FastConnect with Multiple DRGs and VCNs
This topic summarizes an advanced networking scenario that enables communication between an on-premises network and multiple virtual cloud networks (VCNs) over a single Oracle Cloud Infrastructure FastConnect. Each VCN has its own dynamic routing gateway (DRG) , and you set up a separate FastConnect private virtual circuit to each DRG.
This scenario is supported for only certain FastConnect setups:
- Using a third-party provider or a Colocation with Oracle in a FastConnect location is fully supported.
- Using multiple DRGs and VCNs with an Oracle partner depends on your partner's support of this feature. Some partners also provide alternative solutions to achieve the same goal, so check with your chosen Oracle partner for details.
There's a scenario called transit routing that also involves using multiple VCNs, but only a single DRG. It can be used with VPN Connect or FastConnect. It involves setting up the VCNs in a hub-and-spoke layout and using the hub VCN for transit routing of traffic to the other VCNs. You might use this scenario if you need multiple VCNs for different parts of your organization, but you want to use one VCN for centralized services that all parts of the organization need. For more information, see Transit Routing: Access to Multiple VCNs in the Same Region.
- You can use a single FastConnect to connect your on-premises network with multiple VCNs in the same region. The scenario is supported only for FastConnect through a third-party provider or through colocation with Oracle. You need at least one physical connection (cross-connect) in your connection.
- The VCNs must be in the same region and same tenancy . The VCNs can be in the same compartment or different ones in the tenancy. For accurate routing, the CIDR blocks of the various subnets of interest in the on-premises network and VCNs must not overlap.
- Each VCN has its own dynamic routing gateway (DRG) and private virtual circuit . You must use a different VLAN and different set of BGP IP addresses for each private virtual circuit.
- You can also use FastConnect public peering to give your on-premises network access to public endpoints of Oracle services. In this case, you set up a single public virtual circuit , which covers all the VCNs. With public peering, configure your edge device (also known as your customer-premises equipment or CPE) to prefer FastConnect over your ISP for the Oracle Cloud Infrastructure public IP prefixes. Or, if you plan to also set up private access to Oracle services through one of the VCNs, see the important routing details in Routing Details for Connections to Your On-Premises Network.
Overview of the Scenario
In this scenario, you have a single FastConnect that connects your existing on-premises network to Oracle Cloud Infrastructure. That FastConnect has at least one physical connection, or cross-connect .
In Oracle Cloud Infrastructure, you have multiple VCNs, all in the same region. Each VCN has its own DRG. For each VCN, there's a private virtual circuit that runs on the FastConnect and terminates at your CPE on one end, and on the VCN's DRG on the other end. The private virtual circuit enables communication that uses private IP addresses between the VCN and the on-premises network. See the following diagram.
For example, imagine that each department in your organization has its own subnet in your on-premises network and a corresponding departmental VCN in Oracle Cloud Infrastructure. You want to enable private communication between each department's subnet and VCN over the FastConnect.
Or, perhaps all the departments need to communicate with all the VCNs. For example, instead perhaps the VCNs are for separate development, test, and production environments, and each department needs access to all three VCNs.
The FastConnect and virtual circuits give you the general private connection where none of the traffic traverses the internet. You can separately control which on-premises subnets and VCNs can communicate by configuring route rules in your on-premises network and VCN route tables. You can optionally configure VCN security rules and other firewalls that you maintain to allow only certain types of traffic (such as SSH) between your on-premises network and VCN.
You can also set up public peering on that same FastConnect by creating a public virtual circuit. In the following diagram, the public virtual circuit is shown separate from the private virtual circuits. It terminates at Oracle's edge. The public virtual circuit enables communication that uses public IP addresses but does not traverse the internet. If a given VCN happens to also have an internet gateway , Oracle's edge prefers the FastConnect route over the VCN's internet gateway. For other important details about how you can control route preferences when you have multiple connections between your on-premises network and Oracle, see Routing Details for Connections to Your On-Premises Network.
When you set up public peering for your FastConnect, the public IP prefixes that you designate for the public virtual circuit are advertised to all the VCNs in your tenancy. The routes advertised to your on-premises network are all the Oracle Cloud Infrastructure public IP addresses (including the CIDRs for each of the VCNs in the tenancy).
Your network receives Oracle's public IP addresses through both FastConnect and your Internet Service Provider (ISP). When configuring your edge, give higher preference to FastConnect over your ISP, or you will not receive the benefits of FastConnect. If you plan to also set up private access to Oracle services through one of the VCNs, see the important routing details in Routing Details for Connections to Your On-Premises Network.
For more information, see Basic Network Diagrams.
General Setup Process
The setup process and instructions are in these topics, based on your particular FastConnect setup:
However, remember that:
- You set up a separate DRG for each VCN. A DRG can be attached to only a single VCN, and each VCN can be attached to only a single DRG.
- You set up a separate private virtual circuit for each DRG.
- For each private virtual circuit, you must specify a different VLAN and a different set of BGP IP addresses.
- When you configure your CPE, you can advertise the same on-premises routes to each VCN, or different ones, based on your own requirements.