Monday, September 18, 2023

Peering OCI VCNs in different regions using Dynamic Routing Gateway

 

In this blog, we will demonstrate the steps to peer two VCNs in different regions, in the same tenancy, through their DRGs. This is called remote VCN peering.

The peering allows the VCNs' resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network.

A remote peering connection (RPC) is a component you create on the DRG attached to your VCN. The RPC's job is to act as the connection point for a remotely peered VCN. A given DRG must have a separate RPC for each remote peering it establishes for the VCN.

At a high level, the networking service components required for this scenario include:

  • Two VCNs with non-overlapping CIDRs, in different regions but in the same tenancy.
  • A dynamic routing gateway (DRG) attached to each peer VCN in the peering relationship.
  • A remote peering connection (RPC) on each DRG in the peering relationship, and a connection between those two RPCs.
  • Supporting route rules to enable traffic to flow over the connection between the private subnets in the respective VCNs.
  • Supporting security rules to control the types of traffic allowed to and from the instances in the private subnets.

 

Component            VCN1                     VCN2
Region               Toronto (ca-toronto-1)   Ashburn (us-ashburn-1)
VCN Name             TOR-VCN                  ASH-VCN
Private Subnet CIDR  10.0.1.0/24              172.0.1.0/24
DRG                  TOR-DRG                  ASH-DRG
RPC                  TOR-RPC                  ASH-RPC
Compute Instance     TOR-VM (10.0.1.129)      ASH-VM (172.0.1.132)

- Prerequisites:

  • An Oracle Cloud free trial or paid account.
  • A VCN in the Toronto region with a private subnet, security list, and route table.
  • A VCN in the Ashburn region with a private subnet, security list, and route table.
  • Two dynamic routing gateways (DRG), one attached to each peer VCN in the peering relationship.
  • One OCI compute instance located in the first VCN's private subnet, with its API RSA private key.
  • One OCI compute instance located in the second VCN's private subnet, with its API RSA private key.

Step #1: Attach DRG to VCNs

1. Attach TOR-DRG to TOR-VCN.
    - Go to TOR-DRG detail page and click on "VCN attachments" tab.
    - Click "Create virtual cloud network attachment" button.

 
    - In the "Create VCN attachment" page, enter the attachment name (TOR-DRG-VCN), select VCN1 (TOR-VCN), then click the "Create VCN attachment" button.

2. Attach ASH-DRG to ASH-VCN.
    - Repeat the same steps as above, as done for TOR-VCN.

Step #2: Create Remote Peering Connection (RPC)

1. Create Toronto region RPC (TOR-RPC).

    - Go to TOR-DRG detail page and click on "Remote peering connection attachments" tab.
    - Click "Create remote peering connection" button.
    - In "Create remote peering connection" page, enter connection name and select compartment.

2. Create Ashburn region RPC (ASH-RPC).
    - Repeat the steps done above to create Toronto region RPC.
 

Step #3: Establish RPC connection

1. Establish connection from Toronto region to Ashburn region through TOR-RPC connection.
    - Go to TOR-DRG detail page and click on "Remote peering connection attachments" tab.
    - View the details of TOR-RPC by clicking the name of TOR-RPC connection in the "Remote Peering Connection" column. 

    - In the connection details page, click the "Establish connection" button.
    - In the "Establish connection" page, select the "us-ashburn-1" region and enter the OCID of the Ashburn RPC (ASH-RPC), i.e. the remote peer RPC. When the connection is established, the RPC's peering state changes to PEERED.

    - Correspondingly, the peering state of ASH-RPC changes to PEERED as well.

Step #4: Configure the route table in each VCN to send traffic destined for the peer VCN to the DRG attachment

1. Configure route table in TOR-VCN to send traffic to ASH-VCN private subnet CIDR.
    - Go to TOR-VCN detail page and click on "Route Tables" tab.
    - Under the list of route tables, click on "route table for private subnet-TOR-VCN".

    - In the route table page, click the "Add Route Rules" button and enter the route rule information below.

Target Type              Destination Type   Destination CIDR Block
Dynamic Routing Gateway  CIDR Block         172.0.1.0/24 (VCN2 private subnet CIDR)

2. Configure the route table in ASH-VCN to send traffic to TOR-VCN's private subnet CIDR.
    - Repeat the same steps as above for TOR-VCN's private subnet route table, using the rule information below.

Target Type              Destination Type   Destination CIDR Block
Dynamic Routing Gateway  CIDR Block         10.0.1.0/24 (VCN1 private subnet CIDR)

Step #5: Add security list ingress rules to allow traffic between the VCNs' private subnets through the DRG

1. Add Ingress rule to "security list for private subnet-TOR-VCN" of the first VCN (TOR-VCN) to allow traffic coming from VCN2-private subnet to VCN1-private subnet.
    - Go to TOR-VCN detail page and click on "security list" tab, then click on "security list for private subnet-TOR-VCN".

    - In the security list page, click the "Add Ingress Rules" button and enter the ingress rule information below.

Source Type   Source CIDR                                IP Protocol
CIDR          172.0.1.0/24 (VCN2 private subnet CIDR)    All Protocols


2. Add an ingress rule to "security list for private subnet-ASH-VCN" of the second VCN (ASH-VCN) to allow traffic coming from the VCN1 private subnet to the VCN2 private subnet.
    - Repeat the same steps as above for the VCN1 ingress rule, but use the ingress rule below.

Source Type   Source CIDR                                IP Protocol
CIDR          10.0.1.0/24 (VCN1 private subnet CIDR)     All Protocols

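A pre-flight check for the values typed into the route tables (Step #4) and security lists (Step #5), plus the non-overlapping-CIDR prerequisite, added here as an example; it is not code from this post or from any OCI tool. The VCN names, rule tuples and finding messages are constructed, and one constructed route rule deliberately has host bits set (172.0.1.64/24) to show that check firing. The "All Protocols" finding is the caveat a reviewer would raise: once the SSH test passes, narrow the ingress rule to the ports the workload actually needs.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed values mirroring this post's tables, not data exported from a tenancy.
VCN1_CIDR = "10.0.1.0/24"    # TOR-VCN private subnet
VCN2_CIDR = "172.0.1.0/24"   # ASH-VCN private subnet
# Route rules per VCN as (destination CIDR, target type); the first has host bits set (.64/24) on purpose.
ROUTE_RULES: Dict[str, List[Tuple[str, str]]] = {
    "TOR-VCN": [("172.0.1.64/24", "Dynamic Routing Gateway")],
    "ASH-VCN": [("10.0.1.0/24", "Dynamic Routing Gateway")],
}
# Ingress rules per VCN as (source CIDR, IP protocol), as typed into the security lists.
INGRESS_RULES: Dict[str, List[Tuple[str, str]]] = {
    "TOR-VCN": [("172.0.1.0/24", "All Protocols")],
    "ASH-VCN": [("10.0.1.0/24", "All Protocols")],
}

def _net(cidr: str) -> Optional[ipaddress.IPv4Network]:
    """Parse strictly: a prefix whose host bits are set (172.0.1.64/24) yields None."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return None

def check_peering_plan(vcn1: str, vcn2: str, routes: Dict, ingress: Dict) -> List[str]:
    """Return findings for a remote-peering plan; an empty list means it is consistent."""
    findings: List[str] = []
    n1, n2 = ipaddress.ip_network(vcn1), ipaddress.ip_network(vcn2)
    if n1.overlaps(n2):  # remote peering requires non-overlapping VCN CIDRs
        findings.append(f"VCN CIDRs overlap: {vcn1} and {vcn2}")
    peers = {"TOR-VCN": n2, "ASH-VCN": n1}  # the subnet each VCN must reach through its DRG
    for vcn, rules in routes.items():
        for cidr, target in rules:
            dest = _net(cidr)
            if dest is None:
                findings.append(f"{vcn}: route destination {cidr} is not a valid network CIDR")
            elif dest != peers[vcn]:
                findings.append(f"{vcn}: route destination {cidr} is not the peer subnet {peers[vcn]}")
            if target != "Dynamic Routing Gateway":
                findings.append(f"{vcn}: route to {cidr} must target the DRG, not {target}")
    for vcn, rules in ingress.items():
        for cidr, proto in rules:
            src = _net(cidr)
            if src is None:
                findings.append(f"{vcn}: ingress source {cidr} is not a valid network CIDR")
            elif src != peers[vcn] and src.supernet_of(peers[vcn]):
                findings.append(f"{vcn}: ingress source {cidr} is wider than the peer subnet {peers[vcn]}")
            if proto == "All Protocols":
                findings.append(f"{vcn}: ingress from {cidr} allows all protocols; limit it to needed ports")
    return findings
```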

Step #6: Test SSH connection between VMs

1. Connect to TOR-VM, then SSH to ASH-VM.
    - SSH to opc@TOR-VM using the OCI Cloud Shell tool, with the RSA private key that was generated while creating TOR-VM.

    - Use the RSA private key that was generated while creating ASH-VM to SSH from TOR-VM to opc@ASH-VM.

2. Connect to ASH-VM, then SSH to TOR-VM, repeating the same steps in the other direction.

Thanks for reading. Hope you like it!
