FastConnect Overview

Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options, and a more reliable and consistent networking experience compared to internet-based connections.

Uses for FastConnect

With FastConnect, you can choose to use private peering, public peering, or both.
  • Private peering: To extend your existing infrastructure into a virtual cloud network (VCN) in Oracle Cloud Infrastructure (for example, to implement a hybrid cloud, or a lift and shift scenario). Communication across the connection is with IPv4 private addresses (typically RFC 1918).
  • Public peering: To access public services in Oracle Cloud Infrastructure without using the internet. For example, Object Storage, the Oracle Cloud Infrastructure Console and APIs, or public load balancers in your VCN. Communication across the connection is with IPv4 public IP addresses. Without FastConnect, the traffic destined for public IP addresses would be routed over the internet. With FastConnect, that traffic goes over your private physical connection. For a list of the services available with public peering, see FastConnect Supported Cloud Services. For a list of the public IP address ranges (routes) that Oracle advertises, see FastConnect Public Peering Advertised Routes.

In general it's assumed you'll use private peering, and you might also use public peering. Most of this documentation is relevant to both, with specific details called out for private versus public.

If you choose to have multiple paths from your on-premises network to Oracle, see Routing Details for Connections to Your On-Premises Network.

IPv6 addressing is supported for all commercial and government regions. For more information, see IPv6 Addresses.

Note

It is possible to connect two VCNs in different regions using FastConnect colocation, with inter-region traffic using that link rather than the Oracle backbone. A Layer 3 device is required to implement this, even for a layer 2 connection. Details of this use case are not available, but are similar to Connecting Oracle Cloud Infrastructure to Amazon VPC with Megaport Cloud Router or Connecting Oracle Cloud Infrastructure to Google Cloud Platform with Equinix Network Edge Cloud Router.

How and Where to Connect

With FastConnect, there are different connectivity models to choose from.

Oracle Partners

Third-Party Provider

Colocation with Oracle in an Oracle Cloud Infrastructure FastConnect Location

The following table summarizes several important requirements for each connectivity model.

Requirement With Oracle Partner With Third-Party Provider Colocation with Oracle
Routing requirements Yes Yes Yes
BGP support Yes Yes Yes
Layer 3 support Recommended Recommended Recommended
Obtain a Letter of Authority (LOA) from Oracle N/A Yes Yes
Network connectivity Yes Yes N/A
Cross-connect Yes (from the partner) Yes Yes
Redundant network connectivity Recommended Recommended Recommended
Cloud connectivity solution architecture support Recommended Recommended Recommended
FastConnect SKU Yes Yes Yes
Oracle Cloud Infrastructure Console user login (IAM policy unique setup) Yes Yes Yes
Tenancy established Yes Yes Yes

Concepts

Here are some important concepts to understand (also see the following diagrams):

FastConnect
The general concept of a connection between your existing network and Oracle Cloud Infrastructure over a private physical network instead of the internet.
FastConnect location
A specific Oracle data center where you can connect to Oracle Cloud Infrastructure.
METRO AREA
A geographical area (for example, Ashburn) with multiple FastConnect locations. All locations in a metro area connect to the same set of availability domains for resiliency if there is failure in a single location.
ORACLE PARTNER
A network service provider that has integrated with Oracle in a FastConnect location. See the list of the Oracle partners in How and Where to Connect. If your provider is in the list, see FastConnect: With an Oracle Partner.
THIRD-PARTY PROVIDER
A network service provider that is NOT on the list of Oracle partners in How and Where to Connect. If you have a third-party provider and want to use FastConnect, see FastConnect: With a Third-Party Provider.
COLOCATION
The situation where your equipment is deployed into a FastConnect location. If your network service provider is not on the list of Oracle partners in How and Where to Connect, you must colocate.
CROSS-CONNECT
In a colocation or third-party provider scenario, this is the physical cable connecting your existing network to Oracle in the FastConnect location.
CROSS-CONNECT GROUP
In a colocation or third-party provider scenario, this is a link aggregation group (LAG) that contains at least one cross-connect. You can add more cross-connects to a cross-connect group as your bandwidth needs increase. This is applicable only for colocation.
VIRTUAL CLOUD NETWORK (VCN)
Your virtual network in Oracle Cloud Infrastructure. You can use a VCN to extend your infrastructure into the cloud. For more information, see VCNs and Subnets.
DYNAMIC ROUTING GATEWAY (DRG)
A virtual edge router attached to your VCN. Necessary for private peering. The DRG is a single point of entry for private traffic coming in to your VCN, whether it's over FastConnect or a Site-to-Site VPN link. After creating the DRG, you must attach it to your VCN and add a route for the DRG in the VCN's route table to enable traffic flow. Instructions for everything are included in the sections that follow.
VIRTUAL CIRCUIT
An isolated network path that runs over one or more physical network connections to provide a single, logical connection between the edge of your existing network and Oracle Cloud Infrastructure. Private virtual circuits support private peering, and public virtual circuits support public peering (see Uses for FastConnect). Each virtual circuit is made up of information shared between you and Oracle (and also a partner if you're connecting through an Oracle partner). You could have multiple private virtual circuits, for example, to isolate traffic from different parts of your organization (one virtual circuit for 10.0.1.0/24; another for 172.16.0.0/16), or to provide redundancy.

