Configuring a Private Subnet

This section explains how to configure a private subnet for your clusters:

Configuring a Private Subnet for Oracle OCI Clusters

Proceed as follows:

  1. Create a Qubole support ticket to get a tunnel IP address and public key to allow Qubole access to the Bastion host you are going to create.

  2. To create a Bastion node, launch an instance using the Oracle-Linux-7.3 image. This instance must be in the same VCN as the private subnet.

  3. Add the public key provided by Qubole support to the authorized key list of user opc on the Bastion node. To do this, append the public key to /home/opc/.ssh/authorized_keys on the Bastion node.

  4. Run the following commands as root (for example after sudo -i) in the bash shell on the Bastion node. They create the ec2-user account that the Qubole tunnel logs in as, give it the same authorized key as opc, open TCP port 7000 to the private subnet, and let the tunnel's forwarded port bind on all interfaces instead of loopback only.

    # Key-only account for the tunnel. No -p '' here: that would leave an empty
    # password hash; without -p the password field is "!" (locked), which is what we want.
    useradd -m ec2-user
    mkdir -p /home/ec2-user/.ssh
    cp /home/opc/.ssh/authorized_keys /home/ec2-user/.ssh/
    chown -R ec2-user:ec2-user /home/ec2-user/.ssh
    # sshd (StrictModes) refuses keys in group/world-writable paths; set the usual modes.
    chmod 700 /home/ec2-user/.ssh
    chmod 600 /home/ec2-user/.ssh/authorized_keys
    # Open port 7000 to the private subnet CIDR block if firewalld is active.
    # Rich-rule grammar needs "port port=", not a bare "port=".
    firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="<private subnet cidr block>" port port="7000" protocol="tcp" accept'
    firewall-cmd --reload
    # Let sshd bind remote-forwarded ports (the Qubole tunnel) on all interfaces, not only 127.0.0.1.
    # sshd uses the first value it reads for a keyword, so make sure no earlier "GatewayPorts no" line exists.
    echo "GatewayPorts yes" >> /etc/ssh/sshd_config
    # Validate the config before restarting so a typo cannot lock you out.
    sshd -t && systemctl restart sshd

    
  5. If your private subnet does not already exist, create it in the same VCN where you launched the Bastion host.

    At a minimum, the subnet should have these rules:

    • A stateful rule to allow ingress via all protocols to all ports from the private subnet’s CIDR block.
    • A stateful rule to allow ingress via all protocols to all ports from the Bastion node’s private IP address.
    • A stateful rule to allow egress via all protocols and all ports to destination 0.0.0.0/0.

  6. Configure the Bastion host’s security list. This list should have these rules at a minimum:

    • A stateful rule to allow ingress via TCP to port 22 for ssh access from the tunnel server IP address specified by Qubole support.
    • A stateful rule to allow ingress via TCP to port 22 for ssh access from the public IP address of the Bastion node.
    • A stateful rule to allow ingress via TCP to port 7000 for metastore access from the private subnet’s CIDR block (see step 5 above).
    • A stateful rule to allow egress via all protocols and all ports to destination 0.0.0.0/0.

  7. Create a Qubole support ticket to provide your Bastion host’s public IP address. Qubole will enable private subnet support for your clusters.
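
Once the steps above are complete, the following script verifies the Bastion host state that the procedure depends on. It is an added example, not part of Qubole's documentation or tooling. It assumes the tunnel port is TCP 7000, that the tunnel user is ec2-user as created in step 4, and that firewall-cmd, sshd and ss are present on the Oracle Linux host; the CIDR and listener checks take their input as arguments so they can also be run against captured output.

```shell
#!/bin/sh
# bastion-check.sh: post-configuration checks for the Qubole bastion host.
# Added example, not Qubole's own code. Assumes tunnel port 7000 (hypothetical
# constant below), the ec2-user account from step 4, and GNU stat/ss/firewall-cmd.

TUNNEL_PORT=7000

# valid_cidr CIDR: accept only dotted-quad IPv4 with a /0..32 prefix.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    ip=${1%/*}
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    # the regex allows octets up to 999; reject anything above 255
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# rich_rule_for CIDR: the firewalld rich rule in its correct grammar.
# Note the "port port=" form; firewalld rejects a bare "port=7000".
rich_rule_for() {
    valid_cidr "$1" || { echo "invalid CIDR: $1" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$TUNNEL_PORT"
}

# gatewayports_enabled SSHD_T_OUTPUT: 0 if the effective sshd config has GatewayPorts yes.
# Reads `sshd -T` output (lower-cased keywords) rather than grepping sshd_config, because
# sshd takes the first value it sees, so an earlier "GatewayPorts no" beats an appended line.
gatewayports_enabled() {
    printf '%s\n' "$1" | grep -Eq '^gatewayports[[:space:]]+yes$'
}

# tunnel_listening SS_OUTPUT PORT: 0 if a listener on PORT is bound to all interfaces.
# `ss -ltn` columns: State Recv-Q Send-Q Local-Address:Port ... A 127.0.0.1:PORT
# listener means GatewayPorts did not take effect and private-subnet nodes cannot reach it.
tunnel_listening() {
    printf '%s\n' "$1" | grep -Eq "^LISTEN[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+(0\.0\.0\.0|\*|\[::\]):$2([[:space:]]|$)"
}

main() {
    cidr=$1
    rule=$(rich_rule_for "$cidr") || exit 1
    if firewall-cmd --permanent --query-rich-rule="$rule" >/dev/null 2>&1; then
        echo "ok: firewalld rule present"
    else
        echo "FAIL: firewalld rule missing: $rule"
    fi
    if gatewayports_enabled "$(sshd -T 2>/dev/null)"; then
        echo "ok: GatewayPorts yes is effective"
    else
        echo "FAIL: GatewayPorts not effective (an earlier line in sshd_config wins)"
    fi
    if tunnel_listening "$(ss -ltn)" "$TUNNEL_PORT"; then
        echo "ok: tunnel bound on all interfaces on port $TUNNEL_PORT"
    else
        echo "WARN: nothing on 0.0.0.0:$TUNNEL_PORT (tunnel not up yet, or bound to loopback only)"
    fi
    if [ "$(stat -c %a /home/ec2-user/.ssh/authorized_keys 2>/dev/null)" = 600 ]; then
        echo "ok: authorized_keys mode 600"
    else
        echo "WARN: /home/ec2-user/.ssh/authorized_keys is not mode 600"
    fi
}

# Usage on the bastion: sh bastion-check.sh --check <private subnet cidr block>
case "${1:-}" in
    --check) shift; main "$1" ;;
esac
```

Run it after Qubole confirms the tunnel is up: a listener on 127.0.0.1:7000 rather than 0.0.0.0:7000 is the usual symptom when GatewayPorts was appended below an existing GatewayPorts line, and the rich-rule check catches the missing "port port=" keyword that firewall-cmd would otherwise reject at add time.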