02 - OCI Deep Dive Day 1 - v5.3

Oracle Cloud Infrastructure Deep Dive 1
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

Program Agenda – OCI Deep Dive 1
1 Enterprise Grade Governance and Management

2 Software Defined Network
3 Compute and BYOH
4 Storage – Block Volume Service
5 Object and Archive Storage
6 Edge Services & Container Native Applications
6
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Oracle OpenWorld 2017 Content 4
Enterprise Grade Governance &
Management
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
and/oritsitsaffiliates.
affiliates.All
Allrights
rightsreserved.
reserved.| Oracle OpenWorld 2017 Content
Enterprise Grade Governance and Management
• Compartments
– Provides simple organization of all an enterprise’s cloud resources. This allows workgroups to freely innovate while remaining
accountable for the resources they consume.
• Identity Access Management - Identity Federation

– Users retain one account between Oracle Cloud and other enterprise applications (IDCS and MS Active Directory).
• Audit Service
– Every action performed in Oracle Cloud is recorded to an audit log.
• Tagging
– Integrated tagging to categorize your resources – cost tracking, authorization, or any custom use
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Oracle OpenWorld 2017 Content
IAM Service resources are global
Oracle Cloud Infrastructure Services
Region – PHX Region – IAD Region – LON Region – FRA
CompanyA Tenancy CompartmentA
Instance A Instance B Instance C Instance D
• IAM – allows control as to who can access the OCI account? what services and resources can be
used? how they can use these resources ?
• IAM Service resources (compartments, users, groups, and policies) are global, so one can access
them across all regions
• Home region is where you sign-up and your subscription resides (but can always subscribe to other
regions)
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-7
IAM Service
Service Limits
Tenancy Policies
Users Groups
User_1 group_X PolicyA: Allow group_X to manage all-resources in
User_2 group_Y compartmentA
PolicyB: Allow group_Y to manage all-resources in
compartmentB
CompartmentA CompartmentB
PolicyA PolicyB

IAM – Typical Implementation
Each participant uses their assigned

compartment and:
• Launches an Oracle Linux VM
• Accesses the VM using ssh client
WP01 Block Volume
using ssh key pair GROUP G01
SUBNET01
USER U01
VCN01
COMPARTMENT
TENANCY
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 4-9
Resource Locations
Service Resource Location
Users, Groups, Policies, Compartments,
Global
API Signing Keys
Images Regional
Instances can be attached only to volumes in the
Instances Availability Domain
same AD
Compute
Volumes Availability Domain
backups can be restored as new volumes to any AD
Volume backup Region
within the same region
Database DB Systems Availability Domain
Virtual Cloud Network (VCN) Region
Network Subnet Availability Domain
Security Lists, Route Table, DRG, IGW, CPE, Region
Load
Load Balancer Region
Balancer
Bucket is a regional resource but it can be accessed
from any location as long as correct region-specific
Storage Buckets Region
URL is used

Tag Organizational Production Compartment Development Compartment
Models Compute Compute
Backups Backups
Tagging is a metadata system
that customers use to organize
Volumes Volumes
their resources.
DBs DBs
Users Users
• Tagging allows you to organize based on your preferences. You can create tags to describe all your
organizational scenarios.
• Security and Auditing tags could describe which resources need to be audited, or have sensitive
information
• Technical tags could include descriptive tags for your the application, the network, the environment.
• Business type tags can include cost center, project, business owner etc.

DEMO
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
affiliates.All
Allrights
rightsreserved.
OCI Software Defined Network
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
affiliates.All
Allrights
rightsreserved.
Comprehensive Virtual Network with Off-box Virtualization
• Highly configurable private overlay networks – moves management and IO out of the
hypervisor and enables lower overhead and bare metal instances
VIRTUAL NETWORK
PHYSICAL NETWORK
Availability Availability Availability

Domain 1 Domain 2 Domain 3
REGION DATACENTERS
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 14

Technology-Enabled Cloud Infrastructure Innovation
?
COMPUTE & STORAGE
Bare metal hosts NVMe storage VMs Engineered Systems Any middlebox – IDS/IPS,…
VIRTUAL NETWORK
PHYSICAL NETWORK
Availability Availability Availability

Domain 1 Domain 2 Domain 3
REGION DATACENTERS

Virtual Cloud Network (VCN)
A Virtual Cloud Network is a virtual version of a traditional network— including subnets, route tables,
and gateways— on which your instances run. A cloud network resides within a single region but can
cross multiple Availability Domains.
A VCN covers a single, contiguous IPv4 CIDR block of your choice as specified in RFC 1918.These IP
ranges are not publically routable.
VCNs also support a publicly routable range and customers can bring in their Public IP addresses.
The allowable VCN size range is /16 to /30. VCN reserves the first two IP addresses and the last one in
each subnet's CIDR.

