
Oracle Cloud Infrastructure

Practice: Identity and Access Management


V1.2
ORACLE LAB BOOK | MARCH 2018
Disclaimer
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

Table of Contents

Disclaimer

Overview

Pre-Requisites

Practice 2-1: Signing in to the Console

Practice 2-2: Managing Users, Groups and Policies to Control Access

ORACLE OCI
Overview
The Oracle Cloud Infrastructure Identity and Access Management (IAM) Service lets you control who
has access to your cloud resources. You control the types of access a group of users has and to which
specific resources.
The purpose of this lab is to give you an overview of the IAM Service components and an example
scenario to help you understand how they work together.

Pre-Requisites
• Oracle Cloud Infrastructure account credentials (User, Password, and Tenant)

Practice 2-1: Signing in to the Console

Overview
In this practice, you sign in to the Oracle Cloud Infrastructure console using your credentials.

Assumptions
Note: Some of the UIs might look a little different than the screenshots included in the instructions, but
students can still use the instructions to complete the hands-on labs.

Before You Begin


To sign in to the Console, you need the following:
• Tenant, User name and Password
• URL for the Console: https://console.us-ashburn-1.oraclecloud.com/
• Any browser from the supported browsers list (Recommended)
Note:
• For this lab we use cloud.admin and <your-name@oracle.com> as the user names to
demonstrate the scenarios. You must use your own cloud.admin credentials when you perform
these tasks.
• Oracle Cloud Infrastructure supports the latest versions of Google Chrome, Firefox and
Internet Explorer 11.
• When you are provisioned, you will receive a customized URL for your organization. For
example, https://console.us-ashburn-1.oraclecloud.com?tenant=<your-tenant-id>
• If you omit the tenant argument, the system will ask you to input your tenancy before you
can log in.

Duration: 5 minutes

Tasks
1. Sign In
a. Open a supported browser and go to the Console URL. For example,
https://console.us-ashburn-1.oraclecloud.com.
b. Enter your tenant name: <Tenant> and click Continue.

c. Because Oracle Cloud Infrastructure is integrated with Identity Cloud Services, you will see a screen
validating your Identity Provider. You can just click Continue.

d. Enter your user name and password
Username: cloud.admin
Password: <instructor will provide password>

When you sign in to the Console, the home page is displayed.

The home page gives you quick links to the documentation and to Oracle Support.

Practice 2-2: Managing Users, Groups and Policies to Control Access

Overview
A user's permissions to access services come from the groups to which they belong. The permissions
for a group are defined by policies. Policies define what actions members of a group can perform, and
in which compartments. Users can access services and perform operations based on the policies set
for the groups of which they are members.
We'll create users, groups, and policies to understand the concept.

Before You Begin


You should have completed Practice 2-1.

Duration: 20 minutes

Tasks
1. Create a Group in Your Tenancy
a. Sign in to the console. On the Home page, click Identity, then select Groups.
b. Click Create Group.
c. In the Create Group dialog box, enter the following:
1) Name: Enter a unique name for your group such as "oci-group". Note that the group name
cannot contain spaces.
2) Description: Enter a description (for example, "New group for oci users").
3) Click Submit.

2. Create a Compartment in Your Tenancy
a. On the Home page click Identity, then select Compartments.
b. Click Create Compartment.
c. In the Create Compartment dialog box, enter the following:
1) Name: Enter a unique name for your compartment such as "OCI-Demo". Note that the
compartment name cannot contain spaces.
2) Description: Enter a description (for example, "New compartment for oci demo").
3) Click Create Compartment.

3. Now, let's create a policy that gives your group permissions in your assigned compartment. For
example, create a policy that gives members of group oci-group permissions in compartment
OCI-Demo:
a. In the Console, click Identity, and then click Policies.
b. On the left side, select your OCI-Demo compartment.
c. Click Create Policy.
d. Enter a unique Name for your policy (for example, "Policy-for-oci-group"). Note that the name
can NOT contain spaces.
e. Enter a Description (for example, "Policy for OCI Group").
f. Enter the following Statement:
Allow group oci-group to manage all-resources in compartment OCI-Demo
g. Click Create.

4. Create a New User


a. In the Console, click Identity, and then click Users.

b. Click Create User.
c. In the New User dialog box, enter the following:
i. Name: Enter a unique name or email address for the new user. For example:
yourname@oracle.com
This value is the user's login name for the Console and it must be unique across all other
users in your tenancy.
ii. Description: Enter a description. For example, New oci user.

d. Click Create.
5. Set a Temporary Password for the Newly Created User
a. From the list of users, click on the user that you created to display its details.
b. Click Create/Reset Password.

c. In the dialog, click Create/Reset Password.

d. The new one-time password is displayed.

e. Click the Copy link and then click Close. Make sure to copy this password to your notepad.

6. Sign out
a. Click Sign Out from the user menu and log out of the cloud.admin user account.

7. Sign in as the new yourname@oracle.com user using a different web browser window.
a. Go to https://console.us-ashburn-1.oraclecloud.com.
b. Enter the Tenant name, if prompted.
c. Sign in as yourname@oracle.com.
d. Enter the password that you copied in Task 4.

Note: Since this is the first-time sign-in, the user will be prompted to change the temporary
password, as shown in the screen capture.
e. Set the new password to Welc0me2*bmcs. Click Save New Password.

f. yourname@oracle.com lands on the home page.

8. Verify user permissions


a. Go to the Compute tab and click on Instances.
b. Select compartment OCI-Demo from the left menu, if it's not already selected.

c. The message “You don’t have access to this compartment” appears.

d. Sign out of the Console.

9. Add User to a Group


a. Sign back in as cloud.admin using the Single Sign-on (SSO) option. Click Identity >
Users.
b. From the Users list, click your user (for example, yourname@oracle.com) to go to the user
details page.
c. Under the Resources menu on the left, click Groups.
d. Click Add User to Group.
e. From the GROUPS drop-down list, select the oci-group that you created.
f. Click Add.
g. Sign out.

10. Verify user permissions when a user belongs to a specific group


a. Sign in as yourname@oracle.com
b. Go to the Compute tab and click Instances.
c. Select compartment OCI-Demo from the list of compartments on the left.

d. There is no message related to permissions.


e. Go to the Identity tab and select Groups.
f. The message “You don’t have access to these resources” appears. This is expected, since
your user has no permission to any groups.
g. Sign out.
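To make the user -> group -> policy -> compartment chain concrete, here is an added Python model of how the practice's policy statement is evaluated. It is example code written for this edit, not Oracle's authorization engine or any OCI SDK, and it assumes the simplification that IAM resources such as groups live only at the tenancy level, which is why step 10e is still denied after step 9.

```python
"""Simplified model of the OCI IAM authorization chain exercised in Practice 2-2:
user -> group membership -> policy statement -> compartment scope.
Educational model only; it is not the OCI authorization engine."""
import re
from dataclasses import dataclass, field
from typing import Optional

# OCI verbs are cumulative: manage includes use, which includes read, which includes inspect.
VERB_RANK = {"inspect": 1, "read": 2, "use": 3, "manage": 4}

# Assumption of this model: IAM resources (users, groups, policies) exist only at
# the tenancy level, so a statement scoped to a compartment never covers them.
TENANCY_ONLY_RESOURCES = {"users", "groups", "policies"}

STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in (?:compartment (?P<compartment>\S+)|(?P<tenancy>tenancy))$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the statement applies to the whole tenancy


def parse_statement(text: str) -> Statement:
    """Parse one 'Allow group ... to <verb> <resource> in ...' statement."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported policy statement: {text!r}")
    return Statement(
        group=m["group"],
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        compartment=None if m["tenancy"] else m["compartment"],
    )


@dataclass
class Tenancy:
    memberships: dict = field(default_factory=dict)  # user -> set of group names
    statements: list = field(default_factory=list)

    def add_user_to_group(self, user: str, group: str) -> None:
        self.memberships.setdefault(user, set()).add(group)

    def add_policy(self, statement_text: str) -> None:
        self.statements.append(parse_statement(statement_text))

    def is_allowed(self, user: str, verb: str, resource: str, compartment: Optional[str]) -> bool:
        """True if any statement, through any of the user's groups, covers the request.
        compartment=None means the request targets the tenancy root."""
        if resource in TENANCY_ONLY_RESOURCES:
            compartment = None
        groups = self.memberships.get(user, set())
        for st in self.statements:
            if st.group not in groups:
                continue  # permissions flow only through group membership
            if VERB_RANK[st.verb] < VERB_RANK[verb]:
                continue  # e.g. a 'read' statement cannot grant 'manage'
            if st.resource not in ("all-resources", resource):
                continue
            if st.compartment is not None and st.compartment != compartment:
                continue  # compartment-scoped statement does not reach other compartments
            return True
        return False


def lab_scenario():
    """Replay steps 3, 8, 9 and 10 of the practice; returns three booleans."""
    t = Tenancy()
    t.add_policy("Allow group oci-group to manage all-resources in compartment OCI-Demo")
    user = "yourname@oracle.com"
    # Step 8: the user exists but belongs to no group -> "You don't have access to this compartment"
    no_group = t.is_allowed(user, "read", "instances", "OCI-Demo")
    # Step 9: add the user to oci-group
    t.add_user_to_group(user, "oci-group")
    # Step 10c: instances in OCI-Demo are now visible ...
    instances_ok = t.is_allowed(user, "read", "instances", "OCI-Demo")
    # Step 10e: ... but Identity > Groups still says "You don't have access to these resources"
    groups_ok = t.is_allowed(user, "inspect", "groups", None)
    return no_group, instances_ok, groups_ok


if __name__ == "__main__":
    print(lab_scenario())  # (False, True, False)
```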

Oracle Cloud Infrastructure
Practice: Apache Webserver on Compute
Instance (HOL)
V1.2
ORACLE LAB BOOK | MARCH 2018

Table of Contents

Disclaimer

Overview

Pre-Requisites

Practice 4-1: Generate SSH Keys

Practice 4-2: Signing in OCI Console and Setting up the Network

Practice 4-3: Create a Virtual Cloud Network

Practice 4-4: Creating a Webserver on a Compute Instance

Practice 4-5: Expand the Compute Instance Storage using Block Volume

Summary

Overview
Oracle has built the Oracle Cloud Infrastructure (OCI) platform, which can run both Oracle workloads and cloud
native applications. In this hands-on lab, we will walk through getting an Apache web server running on
a compute instance on OCI. The purpose of this lab is to get familiar with Oracle Cloud Infrastructure's
primitives. At the end of this lab, you will be familiar with creating a network, launching an instance, and
accessing the instance.

Pre-Requisites
• Oracle Cloud Infrastructure account credentials (User, Password, and Tenant)

Practice 4-1: Generate SSH Keys
1. Generate SSH keys to be used later while launching an instance.

MAC/LINUX

a. Generate SSH keys for your machine if you don't already have them. As long as an id_rsa and id_rsa.pub
keypair is present, it can be reused. By default these are stored in ~/.ssh/

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/username/.ssh/id_rsa.
Your public key has been saved in /Users/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:tAn6nKkcZDTXl/vXRAD/pfLzdmF5rQ2948MQgz5CWe8
The key's randomart image is:
+---[RSA 2048]----+
| ... |
| . o..|
| o o o = o . o|
| . + o * o + +.|
| + S o o +.=|
| o o o . + E.*+|
| . = . o B+=|
| .o ..B+|
| o .o=|
+----[SHA256]-----+

b. Make sure permissions are restricted; ssh can fail if the private key file has permissive
permissions.

$ chmod 0700 ~/.ssh
$ chmod 0600 ~/.ssh/id_rsa
$ chmod 0644 ~/.ssh/id_rsa.pub

FOR WINDOWS:

a. Install Git for Windows. Download
https://github.com/git-for-windows/git/releases/download/v2.13.0.windows.1/Git-2.13.0-64-bit.exe and install it.

b. Open Git-bash:

c. Generate ssh-keys by running this command in Git Bash

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/c/Users/username/.ssh/id_rsa):
Created directory '/c/Users/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /c/Users/username/.ssh/id_rsa.
Your public key has been saved in /c/Users/username/.ssh/id_rsa.pub.

Note: In Git-Bash, C:\Users\username\ is shown as /c/Users/username/

Practice 4-2: Signing in OCI Console and Setting up the Network
1. Sign In
a. Open a supported browser and go to the Console URL. For example,
https://console.us-ashburn-1.oraclecloud.com.
b. Enter your tenant name: <Tenant> and click Continue.

c. Because Oracle Cloud Infrastructure is integrated with Identity Cloud Services, you will see a screen
validating your Identity Provider. You can just click Continue.

d. Enter your user name and password

Username: cloud.admin
Password: <instructor will provide password>

When you sign in to the Console, the home page is displayed.

The home page gives you quick links to the documentation and to Oracle Support.

Practice 4-3: Create a Virtual Cloud Network
Overview

A Virtual Cloud Network (VCN) is a virtual version of a traditional network—including subnets, route
tables, and gateways—on which your compute instances run. Customers can bring their network
topology to the cloud with a VCN. Creating a VCN involves a few key steps:
• Allocate a private IP block for the cloud (the CIDR range for the VCN). Customers can bring their
own RFC 1918 IP addresses.
• Create subnets by partitioning the CIDR range into smaller networks (sub-networks for front
end, back end, database).
• Create an optional Internet Gateway to connect a VCN subnet with the Internet. Instances created in
this subnet will have a public IP address.
• Create a route table with route rules for Internet access.
• Create a security list to allow the relevant ports for ingress and egress access.

1. Create a Cloud Network - Public Subnets


Create a VCN with the following components:
• One public subnet per Availability Domain
• An Internet Gateway
• A corresponding route rule in the default route table
• The default security list
• The default set of DHCP options

Note: You can launch one or more compute instances in a subnet. Each instance gets both a
public and private IP address. The launch instance dialog now has a check box for choosing
whether the instance has a public IP address.
You can communicate with the instances over the Internet via the public IP address from your
on-premises network.
2. Open the Console, click Networking.
3. Select a compartment on the left that you have permission to work in.

a. Click Create Virtual Cloud Network.


b. Enter the following details:

Create in Compartment: This field defaults to the currently selected compartment. Select
the compartment you want to create the VCN in, if not already selected.
Name: Enter a name for your cloud network (for example, VCN-DEMO).
Note: Enter a friendly name for the cloud network. It doesn't have to be unique, and it
cannot be changed later in the Console (but you can change it with the API).

c. Select Create Virtual Cloud Network plus related resources. The dialog box expands to list
the items that will be created with your cloud network.
Note: This option is the quickest way to get a working cloud network in the fewest steps.

d. Scroll to the bottom of the dialog box and click Create Virtual Cloud Network.

e. A confirmation page displays the details of the cloud network that you just created.

For example, the cloud network above has the following resources and characteristics:
• CIDR block range of 10.0.0.0/16
• An Internet Gateway
• A route table with a default route rule to enable traffic between the VCN and the Internet
Gateway
• A default security list that allows specific ingress traffic to and all egress traffic from
the instance
• A public subnet in each Availability Domain
• The VCN will automatically use the Internet and VCN Resolver for DNS

Practice 4-4: Creating a Webserver on a Compute Instance
1. Navigate to the Compute tab and click Launch Instance. We will launch a VM instance for this lab.

2. In order to launch the instance, choose an image (Oracle Linux 7 – Latest version), choose a shape
of the instance (VM.Standard 1.1), Availability Domain to launch the instance (AD1, AD2 or AD3), the
VCN network created above, subnet (in the appropriate Availability Domain) and the public SSH keys
to access the instance. In this lab, we will focus on launching only a single instance VM in one
Availability Domain.

Launching an instance is simple and intuitive with few options to select. Provisioning of the compute
instance will complete in less than a minute and the instance state will change from provisioning to
running.

3. Once the instance state changes to Running, you can SSH to the Public IP address of the instance.

4. To connect to the instance, you can use Terminal if you are using a Mac, or Git Bash if you are using
Windows.

You can use the following command to SSH into the OCI VM on a UNIX-style system (including Linux,
Solaris, BSD, and OS X).

Note: For Oracle Linux VMs, the default username is opc

$ ssh -i </path/privateKey> opc@<PublicIP_Address>

On Windows, use a tool like Git Bash to log in to the Linux instance.

$ ssh -i </path/privateKey> opc@<PublicIP_Address>

5. For this lab, we are going to install an Apache HTTP Webserver and try to connect to it over the public
internet.
Apache HTTP Server is an open-source web server developed by the Apache Software Foundation.
The Apache server hosts web content, and responds to requests for this content from web browsers
such as Chrome or Firefox.

SSH into the Linux instance and run the following commands.

Run yum update:
$ sudo yum update -y

Install Apache httpd:
$ sudo yum install httpd -y

Start the Apache server and configure it to start after system reboots:
$ sudo apachectl start
$ sudo systemctl enable httpd

Run a quick check on the Apache configuration:
$ sudo apachectl configtest

Create firewall rules to allow access to the ports on which the HTTP server listens:
$ sudo firewall-cmd --permanent --zone=public --add-service=http
$ sudo firewall-cmd --reload

Create an index file for your web server:
$ sudo su
$ echo 'This is my webserver running on Oracle Cloud Infrastructure' >> /var/www/html/index.html
$ exit

Navigate to http://<PublicIPAddress>:80 (the IP address of the Linux VM) in your browser.

NOTE: It doesn't return anything yet, because the Virtual Cloud Network needs to open port 80 for the
traffic to reach the Linux VM.

6. Click on Virtual Cloud Network and then the VCN you created above (Training VCN). Click on
Security Lists on the left navigation bar for the VCN. Then click on the Default Security List. Here
you need to open port 80. Click on Edit all rules.

a. Click on +Add Rule and add the following values as shown below under the Allow Rules for
Ingress.
Source CIDR: 0.0.0.0/0
Protocol: TCP
Source Port Range: All
Destination Port Range: 80

b. Click on Save Security List Rules at the bottom.

7. Navigate to http://<PublicIPAddress>:80 (the IP address of the Linux VM) in your browser. Now you
should see the index page of the webserver we created above.

Troubleshooting:
If you are unable to see the web server in your browser, possible causes include:

• The VCN security list is blocking traffic: check the VCN security list for an ingress rule for port 80.
• The firewall on the Linux instance is blocking traffic:
  o $ sudo firewall-cmd --zone=public --list-services (this should show the http service as part of
the public zone)
  o $ sudo netstat -tulnp | grep httpd (an httpd process should be listening on port 80; if it's
a different port, open up that port in your VCN security list)
• Your company VPN is blocking traffic.

Practice 4-5: Expand the Compute Instance Storage using Block Volume
Overview
A common usage of Block Volume is adding storage capacity to an Oracle Cloud Infrastructure instance.
Once you have launched an instance and set up your cloud network, you can create a block storage
volume through the Console or API. Once created, you attach the volume to an instance using a volume
attachment. Once attached, you connect to the volume from your instance's guest OS using iSCSI or.
The volume can then be mounted and used by your instance.

1. Navigate to the Storage tab on top right corner of the console and click on Block Volume.

2. In the Block Volume service, click Create Block Volume and provide the following details.

Compartment: <Your Compartment Name>
Name: A user-friendly name or description.
Availability Domain: Must be the same as that of the instance to which the volume will be attached.
Size: Please choose 50 GB. (Must be between 50 GB and 16 TB. You can choose in 1 GB
increments within this range. The default is 1024 GB.)
Backup Policy: Gold

Quick recap on the block volume backup policies: there are three predefined backup policies,
Bronze, Silver, and Gold. Each backup policy has a set backup frequency and retention period.

Bronze Policy: The bronze policy includes monthly incremental backups, run on the first day of the
month. These backups are retained for twelve months. This policy also includes a full backup, run
yearly on January 1st. Full backups are retained for five years.

Silver Policy: The silver policy includes weekly incremental backups that run on Sunday. These
backups are retained for four weeks. This policy also includes monthly incremental backups, run on
the first day of the month and retained for twelve months. It also includes a full backup, run yearly
on January 1st. Full backups are retained for five years.

Gold Policy: The gold policy includes daily incremental backups. These backups are retained for
seven days. This policy also includes weekly incremental backups that run on Sunday and are
retained for four weeks. It also includes monthly incremental backups, run on the first day of the month
and retained for twelve months, and a full backup, run yearly on January 1st. Full backups are retained
for five years.

Leave the tag options as they are and click Create Block Volume.

The volume will be ready to attach once its icon no longer lists it as PROVISIONING in the volume list.
3. Once the Block Volume is created, you can attach it to the VM instance you just launched. Go to the
Compute instance tab, and navigate to the VM instance and click on the Attach Block Volume
button.

4. Select the volume created from the drop down menu and click Attach. Once it gets attached after
provisioning, the console shows the disk is attached.
5. Once the block volume is attached, you can navigate to view the iSCSI details for the volume in order
to connect to the volume. It takes a minute for the volume to complete attaching.

Click on the ellipsis and then click iSCSI Command and Information link. Connect to the instance
through SSH and run the iSCSI ATTACH COMMANDS as provided (shown below).

Click COPY to copy all the commands, SSH into the compute instance, and run them by pasting
them into the terminal.
6. Once the disk is attached, you can run the following commands to format the disk and mount it.
$ ssh -i </path/privateKey> opc@<PublicIP_Address>
$ sudo lsblk

When mounting a storage volume for the first time, you can format the storage volume and create a
single, primary partition that occupies the entire volume by using the fdisk command (Caution: using fdisk to
format the disk deletes any data on the disk).

Use mkfs to create a file system on the storage volume. Once the file system is created, create a new mount
point and mount the new disk.

$ sudo mkfs -t ext4 /dev/sdb
# Press y when prompted
$ sudo mkdir /mnt/disk1
$ sudo mount /dev/sdb /mnt/disk1
$ lsblk

Summary

In this lab, you were able to quickly create a Virtual Cloud Network in the cloud, launch an instance, install
an Apache web server and successfully access the server by allowing TCP traffic on port 80 in the Security
Lists of the Virtual Cloud Network.

Oracle Cloud Infrastructure
Practice: File Storage Service
V1.2
ORACLE LAB BOOK | MARCH 2018

Table of Contents

Disclaimer

Practice 5a-1: Signing in to the Console

Practice 5a-2: Creating Security Lists to support FSS

Practice 5a-3: Creating a File System

Practice 5a-4: Mounting a File System

Practice 5a-1: Signing in to the Console

Overview
In this practice, you sign in to the Oracle Cloud Infrastructure console using your credentials.

Assumptions
Note: Some of the UIs might look a little different than the screenshots included in the instructions, but
students can still use the instructions to complete the hands-on labs.

Before You Begin


To sign in to the Console, you need the following:
• Tenant, User name and Password
• URL for the Console: https://console.us-ashburn-1.oraclecloud.com/
• Any browser from the supported browsers list (Recommended)
Note:
• For this lab we use cloud.admin and <your-name@oracle.com> as the user names to
demonstrate the scenarios. You must use your own cloud.admin credentials when you perform
these tasks.
• Oracle Cloud Infrastructure supports the latest versions of Google Chrome, Firefox and
Internet Explorer 11.
• When you are provisioned, you will receive a customized URL for your organization. For
example, https://console.us-ashburn-1.oraclecloud.com?tenant=<your-tenant-id>
• If you omit the tenant argument, the system will ask you to input your tenancy before you
can log in.

Duration: 5 minutes

Tasks
1. Sign In
a. Open a supported browser and go to the Console URL. For example,
https://console.us-ashburn-1.oraclecloud.com.
b. Enter your tenant name: <Tenant> and click Continue.

c. Because Oracle Cloud Infrastructure is integrated with Identity Cloud Services, you will see a screen
validating your Identity Provider. You can just click Continue.

d. Enter your user name and password
Username: cloud.admin
Password: <instructor will provide password>

When you sign in to the Console, the home page is displayed.

The home page gives you quick links to documentation and to Oracle Support.

Practice 5a-2: Creating Security Lists to support FSS

Overview
Oracle Cloud Infrastructure File Storage Service provides a durable, scalable, distributed, enterprise-
grade network file system. You can connect to a File Storage Service file system from any bare metal,
virtual machine, or container instance in your Virtual Cloud Network (VCN). You can also access a file
system from outside the VCN using Oracle Cloud Infrastructure FastConnect and Internet Protocol
security (IPSec) virtual private network (VPN).

Assumptions
Get familiar with the Key Concepts and Terminology of Oracle Cloud Infrastructure. You have been
provisioned a tenancy in Oracle Cloud Infrastructure. Make sure you have an Oracle Linux instance
running.

Tasks
2. Create a Security List
Note: To use Oracle Cloud Infrastructure, you must be given the required type of access in
a policy written by an administrator in the compartment you are going to work in. Before you create
a file system, you need at least one Virtual Cloud Network (VCN) in the compartment. You must
configure security list rules for the VCN subnet in which you are planning to create the file system
mount target. Security list rules specify what type of traffic can enter and exit a mount target. You
configure security lists at the subnet level, but rules are enforced at the instance level. File systems
require you to configure bi-directional rules for each port range they use. Therefore, you must set up
two stateful rules for each port range, one where the port is the source, and one where the port is
the destination.

a. Sign in to the Console, click Network, and then click Virtual Cloud Networks.
b. Select your VCN.
c. On the details page for the cloud network, click Security Lists, and then find the security list
used by the subnet to be associated with your file system.
d. On the details page of the security list, click Edit All Rules
e. Add the following ingress rule to allow NFS and NLM traffic:
1) Source CIDR: 10.0.0.0/16
2) IP Protocol: TCP
3) Source Port Range: All
4) Destination Port Range: 2048-2050

f. Click + Add Rule to add more rules.
g. Create a second ingress rule for NFS and NLM traffic with a Source Port Range of 2048-2050.
1) Source CIDR: 10.0.0.0/16
2) IP Protocol: TCP
3) Source Port Range: 2048-2050
4) Destination Port Range: All

h. Click + Add Rule to add more rules.


i. Create a third ingress rule allowing traffic to a Destination Port Range of 111 for the
NFS rpcbind utility.
1) Source CIDR: 10.0.0.0/16
2) IP Protocol: TCP
3) Source Port Range: All
4) Destination Port Range: 111

j. Click + Add Rule to add more rules.


k. Create a fourth ingress rule allowing traffic to a Source Port Range of 111 for the NFS
rpcbind utility.
1) Source CIDR: 10.0.0.0/16
2) IP Protocol: TCP
3) Source Port Range: 111
4) Destination Port Range: All

l. When you're done, click Save Security List Rules.
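The following added Python model evaluates VCN security list ingress rules against constructed sample packets, covering both the port 80 rule from Practice 4-4 (step 6) and the four NFS/rpcbind rules just configured. It is example code written for this edit, not Oracle's network data plane or any OCI SDK; the only assumption beyond the page is that the default security list admits SSH on TCP/22 from anywhere.

```python
"""Evaluator for VCN security list ingress rules, modelling the port 80 rule from
Practice 4-4 step 6 and the four NFS/rpcbind rules from Practice 5a-2.
Educational model only; it is not the OCI virtual network data plane."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None stands for "All" in the Console


@dataclass(frozen=True)
class IngressRule:
    source_cidr: str
    protocol: str            # "tcp", "udp" or "all"
    source_ports: PortRange
    dest_ports: PortRange

    def matches(self, src_ip: str, proto: str, src_port: int, dst_port: int) -> bool:
        if self.protocol != "all" and self.protocol != proto:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source_cidr):
            return False
        return _in_range(self.source_ports, src_port) and _in_range(self.dest_ports, dst_port)


def _in_range(r: PortRange, port: int) -> bool:
    return r is None or r[0] <= port <= r[1]


class SecurityList:
    """Rules are stateful: once an ingress packet is admitted, its replies are allowed
    by connection tracking, so only the initiating direction is checked here."""

    def __init__(self, rules: List[IngressRule]):
        self.ingress = list(rules)

    def add_ingress(self, rule: IngressRule) -> None:
        self.ingress.append(rule)

    def allows_ingress(self, src_ip: str, proto: str, src_port: int, dst_port: int) -> bool:
        return any(r.matches(src_ip, proto, src_port, dst_port) for r in self.ingress)


def http_scenario() -> Tuple[bool, bool]:
    """Practice 4-4: the page does not load until an ingress rule for TCP/80 is added.
    Assumption: the default security list admits SSH (TCP/22) from anywhere."""
    sl = SecurityList([IngressRule("0.0.0.0/0", "tcp", None, (22, 22))])
    # constructed sample: a browser on the Internet opening the web page
    before = sl.allows_ingress("203.0.113.10", "tcp", 51515, 80)
    sl.add_ingress(IngressRule("0.0.0.0/0", "tcp", None, (80, 80)))  # step 6a of Practice 4-4
    after = sl.allows_ingress("203.0.113.10", "tcp", 51515, 80)
    return before, after


def fss_rules(vcn_cidr: str = "10.0.0.0/16") -> List[IngressRule]:
    """The four stateful ingress rules of Practice 5a-2, steps e to k."""
    return [
        IngressRule(vcn_cidr, "tcp", None, (2048, 2050)),  # NFS/NLM, port as destination
        IngressRule(vcn_cidr, "tcp", (2048, 2050), None),  # NFS/NLM, port as source
        IngressRule(vcn_cidr, "tcp", None, (111, 111)),    # rpcbind, port as destination
        IngressRule(vcn_cidr, "tcp", (111, 111), None),    # rpcbind, port as source
    ]


def fss_scenario() -> Dict[str, bool]:
    """Constructed sample packets checked against the FSS rules (10.0.0.3 is the
    mount target address used in the Practice 5a-4 mount example)."""
    sl = SecurityList(fss_rules())
    return {
        "nfs_from_vcn_client":  sl.allows_ingress("10.0.1.5", "tcp", 40000, 2049),
        "nfs_callback_from_mt": sl.allows_ingress("10.0.0.3", "tcp", 2049, 40000),
        "rpcbind_from_vcn":     sl.allows_ingress("10.0.1.5", "tcp", 40001, 111),
        "nfs_from_internet":    sl.allows_ingress("203.0.113.10", "tcp", 40000, 2049),
        "unlisted_port":        sl.allows_ingress("10.0.1.5", "tcp", 40000, 2051),
        "udp_not_covered":      sl.allows_ingress("10.0.1.5", "udp", 40000, 2049),
    }


if __name__ == "__main__":
    print(http_scenario())  # (False, True)
    for name, allowed in fss_scenario().items():
        print(f"{name}: {'ALLOW' if allowed else 'DROP'}")
```

The last three checks show what the rules deliberately leave out: NFS traffic from outside the VCN CIDR, a port the rules do not list, and UDP, which the TCP-only rules never match.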

Practice 5a-3: Creating a File System
Note: File systems are encrypted by default. You cannot turn off encryption. The mount target must be
in the same availability domain as the file system. You cannot change the availability domain.

Tasks

3. Open the Console, click Storage, and then click File Systems.
4. Click Create File System.
5. In the Create File System dialog, under File System Information, enter the following:
a) Name: FSS-Storage
b) Availability Domain: AD-1

6. Under Mount Target Information enter the following:


a) Name: FSS-Mount
b) Virtual Cloud Network: Select your VCN
c) Subnet: select a subnet for the mount target.
d) IP Address: Leave it blank
e) Hostname: Leave it blank
f) Path Name: /
g) Maximum Free space: Select 100GiB

7. Click Create File System

Practice 5a-4: Mounting a File System
Overview

Users of Ubuntu and Linux operating systems can use the command line to connect to a file system and
write files. Mount targets serve as file system network access points. After your mount target is assigned
an IP address, you can use it to mount the file system. On the instance from which you want to mount
the file system, you need to install an NFS client and create a mount point. When you mount the file
system, the mount point effectively represents the root directory of the File Storage file system, allowing
you to write files to the file system from the instance.

Tasks

8. Connect to the instance. You can use Terminal if you are using a Mac, or Git Bash if you are using
Windows. You can use the following command to SSH into the OCI VM on a UNIX-style system
(including Linux, Solaris, BSD, and OS X).

Note: For Oracle Linux VMs, the default username is opc

$ ssh -i </path/privateKey> opc@<PublicIP_Address>

9. Then, get the NFS client and install it as root by typing the following:

$ sudo yum install nfs-utils

10. Create a mount point by typing the following:

$ sudo mkdir -p /mnt/nfs-data

11. Mount the file system by typing the following. Replace 10.x.x.x: with the local subnet IP address
assigned to your mount target. The export path is the path to the file system (relative to the mount
target’s IP address or hostname). If you did not specify a path when you created the mount target,
then 10.x.x.x:/ represents the full extent of the mount target.

$ sudo mount 10.x.x.x:/ /mnt/nfs-data

Example: $ sudo mount 10.0.0.3:/ /mnt/nfs-data

Note: You can mount the FSS file system on multiple nodes at the same time.

Oracle Cloud Infrastructure
Practice: Load Balancer Service
V1.2
ORACLE LAB BOOK | MARCH 2018

Table of Contents

Disclaimer

Overview

Pre-Requisites

Practice 6-1: Signing in to the Console

Practice 6-2: Create Virtual Cloud Network (VCN)

Practice 6-3: Creating Two Web Servers

Practice 6-4: Creating and Testing Load Balancer

Overview
The Load Balancing Service provides automated traffic distribution from one entry point to multiple
servers within your Virtual Cloud Network (VCN). The service offers a Public load balancer with a public
IP address, provisioned bandwidth, and high availability. The Load Balancing Service provisions the
public IP address across two subnets within a VCN to ensure accessibility even during an Availability
Domain outage.
In this practice, you create a simple public load balancer and verify it with a basic web server application.

Pre-Requisites
• Oracle Cloud Infrastructure account credentials (User, Password, and Tenant)

Practice 6-1: Signing in to the Console

Overview
In this practice, you sign in to the Oracle Cloud Infrastructure console using your credentials.

Assumptions
Note: Some of the UIs might look a little different than the screenshots included in the instructions, but
students can still use the instructions to complete the hands-on labs.

Before You Begin


To sign in to the Console, you need the following:
• Tenant, User name and Password
• URL for the Console: https://console.us-ashburn-1.oraclecloud.com/
• Any browser from the supported browsers list (Recommended)
Note:
• For this lab we use cloud.admin and <your-name@oracle.com> as the user name to
demonstrate the scenarios. You must use your own cloud.admin account when you perform
these tasks.
• Oracle Cloud Infrastructure supports the latest versions of Google Chrome, Firefox and
Internet Explorer 11.
• When you are provisioned, you will receive a customized URL for your organization. For
example, https://console.us-ashburn-1.oraclecloud.com?tenant=<your-tenant-id>
• If you omit the tenant argument, the system will ask you to input your tenancy before you
can log in.

Duration: 5 minutes

Tasks
1. Sign In
a. Open a supported browser and go to the Console URL. For example,
https://console.us-ashburn-1.oraclecloud.com.
b. Enter your tenant name: <Tenant> and click Continue.

c. Because Oracle Cloud Infrastructure is integrated with Identity Cloud Services, you will see a
screen validating your Identity Provider. You can just click Continue.

d. Enter your user name and password.
Username: cloud.admin
Password: <instructor will provide password>

When you sign in to the Console, the home page is displayed.

The home page gives you quick links to the documentation and to Oracle Support.

Practice 6-2: Create Virtual Cloud Network (VCN)
Overview
When you work with Oracle Cloud Infrastructure, one of the first steps is to set up a Virtual Cloud
Network (VCN) for your cloud resources. This practice gives you an overview of Network
Service components and a typical scenario for using a VCN.
For an instance in a given subnet to have direct access to the Internet, it must have the following
networking components:
• The VCN must have an Internet Gateway that is enabled
• The subnet must have a route rule that directs traffic to the gateway and must be a Public
Subnet
• The subnet must have security list rules that allow the traffic (and each instance's firewall must
allow the traffic)
• Each instance must have a public IP address

Before You Begin


You need the following:
• User name, password and compartment
• URL previously used for signing into the Console: https://console.us-ashburn-1.oraclecloud.com/
Note: Some of the UIs might look a little different than the screenshots included in the instructions, but
students can still use the instructions to complete the hands-on labs.

Duration: 10 minutes

Tasks
1. Create a Cloud Network - Public Subnets
Create a VCN for Load Balancer with the following components:
• One public subnet per Availability Domain
• The default security list
• The default set of DHCP options

Note: You can launch one or more compute instances in a subnet. Each instance gets both a
public and private IP address. The launch instance dialog now has a check box for choosing
whether the instance has a public IP address.
You can communicate with the instances over the Internet via the public IP address from your
on-premises network.
a. Open the Console, click Networking.
b. Select a compartment on the left that you have permission to work in.

c. Click Create Virtual Cloud Network.
d. Enter the following details:
1) Create in Compartment: This field defaults to the currently selected compartment. Select
the compartment you want to create the VCN in, if not already selected.
2) Name: Enter a name for your cloud network (for example, LB-DEMO).
Note: Enter a friendly name for the cloud network. It doesn't have to be unique, and it cannot
be changed later in the Console (but you can change it with the API).

e. Select Create Virtual Cloud Network plus related resources. The dialog box expands to list
the items that will be created with your cloud network.
Note: This option is the quickest way to get a working cloud network in the fewest steps.

f. Scroll to the bottom of the dialog box and click Create Virtual Cloud Network.

g. A confirmation page displays the details of the cloud network that you just created.

For example, the cloud network above has the following resources and characteristics:
• CIDR block range of 10.0.0.0/16
• An Internet Gateway
• A route table with a default route rule to enable traffic between the VCN and the Internet
Gateway
• A default security list that allows specific ingress traffic to and all egress traffic from
the instance
• A public subnet in each Availability Domain
• The VCN will automatically use the Internet and VCN Resolver for DNS

Practice 6-3: Creating Two Web Servers

Overview
You will create two web servers that will work as backend servers for your Public Load Balancer.

Duration: 10 minutes

Tasks
1. Launch Two Instances
This example uses a VM.Standard2.1 shape.
a. In the Console, click Compute.
b. Click Launch Instance.
c. In the Launch Instance dialog box, enter the following:
1) Name: Enter a name (for example: Webserver1).
2) Availability Domain: Select the first Availability Domain in the list, AD-1.
3) Image: Select the Oracle-Linux-7.x image. (The image name has the latest patch date
appended to it.)
4) Shape: Select VM Standard2.1.
5) Virtual Cloud Network: Select the cloud network that you created (LB_Network).
6) Subnet: Select the public subnet LB Subnet 1 in Availability Domain 1.
7) DNS name: Leave blank.
8) SSH Keys: Use the public key generated to create this instance. NOTE: Make sure to use
a key that you have access to, because you will use this key to ssh into the instances in the
next steps.
d. Click Launch Instance.
e. Repeat the previous steps, but this time enter the name Webserver2, select Availability
Domain AD-2, LB_Network for the VCN, and LB Subnet 2 for the subnet.

2. Start a Web Application on Each Instance. Use ssh to access the instances and start the web
server by executing the following commands on each instance:
Note: You can use two separate ssh sessions to execute these commands on both instances in
parallel to save time.

a. ssh -i </path/privateKey> opc@<PublicIP_Address>

b. Run yum update:


$> sudo yum -y update
c. Install the Apache HTTP Server:
$> sudo yum -y install httpd
d. Open port 80 on the firewall to allow HTTP traffic through:
$> sudo firewall-cmd --permanent --add-port=80/tcp
e. Reload the firewall:
$> sudo firewall-cmd --reload

f. Start the web server:


$> sudo systemctl start httpd

g. Add an index.html file on each instance to indicate which server it is.


On the first instance enter:
$> sudo su
$> echo 'WebServer1' >>/var/www/html/index.html
$> exit

h. On the second instance enter:


$> sudo su
$> echo 'WebServer2' >>/var/www/html/index.html
$> exit

Practice 6-4: Creating and Testing Load Balancer

Note: Your load balancer should always reside in different subnets than your application instances.
This allows you to keep your application instances secured in private subnets, while allowing public
Internet traffic to the load balancer in the public subnets.

Duration: 26 minutes

Tasks

1. Add Two Subnets to Your VCN to Host Your Load Balancer

a. Add a Security List.

1) In the Console, click Networking, and then click Virtual Cloud Networks. This
displays the list of VCNs in the current compartment. 


2) Click the name of the VCN that includes your Web Instances. 


3) Under Resources, click Security Lists. 


4) Click Create Security List

a) Create in Compartment: This field defaults to the current compartment.

b) Enter a Name (for example, LB Security List). 


c) Delete the entry for the ingress rule and the entry for the egress rule by
clicking on the red X icon.

Note: The security list should have no rules. The correct rules are automatically added during the load
balancer workflow.

d) Click Create Security List. 


e) Return to your Virtual Cloud Network Details page.

b. Add a Route Table.

1) Under Resources, click Route Tables. 


2) Click Create Route Table. Enter the following:

a) Create in Compartment: This field defaults to your current compartment.
Select the compartment you want to create the route table in, if not already selected. 


b) Name: Enter a name (for example, LB Route Table) 


c) Destination CIDR Block: Enter 0.0.0.0/0 


d) Target: Select the Internet Gateway for your VCN. 


e) Click Create Route Table. 


2. Create the first subnet.

a) Under Resources, click Subnets. 


b) Click Create Subnet. 


c) Enter the following:

Name: Enter a name (for example, LB Subnet 1). 


Availability Domain: Choose the first Availability Domain (AD-1). 


CIDR Block: Enter 10.0.4.0/24. 


Route Table: Select the LB Route Table you created.

Subnet Access: Make sure you have Public selected.

DHCP Options: Leave blank. 


Security Lists: Select the LB Security List you created. 


d) Click Create.

3. Create the second subnet.

Create a second load balancer subnet in a different Availability Domain from the subnet you previously
created.

1) In the details page of your VCN, click Create Subnet. 


2) Enter the following:

a) Name: Enter a name (for example, LB Subnet 2). 


b) Availability Domain: Choose the second Availability Domain (AD-2). 


c) CIDR Block: Enter 10.0.5.0/24. 


d) Route Table: Select the LB Route Table you created.

e) Subnet Access: Make sure you have Public selected 


f) DHCP Options: Leave blank. 


g) Security Lists: Select the LB Security List you created. 


h) Click Create. 


4. Create a Load Balancer

When you create a load balancer, you choose its shape (size) and you specify two subnets from
different Availability Domains. This makes the load balancer highly available, although it is
active in only one subnet at a time.

a. In the Console, click Networking, and then click Load Balancers. Ensure that the
compartment designated for you is selected on the left. 


b. Click Create Load Balancer. 


c. Enter the following:

1) Name: Enter a name for your load balancer. 


2) Shape: Select 100Mbps. This specifies the bandwidth of the load balancer. For this
tutorial, use the smallest shape. Note that the shape cannot be changed later. 


3) Virtual Cloud Network: Select the Virtual Cloud Network for your load balancer.

4) Visibility: Select Create Public Load Balancer.

5) Subnet (1 of 2): Select LB Subnet 1.

6) Subnet (2 of 2): Select LB Subnet 2. Note that the second subnet must reside in a
different Availability Domain from the first.


d. Click Create. 


When a load balancer is created, you're assigned a public IP address to which you route all incoming
traffic. The IP address is highly available, meaning it is available from both subnets that you specified.
Note that it is only active in one subnet at a time.

5. Create a Backend Set with Health Check

A backend set is a collection of backend servers to which your load balancer directs traffic. Define the
backend set policy and health check.

a. Click the name of your load balancer to view its details. 


b. Click Create Backend Set. 


c. In the dialog box, enter:

1) Name: Give your load balancer backend set a name. The name cannot contain
spaces. 


2) Policy: Choose Weighted Round Robin. 


d. Enter the Health Check details.

1) Protocol: Select HTTP 


2) Port: Enter 80 


3) URL Path (URI): Enter "/" 
• The rest of the fields are optional and can be left blank for this practice.


e. Click Create.

When the Backend Set is created, the Work Request status changes to Succeeded. Close the
Work Request dialog box.

6. Add Backend Servers to Your Backend Set

a. On the details page of your load balancer, click Backend Sets. The backend set you created is
displayed. 


b. Click the name of the backend set to view its details. 


c. Click Edit Backends. In the dialog box, do the following:

1) Ensure that Help me create proper security list rules is selected.

a) Updates to the security list for your load balancer subnets are as follows:

(i) Allow egress traffic to the backend server 1 subnet (for example, Public-Subnet-AD1)

(ii) Allow egress traffic to the backend server 2 subnet (for example, Public-Subnet-AD2)

b) Updates to the security list for your backend server subnets are as follows:

(i) Allow ingress traffic from load balancer subnet 1 


(ii) Allow ingress traffic from load balancer subnet 2 


2) OCID: Paste the OCID of the first instance (Webserver1).

a) In the dialog box, click View Instances.

This opens a new browser tab that displays the instances in the current compartment.

b) If your instances are not in the current compartment, select the compartment to which the
instance belongs (select from the list on the left side of the page). A shortened version of the
instance's OCID is displayed next to each instance. 


c) Click Copy to copy the OCID. You can then paste it into the Instance ID field. 


3) Port: Enter 80. 


4) Weight: Leave blank to weight the servers evenly. 


5) Repeat Steps 2 through 4, pasting in the OCID for the second instance (Webserver2).

6) Click Submit. 


7) Scroll down and click Create Rules once it turns green.

7. Create a Listener

A listener is an entity that checks for connection requests. The load balancer listener listens for ingress
client traffic using the port you specify within the listener and the load balancer's public IP. In this
practice, you define a listener that accepts HTTP requests on port 80.

a. On your Load Balancer Details page, click Listeners. 


b. Click Create Listener. 


c. Enter the following:

1) Name: Enter a friendly name.


2) Hostname: Leave it blank. 

3) Protocol: Select HTTP. 

4) Port: Enter 80 as the port on which to listen for incoming traffic. 

5) Backend Set: Select the backend set you created. 


d. Click Create.

8. Update the Load Balancer Subnet Security List to Allow Internet Traffic to the Listener. To
enable the traffic to get to the listener, update the load balancer subnet's security list.

a. Go to your VCN details page. 


b. Click Security Lists. A list of the security lists in the cloud network is displayed.

c. Click the LB Security List. This displays the details of the LB Security List. 


d. Click Edit All Rules. 


e. Under Allow Rules for Ingress, click Add Rule. 


f. Enter the following ingress rule:

Source CIDR: Enter 0.0.0.0/0 

IP Protocol: Select TCP

Destination Port Range: Enter 80 (the listener port).

g. Click Save Security List Rules.
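As an added example (not part of the lab book), the following Python audit checks that the ingress rules created in the backend-set step and in the step above match the intended topology: the load balancer subnets accept TCP/80 from anywhere, while the web servers accept TCP/80 only from the two load balancer subnets, so traffic cannot bypass the load balancer. The rule dictionaries are constructed here in a shape modelled on OCI's ingress security rule fields (an assumption), and the LB subnet CIDRs are the ones used in this practice.

```python
import ipaddress

# LB subnet CIDRs from Practice 6-4; the listener port from the listener step.
LB_SUBNETS = ["10.0.4.0/24", "10.0.5.0/24"]
LISTENER_PORT = 80
TCP = "6"   # IP protocol number for TCP, carried as a string (assumed OCI-style field)

def covers_port(rule, port):
    """True if the rule admits TCP traffic to `port` (protocol 'all' or a matching range)."""
    if rule["protocol"] == "all":
        return True
    if rule["protocol"] != TCP:
        return False
    rng = rule.get("tcpOptions", {}).get("destinationPortRange")
    return rng is None or rng["min"] <= port <= rng["max"]   # no range means all ports

def source_within(rule, cidrs):
    """True if the rule's source CIDR lies entirely inside one of `cidrs`."""
    src = ipaddress.ip_network(rule["source"])
    return any(src.subnet_of(ipaddress.ip_network(c)) for c in cidrs)

def audit(lb_ingress, backend_ingress):
    """Return findings for the LB and backend security lists; [] means as intended."""
    findings = []
    # The listener step requires TCP/80 from 0.0.0.0/0 on the LB subnets.
    if not any(r["source"] == "0.0.0.0/0" and covers_port(r, LISTENER_PORT)
               for r in lb_ingress):
        findings.append("LB list: no ingress TCP/%d from 0.0.0.0/0" % LISTENER_PORT)
    # The web servers should take TCP/80 only from the LB subnets, which is what
    # 'Help me create proper security list rules' adds; anything wider exposes the
    # backends directly and bypasses the load balancer.
    for r in backend_ingress:
        if covers_port(r, LISTENER_PORT) and not source_within(r, LB_SUBNETS):
            findings.append("backend list: TCP/%d open to %s" % (LISTENER_PORT, r["source"]))
    return findings

def tcp_rule(source, port):
    """Build a constructed ingress rule in the shape used above."""
    return {"source": source, "protocol": TCP,
            "tcpOptions": {"destinationPortRange": {"min": port, "max": port}}}

# Constructed sample lists: what the lab produces, and one with an over-broad rule.
LB_INGRESS = [tcp_rule("0.0.0.0/0", 80)]
BACKEND_INGRESS = [tcp_rule(c, 80) for c in LB_SUBNETS] + [tcp_rule("0.0.0.0/0", 22)]
BACKEND_INGRESS_OPEN = BACKEND_INGRESS + [tcp_rule("0.0.0.0/0", 80)]

if __name__ == "__main__":
    print(audit(LB_INGRESS, BACKEND_INGRESS))        # []
    print(audit(LB_INGRESS, BACKEND_INGRESS_OPEN))   # one finding
```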

9. Verify Your Load Balancer

Test the functionality of the load balancer by navigating to its public IP address on a web browser.

a) Open a web browser. 



b) Enter the load balancer's public IP address. The index.html page from one of your web
servers is displayed.

c) Refresh the web page. The index.html page from the other web server should now be
displayed. This demonstrates that requests are being shared between both web server
instances.
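Refreshing by hand shows only that both servers answer. As an added example, not part of the lab book, the Python snippet below automates the check: it fetches the listener repeatedly, tallies which backend served each response using the index.html bodies written in Practice 6-3, and judges whether the split is consistent with equal-weight round robin. The load balancer IP is passed on the command line; the tally logic works offline on constructed responses.

```python
import sys
import urllib.request
from collections import Counter

BACKENDS = ("WebServer1", "WebServer2")   # bodies of the index.html files from Practice 6-3

def which_backend(body):
    """Map a response body to the backend that served it (None if unrecognised)."""
    text = body.strip()
    return text if text in BACKENDS else None

def check_distribution(bodies, tolerance=0.25):
    """Tally which backend served each response and report whether the split is
    within `tolerance` of 50/50. Returns (counts, ok). A backend that never answers
    (for example, one the health check has marked unhealthy) makes ok False."""
    counts = Counter(which_backend(b) for b in bodies)
    if not bodies or counts[None] or any(counts[b] == 0 for b in BACKENDS):
        return counts, False
    share = counts[BACKENDS[0]] / len(bodies)
    return counts, abs(share - 0.5) <= tolerance

def probe(lb_ip, n=20, port=80):
    """Fetch the listener n times; needs network reachability to the load balancer."""
    bodies = []
    for _ in range(n):
        # Connection: close so every request opens a fresh TCP session and can be
        # dispatched to either backend rather than reusing one connection.
        req = urllib.request.Request("http://%s:%d/" % (lb_ip, port),
                                     headers={"Connection": "close"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            bodies.append(resp.read().decode("utf-8", "replace"))
    return check_distribution(bodies)

if __name__ == "__main__":
    counts, ok = probe(sys.argv[1])
    print(dict(counts), "balanced" if ok else "NOT balanced")
```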

