{"id":943,"date":"2026-04-17T05:31:14","date_gmt":"2026-04-17T05:31:14","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-dns-and-traffic-management-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity\/"},"modified":"2026-04-17T05:31:14","modified_gmt":"2026-04-17T05:31:14","slug":"oracle-cloud-dns-and-traffic-management-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-dns-and-traffic-management-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity\/","title":{"rendered":"Oracle Cloud DNS and Traffic Management Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking, Edge, and Connectivity"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Networking, Edge, and Connectivity<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Oracle Cloud Infrastructure (OCI) DNS and Traffic Management<\/strong> is the set of capabilities used to publish authoritative DNS records for your domains and intelligently direct users to the best endpoint (or a healthy endpoint) using policy-based DNS responses.<\/p>\n\n\n\n

In simple terms: DNS<\/strong> makes your application reachable by name (like www.example.com<\/code>), and Traffic Management<\/strong> helps decide which<\/em> IP address (or endpoint) DNS should return to each client\u2014based on health, geography, weights, or other rules.<\/p>\n\n\n\n

Technically, OCI DNS provides public and private managed DNS zones<\/strong>, record management APIs, and DNSSEC<\/strong> (where applicable). OCI Traffic Management is implemented through Traffic Management steering policies<\/strong> and steering policy attachments<\/strong> that dynamically answer DNS queries according to defined rules\u2014often integrating with OCI Health Checks<\/strong> for failover and high availability.<\/p>\n\n\n\n

This service solves problems like:\n– Replacing manual DNS changes during outages with automatic DNS-based failover<\/strong>\n– Sending users to the closest<\/strong> or best-performing<\/strong> endpoint\n– Implementing blue\/green<\/strong> or canary<\/strong> rollouts via weighted DNS\n– Centralizing DNS governance in Oracle Cloud with IAM-controlled<\/strong> changes and auditability<\/p>\n\n\n\n

\n

Naming note (scope clarification): In OCI, DNS<\/strong> is the primary service name in the console and documentation, and Traffic Management<\/strong> is a closely related capability delivered through Traffic Management steering policies<\/strong>. Oracle documentation often presents them together. This tutorial uses \u201cDNS and Traffic Management\u201d<\/strong> as the umbrella term, exactly as provided.<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

2. What is DNS and Traffic Management?<\/h2>\n\n\n\n

Official purpose<\/h3>\n\n\n\n

DNS and Traffic Management<\/strong> in Oracle Cloud provides:\n– Authoritative DNS hosting<\/strong> (public DNS zones) to publish records on the internet\n– Private DNS<\/strong> (private zones\/views associated with VCNs) for internal name resolution\n– Traffic steering<\/strong> (Traffic Management steering policies) to control DNS answers dynamically for routing and resilience<\/p>\n\n\n\n

Core capabilities<\/h3>\n\n\n\n
    \n
  • Create and manage DNS zones (public and private, depending on your needs)<\/li>\n
  • Create and update DNS records (A\/AAAA\/CNAME\/TXT\/MX and other supported types\u2014verify supported record types in official docs for your use case)<\/li>\n
  • Apply Traffic Management steering policies<\/strong> (failover, load distribution, geo steering, and more)<\/li>\n
  • Integrate with Health Checks<\/strong> to avoid returning unhealthy endpoints<\/li>\n
  • Sign zones with DNSSEC<\/strong> (where supported) to protect DNS integrity<\/li>\n<\/ul>\n\n\n\n

    Major components (OCI terminology)<\/h3>\n\n\n\n

    Common OCI objects you will see:\n– Zone<\/strong>: A DNS zone you manage (public or private)\n– Record \/ RRSet<\/strong>: Resource records for names in the zone\n– Steering policy<\/strong>: A Traffic Management policy defining how DNS answers are selected\n– Steering policy attachment<\/strong>: Binds a steering policy to a specific DNS name (like www.example.com<\/code>) and a zone\n– Health check<\/strong> (separate OCI service): Actively probes endpoints and supplies health signals to steering policies\n– Views \/ Private DNS constructs<\/strong>: Used for split-horizon and internal DNS patterns (verify current Private DNS constructs and naming in docs, as OCI has evolved this area over time)<\/p>\n\n\n\n

    Service type<\/h3>\n\n\n\n
      \n
    • Managed cloud networking service<\/strong> (authoritative DNS + policy-driven DNS answering)<\/li>\n
    • Control plane accessed via OCI Console, OCI CLI, SDKs, and REST APIs<\/li>\n<\/ul>\n\n\n\n

      Scope: regional\/global and tenancy boundaries<\/h3>\n\n\n\n
        \n
      • DNS is generally treated as a global<\/strong> service in OCI from an authoritative DNS standpoint, even though you select regions in the Console experience for administration.<\/li>\n
      • DNS resources are tenancy-scoped<\/strong> and organized with compartments<\/strong> for access control and governance.<\/li>\n
      • Traffic Management steering policies<\/strong> are managed within OCI and attached to names in zones.<\/li>\n<\/ul>\n\n\n\n
        \n

        Always confirm current scope details (global vs region-specific behavior) in the official docs for DNS, Traffic Management, and Health Checks, especially for compliance-driven architectures.<\/p>\n<\/blockquote>\n\n\n\n

        How it fits into the Oracle Cloud ecosystem<\/h3>\n\n\n\n

        DNS and Traffic Management sits at the front door of OCI deployments within Networking, Edge, and Connectivity<\/strong>:\n– Points users to OCI Load Balancers<\/strong>, Compute instances<\/strong>, API Gateways<\/strong>, or external endpoints<\/strong>\n– Works alongside OCI WAF<\/strong> (application protection), OCI CDN<\/strong> (content caching, if used), and Load Balancing<\/strong> (L4\/L7 routing)\n– Uses OCI IAM<\/strong> for fine-grained change control, and Audit<\/strong> for API-call tracking\n– Integrates strongly with OCI Health Checks<\/strong> for resilient routing decisions<\/p>\n\n\n\n

        \n\n\n\n

        3. Why use DNS and Traffic Management?<\/h2>\n\n\n\n

        Business reasons<\/h3>\n\n\n\n
          \n
        • Reduce downtime impact<\/strong>: automatic DNS failover can keep customer-facing services reachable during incidents.<\/li>\n
        • Improve global experience<\/strong>: steer users to regionally appropriate endpoints, improving latency and satisfaction.<\/li>\n
        • Simplify operations<\/strong>: centralize DNS ownership and change process within OCI.<\/li>\n
        • Support migrations<\/strong>: gradually move traffic from on-prem or another cloud into OCI using weighted steering.<\/li>\n<\/ul>\n\n\n\n

          Technical reasons<\/h3>\n\n\n\n
            \n
          • Authoritative DNS hosting<\/strong> with API-driven management<\/li>\n
          • Policy-based DNS responses<\/strong> (Traffic Management steering policies)<\/li>\n
          • Health-aware routing<\/strong> (avoid dead IPs)<\/li>\n
          • DNSSEC support<\/strong> to reduce DNS spoofing risks (where applicable)<\/li>\n<\/ul>\n\n\n\n

            Operational reasons<\/h3>\n\n\n\n
              \n
            • Compartment-based governance<\/strong>: separate dev\/test\/prod and enforce least privilege<\/li>\n
            • Automation<\/strong>: manage zones\/records\/policies via Terraform (commonly used), CLI, or SDKs (verify latest provider support and resource names)<\/li>\n
            • Auditability<\/strong>: track who changed DNS and when via OCI Audit<\/li>\n<\/ul>\n\n\n\n

              Security\/compliance reasons<\/h3>\n\n\n\n
                \n
              • IAM enforcement<\/strong>: only approved groups can modify zones\/records\/policies<\/li>\n
              • DNSSEC<\/strong>: strengthen integrity of DNS answers (subject to your registrar and DNSSEC chain of trust)<\/li>\n
              • Change control<\/strong>: implement tagging, approvals, and automation pipelines<\/li>\n<\/ul>\n\n\n\n

                Scalability\/performance reasons<\/h3>\n\n\n\n
                  \n
                • DNS is inherently a scale component\u2014OCI runs authoritative DNS infrastructure so you don\u2019t have to build and maintain it.<\/li>\n
                • Traffic Management policies let you scale across multiple endpoints\/regions<\/strong> without forcing all traffic through a single load balancer.<\/li>\n<\/ul>\n\n\n\n

                  When teams should choose it<\/h3>\n\n\n\n

                  Choose OCI DNS and Traffic Management when you need:\n– Managed DNS for public zones used by applications\n– DNS-based global routing and\/or failover\n– A clean way to run multi-region or hybrid routing strategies\n– OCI-governed DNS changes integrated with your IAM model<\/p>\n\n\n\n

                  When teams should not choose it<\/h3>\n\n\n\n

                  Consider alternatives when:\n– You need application-layer routing<\/strong> decisions (headers, paths, cookies). DNS can\u2019t see those; use OCI Load Balancing<\/strong> or an ingress\/API gateway layer.\n– You require instant<\/strong> traffic shifting with no caching effects. DNS is cached; even low TTLs are not perfect.\n– You need DoH\/DoT endpoint services<\/strong> from your authoritative provider (verify OCI capabilities; do not assume).\n– You want a \u201csingle pane of glass\u201d DNS provider across many clouds and registrars with advanced vendor-specific features (some organizations use Cloudflare\/NS1, etc.).<\/p>\n\n\n\n

                  \n\n\n\n

                  4. Where is DNS and Traffic Management used?<\/h2>\n\n\n\n

                  Industries<\/h3>\n\n\n\n
                    \n
                  • SaaS and internet applications (public endpoints)<\/li>\n
                  • Financial services (careful change control, DNSSEC, high availability)<\/li>\n
                  • E-commerce (multi-region resilience)<\/li>\n
                  • Media and gaming (traffic steering, rollout control)<\/li>\n
                  • Enterprise internal platforms (private DNS for internal services)<\/li>\n<\/ul>\n\n\n\n

                    Team types<\/h3>\n\n\n\n
                      \n
                    • Platform engineering and SRE teams managing shared DNS platforms<\/li>\n
                    • Network engineers managing authoritative zones and delegations<\/li>\n
                    • DevOps engineers automating record changes and cutovers<\/li>\n
                    • Security teams enforcing DNSSEC and least privilege<\/li>\n
                    • Application teams needing controlled rollouts (canary\/blue-green)<\/li>\n<\/ul>\n\n\n\n

                      Workloads<\/h3>\n\n\n\n
                        \n
                      • Public web applications and APIs<\/li>\n
                      • Multi-region active-active or active-passive designs<\/li>\n
                      • Hybrid (on-prem + OCI) with staged migrations<\/li>\n
                      • Kubernetes ingress endpoints (DNS to LB frontends)<\/li>\n
                      • Disaster recovery designs using DNS failover to a standby region<\/li>\n<\/ul>\n\n\n\n

