<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet type="text/xsl" href="https://sampathblogs.online/wp-content/plugins/rss-feed-styles/public/template.xsl"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:rssFeedStyles="http://www.lerougeliet.com/ns/rssFeedStyles#"
>

<channel>
	<title>Cloud &#8211; Sampath Kumar A</title>
	<atom:link href="https://sampathblogs.online/tag/cloud/feed/" rel="self" type="application/rss+xml" />
	<link>https://sampathblogs.online</link>
	<description>Be Concious Be More</description>
	<lastBuildDate>Fri, 25 Jul 2025 14:54:52 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>A Guide to Confluence Essentials: Pages, Macros, and More</title>
		<link>https://sampathblogs.online/2025/07/a-guide-to-confluence-essentials-pages-macros-and-more/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-guide-to-confluence-essentials-pages-macros-and-more</link>
					<comments>https://sampathblogs.online/2025/07/a-guide-to-confluence-essentials-pages-macros-and-more/#respond</comments>
		
		<dc:creator><![CDATA[mail2sampath]]></dc:creator>
		<pubDate>Fri, 25 Jul 2025 14:54:52 +0000</pubDate>
				<category><![CDATA[Technical]]></category>
		<category><![CDATA[Basic guide]]></category>
		<category><![CDATA[Cloud]]></category>
		<guid isPermaLink="false">https://sampathblogs.online/?p=3889</guid>

					<description><![CDATA[Confluence is a collaborative workspace where teams can create, edit, organize, and share knowledge through a web browser. It is a corporate wiki developed by the Australian software company Atlassian. Confluence enhances consistency and visibility across teams, ensuring everyone stays aligned... <a class="more-link" href="https://sampathblogs.online/2025/07/a-guide-to-confluence-essentials-pages-macros-and-more/">Continue Reading &#8594;</a>]]></description>
										<content:encoded><![CDATA[
<p>Confluence is a collaborative workspace where teams can create, edit, organize, and share knowledge through a web browser. It is a corporate wiki developed by the Australian software company Atlassian. <br>Confluence enhances consistency and visibility across teams, ensuring everyone stays aligned and on the same page. It is available as Confluence Cloud and Confluence Data Center. Confluence Cloud also has a free version. Refer to this <a href="https://support.atlassian.com/confluence-cloud/docs/learn-about-confluence-cloud-plans/" data-type="link" data-id="https://support.atlassian.com/confluence-cloud/docs/learn-about-confluence-cloud-plans/">link</a> for more information on Confluence Cloud subscriptions.</p>



<h3 class="wp-block-heading">Space/Page/Page tree</h3>



<p>Your content lives in pages, i.e., the documents you create on your Confluence site. You can create pages for almost anything, from project plans to meeting notes, troubleshooting guides, SOPs, policies, and more. Use the <em>Presenter mode</em> option from More actions (&#8230;) of a published page to present it in full screen. Pages are stored in spaces, i.e., the workspaces where you can collaborate on work and keep all your content organized. It’s best to group related content together in the same space, but you can create as many or as few spaces as your team needs. Organize space content with a hierarchical page tree that makes finding work quick and easy. The page history helps you understand the number of changes made by users within a specific period of time. In addition, you can create a completely centralized content repository by hyperlinking the various pages.</p>



<h3 class="wp-block-heading">Macros</h3>



<p>Using macros helps you to extend the capabilities of your Confluence pages and live docs, allowing you to add extra functionality or include dynamic content. Typing &#8220;/&#8221; opens a list of available macros, allowing you to quickly search and insert them into a page without navigating through the toolbar. I will list a few of the macros that I have come across as follows.</p>



<ul class="wp-block-list">
<li>Table of contents 
<ul class="wp-block-list">
<li>An automated table of contents can be built into Confluence pages. The macro automatically picks up the contents based on the headings within a page.</li>
</ul>
</li>



<li>Status
<ul class="wp-block-list">
<li>The Status macro displays a colored rounded box that is useful for reporting the status of a page, project, or task. It&#8217;s a simple yet effective way to communicate progress, priority, or any other relevant status information. </li>
</ul>
</li>



<li>Roadmap planner
<ul class="wp-block-list">
<li>Add the Roadmap Planner macro to a page to&nbsp;create a simple, visual timeline&nbsp;that&#8217;s useful for planning projects, releases and much more. It&#8217;s a simple yet effective way to represent upcoming plans with lanes, bars, and markers.</li>
</ul>
</li>



<li>Quote
<ul class="wp-block-list">
<li>The Quote macro adds weight and credibility to your words&nbsp;with a visual cue, such as a vertical line on the left margin and a change in font color.</li>
</ul>
</li>



<li>Change history
<ul class="wp-block-list">
<li>The Change history macro&nbsp;shows the history of updates made to a page. The information displayed is the <em>version number, date and comment (author)</em>. It displays the information inline.</li>
</ul>
</li>



<li>Date
<ul class="wp-block-list">
<li>With the Date macro and the integrated date picker in an appealing calendar view, the current date or any other date can be quickly selected and integrated into pages.</li>
</ul>
</li>



<li>Anchor links
<ul class="wp-block-list">
<li>The anchor link macro allows you to hyperlink to a specific part of a page or live doc so that a reader can jump directly to that section upon selecting it. These can be especially useful for allowing your readers to navigate to specific parts of a long document. Anchor links are invisible to the reader when on a page in view-only mode. This macro is used in combination with the link macro. The anchor link is set to a particular name that will be input to the link macro section with the # prefix and the display text. The display text will be visible to the reader. When the visible text is clicked, the reader will be taken to the part of the page where the anchor link is set and is invisible.</li>
</ul>
</li>



<li>Decision
<ul class="wp-block-list">
<li>This macro gives you a nice and quick way to format and highlight any important decisions taken, especially during meetings. This macro adds some nice formatting and allows you to create decision reports. Starting your meetings with a review of past decisions and action items can make a huge difference.</li>
</ul>
</li>



<li>Excel/Word/ppt/pdf
<ul class="wp-block-list">
<li>Embed Excel, Word, PPT or PDF files with the respective macros. To use any of these files, upload it using the <code>image</code> macro and select the file. Then use the respective file type macro as above to display it.</li>
</ul>
</li>



<li>Chart 
<ul class="wp-block-list">
<li>The Chart macro allows you to display a chart based on tabular data. You can edit the macro parameters in the macro browser to configure the format of the chart.</li>
</ul>
</li>
</ul>



<h3 class="wp-block-heading">Formatting toolbar &amp; Content status</h3>



<p>The formatting toolbar provides tools to format and color/highlight page content, create lists and tables, indent and align text, and insert other content into the page such as symbols, links, images, multimedia files, and macros. If a space admin allows statuses in a space, you can add or change them at the top of your content when editing. That means anyone with edit permissions can set the content status, choosing from the suggested options defined by the space admin or creating your own. Assign a status to your content to help set clear expectations for viewers and collaborators when they visit a page, live doc, or blog post.</p>



<h3 class="wp-block-heading">Comments &amp; Labels</h3>



<p>For a page that is being prepared, you can use the comments feature to highlight the text and address the concerned team member with your comments. You can add comments to content while you&#8217;re editing it or viewing it in published status.</p>



<p>Labels are keywords that you can add to pages, live docs, and attachments to make them easier to group and find. For example, you could add the <em>operations</em> label to all pages related to operational activities. That would allow you to easily see, display, and search for related pages. It is handy for finding content across spaces if labels are consistently used. Labels are not only important to search results but can be extremely beneficial in dealing with certain macros. Since labels provide Confluence with another way of grouping information, you can use macros like <code>Filter by label</code> or the <code>Labels list</code> for more functionality and to easily navigate between content by looking for a topic or other articles if one does not meet your requirements. The <code>Popular Labels</code> macro can be used to generate the heat map of the most popular labels.</p>



<h3 class="wp-block-heading">Whiteboard</h3>



<p>Whether you&#8217;re brainstorming, planning projects, having a sprint retrospective or mapping out strategies, whiteboards provide a flexible canvas for collaboration. Use existing templates, sticky notes, shapes and connectors to visualize your thoughts and keep everyone on the same page. With real-time collaboration, your team can contribute simultaneously, making it easy to capture everyone&#8217;s input. Use a timer if you want to limit the sessions like in a retrospective.</p>



<p>If you have both a Confluence and a <a href="https://sampathblogs.online/2024/06/navigating-jira-from-basics-to-advanced/" data-type="link" data-id="https://sampathblogs.online/2024/06/navigating-jira-from-basics-to-advanced/">Jira</a> app in your Cloud site, you can seamlessly track project updates across both tools and create Jira work items without leaving the Confluence content you&#8217;re working on. To display a list of Jira work items on a Confluence page, use the <code>Jira work items</code> macro. Display a single work item, a list of work items, or show the total number of work items using separate macros. The simplest way to add a Jira work item to Confluence is to paste a Jira URL on a Confluence page or doc.</p>



<p><strong>Further Reading:</strong></p>



<ul class="wp-block-list">
<li><a href="https://sampathblogs.online/2025/05/jira-data-visualization/">Jira Data Visualization: A Guide to Effective Dashboards</a></li>



<li><a href="https://sampathblogs.online/2024/12/streamline-your-workflow-with-jira-kanban-boards/">Streamline Your Workflow with Jira Kanban Boards</a></li>



<li><a href="https://sampathblogs.online/2024/10/jira-service-management-forms-enhancing-user-experience/">Jira Service Management Forms: Enhancing User Experience</a></li>



<li><a href="https://sampathblogs.online/2018/04/getting-started-with-excel-macros/">Getting started with Excel Macros</a></li>



<li><a href="https://sampathblogs.online/2025/02/power-query-tips-tricks/">Power Query Tips &amp; Tricks</a></li>
</ul>
]]></content:encoded>
					
					<wfw:commentRss>https://sampathblogs.online/2025/07/a-guide-to-confluence-essentials-pages-macros-and-more/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Launch a Webserver on Azure : A Step by Step Guide</title>
		<link>https://sampathblogs.online/2021/02/launch-a-webserver-on-azure-a-step-by-step-guide/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=launch-a-webserver-on-azure-a-step-by-step-guide</link>
					<comments>https://sampathblogs.online/2021/02/launch-a-webserver-on-azure-a-step-by-step-guide/#respond</comments>
		
		<dc:creator><![CDATA[mail2sampath]]></dc:creator>
		<pubDate>Wed, 24 Feb 2021 23:25:06 +0000</pubDate>
				<category><![CDATA[Technical]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[IT Infrastructure Service]]></category>
		<guid isPermaLink="false">https://sampathblogs.online/?p=2549</guid>

					<description><![CDATA[In this blog post I will be taking you through a step-by-step procedure on how to create a virtual machine, webserver and connect to the internet. The below block diagram depicts the overall picture of the final implementation.... <a class="more-link" href="https://sampathblogs.online/2021/02/launch-a-webserver-on-azure-a-step-by-step-guide/">Continue Reading &#8594;</a>]]></description>
										<content:encoded><![CDATA[
<p>In this blog post I will be taking you through a step-by-step procedure on how to create a virtual machine, turn it into a webserver and connect it to the internet. The block diagram below depicts the overall picture of the final implementation.</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img fetchpriority="high" decoding="async" width="499" height="368" src="https://sampathblogs.online/wp-content/uploads/2021/02/blkdia.png" alt="" class="wp-image-2577" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/blkdia.png 499w, https://sampathblogs.online/wp-content/uploads/2021/02/blkdia-300x221.png 300w" sizes="(max-width: 499px) 100vw, 499px" /></figure></div>



<h3 class="wp-block-heading">Procedure</h3>



<p>Since we will be launching the web server on Azure cloud, the first step is to log in to the Azure <a href="https://portal.azure.com/">portal</a>. The subscription that we will be using to log in is Free Trial. You can create your own free trial subscription that provides you with 12 months of popular free services, a credit to explore any Azure service for 30 days, and more than 25 services that are always free.</p>



<h4 class="wp-block-heading">Step 1 : Create a Virtual Machine, Vnet, Subnet</h4>



<figure class="wp-block-image alignwide size-large"><img decoding="async" width="1024" height="217" src="https://sampathblogs.online/wp-content/uploads/2021/02/azure-1024x217.jpg" alt="" class="wp-image-2581" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/azure-1024x217.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2021/02/azure-300x63.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/azure-768x163.jpg 768w, https://sampathblogs.online/wp-content/uploads/2021/02/azure-600x127.jpg 600w, https://sampathblogs.online/wp-content/uploads/2021/02/azure-945x200.jpg 945w, https://sampathblogs.online/wp-content/uploads/2021/02/azure.jpg 1219w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p>In order to create a Virtual Machine (VM), you need to click on the Virtual machines icon under Azure services as shown in the above homepage of the Azure portal. In the next screen, you need to click on either the <strong><em>Add </em></strong>button at the top or the <strong><em>Create virtual machine</em></strong> button at the center to get started with the creation of the VM.</p>



<figure class="wp-block-image alignwide size-large"><img decoding="async" width="1024" height="559" src="https://sampathblogs.online/wp-content/uploads/2021/02/vm1-1024x559.jpg" alt="" class="wp-image-2582" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vm1-1024x559.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2021/02/vm1-300x164.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/vm1-768x419.jpg 768w, https://sampathblogs.online/wp-content/uploads/2021/02/vm1-600x327.jpg 600w, https://sampathblogs.online/wp-content/uploads/2021/02/vm1-945x516.jpg 945w, https://sampathblogs.online/wp-content/uploads/2021/02/vm1.jpg 1288w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p>In the <strong><em>Create a virtual machine</em></strong> screen as shown above, under the Basics tab, enter all the necessary information. Since ours is a Free Trial, select Free Trial for the <em>Subscription</em>, create a new <em>Resource group</em> by clicking on Create new under the Resource group box and enter an appropriate department name. For our trial case we have named it Temporary. Further down, the <em>administrator account</em> login details and the <em>inbound port rules</em> (RDP) to the VM need to be set. Enter the other details as shown above. Once done, click on the <strong><em>Next : Disks</em></strong> button at the bottom to move to the next tab, i.e., Disks. Enter the information as shown above.</p>



<figure class="wp-block-image alignwide size-large"><img loading="lazy" decoding="async" width="1024" height="566" src="https://sampathblogs.online/wp-content/uploads/2021/02/vmx2-1024x566.jpg" alt="" class="wp-image-2586" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vmx2-1024x566.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2021/02/vmx2-300x166.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/vmx2-768x425.jpg 768w, https://sampathblogs.online/wp-content/uploads/2021/02/vmx2-600x332.jpg 600w, https://sampathblogs.online/wp-content/uploads/2021/02/vmx2-945x523.jpg 945w, https://sampathblogs.online/wp-content/uploads/2021/02/vmx2.jpg 1264w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p>After entering the Disks tab information, we are now in the Networking tab. Here we can select the information for the Virtual network (Vnet), but as we have not created any, let us go with the default one created. In order to create a new Vnet, basic information like the address range of the Vnet and the address range of the subnet within the Vnet would be needed. Since we are going with the default Vnet, we will also go ahead with the default Subnet and the Public IP required to connect to the internet. The NIC network security group / firewall is set to basic and appropriate rules will be set for the inbound RDP. Now click on the <strong><em>Next : Management</em></strong> button at the bottom to move to the Management tab and enter the necessary information as shown above.</p>



<figure class="wp-block-image alignwide size-large"><img loading="lazy" decoding="async" width="1024" height="594" src="https://sampathblogs.online/wp-content/uploads/2021/02/vmx3-1024x594.jpg" alt="" class="wp-image-2589" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vmx3-1024x594.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2021/02/vmx3-300x174.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/vmx3-768x446.jpg 768w, https://sampathblogs.online/wp-content/uploads/2021/02/vmx3-600x348.jpg 600w, https://sampathblogs.online/wp-content/uploads/2021/02/vmx3-945x548.jpg 945w, https://sampathblogs.online/wp-content/uploads/2021/02/vmx3.jpg 1189w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p>Under the Advanced tab, the Extensions are a means to install clients on the VM like Antimalware. The next tab, Tags, is mainly for charging and bill back so that others can know who/which department owns the VM. Click next to start the validation process, which may take a minute or more to complete. The same is depicted in the picture below as &#8220;Validation passed&#8221;.</p>



<figure class="wp-block-image alignwide size-large"><img loading="lazy" decoding="async" width="1024" height="537" src="https://sampathblogs.online/wp-content/uploads/2021/02/vm7x-1024x537.jpg" alt="" class="wp-image-2592" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vm7x-1024x537.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2021/02/vm7x-300x157.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/vm7x-768x403.jpg 768w, https://sampathblogs.online/wp-content/uploads/2021/02/vm7x-600x315.jpg 600w, https://sampathblogs.online/wp-content/uploads/2021/02/vm7x-945x496.jpg 945w, https://sampathblogs.online/wp-content/uploads/2021/02/vm7x.jpg 1172w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p>Once the validation is complete, you can create a VM by clicking on the <strong><em>Create </em></strong>button at the bottom of the page. The above screen shows up displaying &#8220;Your deployment is complete&#8221; once the creation of the VM is complete, which may take up to 4 to 5 minutes. The deployment details list all the deployments like the VM, virtual network, public IP etc.</p>



<h4 class="wp-block-heading">Step 2 : Logon to the VM</h4>



<p>Navigate to the <em>Azure Home screen &gt; Virtual Machines</em>, which will provide a list of the VMs created. Since we have just created a single VM, click on <em>VMweb01</em>, which will take you to the following screen. In order to connect to the VM, we need to launch the RDP client. Just type in &#8220;mstsc&#8221; in the start menu and press enter to launch the following window. You need to type the public IP address of the VM here, which is marked on the right. Once you click on <strong><em>Connect</em></strong>, the pop up to enter your VM credentials should show up. Type your account user name and password to connect to the virtual machine and load your profile.</p>



<figure class="wp-block-image alignwide size-large"><img loading="lazy" decoding="async" width="1024" height="412" src="https://sampathblogs.online/wp-content/uploads/2021/02/vm11x-1024x412.jpg" alt="" class="wp-image-2594" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vm11x-1024x412.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2021/02/vm11x-300x121.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/vm11x-768x309.jpg 768w, https://sampathblogs.online/wp-content/uploads/2021/02/vm11x-600x242.jpg 600w, https://sampathblogs.online/wp-content/uploads/2021/02/vm11x-945x381.jpg 945w, https://sampathblogs.online/wp-content/uploads/2021/02/vm11x.jpg 1070w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<h4 class="wp-block-heading">Step 3 : Upgrade VM to a Web Server</h4>



<p>In order to make a web server from the VM, you need to install the web server components. The component is called IIS on a Windows machine, and Apache/Tomcat on a Linux machine. Click on the <em>Server Manager</em> icon next to the start icon on your VM, which will open the following window. Click on the <strong><em>Add roles and features</em></strong> item from the list below to open the wizard.</p>



<figure class="wp-block-image alignwide size-large"><img loading="lazy" decoding="async" width="865" height="447" src="https://sampathblogs.online/wp-content/uploads/2021/02/vm12x.jpg" alt="" class="wp-image-2596" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vm12x.jpg 865w, https://sampathblogs.online/wp-content/uploads/2021/02/vm12x-300x155.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/vm12x-768x397.jpg 768w, https://sampathblogs.online/wp-content/uploads/2021/02/vm12x-600x310.jpg 600w" sizes="auto, (max-width: 865px) 100vw, 865px" /></figure>



<p>Read through the contents and click next, then select the Web Server (IIS) item during the <em>Server Roles</em> stage of the wizard. Keep clicking next until you reach the final step, where you need to click install. Once the installation is complete, your VM can be called a Web server.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="803" height="569" src="https://sampathblogs.online/wp-content/uploads/2021/02/vm13x.jpg" alt="" class="wp-image-2597" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vm13x.jpg 803w, https://sampathblogs.online/wp-content/uploads/2021/02/vm13x-300x213.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/vm13x-768x544.jpg 768w, https://sampathblogs.online/wp-content/uploads/2021/02/vm13x-600x425.jpg 600w" sizes="auto, (max-width: 803px) 100vw, 803px" /></figure>



<h4 class="wp-block-heading">Step 4 : Verify the Web Server</h4>



<p>Now that we are ready with the web server, the next step would be to verify the access locally within the VM and from the internet. In order to verify the access locally within the VM, open the IE browser and type in &#8220;http://localhost/&#8221;, that should open the default page as shown below. This means that the local IIS services are running properly.</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="755" height="297" src="https://sampathblogs.online/wp-content/uploads/2021/02/vm13b.jpg" alt="" class="wp-image-2600" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vm13b.jpg 755w, https://sampathblogs.online/wp-content/uploads/2021/02/vm13b-300x118.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/vm13b-600x236.jpg 600w" sizes="auto, (max-width: 755px) 100vw, 755px" /></figure></div>



<p>The next step would be to verify the access from the internet. Minimize the RDP session to go back to the main PC and launch the browser. Here the above http link will not work, as that is used locally within the VM. Now we need to type in the public IP address of the VM, i.e., &#8220;http://40.74.77.83&#8221;, and connect through port 80 (http). However, this will not work as we had opened the port in security groups for RDP (3389) access and not for http (80) access. Now we need to open the necessary port on the VM. Navigating to the <em>Azure portal home&gt; Virtual machines&gt; VMweb01 &#8211; Networking</em> will open the following window.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="972" height="464" src="https://sampathblogs.online/wp-content/uploads/2021/02/vmport-80x.jpg" alt="" class="wp-image-2601" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vmport-80x.jpg 972w, https://sampathblogs.online/wp-content/uploads/2021/02/vmport-80x-300x143.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/vmport-80x-768x367.jpg 768w, https://sampathblogs.online/wp-content/uploads/2021/02/vmport-80x-600x286.jpg 600w, https://sampathblogs.online/wp-content/uploads/2021/02/vmport-80x-945x451.jpg 945w" sizes="auto, (max-width: 972px) 100vw, 972px" /></figure>



<p>As you can see in the first row of the above picture, the <em>inbound port rule</em> for RDP (3389) was already set. The <em>outbound port rules</em> from the VM to the internet are open by default. Inbound rules are more restrictive in nature. Our next objective is to add port 80. Click on the <strong><em>Add Inbound port rule</em></strong> button to enter the information like port range, source, destination, protocol etc. and <em><strong>Add </strong></em>the port. As per the final setting shown in the above picture, any website from any destination will be allowed on port 80 on any protocol. Now on your browser, refresh the earlier page with the &#8220;http://40.74.77.83&#8221; address, which should display the default IIS page.</p>



<h4 class="wp-block-heading">Step 5 : Customize the Web Server</h4>



<p>When you install the web server component on the VM, you will have certain folders created under the C drive (Ex: &#8220;C:\Windows\inetpub\wwwroot\&#8221;). When somebody tries to access the public IP, they will be connecting to the file <em>iisstart.html</em> under the <em>wwwroot </em>folder. We can either customize the earlier <em>html </em>page or put our own page here and name it <em>index.html</em> as shown below. Open the page to write your own html content or enter simple text. <strong>NOTE</strong> : Check <em>View&gt;File name extensions</em> to display the file extensions and change it.</p>



<figure class="wp-block-image alignwide size-large"><img loading="lazy" decoding="async" width="966" height="365" src="https://sampathblogs.online/wp-content/uploads/2021/02/vm15x.jpg" alt="" class="wp-image-2604" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vm15x.jpg 966w, https://sampathblogs.online/wp-content/uploads/2021/02/vm15x-300x113.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/vm15x-768x290.jpg 768w, https://sampathblogs.online/wp-content/uploads/2021/02/vm15x-600x227.jpg 600w, https://sampathblogs.online/wp-content/uploads/2021/02/vm15x-945x357.jpg 945w" sizes="auto, (max-width: 966px) 100vw, 966px" /></figure>



<p>Since I have input the simple text &#8220;sampath here&#8221; inside the above file, the same is displayed as shown below. One more point to note is that the local host is pointing to the new file <em>index.html</em> created earlier.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="704" height="240" src="https://sampathblogs.online/wp-content/uploads/2021/02/vm16x.jpg" alt="" class="wp-image-2605" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vm16x.jpg 704w, https://sampathblogs.online/wp-content/uploads/2021/02/vm16x-300x102.jpg 300w, https://sampathblogs.online/wp-content/uploads/2021/02/vm16x-600x205.jpg 600w" sizes="auto, (max-width: 704px) 100vw, 704px" /></figure>



<p>A similar operation needs to be performed on the main PC by minimizing the RDP session. Refresh the earlier browser with the &#8220;http://40.74.77.83&#8221; address, which will take you to the <em>index.html</em> file. The same is displayed in the figure below.</p>



<figure class="wp-block-image alignwide size-large"><img loading="lazy" decoding="async" width="487" height="106" src="https://sampathblogs.online/wp-content/uploads/2021/02/vm17x.jpg" alt="" class="wp-image-2606" srcset="https://sampathblogs.online/wp-content/uploads/2021/02/vm17x.jpg 487w, https://sampathblogs.online/wp-content/uploads/2021/02/vm17x-300x65.jpg 300w" sizes="auto, (max-width: 487px) 100vw, 487px" /></figure>



<p><strong>Further Reading :</strong></p>



<ul class="wp-block-list"><li><a href="https://sampathblogs.online/2021/02/microsoft-azure-fundamentals-an-overview">Microsoft Azure Fundamentals : An Overview</a></li><li><a href="https://sampathblogs.online/2020/09/launch-a-web-server-on-aws-cloud/">Launch a Web Server on AWS Cloud</a></li><li><a href="https://sampathblogs.online/2020/09/launch-a-db-server-and-interact-with-your-db-on-aws-cloud/">Launch a DB Server and Interact with your DB on AWS Cloud</a></li><li><a href="https://sampathblogs.online/2020/04/an-introduction-to-aws-cloud-apn/">An Introduction to AWS Cloud &amp; APN</a></li><li><a href="https://sampathblogs.online/2020/06/an-introduction-to-oci-cloud-operations/">An Introduction to OCI Cloud Operations</a></li></ul>
]]></content:encoded>
					
					<wfw:commentRss>https://sampathblogs.online/2021/02/launch-a-webserver-on-azure-a-step-by-step-guide/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Microsoft Azure Fundamentals : An Overview</title>
		<link>https://sampathblogs.online/2021/02/microsoft-azure-fundamentals-an-overview/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=microsoft-azure-fundamentals-an-overview</link>
					<comments>https://sampathblogs.online/2021/02/microsoft-azure-fundamentals-an-overview/#respond</comments>
		
		<dc:creator><![CDATA[mail2sampath]]></dc:creator>
		<pubDate>Wed, 24 Feb 2021 23:05:05 +0000</pubDate>
				<category><![CDATA[Technical]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[IT Infrastructure Service]]></category>
		<guid isPermaLink="false">https://sampathblogs.online/?p=2405</guid>

					<description><![CDATA[Recently i obtained the AZ-900: Microsoft Azure Fundamentals Certification. In this blog post i will be writing in brief about my learning on the topic. Azure Architectural Components First and foremost thing is let us learn the organizing structure for... <a class="more-link" href="https://sampathblogs.online/2021/02/microsoft-azure-fundamentals-an-overview/">Continue Reading &#8594;</a>]]></description>
										<content:encoded><![CDATA[
<p>Recently I obtained the AZ-900: Microsoft Azure Fundamentals Certification. In this blog post I will be writing in brief about my learning on the topic.</p>



<h3 class="wp-block-heading"><strong>Azure Architectural Components</strong></h3>



<p>First, let us learn the organizing structure for resources. The top-down hierarchy has four levels for organizing Azure resources: management groups, subscriptions, resource groups, and resources.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="4184" height="2944" src="https://sampathblogs.online/wp-content/uploads/2021/01/orgchart.png" alt="" class="wp-image-2482" srcset="https://sampathblogs.online/wp-content/uploads/2021/01/orgchart.png 4184w, https://sampathblogs.online/wp-content/uploads/2021/01/orgchart-300x211.png 300w" sizes="auto, (max-width: 4184px) 100vw, 4184px" /></figure>



<ul class="wp-block-list"><li><strong>Resources</strong>: Resources are instances of services that you create, like virtual machines, storage, or SQL databases.</li><li><strong>Resource groups</strong>: A resource group collects the resources (VMs, web apps, databases) of a business group, a department, or an application so that they can be managed effectively. Every Azure resource that you create must have a resource group associated with it. This helps with metering and billing, applying policies, monitoring, assigning quotas, granting access control permissions, etc.</li><li><strong>Subscriptions</strong>: A subscription groups together user accounts and the resources that have been created by those user accounts. For each subscription, there are limits or quotas on the amount of resources that you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.</li><li><strong>Management groups</strong>: These groups help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group. For example, you can limit VM creation in a particular region by applying policies to the management groups in the region.</li></ul>



<h4 class="wp-block-heading"><strong>Resource Manager</strong></h4>



<p>Resource Manager is the management layer responsible for the deployment and management of services, whether they are deployed through the Azure Portal, CLI, PowerShell, or a client SDK. The management layer enables you to create, update, and delete resources in your Azure account. Features like access control, locks, and tags, which secure and organize your resources after deployment, are also supported.</p>



<h4 class="wp-block-heading"><strong>Azure Regions, Availability Zones and Availability Sets</strong></h4>



<p>A <strong>region </strong>is a geographical area on the planet that contains at  least one but potentially multiple datacenters that are nearby and networked together with a low-latency network. The number of current Azure regions across the globe is 42 and 12 more are planned, which is more than any other major cloud provider. </p>



<p>Azure has <strong>specialized regions</strong> that you might want to use when you build out your applications for compliance or legal purposes. A few examples are, US DoD Central, US Gov Virginia, US Gov Iowa, China East and North, Germany Central and North-east, etc.</p>



<p><strong>Availability zones</strong> are physically separate datacenters within an Azure  region. Each availability zone is made up of one or more datacenters  equipped with independent power, cooling, and networking. An  availability zone is set up to be an <em>isolation boundary</em>. If one zone goes down, the other continues working providing <em>high availability</em>. Availability zones are  connected through high-speed, private fiber-optic networks.</p>



<p>There is a minimum of three availability zones in a single region. It&#8217;s possible that a large disaster could cause an outage big enough to affect even two datacenters. That&#8217;s why Azure also creates <strong>region pairs</strong>. Each Azure region is always paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away. This approach allows for the replication of resources across a geography that might be helpful during a huge disaster.</p>



<p>If you want to run a VM-based workload in a single Azure region, the way to achieve improved availability is to use an <strong>Availability Set</strong>. An Availability Set improves the availability of a Virtual Machine (VM) by deploying multiple copies of the VM as a group. The Azure management plane then places the VMs so that the hosted workloads (e.g., a VM-based app) are resilient across Azure updates and faults. When you create a VM and define an Availability Set, the Azure management plane ensures that each VM instance is deployed to different Fault and Update Domains, thus promoting high availability.</p>



<h3 class="wp-block-heading">Core Azure Services</h3>



<p>The most commonly used services of Azure include compute, network, storage, and database. Other services are Web, IoT, Big Data and analysis, AI, DevOps etc. </p>



<p>Once you log in to the Azure <a href="https://portal.azure.com/">portal</a>, you will be directed to the home screen as follows. The home screen shows a list of resources that are part of various services. If you want to view the resources by service name, click on &#8220;Create a resource&#8221;, which will take you to the below screen. Here you can click on any service name at the left to view all the resources under it. To create a resource, click on any resource icon in the list. One more method to create a resource is to click on the resource icon directly in the upper screen and enter the necessary information.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="774" height="628" src="https://sampathblogs.online/wp-content/uploads/2021/01/abc.png" alt="" class="wp-image-2501" srcset="https://sampathblogs.online/wp-content/uploads/2021/01/abc.png 774w, https://sampathblogs.online/wp-content/uploads/2021/01/abc-300x243.png 300w, https://sampathblogs.online/wp-content/uploads/2021/01/abc-768x623.png 768w, https://sampathblogs.online/wp-content/uploads/2021/01/abc-600x487.png 600w" sizes="auto, (max-width: 774px) 100vw, 774px" /></figure>



<h4 class="wp-block-heading"><strong>Azure Compute Services</strong></h4>



<p>Azure compute is an on-demand computing service for running cloud-based applications. It provides computing resources such as disks, processors, memory, networking, and operating systems. You pay only for the resources you use, and only for as long as you&#8217;re using them. A few of the prominent compute services are as follows.</p>



<ul class="wp-block-list"><li>Azure Virtual Machines</li></ul>



<p>Virtual machines are software emulations of physical computers. They  include a virtual processor, memory, storage, and networking resources.  VMs host an operating system, and you can install and run software just  like a physical computer. With Azure, you can create and use VMs in the cloud. When you need total control over an operating system and environment, VMs are an ideal choice.</p>



<ul class="wp-block-list"><li>Azure Container Instances</li></ul>



<p>Containers are becoming the preferred way to package, deploy, and manage cloud applications. Containers offer significant startup benefits over virtual machines  (VMs). Azure Container Instances can start containers in Azure in seconds, without the need to provision and manage VMs. Azure Container Instances is a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. For complex scenarios,  Azure Kubernetes Service is the solution.</p>



<ul class="wp-block-list"><li>Azure Function App (or <em>serverless computing</em>)</li></ul>



<p>This is ideal when you&#8217;re concerned only about the code running your service and not the underlying platform or infrastructure. They&#8217;re commonly used when you need to perform work in response to an event, timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less. The cloud provider manages the underlying infrastructure. One other example of serverless computing is Azure Logic App.</p>



<h4 class="wp-block-heading"><strong>Azure Storage Services</strong></h4>



<p>Core storage services offer a massively scalable object store for data objects, disk storage for Azure virtual machines (VMs), a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store.</p>



<ul class="wp-block-list"><li>Azure Blob</li></ul>



<p>It is an object storage solution for the cloud. It can store massive  amounts of data, such as text or binary data. Azure Blob Storage is unstructured, meaning that there are no restrictions on the kinds of  data it can hold. It is highly scalable and powerful.</p>



<ul class="wp-block-list"><li>Azure Disks</li></ul>



<p>It provides disks for Azure virtual machines. Applications and other services can access and use these disks as needed, similar to how they  would in on-premises scenarios. Disk Storage allows data to be  persistently stored and accessed from an attached virtual hard disk. </p>



<ul class="wp-block-list"><li>Azure Files</li></ul>



<p>It offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) and Network File System  (preview) protocols. These are managed file shares for cloud or on-premises deployments. Applications running in Azure virtual machine/s or cloud services can mount a file storage share to access file data, just as a desktop application would mount a typical SMB share. </p>



<ul class="wp-block-list"><li>Azure Queues</li></ul>



<p>A messaging store for reliable messaging between application components. It is used to store and retrieve messages. Queue messages can be up to 64 KB in size, and a queue can contain millions of messages. Queues are generally used to store lists of messages to be processed  asynchronously.</p>



<ul class="wp-block-list"><li>Azure Tables</li></ul>



<p>It is a service that stores non-relational structured data (also known as structured NoSQL data) in the cloud, providing a key/attribute store with a schemaless design. Because table storage is schemaless, it&#8217;s easy to adapt your data as the needs of your application evolve. On the Azure Portal, the NoSQL table can be created, but data can be pumped in only through PowerShell, the REST API, etc.</p>



<ul class="wp-block-list"><li> Azure Archive Storage</li></ul>



<p>It provides a storage facility for data that is rarely accessed. Azure Archive Storage offers low-cost, durable, and highly available secure cloud storage for rarely accessed data with flexible latency  requirements.</p>



<h4 class="wp-block-heading"><strong>Azure Networking Services</strong></h4>



<p>Azure Networking services provide several capabilities to connect and manage your cloud resources securely. Azure networking by virtue of its various networking capabilities offers customers and users a delightful experience by patching cloud and/or on-premises infrastructure and services. A few of the core networking resources in Azure are as follows.</p>



<ul class="wp-block-list"><li>Azure Virtual Network (VNet)</li></ul>



<p>VNet enables Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the  internet, and with your on-premises client computers. VNet is similar to a traditional network that you&#8217;d operate in your own data center, but brings with it additional benefits of Azure&#8217;s  infrastructure such as scale, availability, and isolation.</p>



<ul class="wp-block-list"><li>Azure Virtual Private Network (VPN) Gateway</li></ul>



<p>A VPN is a type of private interconnected network, deployed to connect two or more trusted private networks to one another over an untrusted network, i.e., the public internet. A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between Azure virtual networks or between an Azure virtual network and an on-premises location over the public Internet.</p>



<ul class="wp-block-list"><li>Azure Load Balancer</li></ul>



<p>An Azure load balancer is a Layer-4 (TCP, UDP) load balancer that  provides high availability by distributing incoming traffic among  healthy VMs. A load balancer health probe monitors a given port on each VM and only distributes traffic to an operational VM. You define a front-end IP configuration that contains one or more public IP addresses. This allows your load balancer and applications to be accessible over the internet. Virtual machines connect to a load balancer using their virtual network interface card (NIC). </p>



<ul class="wp-block-list"><li>Azure Application Gateway</li></ul>



<p>Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at OSI layer 4 and route traffic based on source IP address and port to a destination IP address and port. Application Gateway, however, operates at OSI layer 7, the application layer. Application Gateway can make routing decisions based on additional attributes of an HTTP request, i.e., URL-based routing and more.</p>



<ul class="wp-block-list"><li>Azure Traffic Manager</li></ul>



<p>It is a DNS-based traffic load balancer. This service  allows you to distribute traffic to your public facing applications across the global Azure regions. Traffic Manager also provides your  public endpoints with high availability and quick responsiveness. Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different application needs and automatic failover models. Traffic Manager is resilient to failure, including the failure of an entire Azure region.</p>



<ul class="wp-block-list"><li>Azure Content Delivery Networks (CDNs)</li></ul>



<p>A CDN can significantly speed up the delivery of assets on a web site. It is a network of web servers that cache website content in different geographical locations. It helps to minimize latency by caching website content at point-of-presence  (POP) locations that are close to large clusters of users.</p>



<h4 class="wp-block-heading"><strong>Azure Database Services</strong></h4>



<p>Azure offers a choice of fully managed relational, NoSQL, and in-memory  databases, spanning proprietary and open-source engines, to fit the  needs of modern app developers. Infrastructure management—including  scalability, availability, and security—is automated, saving you time and money. You can find a list of the most used database services as follows.</p>



<ul class="wp-block-list"><li>Azure Cosmos DB</li></ul>



<p>Azure Cosmos DB is a globally distributed, multi-model database service. You can elastically and independently scale throughput and storage   across any number of Azure regions worldwide. Cosmos DB supports schema-less data, which lets you build highly responsive and &#8220;Always On&#8221; applications to support constantly changing  data. You can use this feature to store data that&#8217;s updated and maintained by users around the world. Cosmos DB provides comprehensive service level agreements for throughput, latency, availability, and consistency guarantees.</p>



<ul class="wp-block-list"><li>Azure SQL Database</li></ul>



<p>Azure SQL Database being a relational DB is a platform as a service (PaaS) database engine. It  handles most of the database management functions, such as upgrading,  patching, backups, and monitoring, without user involvement. SQL  Database provides 99.99 percent availability. You can use it to build data-driven applications and websites in the  programming language of your choice, without needing to manage  infrastructure.</p>



<ul class="wp-block-list"><li>Azure SQL Managed Instance</li></ul>



<p>Azure SQL Managed Instance is a scalable cloud data service that  provides the broadest SQL Server database engine compatibility with all  the benefits of a fully managed platform as a service. Azure SQL Managed Instance is designed for customers looking to migrate a  large number of apps from an on-premises or IaaS, self-built environment to a fully managed PaaS cloud environment, with as  low a migration effort as possible. <em>Azure SQL Database</em> and <em>Azure SQL Managed Instance</em> offer many of the same  features; however, Azure SQL Managed Instance provides several options  that might not be available to Azure SQL Database. </p>



<ul class="wp-block-list"><li>Azure DB for MySQL</li></ul>



<p>Azure Database for MySQL is a relational database service in the cloud,  and it&#8217;s based on the MySQL Community Edition database engine, ver  5.6, 5.7, and 8.0. With it, you have a 99.99 percent availability service level agreement  from Azure, powered by a global network of Microsoft-managed datacenters. With every Azure Database for MySQL server, you take advantage of  built-in security, fault tolerance, HA, point in time restore and data protection that you would otherwise have to buy or design, build, and manage. </p>



<ul class="wp-block-list"><li>Azure DB for PostgreSQL</li></ul>



<p>It is a relational database service in the cloud. The server software is based on the community version of the open-source PostgreSQL database engine. Your familiarity with tools and expertise with PostgreSQL is applicable when you&#8217;re using Azure Database for PostgreSQL. Every Azure Database for PostgreSQL has benefits like HA, scaling up or down as needed within seconds, adjustable automatic backups and point in time restore, and enterprise grade security and compliance.</p>



<p>Before closing this section on core services, it is worth mentioning the big data and analysis services. Microsoft Azure supports a broad range of technologies and services to provide <strong>big data and analytic solutions</strong>, including Azure Synapse Analytics, Azure HDInsight, Azure Databricks, and Azure Data Lake Analytics.</p>



<h3 class="wp-block-heading">General Security and Network Security Features</h3>



<p>Many services on Azure include built-in security features. However, tools on Azure like Azure Security Center, Azure Sentinel, and Azure Key Vault ensure that all the systems of an organization meet a minimum level of security and that its information is protected against attacks.</p>



<ul class="wp-block-list"><li> Azure Security Center </li></ul>



<p><a href="https://azure.microsoft.com/en-us/services/security-center/">Azure Security Center</a> is a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises. Azure Security Center addresses the most urgent security challenges of rapidly changing workloads and increasingly sophisticated attacks. Azure Security Center assesses your environment and enables you to understand the status of your resources, and whether they are secure. It assesses your workloads and raises threat prevention recommendations and security alerts. Lastly, since Security Center is natively integrated, it provides auto provisioning and protection with Azure services.</p>



<ul class="wp-block-list"><li>Azure Sentinel</li></ul>



<p>Security management on a large scale can benefit from a dedicated security information and event management (SIEM) system that aggregates security data from many different sources. <a href="https://azure.microsoft.com/en-us/services/azure-sentinel/">Azure Sentinel</a> is Microsoft&#8217;s cloud-based SIEM system. It uses intelligent security analytics and threat analysis. Azure Sentinel enables you to collect data across all users, devices, applications, and infrastructure, both on-prem and from multiple clouds. Other features include investigation of threats with AI and rapid response to incidents through automation of common tasks.</p>



<ul class="wp-block-list"><li> Azure Key Vault</li></ul>



<p>Azure Key Vault is a centralized cloud service for storing an application&#8217;s secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. Key Vault makes it easier to create and control the encryption keys, provision and manage SSL/TLS certificates. </p>



<h4 class="wp-block-heading">Network Security Features</h4>



<p>Azure uses <em><strong>defense in depth</strong></em> to protect information and prevent it from being stolen by those who aren&#8217;t authorized to access it. You can visualize defense in depth as a set of layers, with the data to be secured at the center. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. It slows down an attack and provides alert telemetry that security teams can act upon, either automatically or manually. Azure provides security tools and features at every level of the defense-in-depth concept. Some of the tools/features are as follows.</p>



<ul class="wp-block-list"><li>Azure Firewall</li></ul>



<p>It is a managed, cloud-based network security service that helps protect resources in your Azure virtual networks. It analyzes the complete context of a network connection, not just an  individual packet of network traffic. Azure Firewall features high availability and unrestricted cloud scalability. </p>



<ul class="wp-block-list"><li>Azure Distributed Denial of Service (DDoS) Protection</li></ul>



<p>It helps protect your Azure resources from DDoS attacks. DDoS Protection identifies the attacker&#8217;s attempt to overwhelm the network and blocks further traffic from them, ensuring that traffic never reaches Azure resources. Legitimate traffic from customers still flows into Azure without any interruption of service. DDoS protection provides these two service tiers, namely, <em><strong>Basic service tier</strong></em> and <em><strong>Standard service tier</strong></em>. The basic tier is automatically enabled for free as part of your Azure subscription. It ensures that Azure infrastructure itself is not affected during a large-scale DDoS attack. The Standard service tier provides additional mitigation capabilities. Here, protection policies are tuned through dedicated traffic monitoring and machine learning algorithms.</p>



<ul class="wp-block-list"><li>Network Security Groups (NSG)</li></ul>



<p>Azure Firewall and Azure DDoS Protection can help control what traffic can come from outside sources, while NSGs help protect your internal networks on Azure. A network security group enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.</p>
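
<p>The rule filtering described above, as an added example that is not part of the original post: a simplified Python model of inbound NSG evaluation that flags management ports (RDP, SSH) left reachable from any source. The rule sets and addresses are constructed, and the model relies on two Azure behaviours not stated on this page: rules are processed in ascending priority with the first match winning, and the default DenyAllInBound rule closes the list. Service tags and the other default rules are not modelled.</p>

```python
"""Simplified model of inbound NSG rule evaluation (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated first (custom rules use 100-4096)
    source: str        # CIDR prefix, or "*" for any address
    destination: str   # CIDR prefix, or "*" for any address
    port: str          # "80", "1000-2000", or "*"
    protocol: str      # "Tcp", "Udp", or "*"
    access: str        # "Allow" or "Deny"


# Default rule that ends every NSG's inbound list.
DENY_ALL_INBOUND = Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny")

# Management ports worth auditing for broad exposure.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Probe source from the TEST-NET-3 documentation range; stands in for
# "some arbitrary host on the internet".
PROBE_SOURCE = "203.0.113.10"


def _addr_matches(prefix, addr):
    if prefix == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return port in range(int(low), int(high or low) + 1)


def _proto_matches(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()


def evaluate_inbound(rules, src, dst, port, proto):
    """Return the first rule, in priority order, that matches the flow."""
    for rule in sorted([*rules, DENY_ALL_INBOUND], key=lambda r: r.priority):
        if (_addr_matches(rule.source, src)
                and _addr_matches(rule.destination, dst)
                and _port_matches(rule.port, port)
                and _proto_matches(rule.protocol, proto)):
            return rule
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


def _is_any_source(source):
    return source == "*" or ipaddress.ip_network(source).prefixlen == 0


def audit_management_exposure(rules, vm_ip):
    """List (label, port, rule name) for management ports open to any source."""
    findings = []
    for port, label in sorted(MANAGEMENT_PORTS.items()):
        hit = evaluate_inbound(rules, PROBE_SOURCE, vm_ip, port, "Tcp")
        if hit.access == "Allow" and _is_any_source(hit.source):
            findings.append((label, port, hit.name))
    return findings


# Constructed rule set: a web server VM at 10.0.0.4 with RDP open to everyone.
# The Deny-RDP rule never takes effect because priority 310 matches first.
SAMPLE_RULES = [
    Rule("Allow-HTTP", 300, "*", "10.0.0.4", "80", "Tcp", "Allow"),
    Rule("Allow-RDP-Any", 310, "*", "10.0.0.4", "3389", "Tcp", "Allow"),
    Rule("Deny-RDP", 400, "*", "*", "3389", "Tcp", "Deny"),
]

# Constructed hardened set: RDP limited to an admin range (documentation prefix).
HARDENED_RULES = [
    Rule("Allow-HTTP", 300, "*", "10.0.0.4", "80", "Tcp", "Allow"),
    Rule("Allow-RDP-Admin", 310, "198.51.100.0/24", "10.0.0.4", "3389", "Tcp", "Allow"),
]

if __name__ == "__main__":
    print("sample:  ", audit_management_exposure(SAMPLE_RULES, "10.0.0.4"))
    print("hardened:", audit_management_exposure(HARDENED_RULES, "10.0.0.4"))
```
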



<h3 class="wp-block-heading">Identity, Governance and Compliance Features</h3>



<p>With the rise of remote work, bring your own device (BYOD), mobile applications, and cloud applications, the primary security boundary has shifted from firewalls and physical access controls to <em>identity</em>. Understanding who is using your systems and what they have permission to do is critical to keeping your data safe from attackers. To stay organized, manage costs, and meet your compliance goals, you need a good cloud <em>governance </em>strategy.</p>



<ul class="wp-block-list"><li>  Azure Active Directory (Azure AD)</li></ul>



<p>Two fundamental concepts that you need to understand when talking about <strong>identity </strong>and access are <em>authentication</em> (AuthN) and <em>authorization</em> (AuthZ). Authentication is the process of establishing the identity of a person or service that wants to access a resource, whereas authorization is the process of establishing what level of access an authenticated person or service has.</p>



<p>Microsoft introduced AD in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems by using a single identity per user. Azure AD is Microsoft&#8217;s cloud-based identity and access management service. With Azure AD, you control the identity accounts, but Microsoft ensures that the service is available globally. When you connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost. Azure AD provides secure authentication through Multi-Factor Authentication and Conditional Access.</p>



<h4 class="wp-block-heading">Governance Strategy</h4>



<ul class="wp-block-list"><li>  Create and manage subscriptions</li></ul>



<p>Teams often start their Azure governance strategy at the subscription  level. There are three main aspects to consider when you create and manage subscriptions: <em>billing, access control,</em> and <em>subscription limits</em>. You can create one <strong>billing </strong>report per subscription. If you have multiple departments and need to do a &#8220;chargeback&#8221; of cloud costs, one possible solution is to organize subscriptions by department or by project. Resource tags can also help in this respect. You can find more about tags in the subsequent section.</p>



<p>A subscription is a deployment boundary for Azure resources. Every subscription is associated with an Azure AD tenant that provides administrators the ability to set granular access through defined roles by using Azure role-based <strong>access control</strong>. Subscriptions also have some resource limitations. If you hit a hard limit maximum, there&#8217;s no flexibility to increase it. If you need to exceed the <strong>limits</strong>, you might need to add more subscriptions. Management groups are also available to assist with managing subscriptions.</p>



<ul class="wp-block-list"><li>Locks</li></ul>



<p>A resource lock prevents resources from being accidentally deleted or changed. Think of a resource lock as a warning system that reminds you that a resource should not be deleted or changed. You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure Resource Manager template. </p>



<ul class="wp-block-list"><li>Tags</li></ul>



<p>As your cloud usage grows, it&#8217;s increasingly important to stay organized. A good organization strategy helps you understand your cloud usage and can help you manage costs. You can organize resources by subscriptions or resource groups. Resource tags are another way to organize resources. Tags provide extra information, or metadata, about your resources that is helpful for resource management, security, cost management and optimization, etc.</p>



<ul class="wp-block-list"><li>Azure Policy</li></ul>



<p>Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. Azure Policy enables you to define both individual policies and groups of related policies. Azure Policy evaluates your resources and highlights resources that aren&#8217;t compliant with the policies you&#8217;ve created. Azure Policy can also prevent non-compliant resources from being created. You can apply tags to a resource group, but those tags aren&#8217;t automatically applied to the resources within that resource group, unless you create an Azure Policy to ensure that the resources inherit the same tags.</p>



<ul class="wp-block-list"><li>Azure Blueprints</li></ul>



<p>Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define a repeatable set of governance tools and standard Azure resources that your organization requires. Azure creates a record that associates a resource with the blueprint that defines it. This connection helps you track and audit your deployments. Azure Blueprints orchestrates the deployment of various resource templates and other artifacts such as Azure Resource Manager templates, resource groups, and role and policy assignments.</p>



<h4 class="wp-block-heading">Privacy and Compliance Features</h4>



<p>The <em><strong>Microsoft Privacy Statement</strong></em> explains what personal data Microsoft collects, how Microsoft uses it, and for what purposes. The privacy statement covers all of Microsoft&#8217;s services, websites,  apps, software, servers, and devices. This list ranges from enterprise and server products to devices that you use in your home to software that students use at school like Windows. </p>



<p>The <strong><em>Online Services Terms</em></strong> (OST) is a legal agreement between Microsoft and the customer. The OST details the obligations of both parties with respect to the processing and security of customer data and personal data. The OST applies specifically to Microsoft&#8217;s online services that you license through a subscription, including Azure, Dynamics 365, Office 365, etc. The <strong><em>Data Protection Addendum</em></strong> (DPA) further defines the data processing and security terms for online services.</p>



<p>The following <a href="https://docs.microsoft.com/en-us/compliance/regulatory/offering-home">link </a>shows some of the popular <strong>compliance </strong>offerings that are available on Azure and other Microsoft services. These offerings are grouped under four categories: Global, US Government,  Industry, and Regional. They show Microsoft&#8217;s commitment to compliance is comprehensive, ongoing, and independently tested and verified. </p>



<p>The <strong>Trust Center</strong> showcases Microsoft&#8217;s principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy,  compliance, and transparency in all Microsoft cloud products and  services. The <a href="https://www.microsoft.com/en-us/trust-center?rtc=1">Trust Center</a> is an important part of the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community. The <a href="https://docs.microsoft.com/en-us/azure/compliance/">Azure compliance documentation</a> provides you with detailed documentation about legal and regulatory standards and compliance on Azure.</p>



<p><strong>Azure Government</strong> is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers. <strong>Azure China 21Vianet</strong> is operated by 21Vianet. It&#8217;s a physically separated instance of cloud services located in China. Similarly, <strong>Azure Germany</strong> has a physically isolated instance of Microsoft Azure. </p>



<h3 class="wp-block-heading">Azure Cost Management and SLA</h3>



<p>Having a firm understanding of where your company is today will give you a  greater sense of what cloud migration means in terms of cost. The <strong>TCO Calculator</strong> helps you estimate the cost savings of operating your solution on Azure over time, instead of in your on-premises datacenter. With the <a href="https://azure.microsoft.com/en-us/pricing/tco/calculator/">TCO Calculator</a>, you enter the details of your on-premises workloads. Then you review the suggested industry average cost for related operational costs. These costs include electricity, network maintenance, and IT labor. Using the report, you can compare those costs with the same workloads running on Azure.</p>



<h4 class="wp-block-heading">Purchase Azure Services</h4>



<p>An Azure subscription provides you with access to Azure resources, such as virtual machines, storage, and databases. The types of resources you use impact your monthly bill. Azure offers both free and paid subscription options to fit your needs and requirements. </p>



<p>A <strong>free trial</strong> subscription provides you with 12 months of popular free services, a credit to explore any Azure service for 30 days, and more than 25 services that are always free. Your Azure services are disabled when the trial ends or when your credit expires for paid products, unless you upgrade to a paid subscription. A <strong>paid subscription</strong> can be a <em><strong>pay-as-you-go</strong></em> subscription, which enables you to pay for what you use by attaching a credit or debit card to your account. Another paid option is a member offer: your <strong><em>existing membership</em></strong> to certain Microsoft products and services might provide you with credits for your Azure account and reduced rates on Azure services.</p>



<p>There are three main ways to purchase services on Azure. <strong>Through an Enterprise Agreement</strong>, larger customers, known as enterprise customers, can sign an Enterprise Agreement with Microsoft for a period of 3 years. In the <strong>Web direct</strong> method, you purchase Azure services directly from the Azure portal website and pay standard prices. The final method is <strong>through a Cloud Solution Provider</strong> (CSP), a Microsoft Partner who helps you build solutions on top of Azure. Your CSP bills you for your Azure usage at a price they determine.</p>



<h4 class="wp-block-heading">Minimize Costs</h4>



<p>Azure infrastructure is distributed globally, which enables you to deploy your services centrally or provision your services closest to where your customers use them. Different regions can have different associated prices. Because  geographic regions can impact where your network traffic flows, network  traffic is a cost influence to consider as well. Some inbound data transfers (data going into Azure datacenters) are free. For outbound data transfers (data leaving Azure datacenters), data  transfer pricing is based on <strong>billing zones</strong>. </p>



<p>The <strong>Pricing calculator</strong> displays Azure products in categories with an accurate cost estimate. You add the categories to your estimate and configure them according to your specific requirements. You then receive a consolidated estimated price, with a detailed breakdown of the costs associated with each resource you added to your solution. You can load a saved estimate and modify it to match updated requirements.</p>



<p>Calculate your projected costs by using the Pricing calculator and the Total Cost of Ownership (TCO) Calculator. Ideally, you want your provisioned resources to match your actual usage. <strong>Azure Advisor</strong> identifies unused or underutilized resources and recommends unused resources that you can remove. <strong><em>Spending limits</em></strong> and <em><strong>Azure reservations</strong></em> are methods to prevent accidental overruns and to save on Azure services, respectively. <strong>Azure Cost Management + Billing</strong> is a free service that helps you understand your Azure bill, manage your account and subscriptions, monitor and control Azure spending, and optimize resource use. You can apply <strong>tags </strong>to groups of Azure resources to organize billing data. </p>



<h4 class="wp-block-heading">Service Level Agreements (SLA)</h4>



<p>A <strong><em>service-level agreement</em></strong> is a formal agreement between a service company and the customer. Understanding the <a href="https://azure.microsoft.com/en-us/support/legal/sla/">SLA </a>for each Azure service you use helps you understand what guarantees you can expect from Microsoft and can help you establish the SLA you set with your customers. </p>



<p>An <em><strong>application SLA</strong></em> defines the SLA requirements for a specific application. This term typically refers to an application that <em>you</em> build on Azure. Many design decisions extend beyond just the SLA for a service, in order to improve the availability and resiliency of the applications and services you build on Azure. Keeping the application SLA in mind, you need to design an efficient and reliable solution for the application on Azure. You&#8217;ll select the Azure products and services you need, and provision your cloud resources according to those requirements. </p>



<p>The process of combining SLAs helps you compute the <strong><em>composite SLA</em></strong> for a set of services. Computing the composite SLA requires that you multiply the SLA of each individual service used to build the app. If the composite SLA doesn&#8217;t meet your requirement, remember that the customization choices you make when you provision each workload, such as the disk type and tier, affect that SLA. Another way to improve the availability of the application is to avoid having any single points of failure, i.e., deploy one or more extra instances of the same VM across different availability zones in the same Azure region. Ensuring high availability for your application by having duplicate components across several regions, i.e., redundancy, is also an option.</p>
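<p>A worked composite SLA calculation for the paragraph above, added here as an illustration and not part of the original post. The SLA figures (99.9% for a single VM, 99.99% for a database) are constructed sample values, not Azure&#8217;s published SLAs, and the redundancy formula assumes that instances fail independently of each other.</p>

$$A_{\text{composite}} = \prod_{i} A_i = 0.999 \times 0.9999 = 0.9989001 \approx 99.89\%$$

$$A_{\text{redundant}} = 1 - (1 - A_{\text{VM}})^{n} = 1 - (1 - 0.999)^{2} = 0.999999 \qquad (n = 2 \text{ VM instances in different availability zones})$$

$$A'_{\text{composite}} = A_{\text{redundant}} \times A_{\text{DB}} = 0.999999 \times 0.9999 = 0.9998990001 \approx 99.99\%$$

<p>Over a 30-day month (43,200 minutes) the first design allows about 47.5 minutes of downtime and the second about 4.4 minutes. The composite figure is always lower than the weakest service in the chain, which is why the remaining single instance (here the database) dominates once the VM tier is made redundant.</p>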



<p><strong>Further Reading :</strong></p>



<ul class="wp-block-list"><li><a href="https://sampathblogs.online/2018/04/virtualization-and-cloud-computing-basics/">Introduction to Virtualization and Cloud computing</a> </li><li><a href="https://sampathblogs.online/2020/04/an-introduction-to-aws-cloud-apn/">An Introduction to AWS Cloud &amp; APN</a> </li><li><a href="https://sampathblogs.online/2020/06/a-beginners-guide-to-oracle-cloud-infrastructure/">A Beginner’s Guide to Oracle Cloud Infrastructure</a> </li><li><a href="https://sampathblogs.online/2020/06/an-introduction-to-oci-cloud-operations/">An Introduction to OCI Cloud Operations</a> </li><li><a href="https://sampathblogs.online/2020/09/launch-a-web-server-on-aws-cloud/">Launch a Web Server on AWS Cloud</a>  </li></ul>
]]></content:encoded>
					
					<wfw:commentRss>https://sampathblogs.online/2021/02/microsoft-azure-fundamentals-an-overview/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Oracle Autonomous Database Cloud : Getting Started Guide</title>
		<link>https://sampathblogs.online/2020/09/oracle-autonomous-database-cloud-getting-started-guide/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=oracle-autonomous-database-cloud-getting-started-guide</link>
					<comments>https://sampathblogs.online/2020/09/oracle-autonomous-database-cloud-getting-started-guide/#respond</comments>
		
		<dc:creator><![CDATA[mail2sampath]]></dc:creator>
		<pubDate>Fri, 25 Sep 2020 13:26:26 +0000</pubDate>
				<category><![CDATA[Technical]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[IT Infrastructure Service]]></category>
		<guid isPermaLink="false">https://sampathblogs.online/?p=2008</guid>

					<description><![CDATA[Recently I obtained the Autonomous Database Cloud Specialist certification. In this blog I would like to give a brief account of my learning on the topic. However, for readers who are new to Oracle Cloud, I would recommend going through my other... <a class="more-link" href="https://sampathblogs.online/2020/09/oracle-autonomous-database-cloud-getting-started-guide/">Continue Reading &#8594;</a>]]></description>
										<content:encoded><![CDATA[
<p>Recently I obtained the Autonomous Database Cloud Specialist certification. In this blog I would like to give a brief account of my learning on the topic. However, for readers who are new to Oracle Cloud, I would recommend going through my other blog on <a href="https://sampathblogs.online/2020/06/a-beginners-guide-to-oracle-cloud-infrastructure/">OCI Fundamentals</a> before starting with this blog, for a better understanding.</p>



<h3 class="wp-block-heading">Introduction</h3>



<p>Databases store critical business information and are essential for the efficient operation of modern organizations. Business applications add new records to existing databases or use database information to create reports, analyze trends, or perform other business transactions. DBAs are often overburdened with the time-consuming manual tasks of managing and maintaining databases, which may lead to errors with a catastrophic impact on uptime, performance, and security. Databases that are slow-running or unavailable due to downtime can negatively impact employee productivity and frustrate customers. As the amount and velocity of available data accelerate, there is a need for efficient, secure database management that enhances data security, reduces downtime, improves performance and is not vulnerable to human error. An autonomous database can help achieve these objectives.</p>



<h3 class="wp-block-heading">Autonomous Database Technical Overview</h3>



<p>Autonomous Database Cloud marks the culmination of four decades of technology innovation. The Oracle Autonomous Database is built on components like the <strong>Exadata system</strong>, which has been designed to run an Oracle database from day one. The next component is the <strong>Oracle database</strong> itself, which should be version 19c or higher. The final component is the <strong>Oracle Cloud Infrastructure</strong>, together with the Oracle Autonomous Cloud Platform, Oracle Autonomous Applications, and many other Oracle innovations, incorporating machine learning to eliminate human intervention once policies are set. OCI can be set up for automated data center operations that may include provisioning, patching, upgrading, online backups, monitoring, scaling, diagnosing, performance tuning, optimizing, testing, change management of complex applications and workloads, and automatic handling of failures and errors.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="853" height="364" src="https://sampathblogs.online/wp-content/uploads/2020/07/ADB.png" alt="" class="wp-image-2024" srcset="https://sampathblogs.online/wp-content/uploads/2020/07/ADB.png 853w, https://sampathblogs.online/wp-content/uploads/2020/07/ADB-300x128.png 300w, https://sampathblogs.online/wp-content/uploads/2020/07/ADB-768x328.png 768w, https://sampathblogs.online/wp-content/uploads/2020/07/ADB-600x256.png 600w" sizes="auto, (max-width: 853px) 100vw, 853px" /></figure>



<h4 class="wp-block-heading">Workloads</h4>



<p>The Oracle Autonomous Database supports <strong>enterprise applications</strong> delivered by Oracle. <strong>Customer and ISV applications</strong> that run on top of any Oracle database are supported as well. <strong>Cloud native applications</strong> deployed with Terraform or running as Kubernetes containers, as well as operations running with <strong>function as a service</strong>, are also supported. Also keep in mind that the Oracle Autonomous Database is fully capable of running <em>performance-intensive</em> workloads. </p>



<p>The Autonomous Database is classified by <strong>workload type</strong> into two services: Autonomous Data Warehouse (ADW) and Autonomous Transaction Processing (ATP). ADW stores data in columnar format and is well suited for analytic workloads and for workloads where data does not change too frequently, such as a data warehouse, data mart, machine learning, or a data lake. ATP, on the other hand, stores data in row format (best for single-row lookups) and is well suited for workloads that are transaction focused, or batch or reporting focused.</p>



<h4 class="wp-block-heading">Benefits and Attributes</h4>



<p>There are several benefits of an autonomous database. The main ones are as follows.</p>



<ul class="wp-block-list"><li> Maximum database uptime, performance, and security―including automatic patches and fixes</li><li> Elimination of manual, error-prone management tasks through automation</li><li>Reduced costs and improved productivity by automating routine tasks </li></ul>



<p>The autonomous database (ADB) is simple, fast and elastic. Exadata infrastructure provides the highest performance, availability and seamless scale-up or scale-out. ADB leverages AI and machine learning to provide full, end-to-end automation for provisioning, security, updates, availability, performance, change management, and error prevention. In this respect, an autonomous database has the following specific characteristics.</p>



<ul class="wp-block-list"><li>Self-driving : All database and infrastructure management, monitoring, and tuning processes are automated.</li><li>Self-securing : It stores all data in encrypted format and only the authenticated users and applications can access data. Encryption for data at rest and data in motion is provided along with automatic patching of all components like firmware, OS, database, hypervisor etc.</li><li>Self-repairing : This can prevent downtime, including unplanned maintenance by making use of ML techniques and best practices to automate database operations. It provides an SLA of 99.95% availability.</li></ul>



<h4 class="wp-block-heading">Architectural Components</h4>



<p>The Oracle Autonomous Database is tightly integrated with Oracle Cloud Infrastructure. The Autonomous Database runs on <strong>Exadata Systems</strong> hosted in OCI datacenters. The Autonomous Database storage runs on Exadata storage services that are directly connected to the Exadata compute nodes for the highest performance as well as availability. The <strong>Oracle Machine Learning </strong>servers allow the operations that are available for managing all of the components to be run independently of the Exadata services themselves. User processes, application services, and anything else that end users run against these services all come in through the <strong>connection managed services</strong>, and these connection managers help route, direct, and distribute the workload coming into the autonomous service to the appropriate <strong>Exadata service</strong> where the workload is running. This architecture is used in each AD of a region, along with a load balancer, to provide high availability. OCI <strong>object storage</strong> is used to support ADB for file storage outside the database. All backups run automatically to a dedicated OCI object storage component. All user backups point to user-defined object storage buckets that the user has to create and configure. </p>



<p>Everything from provisioning and deployment to the life cycle maintenance of an Autonomous Database can be done using the <strong>OCI Console, OCI CLIs</strong> and the <strong>REST APIs</strong>. Using <strong>Oracle REST Data Services</strong> (ORDS), developers can easily build REST APIs for data and procedures in the database. Developers can use the <strong>OCI SQL developer web</strong> or the desktop version of <strong>SQL developer</strong>, or any other developer tool that supports Oracle database connections. Monitoring is available through the <strong>cloud service dashboard</strong>. You connect securely to ADB using credential <strong>wallets </strong>via SQL*Net, JDBC, or ODBC. Access from on-premises to ADB through <strong>FastConnect public peering</strong> is possible. Extract, Transform and Load (ETL) and BI tools can connect directly to an ADB instance and can also be run while still connected to ADB. When connecting to other cloud environments, <strong>FastConnect with Megaport</strong> cloud router is used to connect to ADB or OCI from/to other clouds.</p>



<p><strong>Oracle Machine Learning</strong> is a product built on top of notebooks, and it&#8217;s possible to quickly start running queries that use its algorithms without having to set up any additional component. There is also <strong>Oracle Data Visualization Desktop</strong>, a client tool that runs on both Windows and Mac OS 10 for running workloads and visualizing data sets within the Autonomous Database. ADB supports many data movement features, such as the <strong>ODI platform</strong>, <strong>Oracle GoldenGate</strong>, and <strong>Oracle Data Guard</strong>, to connect workloads to the Oracle Cloud. <strong>Oracle Data Safe</strong>, a free service, provides a console with a centralized dashboard to manage and assess the security of your enterprise&#8217;s database services. Simple widgets or wizards help you connect your <strong>Oracle Analytics Cloud</strong> to Autonomous Database to solve your analytics problems. To summarize, the Autonomous Database provides a full set of capabilities to support workloads tied to analytics, business intelligence, machine learning, etc.</p>



<h4 class="wp-block-heading">ADB Workflow</h4>



<p>There are six main steps in migrating and deploying to an Autonomous Database.</p>



<ul class="wp-block-list"><li> Determine level of automation and functionality required</li></ul>



<ul class="wp-block-list"><li> Determine main workload characteristics for the database <br>This is about choosing a workload that fits the ATP or ADW database. Is it a mission critical application that&#8217;s supporting a business operation? Perhaps it&#8217;s a hybrid workload that is partly transactional and partly analytic. It could, in fact, be a very large database, with updates happening fairly frequently. Or it could even be used for real-time analytics and machine learning against a transactional workload. ATP would be the best fit for workloads where application developers use the sandbox/testing environment. Similarly, ADW would be the best choice for data scientists to perform ML testing on their notebooks.</li></ul>



<ul class="wp-block-list"><li> Provision the ADW or ATP service<br>The provisioning is done automatically for you. Here, you simply choose the shape and the type of workload, i.e., ADW or ATP. The server, the storage, and the virtual machines are then provisioned, and all of this runs on a scalable RAC cluster on top of an Exadata platform.</li></ul>



<ul class="wp-block-list"><li>Automated Configuration<br>The configuration of the hardware layer is completely automated for  you. The Exadata is ready to use. There&#8217;s no need for any Exadata  software installation, no configuration, nor any management. All the  initialization parameters are automatically optimized, depending on  which workload you&#8217;re choosing.  </li></ul>



<ul class="wp-block-list"><li>Load data to the new database<br>For one-time loads, data is best staged through Oracle Object Storage. It&#8217;s extremely easy to access and configure. It&#8217;s secure, it&#8217;s encrypted, and it&#8217;s highly available. It provides a seamless way to migrate, lift, and shift data into the Autonomous Database. Alternatively, for a regular or repeating pattern of uploads, there are other approaches you may choose to take, and Oracle GoldenGate is one of them. Your workload can run simultaneously, or synchronized in real time, with that alternative data source.</li></ul>



<ul class="wp-block-list"><li> Migrate Application<br>For existing applications, you want to keep the application in its  existing environment and replace the existing database. And in that case, it&#8217;s simply a case of rerouting the connectivity strings of that  application to now point to the Autonomous Database. Another approach is  to actually rehouse that existing application in the OCI through an  exact image, by virtualization as well as containers. Another approach might be to actually pull down a marketplace image from Oracle Cloud  Infrastructure Marketplace, and deploy a compute image of that, and  populate or configure the application to work against your Autonomous Database. Also, the new applications developed on OCI can obviously be pointed to work with the ADB. The <a href="https://www.oracle.com/database/technologies/cloud-migration.html">Oracle Cloud Migration Advisor</a> provides valuable guidelines and use cases on cloud migration.</li></ul>



<h4 class="wp-block-heading">ADB Deployment Choices</h4>



<p>There are two physical deployment choices, namely Autonomous Database Shared and Autonomous Database Dedicated. <strong>Shared infrastructure</strong> means that your autonomous database service runs on an Exadata system that is shared with other customers running their database workloads on that same physical Exadata system. <strong>Dedicated infrastructure</strong>, on the other hand, is for tenants and customers who want control over the physical infrastructure on which they place and run their data workload.</p>



<p>The Autonomous Database Dedicated Infrastructure is built on top of Oracle&#8217;s Exadata E7 or E8. It has a virtual cloud network that you need to configure. You create an Autonomous Container Database (a CDB), where the number of databases depends on the availability SLA type that you are deploying for. The container database is deployed on a RAC cluster: under 16 OCPUs the workload is kept local, but if the OCPU count exceeds 16 the workload is spread across multiple servers. So, when you provision an Autonomous Database Dedicated, you are carving up a container database. And then from within the container database, you also do have Autonomous Shared database style if you wish. The DBAs, developers, and data scientists provision their databases within the container databases that have already been provisioned for them by the fleet administrators. Some of the notable differences between ADB Dedicated and Shared are as follows.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="798" height="540" src="https://sampathblogs.online/wp-content/uploads/2020/08/adbtable-3.png" alt="" class="wp-image-2042" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/adbtable-3.png 798w, https://sampathblogs.online/wp-content/uploads/2020/08/adbtable-3-300x203.png 300w, https://sampathblogs.online/wp-content/uploads/2020/08/adbtable-3-768x520.png 768w, https://sampathblogs.online/wp-content/uploads/2020/08/adbtable-3-600x406.png 600w" sizes="auto, (max-width: 798px) 100vw, 798px" /></figure>



<h3 class="wp-block-heading">Provisioning an ADB</h3>



<p>When provisioning an autonomous database on dedicated infrastructure, it&#8217;s mandatory that the VCN and subnet be created before end users can connect to the ADB dedicated database. For autonomous database shared, however, this is not a mandatory requirement. Provisioning the dedicated autonomous database infrastructure involves three steps. The first task is to provision the <strong>dedicated autonomous Exadata infrastructure</strong>; once that is configured, it is possible to provision a <strong>dedicated autonomous container database</strong>. The first two tasks are performed by the fleet administrators, whereas the final task, i.e., provisioning the <strong>dedicated autonomous database</strong>, can be performed by the regular DBAs.</p>



<p>On the OCI console, log in as a fleet administrator and not as a regular tenant. Navigate to <em>menu&gt;Autonomous Transaction Processing</em>, select the appropriate admin <strong>compartment </strong>and click on <strong>Autonomous Exadata Infrastructure</strong> under the Dedicated Infrastructure item. Now we can start provisioning by clicking on <strong>Create Autonomous Exadata Infrastructure</strong>. Enter the compartment and Display name, and select the AD, Exadata system model and system configuration. Choose the VCN and subnet in which to run and set the network security group. Specify the maintenance schedule of the Exadata infrastructure by clicking on <strong>Modify</strong> <strong>Schedule </strong>under the Configure the Automatic Maintenance item. Choose a license type and click on the <strong>Create Autonomous Exadata Infrastructure</strong> button.</p>



<p>Once the Exadata infrastructure has been created, the next step would be to create the Autonomous Container Database (A-CDB). The same fleet administrator login is used here as well. Navigate to <em>menu&gt;ATP</em>, maintain the same compartment as earlier and click on <strong>Autonomous Container Database</strong> under Dedicated Infrastructure item. Now we can <strong>Create Autonomous Container Database</strong> by clicking on the button of the same name. Enter the compartment, Display name. Select the Autonomous Exadata Infrastructure created earlier. Configure the automatic maintenance schedule of A-CDB by clicking on <strong>Modify Maintenance</strong> button. Enter the <strong>Backup retention policy</strong> by specifying the number of days and click on  <strong>Create Autonomous Container Database</strong> button.</p>



<p>Now that the Autonomous Exadata Infrastructure and Autonomous Container Database are created, the DBA can log in using their admin credentials. Navigate to <em>menu&gt;ATP</em> or <em>ADW </em>and select the appropriate <strong>compartment </strong>and <strong>workload </strong>type. Select Autonomous Database under the Autonomous Database item and click on the <strong>Create Autonomous Database</strong> button. Enter the Compartment, Display name and Database name, and choose the workload type and deployment type. Since the deployment type selected is <strong>Dedicated Infrastructure</strong>, we can select the earlier created Exadata Infrastructure Compartment and Container Database. Enter the other necessary information like OCPU count, Storage, and Auto scaling to configure the database. Enter the dba admin password once again and click on <strong>Create Autonomous Database</strong> to provision the ADB.</p>



<p>In case the deployment type selected is <strong>Shared Infrastructure</strong>, we can select the database version, OCPU count, Storage, and Auto scaling to configure the database. Select the Access type, i.e., non-VCN or VCN, and the license type. Click on <strong>Create Autonomous Database</strong> to provision the ADB.</p>



<h3 class="wp-block-heading">Connecting to ADB</h3>



<p>A wallet is mandatory when connecting to Autonomous Database Shared. However, with Autonomous Database Dedicated, you can choose to connect directly without using a wallet. All apps use a secure connection to connect to the Autonomous Database, and the Autonomous Database uses certificate authentication and SSL. Certificate authentication uses an encrypted key stored in a wallet on both client and server and is automatically generated by ADB. When you download the wallet from your Autonomous Database, you&#8217;ll see there&#8217;s a bundle of files included with it. There are two types of wallets for an ADB Shared. An <strong>instance wallet</strong> contains only the credentials and keys for the individual Autonomous Database being provisioned. The <strong>regional wallet</strong>, on the other hand, is used only by administrators and contains the credentials and keys for all of the Autonomous Databases in a specified region. For ADB Dedicated, the wallet file contains only the credentials and keys for a single ADB.</p>



<p>You can download the wallet from the <em>DB Connection</em> button on your main instance details page, as well as through the <em>Service Console</em>. You can also use <em>API calls</em> to download the wallet. However, you need the database password along with the wallet file to connect: the wallet provides a secure way to route you to your database, but not to actually log into it. In the Oracle cloud, private instances in a private subnet can connect to the Oracle services network, including ADB, through a service gateway for a secure connection. <strong>Predefined DB service names</strong> are tpurgent, tp, high, medium and low. The tpurgent and tp services are ATP services that are focussed on OLTP workloads; the other ADW services can be used as ATP services but don&#8217;t provide the high priority. The ADW services high, medium and low are used for analytics.</p>



<p>ADB can be connected to through <strong>client utilities</strong> such as SQL*Net, JDBC (thin or thick) and ODBC, and all connections use SSL for encryption. Clients require the security credentials wallet to connect using these tools and can connect through the public internet or FastConnect. Connection through <strong>SQL Developer</strong> on the local PC is as follows. <em>In order to connect to the autonomous database, click on New/Select DB Connection. Enter details like Name, DB type (Oracle), user name &amp; password, and connection type (Cloud Wallet), and upload the wallet_employee config file. Next click on the &#8220;Test&#8221; button; if successful, click on the &#8220;Connect&#8221; button to connect to the database</em>. Tools like SQL Developer Web from the service console can also be used to connect once the access permission is set by the administrator. Please refer to the <a href="https://docs.oracle.com/en/cloud/paas/autonomous-data-warehouse-cloud/user/connect-data-warehouse.html">link </a>for details about the connection setup using various <strong>other tools</strong>. It is also good to know that we can connect to the ADB through Active Directory. Even third party tools can be configured and used to connect to the ADB. Please refer to the <a href="https://www.oracle.com/autonomous-database/autonomous-data-warehouse/tools/">link </a>for details.</p>



<h3 class="wp-block-heading">Migration to ADB</h3>



<p>The first thing to consider when migrating to the Oracle Autonomous Database is how to load and move your data into the Autonomous Database. When it comes to loading your data, the <strong>traditional tools</strong> like Oracle SQL Loader can be used to load data into the Oracle database, as well as tools such as Oracle Data Pump. Oracle supports many different <strong>data types</strong>, from SQL Loader text files, to export-input dump files, to CSV, JSON, parquet, etc. When it comes to <strong>object storage</strong>, third party cloud object storage platforms such as AWS S3 and Azure Blob, as well as Oracle&#8217;s own object storage, can be used. Shifting data from an <strong>OCI application layer</strong>, as well as from virtual machines that may be hosted in your cloud tenancy, is also possible.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="686" height="431" src="https://sampathblogs.online/wp-content/uploads/2020/08/datamigr.png" alt="" class="wp-image-2058" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/datamigr.png 686w, https://sampathblogs.online/wp-content/uploads/2020/08/datamigr-300x188.png 300w, https://sampathblogs.online/wp-content/uploads/2020/08/datamigr-600x377.png 600w" sizes="auto, (max-width: 686px) 100vw, 686px" /></figure>



<p>When migrating an existing database into the autonomous database, it&#8217;s important to realize that a physical database cannot simply be migrated to an autonomous database. The database must first be converted to a pluggable database by upgrading to the latest version of the database, 18c or higher. It must also be TDE encrypted, i.e., Transparent Data Encryption, applicable to sensitive data. When we look at approaches to move data into the Autonomous Database, the obvious one is <strong>Data Pump</strong>. It can perform version upgrades, it is platform-independent, and it is a very portable way to load data into a pre-existing or newly created Autonomous Database. With <strong>Oracle GoldenGate</strong>, it is possible to set up GoldenGate between your on-premises or other source system and use the Autonomous Database as a target database for replication in real time with zero downtime.</p>



<p>There are many <strong>other approaches</strong> to data migration, with loading tools like SQL Developer Data Import Wizard, SQL Developer Migration Workbench, the DBMS_CLOUD package, external tables, data sync and ETL, each of which works better than the others in particular situations. The <strong>DBMS_CLOUD package</strong> is the most preferred method for loading data, because with this tool we can load various types of data, like a CSV, an Avro file, a JSON file, or just a regular text file. The DBMS_CLOUD package will permit you to perform these upgrades, inserts, and data loads fairly efficiently. The first step is to copy your files, in whatever format they are, to Oracle Object Storage, and then run the DBMS_CLOUD package from within your Autonomous Database to load that data into your Autonomous Database. Refer to the list of all procedures available at the following <a href="https://docs.oracle.com/en/cloud/paas/autonomous-data-warehouse-cloud/user/dbms-cloud.html">link</a>. The package can work with very large data volumes, and it works independently of the Autonomous Database you&#8217;re connected to.</p>



<h3 class="wp-block-heading">Data Loading to ADB</h3>



<p>The Oracle Autonomous Database is tightly integrated with Oracle&#8217;s own object storage, and it is also fully integrated with other major object stores like AWS S3 and Azure Blob. Using object storage, we can load data directly from object storage into the database, or alternatively query object storage files without physically moving them into the database. The data can be in formats such as CSV, delimited text, JSON or Parquet. Let us look at an example of loading data into the object storage and then into the ADB using the <strong>DBMS_CLOUD package</strong>.</p>



<ul class="wp-block-list"><li><strong>Download the wallet</strong> by navigating to <em>OCI console&gt;user ADW&gt;DB Connection&gt;Download Wallet</em>. Once downloaded, copy the wallet to the necessary directory.</li><li><strong>Create a new user</strong> by navigating to <em>Tools&gt;Open SQL Developer Web</em>. Type the code below to create the user and assign it a tablespace.</li></ul>



<pre class="EnlighterJSRAW" data-enlighter-language="sql" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group=""> CREATE USER new_user IDENTIFIED BY "Newpwd123";
 GRANT dwrole to new_user;
 Alter user new_user default tablespace data;
 Grant unlimited tablespace to new_user;</pre>



<ul class="wp-block-list"><li>Next, <strong>open SQL Developer</strong> on the local PC. In order to connect to the database, click on <em>New/Select DB Connection</em>. Enter details like Name, DB type (<em>oracle</em>), user name &amp; password (<em>mentioned in the above code</em>), connection type (<em>Cloud Wallet</em>), and upload the wallet_employee config file. Next click on the Test button; if successful, click on the <strong>Connect</strong> button to connect to the database.</li><li>Navigate to <em>Identity&gt;Users&gt;Existing or New User&gt;Auth Tokens</em> and click on <strong>Generate Tokens</strong> on the OCI console.</li><li>In order to create the <strong>new user credentials</strong> used for running packages or procedures, run the following code in the desktop SQL Developer session opened earlier.</li></ul>



<pre class="EnlighterJSRAW" data-enlighter-language="sql" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">/* Drop any existing credential of the same name */
BEGIN
 DBMS_CLOUD.drop_credential(credential_name => 'OBJ_STORE_CRED');
END;
/
/* Store the OCI user name and auth token as a database credential */
BEGIN
 DBMS_CLOUD.create_credential (
  credential_name => 'OBJ_STORE_CRED',
  username => 'Existing or New User as on the OCI console',
  password => 'Auth Token generated earlier'
 );
END;
/</pre>



<ul class="wp-block-list"><li>In order to <strong>stage the data files on Object storage</strong>, navigate to OCI console <em>Object Storage&gt;Object Storage</em> and click on <em>create bucket</em> to create a new one with the default settings. Once the bucket is created, click on <em>Upload Objects</em> to upload the necessary files.</li><li>Create a SQL file to <strong>generate multiple tables</strong> in the desktop SQL Developer. Once the tables have been created, <em>data can be loaded into the tables from Object storage</em> using the following code snippet.</li></ul>



<pre class="EnlighterJSRAW" data-enlighter-language="sql" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">BEGIN
  DBMS_CLOUD.copy_data(
   table_name => 'exampletable',
   credential_name => 'OBJ_STORE_CRED',
   file_url_list => 'https://objectstorage.us-......', 
/*respective object URL from the obj storage using option 'view object details'*/
   format => json_object('a' value 'true', 'b' value 'true')
   );
END;</pre>



<ul class="wp-block-list"><li>Run the above code snippet and query the table with <code>SELECT * FROM exampletable;</code>. You can see the data from the object storage file loaded into the table.</li><li>In case multiple tables are loaded from multiple data files staged on the object storage, the query below shows how the load operations went.</li></ul>



<pre class="EnlighterJSRAW" data-enlighter-language="sql" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">SELECT *
FROM user_load_operations
WHERE type = 'COPY'
ORDER BY id;</pre>



<ul class="wp-block-list"><li>In case the data need not be stored on the ADB table from the Object storage, we can create an <strong>external table</strong> to just <em>view </em>the data as follows.</li></ul>



<pre class="EnlighterJSRAW" data-enlighter-language="sql" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">BEGIN
  DBMS_CLOUD.create_external_table(
    table_name => 'exampletable_ext',
    credential_name => 'OBJ_STORE_CRED',
    file_url_list => 'https://.....',
    column_list   => 'acol,bcol,ccol,dcol,ecol,fcol',                     
/*columns info to match with the column data in object storage*/
    format => json_object('a' value 'true', 'b' value 'true')
);
END;</pre>



<ul class="wp-block-list"><li>Use <code>select * from exampletable_ext;</code> to query the external table data. The data can be loaded from Oracle, AWS or Azure object storage.</li></ul>



<p><strong>Data Pump</strong> is very powerful for platform independence and also very powerful when you want to do a very fast move or migration. It lets you manage data from any object store like AWS S3, Azure Blob Storage or Oracle&#8217;s Object Storage. The data can be loaded directly from those object stores or directly from your client onto ADB. Data Pump <em>expdp/impdp</em> can be used for database versions 10.1 and above.</p>



<h3 class="wp-block-heading">Administer the ADB</h3>



<p>Autonomous database is a self managing database. However, there are some operations like start, stop, scale, backup, recovery etc that even a regular administrator would want to perform on their database. </p>



<p>The stop and scale operations on an ADB instance can be performed on demand to conserve resources. Similarly, the start operation can be performed on demand. On the console, navigate to your existing <em>ADW instance&gt;Scale Up/Down</em> tab and enter the OCPU Count and Storage to <strong>scale</strong>. The ADB can be used while the ADW scaling is in progress. To stop the ADB, navigate to <em>ADW&gt;More Actions</em> and select the <strong>Stop</strong> option. In order to start it again, select <strong>Start</strong> from <em>More Actions</em>. Auto scaling can be enabled while provisioning the instance or from the <em>ADW instance&gt;Scale Up/Down</em> tab after the instance is provisioned.</p>



<p>ADB automatically creates <strong>backups</strong> of your DB with a retention period of 60 days and the option of point-in-time recovery. Manual backups are performed using a cloud object storage bucket. The <em>Autonomous Database instance&gt;Backups</em> section on the console gives the list of automatic backups. To create a manual backup, one needs to create a bucket by navigating to <em>Object Storage&gt;Object Storage</em> and clicking on <em>create bucket</em>. Once the bucket is created, navigate to SQL Developer Web and type the following code in the worksheet.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="sql" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ALTER DATABASE PROPERTY SET default_bucket='https://swiftobjectstorage.regionnameinfo.oraclecloud.com/v1/bucketnamespaceinfo';      /*OCI Object Storage tenancy URL*/
BEGIN
 DBMS_CLOUD.drop_credential(credential_name => 'OBJ_STORAGE_CRED');
END;
/
BEGIN
 DBMS_CLOUD.create_credential (
   credential_name => 'OBJ_STORAGE_CRED',
   username => 'oracleusername',
   password => 'pwdabc'        /*pwd generated from user>Auth tokens>Generate Tokens*/
  );
END;
/
ALTER DATABASE PROPERTY SET default_credential = 'ADMIN.OBJ_STORAGE_CRED';</pre>



<p>Under the <em>Autonomous Database&gt;Backups</em> section, click on the <em>Create Manual Backups</em> button to create manual backups. To <strong>restore</strong> the DB from a backup, navigate to <em>More Actions&gt;Restore</em> and enter the time from which to restore or select a backup from the list. Once a selection is made, the restore process begins. Once it completes, the additional task is to stop and start the ADB in order to open it in read-write mode. It is also possible to create a brand new Autonomous Database from an existing Autonomous Database as a <strong>clone</strong>. You can create it as a full copy of the source Autonomous Database, or you can create a clone that contains just the metadata/schema of that Autonomous Database. Navigate to your <em>ADB instance&gt;More Actions</em>, select the <em>Create Clone</em> option and enter the necessary details to create the ADB clone.</p>



<h3 class="wp-block-heading">Oracle Machine Learning, Analytics, Other tools </h3>



<p>Oracle ML is a SQL notebook interface for data scientists to perform machine learning on Oracle ADB. It offers a rich set of visualization tools and a mechanism for collaborating on building and deploying predictive models. There are 30-plus ML algorithms available to data scientists on ADB. OML can be interfaced with Oracle Analytics Cloud or other third-party tools. The easiest way of creating OML users is through the console. Navigate to the <em>Service Console&gt;Administration&gt;Manage Oracle ML Users</em>. Create a <strong>new user</strong> by clicking on Create and entering the details. Then create the <strong>workspaces</strong> that these users are going to run their work within. Next, create a <strong>project</strong> in which multiple ML users participate and each build notebooks. Click on the <strong>Notebooks</strong> icon for data analytics. Here you can run an analytics operation or SQL statements/scripts that may have been saved earlier for a periodic task or any instant task. The chart icon can be clicked in the notebooks to display charts, groups etc.</p>



<p>Two of the most common tools that use the Autonomous Data Warehouse are <strong>Oracle Analytics Cloud</strong> and <strong>Data Visualization Desktop (DVD)</strong>. DVD is a desktop extension of OA Cloud that supports an isolated environment as well. These tools bring the power of data and analytics to every process interaction and decision in every environment: cloud, on-premises, desktop, and data center. Download and install the Oracle Analytics desktop software. On the console, move to <em>Menu&gt; Analytics</em> and <strong>create a new instance</strong>. Once done, move to <em>analytics instance &gt; Oracle Analytics Cloud URL</em> to <strong>open the Oracle Analytics Cloud home page</strong>. The home windows of the Data Visualization Desktop software and Analytics Cloud appear the same. In the home window of DVD/OA Cloud you can create a new connection, project, dataset, script etc. For further information on Oracle Analytics Cloud refer to the link <a href="https://docs.oracle.com/en/cloud/paas/analytics-cloud/index.html">here</a>.</p>



<p>If we click on <strong>Tools</strong> in the instance console, we can see the machine learning option covered earlier, SQL Developer Web, <strong>Oracle APEX</strong> (i.e., Application Express), user administration, and the SODA drivers (i.e., Simple Oracle Document Access) options. If we click the button to access APEX, it will take us to a screen where we can define our users. The first time we log in, we&#8217;ll be requested to create a workspace. Upon setting up the workspace, creating an application is extremely easy. Upon connecting to the other option under Tools, <strong>SQL Developer Web</strong>, you&#8217;ll see that it gives you the ability both to run SQL statements to see your schema and to do data modeling. It also provides you with a dashboard to see the health and status of your database. <strong>On-premises SQL Developer</strong> is the desktop version of SQL Developer Web. SQL Developer 17.4 and later can connect to ADB through Oracle Wallet.</p>



<h2 class="wp-block-heading">Securing the ADB</h2>



<p>Identity and access management is used to create <strong>OCI policies</strong> that work specifically with the autonomous dedicated database. In this case, the fleet and database administrators configure what a resource is. The RESOURCE being set could be an Exadata infrastructure service, a container database, an autonomous database or backups. The policy statement takes the format below. GROUPA is a set of users in a project with the same privileges, and COMPARTMENTA is a specific set of service resources accessible only to groups such as GROUPA that are explicitly granted access. The VERB is the permission assigned to GROUPA and can be inspect, read, use, or manage.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">allow group &lt;GROUPA> to &lt;VERB> &lt;RESOURCE> in compartment &lt;COMPARTMENTA></pre>
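
<p>The statement format above lends itself to a least-privilege check. The following Python linter is an added example, not code from the original post or from Oracle; it parses only the one-line form shown above and assumes names without spaces. The group and compartment names, the per-group verb ceilings and the sample statements are constructed for illustration, and <code>autonomous-databases</code>, <code>autonomous-backups</code> and <code>all-resources</code> are OCI resource-type names that the post itself does not list.</p>

```python
"""Lint OCI policy statements of the one-line form shown above (added example)."""
import re
from dataclasses import dataclass

# Verbs from least to most privileged, in the order the article lists them.
VERBS = ["inspect", "read", "use", "manage"]

# allow group GROUP to VERB RESOURCE in compartment COMPARTMENT
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(\S+)\s+to\s+(\S+)\s+(\S+)\s+in\s+compartment\s+(\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: str


def parse_statement(text):
    """Parse one statement; raise ValueError if it is not in the expected form."""
    match = STATEMENT_RE.match(" ".join(text.split()))  # collapse runs of whitespace
    if match is None:
        raise ValueError(f"not an 'allow group ... in compartment ...' statement: {text!r}")
    group, verb, resource, compartment = match.groups()
    verb = verb.lower()
    if verb not in VERBS:
        raise ValueError(f"unknown verb {verb!r}; expected one of {VERBS}")
    return Statement(group, verb, resource.lower(), compartment)


def lint(statements, ceilings, default_ceiling="read"):
    """Return a list of (statement_text, reason) findings.

    ceilings maps a group name to the highest verb that group should hold
    (an assumption of this example: the reviewer supplies that map).
    Groups missing from the map are held to default_ceiling.
    """
    findings = []
    for text in statements:
        try:
            stmt = parse_statement(text)
        except ValueError as exc:
            # Anything the parser cannot read is surfaced, never silently passed.
            findings.append((text, f"unparsed: {exc}"))
            continue
        ceiling = ceilings.get(stmt.group, default_ceiling)
        if VERBS.index(stmt.verb) > VERBS.index(ceiling):
            findings.append(
                (text, f"{stmt.group} granted '{stmt.verb}', ceiling is '{ceiling}'")
            )
        if stmt.resource == "all-resources" and stmt.verb in ("use", "manage"):
            findings.append((text, "grant covers every resource type in the compartment"))
    return findings


# Constructed sample policy and ceilings (hypothetical groups and compartments).
SAMPLE_POLICY = [
    "allow group FleetAdmins to manage autonomous-databases in compartment ProdDB",
    "allow group Developers to use autonomous-databases in compartment DevDB",
    "allow group Developers to manage autonomous-backups in compartment DevDB",
    "allow group Auditors to read all-resources in compartment ProdDB",
    "allow group FleetAdmins to manage all-resources in compartment ProdDB",
    "allow group Interns to do anything in compartment DevDB",
]
SAMPLE_CEILINGS = {"FleetAdmins": "manage", "Developers": "use", "Auditors": "read"}

if __name__ == "__main__":
    for text, reason in lint(SAMPLE_POLICY, SAMPLE_CEILINGS):
        print(f"{reason}\n    {text}")
```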



<p><strong>Access control lists (ACL)</strong> provide a mechanism to block all IP addresses that are not in a specified list from accessing the database. Once an ACL is set up, you need to be aware that the database will only accept connections from addresses that are in the access control list, and all other client connections, including dependent services like SQL Developer Web, APEX and OML, will be blocked. The ACL can be enabled while provisioning, or by navigating to your existing <em>ADB instance&gt;More Actions</em> and clicking on <em>Access Control List</em> to set the necessary IP addresses/CIDR block/VCN. Though the ADB is publicly routable, no one can access it if they are not part of the ACL. <strong>Private Endpoints</strong>, however, allow you to keep all traffic to and from your ADB off the public internet. You can provision/clone an ADB to use private endpoints and configure a VCN in your tenancy to use with the private endpoint. Refer to the <a href="https://docs.oracle.com/en/cloud/paas/atp-cloud/atpug/network-private-endpoint-configure.html">link</a> for further details on configuring private endpoints.</p>



<p><strong>Network security groups (NSG)</strong> create a virtual firewall for your Autonomous Database using security rules. Just as we created access controls to set up restrictions, we can do similar things with security rules. Security rules provide a mechanism to open or allow certain ports, as either ingress or egress rules, to talk in or out of your cloud service. In the case of the autonomous database, we allow ingress on 1522. Up to five NSGs can be specified to control access to your ADB. For DBAs and developers who would prefer using cloud services programmatically rather than through the console, OCI offers <strong>REST APIs</strong>. This provides a mechanism for customized deployment and management scripts that can be reused. Calls to OCI using REST APIs can be written in popular scripting languages and tools like Python, Ruby, Node.js, bash, curl etc. All OCI API requests must be signed for authentication purposes.</p>



<p>The OCI <strong>Command Line Interface (CLI)</strong> is a tool that can be used on its own or with the console to complete OCI tasks. Tasks include the ability to run scripts and extend console capability. The CLI is built on Python and makes calls to the OCI REST APIs to provide the functionality implemented for various services. To use the CLI, one should have an OCI account and a user account in a group with a policy that grants the desired permissions to make API calls. The Cloud Shell/CLI shell can be accessed from the console by clicking on the icon at the top right, so there is no need for any client software. The command <code>oci db autonomous-database</code> lists all the services available to ADB on the CLI. For example, if we want to create an ADB, the necessary information would be compartment ID, db name, display name, admin password, CPU core count, data storage size in TB, db workload, license model, and autoscaling enabled. When this is executed on the CLI, we can observe on the console that the ADB is getting provisioned. There are many operations that can all be done very simply using the OCI CLI. It is also possible to provision an ADB using <strong>Terraform</strong>.</p>



<h4 class="wp-block-heading"><strong>Further Reading :</strong></h4>



<ul class="wp-block-list"><li><a href="https://sampathblogs.online/2020/06/a-beginners-guide-to-oracle-cloud-infrastructure/">A Beginner’s Guide to Oracle Cloud Infrastructure</a></li><li><a href="https://sampathblogs.online/2020/06/an-introduction-to-oci-cloud-operations/">An Introduction to OCI Cloud Operations</a></li><li><a href="https://sampathblogs.online/?p=2147">Launch a DB Server and Interact with your DB on AWS Cloud</a></li><li><a href="https://sampathblogs.online/2020/04/an-introduction-to-aws-cloud-apn/">An Introduction to AWS Cloud &amp; APN</a></li><li><a href="https://sampathblogs.online/?p=2102">Launch a Web Server on AWS Cloud</a></li></ul>
]]></content:encoded>
					
					<wfw:commentRss>https://sampathblogs.online/2020/09/oracle-autonomous-database-cloud-getting-started-guide/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Launch a DB Server and Interact with your DB on AWS Cloud</title>
		<link>https://sampathblogs.online/2020/09/launch-a-db-server-and-interact-with-your-db-on-aws-cloud/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=launch-a-db-server-and-interact-with-your-db-on-aws-cloud</link>
					<comments>https://sampathblogs.online/2020/09/launch-a-db-server-and-interact-with-your-db-on-aws-cloud/#respond</comments>
		
		<dc:creator><![CDATA[mail2sampath]]></dc:creator>
		<pubDate>Fri, 25 Sep 2020 13:26:04 +0000</pubDate>
				<category><![CDATA[Technical]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[IT Infrastructure Service]]></category>
		<guid isPermaLink="false">https://sampathblogs.online/?p=2147</guid>

					<description><![CDATA[In this blog post I will take you through a step by step process of building a DB master, secondary DB and accessing the DB from your EC2 instance. The final infrastructure will appear as follows. Step 1 : Create... <a class="more-link" href="https://sampathblogs.online/2020/09/launch-a-db-server-and-interact-with-your-db-on-aws-cloud/">Continue Reading &#8594;</a>]]></description>
										<content:encoded><![CDATA[
<p>In this blog post I will take you through a step by step process of building a DB master, secondary DB and accessing the DB from your EC2 instance. The final infrastructure will appear as follows.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="725" height="448" src="https://sampathblogs.online/wp-content/uploads/2020/09/VPC-db.png" alt="" class="wp-image-2160" srcset="https://sampathblogs.online/wp-content/uploads/2020/09/VPC-db.png 725w, https://sampathblogs.online/wp-content/uploads/2020/09/VPC-db-300x185.png 300w, https://sampathblogs.online/wp-content/uploads/2020/09/VPC-db-600x371.png 600w" sizes="auto, (max-width: 725px) 100vw, 725px" /></figure>



<h4 class="wp-block-heading"><strong>Step 1 : Create VPC, Subnets and EC2 instance </strong></h4>



<p>Let us assume that the Web server/EC2 instance is already launched; the procedure is detailed in one of my previous blogs. Head to the <strong>Additional Reading</strong> section of this blog for the link. At this point you have the VPC, AZ1, AZ2, Public &amp; Private Subnet 1, Public &amp; Private Subnet 2, Web Server 1/EC2 instance, and internet &amp; NAT gateway ready, so that you can launch the DB Server.</p>



<h4 class="wp-block-heading"><strong>Step 2 : Create a Security Group for RDS DB Instance</strong></h4>



<p>As a first step, you will create a security group (SG) for the web server to access your RDS DB instance. From the <strong>AWS Management Console</strong>, navigate to <strong>VPC &gt; Security Groups</strong> and click on <strong>Create security group</strong> to configure as follows.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="964" height="662" src="https://sampathblogs.online/wp-content/uploads/2020/09/7secgrp.jpg" alt="" class="wp-image-2162" srcset="https://sampathblogs.online/wp-content/uploads/2020/09/7secgrp.jpg 964w, https://sampathblogs.online/wp-content/uploads/2020/09/7secgrp-300x206.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/09/7secgrp-768x527.jpg 768w, https://sampathblogs.online/wp-content/uploads/2020/09/7secgrp-600x412.jpg 600w, https://sampathblogs.online/wp-content/uploads/2020/09/7secgrp-945x649.jpg 945w" sizes="auto, (max-width: 964px) 100vw, 964px" /></figure>



<p>As you can see in the above screenshot, you set the rules for the security group by specifying them in the <strong>Inbound rules</strong> section. Since you are allowing access from the Web Server, you can set the <em>Web Security Group</em> created for the Web Server as the source. The final picture of the setting would be as follows.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="177" src="https://sampathblogs.online/wp-content/uploads/2020/09/8secgrp-1024x177.jpg" alt="" class="wp-image-2163" srcset="https://sampathblogs.online/wp-content/uploads/2020/09/8secgrp-1024x177.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2020/09/8secgrp-300x52.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/09/8secgrp-768x133.jpg 768w, https://sampathblogs.online/wp-content/uploads/2020/09/8secgrp-600x104.jpg 600w, https://sampathblogs.online/wp-content/uploads/2020/09/8secgrp-945x163.jpg 945w, https://sampathblogs.online/wp-content/uploads/2020/09/8secgrp.jpg 1135w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p>You will use this DB Security Group when launching the Amazon RDS database.</p>



<h4 class="wp-block-heading"><strong>Step 3 : Create a DB Subnet Group</strong></h4>



<p>In this step you will create a DB subnet group that is used to tell RDS which subnets can be used for the database. The group should contain subnets in at least two availability zones. From the <strong>AWS Management Console</strong>, navigate to <strong>RDS &gt; Subnet groups</strong>, click on <strong>Create DB Subnet Group</strong> and configure as follows.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="754" height="715" src="https://sampathblogs.online/wp-content/uploads/2020/09/14amzrds.jpg" alt="" class="wp-image-2165" srcset="https://sampathblogs.online/wp-content/uploads/2020/09/14amzrds.jpg 754w, https://sampathblogs.online/wp-content/uploads/2020/09/14amzrds-300x284.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/09/14amzrds-600x569.jpg 600w" sizes="auto, (max-width: 754px) 100vw, 754px" /></figure>



<p>As you can see in the above screenshot, after entering the subnet group details you need to add the two availability zones. This is followed by selecting the necessary subnets, i.e., private subnet 1 (<em>10.0.1.0/24</em>) &amp; private subnet 2 (<em>10.0.3.0/24</em>), from their respective availability zones and clicking create. You will use this group while creating the database in the next step.</p>



<h4 class="wp-block-heading"><strong>Step 4 : Launch a Multi-AZ Amazon RDS DB Instance</strong></h4>



<p>Amazon Relational Database Service (Amazon RDS) provides you with multiple database engines to choose from: Amazon Aurora, Oracle, Microsoft SQL Server, PostgreSQL, MySQL and MariaDB. When you provision a multi-AZ DB instance, Amazon RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in another AZ.</p>



<p>On the left navigation pane, select <strong>Databases</strong> and click <strong>Create database</strong> to configure the details and create your DB. The below screenshot shows the summary details after the database is created.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="484" src="https://sampathblogs.online/wp-content/uploads/2020/09/25dbcreate-1024x484.jpg" alt="" class="wp-image-2166" srcset="https://sampathblogs.online/wp-content/uploads/2020/09/25dbcreate-1024x484.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2020/09/25dbcreate-300x142.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/09/25dbcreate-768x363.jpg 768w, https://sampathblogs.online/wp-content/uploads/2020/09/25dbcreate-600x284.jpg 600w, https://sampathblogs.online/wp-content/uploads/2020/09/25dbcreate-945x447.jpg 945w, https://sampathblogs.online/wp-content/uploads/2020/09/25dbcreate.jpg 1424w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p>As you can see, the MySQL DB engine is used and the DB subnet group created earlier has been selected. Once the <strong>Create database</strong> button is clicked, the database will be launched in a few minutes. The info item shown in the above screenshot should change from Creating to Available once the DB launch completes successfully. Copy the Endpoint field from the above for later use.</p>



<h4 class="wp-block-heading"><strong>Step 5 : Connect to your Database</strong></h4>



<p>Copy the IPv4 Public IP address from the description tab of the web server instance. Launch <strong>PuTTY</strong> to connect to the EC2 instance/server with SSH. Paste the IP address copied earlier in the Host Name/IP address section. Select the <strong>Auth</strong> item under <strong>Connection&gt;SSH</strong> in the PuTTY left navigation window. Navigate to and select your EC2 key file on the local PC and click Open. This will open a window similar to the command prompt, in which you need to enter the default login name <em>ec2-user</em> and any password set for the key file selected earlier. You are now logged on to the server. Type in the following commands to connect to RDS and perform the initial tests on the database.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">#Install MySQL client
$ sudo yum install mysql
#Connect to the RDS DB
$ mysql -h &lt;Endpointinfo> -u &lt;dbadminusrnameinfo> -p
#Display the existing databases
MySQL [(none)]> show databases;
#Use any database from the list, "lab-db" used here
MySQL [(none)]> use lab-db;
#Create a table abc
MySQL [lab-db]> create table abc (name VARCHAR(25), batch INT(5), phone VARCHAR(17));
#Insert values in the table abc
MySQL [lab-db]> insert into abc values ('Sampath', 1, 1234567);
#display the contents of the table abc to verify
MySQL [lab-db]> select * from abc;</pre>



<p>After the MySQL client is installed and the connect command is run, you will be prompted for the dbadmin password that was set during the launch of the Amazon RDS instance; enter it to connect to the DB. Once connected, execute the commands mentioned above to test the connection to the database.</p>



<p>Return to the AWS Management Console. On the navigation bar, click your account name. A drop-down menu will open; choose <strong>Sign Out</strong>.</p>



<p><strong>References :</strong></p>



<ul class="wp-block-list"><li><a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.CreatingConnecting.MySQL.html">https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.CreatingConnecting.MySQL.html</a></li><li><a href="https://aws.amazon.com/getting-started/hands-on/create-mysql-db/">https://aws.amazon.com/getting-started/hands-on/create-mysql-db/</a></li><li><a href="https://aws.amazon.com/premiumsupport/knowledge-center/rds-mysql-ssh-workbench-connect-ec2/">https://aws.amazon.com/premiumsupport/knowledge-center/rds-mysql-ssh-workbench-connect-ec2/</a></li></ul>



<p><strong>Additional Reading :</strong></p>



<ul class="wp-block-list"><li><a href="https://sampathblogs.online/2020/09/launch-a-web-server-on-aws-cloud/">Launch a Web Server on AWS Cloud</a></li><li><a href="https://sampathblogs.online/2020/04/an-introduction-to-aws-cloud-apn/">An Introduction to AWS Cloud &amp; APN</a></li></ul>
]]></content:encoded>
					
					<wfw:commentRss>https://sampathblogs.online/2020/09/launch-a-db-server-and-interact-with-your-db-on-aws-cloud/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Launch a Web Server on AWS Cloud</title>
		<link>https://sampathblogs.online/2020/09/launch-a-web-server-on-aws-cloud/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=launch-a-web-server-on-aws-cloud</link>
					<comments>https://sampathblogs.online/2020/09/launch-a-web-server-on-aws-cloud/#respond</comments>
		
		<dc:creator><![CDATA[mail2sampath]]></dc:creator>
		<pubDate>Fri, 25 Sep 2020 13:25:38 +0000</pubDate>
				<category><![CDATA[Technical]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[IT Infrastructure Service]]></category>
		<guid isPermaLink="false">https://sampathblogs.online/?p=2102</guid>

					<description><![CDATA[In this blog post I will take you through the steps from creating a Virtual Private Cloud (VPC) to adding additional components like Availability Zone, Subnets, EC2 Instance. Later on you will be creating security groups for the EC2 instance,... <a class="more-link" href="https://sampathblogs.online/2020/09/launch-a-web-server-on-aws-cloud/">Continue Reading &#8594;</a>]]></description>
										<content:encoded><![CDATA[
<p>In this blog post I will take you through the steps from creating a Virtual Private Cloud (VPC) to adding components such as an Availability Zone, subnets and an EC2 instance. Later on you will create security groups for the EC2 instance, then configure and customize the EC2 instance to run a web server and launch it into the VPC. <strong>Amazon VPC </strong>enables you to launch AWS resources into a virtual network that you define (similar to the traditional network of a data center), with the benefit of scalability. You can create a VPC that spans multiple Availability Zones (AZ).</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="448" height="466" src="https://sampathblogs.online/wp-content/uploads/2020/08/VPC-1.png" alt="" class="wp-image-2115" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/VPC-1.png 448w, https://sampathblogs.online/wp-content/uploads/2020/08/VPC-1-288x300.png 288w" sizes="auto, (max-width: 448px) 100vw, 448px" /></figure></div>



<h3 class="wp-block-heading">Procedure</h3>



<p>Since we will be using AWS services here, the first step is to log in to the <a href="https://console.aws.amazon.com/">AWS Management Console</a> with your IAM user name and password. After logging in to the console, you will use the VPC wizard to create a VPC, an internet gateway and two subnets in a single Availability Zone. If a subnet&#8217;s traffic is routed to an internet gateway, the subnet is known as a public subnet; otherwise it is known as a private subnet. The wizard will also create a NAT gateway, which is used to provide internet access to instances in the private subnet. The internet gateway provides bidirectional access, whereas the NAT gateway provides only unidirectional, i.e., outbound, access to the internet.</p>



<h4 class="wp-block-heading"><strong>Step 1 : Launch the VPC Wizard</strong></h4>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="971" height="394" src="https://sampathblogs.online/wp-content/uploads/2020/08/aws-1.png" alt="" class="wp-image-2120" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/aws-1.png 971w, https://sampathblogs.online/wp-content/uploads/2020/08/aws-1-300x122.png 300w, https://sampathblogs.online/wp-content/uploads/2020/08/aws-1-768x312.png 768w, https://sampathblogs.online/wp-content/uploads/2020/08/aws-1-600x243.png 600w, https://sampathblogs.online/wp-content/uploads/2020/08/aws-1-945x383.png 945w" sizes="auto, (max-width: 971px) 100vw, 971px" /></figure>



<p>After logging in to the AWS Management Console, you can type <em>VPC</em> in the top left screen to move to the VPC dashboard shown in the center screen. Here, click the <strong>Launch VPC Wizard</strong> button to launch the wizard. On the wizard screen you can see that AWS supports 4 types of subnet configuration for a VPC: <em>VPC with a Single Public Subnet, <strong>VPC with Public and Private Subnets</strong>, VPC with Public and Private Subnets and Hardware VPN Access,</em> and <em>VPC with a Private Subnet Only and Hardware VPN Access</em>. In the current exercise you will be using both public and private subnets, so select the second option and click the <strong>Select</strong> button.</p>



<h4 class="wp-block-heading"><strong>Step 2 : Create VPC &amp; Subnets</strong></h4>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="603" height="464" src="https://sampathblogs.online/wp-content/uploads/2020/08/vpc-setting.jpg" alt="" class="wp-image-2119" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/vpc-setting.jpg 603w, https://sampathblogs.online/wp-content/uploads/2020/08/vpc-setting-300x231.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/08/vpc-setting-600x462.jpg 600w" sizes="auto, (max-width: 603px) 100vw, 603px" /></figure></div>



<p>When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block. You can create a publicly routable CIDR block or use the standard private CIDR ranges for your VPC. The CIDR block for the VPC is set to 10.0.0.0/16. Next, the CIDR blocks for Public Subnet 1 and Private Subnet 1 are set to 10.0.0.0/24 and 10.0.1.0/24 respectively, which means that they contain all IP addresses starting with 10.0.0.x and 10.0.1.x. When all the necessary fields have been filled in, click <strong>Create VPC</strong>. The wizard will now provision <strong>public subnet 1</strong> and <strong>private subnet 1</strong> in the same <strong>availability zone AZ1</strong>, with route tables for each subnet.</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="549" height="109" src="https://sampathblogs.online/wp-content/uploads/2020/08/route-table.jpg" alt="" class="wp-image-2121" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/route-table.jpg 549w, https://sampathblogs.online/wp-content/uploads/2020/08/route-table-300x60.jpg 300w" sizes="auto, (max-width: 549px) 100vw, 549px" /></figure></div>



<h4 class="wp-block-heading"><strong>Step 3 : Create Additional Subnets</strong></h4>



<p>In this step you will create two additional subnets, i.e., <strong>Public Subnet 2</strong> and <strong>Private Subnet 2</strong>, in a second <strong>availability zone AZ2</strong> to provide high availability. On the VPC dashboard left navigation pane, click <strong>Subnets</strong>. First, you will create a second public subnet by clicking <strong>Create Subnet</strong>. Enter the other details as follows.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="764" height="422" src="https://sampathblogs.online/wp-content/uploads/2020/08/task2-az2.jpg" alt="" class="wp-image-2124" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/task2-az2.jpg 764w, https://sampathblogs.online/wp-content/uploads/2020/08/task2-az2-300x166.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/08/task2-az2-600x331.jpg 600w" sizes="auto, (max-width: 764px) 100vw, 764px" /></figure>



<p>The public subnet is set to have all IP addresses starting with 10.0.2.x. Next, you will create a second private subnet by clicking <strong>Create Subnet</strong>.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="762" height="421" src="https://sampathblogs.online/wp-content/uploads/2020/08/task2-prv.jpg" alt="" class="wp-image-2125" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/task2-prv.jpg 762w, https://sampathblogs.online/wp-content/uploads/2020/08/task2-prv-300x166.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/08/task2-prv-600x331.jpg 600w" sizes="auto, (max-width: 762px) 100vw, 762px" /></figure>



<p>As you can see, the private subnet is set to have all IP addresses starting with 10.0.3.x.</p>



<h4 class="wp-block-heading"><strong>Step 4 : Configure the Route Table of Subnets to connect to the Internet</strong></h4>



<p>First, you will configure the private subnet to route internet-bound traffic to the NAT gateway (which resides in the public subnet), so that resources in the private subnet are able to connect to the internet while still remaining private. This is done by configuring the route table. On the left navigation pane, click <strong>Route Tables</strong>. Select the route table with VPC name as <strong>Lab VPC</strong> and <strong>Main = Yes</strong>. In the lower pane, click the <strong>Routes </strong>tab. Note that the traffic destined for the internet (0.0.0.0/0) will be sent to the <strong>NAT gateway</strong>. In the upper pane <strong>Name </strong>column, click the pencil icon and then type <em>Private Route Table</em> to edit the name.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="739" height="420" src="https://sampathblogs.online/wp-content/uploads/2020/08/17-RT.jpg" alt="" class="wp-image-2126" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/17-RT.jpg 739w, https://sampathblogs.online/wp-content/uploads/2020/08/17-RT-300x171.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/08/17-RT-600x341.jpg 600w" sizes="auto, (max-width: 739px) 100vw, 739px" /></figure>



<p>Next, click the <strong>Subnet Associations</strong> tab in the lower pane. Click the <strong>Edit subnet associations</strong> button, select both private subnet 1 and private subnet 2, and click Save. Both private subnets are now associated with the <em>Private Route Table</em>.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="588" height="359" src="https://sampathblogs.online/wp-content/uploads/2020/08/21-prvsubnet.jpg" alt="" class="wp-image-2127" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/21-prvsubnet.jpg 588w, https://sampathblogs.online/wp-content/uploads/2020/08/21-prvsubnet-300x183.jpg 300w" sizes="auto, (max-width: 588px) 100vw, 588px" /></figure>



<p>Now that you are done with configuring the route table for the private subnets, you will configure the route table that is used by the public subnets. Similar to the steps performed above, under the <strong>Route Tables</strong> item, select the route table with VPC name as <strong>Lab VPC</strong> and <strong>Main = Yes</strong>. Type <em>Public Route Table</em> to customize the displayed name. In the lower pane, click the <strong>Routes </strong>tab. Note that the internet-bound traffic (0.0.0.0/0) will be sent straight to the internet via the <strong>internet gateway</strong>.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="765" height="495" src="https://sampathblogs.online/wp-content/uploads/2020/08/25-pubsubnet.jpg" alt="" class="wp-image-2128" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/25-pubsubnet.jpg 765w, https://sampathblogs.online/wp-content/uploads/2020/08/25-pubsubnet-300x194.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/08/25-pubsubnet-600x388.jpg 600w" sizes="auto, (max-width: 765px) 100vw, 765px" /></figure>



<p>Now you will associate the above route table with both public subnets by moving to the <strong>Subnet Associations</strong> tab as shown below. Click the <strong>Edit subnet associations</strong> button, select both public subnet 1 and public subnet 2, and click Save.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="742" height="446" src="https://sampathblogs.online/wp-content/uploads/2020/08/28-pubassociation.jpg" alt="" class="wp-image-2129" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/28-pubassociation.jpg 742w, https://sampathblogs.online/wp-content/uploads/2020/08/28-pubassociation-300x180.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/08/28-pubassociation-600x361.jpg 600w" sizes="auto, (max-width: 742px) 100vw, 742px" /></figure>



<p>You now have a VPC with Public and Private Subnets that is configured in two Availability Zones.</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="725" height="448" src="https://sampathblogs.online/wp-content/uploads/2020/08/VPC-ip-2.png" alt="" class="wp-image-2133" srcset="https://sampathblogs.online/wp-content/uploads/2020/08/VPC-ip-2.png 725w, https://sampathblogs.online/wp-content/uploads/2020/08/VPC-ip-2-300x185.png 300w, https://sampathblogs.online/wp-content/uploads/2020/08/VPC-ip-2-600x371.png 600w" sizes="auto, (max-width: 725px) 100vw, 725px" /></figure></div>
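<p>The layout built in Steps 2 to 4 can be checked mechanically. The following is an added example, not part of the original post: it verifies that the four subnet CIDR blocks sit inside the VPC range without overlapping, and works out from the route tables whether each subnet really ends up public or private. The dictionaries use the field names of the EC2 DescribeSubnets and DescribeRouteTables responses; all IDs are constructed, and it assumes the <em>Private Route Table</em> is the VPC's main route table.</p>

```python
"""Check the Step 2-4 layout: subnet CIDRs plus each subnet's effective default route.

The dicts use the field names of the EC2 DescribeSubnets / DescribeRouteTables
responses. Every ID and all sample data are constructed for this example.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
LOCAL = {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"}

SUBNETS = [
    {"SubnetId": "subnet-pub1", "CidrBlock": "10.0.0.0/24", "AvailabilityZone": "AZ1"},
    {"SubnetId": "subnet-prv1", "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "AZ1"},
    {"SubnetId": "subnet-pub2", "CidrBlock": "10.0.2.0/24", "AvailabilityZone": "AZ2"},
    {"SubnetId": "subnet-prv2", "CidrBlock": "10.0.3.0/24", "AvailabilityZone": "AZ2"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private",  # assumed main table, default route via the NAT gateway
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}],
     "Associations": [{"Main": True},
                      {"Main": False, "SubnetId": "subnet-prv1"},
                      {"Main": False, "SubnetId": "subnet-prv2"}]},
    {"RouteTableId": "rtb-public",   # default route via the internet gateway
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-pub1"},
                      {"Main": False, "SubnetId": "subnet-pub2"}]},
]
EXPECTED = {"subnet-pub1": "public", "subnet-pub2": "public",
            "subnet-prv1": "private", "subnet-prv2": "private"}


def check_cidrs(vpc_cidr, subnets):
    """Return problems for subnets outside the VPC range or overlapping each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(s["SubnetId"], ipaddress.ip_network(s["CidrBlock"])) for s in subnets]
    problems = [f"{sid}: {net} is outside {vpc}" for sid, net in nets if not net.subnet_of(vpc)]
    for i, (sid_a, net_a) in enumerate(nets):
        for sid_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{sid_a} overlaps {sid_b}")
    return problems


def effective_route_table(subnet_id, route_tables):
    """An explicit association wins; otherwise the main route table applies."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def default_route_target(table):
    """Say where 0.0.0.0/0 is sent: 'igw', 'nat', 'other' or 'none'."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if (route.get("GatewayId") or "").startswith("igw-"):
            return "igw"
        if (route.get("NatGatewayId") or "").startswith("nat-"):
            return "nat"
        return "other"
    return "none"


def classify_subnets(subnets, route_tables):
    """A subnet is public only if its effective default route is an internet gateway."""
    result = {}
    for subnet in subnets:
        table = effective_route_table(subnet["SubnetId"], route_tables)
        target = default_route_target(table) if table else "none"
        result[subnet["SubnetId"]] = "public" if target == "igw" else "private"
    return result


def audit(expected, subnets, route_tables, vpc_cidr=VPC_CIDR):
    """Combine the CIDR check with the expected public/private role of each subnet."""
    problems = check_cidrs(vpc_cidr, subnets)
    actual = classify_subnets(subnets, route_tables)
    for subnet_id, want in expected.items():
        if actual.get(subnet_id) != want:
            problems.append(f"{subnet_id}: expected {want}, routing makes it {actual.get(subnet_id)}")
    return problems


if __name__ == "__main__":
    print(audit(EXPECTED, SUBNETS, ROUTE_TABLES) or "layout matches the plan")
```

<p>With the private table as the main route table, a subnet that is left without an explicit association falls back to the NAT route and stays private, which is the safer way for a forgotten association to fail.</p>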



<h4 class="wp-block-heading"><strong>Step 5 : Create a VPC Security Group</strong></h4>



<p>In this step you will create a VPC security group that can be associated with instances. You can add rules to each security group that allow traffic to or from its associated instances. In the left navigation pane, click <strong>Security Groups</strong>. Click <strong>Create security group</strong> and configure as follows :</p>



<div class="wp-block-image is-style-default"><figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" src="https://sampathblogs.online/wp-content/uploads/2020/09/31-secgrp.jpg" alt="" class="wp-image-2135" width="358" height="401" srcset="https://sampathblogs.online/wp-content/uploads/2020/09/31-secgrp.jpg 386w, https://sampathblogs.online/wp-content/uploads/2020/09/31-secgrp-267x300.jpg 267w" sizes="auto, (max-width: 358px) 100vw, 358px" /></figure></div>



<p>You will now add a rule to the above security group to permit inbound web requests. In the <strong>Inbound rules</strong> section, click Add rule, then configure (Type : <em>HTTP</em>, Source : <em>Anywhere</em>, Description : <em>Permit web requests</em>). Scroll down and click Create security group. The settings will appear as follows.</p>



<figure class="wp-block-image size-large is-resized"><img loading="lazy" decoding="async" src="https://sampathblogs.online/wp-content/uploads/2020/09/33-secgrp-1024x179.jpg" alt="" class="wp-image-2136" width="762" height="133" srcset="https://sampathblogs.online/wp-content/uploads/2020/09/33-secgrp-1024x179.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2020/09/33-secgrp-300x52.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/09/33-secgrp-768x134.jpg 768w, https://sampathblogs.online/wp-content/uploads/2020/09/33-secgrp-600x105.jpg 600w, https://sampathblogs.online/wp-content/uploads/2020/09/33-secgrp-945x165.jpg 945w, https://sampathblogs.online/wp-content/uploads/2020/09/33-secgrp.jpg 1103w" sizes="auto, (max-width: 762px) 100vw, 762px" /></figure>
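<p>Opening HTTP to <em>Anywhere</em> is intended for a public web server, but the same source on any other port deserves a second look. The following added example (not part of the original post) scans security group rules, in the IpPermissions shape of the EC2 DescribeSecurityGroups response, for anything open to the whole internet other than the ports you mean to publish. The rule data and the second group are constructed.</p>

```python
"""Flag security-group rules that are open to the whole internet.

Rules use the IpPermissions shape of the EC2 DescribeSecurityGroups response.
The rule data and the "example-admin-sg" group are constructed for this example.
"""
import ipaddress

PUBLIC_TCP_PORTS = {80}  # Step 5 publishes only HTTP to "Anywhere"

# The group from Step 5: HTTP from anywhere
WEB_SG = {"GroupName": "Web Security Group", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Permit web requests"}],
     "Ipv6Ranges": []}]}

# Constructed counter-example: SSH from anywhere, MySQL from inside the VPC only
ADMIN_SG = {"GroupName": "example-admin-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]}


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. a source of 'Anywhere'."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def world_open_findings(group, allowed_ports=PUBLIC_TCP_PORTS):
    """Return one finding per inbound rule that exposes more than allowed_ports to the world."""
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_sources = [c for c in sources if is_world(c)]
        if not open_sources:
            continue  # restricted to specific networks
        protocol = perm.get("IpProtocol")
        low, high = perm.get("FromPort"), perm.get("ToPort")
        if protocol == "-1":
            rule = "all traffic"  # "-1" means every protocol and port
        else:
            if (protocol == "tcp" and low is not None
                    and all(port in allowed_ports for port in range(low, high + 1))):
                continue  # only intentionally published ports
            rule = f"{protocol} {low}-{high}"
        findings.append({"group": group["GroupName"], "rule": rule, "sources": open_sources})
    return findings


if __name__ == "__main__":
    for sg in (WEB_SG, ADMIN_SG):
        print(sg["GroupName"], world_open_findings(sg))
```

<p>For findings such as the constructed SSH rule, the usual fix is to replace the <em>Anywhere</em> source with the specific address range that needs access.</p>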



<h4 class="wp-block-heading"><strong>Step 6 : Launch a Web Server Instance</strong></h4>



<p>In this step you will launch an AWS EC2 instance into public subnet 2. This EC2 instance will be configured to act as a web server. On the AWS Management Console <strong>Services </strong>menu, click EC2 and then click the <strong>Launch Instance</strong> button. On the <strong>Choose an Amazon Machine Image (AMI)</strong> page you can select a free tier eligible OS, Amazon Linux 2. On the next page, <strong>Choose an Instance Type</strong>, you select the hardware resources assigned to the instance. Here you can select the free tier eligible instance type, t3.micro. On the next page, <strong>Configure Instance Details</strong>, you will configure the instance to launch in public subnet 2 of the VPC with the settings Network : <em>Lab VPC</em>, Subnet : <em>Public Subnet 2</em>, Auto-assign Public IP : <em>Enable</em>. In the <strong>Advanced Details &gt; User Data</strong> box, enter the code below.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="raw" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">#!/bin/bash
# Install Apache Web Server and PHP 
yum install -y httpd mysql php 
# Turn on web server 
chkconfig httpd on 
service httpd start
# Let ec2-user manage the web root through the apache group
usermod -a -G apache ec2-user
chown -R ec2-user:apache /var/www
chmod 2775 /var/www
find /var/www -type d -exec chmod 2775 {} \;
find /var/www -type f -exec chmod 0664 {} \;
# Create a PHP test file
echo "&lt;?php phpinfo(); ?>" > /var/www/html/phpinfo.php</pre>



<p>This script will run automatically when the instance launches for the first time. It installs Apache, PHP and the MySQL client, starts the web server, and creates a PHP test file. Next, click the <strong>Next: Add Storage</strong> button and use the default settings. Then click <strong>Next: Add Tags</strong> and configure as follows. As tags are used to assign a name to the instance, you will assign the name <em>Web Server 1</em> here.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="214" src="https://sampathblogs.online/wp-content/uploads/2020/09/44tags-1024x214.jpg" alt="" class="wp-image-2139" srcset="https://sampathblogs.online/wp-content/uploads/2020/09/44tags-1024x214.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2020/09/44tags-300x63.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/09/44tags-768x161.jpg 768w, https://sampathblogs.online/wp-content/uploads/2020/09/44tags-600x125.jpg 600w, https://sampathblogs.online/wp-content/uploads/2020/09/44tags-945x198.jpg 945w, https://sampathblogs.online/wp-content/uploads/2020/09/44tags.jpg 1234w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p>Next, click on <strong>Next: Configure Security Group</strong> and configure the instance to use the <em>Web Security Group</em> created in the earlier step as follows. This will permit HTTP access to the instance.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="198" src="https://sampathblogs.online/wp-content/uploads/2020/09/47secgrp-1024x198.jpg" alt="" class="wp-image-2140" srcset="https://sampathblogs.online/wp-content/uploads/2020/09/47secgrp-1024x198.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2020/09/47secgrp-300x58.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/09/47secgrp-768x148.jpg 768w, https://sampathblogs.online/wp-content/uploads/2020/09/47secgrp-600x116.jpg 600w, https://sampathblogs.online/wp-content/uploads/2020/09/47secgrp-945x182.jpg 945w, https://sampathblogs.online/wp-content/uploads/2020/09/47secgrp.jpg 1295w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p>Once the security group is set as above, click the <strong>Review and Launch</strong> button, which will display all the set parameters for review as follows. Once done, click <strong>Launch</strong>.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="504" src="https://sampathblogs.online/wp-content/uploads/2020/09/50review-1024x504.jpg" alt="" class="wp-image-2141" srcset="https://sampathblogs.online/wp-content/uploads/2020/09/50review-1024x504.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2020/09/50review-300x148.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/09/50review-768x378.jpg 768w, https://sampathblogs.online/wp-content/uploads/2020/09/50review-600x295.jpg 600w, https://sampathblogs.online/wp-content/uploads/2020/09/50review-945x465.jpg 945w, https://sampathblogs.online/wp-content/uploads/2020/09/50review.jpg 1238w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p>In the <strong>Select an existing keypair</strong> dialog, check the <em>I acknowledge&#8230;</em> option. Then click the <strong>Launch Instances</strong> button, followed by <strong>View Instances</strong> to check the status. Wait until <em>Web Server 1</em> shows 2/2 checks passed in the <strong>Status Checks</strong> column. The web server is now ready.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="196" src="https://sampathblogs.online/wp-content/uploads/2020/09/55websrvr-1024x196.jpg" alt="" class="wp-image-2142" srcset="https://sampathblogs.online/wp-content/uploads/2020/09/55websrvr-1024x196.jpg 1024w, https://sampathblogs.online/wp-content/uploads/2020/09/55websrvr-300x57.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/09/55websrvr-768x147.jpg 768w, https://sampathblogs.online/wp-content/uploads/2020/09/55websrvr-600x115.jpg 600w, https://sampathblogs.online/wp-content/uploads/2020/09/55websrvr-945x180.jpg 945w, https://sampathblogs.online/wp-content/uploads/2020/09/55websrvr.jpg 1236w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<h4 class="wp-block-heading"><strong>Step 7 : Connect to the Web Server and Close</strong></h4>



<p>In this step you will check the connection to the web server running on the EC2 instance over the internet. Copy the <strong>Public DNS (IPv4)</strong> value shown at the bottom of the page in the Description section of the above screenshot. Open a new web browser tab, paste the <strong>Public DNS</strong> value and press Enter. Alternatively, enter the following URL, with your own Public DNS value as the host name.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="html" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">http://my.public.dns.amazonaws.com/phpinfo.php</pre>



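<p>You should see the PHP information page, which confirms that your web server has been launched successfully. The PHP information page exposes PHP and server configuration details to anyone who can reach it, so delete <em>phpinfo.php</em> once you have confirmed that the server works. In case you have not specified anything in the <strong>User Data</strong> box while launching the web server, the following method is needed to connect to the web server.</p>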



<p>Copy the IPv4 Public IP address from the Description tab of the web server instance. Launch <strong>PuTTY </strong>to connect to the EC2 instance/server with SSH. Paste the IP address into the Host Name/IP address field. Select the <strong>Auth </strong>item under <strong>Connection&gt;SSH</strong> in the PuTTY left navigation window. Navigate to and select your EC2 key file on the local PC and click Open. This will open a window similar to the command prompt, in which you need to enter the default login name <em>ec2-user</em> and any password set for the selected key file to log on to the server. The following commands need to be entered.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="raw" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">#Change to the root user
$ sudo su -
#Install Apache Web Server 
$ yum install httpd
#Start the Apache web server
$ systemctl start httpd
#Create a file and make an entry "test server"
$ vi /var/www/html/index.html</pre>



<p>Once the Apache server is installed and the file is created, enter the <strong>Public DNS (IPv4)</strong> value from <em>Step 6</em> into a browser. The browser should display the text entered in the file, i.e., <em>test server</em>.</p>



<p>Return to the AWS Management Console. On the navigation bar, click your account name. In the drop-down menu that opens, choose <strong>Sign Out</strong>.</p>






<p><strong>Additional Reading :</strong></p>



<ul class="wp-block-list"><li><a href="https://sampathblogs.online/2020/04/an-introduction-to-aws-cloud-apn/">An Introduction to AWS Cloud &amp; APN</a></li><li><a href="https://sampathblogs.online/2020/09/launch-a-db-server-and-interact-with-your-db-on-aws-cloud/">Launch a DB Server and Interact with your DB on AWS Cloud</a> </li></ul>



]]></content:encoded>
					
					<wfw:commentRss>https://sampathblogs.online/2020/09/launch-a-web-server-on-aws-cloud/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>An Introduction to OCI Cloud Operations</title>
		<link>https://sampathblogs.online/2020/06/an-introduction-to-oci-cloud-operations/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=an-introduction-to-oci-cloud-operations</link>
					<comments>https://sampathblogs.online/2020/06/an-introduction-to-oci-cloud-operations/#respond</comments>
		
		<dc:creator><![CDATA[mail2sampath]]></dc:creator>
		<pubDate>Thu, 25 Jun 2020 07:47:34 +0000</pubDate>
				<category><![CDATA[Technical]]></category>
		<category><![CDATA[Cloud]]></category>
		<guid isPermaLink="false">https://sampathblogs.online/?p=1888</guid>

					<description><![CDATA[In this blog you will be introduced to the OCI Cloud Operation aspects. I went through a course on the same recently and would like to brief on the same. Introduction Cloud Operation refers to managing resources on the cloud... <a class="more-link" href="https://sampathblogs.online/2020/06/an-introduction-to-oci-cloud-operations/">Continue Reading &#8594;</a>]]></description>
										<content:encoded><![CDATA[
<p>In this blog you will be introduced to the operational aspects of OCI cloud. I recently went through a course on the subject and would like to give a brief overview of it.</p>



<h2 class="wp-block-heading">Introduction</h2>



<p>Cloud Operation refers to managing resources on the cloud using different tools that help to gain insight and automation control in order to deploy applications faster. The operation tasks may involve building, configuring, monitoring, protecting, governing and securing the cloud resources. Operation tasks can be performed either manually or can be automated. <em>Manual</em> operation involves logging on to the console, controlling deployments and creating a central repository through scripting. <em>Automation</em> involves using Terraform or Ansible, or a combination of scripting and other tools, to achieve scaling.</p>



<p>In OCI operation tasks, there are a few frequently used terms that one must become familiar with. The list of terms is as follows :</p>



<ul class="wp-block-list"><li>Idempotent &#8211; This means that a change or other action is not applied more than once, which avoids duplication.</li><li>Immutable &#8211; A type of infrastructure or service on which changes are never made. When the time comes to troubleshoot, the resource is simply replaced.</li><li>Ephemeral &#8211; A term used to refer to impermanent resources or temporary resource assignments.</li><li>Stateless &#8211; The notion that an application is constructed in such a way as to avoid reliance on any single component to manage transactional or session related information. Here immutable instances may be used for stateless application deployment.</li><li>Infrastructure as Code (IaC) &#8211; The process of managing and provisioning cloud resources and services through machine readable definition files, rather than physical hardware configuration files or interactive configuration tools.</li></ul>



<p>The OCI Automation tools can be listed as follows :</p>



<ul class="wp-block-list"><li><strong>Application Programming Interface (API)</strong> &#8211; A set of clearly defined methods of communication among various components for building software. It forms the crux of the cloud environment.</li><li><strong>Software Development Kit (SDK)</strong> &#8211; A set of tools that can be used to create and develop applications. It is an abstraction layer between the API and software development that enables you to programmatically interact with your OCI. E.g.: Ruby, Python, Java</li><li><strong>Command Line Interface (CLI)</strong> &#8211; A client only tool used to execute commands that affect resources in the form of create, modify and delete. It is an essential tool for task automation using OCI resources. It provides the same capabilities as the console, or extended ones. When combined with PowerShell/Bash scripts it can provide powerful automation capabilities. Direct OCI API interaction is possible.</li><li><strong>Terraform </strong>&#8211; A client only open source tool for managing IaC/orchestration. You can think of it as a platform interpreter that reads declarative text and converts it into API calls. <em>Immutable</em> resources are used here.</li><li><strong>Ansible </strong>&#8211; A client only tool that can be used as a configuration management tool, a DevOps tool and an IaC tool.</li><li><strong>Chef </strong>&#8211; A client/server configuration management tool.</li></ul>



<p>Each of the above tools has many capabilities, which can be classified as follows :</p>



<ul class="wp-block-list"><li>Programming &#8211; API, SDK</li><li>Provisioning &#8211; API, SDK, Ansible, Terraform</li><li>Monitoring &#8211; API, SDK</li><li>Various other actions &#8211; API, SDK </li><li>Multi Cloud Compatible, Provisioning &#8211; Terraform, Ansible  (Non OCI specific tools) </li><li>Automation of simple repeatable tasks &#8211; CLI</li><li>Manage application deployment &amp; configuration &#8211; Ansible / Chef</li><li>Creating or destroying complex application architecture &#8211; Terraform </li></ul>



<h2 class="wp-block-heading">Infrastructure as Code</h2>



<p>For a long time, manual intervention was the only way of managing computer infrastructure. Servers had to be mounted on racks, operating systems had to be installed, and networks had to be connected and configured. At the time, this wasn&#8217;t a problem, as development cycles were so long-lived that infrastructure changes were infrequent and there was a relatively limited scale of deployment. Later, however, several technologies such as virtualization and the cloud, combined with the rise of DevOps and agile practices, shortened software development cycles dramatically. As a result, there was a demand for better infrastructure management techniques. Organizations could no longer afford to wait for hours or days for servers to be deployed, which is where the IaC technique was helpful in raising the standard.</p>



<p>At present, the scale of infrastructure is also much, much higher, because instead of a handful of large instances, we might have many smaller instances, so there are many more things we need to provision. We might need to scale up or scale down to handle a load in order to save on cost. With the IaC technique, you can just run a script every day that brings up a thousand instances, and every evening run the same script to bring the count back down to whatever the evening load requires. In the case of OCI, the following are the three types of IaC one can make use of :</p>



<h4 class="wp-block-heading">Scripting</h4>



<p>Writing scripts is the most direct approach to IaC. Ad-hoc scripts are best for executing simple, short, or one-off tasks. For complex setups, however, it&#8217;s best to use a more specialized alternative. The <strong>OCI CLI</strong> is a unified tool that allows interaction with most services through a single command. Scripting options can be used with the CLI in order to make life easier. A CLI command takes the format shown below. After entering the <em>program command</em>, i.e., &#8220;$ oci&#8221;, specify the <em>service name</em> such as &#8220;compute&#8221;, followed by the component and the <em>action</em> on it, such as &#8220;list&#8221; on &#8220;instance&#8221;, and any <em>additional switches</em>.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ oci compute instance list --additional parameters</pre>



<p>Moving on to configuration, before using the CLI you must provide IAM credentials with appropriate access. The credentials provided will be separated into profiles and stored in <code>~/.oci/config</code>. Credentials may be input manually or by using the following setup command.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ oci setup config</pre>



<p>The above command will create your default profile, which appears as default in square brackets in the <em>config file</em>. Multiple profiles can be specified in the same config file, each under its own square-bracketed name, with a different region, tenancy, compartment and other details for each user. During authentication, just specify the <em>profile name</em>, here &#8220;dev_compartment&#8221;, as follows in order to use it.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ oci compute image list --profile dev_compartment</pre>
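<p>Because every profile in <code>~/.oci/config</code> points at an API signing key, the file and the keys should be readable by their owner only. The following is an added example, not part of the original post: it lists each profile&#8217;s <code>key_file</code> and reports any config or key that group or others can access. The function names and the sample files it builds are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: audit an OCI CLI config file and the API signing keys that
# its profiles point to. The files built by make_sample are constructed.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeeds when group or others have any permission bit set on the file.
is_too_open() {
  mode=$(file_mode "$1") || return 1
  [ $(( 0$mode & 077 )) -ne 0 ]
}

# Print "profile<TAB>key_file" for every profile that sets key_file.
list_profile_keys() {
  profile=
  while read -r line || [ -n "$line" ]; do
    case $line in
      '['*']') profile=${line#?}; profile=${profile%?} ;;
      key_file*=*)
        value=${line#*=}
        value=${value#"${value%%[! ]*}"}   # drop spaces after "="
        printf '%s\t%s\n' "$profile" "$value" ;;
    esac
  done < "$1"
}

# Print one line per finding; prints nothing when everything is owner-only.
audit_oci_config() {
  config=$1
  tab=$(printf '\t')
  if is_too_open "$config"; then
    echo "config $config: mode $(file_mode "$config"), expected 600"
  fi
  list_profile_keys "$config" | while IFS=$tab read -r profile key; do
    case $key in "~/"*) key=$HOME/${key#"~/"} ;; esac
    if [ ! -f "$key" ]; then
      echo "[$profile] key_file not found: $key"
    elif is_too_open "$key"; then
      echo "[$profile] key_file $key: mode $(file_mode "$key"), expected 600"
    fi
  done
}

# Build a constructed config with three profiles under directory $1.
make_sample() {
  printf 'constructed placeholder, not a real key\n' > "$1/good.pem"
  cp "$1/good.pem" "$1/open.pem"
  chmod 600 "$1/good.pem"
  chmod 644 "$1/open.pem"
  cat > "$1/config" <<EOF
[DEFAULT]
user=ocid1.user.oc1..constructed
key_file=$1/good.pem
[dev_compartment]
key_file = $1/open.pem
[ops]
key_file=$1/missing.pem
EOF
  chmod 600 "$1/config"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_oci_config "$demo_dir/config"
rm -rf "$demo_dir"
```

<p>On a real workstation, call <code>audit_oci_config ~/.oci/config</code>; the CLI&#8217;s own <code>oci setup repair-file-permissions --file</code> command resets the mode of a file it reports.</p>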



<p>Once the CLI is set up and configured with profiles and user credentials, the next step is to use optional configurations to extend CLI functionality. The default location and file name for the CLI-specific configuration file is <code>~/.oci/oci_cli_rc</code>. This file can be used to specify a default profile, define aliases for commands and options, set a default compartment per CLI profile, etc. Use the following command for setup.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ oci setup oci-cli-rc</pre>



<p>Other helpful features are the <em>output</em>, <em>query</em>, <em>generate-full-command-json-input</em> and <em>from-json</em> options, which can be used as part of the &#8220;$ oci&#8221; command to reduce the effort of command execution and simplify the resulting output.</p>



<p><strong>Launching a Compute Instance</strong> :</p>



<p>The command parameter <em>--generate-full-command-json-input</em> can be used to create a template shell into which you may configure specific values. This is great for creating resource templates such as a development compute instance. The following command generates the template.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ oci compute instance launch --generate-full-command-json-input > compute_template.json</pre>



<p>Once the template is ready, update the required and optional parameters and remove the unused ones. After that, you can launch an OCI compute instance as below using <em>--from-json</em> and specifying the JSON template. There is no need to input additional parameters from the CLI.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ oci compute instance launch --from-json file://compute_template.json</pre>



<p>A script can be used to orchestrate several tasks. Through a bash script, you can launch a new instance, wait for it to respond to an SSH request, and test the sample website. Through a single script stored in source control such as GitHub, the OCI compartment list, network VCN list, subnet list, private IP list and compute name of all the concerned servers in a single region can be displayed. Data backups and simple archival tasks to/from object storage can be automated using the CLI with the <em>get</em> and <em>put</em> commands. The examples below show a multipart download (get) with its parameters controlled, and an upload (put) with multipart disabled.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ oci os object get -bn MyBucket --file My5Gfile --name MyObject --part-size 512 --multipart-download-threshold 512</pre>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ oci os object put -bn MyBucket --file My5Gfile --no-multipart</pre>



<p><strong>Using the Console</strong> :</p>



<p>Now let us get a view of working on the console using the OCI CLI. A user can login to his tenancy in the OCI using the console with the user name and password provided. Once logged in, the screen appears as follows :</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1005" height="271" src="https://sampathblogs.online/wp-content/uploads/2020/06/ociconsole.jpg" alt="" class="wp-image-1926" srcset="https://sampathblogs.online/wp-content/uploads/2020/06/ociconsole.jpg 1005w, https://sampathblogs.online/wp-content/uploads/2020/06/ociconsole-300x81.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/06/ociconsole-768x207.jpg 768w, https://sampathblogs.online/wp-content/uploads/2020/06/ociconsole-600x162.jpg 600w, https://sampathblogs.online/wp-content/uploads/2020/06/ociconsole-945x255.jpg 945w" sizes="auto, (max-width: 1005px) 100vw, 1005px" /></figure>



<p>One more prerequisite to get started is to have a terminal to SSH login (Git-bash terminal used for windows) to the instance. Once this is ready, you can create a VCN by clicking on the bottom left icon in the above figure. Provide an arbitrary name, other suitable options and click on <em>Create Virtual Cloud Network</em> button to create your VCN. Once created, you can observe that a total of 3 <em>public subnets</em> are created automatically, one each in the 3 <em>Fault Domains</em>.</p>



<p>Navigate to <strong>Compute &gt; Instances</strong> on the console. But before creating an instance, open the Git bash terminal to generate the SSH key using the command <em><code>ssh-keygen</code></em>. Once the key file is given an appropriate name and generated (*.pub file), you can go ahead and create the instance by clicking on the <strong>Create Instance</strong> button in the console. Provide a suitable name (CLI-ex) for the instance and click on <em>Change Image Source</em> to select the appropriate image for the instance. The rest of the settings like AD, Instance type, Instance shape, compartment, VCN, Subnet, Assign a public IP address, Boot volume, SSH Key (earlier key) should be appropriately set. Finally, click the <em>Create</em> button to create the instance.</p>



<p>Next, hop on to the Git bash terminal to log in securely to the instance over SSH. Type the command <code>ssh -i cli opc@<em>Public IP address of instance</em></code>. If the connection is a success, the prompt on the left side of the terminal will read <strong>[opc@CLI-ex  ~]$</strong>. Now you can check the version using the command <code>oci -v</code>. Next, type the <code>oci setup config</code> command, after which you will be prompted for the user OCID and tenancy OCID, which can be found under the <strong>Identity &gt; Users</strong> and <strong>Profile &gt; Tenancy</strong> options respectively.</p>



<p>Next you will be prompted to set the location information and the RSA key. The public RSA key can be output with the command, <code>cat oci_api_key_public.pem</code>. The key data needs to be copied and pasted onto <strong>Profile &gt; Add Public Key</strong> . Finally, type the following command to get an error free output in which case the instance is configured properly.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ oci iam availability-domain list</pre>



<p>In the following steps you will be introduced to the commands to verify the compartment ID, create a VCN, create a subnet and launch an instance. To start with, navigate to <strong>Identity &gt; Compartments</strong> and copy your newly created compartment ID.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ oci network vcn list --compartment-id PASTE THE COMPARTMENT ID</pre>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ export cid=PASTE THE COMPARTMENT ID</pre>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ oci network vcn list --compartment-id $cid</pre>



<p>Once the <em>compartment ID is verified</em>, next step would be to create a <em>new VCN </em>followed by creating a <em>subnet </em>within the VCN. The following command would provide the necessary output for VCN creation.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ oci network vcn create --cidr-block TYPE IP ADDRESS -c $cid --display-name CLI-Demo-VCN --dns-label clidemovcn</pre>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ oci network subnet create --cidr-block TYPE IP ADDRESS -c $cid --vcn-id GRAB IT FROM ABOVE CMD O/P --security-list-ids '["GRAB THE SECURITY ID FROM ABOVE CMD O/P"]'</pre>



<p>Now that you are ready with subnet, the next step would be to <em>create internet gateway</em> and <em>update the route table </em>as follows.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ oci network internet-gateway create -c $cid --is-enabled true --vcn-id GRAB IT FROM ABOVE CMD O/P --display-name DemoIGW</pre>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ oci network route-table update --rt-id GRAB IT FROM THE ABOVE O/P --route-rules '[{"cidrBlock":"0.0.0.0/0","networkEntityId":"TYPE THE INTERNET GATEWAY OCID"}]'</pre>



<p>Now that you have all this up and running, you can use query feature to find Oracle Linux Image IDs, and launch instances inside this subnet.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ oci compute image list --compartment-id TYPE COMPARTMENT ID --query "data[?contains(\"display-name\",'Oracle')]|[0:1].[\"display-name\",id]"</pre>



<p>The following commands will help to launch and check the status of instance.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ oci compute instance launch --availability-domain TYPE AD --display-name demo-instance --image-id TYPE THE ABOVE IMAGE ID --subnet-id TYPE SUBNET OCID --shape TYPE COMPUTE SHAPE --compartment-id $cid --assign-public-ip true --metadata '{"ssh_authorized_keys":"PASTE THE CONTENTS OF THE PUBLIC KEY FILE"}'</pre>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ oci compute instance get --instance-id GRAB IT FROM ABOVE O/P --query 'data."lifecycle-state"'</pre>



<p>If the instance has started properly, the output shows the state as running. You can check the public and private IP using the following command. Also connect via SSH to the instance, and terminate all resources created in the lab at the end.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">[opc@CLI-ex .oci]$ oci compute instance list-vnics --instance-id GRAB IT FROM ABOVE O/P | grep "ip.:"</pre>
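<p>The steps above, chained into one script so that each OCID is captured with <code>--query</code> and <code>--raw-output</code> rather than copied by hand. This is an added example, not part of the original post. The variables <code>cid</code>, <code>AD</code>, <code>IMAGE_ID</code>, <code>SHAPE</code>, <code>SSH_PUB</code>, <code>VCN_CIDR</code> and <code>SUBNET_CIDR</code> and all function names are assumptions, and it uses the CLI&#8217;s <code>--ssh-authorized-keys-file</code> option in place of the <code>--metadata</code> JSON.</p>

```shell
#!/bin/sh
# Added example: VCN -> subnet -> internet gateway -> route rule -> instance,
# with every OCID passed on through variables.
# Assumed environment: cid (compartment OCID), AD, IMAGE_ID, SHAPE,
# SSH_PUB (path to the public key file), VCN_CIDR, SUBNET_CIDR.

# Run "oci <args>" and print one field of the JSON response as plain text.
oci_field() {
  field=$1; shift
  oci "$@" --query "$field" --raw-output
}

# Create the network pieces and print the OCID of the new subnet.
build_network() {
  vcn_id=$(oci_field 'data.id' network vcn create --cidr-block "$VCN_CIDR" \
    -c "$cid" --display-name CLI-Demo-VCN --dns-label clidemovcn) || return 1
  # The VCN comes with a default route table and security list.
  rt_id=$(oci_field 'data."default-route-table-id"' \
    network vcn get --vcn-id "$vcn_id") || return 1
  sl_id=$(oci_field 'data."default-security-list-id"' \
    network vcn get --vcn-id "$vcn_id") || return 1
  subnet_id=$(oci_field 'data.id' network subnet create \
    --cidr-block "$SUBNET_CIDR" -c "$cid" --vcn-id "$vcn_id" \
    --security-list-ids "[\"$sl_id\"]") || return 1
  igw_id=$(oci_field 'data.id' network internet-gateway create -c "$cid" \
    --is-enabled true --vcn-id "$vcn_id" --display-name DemoIGW) || return 1
  # --force skips the "route rules will be replaced" confirmation prompt.
  oci network route-table update --rt-id "$rt_id" --force --route-rules \
    "[{\"cidrBlock\":\"0.0.0.0/0\",\"networkEntityId\":\"$igw_id\"}]" \
    >/dev/null || return 1
  echo "$subnet_id"
}

# Launch demo-instance in the given subnet and print its OCID.
launch_instance() {
  oci_field 'data.id' compute instance launch \
    --availability-domain "$AD" --display-name demo-instance \
    --image-id "$IMAGE_ID" --subnet-id "$1" --shape "$SHAPE" \
    --compartment-id "$cid" --assign-public-ip true \
    --ssh-authorized-keys-file "$SSH_PUB"
}

# Poll lifecycle-state until RUNNING; fail after $2 attempts (default 30).
wait_running() {
  tries=${2:-30}
  while [ "$tries" -gt 0 ]; do
    state=$(oci_field 'data."lifecycle-state"' \
      compute instance get --instance-id "$1") || return 1
    [ "$state" = RUNNING ] && return 0
    tries=$((tries - 1))
    sleep "${POLL_SECONDS:-10}"
  done
  return 1
}

main() {
  subnet_id=$(build_network) || return 1
  instance_id=$(launch_instance "$subnet_id") || return 1
  wait_running "$instance_id" || return 1
  oci compute instance list-vnics --instance-id "$instance_id" \
    --query 'data[0].["public-ip","private-ip"]'
}

# Nothing is created unless the script is started with the argument "run".
if [ "${1:-}" = run ]; then
  main
fi
```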



<h4 class="wp-block-heading">Provisioning Tools</h4>



<p>Provisioning tools focus on creating infrastructure. Using these types of tools, developers/admins can define exact infrastructure components. In the case of <strong>terraform</strong>, a declarative tool, the end state is defined and the tool manages the rest. If you have to manually build a VCN with multiple subnets and multiple resources, it would take more than 20 to 25 mins. However, with terraform, just declare the resources needed and the tool will automatically build them within a few minutes. For any additions, we just modify the terraform config file and the tool will automatically recognize the change. Replication in a different region for a different account also becomes easier using the same config file. Finally, this is helpful for repeatable workloads as well, since we can deploy and delete infrastructure on a need basis.</p>



<p>Now let us look at some of the <strong>IaC best practices</strong>. Use a good IDE like vim, sublime, IntelliJ etc. Source control is important, so it is better to use a source control repository like GitHub or Bitbucket.</p>



<p>Terraform code is written in the <em>HashiCorp Configuration Language</em>(HCL) in files with extensions <em>.tf / .tf.json</em> . Here we have the human readable (<em>.tf</em>) and machine readable (<em>.tf.json</em>) configuration files. The first step to using terraform is typically to configure the provider (<em>AWS, OCI ..</em>) you want to use. Once provider is configured you can start using the provider resources to create instances, block and object storage, network etc.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">provider "oci" {
  tenancy_ocid = "${var.tenancy_ocid}"
  user_ocid = "${var.user_ocid}"
  fingerprint = "${var.fingerprint}"
  private_key_path = "${var.private_key_path}"
  region = "${var.region}"
}</pre>



<p>The above code tells Terraform that you will be using OCI as the provider and deploying infrastructure in the region mentioned. The OCI provider also enables Terraform to create, manage and destroy resources within the IAM user&#8217;s tenancy. The general syntax for a Terraform resource is:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">resource "PROVIDER_TYPE" "NAME" {
   [CONFIG ...]
}</pre>



<p>PROVIDER_TYPE refers to the type of resource (<em>ex: instance</em>) to create in the provider, i.e. OCI. NAME is an identifier you can use throughout the Terraform code to refer to the resource, and CONFIG consists of one or more configuration parameters that are specific to that resource.</p>



<p>A <strong>data source</strong> refers to a piece of read-only information that is fetched from the provider (<em>OCI</em> <em>here</em>) every time you run Terraform. It&#8217;s just a way to query the provider&#8217;s APIs for data. Data sources can be used to fetch data like availability domain names, image OCIDs, IP address ranges etc. Below is an example that fetches the AD name data.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">data "oci_identity_availability_domains" "ADs" {
      compartment_id = "${var.tenancy_ocid}"
}</pre>



<p><strong>Launching an instance</strong> :</p>



<p>Now let&#8217;s build our first resource using a Terraform configuration file. The definition for a VCN would be as follows:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">resource "oci_core_virtual_network" "simple-vcn" {
  cidr_block     = "10.0.0.0/16"
  dns_label      = "vcn1"
  compartment_id = "${var.compartment_ocid}"
  display_name   = "simple-vcn"
}</pre>



<p>The code declares a VCN resource named simple-vcn in the compartment identified from the compartment OCID environment variable. Execute the following commands for the creation of Virtual Cloud Network.</p>



<p><code>$ terraform init</code><br> <code>$ terraform plan</code><br> <code>$ terraform apply</code></p>



<p>The <em>terraform init</em> command performs several different initialization steps in order to prepare a working directory for use. The <em>terraform plan</em> command shows you what will happen when you execute your TF configuration file. The <em>terraform apply</em> command will try to create the resources and manage their dependencies, or will carry out the pre-determined set of actions generated by a <em>terraform plan</em> execution. Finally, the <code>terraform destroy</code> command will destroy all the resources in the proper sequence.</p>



<p>There are various features that can be used with Terraform in order to better manage IaC. The <em>--target</em> flag on the terraform plan and terraform apply commands allows you to target a single resource or multiple resources. The <em>output</em> command can be used to display the variables that are generated dynamically as part of creating infrastructure. Terraform modules are portable terraform configurations, and a <em>module</em> block can be used to reference another module to create a reusable set of content. The <em>terraform taint</em> command is used to forcibly destroy and recreate a resource on the next apply. Terraform provisioners (<em>ex: remote-exec</em>) help you do additional setup and configuration when a resource is created or destroyed: you can move files, run shell scripts, and install software. The remote <em>backend</em> feature is used for state file management, wherein the state data is written to remote data storage like an Object Storage bucket. One more feature that can be leveraged is the <em>Oracle Resource Manager</em>, which can be used for state file management, stack management and access control management.</p>



<h4 class="wp-block-heading">Configuration Management Tools</h4>



<p>Also known as configuration as code, these are specialized tools designed to manage software. They usually focus on installing and configuring servers. Examples of these tools are Chef, Ansible etc. Configuration management itself is a process for maintaining computer systems, servers and software in a desired, consistent state. It’s a way to make sure that a system performs as it is expected to as changes are made over time.</p>



<p>With the scaling of cloud resources, there are many challenges to address. Many cloud workloads are highly distributed. Common management challenges include inconsistent execution of manual changes, time-consuming deployment of applications etc. The configuration management solution is to track and manage resources in different parts of the world using the right toolkit, whose features should include the ability to identify and track resources, define and apply configuration consistently, eliminate and overwrite manual changes, and discover and report the hardware or software configurations that exist.</p>



<p>The tool that satisfies most of the above points is <strong>Ansible</strong>. It is simple, with no coding skills required; powerful, as it can be used for application and infrastructure deployment as well as configuration management; and it has no agents to exploit or manage. The Ansible client does not run on Windows. The best method is to deploy Ansible as a control machine on one of your OCI compute instances and have it as a central point for managing all the resources in your environment. It utilizes small modules called &#8220;playbooks&#8221; to perform command execution via remote SSH. The Ansible installation command is:</p>



<p><code>$ sudo yum install -y ansible</code></p>



<p>Before starting to use the tool, you need to create a hosts file to organize the servers that will be managed by Ansible. The default file location is <code>/etc/ansible/hosts</code>. You can also run remote ad-hoc commands (<em>refer to the example below</em>) against one or more of your hosts as defined in the inventory file.</p>



<p><code>$ ansible ipaddress -m ping<br>$ ansible servergroupname -m ping<br>$ ansible all -m ping</code></p>



<p>Moving on to <em>Ansible Playbooks</em>, this is where we define or specify what is going to happen. The code is written in YAML and is human readable. It is procedural, where we define the steps to be performed, and not declarative, where the end state is defined. <em>OCI Ansible modules</em> are a set of interpreters, similar to the OCI provider for Terraform, that allow us to use Ansible features to make API calls against the OCI API endpoints. This allows us to create infrastructure and apply configuration management with the same tool. OCI Ansible modules are available for download from a GitHub repository. Once the OCI modules for Ansible are installed and your user credentials are configured, it is time to run a quick test. Run the command below.</p>



<p><code>$ ansible-playbook oci_sample.yml</code></p>



<p>The &#8220;oci_sample.yml&#8221; file consists of a code to display the summary of buckets in OCI bucket storage in a compartment. The OCI Ansible module in the code is <em>oci_bucket_facts</em> that is used to query  information from your infrastructure and display the result on screen. </p>



<p>In addition to online documentation, the <code>ansible-doc</code> command can be used to view detailed help for each module. Example OCI modules are oci_compartment_facts, oci_image_facts etc. </p>



<h2 class="wp-block-heading">Operational Activities</h2>



<p>Managing OCI images involves importing an image or creating a new image. In the case of migration from on-premise to cloud, whatever is present on-premise can be moved to the cloud, but this may not be good in all cases. Sometimes there may be legacy hardware with an application that contains a lot of data. In such a case, creating a new instance would be better. Sometimes the user may not want to install the application, in which case the applicable image can be chosen from the <em>partner image</em> section, which contains preinstalled applications with the BYOL feature. Managing custom images involves creating a new image with the boot volume, but if you want to attach the block volume you will need to clone and attach it to the newly created instance. Managing custom images on the console involves the following steps.</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="505" height="232" src="https://sampathblogs.online/wp-content/uploads/2020/06/VM1.png" alt="" class="wp-image-1940" srcset="https://sampathblogs.online/wp-content/uploads/2020/06/VM1.png 505w, https://sampathblogs.online/wp-content/uploads/2020/06/VM1-300x138.png 300w" sizes="auto, (max-width: 505px) 100vw, 505px" /></figure></div>



<ul class="wp-block-list"><li>Navigate to <strong>Compute</strong>, select your compartment under the <em>compartment</em> subsection. From the compartment, launch the instance that you need.</li><li>When the instance is created you can connect through ssh using the command: <code>ssh -i oci opc@instancepublicipaddress</code></li><li>Once you have logged into the instance, you can patch the latest updates onto it using the command: <code>sudo yum update -y</code></li><li>Once the instance is updated, you can take the custom image and launch an instance from it. But before that, if you want to create a file on the instance you can do so with the command: <code>touch web_server.txt</code></li><li>Since you are still inside the instance on the console, navigate to <strong>Actions &gt; Create Custom Image</strong>. In the new window, select the appropriate Compartment &amp; the name. Navigate to <strong>Compute &gt; Custom Images</strong> to check the status of the instance image creation.</li><li>Once the custom image is created, create a new instance from the <em>Create Instance</em> button in it. Choose appropriate options to create an instance.</li><li>As the instance from the image is created, connect through ssh using the command: <code>ssh -i oci opc@instancepublicipaddress</code></li><li>Once connected, just check for the earlier created file on the instance using the command: <code>ls</code>. The <em>web_server.txt</em> file should exist.</li><li>While creating an instance you can specify the <em>User data</em> file/script, i.e. the startup script that will run when the instance boots up or restarts. These are helpful to install software and updates, and to ensure services are running within the VM.</li></ul>



<h4 class="wp-block-heading">Disaster Recovery</h4>



<p>In this section we will be dealing with disaster recovery on OCI using the cross region copy of the instance/custom image. This is implemented by exporting/importing to or from the object storage. The same is depicted in the picture below :</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="505" height="232" src="https://sampathblogs.online/wp-content/uploads/2020/06/DR-2.png" alt="" class="wp-image-1944" srcset="https://sampathblogs.online/wp-content/uploads/2020/06/DR-2.png 505w, https://sampathblogs.online/wp-content/uploads/2020/06/DR-2-300x138.png 300w" sizes="auto, (max-width: 505px) 100vw, 505px" /></figure></div>



<p>Now let us look at the implementation of the same on OCI console as follows.</p>



<ul class="wp-block-list"><li>As a first step you can use the above <em>web_server</em> instance on the console. Navigate to <strong>Actions &gt; Create Custom Image</strong>. In the new window, select appropriate Compartment &amp; the name to create the custom image.</li><li>Next, navigate to the DR destination region (B) by selecting the region on the top right of the console. In order to create a bucket here, click the button <em>Create Bucket</em> under <strong>Object Storage &gt; Object Storage</strong>.</li><li>Inside the bucket, you need to create <em>pre-authenticated requests</em> by clicking on the button of the same name and in the new window select <em>object</em>, enter <em>object name</em>, select <em>access type</em>. Copy the resulting URL.</li><li>Now move back to the earlier region (A) by selecting from the top right and navigate to <strong>Compute &gt; Custom Images</strong>. Here you can find the earlier created image, click on the 3 dotted icon next to the image name,  select <em>Export Custom Image</em>. Click on <em>Object storage URL</em> &amp; paste the earlier copied URL. Finally, click on <em>Export Image</em> to export to bucket.</li><li>Once the export status shows as complete, hop over to the destination region and navigate to <strong>Object Storage &gt; Object Storage</strong>. In the bucket that you created earlier, you should be able to see the exported image.</li><li>Next navigate to <strong>Compute &gt; Custom Images</strong>, click on <em>Import Image</em>. Populate the Name, Object storage URL, Image type, launch mode and click on <em>Import Image</em>.</li><li>Once the image is imported, you can create a compute instance from the image of the migrated instance by clicking on the <em>Create Instance</em> button. Enter the necessary information along with SSH key pair.</li><li>Once the instance is created, connect through SSH. 
Type the command: <code>ssh -i oci opc@instancepubipaddress</code> followed by the command: <code>ls</code>. The <em>web_server.txt</em> file should exist, which is the same output that you got in the other region.</li><li>From a security standpoint, it is good to delete the URL by deleting the existing item under <em>pre-authenticated request</em>.</li></ul>
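<p>Anyone holding a pre-authenticated request URL can use it without further credentials until it expires or is deleted, so the request used for the export is best limited to writing one object, given a short lifetime, and removed once the export completes. The following is an added example, not part of the original post, of the same step done with the OCI CLI. The function names, the <code>image-export-</code> name prefix and the bucket, object and region arguments are assumptions, and the object name is assumed to contain no spaces.</p>

```shell
#!/bin/sh
# Added example: a short-lived, write-only pre-authenticated request (PAR)
# for the image export, and its removal afterwards.

# RFC 3339 UTC timestamp N hours from now (GNU date, BSD date as fallback).
expiry_in_hours() {
  date -u -d "+$1 hours" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null ||
    date -u -v "+${1}H" '+%Y-%m-%dT%H:%M:%SZ'
}

# Create a PAR that only permits writing one named object.
# Arguments: bucket, object name, lifetime in hours, region identifier.
# Prints "<par-id> <url>"; the URL is what the export dialog asks for.
create_export_par() {
  bucket=$1; object=$2; hours=$3; region=$4
  out=$(oci os preauth-request create -bn "$bucket" -on "$object" \
    --name "image-export-$object" --access-type ObjectWrite \
    --time-expires "$(expiry_in_hours "$hours")" \
    --query "join(' ', [data.id, data.\"access-uri\"])" --raw-output) || return 1
  # access-uri is only the path; prepend the regional Object Storage host.
  echo "${out%% *} https://objectstorage.$region.oraclecloud.com${out#* }"
}

# Delete the PAR once the export status shows as complete.
revoke_par() {
  oci os preauth-request delete -bn "$1" --par-id "$2" --force
}

# Show the PARs that still exist on a bucket, for periodic review.
list_pars() {
  oci os preauth-request list -bn "$1" --output table \
    --query 'data[].{name:name,access:"access-type",expires:"time-expires",id:id}'
}

# Usage: sh par.sh create <bucket> <object> <hours> <region>
#        sh par.sh revoke <bucket> <par-id>
#        sh par.sh list   <bucket>
case "${1:-}" in
  create) create_export_par "$2" "$3" "$4" "$5" ;;
  revoke) revoke_par "$2" "$3" ;;
  list)   list_pars "$2" ;;
esac
```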



<h4 class="wp-block-heading">Security</h4>



<p>As explained in my earlier <a href="https://sampathblogs.online/2020/06/a-beginners-guide-to-oracle-cloud-infrastructure/">blog</a> on OCI introduction, OCI follows the <em>shared responsibility model</em>. Here the customer is responsible for &#8220;security in the cloud&#8221;, which involves handling user credentials and other information, securing user access behavior, strengthening IAM policies, patching, security lists, route tables, VCN configuration, key management etc. Oracle is responsible for &#8220;security of the cloud&#8221;, which involves protecting the hardware, software, network and facilities that run Oracle Cloud Services. OCI security is based on the <em>7 pillars</em> of a trusted enterprise cloud platform: customer isolation, data encryption, security controls, visibility, secure hybrid cloud, high availability, and verifiable secure infrastructure.</p>



<p>In case you want to meet the security and compliance requirements for your cloud resources you can do so by isolating them from other tenants, Oracle staff, external threat or isolate different departments from each other based on compartmentalization. Let us consider a <strong>compute resource</strong>, where you can opt for the single tenant or multi tenant model. In case of single tenant model, the customer gets the full bare metal server access. However in case of a multi tenant VM model each of the VM may belong to a different customer. Next let us look into the security on the <strong>networking </strong>side, </p>



<ul class="wp-block-list"><li>Each customer&#8217;s traffic is isolated in a private L3 overlay network.</li><li>Network segmentation is done via subnets that may be set as either private with no internet access or as public with public IP address.</li><li>Customers can control the inter subnet and external VCN traffic by appropriately setting the security lists and route table rules. </li><li>Service gateway can be used for private network traffic between VCN and object storage. </li><li>VCN peering can be used for securely connecting between multiple VCNs.</li></ul>



<p>Now that we have looked into the compute, networking related security, next we will be dealing with the security of data. <strong>Data encryption</strong> deals with the security of data at rest in block storage, boot volume, object storage, file system and data in transit. In each of the above storage types data encryption will be done by using specific keys and data transfer is done over highly secure network. </p>



<ul class="wp-block-list"><li>In order to transfer the data between two regions, customer managed keys (KMS) can be used for end to end encryption, i.e. a VPN tunnel from region to region.</li><li>Oracle TDE encryption can be used for DB files and backups at rest. Native Oracle Net services encryption can be used for data in transit.</li><li>The keys can be managed using Oracle Key management service that is highly available, durable and secure. It is centralized with create, delete, disable, enable and rotate facilities.</li><li>User authentication in the form of a password is required to log in to the console to access OCI resources, an API signing key to access REST APIs, and an SSH key to authenticate compute login; an Auth token can be used to authenticate with 3rd party APIs. Multi-factor Authentication provides additional security with an additional authentication requirement.</li><li>Instance Authentication/Principal is the functionality in which, rather than a particular user name and password being hard coded into an instance, a dynamic group method is used wherein all instances in a group can make API calls against OCI services.</li></ul>



<h4 class="wp-block-heading">Data Backup</h4>



<p>For data backup, we first look at the terms RPO and RTO. These are vital and need to be defined before an infrastructure is deployed.</p>



<ul class="wp-block-list"><li>RPO (Recovery Point Objective) &#8211; It refers to a company&#8217;s loss tolerance, i.e., the amount of data that can be lost before significant harm to the business occurs.</li><li>RTO (Recovery Time Objective) &#8211; It refers to how much time an application can be down without causing significant damage to the business.</li></ul>



<p>In case of block volume, the data backup options are as follows:</p>



<ul class="wp-block-list"><li>A backup is a complete point-in-time snapshot copy of a block volume.</li><li>It can be encrypted and stored in object storage, and can be restored as a new volume in any Availability Domain within the same region.</li><li>On-demand, one-off block volume backups provide a choice of incremental (bronze, silver, gold types) vs full backup options.</li><li>A volume can be restored in less than a minute regardless of size.</li><li>Cross-region backup is possible, provided there is no customer restriction.</li></ul>



<p>In case of other storage, the backup options are as follows:</p>



<ul class="wp-block-list"><li>Object Storage Life Cycle Management &#8211; Define rules to automatically archive or delete data after a specified number of days.</li><li>Database &#8211; Autonomous Transaction Processing (ATP)/ Autonomous Data Warehouse (ADW) are the auto backup options available. Even with these, it&#8217;s always better to take a manual backup. A managed backup and restore feature is available for VM/BM DB systems. Backups are stored in object storage or local storage, with incremental or full backup options available.</li><li>Storage Gateway Service &#8211; The storage gateway is installed as a Linux Docker instance on one or more hosts in your on-premise data center. End users can log in to the on-premise application server and connect through an NFSv4 client to the Docker/storage gateway, which maps directly to the object storage/archive on OCI.</li></ul>



<h4 class="wp-block-heading">Cloud Scale</h4>



<p>As discussed in the earlier OCI foundation blog, there are two types of scaling, namely vertical and horizontal scaling. In case of <strong>vertical scaling</strong>, scaling up/down is performed by stopping the instance first and then adding resources like CPU, RAM and storage. Vertical scaling is supported for block volume and boot volume. Vertical scaling can be done in three ways:</p>



<ul class="wp-block-list"><li>Expand an existing volume in place with offline resize.</li><li>Restore from a volume backup to a larger volume.</li><li>Clone an existing volume to a new, larger volume. </li></ul>



<p>Once the <em>boot volume</em> size is increased, the partition should be resized as well. The resize can be automated for Oracle Linux and CentOS by providing a <em>cloud-init</em> userdata script at provisioning time that includes <code>growpart</code>, <code>gdisk</code> and <code>reboot</code>.</p>



<p><em>DB systems</em> provide the ability to vertically scale with no downtime for the VM, BM and Exadata type of machine.</p>



<p>In case of <strong>horizontal scaling/autoscaling</strong>, scaling enables you to automatically adjust the number of compute instances in an instance pool based on performance metrics such as CPU or memory utilization. The order of adjustment starts from AD to Fault Domain and finally the instances. Scaling of instances is cost dependent. The rules of scaling are as follows:</p>



<ul class="wp-block-list"><li>The metric that triggers an increase/decrease in the number of instances can depend on CPU or memory utilization.</li><li>Scaling rules depend on thresholds that the performance metric must reach in order to trigger a scaling event. The metrics must be carefully set.</li><li>The cool down period value gives the system time to stabilize before scaling.</li></ul>



<p>When a <em>load balancer</em> is attached to an instance pool configuration, it functions as follows during auto-scaling: on scale-out, new nodes are automatically added, and on scale-in, terminated nodes are automatically removed. In an <em>autonomous DB</em> there are two scaling options: on-demand, which is based on choice, and autoscaling.</p>



<h4 class="wp-block-heading">Cost Management</h4>



<p>OCI cost management is all about creating and monitoring budgets, accessing and understanding usage reports, service limits and compartment quotas. Let&#8217;s begin with the <strong>cost analysis tool</strong>:</p>



<ul class="wp-block-list"><li>It can be accessed from the console through <em>Governance and Administration &gt; Billing</em>, then clicking <em>Cost Analysis</em>.</li><li>It is a visualization tool that helps you understand spending patterns at a glance.</li><li>Costs can be filtered by tags, compartments and date.</li><li>Only members of the administrators group can use cost analysis.</li><li>Trend lines show how spending patterns are changing.</li></ul>



<p>Next we shall be looking at the <strong>OCI Budget</strong>. While creating a budget, the minimum fields to be entered are the budget scope, the target compartment (if compartment is selected as the scope) and the monthly budget amount. Other fields are optional. Some of the important points about budgets are as follows:</p>



<ul class="wp-block-list"><li>Track actual and forecasted spending for the entire tenancy or per compartment.</li><li>Set alerts on your budgets at predefined thresholds to get notified.</li><li>View all your budgets and spending from one dashboard.</li><li>To use budgets, you must be in a group that can use &#8220;usage-budgets&#8221; in the tenancy. An IAM policy should be set for accountants to inspect/access usage-budgets.</li><li>All budgets are created in the root compartment, regardless of the targeted compartment.</li></ul>



<p>A <strong>usage report</strong> is a breakdown of the consumption of your OCI resources such as compute, networking, storage, etc., provided as a granular report in CSV format. These reports are generated in another tenancy and stored in an Oracle-owned object storage bucket. The user needs to set up a cross-tenancy IAM policy to access usage reports. The reports can be downloaded by going to <em>Governance and Administration &gt; Billing</em>, selecting <em>Usage Report</em> and clicking the report to download.</p>



<p>Last but not the least, we shall be looking into the <strong>OCI Service Limits</strong> and <strong>Compartment Quotas</strong>.</p>



<ul class="wp-block-list"><li>On the console, navigate to <em>Governance &gt; Limits, Quotas and Usage</em>.</li><li>When you sign up for OCI, a set of service limits is pre-configured for your tenancy.</li><li>The service limit is the quota or allowance set on a resource, which can be increased by submitting a request.</li><li>Compartment quotas are somewhat similar to service limits, but are set up by administrators, whereas service limits are set by Oracle.</li><li>Quotas give better control over how resources are consumed by letting you allocate specific resources to projects or departments.</li></ul>



<p></p>
]]></content:encoded>
					
					<wfw:commentRss>https://sampathblogs.online/2020/06/an-introduction-to-oci-cloud-operations/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>A Beginner&#8217;s Guide to Oracle Cloud Infrastructure</title>
		<link>https://sampathblogs.online/2020/06/a-beginners-guide-to-oracle-cloud-infrastructure/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-beginners-guide-to-oracle-cloud-infrastructure</link>
					<comments>https://sampathblogs.online/2020/06/a-beginners-guide-to-oracle-cloud-infrastructure/#respond</comments>
		
		<dc:creator><![CDATA[mail2sampath]]></dc:creator>
		<pubDate>Thu, 25 Jun 2020 07:47:10 +0000</pubDate>
				<category><![CDATA[Technical]]></category>
		<category><![CDATA[Cloud]]></category>
		<guid isPermaLink="false">https://sampathblogs.online/?p=1826</guid>

					<description><![CDATA[Recently I acquired the Oracle Cloud Infrastructure Foundations 2020 Associate certification. In this blog I would like to brief about my learning on the topic. Oracle Cloud Infrastructure (OCI) Architecture Knowing the architecture will provide a proper foundation in understanding... <a class="more-link" href="https://sampathblogs.online/2020/06/a-beginners-guide-to-oracle-cloud-infrastructure/">Continue Reading &#8594;</a>]]></description>
										<content:encoded><![CDATA[
<p>Recently I acquired the <strong>Oracle Cloud Infrastructure Foundations 2020 Associate</strong> certification. In this blog I would like to brief about my learning on the topic.</p>



<h3 class="wp-block-heading">Oracle Cloud Infrastructure (OCI) Architecture</h3>



<p>Knowing the architecture will provide a proper foundation for understanding the topics that follow. Here you will come across terms like Regions, Availability Domains (similar to Availability Zones in <a href="https://sampathblogs.online/2020/04/an-introduction-to-aws-cloud-apn/">AWS</a>), Fault Domains, High Availability Design and Compartments.</p>



<p>There are 21 OCI Regions available worldwide and additional regions are scheduled to be set up. Moving on to the definitions, a <em>Region</em> is a localized area comprising one or more Availability Domains (AD). <em>Availability Domains</em> are one or more fault tolerant, isolated data centers located within a region that are connected to each other by a low latency, high bandwidth network. Since they are physically isolated, the failure of one AD is unlikely to affect the availability of others. <em>Fault Domains</em> refer to the grouping of hardware and infrastructure within an Availability Domain. Each AD has three <em>Fault Domains (FD)</em>. These act as logical data centers within an AD.</p>



<p>The whole idea of a Region having multiple ADs and an AD having multiple FDs is to provide <em>High Availability</em> and avoid single points of failure. Hence the best practice is to design the architecture so that instances performing the same tasks are deployed in different FDs in a single-AD region, and in different ADs in a multiple-AD region. Finally, a <em>compartment</em> is a collection of related resources. It helps to isolate and control access to your resources independent of region. Resources in one compartment can be moved to another compartment, and resources in one compartment can also interact with resources in another compartment.</p>



<h3 class="wp-block-heading">OCI Core Services</h3>



<p>The core services offered by OCI include Compute, Storage, Networking, IAM and Database. I will briefly cover each of these topics below.</p>



<h4 class="has-text-align-left wp-block-heading">Compute</h4>



<p>There are multiple offerings under this based on customer workload and application requirements. The offerings are Bare metal, Dedicated virtual hosts, Virtual machines, Container engine and Functions. In case of <em><strong>bare metal</strong></em>, the physical server is provided with no virtualization and the other requirements are taken care of by the customer. In case of <em><strong>dedicated virtual machine hosts</strong></em>, however, a dedicated machine with virtualization is provided so that all single-tenant VMs can be deployed. Next is the <em><strong>virtual machine</strong></em> based offering, which is similar to the earlier hypervisor-based offering but is multi-tenant, i.e., multiple customer VMs are present on a single physical machine. In case of a <em><strong>container engine</strong></em>, the customer manages the code and the app container (the container runtime, which executes containers and manages container images on a node). Finally, <em><strong>functions</strong></em> provides a feature wherein the customer only writes the code and the underlying infrastructure is taken care of by OCI, which follows a consumption-based pricing model.</p>



<p>The term compute <em>instance</em> applies to all the offerings from bare metal to VM types mentioned above. The size depends on the workloads, i.e., the CPU, RAM etc. The compute instance depends on other services like networking and storage for booting and data access. The instances support vertical (CPU, memory etc.) and horizontal/auto scaling (instance/VM count). In comparison to VMs, <em>containers</em> include the application and all its dependencies but share the OS with other containers, unlike VMs, each of which has a separate OS. Also, containers are not tied to any specific infrastructure like on-premise, public cloud etc. and can run anywhere. <em>Oracle Kubernetes Engine</em> is a fully managed, scalable and highly available service that you can use to deploy your containerized apps in OCI. Here you come across terms like pod and node. A pod refers to a group of containers with shared memory in a Fault Domain. Each pod is connected to a node where it is scheduled. These nodes are the actual instances, which can be either bare metal or VM type.</p>



<h4 class="wp-block-heading">Storage </h4>



<p>There are multiple offerings here as well, but the choice of a particular type is based on the storage workload requirements. The storage requirements are based on parameters like persistent/non-persistent type, type of data, performance of storage (capacity, IOPS, throughput), durability, connectivity, storage protocol etc. The storage types are block volume, local NVMe, file storage and object storage.</p>



<ul class="wp-block-list"><li><strong>Block volume</strong> &#8211; This is block storage for compute instances. It works like a hard drive in a server, except that the hard drive is installed in a remote chassis. The 2 types are boot volume (OS) and block volume (data). It is persistent and highly durable, as it replicates the same data in 3 separate fault domains. There are 3 block volume tiers, namely <em>Basic, Balanced</em> and <em>Higher Performance</em>, based on IOPS and throughput. Usage depends on the workloads, from throughput-intensive big data and streaming (Basic) to IO-demanding large databases (Higher Performance).</li><li><strong>Local NVMe</strong> &#8211; This is block storage directly attached to the instance that is non-persistent and non-durable. It is designed for applications that require high-performance local storage.</li><li><strong>File storage</strong> &#8211; Distributed file systems that look like local file systems and are hierarchically structured. It is frequently used as shared file system storage for compute instances. This storage is persistent and highly durable like the block volume.</li><li><strong>Object storage</strong> &#8211; Here, all data is stored in a single, flat structure without a folder hierarchy. Also, unlike block storage, metadata is present for an object, which makes it easier to index and access. This is a regional service, not tied to any compute instance, and is ideal for storing an unlimited amount of unstructured data like images, media files etc. It is also persistent and highly durable like the block and file storage. There are 2 object storage tiers, namely <em>Standard Storage Tier</em> (Hot) and <em>Archive Storage Tier</em> (Cold). In case of the hot type, data retrieval is instantaneous and the data can&#8217;t be downgraded to archive storage. The archive type, in contrast, is for data that is seldom accessed but must be retained for long periods of time, and it can&#8217;t be upgraded to standard storage.</li></ul>



<h4 class="wp-block-heading">Networking </h4>



<p>Under networking services, <strong>Virtual Cloud Networking</strong> (VCN) is a software defined private network set up in OCI that is highly available, scalable and secure. It enables OCI resources such as compute instances to securely communicate with the internet, other instances or on-premise data centers. The compute instances are placed in subnets, which are sub networks within a VCN. The picture below depicts a VCN with subnets, instances and connectivity.</p>



<figure class="wp-block-image size-large"><img decoding="async" src="https://sampathblogs.online/wp-content/uploads/2020/05/nwoci.jpg" alt="" class="wp-image-1896"/></figure>



<p>Next let us have a look at the various <strong>gateways</strong> available, which are depicted in the above figure. The <em>Internet gateway</em> <strong>(A)</strong> provides a path for network traffic between your public subnet instance in the VCN and the internet. The <em>NAT gateway</em> <strong>(B)</strong> provides a secure connection by enabling outbound connections to the internet, but blocks inbound connections initiated from the internet. The <em>Dynamic Routing Gateway</em> <strong>(C)</strong> is a virtual router that provides a path for private traffic between your VCN instance and destinations other than the internet, like an on-premise data center. The <em>Service gateway</em> <strong>(D)</strong> lets resources in the VCN access public OCI services like Object storage without an internet/NAT gateway. Security is provided within a VCN for the subnets in the form of a security list. A security list specifies the types of traffic allowed in and out of the subnet, and applies to instance communication with another instance in the VCN or with a host outside the VCN.</p>



<p>The next service is <strong>VCN peering</strong>, which is the process of connecting multiple VCNs. Here you have <em>Local VCN peering</em> to connect two VCNs in the same region and <em>Remote VCN peering</em> to connect two VCNs in different regions so that their resources can communicate using private IP addresses. The final networking service, i.e., the <strong>load balancer</strong>, interfaces between the clients and backends, providing benefits like fault tolerance, HA and scale.</p>



<h4 class="wp-block-heading">Identity and Access Management (IAM) </h4>



<p class="has-text-align-left">IAM, authentication, authorization and policies are the topics we shall be looking into. A principal is an IAM entity; the term refers to the IAM users and instances that are allowed to interact with OCI resources. In order for a user to access an OCI resource, the person/application should be part of a group, which in turn should have a policy with permission to the tenancy or a compartment. Here tenancy refers to a secure and isolated partition within OCI where you can create, organize, and administer your cloud resources. Next is <em>authentication</em>, which deals with user identity. The OCI IAM service authenticates a principal by user name and password, API signing key or Auth tokens. <em>Authorization</em> covers the various actions that an authenticated principal can perform. OCI authorization can be specified by writing <em>policies</em> that allow a group to access a specific tenancy/account or compartment, with conditions if any.</p>
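<p>The policy form described above can be checked mechanically for least privilege. The following is an added example, not part of the original post and not Oracle code: a small Python linter for statements of the form Allow group NAME to VERB RESOURCE in tenancy or compartment NAME, optionally followed by a where condition. The group and compartment names, the sample statements and the severity rules are assumptions made for the illustration.</p>

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# OCI policy verbs, ordered from least to most privileged.
VERBS = ["inspect", "read", "use", "manage"]


@dataclass
class Statement:
    subject_type: str           # "group" or "dynamic-group"
    subject: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the statement is scoped to the tenancy
    condition: Optional[str]    # text after "where", if any


def parse_statement(text: str) -> Optional[Statement]:
    """Parse one statement; return None if it is not in the expected form.
    Assumption: subject and compartment names are single unquoted tokens."""
    tokens = text.split()
    low = [t.lower() for t in tokens]
    if len(tokens) < 8 or low[0] != "allow" or low[1] not in ("group", "dynamic-group"):
        return None
    if low[3] != "to" or low[4] not in VERBS or low[6] != "in":
        return None
    if low[7] == "tenancy":
        compartment, rest = None, tokens[8:]
    elif low[7] == "compartment" and len(tokens) >= 9:
        compartment, rest = tokens[8], tokens[9:]
    else:
        return None
    condition = None
    if rest:
        if rest[0].lower() != "where" or len(rest) < 2:
            return None
        condition = " ".join(rest[1:])
    return Statement(low[1], tokens[2], low[4], low[5], compartment, condition)


def review(stmt: Statement) -> List[str]:
    """Return least-privilege findings for one parsed statement (hypothetical rules)."""
    findings = []
    tenancy_wide = stmt.compartment is None
    if stmt.verb == "manage" and stmt.resource == "all-resources":
        where = "the whole tenancy" if tenancy_wide else "compartment " + stmt.compartment
        findings.append("HIGH: full administrative control over " + where)
    elif tenancy_wide and VERBS.index(stmt.verb) >= VERBS.index("use") and not stmt.condition:
        findings.append("MEDIUM: 'use' or 'manage' at tenancy scope with no where condition")
    elif stmt.resource == "all-resources":
        findings.append("LOW: all-resources grant; name the resource types actually needed")
    return findings


def lint_policy(statements: List[str]) -> Dict[str, List[str]]:
    """Map every statement to its findings; unparsable statements are reported too."""
    results = {}
    for text in statements:
        stmt = parse_statement(text)
        if stmt is None:
            results[text] = ["ERROR: not in the expected 'Allow ... to ... in ...' form"]
        else:
            results[text] = review(stmt)
    return results


# Constructed sample policy; every name below is hypothetical.
SAMPLE_POLICY = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group Accountants to inspect usage-budgets in tenancy",
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Prod",
    "Allow group Developers to use instances in tenancy",
    "Allow dynamic-group AppInstances to read objects in compartment AppData "
    "where target.bucket.name='config'",
    "Allow group Auditors to read all-resources in tenancy",
    "Grant everything to everyone",
]

if __name__ == "__main__":
    for statement, findings in lint_policy(SAMPLE_POLICY).items():
        print(statement)
        for finding in findings or ["ok"]:
            print("   ", finding)
```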



<h4 class="wp-block-heading">Database</h4>



<p>Let me start this service by listing out the various DB options.</p>



<ul class="wp-block-list"><li><strong>VM DB systems</strong> &#8211; Virtual Machine with managed DB instance running.</li><li><strong>Bare metal DB systems</strong> &#8211; Running the Oracle DB on the bare metal machine.</li><li><strong>Oracle RAC</strong> &#8211; Oracle Real Application Clusters enable multiple servers to mount a single database. In the event any computer in the cluster fails, the database continues to provide service on the remaining computers. Oracle DB is available from any of the nodes in the cluster and provides High Availability.</li><li><strong>Exadata DB systems</strong> &#8211; It is a database machine or server using Oracle database software and hardware server equipment and acts as a computing platform for running Oracle Database.</li><li><strong>Autonomous DB Shared/Dedicated</strong> &#8211; Autonomous DB is a fully managed database with 2 workload types, namely Autonomous Transaction Processing (ATP) and Autonomous Data Warehouse (ADW). In case of the <em>dedicated</em> type, the user has exclusive access to the Exadata hardware, whereas in the shared type the user can only provision and manage the autonomous DB while Oracle handles the infrastructure. Both DB types support ATP and ADW. Autonomous DB in general is self driving, where the DB automatically patches, updates and tunes without human intervention or downtime. It provides encryption by default and protects from system failure or downtime.</li></ul>



<p>DB system <strong>operations</strong> include launching, starting, stopping or rebooting the BM/VM DB systems. Scaling or patching the BM/VM DB systems is also part of the operations task. DB systems <strong>backup/restore</strong> involves manual or automatic backups to the object storage from the private DB instance through the service gateway. In case of DB systems <strong>DR</strong>, Oracle Data Guard provides standby databases to enable Oracle DB to survive disasters and data corruptions. It maintains synchronization between the primary and standby DB. This has two modes, namely switchover, or planned migration with no data loss, and failover, or unplanned migration with minimal data loss. HA and DR can be used together to achieve maximum availability within a single region or across multiple regions.</p>



<h3 class="wp-block-heading"><strong>OCI Security</strong></h3>



<p>In case of an on-premise environment, everything from the infrastructure (networking, storage, server, virtualization) to what runs on top of it, like the OS, middleware, runtime, data and application, is handled by the customer. But in the <strong>OCI shared security model</strong>, only the infrastructure is managed by Oracle whereas the rest is the customer&#8217;s responsibility. Even here, similar to AWS, Oracle is responsible for &#8220;<em>security of the cloud</em>&#8221;, which involves physical security of the data centers, hardware, software and networking. The customer, in turn, is responsible for &#8220;<em>security in the cloud</em>&#8221;, which involves patching applications and OS, IAM, network security, endpoint protection, data classification and compliance.</p>



<h4 class="wp-block-heading">Security Services</h4>



<p>Under security services, Oracle provides IAM, Data Protection, OS and workload management, Infrastructure protection.</p>



<p><strong>IAM</strong> consists of the OCI IAM (as discussed above), Multi Factor Authentication (user authentication by password and an additional factor) and Federation (federate with a supported identity provider like AD to log in to OCI).</p>



<p>In case of <strong>data protection</strong>, data is encrypted either at rest or in transit for block volume and file storage, with a bring-your-own-keys feature. Object storage supports encryption at rest and pre-authenticated requests. The database supports transparent data encryption, data safe (managed service for protection of data on OCI DB) and data vault (prevents administrators from snooping on user data) features to safeguard data.</p>



<p>Moving on to <strong>OS and workload management</strong>, a dedicated VM host provides the security of bare metal combined with the ease and flexibility of VMs. Since it is single-tenant, the hardware is not shared with another customer&#8217;s VM. In case of the instances, the OS Management Service executes and automates common, complex and critical tasks. A security/compliance reporting feature is also present.</p>



<p>Finally, considering the network protection part of <strong>infrastructure</strong>, a VCN tiered subnet strategy is used, i.e., a DMZ for the load balancers, a public subnet for web servers and a private subnet for internal hosts provide the necessary protection. Gateways also provide the necessary connectivity related protection. Lastly, the security lists and network security groups provide the necessary traffic related protection. The OCI Web Application Firewall is a cloud based global security service that protects applications from malicious and unwanted internet traffic.</p>
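<p>The tiered subnet strategy above can be verified against exported configuration. The following is an added example, not part of the original post: a Python audit that checks each subnet's security list ingress rules against its tier. The field names follow the OCI Subnet and SecurityList API objects; the sample data is constructed, and the "tier" freeform tag, the VCN range and the rule that only TCP 80/443 may face the internet are assumptions of this example.</p>

```python
import ipaddress

VCN_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed VCN range
WEB_PORTS = {80, 443}                            # assumption: only these face the internet

# Constructed sample data. Protocol "6" is TCP; "all" means every protocol.
SECURITY_LISTS = {
    "sl-dmz": {"ingressSecurityRules": [
        {"source": "0.0.0.0/0", "protocol": "6",
         "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
    ]},
    "sl-web": {"ingressSecurityRules": [
        {"source": "10.0.0.0/24", "protocol": "6",
         "tcpOptions": {"destinationPortRange": {"min": 80, "max": 80}}},
        {"source": "0.0.0.0/0", "protocol": "6",
         "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
    ]},
    "sl-private": {"ingressSecurityRules": [
        {"source": "10.0.1.0/24", "protocol": "6",
         "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}}},
        {"source": "0.0.0.0/0", "protocol": "all"},
    ]},
}

SUBNETS = [
    {"displayName": "dmz-lb", "freeformTags": {"tier": "dmz"},
     "prohibitPublicIpOnVnic": False, "securityListIds": ["sl-dmz"]},
    {"displayName": "web", "freeformTags": {"tier": "public"},
     "prohibitPublicIpOnVnic": False, "securityListIds": ["sl-web"]},
    {"displayName": "internal", "freeformTags": {"tier": "private"},
     "prohibitPublicIpOnVnic": False, "securityListIds": ["sl-private"]},
]


def tcp_port_range(rule):
    """Return (low, high) if the rule is limited to a TCP destination port
    range, or None if it opens other protocols or every TCP port."""
    if rule.get("protocol") != "6":
        return None
    port_range = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    if not port_range:
        return None
    return port_range["min"], port_range["max"]


def audit_subnet(subnet, security_lists):
    """Check one subnet against the tier policy and return a list of findings."""
    name = subnet["displayName"]
    tier = subnet.get("freeformTags", {}).get("tier", "untagged")
    findings = []
    if tier == "untagged":
        findings.append(name + ": no tier tag, cannot be checked against the policy")
    if tier == "private" and not subnet.get("prohibitPublicIpOnVnic", False):
        findings.append(name + ": private tier but public IPs are not prohibited")
    for sl_id in subnet["securityListIds"]:
        for rule in security_lists[sl_id]["ingressSecurityRules"]:
            if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
                continue  # service CIDR labels are out of scope here
            src = ipaddress.ip_network(rule["source"])
            if src.version == VCN_CIDR.version and src.subnet_of(VCN_CIDR):
                continue  # traffic that originates inside the VCN
            if tier == "private":
                findings.append(f"{name}: ingress from {src} outside the VCN ({sl_id})")
                continue
            ports = tcp_port_range(rule)
            if ports is None:
                findings.append(
                    f"{name}: {src} allowed by a rule not limited to a TCP port range ({sl_id})")
            elif any(p not in WEB_PORTS for p in range(ports[0], ports[1] + 1)):
                findings.append(
                    f"{name}: {src} reaches TCP {ports[0]}-{ports[1]}, beyond the web ports ({sl_id})")
    return findings


def audit_all(subnets, security_lists):
    """Audit every subnet and return all findings in subnet order."""
    findings = []
    for subnet in subnets:
        findings.extend(audit_subnet(subnet, security_lists))
    return findings


if __name__ == "__main__":
    for line in audit_all(SUBNETS, SECURITY_LISTS):
        print(line)
```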



<h3 class="wp-block-heading">OCI Pricing and Cost Management</h3>



<p>There are 3 <strong>pricing</strong> models, namely:</p>



<ul class="wp-block-list"><li>Pay as you go (PAYG) &#8211; Charged only for the resources consumed, with no upfront commitment.</li><li>Monthly Flex &#8211; A minimum monthly charge and a minimum term commitment apply. However, savings of 33%-60% are observed compared to PAYG pricing.</li><li>Bring Your Own License (BYOL) &#8211; The current on-premise Oracle license can be applied to the equivalent highly automated Oracle IaaS &amp; PaaS services in the cloud.</li></ul>



<p>Factors that impact pricing are resource size, resource type (VM, BM, Functions etc.), data transfer costs (no ingress cost; egress cost is conditional) and region-independent pricing, unlike other cloud providers.</p>



<p><strong>Block Volume (BV) pricing</strong> uses the formula storage cost (x BV size) plus performance cost (x BV size) to get the total price. The calculation of <strong>data transfer costs</strong> takes into account that transfer between instances in an AD is free for ingress/egress. The same applies to data transfer between ADs in a region. However, data transfer charges vary between regions, i.e., ingress is free but egress is charged. Access to the internet from an instance follows the same rule as between regions. Data transfer between an instance and an on-premise data center using a DRG router is free for ingress/egress.</p>



<p>In OCI there is a concept called <strong>cost tracking tags</strong>, which can be used to tag resources when they are created. Benefits include grasping the spending pattern and filtering costs by date, compartment and tags for better cost management. Another feature is the <strong>budget</strong>, where a monthly threshold is defined for your OCI spend that can be set on a compartment or on cost tracking tags. Email alerts can be set for the budget when the spending reaches a certain threshold.</p>



<p><strong>Free tier service</strong> includes $300 free credits for 30 days, with access to a wide range of OCI services. Up to 5TB of storage and 8 instances can be used here. The OCI services that are <strong>always free</strong> include 2 autonomous databases, 2 OCI compute VMs; block, object and archive storage; load balancer and data egress; monitoring and notifications.</p>



<h3 class="wp-block-heading">OCI SLA and Support</h3>



<p><strong>Service Level Agreement (SLA)</strong> is a financially backed commitment to provide a minimum level of service to customers. This is usually defined as a number of &#8220;nines&#8221; for a month and a percentage credit based on tiers and definition, e.g. (99.9%, 10% credit).</p>



<pre class="wp-block-preformatted">An example tier for an OCI service would be as follows:
Monthly uptime between 99.9 - 99.0% -&gt; Service credit 10%
Monthly uptime between 99.0 - 95.0% -&gt; Service credit 25%
Monthly uptime less than 95.0%      -&gt; Service credit 100%</pre>



<p>Among cloud service providers, only Oracle offers end-to-end SLAs covering performance, availability and manageability.</p>



<ul class="wp-block-list"><li>Availability applies to the data plane, where resources are utilized. In case of the OCI functions service, the data plane would involve the <em>InvokeFunction</em> API. Availability means that services are in operation, with uptime and connectivity commitments.</li><li>Manageability applies to the control plane, where resources are administered. In case of the OCI functions service, the control plane would involve the <em>CreateFunction</em> API. Manageability is about managing, monitoring and modifying OCI resources.</li><li>The performance parameter refers to services consistently performing as expected.</li></ul>



<p>Compute and Block Volume services are measured on all the 3 SLAs, whereas other services like File storage, DB Cloud Service, Data Safe etc are measured on the data plane and control plane SLAs. Other services like API gateway, ATP, ADW etc are measured only on the data plane/availability SLA.</p>



<h4 class="wp-block-heading">OCI Support</h4>



<p>Moving on to <strong>OCI Support</strong>, Oracle provides the OCI status dashboard, which displays all the different OCI services present in all the regions and shows operation status like services running/not running, incident history etc. Notifications are sent when OCI creates or resolves an incident, in the form of email, text, RSS etc. The dashboard can be accessed using the link <a href="http://ocistatus.oraclecloud.com">here</a>. First-time users need to sign up for an Oracle support account, which is different from the Oracle Cloud Infrastructure account; the two need to be linked together to get the unique Customer Support Identifier (CSI) number.</p>



<p>Only paid accounts can <em>open service requests</em>. Customers using always free resources are not eligible for OCI support, but free tier account holders with free trial credits are provided limited support. </p>



<p>To register and log support requests, the CSI number, Tenancy OCID (Oracle Cloud Identifier) and Resource OCID are needed. Once logged in, paid account holders can open service requests for: resolving technical issues (in case <a href="https://cloudcustomerconnect.oracle.com/pages/home">cloud customer connect</a> doesn&#8217;t provide the answers), resetting/unlocking the password, adding/changing a tenancy administrator, and service limit increases.</p>



<p></p>
]]></content:encoded>
					
					<wfw:commentRss>https://sampathblogs.online/2020/06/a-beginners-guide-to-oracle-cloud-infrastructure/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>An Introduction to AWS Cloud &#038; APN</title>
		<link>https://sampathblogs.online/2020/04/an-introduction-to-aws-cloud-apn/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=an-introduction-to-aws-cloud-apn</link>
					<comments>https://sampathblogs.online/2020/04/an-introduction-to-aws-cloud-apn/#respond</comments>
		
		<dc:creator><![CDATA[mail2sampath]]></dc:creator>
		<pubDate>Fri, 17 Apr 2020 13:05:08 +0000</pubDate>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[Cloud]]></category>
		<guid isPermaLink="false">https://sampathblogs.online/?p=1734</guid>

					<description><![CDATA[Recently I obtained the AWS Business Professional Accreditation. In this blog I would like to explain in brief about my learning on the topic. Necessity of moving to the Cloud As mentioned in one of my previous blogs, the benefits... <a class="more-link" href="https://sampathblogs.online/2020/04/an-introduction-to-aws-cloud-apn/">Continue Reading &#8594;</a>]]></description>
										<content:encoded><![CDATA[
<p>Recently I obtained the AWS Business Professional Accreditation. In this blog I would like to explain in brief about my learning on the topic.</p>



<h3 class="wp-block-heading">Necessity of moving to the Cloud</h3>



<p>As mentioned in one of my <a href="https://sampathblogs.online/2018/04/virtualization-and-cloud-computing-basics/">previous</a> blogs, the benefits of moving to the cloud are many. I would like to highlight a few of the major points here.</p>



<ul class="wp-block-list"><li>Reduces opex, improves speed and agility of business operations, enhances business outcomes.</li><li>Accelerates time to business value, improves ROI.</li><li>Streamlines and enhances operational efficiency, lowers cost.</li><li>Increases innovation by providing a platform for experimentation.</li><li>Organizations with a global footprint particularly benefit by migrating to the cloud.</li></ul>



<h3 class="wp-block-heading">Cloud Deployment Models</h3>



<p>In case of AWS, the deployment will be in either the private, public or hybrid format. Please refer to the description of each of these models given in my <a href="https://sampathblogs.online/2018/04/virtualization-and-cloud-computing-basics/">earlier</a> blog.</p>



<h3 class="wp-block-heading">Common Workloads on Cloud </h3>



<p>With so many positives to look forward to, the next step is to know which workloads customers would want to run on the cloud. Below are a few examples.</p>



<ul class="wp-block-list"><li>Run customer-facing web applications that power eCommerce, mobile, gaming, social media and marketing websites.</li><li>Create customer business applications to support the needs of internal functions such as HR, finance, sales etc.</li><li>Process big data and high performance computing workloads like medical, imaging, web analytics, BI, genome sequencing etc.</li><li>Use AWS services that support backup, DR and archiving of business-critical data to the cloud.</li></ul>



<h3 class="wp-block-heading">AWS Cloud Services </h3>



<p>The Infrastructure-as-a-Service (IaaS) cloud model has transformed the way cloud computing and storage infrastructure services are obtained and administered. Because of this, most organizations have migrated their legacy on-premise processes and applications to the public cloud, avoiding the costs and effort that go into tasks like backup, archiving and so on. Amazon Web Services (AWS) is a leader in IaaS as mentioned by Gartner. It has the broadest range of services to offer on the cloud, with more than 175 services.<br>AWS offers a broad set of global cloud-based products including compute, storage, databases, analytics, networking, mobile, developer tools, management tools, IoT, security and enterprise applications. These services help organizations move faster, lower IT costs, and scale.</p>



<h3 class="wp-block-heading">AWS Security and Compliance</h3>



<p>Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system, other associated application software as well as the configuration of the AWS-provided security group firewall.</p>



<div class="wp-block-image is-style-default"><figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="412" height="417" src="https://sampathblogs.online/wp-content/uploads/2020/03/aws-model.png" alt="" class="wp-image-1747" srcset="https://sampathblogs.online/wp-content/uploads/2020/03/aws-model.png 412w, https://sampathblogs.online/wp-content/uploads/2020/03/aws-model-296x300.png 296w" sizes="auto, (max-width: 412px) 100vw, 412px" /></figure></div>



<p><strong>AWS responsibility “Security of the Cloud”</strong> &#8211; AWS is responsible  for protecting the infrastructure that runs all of the services offered  in the AWS Cloud. This infrastructure is composed of the hardware,  software, networking, and facilities that run AWS Cloud services. <br><strong>Customer responsibility “Security in the Cloud”</strong> – Customer responsibility will be determined by the AWS Cloud services that a  customer selects. This determines the amount of configuration work the  customer must perform as part of their security responsibilities. For example, customers that deploy an Amazon EC2 instance are responsible for  management of the guest operating system (including updates and security  patches), any application software or utilities installed by the  customer on the instances, and the configuration of the AWS-provided  firewall on each instance.&nbsp; </p>



<p>AWS has the concept of a <strong>Region</strong>, which is a physical location around the world where AWS clusters data centers. Each group of logical data centers is called an <strong>Availability Zone</strong> (AZ). Each AWS Region consists of multiple, isolated, and physically separate AZs within a geographic area. An <strong>Edge Location</strong>, by contrast, is the nearest data center from which content can be fetched easily. Edge locations are used to provide low latency access to the data.</p>



<p>AWS customers focused on high availability can design their applications to run in multiple AZs to achieve even greater fault-tolerance. AWS infrastructure Regions meet the highest levels of security, compliance, and data protection.</p>



<h3 class="has-text-align-left wp-block-heading">AWS Products</h3>



<p>The products offered by AWS are compute, storage, databases, security, management tools, networking, analytics, mobile, developer tools, IoT and enterprise applications. I will briefly describe a few of them as follows.</p>



<ul class="wp-block-list"><li>Compute<br>The services here can be used to develop, deploy, run and scale workloads on AWS cloud. The most important service in this section is the <strong>EC2</strong> compute service. Unlike with a local server, you can launch or shut down servers at any time. It requires no up-front investment and no hardware maintenance, and it is elastic, scalable, flexible and secure.</li><li>Storage<br>AWS provides low-cost data storage that is a highly durable, available, scalable and secure place for data. <strong>Amazon S3</strong> is the major storage service on AWS. It is highly durable and uses scalable object storage with 99.99% availability and reliability. It is elastic, flexible, low cost and secure, with data transfer over the transport layer.</li><li>Database<br>Databases are purpose-built for specific application use cases. A DB instance is an isolated DB environment deployed in private network segments in the cloud. RDS provides an API to create and manage one or more DB instances. <strong>Amazon RDS</strong> is cost efficient and easy to administer. It is reliable, elastic, fast and secure.</li><li>Security<br>AWS provides security services like encryption, access management and securing regulated workloads. <strong>AWS Identity and Access Management</strong> is a web service that enables AWS customers to manage users and user permissions in AWS. The service is targeted at organizations with multiple users or systems in the cloud that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.</li><li>Management<br>With AWS Management and Governance services, customers can have both innovation and control in one service. With AWS, customers can enable, provision, and operate their environment for both business agility and governance control.
<strong>Amazon CloudWatch</strong> is a monitoring service for AWS cloud resources such as Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances, as well as the applications you run on AWS. You can use Amazon CloudWatch to gain system-wide visibility into resource utilization, application performance, and operational health. You can use these insights to react and keep your application running smoothly.</li><li>Networking<br>AWS provides the networking tools and resources that enable you to securely connect to the cloud and then isolate, control, and distribute your applications across EC2 compute resources and all other relevant services in AWS. <strong>Amazon VPC</strong> is the networking layer for Amazon EC2. Amazon Virtual Private Cloud enables you to launch AWS resources into a virtual network that you&#8217;ve defined. It also has the benefits of using the scalable infrastructure of AWS.</li></ul>



<h3 class="wp-block-heading">AWS Partner Network</h3>



<p>The AWS Partner Network (APN) is the global partner program for technology and consulting businesses who leverage Amazon Web Services to build solutions and services for customers. The APN helps companies build, market, and sell their AWS offerings by providing valuable business, technical, and marketing support.<br><br><strong>APN Technology Partners</strong><br>APN Technology Partners provide hardware, connectivity services, or software solutions that are either hosted on, or integrated with, the AWS Cloud. Technology Partner products are often delivered as components to broader AWS customer solutions and can be delivered globally by Consulting Partners through AWS Marketplace, bundled solutions, or directly from APN Technology Partners.<br><br><strong>APN Consulting Partners</strong><br>APN Consulting Partners are professional services firms that help customers of all types and sizes design, architect, build, migrate, and manage their workloads and applications on AWS, accelerating their journey to the cloud. APN Consulting Partners often implement Technology Partner solutions in addition to the professional services they offer.</p>



<h4 class="wp-block-heading"><strong>Partner Tiers</strong></h4>



<p>Becoming a <em><strong>Select Partner</strong></em> makes you eligible for a range of funding benefits and marketing opportunities to help you grow your customer base on AWS. As an <em><strong>Advanced Partner</strong></em>, you will be able to take advantage of a wealth of additional resources to continue to grow your customer base and move forward with innovation in your solutions. This is the highest achievable tier for <strong>APN Technology Partners</strong>. Partners at this level are striving to differentiate their business to AWS customers.</p>



<p>For <strong>APN Consulting Partners</strong>, the <em><strong>Select Partner</strong></em> and <em><strong>Advanced Partner</strong></em> tier benefits remain the same as above. However, there is an additional tier called the <em><strong>Premier Partner</strong></em> tier. On becoming a Premier Partner, you will be recognized as an industry leader who consistently pushes the boundaries of your AWS-based practices in one or more regions. You’ll be able to take advantage of a wealth of dedicated AWS resources to help you continue to raise the bar.</p>



<p>The APN is structured to be performance-based within the Select, Advanced, and Premier (for Consulting Partners) tiers. All APN Partners join the APN as Registered Partners by signing up and creating a Partner account. </p>



<h3 class="wp-block-heading">Implementation of AWS at the Customer Site</h3>



<p>Any new technology to be implemented at a customer site goes through the Experimentation, Limited Use, Widespread Use and Corporate Standard phases. Similarly, the journey of AWS customers across all verticals would involve the following stages:</p>



<ul class="wp-block-list"><li>Development and Test<br>In some enterprises, development and test environments account for more than 50% of the overall infrastructure. With AWS, organizations can experiment more with no CapEx, resource projects instantly, eliminate idle servers and maintain consistency across teams.</li><li>True Production<br>In this phase the value of cloud implementation becomes clear. AWS cloud can be used to develop applications faster, augment existing data center resources, use multiple data centers for high availability, auto-scale up and down with demand, upgrade hardware with no downtime, and deploy globally with ease.</li><li>Mission Critical<br>This is the phase during which the customer wants to move mission-critical workloads to the cloud. To reach this stage the customer would have invested deeply in leveraging the benefits of cloud.</li><li>All-in<br>This is the phase during which the customer aims to continuously optimize their environment without any physical hardware. In this phase, organizations can see virtual elimination of IT CapEx, flexibility in resource assignments, time to market, zero hardware maintenance and multiple availability zone deployment.</li></ul>



<p>During the initial implementation stage, partners can provide advisory, infrastructure design, readiness and health check services. As customers move workloads to the cloud, partners can provide migration services. In a long-term customer relationship, partners can provide managed services for cloud workloads. Over time, partners can provide consulting services to innovate and expand the client's vision.</p>



<h4 class="wp-block-heading">Cloud Adoption Framework (CAF)</h4>



<p>The AWS Cloud Adoption Framework (CAF) helps organizations understand how adopting cloud transforms the way they will function. CAF begins by identifying the stakeholders that are critical to cloud adoption. It groups related stakeholders into 6 perspectives. The perspectives allow us to understand cloud adoption from these stakeholders&#8217; point of view. The perspectives are as follows and can be grouped under 2 categories:</p>



<div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow">
<ul class="wp-block-list"><li><strong>Business</strong> &#8211; This category deals with questions such as the alignment of IT to business needs and results, the right skills to implement and manage cloud, and the right processes to minimize business risk.<br><br><em>Business </em>: Stakeholders are CFO, Finance Managers, Budget Owners, Strategy Stakeholders.<br><em>People </em>: Stakeholders are HR, Staffing, People Managers<br><em>Governance </em>: Stakeholders are CIO, Program Managers, Project Managers, Enterprise architects, Business Analysts, Portfolio Managers.<br></li><li><strong>Technical </strong>&#8211; This category deals with questions such as the right architecture, security requirements and SLA.<br><br><em>Platform </em>: Stakeholders are CTO, IT Managers, Solution Architects<br><em>Security </em>: Stakeholders are CISO, IT Security Managers, IT Security Analysts<br><em>Operations </em>: Stakeholders are IT Operations, IT Support Managers</li></ul>
</div></div>



<h4 class="wp-block-heading">Outcome Based Account Management (OBAM)</h4>



<p>OBAM is the process, tools, competencies, and dialogue architecture for initiating and solidifying AWS customer-obsessed relationships, fixated on the journey of transforming the seller-customer engagement into a lifelong strategic relationship. It consists of the following four stages that work in a cyclic pattern:</p>



<ul class="wp-block-list"><li>Explore<br>Preliminary discovery and value hypothesis creation.</li><li>Engage<br>Solidifying credibility, earning trust, qualification &amp; delivery, initial value proposition. This involves initiate, expand and transform phases that may take 18+ months in total.</li><li>Empathize<br>Relationship building and persona-centric engagement.</li><li>Enable<br>Building out account value proposition &amp; defining roles and responsibilities of AWS resources.</li></ul>



<h4 class="wp-block-heading">Cost Optimization with AWS</h4>



<p>Cost optimization is a continual process of refinement and improvement of a system over its entire life cycle. The following processes are used to show cost saving to customers in order to build and operate cost-aware systems that achieve business outcomes while minimizing costs, allowing business to maximize its return on investment.</p>



<ul class="wp-block-list"><li>Gather requirements<br>Understand the customer's current on-premise environment and their expectations of AWS.</li><li>Map requirements to AWS services<br>Once the customer needs are identified, they need to be mapped to AWS services. In the process of refining the requirements along with the mapping, frequent meetings with the customer on Total Cost of Ownership (TCO), capacity and license assessment would be needed. The result would be a project plan with the appropriate solution and service instance.</li><li>Right size service choices<br>Right size the service choices such as region, instance type and storage against AWS pricing models, based on customer requirements. Right sizing is using the lowest cost resource that still meets the technical specifications of a specific workload. You can right size iteratively by adjusting the size of resources to optimize for costs.</li><li>Evaluate pricing models<br>In AWS, there are a number of different purchasing models that allow customers to use services and resources in the most cost-effective way that suits their business needs. The models are On demand, Spot instances, Reserved instances etc.</li><li>Deliver estimate<br>The AWS Simple Monthly Calculator and AWS Total Cost of Ownership Calculator let one anticipate real-world usage costs for AWS deployments and compare the spend with the on-premise equivalent. The final proof of concept ready for submission would need a review from the customer so that it meets all their requirements and can be closed.</li></ul>



<h3 class="wp-block-heading">GTM Strategy for Partners from AWS</h3>



<p>Here I would like to highlight various programs undertaken by AWS to help Partners grow and/or gain traction.</p>



<p><strong>AWS Partner Solutions Finder</strong> </p>



<p>The AWS Partner Solutions Finder provides AWS customers with a centralized place to search, discover, and connect with trusted APN Technology and Consulting Partners, based on customers’ business needs. Customers can use the AWS Partner Solutions Finder to find an APN Partner to help design, migrate, manage, and optimize workloads on AWS.</p>



<p><strong>APN Partner Success Stories</strong> </p>



<p>Promote your business by creating case studies to outline your success with customers.</p>



<p><strong>APN Marketing Tools</strong></p>



<ul class="wp-block-list"><li>APN Marketing Central<br>APN Marketing Central provides marketing tools and resources that enable you to generate demand for your solutions on AWS. As a benefit for Select tier and above APN Partners, access self-service marketing campaigns that allow you to quickly co-brand and launch solution-based campaigns or engage participating agencies for select marketing services.</li><li>AWS Global Sponsorship Program<br>The AWS Sponsorship program has helped AWS Partners, customers and brands to grow their business. AWS Sponsorships offer in-person access to over 300,000 AWS customers and prospects each year. Here impactful benefits such as broad networking opportunities, brand awareness, thought leadership, custom activations, turnkey booths, and spaces for personalized customer interactions are offered.</li><li>APN How-to Guides<br>As an APN Partner, you will learn best practices for joint marketing initiatives with AWS. These guides provide simple steps to extend the skills of your marketing team and help you showcase your products and services when marketing with AWS. Find the guides under the Marketing Tab in the <a href="https://partnercentral.awspartner.com/SiteLogin">APN Portal</a>.</li></ul>



<p><strong>AWS Training and Certification</strong></p>



<ul class="wp-block-list"><li>Partner Training<br>Free digital training, classroom training, and accreditations designed to help APN Partners better serve customers.</li><li>AWS Certification<br> Exams to validate expertise with an industry-recognized credential.</li><li>APN Navigate<br>APN Navigate is the AWS Partner Network’s (APN) enablement program that  provides prescriptive guidance from trusted AWS experts on how to  transform your business on AWS. It provides a step-by-step path to help you build, market, and sell as an APN Partner. </li><li>AWS Partner Transformation Program (PTP) <br>The AWS Partner Transformation Program (PTP) is a comprehensive  assessment, training, and enablement program focused on helping you  build a successful and profitable AWS Cloud business. Whether you are  new to the cloud or in the advanced stages of building your cloud  business, this program provides partners with the guidance to accelerate  the development of your AWS skills and expertise to better serve your  customers&#8217; journey to the cloud. </li></ul>



<p><strong>AWS Business Transition</strong></p>



<ul class="wp-block-list"><li>APN Training Partner Program<br>The APN Training Partner Program is part of the AWS Partner Network (APN), the global partner program for Amazon Web Services (AWS). The AWS Partner Network allows customers to easily identify APN Partners that provide training which will enhance their knowledge of the AWS platform, while providing members of the APN Partner ecosystem with the business, technical, marketing, and go-to-market support they need to build a successful business on AWS.</li><li>AWS Community<br>This is designed to educate about the AWS platform, architecture best practices and new services. AWS brings together the APN cloud computing community to connect and collaborate.</li><li>AWS Competency Program<br>The AWS Competency Program is designed to highlight APN Partners who have demonstrated technical proficiency and proven customer success in specialized solution areas. Attaining an AWS Competency allows partners to differentiate themselves to customers by showcasing expertise in a specific solution area.</li><li>AWS Marketplace<br>AWS Marketplace is a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on AWS.</li><li>APN Partner Central<br>APN Partner Central is the partner-only section of the AWS website that gives all AWS Partners the tools and content they need to grow their business on AWS. Through APN Partner Central, APN Partners can access AWS technical and non-technical coaching, request marketing and business support, transfer partner-focused content, and connect with other AWS partners around the world.</li></ul>



<p><strong>AWS Partner Journey Summary</strong></p>



<p>The various milestones of a partner&#8217;s journey with AWS would involve the following:</p>



<ul class="wp-block-list"><li>Join the AWS Partner Network</li><li>Build a Business Plan</li><li>Get Trained and Certified on AWS</li><li>Move up the Partner Tier ladder and unlock the benefits</li><li>Join APN Partner programs that meet specific business needs</li><li>GTM with AWS</li></ul>
]]></content:encoded>
					
					<wfw:commentRss>https://sampathblogs.online/2020/04/an-introduction-to-aws-cloud-apn/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>what is CloudBand?</title>
		<link>https://sampathblogs.online/2018/04/cloudband-overview/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cloudband-overview</link>
					<comments>https://sampathblogs.online/2018/04/cloudband-overview/#respond</comments>
		
		<dc:creator><![CDATA[mail2sampath]]></dc:creator>
		<pubDate>Tue, 17 Apr 2018 06:48:21 +0000</pubDate>
				<category><![CDATA[Technical]]></category>
		<category><![CDATA[Cloud]]></category>
		<guid isPermaLink="false">http://excelall.byethost32.com/?p=55</guid>

					<description><![CDATA[Here I will brush up on a Network Function Virtualization (NFV) implementation example, i.e., CloudBand. CloudBand is the Nokia platform for NFV. CloudBand delivers an integrated NFV environment based on the ETSI/MANO architecture and includes the infrastructure, management and orchestration engine... <a class="more-link" href="https://sampathblogs.online/2018/04/cloudband-overview/">Continue Reading &#8594;</a>]]></description>
										<content:encoded><![CDATA[<p>Here I will brush up on a Network Function Virtualization (<a href="https://sampathblogs.online/2018/04/17/network-function-virtualizationnfv-basics/" target="_blank" rel="noopener noreferrer">NFV</a>) implementation example, i.e., CloudBand.</p>
<p>CloudBand is the Nokia platform for NFV. CloudBand delivers an integrated NFV environment based on the <a href="https://sampathblogs.online/2018/04/17/network-function-virtualizationnfv-basics/" target="_blank" rel="noopener noreferrer">ETSI/MANO</a> architecture and includes the infrastructure, management and orchestration engine that optimizes, automates and abstracts operational tasks for carrier network services.</p>
<h4>A portfolio optimized for ETSI NFV MANO</h4>
<p>The CloudBand portfolio (CloudBand Infrastructure Software, CloudBand Application Manager, and CloudBand Network Director) has been optimized for NFV management and orchestration (MANO). This reduces complexity and ensures applicability in single and multi-vendor infrastructures. It is available to customers as a complete MANO solution or as individual products in a multi-vendor deployment.</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-1248 size-full" src="https://sampathblogs.online/wp-content/uploads/2020/01/abc.jpg" alt="" width="696" height="382" srcset="https://sampathblogs.online/wp-content/uploads/2020/01/abc.jpg 696w, https://sampathblogs.online/wp-content/uploads/2020/01/abc-300x165.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/01/abc-600x329.jpg 600w" sizes="auto, (max-width: 696px) 100vw, 696px" /></p>
<p>The three CloudBand products below fall under OSS/BSS, which manages end-to-end customer-facing and resource-facing services across Physical Network Functions (PNFs) and VNFs (CloudBand).</p>
<h5>CloudBand Infrastructure Software (CBIS)</h5>
<p>CloudBand Infrastructure Software is OpenStack (IaaS) aligned and provides multi-purpose NFV infrastructure (NFVI) and virtualized infrastructure manager (VIM) support. It virtualizes and manages compute, storage, and network resources. It enables VNFs to run and ensures that they meet strict robustness, performance, and security requirements.</p>
<h5>CloudBand Application Manager (CBAM)</h5>
<p>CBAM automates VNF lifecycle management and cloud resource management, and its standards-based APIs make it easy to work with any vendor’s VNF, Element Management System (EMS), Virtualized Infrastructure Manager (VIM) and NFV Orchestrator (NFVO).</p>
<h5>CloudBand Network Director (CBND)</h5>
<p>CloudBand Network Director is an NFV resource and network service orchestrator. It manages virtual resources across geo-distributed NFV infrastructure nodes. It visualizes and automates the lifecycle of network services in the virtual domain, decomposing them into VNFs and virtual links (VLs).</p>
<p>To get a better understanding of how CloudBand relates to the NFV MANO architecture, refer to the picture below:</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-1387 size-full" src="https://sampathblogs.online/wp-content/uploads/2020/01/Untitled.jpg" alt="" width="992" height="674" srcset="https://sampathblogs.online/wp-content/uploads/2020/01/Untitled.jpg 992w, https://sampathblogs.online/wp-content/uploads/2020/01/Untitled-300x204.jpg 300w, https://sampathblogs.online/wp-content/uploads/2020/01/Untitled-768x522.jpg 768w, https://sampathblogs.online/wp-content/uploads/2020/01/Untitled-945x642.jpg 945w, https://sampathblogs.online/wp-content/uploads/2020/01/Untitled-600x408.jpg 600w" sizes="auto, (max-width: 992px) 100vw, 992px" /></p>
<p>A fully deployed “business service” comprises various Physical Network Functions interconnected by a network service. For a business service to run successfully, the “network service” needs to be implemented, which is the point where CBND is used to manage the network service and decompose it into VNFs and VLs. The VNFs, which are virtualized tasks formerly carried out by proprietary dedicated hardware, are instances of several applications running on various VMs. These VNFs are linked together in a process called service chaining.</p>
<p>Here the role of CBAM would be to manage the lifecycle of various VNFs. Finally, the CBIS virtualizes and manages compute, storage, and network resources.</p>
<h4>Conclusion</h4>
<p>CloudBand is aligned with the ETSI NFV framework. CloudBand’s three products are optimized to fit the NFVI/VIM, VNFM and NFVO roles. The modular design lets customers flexibly decide between deploying only what’s needed to get started (such as the NFVI/VIM), a completely integrated MANO stack (encompassing NFVI, VIM, VNFM, NFVO), or select individual items for multivendor deployments.</p>
<p><strong><em>Sources : </em></strong><br />
<em>Workplace Learning</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://sampathblogs.online/2018/04/cloudband-overview/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
