Routing Details for Connections to Your On-Premises Network
You might use multiple site-to-site connections between your on-premises network and virtual cloud network (VCN) for redundancy or other reasons.
For example, you might use both FastConnect private peering and VPN Connect to the dynamic routing gateway (DRG) attached to your VCN. Or perhaps you use redundant VPN Connect connections to the DRG (for an example scenario, see Example Layout with Multiple Geographic Areas). Or perhaps you use FastConnect public peering, FastConnect private peering, and VPN Connect.
This topic covers important details about route advertisement and path preferences when you have multiple connections.
DRG Route Advertisements to Your On-Premises Network
FastConnect private peering and VPN Connect provide your on-premises network with private access to a VCN. Both types of connections terminate on a single DRG that is attached to the VCN. Remember that VPN Connect can use either Border Gateway Protocol (BGP) or static routing, or a combination. FastConnect always uses BGP for route advertisements.
The DRG advertises the routes for the individual subnets in the DRG's attached VCN. A DRG can be attached to only a single VCN, and a VCN can be attached to only a single DRG.
If you set up transit routing to multiple VCNs for your on-premises network, the DRG advertises other routes. Transit routing is an advanced routing scenario that involves a single FastConnect or VPN Connect and multiple peered VCNs in a hub-and-spoke layout. With transit routing, the DRG also advertises routes for the VCNs that are peered with the DRG's attached VCN (the hub).
If you set up your on-premises network with private access to Oracle services through the VCN's service gateway, the DRG advertises more routes. They are routes for the Oracle Services Network, which is available with the service gateway. For a list of those ranges, see Public IP Addresses for VCNs and the Oracle Services Network.
If you're using VPN Connect with static routing, and you've configured the VCN to give your on-premises network private access to Oracle services, you must configure your edge device with the routes for the Oracle Services Network public IP ranges that are advertised by the DRG over the private path (through the service gateway). For a list of those ranges, see Public IP Addresses for VCNs and the Oracle Services Network.
Routing Preferences for Traffic from Oracle to Your On-Premises Network
This section describes how Oracle chooses which path to use when sending traffic to your on-premises network. The traffic can be for responding to a request or initiating new connections.
Routers generally prefer to use the most specific route (the one with the longest prefix match).
However, if the routes for the different paths are the same, Oracle uses the shortest AS path when sending traffic to your on-premises network, regardless of which path was used to initiate the connection to Oracle. Therefore asymmetric routing is allowed. Asymmetric routing here means that Oracle's response to a request can follow a different path than the request. For example, depending on how your edge device (also called your customer-premises equipment, or CPE) is configured, you could send a request over VPN Connect, but the Oracle response could come back over FastConnect. If you want to force routing to be symmetric, Oracle recommends using BGP and AS path prepending with your routes to influence which path Oracle uses when responding to and initiating connections.
Oracle implements AS path prepending to establish preference on which path to use if your edge device advertises the same route and routing attributes over multiple different connection types between your on-premises network and VCN. The details are summarized in the following table. Unless you're influencing routing in some way, when the same route is advertised over multiple paths to the DRG at the Oracle end of the connections, Oracle prefers the paths in the following order:
| Oracle preference | Path | Details of how Oracle prefers the path | Resulting AS path for the route |
|---|---|---|---|
| 1 | FastConnect | Oracle prepends no ASNs to the routes that your edge device advertises, for a total AS path length of 1. | Your ASN |
| 2 | VPN Connect with BGP routing | Oracle prepends a single private ASN on all the routes that your edge device advertises over VPN Connect with BGP, for a total AS path length of 2. | Private ASN, Your ASN |
| 3 | VPN Connect with static routing | Oracle prepends 3 private ASNs on the static routes that you've provided (Oracle advertises those routes to the dynamic routing gateway (DRG) at the Oracle end of the IPSec VPN). This results in a total AS path length of 3. | Private ASN, Private ASN, Private ASN |
If you have two connections of the same type (for example, two IPSec VPNs that both use BGP), and you advertise the same routes across both connections, Oracle prefers the oldest continuously advertised route when responding to requests or initiating connections.
The table above assumes you are sending a single autonomous system number in your AS path. Oracle honors the complete AS path you send. If you use static routing, and also send an AS path that has "Your ASN" plus 2 or more other ASNs, it can cause unexpected behavior because Oracle's routing preference may change accordingly.
While static policy-based VPN routing behavior is documented above, Oracle also recommends that if you use FastConnect connections with VPN backup, you employ BGP on your IPSec route-based VPN. This strategy allows you to have full control of failover behavior.
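The selection order described in this section (longest prefix match, then shortest AS path after Oracle's prepending, then oldest route) can be modeled in a few lines of Python. This is an added example, not Oracle's code: the ASNs, prefixes, route ages and connection names are constructed, and applying the oldest-route tie-break across different connection types is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Private ASNs Oracle prepends per connection type (from the table above).
ORACLE_PREPENDS = {"fastconnect": 0, "vpn_bgp": 1, "vpn_static": 3}

@dataclass(frozen=True)
class Route:
    name: str                # label for the connection (constructed)
    conn_type: str           # key of ORACLE_PREPENDS
    prefix: str              # CIDR reachable over this connection
    customer_as_path: tuple  # ASNs sent by the edge device; () for static routes
    age_seconds: int         # time the route has been continuously advertised

    def as_path_len(self):
        return ORACLE_PREPENDS[self.conn_type] + len(self.customer_as_path)

def select_path(dest, routes):
    """Model of the DRG's choice for traffic to dest; None if no route matches."""
    addr = ip_address(dest)
    matches = [r for r in routes if addr in ip_network(r.prefix)]
    # Longest prefix first, then shortest AS path, then oldest route.
    # Using age to break ties across connection types is an assumption of this
    # model; the page states that rule only for connections of the same type.
    key = lambda r: (ip_network(r.prefix).prefixlen, -r.as_path_len(), r.age_seconds)
    return max(matches, key=key, default=None)

MY_ASN = 65010  # constructed private ASN standing in for "Your ASN"
FC = Route("fc", "fastconnect", "10.20.0.0/16", (MY_ASN,), 100)
VPN_A = Route("vpn-a", "vpn_bgp", "10.20.0.0/16", (MY_ASN,), 900)
VPN_B = Route("vpn-b", "vpn_bgp", "10.20.0.0/16", (MY_ASN,), 300)
STATIC = Route("vpn-static", "vpn_static", "10.20.0.0/16", (), 5000)

def scenarios():
    """Name of the chosen path in each constructed case."""
    vpn_specific = Route("vpn-a", "vpn_bgp", "10.20.5.0/24", (MY_ASN,), 10)
    fc_long = Route("fc", "fastconnect", "10.20.0.0/16", (MY_ASN, 65011, 65012, 65013), 100)
    vpn_a_prepended = Route("vpn-a", "vpn_bgp", "10.20.0.0/16", (MY_ASN, MY_ASN), 900)
    return {
        "same_route_all_types": select_path("10.20.1.1", [STATIC, VPN_A, FC]).name,
        "more_specific_on_vpn": select_path("10.20.5.9", [FC, vpn_specific]).name,
        "two_vpns_oldest_wins": select_path("10.20.1.1", [VPN_B, VPN_A]).name,
        "prepend_on_older_vpn": select_path("10.20.1.1", [vpn_a_prepended, VPN_B]).name,
        "long_as_path_on_fc": select_path("10.20.1.1", [fc_long, STATIC]).name,
        "no_route": select_path("192.0.2.1", [FC]),
    }

if __name__ == "__main__":
    for case, chosen in scenarios().items():
        print(f"{case}: {chosen}")
```

The `long_as_path_on_fc` case shows the caveat about longer customer AS paths: once the FastConnect route carries four ASNs, the statically routed VPN (length 3) becomes the preferred return path.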
Routing Preferences for Traffic from Your On-Premises Network to Oracle
You can configure your edge device to prefer a specific path when sending traffic from your on-premises network to Oracle. The following section describes a particular situation where you must do that to ensure a consistent traffic path if your on-premises hosts use Oracle services.
Your on-premises network can access public Oracle Services Network services such as Object Storage over multiple paths. You can use public paths, such as the internet or FastConnect public peering. With these public paths, the on-premises hosts communicate with Oracle services by using public IP addresses.
You can also set up your on-premises network with private access to Oracle services through the VCN's service gateway. A service gateway lets hosts in your on-premises network use any of the services listed in Service Gateway: Supported Cloud Services in Oracle Services Network and communicate with those Oracle services from your private IP addresses.
If you've configured your on-premises network with multiple connection paths to Oracle services, your edge device may receive route advertisement of the Oracle services' public IP address routes over multiple paths. Here are the possible paths you can use with your on-premises network:
- Public access paths:
  - Internet service provider (ISP)
  - FastConnect public peering
- Private access paths by way of the VCN's DRG and service gateway:
  - FastConnect private peering
  - VPN Connect
Your edge device receives route advertisements from the DRG and possibly from routers over public paths. Most of the routes for Oracle services that the DRG advertises have a longer prefix (they are more specific) than the routes for Oracle services that are advertised over the public access paths. Therefore, if you set up your network with both public access and private access to Oracle services, you must configure your edge device to prefer the private access path to the DRG for traffic from the on-premises network to Oracle services. Setting up both public and private access ensures a consistent path for access to Oracle services.
For a list of the public IP ranges advertised over FastConnect public peering, see FastConnect Public Peering Advertised Routes.
For a list of the regional public IP ranges advertised over the private paths (for a VCN with a service gateway), see Public IP Addresses for VCNs and the Oracle Services Network.