0% found this document useful (0 votes)

225 views

Practical Guide To OCI Lab Guide

Uploaded by

Hemendra Kapadia

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

225 views

Practical Guide To OCI Lab Guide

Uploaded by

Hemendra Kapadia

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 156

Lab Guide

A Practical Guide to
Oracle Cloud for Infrastructure

Version 1.1

Table of Contents

DISCLAIMER ....................................................................... 3
Cost Saving Best Practices ...................................................... 3
Lab Guide Overview .............................................................. 3
Signing up for OCI .................................................... 5
Core OCI Compute ................................................... 9
Core OCI Networking ............................................. 26
Core OCI Block Storage .......................................... 53
Core OCI Object Storage ......................................... 77
Core OCI Load Balancer ....................................... 102
Core Identity and Access Management .................. 117
References .......................................................................... 152
Appendix A : How to Access Private OCI Compute Instances using a Jump Server 152

DISCLAIMER
The student performing the steps in this lab guide is solely responsible for any charges incurred. The Author of this course and
TechTipsOnDemand are not liable for any charges you may incur while performing any of the labs or exercises associated with this course
and lab guide.

While the Author makes every attempt to leverage OCI services that are part of the Oracle Free Tier Trial Period, the availability of such
services as part of a free trial period are subject to change by Oracle and may convert to a paid service.

Any service that is part of the Free Trial period becomes a paid service after the trial period expires, and as such is the financial responsibility
of the student and the organization which owns the OCI Tenancy where the costs are incurred.

Cost Saving Best Practices

The following tips are recommended for minimizing any costs you may incur during the course of this lab:

1. Stop compute instances when you are not using them. Running compute instances cost money. Stopped instances do not cost money.
2. Delete block and boot volumes when you are done with them. Persistent storage such as block storage costs money.
3. Delete object storage objects when you are done with them. Persistent objects cost money.

Lab Guide Overview

This lab guide will teach you how to create, manage, and secure infrastructure in OCI, using a variety of methods and tools. Each lab builds
upon the previous, so it is highly recommended you perform all the labs in sequence.

The References section of this document contains links to the software needed for this lab, as well as links to online documentation for
reference.

System Requirements

There are very few system requirements for this course. Since everything we are doing is in the cloud, we simply need a computer with one of
the common operating systems and an internet connection.
© 2020 TechTipsOnDemand.com 3
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

• Operating System: Windows, Linux or OSX

• Internet connection
• Ability to sign up for an OCI account using a credit card or an existing account with sufficient privileges to execute the labs.

Organization

Each lab is organized into the following structure:

• Skills Learned describes what you will get out of the lab
• Overview describes the overall details of the lab
• Configuration Parameters defines parameters and values you will need to perform the lab
• Instructions provide the details steps needed to perform the lab

Links to required software can be found in the References section of this lab guide.

Need Help?

If you need help with the labs or have questions please write us at [email protected]

Signing up for OCI

Duration 30 minutes

Skills Learned
At the end of this exercise, you will be able to:

▪ Sign up for a free-tier OCI account

▪ Log into your OCI account

Overview
In this first lab you will sign up for the free-tier version of OCI. This lab will get you familiar with navigating the OCI console, viewing
account details, changing your password, and view billing information including creating a budget.

Instructions

1 Sign up for a Free-Tier OCI account

1.1 Visit http://www.oracle.com/cloud/free and click the sign-up button to create a new Oracle Cloud account.
1.2 Fill out the signup form and go through the email verification process.
1.3 As part of the signup, you will be asked to specify a Default Geographic Region for your account. The region you pick will
serve as your home region. I suggest you pick a region that is geographically close to where you or your company
resides. You can always subscribe to other regions.
1.4 You will be asked to specify a Tenancy name. The tenancy name must be globally unique within Oracle. Organizations
can have multiple tenancies and tend to name their tenancies after their department names or computing environments
(dev, test, production).

The tenancy name will be used when logging into the OCI console.
1.5 For individual users of OCI, select the Pay-as-you-Go model (PAYGO).
1.6 After you complete the registration process, you will receive a welcome email from Oracle containing information on how
to log into your account.
© 2020 TechTipsOnDemand.com 5
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
1.7 Use the link in the welcome email to access the OCI Console. Log in using your email address and the credentials you
specified when signing up for OCI.
2 Preparing your Tenancy for this Lab Guide
2.1 Whether you are working in a brand new tenancy that is entirely yours alone or you are sharing one with your
organization or group, we are going to carve out an area within the tenancy where we are going to perform all the lab
exercises.

As you will learn in lectures on OCI IAM and Compartments, OCI has a feature concept called Compartments. A
compartment is a way to organize and group OCI resources in a tenancy. A compartment structure can be flat or it can
be hierarchical. Compartments are also used with OCI’s authorization policies so that types of resources can be
managed by one group in a compartment while permitting users of another group to use those resources.

It is fairly common to see large organizations set up a compartment structure that aligns with their corporate structure or
IT and development departments.

For this lab guide, you will do all your work under one top level compartment that we will call OCI_Labs.

2.2 To create a compartment, log into the OCI Console and navigate to Identity > Compartments from the stacked navigation
menu in the upper left-hand corner of the Console.

You will see at least two compartments already, possibly more. By default, every tenancy comes with at least a root
compartment. All other compartments will hang off the root compartment.

2.3 Create a new compartment by clicking on the Create Compartment button.

2.4 In the dialog that appears, enter the name of the compartment OCI_Labs and a description. Make sure the Parent
compartment is the root compartment.

2.5 Click Create Compartment after filling in the information. Your compartment will be created. You may have to refresh
your browser window if the compartment does not immediately appear in the list.

3 Setting a Budget and Monitoring Usage

3.1 The first thing you should do after you create your account is to set up a budget in OCI. By defining a budget, OCI will
notify you when you approach, reach, and exceed the budget.

In this section you will define a monthly budget and then specify when to get alerted based on forecasted or actual
usage.

3.2 Log into the OCI Console and click on the three stacked bars in the upper left to pop out the main navigation menu.
3.3 Navigate to Account Management > Budgets
3.4 Click Create Budget and provide the following details:

© 2020 TechTipsOnDemand.com 7
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Budget Scope: Compartment
Name: Provide any name for your budget
Description: Leave blank
Target Compartment: OCI_Labs
Monthly Budget Amount: Enter a value that you are comfortable with. Remember, this is the figure OCI will use to alert
you.

Under Budget Rules, specify whether you want to be notified based on actual spend or forecasted spend. For this
course, I would suggest actual spend.

Under Threshold Type, select whether you want to be notified if you come within a certain percentage of your budget or
an actual dollar amount. For example, if your budget was $100 and you specify a threshold of 80%, you will get notified
when you use $80 worth of OCI services. Likewise, if you specify an absolute amount, you will get notified when you
consume that absolute amount.

Under Email Addresses, be sure to include your email address and an email message to remind you why you are
getting an email from Oracle.

Once done, click Create.

3.5 You can use OCI’s Cost Analysis tool to determine what services are costing you money. This is useful if your free trial
expires and your account converts to a normal paid account.

Access the Cost Analysis tool by going to Account Management > Cost Analysis.
3.6 You will be presented with a fairly typical reporting page. You can specify a date range and what type of report you want
to run. If you have created a new account, then this page will not be very excited since we have not used any services
yet.

Conclusion

In this lab you should have signed up for an OCI Account and with that received a free trial period. We also set up a budget so that we can be
alerted if we are using services that cost money and exceed our budget. Lastly, you got to see the Cost Analysis Tool which can be used to
generate real-time cost usage reports.

Core OCI Compute

Duration 1 hour

Skills Learned
At the end of this exercise, you will be able to:

▪ Create a compute instance

▪ Generate SSH keypairs for logging into OCI compute instances
▪ Create a second VNIC
▪ Use PuTTy to log into a compute instance
▪ Stop, Start, and Terminate compute instance
▪ Monitor health

Overview
We are going to dive right into creating our first compute instance in OCI just to get our feet wet very quickly. In this lab we are going to keep
things simple by starting with how to create a compute instance and how to log into it, and of course how to stop and terminate the instance.

We start here because 1) Creating compute instances is why we are here so let’s just cut to the chase and 2) we need to know how to deploy
compute instances in order to demonstrate how all the other OCI IaaS features work.

Estimated Costs

You may incur costs associated with running compute instances that are not part of the Always Free Eligible tier. Oracle charges for how long
a compute instance is running and the OCPU/hour rate is based upon the compute shape being used, so it is recommended that you use the
smallest shape possible and stop all instances when you are done working with them to reduce your costs.

Oracle provides an online cost estimator which you can use to estimate your costs based on expected usage.
https://www.oracle.com/cloud/cost-estimator.html

© 2020 TechTipsOnDemand.com 9
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
A word of caution! A running compute instance costs money and requires that you have a paid account or are in the free trial period to
provision. While there is an Always Free Tier available, it limits you to two compute instances. To save on costs, always STOP your compute
instances when you are done using them. A stopped instance does not incur any costs associated with compute, however any persistent
storage will indeed incur some costs.

Instructions

1 Generating SSH Keys

1.1 Linux compute instances in OCI use SSH keys for authentication. In this lab you will create an SSH keypair first, then
create a new compute instance with the public half of the keypair which will allow you to log in using ssh and the private
half of the keypair.

Instructions for generating ssh keys on Linux and Windows machines will be provided below.

1.2 Generating SSH Keys on Linux machines

In a Linux terminal window run the following command to generate an RSA-based key with a size of 4096 bits.

Leave the password blank when prompted.

$ ssh-keygen -t rsa -b 4096 -f oci_lab.id_rsa

The command will generate the private key oci_lab.id_rsa and the public key oci_lab.id_rsa.pub.

You can find more information on generating and managing SSH keys here:

https://www.ssh.com/ssh/keygen/

1.3 Generating SSH Keys on Windows machines using PuTTY

If you are on Windows, one of the more common SSH clients is PuTTY, a free SSH client and toolset that supports SSH
key creation and management.

You can download PuTTY at https://www.putty.org/.

Step 1. Download and install PuTTy from www.putty.org

Step 2. Start the PuTTYgen application from the Start menu.

Step 3. Generate a private key by first selecting RSA as the key type and the number of bits as 4096.

Then click the Generate button and move your mouse cursor around the PuTTYgen window. This is used to generate
some randomness that’s used in creating the private key.

Step 4. Once the generating is complete, select all the text in the ‘Public key for pasting … ‘ window shown below. Save
the text in a text file (using notepad or something similar) using the filename oci_lab.id_rsa.pub.

Step 5. Save the private key by clicking the Save private key button. Do not set a passphrase. Save the file using the
name oci_lab.ppk.

© 2020 TechTipsOnDemand.com 11
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Be sure to save the ppk (private putty key) in a safe location.

1.4 Generating SSH Keys in Windows using Powershell

Power users can also use powershell and openSSH tools instead of using PuTTY.

Open a Powershell window (Press Win + R and type powershell) and follow the instructions for Generating SSH Keys on
Linux.
2 Creating a Virtual Cloud Network
2.1 In order to create a compute instance, we need a place to deploy it. When you deploy a server in a data center, you
physically mount it in a rack and then connect it to the network. In the cloud case, you will create a virtual network called
a VCN and subnets within that VCN.

There is an entire lab that focused on OCI Networking and VCNs in detail, however for this lab you will use a default
configuration from OCI that will give us a basic VCN to work with.
2.2 Log into the OCI console and navigate to Networking > Virtual Cloud Networks
2.3 Under List Scope, select the OCI_Labs compartment. Recall from Lab 1 that we created the OCI_Labs compartment. All
OCI resources we create will be created in this compartment.
2.4 Select Start VCN Wizard.
2.5 Select VCN with Internet Connectivity, then click Start VCN Wizard.
2.6 Under Basic Information, specify vcn1 for the VCN name.
Verify the compartment is set to OCI_Labs.

Leave all the other values alone as they are sufficient for this lab.
2.7 Click Next to move to the Summary screen. This screen shows us how the VCN will be created and with what OCI
resources.

The VCN wizard gives us a rather functional network which includes both a public and private subnet, and various
network gateways for accessing the internet and OCI services.
2.8 Click Create.
2.9 Once OCI creates the VCN and all its resources, you may click on the View Virtual Cloud Network button at the bottom
of the screen.

© 2020 TechTipsOnDemand.com 12
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
3 Creating a Compute Instance
3.1 In this section you will launch a Linux compute instance in one of the public subnets you created earlier and connect to it
using ssh.

3.2 Log into the OCI console and navigate to Compute > Instances.
3.3 Under List Scope, select the OCI_Labs compartment if not already selected.
3.4 Click the Create Instance button.
3.5 The Create Compute instance screen provides a wide variety of parameters for configuring a compute instance.

Specify the following configuration parameters.

Name: Leave the system generated name

Create in compartment: OCI_Labs
3.6 Select Change Image and browse all the available images. Images that are tagged Always Free Eligible incur no
additional cost to use.

Platform images are maintained by Oracle and are your typical general purpose OS images.
Oracle Images are also maintained by Oracle but are purpose built for specific workloads or configurations.
Partner Images are developed and maintained by trusted Oracle third parties.

Under Image, use the image – Oracle Linux 7.9

3.7 Select Show Shape, Network, and Storage options to reveal additional parameters.

3.8 If your region has more than one availability domain, you have the option of specifying which AD to launch the compute
instance in. It is a best practice to spread your compute instances across availability domains within a region to provide

© 2020 TechTipsOnDemand.com 14
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
some level of fault tolerance and high availability in the event one AD goes offline.

In the Networking lab, we created regional subnets which span all ADs within a region, whereas a regular subnet only
exists in one AD. Regional subnets eliminate the need to set up additional subnets in each region, create route rules and
configure security lists to permit compute instances to talk to one another.

For this lab we will leave it in AD 1.

3.9 Select Change Shape to select the type and size of compute instance we want to create. The selection of shapes will
be restricted depending on whether you have a paid account or a free tier account.

For this lab we are going to use one of the Always Free Eligible shapes.

*** Keep in mind that you are limited to the number of Always Free Eligible compute instances you can create in a
tenancy. If there are no free compute instances available, then you would need to register a form of payment with your
OCI account in order to provision additionfal compute instances. ***

Select Virtual Machine for Instance Type.

Select one of the Always Free Eligible shapes under Specialty and Legacy shapes.

Then click the Select Shape button to return to the compute instance screen.

3.10 Next we want to configure the networking for this compute instance by specifying which network and subnet to launch
the compute instance in, and whether we want to assign a public IP address.

For this lab, we want to launch the compute instance in the bastion subnet we created earlier and assign a public IP
address so we can ssh into it.

Specify the following details:

© 2020 TechTipsOnDemand.com 16
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Virtual Cloud Network Compartment: OCI_Labs
Select a Virtual Cloud Network: vcn1
Subnet Compartment: root
Subnet: Public Subnet-vcn1(regional)

Select Assign a Public IP Address

3.11 Under Add SSH Keys, you can upload a private SSH key or you can have Oracle generate one for you, or not specify
one at all.

For this lab we are going to use the SSH keys we generated earlier by specifying the public key. Oracle will take the
public key and bootstrap the compute instance with it. You hold on to the private key.

