Technical Application Note - Oracle

Deploying Oracle SBC in Microsoft AzurePublic CloudTechnical Application Note

DisclaimerThe following is intended to outline our general product direction. It is intended for information purposes only, and may not beincorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be reliedupon in making purchasing decisions. The development, release, and timing of any features or functionality described forOracle’s products remains at the sole discretion of Oracle.2

Table of ContentsINTENDED AUDIENCE.4DOCUMENT OVERVIEW .4RELATED DOCUMENTATION .4ORACLE SBC . 4MICROSOFT AZURE . 4REQUIREMENTS .4CREATE AND DEPLOY ON AZURE .5PREREQUISITES TO DEPLOYING AN AZURE INSTANCE . 5RESOURCE GROUP . 5Creating a Resource Group . 5NETWORK SECURITY GROUPS . 7Creating Network Security Groups:. 7Management Security Rules . 7Media Security Rules . 9VIRTUAL NETWORKS. 10Creating a Virtual Network . 10Creating Additional Subnets . 11DEPLOYING THE OCSBC VHD FILE . 13Create a Storage Account . 13Creating A Blob Container: . 14CREATING AN IMAGE . 15CREATE A VIRTUAL MACHINE . 16Basics. 17Disks . 18Networking . 18Management. 19Advanced . 20Tags . 20Review and Create . 21CREATE NETWORKING FOR MEDIA INTERFACES . 22Create Network Interfaces . 23INITIAL ACCESS TO SBC . 24SET USER AND ADMIN PASSWORDS. 25INTERFACE MAPPING . 253 Page

Intended AudienceThis document is intended for use by Oracle Systems Engineers, third party Systems Integrators, and end users ofthe Oracle Enterprise Session Border Controller (E-SBC). It assumes that the reader is familiar with basicoperations of the Oracle Communications Enterprise Session Border Controller and Azure Cloud DeploymentsDocument OverviewYou can deploy the Oracle Communications Session Border Controller (OCSBC) on Azure public clouds. Azureprovides multiple ways of managing your environment(s), including via its web portal, using its powershell andits CLI interfaces. This document focuses on the portal. The portal provides navigation via a web-page panewith links to specified functions on the left side of portal pages. These procedure also assume you havereviewed Azure documentation, and can access portal pages and navigationRelated DocumentationOracle SBC Oracle Communications Session Border Controller Platform Preparation and Installation GuideOracle Enterprise Session Border Controller Web GUI User GuideOracle Enterprise Session Border Controller ACLI Configuration GuideOracle Enterprise Session Border Controller Release NotesMicrosoft Azure Introduction to AzureGet started with AzureAzure security best practices and patternsRequirements1) A subscription for Azure portal2) Access to Oracle Enterprise SBC VHD.i)The VHD file can be downloaded through the My Oracle Support portal, under the Patches andUpgrades tab, or can be obtained by reaching out to your Oracle Account representatives.Tip: You can utilize the search bar at the top of the Azure portal to quickly locate any element, resource ordocument during configuration and deployment of the Oracle SBC in Azure Public Cloud.4 Page

Create and Deploy on AzurePrerequisites to Deploying an Azure InstanceYou can create some of the objects required during the SBC deployment procedure prior to or during thedeployment. When created prior to SBC deployment, these objects become selectable, typically from dropdown lists in the appropriate deployment dialogs. You may use these objects for a single deployment or formultiple deployments.These Objects are as follows:1) Resource Groupi) Subscriptionii) Region2) Networkingi) Virtual Networksii) Subnetsiii) Network Security GroupsResource GroupResource group is a container that holds related resources like storage accounts, virtual networks, and VMs foran Azure solution. In Azure, you logically group related resources to deploy, manage, and maintain them as asingle entity.Creating a Resource GroupFrom the Azure Portal Home Page, on the left side, select “Resource Group”, then click “Add” Choose the correct Subscription from the drop down,Give the resource group a nameSelect the region that is right for you and your customers.At the bottom, click “Next:Tags” Enter a unique identifier under name Click Next: Review Create5 Page

Review the information and click Create6 Page

Network Security GroupsNetwork Security Groups are used to provide traffic control at the packet level.You can filter network traffic to and from Azure resources in an Azure virtual network with a network securitygroup. A network security group contains security rules that allow or deny inbound network traffic to, oroutbound traffic from, several types of Azure resources.For more detailed information, please see:Enable Network Security Groups in Azure Security CenterCreating Network Security Groups:For Oracle SBC deployment in Azure, each Security Group specifies the type of traffic allowed on a particulartype of subnet. There are three types of traffic on the possible 7 subnets (1 management, 2 HA and 4 mediainterfaces) that can be configured and assigned to the Oracle SBC in Azure.While it is certainly possible to create a different Network Security Group for each subnet, in most deployments,there is likely only need for two. Three if there are specific rules that must be applied only to the HA subnetsthat do not apply to a management subnet.For the purposes of this example guide, we’ll be creating two:One for the management interface (wancom0), and the other to be assigned to each of the media interfaces(S0P0 and S1P0).From Azure's navigation list on the left side of the portal, click Create a resource, Networking, Network SecurityGroup.Management Security RulesConfigure the following For Management Interface Network Security Group: Name Resource Group Location Click CreateOnce the security group is created, you should see it under Home/Recent Resources. Open it.Under Settings, click on “inbound security rules”, then “add”The following TCP/UDP protocols and/or ports should be opened for the Management Interface NSG.7 Page

