OCI provides the Virtual Cloud Network (VCN), a private, software-defined network in which your cloud resources communicate. A VCN is highly available and scales to very large deployments. It has an address space written in CIDR notation (its IP address range), which is divided into smaller networks called subnets; compute instances are launched into subnets. Each subnet is associated with a route table and with one or more security lists. For example, the VCN 10.0.0.0/16 can be split into 256 /24 networks, such as a public subnet 10.0.1.0/24 and a private subnet 10.0.2.0/24. Within a subnet, web application virtual machines can sit behind a load balancer. Traffic leaving the VCN goes through one of several gateways, and a gateway carries nothing until a route rule in the subnet's route table points at it: 

  1. Internet Gateway: A scalable, highly available gateway that allows bidirectional communication between the VCN and the internet. Attaching one does not by itself expose anything: an instance is reachable from the internet only if it sits in a public subnet, has a public IP address, its subnet's route table sends internet-bound traffic to the gateway, and its security rules allow the traffic.
  2. NAT Gateway: Provides NAT as a service so that instances in private subnets, which have no public IP addresses, can initiate connections to the internet. Traffic is one-directional in the sense that hosts on the internet cannot initiate connections to instances in a private subnet through the NAT gateway; only the replies to outbound connections flow back in.
  3. Service Gateway: Lets resources in the VCN reach public OCI services, such as Object Storage, over the Oracle network without traversing an internet gateway or a NAT gateway.
  4. Dynamic Routing Gateway (DRG): Acts as a virtual router and provides a path for private traffic between the VCN and destinations other than the internet, such as an on-premises network (over FastConnect or Site-to-Site VPN) or another VCN.

Routing between networks is controlled by route tables. When several VCNs need to communicate with each other, peering is used; in every case the peered VCNs must have non-overlapping CIDR blocks: 

  1. Local Peering: VCNs in the same OCI region communicate through local peering. Each VCN uses a local peering gateway (LPG), the VCN component that terminates the peering connection and routes traffic to the peered VCN; each side also needs a route rule pointing at its LPG and security rules that allow the traffic.
  2. Remote Peering: VCNs in different OCI regions are connected with remote peering. It uses the Dynamic Routing Gateway of each VCN, with a remote peering connection attached to each DRG; the DRG is the same component that carries on-premises traffic over FastConnect and Site-to-Site VPN.

When dealing with a large number of VCNs (for example 250 to 300), the newer Dynamic Routing Gateway (DRG v2) can be used. With DRG v2 it is no longer necessary to maintain a mesh of point-to-point local peering gateways. Instead, each VCN is attached to the DRG and communicates with the others through it, and a single DRG supports up to 300 VCN attachments. 
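The address planning and routing described above (subnet carving, per-subnet route tables that select the internet, NAT, service or dynamic routing gateway, and the non-overlap requirement for peered VCNs) can be checked offline with a small model. The following is an added example written for this page, not OCI code or an OCI SDK call; the gateway names, the subnet layout and the service label "all-oci-services" (standing in for a real OCI service CIDR label) are constructed placeholders.

```python
"""VCN address planning and route resolution (added example, not OCI code).

Models three things: carving a VCN CIDR into subnets (10.0.0.0/16 -> 256 x /24),
resolving which gateway a packet leaves through via the subnet's route table
(longest-prefix match, with the VCN's own CIDR routed locally and no rule), and
checking that VCNs to be peered (LPG, remote peering or DRG v2) do not overlap.
Gateway names and the "all-oci-services" label are constructed placeholders.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# A route rule: destination (an IP CIDR, or a service label for a service gateway) -> target.
Route = Tuple[str, str]


def carve_subnets(vcn_cidr: str, new_prefix: int) -> List[IPv4Network]:
    """Split the VCN CIDR into equal-sized subnets, e.g. a /16 into /24s."""
    return list(ip_network(vcn_cidr).subnets(new_prefix=new_prefix))


def validate_subnets(vcn_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Return human-readable problems: a subnet outside the VCN, or two subnets overlapping."""
    vcn = ip_network(vcn_cidr)
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}
    problems = [f"{n} {net} is outside VCN {vcn}" for n, net in nets.items() if not net.subnet_of(vcn)]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def peering_conflicts(vcns: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of VCNs whose CIDRs overlap; such VCNs cannot be peered or attached to one DRG."""
    names = list(vcns)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ip_network(vcns[a]).overlaps(ip_network(vcns[b]))]


def next_hop(vcn_cidr: str, route_table: List[Route], destination: str) -> Optional[str]:
    """Resolve a destination to a route target.

    `destination` is an IP address, or a service label (e.g. "all-oci-services") for
    traffic to an OCI service. Addresses inside the VCN CIDR are routed locally without
    a rule; otherwise the most specific matching CIDR wins. None means no route (dropped).
    """
    try:
        dst = ip_address(destination)
    except ValueError:  # not an IP: match service-label rules exactly
        return next((target for dest, target in route_table if dest == destination), None)
    if dst in ip_network(vcn_cidr):
        return "local"
    best: Optional[Tuple[IPv4Network, str]] = None
    for dest, target in route_table:
        try:
            net = ip_network(dest)
        except ValueError:  # a service label; not applicable to an IP destination
            continue
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Constructed sample topology: VCN A with a public and a private subnet.
VCN_A = "10.0.0.0/16"
SUBNETS = {"public": "10.0.1.0/24", "private": "10.0.2.0/24"}
PUBLIC_RT: List[Route] = [("0.0.0.0/0", "internet-gw")]
PRIVATE_RT: List[Route] = [
    ("0.0.0.0/0", "nat-gw"),              # outbound internet only; nothing can be initiated inbound
    ("all-oci-services", "service-gw"),   # Object Storage etc. without an internet or NAT gateway
    ("10.1.0.0/16", "drg"),               # peered VCN B via DRG v2 (an LPG would also work in-region)
    ("172.16.0.0/12", "drg"),             # on-premises network over FastConnect or Site-to-Site VPN
]

if __name__ == "__main__":
    print(len(carve_subnets(VCN_A, 24)), "subnets;", validate_subnets(VCN_A, SUBNETS) or "subnets OK")
    for dst in ("10.0.1.10", "203.0.113.5", "10.1.2.3", "172.16.5.5", "all-oci-services"):
        print(f"private subnet -> {dst}: {next_hop(VCN_A, PRIVATE_RT, dst)}")
    print(peering_conflicts({"vcn-a": VCN_A, "vcn-b": "10.1.0.0/16", "vcn-c": "10.0.128.0/17"}))
```

Running it shows the private subnet sending internet traffic to the NAT gateway while the public subnet sends it to the internet gateway, the more specific 10.1.0.0/16 and 172.16.0.0/12 rules winning over 0.0.0.0/0 for peered and on-premises destinations, and vcn-c (10.0.128.0/17) rejected as a peer of vcn-a because the ranges overlap.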

Within a VCN, a security list is a set of firewall rules associated with a subnet and applied to every VNIC in that subnet. It specifies the traffic allowed into and out of the subnet, whether the other end is inside the VCN or outside it. Each rule is either stateful or stateless. A stateful rule uses connection tracking: if an ingress rule allows a connection to a port, the response traffic for that connection is allowed out automatically, and vice versa for egress rules. A stateless rule allows only the packets it matches, so the return traffic needs its own rule in the opposite direction. An ingress rule specifies a source and a destination port; an egress rule specifies a destination and a destination port. For example, to accept HTTP from anywhere on the internet, the ingress rule has source 0.0.0.0/0 and destination port 80. Note that the default security list created with a VCN allows inbound SSH (TCP port 22) from 0.0.0.0/0 and all outbound traffic, so it should be reviewed before instances are placed in a subnet that uses it.

Another network security construct is the Network Security Group (NSG). NSGs are similar to security lists, but differ in the following ways:

  1. NSGs apply only to the set of virtual network interface cards (VNICs) added to the group, all within a single VCN, whereas a security list applies to every VNIC in the subnet.
  2. An NSG rule can name another NSG as its source or destination, whereas a security list rule can specify only a CIDR block (or an OCI service, for service-gateway traffic) as the source or destination. When a VNIC is covered by both security lists and NSGs, the union of all their rules applies: traffic is allowed if any rule in any of them allows it.
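The evaluation semantics described for security lists and NSGs (stateful versus stateless rules, an NSG as a rule's source, and the union of every list and group attached to a VNIC) can be exercised with a small model. The following is an added example written for this page, not OCI code; the addresses, NSG names and rules are constructed sample data, ICMP type/code matching and OCI service destinations are not modelled, and the default security list is reproduced without its two ICMP rules.

```python
"""Security list / NSG rule evaluation for one VNIC (added example, not OCI code).

Simplified model of the semantics described above:
  - a rule is ingress or egress, stateful or stateless, and names a peer that is a
    CIDR block or (NSG rules only) another NSG;
  - a stateful rule tracks the connection so the reply direction is allowed without
    its own rule; a stateless rule requires an explicit rule for the reply;
  - when a VNIC is covered by several security lists and NSGs, the union of their
    rules applies: any single matching rule allows the packet.
ICMP type/code and OCI service destinations are not modelled; all data is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str                            # "ingress" or "egress"
    protocol: str                             # "tcp", "udp", "icmp" or "all"
    peer: str                                 # source CIDR (ingress) / destination CIDR (egress), or an NSG name
    ports: Optional[Tuple[int, int]] = None   # destination port range; None matches any port
    stateful: bool = True


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


ConnTrack = Set[Tuple[str, int, str, int, str]]   # (src_ip, src_port, dst_ip, dst_port, protocol)


def _peer_matches(peer: str, ip: str, nsg_members: Dict[str, Set[str]]) -> bool:
    """A peer is an NSG name (match if the IP belongs to a VNIC in that NSG) or a CIDR."""
    if peer in nsg_members:
        return ip in nsg_members[peer]
    return ip_address(ip) in ip_network(peer, strict=False)


def packet_allowed(pkt: Packet, direction: str, rule_sets: List[List[Rule]],
                   nsg_members: Dict[str, Set[str]], conntrack: ConnTrack) -> bool:
    """Decide whether `pkt` may pass the VNIC in `direction`.

    rule_sets holds every security list and NSG attached to the VNIC; they are
    evaluated as one union. conntrack is updated when a stateful rule admits a flow.
    """
    # Replies to a tracked stateful connection are allowed regardless of the rules.
    if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol) in conntrack:
        return True
    peer_ip = pkt.src_ip if direction == "ingress" else pkt.dst_ip
    for rules in rule_sets:
        for r in rules:
            if r.direction != direction or r.protocol not in ("all", pkt.protocol):
                continue
            if not _peer_matches(r.peer, peer_ip, nsg_members):
                continue
            if r.ports and not (r.ports[0] <= pkt.dst_port <= r.ports[1]):
                continue
            if r.stateful:
                conntrack.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol))
            return True
    return False


def scenarios() -> Dict[str, bool]:
    """Run the constructed sample topology and return each check's verdict."""
    web, bastion, other, internet = "10.0.1.10", "10.0.1.20", "10.0.1.99", "203.0.113.5"
    nsg_members = {"nsg-bastion": {bastion}, "nsg-web": {web}}
    # OCI's default security list (its two ICMP rules omitted): SSH from anywhere, all egress.
    default_sl = [Rule("ingress", "tcp", "0.0.0.0/0", (22, 22)),
                  Rule("egress", "all", "0.0.0.0/0")]
    # Hardened NSG for the web tier: HTTP from anywhere, SSH only from the bastion NSG.
    nsg_web = [Rule("ingress", "tcp", "0.0.0.0/0", (80, 80)),
               Rule("ingress", "tcp", "nsg-bastion", (22, 22)),
               Rule("egress", "tcp", "0.0.0.0/0", (443, 443))]
    http_in = Packet(internet, 51000, web, 80, "tcp")
    http_reply = Packet(web, 80, internet, 51000, "tcp")
    out: Dict[str, bool] = {}
    ct: ConnTrack = set()
    out["http_from_internet"] = packet_allowed(http_in, "ingress", [nsg_web], nsg_members, ct)
    # The reply goes to port 51000, which no egress rule allows; connection tracking admits it.
    out["http_reply_stateful"] = packet_allowed(http_reply, "egress", [nsg_web], nsg_members, ct)
    out["ssh_from_bastion_nsg"] = packet_allowed(Packet(bastion, 40000, web, 22, "tcp"), "ingress", [nsg_web], nsg_members, set())
    out["ssh_from_other_host"] = packet_allowed(Packet(other, 40001, web, 22, "tcp"), "ingress", [nsg_web], nsg_members, set())
    ssh_internet = Packet(internet, 40002, web, 22, "tcp")
    out["ssh_internet_nsg_only"] = packet_allowed(ssh_internet, "ingress", [nsg_web], nsg_members, set())
    # Union semantics: leaving the default security list on the subnet reopens SSH to the world.
    out["ssh_internet_with_default_sl"] = packet_allowed(ssh_internet, "ingress", [default_sl, nsg_web], nsg_members, set())
    # Stateless rule: the reply is not tracked, so without its own egress rule it is dropped.
    stateless_sl = [Rule("ingress", "tcp", "0.0.0.0/0", (80, 80), stateful=False)]
    ct2: ConnTrack = set()
    out["stateless_http_in"] = packet_allowed(http_in, "ingress", [stateless_sl], nsg_members, ct2)
    out["stateless_http_reply"] = packet_allowed(http_reply, "egress", [stateless_sl], nsg_members, ct2)
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:32s} {'ALLOW' if verdict else 'DROP'}")
```

The two verdicts worth noting are ssh_internet_with_default_sl, where the carefully restricted NSG is undone by the subnet's default security list because the union of rules applies, and stateless_http_reply, where a stateless ingress rule admits the request but drops the response for lack of a matching egress rule.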