Series: Setting up Oracle Cloud VM - III
This is a continuation from: [[002 Creating new OCI VCN]]
✅ Step 3: Create and Set Up the Traefik VM
This VM will act as your gateway, managing all incoming traffic via Traefik and routing it to other VMs/services.
🎯 Goal:
Provision a public VM with:
- 1 OCPU + 6GB RAM
- Ubuntu 22.04 aarch64
- Public IP
- Attached to the public-subnet
- Docker + Traefik installed
- Source/destination check disabled
🛠️ 3.1: Launch the Instance
- Go to: ☰ Compute → Instances
- Click Create Instance
Fill in:
Field | Value |
---|---|
Name | traefik-gateway |
Compartment | homelab |
Image | Ubuntu 22.04 aarch64 |
Shape | VM.Standard.A1.Flex → 1 OCPU, 6 GB RAM |
Boot volume size | 50 GB (default is fine) |
SSH Key | Paste your public SSH key (or generate a new one) |
Network: | |
- VCN | homelab-vcn |
- Subnet | public-subnet |
- Assign Public IP | ✅ Yes (very important) |
- Hostname | traefik (optional) |
☑️ You can leave Advanced Options and Management as default.
Change VM Shape:

✅ Recommended Image:
Canonical Ubuntu 22.04 Minimal aarch64
🔍 Why This Image?
Criteria | Reason |
---|---|
✅ aarch64 (ARM) | Required for VM.Standard.A1.Flex, Oracle's ARM-based free-tier compute |
✅ Ubuntu 22.04 | Stable, LTS release supported till 2027 — widely supported by Docker, Traefik, Keycloak, Supabase, etc. |
✅ Minimal | Fewer preinstalled packages = faster boot, lower RAM usage — ideal for 6GB RAM limit |
✅ Canonical Official | Direct from Ubuntu, signed by Oracle, secure and maintained |
✅ Free | Part of Always Free — no hidden billing |
❌ Why Not Others?
Image | Why Not |
---|---|
Ubuntu 20.04 | Older LTS, closer to end-of-life |
Ubuntu 24.04 | Newer, but not all packages/tools have full support yet |
Non-aarch64 | ❌ Won’t boot on ARM (A1.Flex) — Oracle only supports aarch64 here |
Full images | More packages = unnecessary bloat (especially on 6GB RAM) |
✅ Final Answer:
Choose: Canonical Ubuntu 22.04 Minimal aarch64
This is the best fit for your Free Tier VM running Docker, Traefik, and microservices.

Q. What is Instance Metadata Service?
Keeping the cloud-init script minimal (covered in the next question) is sensible for now. Let's now address:
✅ Instance Metadata Service (IMDS)
🔸 Should You Enable It?
✅ Yes, leave it enabled (default setting)
🔍 What is It?
Instance Metadata Service (IMDS) in Oracle Cloud provides runtime metadata about your instance. Think of it like a read-only endpoint at:
http://169.254.169.254/opc/v1/
From your VM, you can query:
- Instance OCID, name, compartment
- SSH keys
- Region, availability domain
- Custom metadata you’ve set
✅ Why You Should Enable It
Use Case | Benefit |
---|---|
Debugging | Know where the instance is running, what's attached |
Automation | Pull instance data dynamically from within scripts |
Monitoring | Can be used by logging/monitoring agents |
DevOps Exam | IMDS is part of OCI security, automation, and bootstrapping questions |
🔐 Security Tip:
- Oracle’s IMDS is read-only and served on a link-local address reachable only from inside the instance, so it’s safe to enable by default. Keep in mind that any process running on the VM (containers included) can reach it, so it still deserves the same care as other local-only services.
- The V2 endpoint (/opc/v2/) requires an `Authorization: Bearer Oracle` header on every request, while V1 does not; you can disable the V1 endpoint later to enforce that header, but it's not needed for basic usage.
✅ Recommendation:
- Leave “Enable Instance Metadata Service” ✅ enabled
- Leave “Allow V1 metadata service endpoints” ✅ enabled (for now)
You’ll likely use this in later steps (e.g., auto-registering VMs, monitoring, tagging).
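As an added example (not part of the original post), here is a small Python client that reads the V2 instance document the way a script on the VM would, and a constructed in-process stand-in for IMDS so the code runs offline. On a real instance `base_url` is `http://169.254.169.254`; the sample field values are placeholders.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample shaped like OCI's /opc/v2/instance/ document; values are placeholders.
SAMPLE_INSTANCE = {
    "id": "ocid1.instance.oc1..EXAMPLE-PLACEHOLDER",
    "displayName": "traefik-gateway",
    "region": "EXAMPLE-REGION",
    "faultDomain": "FAULT-DOMAIN-1",
    "shape": "VM.Standard.A1.Flex",
}

class FakeImdsV2(BaseHTTPRequestHandler):
    """Stand-in for IMDS v2: enforces the one rule that matters here,
    a request without 'Authorization: Bearer Oracle' is rejected."""
    def do_GET(self):
        if self.headers.get("Authorization") != "Bearer Oracle":
            self.send_response(401)
            self.end_headers()
            return
        body = json.dumps(SAMPLE_INSTANCE).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # silence the per-request log line
        pass

def start_fake_imds():
    """Serve the fake endpoint on a random local port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeImdsV2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def fetch_instance(base_url, send_v2_header=True):
    """GET <base_url>/opc/v2/instance/ and return the parsed JSON,
    or None when the endpoint rejects the request (401/403)."""
    req = urllib.request.Request(base_url + "/opc/v2/instance/")
    if send_v2_header:
        req.add_header("Authorization", "Bearer Oracle")
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return None
        raise
```

On the VM itself, call `fetch_instance("http://169.254.169.254")`; the fake server only exists so the header check can be exercised locally.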
Q. Do we want to use initialization script?
Excellent question — and yes, using an initialization script (cloud-init) is a smart move. It helps you:
- Automate first-time setup (like installing Docker)
- Ensure the VM is immediately ready after launch
- Make your blog post and Oracle DevOps prep even more robust (✨ infrastructure-as-code mindset)
✅ What You Can Automate in This Traefik VM's Init Script
Here’s a solid minimal cloud-init script to:
- Update packages
- Install Docker & Docker Compose plugin
- Add user to Docker group
- Enable Docker on boot
🔧 Recommended cloud-init Script (Traefik VM)
Paste this into the "Paste Cloud-Init Script" field under Advanced Options → Initialization script:
```yaml
#cloud-config
package_update: true
package_upgrade: true
packages:
  - docker.io
  - docker-compose-plugin
runcmd:
  - systemctl enable docker
  - usermod -aG docker ubuntu
  - echo "Docker installed and ready"
```
We will intentionally keep it minimal and set up curl, ufw, traefik, etc. manually, so that we get the chance to explore the process from both perspectives (automated scripting and manual setup).
✅ What This Does:
Line | Purpose |
---|---|
package_update/upgrade | Ensures system is up-to-date |
docker.io, docker-compose-plugin | Installs both tools |
systemctl enable docker | Starts Docker on reboot |
usermod | Adds ubuntu user to Docker group so no need for sudo docker |
echo | Simple log line |
🧠 DevOps Certification Tip:
Cloud-init scripts are part of OCI instance provisioning and also connect with Terraform and CI/CD automation. Understanding and using them reflects good DevOps practice.
✅ Summary
Task | Decision |
---|---|
Use initialization script? | ✅ Yes |
Use cloud-init or shell? | ✅ cloud-init (#cloud-config) |
Install Docker + Compose? | ✅ Yes |
Automate user config? | ✅ Yes |
Q. Why is the estimated cost not zero?

Great observation — this is a common point of confusion in Oracle Cloud Free Tier.
Let me explain what’s going on:
💡 Why You're Seeing a Cost Estimate ($2.76–$5)
- Oracle Cloud always shows cost estimates, even for Always Free resources.
- The system doesn’t immediately know whether you’re staying within the Free Tier limits, so it shows the regular price.
- As long as your resource usage stays within Always Free quotas, you won’t be charged.
✅ You Are Still in Free Tier If:
Resource | Limit | Your Setup |
---|---|---|
VM.Standard.A1.Flex | Up to 4 OCPUs + 24GB RAM total | You’re using 1 OCPU + 6GB RAM → ✅ |
Block Storage | 200 GB total | Default 50 GB boot volume → ✅ |
Public IPs | 2 max | Using 1 for Traefik → ✅ |
Total VMs | Not limited by count, just quota | Only 1 so far → ✅ |
🧠 Certification Tip:
Understanding billing, quotas, and cost analysis tools is part of the OCI Foundations and DevOps Specialist exams. You’re expected to know:
- How cost estimates ≠ charges
- How to monitor usage via Cost Analysis + Usage Reports
🛑 TL;DR:
Question | Answer |
---|---|
Am I being charged? | ❌ No — as long as you stay within Free Tier limits |
Why does it show cost? | It shows regular pricing — doesn’t account for Free Tier credits in that view |
Should I worry? | ✅ No — OCI’s billing system will bill you $0 unless you exceed the limits |
Can I verify? | ✅ Yes — Use Billing → Cost Analysis after the instance runs for 24h+ |
Q. What should be the capacity type for this VM? Options are: On-demand, Preemptible, Capacity reservation, Dedicated host, Compute cluster.
This directly affects cost and availability, and choosing the wrong one could disqualify you from Free Tier.
✅ Use: On-demand
🟢 On-demand (Default)
- ✅ Always Free eligible
- ✅ Stable — runs until you stop it
- ✅ Best for long-running services like Traefik
🔴 Do Not Use:
Type | Why to Avoid |
---|---|
Preemptible | ✅ Cheaper (if paid), ❌ Not Free Tier eligible, VM can be terminated anytime |
Capacity Reservation | Used for reserving capacity in advance — not needed, not relevant for Free Tier |
Dedicated Host | Entire physical host — ❌ not free, very expensive |
Compute Cluster | Advanced, for HPC/AI workloads — ❌ not Free Tier and overkill |
📘 Certification Insight:
In OCI DevOps and Architect certs, you'll be expected to know:
- When to use on-demand vs preemptible
- Preemptible = temporary workloads (e.g., CI/CD jobs)
- On-demand = long-living apps (e.g., microservices, proxies)
✅ Final Answer:
✅ Use On-Demand capacity type for your Traefik VM — it’s eligible for Always Free, and ideal for 24/7 workloads.
Q. What's a fault domain?
Great question — fault domains are an important concept in cloud infrastructure design and appear frequently in Oracle Cloud certifications.
🔍 What is a Fault Domain in Oracle Cloud?
✅ Definition:
A fault domain (FD) is a logical grouping of hardware within an availability domain (like a rack of servers). Oracle Cloud uses fault domains to help minimize the impact of physical hardware failures.
🧠 Think of it like:
Availability Domain (AD)
├── Fault Domain 1 (FD-1)
├── Fault Domain 2 (FD-2)
└── Fault Domain 3 (FD-3)
Each Availability Domain (data center) typically contains 3 fault domains.
🧯 Why It Matters
- If a hardware failure (e.g., power, network switch, server crash) happens in one fault domain, other FDs remain unaffected.
- Placing VMs in different FDs gives high availability within the same region.
📘 Example: If you're deploying a Kubernetes cluster or a database with replicas — put each node in a different fault domain.
🧠 For You (Free Tier Use Case)
You don’t need to worry much unless you're building a highly available architecture.
But:
- If you deploy multiple VMs (e.g., Traefik + Keycloak + Supabase), you can optionally place them in different FDs to simulate HA best practices — a plus for certification and blog posts.
🔧 Where to Set It:
When creating a VM:
In Advanced Options → Placement, you'll see:
Fault Domain: [Let Oracle choose] [FD-1] [FD-2] [FD-3]
✅ It’s safe to let Oracle choose — or pick a specific one if you're doing HA testing.
✅ Summary
Feature | Description |
---|---|
Fault Domain | Logical isolation zone within a data center |
Purpose | Protect against localized hardware failures |
Best Practice | Distribute critical workloads across FDs |
Free Tier | Optional — but good practice if running >1 VM |
✅ Networking Options


Download both the public and private SSH keys and store them securely (keep the private key readable only by you, e.g. `chmod 600`). We will need them to connect via SSH in the next part.
Q. On the networking options, under advanced options, should I enable the "use network security groups to control traffic" option? Also, what about the DNS record: shall we assign a private DNS record or not?
Great questions — both options impact your network architecture and security, and they're relevant for best practices and certification knowledge. Here's how to decide:
🔒 1. Use Network Security Groups (NSGs)?
✅ Short Answer:
Yes in principle: enable NSGs now, or plan to set them up soon. But since we have not created an NSG up to this point, we will defer it until later. Leave the option disabled for now and move on.
🔍 What are NSGs?
- NSGs (Network Security Groups) are like firewall groups for specific VNICs/instances
- Unlike Security Lists, which apply to the entire subnet, NSGs apply to specific instances
✅ Benefits:
NSG | Security List |
---|---|
Applies to specific VMs | Applies to all VMs in a subnet |
Fine-grained control | Broad, less flexible |
Preferred for microservices, DevOps pipelines | Good for simple setups |
✅ OCI Best Practice (and required for DevOps exam prep): use NSGs for services like Keycloak, Redis, Traefik to restrict inbound/outbound traffic per role/function.
👌 Recommendation:
Option | Do This |
---|---|
Use NSG | ✅ Enable the NSG option now |
Create NSG later | Still OK — you can add NSGs post-launch |
Skip forever | ❌ Avoid — not scalable or secure for production setups |
🌐 2. Assign a Private DNS Record?
🧾 Option: Assign a private DNS record
Field | Meaning |
---|---|
✅ Assign | Adds an internal DNS name for your instance like traefik.homelab.oraclevcn.com |
❌ Do not assign | Leaves it with only a private IP, no internal DNS |
✅ Recommendation:
Enable: “Assign a private DNS record”
- This will let you refer to internal VMs/services by name inside the VCN (e.g., keycloak.homelab.oraclevcn.com)
- Useful when setting up Traefik routing, Docker containers, internal microservice calls
✅ Final Answers:
Setting | Recommendation | Why |
---|---|---|
Use Network Security Groups | ✅ Yes | Granular firewall rules for your Traefik gateway and services |
Assign Private DNS Record | ✅ Yes | Enables internal DNS name like traefik.homelab.oraclevcn.com — very useful for internal routing |
✅ Final Configuration for Traefik Gateway VM:


OCI VM Instance Provisioning Screen:
✅ Click Create and wait 2–3 minutes.
See you in next part: [[004 Connecting via SSH and setting up Traefik]]