Select Choose Public Key Files to load the oci_lab.id_rsa.pub (public key) that was created in the first part of the lab.

3.12 Click Create to launch the instance.

It will take a little bit of time to provision the instance. After you launch the instance, you will be taken to the instance
details page which has important information about the compute instance.
The work request status will change from Provisioning to Running (if all goes well).

3.13 Once the instance is running, you will see various details that are specific to the instance, such as networking details.

Note the public IP and private IP addresses that have been assigned to the instance. The public IP address is generated
by Oracle from their pool of public IPs. You will connect to this compute instance using its public IP.

The private IP address is assigned out of the subnet that the instance resides in.

3.14 Copy the public IP address of the instance.

4 Connect to the Compute Instance
4.1 This section provides instructions for connecting to the compute instance using SSH from Linux and Windows desktops.

4.2 Connecting to a Compute Instance from Linux

Open a terminal window in linux and run the following command to connect to the compute instance:

$> ssh -i /path/to/oci_lab.id_rsa ubuntu@public_IP_of_compute_instance

Be sure to specify the location of the private key you created earlier and the public IP address of the compute instance
© 2020 TechTipsOnDemand.com 18
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
you created. You can find the public IP address in the OCI console on the details page for the compute instance.

Let’s break this command down.

-i specifies what private key (identity file) to use. In this case you must specify the location of the private key you created
earlier.

opc@public_IP_of_compute_instance specifies what user and what host to connect to. For example,

$> ssh -i ~/.ssh/oci_lab.id_rsa [email protected]

This command will connect to the public IP address of a compute instance (129.146.132.172) as username opc (default OCI
username for Orale Linux images) using the identity file oci_lab.id_rsa.

4.3 Connecting to a Compute Instance from Windows using PuTTY

Launch PuTTY from the Windows Start Menu.

Enter opc@public_IP_of_compute_instance in the Hostname (or IP address) field.

Under SSH > Auth, specify the private key you created earlier by clicking the Browse button.

Go back to Session, enter a name for this session (ocilab) and click Save.

Click Open to open a connection to the compute instance. If you have any issues connecting to the new instance, be sure to
double-check:

1. You have specified the correct private key that goes with the public key on the compute
instance
2. You are connecting as user opc.
3. You are connecting to the correct public IP address for the compute instance. You can find the
public IP address in the OCI console under Compute > Instances.

4.4 Once you are connected to your compute instance, feel free to poke around the server.

Using the wizard to create a VCN automatically generated some basic network security rules that only allow us to SSH
into the network from the internet. We will learn more about securing VCNs in the OCI Networking lab.

© 2020 TechTipsOnDemand.com 20
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
5 Monitoring Health
5.1 Each OCI compute instance emits health and performance metrics to the OCI Monitoring service under the namespace
oci_computeagent.

The oci_computeagent namespace contains a variety of information specific to a compute instance, including CPU and
memory utilization, disk I/O, and network I/O.

5.2 You can quickly view the health of a particular compute instance by navigating to the compute instance (Compute >
Instances > bastion1 for example) and selecting Metrics as show in the screenshot below.

OCI provides an interactive report that allows you to look at metrics over a period of time. I

5.3 You can also access compute metrics from OCI Monitoring directly.

Navigate to Monitoring > Service Metrics from the main navigation menu.
Under Metric Namespace, select oci_computeagent
Select the OCI_Labs compartment.

This screen will display metrics for all compute instances in the OCI Labs compartment.

6 Create a Secondary vNIC

6.1 Creating additional nVNICs is akin to adding additional network cards to a server chassis. OCI supports creating
additional vNICs to support a variety of networking use cases, such as building your own NAT router for example.

The specific shape of a compute instance determines the number of vNICS that can be created. In this lab we will create
a new compute instance that supports additional vNICS. The compute instance will be created in a public subnet but the
secondary vNIC will be deployed in a private subnet. In essence this compute instance will have a ‘leg’ in each subnet.

6.2 Create a new compute instance using the method above, by placing it the public subnet for vcn1.

Use a compute shape that supports more than 1 vNIC. For example, under Specialty and Previous Generation shapes,
select the VM.Standard.E2.1 shape, which supports max of 2 vNICs.

Configure the instance to use the same SSH key you created earlier.

6.3 Once the instance has booted and is running, select Attached VNICS from the compute instance’s resources menu.

6.4 Click the Create VNIC button and specify the following details:

Name: secondvnic

© 2020 TechTipsOnDemand.com 22
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Network: Normal setup
Subnet: Use the private subnet in the vcn1 VCN. Be sure to select the OCI_Labs compartment.

Accept all other default values and save changes.

6.5 Once the secondary vnic is created, you must run a special Oracle script for the VNIC and local route table to be
configured on the compute instance.

SSH into the compute instance using your SSH key.

6.6 Run the following commands to download and execute the script as root.

$ sudo su
$ wget https://docs.oracle.com/en-
us/iaas/Content/Resources/Assets/secondary_vnic_all_configure.sh
$ chmod u+x secondary_vnic_all_configure.sh
$ ./secondary_vnic_all_configure.sh -c

6.7 Run the following ifconfig command to confirm that a second interface has been created. Take note of the IP address
assign to the second VNIC – in this example it is ens5. This IP address comes out of the CIDR block for the private
subnet in VCN1.

The primary VNIC, ens3, is assigned an IP address from the CIDR block for the public subnet.

$ ifconfig -a
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9000
inet 10.0.0.12 netmask 255.255.255.0 broadcast 10.0.0.255
ether 00:00:17:02:03:be txqueuelen 1000 (Ethernet)
RX packets 88007 bytes 143391102 (136.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 78519 bytes 71557388 (68.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9000

inet 10.0.1.2 netmask 255.255.255.0 broadcast 0.0.0.0
ether 02:00:17:05:d2:12 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)

© 2020 TechTipsOnDemand.com 23
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 11144 bytes 620808 (606.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11144 bytes 620808 (606.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
7 Managing Compute Instance Lifecycle
7.1 Compute instances go through several phases:

Stopped: Instance is powered off. No compute cost is incurred for a stopped instance.
Running: Instance is up and running. Compute costs are being incurred on an hourly basis.
Terminated: Instance has been deleted. No compute cost is incurred for a terminated instance.

Instances that are running incur cost since compute is charged on an hourly basis. Instances that are not running, either
stopped or terminated, do not incur compute costs.

7.2 When you create a compute instance using the OCI console, OCI will automatically launch the instance into a running
state.

You can use the console to stop, reboot, terminate or start an instance.

7.3 Let’s stop our running compute instance by navigating to Compute > Instances.

You will see a list of compute instances. Select the 3 dots (ellipsis) next to the instance we created earlier as shown in
the screenshot below.

Select Stop to shutdown the instance. You will be presented with a warning about shutting down the instance. Go ahead
and confirm the shutdown.

7.4 The compute instance’s state will change from Running to Stopping. Eventually the state will transition to Stopped.

7.5 To restart the instance, click on the ellipsis again and select Start. The state will change from Stopped to Starting, then
Running.

7.6 You can terminate an instance while it is either stopped or running. A terminated instance is effectively deleted.

Select Terminate from the ellipsis menu. You will be asked whether to preserve the boot volume. Go ahead and check
the box to delete the boot volume.

Boot volumes normally cost money since they are persistent storage, so be sure to delete your boot volumes when
terminating compute instances. We will cover boot volumes in a later lab.

Conclusion

This lab showed you how to quickly provision a compute instance in a virtual cloud network and access it using SSH.

Core OCI Networking

Duration 60 minutes

Skills Learned
At the end of this exercise, you will be able to:

▪ Create a Virtual Cloud Network

▪ Create public and private subnets
▪ Route network traffic using OCI Internet, NAT, and Service Gateways
▪ Control network access using network security rules
▪ Understand the difference between a network security group and a network security list

Overview

In this lab you will begin creating a virtual cloud network from scratch using a variety of OCI networking features. A VCN or virtual cloud
network is the foundation for building any network in OCI. Think of a VCN as your own virtual data center that is defined by a range of IP
addresses known as a CIDR block.

Subnets can be created to segment a VCN into smaller networks. Subnets are typically used to provide network isolation for different
workloads, such as application servers and databases. In a traditional environment, application servers would be deployed into a subnet
separate from the database. Firewall rules would then be implemented to permit network traffic to flow from the application server subnet to
the database subnet. In OCI we implement this sort of network security using network security lists. A security list is attached to a subnet and
defines what traffic is allowed in and out. You can specify what port, protocol, and even where the traffic is coming from or headed to.
While security lists are used to control network access, routing of network traffic in and out of a VCN is handled using a variety of routing
gateways and the route table. A routing gateway is a networking gateway similar to your router at home, directing traffic from your home
network to the internet and vice versa. In OCI there are gateways that route traffic to and from the Internet such as the Internet and NAT
gateways.

A Service Gateway is a special gateway that allows you to call OCI services privately. In plain speak this means when you call an OCI service
such as autonomous database or functions, OCI keeps the traffic inside the Oracle Service Network which remains private. The traffic never
flows over the internet.
© 2020 TechTipsOnDemand.com 26
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

A route table in a VCN contains route rules that determine how network traffic in a VCN is directed. No explicit route rules are needed to
route traffic within a VCN, such as between subnets. However, if you have a compute instance in a private subnet that needs to talk to the
internet, then a route rule must exist to send traffic from that compute instance to an OCI NAT Gateway.

A more modern method of providing network isolation rather than using subnets is a network security group. An NSG is a logical grouping
that associates compute instances with a set of security rules. NSGs are completely decoupled from the actual networking layout. In fact, you
could have a completely flat network with no subnetting, and still mimic secure network isolation through the creation and application of
various network security groups.

This is what you are going to build.

Figure 1 Core Network Lab Diagram

1. Creating a Virtual Cloud Network

1.1. In this section you will be creating the network shown in the figure above to support an eventual 3-tiered web
application deployment. For now we are going to start with creating a VCN and subnets for hosting a public bastion
server and private application servers.

1.2. Log into the OCI console using your web browser using the login URL that was in the welcome email from Oracle or go
to cloud.oracle.com and click on sign in.

1.3. Once logged into the OCI console, navigate to Networking > Virtual Cloud Networks by clicking on the stacked bars in
the upper left hand part of the OCI console.

1.4. Under List Scope, select OCI_Labs.

1.5. Create a new VCN by clicking on the Create VCN button.
© 2020 TechTipsOnDemand.com 28
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

1.6. Use the information below to create the VCN:

Name: vcn_oci_labs
Create in Compartment: OCI_Labs
CIDR Block: 10.0.0.0/16

Keep the remaining default values.

Your VCN configuration should look similar to the screenshot below.

1.7. Click the Create VCN button.

You will be taken to a page that shows the details of the VCN that you just created, including any resources that are
part of a VCN (Subnets, Route Tables, Internet Gateways, etc). When you create a VCN using the OCI console, OCI
automatically creates a few networking resources including:

- A default route table with no route rules.

- A default security list that allows SSH/22 and ICMP ingress, and allows any port/protocol to go out.

The default route table and security list are used as default values when you create a subnet in the OCI console. For
© 2020 TechTipsOnDemand.com 30
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
this lab we will be created our own security lists and route tables.
2. Creating Public and Private Subnets
2.1. With our VCN created, let’s create some subnets. A subnet is a way to carve up a large network into smaller networks.
Subnets are typically used to isolate application functions from one another in a multi-tier architecture. For example, in
a three-tier application, you would have one subnet for a public facing load balancer, another for the application
servers, and yet another subnet for the database.

A public subnet allows OCI resources such as compute to have a public IP address assigned to them, allowing them to
be reachable from the internet.

A private subnet does not allow resources to have a public IP, therefore these resources are not directly accessible
from the internet.

In this lab you will create both public and a private subnets to host a bastion server and application servers respectively.

2.2. In this section you will create a public subnet for hosting a bastion server. The bastion server will have a public IP
address, which will allow us to access it from the internet. We will then use the bastion server to access compute
instances in our VCN that have private IP addresses.

In the VCN details page of the VCN we created earlier, click on Subnets on the left-hand side of the console.

Create a public subnet by clicking the Create button and specify the following details for the public subnet.

Name: bastion-subnet
Subnet type: Regional
CIDR block: 10.0.0.0/28
Route table: Default Route Table for vcn_oci_labs
Subnet Access: Public – MAKE SURE THIS IS SELECTED!
DNS Resolution: Checked
DNS Label: Blank
DHCP Options: Default DHCP Options for vcn_oci_labs
Security Lists: Default Security List for vcn_oci_labs

The Public Subnet Access option is what enables public IP addresses to be assigned. Private subnets do not permit
public IP addresses to be defined.

2.3. Repeat the previous steps to create a private regional subnet named app-subnet with a CIDR block of 10.0.0.16/28. To
make the subnet private, be sure to select Private Subnet under Subnet Access.
3. Security Lists
3.1. Even though we get a default security list when a VCN is created, we are going to create our own security list so you
can learn how to do this for yourself.

© 2020 TechTipsOnDemand.com 33
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Each subnet will have its own security list controlling network traffic in and out. This is because the public subnet needs
to be treated differently than the private subnet. The bastion subnet will only allow SSH traffic in so that we can connect
to the bastion server using SSH. This will be the only protocol allowed.

The app subnet will have a security list that will only allow SSH traffic from the bastion subnet and no where else. For
now, it will be the only protocol that we allow in.

Both subnets will have a security rule that will allow any network traffic to leave the subnet for the internet.

Let’s create a security list to allow ssh into the public subnet, and allow ssh out of the public subnet to other subnets in
our VCN. The intent here is to create a subnet for a bastion server that we will deploy later on. A bastion server is a
compute instance that typically sits in a DMZ and is used to access all other servers that are deployed in private
subnets.

It is a best practice to minimize the number of resources exposed to the internet as much as possible. You can achieve
this by deploying all your compute instances and resources in private subnets, and then allowing access to these
servers through limited known access points such as a bastion server or a public load balancer.

Navigate to the VCN details page (Networking > Virtual Cloud Networks > vcn_oci_labs) and click on Security Lists.

3.2. Click Create Security List and specify the following details:

Name: Default Bastion SecList

Create in compartment: OCI_Labs

Add an ingress rule to allow ssh traffic over port 22 into the subnet.

Stateless: Unchecked
Source Type: CIDR
Source CIDR: 0.0.0.0/0
IP Protocol: SSH (TCP/22)

This rule will allow ssh traffic coming from anywhere into the subnet since the source CIDR is set to 0.0.0.0/0, which is
shorthand for any address.

*** For additional security, you should whitelist your own network address as the source CIDR so that OCI only permits
ssh coming from a trusted location.

For example, if you want to ssh into the bastion from your home, you could use the public IP address that is assigned

© 2020 TechTipsOnDemand.com 34
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
by your Internet Service Provider.

3.3. Add an egress rule to the same bastion security list to allow SSH traffic out of the public subnet to any location
within the VCN. This will allow us to SSH into any private compute instance.

Click the Additional Egress Rule button and specify the following rules:

Stateless: Unchecked
Destination Type: CIDR
Destination CIDR: 10.0.0.0/16 (This is the CIDR block for the entire VCN)
IP Protocol: SSH (TCP/22)

Click Create Security List once you are done.

