Category: OCI

Oracle Cloud Infrastructure

OCI High Availability and Disaster Recovery

High Availability for Network Resources

  • Computing environments configured to provide nearly full-time availability are known as high availability systems
  • Well-designed high availability systems avoid single points of failure through redundancy of resources
  • When a failure occurs, the failover process moves the processing performed by the failed component to the backup component

OCI Services and High Availability

  • Availability Domains (ADs) are isolated from each other, fault-tolerant, and very unlikely to fail simultaneously; they do not share physical infrastructure such as power or cooling
  • Fault Domains (FDs) let you distribute your instances so that they are not on the same physical hardware within a single AD. Each AD has 3 FDs.
  • Load Balancer is a regional service used to distribute load across ADs
  • In the Storage service, Block Volume is an AD-level service replicated within the AD; volume replication can be used. Object Storage is highly available at the regional level. File Storage is also regional and shared across ADs, and is highly available.
  • Compute is an AD-level service; an Auto Scaling group (ASG) can be used to make a service highly available.

Best Practices

Networking

To provide high availability across availability domains, you can configure multiple private load balancers on Oracle Cloud Infrastructure and use on-premises or private DNS servers to set up a round-robin DNS configuration with the IP addresses of the private load balancers. The following is an overview of this process:

  1. Deploy two private load balancers, one in each availability domain.
  2. Configure two custom DNS VMs in the VCN.
  3. Modify the VCN Default DHCP options to use a Custom DNS Resolver and set the DNS servers to the IP addresses of the DNS VMs.
  4. Add a new round-robin DNS zone entry for the private load balancer FQDN with a low TTL.
  5. Add two A records with the IP addresses of the two private load balancers.
  6. Use the FQDN of the private load balancer when accessing the private load balancer.
  7. The most robust option is to use multiple FastConnect connections with circuits from different network service providers.

High Availability: https://docs.oracle.com/en/solutions/design-ha

Resilience & Availability

Unacceptable variance in performance (latency or throughput) for any reason, including the following:

  • Multitenant “noisy neighbors” (failure of QoS mechanisms)
  • Inability to efficiently reject overload (accidental or malicious) while continuing to do useful work
  • Distributed thrash, message storms, retry storms, and other expensive “emergent” interactions
  • Cold-shock (empty caches) after power-cycle, particularly simultaneous power-cycle of multiple systems
  • Overhead when scaling the system

OCI Security: cheatsheet

WAF

  • Protects against cross-site scripting, SQL injection, and bots (bot management)
  • Outcomes: allow the request to pass, return an error page for a blocked request, or audit-log the request
  • Actions: Log and allow, Detect only, Block, Redirect, By-Pass, Show Captcha
  • Conditions include country/region, URL path, IP address, HTTP header

Vault

  • Dedicated Hardware [Virtual Private Vault]
  • Shared Hardware
  • Protection Mode
    • HSM [Hardware]
    • Software: key material is not kept inside the HSM
  • Algorithm
    • AES
    • RSA
    • ECDSA
  • The master encryption key provides a data encryption key, which is what actually encrypts the data
  • The master encryption key can be rotated without affecting already-encrypted data
  • A vault cannot be deleted immediately; deletion is scheduled with a grace period of 30 days
  • There are two endpoints, cryptographic and management
  • After rotation, a new version is created for the master key and old will also remain
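The master key / data key relationship and key rotation described above, as an added illustration (not Oracle's implementation): a versioned master encryption key wraps per-object data encryption keys, rotation adds a version, and old versions are retained so earlier envelopes still decrypt. The cipher is an HMAC-SHA256 keystream with a tag, assumed here as a standard-library stand-in for AES-GCM.

```python
import hashlib, hmac, secrets

# Added illustration of the Vault model (not Oracle's implementation): a master
# encryption key (MEK) with versions wraps per-object data encryption keys
# (DEKs). The cipher is an HMAC-SHA256 keystream plus tag, a stand-in for
# AES-GCM so the example needs only the standard library.

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key version or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class MasterKey:
    """Versioned MEK: new wraps use the latest version; old versions are
    retained so data keys wrapped before a rotation still unwrap."""
    def __init__(self):
        self.versions = [secrets.token_bytes(32)]

    def rotate(self) -> int:
        self.versions.append(secrets.token_bytes(32))
        return len(self.versions) - 1  # index of the new current version

    def generate_data_key(self):
        """Returns (plaintext DEK, (version, wrapped DEK)); only the wrapped
        form is stored next to the data."""
        version = len(self.versions) - 1
        dek = secrets.token_bytes(32)
        return dek, (version, seal(self.versions[version], dek))

    def unwrap(self, wrapped):
        version, blob = wrapped
        return open_sealed(self.versions[version], blob)

def encrypt_object(mek: MasterKey, plaintext: bytes) -> dict:
    dek, wrapped = mek.generate_data_key()
    return {"wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}

def decrypt_object(mek: MasterKey, envelope: dict) -> bytes:
    return open_sealed(mek.unwrap(envelope["wrapped_dek"]), envelope["ciphertext"])
```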

Security Zone

A security zone is associated with a compartment and a security zone recipe. OCI validates the creation/update operations of resources against the list of policies defined in the security zone recipe. If any security zone policy is violated, the operation is denied.

  • Resources can’t be moved from a security zone to a standard compartment because it might be less secure.
  • Data in a security zone can’t be copied to a standard compartment because it might be less secure.
  • All the required components for a resource in a security zone must also be located in a security zone. Resources that are not in a security zone might be vulnerable. For example, a compute instance in a security zone can't use a boot volume that is not in a security zone.
  • Resources in a security zone must not be accessible from the public internet.
  • Resources in a security zone must be encrypted using customer-managed keys.
  • Resources in a security zone must be regularly and automatically backed up.
  • Resources in a security zone must use only configurations and templates approved by Oracle.

Security Advisor

Available for

  • Secure Bucket
  • Secure File System
  • Secure Instance
  • Secure Block Volume

Cloud Guard

Cloud Guard examines your Oracle Cloud Infrastructure resources for configuration-related security weaknesses, and your operators and users for risky activities. Upon detection, Cloud Guard can suggest, assist, or take corrective actions, based on your configuration.

Its main components are:

  • Target
  • Detector / Detector Recipe
  • Responder

Oracle recommends that you enable Cloud Guard in your tenancy. You can configure a Cloud Guard target to examine your entire tenancy (root compartment and all subcompartments), or you can configure targets to check only specific compartments.

Security Best Practices

Secure Your Database

Data Safe is a unified control center for Oracle cloud and on-premises databases. Use Data Safe to assess database and data security configuration, detect risks associated with user accounts, identify existing sensitive data, implement controls to protect data, and audit user activity.

  • Extend Data Safe audit retention policy to one year.
  • Mask data identified as sensitive by Data Discovery.
  • Use Security Assessment to identify recommended security controls by Center for Internet Security (CIS), General Data Protection Regulation (GDPR), and Department of Defense library of Security Technical Implementation Guides (STIG).
  • Set up alerts for key events in Data Safe Activity Auditing

Securing Compute

  • Put the instance in a private subnet and access it through a Bastion host
  • Use a Shielded Instance when provisioning the instance, for boot-time security
  • To prevent inadvertent or malicious termination of critical instances (for example, production instances), Oracle recommends that you give INSTANCE_DELETE permission to a minimal set of groups. Give DELETE permissions only to tenancy and compartment admins.

Securing Object Storage

  • Bucket PAR: allows writes to a bucket
  • Object PAR: read an object
  • Object PAR: write an object
  • Object PAR: read or write an object
  • All data in Object Storage is encrypted at rest using AES-256. Encryption is on by default and cannot be turned off. Each object is encrypted with its own encryption key, and the object encryption keys are encrypted with a master encryption key
  • By default bucket is private

Securing Block Storage

  • The resource types in volume-family are volumes, volume-attachments, and volume-backups; the corresponding delete permissions are VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE and VOLUME_BACKUP_DELETE
  • By default, volumes and their backups are encrypted at rest using AES-256

General

  • Separate the internet-facing components from the back-end, not just using subnets and security lists, but by separating the compartments completely into their own Virtual Cloud Networks, linked by a Local Peering Gateway
  • Add a Web Application Firewall to protect the load balancer, and ultimately the web application.
  • Make the Autonomous Database and Object Storage available only over private IP addresses.
  • Use customer-managed encryption keys instead of Oracle-managed keys for all block, boot, and object storage.
  • You can enforce MFA for a resource in the access policy that allows access to the resource. For example, the following policy enforces MFA when users in GroupA manage resources that belong to the instance family in any compartment.
allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'

The following policy allows users in the PolicyAdmins group to create policies, but not to edit or delete them.

Allow group PolicyAdmins to manage policies in tenancy where
      request.permission='POLICY_CREATE'
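To make the effect of the two conditional statements above concrete, here is an added, simplified policy evaluator (not Oracle's policy engine). It assumes verbs nest (manage > use > read > inspect), resource types match exactly, and a "where" clause holds equality conditions on request.* variables, either a single condition or several inside "all { ... }".

```python
import re
from dataclasses import dataclass

# Added illustration (not Oracle's policy engine): a simplified evaluator for
# statements like the ones in the notes. Assumed simplifications: verbs nest
# (manage > use > read > inspect), resource types must match exactly, and
# "where" holds equality conditions on request.* variables, one or "all {...}".
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
STATEMENT_RE = re.compile(
    r"allow group (?P<group>\S+) to (?P<verb>\w+) (?P<resource>\S+) in "
    r"(?P<scope>tenancy|compartment \S+)(?: where (?P<cond>.+))?$", re.IGNORECASE)

@dataclass
class Statement:
    group: str; verb: str; resource: str; scope: str
    conditions: dict  # request variable -> required value; all must hold

def parse_statement(text: str) -> Statement:
    m = STATEMENT_RE.match(" ".join(text.split()))  # joins wrapped lines
    if not m:
        raise ValueError(f"unparseable policy statement: {text!r}")
    cond = (m["cond"] or "").strip()
    if cond.lower().startswith("all"):  # where all {c1, c2}
        cond = cond[cond.index("{") + 1:cond.rindex("}")]
    conditions = {}
    for clause in filter(None, (c.strip() for c in cond.split(","))):
        var, value = clause.split("=", 1)
        conditions[var.strip()] = value.strip().strip("'")
    return Statement(m["group"], m["verb"].lower(), m["resource"], m["scope"], conditions)

def is_allowed(policies, request: dict) -> bool:
    """request keys: group, verb, resource, optional compartment, and any
    request.* variables (request.permission, request.user.mfaTotpVerified)."""
    for st in policies:
        if st.group != request["group"] or st.resource != request["resource"]:
            continue
        if st.scope.lower() != "tenancy" and st.scope != f"compartment {request.get('compartment')}":
            continue
        if VERB_RANK[st.verb] < VERB_RANK[request["verb"]]:
            continue  # statement grants a weaker verb than requested
        if all(request.get(var) == val for var, val in st.conditions.items()):
            return True  # a matching statement grants access
    return False  # OCI denies by default

# The two statements from the notes above.
PAGE_POLICIES = [parse_statement(s) for s in (
    "allow group GroupA to manage instance-family in tenancy "
    "where request.user.mfaTotpVerified='true'",
    "Allow group PolicyAdmins to manage policies in tenancy where "
    "request.permission='POLICY_CREATE'")]
```

With these statements, a GroupA request without a verified TOTP factor and a PolicyAdmins POLICY_DELETE request both fall through to the default deny.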

References: