Oracle Cloud Infrastructure Documentation

Overview of VCNs and Subnets

This topic describes how to manage virtual cloud networks  (VCNs) and the subnets in them. This topic uses the terms virtual cloud network, VCN, and cloud network interchangeably. The Console uses the term Virtual Cloud Network, whereas for brevity the API uses VCN.

A VCN is a software-defined network that you set up in the Oracle Cloud Infrastructure data centers in a particular region . A subnet is a subdivision of a VCN. For an overview of VCNs, allowed size, default VCN components, and scenarios for using a VCN, see Networking Overview.

A VCN can have multiple non-overlapping IPv4 CIDR blocks that you can change after you create the VCN. Regardless of the number of CIDR blocks, the max number of private IPs you can create within the VCN is 64,000. A VCN can optionally be enabled for IPv6 and Oracle will allocate a /56 prefix. You can also can import a BYOIP IPv6 prefix and assign it to an existing VCN or create a new VCN with a BYOIP or ULA IPv6 prefix.

You can privately connect a VCN to another VCN so that the traffic does not traverse the internet. The CIDRs for the two VCNs must not overlap. For more information, see Access to Other VCNs: Peering. For an example of an advanced routing scenario that involves the peering of multiple VCNs, see Transit Routing inside a hub VCN.

Each subnet in a VCN consists of a contiguous range of IPv4 addresses and optionally IPv6 addresses that do not overlap with other subnets in the VCN. Example: 172.16.1.0/24. With IPv4 addresses as well as IPv6 addresses, the first two addresses and the last in the subnet's CIDR are reserved by the Networking service. You can change the size of the subnet after creation. IPv6-enabled subnets will always be /64.

Subnets act as a unit of configuration: all instances in a given subnet use the same route table, security lists, and DHCP options. For more information, see Default Components that Come With Your VCN.

Subnets can be either public or private (see Public vs. Private Subnets). The choice of public or private happens during subnet creation, and you can't change it later.

You can think of each compute instance as residing in a subnet. But to be precise, each instance is attached to a virtual network interface card (VNIC), which in turn resides in the subnet and enables a network connection for that instance.

IPv6 addressing is supported for all commercial and government regions. For more information, see IPv6 Addresses.

About Regional Subnets

Originally subnets were designed to cover only one availability domain (AD) in a region. They were all AD-specific, which means the subnet's resources were required to reside in a particular availability domain. Now subnets can be either AD-specific or regional. You choose the type when you create the subnet. Both types of subnets can co-exist in the same VCN. In the following diagram, subnets 1-3 are AD-specific, and subnet 4 is regional.

This image shows a VCN with a regional subnet and three AD-specific subnets.

Aside from the removal of the AD constraint, regional subnets behave the same as AD-specific subnets. Oracle recommends using regional subnets because they're more flexible. They make it easier to efficiently divide your VCN into subnets while also designing for availability domain failure.

When you create a resource such as a compute instance, you choose which availability domain the resource will be in. From a virtual networking standpoint, you must also choose which VCN and subnet the instance will be in. You can either choose a regional subnet, or choose an AD-specific subnet that matches the AD you chose for the instance.

Caution

If anyone in your organization implements a regional subnet, be aware that you may need to update any client code that works with Networking service subnets and private IPs. There are possible breaking API changes. For more information, see the regional subnet release note.
VCN and Subnet Limits
Resource Scope Oracle Universal Credits Pay As You Go or Trial
VCN Region 50 10
Subnets VCN 300 300
IPv4 CIDRs VCN 5 5
IPv6 Prefixes VCN 5 5
IPv4 CIDRs Subnet 1 1
IPv6 Prefixes Subnet 3* 3*
Oracle allocated IPv6 prefix Subnet 1 1
* Limit for this resource can be increased to a maximum of five.

Working with VCNs and Subnets

One of the first things you do when working with Oracle Cloud Infrastructure resources is create a VCN with one or more subnets. You can easily get started in the Console with a simple VCN and some related resources that enable you to launch and connect to an instance. See Tutorial - Launching Your First Linux Instance or Tutorial - Launching Your First Windows Instance.

For the purposes of access control, when you create a VCN or subnet, you must specify the compartment where you want the resource to reside. Consult an administrator in your organization if you're not sure which compartment to use.

You may optionally assign descriptive names to the VCN and its subnets. The names don't have to be unique, and you can change them later. Oracle automatically assigns each resource a unique identifier called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.

You can also add a DNS label for the VCN and each subnet, which are required if you want the instances to use the Internet and VCN Resolver feature for DNS in the VCN. For more information, see DNS in Your Virtual Cloud Network.

When you create a subnet, you may optionally specify a route table for the subnet to use. If you don't, the subnet uses the cloud network's default route table. You can change which route table the subnet uses at any time.

Also, you may optionally specify one or more security lists for the subnet to use (up to five). If you don't specify any, the subnet uses the cloud network's default security list. You can change which security list the subnet uses at any time. Remember that the security rules are enforced at the instance level, even though the list is associated at the subnet level. Network security groups are an alternative to security lists and let you apply a set of security rules to a set of resources that all have the same security posture, instead of all the resources in a particular subnet.

You may optionally specify a set of DHCP options for the subnet to use. All instances in the subnet receive the configuration specified in that set of DHCP options. If you don't specify a set, the subnet uses the cloud network's default set of DHCP options. You can change which set of DHCP options the subnet uses at any time.

To delete a subnet, it must contain no resources (no instances, load balancer, OCI database systems, and orphaned mount targets). For more details, see Subnet or VCN Deletion.

To delete a VCN, its subnets must contain no resources. Also, the VCN must have no attached gateways. If you're using the Console, there's a "Delete All" process you can use after first ensuring the subnets are empty. See To delete a VCN.

See Service Limits for a list of applicable limits and instructions for requesting a service limit increase.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy  by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment  to work in.

For administrators: see IAM Policies for Networking.

Security Zones

Security Zones ensure that your cloud resources comply with Oracle security principles. If any operation on a resource in a security zone compartment violates a policy for that security zone, then the operation is denied.

The following security zone policies affect your ability to manage VCNs and subnets:

  • Subnets in a security zone can't be public. All subnets must be private.
  • You can't move a subnet from a security zone to a standard compartment.

Using the Console

To create a VCN
Note

The following procedure creates a VCN without any subnets or gateways for access. You must manually create the subnets and other resources before you can use the VCN. For a quick procedure that creates a VCN that you can try out immediately (that is, with subnets and an internet gateway), see the information about the "VCN with Internet Connectivity" wizard in Virtual Networking Quickstart. Or see Scenario A: Public Subnet.

  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Choose a compartment you have permission to work in (on the left side of the page). The page updates to display only the resources in that compartment. If you're not sure which compartment to use, contact an administrator. For more information, see Access Control.
    Note

    To create any new resource the service limit for that resource must not already have been reached. Once the service limit for a resource type has been reached, you can either remove unused resources of that type or request a service limit increase.
  3. Click Create Virtual Cloud Network.
  4. Enter the following:
    • Name: A descriptive name for the VCN. It doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
    • Create in Compartment: Leave as is.
    • IPv4 CIDR Blocks: Up to five but at least one non-overlapping IPv4 CIDR blocks for the VCN. For example: 172.16.0.0/16. You can add or remove CIDR blocks later. See Allowed VCN Size and Address Ranges. For reference, here's a CIDR calculator.
    • Use DNS Hostnames in this VCN: Required for assignment of DNS hostnames to hosts in the VCN, and required if you plan to use the VCN's default DNS feature (called the Internet and VCN Resolver). If the check box is selected, you can specify a DNS label for the VCN, or allow the Console to generate one for you. The dialog box automatically displays the corresponding DNS Domain Name for the VCN (<VCN DNS label>.oraclevcn.com). For more information, see DNS in Your Virtual Cloud Network.
    • IPv6 prefixes: You can request that a single Oracle-allocated IPv6 /56 prefix is assigned to this VCN. Alternately, you can assign a BYOIPv6 prefix or ULA prefix to the VCN. This option is available for all commercial and government regions. For more information on IPv6, see IPv6 Addresses.
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

  5. Click Create Virtual Cloud Network.

    The VCN is then created and displayed on the Virtual Cloud Networks page in the compartment you chose.

