Saturday, January 12, 2019

OCI―Knowing Virtual Cloud Network Basics

An Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN) is a virtual version of a traditional network on which your instances run.

Video 1.  OCI Level 100 - Virtual Cloud Network (YouTube link)

Key Features of VCN


A Virtual Cloud Network resides within a single region but can span multiple Availability Domains. It has the following key features:
  • Includes subnets, route tables, security lists, and gateways
  • Covers a single, contiguous IPv4 CIDR block of your choice
  • Supports either private IP address ranges or a publicly routable range
    • Oracle recommends using one of the private IP address ranges in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) for the VCN address space.  However, you can use a publicly routable range.
  • Allows a VCN size from /16 to /30
    • The first two IP addresses and the last one in each subnet's CIDR are reserved by the VCN
To create a VCN, refer to the section "Task 1: Set up the VCN and Subnet" in the document OCI VCN with Public and Private Subnet.  To peer your on-premises network with an OCI VCN, you must whitelist the public endpoint; refer to this document and peer using either VPN Connect or FastConnect.

Figure 1. Overview of VCN Key Components

Default VCN Components


Your VCN automatically comes with some default components:
  • Default route table, with no rules
  • Default security list, with default rules
  • Default set of DHCP options, with default values
You can’t delete these default components; however, you can change their contents (for example: individual route rules). And you can create more of each kind of component in your VCN (for example: additional route tables). 

Subnets


Each VCN is subdivided into subnets, and each subnet is contained within a single Availability Domain (AD).  You can, however, have more than one subnet in an AD for a given VCN.

Each subnet has the following features:
  • It acts as a unit of configuration
    • All instances in a given subnet use the same route table, security lists, and DHCP options
    • Instances draw their internal IP address and network configuration from their subnet
    • Each subnet can have one route table and up to five security lists associated with it
  • It has a contiguous range of IPs
    • Subnet IP ranges may not overlap
    • IP ranges are described in CIDR notation
  • It contains virtual network interface cards (VNICs), which attach to instances
    • You can add secondary VNICs to an existing instance and remove them as you like.  
    • All the VNICs must be in subnets in the same availability domain as the instance.
  • It can be designated as either Public or Private
    • A private subnet does not have access to the Internet
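The sizing and overlap rules above (VCN CIDR between /16 and /30, RFC 1918 ranges recommended, three reserved addresses per subnet, subnets inside the VCN CIDR and not overlapping) can be checked before anything is created. The following is an added example written for this page, not code from the original post or from Oracle; the VCN and subnet CIDRs in it are constructed sample values, and it uses only the Python standard library.

```python
# Added example (not from the original post): validate a VCN and subnet plan
# against the rules described in the text, using only the standard library.
import ipaddress

# The three RFC 1918 private ranges Oracle recommends for the VCN address space.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vcn_cidr(cidr):
    """Return a list of findings for a proposed VCN CIDR (an empty list means OK)."""
    net = ipaddress.ip_network(cidr, strict=True)   # raises ValueError if host bits are set
    findings = []
    if net.version != 4:
        findings.append("VCN CIDR must be a single IPv4 block")
        return findings
    if not 16 <= net.prefixlen <= 30:
        findings.append(f"prefix /{net.prefixlen} is outside the allowed /16 to /30 range")
    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append("not in an RFC 1918 range (publicly routable space; Oracle recommends private)")
    return findings


def reserved_addresses(subnet_cidr):
    """The first two addresses and the last address of a subnet, which the VCN reserves."""
    net = ipaddress.ip_network(subnet_cidr)
    return [str(net[0]), str(net[1]), str(net[-1])]


def usable_hosts(subnet_cidr):
    """Addresses left for instances after the three reserved ones are removed."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 3


def check_subnets(vcn_cidr, subnets):
    """Subnets must sit inside the VCN CIDR and must not overlap each other.

    `subnets` maps a subnet name to its CIDR; returns a list of findings.
    """
    vcn = ipaddress.ip_network(vcn_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    findings = []
    for name, net in nets.items():
        if not net.subnet_of(vcn):
            findings.append(f"{name} ({net}) is not inside VCN {vcn}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: one public and one private /24 inside a /16 VCN.
    plan = {"public-subnet": "10.0.0.0/24", "private-subnet": "10.0.1.0/24"}
    print("VCN findings:", check_vcn_cidr("10.0.0.0/16"))
    print("Subnet findings:", check_subnets("10.0.0.0/16", plan))
    for name, cidr in plan.items():
        print(name, "reserved:", reserved_addresses(cidr), "usable:", usable_hosts(cidr))
```

Running the checks at planning time matters more than it looks: an overlapping or publicly routable VCN CIDR is hard to change after instances exist, and it is also what later prevents peering with an on-premises network that uses the same range.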

Figure 2.  Internet Gateway (IGW) and Dynamic Routing Gateway (DRG)

Figure 3. IPSec VPN Overview
Figure 4. IPSec VPN vs FastConnect



Gateways


Read the article below for more information:
OCI―Knowing Gateway Basics

Security List


When you create a subnet, you may optionally specify one or more security lists for the subnet to use (up to five). You can change which security list the subnet uses at any time. 

A security list is a common set of firewall rules associated with a subnet and applied to all instances launched inside the subnet. Each security list has the following features:
  • Provides ingress and egress rules
    • These specify the types of traffic allowed in and out of the instances
  • Rules can be either stateful (default) or stateless
    • Stateful security lists
      • When an instance receives traffic matching a stateful ingress rule, the response is tracked and automatically allowed regardless of any egress rules
      • Similarly, when an instance sends traffic matching a stateful egress rule, the response is tracked and automatically allowed regardless of any ingress rules
    • Stateless security lists
      • Response traffic is not automatically allowed
        • To allow the response traffic for a stateless ingress rule, you must create a corresponding stateless egress rule
      • Are better suited to scenarios with large numbers of connections

Default Security List

If you don't specify any security list for a subnet, the subnet uses the VCN's default security list which has the following features:
  • Allows TCP traffic on destination port 22 (SSH) from source 0.0.0.0/0 and any source port
    • Makes it easy for you to create a new cloud network and public subnet, launch a Linux instance, and then immediately connect through SSH to that instance without needing to write any security list rules yourself
  • Allows ICMP traffic type 3 code 4 from source 0.0.0.0/0 and any source port
  • Allows ICMP traffic type 3 (all codes) from your VCN's CIDR IPs and any source port.
    • Makes it easy for your instances to receive connectivity error messages from other instances within the VCN
  • Allows all outgoing traffic
    • Makes it easy for your instances to talk to any Internet IP address if the cloud network has an Internet Gateway
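The stateful/stateless distinction and the default security list above are easiest to see with a small rule evaluator. The following is an added example written for this page, not Oracle's implementation and not code from the original post: it models a security list as a list of rules plus a connection-tracking table, shows that a stateful ingress rule admits the reply while the same rule made stateless does not until a matching stateless egress rule exists, and flags the rules of the default list that are open to 0.0.0.0/0 so they can be reviewed before the list is attached to a public subnet. The IP addresses are constructed sample values, and ICMP type/code is not modelled.

```python
# Added example (not from the original post): a toy model of OCI security list
# evaluation. Addresses are constructed sample values.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str             # "ingress" or "egress"
    protocol: str              # "tcp", "udp", "icmp" or "all"
    cidr: str                  # source CIDR for ingress, destination CIDR for egress
    ports: tuple = (1, 65535)  # destination port range; ignored for icmp/all
    stateful: bool = True      # OCI rules are stateful unless marked otherwise


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int


def rule_matches(rule, pkt):
    """Does a single rule admit this packet on its own?"""
    if rule.direction != pkt.direction or rule.protocol not in ("all", pkt.protocol):
        return False
    peer = pkt.src if pkt.direction == "ingress" else pkt.dst
    if ipaddress.ip_address(peer) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.protocol in ("tcp", "udp"):
        lo, hi = rule.ports
        return lo <= pkt.dport <= hi
    return True


class SecurityList:
    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()   # replies that stateful rules have already authorised

    @staticmethod
    def _key(direction, protocol, src, sport, dst, dport):
        return (direction, protocol, src, sport, dst, dport)

    def allow(self, pkt):
        key = self._key(pkt.direction, pkt.protocol, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.tracked:   # reply to a connection a stateful rule admitted
            self.tracked.discard(key)
            return True
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.stateful:
                    # Pre-authorise the reverse flow regardless of rules in the other direction.
                    reply_dir = "egress" if pkt.direction == "ingress" else "ingress"
                    self.tracked.add(self._key(reply_dir, pkt.protocol,
                                               pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return True
        return False


INTERNET_CLIENT, INSTANCE = "198.51.100.7", "10.0.0.5"   # constructed addresses


def ssh_session(stateful, reply_rule=False):
    """Admit an SSH request from the Internet, then the instance's reply.

    Returns (request_allowed, reply_allowed).
    """
    rules = [Rule("ingress", "tcp", "0.0.0.0/0", (22, 22), stateful=stateful)]
    if reply_rule:   # the corresponding stateless egress rule for the reply traffic
        rules.append(Rule("egress", "tcp", "0.0.0.0/0", (1024, 65535), stateful=False))
    sl = SecurityList(rules)
    request = Packet("ingress", "tcp", INTERNET_CLIENT, 51514, INSTANCE, 22)
    reply = Packet("egress", "tcp", INSTANCE, 22, INTERNET_CLIENT, 51514)
    return sl.allow(request), sl.allow(reply)


# The VCN's default security list as described in the text (VCN CIDR assumed 10.0.0.0/16).
DEFAULT_SECURITY_LIST = [
    Rule("ingress", "tcp", "0.0.0.0/0", (22, 22)),   # SSH from anywhere
    Rule("ingress", "icmp", "0.0.0.0/0"),            # ICMP type 3 code 4 (type/code not modelled)
    Rule("ingress", "icmp", "10.0.0.0/16"),          # ICMP type 3 from the VCN CIDR
    Rule("egress", "all", "0.0.0.0/0"),              # all outgoing traffic
]


def internet_exposed_ports(rules):
    """TCP/UDP ingress rules open to the whole Internet: review these before use on a public subnet."""
    return [(r.protocol, r.ports) for r in rules
            if r.direction == "ingress" and r.cidr == "0.0.0.0/0" and r.protocol in ("tcp", "udp")]


if __name__ == "__main__":
    print("stateful:", ssh_session(True))
    print("stateless, no egress rule:", ssh_session(False))
    print("stateless, with egress rule:", ssh_session(False, reply_rule=True))
    print("default list exposes:", internet_exposed_ports(DEFAULT_SECURITY_LIST))
```

The last function is the practical takeaway: the default list's port 22 rule from 0.0.0.0/0 is convenient for a first login but should be narrowed to the source ranges that actually need SSH, and a stateless ingress rule without its egress counterpart silently drops the replies.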

Route Table


When you create a subnet, you may optionally specify a route table for the subnet to use. If you don't, the subnet uses the cloud network's default route table. You can change which route table the subnet uses at any time.

Each route table has the following features:
  • Has a set of route rules 
    • These map traffic from subnets through gateways (represented by the route target) to destinations (represented by CIDR blocks) outside the VCN
    • A subnet's route table is consulted only if the destination IP address is not within the VCN's CIDR block
      • No route rules are required in order to enable traffic within the VCN itself
    • Each rule specifies 
For example, to configure your VCN to route all Oracle Service access via Service Gateway, refer to Access to Oracle Services via ServiceGateway.
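The lookup order described above (local delivery for any destination inside the VCN CIDR, otherwise the most specific matching route rule's target, otherwise no route) can be expressed in a few lines. The following is an added example written for this page, not the OCI implementation or code from the original post; the VCN CIDR, route rules and target names are constructed placeholders, not real gateway OCIDs.

```python
# Added example (not from the original post): next-hop lookup that follows the
# route-table rules described in the text. All values are constructed samples.
import ipaddress

VCN_CIDR = ipaddress.ip_network("10.0.0.0/16")

# (destination CIDR, route target) pairs; target names are placeholders, not OCIDs.
PUBLIC_ROUTE_TABLE = [
    ("0.0.0.0/0", "internet-gateway"),    # everything else to the Internet
    ("172.16.0.0/12", "drg"),             # on-premises network via the DRG
]
PRIVATE_ROUTE_TABLE = [
    ("172.16.0.0/12", "drg"),             # no Internet route at all
]


def next_hop(dst, rules, vcn_cidr=VCN_CIDR):
    """Return "local", a route target name, or "drop" for a destination address."""
    addr = ipaddress.ip_address(dst)
    if addr in vcn_cidr:
        return "local"   # intra-VCN traffic never consults the route rules
    best = None
    for cidr, target in rules:
        net = ipaddress.ip_network(cidr)
        # Longest prefix wins when several rules cover the destination.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "drop"


def unused_rules(rules, vcn_cidr=VCN_CIDR):
    """Rules whose destination lies inside the VCN CIDR: never consulted under the model above."""
    return [(cidr, target) for cidr, target in rules
            if ipaddress.ip_network(cidr).subnet_of(vcn_cidr)]


if __name__ == "__main__":
    for dst in ("10.0.3.4", "172.16.5.10", "203.0.113.9"):
        print(dst, "public ->", next_hop(dst, PUBLIC_ROUTE_TABLE),
              "| private ->", next_hop(dst, PRIVATE_ROUTE_TABLE))
```

The private table is the interesting one from a security standpoint: with no 0.0.0.0/0 rule, an instance in that subnet has no path to the Internet even if its security list allows all egress, which is what makes a private subnet private.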

DHCP Options (DNS)


When you create a subnet, you may optionally specify choices for DNS name resolution using the subnet's set of DHCP options.  Domain Name System (DNS) lets computers use hostnames instead of IP addresses to communicate with each other.[1]

You can choose the DNS for each subnet from two options:
  • Internet and VCN Resolver (Default) 
    • This is an Oracle-provided option that includes two parts: 
      • Internet Resolver
        • Lets instances use host names that are publicly published on the Internet.
        • The instances do not need to have Internet access by way of either an IGW or an IPSec VPN DRG. 
      • VCN Resolver
        • Lets instances use host names (which you can assign) to communicate with other instances in the VCN.
  • Custom Resolver
    • Use your own DNS servers. 
      • These could be the IP addresses of DNS servers in your VCN, or of DNS servers in your on-premises network that is connected to your VCN by way of an IPSec VPN
Note that you can't change which set of DHCP options is associated with a subnet after the subnet is created. If you don't want to use the default set, make sure to create your desired set of DHCP options before creating the subnet. However, you can still change the values of these options at your discretion. For more details, see Important Notes about Your Instances and DHCP Options.

Video 2. OCI Level 100 - Connectivity (YouTube link)

References

  1. Oracle Cloud Infrastructure―OCI DNS Service Basics
  2. Virtual Cloud Network Overview and Deployment Guide
  3. Oracle Cloud Infrastructure Fundamentals
  4. FastConnect Partners
  5. IPSec VPN Overview
  6. Configuring Your CPE (OCI)
  7. Oracle’s Next Generation Cloud Infrastructure
    • Off-box virtualization: storage and network IO virtualization is put out into the network
  8. Best Practices for Deploying High Availability Architecture on Oracle Cloud Infrastructure (must read)
  9. Access to Your On-Premises Network (OCI)
  10. Hybrid DNS Configuration (OCI)
    • This document describes the process to enable resolution of DNS names of instances in the VCN from on-premises clients and vice-versa, when the on-premises datacenter is connected with the VCN (through VPN or FastConnect).
  11. Oracle Cloud Infrastructure―OCI DNS Service Basics
  12. OCI―Knowing Gateway Basics