Subnet
A VCN resides within a single region but can
ORACLE CLOUD DATA CENTER REGION cross multiple Availability Domains (AD).
Subnet: each VCN network is subdivided into

AVAILABILITY DOMAIN-1 AVAILABILITY DOMAIN-2 subnets, and each subnet is contained within a
single Availability Domain.
• You can have more than one subnet in an AD for a

given VCN
SUBNET A, SUBNET B,
10.0.1.0/24 10.0.2.0/24
• Each subnet has a contiguous non-overlapping
private RFC1918 IP space
VCN, 10.0.0.0/16 • Subnets can be designated as either Public or

Private
• Instance draw their internal IP address from
subnets

IGW, DRG
Internet Gateway: A virtual router that provides
ORACLE CLOUD DATA CENTER REGION
a path for network traffic between your VCN and
the internet.
AVAILABILITY DOMAIN-1 AVAILABILITY DOMAIN-2
Dynamic Routing Gateway (DRG): A virtual

router that provides a single point of entry
Internet coming in to your VCN. You can use it with a
Gateway
router in your on-premises network to establish
SUBNET A, SUBNET B,
10.0.1.0/24 10.0.2.0/24 a connection via IPSec VPN or FastConnect.
After creating the IGW or DRG, you must attach

VCN, 10.0.0.0/16 it to your VCN and add a route for the IGW/DRG
in the VCN's route table to enable traffic flow.

Security Lists, Route Table
ORACLE CLOUD DATA CENTER REGION Security List: A common set of firewall rules
associated with a subnet and applied to all
instances launched inside the subnet
• Security lists provide ingress and egress rules

that specify the types of traffic allowed in
and out of the instances
SUBNET A, SUBNET B,
10.0.1.0/24 10.0.2.0/24 • You can choose whether a given rule is
stateful or stateless
VCN, 10.0.0.0/16
Route Table: A set of route rules that provide
mapping for the traffic from subnets via gateways
to destinations outside the VCN

Stateful Security Lists
• Connection Tracking: when an instance receives traffic
matching the stateful ingress rule, the response is
tracked and automatically allowed regardless of any
egress rules
• Similarly for sending traffic from the host
• Default Security Lists are stateful

Stateless Security Lists
• With stateless rules, response traffic is not automatically
allowed
• To allow the response traffic for a stateless ingress rule,

you must create a corresponding stateless egress rule
• If you add a stateless rule to a security list, that indicates

that you do NOT want to use connection tracking for any
traffic that matches that rule

Default VCN components
Your VCN automatically comes with some default
ORACLE CLOUD DATA CENTER REGION
components
• Default route table
• Default security list
• Default set of DHCP options
Default Route Custom Route
Table Table
You can’t delete these default components;
however, you can change their contents (e.g.
SUBNET A, SUBNET B,
10.0.1.0/24 10.0.2.0/24 individual route rules). And you can create more
of each kind of component in your cloud
network (e.g. additional route tables).
VCN, 10.0.0.0/16

Public IPs
• Basics:
– A public IP address is an IPv4 address that is reachable from the internet. You can assign a public IP
address to a resource (such as an instance or load balancer) to enable communication with the
internet. The resource is assigned a public IP address from the Oracle Cloud Infrastructure address
pool.
– For a public IP address to be reachable over the internet, the VCN it's in must have an internet
gateway, and the public subnet must have route tables and security lists configured accordingly.
• Public IP assignment is actually to a private IP object on the resource. The VNIC that the
private IP is assigned to must be in a public subnet. A given resource can have multiple
secondary VNICs. And a given VNIC can have multiple secondary private IPs. So you can
assign a given resource multiple public IPs across one or more VNICs if you like.
• There are two types of public IPs:
– Ephemeral: temporary and existing for the lifetime of the instance.
– Reserved: persistent and existing beyond the lifetime of the instance it's assigned to.
You can unassign it and then reassign it to another instance whenever you like.
Ephemeral and Persistent Public IP’s
Characteristic Ephemeral Public IPs Reserved Public IPs
Automatic Its lifetime is tied to the Never. Exists until you delete it.
deletion private IP's lifetime.
Automatically unassigned
and deleted when:
 Its private IP is
deleted
 Its VNIC is detached

or terminated
 Its instance is
terminated
Scope Availability domain Regional (can be assigned to a
private IP in any availability
domain in the region)
Managing Public IP's

DNS Choice
– The Domain Name System (DNS) enables lookup of other computers using host names.
– You choose the DNS for each subnet in the cloud network.
• Default Choice: Internet and VCN Resolver. This is an Oracle-provided option that includes two parts:
– Internet Resolver: Lets instances use host names that are publicly published on the Internet. The instances do
not need to have Internet access by way of either an IGW or an IPSec VPN DRG.
– VCN Resolver: Lets instances use host names (which you can assign) to communicate with other instances in
the VCN.
• Custom Resolver: Use your own DNS servers. These could be Internet IP addresses for DNS servers in
your VCN, or DNS servers in your on-premise network, which is connected to your VCN by way of an
IPSec VPN connection.
Instance FQDN: <hostname>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com

(you can specify VCN, Subnet and hostname DNS labels)

VCN Configurations
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
affiliates.All
Allrights
rightsreserved.
Virtual Network: Secure, Fast Private Networks
Secure, reliable connectivity: IPSec VPN, FastConnect Deep VCN control: Subnets, routing rules, IP address space, firewall rules
ORACLE CLOUD REGION

Virtual Cloud Network
Backend Subnet App Subnet DMZ Subnet

AVAILABILITY
DOMAIN-1 End users
FastConnect Datagaurd Sync
Backend Subnet App Subnet

AVAILABILITY
VPN DOMAIN-2
DMZ Subnet
Customer
Datacenter App Subnet DMZ Subnet
Virtual Cloud
Backend Subnet Network
AVAILABILITY
DOMAIN-3
Console or API-driven; same fabric for all core services; all traffic encrypted and isolated

Versatile workloads on the same virtual network
PaaS
Java CS
VMs VMs
Event Hub CS
VMs
ORACLE REGION
Database
Exadata RAC Systems Bare Metal
Bare Metal
MySQL CS
Virtual Network
Multiple Availability Domains

