Recent Oracle Update [May 21, 2019]: You can now use Border Gateway Protocol (BGP) with VPN Connect (also known as an IPSec VPN).
This post covers:
- 3 different ways to connect to Oracle Cloud
- Dynamic Routing Gateway (DRG) & its use
- IPSec VPN Routing [Earlier/Now]
- BGP & its Benefits
3 Ways to Connect to Oracle Cloud
1) Public IP:
A public IP address is an IPv4 address that is reachable from the internet. If a resource in your tenancy needs to be directly reachable from the internet, it must have a public IP address.
You will also need an Internet Gateway and a Security List configured.
There are two types of public IPs:
- Ephemeral: Think of it as temporary and existing for the lifetime of the instance.
- Reserved: Think of it as persistent and existing beyond the lifetime of the instance it’s assigned to
Note: When you create an instance, make sure you create it inside a public subnet. It will automatically be assigned a public IP, or you can go to the Advanced options and, under Networking, make sure you have assigned a public IP.
2) VPN Connect or IPSec VPN Tunnel:
The second way to connect is an IPSec VPN tunnel. It is typically used to extend your on-premises network into OCI (i.e. the VCN), so that users on the on-premises network can connect to the cloud through a secure tunnel over the internet, using internal (non-public) IP addresses.
In this example, one network on-premises has CIDR 10.0/16 and the other, on OCI, has 172.16/16. One end of the VPN tunnel is connected using the CPE (customer-premises equipment) and the other end using the DRG (see the DRG section below).
3) FastConnect:
FastConnect connects an existing network to a VCN over a private physical network instead of the internet. There are two ways to connect with FastConnect:
- Colocation: By co-locating with Oracle in a FastConnect location.
- Provider: By connecting to a FastConnect provider.
FastConnect is the most expensive solution, whereas connecting over an IPSec VPN tunnel is the most common method. Connecting via a public IP is more common when you are just testing connectivity.
Dynamic Routing Gateway (DRG) & Its Use
If you are using IPSec VPN Tunnel or FastConnect for connecting, then you must configure DRG.
- If you want to connect a VCN in Oracle Cloud with an on-premises network using an IPSec VPN tunnel or FastConnect, the DRG is configured at the cloud side of the VPN tunnel.
- If you would like to connect a VCN in one region to a VCN in another region, you use a Dynamic Routing Gateway.
IPSec VPN Routing [Earlier & Now]
When Oracle Cloud Infrastructure talks to On-Premise, there are two routing types by which traffic can route.
- BGP Dynamic Routing: [New Feature: Introduced on 21st May 2019]
  - The available routes are learned dynamically through BGP. The DRG dynamically learns the routes from your on-premises network. On the Oracle side, the DRG advertises the VCN’s subnets.
- Static routing: [Existing Feature]
  - When you set up the IPSec connection to the DRG, you specify the particular routes to your on-premises network that you want the VCN to know about. You also must configure your CPE device with static routes to the VCN’s subnets. None of these routes are learned dynamically.
For an IPSec connection, static routing is the default type of routing for all tunnels.
What is Border Gateway Protocol?
BGP is a routing protocol used to move packets across the internet: it uses dynamic routing and decides the path at run time. BGP offers network stability, which guarantees that routers can quickly adapt and send packets over another connection if one internet path goes down.
Benefits of Using BGP for Routing
- BGP allows dynamic routing or automatic route exchange between your CPE device and your dynamic routing gateway (DRG).
- The IPSec VPN is now dynamic: it supports BGP (dynamic) routing between the CPE and the DRG.
- The routing type (BGP or static) is now configured per IPSec tunnel in the overall connection.
- If the connection has two tunnels, either both can use the same routing type, or one tunnel can use BGP and the other static routing.
- Changing from static to BGP is possible on a per-tunnel basis.
- Custom shared secret: you can provide the shared secret for each tunnel, before or after setup.
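A BGP tunnel lets the DRG learn whatever prefixes the CPE advertises, while a static tunnel only knows the routes entered by hand, so both are worth auditing against the address plan. The following is an added example, not code from the original post or from Oracle: it reuses the post's 10.0/16 on-premises and 172.16/16 VCN ranges, and the tunnel records, field names and route lists are constructed for illustration and are not an OCI API format.

```python
import ipaddress

# CIDRs from the post's example; tunnel records below are constructed samples.
ON_PREM = ipaddress.ip_network("10.0.0.0/16")
VCN = ipaddress.ip_network("172.16.0.0/16")

def audit_tunnel(tunnel):
    """Return findings for the on-premises routes one tunnel carries.

    STATIC tunnels hold operator-entered routes; BGP tunnels hold whatever
    prefixes the CPE advertised, so those deserve the closer look.
    """
    name, routing = tunnel["name"], tunnel["routing"]
    if routing not in ("STATIC", "BGP"):
        return [f"{name}: unknown routing type {routing!r}"]
    routes = tunnel.get("routes", [])
    findings = []
    if routing == "STATIC" and not routes:
        findings.append(f"{name}: static tunnel has no on-premises routes")
    for text in routes:
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            findings.append(f"{name}: malformed prefix {text!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{name}: default route {net} via {routing}")
        elif net.overlaps(VCN):
            findings.append(f"{name}: {net} overlaps the VCN range {VCN}")
        elif net.version != ON_PREM.version or not net.subnet_of(ON_PREM):
            findings.append(f"{name}: {net} is outside the on-premises range {ON_PREM}")
    return findings

# Constructed connection: one static tunnel, one BGP tunnel (mixing is allowed).
TUNNELS = [
    {"name": "tunnel-1", "routing": "STATIC", "routes": ["10.0.0.0/16"]},
    {"name": "tunnel-2", "routing": "BGP",
     "routes": ["10.0.1.0/24", "172.16.5.0/24", "0.0.0.0/0", "192.168.0.0/24"]},
]

if __name__ == "__main__":
    for t in TUNNELS:
        for line in audit_tunnel(t) or [f"{t['name']}: ok"]:
            print(line)
```

Run against the sample, the static tunnel passes and the BGP tunnel is flagged for a prefix that overlaps the VCN, a default route, and a prefix outside the on-premises range.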
So, this is the high-level overview of the Border Gateway Protocol (BGP).