Kentik for OCI

The export of flow logs from Oracle Cloud Infrastructure (OCI) is covered in the following topics:

An example OCI tenancy and region with three domains and one VCN.
 

About OCI Flow Logs

In an OCI "tenancy" (a.k.a. account; see What is a Tenancy?), flow logging is facilitated through Oracle Cloud Infrastructure Logging, a service that captures, stores, indexes, and monitors log data (see Oracle's Logging Overview). These logs include Virtual Cloud Network (VCN) Flow Logs, which are crucial for monitoring and diagnosing network traffic within OCI. As detailed in the Oracle article VCN Flow Logs, these logs may be enabled for an entire VCN — meaning on all existing and future Virtual Network Interface Cards (VNICs) in all of the VCN's subnets — or selectively on specific subnets, VNICs, or resources (e.g. instances or load balancers).

VCN flow logs are formatted in JSON and include detailed network flow information as specified in the OCI documentation Details for VCN Flow Logs. They are sent to an OCI Object Storage bucket, which aggregates logs from all VCNs within a specific compartment or across multiple compartments (see Oracle's Object Storage Buckets).

Kentik's OCI cloud export tool uses OCI APIs to access the OCI Object Storage bucket and retrieve flow logs, which it then forwards to the Kentik Data Engine (KDE). At KDE ingest, the logs are normalized to conform to Kentik's internal data format, supplemented with OCI-specific metadata, and then stored for analysis and access via Kentik's platform. Within Kentik (e.g. in the Kentik portal's Public Clouds page), these logs are typically presented as a single "cloud export" and are associated with a single "cloud device."

 

OCI Logging Setup Overview

Setting up a cloud export, which enables Kentik to access and ingest OCI flow logs, involves configuration in both the OCI console and the Kentik portal. The setup workflow, covered in detail in the topics below, is summarized here (performed in the OCI console unless otherwise stated). This workflow assumes that you already have a Virtual Cloud Network (VCN) in OCI:

  1. Create a user representing the Kentik cloud export tool (see Create an OCI User).
  2. Create a group and assign the user to it (see Create an OCI User Group).
  3. Add a public key to enable secure authentication of the Kentik cloud export tool (see Configure an API Key).
  4. Create a policy whose "statements" (permissions) will allow read-only access to the flow logs, and assign the policy to the group created above (see Create an OCI Policy). As a member of the group, the export tool will be covered by this policy.
  5. Create an Object Storage bucket to which logs can be published (see Configure an OCI Bucket).
  6. Enable flow logs for your resources, e.g. VCN (see Enable Flow Logs).
  7. Create a connector to move logs from monitored resources (e.g. VCN) to the Object Storage bucket (see Configure an OCI Connector).
  8. In the Kentik portal, create a new cloud export (see Add Cloud Export in Kentik).

OCI Clouds in the Portal

Successful completion of the workflow tasks listed above will typically have the following effect in the Kentik portal:

  • A new cloud export will be shown as an added row in the Kentik portal’s Cloud Exports List (on the Settings » Public Clouds page). The cloud export will represent the collection of OCI resources whose logs are pulled by Kentik from one OCI Object Storage bucket.
  • The Devices column in the Cloud Exports list will show one cloud device for the export, as will the Devices list on the export's Cloud Details Page.

Note: In some cases (e.g. high volume of flow records) Kentik may optimize the ingest of flow records by creating multiple cloud devices within a single cloud export.

OCI Console Info for Portal

The table below shows information that you can gather while you're making settings in the OCI console so that you'll have it when you need it later on the Monitor your OCI Cloud page in the Kentik portal.

Field               | Page               | Notes
--------------------|--------------------|--------------------------------------------------------------------------
Tenancy OCID        | Tenancy details    |
Compartment OCID    | Compartments page  | Same as tenancy OCID unless you don't use the default compartment for logging.
Home Region         | Domain details     | Get the city name (in parentheses).
User OCID           | User details       | ID of the user created to represent the Kentik cloud export tool.
Bucket name         | Bucket details     | The bucket to which flow logs are directed by the connector.
Bucket namespace    | Bucket details     |
Connector OCID      | Connector details  |
Object Name Prefix  | Connector details  |

 

Configure Log Export in OCI

The workflow to create a Kentik cloud export for OCI is covered in the following topics:

Note: This workflow assumes the following:
- That the steps will be followed in order.
- That you already have a VCN in OCI.
- That you are using the default compartment (see Oracle's What is a Compartment) of your tenancy (account) for flow log export. If using a compartment other than the default, select that compartment for any Compartment settings in the topics below.

 

Create an OCI User

We'll begin our OCI export setup by creating a separate user identity within our OCI tenancy (account) that will enable us to assign the permissions that the Kentik cloud export tool will need to access the flow logs. This user doesn't represent an actual person and can be assigned any name and email of your choosing. The topics below cover the creation of this user within the OCI dashboard.

Navigate to Create User

To navigate to the Create User drawer within OCI:

  1. Sign in to the OCI dashboard using your OCI account credentials.
  2. Click the hamburger icon at the top left of any OCI console page to open the main menu. In the menu's left sidebar, click Identity & Security, then choose Domains in the main menu (under Identity).
  3. On the Domains page, check that the Compartment drop-down (in the left sidebar under List Scope) is set to "username (root)," then choose the default domain provided by OCI.
    Note: While the default domain can be used for the creation of a Kentik cloud export, it may be better practice to create and choose your own custom domain (see Creating an Identity Domain).
  4. On the Overview page for your chosen domain (default or custom), choose Users from the left sidebar to take you to the Users page, where you’ll find a list of existing users.

Create Kentik Export User

To create the new user for a Kentik cloud export:

  1. On the Users page, click the Create user button located at the top of the Users list. The Create user drawer will open from the right.
  2. In the fields of the drawer, enter the following information:
    - First name: Provide a first name for the cloud export user.
    - Last Name: Provide a last name for the cloud export user.
    - Username / Email: Provide an email address, or uncheck the Use the email address as the username checkbox and provide both username and email.
    Note: The remaining settings within the Create User drawer are not required for the creation of a Kentik cloud export (see Adding Users).
  3. Click the Create button to create the user, after which you'll be taken to the page for the new user.
 

Create an OCI User Group

Next we'll need to assign our new cloud export user to a user group to enable access to the permissions of the policies assigned to that group. To create a new group and associate the user to that group:

  1. In the breadcrumbs on the new user's page, click the segment representing your chosen domain (e.g. "Default domain").
  2. On your domain's page, use the left sidebar to navigate to the Groups page, where you’ll see a list of existing groups.
  3. Click the Create group button at the top left of Groups list. The Create group drawer will open from the right.
  4. In the fields of the drawer, enter the following information:
    - Name: Provide a unique name for the group.
    - Description: Enter a description of the group. This should briefly explain the group’s intended purpose.
  5. In the list of users, assign the user to the group by checking the checkbox for the user that you created in Create Kentik Export User.
    Note: The remaining settings within the Create Group drawer are optional for the creation of a Kentik cloud export. Refer to the topic Create a group in Adding Users for more information.
  6. Click the Create button to create the group, after which you'll be taken to the page for the new group.
 

Configure an API Key

Once we've created the user group, we can add the Kentik public key to our Kentik cloud export user, which is covered in the topics below.

Navigate to API Keys

To navigate to the API Keys table within OCI:

  1. In the breadcrumbs on the new group's page, click the segment representing your chosen domain (e.g. "Default domain").
  2. On your domain's page, use the left sidebar to navigate to the Users page, where you’ll see a list of existing users.
  3. Click the link for the user that you created in Create Kentik Export User, which will open the user’s page.
  4. Click API Keys in the left sidebar to show the API Keys list.

Add API Key

To add the API key to the user:

  1. Click the Add API Key button at the top left of the API Keys list. The Add API Key drawer will open from the right.
  2. Choose the Paste a public key radio button, which opens a text input field.
  3. Paste the following public key into the field:
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2sbJHU32oEPOnqVpWD0G
    beJwVBvhyb4Y+rmJYCG1EyqH5PscIhJG6TLPs3iS599gpuUPeNR7WqKno6Bdrts6
    WgyQeJh+n9yInSvJPpmGN1mU1EGiCuXYBSR0DaOUEN1ZMvUm5bm4yHxonbFSqTGn
    7yGe6/kY2eGVfs6tTbcC5eSswxIrolWahYAFGVHnHV4k3ER2acRMYrYjKWrjPyN2
    EYJAuzvPtIrDLiRCAM0WioGp6wx2bJJvpUaDxat2ka+Q6XviG6miPzYTo3YJoAbQ
    2sNEIhNFzpsNBGCDlaahGyt4cw0XBKKwPCzcDN3yU7BXHRZiiMIkvLpL/hnXmCWe
    twIDAQAB
    -----END PUBLIC KEY-----

    Note: Convert this key to plain text — keeping the BEGIN and END lines on separate lines — before pasting.
  4. Click the Add button to save the key. This will add the key and open the Configuration file preview dialog.
  5. Verify that the Select API key fingerprint field contains the following:
    d0:b4:75:ac:39:8a:90:b0:cf:ee:3e:ee:b9:0c:07:ff
  6. Click the Copy link to save the Configuration file preview to your clipboard, from which you can paste it into a text file to save the information for later.
  7. Close the dialog, which will leave you on the API Keys page for your Kentik cloud export user.
 

Create an OCI Policy

An OCI policy dictates what actions a group of users can perform on which resources. In the case of a cloud export it's used to provide permissions for the user group that includes the Kentik cloud export tool, enabling the tool to read resources from the storage bucket where flow logs are collected.

To create a policy:

  1. Click the hamburger icon at the top left of any OCI console page to open the main menu. In the menu's left sidebar, choose Identity & Security, then click Policies on the main menu itself (under Identity).
  2. On the Policies page, click the Create Policy button at the top left of the Policies table to open the Create Policy page.
  3. Enter a unique Name for the policy.
  4. Provide a Description.
  5. The Compartment drop-down selects the compartment where the policy will be applied (policies affect the resources in the selected compartment and all its subcompartments). By default this will be your root compartment unless you created a different compartment for flow log export.
  6. Turn on the Show manual editor switch, which opens a text input field.
  7. Enter the "policy statements" (permissions) below into the input field, replacing the groupId placeholder with the group OCID (in quotes) found on the Group page from your created group.
    Example: Statements with highlighted placeholder:
    Define group groupRef as "groupId"
    Allow group groupRef to READ all-resources in tenancy
    Note: The policy above grants read-only access to all tenancy (account) metadata. To narrow your policy's permissions, see OCI Policy Statements.
  8. Click the Create button to save the policy, after which you'll be taken to the page for the new policy.
 

Configure an OCI Bucket

An OCI bucket is a storage location from which Kentik can read your cloud network traffic data (flow logs). We need to create a new bucket and then associate it with a policy that grants read-only access to the OCI user that we created to represent the Kentik export tool.

Create an OCI Bucket

To create a new OCI Bucket:

  1. Click the hamburger icon at the top left of any page to open the main menu. In the menu's left sidebar, choose Storage, then click Buckets on the main menu itself (under Object Storage & Archive Storage).
  2. On the Buckets tab of the Object Storage & Archive Storage page, click the Create Bucket button at the top left of the Buckets list. The Create Bucket drawer will open from the right.
  3. Enter a Bucket Name.
    Note: The remaining settings within the Create Bucket drawer are not required for the creation of a Kentik Cloud Export (see Creating an Object Storage Bucket).
  4. Click the Create button to close the drawer and create the bucket, which you'll now see in the Buckets list.

Create Policy for Bucket

To create a policy for our new bucket, enabling access to it from the group we created in Create an OCI User Group (which includes the user we created for the Kentik cloud export tool):

  1. As described in steps 1 to 6 of Create an OCI Policy, go back to the Create Policy form, create a new policy (this time for the new bucket), and open the manual editor.
  2. Enter the policy statements (permissions) below into the input field, replacing the following placeholders with actual values:
    - groupId is the OCID for the group (in double quotes), which is on the Group page from your created group.
    - bucketName is the name that you specified earlier in the Create Bucket form. OCI policy conditions compare against a string literal, so keep the name in single quotes.
    Example: Statements with highlighted placeholders:
    Define group groupRef as "groupId"
    Allow group groupRef to READ buckets in tenancy WHERE target.bucket.name='bucketName'
    Allow group groupRef to READ objects in tenancy WHERE target.bucket.name='bucketName'
  3. Click the Create button to save the policy, after which you'll be taken to the page for the new policy.
 

Enable Flow Logs

Flow logs capture information about traffic going to and from your VCN. In OCI, flow log configuration consists of capture filters and enablement points. Assuming that you have a VCN in OCI to capture traffic information, we need to create a log group, create a capture filter, and add an enablement point to allow for the collection of flow logs.

Create a Log Group

To create a log group:

  1. Click the hamburger icon at the top left of any page to open the main menu. In the menu's left sidebar, choose Networking, then click Flow logs on the main menu itself (under Network Command Center).
  2. On the Flow Logs page, click the Enable flow logs button at the top left of the Flow log configurations table to open a drawer containing the first step in the Enable flow logs wizard.
  3. Enter a File name prefix for the flow logs.
  4. Click the drop-down in the Flow log destination pane and select Create new log group. The Create log group drawer will open from the right.
  5. Enter a unique Name for the log group.
  6. Check that the Compartment drop-down is set to "username (root)".
  7. Enter a Description (optional).
  8. Click the Create log group button to close the drawer and create the group, after which you’ll be returned to the Enable flow logs wizard.

Create a Capture Filter

Creating an OCI Capture Filter is required to enable flow logs. A capture filter decreases the size of the incoming data stream by capturing only the traffic that matches the filter. To create a capture filter:

  1. In the Capture filter pane of the Enable flow logs drawer, click the drop-down and choose Create new capture filter. The Create capture filter drawer will open from the right.
  2. Enter a unique Name for the capture filter.
  3. Check that the Compartment drop-down is set to "username (root)".
  4. Click the Sampling rate drop-down to select a preferred sampling rate, which is the percentage of network flows for which OCI will generate flow logs.
    Note: The remaining settings within the Create capture filter drawer are optional for the creation of a Kentik cloud export (see Creating a Capture Filter).
  5. Click the Create capture filter button to close the drawer, after which you’ll be returned to the Enable flow logs wizard.

Note: A capture filter may be set to capture flows based on criteria other than sampling rate. For more information, see the Oracle article Capture Filters.

Add Enablement Point

To add an enablement point:

  1. In the Enable flow logs wizard, click the Next button to continue to the Enablement points step.
  2. Click the Add enablement points button to open the Add enablement point dialog.
  3. Select Virtual Cloud Network.
  4. Click the Continue button. The Add virtual cloud network enablement points drawer will open from the right.
  5. Use the Virtual cloud network drop-down to select a VCN. Multiple VCNs may be added with the + Another Enablement point button.
  6. Click the Add enablement points button to close the drawer, after which you’ll be returned to the Enable flow logs wizard.
  7. Click the Next button to continue to the Review and create step of the wizard.
  8. Click the Enable flow logs button to close the drawer, after which you’ll be taken to the page for the new flow log configuration.
 

Configure an OCI Connector

An OCI Connector is a managed service offered by Oracle that allows for the integration and automation of data flows across various OCI services. The service connector facilitates the flow of logs or metrics to external destinations such as Kentik. The topics below outline the steps to create an OCI Connector.

Create a Connector

To create an OCI connector:

  1. Click the hamburger icon at the top left of any page to open the main menu. In the menu's left sidebar, choose Analytics & AI, then click Connector Hub on the main menu itself (under Messaging).
  2. On the Connectors page, click the Create Connector button at the top left of the Connectors table. The Create connector drawer will open from the right.
  3. Enter a Connector name for the connector.
  4. Enter a Description.
  5. Check that the Resource compartment drop-down is set to "username (root)".
  6. Click the Source drop-down and select Logging. This will display the Configure source pane.
  7. Fill out the Configure source pane as described in Configure Source Connection.
  8. Click the Target drop-down and select Object Storage for the connector. This will display the Configure target pane.
  9. Fill out the Configure target pane as described in Configure Target Connection.
    Note: The remaining settings within the Create connector page are optional for the creation of a Kentik cloud export (see Creating a Connector).
  10. Once the target is configured, a callout with "Create policy…" will appear beneath the Configure target pane. Click the Create button in the callout. The callout will change to "Policy created…" and include a link to the new policy.
  11. Click the overall Create button for the Create connector drawer, which closes the drawer and takes you to the page for the new connector.

Note: The switch in the Enable logs pane of the Create connector drawer refers to connector logging rather than flow logging and can be left off.

Configure Source Connection

To configure the source connection in the Create connector drawer:

  1. Check that the Compartment name drop-down is set to "username (root)".
  2. Click the Log group drop-down and select the log group created from Create a Log Group.
  3. Click the Logs drop-down and select the flow log created from Enable Flow Logs.

Note: The remaining settings within the Configure source pane are optional for the creation of a Kentik cloud export (see Creating a Connector).

Configure Target Connection

To configure the target connection in the Create connector drawer:

  1. Check that the Compartment name drop-down is set to "username (root)".
  2. Click the Bucket drop-down and select a bucket for Kentik to read data from, which will be the bucket created in Create an OCI Bucket.
  3. The target of the connector will be an object (equivalent to a folder) in the bucket, to which the connector writes the flow logs. The object's name is the path to that object. To make the connector's objects easy to locate, you may optionally specify a prefix, e.g. flow-logs-bucket, in the Object Name Prefix field. The prefix will be prepended to the object name.

Note: The default batch size is 100 MB, and the default batch time is 7 seconds. If you'd like to change the defaults, click Show additional options at the bottom of the pane.

 

Add Cloud Export in Kentik

To complete the setup of a cloud export from OCI, you'll work through the steps in the following topics:

 

About OCI Cloud Exports

Once you've set up logging as covered in Configure Log Export in OCI, you'll finish the setup of your OCI cloud export in the Kentik portal. The export is configured on the Monitor your OCI Cloud page, which opens from the Add OCI Cloud button on the Public Clouds Page. Configuration of the export is detailed in the topics below.

Note: For a reference to the settings and controls of the Monitor your OCI Cloud page, see OCI Provider Settings.

 

Create a Kentik Cloud Export

To create a Kentik cloud export for OCI, you'll open the Monitor Your OCI Cloud page, fill in information from the OCI console, and then complete the remaining configuration settings.

Open the OCI Setup Page

To open the Monitor Your OCI Cloud page:

  1. In the Kentik portal, click the hamburger icon at the top left of any page to open the main menu. In the menu's left sidebar, choose Settings to open the Settings page. Then click Public Clouds to open the Public Clouds Page.
  2. At the top of the Public Clouds page, click the Add OCI Cloud button, which takes you to the Monitor your OCI Cloud page.

Specify OCI Info Fields

Next we'll fill in some fields on the Monitor Your OCI Cloud page that take information that you get from the OCI console. There are several different ways to accomplish this:

  • Gather the information in advance by copying it into a text file as you configure OCI, then paste it from that file into the fields. For a list of the information you'll need, see OCI Console Info for Portal.
  • Start on the Monitor Your OCI Cloud page and use the links below each field to go to the console location where the information can be found.
    Note: If you're not already logged into the OCI console, these links will take you to the OCI sign-in page, after which you'll go to the link destination.
  • Keep the console open in one browser window and the portal page open in another, so you can easily copy and paste from one to the other.

To fill in the fields using the last method above:

  1. In the OCI console, click the user icon at the far right of the navbar to drop down the Profile menu, then choose Tenancy to go to the Tenancy details page.
  2. In the Tenancy information pane, click the Copy link next to the OCID field.
  3. In the Kentik portal, paste the copied tenancy OCID into the Tenancy ID field.
  4. If you haven't created any compartments in this tenancy, skip to step 6 and use the tenancy OCID as the compartment OCID. Otherwise, in the OCI console, click the hamburger icon at the far left of the navbar to open the main menu. In the menu's left sidebar, click Identity & Security, then choose Compartments in the main menu (under Identity) to go to the Compartments page.
  5. In the table listing compartments you'll see the compartment you used when configuring flow logs in the topics above (either the default compartment or a different compartment that you custom-created for logging). In the compartment's OCID column, hover over the displayed OCID fragment, which opens a popup. Click the copy button in the popup.
  6. In the Kentik portal, paste the copied compartment OCID into the Compartment ID field.
    Note: If you haven't created any compartments in this tenancy then the compartment ID will be the same as the tenancy ID.
  7. In the OCI console, click the Profile drop-down again, then choose Identity domain to go to the Domain page. In the Domain information pane, copy the value (city name) in parentheses in the Home Region field.
  8. In the Kentik portal, click the OCI Default Region drop-down and paste the city name from the console's Home Region field into the drop-down's filter field. Click the resulting menu item to specify the region.
  9. In the OCI console, click Users in the sidebar at the left of the Domain page, which will take you to the Users page.
  10. In the table listing users, click the link for the user that you created for the Kentik export tool in Create an OCI User, which takes you to the details page for that user.
  11. In the User information pane, click the Copy link next to the OCID field.
  12. In the Kentik portal, paste the copied user OCID into the User ID field.
  13. Click the Verify button to verify your OCI IDs are valid.
    - Valid: The entered credentials (OCIDs) have been successfully verified.
    - Not Authenticated: The credentials can't be validated.
    - Internal Error: The credentials caused an unexpected error.

Note: If the Verify operation doesn't return "Valid":
- Check that you chose the correct OCIDs and region when specifying the fields.
- Check that the user created in Create an OCI User is assigned to a group as covered in Create an OCI User Group.
- Check for errors (e.g. placeholders instead of actual values) in the statements of the policies created in Create an OCI Policy and Create Policy for Bucket.
- Check for other skipped or incorrect configuration steps in the topics above.
- If troubleshooting is unsuccessful, contact Kentik (see Customer Care).

 

Flow Log Collection

Assuming that the configuration so far returns "Valid" we can specify the flow log collection fields, which also use some information that we'll need from the OCI console. In the following procedure we'll once again do this by copying from the console, open in one browser window, and pasting into the Monitor Your OCI Cloud page, open in another.

To specify the flow log collection fields:

  1. In the OCI console, click the hamburger icon at the top left of any page to open the main menu. In the menu's left sidebar, choose Storage, then click Buckets on the main menu itself (under Object Storage & Archive Storage) to go to the Buckets page.
  2. In the table listing buckets you'll see the bucket you used when configuring flow logs in the OCI console. Click the link, which takes you to the bucket's page. Copy the bucket's name.
  3. In the Kentik portal, turn on the Flow Log Collection switch, which will show the Flow Log Collection Controls. Paste the bucket name into the Bucket Name field.
  4. Back in the console, copy the value of the Namespace field in the Bucket information pane, then paste it into the Bucket Namespace field in the portal page.
  5. Back in the console, click the hamburger icon at the top left to open the main menu. In the menu's left sidebar, choose Analytics & AI, then click Connector Hub on the main menu itself (under Messaging).
  6. In the table listing connectors you'll see the connector you used when configuring flow logs in the OCI console. Click the link, which takes you to the connector's page.
  7. In the information pane, click the Copy link next to the OCID field, then paste the value into the Service Connector OCID field in the portal page.
  8. If you specified an Object Name Prefix in Configure Target Connection, switch back to the console and click the Edit button on the connector page, which opens the Edit connector drawer.
  9. Scroll down to the Configure target pane, copy the value of the Object Name Prefix field, and paste it into the Flow Object Name Prefix field on the portal page.
  10. Click the Verify Flow Logs Bucket Access button to verify that the correct permissions have been associated with the bucket:
    - Valid: The entered resources have been successfully verified.
    - Not Authenticated: Read access to resources was unsuccessful due to incorrect credentials or permissions.
    - Internal Error: The resources caused an unexpected error.
  11. If the validation succeeds, you may next wish to reduce the flows per second of Kentik's flow log ingest below the fps that is captured in OCI based on the sampling rate that you set in Create a Capture Filter. If so, click the Sampling Rate button in the Sampling pane of the Monitor your OCI Cloud page, and enter a number in the Sampling Rate field that represents n in the following formula: ingest 1 of every n flow logs.
    Example: Assume that the actual rate of network flows within a monitored OCI VCN is 1000 fps, and the sampling rate set with the OCI Capture Filter is 50%, resulting in logs for 500 fps. If you then set Sampling Rate in the portal to 10, the ingest rate for this cloud export will be 50 fps.
    Note: This setting does not change the Sampling rate setting in the OCI capture filter.
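The collection path that the Object Name Prefix (Configure Target Connection) and the Sampling Rate step above describe, as an added offline model that is not Kentik's export tool: it filters a bucket listing by the connector's prefix, parses JSON flow log records, keeps 1 of every n, and reproduces the article's 1000 fps / 50% / n=10 arithmetic. The listing and records are constructed here; the record fields are assumed from Oracle's VCN flow log format, and the every-nth selection is an illustration, not Kentik's sampler.

```python
import json

# Constructed bucket listing: the connector writes under the prefix chosen in
# Configure Target Connection; unrelated objects in the bucket must be skipped.
CONSTRUCTED_LISTING = [
    "flow-logs-bucket/2024/05/01/00/part-0000.json",
    "flow-logs-bucket/2024/05/01/00/part-0001.json",
    "backups/db-2024-05-01.tar.gz",
]


def _record(i):
    """Build one constructed flow log record; the field names under "data"
    are assumed from Oracle's VCN flow log format, not taken from this page."""
    return json.dumps({
        "type": "com.oraclecloud.vcn.flowlogs.DataEvent",
        "data": {
            "action": "REJECT" if i % 4 == 0 else "ACCEPT",
            "sourceAddress": "10.0.1.%d" % (i % 250 + 1),
            "destinationAddress": "10.0.2.10",
            "destinationPort": 443,
            "protocol": 6,
            "bytesOut": 1500,
            "packets": 3,
        },
    })


# Constructed object contents: 250 JSON-lines records per flow log object,
# plus one object that is not a flow log at all.
CONSTRUCTED_OBJECTS = {
    name: "\n".join(_record(i) for i in range(250))
    for name in CONSTRUCTED_LISTING[:2]
}
CONSTRUCTED_OBJECTS["backups/db-2024-05-01.tar.gz"] = "not a flow log"


def objects_under_prefix(listing, prefix):
    """Keep only the objects the connector wrote, i.e. names starting with the
    Object Name Prefix (the prefix is prepended to the object name)."""
    return [name for name in listing if name.startswith(prefix)]


def parse_flow_records(text):
    """Parse one object's contents as JSON lines and return the per-flow
    "data" dicts; lines that are not JSON flow records are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and isinstance(obj.get("data"), dict):
            records.append(obj["data"])
    return records


def sample_one_in_n(records, n):
    """Ingest 1 of every n records (the portal's Sampling Rate semantics).
    Every nth record is kept here for determinism; this is an illustration."""
    if n < 1:
        raise ValueError("sampling rate n must be >= 1")
    return records[::n]


def ingest_fps(vcn_fps, capture_filter_pct, portal_sampling_n):
    """Resulting ingest rate: flows per second in the VCN, reduced by the OCI
    capture filter's sampling percentage, then by the portal's 1-in-n rate."""
    return vcn_fps * capture_filter_pct / 100.0 / portal_sampling_n


def summarize(records):
    """Count sampled flows by action, the kind of breakdown seen after ingest."""
    counts = {}
    for rec in records:
        counts[rec.get("action", "UNKNOWN")] = counts.get(rec.get("action", "UNKNOWN"), 0) + 1
    return counts


def collect(listing, objects, prefix, n):
    """Run the whole path: prefix filter, parse, sample; return kept records."""
    kept = []
    for name in objects_under_prefix(listing, prefix):
        kept.extend(sample_one_in_n(parse_flow_records(objects[name]), n))
    return kept


if __name__ == "__main__":
    sampled = collect(CONSTRUCTED_LISTING, CONSTRUCTED_OBJECTS, "flow-logs-bucket", 10)
    print(len(sampled), "records kept;", summarize(sampled))
    print("article example ingest rate:", ingest_fps(1000, 50, 10), "fps")
```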
 

Name this Cloud Export

Next we'll finalize the cloud export by completing the Name this Cloud Export pane of the Monitor your OCI Cloud page, then saving the export.

To complete the configuration of the export:

  1. Enter a Name for your cloud export.
  2. Enter a Description. This is optional but can be helpful in explaining the intended use for your cloud export.
  3. Select a Billing Plan from the drop-down.
  4. Click the Save button to create your cloud export. This will save the cloud export and take you back to the Public Clouds Page.

With the setup process complete, you'll now see the new OCI cloud export in the Cloud Exports List as shown below. The Devices column will initially indicate "No Devices" but after some time will show "1 device."

 

OCI Policy Statements

The policy created in the above workflow gives the Kentik cloud export tool broad access across your entire OCI tenancy. If preferable, given your organization's security policies, you can instead limit Kentik to the narrowest subset of OCI API calls needed to access your metadata and resources for flow export. The policy statements (permissions) below, which grant read-only access to these specific calls, can be used in step 7 of Create an OCI Policy (in place of the example statements).

Define group groupRef as "groupId"
Allow group groupRef to INSPECT tenancies in tenancy
Allow group groupRef to READ vcns in tenancy
Allow group groupRef to READ capture-filters in tenancy
Allow group groupRef to READ cpes in tenancy
Allow group groupRef to READ nat-gateways in tenancy
Allow group groupRef to READ drg-object in tenancy
Allow group groupRef to READ cross-connects in tenancy
Allow group groupRef to READ route-tables in tenancy
Allow group groupRef to READ virtual-circuits in tenancy
Allow group groupRef to READ local-peering-gateways in tenancy
Allow group groupRef to READ network-security-groups in tenancy
Allow group groupRef to READ drg-attachments in tenancy
Allow group groupRef to READ drg-route-distributions in tenancy
Allow group groupRef to READ drg-route-tables in tenancy
Allow group groupRef to READ subnets in tenancy
Allow group groupRef to READ security-lists in tenancy
Allow group groupRef to READ ipsec-connections in tenancy
Allow group groupRef to READ internet-gateways in tenancy

Note: groupId is the group OCID found on the group's page in the OCI Console.
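A check for the statements above and those in Create an OCI Policy and Create Policy for Bucket, added here and not Kentik's or Oracle's code: it lints policy text written in the form this page uses, reporting the mistakes the Verify troubleshooting list names (placeholders left in place, unquoted bucket names, a group with no Define statement) and warning on any statement broader than read-only access to one bucket. It accepts only this page's subset of the policy language, not the full OCI grammar.

```python
import re

# OCI policy verbs from least to most permissive: inspect, read, use, manage.
# Only the first two are read-only, which is all the export tool needs.
READ_ONLY_VERBS = {"inspect", "read"}
# Placeholders used in this article's example statements.
PLACEHOLDERS = ("groupId", "bucketName")

DEFINE_RE = re.compile(r'^define\s+group\s+(?P<name>\S+)\s+as\s+"(?P<ocid>[^"]*)"$', re.I)
ALLOW_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+tenancy(?:\s+where\s+(?P<cond>.+))?$", re.I)
# The only condition this page uses; OCI string values are single-quoted.
BUCKET_COND_RE = re.compile(r"^target\.bucket\.name\s*=\s*'(?P<bucket>[^']+)'$", re.I)


def lint_policy(text):
    """Check policy statements in the form used on this page.

    Returns (errors, warnings): errors are mistakes that break access
    (unreplaced placeholders, unquoted values, undefined group, non-read-only
    verbs); warnings are valid statements that grant more than one bucket."""
    errors, warnings, defined = [], [], set()
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        for placeholder in PLACEHOLDERS:
            if placeholder in line:
                errors.append("line %d: placeholder %s not replaced" % (lineno, placeholder))
        m = DEFINE_RE.match(line)
        if m:
            defined.add(m.group("name").lower())
            if not m.group("ocid").startswith("ocid1.group."):
                errors.append("line %d: expected a group OCID in double quotes" % lineno)
            continue
        m = ALLOW_RE.match(line)
        if not m:
            errors.append("line %d: statement not in the form used on this page" % lineno)
            continue
        if m.group("group").lower() not in defined:
            errors.append("line %d: group %s has no Define statement" % (lineno, m.group("group")))
        verb = m.group("verb").lower()
        if verb not in READ_ONLY_VERBS:
            errors.append("line %d: verb %s is not read-only" % (lineno, verb.upper()))
        resource = m.group("resource").lower()
        cond = m.group("cond")
        if resource in ("buckets", "objects"):
            if cond is None:
                warnings.append("line %d: %s not limited to one bucket" % (lineno, resource))
            elif not BUCKET_COND_RE.match(cond.strip()):
                errors.append("line %d: bucket name must be single-quoted, "
                              "e.g. target.bucket.name='my-bucket'" % lineno)
        elif resource == "all-resources":
            warnings.append("line %d: READ all-resources grants more than the export "
                            "needs; see the narrowed statements above" % lineno)
    return errors, warnings


if __name__ == "__main__":
    # Constructed example: the bucket policy with placeholders still in place.
    sample = '''
    Define group groupRef as "groupId"
    Allow group groupRef to READ buckets in tenancy WHERE target.bucket.name=bucketName
    '''
    for kind, items in zip(("error", "warning"), lint_policy(sample)):
        for item in items:
            print(kind + ":", item)
```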

 

OCI API Operations

The Kentik cloud export tool uses the API operations in the table below.

Service              | Operation
---------------------|----------------------------
computeClient        | listInstances
computeClient        | listVnicAttachments
IdentityClient       | listRegionSubscriptions
ObjectStorage        | listObjects
ObjectStorage        | getObject
ObjectStorage        | listBuckets
VirtualNetworkClient | listVcns
VirtualNetworkClient | listSubnets
VirtualNetworkClient | listRouteTables
VirtualNetworkClient | listSecurityLists
VirtualNetworkClient | listNetworkSecurityGroups
VirtualNetworkClient | listCrossConnects
VirtualNetworkClient | listIPSecConnections
VirtualNetworkClient | listVirtualCircuits
VirtualNetworkClient | listLocalPeeringGateways
VirtualNetworkClient | listNatGateways
VirtualNetworkClient | listInternetGateways
VirtualNetworkClient | listDrgs
VirtualNetworkClient | listDrgsRouteTables
VirtualNetworkClient | listInternalDrgs
VirtualNetworkClient | listCpes
VirtualNetworkClient | listDrgAttachments