02 - OCI Deep Dive Day 1 - v5.3
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Oracle OpenWorld 2017 Content 4
Enterprise Grade Governance & Management
Enterprise Grade Governance and Management
• Compartments
– Provides simple organization of all an enterprise’s cloud resources. This allows workgroups to freely innovate while remaining accountable for the resources they consume.
• Audit Service
– Every action performed in Oracle Cloud is recorded to an audit log.
• Tagging
– Integrated tagging to categorize your resources – cost tracking, authorization, or any custom use
Oracle Cloud Infrastructure Services
• IAM – controls who can access the OCI account, which services and resources they can use, and how they can use those resources
• IAM Service resources (compartments, users, groups, and policies) are global, so they can be accessed across all regions
• The home region is where you sign up and where your subscription resides (you can always subscribe to other regions)
IAM Service
[Diagram: a Tenancy (with Service Limits) containing Users User_1 and User_2, Groups group_X and group_Y, Policies PolicyA and PolicyB, and Compartments CompartmentA and CompartmentB; resources such as USER U01 and VCN01 live inside a compartment within the tenancy]
PolicyA: Allow group_X to manage all-resources in compartmentA
PolicyB: Allow group_Y to manage all-resources in compartmentB
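As an added example (not from the slides or from OCI's own policy engine), a simplified evaluator for the two policies above that shows the compartment acting as a default-deny boundary. It uses OCI's documented statement form "Allow group <name> to <verb> <resource-type> in compartment <name>" (plus "in tenancy"), the documented verb ordering inspect < read < use < manage, and a constructed group membership (User_1 in group_X, User_2 in group_Y); all of these are assumptions.

```python
import re

# OCI policy verbs form a hierarchy; each verb includes the permissions of the ones before it
# (inspect < read < use < manage is OCI's documented verb ordering, assumed here).
VERBS = ["inspect", "read", "use", "manage"]

# Statement grammar modelled on the slide ("Allow group_X to manage all-resources in compartmentA")
# plus OCI's tenancy-wide scope "in tenancy". This is a simplified model, not OCI's policy engine.
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in (?:tenancy|compartment (?P<compartment>\S+))$",
    re.IGNORECASE,
)


def parse_policy(statements):
    """Turn policy statements into (group, verb, resource_type, compartment) tuples.
    compartment is None for a tenancy-wide statement. Unparseable text is rejected
    rather than silently skipped, so a typo never turns into an unintended grant."""
    rules = []
    for text in statements:
        match = STATEMENT.match(text.strip())
        if not match:
            raise ValueError(f"unparseable policy statement: {text!r}")
        comp = match["compartment"]
        rules.append((match["group"].lower(), match["verb"].lower(),
                      match["resource"].lower(), comp.lower() if comp else None))
    return rules


def is_allowed(rules, user_groups, verb, resource_type, compartment):
    """Default deny. A request passes only if some rule names one of the user's groups,
    grants at least the requested verb, covers the resource type (or all-resources),
    and is scoped to the request's compartment or to the whole tenancy."""
    groups = {g.lower() for g in user_groups}
    wanted = VERBS.index(verb.lower())
    for group, granted_verb, granted_type, scope in rules:
        if group not in groups or VERBS.index(granted_verb) < wanted:
            continue
        if granted_type not in ("all-resources", resource_type.lower()):
            continue
        if scope is not None and scope != compartment.lower():
            continue
        return True
    return False


# Constructed tenancy mirroring the slide: each group is confined to its own compartment.
TENANCY_POLICY = parse_policy([
    "Allow group group_X to manage all-resources in compartment compartmentA",
    "Allow group group_Y to manage all-resources in compartment compartmentB",
])
USERS = {"User_1": ["group_X"], "User_2": ["group_Y"]}  # constructed group membership


def check(user, verb, resource_type, compartment):
    """Evaluate one request for a named user against the tenancy policy."""
    return is_allowed(TENANCY_POLICY, USERS[user], verb, resource_type, compartment)


if __name__ == "__main__":
    print(check("User_1", "manage", "instances", "compartmentA"))  # True
    print(check("User_1", "read", "instances", "compartmentB"))    # False: PolicyA stops at A
```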
Resource Locations
Service | Resource | Location | Notes
IAM | Users, Groups, Policies, Compartments, API Signing Keys | Global |
Compute | Images | Regional |
Compute | Instances | Availability Domain | Instances can be attached only to volumes in the same AD
Compute | Volumes | Availability Domain |
Compute | Volume backup | Region | Backups can be restored as new volumes to any AD within the same region
Database | DB Systems | Availability Domain |
 | Virtual Cloud Network (VCN) | Region |
Load Balancer | Load Balancer | Region |
Storage | Buckets | Region | A bucket is a regional resource, but it can be accessed from any location as long as the correct region-specific URL is used
Tagging
Tagging is a metadata system that customers use to organize their resources.
[Diagram: tags applied across Backups, Volumes, DBs and Users]
• Tagging allows you to organize based on your preferences. You can create tags to describe all your organizational scenarios.
• Security and auditing tags could describe which resources need to be audited or hold sensitive information.
• Technical tags could include descriptive tags for the application, the network, or the environment.
• Business tags can include cost center, project, business owner, etc.
OCI Software Defined Network
Comprehensive Virtual Network with Off-box Virtualization
• Highly configurable private overlay networks – moves management and IO out of the hypervisor and enables lower overhead and bare metal instances
[Diagram: virtual network overlaid on the physical network]
A VCN covers a single, contiguous IPv4 CIDR block of your choice from the private ranges specified in RFC 1918. These IP ranges are not publicly routable.
VCNs also support a publicly routable range, and customers can bring their own public IP addresses.
The allowable VCN size range is /16 to /30. The VCN reserves the first two IP addresses and the last one in each subnet's CIDR.
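As an added example (not from the slides), the VCN sizing rules above checked with Python's standard ipaddress module: RFC 1918 membership, the /16 to /30 size range, and the three reserved addresses per subnet, so capacity planning counts only the addresses an instance can actually receive. The function names and sample CIDRs are constructed for the example.

```python
import ipaddress

# Private ranges from RFC 1918; the slide states a VCN's CIDR must come from these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX, MAX_PREFIX = 16, 30   # allowable VCN size range from the slide: /16 to /30


def validate_vcn_cidr(cidr):
    """Return the VCN network, or raise ValueError naming the rule it breaks.
    strict=True rejects a block with host bits set (e.g. 10.0.0.1/16), which
    enforces 'a single, contiguous CIDR block' exactly aligned on its prefix."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError(f"{net}: VCN CIDR must be IPv4")
    if not any(net.subnet_of(private) for private in RFC1918):
        raise ValueError(f"{net}: not inside an RFC 1918 private range")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{net}: prefix /{net.prefixlen} outside /{MIN_PREFIX} to /{MAX_PREFIX}")
    return net


def is_valid_vcn_cidr(cidr):
    """Boolean convenience wrapper around validate_vcn_cidr."""
    try:
        validate_vcn_cidr(cidr)
        return True
    except ValueError:
        return False


def reserved_addresses(subnet_cidr):
    """The three addresses the VCN keeps in every subnet: the first two and the last."""
    addrs = list(ipaddress.ip_network(subnet_cidr, strict=True))
    return [str(addrs[0]), str(addrs[1]), str(addrs[-1])]


def usable_addresses(subnet_cidr):
    """Addresses a VNIC can actually be assigned in a subnet, after the reservation."""
    addrs = list(ipaddress.ip_network(subnet_cidr, strict=True))
    return [str(a) for a in addrs[2:-1]]


def plan_subnets(vcn_cidr, subnet_prefix):
    """Carve a validated VCN into equal subnets; returns (subnet, usable host count) pairs.
    Planning on the raw 2**(32-prefix) figure overstates what each subnet can hold."""
    vcn = validate_vcn_cidr(vcn_cidr)
    if subnet_prefix < vcn.prefixlen:
        raise ValueError("subnet prefix must be at least as long as the VCN prefix")
    return [(str(s), len(usable_addresses(str(s)))) for s in vcn.subnets(new_prefix=subnet_prefix)]


if __name__ == "__main__":
    print(plan_subnets("10.0.0.0/16", 24)[:2])   # [('10.0.0.0/24', 253), ('10.0.1.0/24', 253)]
    print(is_valid_vcn_cidr("8.8.0.0/16"))       # False: not an RFC 1918 range
```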
[Diagram: VCN, 10.0.0.0/16]
Route Table: A set of route rules that provide mapping for the traffic from subnets via gateways to destinations outside the VCN.
[Table fragment on public IP addresses; its column headers did not survive extraction. Rows: "Its private IP is deleted"; "Its instance is terminated". Scope: Availability domain, versus Regional (can be assigned to a private IP in any availability domain in the region).]
Virtual Network: Secure, Fast Private Networks
Secure, reliable connectivity: IPSec VPN, FastConnect
Deep VCN control: Subnets, routing rules, IP address space, firewall rules
Console or API-driven; same fabric for all core services; all traffic encrypted and isolated
• Traffic is uniquely identified based on a unique VLAN tag
[Diagram: a bare metal instance with NIC1 (active) and NIC2; a hypervisor host whose NIC1 exposes virtual functions VF1, VF2 and VF3 to Guest VM1, VM2 and VM3; VNIC5 (primary); all within Subnet X, 172.16.0.0/24, with addresses IP1 to IP7]
Hybrid DNS Configuration
[Diagram: ORACLE CLOUD REGION with VCN 10.0.0.0/16 (DNS zone custvcn.oraclevcn.com) and a Mgmt Subnet 10.0.10.0/24 (DNS label mgmt) hosting a DNS VM at 10.0.10.15; the VCN is connected to the on-premises customer datacenter]
1. DNS query from appvm1 (for app1.customer.net) to the DNS VM (10.0.10.15).
Note: The DHCP options for the App subnet are configured with Custom DNS and the DNS IP address set to 10.0.10.15.
Compute Instances
Compute: Bare Metal & Virtual Machines
• VM compute instances run on the same hardware as Bare Metal instances, leveraging the same cloud-optimized hardware, firmware, software stack, and networking infrastructure
• Pricing Info: https://cloud.oracle.com/infrastructure/pricing (Price List for OPN Partners)
NVMe SSD Devices
• Locally attached SSDs are not protected
• OCI provides no RAID, snapshot, or backup capabilities for these devices
• Customers are responsible for the durability of data on the local SSDs
RAID 1: An exact copy (or mirror) of a set of data on two or more disks
RAID 10: Stripes data across multiple mirrored pairs. As long as one disk in each mirrored pair is functional, data can be retrieved
RAID 6: Block-level striping with two parity blocks distributed across all member disks
Compute: Bare metal & VMs with industry leading performance
Workload examples (left to right, with more compute & RAM and higher performance): Enterprise web, application, & authentication servers | Enterprise application servers, Hadoop | Oracle Database, HPC, Rendering, AI/ML, Spark, Containers
Bare metal Standard X7: 52 cores, 768 GB RAM, up to 512 TB block storage
Bare metal GPU Standard X7: 2 P100 GPUs, 28 cores, 192 GB RAM, up to 512 TB block storage
Bare metal Dense IO X7: 52 cores, 768 GB RAM, 51.2 TB NVMe, up to 512 TB block storage
VM Standard: 1-24 cores, 15-320 GB RAM, up to 512 TB block storage
VM Dense IO: 8, 16, 24 cores; 120, 240, 320 GB RAM; 6.4, 12.8, 25.6 TB NVMe; up to 512 TB block storage
Bring your own Hypervisor
Compute: Bare Metal Use Cases / Why Hypervisor?
• High IOPS workloads
– SQL, NoSQL
– File Systems
• Bring Your Own Hypervisor (BYOH)
• Type 2 Virtualization
• High Performance Computing
[Diagram: Bare Metal; Cloud Services]
A programmatic API to create and terminate bare metal instances allows customers to rethink their capital spend on hardware and their DR strategies.
Hypervisors on OCI
[Diagram: Guest VM]
Block Volume Service
Overview of Storage Options
Local NVMe (lowest latency)
• High performance NVMe SSD storage
• Local to a bare metal compute instance
• Non-resilient: Data doesn’t survive beyond instance life
Object (highest durability)
• Regional network accessible, durable storage
• Data is replicated regionally for very high availability and durability
• Designed for big data, backup and unstructured content
Local NVMe Storage
High performance local storage available with bare metal compute instances
Boot Volume
• 50 GB Boot Volume exposed via iSCSI
NVMe storage with bare metal compute
• Local storage with High IO Compute
– CPU: 36 cores; RAM: 512 GB; Local SSD: 4 x 3.2 TB NVMe (12.8 TB total)
• Local storage with Dense IO Compute
– CPU: 36 cores; RAM: 512 GB; Local SSD: 9 x 3.2 TB NVMe (28.8 TB total)
• NVMe performance
– Millions of IOPS
– 10-100 microsecond latencies
• Backing up Local NVMe
– Use the Storage Software Appliance to back up to Object Storage
Block Volumes
Block Volume Service Characteristics
Metric or Feature | Block Volume Service Characteristics
Cost per GB/month | Still 4.25 cents! Still simple model, 1 option!
* For Bare Metal or 8-core+ VM compute instance, using 4KB blocks. VM perf is limited by VM network bandwidth.
** At 256 KB block size
Block Volumes
• Persistent storage for compute instances
– Can be detached, then attached to a new compute instance
– Data at rest is always encrypted
• Service is local to an Availability Domain
• Backups
– Backup to regional object storage (regional service)
– New volumes can be created from those backups
• Backed by enterprise grade storage
– Disk mirroring to enhance durability and availability
• Performance
– The service offers 60 IOPS per GB and scales linearly
[Diagram: Region Phoenix with AD1 and AD2, each holding Compute and Block Volumes; Backups are stored regionally]
Block Volume Clones
• Fast cloning
– clone a block volume in a few seconds, regardless of the volume size (50 GB to 16 TB)
– while the cloned volume is being created or accessed, there is no impact on the original volume
– up to 10 clones at the same time
• Use Cases
– quickly create multiple dev/test copies of production environments, to troubleshoot problems, or test out configuration changes without impacting production
File Storage Service – Access Options
FSS is an AD-local service that can be accessed from all ADs in the same region and by thousands of OCI resources concurrently over OCI Console, APIs, CLI, Terraform, and data-path commands.
Scenario | Recommendations
Local AD Access | Mount from a local VM or BM machine*
Remote access from another AD* (within a region) | Ensure network connectivity VCN is enabled and all required ports for NFS are opened. Mount from a remote VM or BM machine*
Remote access from another region | With FastConnect or VPN enabled, mount from customer data center.
File Storage Service – Data Protection Options
Snapshots provide a consistent point-in-time view of your entire file system. You can create 10,000 snapshots per file system.
Scenario | Recommendations
File system data protection | Use APIs, CLI, OCI Console, and data-path commands to snapshot your file systems for replications, backup and data protection.
AD data protection | Asynchronously copy your file system or snapshot data to another AD, using rsync*
Regional data protection | Asynchronously copy your file system or snapshot data to another region, using rsync*; asynchronously copy to local or remote Object Storage, using tar; or zip your file system or snapshot data*
3rd Party data protection | Use 3rd party software to protect application and file system data in another AD or region. Support for NFS v.3 is required
* Manual, customer driven process using data path, APIs or CLI. To speed data transfer, we recommend using @ to create parallel rsync jobs.
DEMO: Block Volume and FSS
Object Storage – Standard & Archive
Object Storage
• Internet Scale Elastic Storage
• Highly Durable and Available
• Strong Consistency
• Secure
Bucket ACLs: Define IAM policy at the granularity of a bucket in a given compartment
Archive Storage
– Archive Storage tier exposed as a property of the Bucket
– Data must be restored to Std Object Storage before it can be accessed
– Takes ~ 4 hours to restore data
– Data accessible for a chosen duration after it is restored (up to 240 Hrs)
Coming Soon
– Object Lifecycle policies
– Batch Job Restores
– SEC Rule 17a-4(f) certification
Object Storage: Amazon S3 Compatibility API
– A set of Object Storage APIs that let you build products and services that interoperate with other storage services, such as Amazon S3
– The following highlights the differences between the Object Storage API and the S3 Compatibility API
• Compartments
– Any buckets created using the Amazon S3 Compatibility API are created in the root compartment of the Oracle Cloud Infrastructure tenancy.
• Global bucket namespace
– Object Storage doesn't use a global bucket namespace.
– Bucket names must be unique within the context of a namespace, but bucket names can be repeated across namespaces.
• Encryption
– Data at rest is encrypted by default.
– Encryption can't be turned on or off using the API.
• Object Level Access Control Lists (ACLs)
– Oracle Cloud Infrastructure does not use ACLs for objects. Instead, IAM policies are used to manage access to compartments, buckets, and objects.
The Edge Can Be 50% of Cloud Performance
[Chart: 30-50% | 50-70%; stages of a request: Internet (DNS Lookup, Connections), Time to First Byte, Database (Processing, Transaction), Storage I/O]
What Makes Oracle Cloud Infrastructure DNS Different? …Our Data
Authoritative DNS query logs | 6TB/day: 32B queries/day from 240 countries
Recursive DNS query logs | 360GB/day: 1B queries/day from 246 countries
Traceroute data | 220GB/day: 650 million IPv4 & IPv6 traces/day from nearly 300 locations
Network prefix and ASN registration data | 10GB/day: 50+ data sources (5 RIRs, 22 IRRs, 2 commercial geo sources, etc.)
BGP routing data | 2GB/day: 250 million BGP updates/day from over 700 IPv4 & IPv6 peers
Geolocation data | 2GB/day: Dyn’s GeoExtensions contains over 610M IP addresses and can be used as a validated overlay to commercial sources
Superior geolocation accuracy; comprehensive internet performance data: 270,000,000,000 data points daily
How Does DNS Work?
https://dyn.com/blog/dns-why-its-important-how-it-works/
[Diagram: Users ask "Example.com?" of Recursives, which initiate queries and receive responses, performing iterative queries to find the resource; the Recursives query Authoritative servers, which hold the Zone Info, walking from ROOT "." to the TLD (COM, NET, AR, etc.) to the Domain; the answer 1.1.1.1 is returned to the recursive and then to the user]
*Any name registered in authoritative DNS is a
* A DNS zone is the mappings between domain names and IP addresses. Zones can be organized by geography, service, or resources.
Market Performance
Internet Intelligence
Oracle Container Native Strategy
• Deliver a container native suite that is complete, integrated, open
– CI/CD, Orchestration/Scheduling, Management/Operations, Analytics/Introspection
– With a cloud neutral application development platform for microservices and serverless
• That is community driven, cloud neutral and open source
– Deep investment in open source communities and foundations (Kubernetes, Docker, Cloud Native Computing Foundation) via engineering resources, code contributions & sponsorship
• Differentiated on quality of service and operational excellence
– Full, transparent management
– Deployed to Oracle Cloud Infrastructure
– Enterprise grade security, HA and governance
In today’s market, there is no open cloud platform that solves for the full container native application lifecycle.
Oracle Container Native Application Development Platform
Integrated Suite of Container Native Capabilities
Container Pipelines: A market leading solution for application lifecycle management with a Docker centric product view
Container Engine: Fully managed container service based on Kubernetes running on Oracle Cloud Infrastructure Bare Metal
Container Microservices: A collection of services, frameworks and libraries for the modern cloud developer; based on Cloud Native Compute Foundation – Istio/Envoy
Container Functions (fn): Open source, cloud neutral, community driven functions as a Service for any language, best of class for Java
Container Diagnostics: Unparalleled real-time observability and diagnostics for large scale distributed Java systems