Virtual Private Networks (VPN)

IPSec VPN is the quickest way to connect an on-premises network to Oracle Cloud privately. It uses the public internet as the transport mechanism and encrypts data to secure it as it crosses the internet.

Bandwidth

IPSec VPN is routed across the public internet, and, as a result, the total bandwidth available is subject to the limits provided by your Internet Service Provider (ISP). Bandwidth can often be variable and prone to network congestion.

Whatever the available bandwidth is, it must accommodate the traffic between on-premises hosts and Oracle Cloud-based hosts. It is therefore often a good idea to migrate highly dependent components with significant data traffic at the same time (e.g. database and application). This will substantially reduce bandwidth requirements as well as data egress charges.

Latency

The routing of packets across the public internet is often unpredictable and highly variable. This can lead to increased latency between on-premises components and cloud-based components.

Therefore, consider migrating dependent components and applications together where response times are sensitive, or the data volume or the interaction frequency is high.

Resilience

In its most straightforward configuration, an Oracle Cloud IPSec connection results in the allocation of a public IP address for each of two tunnel endpoints. Both endpoints are located in a single region and are attached to a Dynamic Routing Gateway (DRG). Having two endpoints delivers resilience and redundancy should either of the tunnels fail.

Although both endpoints are attached to a single DRG, Oracle have engineered the DRG service to be fully resilient with built-in redundancy.

Dual endpoints attached to the DRG provide redundancy within Oracle Cloud. However, a single Customer Premise Device (CPE) and a single Internet Service Provider (ISP) each constitute a single point of failure.

Tip:

We recommend deploying a second CPE, ideally in a different geography, but certainly with a power supply and LAN switches separate from those of the first. This ensures that the two CPEs do not share a common point of failure.

We further recommend that you connect each CPE to the internet via a different ISP. This provides diversity in internet routing and protection from ISP failure.

As in the first configuration, each IPSec connection (primary and secondary) results in two tunnels and the provisioning of two public IP addresses/endpoints. Therefore, there are now 4 VPN tunnels.
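The check below is an added example, not Oracle code: it audits a CPE inventory against the recommendations in the tip above and counts the resulting tunnels. The `Cpe` field names, the severity labels and the sample inventories are assumptions made up for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

TUNNELS_PER_CONNECTION = 2  # the page: each IPSec connection yields two tunnels

@dataclass(frozen=True)
class Cpe:
    # Field names are assumptions made for this example.
    name: str
    site: str
    isp: str
    power_supply: str
    lan_switch: str

# Failure domains named in the tip. A shared site is only advisory
# ("ideally in a different geography"); the rest should always differ.
DOMAINS = {"site": "advisory", "isp": "required",
           "power_supply": "required", "lan_switch": "required"}

def audit(cpes):
    """Return (tunnel_count, findings), assuming one IPSec connection per CPE."""
    findings = []
    if len(cpes) < 2:
        findings.append(("required", "single CPE and ISP: single points of failure"))
    for a, b in combinations(cpes, 2):
        for domain, severity in DOMAINS.items():
            if getattr(a, domain) == getattr(b, domain):
                findings.append((severity,
                    f"{a.name} and {b.name} share {domain} '{getattr(a, domain)}'"))
    return len(cpes) * TUNNELS_PER_CONNECTION, findings

# Constructed sample inventories (not real sites or providers).
SINGLE = [Cpe("cpe-1", "site-a", "isp-x", "feed-1", "sw-1")]
WEAK_PAIR = SINGLE + [Cpe("cpe-2", "site-a", "isp-x", "feed-2", "sw-2")]
DIVERSE_PAIR = SINGLE + [Cpe("cpe-2", "site-b", "isp-y", "feed-2", "sw-2")]

if __name__ == "__main__":
    for label, inv in (("single", SINGLE), ("weak pair", WEAK_PAIR),
                       ("diverse pair", DIVERSE_PAIR)):
        tunnels, findings = audit(inv)
        print(f"{label}: {tunnels} tunnels, {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The weak pair still reports 4 tunnels, which shows that tunnel count alone does not demonstrate resilience when both CPEs sit behind the same ISP.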