Connectivity options

 

Internet Gateway: Public Internet

  • Internet Gateway provides a path for network traffic between your VCN and the internet.
  • Allows traffic from subnet’s components to the internet and from the internet to VCN components.
  • Instances are able to communicate with the internet, inbound, and outbound.
  • Define a public subnet: Example: 10.0.1.0/24 which ranges 10.0.1.0 to 10.0.1.255
  • Usually, this is the DMZ for public internet communications (outbound and inbound)
  • Usually, use it for the Public Load Balancer 
  • You can have only one Internet Gateway per VCN.
  • Must add a route to the gateway in the VCN routing table to enable traffic flow. Example route: 0.0.0.0/0 to Internet Gateway
  • Must add a stateful ingress and egress rule to the security list.

NAT Gateway - Private Network

  • Configured for Private subnet which needs to reach the internet (Outbound only)
  • Define a private subnet: Example: 10.0.0.0/24 which ranges 10.0.0.0 to 10.0.0.255
  • Attach NAT Gateway: this enables traffic from the internal network to access the internet but it blocks internet traffic from accessing the internal network.
  • Used for internal components (for databases and other internal components that needs to access the internet to download updates and patches)
  • Hosts on private networks can initiate outbound connections to the Internet and receive responses. But not receive inbound requests initiated from the internet.
  • Must add a route to the gateway in the VCN routing table to enable traffic flow. Example route: 0.0.0.0/0 to NAT Gateway
  • You can have multiple NAT Gateway on a VCN, but a subnet can route traffic to only one NAT Gateway.

DRG Gateway - Private communication with other Networks

  • Make OCI extend an on-premise network, with easy connectivity in both directions.
  • Other than the internet (example: On-Premise)
  • Attach a Dynamic Routing Gateway (DRG Gateway) to VCN. VCN can have one DRG and a DRG can be attached to one VCN.
  • Usually connects to customer internal data center
  • Dynamic routing gateway is a virtual router that provides a path for private traffic between your network and destinations other than the internet. 
  • Used in
    • IPsec VPN, also sometimes referred to as site-to-site VPN because you're connecting sort of to sites. 
    • Fast connect A private dedicated connectivity. Having your own high occupancy vehicle lane if the internet is this massive you set of highways
    • Remote peering with VNC in another region
  • After attaching the DRG, you must add a route for the DRG in the VCN’s route table to enable traffic flow to DRG
  • 0.0.0.0/0 to DRG
  • DRG and VCN have a 1:1 relationship

 

Service Gateway - Private communication with Oracle Public Services

  • Service Gateway lets resources in VCN access public OCI services such as Object Storage, but without using the internet or NAT gateway.
  • Any traffic from VCN that is destined for one of the supported OCI services uses the instances's private IP address for routing, travels over OCI network fabric, and never traverse the internet.
  • The Oracle public services are available with public IP addresses
  • Internal networks can reach the Oracle public services privately via a Service Gateway
  • Usecases: Backup DB systems in VCN
  • Example: Object Storage and All-Region Services, target Service Gateway


Local Peering Gateway

  • Local Peering Gateway: The process to connect two local VCNs (In the same Region).
  • So that their resources can communicate over private IP addresses
  • Must not have overlapping CIDRs
  • Peering is not transitive
  • Steps:
    • In each VCN create a Local Peering Gateway
    • In each VCN, Add a routing rule with a target to Local Peering Gateway with target IP of the second VCN as shown in the diagram below
    • In each VCN, Need to define a security rule to allow traffic to/from the other VCN CIDR.
    • Select the Local Peering Gateway and click to establish a connection.


Remote Peering (DRG)

  • Connect two OCI remote regions
  • DRG is a virtual router that provides a path for privileged traffic between your VCN and destinations other than the internet.
  • After attaching a DRG, you must add a route for the DRG in the VCN’s route table to enable traffic flow.
  • Is the process of connecting two VCN in different regions so that their resources can communicate using private IP addresses
  • Requires a remote peering connection (RPC) to be created on the DRGs. RPC job is to act as a connection point for a remotely peered VCN
  • Used for Disaster Recovery
  • Must not have overlapping CIDRs
  • The same setup as Local Peering, but use DRG instead.

Comments

Post a Comment

Popular posts from this blog

Exam Study

 In the left side sections (Study Guide), you will find a list of subjects that helps in the exam study.  I will be adding more pages to cover other subjects. Being an OCI Architect requires practical experience. I advise you to get a free account to practice your knowledge. To get OCI free access, follow this link Using the Oracle documentation, this study guide and practicing in your free Oracle OCI instance should help you to accomplish your goals and pass the OCI Architect Exam.  If you have questions, let me know in the comments and I will try to help.
Read more