Advanced Features in VCN
• Following are the advanced features in VCN

– Private IP as Route Target – NAT
– VCN Peering
– Multiple vNICs on Virtual Instances
– Multiple vNICs on Bare Metal Instances
– Secondary IP addresses on vNICs

Private IP as Route Target – NAT
ORACLE CLOUD REGION
Availability Domain 1 • Ability to use a private IP as the target of
VCN 10.0.0.0/16 a route rule in situations where you want
Frontend Subnet to route a subnet's traffic to another
10.0.0.0/24
instance
NAT/Firewall HA Pair Route Table
172.16.0.0/16  DRG
0.0.0.0/0 10.0.0.15
• Use Cases
Customer
Datacenter • To implement NAT in VCN
• To implement a virtual network
Backend Subnet
10.0.1.0/24
function (such as a firewall or
intrusion detection)
• To manage an overlay network on the
FastConnect
VCN, which lets you run container
Private Instances orchestration workloads

Local VCN Peering (within region)
Local VCN peering is the process of connecting two VCNs in the same
region. A local peering gateway (LPG) is a component on a VCN for
routing traffic to a locally peered VCN.
Explicit Agreement Required from Both Sides

• Peering involves two VCNs that might be owned by the same party or
two different ones. The two parties might both be in your company
but in different departments.
• Peering between two VCNs requires explicit agreement from both
parties in the form of Oracle Cloud Infrastructure Identity and Access
Management policies that each party implements for their own VCN's
compartment.

Remote VCN Peering (across regions)
Remote VCN peering is the process of connecting two VCNs in different regions
(but the same tenancy) without routing the traffic over the internet or through on-premises.
Same explicit agreement required as

with local VCN peering.
Currently, supported between these

regions (more coming soon) :
Phoenix (PHX) region
Ashburn (IAD) region

Multiple VNICs on virtual machines
• Every VM has one primary VNIC created at launch,
and a corresponding Ethernet device on the
ORACLE CLOUD INFRASTRUCTURE (REGION)
Availability Domain 1 AD2 AD3
instance with the IP address configuration of the
primary VNIC.
Subnet A Subnet B
10.0.0.0/24 10.0.1.0/24 • When a secondary VNIC is added, new Ethernet
device is added and is recognized by the instance
VNIC1 VNIC2 VNIC3 VNIC4 OS.
– VM1 - single VNIC instance
primary primary primary
– VM2 - connected to two VNICs from two
subnets within the same VCN. Used for virtual
appliance scenarios
– VM3 - connected to two VNICs from two
VM1 VM2 VM3
subnets from separate VCNs. Used to connect
instances to a separate management network
VNIC5 for isolated access
VCN
Subnet X
172.16.0.0/24

Multiple VNICs on bare metal instances
• Every BM instance has two physical NICs.
ORACLE CLOUD INFRASTRUCTURE (REGION)
– Only one physical NIC is active in first
generation BM (X5 Servers)
Subnet A
10.0.0.0/24
Subnet B
10.0.1.0/24 – Both NICs are active in second generation BM
(X7 servers)
VNIC1 VNIC2 VNIC3 VNIC4 – Each NIC has 25 Gbps bandwidth.
• NIC1 is configured as primary VNIC, created at
instance launch.
• Secondary VNICs can be on either NICs if both are
primary
NIC1
active
• Traffic is uniquely identified based on a unique
VLAN tag
VNIC5
– attach a secondary VNIC

– update the instance OS
Bare metal instance Subnet X
172.16.0.0/24
NIC2

Multiple VNICs on bare metal instances
ORACLE CLOUD INFRASTRUCTURE (REGION) • In a BYOH scenario, each guest VM can get one or
more secondary VNICs.
Subnet A
10.0.0.0/24
Subnet B
10.0.1.0/24
• In case Single Root –IO Virtualization (SR-IOV)
virtual functions (VF) are being used by the
hypervisor to provide network access to the guest
VNIC1 VNIC2 VNIC3 VNIC4
VMs, each VF can be configured with the VLAN tag
and MAC address of a secondary VNIC.
primary
NIC1
VF2
VF1
VF3
Hypervisor
VNIC5
Guest VM3
Guest VM2
Guest VM1
Subnet X
Bare metal instance 172.16.0.0/24
NIC2

Secondary IP addresses on VNICs
ORACLE CLOUD INFRASTRUCTURE (REGION) • Every VNIC is assigned a primary private IP address
Availability Domain 1 AD2 AD3 when it is created, which is configured
automatically on the corresponding Ethernet device
Subnet A
10.0.0.0/24
Subnet B
10.0.1.0/24
in the instance OS.
• Two step process to use secondary IP addresses
– assign a secondary private IP address to VNIC
using console/API/SDK
– update the instance OS to configure an
IP5
IP6
IP7
IP4
IP1
IP2
IP3
primary primary primary
VNIC1 VNIC1 VNIC3 additional IP address on the corresponding

Ethernet device.
• Secondary IP addresses can be assigned to a
primary primary different VNIC in the same subnet, in case of a
failover scenario.
VM1 VM2

Hybrid DNS Configuration
ORACLE CLOUD REGION
Customer
Datacenter On-premises to VCN
VCN 10.0.0.0/16
DNS zone – custvcn.oraclevcn.com 1. DNS query (for
db1.exaclient.custvcn.oraclevcn.com) to
Mgmt Subnet (10.0.10.0/24) on-prem DNS server (172.16.0.5)
DNS label - mgmt
2. DNS query forwarded to DNS VM in VCN
(10.0.10.15)
FastConnect DNS VM 3 3. DNS query forwarded to VCN DNS resolver