                        Architectures<\/h3>\n\n\n\n
                          \n
                        • Single region + DR region (DNS failover)<\/li>\n
                        • Global multi-region with geolocation steering<\/li>\n
                        • Weighted rollouts during migration or version releases<\/li>\n
                        • Split-horizon internal DNS (private zones) for service discovery patterns<\/li>\n<\/ul>\n\n\n\n

                          Real-world deployment contexts<\/h3>\n\n\n\n
                            \n
                          • Production: delegated zones at registrar, DNSSEC enabled (when required), change approvals, health checks, and tested failover runbooks<\/li>\n
                          • Dev\/test: non-delegated zones queried directly by authoritative nameserver (useful for learning), short TTLs, and isolated compartments<\/li>\n<\/ul>\n\n\n\n
                            \n\n\n\n

                            5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                            Below are realistic ways teams use Oracle Cloud DNS and Traffic Management<\/strong>.<\/p>\n\n\n\n

                            1) Automatic regional failover for a public API<\/h3>\n\n\n\n
                              \n
                            • Problem:<\/strong> Region A outage makes api.company.com<\/code> unreachable.<\/li>\n
                            • Why it fits:<\/strong> Steering policy + health checks can stop returning Region A endpoint and return Region B instead.<\/li>\n
                            • Example:<\/strong> Primary endpoint is an OCI Load Balancer in us-ashburn-1<\/code>, secondary in us-phoenix-1<\/code>.<\/li>\n<\/ul>\n\n\n\n

                              2) Active-active multi-region DNS load distribution<\/h3>\n\n\n\n
                                \n
                              • Problem:<\/strong> One region can\u2019t handle peak load alone.<\/li>\n
                              • Why it fits:<\/strong> Weighted answers distribute traffic across endpoints.<\/li>\n
                              • Example:<\/strong> Return both regions with weights 60\/40 and adjust during events.<\/li>\n<\/ul>\n\n\n\n

                                3) Blue\/green deployment cutover<\/h3>\n\n\n\n
                                  \n
                                • Problem:<\/strong> Need low-risk release with easy rollback.<\/li>\n
                                • Why it fits:<\/strong> Weighted steering gradually increases traffic to \u201cgreen.\u201d<\/li>\n
                                • Example:<\/strong> Start 95% old LB, 5% new LB; ramp to 50\/50; then 100% green.<\/li>\n<\/ul>\n\n\n\n

                                  4) Canary testing with internal users<\/h3>\n\n\n\n
                                    \n
                                  • Problem:<\/strong> Want a small subset of clients to hit a new endpoint.<\/li>\n
                                  • Why it fits:<\/strong> DNS policies can target by geography\/ASN (capability depends on supported rules\u2014verify).<\/li>\n
                                  • Example:<\/strong> Route EU traffic to new endpoint first.<\/li>\n<\/ul>\n\n\n\n

                                    5) Hybrid migration from on-prem to OCI<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> Move workloads without a \u201cbig bang\u201d DNS cutover.<\/li>\n
                                    • Why it fits:<\/strong> Use weighted or priority rules between on-prem VIP and OCI LB.<\/li>\n
                                    • Example:<\/strong> 80% on-prem, 20% OCI; gradually invert.<\/li>\n<\/ul>\n\n\n\n

                                      6) Multi-cloud continuity design<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> OCI is primary, but must fail over to another provider.<\/li>\n
                                      • Why it fits:<\/strong> Steering answers can include non-OCI endpoints as well.<\/li>\n
                                      • Example:<\/strong> Primary OCI LB, secondary AWS ALB IP\/hostname (depending on DNS record type suitability).<\/li>\n<\/ul>\n\n\n\n

                                        7) Maintain availability during maintenance windows<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> Planned maintenance requires draining a site.<\/li>\n
                                        • Why it fits:<\/strong> Adjust weights or priority to steer away temporarily.<\/li>\n
                                        • Example:<\/strong> Move all traffic to Region B for 2 hours.<\/li>\n<\/ul>\n\n\n\n

                                          8) Improve latency by steering users geographically<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> Global users experience high latency to a single region.<\/li>\n
                                          • Why it fits:<\/strong> Geolocation steering returns region-local answers.<\/li>\n
                                          • Example:<\/strong> APAC users -> Singapore, EMEA -> Frankfurt, AMER -> Ashburn.<\/li>\n<\/ul>\n\n\n\n

                                            9) Health-aware endpoint selection for IoT ingest<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> Devices post to a DNS name; endpoints occasionally degrade.<\/li>\n
                                            • Why it fits:<\/strong> Health checks prevent returning unhealthy collectors.<\/li>\n
                                            • Example:<\/strong> Return only healthy ingest nodes for ingest.example.com<\/code>.<\/li>\n<\/ul>\n\n\n\n

                                              10) SaaS tenant isolation by DNS subdomain patterns<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> Different tenants must resolve to different frontends.<\/li>\n
                                              • Why it fits:<\/strong> Separate DNS names and attachments per tenant, managed by compartments\/tags.<\/li>\n
                                              • Example:<\/strong> tenant-a.app.com<\/code> -> endpoint group A, tenant-b.app.com<\/code> -> endpoint group B.<\/li>\n<\/ul>\n\n\n\n
                                                \n\n\n\n

                                                6. Core Features<\/h2>\n\n\n\n

                                                This section focuses on commonly used, current capabilities of OCI DNS and Traffic Management. Always confirm exact record types, policy rules, and limits in official documentation.<\/p>\n\n\n\n

                                                6.1 Managed DNS zones (public)<\/h3>\n\n\n\n
                                                  \n
                                                • What it does:<\/strong> Hosts authoritative DNS zones and answers internet queries for delegated domains.<\/li>\n
                                                • Why it matters:<\/strong> You don\u2019t manage DNS servers, patching, scaling, or availability.<\/li>\n
                                                • Practical benefit:<\/strong> Faster domain changes via API\/console; consistent governance via OCI IAM.<\/li>\n
                                                • Caveats:<\/strong> You must delegate your domain at the registrar for real-world usage; DNS propagation and caching apply.<\/li>\n<\/ul>\n\n\n\n

                                                  6.2 Private DNS capabilities (private zones \/ split-horizon patterns)<\/h3>\n\n\n\n
                                                    \n
                                                  • What it does:<\/strong> Provides internal-only DNS naming within OCI networking contexts (commonly VCN-associated).<\/li>\n
                                                  • Why it matters:<\/strong> Clean service discovery and internal routing without exposing names publicly.<\/li>\n
                                                  • Practical benefit:<\/strong> Avoid hardcoding IPs; standardize internal naming conventions.<\/li>\n
                                                  • Caveats:<\/strong> Private DNS behavior depends on OCI networking constructs (views\/resolvers). Verify current Private DNS features and constraints in docs before designing.<\/li>\n<\/ul>\n\n\n\n

                                                    6.3 Record management (RRsets, TTL control, common record types)<\/h3>\n\n\n\n
                                                      \n
                                                    • What it does:<\/strong> Create\/update\/delete DNS records and sets (e.g., A, AAAA, CNAME, TXT, MX, SRV, NS).<\/li>\n
                                                    • Why it matters:<\/strong> DNS is the canonical directory for many systems (web, email, service discovery).<\/li>\n
                                                    • Practical benefit:<\/strong> Use short TTLs for migration windows, longer TTLs for stable records.<\/li>\n
                                                    • Caveats:<\/strong> Apex CNAME is generally not allowed in DNS standards; providers often offer ALIAS\/ANAME-style features\u2014verify OCI support and semantics for your needs.<\/li>\n<\/ul>\n\n\n\n

                                                      6.4 Traffic Management steering policies<\/h3>\n\n\n\n
                                                        \n
                                                      • What it does:<\/strong> Defines how OCI chooses DNS answers based on a rule set (weights, priority, filters, geo, ASN, health, limits\u2014verify supported rule types in current docs).<\/li>\n
                                                      • Why it matters:<\/strong> Enables resilient and controlled routing without changing application code.<\/li>\n
                                                      • Practical benefit:<\/strong> Implement failover, active-active, regional steering, and rollout strategies.<\/li>\n
                                                      • Caveats:<\/strong> DNS is still DNS\u2014client caching, recursive resolver behavior, and TTLs affect responsiveness.<\/li>\n<\/ul>\n\n\n\n

                                                        6.5 Steering policy attachments<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does:<\/strong> Attaches a steering policy to a specific domain name in a zone (for example, apply policy to www.example.com<\/code>).<\/li>\n
                                                        • Why it matters:<\/strong> You can reuse the same policy pattern across names, or apply different policies to different subdomains.<\/li>\n
                                                        • Practical benefit:<\/strong> Clean separation between policy logic and DNS naming.<\/li>\n
                                                        • Caveats:<\/strong> Attachments are part of the DNS answer path for that name; plan lifecycle and ownership carefully.<\/li>\n<\/ul>\n\n\n\n

                                                          6.6 Integration with OCI Health Checks<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does:<\/strong> Performs active probing (HTTP\/HTTPS\/TCP\u2014verify options) from OCI vantage points and reports health.<\/li>\n
                                                          • Why it matters:<\/strong> Traffic steering without health can send users to dead endpoints.<\/li>\n
                                                          • Practical benefit:<\/strong> Automated failover and safer load distribution.<\/li>\n
                                                          • Caveats:<\/strong> Health checks are an external signal and can be affected by firewall rules, WAF policies, rate limits, and transient internet routing.<\/li>\n<\/ul>\n\n\n\n

                                                            6.7 DNSSEC (Domain Name System Security Extensions)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Cryptographically signs DNS responses to help resolvers validate authenticity.<\/li>\n
                                                            • Why it matters:<\/strong> Reduces risk of DNS spoofing\/cache poisoning for validating resolvers.<\/li>\n
                                                            • Practical benefit:<\/strong> Stronger trust in your domain answers.<\/li>\n
                                                            • Caveats:<\/strong> DNSSEC requires careful key and delegation handling with your registrar; misconfiguration can cause resolution failures.<\/li>\n<\/ul>\n\n\n\n

                                                              6.8 Automation (Console, API, CLI, SDKs, Terraform)<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> Manage DNS zones\/records\/policies programmatically.<\/li>\n
                                                              • Why it matters:<\/strong> DNS changes are infrastructure changes; they benefit from version control and CI\/CD.<\/li>\n
                                                              • Practical benefit:<\/strong> Repeatable environments, safer migrations, standardized naming.<\/li>\n
                                                              • Caveats:<\/strong> Ensure your automation handles eventual consistency and safe rollbacks.<\/li>\n<\/ul>\n\n\n\n

