Amit's Oracle DBA Blog

Service Gateway in OCI

A simple way to remember Service Gateway (SGW) in OCI is:

Trick 1: "S = Services, Not Internet"


IGW = Internet Gateway = Internet
NAT = Internet Outbound Only
SGW = Oracle Services Only

Remember:

Service Gateway = Private access to Oracle Services without using the Internet

Trick 2: "Private VM → Oracle Services"


Private VM
     |
     v
Service Gateway
     |
     v
Object Storage / Autonomous DB / OCI Services

Think:

Service Gateway is a private highway inside OCI to OCI services.

No Internet involved.

Whatever you are downloading from NAT Gateway , this is not required because

using Service Gateway , you are going to connect to OCI and OCI knows what DB wants like patches etc,

everything you will be getting from Service Gateway. No need to go to NAT gateway.

Drop NAT gateway

Create New Route rule and attached to Subnet and use Service Gateway because Service Gateway internally connected to OCI network.

If the requirement is to access Oracle Cloud Infrastructure services such as Object Storage, database patches, backups, or other OCI-managed resources, a NAT Gateway is not necessary.

Instead, configure a Service Gateway and update the private subnet's route table to direct OCI service traffic through the Service Gateway. Since the Service Gateway provides private connectivity to OCI services over Oracle's internal network, traffic does not traverse the public internet.

Implementation steps:

Create a Service Gateway in the VCN.
Add a route rule in the private subnet's route table with the OCI Services destination and the Service Gateway as the target.
Associate the updated route table with the private subnet.
Validate connectivity to the required OCI services.

By using a Service Gateway, database servers in private subnets can securely access OCI resources such as patch repositories, Object Storage, and backup services through Oracle's backbone network, eliminating the need for internet access via a NAT Gateway for these OCI-specific services.

[opc@public-instance-vm2 .ssh]$ ssh -i mykey opc@192.168.20.80

[opc@private-instance-vm2 ~]$

[opc@private-instance-vm2 ~]$ hostname

private-instance-vm2

[opc@private-instance-vm2 ~]$

Installation of OCI CLI

oci cli will need python 3.6+ to be installed on OS .
Linux 7.9 it has python 2.6 which will need an upgrade to --> python 3.6 for running oiclcli commands after 1 august 2021
If you use OS as Oracle linux 8 it has by default libraries installed for python 3.
refer below links for installing oci cli

https://gmusumeci.medium.com/how-to-configure-oracle-oci-cli-in-5-minutes-a52bbf5d6d51

run below command :

bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"

install OCI CLI and will create a config file to connect to Tenancy and run the commands

to setup config file and provide details

--> oci setup config

********TENANT INFORMATION *********

tenancy / user and compartment details :

Tenancy ocid : ocid1.tenancy.oc1..aaaaaaaamz5yv2kaq55jq63ui3dyv24ldgtzs5lkaj4hsahdyp6nvpew7woa

User ocid : ocid1.user.oc1..aaaaaaaaaxr7ceztnxa2ywht74tq2hks6x5rkodv5nfpyaltfad767yup4umq

compartment id : ocid1.compartment.oc1..aaaaaaaazdthyw3osunklxqvy6cyipzpihfe4tfm5nmse2jjfzwt2qaltscq

Are you planning to install the OCI CLI on this specific private-instance-vm2 instance? If so, we first need to ensure that the outbound network connectivity issue from our previous troubleshooting steps is fully resolved.