3.4. Security lists must be explicitly assigned to subnets. To assign the bastion security list to the bastion subnet, select
Subnets under Resources on the vcn_oci_labs details page (Networking > Virtual Cloud Networks > vcn_oci_labs >
Subnets).

Click on bastion-subnet in the Subnets table.

You will see the default security list assigned to the subnet on the Subnet details page.

3.5. Assign a security list by clicking the Add Security List button, then select the Default Bastion Security List.

3.6. Once the bastion security list is assigned, we can remove the default security list from the bastion subnet.
Select the ellipsis (3 vertical dots) next to the Default Security List for vcn1 and then select Remove.

© 2020 TechTipsOnDemand.com 36
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
3.7. Repeat the previous steps to:
1) Create a new security list named Default Private Security List that allows ssh/22 into the app subnet from the
bastion subnet. Be sure to use the bastion subnet’s CIDR (10.0.0.0/28) as the source CIDR in the new list.
2) Assign the security list to the app subnet.
3) Remove the default security list from the app subnet.

The new rule should look like the following:

3.8. Up to this point, you have created a virtual cloud network and two subnets. You have also implemented virtual firewalls
for each of the subnets using security lists. These security lists define what network traffic is allowed to flow in and out.

The next step is to define network routes to allow traffic to flow into and out of our VCN using OCI network gateways.

© 2020 TechTipsOnDemand.com 37
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
4. Routing Internet Traffic using Route Tables and an Internet Gateway
4.1. In OCI route tables and gateways are used to send traffic out of a VCN.

The OCI Internet Gateway is the first one you will create. An Internet Gateway is a virtual router that directs traffic to
flow from the internet into a VCN, and conversely allows traffic to flow out of a VCN to the internet. This is different than
a security list which is a firewall essentially that determines what protocols and ports are allowed.

Only public subnets can use an IGW to send traffic to the internet since public subnets allow for public IP addresses.
Resources with only private IP addresses cannot directly send traffic to the Internet. They need to use a NAT Gateway
which we will cover shortly.

To create an Internet Gateway, navigate to the vcn_oci_labs details page (Networking > Virtual Cloud Networks >
vcn_oci_labs), and select Internet Gateways under Resources.

4.2. Click Create Internet Gateway button. Specify igw as the name of the gateway and place it in the OCI_Labs
compartment.

4.3. With the internet gateway created, we need to create a route rule to tell the VCN how to route internet bound traffic.

Under Resources, select Route Tables.

4.4. Add a new route rule to the Default Route Table by clicking on the name of the route table then click on Add Route
Rules.

4.5. Specify the following details for the route rule:

Target Type: Internet Gateway

Destination CIDR Block: 0.0.0.0/0
Target Internet Gateway: igw

The route rule will direct traffic to the internet (0.0.0.0/0) through the internet gateway.

Hit the Create button to create the rule.

5. Create the Bastion Server

5.1. In this section we will create some compute instances to demonstrate how the routing and network security lists work.

Start by creating a public compute instance called bastion1 in the bastion subnet using the same procedures in the
previous lab. Be sure to check the box for assigning a public IP address. Use the same SSH key you generated earlier.

5.2. Verify you can access the bastion server using the public SSH key you provided.

If you can connect, then you successfully configured your VCN to allow ssh traffic to the bastion server.

If you cannot connect, verify the following:

1) The bastion server is assigned a public IP address (must be placed in a public subnet).
2) The bastion subnet has the correct security list and rules assigned to it to allow SSH/22 in (ingress).
3) The bastion subnet has a default route table with a route rule to use the internet gateway.
4) You are attempting to connect using the public IP address of the bastion server.
5) You are using the correct SSH key

6. Create a Private Compute Instance

6.1. After the public instance is created and started, create another compute instance in the private subnet called app1. This
time you will NOT assign a public IP address since this compute instance is private.

Use the same SSH key as before.

Start the instance and verify it is running in the OCI Console.

Take note of its private IP address. We will need this to connect to it from the bastion server.
6.2. Next let’s verify the security rules for allowing ssh into the private subnet are working properly.

SSH into the bastion server then ssh into the app server using its private IP address.

If you get challenged for a login, then the networking is working, however you will not be able to login because you are
not yet able to present your private SSH key to the app server. More on this in a moment.

If your attempt to connect times out or you get another error trying to connect, then there may be issue with the security
lists. If this is the case, verify the following:
1) The Default Bastion Security List has an egress rule that allows ssh/22 to the VCN CIDR (10.0.0.0/16).
2) The Default Private Security List has an ingress rule that allows ssh/22 from the bastion subnet 10.0.0.0/28.
3) The Default Private Security List is assigned to the app subnet.

6.3. Next you will use the bastion server to connect to the private compute instance. Since the private compute instance
does not have a public IP address, we cannot connect to it directly, however we can connect to it from the bastion
server because the bastion server has a private IP address in the same VCN as the app server.

You will ‘jump’ through the bastion server to private app server. To do this, you need to configure your SSH client to
proxy or forward our SSH connection to the app server.

© 2020 TechTipsOnDemand.com 41
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Follow the instructions in the Appendix A : How to securely connect to private OCI instances over the Internet.
This appendix covers both Windows and Linux/OSX SSH clients.

6.4. Once you have completed the instructions for setting up SSH agent-forwarding, verify you can connect to the private
compute instance by first connecting to the public server using its public IP address.

Once connected to the public server, ssh to the private server using its private IP address. If you properly set up your
SSH client to use agent forwarding, you should not be prompted for any authentication credentials when connecting to
the private instance.

6.5. Try accessing the public internet from the private compute instance.

$ curl -L https://www.google.com

Curl should not work for two reasons:

1) We have not told OCI how to handle internet-bound traffic. We need a route rule defined to solve this problem.
2) We have not created a network security rule to allow http traffic to leave the subnet for the internet. We need a
security rule to permit HTTP/HTTPS.

In the next section you will create routing gateways to allow access to the internet.
7. Routing Traffic to the Internet using OCI NAT Gateway
7.1. Compute instances need a public IP in order to send requests to the Internet. The Internet Gateway allows instances in
public subnets with public IP addresses direct access to the Internet.

Compute instances in a private subnet do not have a public IP address, so they cannot directly access the internet. For
this situation, OCI provides a NAT Gateway virtual router. The NAT Gateway (NATGW) is a virtual router that gets
provisioned in a public subnet and assigned a public IP. Private subnet traffic headed to the internet is routed through
the NATGW. NATGW allows responses from the internet back into the VCN. NATGW is only used for egress out of the
VCN, not for ingress.

In this section you will provision and configured a NAT Gateway to allow compute instances in a private subnet to
access the internet.
7.2. Navigate again to the VCN details page and select NAT Gateways under Resources.
7.3. Create a NAT Gateway by clicking the button and specifying the following details:

Name: natgw
Compartment: OCI_Labs

OCI will automatically assign a public IP address to the gateway. You can see the assigned public IP address for the
NAT gateway listed under NAT Gateways.

7.4. Next we need to define a route rule that will send internet bound traffic through the NAT Gateway. Since this route is
only for private compute instances, we need to separate this route from the other route we created using the Internet
Gateway. To do this, we will create a new route table.

Under Route Tables for the VCN, click the Create Route Table button to create a new table named Default Private
Route Table.

© 2020 TechTipsOnDemand.com 43
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
7.5. Next add a new route rule that will send traffic from the private subnet to the internet by clicking on the new route table
then clicking on the Add Route Rules button.

Here is the route rule that will send internet-bound traffic to the NAT Gateway.

Target Type: NAT Gateway

Destination CIDR block: 0.0.0.0/0
Target NAT Gateway: natgw

7.6. Assign the Default Private Route Table to the app-subnet by editing the subnet and changing the route table to Default
Private Route Table.

7.7. With our route defined, we now need to create a security rule to allow traffic to flow out of the app-subnet.

Create an egress rule in the Default Private Security List to allow TCP from the private subnet to the internet.

Stateless: Unchecked
Destination Type: CIDR
Destination CIDR: 0.0.0.0/0
IP Protocol: TCP

7.8. Verify the private compute instance app1 can now access the internet by connecting to it using SSH through the
bastion server as we did earlier in the lab, then run the following curl command.

$ curl https://www.google.com

curl should return HTML from Google. If you receive a connection time out or any other connection error, verify that you
have
1) Routed traffic from the app-subnet to the NAT Gateway using a route rule.
© 2020 TechTipsOnDemand.com 45
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
2) Allowed TCP traffic to leave the app-subnet for the Internet using a security rule.

8. Routing Traffic to OCI Services using Service Gateway

8.1. OCI Service Gateway is yet another virtual router that is used to access regional OCI services such as Object Storage
privately without sending the traffic over the public internet. OCI services are hosted on a special network known as the
Oracle Services Network.

The OCI Service Gateway allows compute instances in your VCN to access OCI services using public endpoints but
keeps the network flow from going over the internet. Using a Service Gateway is an alternative to configuring a NAT
Gateway. With a NAT Gateway, network traffic is routed out to the internet, ev

In this section you will create the Service Gateway in your VCN, then write a route rule to send traffic destinated for OCI
services through the Service Gateway.

8.2. Navigate to Service Gateways under Resources on the VCN details page.

8.3. Click Create Service Gateway and specify the following details:

Name: sgw
Compartment: OCI_Labs
Services: All <Region> Services in Oracle Services Network

The value for Services in the dropdown will vary depending on what region you are working in.

8.4. Next create a route rule to send network requests for OCI services (like object storage) to the service gateway.

In this exercise, only the private subnets will be accessing OCI services privately, so create the rule in the Default
Private Route Table.

Add the following route rule to the Default Private Route Table:

Target Type: Service Gateway

Destination Service: All <Region> Services in Oracle Service Network
Target Service Gateway: sgw

8.5. The Default Private Route Table should now look like the screenshot below. This route table contains two rules: one for
sending traffic for Oracle Services through the service gateway, and all other traffic intended for the internet through the
NAT gateway.

8.6. Now that we have our routes set up, we need to modify our security lists to allow compute instances in the private
subnet to talk to OCI services.

Add a new egress rule to the Default Private Security List:

Destination Type: Service

Destination Service: All <Region> Services in Oracle Services Network
IP Protocol: TCP

You can leave destination port blank for now. This egress rule will permit any TCP traffic to the Oracle Service Network.

Once the rule is created, requests for OCI services from our private subnet will be routed through the OSN and not out
to the public internet. This keeps the traffic more secure since it does not expose it publicly.
9. Shutdown all Compute Instances
9.1. Be sure to stop any running compute instances when you are finished with the lab. A stopped instance does not incur
any charges.

Do not terminate the instances as that will delete them. We will be reusing bastion1 and app1 in later labs.

Conclusion

In this lab you learned how to:

1) Create VCNs and subnets

© 2020 TechTipsOnDemand.com 51
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
2) Implement virtual firewalls using Network Security Lists
3) Route traffic in and out of the VCN using Internet and NAT Gateways
4) Route Oracle Services traffic privately to the Service Gateway

Core OCI Block Storage

Duration 60 minutes

Skills Learned
At the end of this exercise, you will be able to:

▪ Provision and attach block storage volumes to compute instances

▪ Backup and restore volumes
▪ Clone volumes
▪ Monitor storage usage

Overview

The OCI Block Volume Service provides raw high performance durable block volume storage for compute instances. If you need to install
and run software on your compute instances, you would do so on a block volume attached to the compute instance. In fact, the boot volume
on any OCI compute instance is just a special type of block volume.

In this lab you will learn how to provision, attach, and manage block volumes through backups and cloning.

Block volume storage, like all other storage services in OCI, costs money and the limits to the number of volumes and size of those volumes in
the Oracle Free Trial Period and Free Tier is quite limited. Block volume storage is billed based on total provisioned capacity per month. If
you provision a 1 TB volume but are only using 50 GB of it, you will be charged for the full 1 TB per month. This is different than object
storage where you pay for only what you consume.

To keep any potential costs down, it is highly recommended that students delete all volumes and volume backups at the end of each exercise.

Instructions

1. Adding Storage to a Compute Instance using a Block Volume

1.1. Block volumes provide a compute instance with durable storage which allows the data on the volume to persist between

© 2020 TechTipsOnDemand.com 53
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
reboots of a compute instance. The process for provisioning a volume and using it with a compute instance is as follows:

1) Create a block volume of a certain size with certain performance characteristics.

2) Attach the volume to the compute instance. This is the process of associating the volume with a compute
instance.
3) Format and mount the volume as a file system on the compute instance.

In this lab you will attach a 50 GB block volume to the private compute instance, app1, that you created in the Core
Compute lab.
1.2. First we need to find out what Availability Domain our app1 instance is in so we know where to create the block volume.
The block volume must live in the same AD as our compute instance. A block volume resource, much like a compute
resource cannot span different data centers or ADs. It is an AD-local resource.

1.3. In the OCI Console, navigate to Compute > Instance. Make sure to select the OCI Labs compartment.

Take note of the Availability Domain for app1.

1.4. Now create the block volume by navigating to Block Storage > Block Volumes from the navigation menu.

1.5. Click the Create Block Volume button and specify the following parameters:

Name: app1_datavol

© 2020 TechTipsOnDemand.com 54
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Create in Compartment: OCI_Labs
Availability Domain: Select same as app1

OCI allows us to define performance characteristics for block volumes. Performance is typically linear, meaning the
larger the volume, the more IOPS or throughput is provided.

To keep costs to a minimum, select Custom under Volume Size and Performance.
Volume Size (In GB): 50 GB
Default Volume Performance: Lower Cost

Keep the default values for the rest of the parameters.

Click Create Block Volume.

1.6. Once the volume is provisioned and available, you can attach it to a compute instance.

Click on the block volume you just created, then click on Attached Instances then Attach to Instance.

1.7. The Attach to Instance dialog will present several different options for configuring the attachment. There are two
attachment types available – Paravirtualized and iSCSI. Paravirtualized is far simpler to configure, however, iscsi
provides much better performance.

Let’s start with Paravirtualized first.

Attachment type: Paravirtualized

Access Type: Read/Write

Instance: app1 (OCI Labs compartment)

Device name: /dev/oracleoci/oraclevdb

The device name is where the volume will exist as a device in Linux.

Attach the volume by clicking the Attach button.

1.8. Once the volume is done attaching, your screen should look like the following:

1.9. The next step is to partition, format, and mount the volume on the host.

SSH into app1 by connecting to the bastion first then hopping over to app1.

1.10. Verify the volume is attached to the host by running fdisk. Look for /dev/sdb in the output.

[opc@app1 ~]$ sudo fdisk -l

WARNING: fdisk GPT support is currently new, and therefore in an experimental phase. Use
© 2020 TechTipsOnDemand.com 57
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
at your own discretion.

Disk /dev/sda: 50.0 GB, 50010783744 bytes, 97677312 sectors

Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 1048576 bytes
Disk label type: gpt
Disk identifier: 6F25D687-CAE6-428A-8AA0-E618C576A2EB

# Start End Size Type Name

1 2048 411647 200M EFI System EFI System Partition
2 411648 17188863 8G Linux swap
3 17188864 97675263 38.4G Microsoft basic

Disk /dev/sdb: 53.7 GB, 53687091200 bytes, 104857600 sectors

Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 1048576 bytes

1.11. Run fdisk to create a new primary partition on the volume.

$ sudo fdisk /dev/sdb

Command (m for help): n

Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-104857599, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-104857599, default 104857599):
Using default value 104857599
Partition 1 of type Linux and of size 50 GiB is set

Command (m for help): w

The partition table has been altered!

