Oracle Cloud Infrastructure (OCI) – governance

Captions
Hello, my name is Ewan Slater. I'm a director in the EMEA OCI Center of Excellence. I'm joined for this session by my colleague Rahul Gameth, who is also a director in the EMEA OCI Center of Excellence. Rahul, welcome, and great to have you on the call.

Thank you, Ewan, my pleasure to share this skill with you.

So this is one of a number of sessions that we have put together to help people understand how they can move to enterprise cloud with Oracle. The goal of this particular session is to discuss governance: how you can look at what's going on in your cloud tenancy, how you can start to explore more complicated architectures like hybrid, like multi-cloud, and how you can control and manage your organization and its costs to ensure that you get the maximum value from the platform. If you've watched the sessions so far, and I strongly encourage you to watch all of them, you will now understand what OCI is: that it's a generation 2 cloud, that it is available in multiple data centers across the world, that it has a number of unique features. You'll understand its security model, that it is security by default, a security-first approach, and you've likely already deployed your first application. This session is going to go beyond that, and we're going to look at how you can start to log things that happen in your application, how you can start to react to events, how you can start to look at more complicated architectures like, say, spanning across multiple clouds, and how you can administer and optimize your usage of the cloud.

Your first application deployment probably looks something like this. You have a VCN, a virtual cloud network, created within a compartment, which is probably, hopefully, a sub-compartment of the root rather than created directly in root. Within that VCN you'll have subnets, and you will have deployed, say, a virtual machine with your application on it and maybe your database, and probably these are in separate subnets, and then you've exposed the application to the outside world through a load balancer. So our application is now up and running, we're flying. But what if something happens that we weren't expecting? What if an anomaly happens? What if it crashes? Now, if we were in an airplane we would look at the flight recorder; that would show us the data, that would show us the things that had happened up to this event taking place. In OCI, Logging is your flight recorder.

So here we can see a view from the OCI console. The console is constantly under development, so if you go to this console and you see some slightly different buttons depending on when you watch the video, don't be alarmed. However, the important thing is that you would see that you have the log, in this case called "parking gate execution". You would see, if you look under the log details, that it's a service log, it's generated by a service, that it's generated by the API Gateway service to be precise, and that it is in the log group "storage logs" with a retention period of a month. You can see that it lists a number of events that happened on the 10th of March 2021, a number of successful requests to a function which was actually to control a parking gate, whether you allowed a car in or not. And we can then further start to drill into the information about each of those log entries, so if you click on one you'll see that the information opens, it drops down, and you'll see all of the different information in there. We can see that this log event has a level of INFO, the message is that there was a successful request sent to the function, and we can look at things like the log ID, the log group ID, what the exact time was, all of these different things that happened within that execution.

So what OCI Logging gives us as a service is a way to see all of the things that have happened, all of the things that have been written to logs, and to collect them together and manage them, not just for the OCI services, where it will collect the service logs as you saw for API Gateway, where it will collect the audit logs, but also customer-generated logs, so things like application logs, security logs. And then we can take these and we can search on them and we can analyze and we can even take action against them, so we might for example write them to a stream or invoke another function depending on what's in the log, or just write them to Object Storage for posterity. So this gives us an ability to view all of our logs through a single window or a single pane of glass, to have them in one location, to use the Fluentd agent to help us acquire those logs, to enrich events with additional metadata if we need to, and to manage logs with our log groups for access control.

Now, log groups are logical containers to handle and manage your logs, so your log is within a log group and we can set permissions on that log group. Now the permissions might be set at the compartment level or they might be set at the log group level, so you might for example want to restrict logs for a particular application, which might contain sensitive data, down to a specific set of users, or you might have the logs for the production environment accessible to a different group of people than the logs for the development department. And when changes are made to permissions or logs are accessed, that is in fact audited.

When we look to search our logs there's a couple of ways we can do it. There's a sort of graphic, wizard-based approach I'm showing here, where I've gone and I've selected my compartment, "storage logs" and the "parking gate execution" log, and that's what you see when you've run that search, which is similar to what we saw before. There's also an advanced mode you'll see there, and that allows us to start defining our queries at a more granular level using a query language. So it's SQL-like, it's not SQL; it allows us to search across multiple logs or data sources within a region, and it also provides functions that we can use to slice and dice the data. So for example we can filter, we can check the average or the minimum or a sum, and it enables us to build up more complicated queries. We can also save our searches and then be able to rerun them again at a later time, or specify a query frequency. Some examples of using the log search language are here. So this is searching an application security log: we might want to search for entries where the log level is ERROR or INFO, and in this case we've specified that it's for a particular host, host1. In the second one we want to order the entries in the application security log by their impact, so the higher-impact ones will appear higher and we can single them out for attention. Or we might, in the bottom one, use a function, in this case concat, to put the host and us.oracle.com together to give us a fully qualified name.

As I said, Logging can integrate with other Oracle services. We can write to Streams, which we can then consume and process in additional ways; we can archive them to Object Storage; we can invoke a serverless function, or emit a metric that's then used by the Monitoring service. So it's kind of an "if this, then do that" type of rules engine. Based on those rules we can take actions, we can send notifications, as I said we can emit metrics, and with the integration with Object Storage we can give you options to export the logs to archive storage, or we can stream them to other systems such as Splunk, for example.

Now, if Logging is your flight recorder, Metrics is your multimeter. There are a large number of system metrics available with OCI. If you look at the documentation for every OCI service you will see it generates a set of default metrics. You can also create your own custom metrics. So for example with Compute you would typically be looking at something, say, on an instance: you could be looking at the memory consumption, you could be looking at network consumption. If we look at a network here, you see on the top right we've got metric namespace oci_vcn, we're looking at a network, and we're able to see things like the packets from the network, the packets sent to the network, the ingress packets that have been dropped by the security list. And we can aggregate metric streams together, we can drill into metric namespaces and add particular dimensions. So the Monitoring service gives us a fully managed, out-of-the-box monitor for cloud applications and services. We choose the metrics we want to use, in the same way that with a multimeter you choose which things, like voltage or current, you wanted to measure, and you're able to take metric data about the health and the performance of your resources. Again, like Logging, there's a query language that you can use to create more detailed queries, and again we can integrate with Notifications and send messages via email or PagerDuty.

So to take a graphical view of this: on the left we have the customer applications and services and resources that are generating custom metrics; we have the Oracle Cloud Infrastructure services that are generating their standard metrics. That metric data can be collected and aggregated together. We can then set triggers and alarms based on thresholds, so you might say, if my storage on a block volume is over a certain capacity, then please send a message so that somebody knows that they need to go and do something. Even better, you can have a function, say, that would be triggered on the basis of that alarm, so you can set up automation to take action on the basis of that threshold being exceeded. Typical monitoring use cases: we're measuring resource utilization because we want to optimize usage, we want to be able to monitor trends, we want to, as I say, detect things that are going wrong in the system, if some CPU utilization goes over a certain threshold, if we've used up a certain amount of our storage, or, to quote from Star Trek, the "it's dead, Jim" scenario: we get a notification if no metric is generated for a resource in a particular period. We might also want to use a breach of the threshold to trigger some kind of auto-scaling event. So Monitoring is a very powerful tool: we can use the metrics, we can monitor them, we can take action on them.

Now, if Metrics are a multimeter, Logging Analytics is our head-up display. And in the same way as when you're flying a fighter you want to be able to look forward and see all of the relevant data displayed for you in front of you without having to look down at the instrument panel, Logging Analytics gives you a way to create that kind of dashboard to show business-critical data that you can then use. And at this point I'm going to hand over to Rahul. Rahul, over to you.

Thank you, Ewan. That's right, OCI monitoring capabilities are really powerful, but in some situations we will need to manage huge volumes of logs and extract insights from them. Logging Analytics is a tool integrated in the OCI console to provide visual analytics capabilities. You can ingest OCI logs and design amazing dashboards to transform the data contained in the logs into visual information that is easier to analyze and understand. Tools like Logging Analytics or a more advanced observability platform are key if we plan to open the multi-cloud box of chocolates.

But what does multi-cloud really mean, and why do it? Well, multi-cloud means bringing the customer the freedom to choose and use the best-in-class provider to run each of their workloads. Basically the customer can split their application into different layers and even run each of these layers in different cloud providers. What happens with on-premise facilities? You can think of on-premise like some type of private cloud provider, so at the end you can manage all environments, public and private, as a cloud provider. And how to connect multiple clouds to OCI? Our tool or service to provide this type of connectivity is called FastConnect. FastConnect works with connectivity partners in order to provide end-to-end connectivity. It is agnostic; it means that we can work with all providers, not only the list of providers that you can find, 35 providers in each region. FastConnect has something that is unique at this moment in the market, that is a flat fee rate per data transfer. It means that there is no hidden cost, no extra data charge for ingress or egress traffic. And why use FastConnect? Maybe there exist other reasons, yes of course: if you need performance, if you need security, or maybe high availability, get your connectivity covered by SLAs, or a more simple reason, your sensitive data cannot traverse the internet.

Maybe you are thinking that implementing a multi-cloud strategy is something really difficult or complex. In fact it's not true; actually connecting the dots is really simple. Let me show how to implement this type of architecture. If you want to connect an on-premise facility, here on the left, to one of our OCI regions (we have multiple regions across the world, here on the right), you only need to provide connectivity between the on-premise facility and the connectivity partner's point of presence. From this point of presence you can use the connectivity partner's backbone in order to reach our OCI regions. We have multiple points of presence in each region in order to provide high availability. If you really want to build a multi-cloud architecture working with other cloud providers, you can reuse this connectivity across the backbone of the partner in order to reach other cloud providers, and in that way you can, in a very easy way, split your workloads into the different cloud providers.

OCI has been designed from the ground up with multi-cloud in mind. A perfect example of this mindset is our agreement with Microsoft Azure. Basically, in such locations where we share colocation, we implement a direct connection between both clouds. In that way we can provide really low latencies and we can avoid charges per data transfer; it means that no data transfer charge for egress or ingress in any of the clouds will be applied. We have also Terraform scripts to automate the provisioning and the deployment, and we also work in a shared support model in both companies. Taking a look at the architecture, basically you can see on the left OCI using our DRG, that is our virtual network device where our FastConnects are attached, and you can see on the right the Microsoft Azure tenant using the virtual network gateway and implementing the ExpressRoute. So as you can see, there is no third-party connectivity provider providing this link between our DRG and the virtual network gateway; we only have, working together, our FastConnect and the ExpressRoute. And remember, no extra data transfer charge will be applied, egress or ingress. That opens in front of us a world of possibilities to design and deploy our workloads.

It's also important to keep cost under control in order to reach to the cloud, and OCI has a really easy and transparent cost model. Once you start working with OCI you will have two different consumption models: pay as you go, and annual flex based on universal credits. Pay as you go is really simple: basically you only pay for usage with no upfront commitment. The annual flex model using universal credits is a really flexible and special model: you will have a one-year minimum term, but you will get all the flexibility of the universal credits. A universal credit means that you don't need to know in advance if you will deploy maybe compute or storage or maybe serverless or cloud-native resources, because you can use the universal credit to buy all the resources across OCI. You can also use your license, implementing the bring-your-own-license model. There are some factors that impact pricing that, if you are using OCI, you don't need to be scared about. For example, speaking about resources, the pricing of those resources is linear; it means that if you are using a smaller resource you will pay less, and if you move to a bigger resource you will pay a little bit more, growing linearly. All OCI regions have the same pricing across the world for almost all the services. We don't have hidden costs, and speaking about networking, we don't have increased cost and we eliminate the data transfer charge for egress for almost all situations.

Let me deep-dive a little bit more in our pricing model and explain the data transfer costs with more detail. Here you can see a typical OCI region with three availability domains, and we plan to move data from one virtual machine to another virtual machine; both virtual machines are located in the same availability domain. Basically the data transfer between both virtual machines is totally free; it means that inside the same availability domain the ingress and egress traffic are totally free without limit. If we plan to move data from availability domain 1 to availability domain 2 or 3 inside the same region, the ingress and egress traffic is also free and unlimited; it means that no charge will be applied for data transfer between resources located in availability domain 1 to availability domain 2 or 3. If you plan to connect and move data from an OCI region to an on-premise facility, or maybe to other cloud providers, using our FastConnect service, you will have also a totally free and unlimited data transfer rate; it means that no ingress charge will be applied and no egress charge will be applied, it means totally free. If you plan to move data between different regions inside OCI using our backbone, basically you will see that the ingress traffic to the region is free and unlimited, and the egress traffic of the region will be charged with the price that's applied to this specific region. If you plan to move data from one region to another location over the internet, you will have a fully flat fee rate, and you will have an egress charge starting from 10 terabytes per month; it means that the first 10 terabytes per month of egress traffic will be also free.

Jumping into the governance part, OCI has something that is totally different from other cloud providers: the compartment. It is a logical entity, it's a collection of related resources that helps you to isolate and control access to your resources. After creating a compartment you will need to write at least one policy for it, otherwise it cannot be accessed, except obviously by administrators or users who already have permission to the tenancy. Here you can see a typical example of a policy granting access to manage instance-family in a compartment called ProjectA. You can use compartments in different ways to build the governance model that works better for you. In addition to compartments, OCI implements tags. You can attach tags not only to compartments but also to any OCI resource, in order to enrich this resource with metadata that you can use to implement a governance strategy, to enforce security, and maybe to implement a better cost tracking strategy.

Something that is really useful in order to keep costs under control are budgets and alerts. Basically a budget is a monthly threshold that you define for yourself. Spend can be set on cost tracking tags or compartments, and tracks all spending in the cost tracking tag or compartment and any child compartment. You can define email alerts that get sent out for your budget; those alerts are evaluated every 50 minutes and can be triggered when your actual or forecasted spending hits the number that you define. Basically here in the screen you will see that you can define the threshold type and you can define the threshold metric, basically actual spend or forecast spend, and the threshold type based on a percentage of the budget or an absolute amount.

Other tools that OCI provides in order to keep costs under control are the quotas and limits. By default each OCI service comes with a protection limit to avoid accidental charges. Obviously you can raise those limits to something higher when you feel comfortable with the OCI governance model. You can also define quotas. Quotas basically give tenant and compartment administrators better control over how many resources are consumed in Oracle Cloud Infrastructure, and enable administrators to easily allocate resources to compartments using the console. OCI has also a subscription sharing model that lets you link tenancies. Once the invitation is accepted, the linked tenancy starts to consume universal credits from the primary environment. You can see the tenancy consumption in the Cost Analysis. Taking a look at the Cost Analysis dashboard, you will see that this is a really easy to use visualization tool that lets you track and optimize your Oracle Cloud Infrastructure spending, that lets you filter cost by date, by tags, by compartment, etc. The trend lines show how spending patterns are changing, so it's a really friendly and useful tool.

Congratulations, you are now an expert in OCI governance. If you want to know more about the OCI data platform and management, please keep in touch and engage with step five. My colleague Ewan and me want to say thank you. If you want to know more you can reach cloud.oracle.com, start a trial, maybe play with the LiveLabs from OCI, or feel free to contact your Oracle representative for further support.
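The session's governance point is that a compartment is only reachable through the policies written for it, and the policy shown grants `manage instance-family` in the compartment ProjectA. As an added example (not from the video or from Oracle), the following Python linter parses statements of the form `Allow <subject> to <verb> <resource> in tenancy|compartment <name>` and flags grants that undo compartment isolation. The sample policy lines are constructed, and the regex covers only the common statement forms, passing any `where` condition through unparsed.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Shape of an OCI IAM policy statement (real OCI grammar, common forms only):
#   Allow <subject> to <verb> <resource-type> in tenancy|compartment <name> [where <conditions>]
# <subject>: group|dynamic-group|service <name>, or any-user; <verb>: inspect|read|use|manage
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>group\s+\S+|dynamic-group\s+\S+|service\s+\S+|any-user)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

class Finding(NamedTuple):
    severity: str  # "high" or "medium"
    reason: str

def parse_statement(statement: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a statement into its parts, or return None if it does not follow the grammar."""
    match = STATEMENT_RE.match(statement.strip())
    return match.groupdict() if match else None

def lint_statement(statement: str) -> List[Finding]:
    """Flag grants that work against compartment-based isolation."""
    parts = parse_statement(statement)
    if parts is None:
        return [Finding("high", "does not parse as an OCI policy statement")]
    verb = parts["verb"].lower()
    resource = parts["resource"].lower()
    in_tenancy = parts["scope"].lower() == "tenancy"
    findings: List[Finding] = []
    if parts["subject"].lower() == "any-user" and not parts["condition"]:
        findings.append(Finding("high", "any-user grant without a 'where' condition"))
    if verb == "manage" and resource == "all-resources":
        findings.append(Finding("high" if in_tenancy else "medium",
                                "manage all-resources grants full control over the scope"))
    elif verb in ("use", "manage") and in_tenancy:
        findings.append(Finding("medium",
                                f"'{verb} {resource} in tenancy' bypasses compartment isolation"))
    return findings

def lint_policy(statements: List[str]) -> Dict[str, int]:
    """Count findings per severity across a whole policy."""
    counts = {"high": 0, "medium": 0}
    for statement in statements:
        for finding in lint_statement(statement):
            counts[finding.severity] += 1
    return counts

# Constructed sample policy for this example; not taken from any real tenancy.
SAMPLE_POLICY = [
    "Allow group ProjectA-Admins to manage instance-family in compartment ProjectA",
    "Allow group Auditors to read all-resources in tenancy",
    "Allow group Everyone to manage all-resources in tenancy",
    "Allow any-user to read objects in compartment PublicSite",
    "Allow group NetOps to use virtual-network-family in tenancy",
]

if __name__ == "__main__":
    for statement in SAMPLE_POLICY:
        for finding in lint_statement(statement):
            print(f"[{finding.severity}] {statement}: {finding.reason}")
    print(lint_policy(SAMPLE_POLICY))  # {'high': 2, 'medium': 1}
```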
Info
Channel: Oracle
Views: 584
Keywords: 41383998, 6255091531001, 7 steps, cloud tenancy, cost management, governance, governance track, hybrid-cloud, multi-cloud, observation, oci, oracle cloud, oracle cloud infrastructure, video series, Oracle Cloud Infrastructure, OCI, Oracle Cloud, Video series, Governance, Multi-Cloud, Observation, Cost Management
Id: HRlDLAQK-5s
Length: 29min 12sec (1752 seconds)
Published: Fri Jul 09 2021