Bare Metal Solution provides the infrastructure required to run specialized workloads, such as Oracle Database, close to Google Cloud. The infrastructure connects to the Google Cloud region through a dedicated, low-latency, highly resilient interconnect and can reach all the native Google Cloud services.
Benefits
A fully managed certified database infrastructure
It offers end-to-end management of compute, storage, and networking, together with fully managed and monitored data center operations such as power, cooling, smart-hands support, and facilities.
Experience the latest hardware
It lets the user consolidate workloads on Intel Cascade Lake servers with high DRAM density, and configure the latest NVMe tier-1 storage for demanding workloads.
Reach all of Google Cloud with millisecond latency
It offers a fully managed low-latency network that makes all Google Cloud services seamlessly accessible to Oracle workloads, and lets the user set up Oracle Data Guard in a few clicks.
Key features
Seamlessly access all oracle capabilities
It lets the user run Oracle databases the same way as on-premises: install Oracle Real Application Clusters (RAC) on certified hardware for high availability, use Oracle Data Guard for disaster recovery, and use Oracle Recovery Manager (RMAN) for backups.
Integrated support and billing
Provides a seamless infrastructure support experience, including SLAs for initial response and an enterprise-grade SLA for infrastructure uptime. It also offers 24/7 coverage for all Priority 1 and Priority 2 issues, and unified billing across Google Cloud and Bare Metal Solution for Oracle.
Industry-leading data protection
It helps the user meet demanding compliance requirements with industry certifications such as ISO, PCI DSS, and HIPAA, along with regional certifications where applicable.
Tools and services to simplify operations
Lets the user automate day-to-day database administrator tasks with Google's open source Ansible-based toolkit or Google Cloud's Kubernetes operator for Oracle. The user can integrate these tools with the automation framework of their choice.
Plan for Bare metal solution
Bare Metal Solution provides a secure environment in which the user can run specialized workloads on high-performance bare-metal servers. It is the place to run third-party virtualization software and applications that require direct, low-level access to the server.
What Bare Metal Solution provides
It is a managed solution that provides purpose-built HPE or Atos bare-metal servers in regional extensions connected to Google Cloud by a managed, high-performance, low-latency connection.
Along with the servers, Google Cloud provides and manages the core infrastructure, the network, physical and network security, and hardware monitoring, in an environment from which the user can reach all Google Cloud services. The core infrastructure also covers secure, controlled-environment facilities and power, provisioning and maintenance of custom, sole-tenancy servers, local SAN storage, and smart-hands support.
User's responsibilities in a Bare Metal Solution Environment
The user is responsible for the software, applications, and data that they use and store in the Bare Metal Solution environment. The responsibilities include:
Data, including security, encryption, and backups
Software and applications, including installation, configuration, upgrades, and patches
Operating systems and hypervisors, including configuration changes
Server clusters, including installation, configuration, and maintenance
Databases, including installation, configuration, migration, administration, and upgrades
Security, including application security, OS patching, and security updates
Application or workload maintenance
Backups
The user is responsible for licensing all of their software; licensing follows a bring-your-own-license (BYOL) model. Google Cloud installs the initial OS or hypervisor for the user. It is then the user's duty to apply the latest available security patches and software updates to keep their software and applications secure and compliant.
Storage choices
The storage devices in a regional extension provide local storage to Bare Metal Solution servers. The user can request three types of local storage:
Logical unit numbers (LUNs): Fibre Channel-based block storage that is accessible from only one Bare Metal Solution server.
Multipath LUNs: Fibre Channel-based block storage that is shared between multiple Bare Metal Solution servers. This is a good choice for high-availability applications.
NFS: network file system storage. The user can mount a shared storage directory on one or more Bare Metal Solution servers and access it like any other file system.
There are some additional storage volume considerations the user needs to understand:
The size of a Fibre Channel or NFS storage volume is fixed once provisioned and cannot be expanded.
If more capacity is required, the user needs to purchase additional storage volumes.
When the user migrates LUNs to a new storage volume, the data must be migrated as well.
Removing a storage volume from service in a Bare Metal Solution environment reboots the server.
Storage performance
To improve database and application performance in the Bare Metal Solution environment, follow these storage recommendations:
Use consistent volume sizes when deploying multiple storage volumes, so that databases and applications see consistent performance.
Configure 1 LUN for each volume of 4 TiB or less, and 8 LUNs for each volume larger than 4 TiB.
Rescan the LUNs whenever a new storage volume is added so that the servers detect the new capacity.
Networking
Every Bare Metal Solution environment resides in a secure regional extension that is connected to the corresponding Google Cloud region through a Partner Interconnect connection provided and managed by Google Cloud.
Google Cloud monitors the round-trip latency between Compute Engine VM instances and the Bare Metal Solution environment in the same region.
Networking options
The standard networking configuration of Bare Metal Solution is a basic topology appropriate for small-scale deployments. It includes:
Four physical interfaces bundled into two logical interfaces called bonds, using a standard networking template that provides basic redundancy and load balancing.
One bonded interface connects to a single client VLAN network to reach Google Cloud.
The other bonded interface connects to a single private VLAN network for services and applications that run locally in the Bare Metal Solution environment.
If the standard configuration does not meet their needs, the user can implement advanced networking capabilities. The following options are available with an advanced networking configuration:
Multiple VLANs on the same bonded interface instead of a single VLAN per bonded interface.
The additional VLANs can be client VLANs, private VLANs, or both.
Up to 10 VLANs per bonded interface.
Different client VLANs can be routed within the same networking environment.
Multiple VLAN attachments over the Partner Interconnect connection to the user's Bare Metal Solution environment.
This provides more bandwidth between the VPC network and the Bare Metal Solution environment than a single pair of VLAN attachments offers.
Traffic is load-balanced across the multiple VLAN attachments.
Depending on network conditions, the total bandwidth can be lower than the sum of the bandwidths of the Partner Interconnect connections.
The Bare Metal Solution environment can be connected to multiple VPC networks in the user's Google Cloud project.
Use the same MTU on every VLAN to ensure consistent switching between devices.
Network templates let the user implement a flexible network design that meets their requirements for high availability, redundancy, and load balancing.
Defining IP address spaces
Bare Metal Solution lets the user bring their own IP subnets for the deployment, so the environment fits into whatever IP address schema the enterprise already has.
When placing an order for Bare Metal Solution, the user must provide two internal IP address ranges: a client IP address range, used for communication between Google Cloud and the Bare Metal Solution environment, and a private IP address range, used for reaching services and devices inside the Bare Metal Solution environment.
The user can also specify the exact IP address that each server should use.
Multi-region networking consideration
All outside communication, such as communication with Google Cloud services or with the user's on-premises environment, must pass through the VPC network that connects to the user's Bare Metal Solution environment.
If the user uses a single VPC network with global dynamic routing enabled, the Bare Metal Solution environment can reach other Google Cloud regions in order to connect to the following resources:
Other Bare Metal Solution environments
VMs in other regions
Other Google Cloud services
With a VPC network that has global dynamic routing enabled, the user can set up a routed environment that connects Bare Metal Solution instances directly to Google Cloud and extends to on-premises environments in other regions without any additional configuration in Google Cloud.
Keeping routing simple
Besides the other servers in the same Bare Metal Solution region, a server is likely to communicate with one or more of the following:
Endpoints in the Google Cloud environment
The on-premises environment, reached through the Google Cloud environment
Servers in Bare Metal Solution environments in other regions, reached through the Google Cloud environment
Because all communication from the Bare Metal Solution environment is routed through the Google Cloud environment, keep routing simple by advertising either a default route or all the RFC 1918 private address blocks (depending on the user's IP schema) toward the Bare Metal Solution environment. This is done with custom route advertisements at the BGP-session level on the Cloud Routers that face the Bare Metal Solution environment.
Required networking information for bare metal solution order
The following networking information must be included when submitting a Bare Metal Solution order:
The Google Cloud project ID to use with the Bare Metal Solution environment.
The IP ranges the user intends to use in the Bare Metal Solution environment.
The number of VLANs needed in the Bare Metal Solution environment.
The bandwidth required between the Google Cloud environment and the Bare Metal Solution environment, in 1 Gbps increments.
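As an added example (not code from the original article or from Google), the following Python checks the order information listed above before it is submitted, and also produces the route-advertisement list described under "Keeping routing simple". It assumes the order is expressed as a plain dictionary with the fields project_id, client_range, private_range, vlans_per_bond and bandwidth_gbps, that any existing subnets to avoid are supplied by the caller, and that the project-ID pattern and the sample values are constructed for the example.

```python
"""Sanity-check the networking details of a Bare Metal Solution order and
plan the Cloud Router advertisements toward it.

Added example, not Google tooling. It encodes the constraints stated in the
article: two RFC 1918 ranges (client and private), at most 10 VLANs per bonded
interface, bandwidth in whole Gbps, and advertisements that are either a
default route or the RFC 1918 blocks.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_VLANS_PER_BOND = 10
# Google Cloud project IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen (pattern assumed here).
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def is_rfc1918(net):
    """True if the whole IPv4 network lies inside one RFC 1918 block."""
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


def validate_order(order, existing_subnets=()):
    """Return a list of problems with the order; an empty list means it is consistent.

    existing_subnets: CIDRs already in use in the VPC network or on-premises
    that the two Bare Metal Solution ranges must not overlap.
    """
    problems = []
    if not PROJECT_ID_RE.match(order.get("project_id", "")):
        problems.append("project_id is not a valid Google Cloud project ID")

    ranges = {}
    for key in ("client_range", "private_range"):
        try:
            ranges[key] = ipaddress.ip_network(order[key], strict=True)
        except (KeyError, ValueError) as exc:
            problems.append(f"{key}: missing or invalid CIDR ({exc})")
            continue
        if not is_rfc1918(ranges[key]):
            problems.append(f"{key} {ranges[key]} is not an RFC 1918 range")
    if len(ranges) == 2 and ranges["client_range"].overlaps(ranges["private_range"]):
        problems.append("client_range and private_range overlap")
    for key, net in ranges.items():
        for used in existing_subnets:
            if net.overlaps(ipaddress.ip_network(used)):
                problems.append(f"{key} {net} overlaps existing subnet {used}")

    vlans = order.get("vlans_per_bond", 1)
    if not 1 <= vlans <= MAX_VLANS_PER_BOND:
        problems.append(f"vlans_per_bond must be between 1 and {MAX_VLANS_PER_BOND}")
    bandwidth = order.get("bandwidth_gbps", 0)
    if bandwidth <= 0 or bandwidth != int(bandwidth):
        problems.append("bandwidth_gbps must be a positive whole number (1 Gbps increments)")
    return problems


def advertised_routes(mode, onprem_prefixes=()):
    """Prefixes to advertise toward the BMS environment as custom route advertisements.

    mode "default": a single default route. mode "rfc1918": the three RFC 1918
    blocks plus any on-premises prefixes outside them, collapsed so that a
    prefix already covered by a larger block is not advertised twice.
    """
    if mode == "default":
        return ["0.0.0.0/0"]
    if mode != "rfc1918":
        raise ValueError("mode must be 'default' or 'rfc1918'")
    nets = list(RFC1918) + [ipaddress.ip_network(p) for p in onprem_prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed sample order for the example; the values are not from the article.
SAMPLE_ORDER = {
    "project_id": "ninja-bms-prod",
    "client_range": "10.200.0.0/24",     # Google Cloud <-> BMS
    "private_range": "10.200.1.0/24",    # services inside the BMS environment
    "vlans_per_bond": 2,
    "bandwidth_gbps": 2,
}

if __name__ == "__main__":
    for problem in validate_order(SAMPLE_ORDER, existing_subnets=["10.0.0.0/16"]):
        print("order problem:", problem)
    print("advertise:", advertised_routes("rfc1918", ["172.16.0.0/16"]))
```

The overlap checks are the part worth keeping: a client range that collides with an existing VPC subnet is the classic cause of asymmetric routing once the Partner Interconnect comes up, and it is much cheaper to catch before the order than after the servers are racked.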
Plan security for Bare metal solution environment
The user must consider the following six security pillars while planning the security strategy for Bare Metal Solution.
Physical security
The physical components of Bare Metal Solution are operated by vendors and reside in a regional extension. A high-speed, low-latency Partner Interconnect connection links the regional extension to the nearest Google Cloud region.
The vendor manages the regional extensions and their related facilities, such as power, cooling, racking, and stacking. The vendor is also responsible for maintaining industry-standard physical security and safety features, including but not limited to:
Cages with secure slab-to-slab walls.
Video monitoring of all cages, aisles, and doors at each facility 24 hours a day, 7 days a week.
Alarms on each door to ensure that it is closed properly.
Biometric locks for authorized staff to enter the facility, and a badge to exit.
Compliance
Bare Metal Solution meets demanding compliance requirements with industry certifications such as ISO, PCI DSS, and HIPAA, along with regional certifications where applicable.
Network Security
Network security is provided at two layers:
Layer 3 VLAN attachments connect the user's Virtual Private Cloud network to a unique virtual routing and forwarding (VRF) instance on the Bare Metal Solution edge router.
Layer 2 VLANs provide the isolation that protects the user's data within the Bare Metal Solution environment. The user uses a client subnet to connect to Google Cloud, and an optional private subnet for hosting the user's own services and storage.
Enforce a secure perimeter with private google access
VPC Service Controls together with Private Google Access let the user define a security perimeter around sensitive data held in Google Cloud services, and offer the following benefits:
Private access to Google Cloud services from on-premises.
Context-aware access enforced for requests from the internet.
Security policies managed from a central location.
Over the Partner Interconnect connection, the user can take advantage of Google Cloud's cloud-native, scalable services. By enabling a VPC Service Controls perimeter, the user can further ensure that access to Google Cloud services such as BigQuery happens without any data exfiltration to the internet.
Data Security
When planning data security for a Bare Metal Solution environment, the user must understand how encrypted data is stored and how to secure the applications that run alongside Google Cloud.
Storage encryption
Bare Metal Solution encrypts data at rest by default. Some facts about storage encryption at rest:
A storage virtual machine (SVM) is created on the NetApp cluster for each customer. The SVM is associated with a reserved data volume before it is assigned to the customer.
The keys are never displayed in plain text.
Google Cloud and the vendors do not have access to the user's keys.
All data at rest, including the operating system and boot partitions, is stored encrypted on the NetApp storage cluster.
Application security
The only network path to or from the Bare Metal Solution regional extension is the Partner Interconnect connection to the associated Google Cloud region. If the user wishes to reach their Bare Metal Solution servers from their on-premises environment, they must connect the on-premises data center to Google Cloud using Dedicated Interconnect, Partner Interconnect, or Cloud VPN.
If the user enables routes to their on-premises network, they must update the redundant Cloud Routers with custom advertisements for the CIDR range of the on-premises subnet.
Operational security
Several options are available for operational security. One solution that integrates natively with Google Cloud is Blue Medora's BindPlane. BindPlane integrates with Google Cloud's operations suite and lets the user capture metrics and logs from the Bare Metal Solution infrastructure, including the Oracle database.
Another option is Prometheus, an open source monitoring solution that the user can use to monitor the Bare Metal Solution infrastructure and the Oracle databases running on it. The user can also direct database and system audit trails into Prometheus, which then acts as a single pane of glass for monitoring and alerting on suspicious activity.
One more option is Oracle Enterprise Manager (OEM), which is popular with those who already use it on-premises. The user can use OEM in a Bare Metal Solution environment for the same monitoring and alerting tasks as in an on-premises data center.
Database security
Bare Metal Solution is designed to resemble the user's on-premises environment closely, so the user can adopt it with the least effort and learning. This lets the user bring their existing Oracle database security features, practices, and processes to Bare Metal Solution.
The user should enable the following Oracle security controls:
User authentication
If using basic (password) authentication, enforce password policies such as complexity and length.
Use TLS certificates, Kerberos, and similar mechanisms to strengthen authentication.
Use proxy-based authentication to allow authentication and auditing at the database level.
Authorization and access control
Manage authorization through the object privileges, system privileges, and roles defined inside the database.
Use Centrally Managed Users (CMU) to manage users and groups; it can also leverage the existing Active Directory infrastructure to centralize the management of database users.
Use Database Vault to introduce separation of duties and access control for highly privileged users.
Use Virtual Private Database (VPD) and Oracle Label Security (OLS) to create fine-grained access to data by modifying user queries dynamically. These tools use row labels and user labels to decide whether a user may access a specific row.
Auditing
Enable unified auditing, which sends all audit data to a single unified audit trail. It creates one central trail for all database audit events and improves audit report performance.
To extend traditional auditing, enable fine-grained auditing. One advantage is that it captures audit data only when a user accesses a specific column.
Use Audit Vault and Database Firewall to manage audit policies and captured events. One major use is to block SQL injection attacks.
Encryption for data at rest and in transit
Bare Metal Solution automatically encrypts the user's data at rest with a unique AES-256 key per data volume; enabling Transparent Data Encryption (TDE) in addition gives the user control over the encryption key lifecycle.
To secure data in transit between the client and the database, use Oracle native network encryption.
Use Oracle Advanced Security to enable encryption, cryptographic network checksums, and authentication between the primary and standby systems in Data Guard, and use customer-managed encryption keys.
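Native network encryption is controlled by a handful of SQLNET.* parameters, and the default mode (ACCEPTED) quietly lets an unencrypted client through. The following Python is an added example, not code from the article, Oracle, or Google: it parses a sqlnet.ora and reports whether encryption and integrity checksums are actually enforced and whether legacy algorithms are still offered. The parameter names and their ACCEPTED/REQUIRED semantics are Oracle's; the two sample files are constructed for the example.

```python
"""Audit an Oracle sqlnet.ora for native network encryption and integrity
settings.

Added example, not an Oracle or Google tool. It reads the SQLNET.* parameters
the way a hardening check would and reports whether a peer that refuses to
negotiate encryption or checksums could still connect, and whether legacy
algorithms are still on offer.
"""
import re

STRONG_CIPHERS = {"AES256", "AES192", "AES128"}
STRONG_CHECKSUMS = {"SHA512", "SHA384", "SHA256"}
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$")


def parse_sqlnet(text):
    """Return {PARAMETER: value}; list values such as (AES256, AES192) become lists."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # '#' starts a comment in sqlnet.ora
        m = PARAM_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).upper(), m.group(2)
        if value.startswith("(") and value.endswith(")"):
            params[key] = [v.strip().upper() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[key] = value.upper()
    return params


def audit_network_encryption(text, side="SERVER"):
    """Return findings for one side ("SERVER" or "CLIENT"); an empty list means hardened.

    Oracle's default for both SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_*
    is ACCEPTED, which negotiates protection only if the peer asks for it, so a
    missing parameter is treated as ACCEPTED.
    """
    params = parse_sqlnet(text)
    findings = []
    for kind, strong in (("ENCRYPTION", STRONG_CIPHERS), ("CRYPTO_CHECKSUM", STRONG_CHECKSUMS)):
        mode = params.get(f"SQLNET.{kind}_{side}", "ACCEPTED")
        if mode != "REQUIRED":
            findings.append(
                f"SQLNET.{kind}_{side}={mode}: peers that do not negotiate "
                f"{kind.lower().replace('_', ' ')} are still accepted")
        algorithms = params.get(f"SQLNET.{kind}_TYPES_{side}")
        if isinstance(algorithms, str):      # a single algorithm without parentheses
            algorithms = [algorithms]
        if not algorithms:
            findings.append(
                f"SQLNET.{kind}_TYPES_{side} not set: every built-in algorithm, "
                "including legacy ones, is offered")
        else:
            weak = sorted(set(algorithms) - strong)
            if weak:
                findings.append(f"SQLNET.{kind}_TYPES_{side} offers weak algorithms: {weak}")
    return findings


# Constructed sample files for the example (not taken from any real system).
HARDENED_SQLNET = """\
# server-side native network encryption, enforced
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512, SHA256)
"""

WEAK_SQLNET = """\
SQLNET.ENCRYPTION_SERVER = ACCEPTED   # negotiated only if the client asks
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, RC4_128)
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_SQLNET), ("weak", WEAK_SQLNET)):
        print(name, audit_network_encryption(cfg) or ["ok"])
```

Run the same check with side="CLIENT" on the sqlnet.ora of the application hosts: REQUIRED on only one side still leaves the other side able to fall back to plaintext with a peer that was configured with REJECTED.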
Create a VLAN attachment for Cloud interconnect connection
To reach the Bare Metal Solution servers, the user must create VLAN attachments in the same region as the servers and pre-activate them. When the user creates the VLAN attachments, the system generates pairing keys that the user shares with Google Cloud. Google Cloud uses these pairing keys to activate the connection between the Bare Metal Solution environment and the VPC network.
The VLAN attachments allocate VLANs on the Partner Interconnect connection.
Steps
If the user does not already have Cloud Router instances in the network and region used with Bare Metal Solution, create one for each VLAN attachment. Specify 16550 as the ASN for each Cloud Router.
In the Google Cloud console, go to the Cloud Interconnect VLAN attachments tab.
Select Create VLAN attachment at the top of the page.
Choose Partner Interconnect connection to create Partner VLAN attachments, then click Continue.
Select the option "I already have a service provider".
Choose to create a redundant pair of VLAN attachments. Since both attachments can carry traffic, the user can route traffic to load-balance between them.
In the Network and Region fields, choose the VPC network and Google Cloud region where the attachments will connect.
Mention the details for each of the VLAN attachments.
Cloud Router: specify the Cloud Router to associate with this attachment. The user can only choose a Cloud Router in the selected VPC network and region with an ASN of 16550, and can assign only one Cloud Router per attachment.
VLAN attachment name: specify a name for each attachment. These names are displayed in the console and are used by the Google Cloud CLI to reference the attachments.
Description: optional information about each VLAN attachment.
MTU: the maximum packet size for network transmission.
Click Create. It takes a few moments to create the attachments.
Once creation is complete, copy the pairing keys. Each key consists of an alphanumeric code, the region name, and the edge availability domain (zone) number.
Click Enable to pre-activate both attachments. Traffic then starts flowing as soon as Google Cloud completes the Bare Metal Solution configuration.
Click OK to view the list of all attachments.
After Google Cloud notifies the user that the Bare Metal Solution servers are ready, go to the VLAN attachments tab in the Google Cloud console.
Check the Status column; it should show Up.
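The steps above are easy to get subtly wrong when the two pairing keys are copied by hand: a key from the wrong region, or two keys from the same edge availability domain, produces a pair with no redundancy. The following Python is an added example, not code from the article or from Google: it parses the pairing keys, checks that they form a proper redundant pair, and builds the equivalent gcloud commands for the Cloud Routers and attachments as argv lists without executing them. It assumes the pairing key shape <code>/<region>/<zone> with zone 1 or 2, one Cloud Router per attachment with ASN 16550, and constructed names and keys.

```python
"""Check the pairing keys of a redundant VLAN attachment pair before sharing
them, and build the gcloud commands that create and pre-activate the pair.

Added example, not part of gcloud or of the article. Assumed: a Partner
Interconnect pairing key has the shape <code>/<region>/<zone>, where zone is
1 or 2 and names the edge availability domain, and a redundant pair consists
of one attachment in each domain, each with its own Cloud Router (ASN 16550).
Commands are returned as argv lists and are not executed here.
"""
import re
from dataclasses import dataclass

GOOGLE_PARTNER_ASN = 16550   # ASN the article requires on each Cloud Router
PAIRING_KEY_RE = re.compile(
    r"^(?P<code>[A-Za-z0-9-]+)/(?P<region>[a-z]+-[a-z0-9]+)/(?P<zone>[12])$")


@dataclass(frozen=True)
class PairingKey:
    code: str
    region: str
    zone: int          # 1 or 2: the edge availability domain

    @classmethod
    def parse(cls, text):
        m = PAIRING_KEY_RE.match(text.strip())
        if not m:
            raise ValueError(f"malformed pairing key: {text!r}")
        return cls(m["code"], m["region"], int(m["zone"]))


def check_redundant_pair(key_a, key_b, expected_region):
    """Return problems with the pair; an empty list means it is a valid redundant pair."""
    a, b = PairingKey.parse(key_a), PairingKey.parse(key_b)
    problems = []
    for key in (a, b):
        if key.region != expected_region:
            problems.append(f"{key.code} is for {key.region}, servers are in {expected_region}")
    if a.code == b.code:
        problems.append("both keys carry the same code: the same attachment was copied twice")
    if a.zone == b.zone:
        problems.append(f"both keys are in availability domain {a.zone}: no redundancy")
    return problems


def gcloud_commands(project, network, region, router_prefix, attachment_prefix, mtu=1500):
    """argv lists: per domain, create a Cloud Router, create the partner
    attachment, read back its pairing key, and pre-activate (admin-enable) it."""
    cmds = []
    for domain in (1, 2):
        router = f"{router_prefix}-{domain}"
        attachment = f"{attachment_prefix}-{domain}"
        scope = ["--project", project, "--region", region]
        cmds.append(["gcloud", "compute", "routers", "create", router,
                     "--network", network, "--asn", str(GOOGLE_PARTNER_ASN), *scope])
        cmds.append(["gcloud", "compute", "interconnects", "attachments", "partner", "create",
                     attachment, "--router", router,
                     "--edge-availability-domain", f"availability-domain-{domain}",
                     "--mtu", str(mtu), *scope])
        cmds.append(["gcloud", "compute", "interconnects", "attachments", "describe",
                     attachment, "--format", "value(pairingKey)", *scope])
        cmds.append(["gcloud", "compute", "interconnects", "attachments", "partner", "update",
                     attachment, "--admin-enabled", *scope])
    return cmds


# Constructed sample keys and names for the example; not real pairing keys.
SAMPLE_KEY_1 = "7e51371e-72a3-40b5-b844-2e3efefaee59/us-central1/1"
SAMPLE_KEY_2 = "2f0c2ad1-5b7e-4c1a-9a0d-8d3f4a6b9c11/us-central1/2"

if __name__ == "__main__":
    print(check_redundant_pair(SAMPLE_KEY_1, SAMPLE_KEY_2, "us-central1") or "pair ok")
    for argv in gcloud_commands("ninja-bms-prod", "bms-vpc", "us-central1",
                                "bms-router", "bms-attach"):
        print(" ".join(argv))
```

Treat the pairing keys as secrets until the attachments are activated: whoever holds a key can bind the attachment to a circuit, so share them only through the ordering channel Google Cloud gives you.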
VPC firewall setup
New VPC networks come with default firewall rules that block most incoming traffic to the VPC network. To connect to the Bare Metal Solution environment, network traffic must be explicitly allowed between the Bare Metal Solution environment and the destinations in Google Cloud.
Use the following steps to create a firewall rule in the VPC network on Google Cloud:
Go to the firewall rules page.
Select create a firewall rule.
Define the firewall rule.
Give a name to the firewall rule.
In the Network field, select the network where the VMs are located.
In the Targets field, select either Specified target tags or Specified service account, so the rule applies only to the intended VMs.
In the Source IP ranges field, enter the IP range of the Bare Metal Solution environment from which incoming traffic should be allowed, or the IP addresses of the individual servers.
In the Protocols and ports section, list only the protocols and ports the environment requires (for example the Oracle listener port), rather than allowing all.
Click on create.
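The console steps leave three choices to the operator: which sources, which ports, and which targets. The following Python is an added example, not code from the article or from Google: it lints a candidate ingress rule against the Bare Metal Solution client range and renders it as a gcloud command. The rule dictionary shape, the client range, the tag and the port list are assumptions made for the example.

```python
"""Lint a VPC ingress firewall rule that admits Bare Metal Solution traffic
and render it as a gcloud command.

Added example, not Google tooling. It checks what the console steps leave to
the operator's judgement: sources must lie inside the BMS client range, ports
must be listed explicitly, and the rule must be scoped with target tags or a
service account instead of applying to every VM in the network.
"""
import ipaddress


def lint_bms_ingress_rule(rule, bms_client_range):
    """rule: dict with source_ranges, rules (e.g. "tcp:1521"), and target_tags or
    target_service_accounts. Returns findings; an empty list means tightly scoped."""
    findings = []
    bms = ipaddress.ip_network(bms_client_range)
    if rule.get("direction", "INGRESS") != "INGRESS":
        findings.append("direction must be INGRESS to admit traffic from the BMS environment")
    sources = rule.get("source_ranges", [])
    if not sources:
        findings.append("no source_ranges: the rule would admit traffic from any source")
    for src in sources:
        net = ipaddress.ip_network(src)
        if net.prefixlen == 0:
            findings.append(f"{src} admits the whole internet")
        elif net.version != bms.version or not net.subnet_of(bms):
            findings.append(f"{src} is outside the BMS client range {bms}")
    if not rule.get("target_tags") and not rule.get("target_service_accounts"):
        findings.append("no target tags or service account: the rule applies to every VM in the network")
    for spec in rule.get("rules", []):
        proto, _, ports = spec.partition(":")
        if proto == "all" or (proto in ("tcp", "udp") and not ports):
            findings.append(f"{spec!r} opens every port; list only the ports the workload needs")
    return findings


def to_gcloud(name, network, rule):
    """argv list for gcloud compute firewall-rules create (not executed here)."""
    cmd = ["gcloud", "compute", "firewall-rules", "create", name, "--network", network,
           "--direction", rule.get("direction", "INGRESS"), "--action", "ALLOW",
           "--rules", ",".join(rule["rules"]),
           "--source-ranges", ",".join(rule["source_ranges"])]
    if rule.get("target_tags"):
        cmd += ["--target-tags", ",".join(rule["target_tags"])]
    if rule.get("target_service_accounts"):
        cmd += ["--target-service-accounts", ",".join(rule["target_service_accounts"])]
    return cmd


# Constructed examples; the range, tag and port choices are assumptions.
BMS_CLIENT_RANGE = "10.200.0.0/24"
TIGHT_RULE = {
    "direction": "INGRESS",
    "source_ranges": ["10.200.0.0/24"],
    "rules": ["tcp:1521", "tcp:22"],      # Oracle listener and SSH only
    "target_tags": ["oracle-client"],
}
LOOSE_RULE = {
    "source_ranges": ["0.0.0.0/0"],
    "rules": ["all"],
}

if __name__ == "__main__":
    print("tight:", lint_bms_ingress_rule(TIGHT_RULE, BMS_CLIENT_RANGE) or "ok")
    print("loose:", lint_bms_ingress_rule(LOOSE_RULE, BMS_CLIENT_RANGE))
    print(" ".join(to_gcloud("allow-from-bms", "bms-vpc", TIGHT_RULE)))
```

The direction matters for the return path too: traffic from VMs toward the database servers is egress on the VPC side, which is allowed by default, so the ingress rule here is usually the only VPC rule needed for client-to-Oracle connections.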
Setting up access to Google cloud APIs and services
Users can reach Google Cloud APIs and services privately from the Bare Metal Solution environment. Private access to Google Cloud APIs and services is set up from a Bare Metal Solution environment the same way as from an on-premises environment.
The following high-level steps guide the user through the setup:
Configure routes for the Google API traffic.
Configure firewall rules on any Bare Metal Solution firewall to allow outgoing traffic to the restricted Google APIs IP range.
Configure the Bare Metal Solution DNS to resolve *.googleapis.com as a CNAME to restricted.googleapis.com.
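The three steps above each need a concrete artifact: a DNS zone, a route advertisement and an egress rule. The following Python is an added example, not code from the article or from Google: it generates all three for the restricted VIP and provides a check a practitioner can run against a resolver's answer. 199.36.153.4/30 is Google's published range for restricted.googleapis.com; the zone's nameserver, the router name and the use of iptables on the server are assumptions made for the example.

```python
"""Build the DNS zone, Cloud Router advertisement and server egress rule that
send *.googleapis.com traffic from Bare Metal Solution servers to the
restricted VIP, and check a resolver answer against them.

Added example, not Google tooling. 199.36.153.4/30 is Google's published range
for restricted.googleapis.com; the nameserver, router name and firewall tool
are assumptions made for the example.
"""
import ipaddress

RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")   # restricted.googleapis.com


def zone_records(nameserver="ns.example.com."):
    """(owner, type, rdata) tuples for a googleapis.com zone that resolves
    every API host name to the restricted VIP through a wildcard CNAME."""
    records = [
        ("@", "SOA", f"{nameserver} hostmaster.example.com. 1 3600 600 86400 300"),
        ("@", "NS", nameserver),
    ]
    # all four addresses of the /30 are VIPs, so iterate the network, not .hosts()
    records += [("restricted", "A", str(ip)) for ip in RESTRICTED_VIP]
    records.append(("*", "CNAME", "restricted.googleapis.com."))
    return records


def render_zone(ttl=300):
    """BIND-style zone file text for the records above."""
    lines = ["$ORIGIN googleapis.com.", f"$TTL {ttl}"]
    lines += [f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in zone_records()]
    return "\n".join(lines) + "\n"


def cloud_router_advertise_argv(router, region):
    """gcloud argv that puts the Cloud Router in custom advertisement mode, keeps
    advertising the VPC subnets and adds the restricted VIP range toward BMS.
    --set-advertisement-ranges replaces any custom ranges already configured."""
    return ["gcloud", "compute", "routers", "update", router, "--region", region,
            "--advertisement-mode", "CUSTOM",
            "--set-advertisement-groups", "ALL_SUBNETS",
            "--set-advertisement-ranges", str(RESTRICTED_VIP)]


def server_egress_rules():
    """iptables lines for a BMS server: allow HTTPS to the restricted VIP only
    (assumes iptables is the host firewall; adapt for nftables or firewalld)."""
    return [
        f"iptables -A OUTPUT -d {RESTRICTED_VIP} -p tcp --dport 443 -j ACCEPT",
        "iptables -A OUTPUT -d 0.0.0.0/0 -p tcp --dport 443 -j DROP",
    ]


def answer_is_restricted(ip_text):
    """True if a resolver answer for a googleapis.com name points at the restricted VIP."""
    return ipaddress.ip_address(ip_text) in RESTRICTED_VIP


if __name__ == "__main__":
    print(render_zone())
    print(" ".join(cloud_router_advertise_argv("bms-router-1", "us-central1")))
    print("\n".join(server_egress_rules()))
    # constructed answers: one from the restricted VIP, one public Google address
    print(answer_is_restricted("199.36.153.7"), answer_is_restricted("142.250.190.10"))
```

After deploying the zone, resolve a name such as storage.googleapis.com from a Bare Metal Solution server and feed the answer to answer_is_restricted: a public address means the server is still using a resolver outside your control, and the egress DROP rule will then block it rather than let it leak.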
Frequently Asked Questions
Mention two cases where Bare Metal Solution can be used
Bare Metal Solution can be used to run third-party virtualization software, and to run applications that require low-level access to the server.
What are the two types of storage volume snapshots?
The two types of storage volume snapshots are OS boot volume snapshots and data volume snapshots.
What is the use of cloud IAM?
Cloud IAM (Identity and Access Management) is used to grant Bare Metal Solution permissions to users and administrators.
Conclusion
In this article, we have discussed the basics of Bare Metal Solution.
After reading about Bare Metal Solution, are you not excited to read more articles on cloud platforms? Coding Ninjas has you covered with articles on the difference between GCP and AWS, why to get certified by AWS, and how to prepare for AWS certification.
If you wish to enhance your skills in Data Structures and Algorithms, Competitive Programming, JavaScript, etc., check out the Guided Path column at Coding Ninjas Studio. We at Coding Ninjas Studio organize many contests in which you can participate. You can also prepare for the contests and test your coding skills with the mock test series available. If you have just started learning and your dream is to crack major tech giants like Amazon, Microsoft, etc., check out the most frequently asked problems and the interview experiences of your seniors, which will surely help you land a job at your dream company.