{OCI 仮想クラウド・ネットワーク} サービス・ゲートウェイの使用

 

https://docs.oracle.com/ja/learn/service_gateway/index.html#introduction

https://docs.oracle.com/ja-jp/iaas/Content/Network/Tasks/servicegateway.htm

https://qiita.com/shirok/items/d8719c121b3814c2d330

前提: 
subnet01,vm01,sl01,rt01,パブリックサブネット
subnet02,vm02,sl02,rt02,プライベートサブネット,サービス・ゲートウェイのみ

subnet01~subnet02間の全通信許可


検証手順:

①vm01(OL9)作成
②vm01にOCI CLIインストール
③vm01のカスタムイメージからvm02を作成

④vm01からvm02にログイン
⑤vm02からインターネットアクセスできないことを確認
⑥vm02からociコマンドを実行できることを確認

 

-- 1. コンパートメント作成


# 1. Compartment: create cmp01 directly under the tenancy (root), resolve its
#    OCID by name, and the matching delete for cleanup.
#    NOTE: every all-zero OCID in this file is a placeholder to be replaced
#    with the real value returned by the preceding list/create call.
oci iam compartment create \
--compartment-id ocid1.tenancy.oc1..000000000000000000000000000000000000000000000000000000000000 \
--description cmp01 \
--name cmp01


# Look up the compartment OCID by display name; --raw-output prints the bare
# string (no JSON quotes) so it can be pasted into the commands below.
oci iam compartment list \
--query 'data[?"name"==`'cmp01'`].id | [0]' \
--raw-output


# Cleanup. --force skips the interactive confirmation prompt.
oci iam compartment delete \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--force

 


-- 2. VCN作成


# 2. VCN: vcn01 with CIDR 10.0.0.0/16 in cmp01. subnet01 (10.0.1.0/24) and
#    subnet02 (10.0.2.0/24) are carved out of it in step 3.
oci network vcn list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 

 

oci network vcn create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--cidr-block 10.0.0.0/16 \
--display-name vcn01 \
--dns-label vcn01 

 

# Resolve the VCN OCID by display name (used as --vcn-id from here on).
oci network vcn list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data[?"display-name"==`'vcn01'`].id | [0]' \
--raw-output


# Cleanup. Deleting the VCN requires its subnets, gateways, custom route
# tables and security lists (steps 3-7) to be removed first.
oci network vcn delete \
--vcn-id ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force

 


-- 3. サブネット

# 3. Subnets: subnet01 = 10.0.1.0/24 (public, reached via igw01) and
#    subnet02 = 10.0.2.0/24 (private, service gateway only).
#    Neither command passes --route-table-id / --security-list-ids, so both
#    subnets start on the VCN's default route table and default security
#    list; steps 6 and 7 swap those for rt01/rt02 and sl01/sl02.
oci network subnet list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 

 

oci network subnet create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--vcn-id ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--display-name subnet01 \
--dns-label subnet01 \
--cidr-block 10.0.1.0/24


oci network subnet create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--vcn-id ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--display-name subnet02 \
--dns-label subnet02 \
--cidr-block 10.0.2.0/24


# Table of name -> OCID for both subnets (needed by steps 6, 7, 8 and 11).
oci network subnet list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data.{"display-name":"display-name","id":"id"}' \
--output table

# Cleanup: one delete per subnet (subnet01, then subnet02). Instances in a
# subnet must be terminated (steps 8/11) before the subnet can be deleted.
oci network subnet delete \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force

oci network subnet delete \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force

 

-- 4. インターネット・ゲートウェイ


# 4. Internet gateway igw01 (enabled at creation). Only rt01 (step 6) routes
#    to it, so subnet02 never gets a path to the internet through it.
oci network internet-gateway list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 


oci network internet-gateway create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--vcn-id ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--is-enabled true \
--display-name igw01


# Resolve the gateway OCID; it becomes rt01's networkEntityId in step 6.
oci network internet-gateway list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data[?"display-name"==`'igw01'`].id | [0]' \
--raw-output


# Cleanup (remove the rt01 route that references it first).
oci network internet-gateway delete \
--ig-id ocid1.internetgateway.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force


-- 5. サービス・ゲートウェイ

 

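# 5. Service gateway sgw01: gives subnet02 a private path to the Oracle
#    Services Network (e.g. the OCI API endpoints used in step 14) without
#    an internet or NAT gateway.
#    Fixes vs. the original: the stray trailing "\" after --compartment-id
#    (it joined the following blank line into the command) and the trailing
#    comma inside the --services JSON, which is not valid JSON.
oci network service-gateway list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000


# Lists the region's service labels and OCIDs. Pick the entry whose label
# matches the destination used for rt02 in step 6
# (all-iad-services-in-oracle-services-network) and paste its OCID below.
oci network service list


oci network service-gateway create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--vcn-id ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--display-name sgw01 \
--services '[
    {
      "service-id": "ocid1.service.oc1.iad.000000000000000000000000000000000000000000000000000000000000"
    }
]'

# Confirm the gateway reached AVAILABLE and capture its OCID for rt02.
oci network service-gateway list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data.{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table

# Cleanup (remove the rt02 route that references it first).
oci network service-gateway delete \
--service-gateway-id ocid1.servicegateway.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force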

 

-- 6. ルート表


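# 6. Route tables.
#    rt01 (subnet01, public): default route 0.0.0.0/0 -> igw01.
#    rt02 (subnet02, private): a single static route for the Oracle Services
#    Network -> sgw01 and NO default route. That absence is what makes vm02
#    unable to reach the internet (step 13) while OCI API calls still work
#    (step 14) — do not add a 0.0.0.0/0 rule here.
#    Fix vs. the original: the trailing comma after rt01's rule object made
#    the --route-rules value invalid JSON.
oci network route-table list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000


oci network route-table create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--vcn-id ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--display-name rt01 \
--route-rules '[
{"cidrBlock":"0.0.0.0/0","networkEntityId":"ocid1.internetgateway.oc1.iad.000000000000000000000000000000000000000000000000000000000000"}
]'

oci network route-table create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--vcn-id ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--display-name rt02 \
--route-rules '[
    {
      "destination": "all-iad-services-in-oracle-services-network",
      "destination-type": "SERVICE_CIDR_BLOCK",
      "network-entity-id": "ocid1.servicegateway.oc1.iad.000000000000000000000000000000000000000000000000000000000000",
      "route-type": "STATIC"
    }
]'


# Table of name -> OCID for rt01/rt02 (used by the subnet updates below).
oci network route-table list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data.{"display-name":"display-name","id":"id"}' \
--output table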


サブネットが使用するVCNルート表の変更

# Attach the custom route tables: first update = subnet01 -> rt01,
# second update = subnet02 -> rt02 (per the premise at the top of the file).
# The route change takes effect immediately for instances in the subnet.
oci network subnet update \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--route-table-id ocid1.routetable.oc1.iad.000000000000000000000000000000000000000000000000000000000000 

oci network subnet update \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--route-table-id ocid1.routetable.oc1.iad.000000000000000000000000000000000000000000000000000000000000 


★ルート表削除前にサブネットにアタッチしたルート表をデフォルトルート表に変更必要
# Cleanup for step 6. A route table that is still attached to a subnet
# cannot be deleted, so both subnets are first pointed back at the VCN's
# default route table (its OCID goes in --route-table-id here), and only
# then are rt01 and rt02 deleted.
oci network subnet update \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--route-table-id ocid1.routetable.oc1.iad.000000000000000000000000000000000000000000000000000000000000 

oci network subnet update \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--route-table-id ocid1.routetable.oc1.iad.000000000000000000000000000000000000000000000000000000000000 

oci network route-table delete \
--rt-id ocid1.routetable.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force

oci network route-table delete \
--rt-id ocid1.routetable.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force

 

 

-- 7. セキュリティ・リスト

 

# 7. Security lists (all rules stateful: isStateless=false, so replies to
#    allowed traffic are admitted automatically).
#    sl01 (subnet01, public): ingress TCP/22 from 0.0.0.0/0, plus all
#      protocols from subnet02 (10.0.2.0/24); egress all.
#      NOTE(review): "source": "0.0.0.0/0" on port 22 exposes SSH on vm01 to
#      the entire internet. For anything beyond a throwaway test, narrow it
#      to the administrator's own source CIDR.
#    sl02 (subnet02, private): ingress all protocols from subnet01
#      (10.0.1.0/24) only; egress all. With rt02 carrying only the service
#      gateway route, "egress all" still cannot reach the internet — the
#      route table, not this list, is what isolates vm02.
oci network security-list list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 


oci network security-list create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--vcn-id ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--ingress-security-rules '[
{"source": "0.0.0.0/0", "protocol": "6", "isStateless": false, "tcpOptions": {"destinationPortRange": {"max": 22, "min": 22}, "sourcePortRange": null }},
{"source": "10.0.2.0/24", "protocol": "all", "isStateless": false, "tcpOptions": null }
]' \
--egress-security-rules '[
{"destination": "0.0.0.0/0", "protocol": "all", "isStateless": false, "tcpOptions": null }
]' \
--display-name sl01


oci network security-list create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--vcn-id ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--ingress-security-rules '[
{"source": "10.0.1.0/24", "protocol": "all", "isStateless": false, "tcpOptions": null }
]' \
--egress-security-rules '[
{"destination": "0.0.0.0/0", "protocol": "all", "isStateless": false, "tcpOptions": null }
]' \
--display-name sl02

 

# Table of name -> OCID for sl01/sl02 (used by the subnet updates below).
oci network security-list list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data.{"display-name":"display-name","id":"id"}' \
--output table


サブネットが使用するセキュリティ・リストの変更

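# Attach the custom security lists: first update = subnet01 -> sl01,
# second update = subnet02 -> sl02. --security-list-ids REPLACES the
# subnet's whole list set (the default list is dropped), which is why the
# CLI asks for confirmation; --force answers it.
# Fix vs. the original: the trailing comma inside the JSON array made the
# --security-list-ids value invalid JSON.
oci network subnet update \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--security-list-ids '[
"ocid1.securitylist.oc1.iad.000000000000000000000000000000000000000000000000000000000000"
]' \
--force

oci network subnet update \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--security-list-ids '[
"ocid1.securitylist.oc1.iad.000000000000000000000000000000000000000000000000000000000000"
]' \
--force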

 


★セキュリティ・リスト削除前にサブネットにアタッチしたセキュリティ・リストをデフォルトセキュリティ・リストに変更必要
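# Cleanup for step 7. A security list still attached to a subnet cannot be
# deleted, so both subnets are first switched back to the VCN's default
# security list (its OCID goes in the array here), then sl01 and sl02 are
# deleted.
# Fix vs. the original: removed the trailing comma inside each JSON array
# (invalid JSON).
oci network subnet update \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--security-list-ids '[
"ocid1.securitylist.oc1.iad.000000000000000000000000000000000000000000000000000000000000"
]' \
--force

oci network subnet update \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--security-list-ids '[
"ocid1.securitylist.oc1.iad.000000000000000000000000000000000000000000000000000000000000"
]' \
--force

oci network security-list delete \
--security-list-id ocid1.securitylist.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force


oci network security-list delete \
--security-list-id ocid1.securitylist.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force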


-- 8. インスタンスvm01作成

# 8. vm01 in subnet01 with a public IP (the only host reachable from outside;
#    it doubles as the hop to vm02 in step 12). Only the PUBLIC key is sent
#    (--ssh-authorized-keys-file); the private key stays on the workstation.
#    Availability-domain and fault-domain names are tenancy/region specific;
#    --image-id is the base OL9 platform image OCID.
oci compute instance launch \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--availability-domain OEIw:US-ASHBURN-AD-1 \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--assign-public-ip true \
--boot-volume-size-in-gbs 50 \
--display-name vm01 \
--fault-domain FAULT-DOMAIN-1 \
--image-id ocid1.image.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--shape VM.Standard.E2.1 \
--ssh-authorized-keys-file "$HOME/.ssh/id_rsa.pub" 


# Wait for lifecycle-state RUNNING and note the instance OCID (step 10).
oci compute instance list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data.{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table


# Cleanup. --force skips the confirmation; the boot volume is deleted with
# the instance unless preserved explicitly.
oci compute instance terminate \
--instance-id ocid1.instance.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force


-- 9. vm01にOCI CLIインストール
vm01での作業


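# Log in to vm01 over its public IP (192.0.2.1 stands in for the address
# shown by the instance list). $HOME is quoted so the path survives spaces
# (ShellCheck SC2086); behaviour is otherwise unchanged.
ssh -i "$HOME/.ssh/id_rsa" opc@192.0.2.1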


-- 9.1 インストール


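# 9.1 Install the OCI CLI on vm01 (run on vm01).
# The original piped the installer straight from curl into bash. Download it
# to a file first so it can be read before it runs; -f makes curl fail on an
# HTTP error instead of handing an error page to bash, -sS stays quiet but
# still reports failures, -L follows redirects.
curl -fsSL -o oci_install.sh https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh
# (inspect oci_install.sh here before executing it)
bash oci_install.sh
# Restart the login shell so the PATH changes made by the installer apply.
exec -l "$SHELL"
oci -v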

-- 9.2 セットアップ

下記をコンソールから取得
(1). ユーザーのOCID

(2). テナントのOCID


# Interactive setup on vm01: prompts for the user and tenancy OCIDs noted
# above, writes ~/.oci/config and generates the API signing key pair
# (the public half is the .pem uploaded in 9.3). The private key now lives
# on vm01 — see step 10 for the consequence when vm01 is imaged.
oci setup config

 


-- 9.3 Webコンソールで公開キーの追加

/home/opc/.oci/oci_api_key_public.pem

アイデンティティ > ユーザー > ユーザーの詳細 > APIキー


-- 9.4 動作確認


# Smoke test: any successful signed API call confirms config + key + the
# public key registered in 9.3 all match.
oci iam region list --output table


-- 10. vm01のカスタムイメージimage01作成

# 10. Custom image image01 from vm01's boot volume.
#     SECURITY NOTE: vm01 already holds ~/.oci/config and the API signing
#     private key created in step 9, so every instance launched from image01
#     inherits those API credentials — that is exactly why vm02 can run oci
#     in step 14 with no setup of its own. Treat image01 as a secret-bearing
#     artifact: keep it in a restricted compartment, delete it when the test
#     is over, and rotate the API key if the image is ever shared. For
#     anything longer-lived, use instance principals instead of baking a
#     user API key into an image.
oci compute image create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--display-name image01 \
--instance-id ocid1.instance.oc1.iad.000000000000000000000000000000000000000000000000000000000000 


# Resolve image01's OCID (--all pages through every image in the compartment).
oci compute image list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--all \
--query 'data[?"display-name"==`'image01'`]."id" | [0]' \
--raw-output

 


# Cleanup.
oci compute image delete \
--image-id ocid1.image.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force


-- 11. image01からvm02作成

# 11. vm02 from image01 in subnet02. --assign-public-ip false: no public
#     address, so it is reachable only through vm01 (step 12). The same
#     authorized public key as vm01 is installed. Because the image carries
#     vm01's ~/.oci (see step 10), vm02 is API-capable from first boot.
oci compute instance launch \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--availability-domain OEIw:US-ASHBURN-AD-1 \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--assign-public-ip false \
--boot-volume-size-in-gbs 50 \
--display-name vm02 \
--fault-domain FAULT-DOMAIN-1 \
--image-id ocid1.image.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--shape VM.Standard.E2.1 \
--ssh-authorized-keys-file "$HOME/.ssh/id_rsa.pub" 


# Wait for RUNNING; the private IP (10.0.2.x) is needed for step 12.
oci compute instance list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data.{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table


# Cleanup.
oci compute instance terminate \
--instance-id ocid1.instance.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force


-- 12. vm01からvm02にログイン

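# 12. Log in to vm02 (private subnet, no public IP) through vm01.
# The original step scp'd the workstation's SSH PRIVATE key onto vm01 and
# then ssh'd from vm01 to vm02 with that copy. That is not needed: ssh -J
# (ProxyJump) tunnels the second hop through vm01, so the private key never
# leaves the workstation and nothing has to be cleaned off vm01 afterwards.
# The jump hop to vm01 uses the default identity (~/.ssh/id_rsa here) or a
# Host entry in ~/.ssh/config — -i is not propagated to the ProxyJump
# connection, only to the final hop.
# 192.0.2.1 = vm01's public IP, 10.0.2.83 = vm02's private IP (step 11).
ssh -J opc@192.0.2.1 -i "$HOME/.ssh/id_rsa" opc@10.0.2.83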

-- 13. vm02からインターネットアクセスできないことを確認

# 13. Run on vm02. Expected to time out: rt02 has only the service-gateway
#     route and no 0.0.0.0/0 entry, so there is no path to the internet.
curl --connect-timeout 10 https://www.oracle.com/


-- 14. vm02からociコマンドを実行できることを確認

# 14. Run on vm02. Expected to succeed: the OCI API endpoint is part of the
#     Oracle Services Network reached via sgw01, and the credentials come
#     from the ~/.oci inherited through image01 (step 10).
oci iam region list --output table