I’ve just posted a short video on YouTube that demonstrates how to use Cloud-init to automate the configuration of a VM instance in OCI during the creation process.
This is a great way to save time, drive consistency and reduce errors when configuring VM instances.
I’ve been working with a customer to set up an OCI Site-to-Site VPN between their On-Premises environment and OCI tenancy.
One thing we wanted to do was test the actual speed of the VPN to ensure that it was sufficient for the customer’s needs. I found the easiest way to do this was using the splendid tool iperf3 🏎️.
I had a play with this in my home lab, where I have an OCI Site-to-Site VPN configured between a Dream Router 7 and my test OCI tenancy – this provides private access to a number of VM instances that I have hosted within my OCI tenancy.
To get started I needed to install iperf3 on a server within my tenancy (this will be the endpoint for the speed test). To install iperf3 on Ubuntu, the following command can be used:
sudo apt install iperf3
To install on Oracle Linux run the following command:
sudo yum install iperf3
Once iperf3 had been installed on the server within OCI, I then needed to install it on my client machine that sits On-Premises (my house!). iperf3 supports Windows and macOS; I installed it on my Mac using the instructions found here – https://iperf.fr/iperf-download.php.
Now that I have iperf3 installed on the client and server, the next thing I needed to do was open the port used by iperf3 (TCP 5201 by default) on both the Linux server itself and the Security List/NSG within OCI 🔐.
Here are instructions for opening a local port on Ubuntu. To open the port on Oracle Linux, use these commands:
sudo firewall-cmd --add-port=5201/tcp
sudo firewall-cmd --runtime-to-permanent
Use these instructions to open a port in a Security List. To open a port in an NSG use these instructions.
In my case I’m only using Security Lists to secure access so have the configuration below, which permits traffic on TCP port 5201 from my home network (192.168.1.0) to the subnet containing my VM instance within OCI (172.16.1.0/24):
Now that the ports have been opened on the Linux server AND either the Security List or NSG (depending on what you use), the next thing to do is to start iperf3 on the Linux server in listening mode. To do this I ran the following command:
iperf3 -s
I can now start the test from the client machine (macOS in my case) by running the following command, which connects to the IP address of my Linux VM instance – note, it’s using the private IP address so will route over the VPN tunnel:
sudo iperf3 -c 172.16.1.21
It will then run some speed tests and output the results:
From this I can see the transfer speed in MBit/s and MBytes/s for each of the 10 intervals and also the average send/receive speed.
In the example above, I was seeing ~30 Mbits/sec throughput.
This was super-helpful for me, hopefully you find it useful too.
Whilst I used it to benchmark VPN speeds, it can be used in other scenarios too, to understand the network throughput between two devices on the same or different networks.
I decided to create a short video that walks through the process of performing an OCI Security Health Check…..a picture paints a thousand words and all that! 🌆
I’ve been helping a customer troubleshoot network connectivity between their On-Premises environment and OCI, one tool that has been super-useful is tcpdump (which I’d never used before).
I wanted to put together a short and simple guide on how to use this amazing tool to capture network traffic to help troubleshoot connectivity issues.
First things first – what is tcpdump?
tcpdump is a powerful command-line packet analyzer that captures and displays network traffic (TCP/IP and other protocols) flowing through a system, acting as a vital tool for network troubleshooting, security analysis, and diagnosing performance issues by letting users filter and inspect individual data packets in real-time or from saved files.
I’ve been using this tool on Oracle Linux to troubleshoot connectivity between a Windows server hosted On-Premises and an Oracle Linux VM instance hosted in OCI (where else 😀).
To get started, the tool can be installed on Oracle Linux using the following command:
sudo dnf install tcpdump
Once tcpdump has been installed, the first thing to do is list the network interfaces on the server – so you can select the relevant one to take the capture from.
sudo tcpdump -D
I’m interested in the traffic on the main NIC so will use “enp0s6” to take the capture.
Running the following command captures all network traffic on this NIC, it also disables name resolution so you see the IP addresses rather than hostnames of the devices (which makes things a little easier to read).
10.10.1.202 is the IP address of the Oracle Linux VM instance.
sudo tcpdump -i enp0s6 -n
This is obviously quite chatty, to see traffic on a specific port we can run the following command, in this case it will only list traffic on port 80 (HTTP):
sudo tcpdump -n -i enp0s6 port 80
Again, this is quite chatty. I’m only interested in traffic on port 80 from a specific machine, so ran the following – update the port/host parameter as needed to specify a different port/IP address combo.
sudo tcpdump -n -i enp0s6 host 213.249.245.216 and port 80
The trace now only shows port 80 traffic to/from the IP address 213.249.245.216.
One other useful parameter is -v which provides more verbose output (example below), in this case it captures the actual HTTP request and response – how cool 😎.
sudo tcpdump -n -i enp0s6 host 213.249.245.216 and port 80 -v
Another useful tool for me to have in my toolbelt 🔨.
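When the question is "does the connection actually get through?", the TCP flags in the `tcpdump -n` output answer it. The following is an added example (not part of the original post) that reads saved capture lines and classifies each connection attempt by whether the SYN was answered; the sample lines are constructed, and the function name is an assumption.

```python
import re

# One-line TCP summary as printed by `tcpdump -n` (IPv4 only).
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample capture (not real traffic), taken as if on 10.10.1.202.
SAMPLE = """\
09:15:01.100000 IP 213.249.245.216.51512 > 10.10.1.202.80: Flags [S], seq 1000, win 64240, length 0
09:15:01.100050 IP 10.10.1.202.80 > 213.249.245.216.51512: Flags [S.], seq 2000, ack 1001, win 65160, length 0
09:15:01.130000 IP 213.249.245.216.51512 > 10.10.1.202.80: Flags [.], ack 1, win 502, length 0
09:15:05.000000 IP 213.249.245.216.51600 > 10.10.1.202.8080: Flags [S], seq 3000, win 64240, length 0
09:15:05.000040 IP 10.10.1.202.8080 > 213.249.245.216.51600: Flags [R.], seq 0, ack 3001, win 0, length 0
09:15:09.000000 IP 213.249.245.216.51700 > 10.10.1.202.443: Flags [S], seq 4000, win 64240, length 0
09:15:10.010000 IP 213.249.245.216.51700 > 10.10.1.202.443: Flags [S], seq 4000, win 64240, length 0
09:15:12.030000 IP 213.249.245.216.51700 > 10.10.1.202.443: Flags [S], seq 4000, win 64240, length 0
"""

def classify_handshakes(lines):
    """Map (client, cport, server, sport) -> (verdict, number of SYNs seen)."""
    syns, replies = {}, {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        if m["flags"] == "S":                  # client SYN, retransmits counted
            syns[src + dst] = syns.get(src + dst, 0) + 1
        elif m["flags"] == "S.":               # SYN-ACK: the server accepted
            replies.setdefault(dst + src, "established")
        elif m["flags"].startswith("R"):       # RST: nothing listening on that port
            replies.setdefault(dst + src, "refused")
    # No SYN-ACK or RST after a SYN means the packet arrived but was never
    # answered, which on the receiving host usually points at its local firewall.
    return {flow: (replies.get(flow, "unanswered"), n) for flow, n in syns.items()}

if __name__ == "__main__":
    for flow, (verdict, n) in classify_handshakes(SAMPLE.splitlines()).items():
        print("%s:%d -> %s:%d" % flow, verdict, f"({n} SYN)")
```

If the expected SYN never appears in the capture at all, the traffic is being stopped before it reaches the instance, so the Security List/NSG and routing are the next things to check.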
Here is a short walkthrough of how to configure Block Volume replication in OCI to replicate a Windows VM instance between two different regions – this is useful for disaster recovery scenarios.
I’ve been working with a customer whose automation tool of choice is PowerShell…..the good news for them was that OCI provides PowerShell modules!
This means that customers can in theory do everything in PowerShell that they can with the OCI CLI.
The following guide steps through the process of setting up the PowerShell modules for OCI – OCI Modules for PowerShell
Once I’d got this set up (which wasn’t very painful), one of the first things that I helped them to automate is producing a list of all of the VM instances running within their tenancy. I’ve included the code for this below:
# Get all VMs
$Compartments = Get-OCIIdentityCompartmentsList -CompartmentId ocid1.tenancy.oc1.. -CompartmentIdInSubtree $true -LifecycleState Active
Foreach ($Compartment in $Compartments)
{
    Write-Host "Compartment Name:" $Compartment.Name -ForegroundColor Green
    $Instances = Get-OCIComputeInstancesList -CompartmentId $Compartment.Id
    Foreach ($Instance in $Instances)
    {
        Write-Host "-Instance:" $Instance.DisplayName -ForegroundColor White
    }
}
This loops through every Compartment from the root Compartment downwards and lists the VM instances within each of these Compartments.
The only thing that needs to be updated prior to running this script is the OCID of the root compartment (CompartmentId parameter).
Here is the output from my tenancy:
You can see all of the Compartments within the tenancy and the 3 x VM instances that I have:
Next up in random things Brendan has done……installing a desktop environment (Gnome) on a Linux instance (Ubuntu) hosted in OCI and making this available via Remote Desktop Protocol (RDP) with xrdp – it sounds quite complicated but there isn’t that much to getting it up and running ✅.
Basically, I wanted a VM that I can RDP to from anywhere….and any computer, importantly! To do basic coding (as in my coding is all basic 😀) using Visual Studio Code and Python.
To keep the costs down (I’m a tight Yorkshireman after all) I’m using an Always Free Ampere A1 VM instance running in OCI – so this will not cost me a penny to run 🙌.
To learn more about the OCI Always Free resources, check this article out.
To get started, I created a Linux instance using Ubuntu 24.04:
I placed this into a Public Subnet within a Virtual Cloud Network, to learn more about how to do this, check this guide out – the reason for placing the VM into a Public Subnet is so that it gets a public IP address and I can connect to this directly over the Internet, without requiring that a VPN or FastConnect be in-place.
Once the VM had been provisioned, I SSH’d onto the VM instance (if you are not sure how to do this, check this guide out) and then ran the following commands in order:
Update and Upgrade Installed Packages
sudo apt update && sudo apt upgrade -y
Install Ubuntu Desktop
sudo apt install ubuntu-desktop -y
Install xrdp
sudo apt install xrdp -y
Ensure that Gnome runs (the Ubuntu Desktop Environment) when logging in via RDP
echo "gnome-session" > ~/.xsession
Restart xrdp
sudo systemctl restart xrdp
Permit inbound traffic on TCP port 3389 (the port used by RDP)
sudo iptables -I INPUT 4 -m state --state NEW -p tcp --dport 3389 -j ACCEPT
sudo netfilter-persistent save
Set a password for the user “ubuntu”. By default OCI configures the VM instance to authenticate the ubuntu user using SSH keys; for RDP you’ll need to use a password – you may prefer to use a separate non-root account for this.
sudo passwd ubuntu
Once those commands have been run, the final thing you’ll need to do is ensure that any Security Lists OR Network Security Groups (NSGs) that the VM instance is associated with permit inbound access to port 3389 – the port used by RDP.
More info on this (including how to do this) can be found here.
Here is how my Security List looks (there isn’t an NSG associated with my VM instance).
WARNING: This gives any machine on the Internet (source CIDR 0.0.0.0/0) access to this VM instance…..and any other resources in the subnet via RDP – port 3389! You’d likely want to restrict this to specific IP addresses or IP address ranges e.g. the public IP address you break out from your house/office to prevent any randomer on the Internet getting access.
Once the Security List had been updated, I fired up the Microsoft RDP client (other RDP clients are available!) and configured it to connect to the public IP address of the VM instance and Voilà – I now have access to the desktop on my Ubuntu VM instance from anywhere.
This demo-heavy session provides a high-level overview of the OCI Generative AI Agents service and walks through the process of creating an agent and configuring it to address common use-cases. This session was based on real-world customer experience rather than theoretical capabilities – which always helps to bring things to life!
If you are unsure what the OCI UK Sovereign Cloud is, please check this out.
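To check for the situation the warning above describes, and for the iperf3 rule opened earlier on TCP 5201, the following added example (not from the original post) scans a Security List's ingress rules for ones that expose those ports to any source address. It assumes the kebab-case JSON shape the OCI CLI prints for a security list; the sample data and the function name are constructed for illustration.

```python
import ipaddress
import json

WATCHED_PORTS = {3389: "RDP", 5201: "iperf3"}   # the ports opened on this page

# Constructed sample in the shape of the "data" object the OCI CLI prints for a
# security list (key names are an assumption); all rules here are made up.
SAMPLE = json.loads("""
{"display-name": "example-security-list",
 "ingress-security-rules": [
  {"protocol": "6", "source": "0.0.0.0/0",
   "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
  {"protocol": "6", "source": "192.168.1.0/24",
   "tcp-options": {"destination-port-range": {"min": 5201, "max": 5201}}},
  {"protocol": "6", "source": "0.0.0.0/0",
   "tcp-options": {"destination-port-range": {"min": 3389, "max": 3389}}}
 ]}
""")

def world_open_rules(security_list, ports=WATCHED_PORTS):
    """Return [(port, label, source)] for ingress rules open to every address."""
    findings = []
    for rule in security_list.get("ingress-security-rules", []):
        source = rule.get("source", "")
        try:
            net = ipaddress.ip_network(source, strict=False)
        except ValueError:
            continue                      # not a CIDR (e.g. a service label)
        if net.prefixlen != 0:
            continue                      # limited to a specific range
        proto = rule.get("protocol")
        if proto == "all":
            lo, hi = 1, 65535
        elif proto == "6":                # TCP; no port range means every port
            rng = (rule.get("tcp-options") or {}).get("destination-port-range")
            lo, hi = (rng["min"], rng["max"]) if rng else (1, 65535)
        else:
            continue
        findings += [(p, name, source) for p, name in sorted(ports.items())
                     if lo <= p <= hi]
    return findings

if __name__ == "__main__":
    for port, name, source in world_open_rules(SAMPLE):
        print(f"{name} (TCP {port}) is reachable from {source}")
```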
This week I’ve been helping a customer to deploy an OCI Landing Zone (the One Operating Entity variant) to their tenancy using Terraform, we ran into a couple of issues that I wanted to document and hopefully help others.
This is caused by two of the Terraform input configuration files having some hardcoded references to the OCI Commercial Cloud (OC1) rather than the UK Sovereign Cloud (OC4), which need to be updated for the configuration to apply correctly – otherwise the terraform apply command will fail.