                                                                6.9 IAM governance via compartments and policies<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> Controls who can create\/modify zones, records, and steering policies.<\/li>\n
                                                                • Why it matters:<\/strong> DNS changes can cause outages or security incidents.<\/li>\n
                                                                • Practical benefit:<\/strong> Least privilege, separation of duties, and auditable operations.<\/li>\n
                                                                • Caveats:<\/strong> Mis-scoped IAM policies can block incident response or allow overly broad access.<\/li>\n<\/ul>\n\n\n\n
                                                                  \n\n\n\n

                                                                  7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                  High-level architecture<\/h3>\n\n\n\n

                                                                  At a high level:\n1. A client queries a recursive resolver<\/strong> (ISP, enterprise, or public resolver).\n2. The resolver follows delegation to your OCI authoritative DNS nameservers<\/strong>.\n3. OCI DNS returns records:\n – Standard static records, or\n – Dynamic answers computed from a steering policy<\/strong> (Traffic Management)\n4. Client connects to the returned endpoint (IP\/LB hostname target).<\/p>\n\n\n\n

                                                                  Request\/data\/control flow<\/h3>\n\n\n\n
                                                                    \n
                                                                  • Control plane:<\/strong> You create zones, records, and steering policies through OCI Console\/API\/CLI\/SDK\/Terraform.<\/li>\n
                                                                  • Data plane:<\/strong> DNS queries from resolvers to OCI authoritative nameservers; health-check probes from OCI Health Checks to your endpoints.<\/li>\n<\/ul>\n\n\n\n

                                                                    Key integrations (common patterns)<\/h3>\n\n\n\n
                                                                      \n
                                                                    • OCI Load Balancing:<\/strong> DNS points to public LB. Traffic Management can distribute\/fail over between LBs.<\/li>\n
                                                                    • OCI Compute:<\/strong> DNS points directly to instance public IPs (simple labs; less common in production).<\/li>\n
                                                                    • OCI Health Checks:<\/strong> Provides endpoint health to steering policies.<\/li>\n
                                                                    • OCI IAM + Audit:<\/strong> Access control + change tracking.<\/li>\n
                                                                    • OCI WAF \/ CDN (where used):<\/strong> DNS points to WAF\/CDN front door; steering can operate at that level across regions.<\/li>\n<\/ul>\n\n\n\n

                                                                      Dependencies to plan for<\/h3>\n\n\n\n
                                                                        \n
                                                                      • A working endpoint<\/strong> (LB or instance) that accepts traffic from health checkers<\/li>\n
                                                                      • Network security rules<\/strong> (security lists\/NSGs) allowing health checks and user traffic<\/li>\n
                                                                      • A domain strategy<\/strong> (public delegation at registrar for production)<\/li>\n
                                                                      • A monitoring strategy<\/strong> for the endpoints (DNS won\u2019t tell you app performance, only where clients go)<\/li>\n<\/ul>\n\n\n\n

                                                                        Security\/authentication model<\/h3>\n\n\n\n
                                                                          \n
                                                                        • Management uses OCI IAM:<\/li>\n
                                                                        • Users\/groups with policies to manage DNS and Traffic Management objects<\/li>\n
                                                                        • API calls are signed with OCI credentials (Console\/CLI\/SDK)<\/li>\n
                                                                        • Query plane is public DNS protocol; security is improved with DNSSEC where applicable.<\/li>\n<\/ul>\n\n\n\n

                                                                          Networking model (practical view)<\/h3>\n\n\n\n
                                                                            \n
                                                                          • DNS authoritative endpoints are managed by OCI.<\/li>\n
                                                                          • Your endpoints (LBs\/instances) sit in your VCN or outside OCI.<\/li>\n
                                                                          • Health checks originate from OCI-managed vantage points; endpoints must allow that inbound traffic (verify recommended allowlists in Health Checks docs).<\/li>\n<\/ul>\n\n\n\n

                                                                            Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                              \n
                                                                            • Use OCI Audit<\/strong> to track DNS changes.<\/li>\n
                                                                            • Monitor endpoint availability with OCI Health Checks<\/strong> and\/or OCI Monitoring<\/strong> on the workloads.<\/li>\n
                                                                            • Use tags<\/strong> and compartment structure for cost allocation and governance.<\/li>\n
                                                                            • Consider external monitoring from another provider to validate real-world DNS resolution and application reachability.<\/li>\n<\/ul>\n\n\n\n