1 CPE
(10.0.10.15) (169.254.169.254)
client 4
VCN DNS Resolver
machine (169.254.169.254) 4. DNS VM gets the IP address of the FQDN
ExaClient Subnet (10.0.0.0/24) and sends it back to on-prem DNS server
2 DNS label - exaclient
5. On-prem DNS server gets the IP address
5 and responds to the client machine
testdb
AD/DNS (10.0.0.20)
Server
(172.16.0.5)
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal/Restricted/Highly
39 Restricte
Hybrid DNS Configuration
ORACLE CLOUD REGION
Customer
Datacenter VCN to on-premises
VCN 10.0.0.0/16
DNS zone – custvcn.oraclevcn.com 1. DNS query from appvm1 (for
app1.customer.net) to DNS VM
Mgmt Subnet (10.0.10.0/24) (10.0.10.15).
DNS label - mgmt Note: DHCP options for App subnet is configured with Custom DNS & DNS IP
address as 10.0.10.15
2 2. DNS VM forwards to on-prem DNS server

DNS VM
(172.16.0.5)
FastConnect
(10.0.10.15)
client
CPE
4 3. On-prem DNS server sends the IP address
machine to DNS VM
App Subnet (10.0.1.0/24)
1 4. DNS VM responds to the appvm1 with the
IP address
3
appvm1
AD/DNS (10.0.1.20)
Server
(172.16.0.5)
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal/Restricted/Highly
40 Restricte
Compute Instances
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
affiliates.All
Allrights
rightsreserved.
Compute: Bare Metal & Virtual Machines
Bare Metal (BM) Virtual Machine (VM)

No hypervisor involved – customers get the full bare A hypervisor to virtualize the underlying bare metal server
metal server with 36 or 52 cores into smaller VMs
(single-tenant model) (multi-tenant model)
VMs
Hypervisor
• VM compute instances runs on the same hardware as a Bare Metal instances, leveraging the same
cloud-optimized hardware, firmware, software stack, and networking infrastructure
• Pricing Info: https://cloud.oracle.com/infrastructure/pricing Price List for OPN Partners

Available Shapes
Shape Instance type OCPU RAM (GB) Local Disk (TB)

BM.Standard1.36 Standard compute capacity 36 256 Block Storage only
BM.DenseIO1.36 Dense I/O compute capacity 36 512 28.8 TB NVMe SSD
BM.Standard2.52 X7-based standard compute capacity 52 768 Block storage only
BM.DenseO2.52 X7-based dense I/O compute capacity 52 768 51.2TB NVMe SSD
BM.GPU2.2 X7-based GPU: 2 P100 NVIDIA GPUs 28 192 Block storage only
BM.GPU3.8 X7-based GPU: 8 V100 NVIDIA GPUs 52 768 51.2TB NVMe SSD
VM.Standard1.1 Standard 1 7 Block Storage only

VM.DenseIO1.4 Dense I/O compute capacity 4 60 3.2 TB NVMe SSD
VM.Standard.2.24 Standard 24 320 Block Storage only

X7-based GPU instance
Summary: Customer Benefit:
 Bare Metal GPU Standard: 28 core, 2 NVIDIA P100  Addresses GPU opportunities
GPUs, 192 GB of memory and 52 core, 8 NVIDIA like AI, Machine Learning, HPC,
V100, 768 GB of memory Rendering, CAD, 3D renderings
 Latest GPUs: NVIDIA's Pascal and Volta generations  At least 2X faster than
 Workloads based on CUDA or OpenCL utilizing Tesla comparable instances at Azure
P100 and AWS
 Coming soon: NVIDIA GPU Cloud (GGC) for Deep  Competitors cost 2.4X more for
Learning and HPC workloads comparable instances
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Restricted
NVMe SSD Devices
• Locally attached SSDs are not protected
• OCI provides no RAID, snapshots, backups capabilities for these devices
• Customers are responsible for the durability of data on the local SSDs
Instance type NVMe SSD Devices ubuntu@nvme:~$ lsblk

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 46.6G 0 disk
BM.DenseIO1.36 9 drives = 28.8TB raw ├─sda1 8:1 0 46.5G 0 part /
├─sda14 8:14 0 4M 0 part
BM.DenseO2.52 16 drives = 51.2TB raw └─sda15 8:15 0 106M 0 part /boot/efi
nvme0n1 259:4 0 2.9T 0 disk
VM.DenseIO1.4 1 drive = 32. TB raw nvme1n1 259:5 0 2.9T 0 disk
nvme2n1 259:3 0 2.9T 0 disk
VM.DenseIO1.8 2 drives = 6.4 TB raw nvme3n1 259:6 0 2.9T 0 disk
nvme4n1 259:7 0 2.9T 0 disk
nvme5n1 259:8 0 2.9T 0 disk
VM.DenseIO1.16 4 drives = 12.8 TB raw nvme6n1 259:1 0 2.9T 0 disk
nvme7n1 259:0 0 2.9T 0 disk
nvme8n1 259:2 0 2.9T 0 disk

Protecting NVMe SSD Devices
RAID 1: An exact copy (or RAID 10: Stripes data across multiple mirrored RAID 6: Block-level striping with two parity blocks
mirror) of a set of data pairs. As long as one disk in each mirrored pair is distributed across all member disks
on two or more disks functional, data can be retrieved