Next you'll typically want to create one or more subnets in the cloud network.

To create a subnet
  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Click Create Subnet.

  4. In the Create Subnet dialog box, you specify the resources to associate with the subnet (for example, a route table). By default, the subnet is created in the current compartment, and you choose the resources from the same compartment. Click the click here link in the dialog box if you want to enable compartment selection for the subnet and each of those resources.

    Enter the following:

    • Create in Compartment: If you've enabled compartment selection, specify the compartment where you want to put the subnet.
    • Name: A friendly name for the subnet. It doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
    • Regional or AD-specific subnet: Oracle recommends creating only regional subnets, which means that the subnet can contain resources in any of the region's availability domains. If you instead choose Availability Domain-Specific (the only type of subnet that Oracle originally offered), you must also specify an availability domain. This choice means that any instances or other resources later created in this subnet must also be in that availability domain.
    • IPv4 CIDR Block: A single, contiguous CIDR block for the subnet (for example, 172.16.0.0/24). Ensure that it's within the cloud network's CIDR block and doesn't overlap with any other subnets. You can change the size of this CIDR block later. See Allowed VCN Size and Address Ranges. For reference, here's a CIDR calculator.
    • IPv6 Prefixes: You can request an Oracle-allocated IPv6 /64 prefix, or enter BYOIPv6 or ULA prefixes. You can have a maximum of three IPv6 prefixes in a subnet. Once you have assigned an IPv6 prefix to a VCN, it must always have at least one IPv6 prefix assigned to it. This option is available for VCNs in all commercial and government regions, provided the VCN is already enabled for IPv6. For more information, see IPv6 Addresses.
    • Route Table: The route table to associate with the subnet. If you've enabled compartment selection, under Route Table Compartment, you must specify the compartment that contains the route table.
    • Private or public subnet: This controls whether VNICs in the subnet can have public IP addresses. For more information, see Access to the Internet.
    • Use DNS Hostnames in this Subnet: This option is available only if you provided a DNS label for the VCN during creation. The option is required for assignment of DNS hostnames to hosts in the subnet, and also when you plan to use the VCN's default DNS feature (called the Internet and VCN Resolver). If the check box is selected, you can specify a DNS label for the subnet, or let the Console generate one for you. The dialog box automatically displays the corresponding DNS Domain Name for the subnet (<subnet_DNS_label>.<VCN_DNS_label>.oraclevcn.com). For more information, see DNS in Your Virtual Cloud Network.
    • DHCP Options: The set of DHCP options to associate with the subnet. If you've enabled compartment selection, under DHCP Options Compartment, you must specify the compartment that contains the set of DHCP options.
    • Security Lists: One or more security lists to associate with the subnet. If you've enabled compartment selection, you must specify the compartment that contains the security list.
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
  5. Click Create. The subnet is then created and displayed on the Subnets page in the compartment you chose.
To edit a subnet

You can change these characteristics of a subnet:

