Oracle Cloud Infrastructure is a cloud computing platform that provides a range of services, including networking. Oracle Cloud Infrastructure’s networking features include virtual cloud networks (VCNs), availability domains, fault domains, and gateways. A region is a localized geographic area that consists of one or more availability domains. An availability domain is a group of isolated data centers that offer high availability, low latency, and high throughput. A fault domain is a grouping of hardware and infrastructure within an availability domain, and each availability domain has three fault domains. A VCN is a virtual representation of a physical network that includes features such as addressing, subnets, routers (called “gateways” in VCN), firewalls, route tables, and connectivity. There are several types of gateways available in VCN, including the internet gateway, NAT gateway, service gateway, local peering gateway, and dynamic routing gateway. VCNs also come with firewalls, security lists, route tables, and the ability to use multiple non-overlapping IPv4 CIDR blocks. VCNs reside in a single region and can be assigned a CIDR block or prefix, which can be modified later on.
Virtual Cloud Network
- A region is a localized geographic area that consists of one or more availability domains.
- An availability domain is a group of fault-tolerant and isolated data centers that are close to each other and offer high availability, low latency, and high throughput.
- A fault domain is a grouping of hardware and infrastructure within an availability domain, and each availability domain has three fault domains.
- A Virtual Cloud Network (VCN) is a virtual representation of a physical network that includes features such as addressing, subnets, routers (called “gateways” in VCN), firewalls, route tables, and connectivity.
- There are several types of gateways available in VCN, including the internet gateway, NAT gateway, service gateway, local peering gateway, and dynamic routing gateway.
- VCNs also come with firewalls, security lists, route tables, and the ability to use multiple non-overlapping IPv4 CIDR blocks.
- VCNs reside in a single region and can be assigned a CIDR block or prefix, which can be modified later on.
- CIDR notation is used to represent IP addresses and prefixes
- CIDR stands for classless inter-domain routing
- An IP address or CIDR prefix consists of four bytes, or 32 bits
- CIDR notation includes a network prefix, represented by “slash x”, which is the number of bits reserved for the network address
- Subnetting divides a network into smaller portions
- CIDR notation uses binary to represent the value of each bit in an address
- The network ID, first host address, and broadcast address are typically reserved in OCI
- CIDR notation can be used to calculate the number of hosts in a subnet
- RC 1918 is a set of private IPv4 addresses recommended for use in Oracle Cloud Infrastructure virtual cloud networks and subnets
- RC 1918 addresses are not routable over the open internet and are assigned to internal hosts inside a private virtual cloud network
- RC 1918 consists of the 10.0.0.0/8, 172.16.0.0/12, and 126.96.36.199/16 ranges
- OCI recommends using a /16 prefix for a virtual cloud network, but it can be any prefix between /16 and /30
- Public routable ranges can also be used, but it is recommended to stick with RC 1918 to avoid routing conflicts
- The first two and last IP addresses in a CIDR prefix are reserved by OCI and it is recommended to avoid overlaps
- Subnets are a way to divide a virtual cloud network (VCN) into smaller sections.
- Subnets can be either availability domain-specific, meaning they are contained within a single availability domain, or regional, meaning they span all availability domains within a region.
- Each subnet has a continuous range of IPv4 addresses, and subnets cannot have overlapping address ranges.
- The size of a subnet can be changed after creation, but care must be taken to ensure that it does not overlap with another subnet’s address range.
- Private IP addresses for resources within a subnet are taken from the subnet’s address range.
- Resources within a VCN can communicate with each other without needing routing, but external resources can only be accessed through a route table and Internet Gateway or NAT Gateway.
- Public subnets are subnets that have a direct route to the Internet Gateway, allowing resources within them to be directly accessed over the internet.
- Private subnets are subnets that do not have a direct route to the Internet Gateway and cannot be directly accessed over the internet.
- Resources within private subnets can access the internet through a NAT Gateway or NAT instance.
