VCN and Subnets

Before you set up a bare metal or virtual machine DB system, you must set up a virtual cloud network (VCN) and other Networking service components.

To launch a DB system, you must have:

  • A VCN in the region where you want the DB system
  • At least one subnet in the VCN (either a public subnet or a private subnet)

In general, Oracle recommends using regional subnets, which span all availability domains in the region. For a bare metal or virtual machine DB system, either a regional subnet or AD-specific subnet works. For more information, see Overview of VCNs and Subnets.

You will create a custom route table. You will also create security rules to control traffic to and from the DB system's compute notes. More information follows about that.

Certain details of the VCN and subnet configuration depend on your choice for DNS resolution within the VCN. For more information, see DNS for the DB System.

Option 1: Public Subnet with Internet Gateway

This option can be useful when doing a proof-of-concept or development work. You can use this setup in production if you want to use an internet gateway with the VCN, or if you have services that run only on a public network and need access to the database. See the following diagram and description.

This image shows the network setup with a public subnet.

You set up:

Note

See this known issue for information about configuring route rules with service gateway as the target on route tables associated with public subnets.

Option 2: Private Subnet

Oracle recommends this option for a production system. The subnet is private and cannot be reached from the internet. See the following diagram and description.

This image shows the network setup with a private subnet.

You set up:

  • Private Subnet.
  • Gateways for the VCN:

  • Route Table: A custom route table for the subnet, with these rules:

    • A route for the on-premises network's CIDR, and target = DRG.
    • A rule for the service CIDR label called All region Services in Oracle Services Network, and target = the service gateway. See Overview of Service Gateways.
    • If you want to access the Oracle YUM repos through the NAT gateway, add a route rule for the regional YUM repo's public IP address, and target = the NAT gateway. See Public IP Addresses for the Oracle YUM Repos. If you just use the next rule only, the traffic to the YUM repo would still be routed to the service gateway, because the service gateway route is more specific than 0.0.0.0/0.
    • A rule for 0.0.0.0/0, and target = NAT gateway.
  • Security rules to enable the desired traffic to and from the DB system nodes. See Security Rules and Security Rules for the DB System.

Requirements for IP Address Space

If you are setting up DB systems (and thus VCNs) in more than one region, make sure the IP address space of the VCNs does not overlap.

The subnet you create for a bare metal or virtual machine DB system cannot overlap with 192.168.16.16/28, which is used by the Oracle Clusterware private interconnect on the database instance.

The following table lists the minimum required subnet size.

Tip:

The Networking service reserves three IP addresses in each subnet. Allocating a larger space for the subnet than the minimum required (for example, at least /25 instead of /28) can reduce the relative impact of those reserved addresses on the subnet's available space. For more information, see IP Addresses Reserved for Use by Oracle.

DB System Type # Required IP Addresses Minimum Subnet Size
1-node bare metal or virtual machine

1 + 3 reserved in subnet = 4

/30 (4 IP addresses)
2-node RAC virtual machine (2 addresses * 2 nodes) + 3 for SCANs + 3 reserved in subnet = 10 /28 (16 IP addresses)

VCN Creation Wizard: Not for Production

The Networking section of the Console includes a wizard that creates a VCN along with related resources. It can be useful if you just want to try launching an instance. However, the wizard automatically creates a public subnet and an internet gateway. You may not want this for your production network, so Oracle recommends you create the VCN and other resources individually yourself instead of using the wizard. For more information on the wizard, see Virtual Networking Quickstart.