  • Name
  • Size of the CIDR block
    Note

    • The CIDR block IP range you specify must be completely within one of the VCN's CIDR block ranges.
    • The new range must use the same network address as the previous range. For example, the previous and new ranges could be 10.0.0.0/25 and 10.0.0.0/24.
    • If you are reducing the CIDR range, ensure that no IP addresses outside of the reduced range are in use.
    • The new CIDR range's broadcast address (last IP address of CIDR range) must not be an IP address in use in the previous CIDR range.
    • You cannot create VNICs or private IPs for this subnet while a CIDR block update is in progress.
    • After the CIDR block update is complete, the DHCP lease for each host within the subnet must be renewed. Renewal happens automatically within 24 hours. To renew the lease immediately, refer to the applicable operating system documentation for guidance on how to renew the lease manually.
    • Ensure that you adjust your secondary VNICs and secondary IPs as applicable to match your updated VCN configuration.
    • Once you have assigned an IPv6 prefix to a VCN, it must always have at least one IPv6 prefix assigned to it.
  • Which set of DHCP options the subnet uses
  • Which route table the subnet uses
  • Which security lists the subnet uses
  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Click Subnets.
  4. Click the subnet you're interested in.
  5. Click Edit.
  6. Make your changes. Avoid entering confidential information.

  7. Click Save Changes.

    The changes take effect within a few seconds.

To delete a subnet

Prerequisite: The subnet must have no instances, load balancer, OCI database systems, and orphaned mount targets in it. For more information, see Subnet or VCN Deletion.

  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Click Subnets.
  4. Click the subnet you're interested in.
  5. Click Terminate.
  6. Confirm when prompted.

If the subnet is empty, its state changes to TERMINATING briefly and then TERMINATED. If the subnet is not empty, you get an error indicating that there are still instances or other resources in it that you must delete first.

To add an IPv4 CIDR block or IPv6 prefix to a VCN

Be aware of the following limitations:

  • The IPv4 CIDR block or IPv6 prefix you add must not overlap with any other address range in the VCN or in a peered VCN.
  • The new IPv4 CIDR block or IPv6 prefix must not include an IP address used in an existing route rule.
  • You cannot create or update the VCN's subnets, VLANs, LPGs, or route tables while this VCN update is in progress.
  • You cannot edit IPv6 prefixes after they are assigned to the VCN.
  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Click CIDR Blocks/Prefixes.
  4. Click Add CIDR Block/IPv6 Prefix.
  5. Enter the value of the CIDR block you want to add to the VCN.

    You can indicate you want an Oracle-allocated IPv6 prefix, specify a ULA, or select a BYOIPv6 prefix you have already imported. For BYOIPv6, you can also subdivide the prefix here, if you're only assigning a portion of the imported prefix to the VCN.

  6. Click Add CIDR Block.

    The VCN's state changes to UPDATING. The time to completion can take a few minutes. You can view work requests to monitor the status of the update.

To change a VCN CIDR block
  • The CIDR block range you specify must not overlap with any other CIDR block in this VCN or in a peered VCN.
  • You cannot change the CIDR block to a range that excludes an IP address in use in the current CIDR block range.
  • You cannot create or update the VCN's subnets, VLANs, LPGs, or route tables while this VCN update is in progress.
  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Click CIDR Blocks.
  4. Find the CIDR block in the list, click the Actions menu, and then click Edit CIDR Block.
  5. Make the applicable change.

  6. Click Save Changes.

    The VCN's state changes to UPDATING. The time to completion can vary depending on the size of your network. Updating a small network could take about a minute, and updating a large network could take up to an hour. You can view work requests to monitor the status of the update.

To remove an IPv4 CIDR block or IPv6 prefix from a VCN

Be aware of the following restrictions:

  • You cannot remove an IPv4 CIDR block if an IP address in that range is in use.
  • You cannot create or update the VCN's subnets, VLANs, LPGs, or route tables while this VCN update is in progress.
  • Once you have assigned an IPv6 prefix to a VCN, it must always have at least one IPv6 prefix assigned to it.
  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Click CIDR Blocks.
  4. Find the CIDR block in the list, click the Actions menu, and then click Remove CIDR Block.

  5. Click Remove CIDR Block.

    The VCN's state changes to UPDATING. The time to completion can vary depending on the size of your network. Updating a small network could take about a minute, and updating a large network could take up to an hour. You can view work requests to monitor the status of the update.

To delete a VCN
Important

The Console has an easy "Delete all" process that scans the chosen compartments then deletes a VCN and its related Networking resources (subnets, route tables, security lists, sets of DHCP options, internet gateway, and so on). If the VCN is attached to a dynamic routing gateway (DRG), the process deletes the attachment, but the DRG remains.