                                                                              Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                              flowchart LR\n  U[User Device] --> R[Recursive Resolver]\n  R -->|DNS query| OCI_DNS[OCI Authoritative DNS]\n  OCI_DNS -->|Steering policy answer| R\n  R --> U\n  U -->|HTTP\/HTTPS| EP1[Endpoint A\\n(OCI LB \/ Compute)]\n  U -->|HTTP\/HTTPS| EP2[Endpoint B\\n(OCI LB \/ DR Region)]\n  HC[OCI Health Checks] -->|Probes| EP1\n  HC -->|Probes| EP2\n<\/code><\/pre>\n\n\n\n
                                                                              Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                              flowchart TB\n  subgraph Internet\n    Users[Users]\n    Resolvers[Recursive DNS Resolvers]\n  end\n\n  subgraph OCI_Global[\"OCI DNS and Traffic Management (Global)\"]\n    AuthDNS[Authoritative DNS Zones]\n    Steering[Traffic Management\\nSteering Policies + Attachments]\n  end\n\n  subgraph RegionA[\"OCI Region A\"]\n    WAF_A[WAF \/ Edge Policy\\n(optional)]\n    LB_A[Public Load Balancer]\n    App_A[App Tier]\n    DB_A[(Database)]\n  end\n\n  subgraph RegionB[\"OCI Region B (DR or Active-Active)\"]\n    WAF_B[WAF \/ Edge Policy\\n(optional)]\n    LB_B[Public Load Balancer]\n    App_B[App Tier]\n    DB_B[(Database \/ Replica)]\n  end\n\n  Health[OCI Health Checks]:::svc\n\n  Users --> Resolvers\n  Resolvers -->|DNS| AuthDNS\n  AuthDNS --> Steering\n  Steering -->|Answer A or B| Resolvers\n  Users -->|HTTP\/HTTPS| WAF_A\n  Users -->|HTTP\/HTTPS| WAF_B\n  WAF_A --> LB_A --> App_A --> DB_A\n  WAF_B --> LB_B --> App_B --> DB_B\n\n  Health -->|Probe| LB_A\n  Health -->|Probe| LB_B\n\n  classDef svc fill:#f6f6f6,stroke:#888,stroke-width:1px;\n<\/code><\/pre>\n\n\n\n
                                                                              \n\n\n\n
                                                                              8. Prerequisites<\/h2>\n\n\n\n
                                                                              Tenancy\/account requirements<\/h3>\n\n\n\n
                                                                                \n
                                                                              • An Oracle Cloud<\/strong> (OCI) tenancy with permission to create networking and DNS resources.<\/li>\n
                                                                              • A compartment strategy:<\/li>\n
                                                                              • One compartment for the lab (recommended), separate from production.<\/li>\n<\/ul>\n\n\n\n
                                                                                Permissions \/ IAM policies<\/h3>\n\n\n\n
                                                                                You need permission to manage:\n– DNS zones and records\n– Traffic Management steering policies and attachments\n– Health Checks (for health-based steering)\n– Compute\/Networking (for lab endpoints)<\/p>\n\n\n\n
                                                                                Example IAM policies (adjust group and compartment names):<\/p>\n\n\n\n
                                                                                Allow group DNS-Lab-Admins to manage dns in compartment DNS-Lab\nAllow group DNS-Lab-Admins to manage health-checks in compartment DNS-Lab\nAllow group DNS-Lab-Admins to manage virtual-network-family in compartment DNS-Lab\nAllow group DNS-Lab-Admins to manage instance-family in compartment DNS-Lab\n<\/code><\/pre>\n\n\n\n
                                                                                \n
                                                                                Exact policy verbs and resource families can vary by OCI service design. Verify required IAM policy statements in the official OCI docs if you see authorization errors.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                Billing requirements<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • DNS may not have a direct line-item charge in many cases, but related resources<\/strong> do:<\/li>\n
                                                                                • Compute instances, Load Balancers, outbound data transfer, and possibly Health Checks depending on your usage and pricing model.<\/li>\n
                                                                                • Use Oracle Cloud Free Tier \/ Always Free<\/strong> where possible for a low-cost lab (verify current Free Tier eligibility and quotas in your tenancy\/region).<\/li>\n<\/ul>\n\n\n\n
                                                                                  Tools (recommended)<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • OCI Console<\/strong> (web UI)<\/li>\n
                                                                                  • OCI CLI<\/strong> (optional but helpful): https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/li>\n
                                                                                  • dig<\/strong> (DNS query tool) on your workstation<\/li>\n
                                                                                  • ssh<\/strong> client if you create compute instances for endpoints<\/li>\n<\/ul>\n\n\n\n
                                                                                    Region availability<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • OCI DNS is generally available across OCI regions (service availability can vary).<\/li>\n
                                                                                    • Choose a region where you can also create compute instances for the lab.<\/li>\n<\/ul>\n\n\n\n
                                                                                      Quotas \/ limits<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • DNS zones, records, steering policies, and health checks have service limits.<\/li>\n
                                                                                      • Check OCI Service Limits<\/strong> for DNS, Traffic Management, and Health Checks in your region\/tenancy.<\/li>\n<\/ul>\n\n\n\n
                                                                                        Prerequisite services for the lab<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • OCI Virtual Cloud Network (VCN) with a public subnet (for HTTP endpoints)<\/li>\n
                                                                                        • Two compute instances (optional but used in this tutorial)<\/li>\n
                                                                                        • OCI Health Checks<\/li>\n<\/ul>\n\n\n\n
                                                                                          \n\n\n\n
                                                                                          9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                          Pricing model (how costs are typically incurred)<\/h3>\n\n\n\n
                                                                                          For DNS and Traffic Management<\/strong>, costs can come from:\n1. DNS service usage<\/strong> (zone hosting, queries, and advanced features) \u2014 pricing may be $0 or billed depending on Oracle\u2019s current model and your contract.\n2. Traffic Management<\/strong> (steering policies\/attachments) \u2014 often priced as part of DNS, but confirm.\n3. Health Checks<\/strong> \u2014 may have its own pricing dimension (number of checks, frequency, probe regions\/vantage points). Verify current pricing.\n4. Endpoints you route to<\/strong>:\n   – Compute instances\n   – Load Balancers (commonly a major cost driver)\n   – WAF\/CDN (if used)\n5. Data transfer<\/strong>:\n   – Internet egress from your endpoints (not DNS itself, but the traffic you direct)<\/p>\n\n\n\n
                                                                                          Official pricing sources (verify current SKUs)<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Oracle Cloud Pricing overview: https:\/\/www.oracle.com\/cloud\/pricing\/<\/li>\n
                                                                                          • Oracle Cloud Price List (search for DNS, Health Checks, Load Balancer): https:\/\/www.oracle.com\/cloud\/price-list\/<\/li>\n
                                                                                          • OCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/li>\n<\/ul>\n\n\n\n
                                                                                            \n
                                                                                            Do not rely on third-party blogs for OCI pricing. Always validate on Oracle\u2019s official pricing pages or your contracted rate card.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                            Pricing dimensions to expect (conceptually)<\/h3>\n\n\n\n
                                                                                            Depending on Oracle\u2019s current pricing for your region\/contract, you may see:\n– Number of DNS zones<\/strong> (public and\/or private)\n– Volume of DNS queries<\/strong> (authoritative query count)\n– Number of steering policy attachments<\/strong> (names using Traffic Management)\n– Number of health checks<\/strong>, check interval, and probe distribution\n– Compute\/LB hourly rates and throughput\n– Outbound internet data transfer (GB)<\/p>\n\n\n\n
                                                                                            Free tier considerations<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • OCI Free Tier often includes Always Free compute shapes and limited networking usage.<\/li>\n
                                                                                            • Whether DNS and Traffic Management<\/strong> and Health Checks<\/strong> are free or included depends on Oracle\u2019s current policy\u2014verify in pricing docs and your tenancy\u2019s Free Tier details.<\/li>\n<\/ul>\n\n\n\n
                                                                                              Cost drivers (what increases your bill)<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Large DNS query volumes to authoritative servers<\/li>\n
                                                                                              • Many attachments and many endpoints per policy<\/li>\n
                                                                                              • Short health check intervals (more probes)<\/li>\n
                                                                                              • Using paid LBs\/WAF\/CDN in multiple regions<\/li>\n
                                                                                              • High outbound traffic from endpoints (internet egress)<\/li>\n<\/ul>\n\n\n\n
                                                                                                Hidden\/indirect costs<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Operational costs<\/strong>: staff time to manage DNS changes, incident response, and testing<\/li>\n
                                                                                                • Multi-region duplication<\/strong>: duplicate LBs and app stacks in two regions<\/li>\n
                                                                                                • Certificate management<\/strong>: if you add HTTPS endpoints, cert operations may involve other services\/tools<\/li>\n<\/ul>\n\n\n\n
                                                                                                  Cost optimization tips<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Use longer TTLs<\/strong> for stable records; use shorter TTLs only for migration windows.<\/li>\n
                                                                                                  • Prefer Traffic Management<\/strong> at strategic entry points (like www<\/code> and api<\/code>) rather than on thousands of per-tenant names unless needed.<\/li>\n
                                                                                                  • Avoid over-provisioning health checks; align check frequency with RTO\/RPO goals.<\/li>\n
                                                                                                  • For production, consider routing to Load Balancers<\/strong> (stable) rather than ephemeral instance IPs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n
                                                                                                    A minimal lab can be near-zero cost if you:\n– Use Always Free compute (if available)\n– Avoid paid load balancers\n– Keep DNS zones and health checks within free allowances (if applicable)<\/p>\n\n\n\n
                                                                                                    Because exact pricing varies by region and Oracle policy, verify in the official price list<\/strong> before assuming $0.<\/p>\n\n\n\n
                                                                                                    Example production cost considerations<\/h3>\n\n\n\n
                                                                                                    In production, the bill is commonly dominated by:\n– Regional load balancers (hourly + bandwidth\/LCU-style metrics depending on SKU)\n– Multi-region duplication (two of everything)\n– Outbound internet data transfer\nDNS and steering policies are usually a smaller fraction, but high query volume<\/strong> can change that\u2014measure authoritative query rates and plan accordingly.<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                    Objective<\/h3>\n\n\n\n
                                                                                                    Deploy a small, real DNS and Traffic Management<\/strong> setup in Oracle Cloud:\n– Create two HTTP endpoints (two small OCI compute instances)\n– Create health checks for both endpoints\n– Create a DNS zone and a Traffic Management steering policy\n– Attach the policy to a DNS name and verify automatic failover<\/strong><\/p>\n\n\n\n
                                                                                                    Lab Overview<\/h3>\n\n\n\n
                                                                                                    You will build:\n– web-a<\/code>: Nginx server returning \u201cA\u201d\n– web-b<\/code>: Nginx server returning \u201cB\u201d\n– Health checks: probe both servers\n– DNS zone: lab.example<\/code> (not delegated; we\u2019ll test by querying OCI authoritative nameservers directly)\n– Steering policy attachment for www.lab.example<\/code>:\n  – Return web-a<\/code> when healthy\n  – Fail over to web-b<\/code> when web-a<\/code> is unhealthy<\/p>\n\n\n\n
                                                                                                    Estimated time:<\/strong> 60\u2013120 minutes\nRisk level:<\/strong> Low (uses small instances; you can fully clean up)<\/p>\n\n\n\n
                                                                                                    \n
                                                                                                    If you own a real domain, you can optionally delegate a subdomain to OCI DNS and test with normal resolvers. This lab does not require domain ownership.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 1: Create a compartment for the lab<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    1. In the OCI Console, go to Identity & Security \u2192 Compartments<\/strong>.<\/li>\n
                                                                                                    2. Click Create Compartment<\/strong>.<\/li>\n
                                                                                                    3. Name: DNS-Lab<\/code><\/li>\n
                                                                                                    4. Create.<\/li>\n<\/ol>\n\n\n\n
                                                                                                      Expected outcome:<\/strong> A compartment to isolate all lab resources.<\/p>\n\n\n\n
                                                                                                      \n\n\n\n
                                                                                                      Step 2: Create IAM group and policies (if you don\u2019t already have access)<\/h3>\n\n\n\n
                                                                                                      If you already have sufficient privileges, you can skip.<\/p>\n\n\n\n
                                                                                                        \n
                                                                                                      1. Go to Identity & Security \u2192 Groups<\/strong> \u2192 Create Group<\/strong>\n   – Name: DNS-Lab-Admins<\/code><\/li>\n
                                                                                                      2. Add your user to the group.<\/li>\n
                                                                                                      3. Go to Identity & Security \u2192 Policies<\/strong> \u2192 Create Policy<\/strong> in the root compartment<\/strong> (or appropriate parent).<\/li>\n
                                                                                                      4. Add policy statements (edit group\/compartment names as needed):<\/li>\n<\/ol>\n\n\n\n
                                                                                                        Allow group DNS-Lab-Admins to manage dns in compartment DNS-Lab\nAllow group DNS-Lab-Admins to manage health-checks in compartment DNS-Lab\nAllow group DNS-Lab-Admins to manage virtual-network-family in compartment DNS-Lab\nAllow group DNS-Lab-Admins to manage instance-family in compartment DNS-Lab\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome:<\/strong> You can create DNS zones\/policies, health checks, VCNs, and instances within DNS-Lab<\/code>.<\/p>\n\n\n\n
                                                                                                        Verification:<\/strong> Try opening the DNS service page and ensure you don\u2019t see \u201cNot authorized\u201d.<\/p>\n\n\n\n
                                                                                                        \n\n\n\n
                                                                                                        Step 3: Create a VCN with internet connectivity<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        1. Go to Networking \u2192 Virtual Cloud Networks<\/strong>.<\/li>\n
                                                                                                        2. Choose compartment DNS-Lab<\/code>.<\/li>\n
                                                                                                        3. Click Start VCN Wizard<\/strong>.<\/li>\n
                                                                                                        4. Select VCN with Internet Connectivity<\/strong>.<\/li>\n
                                                                                                        5. Create with defaults (or set):\n   – VCN name: dns-lab-vcn<\/code>\n   – Public subnet: dns-lab-public-subnet<\/code><\/li>\n<\/ol>\n\n\n\n
                                                                                                          Expected outcome:<\/strong> A VCN with:\n– Internet Gateway\n– Route table allowing 0.0.0.0\/0 to IGW\n– Public subnet<\/p>\n\n\n\n
                                                                                                          \n\n\n\n
                                                                                                          Step 4: Create two compute instances (web-a and web-b)<\/h3>\n\n\n\n
                                                                                                          We\u2019ll use small Linux instances and install Nginx.<\/p>\n\n\n\n
                                                                                                            \n
                                                                                                          1. Go to Compute \u2192 Instances<\/strong> \u2192 Create Instance<\/strong><\/li>\n