Launching a Compute Instance – BM or VM
• Operations: Launch an instance, access it securely from your computer, restart it, attach
and detach volumes, and terminate it when you're done.
• Components required to Launch an Instance:
– Key Pairs for ssh access
– Choose a Compartment
– Create a Virtual Cloud Network
– Select an Image
– Select a Shape -- format: [BM|VM].[Standard|DenseIO][1|2].[#CPUs], BM.GPU2.2, BM.GPU3.8
– Optionally cloud-init scripts
– Launch the instance
– Optionally attach block volumes
• Each Oracle Bare Metal Cloud Services resource has a unique, Oracle-assigned identifier
called an Oracle Cloud IDentifier (OCID).
Machine Images
Oracle Provided Images Custom Images Managed Boot Volumes
• Oracle-Provided Images • Build Online • When you terminate your

• User – Instance Freezes for a while instance, you can keep
– OPC with sudo privileges – Do no include the data from the associated boot
– Root login is disabled any attached volumes volume
– Cannot be > 50 GB in size • Can be used for instance
• cloud-init compatible
• Build Offline scaling
• Linux Firewall enabled – Bring Your Own Custom • Can be mounted on any
Image for Emulation Mode working instance for
Virtual Machines Troubleshooting

Bring Your Own Image Lift Shift
Emulation mode Para-virtualized mode Native mode
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal/Restricted/Highly Restricted 50
Compute: Bare metal & VMs with industry leading performance
Enterprise web, application, Enterprise application Oracle Database, HPC,
& authentication servers servers, Hadoop Rendering, AI/ML,
Spark, Containers
MORE
Bare metal
COMPUTE & RAM
Dense IO X7
Bare metal Bare metal 52 cores, 768 GB RAM,
Standard X7 51.2 TB NVMe,
GPU Standard X7 up to 512 TB block storage
52 cores, 768 GB RAM, VM Dense IO 2 P100 GPUs, 28 cores,
up to 512 TB block storage 8, 16, 24 cores, 192 GB RAM,
120, 240, 320 GB RAM, up to 512 TB block storage
VM Standard 6.4, 12.8, 25.6 TB NVMe,
1-24 cores,
up to 512 TB block
15-320 GB RAM,
storage
up to 512 TB block
storage
PERFORMANCE HIGHER
10,000’s to 100,000’s 100,000’s to millions Millions of IOPS

of IOPS of IOPS

DEMO : Create an Instance
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
affiliates.All
Allrights
rightsreserved.
Bring your own Hypervisor
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
affiliates.All
Allrights
rightsreserved.
Compute : Bare Metal Use Cases Why Hypervisor ?
• High IOPS workloads
– SQL, NoSQL
– File Systems
• Bring Your Own Hypervisor (BYOH)
Bare Metal
• Type2 Virtualization
Cloud Services
• High Performance Computing
Programmatic API to create and terminate bare metal instances allows customers to
rethink their capital spend on hardware and DR strategies

Bring Your Own OVM / KVM Hypervisor
Nested KVM Virtualization on Oracle Cloud Infrastructure

https://blogs.oracle.com/cloud-infrastructure/nested-kvm-virtualization-on-oracle-iaas
OVM on OCI Whitepaper:

https://docs.us-phoenix-1.oraclecloud.com/Content/Resources/Assets/ovm_on_oci.pdf
Hyper-V on OCI Whitepaper:

https://docs.us-phoenix-1.oraclecloud.com/Content/Resources/Assets/deploy-hyper-v-with-routing.pdf
Hypervisors on OCI
• Run your own KVM hypervisor

• Full control over all KVM configuration
• Manage your own Virtual Machines
• Support Operating Systems not currently supported natively in OCI
• VMs participate on network as first class citizens
Full control over your hypervisor

Hypervisors on OCI
• Currently only Type-2 Hypervisors are supported (only KVM
currently)
• VM disks can be stored on local NVMe or Block Storage
• A single Bare Metal instance can have up to 16 vNICs
– Up to 32 private IP addresses per vNIC
• Assign one or more VNICs to the VMs
• VMs can be on the same or different subnets
Full control over your hypervisor

Lift and shift custom applications as hypervisor guests VMs
ORACLE CLOUD REGION • Applications may need a custom OS
image not supported on OCI
VCN
10.0.0.0/16 • KVM hypervisor on a Bare Metal
Frontend Subnet instance, and launch guest VMs with
10.0.1.0/24
Customer Management Subnet OS images exported from on-premises
Datacenter 10.0.10.0/24 VNIC1
• Guest VMs use a Virtual Network
FastConnect App Subnet
Interface Card (VNIC) from a subnet
Guest VM
10.0.2.0/28 based on application requirements.
VNIC2
Guest VM
Guest VM
BM instance Backend Subnet

with KVM 10.0.3.0/24
VNIC3
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal/Restricted/Highly Restricted 58
Block Volume Service
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
affiliates.All
Allrights
rightsreserved.
Overview of Storage Options
Local NVMe
Lowest • High performance NVMe SSD storage
Latency • Local to a bare metal compute instance
• Non-resilient: Data doesn’t survive beyond instance life
Block Volumes • Resilient storage: Data is persisted beyond instance life

• Volumes can be detached and attached to different instances
• Shared storage: Data is persisted beyond instance life

