Access Private OAC through Public Load Balancer or Bastion

Resource Analytics can create Oracle Analytics Cloud (OAC) instances as part of the solution to let customers analyze data. OAC can be provisioned with either a public or a private endpoint (you select which when provisioning). By default, OAC is provisioned with a private endpoint. Users whose OAC has a public endpoint can skip this section altogether. To access a private-endpoint instance from a laptop, a public subnet and a public Load Balancer must be configured to provide access.

Note

These steps assume that a VCN with a private subnet, a provisioned Resource Analytics service, and a provisioned Oracle Analytics Cloud (OAC) already exist.

Configuring Access Through a Public Load Balancer

Configure access to a private OAC through a public Load Balancer.

  1. Create a public subnet in the same VCN as the private subnet containing the Resource Analytics and OAC instances.
    The private subnet in this example is 10.0.1.0/24 and the public subnet is 10.0.0.0/24.
  2. Create an internet gateway.
    An internet gateway is required so that the public Load Balancer is reachable from the Internet.
  3. Create a route table.
    A route table must be set up with a route added for 0.0.0.0/0 (Internet access).
  4. Configure the private subnet.
    The private subnet has an existing route table and at least one security list associated with it. No routes need to be added because routing isn't required within a VCN. A rule does need to be added to a security list to let traffic in on port 443 from the public subnet.

    Add the following for the rule:

    Stateless: No

    Source: 10.0.0.0/24

    IP Protocol: TCP

    Security Port Range: All

    Destination Port Range: 443

  5. Configure the public subnet.
    The public subnet has an existing route table and at least one security list associated with it. A route with a target for the Internet Gateway for CIDR block 0.0.0.0/0 (Internet access) must be added to the route table associated with the public subnet. A rule on a security list also needs to be added to let traffic in on port 443 from the Internet.
    1. Add the following route rule to the route table:

      Target Type: Internet Gateway

      Destination CIDR Block: 0.0.0.0/0

      Target Internet Gateway: <Your_gateway_name>

      Description: Optional text to describe the rule.

    2. Select Add Route Rules.
    3. Add the following rule to the security list:

      Stateless: No

      Source: 0.0.0.0/0

      IP Protocol: TCP

      Security Port Range: All

      Destination Port Range: 443

  6. Collect the OAC's details.
    Before creating the Load Balancer, collect the details of the OAC instance.
    1. Find the OAC you're targeting for access.
    2. From Additional Details collect the hostname and IP.
  7. Create a public Load Balancer.
    Note

    You must have limits available for Reserved Public IP addresses even if you select Ephemeral on the Load Balancer setup. The Load Balancer service only uses reserved IP addresses.
    1. Give the Load Balancer a name.
    2. Select Public as the type.
    3. Select Ephemeral IP address.
    4. Select the VCN where Resource Analytics and OAC reside.
    5. Select the public subnet configured in step 5.
    6. For Load balancing policy, select Weighted Round Robin.
    7. For Health Check, select TCP as the protocol and 443 as the port.
    8. Enter a name for the listener.
    9. Select TCP as the traffic type and 443 as the port.
    10. Select the default log group for error logs.
    11. Select Submit.
    12. When the Load Balancer is created, make a note of the public IP address for use later on.
  8. Add a backend to the Load Balancer.
    The Load Balancer is marked as incomplete following creation and a backend needs to be added. The backend is the IP address of the OAC instance.
    1. On the creation screen select IP addresses.
    2. Under IP address, enter 443 as the port.
    3. Select Add.
  9. Configure the OAC Application in the identity domain.
    OAC is provisioned as part of an IDCS Domain, and an associated IDCS application is created. The domain must be configured to give users access to OAC. The domain used in this example is dev-domain.
    1. Create a group for the users who need access to OAC.
    2. Create local user accounts for any users that need access to OAC.
    3. Add each user to the group.
    4. On Oracle Cloud Services, in the IDCS Domain, select the OAC instance that needs permissions configured.
    5. Select Application Roles.
    6. For each application role, select Manage for Assigned groups.
    7. Add the group created in step 1.
    8. Repeat steps 6 and 7 for each application role.
  10. Add new users and update the group.
    1. Sign in to the OCI Console in the tenancy where Resource Analytics and OAC are set up.
    2. Navigate to Identity & Security.
    3. Select Domains.
    4. Select the domain that OAC resides in.
    5. Select Users.
    6. Select Create user.
    7. Enter a first name, last name, and email address. The user gets an email with the title Activate your profile in account - <tenancy_name>. The user must activate their account and change the password.
    8. Select Groups.
    9. Select the group created for the OAC instance.
    10. Select Assign Users to groups.
    11. Select the user to be added.
  11. Update the /etc/hosts file with the name of the OAC and the IP of the public Load Balancer.
    1. Navigate to Analytics & AI.
    2. Select Analytics Cloud.
    3. Ensure the correct compartment is selected.
    4. Select the OAC to be accessed.
    5. Select Additional Details and collect the hostname of the OAC instance.
    6. To open the hosts file in a TextEdit window, open a terminal and run the command:
      sudo open -e /etc/hosts
    7. Add a line for the OAC which pairs the public Load Balancer IP with the private OAC instance hostname. For example:
      <IP_address> <resource-analytics-ocid>
    8. Save the changes.
    9. Disconnect from VPN and then go to the following URL: xj5i3m6hc5c.analytics.us-dcc-phoenix-1.ocp.oraclecloud17.com/ui.
    10. Log in with the local username and password created earlier.
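Steps 1 to 5 above expressed as Terraform for the OCI provider, so the CIDRs, port and stateful/stateless choices can be reviewed and version-controlled. This is an added example, not code from the Oracle page; var.compartment_id and var.vcn_id are assumed inputs naming the existing VCN.

```hcl
# Added example, not from the Oracle page: Terraform for steps 1 to 5.
# Assumed: var.compartment_id and var.vcn_id identify the existing VCN.
resource "oci_core_internet_gateway" "igw" {        # step 2
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  enabled        = true
}
resource "oci_core_route_table" "public_rt" {       # steps 3 and 5.1
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  route_rules {
    destination       = "0.0.0.0/0"                 # Internet access
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.igw.id
  }
}
resource "oci_core_security_list" "public_sl" {     # step 5.3
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  ingress_security_rules {                          # Internet -> LB :443
    protocol  = "6"                                 # TCP
    source    = "0.0.0.0/0"
    stateless = false                               # Stateless: No
    tcp_options {
      min = 443                                     # Destination Port Range
      max = 443
    }
  }
}
resource "oci_core_subnet" "public" {               # step 1
  compartment_id    = var.compartment_id
  vcn_id            = var.vcn_id
  cidr_block        = "10.0.0.0/24"
  route_table_id    = oci_core_route_table.public_rt.id
  security_list_ids = [oci_core_security_list.public_sl.id]
}
resource "oci_core_security_list" "private_from_public" {   # step 4
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  ingress_security_rules {                          # public subnet -> OAC :443
    protocol  = "6"                                 # TCP
    source    = "10.0.0.0/24"                       # only the public subnet
    stateless = false
    tcp_options {
      min = 443
      max = 443
    }
  }
}
# Attach private_from_public to the private subnet's existing security_list_ids.
```

The public subnet's list also needs a stateful egress rule to 10.0.1.0/24 on port 443 so the Load Balancer can reach the OAC backend (an assumption here; the page does not list it), and private_from_public must be added to the private subnet's existing security lists rather than replacing them.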

Configuring Access Through Bastion

Bastion can be set up to access a private Load Balancer.

  1. Create an OCI Bastion targeting the private subnet where OAC resides.
  2. To give access from OCNA, set CIDR block allowlist to 160.34.0.0/16.
  3. Create the session from Bastion (set up SSH keys as required).
  4. Follow the instructions provided to SSH on port 443.
    Note

    You might need to use sudo for the ssh command, as it's required to access the loopback 127.0.0.1 IP address on a Mac. For example, the ssh command is:
    ssh -i <private_key_location> -N -L 443:10.0.1.27:443 -p 22 <bastion_ocid>
  5. Add an entry in the /etc/hosts file for the loopback address with the hostname for the private OAC.
    For example:
    127.0.0.1 <resource-analytics-private-OAC-hostname>
    Note

    If you set up Bastion using the Console, it behaves like an end-customer Bastion and only lets sessions last three hours at most. At that point, create a new session to reconnect.

    Log out of your BOAT session and sign in as the local user to access OAC. If OAC gives "permission denied by application" errors, your sign-in might be cached, so either clear the cache or switch browsers.
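Bastion steps 1 to 3 above as Terraform for the OCI provider, showing the OCNA-only CIDR allowlist and the three-hour session limit from the note. This is an added example, not code from the Oracle page; var.compartment_id, var.private_subnet_id (the 10.0.1.0/24 subnet) and the public key path are assumed, and 10.0.1.27 is the OAC private IP used in the page's ssh command.

```hcl
# Added example, not from the Oracle page: Bastion steps 1 to 3 in Terraform.
# Assumed: var.compartment_id, var.private_subnet_id (10.0.1.0/24) and the
# public key file path; 10.0.1.27 is the OAC private IP from the page.
resource "oci_bastion_bastion" "oac" {              # steps 1 and 2
  bastion_type                 = "STANDARD"
  compartment_id               = var.compartment_id
  target_subnet_id             = var.private_subnet_id
  client_cidr_block_allow_list = ["160.34.0.0/16"]   # OCNA only, never 0.0.0.0/0
  max_session_ttl_in_seconds   = 10800               # 3 hours, the service maximum
}
resource "oci_bastion_session" "oac_443" {          # step 3
  bastion_id             = oci_bastion_bastion.oac.id
  session_ttl_in_seconds = 10800                    # expires; recreate to reconnect
  key_details {
    public_key_content = file("~/.ssh/oac_bastion.pub")   # assumed path
  }
  target_resource_details {
    session_type                       = "PORT_FORWARDING"
    target_resource_private_ip_address = "10.0.1.27"      # OAC private IP
    target_resource_port               = 443
  }
}
```

Once the session is ACTIVE, the Console shows the ssh -N -L 443:10.0.1.27:443 command from step 4, to which the /etc/hosts loopback entry in step 5 applies.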