Monday, September 18, 2023

Peering OCI VCNs in different regions using Dynamic Routing Gateway

 

In this blog, we will demonstrate the steps to peer two VCNs in different regions through a DRG in the same tenancy. This is called a remote VCN peering.

The peering allows the VCNs' resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network.

A remote peering connection (RPC) is a component you create on the DRG attached to your VCN. The RPC's job is to act as a connection point for a remotely peered VCN. A given DRG must have a separate RPC for each remote peering it establishes for the VCN.

At a high level, the networking service components required for this scenario include:

  • Two VCNs with non-overlapping CIDRs, in different regions but same tenancy.
  • Two dynamic routing gateways (DRG) attached to each peer VCN in the peering relationship.
  • A remote peering connection (RPC) on each DRG in the peering relationship, and a connection between those two RPCs.
  • Supporting route rules to enable traffic to flow over the connection between private subnets in the respective VCNs.
  • Supporting security rules to control the types of traffic allowed to and from the instances in the private subnets.

 

                       VCN1                      VCN2
Region                 Toronto (ca-toronto-1)    Ashburn (us-ashburn-1)
VCN Name               TOR-VCN                   ASH-VCN
Private Subnet CIDR    10.0.1.0/24               172.0.1.0/24
DRG                    TOR-DRG                   ASH-DRG
RPC                    TOR-RPC                   ASH-RPC
Compute Instance       TOR-VM (10.0.1.129)       ASH-VM (172.0.1.132)

- Prerequisites:

  • An Oracle Cloud free trial or paid account.
  • A VCN in Toronto region with private subnet, security list, and route table.
  • A VCN in Ashburn region with private subnet, security list, and route table.
  • Two dynamic routing gateways (DRG) attached to each peer VCN in the peering relationship.
  • One OCI compute instance located in the first VCN’s private subnet with API RSA private key.
  • One OCI compute instance located in the second VCN’s private subnet with API RSA private key.

Step #1: Attach DRG to VCNs

1. Attach TOR-DRG to TOR-VCN.
    - Go to TOR-DRG detail page and click on "VCN attachments" tab.
    - Click "Create virtual cloud network attachment" button.
    - In "Create VCN attachment" page, enter attachment name (TOR-DRG-VCN) and select VCN1 (TOR-VCN), then click "create VCN attachment" button.

2. Attach ASH-DRG to ASH-VCN.
    - Repeat the same steps done above to attach TOR-VCN.

Step #2: Create Remote Peering Connection (RPC)

1. Create Toronto region RPC (TOR-RPC).
    - Go to TOR-DRG detail page and click on "Remote peering connection attachments" tab.
    - Click "Create remote peering connection" button.
    - In "Create remote peering connection" page, enter connection name and select compartment.

2. Create Ashburn region RPC (ASH-RPC).
    - Repeat the steps done above to create Toronto region RPC.


Step #3: Establish RPC connection

1. Establish connection from Toronto region to Ashburn region through TOR-RPC connection.
    - Go to TOR-DRG detail page and click on "Remote peering connection attachments" tab.
    - View the details of TOR-RPC by clicking the name of TOR-RPC connection in the "Remote Peering Connection" column.
    - In the connection details page, click "Establish connection" button, enter connection name and select compartment.
    - In "Establish connection" page, select "us-ashburn-1" region and enter the OCID of Ashburn RPC (ASH-RPC), the remote peering RPC. When the connection is established, the RPC's state changes to PEERED.
    - The peering state of ASH-RPC changes to PEERED as well.

Step #4: Configure route table in VCNs to send traffic destined to DRG attachment

1. Configure route table in TOR-VCN to send traffic to ASH-VCN private subnet CIDR.
    - Go to TOR-VCN detail page and click on "Route Tables" tab.
    - Under the list of route tables, click on "route table for private subnet-TOR-VCN".
    - In route table page, click "Add Route Rules" button and enter below route rule information.

      Target Type               Destination Type   Destination CIDR Block
      Dynamic Routing Gateway   CIDR Block         172.0.1.64/24 (VCN2-private subnet CIDR)

2. Configure route table in ASH-VCN to send traffic to TOR-VCN's private subnet CIDR.
    - Repeat the same steps done above to configure route table for TOR-VCN's private subnet, using the rule information below.

      Target Type               Destination Type   Destination CIDR Block
      Dynamic Routing Gateway   CIDR Block         10.0.1.0/24 (VCN1-private subnet CIDR)

Step #5: Add security Ingress rule to allow traffic between VCNs' private subnets through DRG

1. Add Ingress rule to "security list for private subnet-TOR-VCN" of the first VCN (TOR-VCN) to allow traffic coming from VCN2-private subnet to VCN1-private subnet.
    - Go to TOR-VCN detail page and click on "security list" tab, then click on "security list for private subnet-TOR-VCN".
    - In security list page, click "Add Ingress Rules" button and enter below Ingress rule information.

      Source Type   Source CIDR                                IP Protocol
      CIDR          172.0.1.0/24 (VCN2-private subnet CIDR)    All Protocols

2. Add Ingress rule to "security list for private subnet-ASH-VCN" of the second VCN (ASH-VCN) to allow traffic coming from VCN1-private subnet to VCN2-private subnet.
    - Repeat the same steps done above to add Ingress rule for VCN1, but use below Ingress rule.

      Source Type   Source CIDR                                IP Protocol
      CIDR          10.0.1.64/24 (VCN1-private subnet CIDR)    All Protocols


Step #6: Test SSH connection between VMs

1. Connect to TOR-VM, then ssh to ASH-VM.
    - ssh to opc@TOR-VM using OCI cloud shell tool. Use RSA private key which was generated while creating TOR-VM.
    - Use RSA private key, which was generated while creating ASH-VM, to ssh from TOR-VM to opc@ASH-VM.

2. Connect to ASH-VM, then ssh to TOR-VM. Repeat the same steps.

Thanks for reading. Hope you like it!

Friday, September 15, 2023

Peering OCI VCNs in the same tenancy region using Dynamic Routing Gateway

 

There are two options to peer Oracle OCI VCNs in the same region.

1- Use local peering gateway (LPG). Steps are demonstrated in the blog post Peering using LPG.

2- Use dynamic routing gateway (DRG).

In this blog, we will demonstrate the steps to peer two VCNs in the same region using a DRG in the same tenancy.

Peering two VCNs in the same region through a DRG gives you more flexibility in your routing and simplified management, but comes at the cost of a microseconds-level increase in latency, since traffic is routed through a virtual router.

At a high level, the networking service components required for this scenario include:

  • Two VCNs with non-overlapping CIDRs, in the same region
  • A single dynamic routing gateway (DRG) attached to each peer VCN.
  • Supporting route rules to enable traffic to flow over the connection between private subnets in the respective VCNs.
  • Supporting security rules to control the types of traffic allowed to and from the instances in the private subnets.

 

                       VCN1                      VCN2
VCN Name               TOR-VCN1                  TOR-VCN2
Private Subnet CIDR    172.10.0.64/26            172.20.0.64/26
DRG                    TOR-DRG (a single DRG attached to both VCNs)
Compute Instance       VCN1-VM (172.10.0.124)    VCN2-VM (172.20.0.124)

- Prerequisites:

  • An Oracle Cloud free trial or paid account.
  • Two OCI VCNs in the same tenancy with private subnet, security list, and route table.
  • One OCI compute instance located in the first VCN’s private subnet with API RSA private key.
  • One OCI compute instance located in the second VCN’s private subnet with API RSA private key.

Step #1: Create a DRG

1. Open the navigation menu and click Networking. Under Customer connectivity, click Dynamic routing gateway.

2. Click "Create Dynamic Routing Gateway" button.

3. In "Create dynamic routing gateway" page, enter DRG name and the compartment where you want to create DRG.

Step #2: Attach DRG to VCNs

1. Attach DRG to TOR-VCN1.
    - Go to TOR-DRG detail page and click on "VCN attachments" tab.
    - Click "Create virtual cloud network attachment" button.
    - In "Create VCN attachment" page, enter attachment name (TOR-DR-VCN1) and select VCN1 (TOR-VCN1), then click "create VCN attachment" button.

2. Attach DRG to TOR-VCN2. Repeat the same steps done above to attach TOR-VCN1.

Step #3: Configure route table in VCNs to send traffic destined to DRG attachment

1. Configure route table in TOR-VCN1 to send traffic to TOR-VCN2's private subnet CIDR.
    - Go to TOR-VCN1 detail page and click on "Route Tables" tab.
    - Under the list of route tables, click on "route table for private subnet-TOR-VCN1".
    - In route table page, click "Add Route Rules" button and enter below route rule information.

      Target Type               Destination Type   Destination CIDR Block
      Dynamic Routing Gateway   CIDR Block         172.20.0.64/26 (VCN2-private subnet CIDR)

2. Configure route table in TOR-VCN2 to send traffic to TOR-VCN1's private subnet CIDR.
    - Repeat the same steps done above to configure route table for TOR-VCN1's private subnet, using the rule information below.

      Target Type               Destination Type   Destination CIDR Block
      Dynamic Routing Gateway   CIDR Block         172.10.0.64/26 (VCN1-private subnet CIDR)

Step #4: Add security Ingress rule to allow traffic between VCNs' private subnets through DRG

1. Add Ingress rule to "security list for private subnet-TOR-VCN1" of the first VCN (TOR-VCN1) to allow traffic coming from VCN2-private subnet to VCN1-private subnet.
    - Go to TOR-VCN1 detail page and click on "security list" tab, then click on "security list for private subnet-TOR-VCN1".
    - In security list page, click "Add Ingress Rules" button and enter below Ingress rule information.

      Source Type   Source CIDR                                 IP Protocol
      CIDR          172.20.0.64/26 (VCN2-private subnet CIDR)   All Protocols

2. Add Ingress rule to "security list for private subnet-TOR-VCN2" of the second VCN (TOR-VCN2) to allow traffic coming from VCN1-private subnet to VCN2-private subnet.
    - Repeat the same steps done above to add Ingress rule for VCN1, but use below Ingress rule.

      Source Type   Source CIDR                                 IP Protocol
      CIDR          172.10.0.64/26 (VCN1-private subnet CIDR)   All Protocols


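The route rules and ingress rules of Step 3 and Step 4 above (and of Steps 4 and 5 in the remote peering post), as an added Python example that is not from the original posts: it checks the two preconditions both posts state (canonical, non-overlapping private subnet CIDRs) and builds the mirrored route rule and stateful ingress rule for each VCN using the field names of the OCI REST API's RouteRule and IngressSecurityRule objects. The DRG OCIDs are placeholders, and the TCP/22-only option is this example's tightening of the posts' "All Protocols" rule, not a step from the posts.

```python
import ipaddress
import json

# Constructed from the two posts' tables; the DRG OCIDs are placeholders, not real values.
TOR_VCN = {"name": "TOR-VCN", "subnet": "10.0.1.0/24", "drg": "ocid1.drg.oc1.ca-toronto-1.PLACEHOLDER"}
ASH_VCN = {"name": "ASH-VCN", "subnet": "172.0.1.0/24", "drg": "ocid1.drg.oc1.iad.PLACEHOLDER"}
SAME_DRG = "ocid1.drg.oc1.ca-toronto-1.PLACEHOLDER"  # same-region case: one DRG for both VCNs
TOR_VCN1 = {"name": "TOR-VCN1", "subnet": "172.10.0.64/26", "drg": SAME_DRG}
TOR_VCN2 = {"name": "TOR-VCN2", "subnet": "172.20.0.64/26", "drg": SAME_DRG}

def is_canonical(cidr):
    """True only when no host bits are set: 172.0.1.0/24 passes, 172.0.1.64/24 does not."""
    return str(ipaddress.ip_network(cidr, strict=False)) == cidr

def check_peering(a, b):
    """Enforce the posts' preconditions: canonical, non-overlapping private subnet CIDRs."""
    for vcn in (a, b):
        if not is_canonical(vcn["subnet"]):
            raise ValueError(f"{vcn['name']}: {vcn['subnet']} has host bits set")
    na, nb = ipaddress.ip_network(a["subnet"]), ipaddress.ip_network(b["subnet"])
    if na.overlaps(nb):
        raise ValueError(f"{na} and {nb} overlap; the DRG cannot route between them")

def route_rule(local, peer):
    """Route rule for local's private-subnet route table: peer subnet -> local's DRG."""
    return {"destinationType": "CIDR_BLOCK", "destination": peer["subnet"],
            "networkEntityId": local["drg"], "description": f"to {peer['name']} via DRG"}

def ingress_rule(peer, ssh_only=True):
    """Stateful ingress rule from the peer subnet. ssh_only narrows the posts'
    'All Protocols' rule to TCP/22, which is all the SSH test step needs."""
    rule = {"sourceType": "CIDR_BLOCK", "source": peer["subnet"], "isStateless": False,
            "protocol": "6" if ssh_only else "all", "description": f"from {peer['name']}"}
    if ssh_only:
        rule["tcpOptions"] = {"destinationPortRange": {"min": 22, "max": 22}}
    return rule

def build_plan(a, b, ssh_only=True):
    """Mirrored route and ingress rules so each private subnet can reach the other."""
    check_peering(a, b)
    return {a["name"]: {"route_rules": [route_rule(a, b)], "ingress_rules": [ingress_rule(b, ssh_only)]},
            b["name"]: {"route_rules": [route_rule(b, a)], "ingress_rules": [ingress_rule(a, ssh_only)]}}

if __name__ == "__main__":
    print(json.dumps(build_plan(TOR_VCN, ASH_VCN), indent=2))    # remote (cross-region) peering
    print(json.dumps(build_plan(TOR_VCN1, TOR_VCN2), indent=2))  # same-region peering, one DRG
```

The canonical-CIDR check rejects entries such as 172.0.1.64/24 that do not match the subnet's declared network address, so a rule typed from the wrong table row is caught before it reaches the console.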

Step #5: Test SSH connection between VMs

1. Connect to VCN1-VM, then ssh to VCN2-VM.
    - ssh to opc@VCN1-VM using OCI cloud shell tool. Use RSA private key which was generated while creating VCN1-VM.
    - Use RSA private key, which was generated while creating VCN2-VM, to ssh from VCN1-VM to opc@VCN2-VM.

2. Connect to VCN2-VM, then ssh to VCN1-VM. Repeat the same steps.

Thanks for reading. Hope you like it!