File Service
• Volumes and file shares* can be detached and attached to
different instances
Object
• Regional network accessible, durable storage
Highest
• Data is replicated regionally for very high availability and
Durability durability
• Designed for big data, backup and unstructured content
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal 61
Local NVMe Storage
High performance local storage available with bare metal compute instances
Local NVMe SSD
Boot Volume
• 50GB Boot Volume exposed via iSCSI
NVMe storage with bare metal compute
• Local storage with High IO Compute
• CPU: 36-Cores; RAM: 512 GB; Local SSD: 4 X 3.2TB NVMe (12.8 TB total)
• Local storage with Dense IO Compute
• CPU: 36-Cores; RAM: 512 GB; Local SSD: 9 x 3.2TB NVMe (28.8 TB total)
– Backing up Local NVMe
• NVMe performance • Use the Storage Software
• Millions of IOPS Appliance to backup to
• 10-100 Microsecond latencies Object Storage
Block
Volumes
Block Volume Service Characteristics
Metric or Feature Block Volume Service Characteristics
Configurable: 50GB to 16TB (1GB increments)

Flexibility
All NVMe-based
Perf: IOPS/Volume 60 IOPS/GB - up to 25K IOPS*

Perf: Throughput/Volume 480 KBPS/GB - up to 320 MBPS**
Perf: Latency/Volume (P95) <1 msec
• 32 attachments/instance, up to ½ PB
Perf: Per-instance Limits
• Up to 400K IOPS, near line rate throughput
Volume Durability Multiple replicas across AD
Restore from Backups (RTO) <1 minute, regardless of size
Backup Performance (RPO) ~30 minutes (for 2TB), via snapshot
Cost per GB/month Still 4.25 cents! Still simple model, 1 option!
* For Bare Metal or 8-core+ VM compute instance, using 4KB blocks. VM perf is limited by VM network bandwidth.
** At 256 KB block size
Block Volumes
Region Phoenix
• Persistent storage for compute instances
– Can be detached, then attached to a new compute AD1 AD2
instance
– Data at rest is always encrypted
• Service is local to Availability Domain Compute Compute
• Backups
– Backup to regional object storage (regional service)
– New volumes can be created from those backups
• Backed by enterprise grade storage
– Disk mirroring to enhance durability,availability Block Block
Volumes Volumes
• Performance
– The service offers 60 IOPS per GB and scales linearly
Backups
Copyright
Copyright ©
© 2015,
2017,Oracle
Oracleand/or
and/orits
itsaffiliates.
affiliates. All
All rights
rightsreserved.
reserved. ||
Block Volumes Clones
• Fast cloning
– clone a block volume in a few seconds,
regardless of the volume size (50 GB to 16
TB)
– while the cloned volume is being created
or accessed, there is no impact on the
original volume
– up to 10 clones at the same time
• Use Cases
– quickly create multiple dev/test copies of
production environments, to troubleshoot
problems, or test out configuration changes
without impacting production

Block Volume Cloning
• A block volume cloning feature which creates a point-in-time direct disk-to-disk
deep copy of a source volume without a backup.
• A clone can only be created in the same AD with no need of detaching the source
volume before cloning it
• Volume Cloning and Backup operation are mutually exclusive operations
• A clone can be attached and used as regular volume when its lifecycle state changes
from ”PROVISIONING” to "AVAILABLE", usually within seconds (At this time, the
data is being copied in the background)
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 5b - 66

Backup and Restoration
• Backup is a complete point-in-time complete snapshot copy of your block volumes.
• Backups are encrypted and stored in the Object Storage Service, and can be restored as new
volumes to any Availability Domain within the same region.
• This capability provides you with a spare copy of a volume and gives you the ability to
successfully complete recovery within the same region.
• Restoration of volume from a backup takes less than a minute regardless of the volume size
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 5b - 67

File
Storage
File Storage Service (FSS)
FSS Benefits Description
Enterprise Grade File Storage • A dynamic, enterprise grade file storage service that scales to
meet the storage needs of enterprise customers.
Ease of Deployment • With just a few clicks customers receive a mount point in their
network that can be shared among local bare metal and virtual
compute resources in a region.
Fully Managed • Oracle manages capacity growth, software upgrades, and failed
components.
Elastic Growth • No minimum capacity requirements.
• Start with Kilobytes, scales to Exabytes.
• Pay only for what you use.
Data Protection • Highly available.
• Multi-way replication for data and metadata.
• High performance AD local service.
File
Storage
File Storage Service – Summary
GA Features Use Cases
• NFS v3
• Network Lock Management
• Full POSIX semantics
• Read-only, capacity efficient snapshots General Purpose Big Data HPC
Archive Analytics Scale Out Apps
• Data-at-rest encryption
• Performance:
• SSD, low latency EBS
• ~150 MB/s per TB
• Console management, API and CLI Oracle Applications Test / Dev Micro Services
• AD-local service in all regions Lift and Shift Databases Containers
• Cost per GB/month, $0.0425
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal/Restricted/Under NDA
File
File Storage Service – Access Options Storage
FSS is an AD-local service that can be accessed from all ADs in the same region and by thousands
of OCI resources concurrently over OCI Console, APIs, CLI, Terraform, and data-path commands.
Scenario Recommendations
Local AD Access Mount from a local VM or BM machine*
Ensure network connectivity VCN is enabled and all required ports for NFS
Remote access from another AD*
are opened.
(within a region) Mount from a remote VM or BM machine*
Remote access from another region With FastConnect or VPN enabled, mount from customer data center.
Install a secure S3 gateway (Instructions and Terraform template available)

