Rohit Rahi

Virtual Cloud Network

Level 100 March 2018

Copyright © 2019, Oracle and/or its Copyright

affiliates.© All rights
2019, reserved.
Oracle 1 reserved.
and/or its affiliates. All rights
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 2

Objectives
After completing this lesson, you should be able to:
• Describe key Virtual Cloud Network (VCN) concepts
• Manage your cloud network components, such as:
– Subnets, Route Table, Security Lists, Private IP, Public IP
• Learn about various OCI connectivity options
– Internet Gateway, NAT Gateway, Service Gateway, Local and Remote Peering
– VPN, FastConnect

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 3

Virtual Cloud Network (VCN)

• A private network that you set up in the Oracle data centers, with firewall rules and specific
types of communication gateways that you can choose to use

• A VCN covers a single, contiguous IPv4 CIDR block of your choice

• A VCN resides within a single region but can cross multiple Availability Domains

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 4

CIDR Basics
• CIDR (classless inter-domain routing) notation
• xxx.xxx.xxx.xxx/n, where n is the number of bits used for subnet mask. E.g. /24 would be 255.255.255.0
• 192.168.1.0/24 would equate to IP range: 192.168.1.0 – 192.168.1.255
• 128 64 32 16 8 4 2 1 -> 27 26 25 24 23 22 21 20
• 192 is represented as 1 1 0 0 0 0 0 0

192.168.1.0 11000000.10101000 .00000001.00000000

255.255.255.0 11111111. 11111111. 11111111 .00000000 192.168.1.0 – 192.168.1.255
AND 11000000.10101000.00000001.00000000
• 192.168.1.0/27 would equate to IP range: 192.168.1.0 – 192.168.1.31
• Now network divided in 8 subnets with 32 hosts each due to /27 mask (255.255.255.224)

192.168.1.0 11000000.10101000 .00000001.00000000

255.255.255.224 11111111. 11111111. 11111111 .11100000
AND 11000000.10101000.00000001.00000000
• Subnets – 2 x 2 x 2 = 8. Hosts – 2 x 2 x 2 x 2 x 2 = 32
• Subnetworks – 192.168.1.0/27, 192.168.1.32/27, 192.168.1.64/27…

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 5

IP address range for your VCN
Avoid IP ranges that overlap with other on-premises or other cloud networks

10.0.0.0/16

Recommended RFC Recommended /16 size

1918 Range (65,536 IP addresses)

• Use private IP address ranges specified in RFC 1918 (10.0.0.0/8, 172.16/12, 192.168/16)

• Allowable OCI VCN size range is from /16 to /30

• VCN reserves the first two IP addresses and the last one in each subnet's CIDR

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 6

Subnet
Each VCN network is subdivided into subnets
• Each subnet can be a AD specific or can be a
ORACLE CLOUD DATA CENTER REGION Regional Subnet (recommended)
AVAILABILITY AVAILABILITY AVAILABILITY
DOMAIN-1 DOMAIN-2 DOMAIN-3
• Regional Subnet spans all three ADs in a multi-AD
region

• AD specific subnets is contained within a single AD

in a multi-AD region
SUBNET A, SUBNET B, SUBNET C,
10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 • Each subnet has a contiguous range of IPs,
described in CIDR notation. Subnet IP ranges cannot
overlap

SUBNET D • Instances are placed in subnets and can live across

10.0.4.0/24
• Instances draw their internal IP address and network
VCN, 10.0.0.0/16
configuration from their subnet

• Subnets can be designated as either

• Private (instances contain private IP addresses

assigned to vNICs)
• Public (contain both private and public IP
addresses assigned to vNICs)

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 7

Internet Gateway

ORACLE CLOUD DATA CENTER REGION Internet gateway provides a path for network
traffic between your VCN and the internet
Availability Domains – AD1/AD2/AD3

Internet

Instance with
public IP
Internet
SUBNET B, Gateway
10.0.2.0/24
You can have only one internet gateway for
Regional
Public Subnet a VCN
VCN, 10.0.0.0/16
After creating an internet gateway, you must
add a route for the gateway in the VCN's
Route Table to enable traffic flow

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 8

Route Table
Route Table is used to send traffic out of
ORACLE CLOUD DATA CENTER REGION
the VCN
Availability Domains – AD1/AD2/AD3

Internet
Destination Route
Route Table
CIDR Target
Internet
0.0.0.0/0 Internet
Gateway
SUBNET B Gateway
10.0.2.0/24

Regional Public
Subnet
Consists of a set of route rules; each rule
VCN, 10.0.0.0/16 All traffic destined for
specifies
Internet Gateway • Destination CIDR block
• Route Target (the next hop) for the
traffic that matches that CIDR