Calling ioctl() to re-read partition table.

1.12. Format the volume once it is partitioned.

[opc@app1 ~]$ sudo mkfs -t ext4 /dev/sdb1

1.13. Mount the volume under a new directory named /datavol

[opc@app1 ~]$ sudo mkdir /datavol

[opc@app1 ~]$ sudo mount /dev/sdb1 /datavol

1.14. Run df to view the mounted volumes.

[opc@app1 ~]$ df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 315M 0 315M 0% /dev
tmpfs 345M 0 345M 0% /dev/shm
tmpfs 345M 9.3M 336M 3% /run
tmpfs 345M 0 345M 0% /sys/fs/cgroup
/dev/sda3 39G 2.9G 36G 8% /
/dev/sda1 200M 8.6M 192M 5% /boot/efi
tmpfs 69M 0 69M 0% /run/user/0
tmpfs 69M 0 69M 0% /run/user/994
tmpfs 69M 0 69M 0% /run/user/1000
/dev/sdb1 49G 52M 47G 1% /datavol

2. Adding the volume to /etc/fstab

2.1. If you want the data volume to be permanently mounted on the host, it must be added to /etc/fstab. If you were to reboot
the compute instance now, the volume would not appear mounted.

Edit /etc/fstab and add the following line at the bottom of the file.

$ sudo vi /etc/fstab

Append the following line to /etc/fstab

/dev/sdb1 /datavol ext4 defaults 0 1

2.2. Run the commands to verify our changes work:

First unmount /datavol.

$ sudo umount /datavol

Remount the volumes in /etc/fstab

$ sudo mount -a

2.3. Verify /datavol has been remounted.

$ sudo df -h
2.4. Back in the OCI Console, restart the app1 compute instance.

Go to Compute > Instances > app1. Select Reboot from the menu.

2.5. After app1 reboots, ssh into app1 and confirm /datavol is automatically mounted.
3. Attaching a Block Volume using ISCSI
3.1. Paravirtualized attachments are a simple and easy way to attach a block volume to a host as we performed in the
previous lab. However, there are performance advantages to attaching volumes using ISCSI.

In this section you will detach the volume we just mounted and reattach using ISCSI.

3.2. On the app1, unmount the volume. You can run df again to see that is no longer mounted.

[opc@app1 ~]$ sudo umount /datavol

[opc@app1 ~]$ df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 315M 0 315M 0% /dev
tmpfs 345M 0 345M 0% /dev/shm
tmpfs 345M 9.3M 336M 3% /run
© 2020 TechTipsOnDemand.com 60
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
tmpfs 345M 0 345M 0% /sys/fs/cgroup
/dev/sda3 39G 2.9G 36G 8% /
/dev/sda1 200M 8.6M 192M 5% /boot/efi
tmpfs 69M 0 69M 0% /run/user/0
tmpfs 69M 0 69M 0% /run/user/994
tmpfs 69M 0 69M 0% /run/user/1000

3.3. In the OCI Console, detach the block volume from app1 by going to the app1 compute instance details page > Attached
Block Volumes and selecting Detach from the menu for the app_datavol volume.

3.4. Reattach the volume but this time specify ISCSI as the attachment type.

3.5. Once the volume shows as attached in the OCI Console, you will need to run a series of ISCSI commands on the app1
compute instance.

The ISCI commands are specific to the volume and the compute instance. To get the commands, click on the ellipsis
next to the attached volume and select iSCSI Commands and Information from the menu.

The screenshot below shows us the commands specific to this particular block volume.

3.6. It is recommended that you copy these commands into a text file or somewhere you can reference them later. You can
also come back to the console to retrieve the commands.

3.7. SSH into app1 and run the ISCSI commands for connecting to the volume.

3.8. Run fdisk -l to see the disk attached to the host. Notice that the partition you created earlier, /dev/sdb1, has been
preserved.

[opc@app1 ~]$ sudo fdisk -l

WARNING: fdisk GPT support is currently new, and therefore in an experimental phase. Use
at your own discretion.
© 2020 TechTipsOnDemand.com 63
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

Disk /dev/sda: 50.0 GB, 50010783744 bytes, 97677312 sectors

# Start End Size Type Name

1 2048 411647 200M EFI System EFI System Partition
2 411648 17188863 8G Linux swap
3 17188864 97675263 38.4G Microsoft basic

Disk /dev/sdb: 53.7 GB, 53687091200 bytes, 104857600 sectors

Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 1048576 bytes
Disk label type: dos
Disk identifier: 0xfc457d0f

Device Boot Start End Blocks Id System

/dev/sdb1 2048 104857599 52427776 83 Linux

3.9. Mount the partition under /datavol as before.

[opc@app1 ~]$ sudo mount /dev/sdb1 /datavol

© 2020 TechTipsOnDemand.com 64
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
4. Creating a Backup of a Block Volume
4.1. OCI allows you to create a backup of a block volume, either scheduled or manual.

4.2. To create a full manual backup of a volume, navigate to Block Storage > Block Volumes > app_datavol

4.3. Under Block Volume Backups, select Create Block Volume Backup.

Specify the following parameters:

Name: app_datavol_backup_01
Backup Type: Full

Click Create.

4.4. The backup request will appear under Block Volume Backups.

4.5. You can also create an incremental backup as well by going through the same steps as a full backup. Simply select
Incremental as the Backup Type.

Here we created an incremental backup volume, however since we did not change anything on disk, the size of the
backup is similar to the full back in this case.

5. Restoring a Block Volume Backup

5.1. The process for restoring a block volume backup is to :

1) Create a new block volume from the backup directly.

2) Mount the new block volume on the compute instance where the data needs to be restored.

5.2. To restore from a set of backups, start with the last incremental backup. Select Create Block Volume from the last
incremental backup.

5.3. The dialog for creating a block volume will appear. Select the same parameters as the original volume, however for the
name specify restored_app_datavol.

5.4. The restored block volume will appear alongside the original as shown in the OCI Console.

5.5. [Optional Step]

Once the restored volume is available, you can then go through the process of attaching and mounting the volume as
done earlier in the lab.

6. Backing up a Block Volume on a Regular Basis

6.1. OCI allows you to define a backup policy so that a block volume can be backed up on a regular basis.

To create a backup policy, navigate to Block Volumes > Block Storage > Backup Policies.

6.2. Notice Oracle provides some out-of-the-box backup policies for you to use: Gold, Silver, and Bronze. Each policy has a
different set of backup schedules.

Feel free to click on any policy to view the different schedules and retention periods for each backup.

6.3. For this lab, you will create your own backup policy with two schedules to supply a daily incremental backup and one full
backup per week.

© 2020 TechTipsOnDemand.com 67
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Click the Create Backup Policy button and specify a name for the backup policy. Click Create.
6.4. On the backup policy page, you can define backup schedules that tell OCI when to take a backup and how long to keep
it.

Click Add Schedule to define a schedule for a daily incremental backup. This schedule will retain the daily backups for 7
days.

Set the following parameters:

Click Add Schedule when finished.

© 2020 TechTipsOnDemand.com 68
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
6.5. Define another schedule for a weekly full backup with a retention period of 4 weeks.

6.6. Once complete, your screen should look like this:

6.7. For the policy to work, it needs to be attached to a block volume.

Go back to the app_datavol details page (Block Storage > Block Volumes > app_datavol) and click the Edit button.

Scroll down to the bottom of the Edit page and select the backup policy you just defined.

Save changes when you are done.

The backup policy is now in effect for the block volume. This can be seen on the app_datavol’s details page.

7. Cloning a Block Volume

7.1. You can clone a block volume to create an exact copy of it instantaneously. A cloned block volume is different than a
backup for several reasons.

1) A clone is a point in time copy of a block volume.

2) Cloning creates another block volume of the same size and characteristics and data. A backup takes time to
perform and contains only data on the volume and is stored in object storage.
3) Cloning allows you to quickly duplicate an environment to support a variety of use cases, such as troubleshooting
production issues in a development environment for example.

7.2. To create a clone in the OCI Console, go back to the list of block volumes in the OCI Labs compartment (Navigate to
Block Storage > Block Volumes).

7.3. Select Create Clone from the ellipsis menu for app_datavol.

In the clone dialog, specify cloned_app_datavol as the name then click Create Clone.
© 2020 TechTipsOnDemand.com 72
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

7.4. The cloned volume will appear in the list of volumes.

8. Detaching a Block Volume from a Compute Instance

8.1. Detaching a block volume is the process of removing it from a compute instance. Detaching does not delete the volume.

To detach an ISCSI-attached volume, the following steps need to be performed.

1) Unmount the filesystem on the OS
2) Run the ISCS detach commands as provided by OCI
3) Detach the volume from the instance in the OCI Console

8.2. On the app1 host, unmount the file system.

[opc@app1 ~]$ sudo umount /datavol

[opc@app1 ~]$ df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 315M 0 315M 0% /dev
tmpfs 345M 0 345M 0% /dev/shm
tmpfs 345M 9.3M 336M 3% /run
tmpfs 345M 0 345M 0% /sys/fs/cgroup
/dev/sda3 39G 2.9G 36G 8% /
/dev/sda1 200M 8.6M 192M 5% /boot/efi
© 2020 TechTipsOnDemand.com 73
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
tmpfs 69M 0 69M 0% /run/user/0
tmpfs 69M 0 69M 0% /run/user/994
tmpfs 69M 0 69M 0% /run/user/1000
8.3. Run the iSCSI detach commands that you saved earlier.

If you need to get the commands again, navigate to the app1 compute instance in the OCI Console. Under Attached
Block Volumes, select iSCSI Commands and Information next to app_datavol.

8.4. After you have run the detach iSCSI commands on the host, go back to the OCI Console and select detach from the
app_datavol menu.

8.5. Confirm that you want to detach the volume.

8.6. Once the volume is detached, it will no longer appear on the list of attached volumes for app1.

9. Deleting a Block Volume

9.1. Volumes can only be deleted after they have been detached from all compute instances.

Navigate to Block Volumes > Block Storage and select Terminate next to the app_datavol volume. Confirm that you want
to terminate the volume.

9.2. Once the volume is terminated, it will appear as terminated in the list of volumes. A terminated volume no longer exists
and does not incur any charges.

9.3. Repeat the previous steps to terminate all remaining block volumes.
10. Cleaning up Block Volume Backups
10.1. Remove the block volume backups that we created earlier by navigating to Block Volume Backups under Block Storage.

Select Terminate next to each backup. Termianted backups are deleted are do not incur any charges.

11. Lab Cleanup – IMPORTANT!

11.1. 1) Shutdown any running compute instances.
2) Confirm all block volumes have been terminated.
3) Confirm all backups have been terminated.

Core OCI Object Storage

Duration 30 minutes

Skills Learned
At the end of this exercise, you will be able to:

▪ Create both public and private buckets

▪ Store and fetch objects using a variety of tools
▪ Grant access to objects using PARs
▪ Managing access with OCI IAM Policy

OCI Object Storage is an infinitely scalable cloud native persistent store for unstructured data, such as documents, videos, images, log files,
database backups, et cetera. Object storage has many use cases from hosting static content for a website to forming a data lake for data
analytics workloads.

In OCI, objects are stored in buckets which can be made either public or private. Public objects and buckets are accessible by anyone on the
internet, however access to private objects and buckets requires an OCI credential and an appropriate IAM policy that grants a user or group
or thing access. Access can be granted to private objects using a special OCI feature known as pre-authenticated requests, also known as a
PAR. A PAR is essentially a URL that contains a one-time generated access token that grants anyone with the URL permission to access an
object.

In this lab you will learn how to work with objects and buckets using your browser and the OCI command line interface or CLI.

Instructions

1. Working with Public Objects and Buckets

1.1. In this section you will learn how to store and access public objects in a public bucket.

A public object is one that is read-only accessible by anyone on the internet. They do not need to be an authenticated or
authorized user. Each public bucket and each public object have a unique HTTP URL associated with them that can be accessed
from the internet. A public bucket and a public object only allow read access though, not write.

You still need to be logged into OCI in order to write to a bucket, regardless of its visibility.

To get started, let’s create our first bucket.

Log into the OCI Console and navigate to Object Storage from the stacked navigation menu.

1.2. Under List Scope, select OCI_Labs.

1.3. Click the Create Bucket button and specify public1 as the bucket name. Leave all other values defaulted.

Your screen should look similar to the screenshot below. Click Create to create the bucket.

1.4. By default, all object storage buckets are created as private. In order to change them to public, you must change their visibility in
the OCI Console.

Click on the name of the bucket you just created, public1.

1.5. You will be taken to the bucket details page for public1.

To make the button public, click on the Edit Visibility button under the name of the bucket and select Public. This will make any
objects in the bucket accessible on the internet.

You also have the option to allow users to list objects in a bucket. This may or may not be desirable depending on the use case,
so let’s be safe and leave this option unchecked.

Click Save Changes.

1.6. You should now see the visibility status has changed from Private to Public on the bucket details page. OCI displays a little
warning icon letting you know that the bucket is public.
1.7. With the bucket created, you can now upload an object to the bucket right from the OCI Console.

On the bucket details page, click the Upload button. Select any file you wish to upload to the bucket.

1.8. After the file is uploaded, it will appear in the list of objects for the bucket.

1.9. The file you uploaded now exists on the public internet and is represented by a URL.

To get the URL of the object, click the three dots (ellipsis) next to the object. A menu will appear.

Select View Object Details from the menu. You will see some basic information about the object, including a URL.

Try copying and pasting the URL in another browser window.

Public object storage is a great way to host static website assets such as images and videos. This is just one use case of course.

© 2020 TechTipsOnDemand.com 82
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
1.10. Let’s delete the object now by clicking on the ellipsis and selecting Delete. Confirm the object was delete and the URL is no longer
valid.
2. Working with Private Buckets and Objects
2.1. Now you will work with a private bucbket and objects.

Create another bucket by clicking the Create Bucket button.

Specify the following information for the bucket:

Bucket Name: private1

Default Storage Tier: Standard (Default)

Click the Create Button to provision the bucket.

2.2. On the Objects screen you will see a table listing all the objects in the bucket, which should be empty since you just created the
bucket.

Click the Upload button and upload any type of file you wish.

Since the bucket is private, all objects within the bucket are private by default which means only authenticated OCI users with the
proper authorization (you) have access to objects in the bucket.

2.3. After the file is uploaded, you will see it appear in the list of objects.
2.4. Because the object was uploaded to a private bucket, it is no accessible on the internet. Users will need to be logged into OCI and
granted access to bucket or object explicitly.

To verify the object is indeed private, get the URL for the object by viewing the object details just like we did with the public object.

Try accessing the URL. You should receive an error message that the bucket doesn’t exist or you don’t have permission.
2.5. You can download objects from within the OCI Console using a browser by selecting Download from the ellipsis menu next to the
object.

Go ahead and give it a try.

2.6. Delete the object by going to the ellipsis menu for the object and selecting Delete.

The object will be removed from the bucket.

© 2020 TechTipsOnDemand.com 83
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
3. Using the OCI CLI with Object Storage
3.1. Up to now we have used the OCI Console exclusively to interact with OCI services. While the console is great tool, it is not as
powerful nor as flexible as using the OCI tools, APIs, and CLI to manage our cloud infrastructure.

In this section you will use the OCI command line interface to work with OCI object storage.

There are two options for install the CLI. You can go the easy route and use OCI’s Cloud Shell, which is a terminal window in the
cloud that has all the tools already installed configured to use your OCI credentials. This option is most suitable for a learning or
demo environment.

The other option is to install the OCI CLI on your machine, which is a more involved process, requiring you to download and install
the tools, along with configuring the tools to use an OCI authentication token; but is the preferred method for supporting
development and production environments in OCI.

In this lab guide, we will use Cloud Shell to run the CLI.

3.2. To use the OCI CLI already installed in the Cloud Shell, simply launch the Cloud Shell by selecting the Terminal icon located in
the upper right portion of the OCI Console.

A terminal window will appear in your browser window.

3.3. You can verify the OCI CLI is installed by running the oci command with no arguments.

$ oci

4. Managing Buckets with the OCI CLI

4.1. To use the OCI CLI, we first need to get the OCID or identifier for our tenancy. Each tenancy has a globally unique OCID.

To get the OCID for your tenancy, click on the Profile icon in the OCI Console then click on the name of your tenancy.

The OCID for the tenancy will appear on the Tenancy Details page in the Tenancy Information box. Click on either Show or Copy
next to the OCID value. Save the OCID somewhere on your computer as we will be using this throughout the rest of this lab guide.

4.2. Run the following command to create a private bucket named bucket2:

$ oci os bucket create --name bucket2 --compartment-id <Put your tenancy OCID here>
4.3. You can verify the bucket was created by using the OCI CLI to list all buckets in a compartment. The OCI CLI will return json
formatted results.

$ oci os bucket list –compartment-id <Your Tenancy or Compartment OCID>

5. Working with Objects using the OCI CLI
5.1. In this section you will store an object in a bucket using the CLI.

If you are using Cloud Shell or any other Linux environment, create a simple text file.

$ echo “This is my simple text file” >> object.txt

5.2. Upload the text file to object storage using the following command:

$ oci os object put –bucket-name bucket2 –file object.txt

© 2020 TechTipsOnDemand.com 86
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
5.3. You can verify the object was stored in the bucket by listing the contents of the bucket.

$ oci os object list –bucket-name bucket2

5.4. Here is the command to download an object.

$ oci os object get –bucket-name bucket2 –object object.txt –file object2.txt

The –file parameter tells OCI where to store the downloaded object on your filesystem.
5.5. To delete an object:

$ oci os object delete –bucket-name bucket2 –object object.txt

The OCI CLI will prompt you to confirm deletion of the object.
6. Working with Pre-Authenticated Requests
6.1. A PAR is a generated URL that allows anyone with the URL to access a private object. The generated URL serves as a secret
access token in a way, so the generation and storage of a PAR should be a protected operation.

PARs are commonly used when you want to share protected information with a client or customer that does not have an account
in your OCI tenancy. It is a best practice in this case to generate a PAR that has a short lifespan and securely hand that URL to
the end user.

In this section you will generate a PAR URL for an object. The PAR will grant access to the file to anyone with the URL. You are
going to configure the PAR to provide READ-ONLY access and for it to expire after a few minutes.
6.2. Use the OCI Console to upload a file to the bucket you created earlier.
6.3. Create a PAR by selecting the ellipsis next to the file you just uploaded then Create Pre-Authenticated Request.
6.4. The options for creating a PAR are fairly simple. You can create a PAR for a bucket or a file.

In this tutorial, configure the PAR to permit read-only access on the object.

Also configure the PAR to expire after 10 minutes. This forces the PAR to be no longer valid after a certain period of time – a best
practice for giving external users temporary access to files!

6.5. After you click Create Pre-Authenticated Request, the PAR URL will be displayed on the screen only once. Be sure to copy this
URL down somewhere safe since you will not be able to retrieve it from OCI again.

If you lose your PAR URL, you can always generate a new one in the OCI console.

6.6. Close the PAR dialog after you have saved your PAR URL.

Now navigate to the PAR URL using your browser and the object you upload should appear, depending on the type of object.

© 2020 TechTipsOnDemand.com 88
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
6.7. Back in the OCI Console, you can see an inventory of PARs by going to Object Storage > bucket2 > Pre-Authenticated Requests.

Here in this table you will see a list of PARs and whether they are expired or active. If it has been 10 minutes since you created
the PAR, it should show as expired by now.

6.8. If the PAR is not expired by now, go ahead and expire it by selecting the ellipsis next to the PAR.
6.9. After the PAR is expired, try accessing the PAR URL again from your browser. You should receive an error message that either
the bucket does not exist or you are not authorized to access it.

7. Working with PARs using curl

7.1. Curl is a command line URL utility that allows you to issue different types of HTTP requests such as GET and POST. Think of curl
as a very flexible and powerful command line HTTP client that lets you call any HTTP endpoint (Websites,

In this section you will use curl to download and upload objects using a PAR url.

7.2. Curl is already installed in the Cloud Shell environment, however if you want to install curl in your own environment there are
hundreds of articles on the internet that detail the procedure so it will not be covered here in this lab. For most linux systems, it’s a
simple one line command.

Depending on your Linux distribution:

For Debian-based distros, including Ubuntu:

$ apt-get install curl

For RHEL-based distros:

$ yum install curl

Curl comes with Windows and is available in Powershell.

7.3. In the OCI Console, create a PAR for bucket2 – this will allow someone with the URL to upload objects to a bucket. A bucket PAR
only allows writes to a bucket, it does not allow read. So someone with the URL will not be able to list objects in a bucket.

To create a PAR for a bucket, navigate to Object Storage in the navigation menu and click on the bucket name – in this case
bucket2.

7.4. Under Resources click on Pre-Authenticated Requests then click the button Create Pre-Authenticated Request.
© 2020 TechTipsOnDemand.com 89
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

7.5. In the dialog that appears, make sure Bucket is selected for Pre-Authenticated Request Target. Leave all other values default.

Click Create Pre-Authenticated Request and save the generated URL.

7.6. The syntax to upload a file to object storage using a PAR URL is:

$ curl -X PUT --data-binary '@<local-filename>' <unique-PAR-URL>/<target_objectname>

Take note that you must append the name of the object after the PAR URL. Unlike using the OCI CLI where you explicitly specify
the bucket and have to be an authenticated OCI user, a PAR URL combines both bucket and authorization to access the bucket in
the URL.

Use the curl command above to upload any file to object storage using the PAR you generated.

Here is an example uploading the object.txt file created earlier.

$ curl -X PUT –data-binary ‘@object.txt’ https://objectstorage.us-phoenix-

1.oraclecloud.com/p/vt4YH9HZ1BmgMLgHqD7wCCWvOCIJ9-AhHoSIC-
UPzBn8Sbte4MtkQYUNjBgBcCY4/n/axrldpz2wg7y/b/bucket2/o/object.txt

7.7. The PAR that you generated only permits a user to write objects to the bucket. If you want to share access to the object using a
PAR, you must create a PAR just for that object.

Back in the OCI Console, navigate to bucket2 to see a list of objects in the bucket. You should see the object that you just
uploaded using curl.

To create a PAR for the object, select Create Pre-Authenticated Request from the ellipsis menu next to the object.

7.8. In the PAR dialog, you can choose what type of access to allow on the object, either read, write, or both. Select read and write
then create the request. Be sure to save the PAR URL.

7.9. Back on the command line, use curl to fetch the object using the PAR for the object. The curl command below is equivalent to
putting the URL in your browser address bar.

$ curl -X GET https://objectstorage.us-phoenix-

1.oraclecloud.com/p/7cn6JIHk5RjqEKl5iRTxQ51urx5pze2iKyiwyKp8tc6K94xVozm9EoLz4UC5nppy/n/axrldpz2
© 2020 TechTipsOnDemand.com 90
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
wg7y/b/bucket2/o/object.txt

7.10. The PAR for the object also allows writes. Make a change to object.txt on your local file system and upload it back to object
storage using the same PAR.

$ curl -X PUT –data-binary ‘@object.txt’ https://objectstorage.us-phoenix-

1.oraclecloud.com/p/7cn6JIHk5RjqEKl5iRTxQ51urx5pze2iKyiwyKp8tc6K94xVozm9EoLz4UC5nppy/n/axrldpz2
wg7y/b/bucket2/o/object.txt

8. Granting Users and Groups Access to Object Storage

8.1. In this section you will be introduced to how OCI handles identity and access management within a tenancy. OCI provides a
robust policy-based authorization model that allows an administrator to author polices in natural language that permit users or
groups access to OCI resources.

In this section you will write an IAM policy that lets a group of users manage an object storage bucket and another group to only
read and write objects in the bucket.
8.2. For this scenario you are going to create two local OCI Groups: ObjectStorageAdmins and ObjectStorageUsers. The storage
admins will be responsible for creating and managing buckets in an OCI compartment. Recall an OCI compartment is a logical
construct that is used for organizing and manage OCI resources.

The storage users will be able to read and write to the object storage buckets only in the OCI compartment.

In the OCI Console, select the stacked navigation bars and navigate to Identity > Groups.

8.3. Create a group called ObjectStorageAdmins by selecting the Create Group button.

On the Create Group dialog, specify the name of the group and a description (it’s required).

8.4. Create another group called ObjectStorageUsers.

8.5. In this scenario you are going to only allow the object storage admins and users to work with buckets and objects in a dedicated
OCI compartment.

Navigate to Identity > Compartments. Select the OCI_Labs compartment under List Scope.

8.6. Create a new compartment called ObjectStorageLab under the OCI_Labs compartment by clicking on the Create Compartment
button.

8.7. Next you are going to write an IAM policy that allows the ObjectStorageAdmins to create and manage buckets and objects in the
ObjectStorageLab compartment.

Navigate to Identity > Policies.

8.8. Click Create Policy and fill in the following values:

Name: ObjectStorageLabPolicy
Description: Same as Name
Compartment: root

© 2020 TechTipsOnDemand.com 92
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Use the Policy Builder to quickly select from pre-defined commonly used policies.

Policy Use Cases: Storage Management

Common Policy Templates: Let Object Storage admins manage buckets and objects.

Under Groups, select the ObjectStorageAdmins group.

Under Location, select the ObjectStorageLab compartment.

As you select options, you will see the actual Policy Statement being generated at the bottom of the dialog. Notice the two
statements, one that allows the admin group to manage buckets in the compartment, and the another that allows the admin group
to manage objects in the compartment. The verb manage is special in that it allows the highest level of access for the resource
being secured.

There are other verbs like inspect and use which will see shortly.

Your screen should look similar to the screenshot below. Click the Create button once you are done.

8.9. Next you will author a set of policies to allow users to manage objects in a compartment. The storage users group will not have
permission to manage buckets, just objects.

This time you are going to author the policy directly without using the policy builder.

© 2020 TechTipsOnDemand.com 94
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Under Identity > Policies, click on the ObjectStorageLabPolicy you just created.

8.10. Select Edit Policy Statements.

8.11. On the Edit Policy Statements screen, click Add Another Statement and enter the following statement:

Allow group ObjectStorageUsers to manage objects in compartment ObjectStorageLab

8.12. Add another statement to let the users view buckets in a compartment.

Allow group ObjectStorageUsers to read buckets in compartment ObjectStorageLab

8.13. When are you done adding the statements, click the Save Changes button.

Your policy should now consist of the four statements:

8.14. Now in order for us to test to see if our policies work as they should, we need to create some users.

First we will create a storage admin user.

Under Identity > User, click Create User and fill in the following details:

Name: objectstorage_admin
Description object_storage_admin

Leave email blank and click the Create button.

8.15. On the User Details page for the admin user, set a password for this user by selecting the Create/Reset Password button.

You will be shown a one-time password for the user. Be sure to copy this down somewhere. This OTP will be reset upon first
login.
8.16. With the user created, you can now add the user to the storage admin group.

On the User Details page, click the Add User to Group button and select the ObjectStorageAdminGroup from the list.

The User Details page will list what groups this user is part of.

8.17. Repeat the above steps to create another user called objecstorage_user. Set a password as before and add the user to the
objectstorage_user group.

8.18. With both our users and our policies set up you can now test that everything works. Here are the steps.

1. Log in to the OCI Console as the storage admin user and set a new password.
2. Create an object storage bucket in the new compartment

© 2020 TechTipsOnDemand.com 99
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
3. Log in as the storage user and set a new password.
4. Read and write objects to the new bucket.

8.19. Log out of the OCI Console and log back in as the objectstorage_admin user using the OCI Direct Sign form (not Single Sign On).
You will be asked to set a new password.

8.20. Navigate to Object Storage from the main navigation menu.

8.21. By default you are working in the root compartment. You should see an authorization error since the objectstorage_admin user
has not been granted any access in the root compartment.

Select the ObjectStorageLab compartment under List Scope to change compartments. The authorization error should disappear.

8.22. Create a new object storage bucket, keeping all the default values.

After the bucket is created, your screen should look like this:

8.23. Next you will log in as the object storage user and try to write to the bucket.

Log back into the OCI Console as objectstoage_user. Again you will have to set a new password since this is the first time logging
in as this user.

8.24. Navigate to Object Storage and select the ObjectStorageLab compartment.

© 2020 TechTipsOnDemand.com 100

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

You should see the bucket that was just created by the admin user.

8.25. First verify that the storage user is not able to delete the bucket. Recall we only gave the regular user the ability to read buckets in
the compartment, not delete.

Try deleting the bucket by selecting the ellipsis next to the bucket name. The option will be visible but you should receive an
authorization error.
8.26. Next verify that this user can upload objects to the bucket by clicking on the bucket name and then the Upload button. Upload any
file you wish.
8.27. Verify the user can also delete objects in the bucket as well.

9. Lab Cleanup
9.1. Perform the following steps to clean up your lab environment:
1) Delete all objects that were created as part of this lab
2) Stop any running compute instances.

Conclusion

In this lab you were introduced to core object storage concepts buckets, objects, PARs and IAM policies. You used a variety of tools for
working with object storage, including the OCI Console, OCI CLI, and curl to create buckets and objects both public and private. We saw
how to grant access to objects using PARs for anonymous users, and how to use IAM policies and groups to grant users of our tenancy access
to buckets and objects.

© 2020 TechTipsOnDemand.com 101

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

Core OCI Load Balancer

Duration 1 hour

Skills Learned
At the end of this exercise, you will be able to:

▪ Provision different types of load balancers and listeners

▪ Manage backend sets
▪ Enable SSL
▪ Enable and view access and error logs

Overview

A load balancer is typically used to provide high availability for an application or service that is deployed across two or more servers by
distributing requests using an algorithm. A load balancer is configured to manage requests for a service across a pool of servers known as a
backend set in OCI. The load balancer is intelligent to know which servers are healthy and which are unhealthy using a health check system
that involves polling each backend compute instance.

