02 Architecture – Network Concepts and Bare Metal

This blog tries to explain some of the network architecture related concepts and terminologies: Data Center, Hypervisor, Multi Tenancy, Network Switch, InfiniBand, Regions and Availability Domains, Virtual Cloud Network, Bare Metal Cloud, Instances, Images and Shape, Block and Object Storage, Bucket, Subnet, VNET and VLAN, Dynamic Routing, Routing Policy or Policy-based Routing, Ingress v/s Egress Filtering, intrusion detection system (IDS), Data loss prevention, Security monitoring – SYSLOG, Storage protocols – ZFS, iSCSI.

Data Center

A data center is a facility used to house computer systems and associated components, such as telecommunications and storage systems. It generally includes redundant or backup power supplies, redundant data communications connections, environmental controls (e.g. air conditioning, fire suppression) and various security devices. A large data center is an industrial-scale operation using as much electricity as a small town

A typical data center will have the following:

  • Heat exchangers: located on the data center's roof, heat exchangers release excess heat from the turbo-cooling units into the air. When outside temperatures are very high, the exchangers are sprinkled with water to increase the efficiency of heat dissipation.
  • Diesel generators: when a power outage occurs, the diesel generators start up automatically within seconds. While the generators go through a short start-up phase, batteries deliver power so that operations can continue uninterrupted. The diesel generators then take over and provide the complete power supply for the data center.
  • Server room: servers and storage units are located in SAP standard racks in especially secured server rooms. The racks are kept in an enclosed area to enable optimal cooling. Server rooms are only entered sporadically and for short periods of time.
  • Batteries: batteries can provide power during short outages. When electricity fails completely, power is delivered via this uninterruptible power supply (UPS) until the emergency standby system is active. The UPS apparatus also compensates for voltage fluctuations and distortions. However, batteries cannot bridge the gap for power outages that last longer than a few hours or days.
  • Control stations: control stations for IT and building security serve as command central in the data center. All important information is displayed here on large screens. Any variation from standard operation is promptly reported.
  • The wire to the outside world: telecommunications connect the data center to public data networks.
  • Extinguishing gas: water, extinguishing foam, or powder fire suppression systems can cause more damage in a data center than a charred cable. For that reason, special extinguishing gases are preferred. INERGEN, an extinguishing gas, displaces the oxygen content in the air, which smothers the fire source. It is harmless to people and the equipment.
  • Turbo-cooling units: high-efficiency cooling units remove the heat emitted by the air conditioning system and release it into the outside air via heat exchangers on the roof.

Hypervisor

A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.

Multi Tenancy

The term “software multi-tenancy” refers to a software architecture in which a single instance of software runs on a server and serves multiple tenants. A tenant is a group of users who share a common access with specific privileges to the software instance.


Network Switch

A network switch (also called a switching hub, bridging hub, or officially MAC bridge) is a computer networking device that connects devices together on a computer network by using packet switching to receive, process, and forward data to the destination device. Unlike less advanced network hubs, a network switch forwards data only to the devices that need to receive it, rather than broadcasting the same data out of each of its ports.

A network switch is a multiport network bridge that uses hardware addresses to process and forward data at the data link layer (layer 2). Some switches can also process data at the network layer (layer 3) by additionally incorporating routing functionality that most commonly uses IP addresses to perform packet forwarding; such switches are commonly known as layer-3 switches or multilayer switches.

Switches also exist for other types of networks, including Fibre Channel, Asynchronous Transfer Mode, and InfiniBand.

InfiniBand

InfiniBand (abbreviated IB) is a computer-networking communications standard used in high-performance computing that features very high throughput and very low latency. It is used for data interconnect both among and within computers. InfiniBand is also utilized as either a direct, or switched interconnect between servers and storage systems, as well as an interconnect between storage systems.

As of 2014 it was the most commonly used interconnect in supercomputers. Mellanox and Intel manufacture InfiniBand host bus adapters and network switches, and in February 2016 it was reported that Oracle Corporation had engineered its own InfiniBand switch units and server adapter chips for use in its own product lines and by third parties.

As an interconnect, IB competes with Ethernet, Fibre Channel, and proprietary technologies such as Intel Omni-Path.

The technology is promoted by the InfiniBand Trade Association.

Regions and Availability Domains

Oracle Bare Metal Cloud Services is hosted in regions and Availability Domains. A region is a localized geographic area, and an Availability Domain is one or more data centers located within a region. A region is composed of several Availability Domains. Most bare metal resources are either region-specific, such as a Virtual Cloud Network, or Availability Domain-specific, such as a compute instance.

Availability Domains are isolated from each other, fault tolerant, and very unlikely to fail simultaneously. Because Availability Domains do not share infrastructure such as power or cooling, or the internal Availability Domain network, a failure at one Availability Domain is unlikely to impact the availability of the others.

All the Availability Domains in a region are connected to each other by a low latency, high bandwidth network, which makes it possible for you to provide high-availability connectivity to the Internet and customer premises, and to build replicated systems in multiple Availability Domains for both high-availability and disaster recovery.

Regions are completely independent of other regions and can be separated by vast distances—across countries or even continents. Generally, you would deploy an application in the region where it is most heavily used, since using nearby resources is faster than using distant resources. However, you can also deploy applications in different regions to:

  • mitigate the risk of region-wide events, such as large weather systems or earthquakes
  • meet varying requirements for legal jurisdictions, tax domains, and other business or social criteria

Oracle Bare Metal Cloud Services

Oracle Bare Metal Cloud Service is a set of complementary cloud services that enables us to build and run a wide range of applications and services in a highly-available hosted environment. Oracle Bare Metal Cloud Services offers high-performance compute capabilities (as physical hardware instances) and storage capacity in a flexible overlay virtual network that is securely accessible from your on-premises network.

Virtual Cloud Network (VCN)

A Virtual Cloud Network is a virtual version of a traditional network—including subnets, route tables, and Gateways on which your instances run. A cloud network resides within a single region but can cross multiple Availability Domains. You can define subnets for a cloud network in different Availability Domains, but the Subnet itself must belong to a single Availability Domain. You need to set up at least one cloud network before you can launch instances. You can configure the cloud network with an optional Internet Gateway to handle public traffic, and an optional IPSec VPN connection to securely extend your on-premises network.

Instances

An instance is a compute host running in the cloud. An Oracle Bare Metal Cloud Services compute instance allows you to utilize hosted physical hardware, as opposed to the traditional software-based virtual machines, ensuring a high level of security and performance.

Image

The image is a template of a virtual hard drive that defines the operating system and other software for an instance, for example Oracle Enterprise Linux. When you launch an instance, you can define its characteristics by choosing its image. Oracle provides a set of images you can use. You can also save an image from an instance that you have already configured to use as a template to launch more instances with the same software and customizations.

Shape

In the Compute Service, the shape specifies the number of CPUs and amount of memory allocated to the instance. Oracle Bare Metal Cloud Services offers shapes to fit various computing requirements. In the Load Balancing Service, the shape determines the load balancer’s total pre-provisioned maximum capacity (bandwidth) for ingress plus egress traffic. Available shapes include 100 Mbps, 400 Mbps, and 8000 Mbps.

Key Pair

A key pair is an authentication mechanism used by Oracle Bare Metal Cloud Services. A key pair consists of a private key file and a public key file. You upload your public key to Oracle Bare Metal Cloud Services. You keep the private key securely on your computer. The private key is private to you, like a password.

Key pairs can be generated according to different specifications. Oracle Bare Metal Cloud Services uses two types of key pairs for specific purposes:

  • Instance SSH key pair: This key pair is used to establish a secure shell (SSH) connection to an instance. When you provision an instance, you provide the public key, which is saved to the instance’s authorized keys file. To log on to the instance, you provide your private key, which is verified against the public key.

Block Volume

A block volume is a virtual disk that provides persistent block storage space for Oracle Bare Metal Cloud Services instances. Use a block volume just as you would a physical hard drive on your computer, for example, to store data and applications. You can detach a volume from one instance and attach it to another instance without loss of data.

Object Storage

Object Storage is a storage architecture that allows you to store and manage data as objects. Data files can be of any type and up to 50 GB in size. Once you upload data to the Object Storage Service it can be accessed from anywhere. Use the Object Storage Service when you want to store a very large amount of data that does not change very frequently. Some typical use cases for the Object Storage Service include data backup, file sharing, and storing unstructured data like logs and sensor-generated data.

Bucket

A bucket is a logical container used by the Object Storage Service for storing your data and files. A bucket can contain an unlimited number of objects.

Oracle Cloud Identifier (OCID)

Every Oracle Bare Metal Cloud Services resource has an Oracle-assigned unique ID called an Oracle Cloud Identifier (OCID). This ID is included as part of the resource’s information in both the Console and API.

Subnet, VNET and VLAN

A subnet is a small network inside a larger network. It is a logical grouping of connected network devices that tend to be located in close physical proximity to each other on a local area network (LAN).

Advantages of a Subnet include:

  • Network performance and speed improve.
  • Network congestion is reduced.
  • Data delivery is more efficient.
  • An organization can take full advantage of the network’s capacity.
  • Network security improves.
  • Administration eases.
  • Troubleshooting can be limited to a subnet rather than the entire network.
  • The separation between different departments in an organization is maintained.

VNET is a virtual protocol which manages multiple physical network protocols. When opened with an IP address, VNET determines whether the host can be reached directly on one of its physical networks. If it can, a session on that network is opened.

A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). … VLANs allow network administrators to group hosts together even if the hosts are not on the same network switch.

VLANs are configured through software rather than hardware, which makes them extremely flexible. One of the biggest advantages of VLANs is that when a computer is physically moved to another location, it can stay on the same VLAN without any hardware reconfiguration.
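The subnet advantages listed above (containing congestion, keeping departments separated, limiting troubleshooting to one segment) all depend on the address plan actually being carved up correctly and without overlap. The following is an added example, not code from the original post: it uses Python's standard `ipaddress` module to split a supernet into equal subnets, place a host in its department subnet, tell whether two hosts share a segment, and detect overlapping subnets that would silently defeat the separation. All addresses and department names are constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed address plan (hypothetical): department name -> subnet.
DEPARTMENT_SUBNETS: Dict[str, ipaddress.IPv4Network] = {
    "engineering": ipaddress.ip_network("10.20.0.0/24"),
    "finance": ipaddress.ip_network("10.20.1.0/24"),
    "guests": ipaddress.ip_network("10.20.100.0/22"),
}


def carve_subnets(supernet: str, new_prefix: int) -> List[str]:
    """Split a larger network into equal-sized subnets of the given prefix length."""
    net = ipaddress.ip_network(supernet)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def locate_host(ip: str, subnets: Dict[str, ipaddress.IPv4Network] = DEPARTMENT_SUBNETS) -> Optional[str]:
    """Return the department whose subnet contains the host, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in subnets.items():
        if addr in net:
            return name
    return None


def same_segment(ip_a: str, ip_b: str, subnets: Dict[str, ipaddress.IPv4Network] = DEPARTMENT_SUBNETS) -> bool:
    """True when both hosts sit in the same subnet, i.e. the same broadcast domain."""
    seg_a, seg_b = locate_host(ip_a, subnets), locate_host(ip_b, subnets)
    return seg_a is not None and seg_a == seg_b


def find_overlaps(subnets: Dict[str, object]) -> List[Tuple[str, str]]:
    """Pairs of subnets that overlap. Overlapping subnets break the separation a plan promises,
    because a host in one may be reachable or misrouted through the other."""
    nets = {name: ipaddress.ip_network(str(n)) for name, n in subnets.items()}
    names = list(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


if __name__ == "__main__":
    print(carve_subnets("10.20.0.0/22", 24))
    print(locate_host("10.20.1.77"), same_segment("10.20.0.5", "10.20.1.5"))
    print(find_overlaps(DEPARTMENT_SUBNETS))
```

Running `find_overlaps` over a proposed plan before it is pushed to switches and routers is a cheap check; an overlap is a design error that no amount of VLAN tagging corrects afterwards.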

Dynamic Routing

Dynamic routing is a networking technique that provides optimal data routing. Unlike static routing, dynamic routing enables routers to select paths according to real-time logical network layout changes.

Routing Policy or Policy based Routing

In computer networking, policy-based routing (PBR) is a technique used to make routing decisions based on policies set by the network administrator.

When a router receives a packet it normally decides where to forward it based on the destination address in the packet, which is then used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria. For example, a network administrator might want to forward a packet based on the source address, not the destination address.  

Policy-based routing may also be based on the size of the packet, the protocol of the payload, or other information available in a packet header or payload. This permits routing of packets originating from different sources to different networks even when the destinations are the same and can be useful when interconnecting several private networks.
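To make the difference between ordinary destination-based forwarding and policy-based routing concrete, here is an added example (not code from the original post) that simulates both in Python: a longest-prefix-match routing table, a list of policy rules that may match on source prefix, protocol or packet size, and a `forward` function that consults the policies first and falls back to the routing table. The gateway names, prefixes and policies are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    size: int = 512  # bytes


@dataclass
class PolicyRule:
    """A policy-based routing rule; any criterion left as None is a wildcard."""
    name: str
    next_hop: str
    src_net: Optional[str] = None
    proto: Optional[str] = None
    max_size: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.max_size is not None and pkt.size > self.max_size:
            return False
        return True


# Constructed destination-based routing table: (prefix, next hop). Gateway names are hypothetical.
ROUTING_TABLE: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "gw-default"),
    ("10.0.0.0/8", "gw-corp"),
    ("10.5.0.0/16", "gw-dc"),
]

# Constructed policies: the first matching rule wins.
POLICIES: List[PolicyRule] = [
    # Everything from the partner-facing subnet leaves via the VPN, whatever the destination.
    PolicyRule("partner-via-vpn", "gw-vpn", src_net="192.168.50.0/24"),
    # Small UDP packets (e.g. voice) are steered onto a low-latency link.
    PolicyRule("small-udp-low-latency", "gw-lowlatency", proto="udp", max_size=200),
]


def destination_route(dst: str, table: List[Tuple[str, str]] = ROUTING_TABLE) -> str:
    """Ordinary forwarding: longest-prefix match on the destination address only."""
    addr = ipaddress.ip_address(dst)
    best_len, best_hop = -1, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    if best_hop is None:
        raise LookupError(f"no route to {dst}")
    return best_hop


def forward(pkt: Packet, policies: List[PolicyRule] = POLICIES) -> str:
    """Policy-based routing: consult the policies first, then fall back to the routing table."""
    for rule in policies:
        if rule.matches(pkt):
            return rule.next_hop
    return destination_route(pkt.dst)


if __name__ == "__main__":
    # Same destination, different sources, different next hops.
    print(forward(Packet("192.168.50.10", "10.5.1.1")))  # partner subnet -> gw-vpn
    print(forward(Packet("192.168.60.10", "10.5.1.1")))  # anyone else -> gw-dc by prefix
```

The two calls at the bottom are the situation the text describes: identical destination, different source, different exit path. In production PBR is configured on the router (route maps, `ip rule` on Linux, and so on); the simulation only shows the decision order, policy before table.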

Ingress v/s Egress Filtering

Ingress filtering is a technique used to ensure that incoming packets are actually from the networks from which they claim to originate. It serves as a countermeasure against spoofing attacks, in which the attacker’s packets carry fake source IP addresses to make it difficult to find the source of the attack. Source spoofing is commonly used in denial-of-service attacks, which are the primary target of ingress filtering.

Egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private TCP/IP computer network to the Internet that is controlled.

TCP/IP packets that are being sent out of the internal network are examined by a router, firewall, or similar edge device. Packets that do not meet security policies are not allowed to leave – they are denied “egress”.
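The two filters described above can be expressed as a couple of small decision functions. The following is an added example, not code from the original post: `ingress_check` implements the anti-spoofing rule (a packet arriving on an edge interface must carry a source address from the prefixes known to live behind that interface) and `egress_check` implements an outbound policy (the source must be an internal address and the destination port must be on the permitted list). `audit` runs both over a constructed packet list and returns log lines for everything denied. All interface names, prefixes and ports are hypothetical.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed addressing for the demonstration; all prefixes and interface names are hypothetical.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Ingress: each edge interface and the source prefixes legitimately located behind it.
INGRESS_EXPECTED: Dict[str, List[ipaddress.IPv4Network]] = {
    "eth-customer-a": [ipaddress.ip_network("198.51.100.0/24")],
    "eth-customer-b": [ipaddress.ip_network("203.0.113.0/24")],
}

# Egress: destination ports internal hosts are allowed to reach outside.
EGRESS_ALLOWED_PORTS = {53, 80, 443}

Decision = Tuple[str, str]  # ("permit" | "deny", reason)


def ingress_check(iface: str, src: str) -> Decision:
    """Anti-spoofing ingress filter: the source must belong to the prefixes expected on the interface."""
    expected = INGRESS_EXPECTED.get(iface)
    if expected is None:
        return ("deny", f"no ingress policy for interface {iface}")
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in expected):
        return ("permit", "source matches interface prefix")
    return ("deny", f"source {src} is not expected on {iface} (possible spoofing)")


def egress_check(src: str, dst: str, dport: int) -> Decision:
    """Egress filter: outbound packets need an internal source and a permitted destination port."""
    s_addr = ipaddress.ip_address(src)
    if not any(s_addr in net for net in INTERNAL_NETS):
        return ("deny", f"outbound source {src} is not an internal address (spoofed source)")
    if dport not in EGRESS_ALLOWED_PORTS:
        return ("deny", f"destination port {dport} is not permitted outbound")
    return ("permit", "egress policy match")


def audit(packets: List[dict]) -> List[str]:
    """Apply the appropriate filter to each packet and return log lines for the denied ones."""
    log = []
    for p in packets:
        if p["direction"] == "in":
            verdict, reason = ingress_check(p["iface"], p["src"])
        else:
            verdict, reason = egress_check(p["src"], p["dst"], p["dport"])
        if verdict == "deny":
            log.append(f"DENY {p['direction']} {p['iface']} {p['src']}->{p['dst']}:{p['dport']} {reason}")
    return log


# Constructed sample traffic: two arriving on a customer edge, three leaving via the uplink.
SAMPLE_PACKETS = [
    {"direction": "in", "iface": "eth-customer-a", "src": "198.51.100.7", "dst": "10.1.1.1", "dport": 443},
    {"direction": "in", "iface": "eth-customer-a", "src": "10.1.2.3", "dst": "10.1.1.1", "dport": 443},
    {"direction": "out", "iface": "eth-uplink", "src": "10.3.4.5", "dst": "203.0.113.10", "dport": 443},
    {"direction": "out", "iface": "eth-uplink", "src": "10.3.4.5", "dst": "203.0.113.10", "dport": 6667},
    {"direction": "out", "iface": "eth-uplink", "src": "172.16.1.1", "dst": "203.0.113.10", "dport": 443},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS):
        print(line)
```

The second sample packet is the classic ingress case: an address from the internal range arriving from outside, which a legitimate customer link can never produce. The last one is the mirror image on egress, a non-internal source trying to leave, which is exactly what ingress filtering at the next network upstream would otherwise have to catch.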

Security monitoring – intrusion detection system (IDS)

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms.

The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A system that monitors important operating system files is an example of a HIDS, while a system that analyzes incoming network traffic is an example of a NIDS. It is also possible to classify IDS by detection approach: the most well-known variants are signature-based detection (recognizing bad patterns, such as malware) 

Security monitoring – Data loss prevention (DLP)

Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

DLP software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the employee would be denied permission.

Adoption of DLP is being driven by insider threats and by more rigorous state privacy laws, many of which have stringent data protection or access components. In addition to being able to monitor and control endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.

DLP products may also be referred to as data leak prevention, information loss prevention or extrusion prevention products.

Security monitoring – SYSLOG

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label.

Computer system designers may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository. Implementations of syslog exist for many operating systems.
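The facility code and severity label mentioned above are packed into the numeric `<PRI>` field at the start of each message (facility is `PRI // 8`, severity is `PRI % 8`). The following is an added example, not code from the original post: a small parser for BSD-style (RFC 3164) syslog lines that decodes the PRI field and splits out timestamp, host and message, plus a filter that keeps only the records a SIEM or IDS pipeline would want to look at first (authentication facilities, or anything at warning level or worse). The sample lines are constructed; hostnames, users and addresses are hypothetical.

```python
import re
from typing import Dict, List, Optional

# Facility numbers 0-23 as defined in RFC 3164. Names for 13-15 vary between
# implementations; the RFC describes them as log audit, log alert and clock daemon.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity numbers 0-7; lower is more urgent.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Parse one RFC 3164 line. Returns None when the PRI header is missing or out of range."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    rest = m.group(2)
    # The RFC 3164 timestamp is fixed width ("Mmm dd HH:MM:SS", 15 chars),
    # followed by a space, the hostname, a space, and the TAG: message.
    timestamp, remainder = rest[:15], rest[16:]
    host, _, message = remainder.partition(" ")
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "severity_level": pri % 8,
        "timestamp": timestamp,
        "host": host,
        "message": message,
    }


def security_relevant(lines: List[str]) -> List[Dict[str, object]]:
    """Keep records from authentication facilities or at warning level or worse; skip unparsable lines."""
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        if rec["facility"] in ("auth", "authpriv") or rec["severity_level"] <= 4:
            kept.append(rec)
    return kept


# Constructed sample log lines (hypothetical host, users and addresses).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 web01 su: 'su root' failed for alice on /dev/pts/8",
    "<86>Oct 11 22:14:20 web01 sshd[2201]: Accepted publickey for alice from 10.20.0.5 port 52211",
    "<13>Oct 11 22:15:01 web01 cron[999]: (root) CMD (run-parts /etc/cron.hourly)",
    "<4>Oct 11 22:15:03 web01 kernel: nf_conntrack: table full, dropping packet",
    "this line has no priority header and is ignored",
]

if __name__ == "__main__":
    for rec in security_relevant(SAMPLE_LINES):
        print(rec["facility"], rec["severity"], rec["host"], rec["message"])
```

The filter is the simplest form of the alarm filtering the IDS section describes: a SIEM receiving everything from every device needs a first cut that separates the cron chatter from the failed `su` and the conntrack table filling up. Note that the hostname and message are whatever the sender put there, so a collector should treat them as untrusted input and never, for instance, build file paths from them.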

Storage protocols – NFS

NFS means you access a file share like \\james\mySharedFolder, and you put files on it. In Windows, this is a mapped network drive. You access folders and files there, but you don’t see the network mapped drive in Computer Manager as a local drive letter. You don’t get exclusive access to NFS drives. You don’t need a separate network cable for NFS – you just access your file shares over whatever network you want.

Storage protocols – ZFS

Oracle Intelligent Storage Protocol

ZFS is a local file system and logical volume manager created by Sun Microsystems Inc. to direct and control the placement, storage and retrieval of data in enterprise-class computing systems.

Oracle’s ZS4-4 features more than 120 processor cores (an increase from 80 in ZS3-4) and up to 3 TB of DRAM (up from 1.5 TB in the prior 3-4 release). The ZFS storage appliance serves 85% or more of the I/O out of DRAM through Oracle’s hybrid pool storage architecture for a distinct performance advantage.

Storage protocols – iSCSI (Internet Small Computer System Interface)

iSCSI means you map your storage over TCP/IP. You typically put in dedicated Ethernet network cards and a separate network switch. Each server and each storage device has its own IP address(es), and you connect by specifying an IP address where your drive lives. In Windows, each drive shows up in Computer Manager as a hard drive, and you format it. This is called block storage.

iSCSI works by transporting block-level data between an iSCSI initiator on a server and an iSCSI target on a storage device. The iSCSI protocol encapsulates SCSI commands and assembles the data in packets for the TCP/IP layer. Packets are sent over the network using a point-to-point connection. Upon arrival, the iSCSI protocol disassembles the packets, separating the SCSI commands so the operating system (OS) will see the storage as a local SCSI device that can be formatted as usual. Today, some of iSCSI’s popularity in small to midsize businesses (SMBs) has to do with the way server virtualization makes use of storage pools. In a virtualized environment, the storage pool is accessible to all the hosts within the cluster, and the cluster nodes communicate with the storage pool over the network through the use of the iSCSI protocol.

DOS & DDOS Attacks

DoS is short for denial-of-service attack, a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks.

DDoS is short for Distributed Denial of Service. A DDoS is a type of DoS attack in which multiple compromised systems, often infected with a Trojan, are used to target a single system, causing a denial of service. Victims of a DDoS attack include both the end targeted system and all the systems maliciously used and controlled by the attacker in the distributed attack.