                                                                                                          2. Compartment: DNS-Lab<\/code><\/li>\n
                                                                                                          3. Name: web-a<\/code><\/li>\n
                                                                                                          4. Image: Oracle Linux (or another supported Linux)<\/li>\n
                                                                                                          5. Shape: pick an Always Free eligible shape if available (verify availability)<\/li>\n
                                                                                                          6. Networking: select dns-lab-vcn<\/code> and dns-lab-public-subnet<\/code><\/li>\n
                                                                                                          7. Assign a public IPv4 address<\/strong><\/li>\n
                                                                                                          8. Add your SSH public key<\/li>\n
                                                                                                          9. Create.<\/li>\n<\/ol>\n\n\n\n
                                                                                                            Repeat for web-b<\/code>.<\/p>\n\n\n\n
                                                                                                            Expected outcome:<\/strong> Two running instances, each with a public IP.<\/p>\n\n\n\n
                                                                                                            Verification:<\/strong> In each instance details page, copy the Public IPv4 address<\/strong>.<\/p>\n\n\n\n
                                                                                                            \n\n\n\n
                                                                                                            Step 5: Open inbound port 80 to the instances<\/h3>\n\n\n\n
                                                                                                            To allow HTTP and health checks, permit inbound TCP\/80. Depending on how your subnet is configured, you\u2019ll update either:\n– Security List rules (subnet-level), or\n– Network Security Group (NSG) rules (instance-level)<\/p>\n\n\n\n
                                                                                                            For a basic wizard VCN using security lists:\n1. Go to Networking \u2192 Virtual Cloud Networks \u2192 dns-lab-vcn<\/strong>\n2. Security Lists<\/strong> \u2192 open the one attached to your public subnet\n3. Add Ingress Rules<\/strong>\n   – Source CIDR: 0.0.0.0\/0<\/code> (lab only; production should be tighter)\n   – IP Protocol: TCP\n   – Destination Port Range: 80<\/p>\n\n\n\n
                                                                                                            Expected outcome:<\/strong> Instances accept inbound HTTP from the internet.<\/p>\n\n\n\n
                                                                                                            Verification:<\/strong> From your laptop:<\/p>\n\n\n\n
                                                                                                            curl -I http:\/\/<WEB_A_PUBLIC_IP>\/\ncurl -I http:\/\/<WEB_B_PUBLIC_IP>\/\n<\/code><\/pre>\n\n\n\n
                                                                                                            You may get a connection error until Nginx is installed (next step), but the TCP path should be open.<\/p>\n\n\n\n
                                                                                                            \n\n\n\n
                                                                                                            Step 6: Install and configure Nginx on both instances<\/h3>\n\n\n\n
                                                                                                            SSH to each instance and install a web server.<\/p>\n\n\n\n
                                                                                                            For web-a<\/code>:<\/p>\n\n\n\n
                                                                                                            ssh opc@<WEB_A_PUBLIC_IP>\nsudo dnf -y install nginx\necho \"Hello from web-a\" | sudo tee \/usr\/share\/nginx\/html\/index.html\nsudo systemctl enable --now nginx\n<\/code><\/pre>\n\n\n\n
                                                                                                            For web-b<\/code>:<\/p>\n\n\n\n
                                                                                                            ssh opc@<WEB_B_PUBLIC_IP>\nsudo dnf -y install nginx\necho \"Hello from web-b\" | sudo tee \/usr\/share\/nginx\/html\/index.html\nsudo systemctl enable --now nginx\n<\/code><\/pre>\n\n\n\n
                                                                                                            Expected outcome:<\/strong> Both endpoints return unique content.<\/p>\n\n\n\n
                                                                                                            Verification:<\/strong><\/p>\n\n\n\n
                                                                                                            curl http:\/\/<WEB_A_PUBLIC_IP>\/\ncurl http:\/\/<WEB_B_PUBLIC_IP>\/\n<\/code><\/pre>\n\n\n\n
                                                                                                            You should see:\n– Hello from web-a<\/code>\n– Hello from web-b<\/code><\/p>\n\n\n\n
                                                                                                            \n\n\n\n
                                                                                                            Step 7: Create OCI Health Checks for both endpoints<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            1. Go to Networking \u2192 Health Checks<\/strong> (service name may appear under Networking).<\/li>\n
                                                                                                            2. Compartment: DNS-Lab<\/code><\/li>\n
                                                                                                            3. Create Health Check<\/strong>\n   – Name: hc-web-a<\/code>\n   – Targets: <WEB_A_PUBLIC_IP><\/code>\n   – Protocol: HTTP\n   – Port: 80\n   – Path: \/<\/code>\n   – Interval\/timeout: choose defaults or a reasonable low interval for the lab<\/li>\n
                                                                                                            4. Create.<\/li>\n<\/ol>\n\n\n\n
                                                                                                              Repeat for hc-web-b<\/code> targeting <WEB_B_PUBLIC_IP><\/code>.<\/p>\n\n\n\n
                                                                                                              Expected outcome:<\/strong> Two health checks showing status for each endpoint.<\/p>\n\n\n\n
                                                                                                              Verification:<\/strong>\n– Wait for the checks to run.\n– Status should become Healthy<\/strong>.<\/p>\n\n\n\n
                                                                                                              \n
                                                                                                              If health checks remain unhealthy, verify your security rules allow inbound TCP\/80 and the instance is running Nginx.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                              \n\n\n\n
                                                                                                              Step 8: Create a public DNS zone (not delegated)<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              1. Go to Networking \u2192 DNS Management<\/strong> (or DNS<\/strong> in OCI Console).<\/li>\n
                                                                                                              2. Compartment: DNS-Lab<\/code><\/li>\n
                                                                                                              3. Create Zone<\/strong>\n   – Zone type: Public<\/strong>\n   – Zone name: lab.example<\/code> (you can use any domain-like name for testing)<\/li>\n
                                                                                                              4. Create.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                Expected outcome:<\/strong> Zone exists and OCI provides authoritative nameservers for it.<\/p>\n\n\n\n
                                                                                                                Verification:<\/strong>\n– In the zone details, note the nameserver<\/strong> hostnames.\n– You will query these nameservers directly with dig<\/code>.<\/p>\n\n\n\n
                                                                                                                \n\n\n\n
                                                                                                                Step 9: Create a steering policy (Failover) in Traffic Management<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                1. In DNS, find Traffic Management<\/strong> (or steering policies).<\/li>\n
                                                                                                                2. Create Steering Policy<\/strong>\n   – Name: sp-failover-www<\/code>\n   – Template\/Policy type: choose Failover<\/strong> (if templates are offered)\n   – Add answers\/endpoints:
                                                                                                                    \n
                                                                                                                  • Primary answer: <WEB_A_PUBLIC_IP><\/code> (A record)<\/li>\n
                                                                                                                  • Secondary answer: <WEB_B_PUBLIC_IP><\/code> (A record)<\/li>\n
                                                                                                                  • Attach health checks:<\/li>\n
                                                                                                                  • Primary uses hc-web-a<\/code><\/li>\n
                                                                                                                  • Secondary uses hc-web-b<\/code><\/li>\n
                                                                                                                  • Set TTL appropriate for lab (lower TTL makes testing faster, but caching still applies)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                    If OCI uses rule-based steering instead of a \u201cfailover template,\u201d implement failover using:\n– A HEALTH<\/strong> rule referencing monitors, combined with\n– A PRIORITY<\/strong> rule choosing primary then secondary\n(Exact UI terms can vary\u2014follow the current console workflow and verify in official docs.)<\/p>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> A steering policy exists that will prefer web-a<\/code> when healthy, otherwise answer web-b<\/code>.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 10: Attach the steering policy to www.lab.example<\/code><\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    1. Create a Steering Policy Attachment<\/strong>\n   – Zone: lab.example<\/code>\n   – Domain name: www.lab.example<\/code>\n   – Steering policy: sp-failover-www<\/code><\/li>\n<\/ol>\n\n\n\n
                                                                                                                      Expected outcome:<\/strong> DNS queries for www.lab.example<\/code> are answered by the steering policy rather than a static A record.<\/p>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Step 11: Validate DNS answers using the OCI authoritative nameserver<\/h3>\n\n\n\n
                                                                                                                      Because we didn\u2019t delegate the domain, query OCI nameservers directly.<\/p>\n\n\n\n
                                                                                                                        \n
                                                                                                                      1. \n
                                                                                                                        Pick one authoritative nameserver from the zone details, such as:\n   – ns1.p##.dns.oraclecloud.net<\/code> (example format; use your actual value)<\/p>\n<\/li>\n
                                                                                                                      2. \n
                                                                                                                        Query it:<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                        dig @<AUTHORITATIVE_NS_HOSTNAME> www.lab.example A +short\n<\/code><\/pre>\n\n\n\n
                                                                                                                        Expected outcome:<\/strong> You see <WEB_A_PUBLIC_IP><\/code> (primary) while healthy.<\/p>\n\n\n\n
                                                                                                                        Also validate HTTP content:<\/strong><\/p>\n\n\n\n
                                                                                                                        curl http:\/\/$(dig @<AUTHORITATIVE_NS_HOSTNAME> www.lab.example A +short)\/\n<\/code><\/pre>\n\n\n\n
                                                                                                                        You should see Hello from web-a<\/code>.<\/p>\n\n\n\n
                                                                                                                        \n\n\n\n
                                                                                                                        Step 12: Trigger failover and confirm Traffic Management behavior<\/h3>\n\n\n\n
                                                                                                                        Simulate failure on web-a<\/code> by stopping Nginx:<\/p>\n\n\n\n
                                                                                                                        ssh opc@<WEB_A_PUBLIC_IP>\nsudo systemctl stop nginx\n<\/code><\/pre>\n\n\n\n
                                                                                                                        Wait long enough for the health check to detect failure (depends on interval and failure threshold).<\/p>\n\n\n\n
                                                                                                                        Now query DNS again:<\/p>\n\n\n\n
                                                                                                                        dig @<AUTHORITATIVE_NS_HOSTNAME> www.lab.example A +short\n<\/code><\/pre>\n\n\n\n
                                                                                                                        Expected outcome:<\/strong> After health transitions, the answer becomes <WEB_B_PUBLIC_IP><\/code>.<\/p>\n\n\n\n
                                                                                                                        Confirm content:<\/p>\n\n\n\n
                                                                                                                        curl http:\/\/$(dig @<AUTHORITATIVE_NS_HOSTNAME> www.lab.example A +short)\/\n<\/code><\/pre>\n\n\n\n
                                                                                                                        You should see Hello from web-b<\/code>.<\/p>\n\n\n\n
                                                                                                                        \n
                                                                                                                        Note about caching: Since you query the authoritative server directly using @nameserver<\/code>, caching is minimized. If you test through normal resolvers, TTL and resolver caching can delay visible changes.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                        \n\n\n\n
                                                                                                                        Validation<\/h3>\n\n\n\n
                                                                                                                        Use this checklist:\n– [ ] web-a<\/code> and web-b<\/code> respond on http:\/\/<public-ip>\/<\/code>\n– [ ] Health checks show healthy when Nginx is running\n– [ ] dig @<authoritative-ns> www.lab.example A +short<\/code> returns web-a<\/code> when healthy\n– [ ] When web-a<\/code> is unhealthy, the DNS answer shifts to web-b<\/code>\n– [ ] Restoring web-a<\/code> returns traffic to primary (depending on policy logic and health state)<\/p>\n\n\n\n
                                                                                                                        To restore web-a<\/code>:<\/p>\n\n\n\n
                                                                                                                        ssh opc@<WEB_A_PUBLIC_IP>\nsudo systemctl start nginx\n<\/code><\/pre>\n\n\n\n
                                                                                                                        \n\n\n\n
                                                                                                                        Troubleshooting<\/h3>\n\n\n\n
                                                                                                                        Problem: Health checks stay unhealthy<\/strong>\n– Confirm port 80 is allowed in Security List\/NSG.\n– Confirm Nginx is running: sudo systemctl status nginx<\/code>\n– Confirm the instance has a public IP and route to IGW.\n– Check if your organization IP reputation or firewall blocks probe sources.\n– Verify Health Checks documentation for current probe IP ranges and allowlist guidance.<\/p>\n\n\n\n
                                                                                                                        Problem: dig<\/code> returns no answer<\/strong>\n– Ensure you are querying the correct authoritative nameserver hostname from zone details.\n– Confirm the steering policy attachment is for the exact name (www.lab.example<\/code>).\n– Confirm record type (A) matches the attachment\/policy behavior.<\/p>\n\n\n\n
                                                                                                                        Problem: Failover doesn\u2019t happen<\/strong>\n– Health checks might still be considered healthy due to thresholds.\n– Wait longer, or reduce health check interval\/failure threshold (lab only).\n– Ensure the steering policy is actually using the health checks (not created but not referenced).<\/p>\n\n\n\n
                                                                                                                        Problem: You see both IPs or unexpected ordering<\/strong>\n– Your policy might be load-balancing rather than failover.\n– Re-check the steering template\/type and rules.<\/p>\n\n\n\n
                                                                                                                        \n\n\n\n
                                                                                                                        Cleanup<\/h3>\n\n\n\n
                                                                                                                        To avoid ongoing charges:\n1. Delete steering policy attachment.\n2. Delete steering policy.\n3. Delete health checks.\n4. Delete the DNS zone (only if not used elsewhere).\n5. Terminate compute instances web-a<\/code> and web-b<\/code>.\n6. Delete the VCN dns-lab-vcn<\/code> (will remove subnets, IGW, etc., if not in use).<\/p>\n\n\n\n
                                                                                                                        \n