If the load balancer detects one of the servers in a backend set is unhealthy, then it will mark it as such and not forward any requests to it, so
the client or user never gets sent to a bad server. When the load balancer detects the server is healthy again, its status is updated and can start
receiving requests again.

In this lab you will configure a load balancer to provide high availability and SSL for a simple website running on two compute instances.

Below is a picture showing what our VCN will look like when we are done. We will add an additional compute instance in app-subnet to
provide a two-node web server setup. A load balancer will be deployed in a new public subnet and will be configured to handle http and https
requests for our website.

© 2020 TechTipsOnDemand.com 102

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

Instructions

1. Setting up a 2-Node Apache Cluster

1.1. WARNING:
Setting up a 2 node cluster requires provisioning another compute instance which is not part of the Always Free Tier. If
you proceed with creating another compute instance you will certainly incur charges. You can minimize these charges by
only running the instance for the duration of the lab and then immediately stopping it after the lab.
In this section we are going to set up a website using Apache running on two compute instances.

We will use the app1 compute instance we created previously in addition to a new instance we will create right now.

© 2020 TechTipsOnDemand.com 103

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Create a new private compute instance called app2 in the same compartment and private subnet as app1.

Use the same Oracle Linux image as you did with app1.

Select the smallest compute shape available to keep costs down. Since you will have reached the service limits for the
Always Free tier, pick the smallest compute shape available.

For convenience use the same SSH key as you did with app1.

1.2. The next step is to install Apache on each server.

SSH into app1 through the bastion and run the following commands to install and enable Apache

$ sudo dnf install httpd

$ sudo systemctl enable --now httpd.service

Run the following commands to open up port 80 on app1.

$ sudo firewall-cmd --add-service=http --permanent

$ sudo firewall-cmd –-reload

It is important to note that every Oracle Linux image comes with a host-based firewall enabled. So in additional to using
security lists, you must also enable ports on the host itself.
1.3. Verify Apache is up and running by executing curl on the host.

$ curl -L http://localhost

The Apache default page should be returned in the response.

1.4. For this lab we want to create our own custom web page and not use the default page that comes with Apache. We are
going to create a very simple index.html.

$ sudo su
$ echo “Hello welcome to $HOSTNAME ” > /var/www/html/index.html

1.5. Run the curl command again and verify the new html page is returned instead of the default page. The hostname should
© 2020 TechTipsOnDemand.com 104
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
also appear on the page.
1.6. Repeat the previous steps to setup Apache on app2 with the same index.html page and configure the firewall to allow
http/80.

2. Preparing the Network

2.1. In this lab you are going to create a public load balancer – one that has a public IP address and is accessible on the
public internet. Visitors will access the website using the LB’s public IP address. Before we create a load balancer, we
need a place to put it.

The diagram at the beginning of this lab shows the public load balancer being provisioned in a new public subnet that is
called front-subnet.

Log into the OCI Console and create the new public subnet with the following parameters:

Name: front-subnet
Type: regional
Compartment: OCI_Labs
CIDR: 10.0.0.32/28
Route table: Default Route Table for vcn_oci_labs
Subnet access: Public
Security List: Leave blank – we will create a new one next.

© 2020 TechTipsOnDemand.com 105

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

2.2. We need some new security rules to allow HTTP into the load balancer on port 80 and another rule to allow HTTP traffic
to leave the load balancer and hit the web servers app1 and app2.

The first rule will allow HTTP on port 80 in to the load balancer’s subnet. The second rule will allow the load balancer to
send http traffic to the web servers running on port 80.

Create a new security list called Public_LB_SecList and add the following rules:

Ingress
Allow TCP from 0.0.0.0/0 to destination port 80

Egress
Allow TCP to 10.0.0.16/28 on port 80

© 2020 TechTipsOnDemand.com 106

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

2.3. Add this new security list to the public load balancer’s subnet.
2.4. Now we must create a corresponding security rule for the app-subnet to allow HTTP traffic in from the load balancer.

Create another security list call Private_App_SecList and add the following rule:

Ingress
Allow TCP from 10.0.0.32/28 to destination port 80.
2.5. Add the security list to the app-subnet.
3. Creating a Public Load Balancer
3.1. With our network prepared, we can now create a public load balancer. This public load balancer will be configured to
listen for HTTP traffic on port 80 and load balance requests across a backend set that has both app1 and app2 web
servers in it.

In the OCI Console, navigate to Networking > Load Balancers.

3.2. Click the Create Load Balancer button and specify the following parameters.

Load Balancer Name: website_lb

Choose Visibility Type: Public
Assign a public IP address: Ephemeral
Under shapes, keep the default values for bandwidth.

Under Choose Networking, place the load balancer in the front-subnet in the vcn_oci_labs VCN.

Click Next to configure the load balancer backend set.

3.3. Under Load Balancing Policy, select Weighted Round Robin. This policy will distribute requests evenly across our web
servers.

Click the Add Backends button and add app1 and app2 to the backend set. A backend is essentially our web server
cluster. The load balancer will load balance requests across every compute instance in the backend set.

Leave the default values under Health Check policy. The Health Check Policy is used by the load balancer to know if a
compute instance in the backend set is healthy or not. If it is not healthy, the load balancer will not forward requests to
that instance.

© 2020 TechTipsOnDemand.com 107

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Click Next to configure the Listener.
3.4. The Listener is what listens for incoming requests. You can define what protocol and what port the listener should be
listening on, and whether SSL/TLS should be configured.

In this lab:

1) Keep the default listener name

2) Specify HTTP as the traffic type
3) Specify port 80 as the listen ingress port

Click the Submit button to create the load balancer.

Oracle will assign a public IP address to the public load balancer, which you can see on the Load Balancer’s details
page. It is this public IP address that will be used to visit our website.
3.5. Once the load balancer is provisioned, it will take time for the Overall Health status to update showing healthy.

Verify the health of your backend set by clicking on the load balancer website_lb > Backend Sets > the backend set >
backends.

app1 and app2 should appear in the backend set.

© 2020 TechTipsOnDemand.com 108

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

3.6. Confirm the health of each backend – app1 and app2 – is healthy.

© 2020 TechTipsOnDemand.com 109

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
If the health is unknown or critical, verify the following:

1) Apache is up and running with our custom web page

2) The firewall on the web server host allows HTTP in
3) Security list for the app-subnet allows TCP/80 in from the load balancer subnet (front-subnet).
4) Security list on the public load balancer subnet (front-subnet) allows egress to app-subnet on port 80.

4. Verify the Load Balancer is Working

4.1. In this section you will confirm that the load balancer is load balancing requests across each web server and that it can
detect and handle one of the servers going offline.

In order to proceed, the backend set must be healthy as noted in the previous section.

4.2. When you installed and setup Apache to host our really simply website, you create an index.html page for each server.
To demonstrate what server is returning the request, you put the name of the server in the index.htm, such that when
you hit the public IP address of the load balancer, you will see a different index.html depending on what server the load
balancer is sending the request to.

To demonstrate, use your browser to go to the public IP address of the load balancer. You should see the index.html
that you created earlier with the name of the server.

Refresh your browser to reload the request. The load balancer will round robin your request across each server,
returning the index.html page for that server.

5. Testing Server Failure

5.1. In this section you will observe what happens when one of the web servers goes offline.

SSH into app1

5.2. Shutdown the webserver by running the command:

$ sudo systemctl stop httpd

5.3. Use your browser to revisit the public IP address of the load balancer. Verify that app2 is returning the request by
observing the output from the web page. Keep refreshing your browser window to confirm that only app2 is returning the
© 2020 TechTipsOnDemand.com 110
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
response.

5.4. In the OCI Console, check the health status of the backend set by going to Networking > Load Balancers > website_lb
> Backend Sets.

app1 should appear in a critical state.

OCI will check the health status of a server on a regular interval that you can configure. By default, the interval is 10000
ms.

5.5. Restart apache on app1

$ sudo systemctl start httpd

5.6. Verify the health of the backend set returns to OK. It may take some time for the change to be reflected in the UI, but you
should be able to test using your browser to hit the load blanacer IP address after a few seconds of restarting apache.

6. Enabling SSL
6.1. In this section you will enable SSL for your website by loading a certificate bundle into a new load balancer listener that
you will create.

The certificate bundle is a combination of a signed SSL certificate plus a private key. The load balancer uses this bundle
to accept SSL requests from users and to terminate the SSL connection at the load balancer. The request or network
traffic then moves from the load balancer to the web server unencrypted.

6.2. First let’s generate a certificate bundle to be used with the load balancer. For this exercise you will be created a self-
signed certificate using openssl.

This step requires the use of openssl, which is available for installation on most operating systems.

Run the following commands:

$ openssl genrsa -aes256 -passout pass:gsahdg -out server.pass.key 4096

$ openssl rsa -passin pass:gsahdg -in server.pass.key -out server.key
$ openssl req -new -key server.key -out server.csr

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

The server.key is the private key for the server, in this case, for the load balancer. It is used to terminate the SSL
connection before sending it to the web server.

The server.crt is the SSL certificate used to establish an SSL connection with end user.

6.3. Next we need to create a certificate bundle to be used with our load balancer.

In the OCI Console, navigate to Networking > Load Balancers > website_lb > Certificates.

6.4. Click the Add Certificate button.

Name the certificate ocilabs_selfsigned

Under SSL certificate, you can either upload the server.crt file or you can paste in its contents.

Add the private key by checking the box for Specify Private Key and uploading or pasting in the contents of server.key.

Click Add Certificate when done.

6.5. Once the certificate has been added, we now need to create a new listener to listen for https/443 requests using the
certificate we just uploaded.

Under Resources heading for the load balancer, select Listeners.

6.6. Click Create Listener.

Provide the following information:

Name: website_secure_listener
Check the box for Use SSL. This should update the Port to 443.

Certificate name: Select the ocilabs_selfsigned certificate.

Uncheck Verify Peer Certificate
Backend set: Select the backend set – there should be only one in the list.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Click the Create Listener button.

6.7. It will take OCI a moment to provision the listener with the certificate you specified.

You can check the status and any error messages under the Resources heading > Work Requests.

Typically the listener will fail if the SSL certificate or private key are invalid or malformed. If this is the case, then confirm
the certificate bundle was created properly. If not, recreate the bundle and add it to the listener.

6.8. Once the HTTPS listener is up and running, you may access the website using HTTPS instead of HTTP.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Using your browser, go to https://public_IP_address_of_LoadBalancer

Since we are using a self-signed certificate, the browser will warn you that you are accessing an unsafe website. In the
real world you would use a proper certificate from a trusted Certified Authority rather than a self-signed certificate.
However the process for using CA-signed cert and a self-signed cert with OCI is the same.

7. Enabling Logs
7.1. The OCI Load Balancer has the ability to write both access and error logs to the OCI Logging Service.

To enable logs, go to Logs under the Resources heading for the load balancer.

7.2. You can enable either the access log or error log or both.

Click on the Enable toggle for the Access Log and specify the following details:

Compartment: OCI_Labs
Log Group: Default_Group
Log Name: website_access_logs
Log Retention: 1 month

Click the button when you are done.

OCI Logging organizes logs into groups called Log Groups. You are free to create your own log groups, however in this
section we are using the default log group for simplicity.

7.3. You can access the log file from the Logs screen by clicking on the name of the log:

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
7.4. You can also get to OCI Logging in the OCI Console by navigating to Logging > Logs.

7.5. In another browser window, visit the website again a few times, refreshing the browser window. Doing so will create
entries in the access log.

7.6. View the access log by clicking on its name in the OCI Console. You should now see access log entries.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

7.7. Expanding one of the log entries will reveal more details about the request, including which web server handled the
request.
8. Cleaning Up
8.1. Perform the following steps to once you are done with the lab

1) Stop all running compute instances

2) Terminate the Load Balancer we created by going to the OCI Console > Networking > Load Balancers. Select the
ellipsis for the website-lb, then select Terminate, which will delete the load balancer and its configuration.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

Core Identity and Access Management

Duration 30 minutes

Skills Learned
At the end of this exercise, you will be able to:

▪ Organize resources using Compartments

▪ Create local OCI users and groups
▪ Manage access to resources using policies
▪ Create and manage users and groups using Identity Cloud Service

Overview

Up to this point in the lab, you have done everything as a tenancy administrator. As a tenancy administrator, you are a member of the
administrators group, which automatically grants access to do anything in the tenancy without needing explicit permission to do so. In the
real world however, resources need governance – there needs to be a separation of duties to ensure the security, integrity, and availability of
the resources in a tenancy. In plain English, this means putting users in groups and granting access to OCI resources using OCI IAM policies.

An IAM policy is a statement or set of statements that let someone or something do something with an OCI resource. The policy syntax is
based on natural language so it is easy to read and learn.

In this lab you will learn how to organize resources based on a typical organizational structure into compartments and manage them using
IAM policies.

We will also touch on using Identity Cloud Service or IDCS as the preferred method for managing users and groups rather than using local
IAM accounts. Every tenancy comes with an instance of IDCS, which allows you to federate with your company’s identity provider. This
allows you to easily and securely tie into your company’s identity management system without needing to maintain a duplicate set of users in
OCI. You can use IDCS on its own, even if you do not have a corporate identity management system.

Let us pretend that our organization’s IT department has the following teams, members, and responsibilities.

Team Responsibilities Members

Network Designing, implementing, and managing all networks in the cloud, including joe_smith
© 2020 TechTipsOnDemand.com 117
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Admins controlling security lists, routes, and gateways.

Storage Creating and managing block volumes, including managing backups, snapshots, jane_doe
Admins and migrations.

Developers Developing and deploying applications to compute nodes in the cloud. Team is han_lee
also responsible for creating and managing compute instances, including
attaching storage volumes to compute instances.

We want to set up our tenancy so that it aligns with our organizational structure. Each team will have its own OCI group and each team
member will be given an OCI account.

Compartments will be created to organize and manage OCI resources in alignment with our organizational structure. IAM policies will be
written to grant the groups access to resources.

Instructions

1. Creating a Compartment Structure

1.1. In this section you will create compartments to support the scenario outlined above. You will create the following
compartments:

Networks – used to organize certain virtual networking resources

DevTeam – used to organize compute and any other resources the development team is responsible for managing.

** You need to have the proper permissions in OCI to execute this lab. This lab presumes that you personally created the
OCI tenancy and therefore have the necessary permissions to create and manage resources already. **

1.2. Log into the OCI console using your web browser using the login URL that was in the welcome email from Oracle or go
to cloud.oracle.com and click on sign in.

You should be presented with a login screen that looks similar to the screenshot below. If you have never signed in, you
may be presented with a single dialog asking you for a cloud account name first. Enter in the name of the tenancy that
you specified when signing up. This will also be in your welcome email.

You will then see two options on the login screen. The first option (on the left) allows you to login using SSO. The second
© 2020 TechTipsOnDemand.com 118
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
option (on the right) allows you to login using a local account. Select the second option and use the credentials you
specified when signing up for OCI.

1.3. Once you have logged in, you will be in the OCI console.

Click the stacked bars in the upper left and then click on Identity (near the bottom).