The "Delete All" process deletes one resource at a time. A VCN with many compartments and resources takes longer to delete than a VCN with only a few. A progress report displays to show the results of both the scan for resources and the deletion of those resources.

Before using the "Delete All" process, verify that no resources such as compute instances, load balancers, OCI database systems, or orphaned mount targets are present in any of the subnets. If any of these are present, the deletion process stalls when trying to delete the resource's subnet. Deleted VCN resources are irretrievable. For more information, see Subnet or VCN Deletion.

If any subnet still contains resources, or if you don't have permission to delete a particular Networking resource, the "Delete All" process stops and returns an error message that includes the OCIDs of the blocking resources and subnets, which link to the details page for that resource. In some cases, you might need to contact your tenancy administrator to help you delete any remaining resources if you don't have the needed permissions.

  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Click the name of the VCN that you want to delete.

  3. Click Delete.

    In the Delete Virtual Cloud Network dialog box, you can select from the following options:

    • Search compartments for resources associated with this VCN: (Optional) When you select this option the process scans for active resources in the VCN. If the process finds any active resources (subnets and route tables, for example) it deletes them if possible, then deletes the VCN. If the process finds a VNIC on a compute instance, a load balancer, a database system, or a mount target, manually delete those resources and then restart the process. Oracle recommends leaving this option selected unless you’re certain the VCN and its subnets are already empty. If you select this option, you can also choose which compartments to search:
      • All (number) compartments: This option searches all compartments in the same region as this VCN for resources associated with the VCN.
      • Specific compartments: This option lets you choose specific compartments and searches only the chosen compartments for resources associated with the VCN.

      Searching more compartments takes more time, but is more thorough and has a smaller chance of failure.

  4. Click Scan.

    The scan begins. Progress is displayed in the completion bar when the process identifies associated resources. The scan lists associated VCN resource types like subnets, DRG attachments, internet or NAT gateways, and so on. The process deletes associated resources in the order shown.

  5. Click Delete All to delete associated resources in the order listed.

    If you don't have the needed permissions to delete an associated resource or an error occurs, the deletion process stops. Deleted VCN resources are irretrievable. Resolve the error and restart the process to delete the VCN.

    If a subnet still contains compute instances, load balancers, and so on, deleting the subnet fails. The resulting error message displays the OCID of the subnet and the blocking item in that subnet. Click on the OCID to go to the details page for that item and either delete it or move it to a subnet in a different VCN.

  6. Click Close when the deletion of the VCN and all associated resources finishes.

If the VCN is empty, its state changes to TERMINATING and then TERMINATED temporarily until the VCN is completely removed. Once a deleted VCN is completely removed it no longer appears in a list of VCNs in your tenancy.

To manage tags for a VCN
  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Click the Tags tab to view or edit the existing tags. Or click Apply tag(s) to add new ones.

For more information, see Resource Tags.

To manage tags for a subnet
  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Click the subnet you're interested in.
  4. Click the Tags tab to view or edit the existing tags. Or click Apply tag(s) to add new ones.

For more information, see Resource Tags.

To move a VCN to a different compartment

You can move a VCN from one compartment to another. When you move a VCN, its associated VNICs, private IPs, and ephemeral IPs move with it to the new compartment. For more information, see To move a resource to a different compartment.

  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Find the VCN in the list, click the Actions menu, and then click Move Resource.
  3. Choose the destination compartment from the list.
  4. Click Move Resource.
  5. If there are alarms monitoring the VCN, update the alarms to reference the new compartment. See Updating an Alarm After Moving a Resource for more information.
To move a subnet to a different compartment

You can move a subnet from one compartment to another. For more information, see Working with Compartments.

  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Find the subnet in the list, click the Actions menu, and then click Move Resource.
  4. Choose the destination compartment from the list.
  5. Click Move Resource.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

To manage your VCNs, use these operations:

To manage a VCN's subnets, use these operations: