How does Oracle OCI proactively protect customer workloads in the cloud from day one?

Current Challenge

Customer engineers responsible for provisioning cloud resources may not be aware of, or trained in, the most secure configuration for their cloud implementation. If security is not followed from the starting phase, it becomes very difficult to address later, around cloud go-live, and it often turns into a reactive exercise. A proactive approach that addresses security from the start has been missing in many cloud service providers (CSPs).

Oracle is helping to shift more of the security responsibility from the customer to the cloud provider.

Oracle OCI Gen2 Cloud is built from the ground up with security built in and always on, following a Zero Trust security model.

Oracle Security Zones

A service that helps ensure customers implement Oracle’s best practices for security by enforcing them from the start, removing the chance of configuration drift or of someone violating them later. This brings clarity about what is needed to meet their security needs and removes the guesswork from implementation.

Security Zones let you be confident that your resources in Oracle Cloud Infrastructure, including Compute, Networking, Object Storage, and Database resources, comply with Oracle security principles.

Access the Security Zone in OCI

Security zone: An association between a compartment and a security zone recipe. Resource operations in a security zone are validated against all policies in the recipe.

Security zone recipe: A collection of security zone policies.

Security zone policy: A security requirement for resources in a security zone.

When you create and update resources in a security zone, OCI validates these operations against the list of policies defined in the security zone recipe.

High Level Proposed Architecture

Creating Security Zone

Your tenancy has a predefined recipe named “Maximum Security Recipe”, which includes all available security zone policies. Oracle manages this recipe and you can’t modify it.

In general, security zone policies align with these security principles:

  1. Resources can’t be moved from a security zone to a standard compartment because it might be less secure.
  2. Data in a security zone can’t be copied to a standard compartment because it might be less secure.
  3. All the required components for a resource in a security zone must also be located in a security zone. Resources that are not in a security zone might be vulnerable. For example, a compute instance in a security zone can’t use a boot volume that is not in a security zone.
  4. Resources in a security zone must not be accessible from the public internet.
  5. Resources in a security zone must be encrypted using customer-managed keys.
  6. Resources in a security zone must be regularly and automatically backed up.
  7. Resources in a security zone must use only configurations and templates approved by Oracle.

A security zone policy differs from an IAM policy in the following ways:

  • Administrators create IAM policies to grant users the ability to manage certain resources in a compartment.
  • A security zone policy ensures that these management operations comply with the Oracle maximum security architecture and best practices.
  • A security zone policy is validated regardless of which user is performing the operation.
  • A security zone policy denies certain actions; it doesn’t grant capabilities.
  • Administrators can’t create, modify, or disable security zone policies.

Verify the Security Zone

  1. You can’t create a bucket without customer-managed keys. The console suggests that you follow the secure bucket creation workflow instead.
  2. You can’t create a public bucket in a security zone.
  3. You can’t move a bucket from a security zone to a standard compartment.
  4. You can’t add an Internet Gateway in a security zone.
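The denials above are the visible side of recipe validation. The following Go program is an added example written for this page (not Oracle’s code and not the OCI SDK): it models a security zone recipe as a list of deny-only policies and validates each proposed operation against all of them. The operation fields, the policy names and the Validate function are constructed for illustration. It shows the two properties the article stresses: every policy in the recipe runs on every operation, and the outcome is the same whoever the principal is.

```go
package main

import (
	"fmt"
	"strings"
)

// Operation is a proposed resource operation, described by the facts the
// security zone policies need. Principal is carried only to show that the
// recipe never consults it. (Constructed model, not Oracle's implementation.)
type Operation struct {
	Kind               string // CreateBucket, CreateInstance, CreateInternetGateway, MoveResource
	Principal          string // who is performing the operation; irrelevant to the outcome
	TargetInZone       bool   // the compartment the resource ends up in is a security zone
	SourceInZone       bool   // MoveResource only: the compartment it currently lives in
	PublicAccess       bool   // CreateBucket only
	CustomerManagedKey bool   // CreateBucket / CreateInstance: encrypted with a customer-managed key
	DependencyInZone   bool   // CreateInstance only: the boot volume is also in a security zone
}

// Policy is one security zone policy: it can deny an operation, never grant one.
type Policy struct {
	Name string
	Deny func(op Operation) bool
}

// Recipe is a collection of policies; every policy is evaluated on every operation.
type Recipe struct {
	Name     string
	Policies []Policy
}

// MaximumSecurityRecipe models the Oracle-managed recipe with the checks the
// article lists: public access, customer-managed keys, moves to standard
// compartments, internet gateways, and dependencies outside the zone.
func MaximumSecurityRecipe() Recipe {
	return Recipe{Name: "Maximum Security Recipe", Policies: []Policy{
		{"deny_public_buckets", func(op Operation) bool {
			return op.Kind == "CreateBucket" && op.TargetInZone && op.PublicAccess
		}},
		{"require_customer_managed_keys", func(op Operation) bool {
			return (op.Kind == "CreateBucket" || op.Kind == "CreateInstance") && op.TargetInZone && !op.CustomerManagedKey
		}},
		{"deny_move_to_standard_compartment", func(op Operation) bool {
			return op.Kind == "MoveResource" && op.SourceInZone && !op.TargetInZone
		}},
		{"deny_internet_gateway", func(op Operation) bool {
			return op.Kind == "CreateInternetGateway" && op.TargetInZone
		}},
		{"require_dependencies_in_zone", func(op Operation) bool {
			return op.Kind == "CreateInstance" && op.TargetInZone && !op.DependencyInZone
		}},
	}}
}

// Validate runs every policy. The operation is rejected if any policy denies it,
// and the result does not depend on op.Principal. Operations that touch no
// security zone are outside the recipe's scope and pass unchanged.
func (r Recipe) Validate(op Operation) error {
	if !op.TargetInZone && !op.SourceInZone {
		return nil
	}
	var denials []string
	for _, p := range r.Policies {
		if p.Deny(op) {
			denials = append(denials, p.Name)
		}
	}
	if len(denials) > 0 {
		return fmt.Errorf("%s denied %s by %s: violates %s", r.Name, op.Kind, op.Principal, strings.Join(denials, ", "))
	}
	return nil
}

func main() {
	recipe := MaximumSecurityRecipe()
	cases := []Operation{ // constructed operations mirroring the four checks above
		{Kind: "CreateBucket", Principal: "tenancy-admin", TargetInZone: true, CustomerManagedKey: false},
		{Kind: "CreateBucket", Principal: "tenancy-admin", TargetInZone: true, PublicAccess: true, CustomerManagedKey: true},
		{Kind: "MoveResource", Principal: "tenancy-admin", SourceInZone: true, TargetInZone: false},
		{Kind: "CreateInternetGateway", Principal: "tenancy-admin", TargetInZone: true},
		{Kind: "CreateBucket", Principal: "developer", TargetInZone: true, CustomerManagedKey: true},
	}
	for _, op := range cases {
		if err := recipe.Validate(op); err != nil {
			fmt.Println("DENY ", err)
		} else {
			fmt.Println("ALLOW", op.Kind, "by", op.Principal)
		}
	}
}
```

The first four constructed operations are denied even for the tenancy administrator; the last passes because it is compliant, not because of who submits it. Contrast this with an IAM policy, which would have granted the administrator the right to create the bucket but says nothing about how it is configured.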

Reference Architecture

OCI Documentation

Thank you for visiting this blog.

Disclaimer: The views expressed on this blog are my own and do not reflect the views of the companies I work for. The opinions given by visitors on this site are their own.

Keep your Cloud operation Cost lower with Oracle Bastion Service

Organization Challenges

We all know that customer infrastructure should not be publicly accessible from the Internet. But at the same time, any authenticated and regulated operator should be able to access that infrastructure.

Today, customers who have their target resources in the cloud are often forced into certain access networking patterns because a native access service is absent. So either customers keep the resources in a private subnet, or they launch a jump box in a public subnet.

Then they have to deal with security rules, routing rules, and so on, and they also have to add the operators’ public SSH keys to that jump box so the operators can jump through it into their target resources.

The disadvantages of these access networking patterns are:

  1. The connections that are established are persistent, which definitely decreases your security posture because the attack surface is open for a long period of time.
  2. The operational overhead of hardening these jump boxes, patching them periodically, and at the same time keeping them available so your operators can reach your mission-critical workloads all falls on the customer.
  3. Such architectures work if you have a couple of resources here and there, but as your organization scales up they become very difficult to maintain, and there is always a risk of a security loophole. Security should be easy.
  4. These jump boxes run 24×7, so customers have to pay for running them.
  5. There is no auditability, so as a customer you don’t know who got into which target resource.
  6. Even with the customer’s best efforts, this whole architecture is not controlled through IAM. Whichever operator holds the SSH key for the jump box keeps access to your target resources indefinitely, so the life-cycle management of who can access your target resources is very difficult to maintain.

Oracle Cloud Infrastructure Bastion Service

To solve these issues, Oracle has created a fully managed service, OCI Bastion, which improves the security posture of your resources in OCI by providing secure and ephemeral access to your private target resources, and it is offered free of cost. This is a core piece of infrastructure security. You don’t have to choose between cost and security.

Access to target resources via OCI Bastion is time-bound, which definitely helps increase your overall security posture. Access is also governed by OCI IAM policies, so only users with the right IAM policies can access your target resources. Once they leave the organization, all you have to do is remove those users from your IAM groups, and you’re done. You don’t have to do anything beyond that.

You can also restrict incoming SSH connections to certain IPv4 address ranges. Administrative actions, such as who created, deleted, updated or fetched a bastion or session and when, are recorded in the OCI Events and Audit services and also in Cloud Guard.

End users on their on-premises laptops, desktops or workstations can use any OpenSSH client and go through the Bastion service as a pass-through to their target resources.

Use Cases

The OCI Bastion product is built on top of OpenSSH, so whatever is possible with OpenSSH is possible with this service.

The types of target resources supported by OCI Bastion are:

Private target compute hosts running either native OCI images or customer Linux images, and Windows OS.

Autonomous Transaction Processing, Autonomous Data Warehouse, MySQL DB, and OKE (Kubernetes) instances.

You can manage the bastion and the sessions created through the service. At any point in time, if you see that a session has gone malicious, or that you are under attack, you can simply delete the sessions, pick out those malicious users, or delete the whole bastion to protect your target resources. You have all of those capabilities.

Once a session is created, customers can use the session metadata to tunnel into the target resources via the bastion from their on-premises terminals.

You can use OCI Bastion to access your private target resources in OCI irrespective of whether the target resources have the Oracle Cloud Agent installed or not.

The session type depends on the target host.

Managed SSH sessions can only be created for a target host that is a Compute instance configured to run both the Oracle Cloud Agent and an OpenSSH server.

SSH port forwarding sessions do not require a running Oracle Cloud Agent or OpenSSH server on the target host, and can be used with resources like Autonomous Transaction Processing databases.
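To make the controls described in this post concrete, here is an added Go model written for this page. It is not the OCI Bastion service or its SDK; the names Bastion, CreateSession, Authorize and DeleteSession, the audit line format and the sample addresses are all constructed for illustration. The model enforces operator membership (standing in for the IAM group a policy allows), a client CIDR allow list, a ceiling on session lifetime, and an audit line for every administrative action and every denial, and it shows that an expired or deleted session no longer authorizes a connection. Session types are not distinguished here.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Session is an ephemeral grant of access to one target, valid until Expires.
type Session struct {
	ID, User, Target string
	TargetPort       int
	Expires          time.Time
}

// Bastion models the controls the article attributes to the service: IAM gating, a client
// CIDR allow list, a session TTL ceiling and an audit trail. Constructed model, not the OCI service.
type Bastion struct {
	AllowedCIDRs  []*net.IPNet
	MaxSessionTTL time.Duration
	Operators     map[string]bool // stands in for membership of the IAM group the policy allows
	Sessions      map[string]*Session
	Audit         []string // "<time> <actor> <action> <resource>" lines
	nextID        int
}

func NewBastion(cidrs []string, maxTTL time.Duration) (*Bastion, error) {
	b := &Bastion{MaxSessionTTL: maxTTL, Operators: map[string]bool{}, Sessions: map[string]*Session{}}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		b.AllowedCIDRs = append(b.AllowedCIDRs, n)
	}
	return b, nil
}

func (b *Bastion) log(when time.Time, actor, action, resource string) {
	b.Audit = append(b.Audit, fmt.Sprintf("%s %s %s %s", when.Format(time.RFC3339), actor, action, resource))
}

func (b *Bastion) clientAllowed(ip string) bool {
	addr := net.ParseIP(ip)
	for _, n := range b.AllowedCIDRs {
		if addr != nil && n.Contains(addr) {
			return true
		}
	}
	return false
}

// CreateSession applies every control before issuing a time-bound session; denials are audited too.
// Off-boarding is just delete(b.Operators, user): the next CreateSession for that user fails.
func (b *Bastion) CreateSession(user, clientIP, target string, port int, ttl time.Duration, now time.Time) (*Session, error) {
	switch {
	case !b.Operators[user]:
		b.log(now, user, "CreateSession.DeniedByIAM", target)
		return nil, fmt.Errorf("user %s is not permitted to use this bastion", user)
	case !b.clientAllowed(clientIP):
		b.log(now, user, "CreateSession.DeniedByCIDR", target)
		return nil, fmt.Errorf("client %s is outside the bastion CIDR allow list", clientIP)
	case ttl <= 0 || ttl > b.MaxSessionTTL:
		return nil, fmt.Errorf("ttl %s must be within (0, %s]", ttl, b.MaxSessionTTL)
	}
	b.nextID++
	s := &Session{ID: fmt.Sprintf("session-%d", b.nextID), User: user, Target: target, TargetPort: port, Expires: now.Add(ttl)}
	b.Sessions[s.ID] = s
	b.log(now, user, "CreateSession", s.ID)
	return s, nil
}

// Authorize is checked on every connection through the bastion: the session must still exist and not have expired.
func (b *Bastion) Authorize(sessionID string, now time.Time) error {
	s, ok := b.Sessions[sessionID]
	if !ok {
		return fmt.Errorf("no active session %s", sessionID)
	}
	if !now.Before(s.Expires) {
		return fmt.Errorf("session %s expired at %s", sessionID, s.Expires.Format(time.RFC3339))
	}
	return nil
}

// DeleteSession is the response the article describes for a session that has gone bad: cut it off at once.
func (b *Bastion) DeleteSession(actor, sessionID string, now time.Time) {
	if _, ok := b.Sessions[sessionID]; ok {
		delete(b.Sessions, sessionID)
		b.log(now, actor, "DeleteSession", sessionID)
	}
}

func main() {
	now := time.Now()
	b, _ := NewBastion([]string{"203.0.113.0/24"}, 3*time.Hour) // RFC 5737 documentation range, constructed
	b.Operators["alice"] = true
	s, err := b.CreateSession("alice", "203.0.113.10", "10.0.2.9", 3389, time.Hour, now)
	fmt.Println(s.ID, err, b.Authorize(s.ID, now.Add(2*time.Hour)))
}
```

The audit slice is the piece a defender reads first: every denied attempt is recorded with the same shape as a successful one, so a burst of DeniedByIAM or DeniedByCIDR lines for one user is visible without correlating anything else.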

High Level Architecture


Go to Identity & Security and choose Bastion

Create Compute Resource

Create Bastion Resource

Create Managed SSH Session

Create Port Forwarding Session

Access Windows Server using Session Port Forwarding

Reference architecture

OCI Documentation


How to protect your application servers or containers in Cloud?

Most industries have compliance and regulatory requirements from government or standards authorities, which vary from industry to industry, for maintaining security standards as part of their application service delivery to end users. Security is therefore a crucial decision factor before an application goes live in most industries today.

I have seen customers validate security issues in their app server images and application packages or builds before they go live in production. Traditionally, customers rely on security scanning tools like Nessus, OpenVAS, OpenSCAP, Nmap, Wireshark and Metasploit, but the real challenge starts when they have large-scale deployments and the overhead of keeping those tools operating to meet the security SLA. With the cloud, more and more of that responsibility has also landed on the customer.

Vulnerability scanning is a common compliance requirement (e.g., NIST 800-53 Rev.4 FISMA) for customers and a recommended security best practice for all organizations.


Customers face challenges with scanning due to:

1. Disjointed vulnerability scanning tools— often, customers will buy or license multiple tools for scanning instances, containers, and applications. The total cost can add up, leaving customers to choose between cost and security.

2. Lots of manual processes to correct vulnerabilities—Customers must deploy, configure, and upgrade agents on their fleets, with large operational pain, and the potential for misconfiguration due to human error.

3. Large volume of alerts with a high false positive rate—Vulnerability reports can overwhelm customers with “noise”. Too many false positive findings will cause customers to get lost in the volume or get accustomed to it. As a result, this can lengthen the time to resolution for critical issues or, even worse, these critical issues can go unacknowledged.

Vulnerability Scanning Service

Oracle Cloud Infrastructure Vulnerability Scanning Service (OCI VSS) is simple, prescriptive, and tightly integrated with the OCI platform. VSS is available to all OCI customers that have paid accounts at no additional cost. The scanning platform includes default plugins and engines for instance and container scanning.

The Scanning service can identify several types of security issues in your compute instances:

  • Ports that are unintentionally left open, which might be a potential attack vector to your cloud resources or enable hackers to exploit other vulnerabilities
  • OS packages that require updates and patches to address vulnerabilities
  • OS configurations that hackers might exploit
  • Non-compliance with industry-standard benchmarks published by the Center for Internet Security (CIS)

The Scanning service checks hosts for compliance with the section 5 (Access, Authentication, and Authorization) benchmarks defined for Distribution Independent Linux.

The Scanning service can scan individual compute instances, or it can scan all compute instances within a compartment and its subcompartments. If you configure the Scanning service at the root compartment, then all compute instances in the entire tenancy are scanned.

The Scanning service detects vulnerabilities in the following platforms:

  1. Oracle Linux
  2. CentOS
  3. Ubuntu
  4. Windows (no CIS benchmarks)

Oracle Vulnerability Scanning Service helps improve your security posture in Oracle Cloud by routinely checking hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.

High Level Architecture

Key Service Concept

Scan Recipe

Scanning parameters for a type of cloud resource, including what information to examine and how often.


Target

One or more cloud resources that you want to scan using a specific recipe. Resources in a target are of the same type, such as compute instances.

Host Scan

Metrics about a specific cloud resource that was scanned, including the vulnerabilities that were found, their risk levels, and CIS benchmark compliance. The Scanning service uses a host agent to detect these vulnerabilities.

Port Scan

Open ports that were detected on a specific cloud resource that was scanned. The Scanning service can detect open ports using a host agent, or using a network mapper that searches your public IP addresses.

Vulnerabilities Report

Information about a specific type of vulnerability that was detected in one or more targets, like a missing update for an OS package.

Integration with Cloud Guard

You can view security vulnerabilities identified by the Scanning service in Cloud Guard. Cloud Guard alerting can help customers reduce the time from detection to remediation.

Access the Service from OCI Console

Configure the VSS for your tenancy or specific compartment

Create Compute Resource

Result & Remediate

Reference Resources


Reference architecture

OCI Documentation


Quick Start for OCI Vault

Historically, customers have stored master encryption keys and secrets in server configuration files or in code. As we all know, “Data Is the New Oil of the Digital Economy”. In the cloud, customers can choose the best option to secure their data, and that is why the cloud is a more secure platform than on-premises.

In this article we will focus on an overview of the OCI Vault service, the types of offerings based on the use case, its key capabilities, and how to use Vault with various OCI services.

The Vault service helps you centrally manage the encryption keys that protect your data and the secret credentials that you use to access resources. Vaults securely store master encryption keys and secrets that you might otherwise store in configuration files or in code.

It lets you centrally manage and control the use of keys and secrets across a wide range of OCI services and applications. OCI Vault is a secure, resilient managed service that lets you focus on your data encryption needs without worrying about time-consuming administrative tasks such as hardware provisioning, software patching, and high availability.

Key Management uses hardware security modules (HSMs) that meet the Federal Information Processing Standards (FIPS) 140-2 Security Level 3 certification to protect your keys. You can create master encryption keys protected either by HSM or by software. With HSM-protected keys, all cryptographic operations and storage of the keys happen inside the HSM. With software-protected keys, your encryption keys are stored and processed in software, but are secured at rest with a root key from the HSM.

The following key management capabilities are available when you use the Vault service.

  • Create your own encryption keys that protect your data
  • Bring your own keys
  • Rotate your keys
  • Support for cross-region backup and restore of your keys
  • Constrain permissions on keys using IAM policies
  • Integration with OCI services: Oracle Autonomous Database, Exadata Databases (without Oracle Data Guard enabled), Oracle Block Storage, Oracle File Storage, Oracle Object Storage, Streaming, and Container Engine for Kubernetes

High Level Vault Service Integration Architecture

Get Started with Vault

1. Ensure that the limits for your tenancy allow for creation of the Vault type you intend to create.

2. Ensure that Oracle Identity and Access Management (IAM) policies have been created for the user account to have the necessary permissions to create a Vault. See IAM Policy Reference to construct a statement.

3. You first create a Vault by selecting Security from the Oracle Cloud Infrastructure Console, and then Vault.

Create a Vault and select from one of the two available Vault types that best fits your isolation and processing requirements:

  1. Virtual Private Vault: Choose a Virtual Private Vault if you require increased isolation on the HSM and dedicated processing of encrypt/decrypt operations.
  2. Vault (Default): Choose the default Vault if you are willing to accept a moderate isolation (multitenant partition in HSM) and shared processing for encrypt/decrypt operations.

4. Create the [Master Encryption] Key(s) inside your Vault. Master encryption keys can have one of two protection modes: HSM or software.

  • A master encryption key protected by an HSM is stored on an HSM and cannot be exported from the HSM. All cryptographic operations involving the key also happen on the HSM.
  • A master encryption key protected by software is stored on a server and can be exported from the server to perform cryptographic operations on the client instead of on the server. While at rest, the software-protected key is encrypted by a root key on the HSM.

5. Ensure that the IAM policies for the service or entity calling Vault grant the necessary permissions.

Example: allow service objectstorage-us-ashburn-1 to use keys in compartment

Use the key(s):

  • With native Oracle Cloud Infrastructure storage: When creating storage (bucket, file, volume), mark with “ENCRYPT USING CUSTOMER-MANAGED KEYS”, then select the Vault and the Master Encryption Key. Data in that bucket/volume/file storage will be encrypted with a data encryption key wrapped with the Master Encryption Key in Vault.
  • With crypto operations, using the Command Line Interface (CLI) as an example: oci kms crypto encrypt --key-id --plaintext
  • Crypto operations are available in SDK and API as well. For more details, see Overview of Vault in the documentation.

6. Monitor your usage of operations with metrics in the console and the Monitoring service. See the metrics and dimensions.

Using Keys

You can directly submit data to Key Management APIs to encrypt and decrypt using your master encryption keys stored in the Vault.

Also, you can encrypt your data locally within your applications and OCI services using a method known as envelope encryption.

With envelope encryption, you generate and retrieve data encryption keys (DEKs) from the Key Management APIs. DEKs are not stored or managed in the Key Management service but are encrypted by your master encryption key. Your applications use the DEK to encrypt your data and store the encrypted DEK along with the data. When your applications need to decrypt the data, they call the Key Management decrypt API on the encrypted DEK to retrieve the plaintext DEK, and then decrypt the data locally with it.

Key Management supports sending up to 4 KB of data to be encrypted directly. In addition, envelope encryption can offer significant performance benefits. When you encrypt data directly with Key Management APIs, it must be transferred over the network. Envelope encryption reduces the network load since only the request and delivery of the much smaller DEK go over the network. The DEK is used locally in your application or encrypting OCI service, avoiding the need to send the entire block of data.
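An added Go example of the envelope encryption flow just described, constructed for this page: MockKMS is a local stand-in for the Vault Key Management API and is not the OCI SDK. The mock keeps the master encryption key (MEK) to itself and offers the two operations the text contrasts: a direct Encrypt capped at 4 KB, and GenerateDataEncryptionKey, which returns a DEK together with its MEK-wrapped copy. EnvelopeEncrypt encrypts a payload of any size locally with the DEK and stores the wrapped DEK next to the ciphertext; EnvelopeDecrypt sends only the wrapped DEK back to the mock for unwrapping, so the bulk data never crosses the network. AES-256-GCM for both key wrapping and data encryption is an assumption of this example, not a statement about the service’s internals.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MaxDirectEncryptBytes is the 4 KB ceiling the article gives for direct encrypt calls.
const MaxDirectEncryptBytes = 4096

// MockKMS stands in for Vault Key Management: it holds the master encryption key
// (MEK) and never hands it out. Constructed stand-in, not the OCI SDK; AES-256-GCM throughout.
type MockKMS struct{ mek cipher.AEAD }

// Envelope is what the application stores: the wrapped DEK travels with the data.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// NewMockKMS installs a 32-byte MEK; in the real service the key lives in the HSM.
func NewMockKMS(mek []byte) (*MockKMS, error) {
	aead, err := newGCM(mek)
	return &MockKMS{mek: aead}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealWithNonce returns nonce || ciphertext || tag so the blob is self-describing.
func sealWithNonce(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func openWithNonce(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext shorter than nonce")
}

// Encrypt is the direct API path: the whole payload crosses the network, so it is capped at 4 KB.
func (k *MockKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > MaxDirectEncryptBytes {
		return nil, fmt.Errorf("%d bytes exceeds the %d-byte direct-encrypt limit; use envelope encryption", len(plaintext), MaxDirectEncryptBytes)
	}
	return sealWithNonce(k.mek, plaintext)
}

// Decrypt opens anything sealed under the MEK: a direct ciphertext or a wrapped DEK.
func (k *MockKMS) Decrypt(blob []byte) ([]byte, error) { return openWithNonce(k.mek, blob) }

// GenerateDataEncryptionKey returns a fresh DEK in the clear plus the same DEK
// wrapped by the MEK; the service stores neither.
func (k *MockKMS) GenerateDataEncryptionKey() (dek, wrapped []byte, err error) {
	dek = make([]byte, 32)
	if _, err = rand.Read(dek); err != nil { return nil, nil, err }
	wrapped, err = sealWithNonce(k.mek, dek)
	return dek, wrapped, err
}

// EnvelopeEncrypt encrypts data of any size locally; only the DEK request goes to KMS.
func EnvelopeEncrypt(kms *MockKMS, data []byte) (Envelope, error) {
	dek, wrapped, err := kms.GenerateDataEncryptionKey()
	if err != nil {
		return Envelope{}, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := sealWithNonce(aead, data)
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// EnvelopeDecrypt sends only the wrapped DEK to KMS, then decrypts locally.
func EnvelopeDecrypt(kms *MockKMS, env Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return openWithNonce(aead, env.Ciphertext)
}

func main() {
	mek := make([]byte, 32)
	rand.Read(mek) // demo only; a real MEK never leaves the HSM
	kms, _ := NewMockKMS(mek)
	env, _ := EnvelopeEncrypt(kms, make([]byte, 1<<20)) // 1 MiB, far beyond the direct limit
	pt, err := EnvelopeDecrypt(kms, env)
	fmt.Println("wrapped DEK bytes:", len(env.WrappedDEK), "recovered bytes:", len(pt), "err:", err)
}
```

Two details matter in practice. The wrapped DEK is 60 bytes (12-byte nonce, 32-byte key, 16-byte tag) no matter how large the payload is, which is the network saving the text describes. And because GCM authenticates, a tampered ciphertext or a wrapped DEK presented to a different master key fails to decrypt rather than returning garbage.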

OCI offers customers two encryption choices when provisioning resources:

Oracle Managed is the default encryption for many OCI services. Oracle Managed means data is encrypted at rest with an encryption key whose lifecycle management is controlled by Oracle. Customers who don’t want to manage or access their encryption keys and are looking for the easiest way to protect all their data stored in OCI can choose Oracle Managed encryption.

Customer-Managed encryption is offered by the OCI Vault Key Management service, where the customer controls and manages the keys that protect their data. In addition, customers who require elevated security and FIPS 140-2 Level 3 protection to meet compliance choose Customer-Managed, as the encryption keys are stored in hardware security modules (HSMs).

Create Resource with OCI Vault

For more information, see the OCI Documentation.

Reference: OCI Vault FAQ


OCI DRG functionality expanded in Oracle Cloud

DRG functionality has been expanded to include the following capabilities:

  • You can attach a DRG to more than one VCN to provide inter-VCN network connectivity. VCNs can be in the same or different tenancies.
  • You can now assign a different route table and policy to each network resource attached to your DRG, enabling granular routing control. For instance, by connecting all your VCNs and on-premises networks to a single DRG used as a “hub,” you have a single central gateway to configure traffic routing and Layer 3 isolation. One possible use case of routing policy is directing all traffic passing through the DRG to a network virtual appliance or firewall.
  • Your on-premises network connected to a DRG in one region can access networks connected to a DRG in a different region using a remote peering connection (RPC).
  • You can now enable equal-cost multi-path (ECMP) routing towards your IPSec VPN and FastConnect connections to support active-active scenarios. ECMP is controlled on a per-route-table basis.
  • Remote peering connections can now connect DRGs in the same region or in different tenancies.

Use case demonstration in Oracle Blog

Introducing global connectivity and enhanced cloud networking with the dynamic routing gateway

Latest OCI Release Notes update

OCI Networking Release Notes

Preparation for Exam : Oracle Cloud Infrastructure Architect Professional

I would like to share my learning experience with Oracle Cloud Infrastructure. It took me 6 months to prepare for the OCI-P exam.

Thank you Oracle University for providing a great free learning opportunity

This article covers useful tips and important URLs related to OCI-P Exam.

[1] Candidates must have one of the following certifications:
Oracle Cloud Infrastructure 2018|2019|2020 Certified Architect Associate

[2] Register for the OCI free tier

Spend enough time on OCI hands-on practice with the Oracle Cloud free tier and the always-free tier.

[3] OCI-P Exam Preparation Session.

[4] OCI-P Study Guide

[5] Oracle University Free Training to Become OCI Architect Professional
Oracle Cloud Infrastructure 2019|2020 Architect Professional

[6] OCI Sessions recordings

[7] Oracle Cloud Infrastructure Documentation

[8] My Personal Study Materials (Tips / FAQs / Screen Captured Material during OU. training and documentation)

[9] Register for the OCI-P exam.

[10] OCI-P Badges

Oracle Cloud Infrastructure 2019 Certified Architect Professional

[11] OCI-P Certification

Thank you for visiting this blog 🙂

Launch OCI free tier ATP and ADW using Terraform on Window platform

The Terraform template available on GitHub will not work directly with the OCI free tier ADB database service. You have to adjust some parameters inside the Terraform template to make it compatible with free tier ADB services.

We will launch two ADB databases, one ATP database and one ADW database, using a single command; then we will work with the ADBs using the OCI CLI; and finally we will destroy the created infrastructure using a single command.

Download Terraform for Windows 10.

Installation Steps
Download the Windows build of Terraform.
Copy the binary into Program Files and add its folder to the Windows PATH variable.



Usage: terraform [-version] [-help] <command> [args]

The available commands for execution are listed below.
The most common, useful commands are shown first, followed by
less common or more advanced commands. If you're just getting
started with Terraform, stick with the common commands. For the
other commands, please read the help and docs before usage.

Common commands:
apply Builds or changes infrastructure
console Interactive console for Terraform interpolations
destroy Destroy Terraform-managed infrastructure
env Workspace management
fmt Rewrites config files to canonical format
get Download and install modules for the configuration
graph Create a visual graph of Terraform resources
import Import existing infrastructure into Terraform
init Initialize a Terraform working directory
output Read an output from a state file
plan Generate and show an execution plan
providers Prints a tree of the providers used in the configuration
refresh Update local state file against real resources
show Inspect Terraform state or plan
taint Manually mark a resource for recreation
untaint Manually unmark a resource as tainted
validate Validates the Terraform files
version Prints the Terraform version
workspace Workspace management

All other commands:
0.12upgrade Rewrites pre-0.12 module source code for v0.12
debug Debug output management (experimental)
force-unlock Manually unlock the terraform state
push Obsolete command for Terraform Enterprise legacy (v1)
state Advanced state management


C:\Users\oracle-learn>terraform --version
Terraform v0.12.18

Prepare the Environment.

oracle-learn MINGW64 ~/projects/adb (master)
$ cat .profile
export TF_VAR_tenancy_ocid=<tenancy-ocid>   # required by the provider block and variables.tf; placeholder value
export TF_VAR_user_ocid=ocid1.user.oc1..pqr
export TF_VAR_fingerprint=
export TF_VAR_region=ap-mumbai-1
export TF_VAR_private_key_path=<path/oci_api_key.pem>
export TF_VAR_private_key_password={put-here-the-private-key-password}
export TF_VAR_compartment_ocid=ocid1.compartment.oc1..cid

You may refer to the OCI Documentation to find these variable values.


$ cat
// Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.

provider "oci" {
  tenancy_ocid     = "${var.tenancy_ocid}"
  user_ocid        = "${var.user_ocid}"
  fingerprint      = "${var.fingerprint}"
  private_key_path = "${var.private_key_path}"
  region           = "${var.region}"
}

provider "local" {
  version = ">=1.3.0" # Need this version of the local provider to support base64 encoded inputs
}
$ cat
// Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.

variable "tenancy_ocid" {}
variable "user_ocid" {}
variable "fingerprint" {}
variable "private_key_path" {}
variable "region" {}
variable "compartment_ocid" {}

variable "autonomous_database_db_workload" {
  default = "OLTP"
}

variable "autonomous_data_warehouse_db_workload" {
  default = "DW"
}

variable "autonomous_database_defined_tags_value" {
  default = "value"
}

variable "autonomous_database_freeform_tags" {
  default = {
    "Department" = "Finance"
  }
}

variable "autonomous_database_license_model" {
  default = "LICENSE_INCLUDED"
}

variable "autonomous_database_is_dedicated" {
  default = false
}
I have modified the template available on GitHub accordingly for the free tier.

$ cat
// Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.

resource "random_string" "autonomous_database_wallet_password" {
  length  = 16
  special = true
}

data "oci_database_autonomous_database_wallet" "autonomous_database_wallet" {
  autonomous_database_id = "${}"
  password               = "${random_string.autonomous_database_wallet_password.result}"
  base64_encode_content  = "true"
}

resource "local_file" "autonomous_database_wallet_file" {
  content_base64 = "${data.oci_database_autonomous_database_wallet.autonomous_database_wallet.content}"
  filename       = "${path.module}/"
}

output "autonomous_database_wallet_password" {
  value = "${random_string.autonomous_database_wallet_password.result}"
}
$ cat
// Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.

resource "random_string" "autonomous_database_admin_password" {
  length      = 16
  min_numeric = 1
  min_lower   = 1
  min_upper   = 1
  min_special = 1
}

resource "oci_database_autonomous_database" "autonomous_database" {
  admin_password           = "${random_string.autonomous_database_admin_password.result}"
  compartment_id           = "${var.compartment_ocid}"
  cpu_core_count           = "1"
  data_storage_size_in_tbs = "1"
  db_name                  = "atpdb1"
  is_free_tier             = true
  db_workload                                    = "${var.autonomous_database_db_workload}"
  display_name                                   = "example_autonomous_database"
  is_auto_scaling_enabled                        = "false"
  is_preview_version_with_service_terms_accepted = "false"
}

data "oci_database_autonomous_databases" "autonomous_databases" {
  compartment_id = "${var.compartment_ocid}"

  display_name = "${oci_database_autonomous_database.autonomous_database.display_name}"
  db_workload  = "${var.autonomous_database_db_workload}"
}

output "autonomous_database_admin_password" {
  value = "${random_string.autonomous_database_admin_password.result}"
}

output "autonomous_database_high_connection_string" {
  value = "${lookup(oci_database_autonomous_database.autonomous_database.connection_strings.0.all_connection_strings, "high", "unavailable")}"
}

output "autonomous_databases" {
  value = "${data.oci_database_autonomous_databases.autonomous_databases.autonomous_databases}"
}
Follow the same steps for and

[1] Initialize a Terraform working directory
$ terraform init

[2] Generate and show an execution plan
$ terraform plan

[3] Builds or changes infrastructure
$ terraform apply

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

random_string.autonomous_database_admin_password: Creating...
random_string.autonomous_data_warehouse_admin_password: Creating...
random_string.autonomous_data_warehouse_wallet_password: Creating...
random_string.autonomous_database_wallet_password: Creating...
random_string.autonomous_database_admin_password: Creation complete after 0s [id=0++6KrIV8T?=F1*k]
random_string.autonomous_data_warehouse_admin_password: Creation complete after 0s [id=Dtbt2t!0KZ]y0Y<&]
random_string.autonomous_data_warehouse_wallet_password: Creation complete after 0s [id=a?*>RADQ+]Uv[Xgt]
random_string.autonomous_database_wallet_password: Creation complete after 0s [id=_HLrXaT*Zf@eXqu#]
oci_database_autonomous_database.autonomous_data_warehouse: Creating...
oci_database_autonomous_database.autonomous_database: Creating...
oci_database_autonomous_database.autonomous_database: Still creating... [10s elapsed]
oci_database_autonomous_database.autonomous_data_warehouse: Still creating... [10s elapsed]
oci_database_autonomous_database.autonomous_database: Still creating... [20s elapsed]
oci_database_autonomous_database.autonomous_data_warehouse: Still creating... [20s elapsed]
oci_database_autonomous_database.autonomous_data_warehouse: Still creating... [1m50s elapsed]
oci_database_autonomous_database.autonomous_database: Still creating... [2m0s elapsed]
oci_database_autonomous_database.autonomous_data_warehouse: Still creating... [2m0s elapsed]
oci_database_autonomous_database.autonomous_database: Still creating... [2m10s elapsed]
oci_database_autonomous_database.autonomous_data_warehouse: Still creating... [2m10s elapsed]

oci_database_autonomous_database.autonomous_data_warehouse: Still creating... [2m20s elapsed]
local_file.autonomous_data_warehouse_wallet_file: Creating...
local_file.autonomous_data_warehouse_wallet_file: Creation complete after 0s [id=a2cfa32740b9dcdffb8524d72fc703f62c5cfcdf]

Apply complete! Resources: 8 added, 0 changed, 0 destroyed.

One thing to notice in that log: the id of a random_string resource is the generated value itself, so the "Creation complete ... [id=...]" lines above print the ADB and ADW admin and wallet passwords in clear text to the terminal and to any CI log that captures it, and the same values sit unencrypted in terraform.tfstate. Treat the apply log and the state file as secrets (remote state with restricted access, no pasting of logs into tickets), and on random provider 2.2.0 or later prefer random_password, whose id does not expose the value.


[4] Play with ADB

#List of all the ADBs
$ oci db autonomous-database list --compartment-id $TF_VAR_compartment_ocid

#List of all the ADWs
$ oci db autonomous-data-warehouse list --compartment-id $TF_VAR_compartment_ocid

#Stop ADW
$ oci db autonomous-data-warehouse stop --autonomous-data-warehouse-id <adw-ocid>

#Start ADW
$ oci db autonomous-data-warehouse start --autonomous-data-warehouse-id <adw-ocid>

#Get details about a specific ADW
$ oci db autonomous-data-warehouse get --autonomous-data-warehouse-id <adw-ocid>

Newer CLI releases deprecate the separate autonomous-data-warehouse commands; the same operations are available under oci db autonomous-database (for example, list with --db-workload DW to see only warehouses).

[5] Destroy Terraform-managed infrastructure
$ terraform destroy

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

local_file.autonomous_database_wallet_file: Destroying... [id=6c0eff5f4d195f0e38a364ef7d414dc7c39ed027]
local_file.autonomous_data_warehouse_wallet_file: Destroying... [id=a2cfa32740b9dcdffb8524d72fc703f62c5cfcdf]
local_file.autonomous_data_warehouse_wallet_file: Destruction complete after 0s
local_file.autonomous_database_wallet_file: Destruction complete after 0s
random_string.autonomous_data_warehouse_wallet_password: Destroying... [id=a?*>RADQ+]Uv[Xgt]
random_string.autonomous_data_warehouse_wallet_password: Destruction complete after 0s
Destroy complete! Resources: 8 destroyed.
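The passwords printed by the apply run above also live in the state file. The following script is an added example (not part of the original post or of Terraform) that scans a terraform.tfstate document for secrets stored in plaintext: it reports every random_string or random_password result and every output whose name looks like a credential but is not marked sensitive. It understands the state layout written by Terraform 0.11 (version 3, which is what the 0.11-style interpolation syntax above produces) and, going beyond the post, the 0.12+ layout (version 4). The embedded sample state is constructed to mirror the resources above; the values in it are made up.

```python
"""Report secrets that Terraform keeps in plaintext in terraform.tfstate.

Added example, not code from the original post or from Terraform. Standard
library only. Handles state version 3 (Terraform 0.11) and version 4 (0.12+).
"""
import json
import re
import sys

SECRET_RESOURCE_TYPES = {"random_string", "random_password"}
# Output names that suggest a credential; tune to your naming conventions.
SECRET_NAME_RE = re.compile(r"password|passwd|secret|token|wallet", re.IGNORECASE)


def _entries_v3(state):
    """Yield (kind, name, value, sensitive) from a version-3 (Terraform 0.11) state."""
    for module in state.get("modules", []):
        for addr, res in module.get("resources", {}).items():
            if res.get("type") in SECRET_RESOURCE_TYPES:
                attrs = res.get("primary", {}).get("attributes", {})
                yield "resource", addr, attrs.get("result"), False
        for name, out in module.get("outputs", {}).items():
            yield "output", name, out.get("value"), bool(out.get("sensitive"))


def _entries_v4(state):
    """Yield the same tuples from a version-4 (Terraform 0.12+) state."""
    for res in state.get("resources", []):
        if res.get("type") in SECRET_RESOURCE_TYPES:
            for inst in res.get("instances", []):
                addr = "{}.{}".format(res["type"], res["name"])
                yield "resource", addr, inst.get("attributes", {}).get("result"), False
    for name, out in state.get("outputs", {}).items():
        yield "output", name, out.get("value"), bool(out.get("sensitive"))


def redact(value):
    """Keep two characters so a finding can be matched to the log, never the whole secret."""
    return value[:2] + "*" * (len(value) - 2)


def find_plaintext_secrets(state_json):
    """Return [(kind, name, redacted_value), ...] for a tfstate document given as text."""
    state = json.loads(state_json)
    version = state.get("version")
    if version == 3:
        entries = _entries_v3(state)
    elif version == 4:
        entries = _entries_v4(state)
    else:
        raise ValueError("unsupported state version: {!r}".format(version))

    findings = []
    for kind, name, value, sensitive in entries:
        if not isinstance(value, str) or not value:
            continue  # list/map outputs are out of scope for this check
        if kind == "resource" or (not sensitive and SECRET_NAME_RE.search(name)):
            findings.append((kind, name, redact(value)))
    return findings


# Constructed sample in the 0.11 layout mirroring the ADB run above.
# The password is made up; it is not a real credential.
SAMPLE_STATE_V3 = json.dumps({
    "version": 3,
    "modules": [{
        "path": ["root"],
        "outputs": {
            "autonomous_database_admin_password": {
                "sensitive": False, "type": "string", "value": "Xy7#not-a-real-pw"},
            "autonomous_database_high_connection_string": {
                "sensitive": False, "type": "string", "value": "adb1_high"},
        },
        "resources": {
            "random_string.autonomous_database_admin_password": {
                "type": "random_string",
                "primary": {"id": "Xy7#not-a-real-pw",
                            "attributes": {"result": "Xy7#not-a-real-pw", "length": "16"}}},
            "oci_database_autonomous_database.autonomous_database": {
                "type": "oci_database_autonomous_database",
                "primary": {"id": "ocid1.autonomousdatabase.oc1..sample",
                            "attributes": {"display_name": "adb1"}}},
        },
    }],
})

if __name__ == "__main__":
    # usage: python tfstate_secrets.py [path/to/terraform.tfstate]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE_V3
    for kind, name, preview in find_plaintext_secrets(text):
        print("{:8} {}: {}".format(kind, name, preview))
```

Run it against the real state after an apply (or against the file pulled from remote state) and you get one line per secret, redacted, which is enough to decide what has to be rotated if the state or the apply log ever leaked.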

Thank you for visiting this blog.
Happy Learning. 🙂

Launch your first Compute Instance from the OCI CLI on Windows 10

First of all, we have to install the OCI CLI on the Windows machine, then configure it, and then walk through the compute instance life cycle from the CLI: launch, start, stop and the other power actions, and finally terminating the instance.

#Install OCI CLI
Follow the commands from the OCI CLI documentation, shown below. Note that the installer is fetched over HTTPS and piped straight into Invoke-Expression with the execution policy bypassed; on a machine you care about, download install.ps1 first, read it, and run it locally instead of executing whatever the URL serves at that moment.

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32> Set-ExecutionPolicy RemoteSigned

PS C:\WINDOWS\system32> powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('<install.ps1 URL from the OCI CLI documentation>'))"

You have started the OCI CLI Installer in interactive mode. If you do not wish
to run this in interactive mode, please include the -AcceptAllDefaults option.
If you have the script locally and would like to know more about
input options for this script, then you can run:
help .\install.ps1
If you would like to know more about input options for this script, refer to:
VERBOSE: Python found in registry: HKCU:\Software\Python\PythonCore
VERBOSE: Downloading install script to C:\Users\oracle-learn\AppData\Local\Temp\tmpDDAF.tmp
VERBOSE: False False
VERBOSE: Using Python executable: C:\Users\oracle-learn\AppData\Local\Programs\Python\Python37\python.exe to run install
VERBOSE: Arguments to python script: "C:\Users\oracle-learn\AppData\Local\Temp\tmpDDAF.tmp"
-- Verifying Python version.
-- Python version 3.7.5 okay.

===> In what directory would you like to place the install? (leave blank to use 'C:\Users\oracle-learn\lib\oracle-cli'):
-- We will install at 'C:\Users\oracle-learn\lib\oracle-cli'.

===> In what directory would you like to place the 'oci.exe' executable? (leave blank to use 'C:\Users\oracle-learn\bin'):
-- The executable will be in 'C:\Users\oracle-learn\bin'.

===> In what directory would you like to place the OCI scripts? (leave blank to use 'C:\Users\oracle-learn\bin\oci-cli-scripts'):
-- The scripts will be in 'C:\Users\oracle-learn\bin\oci-cli-scripts'.

===> Currently supported optional packages are: ['db (will install cx_Oracle)']
What optional CLI packages would you like to be installed (comma separated names; press enter if you don't need any optional packages)?:
-- The optional packages installed will be ''.
-- Downloading virtualenv package from
-- Downloaded virtualenv package to C:\Users\oracle-learn\AppData\Local\Temp\tmpukxf413h\15.0.0.tar.gz.
-- Checksum of C:\Users\oracle-learn\AppData\Local\Temp\tmpukxf413h\15.0.0.tar.gz OK.
-- Extracting 'C:\Users\oracle-learn\AppData\Local\Temp\tmpukxf413h\15.0.0.tar.gz' to 'C:\Users\oracle-learn\AppData\Local\Temp\tmpukxf413h'.
-- Copying DLLs into virtualenv.
-- Copying C:\Users\oracle-learn\AppData\Local\Programs\Python\Python37\python3.dll to C:\Users\oracle-learn\lib\oracle-cli\Scripts
-- Copying C:\Users\oracle-learn\AppData\Local\Programs\Python\Python37\python37.dll to C:\Users\oracle-learn\lib\oracle-cli\Scripts
-- Copying C:\Users\oracle-learn\AppData\Local\Programs\Python\Python37\vcruntime140.dll to C:\Users\oracle-learn\lib\oracle-cli\Scripts
-- Executing: ['C:\\Users\\oracle-learn\\AppData\\Local\\Programs\\Python\\Python37\\python.exe', '', '--python', 'C:\\Users\\oracle-learn\\AppData\\Local\\Programs\\Python\\Python37\\python.exe', 'C:\\Users\\oracle-learn\\lib\\oracle-cli']
Already using interpreter C:\Users\oracle-learn\AppData\Local\Programs\Python\Python37\python.exe
Using base prefix 'C:\\Users\\oracle-learn\\AppData\\Local\\Programs\\Python\\Python37'
DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
New python executable in C:\Users\oracle-learn\lib\oracle-cli\Scripts\python.exe
Installing setuptools, pip, wheel...done.
-- Executing: ['C:\\Users\\oracle-learn\\lib\\oracle-cli\\Scripts\\pip', 'install', '--cache-dir', 'C:\\Users\\oracle-learn\\AppData\\Local\\Temp\\tmpukxf413h', 'oci_cli', '--upgrade']
Collecting oci_cli
Downloading (6.3MB)
|████████████████████████████████| 6.3MB 363kB/s
Collecting jmespath==0.9.3
Collecting oci==2.8.0
Downloading (3.1MB)
|████████████████████████████████| 3.1MB 409kB/s
Collecting cryptography==2.4.2
Downloading (1.3MB)
|████████████████████████████████| 1.3MB 726kB/s
Collecting six==1.11.0
Collecting configparser==3.5.0
Collecting pytz==2016.10
Downloading (483kB)
|████████████████████████████████| 491kB 1.3MB/s
Collecting PyYAML==5.1.2
Downloading (215kB)
|████████████████████████████████| 225kB 285kB/s
Collecting pyOpenSSL==18.0.0
Downloading (53kB)
|████████████████████████████████| 61kB 218kB/s
Collecting click==6.7
Downloading (71kB)
|████████████████████████████████| 71kB 353kB/s
Collecting python-dateutil==2.7.3
Downloading (211kB)
|████████████████████████████████| 215kB 504kB/s
Collecting certifi
Downloading (156kB)
|████████████████████████████████| 163kB 409kB/s
Collecting idna<2.7,>=2.5
Downloading (56kB)
|████████████████████████████████| 61kB 563kB/s
Collecting terminaltables==3.1.0
Collecting retrying==1.3.3
Collecting arrow==0.10.0
Downloading (86kB)
|████████████████████████████████| 92kB 368kB/s
Collecting cffi!=1.11.3,>=1.7
Downloading (175kB)
|████████████████████████████████| 184kB 1.1MB/s
Collecting asn1crypto>=0.21.0
Downloading (103kB)
|████████████████████████████████| 112kB 1.3MB/s
Collecting pycparser
Downloading (158kB)
|████████████████████████████████| 163kB 328kB/s
Building wheels for collected packages: configparser, terminaltables, retrying, arrow, pycparser
Building wheel for configparser ( … done
Created wheel for configparser: filename=configparser-3.5.0-cp37-none-any.whl size=20865 sha256=abc942bac573f3e5f612d62de463f504320677dc1a6d2788edfb03ed52de7aed
Stored in directory: C:\Users\oracle-learn\AppData\Local\Temp\tmpukxf413h\wheels\a3\61\79\424ef897a2f3b14684a7de5d89e8600b460b89663e6ce9d17c
Building wheel for terminaltables ( … done
Created wheel for terminaltables: filename=terminaltables-3.1.0-cp37-none-any.whl size=15362 sha256=53403741f831f93681673c00903de32d313f57c3d539207141a994b5a75026d8
Stored in directory: C:\Users\oracle-learn\AppData\Local\Temp\tmpukxf413h\wheels\30\6b\50\6c75775b681fb36cdfac7f19799888ef9d8813aff9e379663e
Building wheel for retrying ( … done
Created wheel for retrying: filename=retrying-1.3.3-cp37-none-any.whl size=11435 sha256=662b2240b6aaa349ae3edc39b178cb9bd2cafa4ffd22333154573f356f63434a
Stored in directory: C:\Users\oracle-learn\AppData\Local\Temp\tmpukxf413h\wheels\d7\a9\33\acc7b709e2a35caa7d4cae442f6fe6fb
Building wheel for arrow ( … done
Created wheel for arrow: filename=arrow-0.10.0-py2.py3-none-any.whl size=32856 sha256=358422ae1a2eaa31691be7ded73643fd
Stored in directory: C:\Users\oracle-learn\AppData\Local\Temp\tmpukxf413h\wheels\ce\4f\95\64541c7466fd88ffe72fda5164f8323c91d695c9a77072c574
Building wheel for pycparser ( … done
Created wheel for pycparser: filename=pycparser-2.19-py2.py3-none-any.whl size=111018 sha256=402b3b5fcdf0280d8ca2389825fed90efcdb20185d76b36fab57cc6008fdbf4c
Stored in directory: C:\Users\oracle-learn\AppData\Local\Temp\tmpukxf413h\wheels\f2\9a\90\de94f8556265ddc9d9c8b271b0f63e57b26fb1d67a45564511
Successfully built configparser terminaltables retrying arrow pycparser
Installing collected packages: jmespath, idna, pycparser, cffi, asn1crypto, six, cryptography, configparser, certifi, pytz, pyOpenSSL, python-dateutil, oci, PyYAML, click, terminaltables, retrying, arrow, oci-cli
Successfully installed PyYAML-5.1.2 arrow-0.10.0 asn1crypto-1.2.0 certifi-2019.11.28 cffi-1.13.2 click-6.7 configparser-3.5.0 cryptography-2.4.2 idna-2.6 jmespath-0.9.3 oci-2.8.0 oci-cli-2.7.0 pyOpenSSL-18.0.0 pycparser-2.19 python-dateutil-2.7.3 pytz-2016.10 retrying-1.3.3 six-1.11.0 terminaltables-3.1.0

===> Modify PATH to include the CLI and enable tab completion in PowerShell now? (Y/n): Y

-- ** Close and re-open PowerShell to reload changes to your PATH **
-- In order to run the autocomplete script, you may also need to set your PowerShell execution policy to allow for running local scripts (as an Administrator run Set-ExecutionPolicy RemoteSigned in a PowerShell prompt)

-- Installation successful.
-- Run the CLI with C:\Users\oracle-learn\bin\oci.exe --help
VERBOSE: Successfully installed OCI CLI!
PS C:\WINDOWS\system32>

#Configure the OCI CLI

C:\Users\oracle-learn\bin> oci setup config
This command provides a walkthrough of creating a valid CLI config file.

The following links explain where to find the information required by this
script:

User OCID and Tenancy OCID:

General config documentation:

Enter a location for your config [C:\Users\oracle-learn\.oci\config]: C:\Users\oracle-learn\.oci\config
Enter a user OCID: ocid1.user.oc1..fddsfdsfdsfjhgjhjhg54534vcxvcxvcxv
Enter a tenancy OCID: ocid1.tenancy.oc1..dfdsfljfsdjf433sdfsdlfjsfjsdf
Enter a region (e.g. ap-mumbai-1, ap-seoul-1, ap-sydney-1, ap-tokyo-1, ca-toronto-1, eu-frankfurt-1, eu-zurich-1, sa-saopaulo-1, uk-gov-london-1, uk-london-1, us-ashburn-1, us-gov-ashburn-1, us-gov-chicago-1, us-gov-phoenix-1, us-langley-1, us-luke-1, us-phoenix-1): ap-mumbai-1
Do you want to generate a new RSA key pair? (If you decline you will be asked to supply the path to an existing key.) [Y/n]: Y
Enter a directory for your keys to be created [C:\Users\oracle-learn\.oci]:
Enter a name for your key [oci_api_key]:
Public key written to: C:\Users\oracle-learn\.oci\oci_api_key_public.pem
Enter a passphrase for your private key (empty for no passphrase):
File C:\Users\oracle-learn\.oci\oci_api_key.pem already exists, do you want to overwrite? [y/N]: y
Private key written to: C:\Users\oracle-learn\.oci\oci_api_key.pem
Fingerprint: 29:80:a7:d8:4d:5b:a1:54:d1:c6:cc:b3:de:6c:ef:52
Config written to C:\Users\oracle-learn\.oci\config

If you haven't already uploaded your public key through the console,
follow the instructions on the page linked below in the section 'How to
upload the public key':

Two things to check at this point. The private key in C:\Users\oracle-learn\.oci is a long-lived credential for your user: give it a passphrase (an encrypted key is used by adding pass_phrase to the profile or by typing it when the CLI prompts) and restrict the .oci folder's ACL to your own account. Answering "y" to the overwrite prompt replaced an existing key pair, so the public key previously registered in the console no longer matches; upload the new oci_api_key_public.pem under your user's API Keys, confirm the console shows the same fingerprint as printed above, and delete the old key.

C:\Users\oracle-learn\bin>oci --help

Once everything is configured correctly you can run a few commands to try out the client. The basic syntax is:
$ oci <service> <type> <action> [options]

Some of the available services are:

Core (Networking, Compute, Block Volume, etc.)
Load Balancing
Object Storage
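As an added example, not part of the original post or of the OCI CLI, the script below checks a CLI config profile offline with the Python standard library: that the required entries are present, that user and tenancy are OCIDs of the right type, and that the fingerprint entry matches the public key file. The last check relies on how OCI derives the fingerprint: it is the MD5 of the DER-encoded public key, and the base64 body of a PEM PUBLIC KEY file is exactly that DER blob, so no crypto library is needed. The sample config reuses the placeholder OCIDs from the walkthrough; the sample public key body is a constructed placeholder, so point the script at your own oci_api_key_public.pem for a real check.

```python
"""Offline sanity check for an OCI CLI profile written by 'oci setup config'.

Added example, not part of the original post or of the OCI CLI; standard
library only. The API-key fingerprint is the MD5 of the DER-encoded public
key, and the base64 body of a PEM "PUBLIC KEY" file is exactly that DER, so the
fingerprint in the profile can be recomputed from oci_api_key_public.pem.
"""
import base64
import configparser
import hashlib
import re

REQUIRED_KEYS = ("user", "fingerprint", "tenancy", "region", "key_file")
# user and tenancy OCIDs have an empty region segment: ocid1.user.oc1..<id>
USER_OCID_RE = re.compile(r"^ocid1\.user\.oc\d+\.\.[a-z0-9]+$")
TENANCY_OCID_RE = re.compile(r"^ocid1\.tenancy\.oc\d+\.\.[a-z0-9]+$")
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")


def fingerprint_of_public_key(pem):
    """Return the OCI-style fingerprint (16 colon-separated hex bytes) of a PEM public key."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    digest = hashlib.md5(base64.b64decode(body)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_profile(config_text, public_key_pem, profile="DEFAULT"):
    """Return a list of problems for the profile; an empty list means it looks consistent."""
    cfg = configparser.ConfigParser(interpolation=None)  # paths may contain '%'
    cfg.read_string(config_text)
    if profile != "DEFAULT" and not cfg.has_section(profile):
        return ["profile [{}] not found".format(profile)]
    section = cfg[profile]  # named profiles inherit missing entries from [DEFAULT], like the CLI
    problems = ["missing required entry '{}'".format(k) for k in REQUIRED_KEYS if not section.get(k)]
    if problems:
        return problems
    if not USER_OCID_RE.match(section["user"]):
        problems.append("user is not a user OCID")
    if not TENANCY_OCID_RE.match(section["tenancy"]):
        problems.append("tenancy is not a tenancy OCID")
    fp = section["fingerprint"].lower()
    if not FINGERPRINT_RE.match(fp):
        problems.append("fingerprint is not 16 colon-separated hex bytes")
    elif fp != fingerprint_of_public_key(public_key_pem):
        problems.append("fingerprint does not match the public key file "
                        "(wrong key, or the pair was regenerated after the upload)")
    if not section.get("pass_phrase"):
        problems.append("warning: no pass_phrase, so the private key on disk is unencrypted")
    return problems


# Constructed placeholder: arbitrary bytes stand in for real DER, which is enough
# to show the fingerprint arithmetic. Use your own oci_api_key_public.pem for real.
SAMPLE_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(b"constructed placeholder, not a real RSA public key").decode()
    + "\n-----END PUBLIC KEY-----\n"
)

# Same shape as the file 'oci setup config' wrote above; OCIDs are the walkthrough's placeholders.
SAMPLE_CONFIG = """[DEFAULT]
user=ocid1.user.oc1..fddsfdsfdsfjhgjhjhg54534vcxvcxvcxv
fingerprint={fp}
key_file=C:\\Users\\oracle-learn\\.oci\\oci_api_key.pem
tenancy=ocid1.tenancy.oc1..dfdsfljfsdjf433sdfsdlfjsfjsdf
region=ap-mumbai-1
""".format(fp=fingerprint_of_public_key(SAMPLE_PUBLIC_KEY_PEM))

if __name__ == "__main__":
    for problem in check_profile(SAMPLE_CONFIG, SAMPLE_PUBLIC_KEY_PEM) or ["profile looks consistent"]:
        print(problem)
```

Against a real profile, read C:\Users\oracle-learn\.oci\config and oci_api_key_public.pem and pass their contents to check_profile; a fingerprint mismatch is exactly what you see after answering "y" to the overwrite prompt and forgetting to upload the new public key.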

#Launch Compute instance

When you launch an instance you have to provide the following information, some of which you have already obtained: the availability domain, the compartment OCID, the shape, a display name, the image OCID, the file holding the SSH public key(s) to authorize, and the subnet OCID. Each of these is a parameter of the launch command below.

Sample commands to find the required information:
oci iam user list --compartment-id <tenancy-ocid>
oci iam availability-domain list
oci compute shape list -c <compartment-ocid>
oci compute image list -c <compartment-ocid>

You can use the -h option at the end of a command to get help on that command's options:
oci compute image list -h
oci compute shape list -h

oci compute instance launch --availability-domain "<AD name>" -c <compartment-ocid> --shape "<shape>" --display-name "<name>" --image-id <image-ocid> --ssh-authorized-keys-file "<path to public key file>" --subnet-id <subnet-ocid>

Two points worth checking before you run it: --ssh-authorized-keys-file takes the public key (the .pub file), which the CLI places in the instance metadata as ssh_authorized_keys, so never point it at the private key; and the subnet decides the instance's exposure: in a public subnet the instance gets a public IP unless you add --assign-public-ip false, and the subnet's security list and route table govern what can reach it.

oci compute instance launch --availability-domain "AARS:AP-MUMBAI-1-AD-1" -c ocid1.compartment.oc1..ggfdh434332sfsdfsdfsdfsf --shape "VM.Standard.E2.1" --display-name "MyFirstMachineFromCLI" --image-id ocid1.image.oc1.ap-mumbai-1.aaaaaaaaka7f3qhfuobx2s7dqfgbcx5klllh5xlflbgzb5pymqsnuphehk2a --ssh-authorized-keys-file "C:\Users\oracle-learn\.ssh\" --subnet-id ocid1.subnet.oc1.ap-mumbai-1.aaaaaaaah44xlfte72zz4yrgrp5pqc3ndqy5atc3kqlfmz4lzwdlsdlhyoya
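As an added example, not part of the original post or of the OCI CLI, the script below runs pre-flight checks on the launch parameters before assembling the command: each OCID must be of the type its flag expects, the image and subnet OCIDs must carry the same region as the availability domain (platform image OCIDs are region-specific), and the authorized-keys file must contain OpenSSH public keys only. The OCIDs are the placeholder values from the launch command above; the key file contents are constructed samples. The assumption that an availability domain name of the form PREFIX:REGION-AD-N carries a full region identifier is mine (older regions use an airport code such as PHX-AD-1, where the region cross-check is skipped).

```python
"""Pre-flight checks for 'oci compute instance launch' arguments.

Added example, not part of the original post or of the OCI CLI. Standard
library only; nothing is sent to OCI, the argv list is only assembled.
"""
import re
import sys

OCID_RE = re.compile(
    r"^ocid1\.(?P<type>[a-z]+)\.(?P<realm>oc\d+)\.(?P<region>[a-z0-9-]*)\.[a-z0-9]+$")
# "AARS:AP-MUMBAI-1-AD-1" -> region part "AP-MUMBAI-1"; older regions use an
# airport code ("Uocm:PHX-AD-1"), where the region cross-check is skipped.
AD_RE = re.compile(r"^[A-Za-z0-9]+:(?P<region>.+)-AD-\d+$")
REGION_RE = re.compile(r"^[a-z]{2}-[a-z-]+-\d+$")
PUBKEY_RE = re.compile(
    r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$")


def ocid_problems(value, expected_type, region=None):
    """Check that value is an OCID of expected_type and, if region is given, lives there."""
    m = OCID_RE.match(value)
    if not m or m.group("type") != expected_type:
        return ["expected a {} OCID, got {!r}".format(expected_type, value)]
    if region and m.group("region") != region:
        return ["{} OCID is in region {!r} but the availability domain is in {!r}"
                .format(expected_type, m.group("region"), region)]
    return []


def authorized_keys_problems(text):
    """The file goes into instance metadata as ssh_authorized_keys: public keys only."""
    if "PRIVATE KEY" in text:
        return ["--ssh-authorized-keys-file holds a PRIVATE key; pass the .pub file instead"]
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    if not lines:
        return ["--ssh-authorized-keys-file contains no public keys"]
    return ["not an OpenSSH public key line: {!r}".format(l[:30])
            for l in lines if not PUBKEY_RE.match(l)]


def validate_launch(availability_domain, compartment_id, image_id, subnet_id, authorized_keys_text):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    region = None
    ad = AD_RE.match(availability_domain)
    if not ad:
        problems.append("unexpected availability domain format: {!r}".format(availability_domain))
    elif REGION_RE.match(ad.group("region").lower()):
        region = ad.group("region").lower()
    problems += ocid_problems(compartment_id, "compartment")
    problems += ocid_problems(image_id, "image", region)
    problems += ocid_problems(subnet_id, "subnet", region)
    problems += authorized_keys_problems(authorized_keys_text)
    return problems


def build_launch_argv(availability_domain, compartment_id, shape, display_name,
                      image_id, subnet_id, keys_path, authorized_keys_text,
                      assign_public_ip=False):
    """Validate, then return the argv list; raise ValueError listing every problem found."""
    problems = validate_launch(availability_domain, compartment_id, image_id, subnet_id,
                               authorized_keys_text)
    if problems:
        raise ValueError("; ".join(problems))
    return ["oci", "compute", "instance", "launch",
            "--availability-domain", availability_domain,
            "-c", compartment_id,
            "--shape", shape,
            "--display-name", display_name,
            "--image-id", image_id,
            "--ssh-authorized-keys-file", keys_path,
            "--subnet-id", subnet_id,
            # explicit, so a public subnet does not hand out a public IP by accident
            "--assign-public-ip", "true" if assign_public_ip else "false"]


# Placeholder values from the launch command above, and constructed key files.
PAGE_AD = "AARS:AP-MUMBAI-1-AD-1"
PAGE_COMPARTMENT = "ocid1.compartment.oc1..ggfdh434332sfsdfsdfsdfsf"
PAGE_IMAGE = "ocid1.image.oc1.ap-mumbai-1.aaaaaaaaka7f3qhfuobx2s7dqfgbcx5klllh5xlflbgzb5pymqsnuphehk2a"
PAGE_SUBNET = "ocid1.subnet.oc1.ap-mumbai-1.aaaaaaaah44xlfte72zz4yrgrp5pqc3ndqy5atc3kqlfmz4lzwdlsdlhyoya"
SAMPLE_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedKeyMaterial== oracle-learn@laptop\n"
SAMPLE_PRIV = "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # usage: python launch_preflight.py [path/to/id_rsa.pub]
    keys_path = sys.argv[1] if len(sys.argv) > 1 else "<path to .pub>"
    keys_text = open(keys_path).read() if len(sys.argv) > 1 else SAMPLE_PUB
    argv = build_launch_argv(PAGE_AD, PAGE_COMPARTMENT, "VM.Standard.E2.1", "MyFirstMachineFromCLI",
                             PAGE_IMAGE, PAGE_SUBNET, keys_path, keys_text)
    print(" ".join(argv))
```

The returned list can be handed to subprocess.run as-is; keeping the arguments as a list rather than one shell string also means a display name containing quotes or spaces cannot break the command.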

#List Compute instances
oci compute instance list --compartment-id ocid1.compartment.oc1..ggfdh434332sfsdfsdfsdfsf

oci compute instance action performs one of the following power actions on the specified instance (--wait-for-state makes the command block until the instance reaches that lifecycle state):

[1] * **START** – Powers on the instance.

oci compute instance action --instance-id ocid1.instance.oc1.ap-mumbai-1.fdsfdsfsdfsdfdsf343sdfsdfsfsdf --action START --wait-for-state RUNNING

[2] * **STOP** – Powers off the instance.

oci compute instance action --instance-id ocid1.instance.oc1.ap-mumbai-1.fdsfdsfsdfsdfdsf343sdfsdfsfsdf --action STOP --wait-for-state STOPPED

[3] * **SOFTRESET** – Gracefully reboots the instance by sending a shutdown
command to the operating system and then powers the instance back on.

oci compute instance action --instance-id ocid1.instance.oc1.ap-mumbai-1.fdsfdsfsdfsdfdsf343sdfsdfsfsdf --action SOFTRESET --wait-for-state RUNNING

[4] * **SOFTSTOP** – Gracefully shuts down instance by sending a
shutdown command to the operating system.

oci compute instance action --instance-id ocid1.instance.oc1.ap-mumbai-1.fdsfdsfsdfsdfdsf343sdfsdfsfsdf --action SOFTSTOP --wait-for-state STOPPED

[5] * **RESET** – Powers off the instance and then powers it back on.

oci compute instance action --instance-id ocid1.instance.oc1.ap-mumbai-1.fdsfdsfsdfsdfdsf343sdfsdfsfsdf --action RESET --wait-for-state RUNNING

#Terminate Compute instance
oci compute instance terminate --instance-id ocid1.instance.oc1.ap-mumbai-1.fdsfdsfsdfsdfdsf343sdfsdfsfsdf

Unless you pass --preserve-boot-volume true, terminating the instance also deletes its boot volume; the CLI asks for confirmation first (add --force to skip the prompt in scripts).

Thank you for visiting this blog.

Happy Learning 🙂

Learning Python

This is a very good course to start learning Python.
Course : Learning Python
By Instructor: Joe Marini
Learning Objectives:
Installing Python
Choosing an editor or IDE
Working with variables and expressions
Writing loops
Using the date, time, and datetime classes
Reading and writing files
Fetching internet data
Parsing and processing HTML
Thank you, Joe Marini, for sharing your practical experience.

Preparation for Exam : Oracle Cloud Infrastructure 2018 Architect Associate

Below is a self-study approach to start learning Oracle OCI.

Study Guide for Oracle Cloud Infrastructure 2018 Architect Associate | 1Z0-932

Chapter 1 Identity and Access Management (IAM) 10%

1.1 Apply core Identity and Access Management components
Users, groups and policies, instance principals and dynamic groups

1.2 Explain resource locations
IAM resource component

1.3 Design federation with various identity providers
Active Directory Federation Services
Oracle Identity Cloud Service
Security Assertion Markup Language (SAML) is a standard protocol for web browser Single Sign-On (SSO) using secure tokens.

1.4 Apply IAM, governance, and security best practices
Audit, encryption

Oracle Cloud Infrastructure Identity and Access Management FAQ

Chapter 2 Networking 30%

2.1 Apply design concepts related to VCN components
Including subnets, route tables, security lists,and DNS options

2.2 Describe Public and Private IP addresses and virtual NICs
Reserved Public and Private IP

2.3 Apply VCN connectivity options
Internet gateway, remote peering connections,and local peering gateways, NAT and service gateway

2.4 Understand remote network connectivity
VPN and FastConnect using Dynamic Routing Gateway (DRG), connecting to on-premises

2.5 Apply OCI Load Balancer concepts
Listeners, backend sets, health checks, public and private load balancers, high availability design practices

2.6 Understand OCI Edge services
DNS service and internet intelligence

2.7 Apply OCI networking best practices
Load balancing, VCN peering, VPN, FastConnect, fault tolerance

Oracle Cloud Infrastructure VCN – FAQ

Chapter 3 Compute 15%

3.1 Understand compute and sizing
Best practices, available OCI shapes, network bandwidth, SLA, NVMe, performance

3.2 Troubleshoot options using console connections and boot volume
Console connection options and boot volume management

3.3 Architect High Availability and Disaster Recovery solutions
Fault domain, availability domains, cross regions

3.4 Describe image options
Oracle provided, customer provided, custom images, BYOI

Oracle Cloud Infrastructure Compute FAQ

Chapter 4 Storage 20%
4.1 Understand OCI Storage options
Storage best practices, storage performance metrics, block volumes, object storage, file storage service

4.2 Designing storage solutions for applications and database
Based on use case, performance, scalability

Chapter 5 Database 25%

5.1 Describe OCI Database options
Best practices, sizing, Autonomous Transaction Processing (ATP), Database
Systems, Autonomous Data Warehouse(ADW)

5.2 Explain OCI Database Operations
Backup/restore, patching and Migration, Data Loading for ATP and ADW

5.3 Architect HA and DR solutions
RAC, Data Guard

5.4 Managing Autonomous Database

ADW technical FAQ: adw-technical-faq-public-5069016.pdf


Training by Deepak Brahmbhatt

Finally I cleared the exam 🙂

My badge 🙂