Use Dedicated Vantage Points

You can set up a Dedicated Vantage Point to define a location within your own tenancy to run your monitors securely.

You can use a Dedicated Vantage Point to monitor applications behind a firewall or in a corporate network environment, which cannot be accessed by a public synthetic vantage point. The Dedicated Vantage Point cannot be used by anyone outside your tenancy and you have complete control over network settings. In this way, you can make a Dedicated Vantage Point a part of your corporate network and monitor endpoints that are not publicly accessible.

A Dedicated Vantage Point is an Application Performance Monitoring resource, which can be set up in a tenancy using the Oracle-provided Application Performance Monitoring Synthetic Dedicated Vantage Point template available in the Oracle Cloud Infrastructure Resource Manager service. A template is a pre-built Terraform configuration used to deploy cloud resources in a common scenario. The Application Performance Monitoring Synthetic Dedicated Vantage Point template can be used to provision the infrastructure and prerequisites for a Dedicated Vantage Point in Application Performance Monitoring. For more information on Resource Manager, see Overview of Resource Manager.

Here's an architecture diagram that provides an overview of a Dedicated Vantage Point within a secure network that includes a Virtual Cloud Network (VCN), and how it sends data from monitor runs to Application Performance Monitoring:

[Figure: Dedicated Vantage Point Architecture]

The following list describes the flow of data in the diagram:

  • A – Metrics, HTTP Archive (HAR) files, and screenshots sent to the APM domain
  • B – Flow of monitor configuration files and edits between the Deployment Manager and the APM domain
  • C – Traces, spans, and metrics sent to the APM domain

Perform Dedicated Vantage Point Prerequisite Tasks

Here are the prerequisite tasks that must be performed before you set up a Dedicated Vantage Point.

Task More Information
Ensure that you have sufficient quota for the resources required to create a stack using the Application Performance Monitoring Synthetic Dedicated Vantage Point template.

To check resource quota in the compartment in which the Dedicated Vantage Point will be set up:

  1. Open the navigation menu and click Governance & Administration. Under Governance, click Limits, Quotas and Usage.
  2. On the Limits, Quotas and Usage page, select the following services in the Services drop-down list and verify the availability of quota:
    • Streaming: At least 1 partition must be available.
    • Compute: At least 2 compute instances must be available for the selected shape, having 2 cores each. The supported compute shapes are VM.Standard.E3.Flex and VM.Standard.E4.Flex.
    • Container Engine: At least 1 cluster and 2 nodes must be available.
    • Key Management: If you want to use the Oracle Cloud Infrastructure Vault service, quota for the virtual-vault-count resource-type should be available in the required compartment.
    • Resource Management/Private Endpoints: When using private endpoints, at least one private-endpoint-count must be available.
For information on quota in Oracle Cloud Infrastructure, see Compartment Quotas.
Ensure that the user setting up the Dedicated Vantage Point has the permissions to access the Resource Manager service, create a stack (resource-type: orm-stacks) and view jobs (resource-type: orm-jobs), and create and access the following resources.
  • Container Registry repository (resource-type: repos)
  • Networking service resources (resource-types: vcns, subnets, private-ips, public-ips, vnics)
  • Compute instances (resource-type: instance-family)
  • Kubernetes clusters (resource-type: clusters)
  • Streams (resource-type: streams)
  • IAM resources (resource-types: policies, tag-namespaces, dynamic-groups)
  • Vault service resources (resource-types: vaults, keys)
  • Logging service resources (resource-types: log-groups, unified-configuration)

Note that the VCN must be created manually and the other resources listed above are created as part of the Resource Manager stack.

OKE Private Endpoints: In addition to access to the resources listed above, ensure that the user has permission to create a Resource Manager private endpoint (resource-type: orm-private-endpoints).

For information on policies, see:

For examples of the policies that must be created to grant a non-admin user the required permissions to create the Resource Manager stack, see Dedicated Vantage Point Policies for Non-Admin Users (Optional).

Create the following policy to enable the user to pull the Synthetics Deployment Manager, Synthetics Side Agent, and Synthetics REST Agent (Dedicated Vantage Point artifacts) from the Container Registry, which is also known as the Oracle Cloud Infrastructure Registry:
ENDORSE group ID <GROUP_OCID> to read repos in any-tenancy
For information on policies, see How Policies Work.
Create a VCN and add the following security rules:

For Oracle Kubernetes Engine (OKE) Public Endpoint:

  • Ingress rules for the Oracle Kubernetes Engine API public endpoint (Kubernetes API public endpoint) in a security list of the public subnet where the public endpoint is hosted. Note that the Worker Nodes CIDR is the CIDR range for the private subnet where the cluster worker nodes are hosted.
    • State: Stateful, Source: VCN CIDR, Protocol/Dest.Port: ICMP 3, Description: VCN to Kubernetes API endpoint communication
    • State: Stateful, Source: Worker Nodes CIDR, Protocol/Dest.Port: TCP/12250, Description: Kubernetes worker to control plane communication
    • State: Stateful, Source: Worker Nodes CIDR, Protocol/Dest.Port: ICMP 3,4, Description: Path Discovery
    • State: Stateful, Source: 0.0.0.0/0 or specific subnets, Protocol/Dest.Port: TCP/6443, Description: Client access to Kubernetes API endpoint, which includes:

      Source: Worker Nodes CIDR - For Kubernetes worker to Kubernetes API endpoint communication

      Source: 0.0.0.0/0 - For Helm Chart deployment

  • Egress rules for the Kubernetes API public endpoint in a security list of the public subnet where the public endpoint is hosted. Note that the Worker Nodes CIDR is the CIDR range for the private subnet where the cluster worker nodes are hosted.
    • State: Stateful, Destination: All <region> Services in Oracle Services Network, Protocol/Dest.Port: TCP/443, Description: Allow Kubernetes control plane to communicate with OKE
    • State: Stateful, Destination: Worker Nodes CIDR, Protocol/Dest.Port: TCP/ALL, Description: All traffic to worker nodes
    • State: Stateful, Destination: Worker Nodes CIDR, Protocol/Dest.Port: ICMP 3,4, Description: Path Discovery
  • Ingress rules in the security list of the private subnet where the worker nodes will be hosted:
    • State: Stateful, Source: VCN CIDR, Protocol/Dest.Port: TCP/22, Description: Allow SSH
    • State: Stateful, Source: VCN CIDR, Protocol/Dest.Port: ICMP 3,4, Description: Path Discovery
    • State: Stateful, Source: VCN CIDR, Protocol/Dest.Port: UDP/ALL, Description: Prevent Unknown Host Issues and for Faster Monitor Execution
  • Egress rules in the security list of the private subnet where the worker nodes will be hosted:
    • State: Stateful, Destination: 0.0.0.0/0, Protocol/Dest.Port: All Protocols, Description: All traffic for all ports

For Oracle Kubernetes Engine (OKE) Private Endpoint:

  • Ingress rules in the security list of the private subnet where the worker nodes will be hosted:
    • State: Stateful, Source: VCN CIDR, Protocol/Dest.Port: TCP/22, Description: Allow SSH
    • State: Stateful, Source: VCN CIDR, Protocol/Dest.Port: ICMP 3,4, Description: Path Discovery
    • State: Stateful, Source: VCN CIDR, Protocol/Dest.Port: UDP/ALL, Description: Prevent Unknown Host Issues and for Faster Monitor Execution
    • State: Stateful, Source: Worker Nodes CIDR, Protocol/Dest.Port: TCP/ALL, Description: Allow Resource Manager to communicate with OKE when using OKE Private Endpoint.
  • Egress rules in the security list of the private subnet where the worker nodes will be hosted:
    • State: Stateful, Destination: 0.0.0.0/0, Protocol/Dest.Port: All Protocols, Description: All traffic for all ports
For information on creating a VCN, see To create a VCN.

For information on security rules for the Kubernetes API endpoint, see Security Rule Configuration in Security Lists and/or Network Security Groups.
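
The ingress rules listed above for the worker-node private subnet can be checked mechanically before the stack is created. The following Python is an added example, not Oracle's code: it assumes the security list has been exported as JSON in the shape of the data object returned by the OCI CLI command oci network security-list get, and the CIDR values and sample rules are constructed. It covers only the worker-node subnet, not the Kubernetes API public endpoint subnet.

```python
import ipaddress

PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP", "all": "ALL"}  # OCI protocol codes

def normalize(rule):
    """Reduce one ingress rule to (source, protocol, port range or ICMP type/code)."""
    proto = PROTO.get(str(rule["protocol"]), str(rule["protocol"]))
    detail = "ALL"
    if proto in ("TCP", "UDP"):
        rng = (rule.get(proto.lower() + "-options") or {}).get("destination-port-range")
        if rng:
            detail = (rng["min"], rng["max"])
    elif proto == "ICMP" and rule.get("icmp-options"):
        detail = (rule["icmp-options"].get("type"), rule["icmp-options"].get("code"))
    return (rule["source"], proto, detail)

def documented_ingress(vcn_cidr, worker_cidr=None):
    """Worker-subnet ingress rules as listed on this page."""
    rules = {(vcn_cidr, "TCP", (22, 22)), (vcn_cidr, "ICMP", (3, 4)), (vcn_cidr, "UDP", "ALL")}
    if worker_cidr:  # extra rule for the OKE private endpoint variant
        rules.add((worker_cidr, "TCP", "ALL"))
    return rules

def inside(source, vcn):
    """True when the rule source is a CIDR contained in the VCN CIDR."""
    try:
        return ipaddress.ip_network(source).subnet_of(vcn)
    except (ValueError, TypeError):  # service label or other address family
        return False

def audit_worker_ingress(security_list, vcn_cidr, worker_cidr=None):
    """Return sorted (finding, rule) pairs; an empty list means an exact match."""
    expected = documented_ingress(vcn_cidr, worker_cidr)
    vcn = ipaddress.ip_network(vcn_cidr)
    seen, findings = set(), []
    for rule in security_list.get("ingress-security-rules", []):
        key = normalize(rule)
        seen.add(key)
        if rule.get("is-stateless"):  # the page specifies stateful rules
            findings.append(("stateless", key))
        if not inside(rule["source"], vcn):
            findings.append(("source-outside-vcn", key))
        elif key not in expected:
            findings.append(("not-in-documented-set", key))
    findings += [("missing", key) for key in expected - seen]
    return sorted(findings, key=str)

SAMPLE = {  # constructed sample: UDP rule absent, SSH also open to 0.0.0.0/0
    "ingress-security-rules": [
        {"source": "10.0.0.0/16", "protocol": "6", "is-stateless": False,
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
        {"source": "10.0.0.0/16", "protocol": "1", "is-stateless": False,
         "icmp-options": {"type": 3, "code": 4}},
        {"source": "0.0.0.0/0", "protocol": "6", "is-stateless": False,
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    ]
}

if __name__ == "__main__":
    for finding in audit_worker_ingress(SAMPLE, "10.0.0.0/16"):
        print(finding)
```

Passing the worker nodes CIDR as the third argument also checks for the additional TCP/ALL rule required with an OKE private endpoint.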

Ensure that an APM Domain is created and generate a private data key for the Dedicated Vantage Point. The Dedicated Vantage Point will be registered to the APM Domain and the private data key is required to ensure that Application Performance Monitoring accepts the monitoring metrics and data collected by the Dedicated Vantage Point. It's recommended that the name of the private data key is in the following format:

dvp_<dvp name>_<region>

For information on creating an APM Domain and generating data keys, see Create an APM Domain.
Generate an auth token to pull Dedicated Vantage Point artifacts from the Container Registry. For information on generating an auth token, see Getting an Auth Token.

Set Up a Dedicated Vantage Point

To set up a Dedicated Vantage Point using Resource Manager, you must create a stack using the Application Performance Monitoring Synthetic Dedicated Vantage Point template.

Before you set up a Dedicated Vantage Point, you must perform all the prerequisite tasks to obtain permissions and ensure the availability of the resources required. For information on the prerequisite tasks, see Perform Dedicated Vantage Point Prerequisite Tasks.
To set up a Dedicated Vantage Point:
  1. Open the navigation menu and click Developer Services. Under Resource Manager, click Stacks.
  2. On the left pane, select the compartment in which you want to set up the Dedicated Vantage Point.
  3. Click Create Stack.
    The Create Stack Wizard is displayed.
  4. On the Stack Information page:
    1. Select Template.
    2. Click Select Template.
    3. In the Browse Templates dialog box, click the Services tab, select Application Performance Monitoring Synthetic Dedicated Vantage Point, and click Select Template.

      The fields on the Stack Information page are updated with Dedicated Vantage Point details, and you can make changes to the name and description, select a different compartment in which to create a stack, and so on.

    4. Click Next.
  5. On the Configure Variables page, configure the variables for the infrastructure resources that the stack will create while setting up the Dedicated Vantage Point.
    • Dedicated Vantage Point Name
      1. Dedicated Vantage Point Name: Enter a unique name for the Dedicated Vantage Point. This name will be used to register the Dedicated Vantage Point with an APM Domain and will be prefixed to the infrastructure resources created by the stack.
    • VCN Configuration

      Note that the values selected in the VCN Configuration fields cannot be changed later.

      1. Use private Kubernetes API endpoint: Select to create the OKE cluster on a private subnet.
      2. Network Compartment: Select the compartment in which the VCN resides.
      3. VCN: Select the VCN that the Dedicated Vantage Point will use.
      4. Cluster Worker Nodes Subnet: Select the subnet used by the worker nodes in the Dedicated Vantage Point cluster.
      5. Public Kubernetes API Endpoint Subnet: Select the public subnet to host the Kubernetes API public endpoint.
      6. Private Kubernetes API Endpoint Subnet: Select the same subnet that you selected in item 4, Cluster Worker Nodes Subnet.
    • Domain Configuration
      1. Auth Token of the User Executing the Stack: Enter the auth token of the user executing the stack. The auth token is required to pull Dedicated Vantage Point artifacts from the Container Registry.
      2. Domain Private Data Keys: Enter the APM Domain private data key generated for the Dedicated Vantage Point in the following format:
        {"domainOcid":"<domain_OCID_value>" "domainDataKey":"<domain_private_datakey_value>" "domainRegion":"<domain_region_name>"}

        For example:

        {"domainOcid":"ocid1.apmdomain.oc1.phx.atrstahnenntlsundfserq8re3lfg6sw2dwedcfgthyuijk" "domainDataKey":"4WESK3ABCDE9LBTRUGSC9S2NG9STODRN" "domainRegion":"us-phoenix-1"}
    • OKE Configuration
      1. Kubernetes Version: Select the Kubernetes version of the cluster worker nodes. Note that the downgrade of the Kubernetes version is not supported.
      2. Shape: Select the compute instance shape of the worker nodes to be created in the Dedicated Vantage Point node pool. Note that only VM.Standard.E3.Flex and VM.Standard.E4.Flex are supported.
      3. Node Pool Size: Select the number of worker nodes in the Dedicated Vantage Point node pool.
      4. SSH Key: Optionally, provide the SSH public key to access private worker nodes in the cluster, by selecting the Choose SSH Key File option and uploading the SSH key (.pub) file, or selecting the Paste SSH Key option and pasting the SSH key. Note that the key will only be applied to new nodes.
    • Proxy Configuration
      1. Use Target URL Proxy?: Select to provide proxy details if the monitored targets are behind a proxy server. On selecting this check box, the following fields are displayed:
        1. Is HTTPS Proxy?: Select if proxy access is secure.
        2. Proxy URL: Enter the URL of the target proxy server. For example, https://proxy.example.com.
        3. Proxy Port: Enter the port number of the target proxy server. For example, 8080.
        4. Bypass URL: Enter comma-separated domain names to bypass proxy settings. For example, example1.com and example2.com. Note that you must avoid wild card characters such as an asterisk (*).
        5. Auth Type: Select the authentication type for the target proxy server. The default option is NONE. If you select BASIC in the drop-down list, you must specify the user name and password in the User Name and Password fields.
      2. Use Metric Data Upload Endpoint Proxy?: Select to provide proxy details to upload monitored metrics. On selecting this check box, the following fields are displayed:
        1. Is HTTPS Proxy?: Select if proxy access is secure.
        2. Proxy URL: Enter the URL for the metrics data upload endpoint proxy server to communicate with the APM Collector. For example, https://127.0.0.1.
        3. Proxy Port: Enter the port number for the metrics data upload endpoint proxy server. For example, 8080.
        4. Auth Type: Select the authentication type for the metrics data upload endpoint proxy server. The default option is NONE. If you select BASIC in the drop-down list, you must specify the user name and password in the User Name and Password fields.
    • Vault Configuration
      1. Enable Vault Support?: Select to use the Oracle Cloud Infrastructure Vault service to store secrets and manage encrypted resources. If you select the option to enable Vault support, the Use Existing Vault? option is displayed, and you can select this to use an existing vault to store secrets and manage encrypted resources. If the Enable Vault Support? check box is selected and the Use Existing Vault? check box is not selected, then a new vault will be created. Note that the option to disable Vault support is currently not available.
    • Log Configuration
      1. Upload Logs?: Select to upload logs to the Oracle Cloud Infrastructure Logging service.
    • Auto Upgrade DVP Artifacts
      1. Enable Auto Upgrade?: Select to auto upgrade the Synthetics Deployment Manager and monitors to the latest version.
  6. On the Review page, verify your stack configuration, and perform one of the following actions:
    • Select the Run Apply on the created stack? option and immediately provision the resources defined in the Terraform configuration by running the Apply action on the new stack, and click Create.
    • Click Create and optionally click Plan on the Stack Details page to generate an execution plan (run a plan job) to identify errors, if any. You can then click Apply to run the apply job for the stack.
      • For more information on Resource Manager concepts such as plans and jobs, see Key Concepts.
      • For more information on the options available on the Stack Details page and the tasks that can be performed, see Managing Stacks and Managing Jobs.
The resources are created and attached to the stack. After the stack is successfully set up, go to Synthetic Monitoring and click Dedicated Vantage Points on the left pane. The Dedicated Vantage Point is listed on the Dedicated Vantage Points page. To verify if the Dedicated Vantage Point is ready to be used, go to the Monitors page, click Create Monitor, and on the Run Settings page in the Create Monitor wizard, confirm that the newly created Dedicated Vantage Point is listed in the Vantage Points drop-down list. For information on creating a monitor, see Create a Monitor.

Monitor Dedicated Vantage Points

After setting up a Dedicated Vantage Point, you can monitor the Dedicated Vantage Point.

To monitor a Dedicated Vantage Point:

  1. Navigate to the Synthetic Monitoring page.
  2. On the left pane, click Dedicated Vantage Points, select the compartment in which you created the Dedicated Vantage Point, and the APM Domain to which it's registered.

    The Dedicated Vantage Point is listed.

  3. Click the name of the Dedicated Vantage Point.

    The <name of the Dedicated Vantage Point> page is displayed.

On the <name of the Dedicated Vantage Point> page, you can:
  • Review information such as the region, when the Dedicated Vantage Point was created, and so on. You can also perform actions such as adding tags or deleting the Dedicated Vantage Point. Note that if you delete the Dedicated Vantage Point, any monitor that is only running on the Dedicated Vantage Point will also be deleted. If the monitor is also running on other public or dedicated vantage points, then it will not be deleted.
  • Scroll down to view Dedicated Vantage Point-related Metrics.
  • Click Monitors under Resources on the left pane to view the monitors running on the Dedicated Vantage Point, if any.

Update an Existing Dedicated Vantage Point

You can update an existing Dedicated Vantage Point by updating the configuration of the Dedicated Vantage Point stack in Resource Manager.

Here are the steps to be performed to update a Dedicated Vantage Point:

  1. Create a stack using the latest Application Performance Monitoring Synthetic Dedicated Vantage Point template. For information, see Set Up a Dedicated Vantage Point.
  2. On the Stack Details page of the newly created stack, click Plan to generate an execution plan (run a plan job). The new plan job is listed under Jobs. For information, see To generate an execution plan (run a plan job) in Managing Stacks and Managing Jobs.
  3. On the Job Details page of the plan job, click Download Terraform Configuration to download the Terraform configuration .zip file. For information, see To view jobs and job details in Managing Stacks and Managing Jobs.
  4. Go to the Stacks page and for the Dedicated Vantage Point that you want to update, click the Edit option. For information, see To edit a stack in Managing Stacks and Managing Jobs.
  5. On the Stack Information page in the Edit Stack wizard, update the configuration stack using the Terraform configuration .zip file that you downloaded in step 3. For information, see To update the configuration for a stack in Managing Stacks and Managing Jobs.