Public Network in Private Cloud

Oracle Private Cloud Appliance is a private cloud solution. The infrastructure that provides the necessary services to deploy your cloud workloads is configured to operate within the network environment of your data center. During initialization, the appliance core network components are integrated with your existing data center network design. Uplink ports in the appliance switches connect to your next-level data center switches to provide a redundant high-speed and high-bandwidth physical connection that carries all traffic into and out of the appliance.

This is a critical difference with a public cloud environment, where the infrastructure is managed by your service provider, who grants you restricted access to systems in their data center. Because your cloud resources are not inside your own network, you access them over the internet, using a secure tunneling connection. In this context, network traffic between your public cloud and locations external to it is sent over the internet by definition. In other words, from the perspective of your cloud environment, the public network is effectively the internet. Compare this with the private cloud environment, where the public network is your on-premises network, and internet access is always indirect through your data center edge router.

Private Cloud Appliance is modeled after Oracle's public cloud offering: Oracle Cloud Infrastructure. This applies not only to the Networking service but to all the major infrastructure services: they have been optimized for the smaller scale of a single rack, while offering the same core functionality. One of the main objectives is to maintain maximum compatibility between both cloud platforms: this provides a very similar user experience and allows you to efficiently migrate workloads between your private cloud environment and your Oracle Cloud Infrastructure account.

Because the public cloud network model is applied to a private cloud environment, where the public network is actually the data center network, certain network resources or components present a different behavior. You need to be aware of these differences when designing and configuring the virtual cloud networks in Private Cloud Appliance.

  • Access to the on-premises network

    The appliance rack is located at your premises: it is set up inside your data center and connected directly to your on-premises network. There is no need for a secure tunnel over the internet to allow your cloud resources and your on-premises network to communicate with each other. Access is enabled through a gateway between your virtual cloud network (VCN) and your on-premises network.

  • Access to the internet

    Resources in your cloud environment have no direct internet access. In contrast with a public cloud environment, no gateway is capable of enabling direct internet connectivity for a VCN. Public connectivity implies that resources have access to the data center network. The configuration of the networking components in the data center determines how cloud resources can connect to the internet and whether they can be reached from the internet.

  • VCN gateways

    To manage network traffic into and out of your VCNs, several types of gateways are used. Resources in a VCN can connect to external hosts through either a dynamic routing gateway (DRG), a NAT gateway or an internet gateway. Technically, each of these gateways provides a path to your on-premises network. However, a DRG has an important limitation in that it performs no address translation and thus cannot handle any overlap between VCNs and the on-premises network.

    Although these gateways seem interchangeable to a certain extent, it is important to configure and use them strictly for their intended purpose. It helps to ensure that your private cloud network configuration remains compatible with the public cloud network model. If you move a workload into Oracle Cloud Infrastructure, the data center network is removed from the equation, meaning the NAT and internet gateways will provide direct internet access, and a DRG will only provide access to your on-premises network.

  • Public IP addresses

    From the perspective of a virtual cloud network, the public network is effectively the data center network, so a public IP address must be within its CIDR. To accommodate this, you must reserve an address range within the data center CIDR to be used exclusively by Private Cloud Appliance. You typically configure the public IP range during initial system setup. You can extend the range at a later time, but removing IPs is not allowed. The Networking service uses this range as a pool, from which it assigns public IP addresses to cloud resources that require them. A public IP makes a resource reachable from outside the VCN it resides in. In a private cloud context, it allows interaction with other resources in the data center or the on-premises network. The IPs that are considered "public" are really part of the data center's private range.

    The use of public IPs has different implications when you move a particular workload into Oracle Cloud Infrastructure, where public IPs are truly unique and publicly routable. True public IPs are scarce and expensive resources. Take this into account when designing applications and services in a private cloud environment: use private IPs to enable connectivity between components and assign public IPs only where true public connectivity is required.
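The two design constraints described above, that a DRG-attached VCN must not overlap the on-premises network because the DRG performs no address translation, and that the appliance public IP range must lie inside the data center CIDR and may only ever be extended, are easy to get wrong in a plan. The following script is an added example, not part of the Oracle documentation or the appliance software: it checks a proposed network plan against those rules using Python's standard `ipaddress` module, and includes a minimal model of the public IP pool from which the Networking service assigns addresses. All CIDRs, function names and the `PublicIpPool` class are constructed for illustration and are not appliance APIs.

```python
"""Plan checks for a Private Cloud Appliance network design (added example).

All CIDR values below are constructed for illustration; the function names
are hypothetical and do not correspond to any appliance API.
"""
import ipaddress
from typing import Iterable, List, Tuple


def net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR strictly so a typo such as 10.100.50.1/24 is rejected."""
    return ipaddress.ip_network(cidr, strict=True)


def public_range_within_dc(dc_cidr: str, public_range: str) -> bool:
    """The appliance's "public" IPs are really part of the data center's
    private range, so the reserved public range must sit inside the DC CIDR."""
    return net(public_range).subnet_of(net(dc_cidr))


def drg_overlaps(drg_vcn_cidrs: Iterable[str],
                 onprem_cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (VCN CIDR, on-prem CIDR) pairs that overlap.

    A DRG performs no address translation, so any overlap between a
    DRG-attached VCN and the on-premises network is a design error."""
    return [(v, o) for v in drg_vcn_cidrs for o in onprem_cidrs
            if net(v).overlaps(net(o))]


def pool_change_allowed(current: Iterable[str], proposed: Iterable[str]) -> bool:
    """The public IP range may be extended later but addresses may not be
    removed: every address in the current pool must remain in the proposed one.

    Both sides are collapsed first so that adjacent blocks compare correctly
    (e.g. two /24s that together form one /23)."""
    cur = ipaddress.collapse_addresses(net(r) for r in current)
    new = list(ipaddress.collapse_addresses(net(r) for r in proposed))
    return all(any(c.subnet_of(n) for n in new) for c in cur)


class PublicIpPool:
    """Minimal model of the Networking service's public IP pool: hand out
    usable host addresses from the reserved range and track what is in use."""

    def __init__(self, ranges: Iterable[str]) -> None:
        # hosts() skips the network and broadcast addresses of each block
        self._free = [str(h) for r in ranges for h in net(r).hosts()]
        self._used: set = set()

    def assign(self) -> str:
        if not self._free:
            raise RuntimeError("public IP pool exhausted; extend the reserved range")
        ip = self._free.pop(0)
        self._used.add(ip)
        return ip

    def release(self, ip: str) -> None:
        if ip not in self._used:
            raise ValueError(f"{ip} is not assigned from this pool")
        self._used.remove(ip)
        self._free.append(ip)

    def in_use(self) -> List[str]:
        return sorted(self._used)


def validate_plan(dc_cidr: str, public_range: str,
                  drg_vcn_cidrs: Iterable[str],
                  onprem_cidrs: Iterable[str]) -> List[str]:
    """Run every check and return human-readable findings (empty means OK)."""
    findings = []
    if not public_range_within_dc(dc_cidr, public_range):
        findings.append(f"public IP range {public_range} is not inside "
                        f"data center CIDR {dc_cidr}")
    onprem = list(onprem_cidrs)
    for vcn, onp in drg_overlaps(drg_vcn_cidrs, onprem):
        findings.append(f"DRG-attached VCN {vcn} overlaps on-premises "
                        f"range {onp}; a DRG cannot translate addresses")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: a data center /16 with a /24 carved out
    # for appliance public IPs, and a VCN that collides with on-prem space.
    for line in validate_plan("10.100.0.0/16", "10.100.50.0/24",
                              ["10.0.0.0/16", "10.100.0.0/24"],
                              ["10.100.0.0/16", "172.16.0.0/12"]):
        print("FINDING:", line)
    pool = PublicIpPool(["10.100.50.0/29"])
    print("assigned", pool.assign(), "in use:", pool.in_use())
```

The collapse step in `pool_change_allowed` matters: a plan that replaces `10.100.50.0/24` and `10.100.51.0/24` with a single `10.100.50.0/23` removes nothing and is accepted, while shrinking a `/24` to a `/25` is rejected because addresses would disappear from the pool.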