Please note, the port matrix below is an example only. The ports opened during installation should depend on the environment needs anduser preferences. eter22161/162181212344380493868XXXUDPXXXXXXXClick “Add” at the bottomNext, follow the same procedure as above to create a second inbound security rule for ICMP traffic, using thefollowing parameters: Source: AnySource Port Ranges: *Destination: AnyDestination Port Ranges: *Priority: 130Name: MGMT ICMP8 Page

Media Security RulesFollowing the same procedure above under Creating Network Security Groups, configure the following for theMedia Interface Network Security Group: NameResource GroupLocationClick CreateThe following TCP/UDP protocols and/or ports should be opened for the Media Interface NSG. This is not acomplete list, but should work for most applications.Please note, the port matrix below is an example only. The ports opened during installation should depend on the environment needs anduser 500506050611719172010000-65535XXXXXUDPXXXX9 Page

Click “Add”Virtual NetworksAzure Virtual Network enables many types of Azure resources, such as Azure Virtual Machines (VM), tosecurely communicate with each other, the internet, and on-premises networks. A virtual network is scoped to asingle region; however, multiple virtual networks from different regions can be connected together using VirtualNetwork Peering.To deploy the SBC in a particular Resource Group, at least one virtual network (VN) must be created.Creating a Virtual NetworkFrom the Azure portal Home Screen, Select “Virtual networks” from the left side menu, then click “Add”:Provide the following information in the designated fields: Virtual Network NameAddress Space: (below example is Azure provided)SubscriptionResource Group (created above)Location (same as Resource Group location)We’ll also be creating the first subnet which will be used for the management interface (wancom0) of the SBCinstance Subnet NameSubnet Address Range: (Ex.10.4.1.0/24)Click Create10 P a g e

Once the Virtual network is successfully created, open it by clicking on the virtual network name, From herewe will create the additional subnets needed for deployment.Creating Additional SubnetsThe Oracle SBC has 3 types of vNICs management (wancom0) HA (wancom1/wancom2) Media (s0p0, s1p0 etc).To maintain traffic separation, each of the vNICs should be connected to a separate subnet. For the purposesof this app note, we will be creating two additional subnets for Media interfaces, as deploying a HighAvailability SBC pair is outside of the scope of this document. Once you are in the Virtual Networks Dialog, click Subnets (in the settings section)11 P a g e

At the top, click “ Subnet”Name (S0P0)Address Range (CIDR block) (10.4.2.0/24)Network Security Group: (ESBC SN Media)Click “OK”Repeat these steps to create additional subnets for your deployment needs. For the purposes of thisexample, we’ll create one additional subnet with name of S1P0, and Address range of 10.4.3.0/24 to beused for a second media interface.12 P a g e

Deploying the OCSBC VHD FileAs mentioned previously in this document, you acquire the OCSBC VHD file via your Oracle Support account,or via your Oracle account representative.Create a Storage AccountFrom Azure's navigation list, on the left side of the portal, click on: “Storage accounts”.At the top, click “Add”Enter the following Fields: SubscriptionResource GroupStorage Account Name (must be all lower case)LocationAccount kindReplication Access tier Click “Next: Advanced”Under advanced, no changes are required, click “next: Tags” at the bottom.13 P a g e

From the drop down list, under name, choose the correct tag Click on “Review Create” Click “Create”Once the deployment is complete, go to the resource.Creating A Blob Container: Click on “Blobs”, and at the top, click “ Container”Set name, and public access Level,click OK:14 P a g e

Select the container under blob services and click upload buttonChoose the VHD file you want to upload by using the folder icon under FilesEnsure that the Blob type is set to Page Blob. This parameter is found under “Advanced” Click “Upload”This process might take a long time depending on your network connection and the location of your Azurestorage account.Creating an ImageAfter uploading the file, you create an bootable image from the Create image dialogYou will need to specify: An Image Name.An OS disk: Set the OS disk type to Linux. Paste or select your VHD file URI as the Storage blob. Set the Account Type to Standard HDD. Set Host caching to Read/write15 P a g e

At the very Top of Azure Portal, in the search bar, type “Images”, then click on the Images option when itappears. Click “ Add” Click “Create”This process typically takes minutes to complete.When the process has completed, return to the Images panel, and verify the new image was created.This image can now be used to deploy new Security Access Manager virtual machines in Azure.Create a Virtual MachineThis is the main instance configuration procedure. It includes a multi-dialog wizard that presents configurationoptions in the preferred sequence. The result of this wizard is an installed, operational OCSBC. You add mediainterfaces after deployment. From the Images Panel, at the top, click “Create VM”Alternatively, you can deploy from Azure's navigation list, on the left side of the portal, by clicking on:“Virtual machines”, then, at the top, hit “Add”The instance deployment wizard sequence includes:1. Basics2. Disks3. Networking4. Managment5. Advanced6. Tags7. Review and CreateYour Azure workspace may present dialogs and fields that differ from this procedure. For full information ondeploying Azure instances, see the Azure documentation.16 P a g e