Local VCN peering is the process of connecting two VCNs in the same region so that their resources can communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. The VCNs can be in the same Oracle Cloud Infrastructure tenancy or different ones.
A peering is a single peering relationship between two VCNs. Example: If VCN1 peers with three other VCNs, then there are three peerings.
In this blog, we will demonstrate the steps to set up a local peering between the private subnets of two VCNs in the same tenancy.
- At a high level:
- Two VCNs with non-overlapping CIDRs, in the same region, each with a private subnet as illustrated in the table below.
- A local peering gateway (LPG) on each VCN in the peering relationship.
- Supporting route rules to enable traffic to flow over the connection, and only to and from the private subnets of the VCNs.
- Supporting security rules to control the types of traffic allowed between the VCNs' private subnets.
- Two compute instances.
| | VCN1 | VCN2 |
|---|---|---|
| VCN Name | TOR-VCN1 | TOR-VCN2 |
| Private Subnet CIDR | 172.10.0.64/26 | 172.20.0.64/26 |
| LPG | VCN1-LPG | VCN2-LPG |
| Compute Instance | VCN1-VM (172.10.0.124) | VCN2-VM (172.20.0.124) |
- Prerequisites:
- An Oracle Cloud free trial or paid account.
- Two OCI VCNs in the same tenancy, each with a private subnet, security list, and route table.
- One OCI compute instance located in the first VCN's private subnet, with its API RSA private key.
- One OCI compute instance located in the second VCN's private subnet, with its API RSA private key.
- Restrictions:
- VCNs in the peering relationship must not have overlapping CIDRs.
Step #1: Create a Local Peering Gateway for both VCNs
1. Create the LPG (VCN1-LPG) for the first VCN (TOR-VCN1).
- Go to the TOR-VCN1 detail page and click on the "Local Peering Gateways" tab.
- Click the "Create Local Peering Gateway" button.
- In the "Create Local Peering Gateway" page, enter the LPG name (VCN1-LPG) and select the compartment. Then click the "Create Local Peering Gateway" button.
2. Create the LPG (VCN2-LPG) for the second VCN (TOR-VCN2). Repeat the same steps used above to create VCN1-LPG.
Step #2: Establish local peering between the two LPGs
- Go to the TOR-VCN1 detail page and click on the "Local Peering Gateways" tab.
- For VCN1-LPG, select "Establish Peering Connection" from the actions menu.
- In the "Establish Peering Connection" page, enter the information of VCN2-LPG, then click the "Establish Peering Connection" button.
Step #3: Add route rules to enable traffic flow over the LPG connection
1. Add a route rule to the "route table for private subnet" of the first VCN (TOR-VCN1) to enable routing to the private subnet of the second VCN.
- Go to the TOR-VCN1 detail page and click on the "Route Tables" tab, then click on "route table for private subnet-TOR-VCN1".
- In the route table page, click the "Add Route Rules" button and enter the route rule information below.
| Target Type | Destination CIDR Block | Target Local Peering Gateway |
|---|---|---|
| Local Peering Gateway | 172.20.0.64/26 (VCN2 private subnet CIDR) | VCN1-LPG |
2. Add a route rule to the "route table for private subnet" of the second VCN (TOR-VCN2) to enable routing to the private subnet of the first VCN.
- Go to the TOR-VCN2 detail page and click on the "Route Tables" tab, then click on "route table for private subnet-TOR-VCN2".
- In the route table page, click the "Add Route Rules" button and enter the route rule information below.
| Target Type | Destination CIDR Block | Target Local Peering Gateway |
|---|---|---|
| Local Peering Gateway | 172.10.0.64/26 (VCN1 private subnet CIDR) | VCN2-LPG |
Step #4: Add a security-list ingress rule in both VCNs to allow traffic over the local peering
1. Add an ingress rule to "security list for private subnet-TOR-VCN1" of the first VCN (TOR-VCN1) to allow traffic coming from the VCN2 private subnet into the VCN1 private subnet.
- In the security list page, click the "Add Ingress Rules" button and enter the ingress rule information below.
| Source Type | Source CIDR | IP Protocol |
|---|---|---|
| CIDR | 172.20.0.64/26 (VCN2 private subnet CIDR) | All Protocols |
2. Add an ingress rule to "security list for private subnet-TOR-VCN2" of the second VCN (TOR-VCN2) to allow traffic coming from the VCN1 private subnet into the VCN2 private subnet.
- Repeat the same steps used above to add the ingress rule for VCN1, but use the ingress rule below.
| Source Type | Source CIDR | IP Protocol |
|---|---|---|
| CIDR | 172.10.0.64/26 (VCN1 private subnet CIDR) | All Protocols |
Step #5: Test local peering connectivity
1. Connect to VCN1-VM, then ssh to VCN2-VM.
- ssh to opc@VCN1-VM using the OCI Cloud Shell tool. Use the RSA private key that was generated while creating VCN1-VM.
- Use the RSA private key that was generated while creating VCN2-VM to ssh from VCN1-VM to opc@VCN2-VM.
2. Connect to VCN2-VM, then ssh to VCN1-VM, repeating the same steps in the reverse direction.
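Before clicking through Steps 1 to 4, it helps to check the plan on paper: the CIDRs must not overlap, each VCN needs a route to the peer's private subnet via its own LPG, and the ingress rule should admit only the peer's private subnet rather than a broader range. The following is an added example (not code from the original post or from Oracle); it models the page's table as a constructed plan dictionary and validates it offline with the standard `ipaddress` module, and it generalises the two-VCN case to any number of VCNs in the plan.

```python
import ipaddress
from itertools import combinations

# Constructed plan mirroring the page's example (TOR-VCN1 <-> TOR-VCN2).
PLAN = {
    "TOR-VCN1": {
        "subnet": "172.10.0.64/26",
        "lpg": "VCN1-LPG",
        "routes": [{"destination": "172.20.0.64/26", "target": "VCN1-LPG"}],
        "ingress": [{"source": "172.20.0.64/26", "protocol": "all"}],
    },
    "TOR-VCN2": {
        "subnet": "172.20.0.64/26",
        "lpg": "VCN2-LPG",
        "routes": [{"destination": "172.10.0.64/26", "target": "VCN2-LPG"}],
        "ingress": [{"source": "172.10.0.64/26", "protocol": "all"}],
    },
}


def check_peering(plan, a, b):
    """Return findings for the peering between VCNs a and b; an empty list means OK."""
    findings = []
    net_a = ipaddress.ip_network(plan[a]["subnet"])
    net_b = ipaddress.ip_network(plan[b]["subnet"])
    if net_a.overlaps(net_b):  # the page's stated restriction
        findings.append(f"{a}/{b}: overlapping CIDRs {net_a} and {net_b}")
    for local, peer_net in ((a, net_b), (b, net_a)):
        cfg = plan[local]
        # Step 3: a route to exactly the peer subnet, targeting this VCN's own LPG.
        if not any(ipaddress.ip_network(r["destination"]) == peer_net
                   and r["target"] == cfg["lpg"] for r in cfg["routes"]):
            findings.append(f"{local}: no route to {peer_net} via {cfg['lpg']}")
        # Step 4: ingress for the peer subnet; flag sources broader than it
        # (for example 0.0.0.0/0 or the peer's whole VCN CIDR).
        sources = [ipaddress.ip_network(r["source"]) for r in cfg["ingress"]]
        for src in sources:
            if src.supernet_of(peer_net) and src != peer_net:
                findings.append(f"{local}: ingress source {src} is broader than {peer_net}")
        if peer_net not in sources:
            findings.append(f"{local}: no ingress rule for {peer_net}")
    return findings


def check_all(plan):
    """Check every pair of VCNs in the plan (each pair is one peering)."""
    return {(a, b): check_peering(plan, a, b) for a, b in combinations(plan, 2)}
```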
Thanks for reading. Hope you liked it!