Scenario B – Private Subnet
This scenario describes a setup consisting of a VCN and a private subnet on Private Cloud Appliance.
For connectivity to your on-premises network, the VCN needs a dynamic routing gateway (DRG).
The subnet uses the default security list, which has default rules that are designed to simplify getting started. The rules enable typically required access; for example, inbound SSH connections and any type of outbound connection. Remember that security list rules only allow traffic; there are no deny rules. Any traffic not explicitly covered by a security list rule is implicitly denied. In this scenario, you add more rules to the default security list. You could instead create a custom security list for those rules and set up the subnet to use both the default security list and the custom security list.
The subnet uses the default route table, which contains no rules when the VCN is created. In this scenario, the table has only a single rule: to route traffic intended for all destinations (0.0.0.0/0) through the DRG.
To set up this networking scenario, you perform the following steps:
- Create the VCN.
  Choose a compartment you have permission to work in. Specify one or more non-overlapping CIDR blocks for the VCN; for example: 172.16.0.0/16. Optionally, enable DNS and specify a DNS label for the VCN.
- Create the private subnet.
  Specify a single, contiguous CIDR block within the VCN CIDR block; for example: 172.16.10.0/24. Make the subnet private, so that instances created in it cannot be assigned a public IP address. Select the default route table. If you enabled DNS at the VCN level, you can choose to assign host names in the subnet and specify a subnet DNS label as well.
- Update the default security list.
  You set up the subnet to use the VCN default security list. Now you add security list rules that allow the types of connections that the instances in the subnet will need.
  For example, if your subnet contains Microsoft Windows instances and you intend to access them using RDP, add an ingress rule to the default security list using these parameters:
  - Source Type: CIDR
  - Source CIDR: 0.0.0.0/0
  - IP Protocol: TCP
  - Source Port Range: All
  - Destination Port Range: 3389
  Because the subnet is private and this scenario has no other gateway, the only path into it is through the DRG, so a source of 0.0.0.0/0 admits any address that your on-premises network can route to the VCN. Where you can, narrow the Source CIDR to the on-premises ranges that actually need RDP access.
- Create a dynamic routing gateway (DRG) and attach it to your VCN.
  When you create the DRG, it is in the "Provisioning" state for a short period. Ensure that provisioning is done before continuing. Next, attach the DRG you just created to your VCN. For this scenario, you can ignore the advanced attachment options. The DRG attachment is in the "Attaching" state for a short period before it is ready.
  To allow traffic to flow to the DRG, you must add a route rule.
- Update the default route table to use the DRG.
  The default route table starts out with no rules. No route rule is required to route traffic within the VCN itself. You must add a rule that routes traffic destined for addresses in your on-premises network to the DRG. In this scenario the rule uses 0.0.0.0/0 as its destination, so it also sends any other non-intra-VCN traffic to the DRG; if you prefer, use your on-premises CIDR block(s) as the destination instead. Enter these parameters:
  - Target Type: Dynamic Routing Gateway.
    The DRG attached to the VCN is automatically selected as the target.
  - Destination CIDR block: 0.0.0.0/0
    This means that all non-intra-VCN traffic that is not already matched by a more specific rule in the route table goes to the target specified in this rule.
  Because the subnet was set up to use the default route table, the DRG now enables traffic between the resources in the subnet and your on-premises network.
- Create instances.
  Your next step is to create one or more instances in the subnet. Each instance automatically gets a private IP address. With the network setup in this scenario, no additional configuration in the VCN is required to access the instances from your on-premises network; the on-premises side must still route the VCN CIDR toward its DRG connection, and the security list must allow the protocols you use.
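The steps above can be checked and assembled before anything is created on the appliance. The following script is an added example, not Oracle's code: it verifies the CIDR layout the scenario depends on (VCN CIDRs that do not overlap, a subnet CIDR inside the VCN), builds the RDP ingress rule and the DRG route rule in the JSON field shapes the OCI API uses for ingress security rules and route rules (source/sourceType/protocol/tcpOptions and destination/destinationType/networkEntityId), and flags the over-broad 0.0.0.0/0 source discussed in the security list step. The DRG OCID and the on-premises range 10.0.0.0/8 are constructed placeholders.

```python
"""Plan and sanity-check the Scenario B objects before touching the appliance.

Added example, not Oracle's code. Checks the CIDR math the steps rely on,
emits the JSON bodies for the security list and route table updates, and
warns when the RDP source is wider than the on-premises ranges.
"""
import ipaddress
import json

TCP = "6"  # security rules carry the IANA protocol number as a string


def cidr_problems(vcn_cidrs, subnet_cidr):
    """Return a list of CIDR-layout problems; an empty list means the layout is sound."""
    problems = []
    vcns = [ipaddress.ip_network(c, strict=True) for c in vcn_cidrs]
    for i, a in enumerate(vcns):
        for b in vcns[i + 1:]:
            if a.overlaps(b):
                problems.append(f"VCN CIDRs overlap: {a} and {b}")
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if not any(subnet.subnet_of(v) for v in vcns):
        problems.append(f"subnet {subnet} is not inside any VCN CIDR")
    return problems


def ingress_tcp_rule(source_cidr, dst_port, stateless=False):
    """Stateful ingress rule for one TCP port; omitting sourcePortRange means 'All'."""
    ipaddress.ip_network(source_cidr, strict=True)  # reject malformed input early
    return {
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "protocol": TCP,
        "isStateless": stateless,
        "tcpOptions": {"destinationPortRange": {"min": dst_port, "max": dst_port}},
    }


def drg_route_rule(drg_ocid, destination="0.0.0.0/0"):
    """Route rule sending `destination` to the DRG attached to the VCN."""
    ipaddress.ip_network(destination, strict=True)
    return {
        "destination": destination,
        "destinationType": "CIDR_BLOCK",
        "networkEntityId": drg_ocid,
    }


def broad_source_warnings(rules, onprem_cidrs):
    """Flag ingress rules whose source is wider than the on-premises ranges.

    In this scenario the DRG is the only way into the private subnet, so a
    0.0.0.0/0 source means 'anything on-premises can route to the VCN'.
    """
    onprem = [ipaddress.ip_network(c, strict=True) for c in onprem_cidrs]
    warnings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"])
        if not any(src.subnet_of(n) for n in onprem):
            port = rule["tcpOptions"]["destinationPortRange"]["min"]
            warnings.append(f"tcp/{port} open from {src}; narrow to {onprem_cidrs}")
    return warnings


def plan_scenario_b(vcn_cidrs, subnet_cidr, onprem_cidrs, drg_ocid, rdp_source="0.0.0.0/0"):
    """Assemble the check results and the two update payloads in one place."""
    rdp = ingress_tcp_rule(rdp_source, 3389)
    return {
        "problems": cidr_problems(vcn_cidrs, subnet_cidr),
        "warnings": broad_source_warnings([rdp], onprem_cidrs),
        "ingress_security_rules": [rdp],
        "route_rules": [drg_route_rule(drg_ocid)],
    }


if __name__ == "__main__":
    # Constructed inputs matching the scenario; the OCID is a placeholder.
    plan = plan_scenario_b(
        vcn_cidrs=["172.16.0.0/16"],
        subnet_cidr="172.16.10.0/24",
        onprem_cidrs=["10.0.0.0/8"],
        drg_ocid="ocid1.drg.example.placeholder",
    )
    print(json.dumps(plan, indent=2))
```

Run it with your own VCN, subnet and on-premises ranges; an empty `problems` list and an empty `warnings` list is the state you want before creating the objects. The `ingress_security_rules` and `route_rules` values are the JSON bodies to pass to the security list and route table update commands, after replacing the placeholder OCID with the OCID of the DRG you attached.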