This post will cover different approaches to deploy Object Storage Gateway. You can call Object Storage gateway as a bridge that will connect your on-premise environment with Object Storage. It enables File-to-object transparency.
Object Storage buckets are mounted as nfs mount points in your on-prem environment. Substantial information is available on Object storage gateway and links are shared in this post.
Let's jump to understanding different approaches to deploy Object Storage Gateway.
My observations when implementing below POCs-
1. Object Storage gateway can be deployed either on-prem or on OCI. It can be downloaded for free here
2. SSDs drives and XFS (Extended File system) for mounting are recommended for storing storage gateway - metadata, cache and logs.
3. OSG does not support Windows operating environment.
4. If installing OSG on-prem, make sure you have proper access control onto storage gateway server and secure it with mfa.
5. If installing OSG on-cloud you can have Open VPN/IP-Sec to add another layer of security and OSG server can be placed in your private subnet.
6. Filesystem created on OSG management URL automatically creates a bucket. This bucket will be created and placed as per your inputs provided for compartment, username, API Signing Key (private key and its fingerprint)
7. Finally, an interesting discussion with me and Anil on securing Oracle object storage on Oracle Cloud Customer Connect -
https://cloudcustomerconnect.oracle.com/posts/cd615cf2eb
References -
https://www.oracle.com/cloud/storage/storage-gateway-faq.html
http://dineshbandelkar.com/how-to-setup-oci-storage-gateway/
https://docs.oracle.com/en-us/iaas/api/#/en/objectstorage/20160918/
| Sr. No. | Summary | Decription |
|---|---|---|
| 1 | Stored OS Username and Password | 1st Authentication Factor On-prem. |
| 2 | 2-FA with Google Authenticator | Verification code sent on sysadmin mobile device for authentication on-prem |
| 3 | On-prem NFS Share | on-prem NAS device protected by exportfs rules storing backups |
| 4 | Securing Data in-transit | Use of openssl encryption for applications files and Use of rman based encryption for db backups |
| 5 | OCI Datacenter | Oracle Cloud Jeddah Region as secondary backup location |
| 6 | VCN - virtual Cloud Network | VCN consist of public and private subnet |
| 7 | Security list for public subnet | Open Port for OpenVPN |
| 8 | Open VPN server | Public facing VPN Server for accessing OCI resources. |
| 9 | Security list for private subnet | Open port for object storage gateway mgmt console and Open port for nfs port |
| 10 | Object Storage Gateway Server | Object storage gateway server compute instance in private subnet. Creates filesystem which is mapped to auto-created bucket. |
| 11 | Object Storage | Object storage bucket automatically gets created when creating filesystem on Object storage server |
| Sr. No. | Summary | Decription |
|---|---|---|
| 1 | Stored OS Username and Password | 1st Authentication Factor On-prem. |
| 2 | 2-FA with Google Authenticator | Verification code sent on sysadmin mobile device for authentication on-prem |
| 3 | On-prem NFS Share | on-prem NAS device protected by exportfs rules storing backups |
| 4 | Fortigate Firewall(CPE) Public IP | Customer Premise Equipment that is one point of IP-Sec VPN Connectivity. |
| 5 | IP-Sec VPN connection | Pre-shared key authentication with DRG on OCI |
| 6 | Static Routing Method/BGP | Manual/automatic routing for IP-SEC VPN connectivity. |
| 7 | OCI Datacenter | Oracle Cloud Jeddah Region as secondary backup location |
| 8 | DRG | Dynamic Routing Gateway configured on OCI |
| 9 | Object Storage Gateway Server | "Object storage gateway server compute instance in private subnet.Creates filesystem which is mapped to auto-created bucket." |
| 10 | Object Storage | Object storage bucket automatically gets created when creating filesystem on Object storage server |
| Sr. No. | Summary | Decription |
|---|---|---|
| 1 | Stored OS Username and Password | 1st Authentication Factor On-prem. |
| 2 | 2-FA with Google Authenticator | Verification code sent on sysadmin mobile device for authentication on-prem |
| 3 | On-prem NFS Share | on-prem NAS device protected by exportfs rules storing backups |
| 4 | Open VPN Client-saved profile | Profile saved on staging server for OPEN VPN |
| 5 | Object storage gateway setup | OSG installed on-prem on a staging server. |
| 6 | Securing Data in-transit | "a. Use of openssl encryption for applications files. b. Use of rman based encryption for db backups" |
| 7 | OCI Datacenter | Oracle Cloud Jeddah Region as secondary backup location |
| 8 | VCN - virtual Cloud Network | VCN consist of public and private subnet |
| 9 | Security list for public subnet | Open Port for OpenVPN |
| 10 | Open VPN server | Public facing VPN Server for accessing OCI resources. |
| 11 | Object Storage | Object storage bucket automatically gets created when creating filesystem on Object storage server |
No comments:
Post a Comment