8 Create a Virtual Cloud Network in Oracle Cloud Infrastructure

You must set up your virtual cloud network (VCN) in your Oracle Cloud Infrastructure tenancy, before you create compute, load balancer, database, or other resources.

Complete the Prerequisites

Before you create the Oracle Cloud Infrastructure VCN, you should do the following.

  • Review the Oracle Cloud Infrastructure Compute Classic Architecture
  • Understand the Oracle Cloud Infrastructure Network Resources
  • You should be familiar with the fundamentals of networking in Oracle Cloud Infrastructure. For information about setting up a cloud network in Oracle Cloud Infrastructure, see:
  • Oracle Cloud Infrastructure Classic Discovery and Translation Tool can help you to identify and filter information about the networking resources in your Oracle Cloud Infrastructure Compute Classic environment. If you use this tool to identify resources in your Oracle Cloud Infrastructure Compute Classic account, then you can use the reports generated by this tool to help design and set up the networking objects in your Oracle Cloud Infrastructure tenancy. You should be familiar with this tool and its commands and options. For information about using this tool, see Identify and Translate Resources in Your Source Environment.
  • The Terraform configurations generated by Oracle Cloud Infrastructure Classic Discovery and Translation Tool can be used to automate the setup of resources in your Oracle Cloud Infrastructure tenancy. To use Terraform to apply those configurations in the target environment, you should be familiar with Terraform.
  • Before you apply the Terraform configuration, you'll need to create a compartment in your Oracle Cloud Infrastructure tenancy. It's strongly recommended that you create a new compartment dedicated to the migration process. Don't use the root compartment for migration.

Considerations for Migrating Your Network

You must carefully consider several aspects of your network design when you migrate your network from Oracle Cloud Infrastructure Compute Classic to Oracle Cloud Infrastructure.

Public IP Addresses

When you migrate your network, some network configuration might change. For example, the public IP addresses associated with your instances on Oracle Cloud Infrastructure Compute Classic can't be reused on Oracle Cloud Infrastructure. This is because the range of public IP addresses available in both services is different. Evaluate the impact of this change on your applications and architecture before you start your migration.

Security Rules

You'll see some changes in the way security rules are designed and applied in Oracle Cloud Infrastructure compared to Oracle Cloud Infrastructure Compute Classic.

  • In Oracle Cloud Infrastructure Compute Classic, if you use IP networks, then security rules are applied to groups of vNICs called vNICsets. If you use the shared network, security rules are applied to a set of instance interfaces that are members of a security list.
  • In Oracle Cloud Infrastructure, using network security groups (NSGs) allows you to specify a set of vNICs in a VCN and apply a set of security rules to these vNICs.
  • NSGs, however, are only scoped to affect vNICs within the same VCN. NSGs don't affect vNICs in peered VCNs and NSG security rules can't reference NSGs from peered VCNs. If your IP networks are migrated as separate but connected VCNs, the Terraform configuration generated by Oracle Cloud Infrastructure Classic Discovery and Translation Tool sets up VCN peering along with the required security lists and security rules to provide that connectivity. For more information about NSGs and NSG security rules, see Network Security Groups in the Oracle Cloud Infrastructure documentation.
  • When you use the Terraform configuration generated by Oracle Cloud Infrastructure Classic Discovery and Translation Tool to migrate your network, your network is migrated as follows:
    • If you have multiple IP networks connected with an IP network exchange:
      • If the address ranges of all the IP networks can be expressed as a single CIDR address range no larger than /16, then your network is migrated as a single VCN in Oracle Cloud Infrastructure, with the appropriate NSGs and NSG security rules to permit and restrict traffic between sets of vNICs in the VCN.
      • If the address ranges of all IP networks can't be expressed as a single /16 CIDR address range, then:
        1. The IP networks are migrated to separate VCNs.
        2. In this case, NSG security rules can't be used to permit and restrict traffic between sets of vNICs in different VCNs. Security lists and security rules are created to permit or restrict traffic between instances in a VCN.
        3. Connectivity across the VCNs is implemented using LPGs.
    • If you have multiple IP networks that aren't connected with an IP network exchange, then each IP network is migrated as a separate VCN, with the appropriate NSGs and NSG security rules to permit and restrict traffic between sets of vNICs within each VCN.
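The layout rule in the list above (one VCN when every IP network in an exchange fits inside a single block no wider than /16, otherwise one VCN per IP network joined by LPGs) can be applied to a planned migration before running the tool. The following Python is an added example, not code from Oracle Cloud Infrastructure Classic Discovery and Translation Tool; the function names, the return structure, and the choice of the covering block as the merged VCN's CIDR are assumptions of the example, and the input CIDRs are constructed.

```python
import ipaddress
from typing import Dict, Iterable


def covering_supernet(cidrs: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every network in `cidrs`."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    if not nets:
        raise ValueError("at least one IP network is required")
    # Widen the first block one prefix bit at a time until it contains all the others.
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        if candidate.prefixlen == 0:
            break
        candidate = candidate.supernet()
    return candidate


def plan_layout(ip_networks: Dict[str, str], connected_by_exchange: bool) -> dict:
    """Apply the layout rule described above to a set of source IP networks.

    ip_networks maps IP network name -> CIDR. Returns the VCNs to create, the
    mechanism used for security rules, and whether LPG peering is needed.
    Using the covering block as the merged VCN's CIDR is an assumption of this example.
    """
    if connected_by_exchange:
        block = covering_supernet(ip_networks.values())
        if block.prefixlen >= 16:
            # Everything fits in one block no wider than /16: one VCN, NSG rules between vNIC sets.
            return {"vcns": {"merged": str(block)}, "rules": "nsg", "peering": False}
        # Too wide for one VCN: one VCN per IP network, security lists, LPGs for connectivity.
        return {"vcns": dict(ip_networks), "rules": "security_list", "peering": True}
    # Unconnected IP networks: one VCN each, NSG rules inside each VCN, no peering.
    return {"vcns": dict(ip_networks), "rules": "nsg", "peering": False}


if __name__ == "__main__":
    # Constructed sample inputs: two exchanges, one that fits in a /19 and one that does not.
    print(plan_layout({"app-net": "192.168.10.0/24", "db-net": "192.168.20.0/24"}, True))
    print(plan_layout({"app-net": "10.0.0.0/24", "dmz-net": "172.16.0.0/24"}, True))
```

The second case matters for security review: because the covering block of 10.0.0.0/24 and 172.16.0.0/24 is 0.0.0.0/0, those networks become separate VCNs, and traffic between them will be governed by security lists rather than NSG-to-NSG rules.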

Multiple vNICs

If instances in your Oracle Cloud Infrastructure Compute Classic account have multiple vNICs:
  1. You might need to use a different instance shape in Oracle Cloud Infrastructure to support multiple vNICs. Smaller shapes support a smaller number of vNIC attachments. Depending on the number of vNICs required, the instance shape (OCPU count) may need to be increased. See Map Oracle Cloud Infrastructure Compute Classic Instance Shapes to Oracle Cloud Infrastructure Shapes.
  2. Launch the instance with the primary vNIC on the appropriate primary subnet. If you use the Terraform configuration generated by Oracle Cloud Infrastructure Classic Discovery and Translation Tool to launch your instances, this is done automatically.
  3. Additional vNICs must be attached as secondary vNICs after the instance is launched. See https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVNICs.htm. If you use the Terraform configuration generated by Oracle Cloud Infrastructure Classic Discovery and Translation Tool to launch your instances, the additional vNICs are attached automatically.

Migrate the Shared Network

If your source environment uses the shared network, then your network is migrated to Oracle Cloud Infrastructure with a single VCN that has a single subnet.

In Oracle Cloud Infrastructure Compute Classic, the shared network doesn't allow you to select or specify private IP addresses and private IP addresses aren't persistent. However, when you create the VCN and subnet in Oracle Cloud Infrastructure, you can use the --shared-network-prefix option to specify the IP address range for private IP addresses. Primary private IP addresses are persistent in Oracle Cloud Infrastructure.

To migrate your shared network to the target environment, use Oracle Cloud Infrastructure Classic Discovery and Translation Tool. This tool simplifies the process of setting up your network in Oracle Cloud Infrastructure. You can use this tool to discover all the security rules applied to each security list in your source environment. You can then generate a Terraform module to create a VCN, subnet, network security groups (NSGs) and NSG security rules for your shared network.

You must have already installed Oracle Cloud Infrastructure Classic Discovery and Translation Tool and run the opcmigrate discover command before you run the following commands.
  1. To view the security rules associated with a security list in the shared network in Oracle Cloud Infrastructure Compute Classic, run the following command:
    opcmigrate network --shared-grouping seclist

    The output of this command provides a list of security rules associated with each security list.

  2. To generate Terraform, use the following commands:
    opcmigrate plan create --output migration-plan.json
    
    opcmigrate generate --plan migration-plan.json --output main.tf
  3. Review the generated Terraform and make any required modifications before creating the network and applying the security rules to subnets in Oracle Cloud Infrastructure.
  4. If you want to enable direct access to the public Internet for VMs launched in a VCN, use the Oracle Cloud Infrastructure Console to create an Internet Gateway for the VCN. To create an Internet Gateway using the Console:
    1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
    2. Click the VCN you're interested in.
    3. Click Internet Gateways.
    4. Click Create Internet Gateway.
    5. Enter the following:
      • Create in Compartment: Leave as is.
      • Name: A friendly name for the Internet Gateway. It doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
      • Tags: Optionally, you can apply tags. If you are not sure if you should apply tags, skip this option. You can apply tags later.
    6. Click Create.

      Your internet gateway is created and displayed on the Internet Gateways page. Ensure that you have a route rule that allows traffic to flow to the gateway.

  5. If required, you can enable access to the public Internet for VMs that have only private IP addresses, by using a NAT gateway. To create a NAT gateway using the Console:
    1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
    2. Click the VCN you're interested in.
    3. On the left side of the page, click NAT Gateways.
    4. Click Create NAT Gateway.
    5. Enter the following values:
      • Create in compartment: The compartment where you want to create the NAT gateway, if different from the compartment you're currently working in.
      • Name: A friendly name for the NAT gateway. It doesn't have to be unique. Avoid entering confidential information.
      • Tags: Optionally, you can apply tags. If you are not sure if you should apply tags, skip this option. You can apply tags later.
    6. Click Create NAT Gateway.

      The NAT gateway is then created and displayed on the NAT Gateways page. Ensure that you have a route rule that directs the desired traffic from the subnet to the NAT gateway. Do this for each subnet that needs to access the gateway.

  6. Migrate your instances and block volumes. You can use Oracle Cloud Infrastructure Classic VM and Block Storage Migration Tool to automate this process. See Migrate Virtual Machines and Block Storage to Oracle Cloud Infrastructure.
  7. After your instances are migrated, launch your instances in the appropriate subnet and add the vNICs to the appropriate NSGs. The NSGs that vNICs are added to should correspond to the security lists that the instance was added to in the source environment.
    The process of launching instances in appropriate subnets can be performed manually or by applying the Terraform configuration generated by Oracle Cloud Infrastructure Classic Discovery and Translation Tool. If you use the Terraform configuration generated by Oracle Cloud Infrastructure Classic Discovery and Translation Tool to launch your VMs, the VMs are automatically launched in the appropriate subnet and the vNICs are automatically added to the appropriate NSGs. For more details about launching your VMs after migration, see Launch VMs in the Target Environment.

Migrate IP Networks

If your source environment uses IP networks, then, to recreate your network in the target environment using network security groups (NSGs), you can use Oracle Cloud Infrastructure Classic Discovery and Translation Tool.

This tool simplifies the process of setting up your network in Oracle Cloud Infrastructure. You can use this tool to discover all the security rules applied to each IP network in your source environment. You can then generate a Terraform module to create the corresponding VCNs and subnets, and – wherever possible – the required NSGs and NSG security rules for each of your IP networks. If VCNs corresponding to separate IP networks need to be connected using VCN peering, the Terraform configuration sets up the components required for VCN peering.

You must have already installed Oracle Cloud Infrastructure Classic Discovery and Translation Tool and run the opcmigrate discover command before you run the following commands.
  1. To view the security rules applied to vNICs in an IP network, use the following command:
    opcmigrate network --ipnetwork-grouping ipnetwork

    The output of this command provides a list of ACLs along with the associated security rules applied to the vNICs in an IP network. These security rules are translated into a set of security rules in network security groups (NSGs) in Oracle Cloud Infrastructure.

  2. To generate Terraform, use the following commands:
    opcmigrate plan create --output migration-plan.json
    
    opcmigrate generate --plan migration-plan.json --output main.tf

    Note:

    If you are migrating the shared network as well, then you need to run these commands just once. These commands generate the Terraform configuration for the shared network as well as your IP networks, along with instance configurations.

    By default, the Terraform configuration creates the required VCNs and subnets along with the required NSGs and the NSG security rules. The generated configuration exactly replicates the security context created by the vNICsets, security rules, and ACLs in your IP networks.

    If the private IP addresses of IP networks connected to an IP network exchange can't be represented in a single /16 CIDR prefix, then multiple VCNs must be created. These VCNs are connected using VCN peering. However, NSG security rules can only make reference to NSGs within the same VCN. NSG security rules can't reference NSGs across peered VCNs. In this case, no NSGs or NSG security rules are generated by default. Use the --with-security-rule-union option to generate security lists and security rules. This option generates a security list with a union of all the security rules related to the specified IP networks.

    Caution:

    When you use the --with-security-rule-union option, review the generated Terraform configuration carefully before applying it. The security rules generated with this option might expose instances to more traffic than intended.
  3. Review the generated Terraform and make any required modifications before creating the network and applying the security rules in Oracle Cloud Infrastructure.
  4. If you want to enable direct access to the public Internet for VMs launched in a VCN, use the Oracle Cloud Infrastructure Console to create an Internet Gateway for the VCN. To create an Internet Gateway using the Console:
    1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
    2. Click the VCN you're interested in.
    3. Click Internet Gateways.
    4. Click Create Internet Gateway.
    5. Enter the following:
      • Create in Compartment: Leave as is.
      • Name: A friendly name for the Internet Gateway. It doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
      • Tags: Optionally, you can apply tags. If you are not sure if you should apply tags, skip this option. You can apply tags later.
    6. Click Create.

      Your internet gateway is created and displayed on the Internet Gateways page. Ensure that you have a route rule that allows traffic to flow to the gateway.

  5. If required, you can enable access to the public Internet for VMs that have only private IP addresses, by using a NAT gateway. To create a NAT gateway using the Console:
    1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
    2. Click the VCN you're interested in.
    3. On the left side of the page, click NAT Gateways.
    4. Click Create NAT Gateway.
    5. Enter the following values:
      • Create in compartment: The compartment where you want to create the NAT gateway, if different from the compartment you're currently working in.
      • Name: A friendly name for the NAT gateway. It doesn't have to be unique. Avoid entering confidential information.
      • Tags: Optionally, you can apply tags. If you are not sure if you should apply tags, skip this option. You can apply tags later.
    6. Click Create NAT Gateway.

      The NAT gateway is then created and displayed on the NAT Gateways page. Ensure that you have a route rule that directs the desired traffic from the subnet to the NAT gateway. Do this for each subnet that needs to access the gateway.

  6. If you migrate the shared network as well as one or more IP networks, the shared network and the IP networks are migrated as separate VCNs. If you need to enable traffic across those VCNs, you will need to set up VCN peering. See Connect VCNs Using Local Peering Gateways.
  7. Migrate your instances and block volumes. You can use Oracle Cloud Infrastructure Classic VM and Block Storage Migration Tool to automate this process. See Migrate Virtual Machines and Block Storage to Oracle Cloud Infrastructure.
  8. After your instances are migrated, launch your instances in the appropriate subnet for each instance and add the vNICs to the appropriate NSGs. The subnet an instance is launched in should correspond to the IP network that the instance had an interface on in the source environment. The NSGs that vNICs are added to should correspond to the vNICsets the vNICs belonged to in the source environment.
    The process of launching instances in appropriate subnets can be performed manually or by applying the Terraform configuration generated by Oracle Cloud Infrastructure Classic Discovery and Translation Tool. If you use the Terraform configuration generated by Oracle Cloud Infrastructure Classic Discovery and Translation Tool to launch your VMs, the VMs are automatically launched in the appropriate subnet and the vNICs are automatically added to the appropriate NSGs. For more details about launching your VMs after migration, see Launch VMs in the Target Environment.
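The caution in step 2 about the --with-security-rule-union option can be checked mechanically before the generated Terraform is applied: a union security list carries every rule from every vNICset, so each vNICset's instances inherit rules written for other vNICsets. The following Python is an added example, not code from the tool or from the Oracle documentation; the Rule model, the function names, and the sample per-vNICset rules are constructed assumptions of the example. It computes the union and reports, per vNICset, the rules its instances would newly be subject to, plus any ingress rule open to all sources.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Rule:
    direction: str        # "INGRESS" or "EGRESS"
    protocol: str         # "tcp", "udp", "icmp" or "all"
    cidr: str             # source CIDR for ingress, destination CIDR for egress
    port: Optional[int]   # destination port, or None when the rule is not port-based


# Constructed sample: the rules each vNICset had in the source environment.
VNICSET_RULES: Dict[str, Set[Rule]] = {
    "web-vnicset": {
        Rule("INGRESS", "tcp", "0.0.0.0/0", 443),
        Rule("INGRESS", "tcp", "10.10.0.0/16", 22),
    },
    "db-vnicset": {
        Rule("INGRESS", "tcp", "10.10.1.0/24", 1521),  # only the app subnet may reach the listener
        Rule("INGRESS", "tcp", "10.10.0.0/16", 22),
    },
}


def security_rule_union(rules_by_vnicset: Dict[str, Set[Rule]]) -> Set[Rule]:
    """The single rule set a union-style security list would carry."""
    union: Set[Rule] = set()
    for rules in rules_by_vnicset.values():
        union |= rules
    return union


def added_exposure(rules_by_vnicset: Dict[str, Set[Rule]]) -> Dict[str, Set[Rule]]:
    """Rules each vNICset's instances would newly be subject to under the union."""
    union = security_rule_union(rules_by_vnicset)
    return {name: union - rules for name, rules in rules_by_vnicset.items()}


def public_ingress(rules: Set[Rule]) -> Set[Rule]:
    """Ingress rules open to any source: the first thing to look at in review."""
    return {r for r in rules
            if r.direction == "INGRESS" and ipaddress.ip_network(r.cidr).prefixlen == 0}


if __name__ == "__main__":
    for name, gained in added_exposure(VNICSET_RULES).items():
        for rule in sorted(gained, key=lambda r: (r.direction, r.cidr, r.port or 0)):
            print(f"{name} gains {rule}")
```

With the constructed rules, the database vNICset gains the web tier's port 443 rule from 0.0.0.0/0, which is exactly the kind of widening the caution refers to; the review step is to remove such rules from the generated security list or to narrow their source before applying the configuration.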

Connect VCNs Using Local Peering Gateways

VCN peering can be required when you migrate multiple IP networks connected to an IP network exchange. If you use the Terraform configuration generated by Oracle Cloud Infrastructure Classic Discovery and Translation Tool to migrate your network, VCN peering is set up automatically when required.

However, if you migrate the shared network as well as one or more IP networks, the shared network and the IP networks are migrated as separate VCNs. In this case, VCN peering across these VCNs isn't set up by default. If you need to enable traffic across these VCNs, you will need to set up VCN peering.

VCN peering involves the following steps:

  1. Create local peering gateways (LPGs) in each VCN.
  2. Establish the connection.
  3. Update route tables to enable traffic between the peered VCNs as desired.
  4. Update security lists to enable traffic between the peered VCNs as desired.

This procedure assumes that you have policies in place.

For example, if you belong to the NetworkAdmin group or the Administrators group, you might have either of the following policies already in place:

Allow group NetworkAdmin to manage virtual-network-family in tenancy

Or:

Allow group Administrators to manage all-resources in tenancy

If you need to set up IAM policies required for this task, or for more information about VCN peering concepts and procedures, see Local VCN Peering in the Oracle Cloud Infrastructure documentation.

To set up VCN peering using the Console:

  1. Create the LPG in each of the VCNs that you want to connect.
    1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
    2. Click the VCN you're interested in.
    3. On the Virtual Cloud Network Details page, click Local Peering Gateways on the left of the page.
    4. Click Create Local Peering Gateway.
    5. Enter the following:
      • Name: A friendly name for the LPG. It doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
      • Create in compartment: The compartment where you want to create the LPG, if different from the compartment you're currently working in.
      • Associate with Route Table (optional): Leave this field blank. It isn't required for this migration scenario.
      • Tags: Optionally, you can apply tags. If you are not sure if you should apply tags, skip this option. You can apply tags later.
    6. Click Create. The LPG is created and displayed on the Local Peering Gateways page.
    7. Repeat these steps to create the LPG in the other VCN.
  2. In the context of VCN peering, one network is considered the requestor and the other network is considered the acceptor. The VCN peering connection is initiated by the requestor and accepted by the acceptor. After both LPGs have been set up, to establish the VCN peering connection:
    1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
    2. Click the requestor LPG's VCN.
    3. On the Virtual Cloud Network Details page, click Local Peering Gateways on the left of the page.
    4. For the requestor LPG that you want to use, click View Peering Gateway.
    5. On the Local Peering Gateway Details page, click Establish Connection.
    6. Select the acceptor LPG that you want to peer with.
    7. Click Establish Peering Connection.

    The connection is established and the LPG's state changes to PEERED. The details of each LPG update to show the Peer VCN CIDR Block for the other VCN.

  3. Next, create or edit the route table entries in the route table for each VCN, to ensure that traffic intended for the peered subnet is routed to the appropriate LPG.
    1. Determine which subnets in the requestor VCN need to communicate with the acceptor VCN.
    2. Update the route table for each of those subnets to add a rule that directs traffic destined for the acceptor VCN to your LPG:
      1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
      2. Click the requestor VCN.
      3. Click Route Tables.
      4. Select the default route table.
      5. Click Edit Route Rules.
      6. Click + Another Route Rule and enter the following:
        • Target Type: Local Peering Gateway.
        • Destination CIDR Block: The acceptor VCN's CIDR block. If you want, you can specify a subnet or particular subset of the peered VCN's CIDR.
        • Target Compartment: The compartment where the LPG is located, if not the current compartment.
        • Target: The LPG.
      7. Click Save. Any subnet traffic with a destination that matches the rule is now routed to your LPG.
    3. Repeat these steps to update the route table for the acceptor VCN as well.
  4. Verify that the appropriate security rules apply to each of the subnets participating in the peered connection. Add the following security rules, as required:
    • Ingress rules for the types of traffic you want to allow from the other VCN's CIDR block or specific subnets.
    • Egress rules to allow outgoing traffic from your VCN to the other VCN. If the subnet already has a broad egress rule for all types of protocols to all destinations (0.0.0.0/0), then you don't need to add specific egress rules.

    To add or edit security rules in security lists applied to your subnets:

    1. In the Console, while viewing the VCN you're interested in, click Security Lists.
    2. Click the security list you're interested in.
    3. Click Edit All Rules and create one or more rules, each for the specific type of traffic you want to allow.
    4. Click Save Security List Rules at the bottom of the dialog box.
    5. Repeat these steps for all subnets in both VCNs, as required.
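Steps 3 and 4 above are easy to leave half-done, and a missing route rule or ingress rule on one side shows up only as traffic silently dropped. The following Python is an added example, not part of the Oracle documentation or of any Oracle tool; it checks a constructed description of two peered VCNs (the dictionary layout and gateway names are assumptions of the example, not real OCIDs) for what the procedure requires: disjoint VCN CIDRs, a route rule in each subnet sending the peer CIDR to that VCN's LPG, an ingress rule admitting the peer CIDR, and an egress rule covering it (a broad 0.0.0.0/0 egress rule counts, as the text notes).

```python
import ipaddress
from typing import Dict, List


def sample_vcns() -> Dict[str, dict]:
    """Constructed pair of VCNs as left by the steps above. Gateway ids are placeholders, not OCIDs."""
    return {
        "shared-vcn": {
            "cidr": "10.0.0.0/16",
            "lpg": "lpg-shared",
            "subnets": {
                "shared-subnet": {
                    "route_rules": [{"destination": "10.1.0.0/16", "target": "lpg-shared"}],
                    "ingress": [{"source": "10.1.0.0/16", "protocol": "tcp", "port": 1521}],
                    "egress": [{"destination": "0.0.0.0/0", "protocol": "all"}],
                }
            },
        },
        "ipnet-vcn": {
            "cidr": "10.1.0.0/16",
            "lpg": "lpg-ipnet",
            "subnets": {
                "app-subnet": {
                    "route_rules": [{"destination": "10.0.0.0/16", "target": "lpg-ipnet"}],
                    "ingress": [{"source": "10.0.0.0/16", "protocol": "tcp", "port": 22}],
                    "egress": [{"destination": "10.0.0.0/16", "protocol": "all"}],
                }
            },
        },
    }


def _overlaps(a: str, b: str) -> bool:
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def check_peering(vcns: Dict[str, dict], name_a: str, name_b: str) -> List[str]:
    """Return a finding for each requirement of the peering steps that this pair of VCNs lacks."""
    a, b = vcns[name_a], vcns[name_b]
    findings: List[str] = []
    # Local peering requires the two VCNs' CIDRs not to overlap.
    if _overlaps(a["cidr"], b["cidr"]):
        findings.append(f"{name_a} and {name_b} have overlapping CIDRs; local peering needs disjoint ranges")
    # Check both directions: each side needs its own route, ingress and egress rules.
    for local_name, local, peer in ((name_a, a, b), (name_b, b, a)):
        for subnet_name, subnet in local["subnets"].items():
            where = f"{local_name}/{subnet_name}"
            if not any(r["target"] == local["lpg"] and _overlaps(r["destination"], peer["cidr"])
                       for r in subnet["route_rules"]):
                findings.append(f"{where}: no route rule sending {peer['cidr']} to LPG {local['lpg']}")
            if not any(_overlaps(r["source"], peer["cidr"]) for r in subnet["ingress"]):
                findings.append(f"{where}: no ingress rule admitting traffic from {peer['cidr']}")
            if not any(_overlaps(r["destination"], peer["cidr"]) for r in subnet["egress"]):
                findings.append(f"{where}: no egress rule covering {peer['cidr']}")
    return findings


if __name__ == "__main__":
    for finding in check_peering(sample_vcns(), "shared-vcn", "ipnet-vcn") or ["peering checks passed"]:
        print(finding)
```

The ingress check deliberately asks only whether some rule admits the peer range; reviewing which ports those rules open is still a manual step, since the procedure says to allow only the specific types of traffic you need from the other VCN.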