To ensure secure access to the service instance by your end users, you must establish an IPSec VPN connection between Oracle Cloud and the service instance host. The VPN provisioning process is a collaborative effort between Oracle Public Cloud network engineers and your corporate network administrators.
To request VPN, see My Oracle Support Note 2056914.1. Instructions in this topic are complementary to the note in My Oracle Support referenced in the URL.
If you attempt to connect to BDDCS through a connection that is not protected by VPN, Oracle Cloud MyServices prevents such connections and issues an error.
Before you request VPN, ensure these requirements are met at your site:
- Product-related requirements for VPN. If you used VPN in Big Data Cloud Service (BDCS), continue to rely on the same VPN routing in BDDCS. If you have not used VPN in BDCS, and now are purchasing BDDCS, you should request VPN from your sales representative.
- VPN device requirements. You need a VPN gateway device that uses current IPSec standards to establish a secure tunnel between your network and the Oracle Public Cloud. You will provide the details of your device to Oracle. The device must support:
  - IPv4 traffic with support for ICMP, TCP and UDP. Multicast traffic is not supported.
  - Tunnel mode sessions. Tunnel mode is used to create a virtual private network between your network and the Oracle Public Cloud, rather than between a specific set of hosts. It is used to protect all communications between both networks.
  - Authentication with pre-shared keys. The same pre-shared key is configured on each IPSec VPN gateway device.
  - Dynamic rekeying. IPSec uses dynamic rekeying to control how often a new key is generated during communication. Communication is sent in blocks and each block of data is secured with a different key.
- Network requirements for an IPSec VPN connection. Both sides must provide subnets:
  - On your side, dedicate subnets in your network for this VPN connection. You will indicate these subnets to Oracle. To prevent an IP address conflict in the end-to-end network connection, mask your internal systems with a public or non-RFC 1918 address range.
  - On the Oracle side, network engineers from Oracle Cloud Operations will provide the destination subnets in a way that avoids IP address conflicts.
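One way to check a subnet plan against the network requirements above before you submit it, as an added example that is not Oracle tooling or part of the original page. The function name `check_vpn_subnets` is hypothetical and the sample subnets are constructed from documentation address ranges; substitute the subnets you dedicate and the destination subnets Oracle provides.

```python
import ipaddress

# RFC 1918 private ranges, which the customer side must not use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpn_subnets(customer_subnets, oracle_subnets):
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    parsed = {"customer": [], "oracle": []}
    for side, subnets in (("customer", customer_subnets),
                          ("oracle", oracle_subnets)):
        for text in subnets:
            try:
                # strict=True rejects entries with host bits set.
                net = ipaddress.ip_network(text, strict=True)
            except ValueError as exc:
                problems.append(f"{side} {text}: not a valid network ({exc})")
                continue
            if net.version != 4:
                problems.append(f"{side} {text}: only IPv4 traffic is supported")
            elif net.is_multicast:
                problems.append(f"{side} {text}: multicast is not supported")
            else:
                parsed[side].append(net)
    # Customer-side subnets must sit outside RFC 1918 space.
    for net in parsed["customer"]:
        for private in RFC1918:
            if net.overlaps(private):
                problems.append(
                    f"customer {net}: overlaps RFC 1918 range {private}")
    # No two subnets in the end-to-end plan may overlap.
    plan = [(s, n) for s in ("customer", "oracle") for n in parsed[s]]
    for i, (side_a, a) in enumerate(plan):
        for side_b, b in plan[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{side_a} {a} overlaps {side_b} {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan using documentation address ranges.
    for line in check_vpn_subnets(["10.20.0.0/16", "203.0.113.0/24"],
                                  ["203.0.113.128/25"]):
        print(line)
```
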
To request VPN provisioning by Oracle Support:
Oracle engineers receive your information and check that all prerequisites are met. Next, Oracle provisions the VPN service together with your network engineers during an agreed maintenance window and runs through a post-configuration checklist with you to ensure that the VPN connection is working and that the setup is completed.