Ansible Automation | Quick Introduction to Ansible
-----------------------------------------------------------
https://www.youtube.com/watch?v=tJVkERqw8SI&list=PLLsor6GJ_BEEC9jUSc760iqaOx6u5lqRA
How to study for 1z0-1067 - Oracle Cloud Infrastructure 2019 Cloud Operations Associate
-----------------------------------------------------------
http://alexzaballa.blogspot.com/2020/05/how-to-study-for-1z0-1067-oracle-cloud.html
Terraform - 001 Course Introduction
-----------------------------------------------------------
https://www.youtube.com/watch?v=hgv2Iqr7qRs&list=PLx8IvB9fmFiyAgZvnzXXkHpFo4Zsq0syM&index=1
Topics : -
--------------------------------------
Automating Cloud Tasks
Performance Tuning and Troubleshooting
Managing Cost
Security and Compliance
Monitoring and Alerting
Data Retention and Archival
Designing for Cloud-Scale Agility
1. Cloud Operation & Automation : -
======================================================================================================
Getting Started with Cloud Operation :
-----------------------------------------------------------------
The CLI (Command Line Interface) is an abstraction of the Cloud API that lets us write shell or PowerShell scripts to perform a series of actions or tasks with a single command execution.
How to manage Cloud Resources -
Tagging of resources
An array of automation tools (OCI CLI, Ansible, Terraform) to control those resources, e.g. Terraform to build out the infrastructure
Cloud-Init (to run scripts, such as installing Apache, while the server is being built)
Custom Images
What is Cloud Operation -
Build
Configure
Monitor
Protect
Secure
Govern
Operations in OCI :
Manual - Log into the console and click through the process; no management
Scripting - Controlling deployments, creating a central repository; scripts can be created with the SDK (Software Development Kit) or the CLI
Full Automation - Using Terraform, a combination of scripting and other tools, to achieve cloud scale
Introduction to Cloud Automation :
-----------------------------------------------------------------
Cloud Scale -
On-Prem Data Center -
Fixed amount of capacity
Often limited to a single physical location
Non-standard set of management tools
OCI -
Massive amount of capacity
16 locations globally and growing (35 by end of 2020)
Single unified API for management
Standard set of management tools
Common Terminology -
Idempotent - A change or other action is not applied more than once. Some tools validate whether a task has already been completed before applying it.
Eg. yum install httpd (a second run finds httpd already installed and makes no change)
Immutable - We deploy it and we don't touch it. When it comes time to troubleshoot or upgrade, just replace the resource.
Ephemeral - Temporary resource assignment, eg. an Ephemeral Public IP in OCI
Stateless - For a stateless app it doesn't matter which server delivers the service. All data is central and every web server can access that data.
Eg. E-commerce website: shopping cart application failover should be transparent to the user
Infrastructure as Code (IaC) - (CloudFormation is the AWS concept) The process of managing and provisioning cloud resources and services through machine-readable definition files
Automation Basics -
Administration : creating / deploying new resources
Troubleshooting : changing configuration, restarting services, gathering log files
Cleanup : destroying an entire sandbox environment with one single click
OCI Automation Tools -
API REST endpoint
SDK (Java, Python, Ruby, Go) - abstraction layer between the API and your software development
CLI
Terraform (Infrastructure as Code (IaC))
Ansible (Deployment Playbooks - Configuration Management Tool)
Automation Tools - Basic Capabilities -
                    API / SDK            Terraform / Ansible
Programming Exp.    Yes                  No
Provisioning        Yes                  Yes
Monitoring          Yes                  No
Actions             Yes                  No
Multi-Cloud         No (OCI specific)    Yes (multi-cloud compatible)
Software Development Kit :
The OCI SDK enables you to programmatically interact with OCI
The SDK contains a collection of libraries and functions
Eg. An application accepts customer uploads and stores them in Object Storage. Using the SDK you could design your application to interact directly with Object Storage.
Eg. For an open source monitoring application you can write custom code to evaluate or even alter running resources.
OCI CLI -
The CLI is an essential tool for managing your OCI resources. It has the same functionality as the console; when combined with PowerShell or bash scripts it provides powerful automation capabilities.
You first need to configure the CLI before using it.
Built on the Python SDK and compatible with Python 2.7.5+ or 3.5+
Works on Mac, Windows and Linux
Direct OCI API interaction
Eg. :
    $ oci compute instance list --region us-phoenix-1 --availability-domain gKOA:PHX-AD-1 --limit 2 --sort-by TIMECREATED
    (service = compute, component = instance, action = list, everything after that is parameters)
    $ oci -?   (to get the full list of service names)
Terraform - Infrastructure as Code (IaC) -
Terraform is an open source tool for IaC. You can think of it as a platform interpreter that reads declarative text and converts it into API calls.
It is managed IaC for OCI and a number of other platforms
The key component is the provider; providers interpret declarations for more than 70 platforms
Manages the resource lifecycle including dependencies, ensuring resources are created and deleted in the proper sequence
It is a declarative tool: it is all about the end state. You define the end state in your Terraform configuration and it does its best to reach that end state.
Eg. creating networks, compute resources, databases, load balancers
Terraform is all about resource and state management; it is not designed to be a configuration management tool, so it works well alongside Chef, Puppet or Ansible
Can be used to export an existing environment that was created manually
Often coupled with a configuration management tool like Chef, Puppet or Ansible
Eg.
    provider "oci" {
      tenancy_ocid     = var.tenancy_ocid
      user_ocid        = var.user_ocid
      fingerprint      = var.fingerprint
      private_key_path = var.private_key_path
      region           = var.region
    }
    # the data source and its attribute are plural in the OCI provider
    data "oci_identity_availability_domains" "ads" {
      compartment_id = var.tenancy_ocid
    }
    output "show-ads" {
      value = data.oci_identity_availability_domains.ads.availability_domains
    }
Ansible Overview (Configuration Management Tool) (coded in YAML) -
Ansible is a configuration management tool
Simple - Human readable automation, no special coding is required, tasks are executed in order
Powerful - App and infrastructure deployment, configuration management
Agentless - Uses OpenSSH and WinRM; no agent to exploit or update
Ansible often plays an important role in delivering code and applying configuration changes as part of a CI (Code Integration) / CD (Code Deployment) pipeline
For Whom -
System Administrators, DevOps Engineers
What it is -
Automation / DevOps tool, Infrastructure as Code, Ansible Modules (discrete units of code)
What you can do -
Configuration management
Infrastructure and resource provisioning and management
One-off batch task execution across many hosts
Automating complex orchestration flows
Application development, release management, audit
Workflow automation
How Ansible Works -
Utilizes small modules, organized in Playbooks, to perform command execution via SSH
Utilizes an SSH key pair for authentication (Kerberos is supported)
Inventory is managed in a simple text file; plugins can also read it from additional sources
Eg.
    - name: Install Apache
      hosts: webservers
      tasks:
        - name: Install httpd
          yum: name=httpd state=present
        - name: Start httpd
          service: name=httpd state=started   # "running" is not a valid state for the service module
Comparing Automation Tools -
                  CLI                Chef             Ansible                        Terraform
Type              Task automation    Config mgmt      Config mgmt + orchestration    Infrastructure provisioning
Infrastructure    Mutable            Mutable          Mutable                        Immutable (replacement activity)
Code type         Bash/PowerShell    YAML             YAML                           HCL/JSON
Method            Procedural         Procedural       Procedural                     Declarative
Architecture      Client only        Client/Server    Client only                    Client only
Automating simple and repeatable actions - OCI CLI
Managing app deployment and configuration - Ansible / Chef ("gardening activity": regular care and feeding of our infrastructure)
Creating / destroying complex architectures - Terraform
2. Infrastructure As Code : -
======================================================================================================
Command Line Infrastructure :
-----------------------------------------------------------------
Configure the CLI -
After installing the CLI you need to configure it. The config command below sets up the default profile.
    $ oci setup config   (you need to provide user OCID, fingerprint, key_file, tenancy OCID and default region)
    $ oci compute image list --profile dev_compartment   (the profile name is case sensitive)
The oci_cli_rc file creates shortcuts and command abbreviations.
    $ oci setup oci-cli-rc
Some of its sections include
    $ cat ~/.oci/oci_cli_rc
    [OCI_CLI_CANNED_QUERIES]
    [OCI_CLI_COMMAND_ALIASES]
    rm = os.object.delete
    [OCI_CLI_PARAM_ALIASES]
    --cid = --compartment-id
    --ad = --availability-domain
In the CLI we can change the output from standard JSON to table format, and reshape it, using the query feature
--output [json|table] : alters the format of the command output
--query : accepts a JMESPath query to redefine the command output
--generate-full-command-json-input : prints a JSON document containing all available options for the specified command
--from-json : consumes parameters as defined in the file created by --generate-full-command-json-input
    $ oci compute image list --output table   (the result is not user friendly due to the amount of data)
    $ oci compute image list --query "data[*].{Image_name:\"display-name\", OCID:id}" --output table
    $ oci compute image list --query "data[?contains(\"display-name\", 'Oracle-Linux-7.7')].{Image_name:\"display-name\", OCID:id}" --output table
    (the output key is display-name with a hyphen, so it must be quoted inside the JMESPath expression; the string literal uses single quotes so the shell does not treat backticks as command substitution)
Canned query in ~/.oci/oci_cli_rc :
    [OCI_CLI_CANNED_QUERIES]
    get_image_id = reverse(sort_by(data[?contains("display-name", 'Oracle-Linux-7.7')], &"time-created")) | [0:1].["display-name", id]
    $ oci compute image list --query query://get_image_id
<Using JSON>
    $ oci compute instance launch --generate-full-command-json-input > compute_template.json   (JSON input template)
    $ oci compute instance launch --from-json file://compute_template.json
<Using a Script to Orchestrate Several Tasks>
    #!/bin/bash
    # launch from the JSON template and capture the new instance OCID (no spaces around '=' in shell assignments)
    instance_id=$(oci compute instance launch --from-json file://compute_template.json --query 'data.id' --raw-output)
    # VNICs are listed under "compute instance", not "compute image"
    pub_ip=$(oci compute instance list-vnics --instance-id "$instance_id" --query 'data[*]|[0]."public-ip"' --raw-output)
    waitforstate "RUNNING"   # helper from the lecture, not shown; the launch command itself also accepts --wait-for-state RUNNING
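The orchestration script above reads the public IP right after launch, before the instance is RUNNING. As an added example (not from the course notes), the functions below poll the same 'data."lifecycle-state"' query with a timeout and a terminal-state check, and only then read the VNIC. They assume a configured oci CLI; the template file name and attempt counts are placeholders.

```shell
#!/bin/bash
# Added example, not from the course notes. Assumes a configured `oci` CLI and a
# compute_template.json produced with --generate-full-command-json-input.
set -u

# wait_for_state INSTANCE_OCID WANTED [MAX_ATTEMPTS] [SLEEP_SECONDS]
# Polls `oci compute instance get` until the lifecycle state equals WANTED.
# Returns 0 on success, 1 on timeout or when the instance is terminating/terminated.
wait_for_state() {
  local instance_id="$1" wanted="$2" max_attempts="${3:-30}" pause="${4:-10}"
  local state attempt=0
  while [ "$attempt" -lt "$max_attempts" ]; do
    # --raw-output strips the JSON quotes so the value can be compared directly
    state=$(oci compute instance get --instance-id "$instance_id" \
              --query 'data."lifecycle-state"' --raw-output 2>/dev/null) || state=""
    case "$state" in
      "$wanted") return 0 ;;
      TERMINATING|TERMINATED) return 1 ;;   # will never become healthy, stop early
    esac
    attempt=$((attempt + 1))
    sleep "$pause"
  done
  return 1
}

# public_ip INSTANCE_OCID -> prints the public IP of the primary (first) VNIC
public_ip() {
  oci compute instance list-vnics --instance-id "$1" \
    --query 'data[0]."public-ip"' --raw-output
}

# launch_and_report TEMPLATE_JSON [MAX_ATTEMPTS] [SLEEP_SECONDS]
# Launches from the JSON template, waits for RUNNING, then prints "<ocid> <public ip>".
launch_and_report() {
  local template="$1" max_attempts="${2:-30}" pause="${3:-10}" instance_id ip
  instance_id=$(oci compute instance launch --from-json "file://$template" \
                  --query 'data.id' --raw-output) || return 1
  if ! wait_for_state "$instance_id" RUNNING "$max_attempts" "$pause"; then
    echo "instance $instance_id did not reach RUNNING" >&2
    return 1
  fi
  ip=$(public_ip "$instance_id") || return 1
  echo "$instance_id $ip"
}

# Real usage (placeholder template name): launch_and_report compute_template.json
```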
$oci iam compartment list
$oci network vcn list
$oci network subnet list
$oci network private-ip list
Copy to/from Object Storage -
Automatically uses multipart downloads (GET); you can control chunk size and parallelism
Automatically uses multipart uploads (PUT); you can control the parameters or disable it
    $ oci os object get -bn MyBucket --file My10gbfile --name MyObject --part-size 1024 --multipart-download-threshold 1024
    $ oci os object put -bn MyBucket --file My10gbfile --part-size 1024 --parallel-upload-count 5
    $ oci os object put -bn MyBucket --file My10gbfile --no-multipart
Practice OCI Commands -
Create an instance with the "Oracle Cloud Developer Image"
    $ oci -v
    $ oci setup config   (pass user OCID and tenancy OCID, generate a new key pair, paste the new public key into the user's API keys in the console)
    $ oci iam availability-domain list
    $ oci network vcn list --compartment-id <compartment ocid>
    $ export cid=<Compartment OCID Value>
    $ oci network vcn list --compartment-id $cid
    $ oci network vcn create --cidr-block 192.168.0.0/16 -c $cid --display-name CLI-DEMO-VCN --dns-label clidemovcn
    $ oci network subnet create -c $cid --vcn-id <vcn ocid> --cidr-block 192.168.0.0/16 --security-list-ids '["<SL OCID>"]'   (the security list IDs must be a JSON array)
    $ oci network internet-gateway create -c $cid --vcn-id <vcn ocid> --is-enabled true --display-name DemoIGW
    $ oci network route-table update --rt-id <route ocid> --route-rules '[{"destination":"0.0.0.0/0","destinationType":"CIDR_BLOCK","networkEntityId":"<IG OCID>"}]'   (cidrBlock is the deprecated name of the destination key)
    $ oci compute image list --compartment-id $cid --query "data[?contains(\"display-name\", 'Oracle')]|[0:1].[\"display-name\", id]"
    $ oci compute instance launch --compartment-id $cid --availability-domain PHX-AD-1 --display-name demo-instance --image-id <Image OCID> --subnet-id <subnet OCID> --shape VM.Standard2.1 --assign-public-ip true --metadata '{"ssh_authorized_keys":"<contents of your public key file>"}'
    $ oci compute instance get --instance-id <Instance OCID> --query 'data."lifecycle-state"'
    $ oci compute instance list-vnics --instance-id <Instance OCID> | grep "ip.:"
Using Terraform & Resource Manager : (Provider, Common Actions & Functions, Data Sources & Resources, Resource Manager) :
-----------------------------------------------------------------
Agenda -
Why IaC - best practice
Key Terraform functionality
Configure the provider
Use plan, apply, destroy
Data sources, resources
Useful features
Introduction to Resource Manager
Why Infrastructure as Code -
Define the end state, let the tool manage it for you
Self-documenting infrastructure
Consistent and repeatable results
Increased efficiency while reducing risk
IDE software (Integrated Development Environment): Atom, Sublime, Visual Studio Code
Repository - Bitbucket, GitHub
IaC Best Practices -
Treat Terraform config files as source code
Store them in a secure location
Limit access based on requirement
Evaluate changes (pull requests)
Audit changes regularly
Terraform Configuration Files -
Configuration can be in a single file or split across multiple files
Terraform will merge all files with extension .tf or .tf.json in the current working directory
Sub-folders are not included (non-recursive), but they can still be used through the concept of modules
Files are merged in alphabetical order; resource definition sequence does not matter
Any files with a different extension are ignored
The two supported configuration file formats (.tf & .tf.json) are for different audiences:
Humans - .tf is broadly human readable and allows inline comments
Machines - .tf.json is pure JSON and is meant for machine interaction
Terraform Configuration Files - OCI Provider -
Providers abstract the API of any given third party in order to create infrastructure
Below is an OCI example leveraging an IAM user (API key authentication)
    provider "oci" {
      tenancy_ocid     = var.tenancy_ocid
      user_ocid        = var.user_ocid
      fingerprint      = var.fingerprint
      private_key_path = var.private_key_path   # the provider argument is private_key_path (or private_key), not private_auth_key
      region           = var.region
    }
The OCI provider enables Terraform to create, manage and destroy resources within your tenancy
The OCI provider also supports OCI resource principals
If you are running Terraform on a compute instance that is a member of an IAM dynamic group you can instruct Terraform to use the instance principal, so no API key needs to be stored on the instance
    provider "oci" {
      auth   = "InstancePrincipal"   # a literal string, not an interpolation
      region = var.region
    }
Terraform Configuration Files - Data Sources -
Data sources are used to look up information about existing infrastructure or environment parameters like the AD or an image OCID
The examples below return the list of availability domains and an array of image OCIDs that match the given parameters
    data "oci_identity_availability_domains" "ads" {
      compartment_id = var.tenancy_ocid
    }
    data "oci_core_images" "OL7ImageOCID" {
      compartment_id           = var.compartment_id
      operating_system         = "Oracle Linux"
      operating_system_version = "7.1"
      shape                    = "VM.Standard2.1"
    }
Terraform Configuration Files - Resources -
Resource - Once a provider is configured we can start using that provider's resources
The combination of type and name must be unique in your configuration
    resource "oci_core_instance" "TFInstance" {
      availability_domain = data.oci_identity_availability_domains.ads.availability_domains[var.AD - 1]["name"]
      compartment_id      = var.compartment_id
      display_name        = "TFInstance"
      source_details {
        source_type = "image"
        source_id   = data.oci_core_images.OL7ImageOCID.images[0]["id"]
      }
      shape = var.InstanceShape
    }
Terraform Actions - init, plan, apply -
+   create
-   delete
~   update in place
-/+ resource will be destroyed and recreated
State File (.tfstate) -
State is stored locally on the machine in JSON format
Tends not to scale for large teams (OCI Resource Manager)
Terraform destroy command -
If you create resources outside of Terraform, Terraform has no info about them
Destroys the running infrastructure known to the current state file
terraform destroy without any option destroys everything, and needs an explicit yes
If you want to destroy a specific resource you can use the -target flag
Terraform does not roll back or roll forward by default; if a destroy or apply command fails it stops at that point
Terraform Variables -
Terraform supports environment variables, defined variables and run-time variables
Variables can be string, list, boolean and map
String variables
    variable "AD" {
      default = "1"
    }
    variable "InstanceShape" {
      default = "VM.Standard2.2"
    }
Map variables
    variable "shape" {
      type = map(string)
      default = {
        dev  = "VM.Standard2.2"
        test = "VM.Standard2.2"
        prod = "VM.Standard2.2"
      }
    }
Assigning and Overriding Variables -
Variables without a default value have to have a value assigned
A variable that has no default value will cause Terraform to prompt for it during plan or apply
Default variable values can be overridden by environment variables, the command line, a tfvars file or inline
Eg. $ export TF_VAR_user_password="P@ssword"
    $ terraform apply -var InstanceShape='VM.Standard2.2'
Useful Features for Managing IaC with Terraform :
-----------------------------------------------------------------
Terraform targeting resources -
You can use the -target flag on both the terraform plan and terraform apply commands
It allows you to target one resource, or more if you specify multiple -target flags
    $ terraform plan -target=oci_identity_user.user02
Terraform output -
Terraform can be directed to display values that are generated dynamically as part of creating the infrastructure
    $ cat output.tf
    output "PublicIP" {
      value = data.oci_core_vnic.InstanceVnic.public_ip_address
    }
    output "user-01-password" {
      sensitive = false   # with false the password is printed in clear text at the end of apply; it is stored in the state file either way, sensitive = true only hides it from the CLI output
      value     = oci_identity_ui_password.user01_password.password
    }
Terraform Modules -
Terraform modules give us the ability to keep a collection of Terraform config in a separate location (the module source) and reuse it
    module "user" {
      source           = "./module/users"   # local module paths must start with ./ or ../
      compartment_ocid = var.compartment_ocid
      tenancy_ocid     = var.tenancy_ocid
      user_group       = var.user_group_assign
    }
Terraform taint -
The terraform taint command manually marks a Terraform-managed resource as tainted, forcing it to be destroyed and recreated on the next apply
    $ terraform taint -module=user1 oci_identity_user.user01   (Terraform 0.12+ addresses it as module.user1.oci_identity_user.user01)
Terraform provisioners -
Provisioners are resource-level components that allow us to execute commands or configuration against a resource that Terraform created previously
    provisioner "remote-exec"
Remote Backend for state file management (Option 1) -
Built into the Terraform tool
Usage
    terraform {
      backend "http" {
        address = "https://objectstorage .."
      }
    }
Reference
    data "terraform_remote_state" "example" {
      backend = "http"
      config = {
        address = "https://objectstorage .."
      }
    }
Oracle Resource Manager for state file management (Option 2) -
Managed service (Terraform as a Service)
Resource allocation is defined as a stack
A stack represents a set of resources you manage within the compartment
Each stack maps to a Terraform config file and a Terraform state file
Only one action at a time per stack; the Terraform state file is stored and managed by OCI
Utilizes a zip file collection of all the Terraform config
Permissions controlled by IAM
Ansible :
-----------------------------------------------------------------
Configuration Management - Cloud Scale Challenges -
Cloud workloads are highly distributed; applications are often complex and consist of different software, package prerequisites, security and configuration
Configuration drift
Inconsistent execution of manual steps
Limited visibility into the hardware and software configuration of existing resources
Time-consuming deployment of applications or configuration changes
We should be able to
Identify and track resources by name, type and function
Define and apply configuration in a consistent manner
Eliminate / overwrite manual changes
Discover and report the hardware / software configuration that exists
Ansible is -
Simple
Human readable automation
No special coding skill required
Tasks are executed in order
Powerful
App and infrastructure deployment
Configuration management
Agentless
Uses OpenSSH and WinRM
No agent to deploy or update
Inventory -> applied from a Control Machine, which could be a laptop or a central server
How Ansible Works -
Can be used to execute a variety of ad hoc commands initiated from the control point
Utilizes small modules, organized in PLAYBOOKS, to perform command execution via remote SSH
Utilizes a key pair for authentication (Kerberos is supported)
Inventory is managed in a simple text file; plug-ins can also read it from different sources
Install Ansible -
Where you choose to run Ansible is referred to as the Control Machine
Current requirements
Linux distro (RHEL, Debian, CentOS, OS X)
Python 2.7 or Python 3.5
Windows is not supported currently as a control machine
    $ yum install -y ansible
    $ ansible --version
Working with Inventory -
Before you begin you must create a hosts file: the list of hosts managed by Ansible
Default location : /etc/ansible/hosts
Ad hoc Commands -
With Ansible it is easy to execute remote commands against one or more of your hosts as defined in the inventory file
The appropriate SSH key must be available on the Control Machine (consider using ssh-agent)
Host key checking is enabled by default. You can disable it, but then Ansible no longer notices a host whose key has changed (e.g. a machine in the middle impersonating it), so pre-populating known_hosts is the safer fix:
edit /etc/ansible/ansible.cfg
    [defaults]
    host_key_checking = False
Set an environment variable for the duration of the session
    $ export ANSIBLE_HOST_KEY_CHECKING=False
    $ ansible 10.0.0.2 -m ping   (for a single server)
    $ ansible webservers -m ping   (the group of servers defined as webservers in the inventory)
    $ ansible all -m ping   (all servers in the inventory irrespective of host group)
Shell command    $ ansible webservers -m shell -a "touch /home/opc/ansible.test"
Package mgmt     $ ansible webservers -m yum -a "name=httpd state=latest"
Manage services  $ ansible webservers -m service -a "name=httpd state=restarted"
Getting Started - Common Errors -
Incorrect or missing private SSH keys
Host key checking enabled and no entry in the known_hosts file
Ansible Playbooks -
Configuration, deployment and orchestration "manuals"
Written in YAML
Designed to be human readable
Can declare configuration and orchestrate a series of serial tasks
    - hosts: webservers
      vars:
        http_port: 80
        max_clients: 200
      remote_user: root
      tasks:
        - name: ensure apache is at latest version
          yum:
            name: httpd
            state: latest
Ansible uses Jinja2 templating to enable dynamic expressions and access to variables
This is the preferred method over writing static files via command execution
      tasks:
        - name: make sure apache is running
          service:
            name: httpd
            state: started
        - name: create simple file
          template:   # the module is "template", not "templates"
            src: 404error.j2
            dest: /var/www/html/404error.html
Installing the OCI Ansible Modules -
The OCI Ansible modules are available for download from a GitHub repository
    $ git clone https://github.com/oracle/oci-ansible-modules.git
    $ cd oci-ansible-modules
    $ sudo ./install.py
Ansible requires a valid IAM user and API signing keys. The default behaviour is to look for the OCI CLI config file in ~/.oci/config
    $ ansible-playbook oci_sample.yml
    - name: List summary of existing buckets in OCI object storage
      connection: local
      hosts: localhost
      tasks:
        - name: List bucket facts
          oci_bucket_facts:
            namespace_name: "<object storage namespace>"
            compartment_id: "<ocid>"
          register: result
        - name: dump result
          debug:
            msg: '{{ result }}'
The ansible-doc command can be used to view detailed help for each module
Sample cloud modules
oci_compartment_facts
oci_database_facts
oci_image_facts
3. Operational Activities on OCI : -
======================================================================================================
Managing Custom Images :
-----------------------------------------------------------------
Objectives -
Managing custom images
DR considerations; cross-region copy
Import / export of images
Which process and why -
Import an image
Create custom images on OCI
Use published images with user data
Marketplace images
Best practices for instances -
Security - With a security list, open only the required ports, e.g. port 80
Lock down rules upon creation
Patching instances -
    $ sudo yum update -y   > to update installed software
Launch instance > update the system and install required software > create custom image (the custom image is created from the boot volume; for data volumes take a backup or clone and attach it to the instance) > launch an instance with the custom image
Custom Image with User Data (cloud-init) :
-----------------------------------------------------------------
Launching an instance
Click on advanced options
Add a script to configure the instance
    #!/bin/sh   < must be included in order to run shell commands
DR Considerations -
Cross-region copy of your instance
Cross-region copy of your custom image
Taking your current data and migrating it to another region
You can use Object Storage by using the copy option
VM > Export > Object Store > Import > VM
Import Image / Export Image - (Custom Image > Export to bucket, Pre-Authenticated URL (in the import region) > Import (oci, qcow2, vmdk) > Create instance)
The Compute service enables you to share custom images across tenancies and regions using export / import
Image export / import uses Object Storage
You can import both Linux and Windows
Supported launch modes
Emulated : fully emulated NIC, block boot, legacy BIOS
Native : offers maximum performance with modern OSes
Bring Your Own Image (BYOI) -
On-prem > qcow2 image > object storage > custom image > instance
Security Best Practices :
-----------------------------------------------------------------
Agenda -
OCI overview
Shared security responsibility model
Security capabilities at a glance
OCI security capabilities
Customer isolation
Data encryption
Security controls
Visibility
Security considerations
Shared Responsibility Model in OCI -
Customer (security IN the cloud)
Customer data, user credentials, other account information
Account access management, application management, insecure user access behaviour, strong IAM policies, patching
Network and firewall configuration: security lists, route tables, VCN configuration
Client-side encryption, key management
Oracle (security OF the cloud)
Other infrastructure services (LB, WAF, CASB, DDoS protection)
Compute, network and storage isolation; IAM framework
Protecting the hardware, software, networking and facilities that run Oracle Cloud services
Physical security
7 Pillars of a Trusted Enterprise Cloud Platform -
Customer isolation
Data encryption
Security controls
Visibility
Secure hybrid cloud
High availability
Verifiably secure infrastructure
OCI Security Capabilities -
Customer isolation : BM, VM, VCN, IAM, compartments
Data encryption : default encryption for storage, key management, DB encryption
Security controls : user authentication and authorization, instance principals, network security controls (SL, NSG), Web Application Firewall (WAF)
Visibility : audit logs, CASB-based monitoring and enforcement
Secure hybrid cloud : identity federation, 3rd party security solutions, IPsec VPN, FastConnect
High availability : fault-independent DCs, FDs, SLA
Verifiably secure infrastructure : security operations, compliance certifications and attestations, customer penetration and vulnerability testing
Tenant and Resource Level Isolation :
-----------------------------------------------------------------
I want to isolate my cloud resources -
I want to isolate different departments -
Compute -
Bare metal - single tenant, direct access to hardware
Virtual machine - multi tenant; a hypervisor virtualizes the underlying bare metal server into smaller VMs
VCN & Subnets
Each customer's traffic is completely isolated in a private L3 overlay network
Network segmentation is done via subnets
Private subnet - no internet access
Public subnet - internet access and public IP addresses
Customers can control VCN traffic
VCN stateful and stateless security lists
Route table rules
Customers can use a Service Gateway for reaching public services like Object Storage
Customers can use peering (local / remote) for securely connecting multiple VCNs
Storage Encryption :
-----------------------------------------------------------------
At-rest encryption using a 256-bit key
In-transit encryption can be enabled if the volume is attached paravirtualized
Block Storage & Remote Boot Volumes -
Volumes and backups are encrypted at rest using an AES 256-bit key (managed by Oracle)
Data moving between the instance and the block volume is transferred over an internal and highly secure network
In-transit encryption can be enabled (paravirtualized volume attachment)
Object Storage -
Client-side encryption using customer keys
Data encrypted with per-object keys managed by Oracle
All traffic to and from Object Storage is encrypted with TLS
Object integrity verification
File System Storage -
Encrypted at rest and between backends (NFS server and storage server)
Data Transfer Service -
Uses the standard Linux dm-crypt and LUKS utilities to encrypt the block volume
DBaaS Database Encryption - At rest & in transit -
Oracle TDE encryption for DB files and backups at rest; key store / wallet to manage the master key
Backup encryption for RMAN backup sets
Native Oracle Net Services encryption and integrity capabilities for encrypting data in transit
Advanced Encryption Standard (AES), DES, 3DES, RC4 symmetric cryptosystems for protecting Oracle Net Services traffic
Key Management -
Oracle Key Management provides you with
Highly available, durable and secure key storage
Centralized key management (create / delete, disable / enable, rotate)
IAM policies for users and groups
Key lifecycle management
FIPS 140-2 Security Level 3 certified HSMs
Customer key protection - hardware security module (HSM)
Managed service - Oracle takes care of the keys
Enhanced compliance - using IAM and policies
IAM - Identity and Access Management -
Controls the type of access to which resources
Uses the concepts of user, group, principal and compartment
Dynamic groups are defined for instances or resources as opposed to individual users
Eg.
    allow group Groupx to manage all-resources in compartment A
    allow group Groupy to manage all-resources in compartment B
    allow dynamic-group Groupz to use buckets in compartment B
User Authentication -
Username / password
API signing key to access the REST API
SSH key pair to authenticate compute login
Auth token
MFA - multi-factor authentication
First authentication using the password
Second authentication using an authenticator app such as Oracle Mobile Authenticator or Google Authenticator
Instance Authentication (Instance Principal)
Instances have their own credentials that are provisioned and rotated automatically
Dynamic groups allow customers to group instances as principal actors, similar to user groups
Customers can create policies to permit instances in these groups to make API calls against OCI
Eg. allow dynamic-group <group name> to <verb> <resource-type> in tenancy
    allow dynamic-group <group name> to <verb> <resource-type> in compartment <compartment name>
Data backup operation :
-----------------------------------------------------------------
Agenda -
Understanding RTO (time to bring DB/App up) & RPO (Data loss tolerence)
Block Volume backup options
Object storage life cycle
Database Backup options
Backup strategy
Block Volume Backup and Restore -
Complete point-in-time complete snapshot copy of your block volume
Encrypt and store in object store and can be restored as new volume in any AD
within same region
On-demand or one-off backup provide choice of incremental versus full backup
Can restore volume in less than a minute regardless of size
Automated and Policy based schedule block storage backup
Bronze - incremental-montly-12 months, full-yearly-5 Year
Silver - incremental-weekly-4 weeks, montly, yearly
gold - incremental-daily-7 days , weekly, montly , yearly
Volume Group Backup - Crash consistent , Point in time , online no downtime
Block Volume Cross region backup -
Object Storage Life Cycle Management -
Define lifecyle rules to automatically archive or delete objects after
specified amount of days
Applied at bucket or object name prefix level.
Delete rule take priority over archive rule over same bucket or object
Rule can be enable or disable
Database Backup Options -
ATP/ADW automatically back up to object storage; retention period 60 days
ATP/ADW manual backups are put in your own Object Storage
DB System Backup & Restore -
Managed backup and restore feature for VM/BM DB Systems; the Exadata backup
process requires creating a backup config file
Backups stored in object storage or on local disk
DB Systems in a private subnet can leverage object storage
Backup options
Automatic incremental : runs once/day, repeat cycle every week,
retention 30 days
Manual : full
DB System automatic backup -
By default backups are written to Oracle-owned object storage; customers
will not be able to view the object storage backups
Default policy cannot be changed
Backup window defined by Oracle
Backup jobs are written to be automatically retried
Oracle automatically notifies you if a backup job gets stuck
All backups encrypted in object storage
Backup strategy using Storage Gateway - Hybrid or Migration
Storage Gateway is installed as a Linux Docker instance on one or more
hosts in your on-prem data center
Storage Gateway exposes an NFS mount point that can be mounted on any
host supporting NFSv4
Storage Gateway mount point maps to an object storage bucket
Storage Gateway's two main use cases :
Backups
Hybrid Cloud : on-prem applications actively use cloud storage
content
Use Cloud Storage and Archive as a low cost, highly durable
data tier
Create permanent data archive in the cloud
Extend on-prem data center to the cloud with limitless backend
storage
Enhance DR and business continuity using remote cloud
resources.
One-time data migration or periodic transfer :
Move data to the cloud for migration or adjacent analysis
Move existing bulk data one time
Copy data to the cloud as it is written
Hybrid Cloud Tiering using the Cloud Sync feature -
Move on-prem data sets from local NAS via the gateway into the cloud
Storage Gateway Cloud Sync:
Multi-threaded data transfer and synchronization
Create and run multiple sync jobs in parallel
Reports upload status.
4. Achieving Cloud Scale : -
===================================================================================
===================
Agenda -
Describe scaling options
Identify horizontal and vertical scaling
Describe compute, storage and database vertical scaling
Describe autoscaling and metrics
Scaling Operation :
-----------------------------------------------------------------
Vertical Scaling -
Scale up and down approach
Increase or decrease the capacity of a single instance
Pros -
Suited to hosting monolithic applications
Workloads not compatible with distributed env.
Cons -
Requires downtime
Limited flexibility
Horizontal Scaling -
Scale in and out approach
Increase or decrease the number of hosts
Pros -
Suited to hosting clustered applications and distributed env.
Unlimited scaling
Cons -
May require re-structuring older applications
Vertical Scaling - Block Volume Resize - Block Volume max 32TB -
OCI Block Volume service lets you expand the size of block volumes and boot volumes
3 options to increase block volume size:
Offline resizing
Restore from a volume backup with a bigger size
Clone an existing volume to a larger size
You can only increase the size of a volume, you cannot decrease it.
Vertical Scaling - Boot Volume Linux partition resize -
To take advantage of the larger size you need to extend the partition on the boot
volume
Linux supports both offline and online partition resize.
Offline :
Stop - detach - attach to a 2nd instance - run parted to edit the partition
- run xfs_growfs - detach from the 2nd instance - attach to the 1st instance -
restart the instance
Online -
Online manual partition resize
ssh to the instance - resize the partition using growpart and gdisk -
grow the file system using xfs_growfs or resize2fs
Online auto partition resize
On Linux and CentOS you can install cloud-utils-growpart along
with gdisk
You need to provide a cloud-init userdata script at provisioning
time
Vertical Scaling - Boot Volume Windows Partition Resize -
On Windows-based images you can extend the partition using the Windows interface or
the Diskpart utility
Windows interface :
Disk Management
Extend Volume wizard
Command line :
Open cmd as admin
Run diskpart
Select and extend the volume
Vertical Scaling - DB System -
DB system provides the ability to scale with no downtime
VM - storage scale up with no downtime
BM - CPU scale up and down with no downtime
Exadata - CPU scale up/down with no downtime
Horizontal Scaling / Autoscaling -
Instance configuration file :
Clone an instance and save it to a config file
Create a standard baseline instance template
Easily deploy instances from the CLI with a single config file
Automate provisioning of many instances
Instance Pool :
Centrally manage a group of instances
Update a large number of instances with a single instance config change
Maintain high availability and distribute instances across ADs
Scale out instances on demand by increasing the size (instance count) of the
instance pool
AutoScaling & Load Balancer -
A Load Balancer can be attached to an instance pool configuration.
Autonomous DB Scaling options -
On-Demand Scaling :
Independently scale compute or storage
Resize occurs instantly, fully online
Memory, IO bandwidth and concurrency scale with CPU
No downtime
AutoScaling :
Automatically increases the number of CPU cores by up to 3 times the assigned
CPU core count.
The autoscaling feature reduces the number of CPUs when not needed.
No downtime
Billing and Cost Management :
-----------------------------------------------------------------
Agenda-
Billing and account management options in OCI
Cost Analysis
Budgets (Account Management)
Usage report
Service Limit and Usage
Compartment Quotas
Cost Management Best practice
OCI Cost Analysis -
Visualization tool that helps to understand spending patterns
Filter cost by date, tags and compartment
Trend lines show how the spending pattern is changing
To use Cost Analysis you must be a member of the Admin group
OCI Budget -
Track actual and forecasted spending for the entire tenancy or per compartment
Set alerts on your budgets at predefined thresholds to get notified
View all your budgets and spending from one dashboard.
To use budgets you must be in a group that can use "usage-budget" in the
tenancy
All budgets are created in the root compartment, regardless of the compartment
they are targeting
Eg. Allow group accounts to inspect usage-budget in tenancy > Account group
can inspect budgets, including spending
Allow group accounts to read usage-budget in tenancy > Account group
can read budgets, including spending
Allow group accounts to use usage-budget in tenancy > Account group
can create and edit budgets and alert rules
Allow group accounts to manage usage-budget in tenancy > Account group
can create, edit & delete budgets and alert rules
OCI Accessing Usage Report -
Reports are generated in another tenancy and stored in an Oracle-owned object
storage bucket
Set up a cross-tenancy IAM policy to access your usage report:
1. define tenancy usage-report as ocid1.tenancy.oc1...abc..
2. endorse group Mygroup to read objects in tenancy usage-report
Download from Console -
From Governance & Administration > Billing > Usage report
Download from API -
Use the Object Storage API
Stored in the tenancy home region
The object storage namespace used for the reports is bling; the bucket name
is the tenancy OCID
Sample Dashboard from Usage Report -
Billed Cost
Cost by region
Cost by service
Cost by resource type over time
Cost per resource type
Cost by compartment name
Service Limits & Usage -
When you sign up for OCI a set of service limits are configured for your
tenancy
A service limit is the quota or allowance set on a resource
You can view your tenancy limits and quotas in the console
You can submit a request to increase a service limit from within the console
Compartment Quotas -
Compartment Quotas are similar to service limits, but Compartment Quotas are
defined by admins
Quotas give you better control over how resources are consumed by letting you
allocate resources to projects or departments
Allocate high-end and expensive resources to specific compartments
Restrict resource counts or disable a service
Quotas Policy
Set - set the maximum number of resources that can be used by a compartment
Unset - reset quotas to the default service limit value
Zero - remove access to a cloud resource for a compartment
set <family> quotas <quota name> to <value> in <location> where <condition>
unset <family> quotas <quota name> in <location> where <condition>
zero <family> quotas [<quota name>] in <location> where <condition>
Eg. zero database quotas /*exadata*/ in tenancy
unset database quotas /*exadata*/ in compartment ProductionApp
zero compute quotas in tenancy
set compute quotas vm-standard2-1-count to 10 in compartment IT where
request.region='us-phoenix-1'
zero compute quotas in tenancy
unset compute quotas vm-dense-io-1-count in tenancy
Troubleshooting Performance :
-----------------------------------------------------------------
Agenda -
IAM Policy troubleshooting
Subnet and VCN deletion
Block Volume Performance
Unable to connect/ssh to Webserver
IAM Policy troubleshooting -
Where is the policy located in the account?
Is it at the compartment level or at root level, and who has access to it?
Subnet or VCN Deletion -
When trying to clean up resources in the account you may be unable to remove a
subnet or VCN
Steps to take :
Make sure there is nothing running at either level
Block Volume Performance -
sudo yum install fio
Unable to connect/ssh to Webserver -
Check Security List
Check Network Security Group
Check route configuration
Make sure the internet gateway is attached to the VCN
If using VPN Connect or FastConnect, make sure the route is set up and make
sure CIDR ranges are not overlapping
Firewall on the OS set correctly
OCI Level 100 - Resource Manager
-------------------------------------------------------------------------------
RM - Stacks & Jobs
allow group admin-xyz to manage orm-stack in tenancy
allow group admin-xyz to manage orm-job in tenancy
DEV-XYZ is a developer - read stacks, execute jobs except destroy, only within a specific
compartment
allow group DEV-XYZ to use orm-stack in compartment xyz
allow group DEV-XYZ to use orm-job in compartment xyz where target.job.operation
!='DESTROY'
RM needs only IAM permissions and can omit user OCID, private key, fingerprint and
tenancy OCID
Define Configuration (Terraform) > Create Stack > Run a Job
Each stack maps to a Terraform configuration file and a Terraform state
OCI Level 100 - Monitoring
-------------------------------------------------------------------------------
OCI Monitoring Service
Understanding metrics, alarms, and the monitoring query language
Create a query in the Metrics Explorer and trigger an alarm
OCI MS supports the Metric and Alarm features
Supports Compute, VCN, LB, Block and Object Storage, Notification & Streaming
Offers predefined standard metrics
Supports custom metrics as well
Includes MQL (Monitoring Query Language)
The Alarm feature works with the Notification Service to notify you when a metric reaches
the alarm threshold; notifications are sent via
the Notification Service for email or PagerDuty
OCI MS is available via OCI Console, API, SDK, Terraform
Metric : measurement related to health, capacity or performance of a given resource,
eg CpuUtilization
Metric : Namespace + Dimension + Metadata
Namespace : source service or application that emits the metric, eg oci_computeagent,
oci_blockstore
Dimension : qualifier to filter or group metric data, eg availability domain = ''
Metadata : a reference for getting additional information about the metric, eg unit
(bytes) for the oci_computeagent metric diskbyteswritten
Metric Streams :
Compute Metric Namespaces:
oci_computeagent - diskbyteswritten, networkbytesin > aggregated across all
instances
oci_blockstore - individual
oci_vcn - individual
oci_objectstorage
oci_notification
oci_streaming
Metric Queries : MQL expressions can be used to evaluate and return aggregated
data. A query must specify metric, statistic and interval
Syntax :
metric[interval]{dimensionname=dimensionvalue}.groupfunction.statistic
metric : metric name like CpuUtilization, IOPSRead
interval : aggregation window, eg [1m]
dimension (filter) : {dimensionname=dimensionvalue}, eg {resourceid=''}
groupingfunction : groupBy() - aggregate query results by group
(dimension), grouping() - aggregate all results
statistics : functions include count, max, min, rate, mean, sum and percentile
eg max CPU utilization at a 1 min interval : CpuUtilization[1m].max()
max CPU utilization at a 1 min interval, filtered to a single resource :
CpuUtilization[1m]{resourceid=''}.max()
All read IOPS at a one min interval, filtered to a compartment, aggregated for maximum
: IOPSread[1m]{compartmentid=''}.grouping().max()
Alarms :
The Alarm feature publishes alarm messages to configured destinations managed by
the Notification Service
MQL expressions can be used to evaluate alarms; an alarm query must include metric,
statistic, interval and a trigger rule (threshold or absence)
Alarm States
Firing - alarm triggered
Reset - alarm no longer detects the firing condition, or the metric is no longer being
emitted
Suppressed - avoid publishing messages for a period of time, eg system
maintenance
Notification :
Service which has topics and subscriptions
Topic is the channel for sending messages to subscriptions
Subscriptions are endpoints
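Added example, not from the original notes: a small parser that checks an MQL expression for the metric, interval, statistic and (for alarms) trigger-rule parts the two passages above require. It assumes intervals are written as <n>m or <n>h, absence as .absent(), and a threshold as a trailing comparison such as "> 80".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Shape from the notes: metric[interval]{dim=value,...}.groupfunction.statistic(),
# optionally followed by a trigger rule ("> 80") that turns the query into an alarm.
# Assumptions: intervals are <n>m or <n>h, and absence is written as .absent().
MQL_RE = re.compile(
    r"^\s*(?P<metric>[A-Za-z][A-Za-z0-9_]*)"
    r"\[(?P<interval>\d+[mh])\]"
    r"(?:\{(?P<dims>[^}]*)\})?"
    r"(?:\.(?P<group>(?:groupBy|groupby)\([^)]*\)|grouping\(\)))?"
    r"\.(?P<stat>count|max|min|rate|mean|sum|percentile|absent)\((?P<arg>[^)]*)\)"
    r"(?:\s*(?P<op>>=|<=|==|!=|>|<)\s*(?P<threshold>-?\d+(?:\.\d+)?))?\s*$"
)


@dataclass
class MqlQuery:
    metric: str
    interval: str
    statistic: str
    dimensions: Dict[str, str] = field(default_factory=dict)
    grouping: Optional[str] = None
    operator: Optional[str] = None
    threshold: Optional[float] = None

    @property
    def is_alarm(self) -> bool:
        # An alarm needs a trigger rule: a threshold comparison or an absence check.
        return self.operator is not None or self.statistic == "absent"


def parse_mql(expr: str) -> MqlQuery:
    """Split an MQL expression into its parts; raise ValueError if a required part is missing."""
    m = MQL_RE.match(expr)
    if not m:
        raise ValueError(f"not a valid MQL expression: {expr!r}")
    dims: Dict[str, str] = {}
    for pair in filter(None, (p.strip() for p in (m["dims"] or "").split(","))):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"dimension filter without '=': {pair!r}")
        dims[key.strip()] = value.strip().strip("'\"")
    return MqlQuery(
        metric=m["metric"], interval=m["interval"], statistic=m["stat"],
        dimensions=dims, grouping=m["group"], operator=m["op"],
        threshold=float(m["threshold"]) if m["threshold"] else None,
    )


def validate_alarm_query(expr: str) -> MqlQuery:
    """Parse and additionally insist on the trigger rule the notes require for alarms."""
    q = parse_mql(expr)
    if not q.is_alarm:
        raise ValueError("alarm query needs a trigger rule (threshold or absence)")
    return q
```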
OCI Level 100 - Events
-------------------------------------------------------------------------------
OCI Events service is a fully managed event-routing platform; customers can
subscribe to changes in their resources and automatically react to them
by triggering a Function, publishing a Notification or writing to a Stream for later
analysis
OCI Events integrates with Oracle Functions, Oracle Streaming Service and Oracle Notification
Service
Integrated with IAM and the Monitoring service
Accessibility - Console, API, SDK, Terraform
Subscribe to events and get notified
Three core concepts in OCI Events :
Event - Compute, Network, Storage, Database, Block and Object
Rule (JSON definition file) - which events the rule is about, and the action to trigger if one occurs
Action - response to the event
Action :
Trigger a function (FN) - serverless code
Publish Notification (ONS) - alert via email or PagerDuty
Write to Stream (OSS) - for analysis
Event (JSON format file) can be :
User-initiated CRUD ops - bucket updated, bucket deleted
Resource life cycle state change - instance stopped, backup started
System event - instance rebooted, hardware failure
Event has - event source, timestamp, event type
Rule :
Compartment inspect permission is needed to create a rule; rules are validated for IAM
permissions
'manage cloudevent' to be able to CRUD rules
Rules are compartment based
Default max rules: 50
IAM policies required to work with Events : -
allow service cloud-event to use ons-topic in tenancy
allow service cloud-event to use function-family in tenancy
allow service cloud-event to use stream-push in tenancy
allow service cloud-event to read stream in tenancy
Policies for users so that they can create and manage rules : -
allow group <ruleadmin> to inspect compartment in tenancy
allow group <ruleadmin> to manage cloudevent-rules in tenancy
allow group <ruleadmin> to inspect stream in tenancy
allow group <ruleadmin> to use stream-push in tenancy
allow group <ruleadmin> to use stream-pull in tenancy
allow group <ruleadmin> to use ons-topic in tenancy
allow group <ruleadmin> to use function-family in tenancy
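Added example, not from the original notes: a rule matcher that takes a rule (condition JSON plus FN/ONS/OSS actions), a constructed event with source, timestamp and event type, and reports which actions would fire; it also enforces the default limit of 50 rules. Event type strings, OCIDs, the any-of/case-insensitive matching semantics and the FAAS/ONS/OSS action names are assumptions for the example.

```python
import json
from typing import Any, Dict, List, Tuple

DEFAULT_MAX_RULES = 50                 # default per-compartment rule limit from the notes
ACTION_TYPES = {"FAAS", "ONS", "OSS"}  # function, notification topic, stream (assumed names)

# Constructed sample event in the shape the notes describe (source, timestamp, event type
# plus a data payload); every value is made up for the example.
SAMPLE_EVENT: Dict[str, Any] = {
    "eventType": "com.oraclecloud.objectstorage.deletebucket",
    "source": "ObjectStorage",
    "eventTime": "2020-05-30T10:15:00Z",
    "data": {"compartmentId": "ocid1.compartment.oc1..EXAMPLE",
             "compartmentName": "Production", "resourceName": "db-backups"},
}

# Constructed rules; the condition is JSON text, as in a rule definition file.
SAMPLE_RULES: List[Dict[str, Any]] = [
    {"displayName": "prod-bucket-deleted", "isEnabled": True,
     "condition": json.dumps({
         "eventType": ["com.oraclecloud.objectstorage.deletebucket",
                       "com.oraclecloud.objectstorage.updatebucket"],
         "data": {"compartmentName": "Production"}}),
     "actions": [{"actionType": "ONS", "topicId": "ocid1.onstopic.oc1..EXAMPLE"},
                 {"actionType": "OSS", "streamId": "ocid1.stream.oc1..EXAMPLE"}]},
    {"displayName": "any-bucket-created", "isEnabled": True,
     "condition": json.dumps({"eventType": "com.oraclecloud.objectstorage.createbucket"}),
     "actions": [{"actionType": "FAAS", "functionId": "ocid1.fnfunc.oc1..EXAMPLE"}]},
]


def _matches(expected: Any, actual: Any) -> bool:
    """Condition matching (assumed semantics): a list means any-of, a dict means every
    listed key must match, scalars compare case-insensitively."""
    if isinstance(expected, list):
        return any(_matches(e, actual) for e in expected)
    if isinstance(expected, dict):
        return isinstance(actual, dict) and all(
            k in actual and _matches(v, actual[k]) for k, v in expected.items())
    return str(expected).lower() == str(actual).lower()


def validate_rule(rule: Dict[str, Any], existing_count: int) -> None:
    """Reject a rule that would exceed the default limit, names no eventType, or uses an unknown action."""
    if existing_count >= DEFAULT_MAX_RULES:
        raise ValueError(f"compartment already has the default max of {DEFAULT_MAX_RULES} rules")
    if "eventType" not in json.loads(rule["condition"]):
        raise ValueError("rule condition must name at least one eventType")
    for action in rule.get("actions", []):
        if action.get("actionType") not in ACTION_TYPES:
            raise ValueError(f"unknown actionType {action.get('actionType')!r}")


def route_event(rules: List[Dict[str, Any]], event: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (rule name, action type) for every action the event would trigger."""
    fired: List[Tuple[str, str]] = []
    for rule in rules:
        if rule.get("isEnabled", True) and _matches(json.loads(rule["condition"]), event):
            fired.extend((rule["displayName"], a["actionType"]) for a in rule["actions"])
    return fired
```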
OCI Level 100 - Billing and Cost Management - Cost Analysis, Budgets
-------------------------------------------------------------------------------
Cost Analysis -
Filter cost by compartment, tag, date
To use cost analysis you must be a member of the admin group
OCI Budget -
Track actual and forecasted spending for the entire tenancy or per compartment
Set alerts on your budget at predefined thresholds to get notified
Budgets can be set on a compartment or a cost-tracking tag
To use budgets you must be in a group that can use usage-budget in the
tenancy
All budgets are created in the root compartment
Eg allow group account to inspect/read/use/manage usage-budget in compartment
Usage Report -
Detailed information about your OCI consumption
CSV file, one record per resource per hour, with metadata and tags
Automatically generated and stored in an Oracle-owned bucket, retained for one year
Usage reports are generated in another tenancy and stored in Oracle-owned object
storage
Set up a cross-tenancy IAM policy to access your Usage Report
Download using console
Download using API
Quotas Policies
set family quota_name to value in location condition
unset family quota_name in location condition
Zero family quota_name in location condition
Eg zero compute quota in tenancy
set compute quotas vm-standard-count to 10 in compartment IT where
request.region='us-phoenix-1'
Eg zero compute quota in tenancy
unset compute quota vm-standard-count in tenancy
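Added example, not from the original notes, covering the quota statement grammar given here and in the earlier Compartment Quotas section: a parser that checks a set/unset/zero statement has the clauses its shape requires and tells you whether it applies to a given quota name. The "/*text*/ means name contains text" glob reading is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar as written in the notes:
#   set   <family> quotas <name> to <value> in <location> [where <condition>]
#   unset <family> quotas <name> in <location> [where <condition>]
#   zero  <family> quotas [<name>] in <location> [where <condition>]
# <name> may be a glob such as /*exadata*/ (the notes' Exadata example) or, for
# zero, omitted entirely ("zero compute quotas in tenancy").
QUOTA_RE = re.compile(
    r"^\s*(?P<action>set|unset|zero)\s+"
    r"(?P<family>[a-z][a-z0-9-]*)\s+quotas?"
    r"(?:\s+(?P<name>/\*[^*]*\*/|[a-z0-9][a-z0-9-]*))?"
    r"(?:\s+to\s+(?P<value>\d+))?"
    r"\s+in\s+(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass
class QuotaStatement:
    action: str
    family: str
    name: Optional[str]
    value: Optional[int]
    location: str
    condition: Optional[str]


def parse_quota_statement(text: str) -> QuotaStatement:
    """Parse one statement; raise ValueError when it does not fit one of the three shapes."""
    m = QUOTA_RE.match(text)
    if not m:
        raise ValueError(f"not a quota statement: {text!r}")
    action, name = m["action"].lower(), m["name"]
    value = int(m["value"]) if m["value"] else None
    # Consistency checks that follow from the three statement shapes above.
    if action == "set" and (name is None or value is None):
        raise ValueError("'set' needs a quota name and a 'to <value>' clause")
    if action != "set" and value is not None:
        raise ValueError(f"'{action}' does not take a 'to <value>' clause")
    if action == "unset" and name is None:
        raise ValueError("'unset' needs a quota name")
    return QuotaStatement(action, m["family"].lower(), name, value,
                          " ".join(m["location"].split()), m["condition"])


def quota_matches(stmt: QuotaStatement, quota_name: str) -> bool:
    """Does a statement apply to a given quota name? No name means every quota in the
    family; /*text*/ is treated as 'name contains text' (assumed glob semantics)."""
    if stmt.name is None:
        return True
    if stmt.name.startswith("/*") and stmt.name.endswith("*/"):
        return stmt.name[2:-2].lower() in quota_name.lower()
    return stmt.name.lower() == quota_name.lower()
```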
OCI Level 100 - Key Management
-------------------------------------------------------------------------------
OCI Key Management is a managed service that enables you to encrypt data using keys
that you control
OCI Key Management provides you with
Centralized key management
Highly available, durable, secure key storage
OCI Key Management uses HSMs (Hardware Security Modules)
Key Management Capabilities -
Create highly available key vaults to store your encryption keys
Keys can be disabled and re-enabled, rotated, and governed by IAM policies
Monitor the lifecycle of your keys and key vaults
IAM Integration with Key management -
allow group vaultadmin to manage vaults in compartment vaultcompartment
allow group keyadmin to manage keys in compartment vaultcompartment
allow group keyadmin to use vaults in compartment v
allow service objectstorage-us-phoenix-1 to manage keys in compartment
vaultcompartment
allow service blockstorage to manage keys in compartment vaultcompartment
Key Management - Design considerations -
Regional service; replicates encryption keys to 3 regions
Block Volume and Object Storage are integrated with Key Management
Rotating a key does not automatically re-encrypt data that was previously
encrypted by the old key
If you suspect a key has been compromised, you should re-encrypt all data
protected by this key and disable the prior key version
You cannot import keys from an existing key management system into OCI Key Management or
export keys from an Oracle Key Management key vault
You cannot delete a key, but it can be disabled; you can delete a key vault
After a key vault is deleted it cannot be reverted and data encrypted by the deleted
keys can no longer be accessed
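Added example, not from the original notes and not OCI's implementation: a toy key ring with numbered versions that shows why rotation alone leaves old ciphertext under the old version, and what the re-encrypt-then-disable response looks like. The HMAC-based keystream cipher is an unauthenticated stand-in for illustration only; a real vault keeps key material in an HSM.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set


class ToyVaultKey:
    """Stand-in for a Key Management master key: numbered versions, one current.
    Key material lives in a dict here purely for illustration (a real vault keeps it in an HSM)."""

    def __init__(self) -> None:
        self.versions: Dict[int, bytes] = {}
        self.disabled: Set[int] = set()
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        """Create a new key version and make it current; older versions stay usable."""
        self.current = len(self.versions) + 1
        self.versions[self.current] = secrets.token_bytes(32)
        return self.current

    def disable(self, version: int) -> None:
        self.disabled.add(version)

    def material(self, version: int) -> bytes:
        if version not in self.versions:
            raise KeyError(f"unknown key version {version}")
        if version in self.disabled:
            raise PermissionError(f"key version {version} is disabled")
        return self.versions[version]


def _keystream(material: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; unauthenticated, illustration only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(material, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: ToyVaultKey, plaintext: bytes) -> bytes:
    """Envelope layout: 1-byte key version || 16-byte nonce || plaintext XOR keystream."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key.material(key.current), nonce, len(plaintext))
    return bytes([key.current]) + nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: ToyVaultKey, blob: bytes) -> bytes:
    version, nonce, body = blob[0], blob[1:17], blob[17:]
    ks = _keystream(key.material(version), nonce, len(body))  # raises if that version is disabled
    return bytes(c ^ k for c, k in zip(body, ks))


def key_version_of(blob: bytes) -> int:
    return blob[0]


def respond_to_compromise(key: ToyVaultKey, blobs: List[bytes], compromised: int) -> List[bytes]:
    """The notes' procedure: rotate, re-encrypt everything under the new version,
    then disable the suspect version so nothing can be unwrapped with it again."""
    key.rotate()
    fresh = [encrypt(key, decrypt(key, b)) for b in blobs]
    key.disable(compromised)
    return fresh
```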
OCI Level 100 - Security Overview
-------------------------------------------------------------------------------
Shared responsibility model in Oracle Cloud -
7 Pillars of a trusted Enterprise Cloud Platform
Customer isolation
Data Encryption
Security Controls
Visibility
Secure hybrid cloud
High Availability
Verifiable security infrastructure
Customer Isolation -
Tenant level isolation
Resource level isolation > VCN, Subnet, Compartment
Data Encryption -
Authentication -
IAM, Instance Principal
Authorization -
Tenant, compartment
Resource Access -
Security List
WAF
Visibility -
Audit
CASB
Secure Hybrid Cloud -
FastConnect
VPN Connect
Identity Federation
Customer penetration and vulnerability testing
High Availability -
OCI Level 100 - DNS Zone Management
-------------------------------------------------------------------------------
DNS Zone Management -
Highly scalable, global anycast DNS network that assures high site availability
and low latency
Offers a complete set of functions for zone management
Create and manage zones and records
Import/export zone files
Filter and sort views of zones and records
Secondary DNS support
API & SDK
OCI Level 100 - Traffic Management Policy
-------------------------------------------------------------------------------
Traffic Management allows customers to configure routing policies for serving
intelligent responses to DNS queries.
Common Use Cases -
Load Balancer - round robin load balancing can be used to evenly distribute
traffic, or weighted via ratio assignment
Failover -
Cloud Migration - weighted ratio load balancing
Load Balancing for Scale -
Hybrid Env. -
Worldwide GeoLocation Steering -Dynamically route traffic based on Physical
location
IP-Prefix Steering -Dynamically route traffic based on originating IP
ASN Steering -Dynamically route traffic based on originating ASN
Zero-Rating Service
OCI Level 200 - Terraform
-------------------------------------------------------------------------------
OCI Level 200 - High Availability & Disaster Recovery
-------------------------------------------------------------------------------