Between the Oracle Cloud Infrastructure (OCI) Audit Service recording administrative operations and Oracle Identity Cloud Service (IDCS) tracking access and user management events, Oracle Cloud provides pretty comprehensive tracking of security events. Recently however, I have been in conversations with a number of organisations who have been seeking longer term retention of audit events for several different reasons, including governance, compliance and forensic requirements. The OCI Audit service supports requesting bulk export of audit events to Object Storage, which allows you manage the retention and archiving of those events yourself, so I started wondering if I could do the same for the IDCS access events. A bit of testing and some simple coding later, and I had events being pulled directly from the IDCS Audit Events API periodically and sent to Object Storage for retention.
In this blog post, I will provide this code as a sample, and discuss some of the techniques and technologies that are available in Oracle Cloud Infrastructure to enable simple, but highly secure and cost-effective, automation of cross-service tasks such as this.
Continue reading “Simple, Secure Log Retention using OCI Services”
Oracle Cloud Infrastructure provides a ton of useful services for automating and orchestrating behaviours in your cloud environment, and while they are often pretty handy on their own, leveraging them together gives almost complete flexibility on what you can achieve. Want to trigger a backup using a command in slack, then have a message get sent back when it completes? Sure! Want to periodically poll a log API and archive the results? Easy. Oracle Cloud Infrastructure provides a number of inbuilt capabilities, as well as the ability to jump into arbitrary code to build elaborate automation flows, and this blog post will focus upon the security constructs around this, looking at how services can be authorised to invoke one another, as well as how they authenticate themselves, while avoiding storing sensitive data in insecure ways. This post is intended as an overview of the concepts, and will be referenced in more concrete ways in future.
Continue reading “Secure Inter-Service Communication in OCI”
Over the past couple of weeks, I was getting back into the normal life of Cloud Engineering (the #BuildWithAI global hackathon isn’t the only thing that I focus on – check this article out #BuildWithAI Announces Winners). And something that I was doing was actually less about technology but more about budgeting – Cloud Estimations.
This is an interesting puzzle because of a couple of different elements.
Cloud is supposed to be elastic. But budgeting is typically not. Nor are project estimations and costs. Nor are approval processes. Nor are procurement processes. There are so many things in a business that are not elastic.
The people provisioning are not necessarily in charge of the costs. And I know as a developer, these overarching cost discussions aren’t necessarily the one you get invited to.
Continue reading “agile Oracle Cloud Infrastructure consumption”
I’ll keep this one short as we have done a specific writeup about this event. If you hasn’t seen it – check out this previous article #BuildWithAI – A Hackathon Experience. The winners have been announced and published … Here’s a quick summary of who won what.
Continue reading “#BuildWithAI Announces Winners”
On August 17th, we’ll be announcing winners of the #BuildWithAI hackathon and it will be live-streamed on youtube – https://youtu.be/URuB0FtBIJo (note – set your reminder). Cassie Kozyrkov (Chief Decision Scientist, Google), Steve Nouri (Board Member, Hackmakers), Cherie Ryan (Regional MD of ANZ and VP, Oracle) as well as an all-star judging line-up will be there.
Before we get to that, lets rewind, fast-forward and bring together some of the interesting points of the #BuildWithAI hackathon – an event that was truly global in its nature hosted by Hackmakers (https://hackmakers.com/).
July 24th 11:45am AEST – I received a calendar alert for the Leader Mentor Zoom session for the #BuildWithAI hackathon. Trying to finish as many of the things that I needed to get done before I joined this call. This will be interesting. Watching the number of competitors join the event’s slack workspace climbing from a hundred users when I first joined, to now over 3,500 users in the #introductions channel, it was an unique experience. I’m thinking about lots of different things from past hackathons that I’ve participated, mentored, sponsored, hosted – how will this one be any different. I’ll just have to wait and see. And better yet, give to the community and the competitors as much as I can in the time we have.
This moment was not the beginning nor the end of this experience. It was somewhere in between. I’ll give you some background.
Continue reading “#BuildWithAI – A Hackathon Experience”
In a two-part blog series I am exploring the available options in triggering an Oracle Integration Cloud (OIC) integration whenever a resource state change occurs within Oracle Cloud Infrastructure (OCI). One example of this event based pattern is the ability to trigger an OIC integration as soon as a file is uploaded to OCI Object Storage, thereby removing the need for any scheduled based integrations that rely on file polling.
In my previous blog, I provided some context and background on the OCI Event service and the available options that we have in triggering an OIC integration. Namely these are the OCI Notifications, Functions, and Streaming services. My previous blog also explored the first of these patterns, and detailed how this event based pattern can be achieved using the OCI Notification Service. In this follow up article I will cover how we can use Oracle Functions to achieve the same outcome.