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

1.4. Select Compartments under Identity.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

1.5. Create a compartment by clicking the button and specifying the following parameters.

Name: Networks
Description: Put whatever you want here but it is a required field.
Parent Compartment: Select the OCI_Labs compartment

Your screen should look similar to the screenshot below.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

Click the button at the bottom of the dialog to create the compartment.

1.6. The Networks compartment should now appear in the list of compartments in the OCI console under the OCI_Labs
compartment.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

1.7. Create the DevTeam compartment following the same steps as the Networks compartment.

2. Creating Local Users and Groups

2.1. In this section you will create local users and groups in OCI for each of the teams:

NetworkAdmins
StorageAdmins
DevTeam

You will eventually write IAM policies that grant these groups access to certain OCI resources.

2.2. Access OCI Groups by selecting Groups under Identity. You can also click on the stacked bars in the upper-left, then
navigate to Identity then Groups.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

Notice there is one group already created: Administrators. This group was created when we created the tenancy and
contains at least one user – the person who created the tenancy.
2.3. Click Create Group and specify the following parameters for the Network Admins group.

Name: NetworkAdmins
Description: Put whatever you want here but it is a required field.

Once you are done click Create.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

2.4. Repeat the process for the StorageAdmins group and the DevTeam group.

Your group list should look like this:

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

2.5. You may have seen various warnings and notices about creating federated groups. What we are doing here in this lab is
creating local users and groups, which live and are managed only within OCI. OCI supports federation with an external
identity provider (IdP) that allows users to log in using SSO. Federated users and groups are managed by the IdP, not
by OCI.

2.6. Now let’s create some users. Click on Users on the left side of the screen under Identity.

2.7. Use the Create User button to create the following users. You can leave the email addresses blank.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Name: joe_smith
Name: jane_doe
Name: han_lee

2.8. Your Users screen should look like the following:

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

2.9. Next let’s assign these users to the right groups. You can either add a user to a group, or a group to a user.

For this tutorial we will be adding users to a group through the Group interface. This is preferred if you are adding users
in bulk.

Navigate to Groups and select the NetworkAdmins group.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

2.10. Under Group Members, select Add User to Group.

Select joe_smith from Users list and click Add.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

2.11. Repeat the above steps to add jane_doe to the StorageAdmins group and han_lee to the DevTeam group.

2.12. At this point, users have been created and assigned to groups, but the users do not yet have any credentials to login or
access OCI.

You can assign a one-time password to a user in the Console. When the user logs into the console for the first time, they
will be asked to change the password.

Navigate to Users under Identity and select joe_smith.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

2.13. Generate a password for joe_smith by clicking the Create/Reset Password button. Then click Create/Reset Password
button again to confirm the action.

2.14. A new password will be generated for the user. You must save the password somewhere until you log in as this user.

If you lose the password, you can always repeat the above steps to rest the password.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

2.15. Repeat the above steps to create passwords for jane_doe and han_lee. Be sure to save each of the passwords.

2.16. Let’s verify that we can log in as one of the users using the new password.

First you need to log out of the OCI Console. Locate the profile icon in the upper right of the screen and select Sign out.

2.17. Log back in using the joe_smith local user and the password that was generated.
2.18. You will be asked to change the password when you log in for the first time.
© 2020 TechTipsOnDemand.com 132
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
2.19. The users we created do not yet have any permissions assigned to them. We did add users to a group, but we have not
yet written any IAM policies granting users access to really do anything.

To verify this, try creating a compartment as before.

Go to Identity > Compartments.

2.20. Notice how the user can only see the root compartment and the managed compartment for PaaS. This user cannot see
any of the compartments that were created earlier because we have not granted this user any permissions. Users need
INSPECT permission at a minimum to see a list of compartments.

2.21. Try creating a compartment by clicking the Create Compartment button.

The dialog will appear, and you are able to fill it out. However when you click the create button, you will receive an
authorization error. This is expected since this user has not been given any permissions.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

3. Writing an OCI IAM Policy

In this section you will write a couple IAM policies to grant our users access based upon each group’s responsibilities
3.1.1.
that were called out earlier in the lab. We will write the remaining policies in future labs. This section is meant to
demonstrate policy writing.

3.2. Log back into the OCI console as a tenancy administrator. (In most cases, this is the account you used to sign up for
OCI).

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
Remember only the Tenancy Administrator has access to write IAM policies at this point.

3.3. Navigate to Identity > Policies

3.4. Policies are created in a compartment, just like most other OCI resources you will create.

Under List Scope, select the root compartment.

You will see two default policies – one for the Tenancy Admin and one called PSM-root-policy.

3.5. To see what a policy looks like, click on the Tenancy Admin policy. This policy grants the group Administrators access to
manage all resources in the tenancy.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

3.6. Click on Policies in the breadcrumbs near the upper left to go back to the list of policies.

3.7. The first policy we want to write is to allow everyone in our tenancy to see the list of compartments. This will allow users
to see what compartments are available through the OCI Console or through the OCI API, however it will not allow users
to create compartments. Only administrators will be allowed to create compartments.

Under List Scope, select the root compartment so that we are viewing policies for the root compartment.

3.8. Click Create Policy. This will launch the create policy dialog.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

Specify the following parameters for the policy:

Name: Default_User_Policy
Description: Default policy that will apply to all users
Keep Policy Current: Enabled
Compartment: (root)

Policy Statement #1:

Allow any-user to inspect compartments in tenancy

This policy will let everyone in the tenancy read all compartments. Any-user is a special group that automatically refers to
every user in the tenancy.

Save the policy when you are done.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

3.9. Notice that a policy can have more than one statement, which is handy if you wish to group related policy statements into
a single policy.

4. Let Network Admins Management Networks

4.1. The next policy you are going to create is to allow the network admins to create and manage all network related
resources under the OCI_Labs compartment. This includes virtual cloud networks, security lists, subnets, and network
security groups.

Click on the Customize(Advanced) link and Create a new policy with the following parameters.

Name: Network_Management_Policy
Description: Network management policy
Compartment: root
© 2020 TechTipsOnDemand.com 138
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

Policy Statement #1:

Allow group NetworkAdmins to manage virtual-network-family in compartment OCI_Labs

Save the policy when you are done.

Let’s break down this policy statement.

The subject of this policy statement is the group NetworkAdmins.

The resource that is being granted access to is virtual-network-family, which represents a collection of OCI networking
resources, including VCNs, security lists, subnets and network security groups.

The last portion of the policy statement specifies the location where the access is being granted, in this case the
OCI_Labs compartment, which will include any child compartments as well.

4.2. Let’s verify this policy statement actually works by logging in as the network admin and see if we can create a virtual
cloud network.

4.3. Log out of the OCI console and log back in as joe_smith. You will be asked to set a password for this user upon first
login.
4.4. Navigate to Networking > Virtual Cloud Networks from the left-hand navigation pane.

By default you are in the root compartment after logging into the OCI console. You should see an authorization failed
error on the Virtual Cloud Networks screen. This is because joe_smith has not been granted any network-related access
in the root compartment.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
4.5. On the left-hand side under List Scope, select the OCI_Labs:Networks compartment. The error should disappear since
joe_smith has manage permissions in this compartment, which gives Joe the ability to create a virtual network.

Let’s verify that right now by creating a virtual cloud network using the VCN Wizard.

a. Start the VCN Wizard.

b. Create a VCN with Internet Connectivity and name it test-vcn.

c. Select the Networks compartment.

d. Accept all other default values and finish creating the VCN.

The Wizard will create the VCN and all supporting networking services in the Networks compartment.

4.6. Let’s see if Joe can create any compute instances in the private subnet.

Navigate to Compute Instances and try provisioning a compute instance in the OCI Labs, Networks, or DevTeam
compartments.
You can tell immediately that the Joe, who is a network admin, cannot even see a list of available compute instances in
any compartment as the OCI Console displays an authorization error when trying to render the page.

A Network Admin should be able to at least see what compute instances are deployed in a VCN.

You will have to log back into the OCI Console as yourself to create the policy.

Add this statement to the Network Management Policy.

Allow group NetworkAdmins to read instances in OCI_Labs

4.7. Log back into the OCI Console as Joe Smith and review the list of compute instances in the OCI Labs compartment by
going to Compute > Instances.

Joe should now be able to see the two compute instances that were created earlier in this lab: bastion1 and app1.

If you try to create an instance as Joe, you will be met with an authorization error since the NetworkAdmins only have
READ permission on compute instances.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
5. Let Storage Admins manage Block Volumes
5.1. Log back into the OCI Console as yourself again since we are about to create some additional IAM policies.

The next policy you will write will allow the storage team the ability to create block volumes and take backups.

Create the following policy named Storage_Admin_Policy in the root compartment:

Allow group StorageAdmins to manage volume-family in compartment OCI_Labs

Allow group StorageAdmins to use instance-family in compartment OCI_Labs

The first statement lets the storage admins manage volumes in the OCI Labs compartment, while the second policy
allows the storage admins to attach volumes to compute instances that are deployed in any compartment under OCI
Labs.
The verb USE includes the ability for the storage admins to read compute instances but also attach volumes as well.

5.2. Log into the OCI Console as Jane Doe and verify the following actions:

a. Create a block volume in the DevTeam compartment called app_datavol2.

6. Let the Dev Team create Compute Instances

6.1. The development team has the ability to provision compute instances in VCNs and attach block volumes, but it does not
have the authority to create networks or block volumes. Create the following policy statements in a single policy named
DevTeam_Policy.

1) Allow group DevTeam to manage instance-family in compartment OCI_Labs:DevTeam

2) Allow group DevTeam to use volumes in compartment OCI_Labs:DevTeam
3) Allow group DevTeam to manage volume-attachments in compartment OCI_Labs:DevTeam
4) Allow group DevTeam to use virtual-network-family in compartment OCI_Labs:Networks

The first statement lets the dev team manage instance-family in the DevTeam compartment. Instance-family refers to a
family of compute resources. The verb manage lets the group do everything with those resources.

The second and third statements let the dev team attach block volumes to compute instances, however they cannot
create, delete, or backup those volumes.

The fourth statement lets the dev team use networking resources in the Networks compartment. This policy is required to
provision compute instances in a subnet. Similar to the second policy statement, the dev team only has permission to

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
use resources, not manage them.
7. Verify the Policies Work
7.1. Log in to the OCI Console as Han Lee, who is a member of the DevTeam.

7.2. Create an Always Free Eligible compute instance in the DevTeam compartment with the following parameters:

Create in compartment: DevTeam

Shape: Any Always Free Eligible Shape

Under Networking…
Select the test-vcn from the Networks compartment.
Select the Private Subnet-test-vcn from the Networks compartment.

Accept all other default values and click Create. A compute instance should be provisioned in the DevTeam
compartment as shown below:

7.3. Try to attach the app_datavol2 block volume created earlier to the compute instance.

Click on the compute instance you just created, then select Attached Block Volumes under Resources.

Disregard the authorization error you may see in the OCI Console, as the Console is attempting to list block storage
volumes in the DevTeam compartment, to which you do not have access.

7.4. Click Attach Block Volume

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

a. Select Paravirtualized
b. Select the app_datavol2 from the DevTeam compartment
c. Click Attach

8. Creating Federated Users and Groups

8.1. Up to this point we have created and worked with local users and groups only. OCI allows you to use federated users
and groups with an external Identity Provider. Federation between an IdP and OCI allows your users to login to OCI
using Single-Sign-On (SSO) with the IdP being responsible for authentication of those users.

Users and groups are created and managed in the Identity Provider and are federated with your OCI tenancy. The
federated groups are mapped to local OCI groups so that those federated users can be granted access to OCI resources
through IAM policies.

When you sign up for an Oracle cloud tenancy, you get a free Oracle Identity Cloud Service instance. This IDCS
instance is automatically federated with OCI.

In this lab you will learn how create and manage a federated user and group.

8.2. Log into the OCI Console as yourself or someone with tenancy administration privileges.
8.3. Under Identity select Federation.

8.4. Select OracleIdentityCloudService.

An identity federation with IDCS is already setup for you to use.

8.5. On the OracleIdentityCloudService details page, click the link for the Oracle Identity Cloud Service Console.

This link will launch the login page for the IDCS console, which is a separate console from the OCI console.
8.6. Log in using your OCI credentials. You will be presented with the IDCS console.

IDCS is a full-featured Identity Management Service from Oracle that supports federation with on-prem IdP as well as
acting as an IdP itself. In this lab, IDCS is our IdP and we will create a user and group in the IdP.

8.7. In the upper left, click on the stacked bars and select groups.
© 2020 TechTipsOnDemand.com 143
A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

8.8. Click the Add button to add a group, specifying the following parameters:

Name: NetworkAdminsFederated

Click Finish.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

8.9. Click on Users in the left hand side then click the Add button to add a new user.

8.10. In the New User dialog, first uncheck the ‘Use the email address as the user name’ box enter the following information:

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide
First Name: Joe
Last Name: Smith
Username: joe_smith
Email: Use your email address here. Unlike Local users, Federated users require an email address.

8.11. Click Next and then select the NetworkAdminsFederated group then click Finish.

IDCS will create the user and map it to the group. IDCS will also send an email with a link to activate the account and for
setting a password.

8.12. Before activating the account, log out of both IDCS and the OCI Console.

Activate the account and set a password using the link provided in the email from Oracle.
8.13. Now navigate back to the OCI console login page.

Select the oracleidentitycloudservice Identity Provider under Single Sign-On and click Continue.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

8.14. Log in using joe_smith as the username and the password you specified.

You have now logged in using the joe_smith federated account.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

8.15. Once you are logged in, you can tell that you are logged in through SSO using IDCS by clicking on the profile icon in the
upper right hand corner of the console. Your username will be prefixed with the name of the identity provider.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

8.16. Under Profile, click on oracleidentitycloudservice/joe_smith.

You will be taken to the user’s profile page. Under Groups you will see a message stating that group membership for
federated users is done by the identity provider, not by OCI.

When we created joe_smith in IDCS, we placed him in a group called NetworkAdminsFederated. This IDCS group is
also federated with OCI, so it is available for us to use in OCI.

8.17. Log out of the OCI Console and log back in as yourself or someone with tenancy admin privileges.
8.18. Navigate to Identity > Federation in the OCI Console and click on OracleIdentityCloudService.

8.19. You should see a list of federated users from IDCS.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

8.20. Click on Groups to see a list of federated groups, including NetworkAdminsFederated.

8.21. OCI allows you to use federated groups and users in IAM policies. To do this, you must map the federated group to a
local OCI group.

Let’s map the NetworkAdminsFederated group to the NetworkAdmins local OCI group.

a. Click on Group Mappings under Resources for the OracleIdentityCloudService federation.

b. Click Add Mappings and select NetworkAdminsFederated and NetworkAdmins
c. Click Add Mappings again to create the mapping.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

8.22. The federated group is now mapped to the NetworkAdmins group and is subject to all existing IAM policies. So Joe
Smith, our network admin, can log into OCI using SSO/IDCS and create and manage network resources just like a local
user.

