Da On-Prem -> OCI Journey when UR on a Budget -- aka Cheep Like Me - Part 2 Cloud Stuff

Part II – Da OCI side


Hey, this side is pretty standard and you can just follow the doc: https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/overviewIPsec.htm if you want to. Below is a re-hash of that with my chimp spin on it.

So, first of all, what ya need:

1> your public IP address from your ISP (if you read the Intro blog, I talked about it, so go get it).

2> what IP CIDR you want for your overall VCN. This is usually a /16. In the example below you can see what I did.

3> what subnet CIDR you will use inside that VCN for the servers you will build later (it has to fall inside the VCN CIDR, ya monkey; the tunnel itself is a separate thing you set up in the next parts).

4> the CIDR of the on-prem network behind the tunnel (in this setup, the VirtualBox internal network on yer PC). It shows up again in the route table and the security list, and it must NOT overlap the VCN CIDR or nothing will route.


So, here are a few screen shots.


I. Set up ur VCN (Virtual Cloud Network): from the Home Screen: Networking → Virtual Cloud Networks. On that screen set the compartment to the one you have created, then hit Create VCN. Da screen shot.


 

So there you go. You will want to compare these settings with the actual 'Create' dialogs you use to create the VCN and its subnet. The main points are consistency in subnet masks (the subnet CIDR has to sit inside the VCN CIDR, with no host bits set) and NOT letting the WORLD in (what's the point of that?!), meaning no 0.0.0.0/0 source on anything but the ICMP rules later on.


II. Ok so now what? Set up the guts of the network ya just created.


A: Setup Dynamic Routing Gateway and Attach it to the VCN

B: Create a Routing Table and Routing Rules for this Zoo

C: Create a Security List and any rules required (don't leave cage doors open)

D: Setup the subnet for the VCN (finally)

E: Setup the CPE (yer on-prem box)

F: Create the IPsec connection (da cloud endpoints)

A: Setup Dynamic Routing Gateway And Attach to the VCN


purty easy: just set the compartment, give it a name and click Create.


 

 

Ok, how to attach it: again easy. On the DRG you just made, pick Attach to Virtual Cloud Network and choose the VCN from step I.


Oh yeah, give the attachment a name.


B: Create a Routing Table and Routing Rules of this Zoo


Ok, here is where you set the route rules for the DRG you just attached. The destination CIDR you put in the rule is the INTERNAL CIDR of the VirtualBox network on the on-prem box (built in a later part), and the target is the DRG. That tells the VCN "anything headed for the on-prem network goes out through the DRG, i.e. down the tunnel", and it is what lets replies to traffic coming in from that subnet find their way back. A route rule directs traffic, it does not allow or block it; that is the security list's job in the next step. Yeah I know, kind of convoluted, but hey, this is pretty much the case for any cloud offering (ya seen one zoo ya seen 'em all). So here we go:

Yeah, it gets a little convoluted, but basically you are piping this private subnet through the public IP of the physical on-prem box. Don't worry, it will be clear as mud after we get to that part. One check worth doing now: the on-prem CIDR must not overlap the VCN CIDR, or the VCN will never hand that traffic to the DRG.


C: Create a Security List and any rules required ( don’t leave cage doors open).


Could use network security groups (NSGs) instead, but let's not. A security list is the set of ingress and egress rules applied to every VNIC in the subnet(s) that use it, and it is what actually decides whether a packet the DRG just delivered gets accepted. The rules are stateful by default, so a reply to an allowed connection is let through without a matching rule in the other direction. You register the on-prem subnet here as the source (ingress) and destination (egress).


Ingress:




Yeah, I have two. One is for traffic (TCP), the other for the ping test (ICMP).

Note that all source and destination ports are allowed on the TCP rule (it's a demo, man; you'll want to lock this down to the ports you actually serve before you give it to all the apes). With this 'ingress' set, TCP traffic is accepted only when it comes from the VirtualBox subnet on your on-prem machine, but you can ping away. The one thing you never do here is put 0.0.0.0/0 as the source on the TCP rule: that is the cage door this whole blog is about.


Egress:

Two here as well, same logic on TCP and ICMP (ping), just going OUT to a destination: the machines can ping any subnet they want, but TCP only goes to your on-prem VirtualBox network as noted here. Because the rules are stateful you don't strictly need the egress TCP rule for replies to inbound connections; you need it when a cloud box opens a connection toward on-prem.


 

D: Setup the subnet for the VCN (finally)

So now you are ready for the subnet. Its CIDR has to sit inside the VCN's CIDR (and not overlap any other subnet in the VCN, or the on-prem CIDR). As long as it fits, you are good. When you create it, pick the route table from B and the security list from C; those are what tie the subnet to the DRG. Make it a private subnet unless something in it genuinely needs a public IP.

So under Networking → Virtual Cloud Networks → (your VCN) → Virtual Cloud Network Details, you will see 'Create Subnet'. Clicking it brings up the screen you need to fill out:

(screenshot: Create Subnet dialog)
Ok, a lot of stuff in this part I know, but maybe a picture and a little monkey rant will help:


 

The picture illustrates the last few steps you have done: the VCN, the DRG, the route table, the security list and finally the subnet. So for an inbound flow example:

1. A box on the VirtualBox network wants something in da cloud. The packet leaves through yer machine's public IP, inside the IPsec tunnel.

2. It hits the DRG at the cloud end of the tunnel.

3. The DRG knows where to deliver it, and where to send the reply, from the routes it holds: the VirtualBox internal network CIDR you registered for the connection.

4. The security list on the subnet checks the direction (ingress), the protocol and port, and that the source is the legit subnet.

5. Yer in da cloud, where the servers are, to fulfill the request.

For outbound, basically the vice of the versa: the route table sends anything bound for the on-prem CIDR to the DRG, and the egress rules say whether it may go. That's why ya need all this stuff, so that

the apes at the other zoos don't get to see what yer doin' and can't get in either.
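Steps A through D in code, as an added example that is not from this post and not Oracle's code: a stdlib-only Python script that sanity-checks the CIDR plan (subnet inside the VCN, on-prem not overlapping, no host bits set) and builds the route rule and security list rules in the JSON shape the OCI REST API and the OCI CLI's --route-rules / --ingress-security-rules / --egress-security-rules flags accept. The CIDRs, the DRG OCID and the TCP ports 22 and 1521 are constructed placeholders; the ICMP rules are tightened a bit from the post (echo only from the on-prem CIDR, plus the type 3/code 4 "fragmentation needed" rule the default OCI security list ships with, so path MTU discovery survives the tunnel). It does not call the CLI itself.

```python
"""Plan checker and payload builder for the OCI VCN bits in steps A-D.

Added example, not from the blog post and not Oracle's code. The CIDRs,
the DRG OCID and the port list are constructed placeholders. The dicts
use the field names the OCI REST API (and the OCI CLI's --route-rules /
--ingress-security-rules / --egress-security-rules flags) accept; the
CLI call itself is not made here.
"""
import ipaddress
import json

# Constructed sample plan (hypothetical values).
VCN_CIDR = "10.0.0.0/16"          # step I: the VCN
SUBNET_CIDR = "10.0.1.0/24"       # step D: subnet inside the VCN
ONPREM_CIDR = "192.168.56.0/24"   # VirtualBox internal net behind the tunnel
DRG_OCID = "ocid1.drg.oc1..exampleuniqueID"  # placeholder: OCID from step A

PROTO_ICMP = "1"   # OCI wants IANA protocol numbers, as strings
PROTO_TCP = "6"
ANYWHERE = "0.0.0.0/0"


def check_plan(vcn_cidr, subnet_cidr, onprem_cidr):
    """Return a list of problems with the CIDR plan; [] means it is sane."""
    try:
        # ip_network() is strict by default: "10.0.1.5/24" (host bits set)
        # is rejected, which catches the mask inconsistency the post warns about.
        vcn = ipaddress.ip_network(vcn_cidr)
        subnet = ipaddress.ip_network(subnet_cidr)
        onprem = ipaddress.ip_network(onprem_cidr)
    except ValueError as err:
        return [f"bad CIDR: {err}"]
    problems = []
    if not subnet.subnet_of(vcn):
        problems.append(f"subnet {subnet} is not inside VCN {vcn}")
    if vcn.overlaps(onprem):
        problems.append(f"on-prem {onprem} overlaps VCN {vcn}; the DRG route is ambiguous")
    for name, net in (("VCN", vcn), ("on-prem", onprem)):
        if not net.is_private:
            problems.append(f"{name} {net} is not private address space")
    return problems


def route_rules(onprem_cidr, drg_ocid):
    """Step B: anything bound for the on-prem CIDR leaves via the DRG.
    Without this, tunnel traffic gets in but the replies have no route back."""
    return [{
        "destination": onprem_cidr,
        "destinationType": "CIDR_BLOCK",
        "networkEntityId": drg_ocid,
        "description": "on-prem (VirtualBox internal net) via DRG",
    }]


def security_rules(onprem_cidr, ports=(22, 1521)):
    """Step C. Ingress: TCP on the listed ports and ICMP echo, both only from
    on-prem, plus ICMP type 3/code 4 from anywhere so path-MTU discovery
    survives the tunnel. Egress: TCP to on-prem, ICMP anywhere.
    isStateless=False means replies to allowed connections need no extra rule."""
    ingress = [
        {"protocol": PROTO_TCP, "source": onprem_cidr, "sourceType": "CIDR_BLOCK",
         "isStateless": False, "description": f"tcp/{p} from on-prem",
         "tcpOptions": {"destinationPortRange": {"min": p, "max": p}}}
        for p in ports
    ]
    ingress += [
        {"protocol": PROTO_ICMP, "source": onprem_cidr, "sourceType": "CIDR_BLOCK",
         "isStateless": False, "description": "ping from on-prem",
         "icmpOptions": {"type": 8}},                   # echo request only
        {"protocol": PROTO_ICMP, "source": ANYWHERE, "sourceType": "CIDR_BLOCK",
         "isStateless": False, "description": "fragmentation needed (PMTUD)",
         "icmpOptions": {"type": 3, "code": 4}},
    ]
    egress = [
        {"protocol": PROTO_TCP, "destination": onprem_cidr, "destinationType": "CIDR_BLOCK",
         "isStateless": False, "description": "tcp to on-prem"},
        {"protocol": PROTO_ICMP, "destination": ANYWHERE, "destinationType": "CIDR_BLOCK",
         "isStateless": False, "description": "ping anywhere"},
    ]
    return {"ingress": ingress, "egress": egress}


def open_to_world(rules):
    """The 'don't let the WORLD in' check: ingress from 0.0.0.0/0 on
    anything but ICMP is a cage door left open."""
    return [r for r in rules["ingress"]
            if r["source"] == ANYWHERE and r["protocol"] != PROTO_ICMP]


def cli_payloads(onprem_cidr, drg_ocid, ports=(22, 1521)):
    """JSON strings ready to hand to the OCI CLI flags named in the header."""
    rules = security_rules(onprem_cidr, ports)
    return {
        "--route-rules": json.dumps(route_rules(onprem_cidr, drg_ocid)),
        "--ingress-security-rules": json.dumps(rules["ingress"]),
        "--egress-security-rules": json.dumps(rules["egress"]),
    }


if __name__ == "__main__":
    for problem in check_plan(VCN_CIDR, SUBNET_CIDR, ONPREM_CIDR):
        print("PLAN PROBLEM:", problem)
    for flag, payload in cli_payloads(ONPREM_CIDR, DRG_OCID).items():
        print(flag, payload)
    print("world-open ingress rules:", open_to_world(security_rules(ONPREM_CIDR)))
```

Run it before you click through the console and compare the printed rules with what you typed into the dialogs; if `open_to_world()` prints anything other than an empty list, a cage door is open. The same JSON can be fed to `oci network route-table create` and `oci network security-list create` if you would rather script the zoo than click it.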

E: Setup the CPE (yer on-prem box) Da glue.


Now yer ready to add the on-prem box to your cloud config so that da cloud knows where yer goin'. Aka the CPE (stands for Customer-Premises Equipment, ya monkey).


Here is the weird part: the address here is the public IP address of yer host, NOT the VirtualBox IP!!!! You shoulda got that address earlier; if not, go back up and find out how to get it. If a home router is doing NAT in front of the host (it almost certainly is), the tunnel can still come up, since OCI's IPsec supports NAT traversal, but check the CPE IKE identifier setting in the Oracle doc linked above so both ends agree on who the CPE is.


Here is a good example:


Since yer PC is acting as the on-prem data center, you use its actual public address here. The CPE object is always a single public IP; for an enterprise, what changes is the on-prem side: instead of one VirtualBox network you register the enterprise's CIDR(s) as the routes for the IPsec connection, with the same CIDRs mapped in yer Routing and Security Listings. So the jump to enterprise is the same as here.



This is the building-block schematic we will come back to when building the IPsec stuff on the on-prem side. I will go through the above in detail so it all makes sense (at least for this monkey).



So that’s the second part of this. More to come, but time for a cigarette.
