Connecting to Cluster Nodes with Private IP Addresses

By default, cluster nodes are assigned private IP addresses and are therefore not publicly available on the internet. You can make them available in any of the ways described in the following topics:

Map a Private IP Address to a Public IP Address

Big Data Service nodes are by default assigned private IP addresses, which aren't accessible from the public internet. One way to make a node accessible from the internet is to map a node's private IP address to a public IP address.

The instructions below use the Oracle Cloud Infrastructure Cloud Shell, which is a web browser-based terminal accessible from the Oracle Cloud Console. You'll gather some information about your network and your cluster nodes, and then you'll pass that information to commands in the shell. To perform this task, you must have a cluster running in a VCN in your tenancy, and that cluster must have a regional, public subnet.

To view cluster information, see Getting a Cluster's Details.

Required IAM Privileges for Mapping Private to Public IP Address

You must have appropriate Oracle Infrastructure Identity and Access Management (IAM privileges) to map private to public IP addresses.

The tenancy administrator or a delegated administrator with the appropriate privileges must create a policy according to the following guidelines.

Group

The policy can assign privileges to any Big Data Service group, to give members of that group the rights to map IP addresses.

Permissions

The policy must contain policy statements with the following IAM permissions:

vnic_read
private_ip_read
public_ip_read
public_ip_delete
public_ip_create
public_ip_update
private_ip_assign_public_ip
private_ip_unassign_public_ip
public_ip_assign_private_ip
public_ip_unassign_private_ip

Resource

The policy must specify the tenancy or the <compartment_name> of the compartment containing the subnet used for the IP addresses.

Example

allow group bds_net_admins to vnic_read in tenancy
allow group bds_net_admins to private_ip_read in tenancy
allow group bds_net_admins to public_ip_read in tenancy
allow group bds_net_admins to public_ip_delete in tenancy
allow group bds_net_admins to public_ip_create in tenancy 
allow group bds_net_admins to public_ip_update in tenancy 
allow group bds_net_admins to private_ip_assign_public_ip in tenancy 
allow group bds_net_admins to private_ip_unassign_public_ip in tenancy 
allow group bds_net_admins to public_ip_assign_private_ip in tenancy
allow group bds_net_admins to public_ip_unassign_private_ip in tenancy

Mapping the Private IP Address to a Public IP Address

In the Cloud Console, click the Cloud Shell icon at the top of the page. It might take a few moments to connect and authenticate you.
1. export DISPLAY_NAME=<display-name>
  
  export SUBNET_OCID=<subnet-ocid>
  
  export PRIVATE_IP=<ip-address>
  
  oci network public-ip create --display-name $DISPLAY_NAME --compartment-id `oci network private-ip list --subnet-id $SUBNET_OCID --ip-address $PRIVATE_IP | jq -r '.data[] | ."compartment-id"'` --lifetime "RESERVED" --private-ip-id `oci network private-ip list --subnet-id $SUBNET_OCID --ip-address $PRIVATE_IP | jq -r '.data[] | ."id"'`
  
  The export statements set variables that are used in the oci network command that follows. The variables are:
  - <display-name> (optional) is a "friendly name" that will be attached to the reserved public IP address. This name is not pre-existing. It's created when running this command.
    
    For convenience, you might want to use the name of the node whose private IP address you're mapping, for example myclusun0, which is the name of the first utility node in a cluster named mycluster.
  - <subnet-ocid> is the OCID of the customer public subnet used by the cluster for example, ocid1.subnet.oc1.iad....
  - <ip-address> is the private IP address assigned to the node you want to map, for example, 192.0.2.1.
  Enter the command beginning with oci network public-ip create --compartment-id... exactly as it's shown above, with no breaks.
  
  Example:
```
$ export DISPLAY_NAME="myclustun0"
$ export SUBNET_OCID="ocid1.subnet.oc1.…"
$ export PRIVATE_IP="192.0.2.1"
$ oci network public-ip create --display-name $DISPLAY_NAME --
compartment-id `oci network private-ip list --subnet-id $SUBNET_OCID --ip-
address $PRIVATE_IP | jq -r '.data[] | ."compartment-id"'` --lifetime 
"RESERVED" - private-ip-id `oci network private-ip list --subnet-id 
$SUBNET_OCID --ip-address $PRIVATE_IP | jq -r '.data[] | ."id"'`
```
  The output returned is:
```
{ "data": {
    "assigned-entity-id": "ocid1.privateip.oc1...",
    "assigned-entity-type": "PRIVATE_IP",
    "availability-domain": null,
    "compartment-id": "ocid1.compartment.oc1...",
    "defined-tags": {},
    "display-name": "publicip...",
    "freeform-tags": {},
    "id": "ocid1.publicip.oc1....",
    "ip-address": "203.0.113.1",
    "lifecycle-state": "ASSIGNED",
    "lifetime": "RESERVED",
    "private-ip-id": "ocid1.privateip....",
    "scope": "REGION",
    "time-created": "2020-04-13..."
   },
   "etag": "1234abcd" 
}
```
In the output returned, find the value for ip-address. In the above example, it's 203.0.113.1. That's the new reserved public IP address that is mapped to the private IP address for the node.

Then,
To see the reserved public IP address in the console, click the navigation menu.
Under Networking, click Virtual Cloud Networks.
In the navigation list on the left, under Networking, click IP Management.
The new reserved public IP address appears in the Reserved Public IP Addresses list. If you supplied a display name in the command you ran, above, that name will appear in the Name column. Otherwise, a name like publicipnnnnnnnnn is generated.

Deleting a Public IP Address

In the Cloud Console, click the Cloud Shell icon at the top of the page. It might take a few moments to connect and authenticate you.
Run oci network public-ip delete --public-ip-id ocid1.publicip.oc1....

The value for --public-ip-id is shown in output returned by the previous command, as shown above: "id": "ocid1.publicip.oc1....",.
(Optional) Alternatively, you can go to the Networking Reserved Public IP Addresses page in the Cloud Console and delete reserved public IPs there.

Opening Ports to Make Services Available

Making the node publicly available isn't enough to make a service like Apache Ambari or Cloudera Manager available from the internet. You must also open the port for the service by adding an ingress rule to a security list. See Defining Security Rules .

Use a Bastion Host to Connect to Big Data Service

You can use a bastion host to provide access to the a cluster's private network from the public internet.

A bastion host is a compute instance that serves as the public entry point for accessing a private network from external networks like the internet. Traffic must flow through the bastion host to access the private network, and you can set up security mechanisms on the bastion to handle that traffic. For more information, see Bastion.

Use Oracle Cloud Infrastructure site-to-site VPN to connect to Big Data Service

Site-to-site VPN provides a site-to-site IPSec VPN between your on-premises network and your virtual cloud network (VCN). The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives.

For details for connecting to Big Data Service with VPN see Site-to-Site VPN.

Use Oracle Cloud Infrastructure FastConnect to connect to Big Data Service

Use FastConnect to access public services in Oracle Cloud Infrastructure without using the internet, for example, access to Object Storage, or the Oracle Cloud Console and APIs. Without FastConnect, the traffic destined for public IP addresses would be routed over the internet. With FastConnect, that traffic goes over your private physical connection.

For details for connecting Big Data Service with Oracle Cloud Infrastructure FastConnect see FastConnect Overview.

Oracle Cloud Infrastructure Documentation