This post is for those preparing for the Oracle Cloud Infrastructure 2018 Architect Associate exam. The content is collected from multiple Oracle websites and collated here for quick revision.
Exam Details Guide — https://learn.oracle.com/education/downloads/OracleCloudInfrastructurestudyguide.pdf
Passing Score: 65%
Number of Question: 66
An Oracle Cloud Infrastructure region is a localized geographic area composed of several availability domains, which in turn have several fault domains.
Regions are independent of other regions and can be separated by vast distances — across countries or even continents. You can deploy applications in different regions to mitigate the risk of region-wide events, such as large weather systems or earthquakes.
An availability domain is one or more data centers located within a region. Availability domains are isolated from each other, fault tolerant, and unlikely to fail simultaneously. Because availability domains don’t share physical infrastructure, such as power or cooling, or the internal availability domain network, a failure that impacts one availability domain is unlikely to impact others. Availability domains in a region are connected to each other by a low-latency, high-bandwidth network. This predictable, encrypted interconnection between availability domains provides the building blocks for both high availability (HA) and DR.
A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain contains three fault domains.
Home Region — The region where your IAM resources reside. All IAM resources are global and available across all regions, but the master set of definitions resides in a single region, the home region.
Tenancy — The root compartment that contains all of your organization’s Oracle Cloud Infrastructure resources. Oracle automatically creates your company’s tenancy for you. Directly within the tenancy are your IAM entities (users, groups, compartments, and some policies; you can also put policies into compartments inside the tenancy).
Compartment — A collection of related resources. Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating your cloud resources. At the time of this exam, a resource could not be moved to another compartment after it was created, and compartments could not be deleted (later OCI releases allow moving many resource types between compartments and deleting empty compartments).
Policy — A document that specifies who can access which resources, and how. Access is granted at the group level and compartment level, which means that you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy itself. If you give a group access to the tenancy, the group automatically gets the same type of access to all the compartments inside the tenancy.
Resource — A cloud object that your company’s employees create and use when interacting with Oracle Cloud Infrastructure.
User — An individual employee or system that needs to manage or use your company’s Oracle Cloud Infrastructure resources.
Group — A collection of users who all need the same type of access to a particular set of resources or compartment.
IAM Service Components
You manage the following types of credentials with Oracle Cloud Infrastructure IAM:
- Console password: For signing in to the Console, which is the user interface for interacting with Oracle Cloud Infrastructure.
- API signing key (in PEM format): For sending API requests, which require authentication.
- Swift password: For using a Swift client with Recovery Manager (RMAN) to back up an Oracle Database System (DB System) database to Object Storage
Oracle Cloud Infrastructure IAM supports federation with Oracle Identity Cloud Service and Microsoft Active Directory Federation Services (AD FS), using the Security Assertion Markup Language (SAML) 2.0 protocol.
Policy verbs, from least to most access: inspect, read, use, manage. Each verb includes the permissions of the verbs before it (for example, manage includes use, read and inspect), so a request is allowed when some statement grants the requested verb or a stronger one on a matching resource type in a matching compartment.
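The policy and verb rules above, as an added worked example that is not part of the original post: a small evaluator for basic "Allow group ... to <verb> <resource-type> in compartment <name> | in tenancy" statements. It shows the verb hierarchy (manage covers use, read and inspect), aggregate resource types covering their members, and a grant in the tenancy or a parent compartment applying to the compartments beneath it. The group and compartment names, the compartment tree and the resource-family membership table are constructed and partial; real policies have further forms (conditions, dynamic groups, any-user) that this evaluator rejects.

```python
"""Added example (not from the original post): evaluator for simple OCI IAM
policy statements. Assumptions: group/compartment names and the FAMILIES
table are illustrative; only the basic statement grammar is supported."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

VERBS = ["inspect", "read", "use", "manage"]  # least to most access

# Partial, illustrative membership of two aggregate resource types.
FAMILIES: Dict[str, Set[str]] = {
    "virtual-network-family": {"vcns", "subnets", "route-tables", "security-lists",
                               "internet-gateways", "network-security-groups"},
    "instance-family": {"instances", "instance-images", "volume-attachments",
                        "console-histories"},
}

STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:tenancy|compartment\s+(?P<compartment>\S+))$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None = granted in the tenancy (root compartment)


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; anything outside the basic grammar is rejected."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unsupported policy statement: {text!r}")
    comp = m["compartment"].lower() if m["compartment"] else None
    return Statement(m["group"].lower(), m["verb"].lower(), m["resource"].lower(), comp)


def verb_covers(granted: str, requested: str) -> bool:
    """manage includes use, which includes read, which includes inspect."""
    return VERBS.index(granted) >= VERBS.index(requested)


def resource_covers(granted: str, requested: str) -> bool:
    """all-resources covers everything; a family covers its member types."""
    return (granted == "all-resources" or granted == requested
            or requested in FAMILIES.get(granted, set()))


def compartment_covers(granted: Optional[str], requested: str,
                       parents: Dict[str, Optional[str]]) -> bool:
    """A tenancy grant covers every compartment; a compartment grant covers
    that compartment and all of its sub-compartments."""
    if granted is None:
        return True
    node: Optional[str] = requested
    while node is not None:
        if node == granted:
            return True
        node = parents.get(node)
    return False


def is_allowed(policies: List[Statement], group: str, verb: str, resource: str,
               compartment: str, parents: Dict[str, Optional[str]]) -> bool:
    """Deny by default: at least one statement must cover group, verb,
    resource type and compartment together."""
    return any(
        s.group == group.lower()
        and verb_covers(s.verb, verb.lower())
        and resource_covers(s.resource, resource.lower())
        and compartment_covers(s.compartment, compartment.lower(), parents)
        for s in policies
    )


# Constructed sample tenancy: compartments Networking and Dev at the root,
# Sandbox nested inside Dev.
SAMPLE_PARENTS: Dict[str, Optional[str]] = {"networking": None, "dev": None, "sandbox": "dev"}
SAMPLE_POLICIES = [parse_statement(s) for s in (
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Networking",
    "Allow group Developers to use instance-family in compartment Dev",
    "Allow group Auditors to inspect all-resources in tenancy",
)]


def check(group: str, verb: str, resource: str, compartment: str) -> bool:
    """Evaluate a request against the constructed sample policies."""
    return is_allowed(SAMPLE_POLICIES, group, verb, resource, compartment, SAMPLE_PARENTS)


if __name__ == "__main__":
    for req in [("NetworkAdmins", "read", "subnets", "Networking"),
                ("Developers", "manage", "instances", "Dev"),
                ("Developers", "use", "instances", "Sandbox"),
                ("Auditors", "inspect", "instances", "Dev")]:
        print(req, "->", "allowed" if check(*req) else "denied")
```

Note the deny-by-default behaviour: Developers with use on instance-family cannot manage instances, and Auditors with inspect in the tenancy can list but not read instance details anywhere.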
- Oracle Cloud Infrastructure Compute lets you provision and manage compute hosts, known as instances
- Oracle uses Ksplice to apply important security and other critical kernel updates to the hypervisor hosts without a reboot.
- The Compute service enables you to share custom images across tenancies and regions by using the image import/export feature.
- You can use the Console or API to import exported images from Object Storage.
- Image sources for launching an instance -
Platform Images: Pre-built images for Oracle Cloud Infrastructure. See Oracle-Provided Images for a list of these images.
Oracle Images: Pre-built Oracle enterprise images and solutions enabled for Oracle Cloud Infrastructure.
Partner Images: Trusted third-party images published by Oracle partners.
Custom Images: Custom images created or imported into your Oracle Cloud Infrastructure environment. See Managing Custom Images for more information.
Boot Volumes: Boot volumes available for creating a new instance in your Oracle Cloud Infrastructure environment. See Boot Volumes for more information.
Image OCID: Create an instance using a specific version of an image by providing the image OCID. See Oracle-Provided Image Release Notes to determine the image OCID for Oracle-provided images.
- The Database service offers autonomous and user-managed (bare metal, virtual machine, and Exadata DB system) Oracle Database cloud solutions.
- Oracle Cloud Infrastructure supports a licensing model with two license types. With License Included, the cost of the cloud service includes a license for the Database service. With Bring Your Own License (BYOL), you apply your existing Oracle Database licenses to the cloud service and pay a lower service rate.
- Oracle Database Cloud Service also provides manageability features like database service patching, configuring high availability using Oracle Data Guard and backup/restore which simplifies day-to-day tasks required to run your Oracle databases.
- You can use the dbaascli utility to perform a variety of life-cycle and administration operations on Oracle Database Cloud Service database deployments:
- Change the password of a database user.
- Start and stop a database.
- Start and stop the Oracle Net listener.
- Check the status of the Oracle Data Guard configuration.
- Perform switchover and failover in an Oracle Data Guard configuration.
- Patch the database deployment.
- Perform database recovery.
- Rotate the master encryption key.
Autonomous Database (Transaction Processing)
- Autonomous databases are preconfigured, fully-managed environments that are suitable for either transaction processing or for data warehouse workloads.
- You have full access to the features and operations available with the database, but Oracle owns and manages the infrastructure.
- You can scale the number of CPU cores or the storage capacity of the database at any time without impacting availability or performance.
- Autonomous Database handles creating the database, as well as the following maintenance tasks:
Backing up the database
Patching the database
Upgrading the database
Tuning the database
- Two deployment options: dedicated infrastructure and serverless.
Autonomous Data warehouse
- Autonomous Data Warehouse provides an easy-to-use, fully autonomous data warehouse that scales elastically, delivers fast query performance and requires no database administration.
- As a service Autonomous Data Warehouse does not require database administration. With Autonomous Data Warehouse you do not need to configure or manage any hardware, or install any software. Autonomous Data Warehouse handles creating the data warehouse, backing up the database, patching and upgrading the database, and growing or shrinking the database.
- When you get started with Autonomous Data Warehouse, simply specify the number of OCPUs and the storage capacity in TB’s for the data warehouse. At any time, you can scale, increase or decrease, either the OCPUs or the storage capacity.
Autonomous Data Warehouse exposes three predefined database service names: HIGH, MEDIUM and LOW. The predefined service names provide different levels of performance and concurrency.
The basic characteristics of these consumer groups are:
- HIGH: Highest resources, lowest concurrency. Queries run in parallel.
- MEDIUM: Less resources, higher concurrency. Queries run in parallel.
- LOW: Least resources, highest concurrency. Queries run serially.
For example, for an Autonomous Data Warehouse with 16 OCPUs: the HIGH consumer group can run 3 concurrent SQL statements when the MEDIUM group is running none; the MEDIUM group can run 20 concurrent statements when the HIGH group is running none; the LOW group can run 1600 concurrent statements; and the HIGH group can always run at least 1 statement even while MEDIUM is running statements. (In the documentation of the time these limits were 3, 1.25 × OCPUs and 100 × OCPUs respectively.) When a consumer group reaches its concurrency limit, new SQL statements in that group are queued until one or more running statements finish.
Bare Metal and VM DB
- Oracle Cloud Infrastructure offers 1-node DB systems on either bare metal or virtual machines, and 2-node RAC DB systems on virtual machines.
- You can manage these systems by using the Console, the API, the Oracle Cloud Infrastructure CLI, the Database CLI (DBCLI), Enterprise Manager, Enterprise Manager Express, or SQL Developer.
- Bare metal DB systems consist of a single bare metal server running Oracle Linux 6.8, with locally attached NVMe storage. If the node fails, you can launch another system and restore the databases from current backups.
- A virtual machine DB system database uses Oracle Cloud Infrastructure block storage instead of local storage.
- The number of CPU cores on an existing virtual machine DB system cannot be changed.
- You cannot create multiple DB Homes in a VM database. Each VM database instance can only launch one database per instance.
- Oracle Database on bare metal lets you scale the number of CPU cores up or down based on demand, to save costs and meet mission-critical application needs. Oracle Database on virtual machines lets you scale storage from 256 GB to 40 TB, with no downtime when scaling up storage.
- To configure a Data Guard system across regions or between on-premises and Oracle Cloud Infrastructure DB systems, you must access the database host directly and use the DGMGRL utility.
- A Data Guard implementation requires two DB systems, one containing the primary database and one containing the standby database. When you enable Data Guard for a virtual machine DB system database, a new DB system with the standby database is created and associated with the primary database. For a bare metal DB system, the DB system with the database to be used as the standby must already exist before you enable Data Guard.
- To set up Data Guard through the Database service, both the primary and standby DB systems must be in the same VCN, and port 1521 must be open between the two DB systems. The DB systems can be in different subnets.
- Data Guard across regions is possible, but the Database service's managed Data Guard feature did not support it at the time; a cross-region configuration has to be set up manually on the database host with DGMGRL.
Block Volume -
The Oracle Cloud Infrastructure Block Volume service lets you dynamically provision and manage block storage volumes
- You can also disconnect a volume and attach it to another instance without the loss of data.
- There are two types of volume attachments: iSCSI or Paravirtualized
- There are two types of volumes: boot and block
- Volumes are only accessible to instances in the same availability domain. However volume backups are not limited to the availability domain of the source volume, you can restore them to any availability domain within that region.
- The Oracle Cloud Infrastructure Block Volume service always encrypts all block volumes, boot volumes, and volume backups at rest by using the Advanced Encryption Standard (AES) algorithm with 256-bit encryption.
- There is a limit on the number of volumes per instance: 32.
- When you launch a virtual machine (VM) or bare metal instance based on an Oracle-provided image or custom image, a new boot volume for the instance is created in the same compartment. That boot volume is associated with that instance until you terminate the instance. When you terminate the instance, you can preserve the boot volume and its data.
- You can create a clone from a volume using the Block Volume service. Cloning enables you to make a copy of an existing block volume without needing to go through the backup and restore process.
- A clone is a copy of the source volume; it is the same size as the source unless you specify a larger volume size when you create the clone.
- You can perform manual backups or implement automated policy-driven backups.
- For durability of data, multiple copies of data are stored redundantly across multiple storage servers within an availability domain. To protect against the failure or unavailability of an availability domain, Oracle recommends making regular backups to a remote region.
File Storage -
- File systems are mounted over NFS from instances in the VCN; you can also access a file system from outside the VCN using Oracle Cloud Infrastructure FastConnect and Internet Protocol security (IPSec) VPN.
- The File Storage service supports the Network File System version 3.0 (NFSv3) protocol.
Oracle Cloud Infrastructure provides locally attached NVMe devices in some specific compute shapes. These devices provide extremely low-latency, high-performance block storage that is ideal for big data, OLTP, and any other workload that can benefit from high-performance block storage.
Object Storage -
- Oracle Cloud Infrastructure offers two distinct storage class tiers: Archive Storage (rare access) and Object Storage (fast, immediate, and frequent access).
- Each Oracle Cloud Infrastructure tenant is assigned an Object Storage namespace that spans all compartments within a region. The namespace is a unique and uneditable system-generated string assigned during account creation and applies to all regions.
- Any type of data, regardless of content type, is stored as an object.
- You don’t need to back up data that is stored in Object Storage. Object Storage is an inherently highly durable storage platform. All objects are stored redundantly on multiple storage servers within a region.
- Object Storage is a regional service.
- Object Storage also supports private access from Oracle Cloud Infrastructure resources in a VCN through a service gateway.
- You can optionally use IAM policies to control which VCNs or ranges of IP addresses can access Object Storage.
- The Oracle Cloud Infrastructure Object Storage service supports multipart uploading and downloading for objects. See Using Multipart Uploads for more information
Object Storage for data to which you need fast, immediate, and frequent access. Data accessibility and performance justifies a higher price point to store data in the Object Storage tier.
Archive Storage for data to which you seldom or rarely access, but that must be retained and preserved for long periods of time.
- Unlike Object Storage, Archive Storage data retrieval is not instantaneous.
- Buckets are logical containers for storing objects. A bucket is associated with a single compartment, and you choose its storage tier (Archive Storage or standard Object Storage) when you create it; the tier cannot be changed afterwards.
- An existing Object Storage bucket cannot be downgraded to an Archive Storage bucket, and an Archive Storage bucket cannot be upgraded to an Object Storage bucket.
- When you upload an object to an Archive Storage bucket, the object is immediately archived. You must restore the object before you can download it, and the restore is not instantaneous: the Archive Storage Time To First Byte (TTFB) applies.
Storage Gateway is a cloud storage gateway that lets you connect your on-premises applications with Oracle’s cloud. You can use Storage Gateway to move files to Oracle Cloud Infrastructure Archive Storage as a cost-effective backup solution.
VIRTUAL CLOUD NETWORK (VCN)
- A virtual, private network that you set up in Oracle data centers.
- A VCN resides in a single Oracle Cloud Infrastructure region and covers a single, contiguous IPv4 CIDR block of your choice. The allowed VCN size is /16 to /30.
- You can't change the CIDR once the VCN is created. Use RFC 1918 private address ranges.
- The VCN’s CIDR must not overlap with your on-premises network or another VCN you peer with. The subnets in a given VCN must not overlap with each other.
- IPv6 addressing is currently supported only in the Government Cloud.
- VCN peering is the process of connecting multiple virtual cloud networks (VCNs).
- VCN Comes with following default components -
- Default route table, with no route rules
- Default security list, with default security rules
- Default set of DHCP options, with default values
- You can designate a subnet to exist either in a single availability domain or across an entire region.
- All VNICs in a given subnet use the same route table, security lists, and DHCP options.
- You can designate a subnet as either public or private when you create it. Private means VNICs in the subnet can’t have public IP addresses. Public means VNICs in the subnet can have public IP addresses at your discretion.
- Oracle recommends using regional subnets because they’re more flexible
- Each subnet always has these components
- One route table
- One or more security lists (for the maximum number, see Service Limits)
- One set of DHCP options
- Each instance has a primary VNIC that’s created during instance launch and cannot be removed.
- You can add secondary VNICs to an existing instance (in the same availability domain as the primary VNIC), and remove them as you like.
- Each secondary VNIC can be in a subnet in the same VCN as the primary VNIC, or in a different subnet that is either in the same VCN or a different one.
- The primary private IP address on an instance doesn’t change during the instance’s lifetime and cannot be removed from the instance.
- You can optionally assign a public IP to your instances or other resources that have a private IP.
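The CIDR rules above (VCN size /16 to /30, RFC 1918 ranges, no overlap with on-premises networks or peered VCNs, subnets that do not overlap each other), as an added worked example that is not part of the original post. It uses Python's ipaddress module to check a proposed VCN CIDR and subnet plan before anything is created, since the VCN CIDR cannot be changed afterwards. The three reserved addresses per subnet (network address, VCN router address, broadcast address) are OCI behaviour; the sample CIDRs are constructed.

```python
"""Added example (not from the original post): CIDR planning checks for a VCN
and its subnets. Sample CIDRs are constructed for illustration."""
import ipaddress
from typing import Dict, Iterable, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX, MAX_PREFIX = 16, 30   # allowed VCN (and subnet) sizes: /16 to /30
RESERVED_PER_SUBNET = 3           # OCI reserves the first two and the last address of a subnet


def validate_vcn_cidr(cidr: str, on_prem: Iterable[str] = (),
                      peers: Iterable[str] = ()) -> List[str]:
    """Return the problems with a proposed VCN CIDR (empty list = acceptable)."""
    try:
        net = ipaddress.ip_network(cidr)   # strict by default: host bits must be zero
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]
    if net.version != 4:
        return ["VCN CIDR must be IPv4"]
    problems: List[str] = []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"prefix /{net.prefixlen} is outside the allowed range "
                        f"/{MIN_PREFIX} to /{MAX_PREFIX}")
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append("CIDR is not in an RFC 1918 private range")
    # The VCN must not overlap the on-premises network (IPSec VPN / FastConnect)
    # or any VCN it will be peered with.
    for label, others in (("on-premises network", on_prem), ("peered VCN", peers)):
        for other in others:
            if net.overlaps(ipaddress.ip_network(other)):
                problems.append(f"overlaps {label} {other}")
    return problems


def plan_subnets(vcn_cidr: str, subnet_cidrs: Iterable[str]) -> Dict[str, int]:
    """Check that every subnet lies inside the VCN and that subnets do not
    overlap each other; return the usable host addresses per subnet."""
    vcn = ipaddress.ip_network(vcn_cidr)
    accepted: List[ipaddress.IPv4Network] = []
    usable: Dict[str, int] = {}
    for cidr in subnet_cidrs:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vcn):
            raise ValueError(f"subnet {cidr} is not inside VCN {vcn_cidr}")
        if net.prefixlen > MAX_PREFIX:
            raise ValueError(f"subnet {cidr} is smaller than /{MAX_PREFIX}")
        for earlier in accepted:
            if net.overlaps(earlier):
                raise ValueError(f"subnet {cidr} overlaps subnet {earlier}")
        accepted.append(net)
        usable[cidr] = net.num_addresses - RESERVED_PER_SUBNET
    return usable


if __name__ == "__main__":
    print(validate_vcn_cidr("10.0.0.0/16", on_prem=["10.0.128.0/17"]))
    print(plan_subnets("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/25"]))
```

A /24 subnet therefore yields 253 usable addresses, not 254, and a /30 (the smallest allowed) yields a single usable address.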
DYNAMIC ROUTING GATEWAY (DRG)
- A DRG is a virtual router that provides a path for private traffic between your VCN and networks outside the VCN.
- You use a DRG when connecting your existing on-premises network to your virtual cloud network (VCN) with IPSec VPN or Oracle Cloud Infrastructure FastConnect
- It can also provide a path for private network traffic between your VCN and another VCN in a different region. Remote VCN Peering (Across Regions)
- When you create a DRG, you must specify the compartment it belongs to.
- A VCN can be attached to only one DRG at a time, and a DRG can be attached to only one VCN at a time.
- After attaching a DRG, you must update the routing in the VCN to use the DRG
- Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between your on-premises data center and Oracle’s cloud infrastructure. FastConnect provides higher-bandwidth options and a more reliable and consistent networking experience compared to internet-based connections.
- A virtual circuit is a layer-2 or layer-3 Ethernet VLAN that isolates network traffic between customers. It is an isolated network path that runs over one or more physical network connections to provide a single, logical connection between the router on the edge of your network and the Oracle router.
- FastConnect Locations — A specific data center where you can connect to Oracle Cloud Infrastructure by using FastConnect.
- FastConnect Public peering enables you to access public services in the Oracle Cloud without traffic traversing the internet path. Using FastConnect Public peering, you can connect to public services like Oracle Object Storage, public load balancers in your VCN, public IPs on compute, or supported SaaS services.
- FastConnect Private peering enables you to extend your on-premises private (RFC1918) networks to the Oracle Cloud. You can connect to Oracle Cloud resources like Compute “IPNetworks” or Private Subnet resources in VCNs from your on-premises private (RFC1918) networks without the need to use IPSec VPN or Network Address Translation (NAT).
FastConnect with Colocation
LOCAL PEERING GATEWAY (LPG)
- It lets you peer one VCN with another VCN in the same region.
- Peering means the VCNs communicate using private IP addresses, without the traffic traversing the internet or routing through your on-premises network.
- Requirements: two VCNs with non-overlapping CIDRs in the same region, an LPG in each VCN, and route rules and security rules in each VCN for traffic to the other VCN's CIDR.
REMOTE PEERING CONNECTION (RPC)
- Remote VCN peering is the process of connecting two VCNs in different regions (but the same tenancy)
- Requires a dynamic routing gateway (DRG) attached to each VCN and a remote peering connection (RPC) on each DRG.
INTERNET GATEWAY (IG)
- Virtual router that you can add to your VCN for direct internet access.
- There can be only one internet gateway per VCN.
- For an instance to be reachable from the internet: the subnet must be public; the subnet's route table must have a rule that directs traffic to the internet gateway; the subnet's security lists (or the VNIC's NSGs) must allow the traffic, and each instance's own OS firewall must allow it too; and the instance must have a public IP address.
NETWORK ADDRESS TRANSLATION (NAT) GATEWAY
- Virtual router that you can add to your VCN to give instances without public IP addresses outbound access to the internet; connections initiated from the internet are not allowed in.
- There’s a limit on the number of NAT gateways per VCN
SERVICE GATEWAY
- Provides a path for private network traffic between your VCN and Oracle services such as Object Storage and Autonomous Database, without the traffic traversing the internet.
- For example, DB Systems in a private subnet in your VCN can back up data to Object Storage without needing public IP addresses or access to the internet.
- The service gateway is regional and enables access only to supported Oracle services in the same region as the VCN.
- Resources in your on-premises network that is connected to the service gateway’s VCN with FastConnect or VPN Connect can also use the service gateway.
- A network performance tool, available in the Console, helps you measure and analyze network performance.
- A second tool, OCI IP Troubleshooting, helps troubleshoot issues with public-facing IP addresses.
ROUTE TABLES
- Your VCN comes with an empty default route table, and you can add custom route tables of your own.
- They have rules to route traffic from subnets to destinations outside the VCN by way of gateways or specially configured instances.
The Networking service offers two virtual firewall features to control traffic at the packet level. Both use security rules:
Security lists
- Security lists act as virtual firewalls at the subnet level.
- A security list consists of a set of ingress and egress security rules.
- A subnet can be associated with a maximum of five security lists. Any VNICs created in that subnet are subject to the security lists associated with the subnet.
- The rules specify the types of traffic (protocol and port) allowed in and out of the instances; rules can be stateful or stateless.
Network security groups (NSGs)
- To implement security rules, you can use network security groups or security lists, or both; when a VNIC is in an NSG and its subnet has security lists, the union of all the rules applies.
- Compared to security lists, NSGs let you separate your VCN's subnet architecture from your application security requirements.
- Unlike security lists, the VCN does not have a default NSG.
- A VNIC can be added to a maximum of five NSGs.
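The internet gateway requirements and the security list / NSG rules above, as an added worked example that is not part of the original post: a reachability checker that reports which of the conditions (public subnet, public IP, route rule to the internet gateway, a matching ingress rule in any security list or NSG) a request from the internet would fail. The data model, the route targets as strings and the sample addresses are constructed for illustration; the guest OS firewall, which the notes also mention, is outside the model, and ICMP type/code matching is left out.

```python
"""Added example (not from the original post): reachability checker for an
instance behind an internet gateway. Data model and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IngressRule:
    protocol: str                            # "all", "tcp", "udp" or "icmp"
    source: str                              # CIDR the packet must come from
    ports: Optional[Tuple[int, int]] = None  # inclusive destination port range; None = all
    stateless: bool = False                  # stateful rules also admit the reply traffic

    def matches(self, src_ip: str, protocol: str, port: Optional[int]) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if self.ports is None or port is None:
            return True
        low, high = self.ports
        return low <= port <= high


@dataclass(frozen=True)
class RouteRule:
    destination: str   # CIDR
    target: str        # "internet_gateway", "nat_gateway", "service_gateway", "drg", ...


@dataclass
class Subnet:
    cidr: str
    public: bool                              # False = "prohibit public IP addresses"
    route_rules: List[RouteRule]
    security_lists: List[List[IngressRule]]   # at most five lists per subnet


@dataclass
class Instance:
    private_ip: str
    public_ip: Optional[str]
    nsgs: List[List[IngressRule]] = field(default_factory=list)  # at most five NSGs per VNIC


def default_security_list_ingress() -> List[IngressRule]:
    """TCP part of the ingress rules in a new VCN's default security list:
    SSH from anywhere. The real default list also allows ICMP type 3 code 4
    from 0.0.0.0/0 and ICMP type 3 from the VCN CIDR (not modelled here)."""
    return [IngressRule("tcp", "0.0.0.0/0", (22, 22))]


def why_unreachable(inst: Instance, subnet: Subnet, src_ip: str,
                    port: int, protocol: str = "tcp") -> List[str]:
    """Reasons a client at src_ip cannot reach the instance on protocol/port
    via the internet gateway; an empty list means the networking layer allows it."""
    reasons: List[str] = []
    if not subnet.public:
        reasons.append("subnet is private, so its VNICs cannot have public IPs")
    if inst.public_ip is None:
        reasons.append("instance has no public IP address")
    src = ipaddress.ip_address(src_ip)
    if not any(r.target == "internet_gateway"
               and src in ipaddress.ip_network(r.destination)
               for r in subnet.route_rules):
        reasons.append(f"route table has no rule sending traffic for {src_ip} "
                       "to the internet gateway")
    # Security lists on the subnet and NSGs on the VNIC are unioned: any one
    # matching ingress rule admits the packet.
    rule_sets = subnet.security_lists + inst.nsgs
    if not any(rule.matches(src_ip, protocol, port)
               for rules in rule_sets for rule in rules):
        reasons.append(f"no security list or NSG ingress rule allows "
                       f"{protocol}/{port} from {src_ip}")
    return reasons


if __name__ == "__main__":
    # Constructed scenario: a web server in a public subnet that still has only
    # the default security list, probed from a client on the internet.
    subnet = Subnet("10.0.0.0/24", True,
                    [RouteRule("0.0.0.0/0", "internet_gateway")],
                    [default_security_list_ingress()])
    web = Instance("10.0.0.5", "203.0.113.10")
    print("tcp/22:", why_unreachable(web, subnet, "198.51.100.7", 22) or "reachable")
    print("tcp/443:", why_unreachable(web, subnet, "198.51.100.7", 443) or "reachable")
```

The default security list leaves SSH open to the world, which is exactly what this check makes visible: tighten the source CIDR on port 22 and add the application ports you actually need, preferably in an NSG attached to the web tier's VNICs.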
DNS
- With the DNS service you can create zones, add records to zones, and let Oracle Cloud Infrastructure's edge network handle your domain's DNS queries.
- When customers configure a subnet within a VCN, they can choose Internet and VCN Resolver or Custom Resolver when configuring the DHCP options.
- The default is Internet and VCN Resolver. If customers want to use their on-premises DNS servers (typically Microsoft Active Directory) across the FastConnect or IPSec VPN, they can select Custom Resolver.
- If you set DNS Type = Custom Resolver, you can specify up to three DNS servers of your choice.
- Internet Resolver lets instances resolve hostnames that are publicly published on the internet. The instances do not need to have internet access. VCN Resolver lets instances resolve hostnames (which you can assign) of other instances in the same VCN.
- Common DNS Zone Record Types:
Data Transfer Service
- Oracle offers offline data transfer solutions that let you migrate data to Oracle Cloud Infrastructure.
- In the Data Transfer documentation, "Object Storage" generically means a bucket in either the Object Storage tier or the Archive Storage tier.
- The Data Transfer Service itself is free: you procure the hard drives you ship your data on and pay the shipping costs to and from the Oracle data transfer site.
DISK-BASED DATA TRANSFER — You send your data as files on encrypted commodity disk to an Oracle transfer site. Operators at the Oracle transfer site upload the files into your designated Object Storage bucket in your tenancy.
APPLIANCE-BASED DATA TRANSFER — You send your data as files on secure, high-capacity, Oracle-supplied storage appliances to an Oracle transfer site. Operators at the Oracle transfer site upload the data into your designated Object Storage bucket in your tenancy.
Load Balancing -
- The Load Balancing service ensures high availability by providing one primary and one standby load balancer.
- The Load Balancing service lets you create a public or private load balancer within your VCN. A public load balancer has a public IP address that is accessible from the internet. A private load balancer has an IP address from the hosting subnet, which is visible only within your VCN.
- Your load balancer has a backend set to route incoming traffic to your Compute instances. The backend set is a logical entity that includes:
A list of backend servers.
A load balancing policy.
A health check policy. (TCP-level or HTTP-level health checks)
Optional SSL handling.
Optional session persistence configuration.
- BACKEND SET, A logical entity defined by a list of backend servers, a load balancing policy, and a health check policy.
- LISTENER, A logical entity that checks for incoming traffic on the load balancer’s IP address.
- LOAD BALANCING POLICY: Round Robin, Least Connections, IP Hash
Creating a public or private LB in OCI is almost the same except for the subnet choice. A public load balancer is regional in scope and requires two subnets, each in a separate availability domain. A private load balancer requires only one subnet, which hosts both the primary and standby load balancers, so a private load balancer is bounded to one availability domain. (For high availability of private load balancers across availability domains, create one per availability domain and publish both behind a round-robin DNS record.)
Creating a public LB in the Console (the screenshots in the original post are not reproduced here).
Note: It is optional to define a backend set while creating the LB. You can add backend sets later.
The post also covered converting this LB's backend set to active/passive mode for failover scenarios.
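The backend set, health check and load balancing policies described above, as an added worked example that is not part of the original post: a simulation of how a backend set picks a backend under the Round Robin, Least Connections and IP Hash policies, honouring health-check results and a "backup" flag on a backend server (a backup server receives traffic only when every non-backup server is unhealthy, which is what an active/passive backend set amounts to). Health status is a plain field instead of a real TCP/HTTP probe, weights are handled by a simple repeat-by-weight expansion, the policy names and addresses are constructed, and the internals of Oracle's load balancer are not replicated.

```python
"""Added example (not from the original post): backend selection simulation
for a load balancer backend set. Health status is simulated, addresses and
policy names are constructed."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Backend:
    ip: str
    port: int = 80
    weight: int = 1        # round robin sends proportionally more traffic to higher weights
    backup: bool = False   # used only when every non-backup backend is unhealthy
    healthy: bool = True   # outcome of the last health check (simulated here)
    active: int = 0        # open connections, for the least-connections policy


class BackendSet:
    POLICIES = ("ROUND_ROBIN", "LEAST_CONNECTIONS", "IP_HASH")

    def __init__(self, backends: List[Backend], policy: str = "ROUND_ROBIN"):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.backends = backends
        self.policy = policy
        self._rr_index = 0

    def candidates(self) -> List[Backend]:
        """Healthy non-backup backends, falling back to healthy backup backends."""
        primaries = [b for b in self.backends if b.healthy and not b.backup]
        if primaries:
            return primaries
        return [b for b in self.backends if b.healthy and b.backup]

    def choose(self, src_ip: str) -> Optional[Backend]:
        """Pick a backend for a new connection, or None if nothing is healthy."""
        pool = self.candidates()
        if not pool:
            return None
        if self.policy == "ROUND_ROBIN":
            weighted = [b for b in pool for _ in range(max(1, b.weight))]
            chosen = weighted[self._rr_index % len(weighted)]
            self._rr_index += 1
        elif self.policy == "LEAST_CONNECTIONS":
            chosen = min(pool, key=lambda b: b.active)
        else:  # IP_HASH: stable hash of the client IP, so a client keeps its backend.
            # hashlib rather than hash(): Python salts str hashes per process.
            digest = hashlib.sha256(src_ip.encode()).digest()
            chosen = pool[int.from_bytes(digest[:8], "big") % len(pool)]
        chosen.active += 1
        return chosen

    @staticmethod
    def release(backend: Backend) -> None:
        """Connection closed; only the least-connections policy cares."""
        backend.active -= 1


if __name__ == "__main__":
    # Constructed active/passive backend set: two active servers, one backup.
    web1, web2 = Backend("10.0.1.10"), Backend("10.0.1.11")
    standby = Backend("10.0.1.12", backup=True)
    bs = BackendSet([web1, web2, standby])
    print([bs.choose("198.51.100.1").ip for _ in range(4)])
    web1.healthy = web2.healthy = False      # both active servers fail their health check
    print(bs.choose("198.51.100.1").ip)      # traffic now goes to the backup server
```

Note that IP-hash stickiness only holds while the healthy pool is unchanged: when a backend fails its health check the modulus changes and most clients are re-mapped, which is why session persistence via cookies is the more robust option for stateful applications.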
High Availability Design
An Oracle Cloud Infrastructure region is a localized geographic area composed of one or more availability domains, each composed of three fault domains.
An availability domain is one or more data centers located within a region.
A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain contains three fault domains. Fault domains let you distribute your instances so that they are not on the same physical hardware within a single availability domain.
An HA design should consider redundancy, backups, monitoring and failover.
You can use either synchronous or asynchronous replication to protect your data if your Compute instance fails. If your application needs an instant failover and can’t tolerate data loss, we recommend synchronous replication. Because of its network performance requirements, synchronous replication is typically used within one region. For applications that need the protection of data availability across regions, we recommend asynchronous replication.
Terraform is used to create, manage, and manipulate infrastructure resources. Almost any infrastructure noun can be represented as a resource in Terraform.
A provider is responsible for understanding API interactions with the underlying infrastructure like a cloud (AWS, GCP, Azure), a PaaS service (Heroku), a SaaS service (DNSimple, CloudFlare), or on-prem resources (vSphere). It then exposes these as resources users can code to.
NVMe (non-volatile memory express) is a host controller interface and storage protocol created to accelerate the transfer of data between enterprise and client systems and solid-state drives (SSDs) over a computer’s high-speed Peripheral Component Interconnect Express (PCIe) bus.
Cloud@Customer is a subscription-based service where both the hardware and the cloud software run on the customer's premises; this option is only available on OCI Classic (OCI-C). It leverages the public cloud's PaaS and IaaS capabilities.
Point-in-time recovery (PITR) in the context of computers involves systems whereby an administrator can restore or recover a set of data or a particular setting from a time in the past. Once PITR logging starts for a PITR-capable database, a DBA can restore that database from backups to the state that it had at any time since.
Border Gateway Protocol (BGP) is the postal service of the Internet. When someone drops a letter into a mailbox, the postal service processes that piece of mail and chooses a fast, efficient route to deliver that letter to its recipient. Similarly, when someone submits data across the Internet, BGP is responsible for looking at all of the available paths that data could travel and picking the best route, which usually means hopping between autonomous systems.
BGP is the protocol that makes the Internet work. It does this by enabling data routing on the Internet.
Part 2 of this Notebook.