If you have organized your resources in multiple VCN’s, connecting all those VCNs to your on-premises networks can be a real challenge.
- Until now, your only option was to have a FastConnect or IPSec VPN Connect terminate at each of your VCNs.
- However, this option means you incur costs for multiple FastConnect links, and you have the operational burden of provisioning a new FastConnect or IPSec connection for each new VCN you add.
To overcome this, Oracle has announced the availability of Oracle Cloud Infrastructure VCN Transit Routing, which now offers an alternative. This post covers all about Transit Routing in OCI.
What is Networking in Oracle Cloud (OCI)?
When you work with Oracle Cloud Infrastructure, Whether you are deploying Database or Application the very first thing you will do is create a Network (VCN & Subnet). You then will decide which part of Application/Database is in what Subnet, What Ports to open across Subnet, How Primary Database talks to DR, Where to Deploy LoadBalancer for HA & Networking across Region.
To know more about Networking, check here
What is IPSec VPN Connect?
One way to connect your on-premises network and your virtual cloud network (VCN) is to use VPN Connect, which is an IPSec VPN. IPSec stands for Internet Protocol Security or IP Security.
To know more about IPSec VPN Connect, check here
Image may be NSFW.
Clik here to view.
What is FastConnect?
FastConnect is the most expensive solution whereas connecting over IPSec VPN Tunnel is the most common method. Connecting via Public is more common when you just testing out to see connectivity.
Image may be NSFW.
Clik here to view.
To know more about FastConnect, check here
What is DRG?
- Dynamic Routing Gateway (DRG) provides the single point of entry for remote network paths coming into VCN
- Use DRG to connect On-Premise network to Oracle Cloud using IPSec VPN Tunnel & Fast Connect
- Each VCN can have single DRG
To know more about Oracle Cloud Infrastructure Networks: VCN, FastConnect, DRG, IGW, check here
What is Transit Routing?
Transit routing refers to a network setup in which your on-premises network uses a connected VCN to reach Oracle resources. You connect the on-premises network to the VCN with FastConnect or VPN Connect and then configure the VCN routing so that traffic transits through the VCN to its destination beyond the VCN.
- It uses Hub & Spoke topology, where a customer dedicates a Hub VCN & connects it to the customer’s on-premises network using a FastConnect or IPSec VCN.
- Now, you no longer need to attach a DRG to each of your VCNs to access your on-premises network, you only attach a single DRG to the Hub VCN and allow resources in the Spoke VCN to share the connectivity to the on-premises resources
- One of the VCNs acts as the hub and connects to the on-premises network. The other VCNs are locally peered with the Hub VCN. The traffic between the on-premises network and the peered VCNs transits through the hub VCN.
- The VCNs must be in the same region but can be in different tenancies.
Image may be NSFW.
Clik here to view.
What is a Hub-and-Spoke Networking Topology?
The Hub-and-Spoke model is a concept that can be applied to any network. Take for example the flight networks of a global air carrier: they are generally organized around major airports (hubs), with a constellation of regional airports connected to hubs and other regional airports. The main benefit is to reach more destinations with less links.
The “Hub-and-Spoke” architecture model (also known as “star network”) is used to connect several network nodes together, using a central point: the hub.
In terms of OCI, It enables you to use a central VCN to offer connectivity for other VCNs inside the same cloud region.
Transit Routing Scenarios
There are two primary transit routing scenarios :
• Access to multiple VCNs in the same region: This scenario enables the communication between your on-premises network and multiple VCNs in the same region over a single FastConnect private virtual circuit or VPN Connect.
• Private access to Oracle services: This scenario gives your on-premises network private access to Oracle services so that your on-premises hosts can use their private IP addresses and the traffic does not go over the internet.
High-Level Steps
At a high level, you do this by performing the following steps:
- Establishing a peering relationship between each spoke VCN and the hub VCN
- Associating route tables with the hub VCN’s local peering gateways (LPG) and DRG
- Setting up rules in those route tables to direct traffic from each LPG on the hub VCN to the DRG, and from the DRG to each LPG.
1) Example
How to access to on-premises networks for several VCN:
- the central VCN (HUB) handles the connections to on-premises networks through the DRG,
- other VCNs (SPOKE) establish a peering with the HUB VCN and gains access to connected networks behind the HUB VCN.
The “HUB” VCN is used by the “SPOKE” VCNs only as a transit to reach the destination: traffic is routed according to the defined rules.
Image may be NSFW.
Clik here to view.![Transit Routing]()
Transit Routing Benefits
- Simplified network management and fewer connections
- Increased service velocity/Faster Time-to-Market
- Centralized control of route advertisements
- Cost savings
Summary
- You can use a single FastConnect or IPSec VPN to connect your on-premises network with multiple VCNs in the same region, in a hub-and-spoke layout.
- The VCNs must be in the same region but can be in different tenancies.
- The VCN that acts as the hub uses a dynamic routing gateway (DRG) to communicate with the on-premises network. This hub VCN peers with each VCN that is acting as a spoke. The hub and spoke VCNs use local peering gateways (LPGs) to communicate.
- To enable the desired traffic from the on-premises network through the hub VCN to a peered spoke VCN, you implement route rules for the hub VCN’s DRG attachment and LPG, and for the spoke VCN’s subnets.
- By configuring route tables that reside in the hub VCN, you can control whether a particular subnet in a peered spoke VCN is advertised to the on-premises network, and whether a particular subnet in the on-premises network is advertised to a peered spoke VCN.
Related/Further Readings
- Networking in Cloud: Who Should Learn & Why
- 3 Ways to Connect to Oracle Cloud: Public IP, IPSec VPN & FastConnect
- Transit Routing: Access to Multiple VCNs in the Same Region
- Foundation for Hub-and-Spoke topologies in OCI
Next Tasks For you
We cover Transit Routing in our Oracle Cloud Infra Architect [1Z0-1072] training, under Advance Networking Module, check all list of hands-on guides which we cover here
Click on the image below to register for the FREE Masterclass NOW!Image may be NSFW.
Clik here to view.
Join OCI FREE Community
The post Transit Routing: Access to Multiple VCNs From On-Premise appeared first on Oracle Trainings.