Network Visualizer

Overview

Your Oracle virtual network is composed of virtual cloud networks (VCNs), subnets, gateways, and other resources. These entities are related and connected through routing that is often complex. These resources can also have complex relationships with other Oracle Cloud Infrastructure (OCI) services. The ability to have a concise picture of these entities and their relationships is essential for understanding the design and operation of a virtual network.

The Network Visualizer provides a diagram of the implemented topology of all VCNs in a selected region and tenancy. This tool in the OCI Console can provide two levels of granularity:

  • Regional Network Topology: You can see a high-level layout and routing topology of your entire virtual network configuration within a region. This topology includes DRGs, VCNs, CPEs, and various types of gateway.
  • Virtual Cloud Network Topology: You can see the organization of a single VCN including its subnets and routing configuration. This topology includes subnets, VLANs, and gateways to other resources.
  • Subnet Topology: You can see resource information about the instances, load balancers, FSS, and OKE clusters in the subnet.

Required Permissions

You will need to set the following policy to have access to Network Visualizer.

Allow group <your_admin_group> to READ all-resources in tenancy

Network Visualizer does not belong to the virtual-network-family and does not belong to a specific group that would allow a more granular permission.
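
Because the only policy that grants access is a tenancy-wide READ, it helps to know which subjects already hold that scope. The following is an added example, not Oracle's code: it parses policy statement text and lists subjects granted all-resources at tenancy level. The statements in SAMPLE_POLICY are constructed, and the parser handles only the common "Allow ... to ... in ..." form.

```python
import re

# OCI policy verbs, least to most privileged.
VERBS = ["inspect", "read", "use", "manage"]

# Common statement form: Allow <subject> to <verb> <resource-type> in <location> [where <condition>]
STATEMENT = re.compile(
    r"^\s*allow\s+(?P<subject>any-user|(?:dynamic-group|group)\s+(?P<names>.+?))"
    r"\s+to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+.+?)"
    r"(?:\s+where\s+(?P<condition>.+))?\s*$",
    re.IGNORECASE,
)

def parse_statement(text):
    """Parse one Allow statement into a dict; return None if it is not recognised."""
    m = STATEMENT.match(text)
    if not m or m.group("verb").lower() not in VERBS:
        return None
    names = m.group("names")
    return {
        "subjects": [n.strip() for n in names.split(",")] if names else ["any-user"],
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "location": m.group("location"),
        "condition": m.group("condition"),
    }

def tenancy_wide_grants(statements, min_verb="read"):
    """Return (findings, unparsed). Each finding is (subject, verb, has_condition)
    for an all-resources grant at tenancy scope with at least min_verb."""
    floor = VERBS.index(min_verb)
    findings, unparsed = [], []
    for text in statements:
        st = parse_statement(text)
        if st is None:
            unparsed.append(text)  # review by hand rather than silently skipping
            continue
        if (st["resource"] == "all-resources"
                and st["location"].lower() == "tenancy"
                and VERBS.index(st["verb"]) >= floor):
            for subject in st["subjects"]:
                findings.append((subject, st["verb"], st["condition"] is not None))
    return findings, unparsed

# Constructed sample statements; group and compartment names are hypothetical.
SAMPLE_POLICY = [
    "Allow group NetworkAdmins to READ all-resources in tenancy",
    "Allow group NetOps, Auditors to manage virtual-network-family in compartment Prod",
    "Allow group Helpdesk to inspect all-resources in tenancy",
    "Allow group Contractors to read all-resources in tenancy where request.region = 'phx'",
    "Allow dynamic-group Scanners to use all-resources in compartment Prod:Net",
    "Define tenancy Partner as ocid1.tenancy.oc1..exampleplaceholder",
]
```

Statements returned in the unparsed list are not evaluated and should be reviewed manually.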

Working with Regional Network Topologies

The Network Visualizer tool diagram helps you view a high-level structure of your network configuration and facilitates quick navigation between its core components. It provides a view of all resources in a given combination of region and compartment.

You can view and understand the following from this diagram:

  • How VCNs are inter-connected
  • How on-premises networks are connected (using FastConnect or Site-to-Site VPN)
  • Which routing entities (DRGs and so on) control traffic routing
  • How your transit routing is configured

When you open a diagram for a compartment, it shows resources for all compartments nested underneath. You are also able to filter out objects from the compartments that you don't want to see.

You can see cross-region connections between network resources and you can also quickly change regions in the console and see the VCNs in another region.

The Regional Map view uses the following symbols and conventions:

External resources: External devices like a CPE are shown on the left side of the canvas, which is shaded and separated by a dashed line.

  • Customer-Premises Equipment (CPE)

Oracle cloud resources: Oracle cloud resources are shown in the main area of the canvas.

  • Virtual Private Network (IPSec) connection
  • Dynamic Routing Gateway (DRG)
  • Connection
  • Link
  • FastConnect connection
  • Virtual Cloud Network (VCN)
  • Remote Peering Connection (RPC)
  • NAT Gateway (NAT)
  • Service Gateway (SGW)
  • Internet gateway (IGW)
  • Local Peering Gateway (LPG)
  • Oracle region
  • Resource outside the region or compartment (details are not visible)

Working with VCN Topologies

The VCN topology routing diagram helps visualize the networking components that are part of the selected VCN up to the subnet level. This allows you to focus on cross-AD deployment, routing and network security configurations. VCNs can also be viewed in Security mode, which shows how security lists and network security groups (NSGs) relate to other virtual network resources. When you view a VCN in one of these modes you can easily switch to the other mode.

You can view and understand the following from this diagram and the accompanying information panel:

  • Which subnets and VLANs belong to the VCN
  • How subnets and VLANs are organized across availability domains
  • How security lists are applied within the VCN
  • How NSGs are applied within the VCN
  • Whether subnets in a VCN are public or private
  • How subnets and VLANs are organized across compartments
  • Which gateways (RPG, LPG, NGW, SGW, IGW) are part of the VCN
  • Which routes are defined between subnets and gateways

The Virtual Network Map uses the following symbols and conventions:

Regional resources: Resources that are not internal to the VCN but are routable from the VCN are shown on the left side of the canvas, which is shaded and separated by a dashed line.

  • DRG
  • Other directly connected VCNs

VCN resources: VCN resources like subnets and VLANs are shown in the main area of the canvas. Gateways connecting the VCN to other resources in the region are shown on the dashed line defining the border of the VCN.

  • Link
  • LPG
  • SGW
  • IGW
  • Public Subnet (S)
  • Private Subnet (S)
  • VLAN (V)
  • VPN

Note: Load balancers and compute instances in a subnet are not shown in this view. That level of detail is shown in the subnet maps.

Working With Subnet Maps

The main VCN topology diagram helps visualize the networking components that are part of the selected VCN up to subnet level, but no further. For each subnet in the VCN, you can access a Subnet resource map that examines resources inside the subnet in either Inventory or Security mode. When you view a subnet map in one of these modes you can easily switch to the other map mode.

The Subnet Inventory map lists resources in the subnet such as network load balancers, load balancers, and compute instances. A resource summary and additional details are available for each of these resources.

The Subnet Security map also lists the resources in the subnet, but this mode allows you to click a resource and see which security lists and network security groups are associated with that resource.

You can view and understand the following from these diagrams and the accompanying information panel:

  • What compute instances and VLANs belong to the subnet
  • How security lists are applied to compute instances and load balancers within the subnet
  • How network security groups are applied to VNICs associated to compute instances
  • Whether instances in a subnet have public or private VNICs
  • How network security groups and security lists are organized across compartments

The Subnet Inventory map and Subnet Security map use the following additional symbols and conventions:

  • Public Network Load Balancer (NLB)
  • Private Network Load Balancer (NLB)
  • Public Load Balancer (LB)
  • Private Load Balancer (LB)
  • Mount Target (MT)
  • Kubernetes Cluster (OKE)
  • Compute instance (I)
  • Security list (SL): SLs are shown to the left of the resource list while in Security mode.
  • Network security groups (NSG): NSGs are shown to the right of the resource list while in Security mode.

Using the Console

View the Network Topology regional map

  1. In the Console, confirm you're viewing the region and compartment that you want to see represented in a diagram.
  2. Open the navigation menu, click Networking, and then click Network Visualizer, found in the Network Command Center group.

    Wait briefly for the network map to generate.

  3. If you need to change compartment, click CHANGE COMPARTMENT and select a different compartment.
  4. If you want to see resources in all compartments nested within the selected compartment, click INCLUDE CHILD COMPARTMENTS.
  5. Elements in the control bar include, from left to right:
    • Map: Displays the currently selected region.
    • To find a resource by name, enter the name in the search window. When a match is found and selected, the view will zoom in to that resource.
    • Refresh: Updates the view in the main map window. The view is refreshed every three minutes, but if a change was made since the last refresh you can choose to manually trigger a refresh of the diagram.
    • Export Map Data: Exports a zip file containing a high resolution .png map of the resources in the current region and compartment, and a .pdf file containing a lower resolution version of the map plus resource data (such as route tables). This PDF only includes the resource information for the elements seen in the map at the time of export.
    • Filter: Allows you to turn on and off the filters used in the current view.
    • Legend: Displays the symbols used in the map and their meaning.

    Resources in your external on-premises network are shown on the left side of the canvas and are separated from elements in the Oracle Cloud by a dashed line.

    The zoom controls are in the lower right corner of the diagram canvas, and you can click the canvas and hold as you move to pan up, down, left, or right. You can also double-click to zoom in.

    You can dynamically rearrange resources on the map by dragging them. Be aware these changes are temporary and do not persist if the map is refreshed.

    Routes that are enabled between resources are shown on the lines connecting the resources. Routes can be one way, but are most often two-way connections.

    Some resources are displayed with both a name and an associated CIDR block. When more than one CIDR block is associated with a resource, a +1 or +2 is added as appropriate (up to +99). The additional CIDR blocks are listed in the details screen for the resource.

    Any connected elements that you do not have the needed permissions to view are shown with a tag icon indicating that details are not visible. Only the OCID is visible for that resource.

  6. Click any resource on the map (the resource changes color to indicate the selection) to view basic information for that item in the right-hand column. The details presented vary depending on the component you selected.

    For some components, you can also click Open Additional Details to open a details screen for that component. These details are read-only summaries of the basic components for that resource. Links to that resource's details page are provided in case you want to make edits.

    You can click the link icon on a line connecting a DRG v2 and another resource. This selects the associated DRG attachment, and you can observe its properties in the details screen. When you select the DRG attachment, the routes within the DRG between the selected DRG attachment and other DRG attachments are shown. These routes are determined by the routing table associated with the DRG attachment. If you click one of these internal connections, any additional CIDR blocks are listed in the details screen for the connection. This capability is only available for connections that involve a DRG v2.

View the Virtual Cloud Network map

While viewing a regional map:

  1. Click a VCN.
  2. Click the Go to VCN Map button in the Resource Information panel.

    Wait briefly for the network map to generate.

  3. If you need to change compartment, click CHANGE COMPARTMENT and select a different compartment.
  4. Click any subnet resource on the map, and in the resource summary click either View VCN routing map or View VCN security map. While viewing one of these map modes, you can easily switch to the other map mode.
  5. If you want to see resources in all compartments nested within the selected compartment, click INCLUDE CHILD COMPARTMENTS.
  6. Elements in the control bar include, from left to right:
    • Map: Displays the currently selected region.
    • To find a resource by name, enter the name in the search window. When a match is found and selected, the view will zoom in to that resource.
    • Export Map Data: Exports a zip file containing a high resolution .png map of the resources in the current region and compartment, and a .pdf file containing a lower resolution version of the map plus resource data (such as route tables). This PDF only includes the resource information for the elements seen in the map at the time of export.
    • Refresh: Updates the view in the main map window. The view is refreshed every three minutes, but if a change was made since the last refresh you can choose to manually trigger a refresh of the diagram.
    • Filter: Allows you to turn on and off the filters used in the current view.
    • Legend: Displays the symbols used in the map and their meaning.

    Routable resources in the region but not within the specified VCN are shown on the left side of the canvas, separated with a dashed line from the resources (like subnets and VLANs) inside the chosen VCN. Gateways and DRG attachments are placed on this dashed line, and you can drag them on the line to make the relationships clearer. Resources that are not routable from the VCN are not shown.

    The zoom controls are in the lower right corner of the diagram canvas, and you can click the canvas and hold as you move to pan up, down, left, or right. You can also double-click to zoom in.

    Some resources are displayed with both a name and an associated CIDR block. When more than one CIDR block is associated with a resource, a +1 or +2 is added as appropriate (up to +4). The additional CIDR blocks are listed in the details screen for the resource.

    Any connected elements that you do not have the needed permissions to view are shown with a tag icon indicating that details are not visible. Only the OCID is visible for that resource.

  7. Click any resource on the map (the resource changes color to indicate the selection) to view basic information for that item in the right-hand column. The details presented vary depending on the component you selected.

    For some components, you can also click Open Additional Details to open a details screen for that component. These details are read-only summaries of the basic components for that resource. Links to that resource's details page are provided in case you want to make edits.

    You can Enable Routing Information for subnets and VLANs, which maintains the display of the routing information for connections to and from the resource. Using this control you can display as many or as few routes as you choose.

You can navigate back to the Network Topology regional map by clicking on the name of the region in the control bar, or by selecting one of the connected VCNs and clicking Go to Region Map in the resource information.

View the Subnet maps

The subnet view provides resource information about the instances, load balancers, FSS, and OKE clusters in a subnet. Whether you want an overview of the resources in the subnet or details about a specific resource, this view supports both. Searching by name, IP address, or OCID is a handy way to find a resource and reach its resource page in a single click.

While viewing a regional map:

  1. Click a VCN.
  2. Click the Go to VCN Map button in the Resource Information panel.

    Wait briefly for the network map to generate.

  3. If you need to change compartment, click CHANGE COMPARTMENT and select a different compartment.
  4. If you want to see resources in all compartments nested within the selected compartment, click INCLUDE CHILD COMPARTMENTS.
  5. Click any subnet resource on the map, and in the resource summary click either View subnet inventory map or View subnet security map. While viewing one of these map modes, you can easily switch to the other map mode.

    For all resources, you can click Open Additional Details to open a details screen for that resource. These details are read-only summaries of the basic components for that resource. Links to that resource's details page are provided in case you want to make edits.

    You can Enable Routing Information for subnets and VLANs, which maintains the display of the routing information for connections to and from the resource. Using this control you can display as many or as few routes as you choose.

  6. Elements in the control bar include, from left to right:
    • Map: Displays the currently selected region.
    • To find a resource by name, enter the name in the search window. When a match is found and selected, the view will zoom in to that resource.
    • Export Map Data: Exports a zip file containing a high resolution .png map of the resources in the current region and compartment, and a .pdf file containing a lower resolution version of the map plus resource data (such as route tables). This PDF only includes resource information for elements seen in the map at the time of export.
    • Refresh: Updates the view in the main map window. The view is refreshed every three minutes, but if a change was made since the last refresh you can choose to manually trigger a refresh of the diagram.
    • Filter: Allows you to turn on and off the filters used in the current view.
    • Legend: Displays the symbols used in the map and their meaning.

You can navigate back to the Network Topology regional map by clicking on the name of the region in the control bar, or by selecting one of the connected VCNs and clicking Go to Region Map in the resource information.

Using the API