Remote access over the internet
to enable ingesting files/file systems or sharing them externally via S3/URL
*For best performance we recommend mounting locally, due to latency across AD’s
File
File Storage Service - Data Protection Options Storage
Snapshots provide a consistent point-in-time view of your entire file system. You can create 10,000 snapshots/file system.
Scenario Recommendations
Use APIs, CLI, OCI Console, and data-path commands to snapshot your file systems for
File system data protection
replications, backup and data protection.
AD data protection Asynchronously copy your file system or snapshot data to another AD, using rsync*
Asynchronously copy your file system or snapshot data to another region, using rsync*
Regional data protection Asynchronously copy to local or remote Object Storage, using tar; or zip your file system
or snapshot data*
Use 3rd party software to protect application and file system data in another AD or
3rd Party data protection
region. Support for NFS v.3 is required
* Manual, customer driven process using data path, APIs or CLI. To speed data transfer, we recommend using @ to create parallel rsync jobs.
DEMO : Block Volume and FSS
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
affiliates.All
Allrights
rightsreserved.
Object Storage – Standard & Archive
Oracle Cloud Infrastructure
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
affiliates.All
Allrights
rightsreserved.
Object Storage
Internet
Scale Elastic
Storage
Highly
Strong
Durable and
Consistency
Available
Secure

Common Use Cases
Backup/Archive Unstructured Content Big Data
• Backup / Archive data cost • Store a variety of content e.g. • Store and analyze petabytes of
effectively using RMAN, Object images, logs, video, etc. Content data with Hadoop and Spark,
Storage Tooling or other third can be directly served from the leveraging HDFS connector
party backup solutions Object Storage

Object Storage – Access Interfaces
Multiple Access Interfaces API choices

– API – OCI Native API
– SDK (Java, Python) – Amazon S3 Compatibility API
– CLI
– HDFS Plug-in
– NFS Gateway
– Terraform

Object Storage Resources
• Object
• All data, regardless of content type, is managed as objects. Buckets
• Each Object is composed of object itself and metadata of the object
• Bucket
• A logical container for storing objects Object
• Each object is stored in a bucket Data Metadata Object Object
Object Object
• Namespace Object
Object
• Each tenant is associated in one default namespace that spans all compartments
• Buckets names within a namespace are unique
• Buckets and objects exist in flat hierarchy,
– Compartment
• Buckets can only exist in a one compartment

Available Object Storage Features
Feature Description
Upload object in part, each part can be 10 MiB - 50 GiB in size

Multipart Upload Pause and resume upload
Server side Temporary URLs, used to share data
Pre-Authenticated Requests (PAR) Defined on Objects and/or Buckets
Support for listing and deleting previously generated PARs
Large Object Support Support for large 10 TiB objects
Audit Service support Audit support for bucket operations

Anonymous public access to data stored on object storage
Public Buckets Read and/or List privileges supported
Custom Object/Bucket metadata Define custom metadata (~2kb) per Object or Bucket
Tagging Tag bucket resources for chargeback or resource management
Move buckets between compartments
Compartment Management Designate default compartments for use with Amazon S3 API
Bucket ACLs Define IAM policy at the granularity of a bucket in a given compartment

Object Storage Tiers
– Standard Storage Tier (Hot)
• Fast, immediate, and frequent access
• Object Storage Service always serves the most recent copy of the data
when retrieved
• Data retrieval is instantaneous
• Standard buckets can’t be downgraded to archive storage
– Archive Storage Tier (Cold)
• Seldom or rarely accessed data but must be retained and preserved for
long periods of time
• Minimum retention requirement for Archive Storage is 90 days
• Objects need to be restored before download
• Archive Bucket can’t be upgraded to Standard storage tier
• Time To First Byte (TTFB) after Archive Storage restore request is made: 4
Hours

Archive Storage
Storage for Infrequently accessed Durable and Available like Object Storage
cold data
Object Storage API for data management

90% Cheaper than Object Storage
Scalable | Store EB of data Support management interfaces API/SDK/UI/CLI
Archive Storage
– Archive Storage tier exposed as a property of the Bucket
– Data must be restored to Std Object Storage before it can be accessed
– Takes ~ 4 hours to restore data
– Data accessible for a chosen duration after it is restored (up to 240 Hrs)
Coming Soon
– Object Lifecycle policies
– Batch Job Restores
– SEC Rule 17a-4(f) certification
Object Storage: Amazon S3 Compatibility API
– Set of Object Storage APIs that let you build products and services that interoperate with other storage
services, such as Amazon S3
– Following highlights the differences between Object Storage API and S3 Compatibility API
• Compartments
– any buckets created using the Amazon S3 Compatibility API are created in the root compartment of the Oracle Cloud
Infrastructure tenancy.
• Global bucket namespace
– Object Storage doesn't use a global bucket namespace.
– Bucket names must be unique within the context of a namespace, but bucket names can be repeated across namespaces.
• Encryption
– Encrypted data at rest by default.
– Encryption can't be turned on or off using the API.
• Object Level Access Control Lists (ACLs)
– Oracle Cloud Infrastructure does not use ACLs for objects. Instead, IAM policies are used to manage access to compartments,
buckets, and objects.