                                                                                                                        Delete in this order to avoid dependency errors.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                        \n\n\n\n
                                                                                                                        11. Best Practices<\/h2>\n\n\n\n
                                                                                                                        Architecture best practices<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Route users to stable front doors<\/strong> (Load Balancers, API Gateways, CDN\/WAF endpoints) rather than directly to ephemeral instance IPs.<\/li>\n
                                                                                                                        • Use Traffic Management for:<\/li>\n
                                                                                                                        • Cross-region<\/strong> routing decisions<\/li>\n
                                                                                                                        • Failover<\/strong> and coarse traffic shifting\n  Use load balancers\/ingress for fine-grained<\/strong> L7 routing.<\/li>\n
                                                                                                                        • Design with DNS caching in mind:<\/li>\n
                                                                                                                        • Keep TTLs higher for normal operation<\/li>\n
                                                                                                                        • Lower TTLs temporarily during migrations (and raise them back)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Separate duties:<\/li>\n
                                                                                                                          • Zone administration vs record changes vs traffic policies<\/li>\n
                                                                                                                          • Use compartments:<\/li>\n
                                                                                                                          • prod-dns<\/code>, nonprod-dns<\/code>, shared-services<\/code><\/li>\n
                                                                                                                          • Apply least privilege:<\/li>\n
                                                                                                                          • Only CI\/CD or a limited group can change production DNS<\/li>\n
                                                                                                                          • Require MFA and strong identity hygiene for privileged users<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Cost best practices<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Avoid \u201cpolicy sprawl\u201d: too many attachments and health checks can add cost and complexity.<\/li>\n
                                                                                                                            • Use health check frequency appropriate to your RTO (don\u2019t probe every few seconds unless necessary).<\/li>\n
                                                                                                                            • Monitor and forecast costs for Load Balancers<\/strong> and egress<\/strong>, which usually dominate.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              Performance best practices<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Use geo steering<\/strong> (when appropriate and supported) to reduce latency.<\/li>\n
                                                                                                                              • Use multiple endpoints per region and multi-A answers where it makes sense.<\/li>\n
                                                                                                                              • Keep DNS responses small (avoid excessive record bloat).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Reliability best practices<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Test failover regularly (game days).<\/li>\n
                                                                                                                                • Ensure secondary endpoints are truly independent (different region, separate dependencies).<\/li>\n
                                                                                                                                • Don\u2019t rely on DNS alone for resilience:<\/li>\n
                                                                                                                                • Combine with multi-region data replication and application-level resilience.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Operations best practices<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Track DNS changes with:<\/li>\n
                                                                                                                                  • Ticketing\/approvals (where required)<\/li>\n
                                                                                                                                  • CI\/CD pipelines and versioned DNS configurations<\/li>\n
                                                                                                                                  • Maintain runbooks:<\/li>\n
                                                                                                                                  • \u201cFailover to DR region\u201d<\/li>\n
                                                                                                                                  • \u201cRollback to primary\u201d<\/li>\n
                                                                                                                                  • Document TTL strategy and expected propagation delays.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Naming conventions:<\/li>\n
                                                                                                                                    • zone-prod-example-com<\/code><\/li>\n
                                                                                                                                    • sp-failover-www-prod<\/code><\/li>\n
                                                                                                                                    • hc-us-ashburn-lb-https<\/code><\/li>\n
                                                                                                                                    • Tag resources with:<\/li>\n
                                                                                                                                    • Environment=Prod<\/code><\/li>\n
                                                                                                                                    • Owner=Platform<\/code><\/li>\n
                                                                                                                                    • CostCenter=...<\/code><\/li>\n
                                                                                                                                    • Define standard policy templates:<\/li>\n
                                                                                                                                    • Failover, weighted rollout, geo steering patterns<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      \n\n\n\n
                                                                                                                                      12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                                      Identity and access model<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • OCI IAM controls DNS and Traffic Management resources:<\/li>\n
                                                                                                                                      • Zones, records, steering policies, attachments<\/li>\n
                                                                                                                                      • Use separate groups for:<\/li>\n
                                                                                                                                      • Read-only DNS viewers<\/li>\n
                                                                                                                                      • DNS editors<\/li>\n
                                                                                                                                      • DNS admins<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Encryption<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Management plane traffic uses HTTPS to OCI APIs.<\/li>\n
                                                                                                                                        • DNS query plane is standard DNS (UDP\/TCP 53) without inherent encryption.<\/li>\n
                                                                                                                                        • If your requirement is encrypted DNS transport (DoH\/DoT), verify OCI DNS capabilities and consider an alternate approach if required.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Network exposure<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Public zones expose names publicly once delegated.<\/li>\n
                                                                                                                                          • Private DNS avoids internet exposure but must be carefully designed to prevent unintended access across networks.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Secrets handling<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • DNS itself doesn\u2019t typically store secrets, but TXT records are sometimes misused for sensitive data.<\/li>\n
                                                                                                                                            • Avoid putting secrets in TXT records.<\/li>\n
                                                                                                                                            • Use OCI Vault or another secrets manager instead.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Use OCI Audit<\/strong> to track who changed DNS and steering policies.<\/li>\n
                                                                                                                                              • For query-level visibility, you may need external DNS analytics or upstream resolver logs (verify what OCI natively provides today; do not assume query logs exist).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • DNSSEC may be required in some industries.<\/li>\n
                                                                                                                                                • Change management and least privilege are common audit requirements.<\/li>\n
                                                                                                                                                • Document delegation, key management (for DNSSEC), and failover testing evidence.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Allowing too many users to modify production zones<\/li>\n
                                                                                                                                                  • Using very low TTLs permanently (can increase query load and operational sensitivity)<\/li>\n
                                                                                                                                                  • Forgetting to restrict health check probe traffic rules (or accidentally blocking it)<\/li>\n
                                                                                                                                                  • Storing sensitive verification tokens longer than needed<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Enable DNSSEC where required and validated end-to-end (registrar \u2192 OCI \u2192 resolvers).<\/li>\n
                                                                                                                                                    • Use separate compartments and policies for prod\/non-prod.<\/li>\n
                                                                                                                                                    • Use automation pipelines with approvals for production record changes.<\/li>\n
                                                                                                                                                    • Keep a well-defined break-glass procedure for incidents.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                                      DNS caching is unavoidable<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Even with a low TTL, recursive resolvers and clients may not honor it perfectly.<\/li>\n
                                                                                                                                                      • Failover won\u2019t be instantaneous for all users.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Health check realism<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • A health check can only test what you configure (HTTP status, TCP connect, etc.).<\/li>\n
                                                                                                                                                        • Your app can be \u201chealthy\u201d by check but still broken for users (dependency failures, auth issues).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Apex record constraints<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • Standard DNS does not allow CNAME at the zone apex.<\/li>\n
                                                                                                                                                          • If you need \u201capex to LB\u201d style behavior, verify OCI\u2019s ALIAS-like support and its exact semantics.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            Multi-region dependencies<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • DNS failover is pointless if both regions depend on the same:<\/li>\n
                                                                                                                                                            • Identity provider<\/li>\n
                                                                                                                                                            • Database<\/li>\n
                                                                                                                                                            • Third-party API<\/li>\n
                                                                                                                                                            • Network path<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              Quotas\/service limits<\/h3>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Limits exist for zones, records, policies, attachments, and health checks.<\/li>\n
                                                                                                                                                              • Check Service Limits<\/strong> and plan capacity before large migrations.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                Operational propagation<\/h3>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                • Changes may take time to apply across authoritative infrastructure.<\/li>\n
                                                                                                                                                                • Coordinate changes with TTL reduction windows.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                  Vendor-specific nuances<\/h3>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  • Traffic Management rules and health check integration are OCI-specific.<\/li>\n
                                                                                                                                                                  • If you later migrate DNS providers, you must map policies to the new provider\u2019s model (not always 1:1).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                    \n\n\n\n
                                                                                                                                                                    14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                                    Nearest services in Oracle Cloud<\/h3>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    • OCI Load Balancing<\/strong>: best for L4\/L7 traffic distribution within a region; can be multi-region only with external mechanisms (DNS\/clients).<\/li>\n
                                                                                                                                                                    • OCI WAF \/ CDN<\/strong> (if used): protects and accelerates HTTP(S) at the edge; still typically uses DNS to direct users to the edge endpoint.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                      Nearest services in other clouds<\/h3>\n\n\n\n
                                                                                                                                                                        \n
                                                                                                                                                                      • AWS Route 53<\/strong> (DNS + routing policies + health checks)<\/li>\n
                                                                                                                                                                      • Azure DNS + Azure Traffic Manager<\/strong> (DNS + DNS-based traffic steering)<\/li>\n
                                                                                                                                                                      • Google Cloud DNS<\/strong> plus other traffic products (DNS is separate from traffic steering; global load balancing can play a similar role depending on design)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                        Open-source \/ self-managed alternatives<\/h3>\n\n\n\n
                                                                                                                                                                          \n
                                                                                                                                                                        • BIND \/ Knot \/ PowerDNS<\/strong> authoritative DNS (you run it)<\/li>\n
                                                                                                                                                                        • Health checking + dynamic updates via custom automation<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                          Comparison table<\/h4>\n\n\n\n
                                                                                                                                                                          \n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                          Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                          OCI DNS and Traffic Management<\/strong><\/td>\nOCI-centric DNS governance + DNS-based steering<\/td>\nIntegrated IAM\/compartments, steering policies, OCI-native patterns<\/td>\nDNS caching limits; policy model differs from other vendors<\/td>\nYou run workloads in OCI and want OCI-governed DNS + traffic steering<\/td>\n<\/tr>\n