- CIDR notation is a standard for writing IP addresses and their associated network prefix
- RC 1918 is a standard for assigning IPv4 addresses to a private network, with the recommended range being 10.0.0.0/8, 172.16.0.0/12, and 188.8.131.52/16
- A subnet is a range of IP addresses within a VCN, and can be either availability domain-specific or regional
- A security list is a set of firewall rules associated with a subnet, and can be either stateful or stateless
- The security list is applied at the VNIC level and controls ingress and egress traffic to a subnet
- A route table controls the routing of traffic within a VCN and can be modified to create a custom route
- A route rule consists of a CIDR block and a target, and determines where traffic matching the CIDR should be routed to
- Internet and VCN Gateway allow resources in a VCN to communicate with the internet or other VCNs respectively
Network Security Groups
- Network Security Groups (NSGs) provide a virtual firewall for a set of cloud resources with the same security posture
- NSGs apply only to a set of VNICs in a single VCN
- NSGs can be used for compute instances, load balancers, compute nodes, Autonomous Database endpoints, and Mount targets for file systems
- Oracle recommends using NSGs over security lists because they provide fine-grained detail for security permissions
- NSGs can be used as an exception to security lists or as a standalone security measure
- Security lists must be associated with a subnet, but can be empty and NSGs applied to individual resources instead
- The Bastion Service from Oracle Cloud Infrastructure allows secure, time-bound access to resources in a private subnet
- Incoming SSH connections can be restricted to a specific IP address or IPv4 CIDR range, and all access is recorded through the Event and Audit service
- The Bastion Service is integrated with Identity and Access Management, is free and fully managed by Oracle Cloud Infrastructure personnel, and reduces operational overhead for users
- The Bastion Service can be used to access compute instances, database compute nodes, and the Oracle Kubernetes Engine via port forwarding, and any SSH-able private IPv4 within OCI
- The Bastion Service can be placed on the same subnet as the resources or on a separate Bastion-only private subnet
- An internet gateway is a virtual router that connects the edge of a Virtual Cloud Network (VCN) to the internet.
- The internet gateway allows connectivity to the open internet for resources in a public subnet in a VCN.
- To use the internet gateway, the following are required: an internet gateway, a public IP address on both ends of the connection, a route rule in a route table using the internet gateway as the target, and permission from security lists or network security groups.
- The internet gateway can only be used by resources in the same VCN, not by other VCNs or on-premises resources.
- Each VCN can only have one internet gateway.
- Network Address Translation (NAT) is a technique used to give a private network access to the internet without assigning each host a public IPv4 address
- NAT gateway provides this access and supports UDP, TCP, and ICMP protocols
- Typically limited to one NAT gateway per VCN, but can be increased by submitting a service limit increase request
- NAT gateway can be used by resources within the VCN, but not by resources in a peered VCN or connected via a DRG
- NAT gateway address can be an ephemeral or reserved IP address
- The Services Gateway on Oracle Cloud Infrastructure (OCI) provides a secure path to the Oracle Services network without leaving OCI.
- The Services Gateway is used to access services such as Object Storage and Autonomous Data Warehouse.
- The Services Gateway allows resources within a VCN and on-premises networks (through FastConnect or VPN) to access the Oracle Services network without going through the open internet.
- The Services Gateway is regional and only enables access to supported Oracle services in the same region as the VCN.
Local peering gateway
- Local peering allows two virtual networks (VCNs) in the same region to communicate with each other privately using their private IP addresses.
- Local peering requires two VCNs with non-overlapping CIDRs and a local peering gateway on each VCN.
- A dynamic routing gateway (DRG) can also be used to connect two VCNs in the same region, even if their CIDRs overlap.
- A DRG attachment allows multiple VCNs to be connected to the same DRG.
- There are pros and cons to using a DRG over local peering, including complexity and latency.
- A route table consists of a set of rules that govern how traffic leaving a subnet is routed.
- Traffic within a VCN is automatically handled by VCN local routing and does not require a route rule.
- If a route table has overlapping rules, Oracle will use the most specific one.
- If there is no matching route rule for network traffic, it will be dropped.
- IPv6 addressing is supported in Oracle Cloud Infrastructure.
- The main purpose of a route table is to send traffic out of a VCN or subnet.
- The destination for a set of route rules can be a CIDR block or a service gateway, and the route target is the next hop.