Edge Services
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
affiliates.All
Allrights
rightsreserved.
The Edge Can Be 50% of Cloud Performance
Edge Cloud Infrastructure
30-50% 50-70%
Internet Time to Database
DNS Lookup First Byte Processing Storage I/O
Connections Transaction
User Access Time

Cloud-Hosted
Resource / Asset
Constant Disruptions Demand a New Kind of Performance Management…

Introduction to Oracle Cloud Infrastructure DNS
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Oracle OpenWorld 2017 Content
What Makes Oracle Cloud Infrastructure DNS Different?
…Our Data
Authoritative DNS query logs 6TB/day: 32B queries/day from 240 countries
Recursive DNS query logs 360GB/day: 1B queries/day from 246 countries
Traceroute data 220GB/day: 650 million IPv4 & IPv6 traces/day from nearly 300
Superior
geolocation
locations
accuracy Network prefix and ASN 10GB/day: 50+ data sources (5 RIRs, 22 IRRs, 2 commercial geo
registration data
sources, etc.)
BGP routing data 2GB/day: 250 million BGP updates/day from over 700 IPv4 & IPv6
peers
Geolocation data 2GB/day: Dyn’s GeoExtensions contains over 610M IP addresses
and can be used as a validated overlay to commercial sources
Comprehensive
internet
performance
data
270,000,000,000 data points daily
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal
ROOT
How Does DNS Work? “.”
https://dyn.com/blog/dns-why-its-important-how-it-works/
TLD
COM, NET,
AR, etc.
Users Domain
Recursives
Example.com? Authoritative
Example.com?
1.1.1.1 1.1.1.1
*Any name registered in authoritative DNS is a
Initiates and receives Zone Info
Performs iterative domain name
responses queries to find the * A DNS zone is the mappings between domain
names and IP addresses. Zones can be
resource organized by geography, service, or resources.
Market Performance
Internet Intelligence

Email Delivery
Enable applications that need to send email

Email Delivery: Typical Reference Architecture
•An approved sender is
configured to authorize mail
from specific “From:” addresses.
•SMTP credentials are generated
for SMTP Sending
•A customer application is used
to send email to the Email AS
Delivery SMTP endpoint. Email Delivery
Customer Approved
(SMTP
•Note: Outbound internet access Application Sender
Endpoint)
is necessary for the SMTP

endpoint currently. Roadmap for
local delivery coming soon. COMPARTMENT
REGION
TENANCY

Container Cloud – Docker,
Kubernetes, Werker
Copyright
Copyright©©2017,
2017,Oracle
Oracleand/or
affiliates.All
Allrights
rightsreserved.
Oracle Container Native Strategy
• Deliver a container native suite that is complete, integrated, open
– CI/CD, Orchestration/Scheduling, Management/Operations, Analytics/Introspection
– With a cloud neutral application development platform for microservices and serverless
• That is community driven, cloud neutral and open source
– Deep investment in open source communities and foundations (Kubernetes, Docker, Cloud
Native Cloud Foundation) via engineering resources, code contributions & sponsorship
• Differentiated on quality of service and operational excellence
– Full, transparent management
– Deployed to Oracle Cloud Infrastructure
– Enterprise grade security, HA and governance
In today’s market, there is no open cloud platform that solves
for the full container native application lifecycles
Oracle Container Native Application Development Platform
Integrated Suite of Container Native Capabilities
fn
Container Container Container Container Container
Pipelines Engine Microservices Functions Diagnostics
A market leading solution Fully managed container A collection of services, Open source, cloud Unparalleled real-time
for application lifecycle service based on frameworks and libraries neutral, community observability and
management with a Kubernetes running on for the modern cloud driven functions as a diagnostics for large scale
Docker centric product Oracle Cloud developer; based on Service for any language, distributed Java systems
view Infrastructure Bare Metal Cloud Native Compute best of class for Java
Foundation – Istio/Envoy
Build --- Deploy --- Operate

Tomorrow's Agenda – OCI Deep Dive 2 – See you at 9am
(Same Webex details)
1 Load Balancer as a Service
2 Oracle Database Choices
3 Enterprise Business Applications
4 Compliances
5 Oracle Ravello

02 - OCI Deep Dive Day 1 - v5.3

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

02 - OCI Deep Dive Day 1 - v5.3

Uploaded by

Copyright:

Available Formats

Oracle Cloud Infrastructure Deep Dive 1

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

1 Enterprise Grade Governance and Management

• Identity Access Management - Identity Federation

Region – PHX Region – IAD Region – LON Region – FRA

CompanyA Tenancy CompartmentA

Instance A Instance B Instance C Instance D

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Each participant uses their assigned

Network Subnet Availability Domain

Security Lists, Route Table, DRG, IGW, CPE, Region

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Models Compute Compute

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Availability Availability Availability

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 14

Availability Availability Availability

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 15

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Subnet: each VCN network is subdivided into

• You can have more than one subnet in an AD for a

VCN, 10.0.0.0/16 • Subnets can be designated as either Public or

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Dynamic Routing Gateway (DRG): A virtual

After creating the IGW or DRG, you must attach

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

• Security lists provide ingress and egress rules

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

• Similarly for sending traffic from the host

• Default Security Lists are stateful

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

• To allow the response traffic for a stateless ingress rule,

• If you add a stateless rule to a security list, that indicates

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

 Its VNIC is detached

Managing Public IP's

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Instance FQDN: <hostname>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

ORACLE CLOUD REGION

Backend Subnet App Subnet DMZ Subnet

Backend Subnet App Subnet

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 27

Multiple Availability Domains

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

• Following are the advanced features in VCN

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Explicit Agreement Required from Both Sides

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Same explicit agreement required as

Currently, supported between these

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

– attach a secondary VNIC

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

primary primary primary

VNIC1 VNIC1 VNIC3 additional IP address on the corresponding

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

FastConnect DNS VM 3 3. DNS query forwarded to VCN DNS resolver