassword": "sysPassword",
             "managedServerCount":"1",
             "connectString": "dbhost:1521/PDB.subnet.vcn.oraclevcn.com",
             "shape":"VM.Standard2.1"
          }
       },
       "enableAdminConsole":"true",
       "meteringFrequency":"HOURLY"
    }

    where:

    • vm_public_key_text_value is the public key from the SSH key pair that you generated earlier.
    • adminPassword and dbaPassword: min 8 chars, at least 1 uppercase, 1 number, and special char _ or #.
    • connectString: use the correct PDB name.

    For information about the REST API payload, see REST API for Oracle SOA Cloud Service.

  2. Send the REST API request.
    To determine the REST endpoint URL, see "REST API Endpoints for Platform Services" in Getting Started with Oracle Platform Services in the Oracle Cloud Infrastructure documentation.

    The following is an example of a REST API request to create an Oracle SOA Cloud Service instance:

    curl -X POST https://psm.us.oraclecloud.com/paas/api/v1.1/instancemgmt/identityServiceID/services/soa/instances \
    -u user:password \
    -H 'X-ID-TENANT-NAME: identityServiceID' \
    -H 'Content-Type: application/vnd.com.oracle.oracloud.provisioning.Service+json' \
    -d @create-soacs-instance-on-oci.json

    where:

    • identityServiceID: The identity service ID of your Oracle Cloud account.

      You can find this information on the service details page for any service in the Oracle Cloud Infrastructure Console.

    • user: Your Oracle Cloud user name.

    • password: Your Oracle Cloud password.

    A message similar to the following is displayed, indicating that the request was accepted:
    {
      "details": {
        "message": "Submitted job to create service [mySOACS] in domain [identityServiceID].",
        "jobId": "50572730"
      }
    }
  3. Wait for the instance to be created.
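
A pre-flight check for the request body and a submit wrapper, as an added example that is not part of the Oracle procedure. It applies the password rule given with the template, rejects a body that still carries the template's placeholder values, restricts the file to its owner, and lets curl prompt for the password. The function names are hypothetical; the endpoint and headers are the ones shown in step 2.

```shell
# Added example, not Oracle code. Function names are hypothetical.

# Password rule stated with the template: min 8 chars, at least 1 uppercase,
# 1 number, and the special character _ or #.
check_soacs_password() {
  pw=$1
  [ "${#pw}" -ge 8 ] || return 1
  case $pw in *[[:upper:]]*) ;; *) return 1 ;; esac
  case $pw in *[[:digit:]]*) ;; *) return 1 ;; esac
  case $pw in *[_#]*) ;; *) return 1 ;; esac
}

# Print the string value of the first "key":"value" pair found in a file.
json_value() {
  sed -nE 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1/p' "$2" | head -n 1
}

preflight_body() {
  body=$1 rc=0
  for key in adminPassword dbaPassword; do
    check_soacs_password "$(json_value "$key" "$body")" ||
      { echo "$key: does not meet the password rule" >&2; rc=1; }
  done
  # Values copied unchanged from the template are placeholders, not credentials.
  if grep -nE 'vm_public_key_text_value|"authtoken"|"webLogicPassword"|"sysPassword"' "$body" >&2; then
    echo "template placeholders still present (lines above)" >&2; rc=1
  fi
  # The file holds an auth token and two passwords: owner-only access.
  chmod 600 "$body" || rc=1
  return "$rc"
}

# Submit only after the checks pass. With "-u user" and no password, curl
# prompts for it, so the password is not in shell history or the process list.
submit_soacs_request() {  # args: identityServiceID user body-file
  preflight_body "$3" || return 1
  curl -X POST "https://psm.us.oraclecloud.com/paas/api/v1.1/instancemgmt/$1/services/soa/instances" \
    -u "$2" \
    -H "X-ID-TENANT-NAME: $1" \
    -H 'Content-Type: application/vnd.com.oracle.oracloud.provisioning.Service+json' \
    -d @"$3"
}
```

Call it as `submit_soacs_request identityServiceID user create-soacs-instance-on-oci.json`; delete the body file once the instance exists, since it contains the credentials in clear text.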

Notes:

  • If you followed all prerequisites and the instance creation fails, make sure that you don't have firewall settings blocking your request.

  • If you want to scale out or scale in the instance, you must use the corresponding REST API. These operations will not succeed using the Oracle SOA Cloud Service Console.

  • The compute nodes of Oracle SOA Cloud Service instances that are attached to private subnets in Oracle Cloud Infrastructure have private IP addresses, so you can’t ssh to the nodes or access the administration consoles of such instances from the public Internet.

  • You can access the administration consoles and connect to the nodes of such instances through a Bastion host attached to a public subnet or through your on-premises network by using IPSec VPN connectivity. See Extend Your On-Premises Network with a VCN on Oracle Cloud Infrastructure.

    1. Connect to the Oracle SOA Cloud Service instance through SSH using the Bastion node. Note that the Bastion VM is in the same VCN but in a different, public subnet.
      ssh -i opc_key opc@publicBastionIP
    2. Copy the private key to the Bastion node, and then, from the Bastion node, run the following command to connect to the Oracle SOA Cloud Service instance through SSH:
      ssh -i /tmp/opc_key opc@privateIP

      where privateIP is the WebLogic Server private IP address or the OTD private IP address.
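
An alternative that keeps the private key on the administrator's workstation, as an added example that is not part of the Oracle procedure: OpenSSH's ProxyJump option (OpenSSH 7.3 or later) carries the second hop through the Bastion node, so no key is stored on the Bastion. The function name and the host aliases soacs-bastion and soacs-node are hypothetical.

```shell
# Added example, not Oracle code. Prints an ssh_config stanza.
# Usage: soacs_ssh_stanza BASTION_PUBLIC_IP NODE_PRIVATE_IP KEY_PATH
soacs_ssh_stanza() {
  bastion_ip=$1 node_ip=$2 key=$3
  # Accept only dotted-quad addresses so nothing else can be written into
  # the config (a value with spaces or newlines is rejected).
  for ip in "$bastion_ip" "$node_ip"; do
    if printf '%s\n' "$ip" | grep -Evq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
      echo "not an IPv4 address: $ip" >&2
      return 1
    fi
  done
  # A config file is used because "-i" on the ssh command line applies to the
  # destination host only, not to the jump host.
  cat <<EOF
# Bastion node in the public subnet (subnet.bastion)
Host soacs-bastion
    HostName $bastion_ip
    User opc
    IdentityFile $key
    IdentitiesOnly yes
    ForwardAgent no

# WebLogic Server or OTD node in the private subnet (subnet.private)
Host soacs-node
    HostName $node_ip
    User opc
    IdentityFile $key
    IdentitiesOnly yes
    ProxyJump soacs-bastion
EOF
}
```

Append the output to `~/.ssh/config` and connect with `ssh soacs-node`; authentication to both hosts is performed by the local ssh client.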