MACsec Encryption

FastConnect can be configured to use MACsec (IEEE standard 802.1AE) to protect network-to-network connections on Layer 2. When MACsec is enabled you choose an advanced encryption standard (AES) encryption algorithm, two security keys are exchanged and verified between two connected networks, and then a secure bi-directional link is established. The Oracle Cloud Infrastructure Vault service securely stores the actual encryption keys.

Using MACsec has the following requirements:

  • Your customer premises equipment (CPE) device must also support MACsec.
  • The FastConnect virtual circuit or LAG speed must be 10 Gbps or greater.
  • Not all esisting cross-connect or cross-connect group can support MACsec. To upgrade an existing cross-connect or cross-connect group, the details page for the cross-connect or cross-connect group has a MACsec Encryption field that could be set to either Capable or Incapable. The connection must be capable of using MACsec. If the cross-connect or cross-connect group is Incapable of using MACsec, you will need to re-provision before configuring MACsec.
  • Not all third-party providers can support MACsec on the type of circuit they provide. Please check with your provider to verify that the type of conectivity you purchase supports MACsec.

FastConnect with MACsec integrates with the Vault service. Here is an overview of the steps that are required to fully configure FastConnect with MACsec.

  1. Create a Vault.
  2. Create a master encryption key in Vault.
  3. Create two secrets to represent the Connectivity Association Key (CAK) and Connectivity association Key Name (CKN) in your Vault. The CAK and CKN must be hexadecimal strings with a length of 32–64 characters.
  4. Configure MACsec in a Third-party provider or colocation cross-connect using the CKN and CAK secrets created for the FastConnect circuit.
  5. Give your on-premises network administrator the original CAK and CKN keys to use when configuring the customer premises equipment device.
  6. Activate the cross-connects for the third-party provider or colocation virtual circuit.

If you decide to add MACsec encryption to an existing FastConnect cross-connect, remember that changing the encryption settings requires restarting the BGP session which briefly suspends BGP traffic.

MACsec Parameters

When configuring MACsec on your CPE, refer to the below table for various required parameters.

Parameter Possible Values Description
CAK 32-64 hexadecimal characters Minimum of 32 hexadecimal characters (0-9, A-F).
Cipher Suites

aes128-gcm-xpn

aes256-gcm-xpn

Configure your CPE to match the cipher suite configured in OCI.
CKN 32-64 hexadecimal characters Minimum of 32 hexadecimal characters (0-9, A-F).
Confidentiality Offset 0 The OCI side is always set to 0, meaning the whole frame will be encrypted. If required as part of your CPE configuration, configure to match the OCI side.
Interface

Single physical interface

link aggregation group (LAG)

MACsec for FastConnect supports configuration of MACsec on either a single FastConnect connection or a LAG. Likewise this needs to be configured on your CPE.
Key-server 1 or higher Use any value higher than 0 on your CPE. The OCI FastConnect edge device is configured to always use 0.
MKA Include SCI include SCI Configure your CPE to include SCI (Secure Channel Identifier) tag. Include SCI is configured on the OCI side.
MKA Policy Option must-secure This specifies that all traffic sent on the MACsec-enabled network segment must be secured by MACsec prior to being sent. Match this configuration option on your CPE.
SAK Rekey time 3600 seconds (1 hour) CPE configuration must match the OCI SAK rekey time of 1 hour.

