This post covers the Q/As & Review from Day 3 of the Oracle Cloud Infrastructure Architect Training Program, covering Networking (VCN, Subnets, Gateways, Route Tables, Security Lists).
For Q/As & Review from Day 2, please check Here.
The image below will help you understand what to learn or look for when preparing for the Oracle Cloud Infrastructure Architect certification.
Note: In our Oracle Cloud Infrastructure Architect Training Program, Load Balancer and DNS are separate modules which we will cover in the upcoming sessions.
In this session, we covered Module 3: Networking, which includes the following lessons:
[Q/A] VCN & Subnet
We started this Module with Virtual Cloud Network (VCN) & Subnet CIDR ranges. Here is a high-level overview of what we covered & the related Q/A:
Virtual Cloud Network (VCN): Software-defined version of a traditional physical network, including subnets, route tables, security lists, and gateways. A VCN covers a single, contiguous IPv4 CIDR block of your choice (between /16 and /30). It resides within a single Region but can span multiple Availability Domains (ADs).
Subnet: Each VCN is subdivided into Subnets. Each subnet has a contiguous range of IPs, described in CIDR notation, that must lie inside the VCN's CIDR. Subnet IP ranges within a VCN can't overlap. Subnets can be Regional or AD-specific and can be designated as either Public or Private.
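As an added example (not code from the training program or from Oracle), the following Python checks the three rules above before you click "Create": every subnet CIDR must sit inside the VCN CIDR, no two subnets may overlap, and the public/private decision is recorded at creation time. It also reports usable addresses per subnet, since OCI reserves the first two and the last IP of every subnet. The VCN CIDR is the one used later in this post's DRG example; the subnet names and CIDRs are constructed for illustration.

```python
import ipaddress

# Constructed layout; the VCN CIDR matches the DRG example later in this post.
VCN_CIDR = "172.16.0.0/16"
SUBNETS = [
    # (name, CIDR, public?)  public=False means "prohibit public IP on VNIC"
    ("web-public",  "172.16.0.0/24", True),
    ("app-private", "172.16.1.0/24", False),
    ("db-private",  "172.16.2.0/25", False),
]


def plan_subnets(vcn_cidr, subnets):
    """Validate a VCN/subnet layout the way OCI would reject it at creation.

    Returns {name: {"cidr", "usable_ips", "public_ip_allowed"}} or raises
    ValueError for a CIDR outside the VCN or overlapping another subnet.
    """
    vcn = ipaddress.ip_network(vcn_cidr)
    if not 16 <= vcn.prefixlen <= 30:            # OCI's allowed VCN size range
        raise ValueError(f"VCN {vcn} must be between /16 and /30")
    placed, plan = [], {}
    for name, cidr, public in subnets:
        net = ipaddress.ip_network(cidr)         # strict: host bits must be zero
        if not net.subnet_of(vcn):
            raise ValueError(f"{name}: {net} is outside VCN {vcn}")
        for other_name, other in placed:
            if net.overlaps(other):
                raise ValueError(f"{name}: {net} overlaps {other_name} ({other})")
        placed.append((name, net))
        plan[name] = {
            "cidr": str(net),
            # OCI reserves the first two and the last address of each subnet
            "usable_ips": net.num_addresses - 3,
            "public_ip_allowed": public,         # fixed once the subnet exists
        }
    return plan


if __name__ == "__main__":
    for name, info in plan_subnets(VCN_CIDR, SUBNETS).items():
        print(f"{name:12} {info['cidr']:18} usable={info['usable_ips']:4} "
              f"public_ip_allowed={info['public_ip_allowed']}")
```

Run it with a deliberately overlapping subnet (for example a second /25 carved out of `172.16.0.0/24`) and the overlap is reported before anything is created.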
Here are some of the questions related to VCN & Subnet:
Q1. Can we have multiple VCN?
Ans: Yes, you can have multiple VCNs.
Q2. Can Subnet span across ADs?
Ans: Yes. A Regional Subnet spans all ADs in the Region; an AD-specific Subnet is confined to one AD. To know more on Regional Subnets, please check Here.
Q3. How can one use private Subnets as "public"? As per RFC 1918, these Subnets are designated private Subnets, right?
Ans: In Oracle Cloud, you designate a Subnet as public or private when you create it. Instances in a public Subnet can be given a public IP in addition to their private IP; instances in a private Subnet get only private IPs, because public IPs are prohibited on their VNICs. This is separate from the RFC 1918 question: both Subnet types use private address space for their CIDRs, and "public" only means a public IP may be attached. Once you have created a Subnet of a specific type, you can't change it, and a Subnet is either public or private, never both.
Q4. Why does Oracle recommend Subnet to be over a region?
Ans: A Regional Subnet reduces the number of Subnets you need to create, as you are no longer creating one Subnet per AD.
To know more on Regional Subnets, please check Here.
Q5. Can a private VCN have a public Subnet?
Ans: A VCN is just a network (you don't define a VCN as public or private); only Subnets are defined as public or private. A VCN can have both public and private Subnets.
Q6. Is that possible to explain the Regional Subnet with an example or diagram?
Ans: Yes, here is an explanation with a diagram, but we’ll discuss this again in Compute by giving a demo.
Q7. In which case we will use regional Subnet?
Ans: Going forward, always use Regional Subnets. AD-specific Subnets are how OCI started; since Regional Subnets were introduced, they are the better choice.
Q8. Can you please give an example of why Regional Subnet is useful?
Ans: A Regional Subnet reduces the number of Subnets, as you are not creating a Subnet for each AD: one Regional Subnet covers all 3 ADs (so you create 1 Regional Subnet instead of 3 AD-specific Subnets).
To know more on Regional Subnets please, check Here.
[Q/A] Route Table
Next, we discussed Route Tables. Here is a high-level overview & some related Q/A:
A VCN uses route tables to send traffic outside the VCN (to the Internet, On-Premises, or another peered VCN).
Each Route rule specifies:
- Destination CIDR block
- Route Target for the traffic that matches that CIDR
Each Subnet uses a single route table, specified at the time of Subnet creation, and the association can be changed later. The route table is consulted only if the destination IP address is not within the VCN's CIDR block; traffic inside the VCN is delivered locally. When more than one rule matches a destination, the most specific one (longest prefix) wins, and traffic with no matching rule is dropped.
When you add any gateway (IGW, DRG, NAT, SGW), you must add a rule for it to the Route Table of each Subnet that should use that gateway. Multiple Route Tables can be created from the VCN page, each holding multiple rules, but a given Subnet uses only one of them.
We covered Route Tables on Day 3, so here are some of the questions related to Route Tables:
Q9. Is there any Default or Main Route Table concept?
Ans: Yes. Every VCN comes with a default Route Table, which is empty until you add rules.
Q10. Is the Routing Table at the VCN or the Subnet?
Ans: Route Tables belong to the VCN, which can have several of them, but a Subnet is associated with only one Route Table at any given point in time.
Q11. Is there a way we can delete the default Route Table in OCI?
Ans: A custom Route Table can be deleted as long as it is not in use by any Subnet. The VCN's default Route Table itself can't be deleted; it is removed together with the VCN.
Q12. How many maximum Route Table we can create in one VCN, is there any restriction?
Ans: Yes, there is a per-VCN limit on Route Tables, which can be seen in the image below:
[Q/A] Gateways (IGW, NGW, DRG, SGW, LPG)
Then we looked at the different networking gateways; here is an overview of the critical ones:
Internet Gateway (IGW) provides a path for network traffic between a VCN (public Subnet) and the Internet.
NAT Gateway (NGW) gives instances in a private Subnet outgoing access to the Internet without assigning a public IP to the host; connections can't be initiated from the Internet back in.
Dynamic Routing Gateway (DRG) provides private network traffic between a VCN and destinations other than the Internet, such as On-Premises networks and a VCN in another Region.
Service Gateway (SGW) lets resources in a VCN access public OCI services (for example Object Storage) without using the Internet (no IGW or NAT GW needed).
Local Peering Gateway (LPG) provides a connection between two VCNs in the same Region, so their resources can communicate using private IP addresses without routing the traffic over the Internet or through your On-Premises network.
On Day 3, we also covered Gateways (Internet Gateway, NAT Gateway, Dynamic Routing Gateway), so here are some of the questions related to Gateways:
Q13. In DRG, the destination IP will always be the same?
Ans: No, it will be the CIDR of the network that the DRG is connecting to.
Here, our VCN's CIDR block is 172.16.0.0/16 and the destination CIDR block is 10.0.0.0/16; the route target is the DRG. The DRG is attached to this VCN, which allows the connection to be routed to the destination CIDR block.
Let us assume 10.0.0.0/16 is the On-Premises CIDR block. The route rule then reads: destination CIDR 10.0.0.0/16, route target DRG.
Q14. Can we create both NGW and IGW in the same architecture?
Ans: Yes. For a Public Subnet you'll route 0.0.0.0/0 to the IGW, and for Private Subnets you'll route 0.0.0.0/0 to the NGW.
Q15. Is it that in a Public Subnet access is through the Internet Gateway, and in a Private Subnet connectivity is through the DRG? Does that mean the DRG is used only in Private Subnets?
Ans: No. The IGW is used to connect to the Internet, while the DRG is used to connect the VCN to another network such as On-Premises (or a VCN in another Region) using private IPs. Either kind of Subnet can have a DRG rule; if you want to reach the Internet, it's via the IGW.
Q16. Do we have any limits to the number of Gateways within a VCN?
Ans: Yes, there is, and the limit depends on the type of Gateway.
Q17. Do we have to install any software on our on-premise machines to access VCN through DRG?
Ans: Yes. On-Premises you need a customer-premises equipment (CPE) device that can terminate the IPSec tunnels: a router, firewall or VPN appliance, or VPN software running on a server.
[Q/A] Security List: Ingress & Egress
You should know about Security Lists, & the most confusing topic is Stateless vs Stateful. Here is an overview & some questions related to Security Lists:
Security List: A common set of firewall rules associated with a Subnet. A Security List contains 2 kinds of rules:
- Ingress: Incoming traffic
- Egress: Outgoing traffic
Security List rules are defined at the Subnet level and apply to every VNIC in that Subnet, not to an individual Compute Instance. (OCI also offers Network Security Groups, which attach rules to individual VNICs; those are outside this module.)
Q18. What is the value of stateful and stateless rules? Can you explain more about the stateless rule?
Ans: When you define a Stateful security rule, you only need to write the Ingress rule; OCI tracks the connection, so no specific Egress rule is needed for the response to go back to the client.
Whereas if you define a Stateless rule, you need to write an Ingress rule and, with that, also an Egress rule for the response to go back to the client (for a web server: egress from source port 80 to the client's ephemeral destination ports). You use stateless rules for a service that gets a lot of requests, like very busy website traffic.
Note: In such a scenario, if you use Stateful rules (whereas Stateless is recommended), the Security List has to maintain connection tracking for every flow, and this will impact performance and can hit the tracked-connection limit.
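The following Python is an added illustration of the stateful vs stateless behaviour described above; it is not OCI code and only models the semantics. A stateful ingress rule records the flow so the reply is allowed out implicitly; a stateless ingress rule does not, so the reply is dropped unless a matching egress rule exists. The addresses are constructed (203.0.113.10 is a documentation-range client, 172.16.1.5 an instance in the VCN).

```python
import ipaddress
from dataclasses import dataclass, field

CLIENT, SERVER = "203.0.113.10", "172.16.1.5"   # constructed endpoints


@dataclass
class Rule:
    direction: str                  # "ingress" or "egress"
    cidr: str                       # source CIDR (ingress) or destination CIDR (egress)
    src_ports: tuple = (1, 65535)   # inclusive source port range
    dst_ports: tuple = (1, 65535)   # inclusive destination port range
    stateless: bool = False

    def matches(self, peer_ip, sport, dport):
        return (ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)
                and self.src_ports[0] <= sport <= self.src_ports[1]
                and self.dst_ports[0] <= dport <= self.dst_ports[1])


@dataclass
class SecurityList:
    rules: list
    tracked: set = field(default_factory=set)   # replies permitted by stateful rules

    def ingress(self, src_ip, sport, dst_ip, dport):
        """Packet arriving at an instance in the subnet."""
        if ("in", src_ip, sport, dst_ip, dport) in self.tracked:
            return True                          # reply to a tracked outbound flow
        for r in self.rules:
            if r.direction == "ingress" and r.matches(src_ip, sport, dport):
                if not r.stateless:              # remember the flow so the reply can leave
                    self.tracked.add(("out", dst_ip, dport, src_ip, sport))
                return True
        return False

    def egress(self, src_ip, sport, dst_ip, dport):
        """Packet leaving an instance in the subnet."""
        if ("out", src_ip, sport, dst_ip, dport) in self.tracked:
            return True                          # reply to a tracked inbound flow
        for r in self.rules:
            if r.direction == "egress" and r.matches(dst_ip, sport, dport):
                if not r.stateless:
                    self.tracked.add(("in", dst_ip, dport, src_ip, sport))
                return True
        return False


def web_request(sl):
    """Client -> server:80, then the server's reply. Returns (request_ok, reply_ok)."""
    req = sl.ingress(CLIENT, 51000, SERVER, 80)
    reply = sl.egress(SERVER, 80, CLIENT, 51000)
    return req, reply


def stateful_web():
    return web_request(SecurityList([
        Rule("ingress", "0.0.0.0/0", dst_ports=(80, 80)),
    ]))


def stateless_web_missing_egress():
    return web_request(SecurityList([
        Rule("ingress", "0.0.0.0/0", dst_ports=(80, 80), stateless=True),
    ]))


def stateless_web_with_egress():
    return web_request(SecurityList([
        Rule("ingress", "0.0.0.0/0", dst_ports=(80, 80), stateless=True),
        # reply path: from port 80 back to the client's ephemeral port
        Rule("egress", "0.0.0.0/0", src_ports=(80, 80), dst_ports=(1024, 65535),
             stateless=True),
    ]))


if __name__ == "__main__":
    print("stateful            ", stateful_web())
    print("stateless, no egress", stateless_web_missing_egress())
    print("stateless + egress  ", stateless_web_with_egress())
```

The middle case is the one that bites in practice: the HTTP request reaches the instance, so the ingress rule looks fine, but the response never leaves because nothing in the egress direction covers port 80 to the ephemeral range.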
[Q/A] VPNConnect & FastConnect
There are 3 ways to connect your On-Premises network to a VCN in the Cloud.
- Public Internet: Resources in a public Subnet are given public IPs and are reached over the Internet through the Internet Gateway.
- VPN Connect: An IPSec VPN over the Internet between your on-premises network and your Virtual Cloud Network (VCN). Traffic inside the tunnels is addressed with private IPs on both sides.
- FastConnect: Provides higher-bandwidth options and a more reliable, consistent networking experience compared to Internet-based connections.
VPN Connect uses IPSec, which stands for Internet Protocol Security (IP Security). IPSec is a protocol suite that authenticates and encrypts IP traffic before the packets leave the source, so the On-Premises-to-VCN path over the public Internet carries only encrypted packets.
FastConnect connects an existing network to a VCN over a private physical network instead of the Internet. There are two ways to connect with FastConnect:
➢ Colocation: By Co-locating with Oracle in a FastConnect Locations.
➢ Provider: By Connecting to a FastConnect Provider.
Note: We will cover IPSec and FastConnect in the advanced Networking Module, i.e. Module 9.
Here is a related Q/A:
Q19. What is the difference between IPSec VPN and Fast Connect?
Ans: Both are ways to connect On-Premises to the Cloud. An IPSec VPN establishes an encrypted network connection over the Internet between your network or data center and your Oracle Cloud Infrastructure Virtual Cloud Network (VCN). It's a suitable solution if you have low or modest bandwidth requirements and can tolerate the inherent variability of Internet-based connections. FastConnect bypasses the Internet: it uses dedicated, private network connections between your network or data center and your VCN.
- [Q/A] Oracle Cloud Infrastructure Architect Training Program Day 1 Review: Region, AD & FD, OCI Services
- [Q/A] Oracle Cloud Infrastructure Architect Training Program Day 2 Review: IAM (Compartments, Policies, Users, Group
- Oracle Cloud Infrastructure (OCI) Architect Live Training Program.
- Oracle Cloud Infrastructure Architect: Step-By-Step Activity Guides
Next Task For You
- Download the Step-By-Step Activity Guide to Register for an Oracle Cloud Trial Account.
- Create VCN and Subnets in Oracle Cloud, to know more about VCN Subnets, please check Here.
Begin your journey towards becoming an Oracle Cloud Architect by Joining the FREE Masterclass on How To Become Oracle Cloud Architect in 8 Weeks.