Wednesday, September 13, 2023

Peering OCI VCNs in the same tenancy region using Local Peering Gateways

Local VCN peering is the process of connecting two VCNs in the same region so that their resources can communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. The VCNs can be in the same Oracle Cloud Infrastructure tenancy or different ones.

A peering is a single peering relationship between two VCNs. Example: if VCN1 peers with three other VCNs, then there are three peerings.

In this blog, we will demonstrate the steps to set up a local peering between the private subnets of two VCNs in the same tenancy.

- At a high level, the setup consists of:

  • Two VCNs with non-overlapping CIDRs, in the same region, each with a private subnet as illustrated in the table below.
  • A local peering gateway (LPG) on each VCN in the peering relationship.
  • Supporting route rules to enable traffic to flow over the connection, and only to and from the private subnets of the VCNs.
  • Supporting security rules to control the types of traffic allowed between the VCNs' private subnets.
  • Two compute instances, one in each private subnet, to test the connection.

|                     | VCN1                   | VCN2                   |
|---------------------|------------------------|------------------------|
| VCN Name            | TOR-VCN1               | TOR-VCN2               |
| Private Subnet CIDR | 172.10.0.64/26         | 172.20.0.64/26         |
| LPG                 | VCN1-LPG               | VCN2-LPG               |
| Compute Instance    | VCN1-VM (172.10.0.124) | VCN2-VM (172.20.0.124) |

- Prerequisites:

  • An Oracle Cloud free trial or paid account.
  • Two OCI VCNs in the same tenancy, each with a private subnet, a security list, and a route table.
  • One OCI compute instance in the first VCN's private subnet, with the RSA private key used when it was created.
  • One OCI compute instance in the second VCN's private subnet, with the RSA private key used when it was created.

- Restrictions:

  • VCNs in the peering relationship must not have overlapping CIDRs.

Step #1: Create a Local Peering Gateway for both VCNs

1. Create LPG (VCN1-LPG) for the first VCN (TOR-VCN1).
    - Go to the TOR-VCN1 detail page and click on the "Local Peering Gateways" tab.
    - Click the "Create Local Peering Gateway" button.
    - In the "Create Local Peering Gateway" page, enter the LPG name (VCN1-LPG) and select the compartment. Then click the "Create Local Peering Gateway" button.

2. Create LPG (VCN2-LPG) for the second VCN (TOR-VCN2) by repeating the steps used above for VCN1-LPG.

Step #2: Establish local peering between the two LPGs

    - Go to the TOR-VCN1 detail page and click on the "Local Peering Gateways" tab.

    - For VCN1-LPG, select "Establish Peering Connection" from the actions menu.

    - In the "Establish Peering Connection" page, enter the details of VCN2-LPG, then click the "Establish Peering Connection" button.

Establishing the connection from one side is enough: the peering now also shows as established from VCN2-LPG to VCN1-LPG.

Step #3: Add route rules to enable traffic to flow over the LPG connection

1. Add a route rule to the "route table for private subnet" of the first VCN (TOR-VCN1) to enable routing to the private subnet of the second VCN.
    - Go to the TOR-VCN1 detail page and click on the "Route Tables" tab, then click on "route table for private subnet-TOR-VCN1".

    - In the route table page, click the "Add Route Rules" button and enter the route rule below.

| Target Type           | Destination CIDR Block                    | Target Local Peering Gateway |
|-----------------------|-------------------------------------------|------------------------------|
| Local Peering Gateway | 172.20.0.64/26 (VCN2 private subnet CIDR) | VCN1-LPG                     |

2. Add a route rule to the "route table for private subnet" of the second VCN (TOR-VCN2) to enable routing to the private subnet of the first VCN.
    - Go to the TOR-VCN2 detail page and click on the "Route Tables" tab, then click on "route table for private subnet-TOR-VCN2".

    - In the route table page, click the "Add Route Rules" button and enter the route rule below.

| Target Type           | Destination CIDR Block                    | Target Local Peering Gateway |
|-----------------------|-------------------------------------------|------------------------------|
| Local Peering Gateway | 172.10.0.64/26 (VCN1 private subnet CIDR) | VCN2-LPG                     |

Step #4: Add security list ingress rules to allow peered traffic in both VCNs

1. Add an ingress rule to "security list for private subnet-TOR-VCN1" of the first VCN (TOR-VCN1) to allow traffic from the VCN2 private subnet into the VCN1 private subnet.

    - Go to the TOR-VCN1 detail page and click on the "Security Lists" tab, then click on "security list for private subnet-TOR-VCN1".

    - In the security list page, click the "Add Ingress Rules" button and enter the ingress rule below.

| Source Type | Source CIDR                               | IP Protocol   |
|-------------|-------------------------------------------|---------------|
| CIDR        | 172.20.0.64/26 (VCN2 private subnet CIDR) | All Protocols |

2. Add an ingress rule to "security list for private subnet-TOR-VCN2" of the second VCN (TOR-VCN2) to allow traffic from the VCN1 private subnet into the VCN2 private subnet.

    - Repeat the same steps used above for VCN1, but enter the ingress rule below instead.

| Source Type | Source CIDR                               | IP Protocol   |
|-------------|-------------------------------------------|---------------|
| CIDR        | 172.10.0.64/26 (VCN1 private subnet CIDR) | All Protocols |
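
The non-overlap restriction above, together with the route rule (step 3) and ingress rule (step 4) each VCN needs, can be checked and generated offline before anything is clicked in the console. This is an added example, not code from the post: it uses the post's CIDRs and VM addresses with placeholder LPG OCIDs, and the JSON keys follow the OCI REST RouteRule and IngressSecurityRule shapes as I understand them (an assumption). It also produces a TCP/22-only ingress rule beside the post's "All Protocols" rule, since the SSH test in step 5 needs nothing wider.

```python
import ipaddress
import json

# Constructed from the post's table; the LPG OCIDs are placeholders, not real identifiers.
VCNS = {
    "TOR-VCN1": {"subnet": "172.10.0.64/26", "vm": "172.10.0.124", "lpg": "VCN1-LPG",
                 "lpg_ocid": "ocid1.localpeeringgateway.oc1..PLACEHOLDER-VCN1-LPG"},
    "TOR-VCN2": {"subnet": "172.20.0.64/26", "vm": "172.20.0.124", "lpg": "VCN2-LPG",
                 "lpg_ocid": "ocid1.localpeeringgateway.oc1..PLACEHOLDER-VCN2-LPG"},
}

def peering_problems(a, b):
    """Post's restrictions: no overlapping CIDRs, and each VM inside its own subnet."""
    problems = []
    net_a, net_b = ipaddress.ip_network(a["subnet"]), ipaddress.ip_network(b["subnet"])
    if net_a.overlaps(net_b):
        problems.append(f"overlapping CIDRs: {net_a} and {net_b}")
    for side in (a, b):
        if ipaddress.ip_address(side["vm"]) not in ipaddress.ip_network(side["subnet"]):
            problems.append(f"{side['vm']} is outside {side['subnet']}")
    return problems  # empty list means the pair may be peered

def route_rule(local, remote):
    """Step 3: route the remote private subnet to the local LPG (RouteRule shape, assumed)."""
    return {"destination": remote["subnet"], "destinationType": "CIDR_BLOCK",
            "networkEntityId": local["lpg_ocid"],
            "description": f"to {remote['subnet']} via {local['lpg']}"}

def ingress_rule(remote, tcp_port=None):
    """Step 4: ingress from the remote subnet (IngressSecurityRule shape, assumed). tcp_port=None
    reproduces the post's 'All Protocols' rule; a port narrows it to that single TCP port."""
    rule = {"source": remote["subnet"], "sourceType": "CIDR_BLOCK", "isStateless": False}
    if tcp_port is None:
        rule["protocol"] = "all"
    else:
        rule["protocol"] = "6"  # IANA protocol number for TCP
        rule["tcpOptions"] = {"destinationPortRange": {"min": tcp_port, "max": tcp_port}}
    return rule

def build_side(local, remote, tcp_port=None):
    """Rules one VCN needs so its private subnet can reach and be reached from the peer."""
    problems = peering_problems(local, remote)
    if problems:
        raise ValueError("; ".join(problems))
    return {"route_rules": [route_rule(local, remote)],
            "ingress_security_rules": [ingress_rule(remote, tcp_port)]}

if __name__ == "__main__":
    v1, v2 = VCNS["TOR-VCN1"], VCNS["TOR-VCN2"]
    print(json.dumps({"TOR-VCN1": build_side(v1, v2, 22), "TOR-VCN2": build_side(v2, v1, 22)}, indent=2))
```

Call build_side without a port to get exactly the rules the post's two tables describe.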

Step #5: Test local peering connectivity

1. Connect to VCN1-VM, then ssh to VCN2-VM.

    - ssh to opc@VCN1-VM from the OCI Cloud Shell, using the RSA private key that was generated while creating VCN1-VM.

    - Use the RSA private key that was generated while creating VCN2-VM to ssh from VCN1-VM to opc@VCN2-VM.

2. Connect to VCN2-VM, then ssh to VCN1-VM, repeating the same steps in the reverse direction.

Thanks for reading. Hope you like it!