Feel free to verify group mapping and policies work by logging in to OCI using SSO rather than Direct Sign-in.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

References
Create an Oracle Account
https://login.oracle.com/mysso/signon.jsp

SSH Agent Forwarding

https://www.cloudsavvyit.com/25/what-is-ssh-agent-forwarding-and-how-do-you-use-it/

Appendix A : How to Access Private OCI Compute Instances using a Jump Server
To connect to a private compute instance that does not have a public IP address, you use another server to jump through that has a public IP
address. This jump server, sometimes called a bastion has both a public IP address and a private IP address that is part of the VCN where the
private compute instance lives. To connect to a private instance, you first ssh to the bastion using its public IP address, then jump to the
private instance using the private instance's private IP.

SSH agent forwarding handles passing your private SSH key to the private instance that you are trying to connect to without having to store
the private key on the bastion host.

This guide will show you how to set up SSH agent forwarding for both Windows and Linux

SSH Agent Forwarding on Windows using PuTTy

You will need the following things before proceeding:

1. PuTTy installed
2. Paegant installed (usually comes bundled with PuTTy)
3. Private SSH keys for the bastion and private compute instance you want to connect to. This is covered in the lab on Core
Compute.
Step 1: Load your SSH keys into Paegant

Pageant is a Putty utility that allows you to load SSH keys into memory.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

1) Launch Paegant from the Start Menu. Paegant will appear in the system tray.

2) Right click on the Paegant icon and select View Keys.

3) Click Add Key and add any private SSH keys you need to access the bastion and the private compute instance.

Step 2: Configure a PuTTy Session

Next we need to configure PuTTy to forward our SSH keys to the target private compute instance by configuring SSH agent forwarding.

1) Launch PuTTy
2) Create a new session for connecting to the bastion server by specifying the username and public IP address in the Hostname field. The
default username for Oracle Linux images is opc or oci. The default username for Ubuntu images is ubuntu.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

3) Under Connections > SSH > Auth, check the box to allow agent forwarding.
4) On the same screen, under Private key file for authentication, specify the private key for the bastion server.

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

4) Go back to the Session category and save the session.

Step 3: Connect to the private instance through the jump server

1) In PuTTy connect to the bastion server by opening the session.

2) Once connected to the bastion, verify that you see the message: "imported-openssh-key" from agent.” This message indicates that SSH
agent forwarding is working. If you do not see this message, ensure that you have configured SSH agent forwarding and loaded your
SSH key into Paegant.
3) Once connected to the bastion, you should be able to ssh into the private compute instance using its private IP address. The username
will be the default username for the type of VM image used on the compute instance (oci/opc for Oracle Linux, ubuntu for Ubuntu).

A Practical Guide to Oracle Cloud for Infrastructure Lab Guide

Oracle Cloud Infrastructure Foundations STUDENT Guide
No ratings yet
Oracle Cloud Infrastructure Foundations STUDENT Guide
114 pages
OCI 2023 Multicloud Architect Associate Sure Pass
No ratings yet
OCI 2023 Multicloud Architect Associate Sure Pass
41 pages
Oracle Cloud Infrastructure Foundations PDF
50% (2)
Oracle Cloud Infrastructure Foundations PDF
121 pages
CorelDraw Training For Laser Cutting Machines With Many Examples Learn and Master Many Example You Can Do With Coreldraw.... (Kaşoğlu, Abdulkadir Kaşoğlu, Abdulkadir)
No ratings yet
CorelDraw Training For Laser Cutting Machines With Many Examples Learn and Master Many Example You Can Do With Coreldraw.... (Kaşoğlu, Abdulkadir Kaşoğlu, Abdulkadir)
59 pages
1z0-1072 Updated PDF
100% (2)
1z0-1072 Updated PDF
72 pages
OCI Architect 2023 - Exam
100% (1)
OCI Architect 2023 - Exam
62 pages
Question#1/104: Not Be The Same
100% (1)
Question#1/104: Not Be The Same
61 pages
Oracle 1z0-1072 New PDF
No ratings yet
Oracle 1z0-1072 New PDF
79 pages
Oracle DBA Workshop I - Introduction
0% (1)
Oracle DBA Workshop I - Introduction
242 pages
SnapLogic Second Edition
From Everand
SnapLogic Second Edition
Gerardus Blokdyk
No ratings yet
Oracle Essbase 11 Development Cookbook
From Everand
Oracle Essbase 11 Development Cookbook
Jose R. Ruiz
No ratings yet
Golden Notes CSS Current Affairs 2020
100% (1)
Golden Notes CSS Current Affairs 2020
120 pages
Concurrent Requests
No ratings yet
Concurrent Requests
24 pages
OCI Fast Track Tutorial-OCI
No ratings yet
OCI Fast Track Tutorial-OCI
52 pages
OCI Fast Track Tutorial-OCI v26
No ratings yet
OCI Fast Track Tutorial-OCI v26
68 pages
Oracle Infrastructure Architect Associate All One PDF
No ratings yet
Oracle Infrastructure Architect Associate All One PDF
663 pages
Exam 1z0-1067-20: IT Certification Guaranteed, The Easy Way!
No ratings yet
Exam 1z0-1067-20: IT Certification Guaranteed, The Easy Way!
50 pages
Real Oracle 1Z0-1072-20 Exam Practice Questions (June 2021)
No ratings yet
Real Oracle 1Z0-1072-20 Exam Practice Questions (June 2021)
7 pages
Oci-Architect-Associate 2020
No ratings yet
Oci-Architect-Associate 2020
20 pages
A. Disable Cookie-Based Session Persistence On Your Backend Set
No ratings yet
A. Disable Cookie-Based Session Persistence On Your Backend Set
28 pages
1Z0-1072-20 - DumpsTool - Mansoor
No ratings yet
1Z0-1072-20 - DumpsTool - Mansoor
3 pages
Practice Exam For The Oracle Cloud Infrastructure 2021 Architect Professional (1Z0-997-21) Certification
No ratings yet
Practice Exam For The Oracle Cloud Infrastructure 2021 Architect Professional (1Z0-997-21) Certification
14 pages
OCI 1Z0-997 Verified 27july2020
No ratings yet
OCI 1Z0-997 Verified 27july2020
32 pages
OCI-Cloud Operation
67% (3)
OCI-Cloud Operation
27 pages
OCI Architect Associate (1Z0-1072)
No ratings yet
OCI Architect Associate (1Z0-1072)
52 pages
OCI Architect 2021 Professional (1Z0-997-21) Dumps
No ratings yet
OCI Architect 2021 Professional (1Z0-997-21) Dumps
26 pages
OCI 2025 Multicloud Architect Associate
100% (1)
OCI 2025 Multicloud Architect Associate
42 pages
Oracle 1z0 997 PDF
No ratings yet
Oracle 1z0 997 PDF
9 pages
OCI Professional 2023
No ratings yet
OCI Professional 2023
43 pages
Oracle-1Z0-1072-20: Comprehensive Cheat Sheet To Pass Oracle 1Z0-1072-20 Exam
No ratings yet
Oracle-1Z0-1072-20: Comprehensive Cheat Sheet To Pass Oracle 1Z0-1072-20 Exam
8 pages
Answer
86% (7)
Answer
39 pages
Oracle: Question & Answers
No ratings yet
Oracle: Question & Answers
6 pages
Oracle-1z0-932 Testking Pass 82% Acuraccy
100% (1)
Oracle-1z0-932 Testking Pass 82% Acuraccy
36 pages
OCI ARCHITECT ASSOCIATE
No ratings yet
OCI ARCHITECT ASSOCIATE
24 pages
Test Oracle 1z0-997-20 Part 2
No ratings yet
Test Oracle 1z0-997-20 Part 2
5 pages
OCI Architect Associate (1Z0-1072)
No ratings yet
OCI Architect Associate (1Z0-1072)
43 pages
Oracle Cloud Infrastructure Architect Associate All-in-One Exam Guide (Exam 1Z0-1072) Roopesh Ramklass - The ebook is available for quick download, easy access to content
100% (1)
Oracle Cloud Infrastructure Architect Associate All-in-One Exam Guide (Exam 1Z0-1072) Roopesh Ramklass - The ebook is available for quick download, easy access to content
58 pages
Oracle: Oracle Cloud Infrastructure 2019 Architect Professional
No ratings yet
Oracle: Oracle Cloud Infrastructure 2019 Architect Professional
33 pages
1Z0 997 21 - PDFVersion
100% (2)
1Z0 997 21 - PDFVersion
44 pages
Topic 1 - Exam A: Hide Solution Discussion
No ratings yet
Topic 1 - Exam A: Hide Solution Discussion
14 pages
D89113GC10 Ag
No ratings yet
D89113GC10 Ag
316 pages
Exam Topics 1Z0-082
No ratings yet
Exam Topics 1Z0-082
5 pages
Best Practices For Iam On Oci
No ratings yet
Best Practices For Iam On Oci
12 pages
Oracle: Question & Answers
No ratings yet
Oracle: Question & Answers
22 pages
Actualpdf: Unlimited Lifetime Access To 5000+ Certification Actual Exams PDF
No ratings yet
Actualpdf: Unlimited Lifetime Access To 5000+ Certification Actual Exams PDF
8 pages
Rac Trouble
No ratings yet
Rac Trouble
20 pages
Skill Check: OCI Introduction: 1 H T A e T T I R I
No ratings yet
Skill Check: OCI Introduction: 1 H T A e T T I R I
27 pages
Oracle 19c DataGuard Step by Step
No ratings yet
Oracle 19c DataGuard Step by Step
6 pages
Exam 1z0-1072: IT Certification Guaranteed, The Easy Way!
No ratings yet
Exam 1z0-1072: IT Certification Guaranteed, The Easy Way!
81 pages
Resolving Gaps in DataGuard Apply Using Incremental RMAN Backup
No ratings yet
Resolving Gaps in DataGuard Apply Using Incremental RMAN Backup
6 pages
1
No ratings yet
1
4 pages
OCI Material
No ratings yet
OCI Material
11 pages
Oracle Database Security Primer
No ratings yet
Oracle Database Security Primer
160 pages
Test OCI Architect
No ratings yet
Test OCI Architect
35 pages
Oracle Cloud Infrastructure (OCI) Architect Associate Exam 2019 (1Z0-1072) Study Guide
No ratings yet
Oracle Cloud Infrastructure (OCI) Architect Associate Exam 2019 (1Z0-1072) Study Guide
7 pages
1Z0-1072-23 28question Update 16nov2023
No ratings yet
1Z0-1072-23 28question Update 16nov2023
8 pages
Oracle Database Security
No ratings yet
Oracle Database Security
160 pages
Oracle Cloud Infrastructure (OCI) Foundations 2021 Associate (1Z0-1085-21) Sample Question & Answer
No ratings yet
Oracle Cloud Infrastructure (OCI) Foundations 2021 Associate (1Z0-1085-21) Sample Question & Answer
4 pages
Oracle RAC Commands
100% (1)
Oracle RAC Commands
2 pages
1Z0 1072 Questions
No ratings yet
1Z0 1072 Questions
4 pages
Oracle 1z0 931 - Dumpspedia
No ratings yet
Oracle 1z0 931 - Dumpspedia
25 pages
Oracle Autonomous Database Notes PDF
0% (1)
Oracle Autonomous Database Notes PDF
5 pages
Oracle Data Guard A Clear and Concise Reference
From Everand
Oracle Data Guard A Clear and Concise Reference
Gerardus Blokdyk
No ratings yet
Provisional Balance Sheet of 2021-22
No ratings yet
Provisional Balance Sheet of 2021-22
3 pages
04 Civil Judge Ocr
No ratings yet
04 Civil Judge Ocr
17 pages
03 Senior Civil Judge Ocr
No ratings yet
03 Senior Civil Judge Ocr
23 pages
01 District Judge Ocr
No ratings yet
01 District Judge Ocr
14 pages
Class: 1A1 Period I II III IV Break V VI VII Viii
No ratings yet
Class: 1A1 Period I II III IV Break V VI VII Viii
1 page
Alfresco Metadata Mapping
No ratings yet
Alfresco Metadata Mapping
12 pages
Assignment Database Maheshika PearsonNo Reg 11179
No ratings yet
Assignment Database Maheshika PearsonNo Reg 11179
77 pages
Manual
No ratings yet
Manual
458 pages
Aioseo Buysalegocom
No ratings yet
Aioseo Buysalegocom
11 pages
Api Practice 576, Forth Edition April 2017 PDF
No ratings yet
Api Practice 576, Forth Edition April 2017 PDF
133 pages
HPC Lab Manual Zeel
No ratings yet
HPC Lab Manual Zeel
22 pages
ARANDA MALVAR PERALTA EBrgyRecord A Web Application Barangay Monitoring and Management System
No ratings yet
ARANDA MALVAR PERALTA EBrgyRecord A Web Application Barangay Monitoring and Management System
68 pages
Belkin BOOST Charge Pro USB-C Wall Charger 20W With USB-C To Lightning Cable (1.2m) - Apple
No ratings yet
Belkin BOOST Charge Pro USB-C Wall Charger 20W With USB-C To Lightning Cable (1.2m) - Apple
1 page
Customer Information Rechargable Lewi R LI and Risa R LI and Acessories
No ratings yet
Customer Information Rechargable Lewi R LI and Risa R LI and Acessories
29 pages
ITIL 4 Foundation Important Abbreviations and Definitions
No ratings yet
ITIL 4 Foundation Important Abbreviations and Definitions
9 pages
Neuron Spiking Code in Python
No ratings yet
Neuron Spiking Code in Python
2 pages
OS CDAC Question Paper PDF
No ratings yet
OS CDAC Question Paper PDF
3 pages
Servers For Hackers Casestudies
No ratings yet
Servers For Hackers Casestudies
59 pages
Nisha Shetty Resume New
No ratings yet
Nisha Shetty Resume New
3 pages
SST Esr2 CLX RLL and SST Sr4 CLX RLL User Reference Guide
No ratings yet
SST Esr2 CLX RLL and SST Sr4 CLX RLL User Reference Guide
385 pages
Pcnse Study Guide Strony 1 36
No ratings yet
Pcnse Study Guide Strony 1 36
36 pages
Administering Manufacturing Planning
No ratings yet
Administering Manufacturing Planning
178 pages
Paper - II Web Technology
No ratings yet
Paper - II Web Technology
248 pages
5
No ratings yet
5
3 pages
60 Remote Jobs by Ayobami Olu Ajibola _20250115_184919_0000
No ratings yet
60 Remote Jobs by Ayobami Olu Ajibola _20250115_184919_0000
6 pages
NFPA 13 2016 2019 Roadmap
No ratings yet
NFPA 13 2016 2019 Roadmap
26 pages
Practical Assignment-10 Mini Project Nutrition Calculator - Calculate Nutrition For Recipes
No ratings yet
Practical Assignment-10 Mini Project Nutrition Calculator - Calculate Nutrition For Recipes
16 pages
AJP (Kunal)
No ratings yet
AJP (Kunal)
9 pages
Module 10 - IO Systems
No ratings yet
Module 10 - IO Systems
46 pages
Ip Sample Paper 4 Answer Key
No ratings yet
Ip Sample Paper 4 Answer Key
5 pages
PW 1
No ratings yet
PW 1
3 pages
Easttom PPT 01 Final
No ratings yet
Easttom PPT 01 Final
24 pages
Unit4 DrCSYadav
No ratings yet
Unit4 DrCSYadav
99 pages