MACsec Hitless Key Rollover

When you're ready to rotate your keys, MACsec for FastConnect supports hitless key rollover. To ensure no loss in communication when rotating keys, always update both the CKN and CAK at the same time. Change the CKN and CAK pair on the OCI side of the FastConnect link first, and then update your CPE.

Perform the following tasks in the order described. Doing these steps out of order might result in a temporary disruption in communication.

Task 1: Update the CKN and CAK pair
  1. Open the navigation menu, click Identity & Security, and then click Vault.
  2. Choose a compartment you have permission to work in (on the left side of the page). The page updates to display only the resources in that compartment. If you're not sure which compartment to use, contact an administrator. For more information, see Access Control.
  3. Click the name of the Vault that includes your CKN and CAK secrets.
  4. Under Resources, click Secrets.
  5. Click the name of the secret which represents your CKN.
  6. Click Create Secret Version.
  7. Under Secret Contents, enter the new value for your CKN.
  8. Click Create Secret Version.

Repeat these steps to also change the value of your CAK secret.

When performing hitless key rollover, always update both the CKN and CAK.

Task 2: Update your cross-connect to use the latest CKN and CAK secret versions
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click FastConnect.

  2. Click the name of the FastConnect which uses the Vault secrets modified in Task 1. You see the cross-connect representing your FastConnect.
  3. Click Edit.
  4. Under Connectivity Association Key Name (CKN) click the check box for Use current version in Vault: <number> where <number> matches the latest secret version of your CKN secret in the Vault.
  5. Under Connectivity Association Key (CAK) click the check box for Use current version in Vault: <number> where <number> matches the latest secret version of your CAK secret in the Vault.
  6. After both CKN and CAK versions are updated, click Save Changes.
  7. A new pop-up appears to confirm changes. Click Confirm.

After the cross-connect has been updated to use the new CKN and CAK values, you have a 1-hour rekey period to update the CKN and CAK on your CPE before the session drops.

Task 3: Update the CKN and CAK pair on your CPE

After the cross-connect has been updated to use the new CKN and CAK values, you have a 1-hour rekey period to update the CKN and CAK on your CPE before the session drops. Refer to the appropriate documentation for your device.

Basic Network Diagrams

The diagrams in this section introduce the basic logical and physical connections involved in FastConnect. Details specific to private versus public peering are called out.

General Concept of FastConnect

The following diagram illustrates the two ways to connect to Oracle with FastConnect: either through colocation with Oracle in the FastConnect location, or through an Oracle partner. In both cases, the connection goes between the edge of your existing network and Oracle.

This image shows the general concept of FastConnect between your network and Oracle

Physical Connection

The next two diagrams give more detail about the physical connections. They also show the metro area that contains the FastConnect location, and a VCN within an Oracle Cloud Infrastructure region.

The first diagram shows the colocation scenario, with your physical connection to Oracle within the FastConnect location.

This image shows the colocation scenario with basic physical connection details

The next diagram shows a scenario with either an Oracle partner or third-party provider. It shows your physical connection to the provider, and the provider's physical connection to Oracle within the FastConnect location.

This image shows the provider scenario with basic physical connection details

Logical Connection: Private Virtual Circuit

The next two diagrams show a private virtual circuit, which is a single, logical connection between your edge and Oracle Cloud Infrastructure by way of your DRG. Traffic is destined for private IP addresses in your VCN.

The first diagram shows the colocation scenario.

This image shows colocation scenario with the virtual circuit

The next diagram shows the scenario with either an Oracle partner or third-party provider.

This image shows the provider scenario with the virtual circuit

Logical Connection: Public Virtual Circuit

A public virtual circuit gives your existing network access to Oracle services in Oracle Cloud Infrastructure. For example, Object Storage, the Oracle Cloud Infrastructure Console and APIs, and public load balancers in your VCN. All communication across a public virtual circuit uses public IP addresses. For a list of services available with FastConnect public peering, see FastConnect Supported Cloud Services. For a list of the public IP address ranges (routes) that Oracle advertises, see FastConnect Public Peering Advertised Routes. You can select the way this access is structured using Route Filtering.

The first diagram shows the colocation scenario with both a private virtual circuit and a public virtual circuit. Notice that the DRG is not involved with the public virtual circuit, only the private virtual circuit.

