Create an OCI Alarm for Compute CPU Utilization

Monitoring is an important part of cloud operations. After deploying compute instances, we need visibility into resource usage such as CPU, memory, disk, and network. CPU utilization is one of the most common metrics monitored for compute instances because high CPU usage may indicate application load, inefficient processes, or capacity limitations. Also high CPU usage will affect the workload performance and it further may create service disruptions.

Oracle Cloud Infrastructure provides the Monitoring service to collect metrics from OCI resources and create alarms when metric values cross defined thresholds. In this article, we will create an OCI alarm for compute CPU utilization. We will also simulate high CPU usage on a compute instance and validate that OCI sends an email notification when the alarm is triggered.

The test case requires OCI services -  OCI Compute, OCI Monitoring, OCI Notifications and Oracle Cloud Agent.  OCI Monitoring collects CPU utilization metrics from the OCI compute instance. An alarm is created on the CpuUtilization metric. When CPU utilization crosses the configured threshold, the alarm moves to firing state and sends a message to an OCI Notifications topic. The email subscription receives the alert.

Prerequisites

Before starting this setup, the following items should be available:  

OCI tenancy access
Required compartment
Running compute instance
Oracle Cloud Agent enabled on the instance
Compute Instance Monitoring plugin enabled
Permission to create alarm
Permission to create notification topic and subscription
Valid email address for receiving notification

Validate Compute Instance Monitoring Plugin

Before creating the alarm, the compute instance should be able to emit monitoring metrics. From the compute instance details page, we can review the Oracle Cloud Agent section and validate that the Compute Instance Monitoring plugin is enabled and running.

If the plugin is disabled, metrics may not appear in OCI Monitoring.

The metric used for this article is: CpuUtilization

Create Notification Topic

First, we will create a Notification topic. The topic will receive the alarm message and forward it to the email subscription.

From OCI Console, navigate to:

Developer Services → Application Integration → Notifications

Create a topic.

Example topic name:

compute-cpu-alarm-topic

After the topic is created, we will add an email subscription.

Create Email Subscription

Open the Notification topic and create a subscription.

Use the protocol:

Email

Provide the email address that should receive the alarm notification.

After creating the subscription, OCI sends a confirmation email. The email subscription must be confirmed before alarm notifications can be received. Oracle’s Notifications documentation explains that Notifications uses topics and subscriptions, and when a message is published to a topic, it sends the message to all subscriptions on that topic.  After confirmation, the subscription status changes to active.

More details are on this topic is available in article

“Send Email Notification When Object Is Uploaded to OCI Object Storage”

Create CPU Utilization Alarm

Now we will create the alarm.

From OCI Console, navigate to:

Observability & Management → Monitoring → Alarm Definitions

Create a new alarm.

Example alarm name:

High CPU Utilization Alarm

Select the metric details:

Metric namespace: oci_computeagent
Metric name: CpuUtilization
Interval: 1 minute
Statistic: Mean

Select the required compartment and compute instance dimension. For the trigger rule, we can use a low threshold for testing.

Example:

CpuUtilization greater than 50%

For a production environment, the threshold can be higher, such as 80% or 85%, based on workload behavior and operational standards.

For notification destination, select the Notification topic:

compute-cpu-alarm-topic

Save the alarm.

Alarm Query Example

The alarm query may look similar to the following:

CpuUtilization[1m].mean() > 50

This means OCI Monitoring evaluates the average CPU utilization over a one-minute interval. If the value is greater than 50, the alarm condition is met.

For testing, a lower threshold makes it easier to trigger the alarm. After validation, the threshold can be adjusted to a production-friendly value.

Simulate High CPU Usage

To validate the alarm, we need to generate CPU load on the compute instance.

Connect to the compute instance using SSH.

For Oracle Linux, we can use the stress tool which is easiest way.

Install stress if it is not already done. We can use yum utility or other available ways to install that.

sudo yum install -y stress

Generate CPU load:

stress --cpu 2 --timeout 300

This command generates CPU load using two CPU workers for 300 seconds.

Wait for Alarm Evaluation

After CPU load is generated, OCI Monitoring needs a few minutes to collect metrics and evaluate the alarm condition.

In the alarm details page, the alarm should move from:

OK

to:

Firing

Once the alarm enters firing state, OCI Notifications sends an email to the confirmed subscription.

A small delay is normal because metrics are collected and evaluated based on the selected interval and alarm configuration.

Validate Email Notification

After the alarm is triggered, check the email inbox.

The notification email should include details such as:

Alarm name
Alarm state
Alarm Type
Alarm Severity
Notification type
Alarm Summary
Body
Time
Query
Number of metrics breaching threshold
Dimensions
Metric values, ordered by dimension

This confirms that the CPU alarm was triggered successfully and the notification flow is working.

Stop CPU Load

After validation, stop the CPU load.

With the stress command, it stops automatically after the timeout

After CPU load stops, CPU utilization should decrease.

After the next alarm evaluation cycle, the alarm should return to:

OK

Depending on the alarm configuration, a notification may also be sent when the alarm clears.

In this article, we created an OCI alarm for compute CPU utilization and connected it with OCI Notifications. We also simulated high CPU usage on the compute instance to validate that the alarm moves to firing state and sends an email notification.

This is a useful monitoring pattern for OCI compute workloads. By using Monitoring alarms and Notifications, we can detect high CPU usage early and improve operational response without using custom scripts or external monitoring tools.

 

 Create a Private Compute Instance and Access It Through Bastion Host

In cloud environments, compute instances do not always need public IP addresses. For better security, application servers, database servers, and internal workloads are usually placed in a private subnet. These private compute instances are not directly accessible from the internet.

