Friday, September 15, 2023

Peering OCI VCNs in the same tenancy and region using a Dynamic Routing Gateway

 

There are two options to peer Oracle OCI VCNs in the same region:

1- Use a local peering gateway (LPG). The steps are demonstrated in the blog post Peering using LPG.

2- Use a dynamic routing gateway (DRG).

In this blog, we will demonstrate the steps to peer two VCNs in the same region and the same tenancy using a DRG.

Peering two VCNs in the same region through a DRG gives you more flexibility in routing and simpler management, at the cost of a microseconds-level increase in latency, because traffic is routed through a virtual router.

At a high level, the networking service components required for this scenario include:

  • Two VCNs with non-overlapping CIDRs, in the same region.
  • A single dynamic routing gateway (DRG) attached to each peer VCN.
  • Supporting route rules in each VCN so traffic for the peer's private subnet is sent to the DRG attachment.
  • Supporting security rules to control the types of traffic allowed to and from the instances in the private subnets.

 

The values used throughout this post:

                       VCN1                        VCN2
VCN Name               TOR-VCN1                    TOR-VCN2
Private Subnet CIDR    172.10.0.64/26              172.20.0.64/26
DRG                    TOR-DRG (one DRG, attached to both VCNs)
Compute Instance       VCN1-VM (172.10.0.124)      VCN2-VM (172.20.0.124)

- Prerequisites:

  • An Oracle Cloud free trial or paid account.
  • Two OCI VCNs in the same tenancy, each with a private subnet, a security list, and a route table.
  • One OCI compute instance in the first VCN's private subnet, together with the SSH RSA private key generated when the instance was created.
  • One OCI compute instance in the second VCN's private subnet, together with the SSH RSA private key generated when the instance was created.

Step #1: Create a DRG

1. Open the navigation menu and click Networking. Under Customer connectivity, click Dynamic routing gateway.

2. Click the "Create Dynamic Routing Gateway" button.

3. In the "Create dynamic routing gateway" page, enter the DRG name (TOR-DRG) and select the compartment where you want to create the DRG.

 
Step #2: Attach DRG to VCNs

1. Attach the DRG to TOR-VCN1.

    - Go to the TOR-DRG detail page and click on the "VCN attachments" tab.
    - Click the "Create virtual cloud network attachment" button.

    - In the "Create VCN attachment" page, enter the attachment name (TOR-DR-VCN1), select TOR-VCN1 as the VCN, then click the "Create VCN attachment" button.

2. Attach the DRG to TOR-VCN2 by repeating the steps used above for TOR-VCN1.

Step #3: Configure the route table in each VCN to send traffic destined for the peer VCN to the DRG attachment

1. Configure the route table in TOR-VCN1 to send traffic for TOR-VCN2's private subnet CIDR to the DRG.
    - Go to the TOR-VCN1 detail page and click on the "Route Tables" tab.
    - Under the list of route tables, click on "route table for private subnet-TOR-VCN1".

 

    - In the route table page, click the "Add Route Rules" button and enter the route rule information below.

Target Type                         Destination Type    Destination CIDR Block
Dynamic Routing Gateway (TOR-DRG)   CIDR Block          172.20.0.64/26 (TOR-VCN2 private subnet CIDR)

2. Configure the route table in TOR-VCN2 to send traffic for TOR-VCN1's private subnet CIDR to the DRG.
    - Repeat the same steps used above for TOR-VCN1's private subnet route table, using the rule information below.

Target Type                         Destination Type    Destination CIDR Block
Dynamic Routing Gateway (TOR-DRG)   CIDR Block          172.10.0.64/26 (TOR-VCN1 private subnet CIDR)

Step #4: Add security list ingress rules to allow traffic between the VCNs' private subnets through the DRG

1. Add an ingress rule to "security list for private subnet-TOR-VCN1" in the first VCN (TOR-VCN1) to allow traffic coming from the VCN2 private subnet into the VCN1 private subnet.

    - Go to the TOR-VCN1 detail page and click on the "Security Lists" tab, then click on "security list for private subnet-TOR-VCN1".

    - In the security list page, click the "Add Ingress Rules" button and enter the ingress rule information below.

Source Type    Source CIDR                                      IP Protocol
CIDR           172.20.0.64/26 (TOR-VCN2 private subnet CIDR)    All Protocols

2. Add an ingress rule to "security list for private subnet-TOR-VCN2" in the second VCN (TOR-VCN2) to allow traffic coming from the VCN1 private subnet into the VCN2 private subnet.

    Repeat the same steps used above for VCN1, but use the ingress rule below.

Source Type    Source CIDR                                      IP Protocol
CIDR           172.10.0.64/26 (TOR-VCN1 private subnet CIDR)    All Protocols
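The rules from Steps 3 and 4, together with the non-overlapping-CIDR requirement from the component list, can be planned and sanity-checked before anything is clicked in the console. The script below is an added example and is not code from the original post or from Oracle. It uses the VCN names, CIDRs and VM addresses from the summary table above, a clearly marked placeholder in place of the real TOR-DRG OCID, and the JSON field names the OCI CLI and SDK accept for route rules (destination, destinationType, networkEntityId) and ingress security rules (source, sourceType, protocol, tcpOptions, isStateless). It goes slightly beyond the post in one respect: by default it narrows the "All Protocols" ingress rule to TCP port 22, since SSH is the only traffic Step 5 exercises; ssh_only=False reproduces the post's wider rule. The path_allowed check models only the two things the post configures (the source subnet's route table and the destination subnet's ingress rules), which is enough to show why forgetting one side of Step 4 breaks exactly one direction.

```python
"""Plan and check route/security-list rules for peering two VCNs through a DRG.

Added example, not from the original post. Names, CIDRs and VM addresses come
from the post's summary table; DRG_OCID is a placeholder, not a real OCID.
"""
import ipaddress

# Placeholder (assumption): the real value is shown on the TOR-DRG detail page.
DRG_OCID = "ocid1.drg.oc1..<placeholder-TOR-DRG>"

# Values from the post's summary table.
VCNS = {
    "TOR-VCN1": {"private_subnet": "172.10.0.64/26", "vm": "172.10.0.124"},
    "TOR-VCN2": {"private_subnet": "172.20.0.64/26", "vm": "172.20.0.124"},
}


def check_non_overlapping(vcns):
    """Peering requires non-overlapping CIDRs; return the overlapping name pairs."""
    nets = {name: ipaddress.ip_network(v["private_subnet"]) for name, v in vcns.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def route_rule(peer_cidr, drg_ocid=DRG_OCID):
    """Step 3: route the peer's private subnet CIDR to the DRG (CLI/SDK field names)."""
    return {"destination": peer_cidr, "destinationType": "CIDR_BLOCK",
            "networkEntityId": drg_ocid}


def ingress_rule(peer_cidr, ssh_only=True):
    """Step 4: admit traffic from the peer subnet. The post uses All Protocols;
    ssh_only narrows this to TCP/22, which is all the Step 5 test needs."""
    rule = {"source": peer_cidr, "sourceType": "CIDR_BLOCK", "isStateless": False}
    if ssh_only:
        rule["protocol"] = "6"  # TCP
        rule["tcpOptions"] = {"destinationPortRange": {"min": 22, "max": 22}}
    else:
        rule["protocol"] = "all"
    return rule


def plan_peering(vcns, ssh_only=True):
    """Build per-VCN rules: each VCN routes to, and accepts ingress from, every peer."""
    if check_non_overlapping(vcns):
        raise ValueError("VCN CIDRs overlap; peering is not possible")
    plan = {}
    for name in vcns:
        peers = [p for p in vcns if p != name]
        plan[name] = {
            "route_rules": [route_rule(vcns[p]["private_subnet"]) for p in peers],
            "ingress_rules": [ingress_rule(vcns[p]["private_subnet"], ssh_only) for p in peers],
        }
    return plan


def path_allowed(plan, vcns, src_vcn, dst_vcn, dst_port=22):
    """Would a TCP packet from src VM to dst VM on dst_port be routed and admitted?
    Models only the source subnet's route table and the destination subnet's
    security-list ingress, i.e. the two pieces the post configures."""
    src_ip = ipaddress.ip_address(vcns[src_vcn]["vm"])
    dst_ip = ipaddress.ip_address(vcns[dst_vcn]["vm"])

    routed = any(dst_ip in ipaddress.ip_network(r["destination"])
                 and r["networkEntityId"] == DRG_OCID
                 for r in plan[src_vcn]["route_rules"])

    def admits(rule):
        if src_ip not in ipaddress.ip_network(rule["source"]):
            return False
        if rule["protocol"] == "all":
            return True
        port_range = rule.get("tcpOptions", {}).get("destinationPortRange")
        return rule["protocol"] == "6" and port_range is not None \
            and port_range["min"] <= dst_port <= port_range["max"]

    admitted = any(admits(r) for r in plan[dst_vcn]["ingress_rules"])
    return routed and admitted


if __name__ == "__main__":
    peering = plan_peering(VCNS)
    for vcn, rules in peering.items():
        print(vcn, rules)
    print("VCN1 -> VCN2 ssh:", path_allowed(peering, VCNS, "TOR-VCN1", "TOR-VCN2"))
    print("VCN2 -> VCN1 ssh:", path_allowed(peering, VCNS, "TOR-VCN2", "TOR-VCN1"))
```

Running the script prints the rule sets for both VCNs and confirms SSH is allowed in both directions. Dropping the ingress rules of one VCN from the plan (the equivalent of skipping Step 4.2) makes path_allowed fail for traffic into that VCN only, which is the asymmetric "ssh works one way but not the other" symptom to look for when a peering test fails.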

Step #5: Test the SSH connection between the VMs

1. Connect to VCN1-VM, then ssh to VCN2-VM.

    - ssh to opc@VCN1-VM using the OCI Cloud Shell tool, with the RSA private key generated while creating VCN1-VM.
    - From VCN1-VM, ssh to opc@VCN2-VM using the RSA private key generated while creating VCN2-VM.

2. Connect to VCN2-VM, then ssh to VCN1-VM, repeating the same steps in the other direction.

Thanks for reading. Hope you like it!