                                                                                                                                                                          OCI Load Balancing<\/strong><\/td>\nIn-region traffic distribution<\/td>\nL7 routing, TLS termination, backend health, sticky sessions<\/td>\nNot a global routing solution by itself<\/td>\nYou need application-layer routing within a region\/VCN<\/td>\n<\/tr>\n
                                                                                                                                                                          AWS Route 53<\/strong><\/td>\nAWS-heavy or multi-cloud DNS<\/td>\nMature routing policies, deep ecosystem integration<\/td>\nDifferent IAM\/governance model; data residency considerations<\/td>\nYour core platform is AWS or you standardize on Route 53<\/td>\n<\/tr>\n
                                                                                                                                                                          Azure Traffic Manager + Azure DNS<\/strong><\/td>\nAzure-heavy architectures<\/td>\nSimple DNS-based traffic steering<\/td>\nDNS-only steering (same caching limits)<\/td>\nYour workloads are primarily in Azure<\/td>\n<\/tr>\n
                                                                                                                                                                          Cloudflare DNS + steering<\/strong><\/td>\nInternet edge performance + security<\/td>\nStrong edge network, advanced features<\/td>\nDifferent governance\/vendor dependency<\/td>\nYou want a third-party edge-first DNS\/security platform<\/td>\n<\/tr>\n
                                                                                                                                                                          Self-managed BIND\/PowerDNS<\/strong><\/td>\nFull control, niche requirements<\/td>\nCustomization, on-prem integration<\/td>\nYou manage uptime, scaling, patching, DDoS considerations<\/td>\nYou have strict sovereignty\/air-gapped needs or legacy constraints<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                          \n\n\n\n
                                                                                                                                                                          15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                                          Enterprise example: Multi-region customer portal with DR failover<\/h3>\n\n\n\n
                                                                                                                                                                            \n
                                                                                                                                                                          • Problem:<\/strong> A financial services portal must survive regional outages and meet recovery objectives. The organization requires strict IAM controls and auditable DNS changes.<\/li>\n
                                                                                                                                                                          • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                                          • www.bank.com<\/code> uses OCI DNS zone<\/li>\n
                                                                                                                                                                          • Traffic Management steering policy implements priority failover:
                                                                                                                                                                              \n
                                                                                                                                                                            • Primary: OCI WAF \u2192 OCI Load Balancer in Region A<\/li>\n
                                                                                                                                                                            • Secondary: OCI WAF \u2192 OCI Load Balancer in Region B<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                            • OCI Health Checks monitor \/healthz<\/code> over HTTPS<\/li>\n
                                                                                                                                                                            • DNSSEC enabled for the zone (subject to registrar support)<\/li>\n
                                                                                                                                                                            • Compartments: prod-network<\/code>, prod-dns<\/code>, prod-security<\/code><\/li>\n
                                                                                                                                                                            • Why this service was chosen:<\/strong><\/li>\n
                                                                                                                                                                            • Tight integration with OCI IAM and compartment governance<\/li>\n
                                                                                                                                                                            • Built-in steering policies and attachments<\/li>\n
                                                                                                                                                                            • Straightforward health-check-based failover<\/li>\n
                                                                                                                                                                            • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                                            • Reduced manual intervention during incidents<\/li>\n
                                                                                                                                                                            • Auditable DNS change history<\/li>\n
                                                                                                                                                                            • Predictable DR entry procedure and periodic failover testing<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                              Startup\/small-team example: SaaS migration from single VM to OCI with safe rollout<\/h3>\n\n\n\n
                                                                                                                                                                                \n
                                                                                                                                                                              • Problem:<\/strong> A startup runs a single VM on another provider and wants to migrate to OCI with minimal risk and an easy rollback.<\/li>\n
                                                                                                                                                                              • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                                              • Stand up new OCI Load Balancer + app instances<\/li>\n
                                                                                                                                                                              • Use Traffic Management weighted steering:
                                                                                                                                                                                  \n
                                                                                                                                                                                • 90% old endpoint<\/li>\n
                                                                                                                                                                                • 10% new OCI endpoint<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                                • Gradually increase OCI weight while monitoring errors and latency<\/li>\n
                                                                                                                                                                                • Why this service was chosen:<\/strong><\/li>\n
                                                                                                                                                                                • Enables gradual cutover without complex proxying<\/li>\n
                                                                                                                                                                                • Minimizes downtime risk<\/li>\n
                                                                                                                                                                                • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                                                • Controlled migration with rapid rollback (set weight back)<\/li>\n
                                                                                                                                                                                • Clear operational playbook for future releases<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                  \n\n\n\n
                                                                                                                                                                                  16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                                                  1) Is DNS and Traffic Management a single OCI service?<\/strong>\nIn OCI, DNS<\/strong> is the core service, and Traffic Management<\/strong> is delivered through steering policies<\/strong> and attachments<\/strong> that work with DNS. Oracle documentation often presents them together.<\/p>\n\n\n\n
                                                                                                                                                                                  2) Is OCI DNS authoritative?<\/strong>\nYes\u2014public DNS zones hosted in OCI act as authoritative DNS for delegated domains.<\/p>\n\n\n\n
                                                                                                                                                                                  3) Do I need to own a domain to practice?<\/strong>\nNo. You can create a public zone and query OCI authoritative nameservers directly using dig @nameserver<\/code>. For real production resolution, you must delegate the domain at your registrar.<\/p>\n\n\n\n
                                                                                                                                                                                  4) What is a steering policy attachment?<\/strong>\nIt binds a steering policy to a specific DNS name (like www.example.com<\/code>) within a zone.<\/p>\n\n\n\n
                                                                                                                                                                                  5) How does DNS-based failover differ from load balancer failover?<\/strong>\nDNS failover changes which endpoint name resolves to. Load balancer failover (within a region) typically changes backend selection without changing DNS answers. DNS failover is subject to caching and TTL delays.<\/p>\n\n\n\n
                                                                                                                                                                                  6) Can I route traffic based on geography?<\/strong>\nOCI Traffic Management supports geographic-style steering via policy rules (verify the exact rule types and behaviors in current docs).<\/p>\n\n\n\n
                                                                                                                                                                                  7) Can steering policies use health checks?<\/strong>\nYes. OCI steering policies can integrate with OCI Health Checks so unhealthy endpoints are not returned.<\/p>\n\n\n\n
                                                                                                                                                                                  8) Does Traffic Management replace a CDN or WAF?<\/strong>\nNo. It decides DNS answers. CDN\/WAF provide caching\/protection\/edge delivery for HTTP(S).<\/p>\n\n\n\n
                                                                                                                                                                                  9) Should I point DNS directly at compute instance IPs?<\/strong>\nFor labs, it\u2019s fine. In production, it\u2019s usually better to point at stable front doors like OCI Load Balancers<\/strong>, because instance IPs can change and instances are not ideal as internet entry points.<\/p>\n\n\n\n
                                                                                                                                                                                  10) How quickly does failover happen?<\/strong>\nIt depends on health check intervals and thresholds, plus DNS TTL and resolver caching. Some clients may continue using cached answers until TTL expiry.<\/p>\n\n\n\n
                                                                                                                                                                                  11) Can I use very low TTL (like 5 seconds) to get instant failover?<\/strong>\nVery low TTLs can increase query load and still won\u2019t guarantee instant change due to resolver behavior. Use low TTLs strategically and test with real resolvers.<\/p>\n\n\n\n
                                                                                                                                                                                  12) Does OCI DNS support DNSSEC?<\/strong>\nOCI DNS includes DNSSEC capabilities for zones (verify current support and required steps, including registrar DS record management).<\/p>\n\n\n\n
                                                                                                                                                                                  13) How do I manage DNS changes safely in teams?<\/strong>\nUse compartments, least-privilege IAM, automation with code review, and OCI Audit tracking. Consider a formal DNS change process for production.<\/p>\n\n\n\n
                                                                                                                                                                                  14) Can I integrate OCI DNS with Terraform?<\/strong>\nCommonly yes via the OCI Terraform provider, but verify current resource support for zones, records, and steering policies\/attachments in the provider documentation.<\/p>\n\n\n\n
                                                                                                                                                                                  15) What\u2019s the biggest operational gotcha?<\/strong>\nAssuming DNS failover is immediate. Always design and test with DNS caching realities and have runbooks for incident scenarios.<\/p>\n\n\n\n
                                                                                                                                                                                  16) Can I fail over between OCI and on-prem endpoints?<\/strong>\nYes, DNS can return any reachable endpoints. Ensure health checks can probe on-prem endpoints (firewall rules, allowlists, and routing must permit it).<\/p>\n\n\n\n
                                                                                                                                                                                  17) Do I get query logs for DNS?<\/strong>\nOCI provides strong control-plane auditing (who changed what). Query logging availability and format should be confirmed in official docs for your region and service version\u2014do not assume per-query logs exist.<\/p>\n\n\n\n
                                                                                                                                                                                  \n\n\n\n
                                                                                                                                                                                  17. Top Online Resources to Learn DNS and Traffic Management<\/h2>\n\n\n\n
                                                                                                                                                                                  \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                                  Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                  Official Documentation<\/td>\nOCI DNS Documentation \u2013 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/DNS\/home.htm<\/td>\nCore concepts, zones, records, DNSSEC, and operational guidance<\/td>\n<\/tr>\n
                                                                                                                                                                                  Official Documentation<\/td>\nOCI Traffic Management Documentation \u2013 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/TrafficManagement\/home.htm<\/td>\nSteering policies, rule types, attachments, and examples (verify URL if Oracle reorganizes docs)<\/td>\n<\/tr>\n
                                                                                                                                                                                  Official Documentation<\/td>\nOCI Health Checks Documentation \u2013 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/HealthChecks\/home.htm<\/td>\nHealth check configuration, probe behavior, and troubleshooting<\/td>\n<\/tr>\n
                                                                                                                                                                                  Official CLI Reference<\/td>\nOCI CLI DNS Commands \u2013 https:\/\/docs.oracle.com\/en-us\/iaas\/tools\/oci-cli\/latest\/oci_cli_docs\/cmdref\/dns.html<\/td>\nAutomate DNS zones\/records and learn object models<\/td>\n<\/tr>\n
                                                                                                                                                                                  Official CLI Reference<\/td>\nOCI CLI Health Checks Commands \u2013 https:\/\/docs.oracle.com\/en-us\/iaas\/tools\/oci-cli\/latest\/oci_cli_docs\/cmdref\/health-checks.html<\/td>\nAutomate monitors used in Traffic Management<\/td>\n<\/tr>\n
                                                                                                                                                                                  Official Pricing<\/td>\nOracle Cloud Pricing \u2013 https:\/\/www.oracle.com\/cloud\/pricing\/<\/td>\nHigh-level pricing model and service entry points<\/td>\n<\/tr>\n
                                                                                                                                                                                  Official Pricing<\/td>\nOracle Cloud Price List \u2013 https:\/\/www.oracle.com\/cloud\/price-list\/<\/td>\nSKU-level detail (search for DNS, Health Checks, Load Balancer)<\/td>\n<\/tr>\n
                                                                                                                                                                                  Official Cost Tool<\/td>\nOCI Cost Estimator \u2013 https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\nBuild estimates for multi-region and LB-heavy designs<\/td>\n<\/tr>\n
                                                                                                                                                                                  Official Labs<\/td>\nOracle LiveLabs Catalog \u2013 https:\/\/apexapps.oracle.com\/pls\/apex\/r\/dbpm\/livelabs\/home<\/td>\nHands-on labs; search for DNS\/Traffic Management\/Networking<\/td>\n<\/tr>\n
