Networking and Connectivity Options in OCI

In this blog post we are going to cover the important aspects of networking in Oracle Cloud Infrastructure (OCI). Below are the components that constitute the building blocks of OCI networking.

Basics Of Cloud Computing

  1. Virtual Cloud Network (VCN) basics
  2. IP addresses(Public/Private) and CIDR
  3. Gateways and Routing
  4. Peering (Local Peering Gateway "LPG", Remote Peering Connection "RPC")
  5. Transit Routing
  6. Security rules
  7. Dynamic Routing gateway
  8. VPN Connect (IPSec VPN)
  9. Oracle Fast Connect
  10. Route Table
  11. Security List
  12. Virtual Circuit
  13. Internet Gateway
  14. NAT Gateway
  15. Service Gateway
  16. DNS and DHCP
  17. Subnet (Public Subnet and Private subnet)

What is a VCN in Oracle Cloud Infrastructure? And what is it used for?

A VCN is a private, software-defined network that you set up in Oracle's data centers, with firewall rules (security lists and network security groups) and the specific types of communication gateways that you choose to use.

  • A VCN covers a single, contiguous IPv4 CIDR block of your choice
  • A VCN resides within a single region

IP address range for your VCN

Avoid IP ranges that overlap with your on-premises network or with other cloud networks you may later connect or peer with; overlapping ranges make routing across a VPN, Fast Connect or peering link ambiguous.

  • Use the private IP address ranges specified in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • The allowable OCI VCN size ranges from /16 to /30
  • OCI reserves the first two IP addresses (the network address and the default gateway) and the last one (broadcast) in each subnet's CIDR, so a /24 subnet leaves 253 addresses for VNICs
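The address-plan rules above (RFC 1918 range, /16 to /30, no overlap with networks you will connect to, three reserved addresses per subnet) are easy to get wrong by hand. The following Python is an added example, not code from the original post or from Oracle; it uses only the standard library to check a proposed VCN CIDR, the subnets carved from it and the external networks it must not overlap. The CIDRs in it are constructed for illustration.

```python
import ipaddress

# Added example (not OCI code): validates a VCN address plan against the rules
# quoted in the post. All CIDRs used below are constructed for illustration.

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESERVED_PER_SUBNET = 3  # first address (network), second (default gateway), last (broadcast)


def _network(cidr):
    """Parse a CIDR strictly: '10.0.0.1/24' is rejected because host bits are set."""
    return ipaddress.ip_network(cidr, strict=True)


def check_vcn_plan(vcn_cidr, subnet_cidrs, other_networks=()):
    """Return a list of problems; an empty list means the plan is acceptable.

    vcn_cidr       the VCN's IPv4 CIDR block
    subnet_cidrs   the subnets you intend to create inside it
    other_networks on-premises or peered networks the VCN must not overlap
    """
    problems = []
    try:
        vcn = _network(vcn_cidr)
    except ValueError as exc:
        return [f"bad VCN CIDR {vcn_cidr!r}: {exc}"]
    if vcn.version != 4:
        return [f"{vcn} is not an IPv4 block"]
    if not 16 <= vcn.prefixlen <= 30:
        problems.append(f"{vcn} is /{vcn.prefixlen}; OCI allows /16 to /30")
    if not any(vcn.subnet_of(private) for private in RFC1918):
        problems.append(f"{vcn} is not inside an RFC 1918 private range")
    for cidr in other_networks:
        other = ipaddress.ip_network(cidr)
        if vcn.overlaps(other):
            problems.append(f"{vcn} overlaps {other}; routing to it over VPN, Fast Connect or peering would be ambiguous")

    subnets = []
    for cidr in subnet_cidrs:
        try:
            subnets.append(_network(cidr))
        except ValueError as exc:
            problems.append(f"bad subnet CIDR {cidr!r}: {exc}")
    for i, s in enumerate(subnets):
        if not s.subnet_of(vcn):
            problems.append(f"subnet {s} is not inside VCN {vcn}")
        for t in subnets[i + 1:]:
            if s.overlaps(t):
                problems.append(f"subnets {s} and {t} overlap")
    return problems


def usable_addresses(subnet_cidr):
    """Addresses left for VNICs after OCI reserves the first two and the last."""
    return max(_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET, 0)


if __name__ == "__main__":
    clean = check_vcn_plan("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"], ["192.168.0.0/16"])
    print("clean plan:", clean or "OK")
    bad = check_vcn_plan("10.0.0.0/8", ["10.0.0.0/24", "10.0.0.128/25"], ["10.1.0.0/16"])
    print("bad plan:", *bad, sep="\n  ")
    print("usable addresses in a /24:", usable_addresses("10.0.0.0/24"))
```

Run it before creating the VCN: a /8 block, an overlap with the on-premises range, or two subnets that overlap each other are all reported in one pass, which is cheaper than discovering them when the first peering or VPN route is added.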

Subnet

A subnet is a subdivision of your VCN; every VCN is carved into one or more subnets.

  • Each subnet can be AD-specific or Regional (recommended)
  • AD specific subnet is contained within a single AD in a multi-AD region
  • Regional subnet spans all three ADs in a multi-AD region
  • Each subnet has a contiguous range of IPs, described in CIDR notation. Subnet IP ranges cannot overlap.
  • Instances are placed in subnets and draw their internal IP address and network configuration from their subnet
  • Subnets are designated as either
    • Private Subnet (VNICs in it can have private IP addresses only; public IPs cannot be assigned)
    • Public Subnet (VNICs in it can have both private and public IP addresses)
  • VNIC is a component that enables a compute instance to connect to a VCN. The VNIC determines how the instance connects with endpoints inside and outside the VCN.

IP Addresses

IP addresses can be of two types:

  1. Public IP: a public IP address is an IPv4 address that is reachable from the internet. A given resource can hold multiple public IPs across one or more VNICs. You can optionally assign a public IP to instances or other resources that already have a private IP. Public IPs are either ephemeral (released when the private IP they are attached to goes away) or reserved (kept in your tenancy until you delete them).
  2. Private IP: each instance in a subnet has at least one primary private IP address. Each VNIC has a primary private IP, and you can add and remove secondary private IPs. The primary private IP address on an instance does not change during the instance's lifetime and cannot be removed from the instance.

Networking and Connectivity Options in OCI

INTERNET GATEWAY

You can add an internet gateway to your VCN for direct internet access. It is an optional virtual router that provides a path for network traffic between your VCN and the internet.

A VCN can have only one internet gateway. After creating the IGW you must add a route rule for it (typically 0.0.0.0/0) to the route table of each subnet that should use it. Give that rule only to public subnets: any instance holding a public IP in such a subnet becomes reachable from the internet, subject only to its security list and NSG rules.

NETWORK ADDRESS TRANSLATION (NAT) GATEWAY

NAT is a networking technique commonly used to give an entire private network access to the internet without assigning each host a public IPv4 address. Hosts can initiate connections to the internet and receive the responses, but cannot receive inbound connections initiated from the internet. In OCI the NAT gateway is what private subnets use for outbound-only access such as package updates.

You can have more than one NAT gateway on a VCN, though a given subnet can route traffic to only a single NAT gateway.

SERVICE GATEWAY

A service gateway lets resources in your VCN reach public OCI services such as Object Storage without using an internet gateway or NAT gateway, so the traffic never leaves Oracle's network.

It provides a path for private network traffic between your VCN and supported services in the Oracle Services Network, such as Object Storage, Autonomous Transaction Processing (ATP) and Autonomous Data Warehouse (ADW).

DYNAMIC ROUTING GATEWAY (DRG)

A virtual router that provides a path for private traffic between your VCN and destinations other than the internet.

Use it to connect your on-premises network to Oracle Cloud via an IPSec VPN tunnel or Fast Connect (private, dedicated connectivity). After attaching a DRG, you must add a route rule for the DRG to the VCN's route tables to enable traffic flow.

VCN PEERING

VCN peering is the process of connecting two virtual cloud networks (VCNs) so that instances in the two VCNs can communicate with each other over private IP addresses.

VCN peering can be of two types :

1: Local peering - Local VCN peering is the process of connecting two VCNs in the same region so that their resources can communicate using private IP addresses. A local peering gateway (LPG) is a component on a VCN for routing traffic to a locally peered VCN; each VCN needs its own LPG, a route rule pointing at it, and security rules that admit the peer's CIDR.

2: Remote VCN peering (across regions) - Remote VCN peering is the process of connecting two VCNs in different regions so that their resources can communicate using private IP addresses. It requires a remote peering connection (RPC) to be created on each VCN's DRG; the RPC acts as the connection point for the remotely peered VCN.

OCI VPN (IPSec VPN)

It is a site-to-site Virtual Private Network (VPN) connection between your on-premises network and your Oracle virtual cloud network (VCN). Traffic crosses the public internet inside encrypted tunnels that terminate on a DRG, using industry-standard IPSec protocols.

OCI Fast Connect

It is a dedicated, private connection between your on-premises network and your Oracle VCN. Fast Connect provides higher-bandwidth options and a more reliable and consistent networking experience than internet-based connections. Note that the circuit itself is private but not encrypted; run IPSec over Fast Connect or rely on application-level TLS if you need confidentiality on the link.

What are the network-level security controls in Oracle Cloud Infrastructure?

Route Table

Each subnet uses a single route table, specified at subnet creation but editable later.

  • The route table is consulted only when the destination IP address is outside the VCN's CIDR block
  • No route rules are required to enable traffic within the VCN itself
  • When several rules match a destination, the most specific one (longest prefix) wins; a destination that matches no rule is dropped
  • When you add an internet gateway, NAT gateway, service gateway, dynamic routing gateway or a peering connection, you must add a rule for it to the route table of every subnet that should use that gateway or connection, and only those subnets
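To make the lookup rules concrete, here is an added example (not code from the original post or from OCI) that models how a subnet's route table is consulted: in-VCN destinations are delivered without a rule, otherwise the most specific matching rule decides the gateway, and a destination with no matching rule is dropped. The gateway names and CIDRs are assumptions for illustration; a service gateway rule, whose destination is a service label rather than a CIDR, is left out.

```python
import ipaddress

# Added example (not OCI code): a model of how a subnet's route table is consulted.
# Gateway names and CIDRs are constructed for illustration.

LOCAL = "local"  # destination inside the VCN: delivered without any route rule


class RouteTable:
    def __init__(self, vcn_cidr, rules=()):
        self.vcn = ipaddress.ip_network(vcn_cidr)
        self.rules = []
        for destination, target in rules:
            self.add_rule(destination, target)

    def add_rule(self, destination_cidr, target):
        """target names the gateway or attachment: internet-gateway, nat-gateway, drg, lpg."""
        net = ipaddress.ip_network(destination_cidr)
        if any(existing == net for existing, _ in self.rules):
            raise ValueError(f"route table already has a rule for {net}")
        self.rules.append((net, target))

    def next_hop(self, dst_ip):
        """Return LOCAL, a gateway name, or None when the packet has no route and is dropped."""
        ip = ipaddress.ip_address(dst_ip)
        if ip in self.vcn:
            return LOCAL
        candidates = [(net.prefixlen, target) for net, target in self.rules if ip in net]
        if not candidates:
            return None
        return max(candidates)[1]  # most specific prefix wins


VCN_CIDR = "10.0.0.0/16"
ONPREM_CIDR = "172.16.0.0/12"   # reached through the DRG (IPSec VPN or Fast Connect)
PEER_VCN_CIDR = "10.1.0.0/16"   # locally peered VCN, reached through the LPG

# Public subnet: default route to the internet gateway.
public_rt = RouteTable(VCN_CIDR, [
    ("0.0.0.0/0", "internet-gateway"),
    (ONPREM_CIDR, "drg"),
    (PEER_VCN_CIDR, "lpg"),
])

# Private subnet: same DRG and LPG rules, but the default route goes to the NAT gateway.
private_rt = RouteTable(VCN_CIDR, [
    ("0.0.0.0/0", "nat-gateway"),
    (ONPREM_CIDR, "drg"),
    (PEER_VCN_CIDR, "lpg"),
])

# Isolated subnet: no default route at all; only the VCN and on-premises are reachable.
isolated_rt = RouteTable(VCN_CIDR, [(ONPREM_CIDR, "drg")])


def trace(rt, destinations):
    """Map each destination to the hop the table would choose."""
    return {d: rt.next_hop(d) for d in destinations}


if __name__ == "__main__":
    probes = ["10.0.3.4", "10.1.9.9", "172.20.0.1", "203.0.113.9"]
    for name, rt in [("public", public_rt), ("private", private_rt), ("isolated", isolated_rt)]:
        print(name, trace(rt, probes))
```

The isolated table is the interesting one for a security review: with no 0.0.0.0/0 rule at all, an instance in that subnet cannot reach the internet even if its security rules would allow it, so removing the default route is a stronger control than tightening egress rules.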

Security List

A security list is a set of virtual firewall rules for your VCN: a common set of rules associated with a subnet and applied to every VNIC in that subnet. The rules specify which traffic is allowed into and out of the subnet; there are no deny rules, so anything no rule allows is dropped. Rules are stateful by default (return traffic for an allowed connection is admitted automatically) or can be marked stateless, in which case the reverse direction needs its own rule. A security list applies whether an instance is talking to another instance in the VCN or to a host outside it. Note that the default security list created with a VCN allows TCP port 22 ingress from 0.0.0.0/0 and all egress; review it before placing anything in a public subnet.

Network security group (NSG)

  • A network security group (NSG) provides a virtual firewall for a set of cloud resources that all have the same security posture.
  • An NSG consists of a set of rules that apply only to the VNICs of your choice within a single VCN; a VNIC can belong to up to five NSGs
  • At the time of writing, compute instances, load balancers and DB systems support NSGs.
  • Oracle recommends using NSGs instead of security lists because NSGs let you separate the VCN's subnet architecture from your application security requirements
  • Security lists and NSGs combine as a union: a packet is allowed if any rule in any security list on the subnet or any NSG on the VNIC allows it, so a restrictive NSG cannot narrow what the subnet's security list already permits
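The point that matters most for hardening is that security lists and NSGs combine as a union of allow rules. The following Python is an added example, not code from the original post or from OCI; the rule sets are constructed, except that the SSH rule in DEFAULT_SECURITY_LIST mirrors the ingress rule OCI's default security list ships with. It models the stateful default (the reverse direction of an allowed flow is not evaluated) and shows why attaching a restrictive NSG does not close port 22 while the subnet's security list still opens it.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not OCI code): how security-list and NSG rules combine for one VNIC.
# The rule sets are constructed; DEFAULT_SECURITY_LIST's SSH rule mirrors OCI's default.


@dataclass(frozen=True)
class Rule:
    direction: str      # "ingress" or "egress"
    protocol: str       # "tcp", "udp", "icmp" or "all"
    cidr: str           # source CIDR for ingress, destination CIDR for egress
    port_min: int = 1   # destination port range; ignored for icmp and all
    port_max: int = 65535

    def matches(self, direction, protocol, peer_ip, port):
        if self.direction != direction or self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(self.cidr):
            return False
        return self.protocol in ("all", "icmp") or self.port_min <= port <= self.port_max


def is_allowed(direction, protocol, peer_ip, port, security_lists=(), nsgs=()):
    """OCI rules are allow-only: the packet passes if ANY rule of ANY security list on
    the subnet or ANY NSG on the VNIC matches. No rule can veto another's allow."""
    for rule_set in list(security_lists) + list(nsgs):
        for rule in rule_set:
            if rule.matches(direction, protocol, peer_ip, port):
                return True
    return False


def internet_exposed(security_lists=(), nsgs=()):
    """Ingress rules whose source is the whole internet: the first thing to audit."""
    return [r for rule_set in list(security_lists) + list(nsgs) for r in rule_set
            if r.direction == "ingress" and ipaddress.ip_network(r.cidr).prefixlen == 0]


VCN_CIDR = "10.0.0.0/16"
BASTION_CIDR = "10.0.100.0/24"   # constructed: subnet holding the bastion host

DEFAULT_SECURITY_LIST = [
    Rule("ingress", "tcp", "0.0.0.0/0", 22, 22),   # SSH from anywhere (OCI default)
    Rule("egress", "all", "0.0.0.0/0"),            # all outbound (OCI default)
]
HARDENED_SECURITY_LIST = [
    Rule("ingress", "all", VCN_CIDR),              # only intra-VCN traffic in
    Rule("egress", "all", "0.0.0.0/0"),
]
WEB_NSG = [Rule("ingress", "tcp", "0.0.0.0/0", 443, 443)]
SSH_FROM_BASTION_NSG = [Rule("ingress", "tcp", BASTION_CIDR, 22, 22)]

if __name__ == "__main__":
    internet_host, bastion_host = "203.0.113.5", "10.0.100.7"
    # Restrictive NSG on top of the default security list: SSH is still open to the world.
    print(is_allowed("ingress", "tcp", internet_host, 22, [DEFAULT_SECURITY_LIST], [SSH_FROM_BASTION_NSG]))
    # Same NSG on top of the hardened security list: only the bastion can reach port 22.
    print(is_allowed("ingress", "tcp", internet_host, 22, [HARDENED_SECURITY_LIST], [SSH_FROM_BASTION_NSG]))
    print(is_allowed("ingress", "tcp", bastion_host, 22, [HARDENED_SECURITY_LIST], [SSH_FROM_BASTION_NSG]))
    print([r.port_min for r in internet_exposed([DEFAULT_SECURITY_LIST], [WEB_NSG])])
```

Because the effective policy is the union, tightening means removing the permissive security list rule, not adding an NSG beside it; the internet_exposed helper is a quick way to list every rule that would survive such a review.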