An Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN) is a virtual version of a traditional network on which your instances run.
When you create a subnet, you may optionally specify one or more security lists for the subnet to use (up to five). You can change which security list the subnet uses at any time.
When you create a subnet, you may optionally specify a route table for the subnet to use. If you don't, the subnet uses the cloud network's default route table. You can change which route table the subnet uses at any time.
Key Features of VCN
A Virtual Cloud Network resides within a single region but can span multiple Availability Domains. It has the following key features:
- Includes subnets, route tables, security lists, and gateways
- Covers a single, contiguous IPv4 CIDR block of your choice
- Supports either private IP address ranges or a publicly routable range
  - Oracle recommends using one of the private IP address ranges in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) for the VCN address space; however, you can use a publicly routable range
- Allows the VCN size to range from /16 to /30
- OCI reserves the first two IP addresses and the last one in each subnet's CIDR
To create a VCN, refer to the section "Task 1: Set up the VCN and Subnet" in the document OCI VCN with Public and Private Subnet. To peer your on-premises network with an OCI VCN, you must whitelist the public endpoint; refer to that document and peer using either VPN Connect or FastConnect.
Default VCN Components
Your VCN automatically comes with some default components:
- Default route table, with no rules
- Default security list, with default rules
- Default set of DHCP options, with default values
You can't delete these default components; however, you can change their contents (for example, individual route rules), and you can create more of each kind of component in your VCN (for example, additional route tables).
Subnets
Each VCN is subdivided into subnets, and each subnet is contained within a single Availability Domain (AD); a given VCN can, however, have more than one subnet in an AD.
Each subnet has the following features:
- It acts as a unit of configuration
  - All instances in a given subnet use the same route table, security lists, and DHCP options
  - Instances draw their internal IP address and network configuration from their subnet
  - A subnet can have one route table and up to 5 security lists associated with it
- It has a contiguous range of IPs
  - Subnet IP ranges may not overlap
  - IP ranges are described in CIDR notation
- It contains virtual network interface cards (VNICs), which attach to instances
  - You can add secondary VNICs to an existing instance and remove them as you like
  - All of an instance's VNICs must be in subnets in the same Availability Domain as the instance
- It can be designated as either Public or Private
  - A private subnet has no access to the Internet
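The address-space rules above (a VCN prefix between /16 and /30, subnets inside the VCN CIDR that do not overlap, and three reserved addresses per subnet) are easy to get wrong when planning a layout by hand. The following is an added example, not Oracle's code or the OCI SDK, that checks a proposed VCN and subnet plan against those rules; it assumes the same /16 to /30 size limit applies to subnets, and every CIDR value in it is constructed.

```python
"""VCN and subnet CIDR planning checks.

Added example, not Oracle's code or the OCI SDK. It applies the address-space
rules from the text: a VCN prefix between /16 and /30, subnets that sit inside
the VCN CIDR without overlapping each other, and three addresses reserved per
subnet (the first two and the last). The same /16 to /30 size limit is assumed
to apply to subnets; all CIDR values below are constructed.
"""
from ipaddress import IPv4Network, ip_network

MIN_PREFIX, MAX_PREFIX = 16, 30      # allowed size range (/16 largest, /30 smallest)
RESERVED_PER_SUBNET = 3              # first two addresses + last address
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_cidr(cidr: str, label: str) -> IPv4Network:
    """Parse a CIDR and enforce IPv4, zero host bits and the /16-/30 range."""
    net = ip_network(cidr, strict=True)   # strict: e.g. 10.0.1.5/24 is rejected
    if net.version != 4:
        raise ValueError(f"{label} {cidr}: must be an IPv4 CIDR block")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{label} {cidr}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net


def is_rfc1918(net: IPv4Network) -> bool:
    """True when the whole block lies inside one RFC 1918 private range."""
    return any(net.subnet_of(r) for r in RFC1918)


def plan_subnets(vcn_cidr: str, subnet_cidrs: list) -> dict:
    """Validate a VCN CIDR and its subnets; return reserved/usable addresses per subnet.

    Raises ValueError on a bad prefix length, a subnet outside the VCN,
    or two subnets whose ranges overlap.
    """
    vcn = validate_cidr(vcn_cidr, "VCN")
    accepted: list = []
    subnets = {}
    for cidr in subnet_cidrs:
        net = validate_cidr(cidr, "subnet")
        if not net.subnet_of(vcn):
            raise ValueError(f"subnet {cidr}: not within VCN CIDR {vcn}")
        for other in accepted:
            if net.overlaps(other):
                raise ValueError(f"subnet {cidr}: overlaps {other}")
        accepted.append(net)
        first, last = net.network_address, net.broadcast_address
        subnets[cidr] = {
            "reserved": [str(first), str(first + 1), str(last)],   # OCI-reserved addresses
            "first_usable": str(first + 2),
            "last_usable": str(last - 1),
            "usable": net.num_addresses - RESERVED_PER_SUBNET,
        }
    return {"vcn": {"cidr": str(vcn), "rfc1918": is_rfc1918(vcn)}, "subnets": subnets}


if __name__ == "__main__":
    # Constructed layout: one public and one private /24 in a /16 VCN.
    import json
    print(json.dumps(plan_subnets("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]), indent=2))
```

The `rfc1918` flag only reports whether the VCN falls in a private range; a publicly routable range is still accepted, as the text allows.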
Figure 2. Internet Gateway (IGW) and Dynamic Routing Gateway (DRG)
Figure 3. IPSec VPN Overview
Figure 4. IPSec VPN vs FastConnect
Gateways
Read the article below for more information:
OCI―Knowing Gateway Basics
Security List
A security list is a common set of firewall rules associated with a subnet and applied to all instances launched inside the subnet. Each security list has the following features:
- Provides ingress and egress rules
  - These specify the types of traffic allowed in and out of the instances
- Rules can be either stateful (default) or stateless
  - Stateful security lists
    - When an instance receives traffic matching a stateful ingress rule, the response is tracked and automatically allowed regardless of any egress rules
    - The same applies to traffic the host sends out under a stateful egress rule: its response is allowed regardless of ingress rules
  - Stateless security lists
    - Response traffic is not automatically allowed
    - To allow the response traffic for a stateless ingress rule, you must create a corresponding stateless egress rule
    - Better suited to scenarios with large numbers of connections
Default Security List
If you don't specify any security list for a subnet, the subnet uses the VCN's default security list, which has the following rules:
- Allows TCP traffic on destination port 22 (SSH) from source 0.0.0.0/0 and any source port
  - Makes it easy to create a new cloud network and public subnet, launch a Linux instance, and immediately connect to it over SSH without writing any security list rules yourself
- Allows ICMP traffic type 3 code 4 from source 0.0.0.0/0 and any source port
  - Makes Path MTU Discovery possible if you're using jumbo frames
- Allows ICMP traffic type 3 (all codes) from your VCN's CIDR and any source port
  - Makes it easy for your instances to receive connectivity error messages from other instances within the VCN
- Allows all outgoing traffic
  - Makes it easy for your instances to talk to any Internet IP address if the cloud network has an Internet Gateway
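To make the stateful/stateless distinction from the Security List section and the default security list's rules concrete, here is an added example, written for this page and not Oracle's code or OCI's packet-processing engine. It is a simplified model: a stateful rule records the flow so the reply passes regardless of rules in the other direction, a stateless rule does not, and the default list is loaded as constructed data. Only the destination port range of TCP rules is modelled (real OCI rules can also carry a source port range), and the IP addresses are constructed.

```python
"""Simplified model of OCI security-list evaluation: stateful vs stateless rules.

Added example, not Oracle's code and not OCI's packet-processing engine. It
mirrors the semantics described in the text: a stateful rule tracks the
connection so the response is allowed regardless of rules in the other
direction, while a stateless rule needs an explicit matching rule for the
response. The VCN default security list is loaded as constructed data; only
TCP (destination port range), ICMP and "all" rules are modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

VCN_CIDR = "10.0.0.0/16"   # constructed VCN address space


@dataclass(frozen=True)
class Rule:
    direction: str                   # "ingress" or "egress"
    protocol: str                    # "tcp", "icmp" or "all"
    cidr: str                        # source for ingress, destination for egress
    stateless: bool = False          # OCI rules are stateful by default
    port_min: Optional[int] = None   # TCP destination port range (None = all ports)
    port_max: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None  # None = all codes


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


# The VCN default security list as the text describes it (constructed data).
DEFAULT_SECURITY_LIST = [
    Rule("ingress", "tcp", "0.0.0.0/0", port_min=22, port_max=22),    # SSH from anywhere
    Rule("ingress", "icmp", "0.0.0.0/0", icmp_type=3, icmp_code=4),    # Path MTU Discovery
    Rule("ingress", "icmp", VCN_CIDR, icmp_type=3),                    # type 3, all codes, from the VCN
    Rule("egress", "all", "0.0.0.0/0"),                                # all outbound traffic
]


def rule_matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    """Does this rule cover the packet when evaluated in the given direction?"""
    if rule.direction != direction:
        return False
    peer = pkt.src if direction == "ingress" else pkt.dst
    if ip_address(peer) not in ip_network(rule.cidr):
        return False
    if rule.protocol == "all":
        return True
    if rule.protocol != pkt.protocol:
        return False
    if rule.protocol == "tcp":
        return rule.port_min is None or (pkt.dport is not None and rule.port_min <= pkt.dport <= rule.port_max)
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return rule.icmp_code is None or rule.icmp_code == pkt.icmp_code


class SecurityList:
    """Evaluates packets against rules and tracks connections opened by stateful rules."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()   # 5-tuples (src, dst, protocol, sport, dport)

    def allow(self, pkt: Packet, direction: str) -> bool:
        # A response to a tracked connection is allowed regardless of rules in this direction.
        if (pkt.dst, pkt.src, pkt.protocol, pkt.dport, pkt.sport) in self.tracked:
            return True
        rule = next((r for r in self.rules if rule_matches(r, pkt, direction)), None)
        if rule is None:
            return False
        if not rule.stateless:   # stateful: remember the flow so its reply gets through
            self.tracked.add((pkt.src, pkt.dst, pkt.protocol, pkt.sport, pkt.dport))
        return True


def default_list_allows(pkt: Packet, direction: str) -> bool:
    return SecurityList(DEFAULT_SECURITY_LIST).allow(pkt, direction)


def web_reply_allowed(stateless: bool, with_egress_rule: bool) -> bool:
    """Inbound HTTP request from the Internet, then the instance's reply.

    A list with only an ingress rule on port 80: stateful -> reply allowed;
    stateless -> reply dropped unless a stateless egress rule covers the
    ephemeral destination ports of the reply.
    """
    rules = [Rule("ingress", "tcp", "0.0.0.0/0", stateless=stateless, port_min=80, port_max=80)]
    if with_egress_rule:
        rules.append(Rule("egress", "tcp", "0.0.0.0/0", stateless=True, port_min=1024, port_max=65535))
    sl = SecurityList(rules)
    request = Packet("203.0.113.7", "10.0.1.10", "tcp", sport=51000, dport=80)
    reply = Packet("10.0.1.10", "203.0.113.7", "tcp", sport=80, dport=51000)
    return sl.allow(request, "ingress") and sl.allow(reply, "egress")
```

Running `web_reply_allowed(stateless=True, with_egress_rule=False)` returns `False`, which is the situation the text warns about: a stateless ingress rule with no corresponding stateless egress rule silently drops the reply. The default-list checks show the other point worth noticing when reviewing a subnet: ICMP type 3 with codes other than 4 is only accepted from the VCN's own CIDR, while TCP 22 is open to any source.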
Route Table
Each route table has the following features:
- Has a set of route rules
  - These map traffic from subnets through gateways (represented by the route target) to destinations (represented by CIDR blocks) outside the VCN
- A subnet's route table is consulted only if the destination IP address is not within the VCN's CIDR block
  - No route rules are required to enable traffic within the VCN itself
- Each rule specifies
  - A destination CIDR block
  - A route target (the next hop) for the traffic that matches that CIDR
    - The target can be a DRG, IGW, NAT Gateway, Service Gateway, Local Peering Gateway or Private IP
For example, to configure your VCN to route all Oracle Services access via a Service Gateway, refer to Access to Oracle Services via ServiceGateway.
DHCP Options (DNS)
When you create a subnet, you may optionally specify choices for DNS name resolution using the subnet's set of DHCP options. Domain Name System (DNS) lets computers use hostnames instead of IP addresses to communicate with each other.[1]
You can choose the DNS for each subnet from two options:
- Internet and VCN Resolver (default)
  - An Oracle-provided option that includes two parts:
    - Internet Resolver
      - Lets instances use host names that are publicly published on the Internet
      - The instances do not need to have Internet access by way of either an IGW or an IPSec VPN DRG
    - VCN Resolver
      - Lets instances use host names (which you can assign) to communicate with other instances in the VCN
- Custom Resolver
  - Use your own DNS servers
  - These could be DNS servers reachable on the Internet, DNS servers in your VCN, or DNS servers in your on-premises network connected to your VCN by way of an IPSec VPN
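Returning to the Route Table section above: the two behaviours it states (a destination inside the VCN CIDR never consults the route table, and any other destination is matched against the rules' destination CIDRs to pick the route target) are shown by the following added example. It is not Oracle's code or the OCI SDK; choosing the most specific matching rule when several overlap is an assumption of this model, and the VCN CIDR and route rules in it are constructed.

```python
"""Route-rule lookup for a subnet, following the Route Table section above.

Added example, not Oracle's code or the OCI SDK. It models the two behaviours
the text states: a destination inside the VCN CIDR never consults the route
table (no rule is needed for intra-VCN traffic), and any other destination is
matched against the rules' destination CIDRs to pick the route target (the
next hop). Choosing the most specific matching rule is an assumption of this
model, and all rule data below are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class RouteRule(NamedTuple):
    destination: str   # destination CIDR block
    target: str        # route target: DRG, IGW, NAT Gateway, Service Gateway, LPG or Private IP


class RouteTable:
    def __init__(self, vcn_cidr: str, rules):
        self.vcn = ip_network(vcn_cidr)
        self.rules = [(ip_network(r.destination), r) for r in rules]

    def next_hop(self, dst_ip: str) -> Optional[str]:
        """Return "local" for intra-VCN traffic, a route target, or None when no rule matches."""
        ip = ip_address(dst_ip)
        if ip in self.vcn:
            return "local"                       # delivered within the VCN, route table unused
        matches = [(net.prefixlen, rule) for net, rule in self.rules if ip in net]
        if not matches:
            return None                          # no route: the traffic has nowhere to go
        _, best = max(matches, key=lambda m: m[0])   # most specific destination wins (assumed)
        return best.target


VCN_CIDR = "10.0.0.0/16"   # constructed

# Constructed tables for a public and a private subnet.
PUBLIC_RULES = [RouteRule("0.0.0.0/0", "IGW")]
PRIVATE_RULES = [
    RouteRule("0.0.0.0/0", "NAT Gateway"),      # outbound Internet without a public IP
    RouteRule("192.168.0.0/16", "DRG"),         # on-premises network over VPN or FastConnect
]


def resolve(rules, destinations) -> dict:
    """Map each destination IP to the next hop the given route rules would choose."""
    table = RouteTable(VCN_CIDR, rules)
    return {d: table.next_hop(d) for d in destinations}


if __name__ == "__main__":
    for name, rules in (("public", PUBLIC_RULES), ("private", PRIVATE_RULES)):
        print(name, resolve(rules, ["10.0.1.5", "192.168.10.20", "203.0.113.9"]))
```

An empty rule set still returns `"local"` for a VCN address, which is the point the text makes: a subnet with no route rules can talk to the rest of the VCN but reaches nothing outside it.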
Video 2. OCI Level 100 - Connectivity (YouTube link)
References
- Oracle Cloud Infrastructure―OCI DNS Service Basics
- Virtual Cloud Network Overview and Deployment Guide
- Oracle Cloud Infrastructure Fundamentals
- FastConnect Partners
- IPSec VPN Overview
- Configuring Your CPE (OCI)
- Oracle's Next Generation Cloud Infrastructure
  - Off-box virtualization: storage and network IO virtualization is put out into the network
- Best Practices for Deploying High Availability Architecture on Oracle Cloud Infrastructure (must read)
- Access to Your On-Premises Network (OCI)
- Hybrid DNS Configuration (OCI)
  - This document describes how to enable resolution of DNS names of instances in the VCN from on-premises clients and vice versa, when the on-premises datacenter is connected with the VCN (through VPN or FastConnect)
- OCI―Knowing Gateway Basics