Monday, September 18, 2023

Peering OCI VCNs in different regions using Dynamic Routing Gateway

 

In this blog, we will demonstrate the steps to peer two VCNs in different regions through a DRG in the same tenancy. This is called a remote VCN peering.

The peering allows the VCNs' resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network.

A remote peering connection (RPC) is a component you create on the DRG attached to your VCN. It acts as the connection point for a remotely peered VCN; a DRG needs a separate RPC for each remote peering it establishes.

At a high level, the networking service components required for this scenario are:

  • Two VCNs with non-overlapping CIDRs, in different regions but in the same tenancy.
  • Two dynamic routing gateways (DRGs), one attached to each VCN in the peering relationship.
  • A remote peering connection (RPC) on each DRG, and a connection established between those two RPCs.
  • Route rules in each VCN that send traffic for the peer's private subnet to the local DRG.
  • Security rules in each private subnet that control which traffic is allowed to and from the instances.

 

                      VCN1                     VCN2
Region                Toronto (ca-toronto-1)   Ashburn (us-ashburn-1)
VCN Name              TOR-VCN                  ASH-VCN
Private Subnet CIDR   10.0.1.0/24              172.0.1.0/24
DRG                   TOR-DRG                  ASH-DRG
RPC                   TOR-RPC                  ASH-RPC
Compute Instance      TOR-VM (10.0.1.129)      ASH-VM (172.0.1.132)

Note that 172.0.1.0/24 is not an RFC 1918 private block (the private range inside 172.0.0.0/8 is 172.16.0.0/12). OCI lets you use it inside a VCN, and it works for this demonstration, but a production VCN should use RFC 1918 space so that its addresses never collide with routable internet destinations.

- Prerequisites:

  • An Oracle Cloud free trial or paid account.
  • A VCN in the Toronto region with a private subnet, security list, and route table.
  • A VCN in the Ashburn region with a private subnet, security list, and route table.
  • Two dynamic routing gateways (DRGs), one created in each region, to be attached to the two VCNs.
  • One OCI compute instance in the first VCN's private subnet, and the SSH private key generated when it was created.
  • One OCI compute instance in the second VCN's private subnet, and the SSH private key generated when it was created.

Step #1: Attach DRG to VCNs

1. Attach TOR-DRG to TOR-VCN.
    - Go to TOR-DRG detail page and click on "VCN attachments" tab.
    - Click "Create virtual cloud network attachment" button.

   - In "Create VCN attachment" page, enter attachment name (TOR-DRG-VCN) and select VCN1 (TOR-VCN), then click "create VCN attachment" button.
2. Attach ASH-DRG to ASH-VCN.
    - Repeat the steps above in the Ashburn region, selecting ASH-VCN as the VCN to attach.
Step #2: Create Remote Peering Connection (RPC)

1. Create Toronto region RPC (TOR-RPC).

    - Go to TOR-DRG detail page and click on "Remote peering connection attachments" tab.
    - Click "Create remote peering connection" button.
    - In "Create remote peering connection" page, enter connection name and select compartment.
2. Create Ashburn region RPC (ASH-RPC).
    - Repeat the steps done above to create Toronto region RPC.
 

Step #3: Establish RPC connection

1. Establish connection from Toronto region to Ashburn region through TOR-RPC connection.
    - Go to TOR-DRG detail page and click on "Remote peering connection attachments" tab.
    - View the details of TOR-RPC by clicking the name of TOR-RPC connection in the "Remote Peering Connection" column. 
    - In the connection details page, click the "Establish connection" button.
    - In the "Establish connection" dialog, select the "us-ashburn-1" region and enter the OCID of the Ashburn RPC (ASH-RPC), then click "Establish connection". Copy the OCID from the ASH-RPC details page rather than typing it: the OCID is the only thing that identifies the peer. When the connection is established, TOR-RPC's peering status changes to PEERED.
    - The connection only needs to be initiated from one side: ASH-RPC's peering status changes to PEERED as well. If either side stays in a non-PEERED state, re-check the region and the OCID you entered.

Step #4: Configure each VCN's route table to send traffic for the peer subnet to the DRG

1. Configure route table in TOR-VCN to send traffic to ASH-VCN private subnet CIDR.
    - Go to TOR-VCN detail page and click on "Route Tables" tab.
    - Under the list of route tables, click on "route table for private subnet-TOR-VCN".
    - In the route table page, click "Add Route Rules" and enter the route rule below, selecting TOR-DRG as the target.

Target Type               Destination Type   Destination CIDR Block
Dynamic Routing Gateway   CIDR Block         172.0.1.0/24 (VCN2 private subnet CIDR)

2. Configure the route table in ASH-VCN to send traffic to TOR-VCN's private subnet CIDR.
    - Repeat the steps above for the private subnet route table of ASH-VCN, selecting ASH-DRG as the target and using the rule below.

Target Type               Destination Type   Destination CIDR Block
Dynamic Routing Gateway   CIDR Block         10.0.1.0/24 (VCN1 private subnet CIDR)

Step #5: Add an ingress security rule to allow traffic between the VCNs' private subnets through the DRG

1. Add Ingress rule to "security list for private subnet-TOR-VCN" of the first VCN (TOR-VCN) to allow traffic coming from VCN2-private subnet to VCN1-private subnet.
    - Go to TOR-VCN detail page and click on "security list" tab, then click on "security list for private subnet-TOR-VCN".
    - In the security list page, click "Add Ingress Rules" and enter the ingress rule below.

Source Type   Source CIDR                               IP Protocol
CIDR          172.0.1.0/24 (VCN2 private subnet CIDR)   All Protocols

"All Protocols" is the quickest way to prove the peering works, but it exposes every port on every instance in the subnet to the peer subnet. Once the test in Step #6 passes, tighten the rule to what you actually need, for example TCP port 22 for SSH and ICMP type 8 for ping. No egress rule is added here because the default security list already allows all egress; if you have restricted egress, add a matching egress rule for the peer CIDR.

2. Add an ingress rule to "security list for private subnet-ASH-VCN" of the second VCN (ASH-VCN) to allow traffic coming from the VCN1 private subnet to the VCN2 private subnet.

    Repeat the steps above for ASH-VCN, using the ingress rule below.

Source Type   Source CIDR                               IP Protocol
CIDR          10.0.1.0/24 (VCN1 private subnet CIDR)    All Protocols
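The console steps of Step #3 to Step #5, as an added example that is not part of the original post: a short Python script that performs the two checks a practitioner would want before clicking through them (that the two subnet CIDRs do not overlap and are RFC 1918 space) and then emits the equivalent OCI CLI commands and JSON payloads, with ingress restricted to SSH and ICMP echo instead of "All Protocols". The DRGs and RPCs from Steps #1 and #2 are assumed to exist already, every OCID is a constructed placeholder, and the `Vcn` class and function names are this example's own, not OCI SDK names.

```python
"""Plan and sanity-check an OCI remote VCN peering (Steps #3 to #5 of the post).

Added example, not code from the original post. It assumes the two DRGs and two
RPCs already exist and that every OCID below is replaced with the real value
from the console. It prints the `oci` CLI equivalents of the console clicks
after checking the two things that silently break or weaken a peering:
overlapping CIDRs and over-broad security rules.
"""
import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Vcn:
    name: str
    region: str
    subnet_cidr: str
    drg_id: str            # placeholder OCIDs (ocid1.drg.oc1...) in this example
    rpc_id: str
    route_table_id: str
    security_list_id: str


def check_cidrs(a: str, b: str) -> list[str]:
    """Return the problems with a pair of subnet CIDRs; an empty list means OK.
    strict=True also rejects a host address written as a network (e.g. x.y.z.64/24)."""
    na, nb = ipaddress.ip_network(a, strict=True), ipaddress.ip_network(b, strict=True)
    problems = []
    if na.overlaps(nb):
        problems.append(f"{na} overlaps {nb}: peered VCNs must not overlap")
    for n in (na, nb):
        if not n.is_private:
            problems.append(f"{n} is outside RFC 1918 (10/8, 172.16/12, 192.168/16)")
    return problems


def route_rule(peer_cidr: str, drg_id: str) -> dict:
    """One route rule in the shape `oci network route-table update --route-rules` accepts."""
    return {"destination": peer_cidr, "destinationType": "CIDR_BLOCK",
            "networkEntityId": drg_id}


def ingress_rules(peer_cidr: str, ssh: bool = True, ping: bool = True) -> list[dict]:
    """Least-privilege ingress rules for the peer subnet (SSH and ICMP echo only),
    in place of the post's "All Protocols" rule."""
    rules = []
    if ssh:
        rules.append({"protocol": "6", "source": peer_cidr, "sourceType": "CIDR_BLOCK",
                      "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}})
    if ping:
        rules.append({"protocol": "1", "source": peer_cidr, "sourceType": "CIDR_BLOCK",
                      "icmpOptions": {"type": 8}})
    return rules


def plan(local: Vcn, peer: Vcn) -> list[str]:
    """oci CLI commands for Steps #3 to #5, initiating the connection from `local`."""
    problems = check_cidrs(local.subnet_cidr, peer.subnet_cidr)
    if any("overlaps" in p for p in problems):
        raise ValueError("; ".join(problems))
    cmds = [f"# WARNING: {p}" for p in problems]
    # Step #3: connect once, from one side; the peer RPC becomes PEERED as well.
    cmds.append(f"oci --region {local.region} network remote-peering-connection connect "
                f"--remote-peering-connection-id {local.rpc_id} "
                f"--peer-id {peer.rpc_id} --peer-region-name {peer.region}")
    for me, other in ((local, peer), (peer, local)):
        # Steps #4 and #5 in each region. --route-rules and --ingress-security-rules
        # REPLACE the whole list, so in real use merge with the matching `get` output first.
        cmds.append(f"oci --region {me.region} network route-table update "
                    f"--rt-id {me.route_table_id} --force "
                    f"--route-rules '{json.dumps([route_rule(other.subnet_cidr, me.drg_id)])}'")
        cmds.append(f"oci --region {me.region} network security-list update "
                    f"--security-list-id {me.security_list_id} --force "
                    f"--ingress-security-rules '{json.dumps(ingress_rules(other.subnet_cidr))}'")
    return cmds


def is_peered(rpc_get_json: str) -> bool:
    """True when the JSON printed by `oci network remote-peering-connection get`
    reports the RPC as PEERED (the check to run after Step #3)."""
    return json.loads(rpc_get_json)["data"]["peering-status"] == "PEERED"


# The post's two VCNs; the OCIDs are constructed placeholders.
TOR = Vcn("TOR-VCN", "ca-toronto-1", "10.0.1.0/24",
          "ocid1.drg.oc1.ca-toronto-1.TORDRG",
          "ocid1.remotepeeringconnection.oc1.ca-toronto-1.TORRPC",
          "ocid1.routetable.oc1.ca-toronto-1.TORRT",
          "ocid1.securitylist.oc1.ca-toronto-1.TORSL")
ASH = Vcn("ASH-VCN", "us-ashburn-1", "172.0.1.0/24",
          "ocid1.drg.oc1.iad.ASHDRG",
          "ocid1.remotepeeringconnection.oc1.iad.ASHRPC",
          "ocid1.routetable.oc1.iad.ASHRT",
          "ocid1.securitylist.oc1.iad.ASHSL")

if __name__ == "__main__":
    for line in plan(TOR, ASH):
        print(line)
```

Run as-is, it prints the commands for the post's two VCNs, flagging 172.0.1.0/24 as non-RFC 1918 without blocking, and it refuses outright if the CIDRs overlap. Paste the commands into Cloud Shell only after merging the route and ingress lists with the rules already in the table and security list, since the update subcommands replace the whole list.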
Step #6: Test SSH connection between VMs

1. Connect to TOR-VM, then ssh to ASH-VM.
    - From OCI Cloud Shell, ssh to opc@10.0.1.129 (TOR-VM) with the SSH private key generated when TOR-VM was created.
    - Use the SSH private key generated when ASH-VM was created to ssh from TOR-VM to opc@172.0.1.132 (ASH-VM). Rather than copying that private key onto TOR-VM, keep it in Cloud Shell and use ssh's ProxyJump (-J) option with TOR-VM as the jump host, so the key never leaves the host you started from. A successful login to the private address proves the traffic crossed the DRG peering rather than the internet.

2. Connect to ASH-VM, then ssh to TOR-VM, repeating the same steps in the other direction.

Thanks for reading. Hope you like it!
