Oracle Free Tier VPS - Best Practices

Oracle Cloud Free Tier + Tailscale - happiness

Oracle offers a very generous free tier (perhaps a little too generous, which has led to temporary capacity issues in some regions - see FAQ).

"Each tenancy gets the first 3,000 OCPU hours and 18,000 GB hours per month for free to create Ampere A1 Compute instances using the VM.Standard.A1.Flex shape (equivalent to 4 OCPUs and 24 GB of memory). Each tenancy also gets two VM.Standard.E2.1.Micro instances for free" --Oracle

I have the following instances on the free tier:

  • 2x VM.Standard.E2.1.Micro instances (AMD processor - each with 1 OCPU + 1GB RAM) running Ubuntu Minimal. Good for smaller workloads.
  • 2x VM.Standard.A1.Flex instances (ARM processor - each with 2 OCPUs and 12GB RAM) running Ubuntu Server. Great performance.

While this hasn't happened to me personally, I have seen many people locked out of their instances for various reasons, which can result in data loss or the loss of the instance if you have to delete it and then run into capacity issues in your region. So make sure you have a backup access plan...


Simple: Password Enabled User Account

Make sure you have a local user account which has sudo privileges and a password set. In an emergency, you can use the OCI Console Connection to log in to your instances from the web.

I suggest using an account other than the default "ubuntu" (assuming you're using an Ubuntu image) for security reasons, e.g. the default "opc" account - and then be sure to test it works before moving on:

sudo passwd opc
sudo usermod -aG sudo opc

I also recommend ensuring you use certificates for SSH authentication, not passwords. If you do use passwords for some reason, ensure the above account is not permitted to log in over SSH.
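
One way to verify this, as an added example that is not part of the original post: the script reads the effective configuration printed by `sshd -T` and fails if the console account ("opc" above) could still log in over SSH with a password. The function name `audit_sshd` and the sample configurations are constructed for illustration; it assumes global settings only (no Match blocks) and exact names in DenyUsers.

```sh
#!/bin/sh
# Added example: audit the effective sshd configuration for the
# emergency console account ("opc" on this page).
# On a real instance:  sudo sshd -T | audit_sshd opc

# Reads `sshd -T` style lines on stdin. Returns 0 if the account
# cannot log in over SSH with a password, 1 otherwise.
audit_sshd() {
    account="$1"
    pw_auth="yes"    # fail closed if a keyword is missing from the input
    kbd_auth="yes"
    denied="no"
    while read -r key val rest; do
        case "$key" in
            passwordauthentication) pw_auth="$val" ;;
            # keyboard-interactive can also prompt for a password (via PAM);
            # older OpenSSH releases call it challengeresponseauthentication
            kbdinteractiveauthentication|challengeresponseauthentication)
                kbd_auth="$val" ;;
            denyusers)
                # exact-name match only; DenyUsers patterns are not expanded
                case " $val $rest " in
                    *" $account "*) denied="yes" ;;
                esac ;;
        esac
    done
    if [ "$pw_auth" = "no" ] && [ "$kbd_auth" = "no" ]; then
        echo "OK: SSH password logins are disabled"; return 0
    fi
    if [ "$denied" = "yes" ]; then
        echo "OK: passwords allowed, but $account is listed in DenyUsers"; return 0
    fi
    echo "FAIL: $account can log in over SSH with a password"; return 1
}

# Constructed samples in `sshd -T` format (not captured from a real host).
SAMPLE_KEYS_ONLY='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'
SAMPLE_PW_DENIED='passwordauthentication yes
kbdinteractiveauthentication no
denyusers opc'
SAMPLE_PW_OPEN='passwordauthentication yes
kbdinteractiveauthentication no
denyusers backup'

for sample in "$SAMPLE_KEYS_ONLY" "$SAMPLE_PW_DENIED" "$SAMPLE_PW_OPEN"; do
    printf '%s\n' "$sample" | audit_sshd opc || true
done
```

Being listed in DenyUsers blocks the account for every SSH authentication method; the password set with `sudo passwd opc` still works through the OCI Console Connection, which does not go through sshd.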


Better: Enable Tailscale SSH on your instances

Tailscale is pure magic freely available to everyone :-)

I strongly recommend setting up a Tailnet and adding all your instances to it with Tailscale SSH enabled. This lets you SSH securely into your instances from any of your Tailscale machines (linux, windows, mac) without needing a separate password or certificate - and as if that isn't enough, you can even SSH into your instances from the web!

Once you have a Tailscale account, register each instance (and enable SSH access):

sudo tailscale up --ssh

Then, from any other machine on your Tailscale network (windows, mac, linux), you can connect to the instance (without needing a password or certificate):

ssh <tailscale-machine-ip>

Note: You might want to disable Tailscale key expiry on your instances - otherwise you'll need to reauthenticate each of them after the default 180 days, which may be an issue if the only way you can connect is via Tailscale (see the first recommendation above for enabling OCI Console connections).


Don't Let Your Instances Sit Idle for Long

Oracle will sometimes reclaim (free tier) instances which are idle for extended periods to free up scarce free-tier capacity.

Oracle defines an instance as idle if, during a 7-day period, these all apply:

  • CPU utilization for the 95th percentile is less than 10%
  • Network utilization is less than 10%
  • Memory utilization is less than 10% (applies to A1 shapes only)

So make sure you actually USE them - set up CrowdSec, a simple website, a container running your favourite service - the options are endless.

You can also convert your account to PAYG to avoid idle instances being reclaimed - highly recommended, as you still pay nothing if you stay within free tier limits.

Back Up Your Content

This should be obvious, and applies to everything not just Oracle - back up your data (content, config, etc). Anything you'd regret losing if you permanently lost access to your instances or account tomorrow - back it up.

Oracle allows multiple backups of each volume which don't count against your storage limit. And make sure you also back up offsite.

Enable 2FA

Oracle pretty much insists on this nowadays for good reasons - so enable 2-factor authentication on your OCI account to protect your setup.

The process is fairly straightforward - see my 2FA notes on my Oracle Free Tier Notes and References page for a guide.

If you're paranoid (like me) you can also create a new local (non-federated) OCI user account which doesn't use 2FA for emergencies (with a very strong password, and only used in emergencies). Just be sure to add it to the Administrators group.