48_N‐W‐ SGW ‐ Connect Object storage From Instance in Private Subnet Spoke VCN - Nirvan-Pandey/OCI_DOC GitHub Wiki

48_1: Introduction

In Oracle Cloud Infrastructure (OCI), instances in a private subnet often need to reach Object Storage, and that access should be both secure and efficient. Without a Service Gateway, an instance can reach Object Storage only over the public internet, which requires a Public IP and an Internet Gateway (or a NAT Gateway for a private subnet). A Service Gateway gives the VCN a private path to Object Storage instead, so the instance needs neither.

This guide walks through using an Object Storage bucket from a Spoke VCN: reaching the private instance through a bastion, seeing the upload hang without a gateway, and configuring a Service Gateway so the instance and Object Storage communicate privately.

48_2: Accessing Private Instance

In OCI, instances in a private subnet do not have public IPs, so they cannot be directly accessed via SSH from the internet. The common approach is to first SSH into a public instance (Bastion/Jump Host) and then access the private instance using SSH key authentication.

Step1: Log in to the public instance (Bastion_Server1)

Step2: Check connectivity.

Ping the private IP of the Application Server and telnet to its SSH port (22) to verify connectivity. Ping needs an ICMP rule and telnet to port 22 a TCP rule in the private subnet's security list or NSG, so a timeout here usually points to a missing security rule rather than to routing.

Step3: Placing the private key on the bastion

mkdir keys
cd keys
vi privkey.pem

Paste the private key that pairs with the public key supplied when the private instance (Application Server) was created.

Save and exit using Esc + :wq.


List the file.

ls -lrth

Ensure correct permissions for the private key; ssh refuses a key that is readable by group or others.

chmod 600 privkey.pem

Step4: Accessing the private instance

ssh -i /root/keys/privkey.pem [email protected]
hostname -i

hostname -i prints the IP address of the host you landed on, confirming that the session is on the Application Server.
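The steps above paste the Application Server's private key into a file on the bastion, so anyone who compromises the bastion also obtains that key. The key can instead stay on your workstation and ssh can hop through the bastion with a ProxyCommand, which is what the following shell script builds; it also mirrors ssh's own permission check on the key file. This is an added example, not part of the original wiki: the bastion public IP 203.0.113.10, the Application Server private IP 10.0.2.20, the user opc and the key paths are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki): reach the private Application Server through the
# bastion without copying its private key there. Assumed placeholders: bastion public IP
# 203.0.113.10, app server private IP 10.0.2.20, user opc, keys under ~/.ssh.

BASTION_IP="${BASTION_IP:-203.0.113.10}"
APP_IP="${APP_IP:-10.0.2.20}"
SSH_USER="${SSH_USER:-opc}"
BASTION_KEY="${BASTION_KEY:-$HOME/.ssh/bastion.pem}"
APP_KEY="${APP_KEY:-$HOME/.ssh/appserver.pem}"

# Octal permission bits of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# ssh rejects a private key that group or others can read ("UNPROTECTED PRIVATE KEY
# FILE"). Returns 0 when the key is owner-only (600 or 400), 1 otherwise.
key_perms_ok() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Build the two-hop ssh command. The outer ssh authenticates to the target with APP_KEY;
# its ProxyCommand is a second ssh that authenticates to the bastion with BASTION_KEY and
# forwards stdin/stdout to target:22 (-W). Neither key leaves this machine. -J would be
# shorter, but a command-line -i applies only to the destination host, so the bastion key
# is given explicitly here. IdentitiesOnly stops ssh offering every key in the agent.
jump_ssh_cmd() {
    bastion="$1"; target="$2"; user="$3"; bastion_key="$4"; app_key="$5"
    printf "ssh -i %s -o IdentitiesOnly=yes -o 'ProxyCommand=ssh -i %s -W %%h:%%p %s@%s' %s@%s" \
        "$app_key" "$bastion_key" "$user" "$bastion" "$user" "$target"
}

# Stand-alone run: warn about key permissions if the key exists, then print the command.
if [ -f "$APP_KEY" ] && ! key_perms_ok "$APP_KEY"; then
    echo "warning: $APP_KEY is not owner-only; run: chmod 600 $APP_KEY" >&2
fi
jump_ssh_cmd "$BASTION_IP" "$APP_IP" "$SSH_USER" "$BASTION_KEY" "$APP_KEY"
echo
```

Run the script once to print the command, then execute that command from the workstation. The bastion only ever relays an encrypted TCP stream to port 22 of the Application Server, and hostname -i on the far end still confirms where you landed.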

48_3: Object Storage To Instance Through_API connectivity

For a detailed guide on API-based connectivity, refer to my GitHub wiki: https://github.com/NirvanPandey/OCI_DOC/wiki/22_Object_Storage_To_Instance_Through_API-connectivity

48_4: Uploading a File to Object Storage

Step1: Creating a test file

We create an empty test file in /tmp and upload it to the bucket.

cd /tmp
touch trial2.txt

Step2: Executing the upload command

oci os object put -bn Test_Bucket --file trial2.txt

Here -bn is short for --bucket-name, and the object name defaults to the file name. The command hangs: the instance has no public IP and its subnet has no route to the Object Storage endpoint through an Internet, NAT or Service Gateway, so the HTTPS connection never completes. The missing piece is a Service Gateway.

48_5: Need for a Service Gateway

To enable private connectivity between a VCN and Object Storage without using the public internet, a Service Gateway is required. It ensures:

✔ Communication stays on Oracle's private network and never crosses the public internet.
✔ No Public IP (and no Internet or NAT Gateway) is required for private instances.
✔ Lower latency and no internet egress on the path to OCI services; the gateway itself carries no charge.

How Service Gateway Works

  1. A Service Gateway is a VCN-level gateway that provides a private path from your VCN to Oracle services such as Object Storage and Autonomous Database.
  2. Your compute instances keep using the public regional endpoint (for example objectstorage.<region>.oraclecloud.com), but the traffic travels over the Oracle Services Network instead of the internet.
  3. A route rule whose destination is a service CIDR label (such as "OCI <region> Object Storage") sends that traffic to the Service Gateway instead of an Internet Gateway.

48_6: Steps to Create a Service Gateway

Step1: Navigate to the Spoke VCN that contains the private subnet

Step2: Create a Service Gateway

When creating it, choose the service to expose: "OCI <region> Object Storage" is enough for this guide, while "All <region> Services in Oracle Services Network" also covers other OCI services reached through the gateway.

The Service Gateway is successfully created.

48_7: Adding Route to Service Gateway

After creating the Service Gateway, the private subnet's route table needs a rule that sends Object Storage traffic to it.

Navigate to the route table attached to the private subnet.

Add the route rule: Target Type = Service Gateway, Destination Service = the same service label chosen when creating the gateway, Target = the new Service Gateway.

The route rule has been created. Also check that the subnet's security list (or NSG) has an egress rule to that service label on TCP port 443; the route alone does not help if HTTPS egress is blocked.
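Sections 48_6 and 48_7 do this work in the console; the following shell script is an added example, not part of the original wiki, showing the equivalent with the OCI CLI together with a quick check from the private instance. It assumes the region key bom (ap-mumbai-1), placeholder OCIDs supplied through environment variables and a Service Gateway display name of spoke-sgw; none of these come from the page.

```shell
#!/bin/sh
# Added example (not from the wiki): create the Service Gateway and the route rule with
# the OCI CLI, and verify the path from the private instance. Assumed placeholders:
# region key bom, the OCIDs below, display name spoke-sgw. "apply" needs a configured
# OCI CLI (see section 48_3 of the wiki).

COMPARTMENT_ID="${COMPARTMENT_ID:-ocid1.compartment.oc1..aaaaexample}"
VCN_ID="${VCN_ID:-ocid1.vcn.oc1.ap-mumbai-1.aaaaexample}"
ROUTE_TABLE_ID="${ROUTE_TABLE_ID:-ocid1.routetable.oc1.ap-mumbai-1.aaaaexample}"
REGION_KEY="${REGION_KEY:-bom}"

# Service CIDR label used as the route rule's Destination Service. The Object Storage
# label is the minimum this guide needs; "all" also covers the other OCI services.
service_label() {             # $1 = objectstorage | all
    if [ "$1" = all ]; then
        printf 'all-%s-services-in-oracle-services-network' "$REGION_KEY"
    else
        printf 'oci-%s-objectstorage' "$REGION_KEY"
    fi
}

# Route rule JSON for "oci network route-table update --route-rules": the destination is
# the service label (type SERVICE_CIDR_BLOCK) and the network entity is the gateway.
sgw_route_rule() {            # $1 = service gateway OCID, $2 = service label
    printf '[{"destination":"%s","destinationType":"SERVICE_CIDR_BLOCK","networkEntityId":"%s","description":"Object Storage via Service Gateway"}]' \
        "$2" "$1"
}

# Egress rule JSON allowing HTTPS to the service label; the route is useless if the
# security list blocks TCP 443 egress.
sgw_egress_rule() {           # $1 = service label
    printf '[{"destination":"%s","destinationType":"SERVICE_CIDR_BLOCK","protocol":"6","tcpOptions":{"destinationPortRange":{"min":443,"max":443}}}]' \
        "$1"
}

apply() {
    label="$(service_label objectstorage)"
    # Look up the service OCID for that label in the regional service catalogue.
    service_id="$(oci network service list --all \
        --query "data[?\"cidr-block\"=='$label'].id | [0]" --raw-output)"
    sgw_id="$(oci network service-gateway create --compartment-id "$COMPARTMENT_ID" \
        --vcn-id "$VCN_ID" --display-name spoke-sgw \
        --services "[{\"serviceId\":\"$service_id\"}]" \
        --wait-for-state AVAILABLE --query data.id --raw-output)"
    # --route-rules REPLACES the table's rule list: if the table already has rules
    # (for example 0.0.0.0/0 to a NAT Gateway), merge them into this JSON first.
    oci network route-table update --rt-id "$ROUTE_TABLE_ID" --force \
        --route-rules "$(sgw_route_rule "$sgw_id" "$label")"
    echo "egress rule to add to the subnet's security list:"
    sgw_egress_rule "$label"; echo
}

# Run on the private instance after "apply": the endpoint still resolves to a public
# address; the route rule is what steers the packets into the gateway. The namespace
# call is the cheapest request that proves Object Storage is reachable.
verify() {
    getent hosts "objectstorage.ap-mumbai-1.oraclecloud.com"
    oci os ns get
}

case "${1:-show}" in
    apply)  apply ;;
    verify) verify ;;
    *)      sgw_route_rule ocid1.servicegateway.oc1.ap-mumbai-1.aaaaexample "$(service_label objectstorage)"; echo ;;
esac
```

Without an argument the script only prints the route rule JSON it would submit; "apply" creates the gateway and rewrites the route table, and "verify" is meant to be run from the private instance once the rule is in place.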

48_8: Uploading the Object Again (Successful)

Re-run the same oci os object put command from the private instance. With the route rule in place, the request reaches Object Storage through the Service Gateway and the upload completes.

48_9: Conclusion

By implementing a Service Gateway, we successfully established a secure and private connection between our VCN and OCI Object Storage. This ensures that instances in a private subnet can access Object Storage without requiring a Public IP or Internet Gateway.

🔹 Key Takeaways:

  • Private instances can access OCI services securely via a Service Gateway.

  • The private subnet's route table must send the service CIDR label to the Service Gateway, and the security list must allow HTTPS egress to it.

  • The upload that hung without a route completed once the gateway and the route rule were in place.

This setup is a more secure, faster and cost-effective way to interact with OCI services.