                                                                                                                                                                                  Architecture Guidance<\/td>\nOCI Architecture Center \u2013 https:\/\/docs.oracle.com\/solutions\/<\/td>\nReference architectures; search for DNS, multi-region, DR patterns<\/td>\n<\/tr>\n
                                                                                                                                                                                  Community Learning (Reputable)<\/td>\nOCI GitHub \u2013 https:\/\/github.com\/oracle\/oci<\/td>\nSamples and tools; verify DNS-related examples by repo and date<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                  \n\n\n\n
                                                                                                                                                                                  18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                                                  \n\n\n\n\n\n\n\n\n
                                                                                                                                                                                  Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                  DevOpsSchool.com<\/td>\nDevOps engineers, SREs, architects, beginners<\/td>\nOCI fundamentals, DevOps practices, cloud networking basics<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                  ScmGalaxy.com<\/td>\nStudents, engineers learning tooling<\/td>\nSCM\/DevOps foundations; may include cloud modules<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                  CLoudOpsNow.in<\/td>\nCloud ops and platform teams<\/td>\nOperations, monitoring, reliability practices<\/td>\nCheck website<\/td>\nhttps:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                                  SreSchool.com<\/td>\nSREs, platform engineers<\/td>\nReliability engineering, incident response, operations<\/td>\nCheck website<\/td>\nhttps:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                  AiOpsSchool.com<\/td>\nOps + automation practitioners<\/td>\nAIOps concepts, automation, observability<\/td>\nCheck website<\/td>\nhttps:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                  \n\n\n\n
                                                                                                                                                                                  19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                                                  \n\n\n\n\n\n\n\n
                                                                                                                                                                                  Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                  RajeshKumar.xyz<\/td>\nDevOps\/cloud training content (verify specific OCI coverage)<\/td>\nBeginners to intermediate engineers<\/td>\nhttps:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                                                  devopstrainer.in<\/td>\nDevOps training and mentoring (verify course catalog)<\/td>\nEngineers seeking guided learning<\/td>\nhttps:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                                  devopsfreelancer.com<\/td>\nFreelance DevOps help\/training (treat as a platform unless verified)<\/td>\nTeams needing short-term expert assistance<\/td>\nhttps:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                  devopssupport.in<\/td>\nDevOps support\/training services (verify offerings)<\/td>\nOps teams and DevOps practitioners<\/td>\nhttps:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                  \n\n\n\n
                                                                                                                                                                                  20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                                                  \n\n\n\n\n\n\n
                                                                                                                                                                                  Company Name<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                  cotocus.com<\/td>\nCloud\/DevOps consulting (verify OCI specialization)<\/td>\nArchitecture, automation, operations improvements<\/td>\nDNS governance design, migration runbooks, IaC enablement<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                  DevOpsSchool.com<\/td>\nDevOps enablement and training\/consulting<\/td>\nPlatform engineering practices, CI\/CD, cloud ops<\/td>\nDNS automation pipeline, production change management, DR testing process<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                  DEVOPSCONSULTING.IN<\/td>\nDevOps consulting services (verify portfolio)<\/td>\nDevOps transformation, tooling, operations<\/td>\nMulti-region readiness assessment, monitoring + runbooks, Terraform adoption<\/td>\nhttps:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                  \n\n\n\n
                                                                                                                                                                                  21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                                                  What to learn before this service<\/h3>\n\n\n\n
                                                                                                                                                                                    \n
                                                                                                                                                                                  • DNS fundamentals:<\/li>\n
                                                                                                                                                                                  • Authoritative vs recursive DNS<\/li>\n
                                                                                                                                                                                  • NS delegation, SOA, TTL, record types<\/li>\n
                                                                                                                                                                                  • OCI fundamentals:<\/li>\n
                                                                                                                                                                                  • Tenancy, compartments, IAM policies<\/li>\n
                                                                                                                                                                                  • VCN basics: subnets, IGW, route tables, security lists\/NSGs<\/li>\n
                                                                                                                                                                                  • Basic Linux and networking:<\/li>\n
                                                                                                                                                                                  • dig<\/code>, curl<\/code>, ssh<\/code>, firewall basics<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                    What to learn after this service<\/h3>\n\n\n\n
                                                                                                                                                                                      \n
                                                                                                                                                                                    • OCI Load Balancing (L7 routing, TLS termination, backends)<\/li>\n
                                                                                                                                                                                    • Multi-region design patterns in OCI:<\/li>\n
                                                                                                                                                                                    • Data replication, DR drills, RTO\/RPO planning<\/li>\n
                                                                                                                                                                                    • Security services:<\/li>\n
                                                                                                                                                                                    • OCI WAF, OCI Vault, Cloud Guard (as applicable)<\/li>\n
                                                                                                                                                                                    • Observability:<\/li>\n
                                                                                                                                                                                    • OCI Monitoring\/Logging, distributed tracing (service-dependent)<\/li>\n
                                                                                                                                                                                    • Infrastructure as Code:<\/li>\n
                                                                                                                                                                                    • Terraform for OCI DNS, health checks, and networking<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                      Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                                                        \n
                                                                                                                                                                                      • Cloud Engineer \/ Cloud Administrator<\/li>\n
                                                                                                                                                                                      • Network Engineer (cloud)<\/li>\n
                                                                                                                                                                                      • DevOps Engineer<\/li>\n
                                                                                                                                                                                      • Site Reliability Engineer (SRE)<\/li>\n
                                                                                                                                                                                      • Solutions Architect \/ Cloud Architect<\/li>\n
                                                                                                                                                                                      • Security Engineer (DNS governance, DNSSEC, change control)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                        Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                                                                        Oracle updates certification tracks over time. Start by checking Oracle University certification paths relevant to:\n– OCI Foundations\n– OCI Architect\n– OCI Networking (if offered)<\/p>\n\n\n\n
                                                                                                                                                                                        Verify current certification names and exam codes at: https:\/\/education.oracle.com\/<\/p>\n\n\n\n
                                                                                                                                                                                        Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                                          \n
                                                                                                                                                                                        • Build a multi-region \u201chello world\u201d with DNS failover (this lab, extended to two regions)<\/li>\n
                                                                                                                                                                                        • Implement weighted rollouts for an API version upgrade<\/li>\n
                                                                                                                                                                                        • Create a private DNS zone for internal services in a VCN (verify Private DNS constructs)<\/li>\n
                                                                                                                                                                                        • Automate DNS changes with Terraform and a CI\/CD pipeline including approvals<\/li>\n
                                                                                                                                                                                        • Implement DNSSEC on a test domain and validate with common DNSSEC tools<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                          \n\n\n\n
                                                                                                                                                                                          22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                                            \n
                                                                                                                                                                                          • Authoritative DNS<\/strong>: DNS servers that provide official answers for a domain\u2019s zone data.<\/li>\n
                                                                                                                                                                                          • Recursive resolver<\/strong>: A DNS server that queries other DNS servers on behalf of a client and caches results.<\/li>\n
                                                                                                                                                                                          • DNS zone<\/strong>: Administrative boundary containing DNS records for a domain (e.g., example.com<\/code>).<\/li>\n
                                                                                                                                                                                          • Record (RR)<\/strong>: A DNS entry (A, AAAA, CNAME, TXT, MX, etc.).<\/li>\n
                                                                                                                                                                                          • RRSet<\/strong>: A set of records with the same name and type (e.g., multiple A records for www<\/code>).<\/li>\n
                                                                                                                                                                                          • TTL (Time to Live)<\/strong>: Cache duration for a DNS answer.<\/li>\n
                                                                                                                                                                                          • DNSSEC<\/strong>: Security extensions that sign DNS data to allow validation by resolvers.<\/li>\n
                                                                                                                                                                                          • Traffic Management steering policy<\/strong>: OCI policy defining how DNS answers are selected (failover, weighted, geo, etc.).<\/li>\n
                                                                                                                                                                                          • Steering policy attachment<\/strong>: Object that applies a steering policy to a specific DNS name in a zone.<\/li>\n
                                                                                                                                                                                          • Health check<\/strong>: Active probe to determine if an endpoint is reachable\/healthy.<\/li>\n
                                                                                                                                                                                          • Endpoint<\/strong>: The destination returned by DNS (IP address, or sometimes hostname depending on record type).<\/li>\n
                                                                                                                                                                                          • Compartment (OCI)<\/strong>: A logical container for resources in OCI, used for access control and organization.<\/li>\n
                                                                                                                                                                                          • IAM policy (OCI)<\/strong>: Authorization rules controlling access to OCI resources.<\/li>\n
                                                                                                                                                                                          • VCN (Virtual Cloud Network)<\/strong>: OCI\u2019s virtual network construct.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                            \n\n\n\n
                                                                                                                                                                                            23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                                            DNS and Traffic Management<\/strong> in Oracle Cloud<\/strong> (within Networking, Edge, and Connectivity<\/strong>) combines managed authoritative DNS with policy-driven routing through Traffic Management steering policies<\/strong>. It helps you publish reliable DNS records, implement health-aware failover, and steer users across endpoints or regions for resilience and performance.<\/p>\n\n\n\n
                                                                                                                                                                                            Key takeaways:\n– DNS gives you naming; Traffic Management helps decide which endpoint<\/em> DNS should return.\n– Costs are usually driven more by load balancers, compute, and egress<\/strong> than by DNS itself, but verify DNS\/health-check pricing in Oracle\u2019s official price list.\n– Security and governance depend on strong OCI IAM<\/strong>, compartment design, auditability, and careful DNSSEC implementation where required.\n– Use it when you need multi-endpoint or multi-region routing<\/strong>, failover, and controlled rollouts\u2014while accepting DNS caching realities.<\/p>\n\n\n\n
                                                                                                                                                                                            Next step: read the official OCI DNS and Traffic Management docs, then extend the lab to two OCI regions<\/strong> with real delegation of a subdomain and a production-grade front door (OCI Load Balancer + TLS).<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                                            Networking, Edge, and Connectivity<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74,62],"tags":[],"class_list":["post-943","post","type-post","status-publish","format-standard","hentry","category-networking-edge-and-connectivity","category-oracle-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/943","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=943"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/943\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}