10 Connect Your On-Premises Network to Your Oracle Cloud Infrastructure Network

After you migrate to the new Oracle Cloud Infrastructure network, you can connect your on-premises data center to your Oracle Cloud Infrastructure network. This connection is important if you run workloads across your on-premises and cloud-based infrastructure or if for any other reason you need to extend your network to include your on-premises as well as your cloud-based resources.

You can use any of the following options to establish a connection from your on-premises data center to your existing Oracle Cloud Infrastructure Compute Classic resources:

| Connection Option | Description | Oracle Cloud Infrastructure Compute Classic Documentation Topics |
| --- | --- | --- |
| VPN access using Corente Services Gateway | Use this solution when you use Oracle Cloud Infrastructure Compute Classic shared networks. Corente is an Oracle-provided IPSec solution. Corente Services Gateway acts as a proxy to facilitate secure access and data transfer to your instances. All VPN connections to your multitenant Oracle Cloud Infrastructure Compute Classic site use a Corente Services Gateway instance in the cloud. | Connecting to Instances in a Multitenant Site Using VPN |
| VPN as a Service (VPNaaS) | Use this VPN approach when you use Oracle Cloud Infrastructure Compute Classic IP networks. | Setting Up a VPN Connection Using VPNaaS |
| FastConnect Classic | FastConnect Classic allows you to access Oracle Cloud services using a direct connection from your on-premises data centers. | Connecting to Instances Using FastConnect |

Oracle Cloud Infrastructure provides both VPN and FastConnect options for connecting your on-premises data center to the Oracle Cloud Infrastructure network.

After you migrate your resources to your Oracle Cloud Infrastructure environment, either reconfigure your existing FastConnect or IPSec VPN connection to point to the new Oracle Cloud Infrastructure network, or create a new FastConnect or IPSec VPN connection to Oracle Cloud Infrastructure so that you can run both connections in parallel.

About Migrating from FastConnect Classic to Oracle Cloud Infrastructure FastConnect

This document provides instructions for migrating FastConnect Classic users to Oracle Cloud Infrastructure FastConnect.

In most cases, it's recommended that you keep your existing FastConnect Classic links established during the migration of your data between Oracle Cloud Infrastructure Compute Classic and Oracle Cloud Infrastructure data centers. You can leverage your FastConnect Classic public peering session to access public endpoints from both data centers during this period. Depending on your workload and your migration strategy, you can benefit from FastConnect Classic public peering global prefix advertisements.

If you need to migrate your FastConnect Classic link to a different geographical location or facility, then you must carefully plan for the migration in consultation with your FastConnect Classic provider, network service provider, and data center providers, to anticipate any potential delays or service interruptions.

Note:

Migrating to a different location can have cost and performance impacts. Evaluate these changes with your network service provider prior to choosing a target location.

Before You Begin

Before you begin migrating Oracle Cloud Infrastructure FastConnect Classic, identify the following information:

  • The location where Oracle Cloud Infrastructure FastConnect Classic has been provisioned.
  • The connectivity model.
  • Your FastConnect provider.
  • The subscribed bandwidth.
  • The peering types enabled.
  • The target region that you want to migrate to.

For details about the connectivity models, providers, peering types, or other information, see https://cloud.oracle.com/en_US/fastconnect. For information about Oracle Cloud Infrastructure regions, see About Regions and Availability Domains in Oracle Cloud Infrastructure documentation.

To find the required information, check the initial order that you placed for Oracle Cloud Infrastructure FastConnect Classic or refer to the Excel file that was created in the activation phase of the service. You may have received this information in an email from saas_provisioning@custhelp.com. If you can't find this information, contact your Oracle Cloud representative.

Options for Migrating FastConnect Classic

The migration process varies depending on your location, connectivity models, and partners. This document describes the migration process for the following scenarios:

  • Migration process for standard/colocation edition:
    • If your FastConnect Classic location is Slough and your target Oracle Cloud Infrastructure region is London
    • For any other source and target regions
  • Migration process for partner/provider edition:
    • If your FastConnect Classic location is Slough or Amsterdam
    • If your FastConnect Classic location is Ashburn and your target Oracle Cloud Infrastructure region is also Ashburn
    • For any other source and target regions, where your current provider operates in the target region
    • For any other source and target regions, where your current provider doesn't operate in the target region

Migrate FastConnect Classic Standard or Colocation Edition

With FastConnect Classic standard or colocation edition, you manage your own equipment hosted in a FastConnect Classic location. A network service provider operates the link between your on-premises location and the FastConnect Classic location.

If your FastConnect Classic location is Slough and your target Oracle Cloud Infrastructure region is London, then when you are ready to start the migration, perform the following steps:
  1. In your Oracle Cloud Infrastructure tenancy, use the Console to create a new cross-connect and get the LOA.
  2. Submit a change request to your data center provider (Equinix) to update the existing cross-connect with the information provided in the new LOA.
  3. When the cross-connect is updated, use the Oracle Cloud Infrastructure Console to create a new virtual circuit.
  4. Finalize the BGP peering session configuration on your equipment.

For all other source or target locations, perform the following steps:
  1. Identify a data center provider for your target Oracle Cloud Infrastructure region. For a list of providers, see https://cloud.oracle.com/en_US/fastconnect/emea-providers
  2. Provide the data center provider's address to your network service provider. Plan with your network service provider for establishing the new link.
  3. Rent space and ship your equipment to the target location provided by the data center provider.
  4. In your Oracle Cloud Infrastructure tenancy, use the Console to create a new cross-connect and get the LOA.
  5. Submit a cross-connect request to your data center provider and provide them the new LOA.
  6. When the cross-connect is updated, use the Oracle Cloud Infrastructure Console to create a new virtual circuit.
  7. Finalize the BGP peering session configuration on your equipment.

Migrate FastConnect Classic Partner or Provider Edition

With FastConnect Classic provider or partner edition, you rely on FastConnect Classic service providers to establish and maintain end-to-end connectivity between your on-premises location and your FastConnect Classic location.

Complete these steps in the following scenarios:
  • If your FastConnect Classic location is Slough or Amsterdam
  • If your FastConnect Classic location is Ashburn and your target Oracle Cloud Infrastructure region is also Ashburn
  • For any source and target regions, if your current FastConnect provider operates in the target region

In these scenarios, to perform the migration, complete the following steps:
  1. In your Oracle Cloud Infrastructure tenancy, use the Console to create a new virtual circuit and get the OCID of the new circuit.
  2. Submit a change request to your FastConnect provider to update the existing virtual circuit with the new circuit OCID and location.
  3. When the circuit is updated, finalize the BGP peering session configuration with your FastConnect provider.

For a list of FastConnect provider locations, see https://cloud.oracle.com/en_US/fastconnect/providers.

If your current FastConnect provider doesn't operate in the target region, then you must subscribe to another FastConnect provider. Perform the following steps:
  1. Follow the standard procedure to provision a new FastConnect circuit with a new FastConnect Provider in the target region. For information about setting up FastConnect on Oracle Cloud Infrastructure, see FastConnect: With an Oracle Provider in Oracle Cloud Infrastructure documentation.
  2. When the new circuit is provisioned, terminate your contract with your existing FastConnect provider.

About Migrating Your IPSec VPN Connection

If you use an IPSec VPN connection to connect to instances in your Oracle Cloud Infrastructure Compute Classic account, then you can set up an IPSec VPN connection to the VCN in your Oracle Cloud Infrastructure tenancy as well.

Before You Begin

Before you begin migrating the IPSec VPN connection, ensure that you have completed the following tasks.

  • Identify whether the on-premises router is a route-based or policy-based device.
  • Identify whether the on-premises device is placed behind a NAT device.
  • Ensure that you have set up an IPSec VPN connection in your Oracle Cloud Infrastructure VCN. The IPSec connection contains multiple IPSec tunnels for redundancy. For each IPSec tunnel, collect the following information:
    • The IP address of the Oracle IPSec tunnel endpoint (the VPN headend)
    • The pre-shared key (PSK)

Configure the Customer-Premises Equipment

After setting up the IPSec VPN connection in Oracle Cloud Infrastructure, configure the customer-premises equipment (CPE) in your on-premises environment.

The required configuration depends on the type of the on-premises router. See Configuring Your CPE in Oracle Cloud Infrastructure documentation.

Meet the following additional configuration requirements when peering the Oracle Cloud Infrastructure DRG with a policy-based device in your on-premises environment. Further requirements apply if the on-premises device is placed behind a NAT device.

  1. If you are using a policy-based device in your on-premises environment, apply the following additional configuration to your on-premises device:
    1. Create a single SPI with a single destination IP address. Oracle recommends using a single SPI with the following values:
      • Source IP address: Any (0.0.0.0/0)
      • Destination IP address: VCN CIDR (example: 10.120.0.0/20)
      • Protocol: IPv4
    2. Make sure the single SPI matches any traffic that needs to go from your on-premises network across the IPSec tunnel to the VCN. The VCN CIDR must not overlap with your on-premises network.
    3. Ensure that the on-premises device is always the initiator of the tunnel. The only exception to this requirement is when you create the single SPI with both Source IP address and Destination IP address set to Any (0.0.0.0/0).
    4. Ensure that the encryption domain in your on-premises environment has only one local subnet and one remote subnet. If multiple subnets are present or if you use multiple subnets with Oracle Cloud Infrastructure Compute Classic, you'll need to perform route summarization.
  2. If the on-premises device is placed behind a NAT device:
    1. Oracle recommends that you disable NAT-T at your on-premises device when establishing IPSec tunnels with Oracle Cloud Infrastructure. Unless you have multiple CPEs sharing the same NAT IP, NAT-T is not required.
    2. While creating the CPE in Oracle Cloud Infrastructure, you specify the public IP address of the on-premises device. Your on-premises IPSec local identity must match your CPE public IP. If your CPE is behind a NAT device but does not support setting the IPSec local identity, file a ticket at My Oracle Support for help in configuring your CPE and bringing up the tunnels.

After configuring the CPE, ensure that the IPSec tunnel enters the UP state and that you can send and receive traffic over the IPSec tunnel.
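
The policy-based and NAT requirements above can be checked against a planned CPE configuration before the tunnel is brought up. The following is an added example, not Oracle code: the plan dictionary, its key names, the finding codes and the sample addresses are assumptions constructed for illustration; only the VCN CIDR 10.120.0.0/20 is the example value from this page.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def summarize(subnets):
    """Smallest single IPv4 CIDR that covers every subnet (route summarization)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lo = int(min(n.network_address for n in nets))
    hi = int(max(n.broadcast_address for n in nets))
    plen = 32 - (lo ^ hi).bit_length()          # bits shared by lowest and highest address
    base = (lo >> (32 - plen)) << (32 - plen)   # clear the host bits
    return ipaddress.ip_network((base, plen))

def check_cpe_plan(plan):
    """Return finding codes for a policy-based CPE plan; an empty list means consistent."""
    findings = []
    vcn = ipaddress.ip_network(plan["vcn_cidr"])
    src = ipaddress.ip_network(plan["selector_src"])
    dst = ipaddress.ip_network(plan["selector_dst"])
    local = summarize(plan["onprem_subnets"])
    if any(ipaddress.ip_network(s).overlaps(vcn) for s in plan["onprem_subnets"]):
        findings.append("VCN_OVERLAPS_ONPREM")
    elif local.overlaps(vcn):                   # summarizing widened the range into the VCN
        findings.append("SUMMARY_OVERLAPS_VCN")
    if not (src.supernet_of(local) and dst.supernet_of(vcn)):
        findings.append("SELECTOR_MISSES_TRAFFIC")
    if not plan["always_initiator"] and not (src == ANY and dst == ANY):
        findings.append("MUST_INITIATE")
    if plan["ike_local_id"] != plan["cpe_public_ip"]:
        findings.append("LOCAL_ID_MISMATCH")
    if plan["nat_t"] and not plan["shared_nat_ip"]:
        findings.append("NAT_T_NOT_REQUIRED")
    return findings

# Constructed sample plans (addresses are illustrative, not from a real deployment).
GOOD = {"vcn_cidr": "10.120.0.0/20", "onprem_subnets": ["192.168.10.0/24", "192.168.11.0/24"],
        "selector_src": "0.0.0.0/0", "selector_dst": "10.120.0.0/20", "always_initiator": True,
        "cpe_public_ip": "203.0.113.10", "ike_local_id": "203.0.113.10",
        "nat_t": False, "shared_nat_ip": False}
BAD = dict(GOOD, onprem_subnets=["10.112.0.0/16", "10.127.0.0/16"], always_initiator=False,
           ike_local_id="10.112.0.2", nat_t=True)

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, summarize(plan["onprem_subnets"]), check_cpe_plan(plan))
```

In the BAD plan neither on-premises subnet overlaps the VCN on its own, but the summarized range does, which is the case to look for when route summarization is applied to non-adjacent subnets.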