Peering OCI VCNs in the Same Tenancy Region Using Dynamic Routing Gateway

There are two options to peer Oracle Cloud Infrastructure (OCI) VCNs in the same region.

  1. Use a local peering gateway (LPG). The steps are demonstrated in the blog post Peering using LPG.
  2. Use a dynamic routing gateway (DRG).

In this blog, we will demonstrate the steps to peer two VCNs in the same region using a DRG in the same tenancy.

Peering two VCNs in the same region through a DRG gives you more flexibility in your routing and simplified management but comes at the cost of a microsecond increase in latency due to routing traffic through a virtual router.

At a high level, the networking service components required for this scenario include:

  • Two VCNs with non-overlapping CIDRs, in the same region
  • A single dynamic routing gateway (DRG) attached to each peer VCN
  • Supporting route rules to enable traffic to flow over the connection between private subnets in the respective VCNs
  • Supporting security rules to control the types of traffic allowed to and from the instances in the private subnets

The environment used in this post:

                       VCN1                       VCN2
VCN Name               TOR-VCN1                   TOR-VCN2
Private Subnet CIDR    172.10.0.64/26             172.20.0.64/26
DRG                    TOR-DRG (one DRG attached to both VCNs)
Compute Instance       VCN1-VM (172.10.0.124)     VCN2-VM (172.20.0.124)


Prerequisites:

  • An Oracle Cloud free trial or paid account
  • Two OCI VCNs in the same tenancy and region, each with a private subnet, security list, and route table
  • One OCI compute instance in the first VCN’s private subnet, with the RSA private key generated when the instance was created (used for SSH in Step 5)
  • One OCI compute instance in the second VCN’s private subnet, with the RSA private key generated when the instance was created (used for SSH in Step 5)

Step #1: Create a DRG

1. Open the navigation menu and click Networking. Under Customer connectivity, click Dynamic Routing Gateway.

2. Click the “Create Dynamic Routing Gateway” button.

3. On the “Create dynamic routing gateway” page, enter the DRG name and select the compartment in which to create the DRG.

Step #2: Attach DRG to VCNs

1. Attach DRG to TOR-VCN1

  • Go to the TOR-DRG detail page and click the “VCN attachments” tab
  • Click the “Create virtual cloud network attachment” button

  • On the “Create VCN attachment” page, enter the attachment name (TOR-DR-VCN1), select VCN1 (TOR-VCN1), and click the “Create VCN attachment” button

2. Attach DRG to TOR-VCN2, repeating the steps used above for TOR-VCN1.

Step #3: Configure the route table in each VCN to send traffic for the peer subnet to the DRG attachment

1. Configure the route table in TOR-VCN1 to send traffic destined for TOR-VCN2’s private subnet CIDR to the DRG attachment

  • Go to the TOR-VCN1 detail page and click the “Route Tables” tab
  • In the list of route tables, click “route table for private subnet-TOR-VCN1”

  • On the route table page, click the “Add Route Rules” button and enter the route rule information below

Target Type                Destination Type    Destination CIDR Block
Dynamic Routing Gateway    CIDR Block          172.20.0.64/26 (VCN2 private subnet CIDR)


2. Configure the route table in TOR-VCN2 to send traffic destined for TOR-VCN1’s private subnet CIDR to the DRG attachment

  • Repeat the steps used above for TOR-VCN1’s private subnet route table, with the rule information below

Target Type                Destination Type    Destination CIDR Block
Dynamic Routing Gateway    CIDR Block          172.10.0.64/26 (VCN1 private subnet CIDR)


Step #4: Add security list ingress rules to allow traffic between the VCNs’ private subnets through the DRG

1. Add an ingress rule to the “security list for private subnet-TOR-VCN1” of the first VCN (TOR-VCN1) to allow traffic from the VCN2 private subnet into the VCN1 private subnet

  • Go to the TOR-VCN1 detail page and click the “Security Lists” tab, then click “security list for private subnet-TOR-VCN1”
  • On the security list page, click the “Add Ingress Rules” button and enter the ingress rule information below

Source Type    Source CIDR                                  IP Protocol
CIDR           172.20.0.64/26 (VCN2 private subnet CIDR)    All Protocols


2. Add an ingress rule to the “security list for private subnet-TOR-VCN2” of the second VCN (TOR-VCN2) to allow traffic from the VCN1 private subnet into the VCN2 private subnet

  • Repeat the steps used above for VCN1, but with the ingress rule below

Source Type    Source CIDR                                  IP Protocol
CIDR           172.10.0.64/26 (VCN1 private subnet CIDR)    All Protocols
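Steps 1 to 4 above can also be expressed as a small plan that you check before applying it. The Python script below is an added example, not code from the original post or from Oracle. It verifies that the two private subnet CIDRs from the summary table do not overlap, confirms that each VM address belongs to its subnet, and emits the route-rule and ingress-rule JSON in the shape that the OCI CLI accepts through "oci network route-table update --route-rules" and "oci network security-list update --ingress-security-rules". The DRG OCID is a placeholder. The ssh_only option is the example's own addition rather than something the post does: it narrows the ingress rule from All Protocols to TCP port 22, which is all the SSH test in Step 5 needs, and audit_ingress reports any rule that is still open to every protocol.

```python
"""Plan and sanity-check DRG peering rules for two same-region OCI VCNs.

Added example, not code from the original post or from Oracle. It builds the
JSON route rules and ingress rules that the OCI CLI accepts via
  oci network route-table update --rt-id <rt-ocid> --route-rules file://rules.json
  oci network security-list update --security-list-id <sl-ocid> \
      --ingress-security-rules file://ingress.json
Values come from the post's summary table; the DRG OCID is a placeholder.
"""
import ipaddress
import json

VCN1_CIDR = "172.10.0.64/26"   # TOR-VCN1 private subnet (from the post)
VCN2_CIDR = "172.20.0.64/26"   # TOR-VCN2 private subnet (from the post)
VCN1_VM = "172.10.0.124"       # VCN1-VM (from the post)
VCN2_VM = "172.20.0.124"       # VCN2-VM (from the post)
DRG_OCID = "ocid1.drg.oc1..PLACEHOLDER"  # placeholder, substitute the real TOR-DRG OCID


def check_no_overlap(cidr_a, cidr_b):
    """True when the two subnet CIDRs do not overlap (a peering prerequisite)."""
    a = ipaddress.ip_network(cidr_a, strict=True)
    b = ipaddress.ip_network(cidr_b, strict=True)
    return not a.overlaps(b)


def host_in_subnet(ip, cidr):
    """True when the VM address belongs to the subnet whose CIDR we route and allow."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=True)


def route_rule(peer_cidr, drg_ocid):
    """Step 3: send traffic for the peer subnet to the DRG (target type DRG)."""
    return {
        "destination": peer_cidr,
        "destinationType": "CIDR_BLOCK",
        "networkEntityId": drg_ocid,
        "description": f"peer subnet {peer_cidr} via DRG",
    }


def ingress_rule(peer_cidr, protocol="all", tcp_port=None):
    """Step 4: stateful ingress from the peer subnet.

    protocol "all" reproduces the post's rule; protocol "6" (TCP) with
    tcp_port narrows it to a single port, e.g. 22 for the SSH test.
    """
    rule = {
        "source": peer_cidr,
        "sourceType": "CIDR_BLOCK",
        "protocol": protocol,
        "isStateless": False,
    }
    if protocol == "6" and tcp_port is not None:
        rule["tcpOptions"] = {"destinationPortRange": {"min": tcp_port, "max": tcp_port}}
    return rule


def audit_ingress(rules):
    """Findings for ingress rules that admit every protocol from a source CIDR."""
    return [f"{r['source']} -> all protocols" for r in rules if r["protocol"] == "all"]


def build_plan(vcn1_cidr, vcn2_cidr, drg_ocid, ssh_only=False):
    """Return per-VCN route and ingress rules, mirrored in both directions."""
    if not check_no_overlap(vcn1_cidr, vcn2_cidr):
        raise ValueError("VCN CIDRs overlap; peering needs non-overlapping address space")
    opts = {"protocol": "6", "tcp_port": 22} if ssh_only else {}
    return {
        "VCN1": {  # route table and security list of the TOR-VCN1 private subnet
            "route_rules": [route_rule(vcn2_cidr, drg_ocid)],
            "ingress_rules": [ingress_rule(vcn2_cidr, **opts)],
        },
        "VCN2": {  # route table and security list of the TOR-VCN2 private subnet
            "route_rules": [route_rule(vcn1_cidr, drg_ocid)],
            "ingress_rules": [ingress_rule(vcn1_cidr, **opts)],
        },
    }


if __name__ == "__main__":
    assert host_in_subnet(VCN1_VM, VCN1_CIDR) and host_in_subnet(VCN2_VM, VCN2_CIDR)
    plan = build_plan(VCN1_CIDR, VCN2_CIDR, DRG_OCID)
    print(json.dumps(plan, indent=2))
    for vcn, cfg in plan.items():
        for finding in audit_ingress(cfg["ingress_rules"]):
            print(f"[{vcn}] broad ingress rule: {finding}")
```

Running the script prints the plan for both VCNs and, with the post's All Protocols rule, one "broad ingress rule" finding per VCN. Save each list to a file and pass it with file:// to the CLI commands named in the docstring, after substituting the real route table, security list and DRG OCIDs; passing ssh_only=True to build_plan gives the narrower TCP/22 variant.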

 

Step #5: Test SSH connection between VMs

1. Connect to VCN1-VM, then ssh to VCN2-VM

  • SSH to opc@VCN1-VM from the OCI Cloud Shell, using the RSA private key generated when VCN1-VM was created

  • From VCN1-VM, SSH to opc@VCN2-VM using the RSA private key generated when VCN2-VM was created

2. Connect to VCN2-VM, then ssh to VCN1-VM, repeating the same steps in the reverse direction

Thanks for reading!
