7 Understand the Oracle Cloud Infrastructure Network Resources

There are certain key differences between the network models in Oracle Cloud Infrastructure Compute Classic and Oracle Cloud Infrastructure. This chapter helps you understand the network resources in Oracle Cloud Infrastructure and how they map to the network resources in Oracle Cloud Infrastructure Compute Classic.

While in some cases the differences in the network models in these two environments could have an impact on your network design and implementation, using the Terraform configuration generated by Oracle Cloud Infrastructure Classic Discovery and Translation Tool replicates the network environment from your Oracle Cloud Infrastructure Compute Classic account in your Oracle Cloud Infrastructure tenancy. When you use this Terraform configuration to migrate your network, you don't need to map any of your network resources manually. The information provided here helps you to understand how the tool maps the network resources in your source environment to the slightly different network resources in the target environment.

Understand the Oracle Cloud Infrastructure Compute Classic Network Models

Here's a brief description of the shared network and IP networks used in your Oracle Cloud Infrastructure Compute Classic account.

  • IP Networks: Oracle Cloud Infrastructure Compute Classic IP networks allow you to define multiple, independent IP networks that can optionally be connected through an IP network exchange. Access control lists (ACLs) contain security rules that are applied to a group of network interfaces (vNICsets) across multiple networks. (Documentation: Configuring IP Networks)
  • Shared Network: The Oracle Cloud Infrastructure Compute Classic shared network is a single, flat network. Instances are grouped by security lists. Security rules define what traffic is allowed to a group of instances in a security list. (Documentation: Configuring the Shared Network)

Understand the Oracle Cloud Infrastructure Network Model

Here's a brief description of virtual cloud networks, subnets, and availability domains used in your Oracle Cloud Infrastructure tenancy.

  • Virtual Cloud Networks (VCNs): A virtual, private network that you set up in Oracle data centers. It closely resembles a traditional network, with firewall rules and specific types of communication gateways that you can choose to use. A VCN covers a single, contiguous IPv4 CIDR block of your choice.
  • Subnets: Subdivisions you define in a VCN (for example, 10.0.0.0/24 and 10.0.1.0/24). Subnets contain virtual network interface cards (VNICs), which attach to instances. Subnets act as a unit of configuration within the VCN: all VNICs in a given subnet use the same route table, security lists, and DHCP options. You can designate a subnet as either public or private when you create it. (Documentation: Overview of Networking)
  • Availability Domain: Each subnet in a VCN exists in a single availability domain and consists of a contiguous range of IP addresses that do not overlap with other subnets in the VCN. (Documentation: Regions and Availability Domains)

Understand How Your Oracle Cloud Infrastructure Compute Classic Network Resources Map to Oracle Cloud Infrastructure Network Resources

The following table provides some basic information about how the elements of your Oracle Cloud Infrastructure Compute Classic network map to the corresponding Oracle Cloud Infrastructure network elements.

Understand How Oracle Cloud Infrastructure Compute Classic Network Concepts Map to Oracle Cloud Infrastructure Network Concepts

Each Oracle Cloud Infrastructure Compute Classic network resource, followed by the Oracle Cloud Infrastructure network resource it maps to:

  • Shared Network: A single subnet in a VCN.
  • IP Network: Subnets within a single VCN, or multiple VCNs with local peering configured, if the subnets span different parent CIDR block ranges and need to be interconnected.
  • Corente VPN or VPNaaS: IPSec VPN.
  • Oracle Cloud Infrastructure FastConnect Classic: Oracle Cloud Infrastructure FastConnect.

Understand How Oracle Cloud Infrastructure Compute Classic Shared Network Concepts Map to Oracle Cloud Infrastructure Network Concepts

Each Oracle Cloud Infrastructure Compute Classic shared network resource, followed by the Oracle Cloud Infrastructure network resource it maps to:

  • Security lists: A security list applied to a subnet in a VCN, or a set of network security group (NSG) security rules.
  • Security rules: An ingress and egress security rule within a security list, or a security rule in an NSG.
  • Security applications: The TCP, UDP, or ICMP options within a security rule.
  • Security IP lists: No direct equivalent. Security rules must be defined for a single source or destination IP prefix. In NSGs, security rules can use the same NSG or another NSG in the same VCN as a source or destination.

Understand How Oracle Cloud Infrastructure Compute Classic IP Network Concepts Map to Oracle Cloud Infrastructure Network Concepts

Each Oracle Cloud Infrastructure Compute Classic IP network resource, followed by the Oracle Cloud Infrastructure network resource it maps to:

  • IP network exchange: Partially maps to a VCN. IP network exchanges provide connectivity between IP networks. In Oracle Cloud Infrastructure, subnets in a VCN are connected by default. If an IP network translates to multiple subnets across multiple VCNs, then a local peering gateway (LPG) is required to connect the subnets.
  • Virtual NIC sets: No direct equivalent. However, creating a network security group (NSG) allows you to specify a set of vNICs in a VCN and apply a set of security rules to this set of vNICs.
  • Access Control Lists (ACLs), which are applied to a set of vNICs that don't have to be within a single IP network or in IP networks connected to an IP network exchange: A security list applied to a subnet in a VCN, or a set of security rules in an NSG. Security lists in Oracle Cloud Infrastructure are applied at the subnet level and can't be applied to specific vNICs. NSG security rules are applied to the set of vNICs specified in the NSG. These vNICs must be in a single VCN.
  • Routes: Routes.
  • Security rules: An ingress and egress security rule within a security list, or an NSG security rule.
  • IP Address Prefix Sets: No direct equivalent. Security rules must be defined for a single source or destination IP prefix. In NSGs, security rules can use the same NSG or another NSG in the same VCN as a source or destination.

Understand How Oracle Cloud Infrastructure Compute Classic Security Rules Map to Oracle Cloud Infrastructure NSG Security Rules

If you use IP networks in Oracle Cloud Infrastructure Compute Classic, then Access Control Lists (ACLs) are used to apply a set of security rules to a set of instance interfaces.

In Oracle Cloud Infrastructure, network security groups (NSGs) are used to apply a set of security rules to a set of instance interfaces in a VCN.

However, because of differences in the way in which NSG security rules are defined compared to security rules in ACLs, you must keep the following considerations in mind when you start planning your network migration.

  • Oracle Cloud Infrastructure Compute Classic allows you to set up a large number of security lists and security rules. Oracle Cloud Infrastructure permits a smaller number of NSGs and NSG security rules. If you use a large number of security lists and security rules in your source environment, you might not be able to directly migrate your network architecture to Oracle Cloud Infrastructure. Check the number of NSGs and NSG security rules you'll need and find out your tenancy limits before migrating the network to your target environment.
  • Each security rule in a given ACL might translate to one or more NSG security rules in the target environment. For example, in Oracle Cloud Infrastructure Compute Classic, a security rule can specify a list of ports or a list of IP addresses in the source or destination, while in Oracle Cloud Infrastructure each of these fields can take only a single value.

Considerations for Setting Up Your Oracle Cloud Infrastructure Network

When you migrate your network elements to Oracle Cloud Infrastructure, consider the following points for determining DNS names and the CIDR block size and prefix for your VCNs and subnets.

VCN and Subnet CIDR Prefixes

When you create a VCN or a subnet in Oracle Cloud Infrastructure, you must specify the IP address range for the VCN or subnet in the form of a CIDR prefix. You must select this CIDR prefix carefully, because you can't change it after the VCN or subnet has been created.

If you use Oracle Cloud Infrastructure Classic Discovery and Translation Tool to migrate your network, the tool generates Terraform configuration to replicate the network in your source environment. The tool takes the following points into consideration when designing the network in the target environment. If you want to design your network manually or if you want to modify the Terraform configuration generated by the tool, then consider the following points:

  • It is recommended that the private IP addresses associated with each instance be retained in the migration process. Design the network architecture in the target environment carefully to ensure that private IP addresses can be migrated wherever possible.
  • For a VCN, select a CIDR block that can accommodate all IP networks that need to be interconnected, if possible.

    For example, consider IP networks with the following CIDR prefixes, connected to an IP network exchange:

    • 192.168.1.0/24
    • 192.168.2.0/24
    • 192.168.3.0/20

    These IP networks can be migrated as one or more subnets in a single VCN. In this case, you can create the VCN with the CIDR range 192.168.0.0/16.

    However, consider IP networks with the following CIDR prefixes, connected to an IP network exchange.

    • 192.168.1.0/24
    • 172.16.1.0/24

    Although you want to enable connectivity across the subnets that these IP networks are migrated to, you can't create the required subnets in a single VCN with a /16 CIDR prefix. You must either migrate one of the IP networks to a different CIDR block, or if you want to retain the same IP addresses, then you must migrate these two IP networks to separate VCNs and enable VCN peering across those networks.

  • If you need to connect two VCNs using VCN peering, remember that the peered VCNs must have non-overlapping CIDR prefixes.
  • Select a VCN and a subnet CIDR block that is large enough so that you can add more VMs in the same VCN and subnet later on, if required.
  • For a subnet, select a CIDR block large enough to accommodate the private IP addresses of all of the instances that you want to migrate to this subnet, if possible.
  • As far as possible, select a CIDR block for each subnet that can include all the IP addresses of instances in the source environment that you want to migrate to this subnet. If a single subnet maps to a single IP network, the subnet's CIDR should map to the IP network's address range, whenever possible.
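The CIDR planning rules above can be checked before any Terraform is applied. The following is an added example (not code from the Oracle Cloud Infrastructure Classic Discovery and Translation Tool); it assumes the current OCI VCN size limits of /16 to /30, which this chapter does not state, and uses constructed sample prefixes modelled on the two cases discussed above.

```python
import ipaddress
from itertools import combinations

# Assumption, not stated in this chapter: OCI accepts VCN CIDR blocks from /16 to /30.
VCN_MIN_PREFIXLEN = 16
VCN_MAX_PREFIXLEN = 30


def covering_supernet(prefixes):
    """Smallest single CIDR block that contains every given IP network."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one bit until everything fits
    return candidate


def plan_vcns(ip_network_prefixes, headroom_bits=0):
    """Map a set of interconnected Compute Classic IP networks onto OCI VCNs.

    Returns ("single_vcn", vcn_cidr, subnet_cidrs) when one VCN can hold every
    IP network as its own subnet, or ("peered_vcns", vcn_cidrs) when the ranges
    are too far apart for one legal VCN block and must be split and peered.
    headroom_bits widens the VCN beyond the minimum to leave room for growth.
    Raises ValueError when ranges overlap: neither subnets within one VCN nor
    peered VCNs may overlap, so one of them has to be renumbered first.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in ip_network_prefixes]
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            raise ValueError(f"{a} and {b} overlap; renumber one of them before migrating")
    vcn = covering_supernet(ip_network_prefixes)
    if vcn.prefixlen < VCN_MIN_PREFIXLEN:
        # No legal VCN block spans the ranges: one VCN per IP network, then local peering.
        return ("peered_vcns", [str(n) for n in nets])
    # Widen for headroom, but stay inside the legal /16 .. /30 range.
    target = max(VCN_MIN_PREFIXLEN, min(vcn.prefixlen - headroom_bits, VCN_MAX_PREFIXLEN))
    vcn = vcn.supernet(new_prefix=target)
    # Each source IP network keeps its address range as a subnet of the VCN.
    return ("single_vcn", str(vcn), [str(n) for n in nets])


if __name__ == "__main__":
    # Constructed sample inputs: three networks that fit one VCN, then two that do not.
    print(plan_vcns(["192.168.1.0/24", "192.168.2.0/24", "192.168.16.0/20"], headroom_bits=3))
    print(plan_vcns(["192.168.1.0/24", "172.16.1.0/24"]))
```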

DNS Names

DNS names used in Oracle Cloud Infrastructure Compute Classic will change when your instances are migrated to Oracle Cloud Infrastructure. When specifying DNS names, consider the following.

  • In Oracle Cloud Infrastructure Compute Classic, the way DNS names are derived depends on whether instances are in the shared network or in an IP network.
    • In the shared network, DNS names for the private IP are derived from the host name by appending the domain <accountName>.oraclecloud.internal. This domain name is assigned by the system and can't be changed.
    • In IP networks, you can specify the hostname and the DNS name separately, and multiple DNS names are allowed, with each DNS name resolving to the private IP. You can specify any FQDNs, as required.
  • In Oracle Cloud Infrastructure, DNS names for the private IP are derived from the host name by appending the domain <subnetLabel>.<VcnLabel>.oraclevcn.com. Here, the subnet label and VCN label can be user-specified, but oraclevcn.com is assigned by the system and can't be changed.

Since there is no one-to-one mapping of DNS names between Oracle Cloud Infrastructure Compute Classic and Oracle Cloud Infrastructure, consider the following recommendations when assigning DNS names in Oracle Cloud Infrastructure:

  • If the instance host name is specified in Oracle Cloud Infrastructure Compute Classic, use that for both the instance name and the host name. The DNS name will be derived from this host name by appending the domain name as described above.
  • If no host name is specified in Oracle Cloud Infrastructure Compute Classic, but the dns attribute is specified in the networking section of the instance orchestration, pick the first name in the dns list. Use the host name part of the dns name as the instance host name.
  • If no host name is specified and the dns attribute is also not specified in the instance orchestration, generate a host name from the instance name.

Note that the DNS name always changes during migration, as the domain for Oracle Cloud Infrastructure Compute Classic is different from the domain for Oracle Cloud Infrastructure.
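The three host name rules above, together with the Oracle Cloud Infrastructure FQDN layout, as an added example (not the tool's own code). The instance records are constructed and their field names are an assumption, not the real orchestration schema; the sanitising of instance names into DNS labels is also an assumed choice, since the chapter only says to "generate" a host name.

```python
import re

OCI_DOMAIN = "oraclevcn.com"

# Constructed sample: three Compute Classic instances (field names are an assumption).
CLASSIC_INSTANCES = [
    {"name": "web-1", "hostname": "web1", "dns": [], "ip": "192.168.1.10"},
    {"name": "app-1", "hostname": None,
     "dns": ["app1.compute-608547156.oraclecloud.internal.", "app.svc.internal."],
     "ip": "192.168.1.20"},
    {"name": "DB_Primary 01", "hostname": None, "dns": [], "ip": "192.168.1.30"},
]


def hostname_from_instance_name(name):
    """Assumption: lowercase the name and collapse anything else into '-' to get a DNS label."""
    label = re.sub(r"[^a-z0-9-]+", "-", name.lower()).strip("-")
    return label[:63]  # a DNS label is at most 63 characters


def oci_host_name(inst):
    """Apply the three rules above, in order, to choose the OCI host name."""
    if inst.get("hostname"):
        return inst["hostname"]
    if inst.get("dns"):
        # First name in the dns list; keep only its host part (drop domain and trailing dot).
        return inst["dns"][0].rstrip(".").split(".")[0]
    return hostname_from_instance_name(inst["name"])


def search_domain(subnet_label, vcn_label):
    return f"{subnet_label}.{vcn_label}.{OCI_DOMAIN}"


def oci_fqdn(host, subnet_label, vcn_label):
    return f"{host}.{search_domain(subnet_label, vcn_label)}"


def migration_name_plan(instances, subnet_label, vcn_label):
    """Host name and FQDN per instance for one target subnet. Duplicate host names are
    rejected: two VNICs in the same subnet would otherwise claim the same DNS name."""
    plan, seen = [], set()
    for inst in instances:
        host = oci_host_name(inst)
        if host in seen:
            raise ValueError(f"host name {host!r} would be duplicated in subnet {subnet_label}")
        seen.add(host)
        plan.append({"instance": inst["name"], "host": host,
                     "fqdn": oci_fqdn(host, subnet_label, vcn_label), "ip": inst["ip"]})
    return plan
```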

Applications that Use DNS

If the instances that you are migrating host applications that use DNS, then consider the differences between DNS features in Oracle Cloud Infrastructure Compute Classic and Oracle Cloud Infrastructure and select a strategy to migrate your instances so that your applications continue to work without requiring configuration changes.

In Oracle Cloud Infrastructure Compute Classic, the top-level domain is oraclecloud.internal. A fully qualified domain name (FQDN) is assigned to each instance by default. You can specify an FQDN to override the default value.

In Oracle Cloud Infrastructure Compute Classic, external DNS resolution isn't supported. Only instances in a tenancy can resolve the IP addresses of other instances in the same tenancy.

In Oracle Cloud Infrastructure, the top-level domain is oraclevcn.com. You can specify a DNS label for each VCN and subnet that you create, as well as a host name for each instance. The FQDN of an instance has the form: <hostname>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com

Before you migrate your instances, consider the following strategies:

  • Use custom DNS servers to preserve FQDNs
  • Specify search domains and host names

Preserve FQDNs with Custom DNS Servers

With this strategy, you preserve the fully qualified domain name of each instance, so that the applications don't need any configuration changes when you migrate them to Oracle Cloud Infrastructure.

  • A pair of instances in Oracle Cloud Infrastructure run a DNS server (for example, BIND 9).
    • The IP address to name mappings are extracted from the resources JSON file and configured in the DNS servers.
    • Security rules allow port 53 TCP/UDP ingress from the migrated instances.
  • Migrated instances are created as follows:
    • With the same static IP addresses as they had in Oracle Cloud Infrastructure Compute Classic.
    • Their DHCP option custom_dns_servers is configured with the IP addresses of the DNS server instances.

      See: https://www.terraform.io/docs/providers/oci/r/core_dhcp_options.html

    • Security rules allow port 53 TCP/UDP egress to the DNS server instances.

Use Search Domains and Host Names

This strategy works if the applications to be migrated can be configured so that their URLs or server names refer to short DNS host names. For example, the applications can be configured to reference http://foo/some/path/ instead of http://foo.compute-608547156.oraclecloud.internal./some/path/. Note that this configuration might already be the default, because in Oracle Cloud Infrastructure Compute Classic, the default search domain is already set for this to work out of the box.

The advantage of this solution is that it doesn't require a set of dedicated DNS servers, and IP addresses can be automatically allocated to the migrated instances in Oracle Cloud Infrastructure.

If required, you can change the applications to connect with the short host name instead of the FQDN.

Instances are started with the proper search domain specified as part of the search_domain_names DHCP options. See: https://www.terraform.io/docs/providers/oci/r/core_dhcp_options.html

Typically, the search domain is set to: <subnet DNS label>.<VCN DNS label>.oraclevcn.com., since the FQDN is typically: <host name>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com..