Oracle Cloud Infrastructure provides OCI Bastion service to securely access private resources without exposing them through a public IP address. Bastion provides controlled and time bound SSH access to private compute instances.

In this article, we will create a private compute instance in OCI and access it using OCI Bastion service. We will use the OCI services Virtual Cloud Network, Private Subnet, Compute Instance, Bastion Service, Security List or Network Security Group, SSH Key Pair.

Before starting the configuration, the following items should be available:

OCI tenancy access
Required compartment
Permission to create networking resources
Permission to create compute instance
Permission to create Bastion
SSH key pair

For this article, we will use a Linux compute instance and SSH access.

Step 1 : Create VCN

First, we need a Virtual Cloud Network.

From the OCI Console, navigate to:

Networking → Virtual Cloud Networks

Create a VCN with the required CIDR block.

Example:

VCN Name: PrivateAccessVCN
CIDR Block: 10.0.0.0/16

For a simple setup, we can create the VCN with internet connectivity option.

x

Since the compute instance will be private, the subnet used for the instance does not need to assign public IP addresses.

Example:

Subnet Name: PrivateSubnet
CIDR Block: 10.0.1.0/24
Subnet Type: Regional
Public IP Assignment: Disabled

The important point is that the subnet should not allow public IP assignment. This ensures compute instances launched in this subnet remain private.

Review Route Table

For this Bastion Managed SSH setup, the private compute instance does not need a public IP address. However, the VCN/subnet should have a valid route through a Service Gateway or NAT Gateway so that Oracle Cloud Agent and the Bastion plugin can communicate with required OCI services.

However, if the private compute instance needs to access OCI services or package repositories, we may need one of the following options:

Service Gateway for OCI services
NAT Gateway for outbound internet access

For this article, our focus is only on SSH access through Bastion.

Configure Security Rules

The private compute instance should allow SSH traffic from the Bastion service.

The required SSH port is:

TCP 22

The source can be controlled using a security list or Network Security Group.

For a simple lab, we can allow SSH traffic from the VCN CIDR or a more specific CIDR range.

Example ingress rule:

Source CIDR: 10.0.0.0/16
IP Protocol: TCP
Destination Port: 22

In production, more restrictive rules should be used wherever possible.

Create Private Compute Instance

Now create a compute instance in the private subnet.

Navigate to:

Compute → Instances → Create Instance

Use the following sample values:

Name: private-linux-instance
Image: Oracle Linux
Shape: VM.Standard.E2.1.Micro or available trial shape

In the Basic information page, make sure to enable Oracle cloud agent – Bastion plugin. Else we will get API error while creating Bastion session with this compute instance.

VCN: PrivateAccessVCN
Subnet: PrivateSubnet
Public IP: No public IP
SSH Key: Upload or paste public SSH key

After the instance is created, note down the private IP address.

Example:

Private IP: 10.0.1.112

This private IP will be used while creating the Bastion session.

Create Bastion

Now we will create the Bastion service.

Navigate to:

Identity & Security → Bastion

Create a new Bastion.

Example:

Bastion Name: PrivateInstanceBastion (kindly note bastion allows only alphanumeric characters)
Target VCN: PrivateAccessVCN
Target Subnet: PrivateSubnet

The Bastion should be created in the same VCN and subnet path where it can reach the private compute instance.

During Bastion creation, we need to provide a CIDR block for allowed client access.

Example:

Client CIDR Block Allowlist: <our public IP>/32

This controls which public IP addresses are allowed to create and use Bastion sessions.

If OCI Cloud Shell is used, the access behavior may differ because Cloud Shell does not always use the same public IP. For local access, using the current public IP with /32 is a more controlled option.

Create Bastion Session

After the Bastion is created, create a session.

Open the Bastion and select:

Create Session

Choose the session type:

Managed SSH Session

Select the target compute instance.

If the instance is not listed, we can use the private IP address option depending on the console flow.

Target Resource: private-linux-instance
Target OS Username: opc
SSH Public Key: Public key used for session

For Oracle Linux images, the common username is:

opc

The Bastion session will be created with a limited lifetime.

In case Bastion plugin is not enabled in compute instance, we will get API Error.

In that case enable the Bastion plugin in the compute instance. Compute Instance page -> Management -> Oracle cloud agent

After enabling the plugin, the plugin may initially show as stopped. We can wait for a few minutes and refresh the Oracle Cloud Agent page. If it remains stopped, the subnet route, egress rule, gateway configuration, and Oracle Cloud Agent status should be validated.

 

Copy SSH Command

After the session is created, OCI provides an SSH command.

The command usually includes a proxy command through the Bastion session.

It may look similar to this:

ssh -i <private_key_file> -o ProxyCommand="ssh -i <private_key_file> -W %h:%p -p 22 <bastion_session_ocid>@host.bastion.<region>.oci.oraclecloud.com" opc@<private_ip>

We need to replace:

<private_key_file>
<private_ip>
<region>

with the correct values.

Connect to Private Instance

Run the SSH command from the local terminal.

If the SSH key and Bastion session are correct, the login should be successful.

After login, we can confirm the hostname and private IP.

hostname
ip addr

This confirms that we have connected to the private compute instance through OCI Bastion.

Points to Note:

·       OCI Bastion does not require us to create and manage a jump server.

·       Bastion sessions are temporary and time-bound.

·       The compute instance does not need a public IP address.

·       Access can be limited using the client CIDR allowlist.

·       SSH access can be controlled using IAM, security rules, and session duration.

·       This makes Bastion a safer access pattern compared to exposing SSH directly to the internet.