Continue reading “Triggering an OIC integration via OCI Events – the Oracle Functions Approach”
Kubernetes has been proven the best way that we have today to run microservices deployments, whether it is via a Serverless approach or by managing your own deployments in the cluster. This has solidified with the strong adoption of Kubernetes by all the major Cloud Vendors, as the strategic way to orchestrate containers and run serverless functions.
However, one of the situations that we need to be mindful, is that kubernetes creates by default a super powerful user that has full access to almost every resource in the cluster (accessible via kubectl or directly though APIs). This is very convenient for most dev & test scenarios, but it is imperative that for production workloads, we limit such power and use Role Base Access Control (RBAC), stable since version 1.8, for fine-grained authorisation access control to kubernetes cluster resources.
For the purpose of this demo, I am assuming some familiarity with Kubernetes and kubectl. I will mainly focus on the Authentication and Authorisation aspects that allow us to use Client certificates to get access to protected resources in a Kubernetes cluster.
In a nutshell this is what I am going to do:
- Create and use Client certificates to authenticate into a Kubernetes cluster
- Create a Role Base Access Control to fine grain authorise resources in the Kubernetes cluster
- Configure kubectl with the new security context, to properly limit access to resources in the Kubernetes cluster.
This is a super simplified visual representation:
Continue reading “OCI – Oracle Container Engine for Kubernetes (OKE) – Using Client Certificates and RBAC”
In a previous blog, I explained how to local peer two Virtual Cloud Networks (VCNs) located in the same Region. In this blog, I am going to show you how you can remote peer two VCNs located in different Regions. You might want to use this approach for High Availability or Disaster Recovery scenarios or simply to interconnect private workloads across multiple regions. In order to remote peering 2 VCNs, we are going to use a new type of Networking Gateway in Oracle Cloud Infrastructure, called Dynamic Routing Gateway (DRG). It is important to mention that the communication between the 2 regions does not route over the Internet, but via a dedicated network pre-established private fast connection/backbone, so the communication is secured and low latency. Just for the record, DRGs are the same type of gateways that you would use to establish connectivity between any other Data centres (e.g. on-premise DC or other Cloud providers, e.g. AWS, MS Azure, GCP), as well as to establish IPsec VPN connections or during a dedicated Fast Connect Private Peering communication, but that would be another blog.
For this demo, we are going to connect workloads between Phoenix and Ashburn. Each region will have its own VCN and within each VCN we are going to deploy a private subnet with 1 Linux VM, used to test the inter-communication across the regions.
For the purpose of this demonstration, I am going to show how to:
- Attach and configure DRG to each of your VCNs, located in different regions and establish the remote peering.
- Configure 2 private VMs, each in a different VCNs (different AD)
- Use public bastion host to connect to 1 of the private VMs and then confirm connectivity into the other private VM (cross-region connectivity).
This is a high-level visual representation:
Ok, let’s have fun!!!
Continue reading “OCI – Remote Peering 2 Virtual Cloud Networks across different Regions”
In a previous blog, I showed how to develop microservices to connect to Autonomous Databases and consume data (read/write) via REST APIs. Although I still highly recommend that approach, the reality is that there is an easier way to do it using Oracle REST Data Services modules that come included with any Oracle Autonomous Database (ADW/ATP).
This way you simply have to:
- Configure the API endpoint (Method + URL) that you want to expose as a REST API
- Define the underlying SQL statement that will serve to your endpoint (i.e. SELECT, INSERT, UPDATE, DELETE statements or a more complex PL/SQL script)
Define the security mechanism to properly protect your APIs
That’s pretty much it, this should be a very quick, yet powerful alternative to building your own microservices to consume data from Autonomous DBs.
Continue reading “Enabling REST APIs to consume data from Oracle Autonomous Databases (ADW/ATP)”
Oracle’s Cloud Infrastructure has been designed in an API-first manner, which is awesome for all sorts of infrastructure automation tasks. It also implements an interesting API security model, in which all requests must be signed using a private key, associated with a public key which has already been configured in OCI (here, the developers are showing their infrastructure roots, as this echoes how SSH Auth is normally handled). The documentation of this model provides sample code in a number of languages, which is perfect if you are writing automation scripts, but is a little inflexible for ad-hoc testing. Typically I much prefer to use a rich graphical REST client, such a Postman, so that I can easily tweak my parameters and try out different types of calls before I write any code. Unfortunately while Postman is well equipped for Basic and Token based Auth, HTTP-Signature is not natively implemented, and rather than abandon Postman for a new tool, I set out to implement it using Postman’s powerful scripting capabilities. In this blog post I provide the result of this, which is a downloadable collection which provides all of the required scripts, and discuss the approach used.
Continue reading “Calling OCI APIs from Postman”