2a

VCN Advanced Features


June 2018
v2.1

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.


Objectives

After completing this lesson, you should be able to:


• Describe Advanced VCN Functionalities
– Private IP as Route Target
– VCN Peering
— Local VCN Peering
— Remote VCN Peering
– Multiple and Secondary VNICs


Private IP as Route Target – NAT (GA)

Diagram: an Oracle Cloud region, Availability Domain 1, VCN 10.0.0.0/16 with a Frontend Subnet (10.0.0.0/24) hosting a NAT/Firewall HA pair and a Backend Subnet (10.0.1.0/24) of private instances; a DRG connects over FastConnect to the customer datacenter (172.16.0.0/16). Backend subnet route table: 172.16.0.0/16 to the DRG; 0.0.0.0/0 to 10.0.0.15 (the private IP of the NAT/firewall).

• Ability to use a private IP as the target of a route rule, for situations where you want to route a subnet's traffic to another instance in the VCN
• The target private IP must belong to a VNIC in the same VCN, and that VNIC must have its source/destination check skipped (skipSourceDestCheck); otherwise the virtual network discards packets that are not addressed to the instance itself and the rule silently blackholes traffic
• Use Cases
  • To implement NAT in the VCN
  • To implement a virtual network function (such as a firewall or intrusion detection)
  • To manage an overlay network on the VCN, which lets you run container orchestration workloads
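A worked example for the route-target behaviour above, added here and not part of the Oracle course material: a small Python model of the backend subnet's route table that resolves next hops with longest-prefix matching and refuses a private-IP target whose VNIC is outside the VCN, unassigned, or still has the source/destination check enabled. The VCN, rules, VNIC and the target name drg-to-customer-dc are constructed from the slide; the flag skip_source_dest_check mirrors the OCI VNIC attribute skipSourceDestCheck.

```python
"""Route resolution for an OCI-style subnet route table, including the
checks a private-IP route target needs before it will carry traffic.

Added example, not code from the Oracle course. The VCN, route rules and
VNIC attributes are constructed to match the slide (VCN 10.0.0.0/16,
NAT/firewall reachable at 10.0.0.15, on-premises 172.16.0.0/16 behind the
DRG). Target names such as "drg-to-customer-dc" are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RouteRule:
    destination: str    # CIDR block the rule matches
    target_type: str    # "DRG", "InternetGateway", "PrivateIp", ...
    target: str         # gateway name, or the private IP address itself


@dataclass
class Vnic:
    private_ip: str
    skip_source_dest_check: bool   # must be True for a VNIC used as a route target


VCN_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Constructed: the VNIC of the NAT/firewall instance in the frontend subnet.
VNICS: Dict[str, Vnic] = {"10.0.0.15": Vnic("10.0.0.15", skip_source_dest_check=True)}

# Constructed: the backend subnet's route table from the slide.
BACKEND_ROUTE_TABLE = [
    RouteRule("172.16.0.0/16", "DRG", "drg-to-customer-dc"),
    RouteRule("0.0.0.0/0", "PrivateIp", "10.0.0.15"),
]


def validate_private_ip_target(rule: RouteRule) -> List[str]:
    """Reasons a private-IP route rule would silently blackhole traffic."""
    problems = []
    if ipaddress.ip_address(rule.target) not in VCN_CIDR:
        problems.append(f"{rule.target} is outside the VCN {VCN_CIDR}")
    vnic = VNICS.get(rule.target)
    if vnic is None:
        problems.append(f"{rule.target} is not assigned to a VNIC in the VCN")
    elif not vnic.skip_source_dest_check:
        # With the check on, the virtual network drops packets whose
        # destination is not the VNIC's own address, so the NAT/firewall
        # instance never sees the forwarded traffic.
        problems.append(f"VNIC holding {rule.target} still has source/destination check enabled")
    return problems


def resolve(dst: str, table: List[RouteRule] = BACKEND_ROUTE_TABLE) -> Tuple[str, str]:
    """Next hop for dst: traffic inside the VCN CIDR is delivered locally;
    otherwise the most specific (longest prefix) matching rule wins, and a
    private-IP target is only usable when its VNIC passes the checks."""
    addr = ipaddress.ip_address(dst)
    if addr in VCN_CIDR:
        return ("local", str(VCN_CIDR))
    best = None
    for rule in table:
        net = ipaddress.ip_network(rule.destination)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rule)
    if best is None:
        return ("drop", "no matching route rule")
    rule = best[1]
    if rule.target_type == "PrivateIp":
        problems = validate_private_ip_target(rule)
        if problems:
            return ("drop", "; ".join(problems))
    return (rule.target_type, rule.target)


if __name__ == "__main__":
    for dst in ("10.0.0.7", "172.16.20.5", "8.8.8.8"):
        print(dst, "->", resolve(dst))
```

Traffic to 172.16.20.5 takes the more specific DRG rule even though 0.0.0.0/0 also matches; internet-bound traffic goes to the NAT/firewall at 10.0.0.15 only while its VNIC has the source/destination check skipped, which is the first thing to verify when a private-IP route rule "does nothing".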


VCN Peering

• Enables connectivity between the resources in different VCNs
• Does not require public IPs or NAT to enable connectivity
• Traffic never leaves the Oracle network
• Compared with other options such as connecting over the internet, VCN Peering offers
  • Faster connectivity
  • Higher security: traffic stays on the Oracle backbone and remains subject to both VCNs' route tables and security lists
• Types of VCN Peering available
  • Local Peering (in-region)
  • Remote Peering (cross-region)


Local VCN Peering – Connecting VCNs in the same region

• Traffic flows from the network interface card (NIC) of an instance in one VCN to the NIC of an instance in a different VCN, without leaving the region
• Latency is the same as for any other traffic between instances in the same region
• The two VCNs must not have overlapping CIDR blocks
• Local Peering Gateway (LPG)
  • Like the Internet Gateway, the LPG is a component attached to the VCN
  • The LPGs of the two VCNs are connected to form the peering relationship: the requestor's administrator establishes the connection, which the acceptor's administrator has authorized through IAM policy
  • Enables the data plane to learn about instances in the peered VCN
• Route Table
  • Route rules are needed on both sides to send traffic over the connection, and only to/from the selected subnets in the respective VCNs
  • The rules use the local peering gateway as the target type
• Security Lists - Security list rules control the types of traffic allowed to/from the instances in the subnets that need to communicate with the other VCN; they must permit the flow on both sides


Local VCN Peering

• Create a Local Peering Gateway in each VCN
• Have the required IAM policies in place to establish the connection (the acceptor authorizes the requestor to connect to its LPG)
• Establish the connection across the LPGs
• Update the route tables of the subnets that need to communicate, with a rule per peer CIDR targeting the LPG
• Update the security lists on both sides to permit the required traffic


Remote VCN Peering – Connecting VCNs in different regions

• Traffic flows between regions through the OCI backbone network
• Requires a DRG in each VCN to set up the remote peering connection
• The NIC of an instance in one VCN forwards traffic to its DRG. The DRG then forwards the traffic over the backbone to the peer DRG attached to the other VCN in the other region
• Enables features such as data replication across regions
• Remote Peering Connection (RPC)
  • Like Virtual Circuits, the Remote Peering Connection is a component of the DRG
  • The RPCs of two DRGs in two regions are connected to create the peering relationship
• Route Table
  • Route rules are needed on both sides to send traffic over the connection, and only to/from the selected subnets in the respective VCNs
  • The rules use the DRG as the target type
• Security Lists - Security list rules control the types of traffic allowed to/from the instances in the subnets that need to communicate with the other VCN; as with local peering, the two VCNs' CIDR blocks must not overlap


Remote VCN Peering

• Have a DRG created and attached to each VCN
• Have the required IAM policies in place to establish the connection
• Create a Remote Peering Connection on each DRG and establish the connection across them
• Update the route tables with a rule per peer CIDR targeting the DRG
• Update the security lists on both sides to permit the required traffic
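An added example, not from the course, that covers both the local and the remote peering procedures above: a Python readiness check that reports whether a flow between two peered VCNs will work, given the CIDR, route table and security list conditions the two slide sets list. The two VCNs, subnets, rules, port 1521 and the names vcn-app and vcn-db are constructed; the route target types LPG and DRG stand for the local peering gateway and the DRG.

```python
"""Readiness check for a VCN peering: can an instance in one VCN open a
connection to an instance in the peered VCN?

Added example, not code from the Oracle course. It models what the local
and remote peering slides say must be in place, the only difference between
the two being the route target (LPG for local, DRG for remote):
  1. the two VCN CIDRs must not overlap,
  2. each side's subnet route table needs a rule covering the peer subnet
     whose target is that side's LPG or DRG (the reply needs the return
     route, so one-sided routing is a common failure),
  3. the security lists must allow the flow: egress on the sending subnet
     and ingress on the receiving subnet (security list rules are stateful,
     so the reply packets need no additional rule).
All VCNs, subnets, rules, names and port numbers below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SecRule:
    direction: str     # "ingress" or "egress"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    cidr: str          # source CIDR (ingress) or destination CIDR (egress)
    port_min: int = 1
    port_max: int = 65535

    def allows(self, direction: str, protocol: str, peer_ip: str, port: int) -> bool:
        return (self.direction == direction
                and self.protocol in (protocol, "all")
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)
                and self.port_min <= port <= self.port_max)


@dataclass
class Subnet:
    cidr: str
    routes: Dict[str, str]      # destination CIDR -> target type ("LPG", "DRG", ...)
    security: List[SecRule]     # rules of the security list(s) on the subnet


@dataclass
class Vcn:
    name: str
    cidr: str
    subnets: Dict[str, Subnet]


def has_route(subnet: Subnet, peer_cidr: str, target: str) -> bool:
    """True if some rule with the wanted target covers the whole peer CIDR."""
    want = ipaddress.ip_network(peer_cidr)
    return any(t == target and want.subnet_of(ipaddress.ip_network(dst))
               for dst, t in subnet.routes.items())


def check_peering(kind: str, src_vcn: Vcn, src_subnet: str, src_ip: str,
                  dst_vcn: Vcn, dst_subnet: str, dst_ip: str,
                  port: int, protocol: str = "tcp") -> List[str]:
    """Return the misconfigurations found; an empty list means the flow works."""
    target = {"local": "LPG", "remote": "DRG"}[kind]
    src, dst = src_vcn.subnets[src_subnet], dst_vcn.subnets[dst_subnet]
    problems = []
    a, b = ipaddress.ip_network(src_vcn.cidr), ipaddress.ip_network(dst_vcn.cidr)
    if a.overlaps(b):
        problems.append(f"VCN CIDRs overlap: {a} and {b}")
    # Request path and reply path each need a route to the other subnet.
    for vcn, sub, peer in ((src_vcn, src, dst), (dst_vcn, dst, src)):
        if not has_route(sub, peer.cidr, target):
            problems.append(f"{vcn.name} {sub.cidr}: no route to {peer.cidr} via {target}")
    if not any(r.allows("egress", protocol, dst_ip, port) for r in src.security):
        problems.append(f"{src_vcn.name} {src.cidr}: egress to {dst_ip} port {port}/{protocol} not allowed")
    if not any(r.allows("ingress", protocol, src_ip, port) for r in dst.security):
        problems.append(f"{dst_vcn.name} {dst.cidr}: ingress from {src_ip} to port {port}/{protocol} not allowed")
    return problems


# Constructed: an application VCN peered locally with a database VCN.
VCN_APP = Vcn("vcn-app", "10.0.0.0/16", {
    "app": Subnet("10.0.1.0/24",
                  routes={"192.168.0.0/16": "LPG"},
                  security=[SecRule("egress", "all", "0.0.0.0/0")]),
})
VCN_DB = Vcn("vcn-db", "192.168.0.0/16", {
    "db": Subnet("192.168.5.0/24",
                 routes={"10.0.1.0/24": "LPG"},
                 security=[SecRule("ingress", "tcp", "10.0.1.0/24", 1521, 1521)]),
})

if __name__ == "__main__":
    for kind in ("local", "remote"):
        print(kind, check_peering(kind, VCN_APP, "app", "10.0.1.10",
                                  VCN_DB, "db", "192.168.5.20", 1521))
```

With the constructed data the local check passes, while asking the same question for a remote peering fails on both sides because the routes point at an LPG rather than a DRG; the database side's ingress rule is deliberately narrowed to the application subnet and port 1521, so a request on any other port is reported as a security list problem rather than a routing one.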


Multiple VNICs on virtual machines

Diagram: one region, Availability Domain 1 (AD2 and AD3 shown empty), a VCN with Subnet A (10.0.0.0/24) and Subnet B (10.0.1.0/24), VNIC1 to VNIC4 attached to VM1, VM2 and VM3, and VNIC5 in Subnet X (172.16.0.0/24) of a separate VCN.

• Every VM has one primary VNIC created at launch, and a corresponding Ethernet device on the instance with the IP address configuration of the primary VNIC.
• When a secondary VNIC is added, a new Ethernet device is added and is recognized by the instance OS; the OS still has to be configured to use it.
• VM1 - single VNIC instance
• VM2 - connected to two VNICs from two subnets within the same VCN. Used for virtual appliance scenarios
• VM3 - connected to two VNICs from two subnets in separate VCNs. Used to connect instances to a separate management network for isolated access
• A secondary VNIC must be in the same availability domain as the instance; its subnet can be in a different VCN, as VM3 shows.

Multiple VNICs on bare metal instances

Diagram: one region, Availability Domain 1, Subnet A (10.0.0.0/24) and Subnet B (10.0.1.0/24) with VNIC1 to VNIC4 carried on NIC 1 and NIC 2 of a bare metal instance, and VNIC5 in Subnet X (172.16.0.0/24).

• Every BM instance has two physical NICs.
• Only one physical NIC is active in first generation BM (X5 servers)
• Both NICs are active in second generation BM (X7 servers)
• Each NIC has 25 Gbps of bandwidth.
• The primary VNIC, created at instance launch, is configured on NIC 1.
• Secondary VNICs can be on either NIC if both are active
• Each VNIC's traffic is carried on the physical NIC as a separate VLAN, uniquely identified by the VNIC's VLAN tag and MAC address
• Two step process:
  • attach a secondary VNIC
  • update the instance OS (create the VLAN interface with the VNIC's tag and MAC address, then configure its IP address and routing)
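An added example, not Oracle's own tooling, for the "update the instance OS" step on both VM and bare metal instances: Python that reads the VNIC listing from the instance metadata service (http://169.254.169.254/opc/v1/vnics/, whose entries carry vnicId, privateIp, vlanTag, macAddr, virtualRouterIp, subnetCidrBlock and nicIndex) and derives the Linux iproute2 commands for each secondary VNIC. The JSON below is a constructed sample, the physical NIC names and the MAC-to-device map are assumptions, the "<nic>.<vlanTag>" interface naming is this example's own choice, and the commands are returned as strings for review rather than executed. Each secondary VNIC gets its own routing table and a source-address rule so that replies leave through the VNIC the request arrived on instead of the primary VNIC's default route.

```python
"""Derive the Linux (iproute2) commands that configure secondary VNICs from
the instance metadata VNIC listing.

Added example, not Oracle's configuration script. Assumptions:
  - metadata entries look like the constructed SAMPLE_METADATA below,
  - on a VM the secondary VNIC appears as its own Ethernet device, found
    here by MAC address through a constructed MAC -> device map,
  - on bare metal the VNIC is a VLAN on physical NIC nicIndex, so a VLAN
    sub-interface carrying the VNIC's MAC is created on that NIC,
  - the primary VNIC is identified by the MAC of the device holding the
    default route (read from the OS) and left to DHCP.
"""
import ipaddress
import json
from typing import Dict, List

# Constructed sample of the metadata listing: a primary VNIC plus one
# secondary VNIC in another subnet on the second physical NIC.
SAMPLE_METADATA = json.dumps([
    {"vnicId": "ocid1.vnic.oc1..primary", "privateIp": "10.0.0.11",
     "vlanTag": 0, "macAddr": "02:00:17:00:00:01", "virtualRouterIp": "10.0.0.1",
     "subnetCidrBlock": "10.0.0.0/24", "nicIndex": 0},
    {"vnicId": "ocid1.vnic.oc1..secondary", "privateIp": "10.0.1.23",
     "vlanTag": 1234, "macAddr": "02:00:17:00:00:02", "virtualRouterIp": "10.0.1.1",
     "subnetCidrBlock": "10.0.1.0/24", "nicIndex": 1},
])

# Constructed: physical NIC names on a bare metal shape, indexed by nicIndex,
# and the MAC -> device map a VM's OS would show (e.g. from /sys/class/net).
BM_PHYSICAL_NICS = ["ens1f0", "ens1f1"]
VM_MAC_TO_DEVICE = {"02:00:17:00:00:01": "ens3", "02:00:17:00:00:02": "ens4"}

REQUIRED = ("vnicId", "privateIp", "vlanTag", "macAddr",
            "virtualRouterIp", "subnetCidrBlock", "nicIndex")


def parse_vnics(metadata_json: str) -> List[Dict]:
    """Parse the metadata listing and reject entries missing a field we rely on."""
    vnics = json.loads(metadata_json)
    for v in vnics:
        missing = [k for k in REQUIRED if k not in v]
        if missing:
            raise ValueError(f"VNIC entry {v.get('vnicId', '?')} is missing {missing}")
    return vnics


def secondary_vnic_commands(vnic: Dict, bare_metal: bool, table: int) -> List[str]:
    """Commands for one secondary VNIC; `table` is its policy-routing table id."""
    subnet = ipaddress.ip_network(vnic["subnetCidrBlock"])
    ip = ipaddress.ip_address(vnic["privateIp"])
    if ip not in subnet:
        raise ValueError(f"{ip} is outside its subnet {subnet}")
    cmds: List[str] = []
    if bare_metal:
        # The VNIC rides on the physical NIC as VLAN <vlanTag> with its own MAC.
        nic = BM_PHYSICAL_NICS[vnic["nicIndex"]]
        dev = f"{nic}.{vnic['vlanTag']}"
        cmds += [
            f"ip link set dev {nic} up",
            f"ip link add link {nic} name {dev} type vlan id {vnic['vlanTag']}",
            f"ip link set dev {dev} address {vnic['macAddr']}",
        ]
    else:
        dev = VM_MAC_TO_DEVICE[vnic["macAddr"]]
    cmds += [
        f"ip link set dev {dev} up",
        f"ip addr add {ip}/{subnet.prefixlen} dev {dev}",
        # Own routing table via the subnet's virtual router, selected by
        # source address, so replies from this VNIC go back out through it.
        f"ip route add default via {vnic['virtualRouterIp']} dev {dev} table {table}",
        f"ip rule add from {ip}/32 lookup {table}",
    ]
    return cmds


def configure_all(metadata_json: str, bare_metal: bool, primary_mac: str) -> List[str]:
    """Commands for every VNIC except the primary, one routing table each."""
    cmds: List[str] = []
    table = 100
    for vnic in parse_vnics(metadata_json):
        if vnic["macAddr"].lower() == primary_mac.lower():
            continue
        table += 1
        cmds += secondary_vnic_commands(vnic, bare_metal, table)
    return cmds


if __name__ == "__main__":
    for line in configure_all(SAMPLE_METADATA, bare_metal=True, primary_mac="02:00:17:00:00:01"):
        print(line)
```

On a real instance, replace SAMPLE_METADATA with the body fetched from the metadata URL, pass the MAC of the interface that carries the default route, review the printed commands and then apply them with sudo. The OS configuration does not bypass VCN controls: every VNIC remains subject to its own subnet's security lists, and a secondary VNIC in another VCN (the management-network case) is reachable only as far as that VCN's route table and security lists allow.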


Multiple VNICs on bare metal instances

Diagram: the same bare metal instance running a hypervisor with Guest VM1, VM2 and VM3, each backed by an SR-IOV virtual function (VF1 to VF3) on NIC 1; VNIC1 to VNIC4 in Subnet A (10.0.0.0/24) and Subnet B (10.0.1.0/24), VNIC5 in Subnet X (172.16.0.0/24), NIC 2 unused.

• In a bring-your-own-hypervisor (BYOH) scenario, each guest VM can get one or more secondary VNICs.
• If SR-IOV virtual functions (VFs) are used by the hypervisor to provide network access to the guest VMs, each VF can be configured with the VLAN tag and MAC address of a secondary VNIC, so the guest's traffic is carried on its own VNIC and is governed by that VNIC's subnet security lists and route table.

Secondary IP addresses on VNICs

Diagram: VM1 and VM2 in Subnet A (10.0.0.0/24) and Subnet B (10.0.1.0/24); each VNIC carries its primary private IP plus secondary private IPs (IP1 to IP7 across VNIC1 to VNIC3).

• Every VNIC is assigned a primary private IP address when it is created, which is configured automatically on the corresponding Ethernet device in the instance OS.
• Two step process to use secondary IP addresses
  • assign a secondary private IP address to the VNIC using the console/API/SDK
  • update the instance OS to configure the additional IP address on the corresponding Ethernet device
• A secondary IP address can be moved to a different VNIC in the same subnet, for example in a failover scenario; the move is done through the API, and the OS of the instance that now owns the address must be configured with it as well.

Securing your VCN

• Public vs Private Subnets - designate a subnet as private, which means instances in the subnet cannot have public IP addresses
• Security Lists - control packet-level traffic in/out of an instance by defining security rules in your VCN; the rules are enforced by the virtual network at the VNIC, outside the instance
• Firewall Rules - configure firewall rules directly on the instance itself (for example iptables or firewalld on Linux) to control packet-level traffic in/out of an instance; Oracle-provided images ship with the host firewall enabled, so a flow must be allowed by both the security list and the OS firewall
• Gateways and route tables - control general traffic flow from your cloud network to outside destinations (the internet, your on-premises network, or another VCN)
• IAM Policies - control who has access to the Oracle Cloud Infrastructure API or console, including who can create gateways, peering connections and route rules


Summary
In this lesson, you should have learned how to:
• Describe Advanced VCN Functionalities
– Private IP as Route Target
– VCN Peering
— Local VCN Peering
— Remote VCN Peering
– Multiple and Secondary VNICs