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 9

Route Table

ORACLE CLOUD DATA CENTER REGION • Each subnet uses a single route table
specified at time of subnet creation, but
Availability Domains – AD1/AD2/AD3 can be edited later

• Route table is used only if the destination

IP address is not within the VCN's CIDR
Destination Route
CIDR Target Route Table block
Internet
0.0.0.0/0 Internet
Gateway
SUBNET B, Gateway • No route rules are required in order to
10.0.2.0/24
10.0.0.0/16 local enable traffic within the VCN itself
Regional Public
Subnet
VCN, 10.0.0.0/16 • When you add an internet gateway, NAT
gateway, service gateway, dynamic routing
gateway or a peering connection, you
must update the route table for any subnet
that uses these gateways or connections

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 10

NAT Gateway
NAT gateway gives an entire private network
ORACLE CLOUD DATA CENTER REGION access to the internet without assigning each
host a public IP address
Availability Domains – AD1/AD2/AD3

Internet
Destination Route
CIDR Target
0.0.0.0/0 NAT Gateway
NAT
SUBNET B, Gateway
Instance with 10.0.2.0/24 Hosts can initiate outbound connections to
private IP Regional Private the internet and receive responses, but not
Subnet
receive inbound connections initiated from
VCN, 10.0.0.0/16
the internet. Use case: updates, patches)

You can have more than one NAT gateway

on a VCN, though a given subnet can route
traffic to only a single NAT gateway

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 11

Service Gateway

ORACLE CLOUD DATA CENTER REGION Service gateway lets resources in VCN
Object Storage
access public OCI services such
Availability Domains – AD1/AD2/AD3
as Object Storage, but without using an
Service Gateway
internet or NAT gateway

Any traffic from VCN that is destined for

Destination Route one of the supported OCI public services
Service Target
uses the instance's private IP address for
Object Storage Service SUBNET B,
Service Gateway 10.0.2.0/24 routing, travels over OCI network fabric,
Regional and never traverses the internet
Private Subnet
VCN, 10.0.0.0/16
Use case: back up DB Systems in VCN
to Object Storage)

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 12

Dynamic Routing Gateway

ORACLE CLOUD DATA CENTER REGION A virtual router that provides a path for
private traffic between your VCN and
Availability Domains – AD1/AD2/AD3 destinations other than the internet

You can use it to establish a

Destination Route
connection with your on-premises network
CIDR Target via IPsec VPN or FastConnect (private,
0.0.0.0/0 DRG dedicated connectivity)
SUBNET B,
10.0.2.0/24
After attaching a DRG, you must add a
Regional Private
Subnet route for the DRG in the VCN's route table
VCN, 10.0.0.0/16 to enable traffic flow

DRG is a standalone object. You must

attach it to a VCN. VCN and DRG have a
CUSTOMER DATA CENTER 1:1 relationship
Customer Premises Equipment (CPE)

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 13

Local Peering

Destination Route Destination Route

VCN peering is the process of connecting multiple
CIDR Target CIDR Target VCNs
192.168.0.0/16 LPG-1 10.0.0.0/16 LPG-2

Local VCN peering is the process of connecting two

VCNs in the same region so that their resources can
ORACLE CLOUD DATA CENTER REGION communicate using private IP addresses

A local peering gateway (LPG) is a component on a

VCN for routing traffic to a locally peered VCN
LPG-1 LPG-2
VCN-1, VCN-2, The two VCNs in the peering relationship shouldn’t
10.0.0.0/16 192.168.0.0/16 have overlapping CIDRs

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 14

Remote Peering

Destination Route Destination Route Remote VCN peering is the process of

CIDR Target CIDR Target connecting two VCNs in different regions
192.168.0.0/16 DRG-1 10.0.0.0/16 DRG-2 so that their resources can communicate
using private IP addresses

Oracle backbone
OCI REGION ASH OCI REGION PHX Requires a remote peering connection
(RPC) to be created on the DRGs. RPC's job
is to act as a connection point for a remotely
peered VCN

GA for ASH-PHX and LHR-FRA regions

(available through Oracle support for other
VCN-1, VCN-2,
10.0.0.0/16 192.168.0.0/16
combinations)

The two VCNs in the peering relationship

must not have overlapping CIDRs

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 15

Summary of OCI network connectivity options
Scenario Solution
Let instances connect to the Internet, and receive connections from it Internet Gateway
Let instances reach the Internet without receiving connections from it NAT Gateway

Let VCN hosts privately connect to object storage, bypassing the internet Service Gateway
Make an OCI extend an on-premise network, with easy connectivity in both IPsec VPN
directions FastConnect
Privately connect two VCNs in a region Local Peering Gateway
Remote Peering
Privately connect two VCNs in different regions
Connection (DRG)