This image shows colocation scenario with a public virtual circuit

The next diagram shows the scenario with either an Oracle partner or third-party provider.

This image shows the provider scenario with a public virtual circuit

Here are a few basics to know about public virtual circuits:

  • You choose which of your organization's public IP prefixes you want to use with the virtual circuit. All prefix sizes are allowed. Oracle verifies your organization's ownership of each prefix before sending any traffic for it across the connection. Oracle's verification for a given prefix can take up to three business days. You can get the status of the verification of each prefix in the Oracle Console or API. Oracle begins advertising the Oracle Cloud Infrastructure public IP addresses across the connection only after successfully verifying at least one of your public prefixes.
  • Configure your firewall rules to allow traffic coming from the Oracle public IP addresses.
  • Your existing network can receive advertisements for Oracle's public IP addresses through multiple paths (for example: FastConnect and your internet service provider). Make sure to give FastConnect higher preference than your ISP. You must configure your edge appropriately so that traffic uses your desired path to receive the benefits of FastConnect. This is particularly important if you decide to also set up your existing network with private access to Oracle services. For important information about path preferences, see Routing Details for Connections to Your On-Premises Network.
  • You can add or remove public IP prefixes at any time by editing the virtual circuit. If you add a prefix, Oracle first verifies your company's ownership before advertising it across the connection. If you remove a prefix, Oracle stops advertising the prefix within a few minutes of your editing the virtual circuit.
  • You should consider FastConnect public peering as an untrusted interface, and put in place firewalls and other access controls just like you would for any network interface connected to the Internet. See Security considerations for FastConnect public peering for more information.

Oracle Partner Scenario: BGP Session to Either Oracle or the Oracle Partner

This section is applicable if you're using FastConnect through an Oracle partner. A Border Gateway Protocol (BGP) session is established from your edge, but where it goes depends on which Oracle partner you use.

Tip

For simplicity, the following diagrams show only a private virtual circuit. However, the location of the BGP session is the same for a public virtual circuit.

To Oracle: With some of the Oracle partners, the BGP session goes from your edge to Oracle, as shown in the following diagram. When setting up the virtual circuit with Oracle, you are asked to provide basic BGP peering information (see General Requirements).

This image shows the BGP session between the customer's edge router and Oracle

To the Oracle partner: With other Oracle partners, your BGP session goes from your edge to the partner's, as shown in the following diagram. When setting up the virtual circuit with Oracle, you are NOT asked for any BGP session information. Instead, you share BGP information with your Oracle partner. Notice that there's a separate BGP session that the partner establishes with Oracle.

This image shows the BGP session between the customer's edge router and the provider

To use FastConnect if you do not own a Public ASN or Public IP Address

If you use a Public ASN or Public IP Address loaned or leased from a third-party source, your third-party source must provide a Letter of Authorization (LOA) on your behalf before Oracle can allow the completion of FastConnect configuration.

The following additional steps are required to obtain approval when configuring public peering virtual connections:

  1. Obtain an LOA from the third-party source that authorizes the Customer to use the Public ASN and or Public IP address. The LOA must contain:

    • Customer Name approved to the use the Public IP Address and Public ASN
    • The range of the Public IP Addresses and or the Public ASN must be explicitly listed
    • The third-party source who owns the Public IP Addresses and or the Public ASN
    • Third-party source authorization authority signatory
    • Contact email, phone number and address of third-party source
    • Your enterprise's contact email and phone number
    • Date of authorization and validity
  2. Using the Console, open a service request on the tenancy and region where you wish to use the third-party provided Public ASN and Public IP Address.
  3. Attach the LOA to the service request.

Once the service request is opened and the LOA is approved, Oracle will authorize the use of the Public ASN and or Public IP Address.

FastConnect with Access to Multiple VCNs

You can use a single FastConnect to access multiple VCNs. Different network scenarios are available depending on your needs and which FastConnect connectivity model you use. For more information, see these topics:

  • Transit Routing inside a hub VCN: This scenario can be used with either FastConnect or Site-to-Site VPN. It involves a single DRG, and multiple VCNs in a hub-and-spoke layout.
  • FastConnect with Multiple DRGs and VCNs: This scenario can be used only with FastConnect, and only if you're using a third-party provider or colocated with Oracle. It involves multiple DRGs and private virtual circuits.