OCI Network Services: cheatsheet

Networking Components

VCN : [Virtual Cloud Network]

  • A VCN resides in a single Oracle Cloud Infrastructure region and covers one or more CIDR blocks (IPv4 and IPv6, if enabled).
    • The allowed size range is /16 to /30
    • Can grow and shrink after creation
    • The default components created with a VCN are an Internet Gateway, a Service Gateway and a NAT Gateway

Subnet

  • Each subnet consists of a contiguous range of IP addresses (IPv4 and IPv6, if enabled) that does not overlap with other subnets in the VCN.
    • A subnet can be in one AD or it can be regional.
    • Can grow and shrink after creation
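As an added example (not part of the original cheatsheet), the following Python script checks a CIDR plan against the constraints listed above: the VCN CIDR size range of /16 to /30, every subnet falling inside one of the VCN's CIDR blocks, and no two subnets overlapping. It also includes a `can_peer` check for the non-overlapping-CIDR requirement that local and remote VCN peering impose later on this page. The CIDRs are constructed sample values; the script uses only the standard library `ipaddress` module and handles IPv4 only.

```python
import ipaddress

# VCN CIDR size limits from the cheatsheet: /16 (largest) to /30 (smallest).
VCN_MIN_PREFIX = 16
VCN_MAX_PREFIX = 30


def validate_vcn_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Parse a VCN CIDR and enforce the /16 .. /30 size range.

    strict=True rejects CIDRs with host bits set (e.g. 10.0.0.1/16).
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if not VCN_MIN_PREFIX <= net.prefixlen <= VCN_MAX_PREFIX:
        raise ValueError(f"{cidr}: VCN CIDR must be between /16 and /30")
    return net


def validate_subnets(vcn_cidrs, subnet_cidrs):
    """Return a list of problems with a subnet plan (empty list = valid).

    Checks that each subnet lies inside one of the VCN's CIDR blocks and
    that no two subnets overlap, as required for subnets in the same VCN.
    """
    vcns = [validate_vcn_cidr(c) for c in vcn_cidrs]
    subnets = [ipaddress.IPv4Network(c, strict=True) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not any(s.subnet_of(v) for v in vcns):
            problems.append(f"{s} is not inside any VCN CIDR block")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def can_peer(vcn_a_cidrs, vcn_b_cidrs) -> bool:
    """Local and remote peering both require the two VCNs' CIDRs not to overlap."""
    a = [ipaddress.IPv4Network(c, strict=True) for c in vcn_a_cidrs]
    b = [ipaddress.IPv4Network(c, strict=True) for c in vcn_b_cidrs]
    return not any(x.overlaps(y) for x in a for y in b)


if __name__ == "__main__":
    # Constructed sample plan: one VCN with three subnets, two of them wrong.
    vcn = ["10.0.0.0/16"]
    subnets = ["10.0.1.0/24", "10.0.1.128/25", "192.168.0.0/24"]
    for problem in validate_subnets(vcn, subnets):
        print("problem:", problem)
    print("peer 10.0.0.0/16 with 10.1.0.0/16:", can_peer(vcn, ["10.1.0.0/16"]))
    print("peer 10.0.0.0/16 with 10.0.5.0/24:", can_peer(vcn, ["10.0.5.0/24"]))
```

Running the script reports the subnet that lies outside the VCN and the pair of subnets that overlap, and shows that a VCN whose CIDR is contained in another cannot be peered with it.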

Route Table

  • Has rules to route traffic from subnets to destinations outside the VCN by way of gateways or specially configured instances

Security Rules

  • Virtual firewall rules for your VCN: ingress/egress, stateless/stateful. A security list applies to the whole subnet, while a network security group applies only to the VNICs it is associated with

VNIC

A virtual network interface card (VNIC) attaches to an instance and resides in a subnet to enable a connection to the subnet's VCN

  • Each instance has a primary VNIC that is created during instance launch and cannot be removed
  • You can add secondary VNICs to an existing instance (in the same availability domain as the primary VNIC). A secondary VNIC can be in a different subnet or even a different VCN, but must be in the same AD

Public IP

  • Ephemeral IP: assigned to the resource until the resource is terminated
  • Reserved IP: exists even after the resource is terminated and can be assigned to another resource
  • You can bring your own IP (BYOIP)

DRG [Dynamic Routing Gateway]

  • Provides a path for private network traffic between your VCN and your on-premises network
  • The DRG-to-VCN relationship is 1-to-1; max 5 DRGs per region

Service Gateway

  • Provides a path for private network traffic between your VCN and supported services in OCI.
  • Used so that traffic to OCI services does not traverse the internet.

Internet Gateway

  • You can add one to your VCN for direct internet access

LPG [Local Peering Gateway]

  • To peer one VCN with another VCN in the same region

Local VCN Peering

  • Two VCNs with non-overlapping CIDRs, in the same region
  • A local peering gateway (LPG) on each VCN in the peering relationship.
  • A connection between those two LPGs.
  • Supporting route rules to enable traffic to flow over the connection, and only to and from select subnets in the respective VCNs (if desired).
  • Supporting security rules to control the types of traffic allowed to and from the instances in the subnets that need to communicate with the other VCN.
  • You can now use a single DRG (a regional object) for local peering: multiple VCNs within the region can be attached directly to the same DRG.

RPC [Remote Peering Connection]

  • To peer one VCN with another VCN in a different region.

Remote Peering VCN

  • Two VCNs with non-overlapping CIDRs, in different regions that support remote peering. The VCNs must be in the same tenancy.
  • A dynamic routing gateway (DRG) attached to each VCN in the peering relationship. Your VCN already has a DRG if you’re using an IPSec VPN or an Oracle Cloud Infrastructure FastConnect private virtual circuit.
  • A remote peering connection (RPC) on each DRG in the peering relationship. A connection between those two RPCs.
  • Supporting route rules to enable traffic to flow over the connection, and only to and from select subnets in the respective VCNs (if desired).
  • Supporting security rules to control the types of traffic allowed to and from the instances in the subnets that need to communicate with the other VCN.
  • A DRG supports up to 300 attachments. Attachments can be of type VCN or IPSec VPN

NAT Gateway

  • For resources without public IP addresses that need to initiate connections to the internet
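An added example, not from the original page, showing how a route table directs traffic from a subnet to the gateways listed above. The script performs longest-prefix matching over route rules the way a router would, treats destinations inside the VCN's own CIDR as local (OCI delivers intra-VCN traffic without a route rule), and compares a private subnet's route table (default route to a NAT Gateway, on-premises range to a DRG) with a public subnet's (default route to an Internet Gateway) and a subnet with no default route at all. The gateway names, VCN CIDR and on-premises range are constructed labels for illustration, not OCI identifiers; a Service Gateway rule, which in OCI targets a service CIDR label rather than a numeric CIDR, is left out of this simplified model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RouteRule:
    destination: str  # CIDR block the rule matches
    target: str       # gateway that receives matching traffic (label, not an OCID)


def lookup_route(vcn_cidr: str, route_table, dst_ip: str) -> Optional[str]:
    """Return the target for dst_ip using longest-prefix match.

    Destinations inside the VCN's own CIDR are 'local' (no rule needed).
    Returns None when no rule matches: the traffic has nowhere to go.
    """
    ip = ipaddress.ip_address(dst_ip)
    if ip in ipaddress.ip_network(vcn_cidr):
        return "local"
    best_len, best_target = -1, None
    for rule in route_table:
        net = ipaddress.ip_network(rule.destination)
        if ip in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, rule.target
    return best_target


VCN_CIDR = "10.0.0.0/16"  # constructed sample VCN

# Private subnet: instances have no public IP, so outbound goes through the
# NAT Gateway; the (constructed) on-premises range is reached via the DRG.
PRIVATE_RT = [
    RouteRule("0.0.0.0/0", "nat-gateway"),
    RouteRule("172.16.0.0/12", "drg"),
]

# Public subnet: the default route points straight at the Internet Gateway.
PUBLIC_RT = [
    RouteRule("0.0.0.0/0", "internet-gateway"),
    RouteRule("172.16.0.0/12", "drg"),
]

# No default route: on-premises is reachable, the internet is not.
ISOLATED_RT = [
    RouteRule("172.16.0.0/12", "drg"),
]

if __name__ == "__main__":
    tables = [("private", PRIVATE_RT), ("public", PUBLIC_RT), ("isolated", ISOLATED_RT)]
    for name, rt in tables:
        for dst in ["10.0.3.4", "172.16.10.5", "8.8.8.8"]:
            print(f"{name:8s} {dst:>12s} -> {lookup_route(VCN_CIDR, rt, dst)}")
```

The on-premises destination matches both `0.0.0.0/0` and `172.16.0.0/12`; the more specific /12 wins, so that traffic goes to the DRG rather than out through NAT. Dropping the default route is the usual way to keep a subnet off the internet entirely.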

Site-to-Site VPN

  • Offers multiple IPSec tunnels between your existing network's edge and your VCN, by way of a DRG that you create and attach to your VCN
  • Site-to-Site VPN creates two tunnels; both should be up

FastConnect

  • Creates dedicated, private connections between your data center and OCI
  • Traffic does not traverse the internet
  • Offers both types of peering
    • Private peering: to extend your existing infrastructure into a virtual cloud network (VCN) in Oracle Cloud Infrastructure
    • Public peering: to access public services in Oracle Cloud Infrastructure without using the internet
  • No charge for inbound and outbound data transfer
  • Uses the BGP protocol
  • Used for latency-sensitive applications in hybrid cloud, data migration and sensitive data transfer

Private Endpoint

  • Autonomous Database, Oracle Analytics Cloud, Oracle Data Safe, Streaming and Data Catalog are the only services that can be accessed through a service private endpoint.

Network Visualizer

  • An OCI service that provides a visual representation of the network in a selected region or tenancy.
  • Shows Regional Network topology
  • Shows cloud network topology

Best Practice

When to use what

Connection from On-Premises to OCI

FastConnect vs IPSec VPN

Stateless vs Stateful

Stateless: The rules remember nothing and check every packet that crosses the subnet border in each direction, inbound and outbound. You need to define the incoming and outgoing rules for a port separately.

Stateful: The rules remember previous decisions made for incoming packets. For a port, if incoming traffic is allowed then the corresponding outgoing (return) traffic is also allowed.
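An added Python model (not from the original page) of the difference just described. Each rule carries a direction, protocol, optional source and destination ports and a stateful flag; the `SecurityList` class keeps a connection-tracking table for packets admitted by a stateful rule, so that the reply is allowed without an explicit egress rule, whereas with stateless rules the reply needs its own egress rule (source port 22, any destination port). The addresses, ports and the `SecurityList`/`Rule` names are constructed for the example and are not OCI API objects.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str            # "ingress" or "egress"
    proto: str                # "tcp" or "udp"
    src_port: Optional[int]   # None = any source port
    dst_port: Optional[int]   # None = any destination port
    stateful: bool


class SecurityList:
    """Evaluates packets against rules, with connection tracking for stateful rules."""

    def __init__(self, rules):
        self.rules = list(rules)
        # Tracking table: 5-tuples of packets admitted by a stateful rule.
        self.connections = set()

    def allow(self, direction, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        # 1. A reply to a tracked connection passes without an explicit rule.
        #    Reversing the reply's tuple gives the original packet's tuple.
        original = (dst_ip, dst_port, src_ip, src_port, proto)
        if original in self.connections:
            return True
        # 2. Otherwise the packet needs a rule for its own direction.
        for r in self.rules:
            if (r.direction == direction and r.proto == proto
                    and r.src_port in (None, src_port)
                    and r.dst_port in (None, dst_port)):
                if r.stateful:
                    self.connections.add((src_ip, src_port, dst_ip, dst_port, proto))
                return True
        return False


# Constructed sample: a client on the internet opening SSH to an instance.
CLIENT, CLIENT_PORT = "203.0.113.7", 51000
INSTANCE, SSH = "10.0.1.5", 22


def ssh_session_allowed(rules):
    """Return (request_allowed, reply_allowed) for one SSH exchange under `rules`."""
    sl = SecurityList(rules)
    request = sl.allow("ingress", CLIENT, CLIENT_PORT, INSTANCE, SSH)
    reply = sl.allow("egress", INSTANCE, SSH, CLIENT, CLIENT_PORT)
    return request, reply


if __name__ == "__main__":
    stateful = [Rule("ingress", "tcp", None, 22, stateful=True)]
    stateless_in_only = [Rule("ingress", "tcp", None, 22, stateful=False)]
    stateless_both = stateless_in_only + [Rule("egress", "tcp", 22, None, stateful=False)]
    print("stateful ingress rule only:  ", ssh_session_allowed(stateful))
    print("stateless ingress rule only: ", ssh_session_allowed(stateless_in_only))
    print("stateless ingress + egress:  ", ssh_session_allowed(stateless_both))
```

With the stateful rule the SSH reply is admitted because the request was tracked, but an unrelated outbound connection from the instance is still blocked: stateful means "return traffic of an allowed flow", not "any outbound traffic". With a stateless ingress rule alone the reply is dropped until a matching egress rule is added.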

For more: https://docs.oracle.com/en/solutions/oci-best-practices/tune-and-monitor-network.html