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 16

Security Lists

ORACLE CLOUD DATA CENTER REGION A common set of firewall rules associated
with a subnet and applied to all instances
AVAILABILITY DOMAIN-1 AVAILABILITY DOMAIN-2 launched inside the subnet

Security List Security List

• Security lists provide ingress and egress
rules that specify the types of traffic
allowed in and out of the instances

SUBNET A, SUBNET B, • Security lists apply to a given instance

10.0.1.0/24 10.0.2.0/24
whether it's talking with another instance
Private Subnet Public Subnet
in the VCN or a host outside the VCN
VCN, 10.0.0.0/16
• You can choose whether a given rule is
stateful or stateless

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 17

Stateful Security Rules

• Connection Tracking: when an instance receives

traffic matching the stateful ingress rule, the
response is tracked and automatically allowed
regardless of any egress rules; similarly for
sending traffic from the host

• Default Security List rules are stateful

Hosts in this group are reachable

from the internet on Port 80

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 18

Stateless Security Rules
• With stateless rules, response traffic is not
automatically allowed

• To allow the response traffic for a stateless ingress

rule, you must create a corresponding stateless
egress rule

• If you add a stateless rule to a security list, that

indicates that you do NOT want to use connection
tracking for any traffic that matches that rule

• Stateless rules are better for scenarios with large

numbers of connections (Load Balancing, Big Data)

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 19

Default VCN components

AVAILABILITY DOMAIN-1
Default RT
ORACLE CLOUD DATA CENTER REGION
AVAILABILITY DOMAIN-2
Custom RT
Your VCN automatically comes with some
default components
• Default Route Table
• Default Security List
• Default set of DHCP options

Default SL Custom SL
You can’t delete these default components;
however, you can change their contents (e.g.
SUBNET A,
10.0.1.0/24
SUBNET B, individual route rules). And you can create
10.0.2.0/24

Private Subnet
more of each kind of component in your
Public Subnet
cloud network (e.g. additional route tables).
VCN, 10.0.0.0/16

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 20

VCN Review
• Subnets can have one Route Table and multiple (5*) Security Lists associated to it
• Route table defines what can be routed out of VCN
• Private subnets are recommended to have individual route tables to control the flow of traffic
outside of VCN

• All hosts within a VCN can route to all other hosts in a VCN (no route table required)

• Security Lists manage connectivity north-south (incoming/outgoing VCN traffic) and east-
west (internal VCN traffic between multiple subnets)

• OCI follows a white-list model (you must manually specify white listed traffic flows); By
default, things are locked down

• Instances cannot communicate with other instances in the same Subnet, until you permit
them to!

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 21

VCN Review Destination CIDR Route Target

0.0.0.0/0 Internet
OCI REGION Gateway
AVAILABILITY DOMAINs – AD1

Frontend, 10.0.1.0/24 Source Dest

Type CIDR Protocol
Port Port
Stateful Ingress 0.0.0.0/0 TCP All 80
Stateful Egress 10.0.2.0/24 TCP All 1521

SL - Frontend RT - Frontend
Internet
Destination CIDR Route Target
SL - Backend RT - Backend Internet
Gateway
0.0.0.0/0 NAT/ Service
gateway /DRG

Source Dest
Type CIDR Protocol
Port Port
Backend, 10.0.2.0/24
Stateful Ingress 10.0.1.0/24 TCP All 1521

VCN, 10.0.0.0/16 Stateful Egress All All

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 22

Internal DNS
• The VCN Private Domain Name System (DNS) enables instances to use hostnames instead of IP
addresses to talk to each other
• Options:
• Internet and VCN Resolver: default choice for new VCNs
• Custom Resolver: lets instances resolve the hostnames of hosts in your on-premises network
through IPsec VPN/FastConnect
• Optionally specify a DNS label when creating VCN/subnets/instances
• VCN: <VCN DNS label>.oraclevcn.com
• Subnet: <subnet DNS label>.<VCN DNS label>.oraclevcn.com
• Instance FQDN: <hostname>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com

• Instance FQDN resolves to the instance's Private IP address

• No automatic creation of FQDN for Public IP addresses (e.g. cannot SSH using <hostname>.<subnet
DNS label>.<VCN DNS label>.oraclevcn.com)

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 23

Private IP
• Each instance has at least one primary private IP address
• A private IP can have an optional public IP assigned to it
• Instances ≥ 2 VNICs (additional VNICs called secondary VNICs)
• Each VNIC has one primary private IP; can have additional private IPs called secondary private IPs

Primary VNIC
• Primary private IP address
• Secondary private IP, #1, #2…#31

Secondary VNIC
Instance • Primary private IP address
• Secondary private IP, #1, #2…#31

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 24

Multiple VNICs on virtual machines
ORACLE CLOUD INFRASTRUCTURE (REGION)
• Every VM has one primary VNIC created at launch,
Availability Domains AD1/AD2/AD3 and a corresponding Ethernet device on the
instance with the IP address configuration of the
Subnet A
10.0.0.0/24
Subnet B
10.0.1.0/24
primary VNIC
• When a secondary VNIC is added, new Ethernet
VNIC1 VNIC2 VNIC3 VNIC4 device is added and is recognized by the instance
OS
primary primary primary
• VM1 - single VNIC instance
• VM2 - connected to two VNICs from two
subnets within the same VCN. Used for virtual
VM1 VM2 VM3 appliance scenarios
• VM3 - connected to two VNICs from two
VNIC5 subnets from separate VCNs. Used to connect
VCN instances to a separate management network
Subnet X
172.16.0.0/24
for isolated access

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 25

Secondary IP addresses on VNICs
ORACLE CLOUD INFRASTRUCTURE (REGION) • Every VNIC is assigned a primary private IP
Availability Domain AD1/AD2/AD3
address when it is created, which is configured
automatically on the corresponding Ethernet device
Subnet A
10.0.0.0/24
Subnet B
10.0.1.0/24
in the instance OS
• Every VNIC can have additional private IPs called
Secondary private IPs (max of 31)
• Secondary private IP assigned only after the
instance is launched (or the secondary VNIC is
IP5

IP6

IP7
IP4
IP1

IP2

IP3

primary primary primary

VNIC1 VNIC1 VNIC3 created/attached)

• Two step process to use secondary IP addresses
primary primary • assign a secondary private IP address to VNIC
using console/API/SDK
• update the instance OS to configure an
additional IP address on the corresponding
VM1 VM2 Ethernet device

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 26

Secondary IP addresses on VNICs
ORACLE CLOUD INFRASTRUCTURE (REGION)
• Possible to move a secondary private IP from a
Availability Domain 1
VNIC on one instance to a VNIC on another
instance if both VNICs belong to the same
Subnet A
10.0.0.0/24
Subnet B
10.0.1.0/24
subnet (use case: instance failover)
• The instances can be in same or different
Availability Domains if we use Regional subnets

IP5

IP6

IP7
IP4
IP1

IP2

IP3

primary primary primary

VNIC1 VNIC1 VNIC3

primary primary

VM1 VM2

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 27

Public IP
• Public IP address is an IPv4 address that is reachable from the internet; assigned to a private IP object
on the resource (Instance, load balancer)
• Possible to assign a given resource multiple public IPs across one or more VNICs

Primary VNIC
• Primary Private IP address, Public IP address
• Secondary Private IP #1, Public IP address
• Secondary Private IP #2, Public IP address
Instance • …

• Public IP assigned to
• Instance (not recommended in most cases)
• OCI Public Load Balancer (Oracle provided; you cannot choose/edit)
• NAT Gateway (Oracle provided; you cannot view/choose/edit)
• DRG – IPsec tunnels (Oracle provided; you cannot choose/edit)
• Autonomous Data Warehouse (Oracle provided; you cannot view/choose/edit)
• Autonomous Transaction Processing (Oracle provided; you cannot view/choose/edit)
• OKE cluster master and worker nodes (Oracle provided; you cannot choose/edit)

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 28

Public IP
• Public IP types: Ephemeral and Reserved
• Ephemeral: temporary and existing for the lifetime of the instance
• Reserved: Persistent and existing beyond the lifetime of the instance it's assigned to (can be
unassigned and then reassigned to another instance)
• Ephemeral IP can be assigned to primary private IP only (hence, only 1 per VNIC v/s a max 32 for
Reserved IP)

• No charge for using Public IP, including when the Reserved public IP addresses are unassociated

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 29

Virtual Cloud Network Demo

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 30

VCN Pricing

• Data Transfer charges apply at the published rates below

Metric Pay as You Go Monthly Flex

Outbound Data Transfer - First 10 TB / Month GB/month Free Free
Outbound Data Transfer - Over 10 TB / Month GB/Month $0.0085 $0.0085
Inbound Data Transfer GB/Month Free Free

• No charge for data transfer between Availability Domains within a region

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 31

Summary
• Key Virtual Cloud Network (VCN) concepts
– Subnets, Route Table, Security Lists, Private IP, Public IP
• OCI connectivity options
– Internet Gateway, NAT Gateway, Service Gateway, Local and Remote Peering
– VPN, FastConnect (next module)

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 32

cloud.oracle.com/iaas

cloud.oracle.com/tryit

Copyright © 2019, Oracle and/or its affiliates. All rights reserved. 33