Creating an OKE VCN

Create the following resources in the order listed:

  1. VCN

  2. Internet gateway

  3. Route table with public route rule

  4. NAT gateway

  5. Route table with private route rule

  6. Modify the VCN default security list

Resource names and CIDR blocks are example values.

VCN

To create the VCN, use the instructions in Creating a VCN in the Oracle Private Cloud Appliance User Guide. For Terraform input, see Example Terraform Scripts for Network Resources.

For this example, use the following input to create the VCN. The VCN covers one contiguous CIDR block. The CIDR block cannot be changed after the VCN is created.

Compute Web UI property:

  • Name: oketest-vcn

  • CIDR Block: vcn_cidr

  • DNS Label: oketest

    This label must be unique across all VCNs in the tenancy.

OCI CLI property:

  • --display-name: oketest-vcn

  • --cidr-blocks: '["vcn_cidr"]'

  • --dns-label: oketest

    This label must be unique across all VCNs in the tenancy.

Note the OCID of the new VCN. In the examples in this guide, this VCN OCID is ocid1.vcn.oke_vcn_id.

Next steps: To enable internet access for OKE nodes, add an internet gateway and a route rule that references that internet gateway. For traffic that needs to go outside the VCN but not to the internet (for example, to your data center), add a NAT gateway and edit the default route table to add a route rule that references that NAT gateway.

Private Route Table

Create a NAT gateway, and edit the default route table to reference the NAT gateway.

NAT Gateway

To create the NAT gateway, use the instructions in Enabling Public Connections through a NAT Gateway in the Oracle Private Cloud Appliance User Guide. For Terraform input, see Example Terraform Scripts for Network Resources.

Note the name and OCID of the NAT gateway for assignment to the private route rule.

Private Route Rule

Modify the default route table, using the following input to create a private route rule that references the NAT gateway that was created in the preceding step. See "Updating Rules in a Route Table" in Working with Route Tables in the Oracle Private Cloud Appliance User Guide.

Compute Web UI property:

  • Display name: Default - private

Route rule

  • Target Type: NAT Gateway

  • NAT Gateway: Name of the NAT gateway that was created in the preceding step

  • CIDR Block: 0.0.0.0/0

  • Description: OKE private route rule

OCI CLI property:

  • --rt-id: ocid1.routetable.default_routetable_id

  • --display-name: Default - private

  • --route-rules

    • networkEntityId: OCID of the NAT gateway that was created in the preceding step

    • destinationType: CIDR_BLOCK

    • destination: 0.0.0.0/0

    • description: OKE private route rule

Note the name and OCID of this route table for assignment to private subnets.

Public Route Table

Create an internet gateway and a route table with a route rule that references the internet gateway.

Internet Gateway

To create the internet gateway, use the instructions in Providing Public Access through an Internet Gateway in the Oracle Private Cloud Appliance User Guide. For Terraform input, see Example Terraform Scripts for Network Resources.

Note the name and OCID of the internet gateway for assignment to the public route rule.

Public Route Rule

To create a route table, use the instructions in "Creating a Route Table" in Working with Route Tables in the Oracle Private Cloud Appliance User Guide. For Terraform input, see Example Terraform Scripts for Network Resources.

For this example, use the following input to create the route table with a public route rule that references the internet gateway that was created in the preceding step.

Compute Web UI property:

  • Name: public

Route rule

  • Target Type: Internet Gateway

  • Internet Gateway: Name of the internet gateway that was created in the preceding step

  • CIDR Block: 0.0.0.0/0

  • Description: OKE public route rule

OCI CLI property:

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: public

  • --route-rules

    • networkEntityId: OCID of the internet gateway that was created in the preceding step

    • destinationType: CIDR_BLOCK

    • destination: 0.0.0.0/0

    • description: OKE public route rule

Note the name and OCID of this route table for assignment to public subnets.

VCN Default Security List

Modify the default security list using the input shown in the following table: delete all of the default rules, then create the one egress rule and three ingress rules shown in the table.

To modify a security list, use the instructions in "Updating a Security List" in Controlling Traffic with Security Lists in the Oracle Private Cloud Appliance User Guide. For Terraform input, see Example Terraform Scripts for Network Resources.

Compute Web UI property:

One egress security rule:

  • Stateless: uncheck the box

  • Egress CIDR: 0.0.0.0/0

  • IP Protocol: All protocols

  • Description: "Allow all outgoing traffic."

Three ingress security rules:

Ingress Rule 1

  • Stateless: uncheck the box

  • Ingress CIDR: vcn_cidr

  • IP Protocol: ICMP

    • Parameter Type: 8: Echo

  • Description: "Allow ping from VCN."

Ingress Rule 2

  • Stateless: uncheck the box

  • Ingress CIDR: 0.0.0.0/0

  • IP Protocol: ICMP

    • Parameter Type: 3: Destination Unreachable

  • Description: "Allow unreachables."

Ingress Rule 3

  • Stateless: uncheck the box

  • Ingress CIDR: 0.0.0.0/0

  • IP Protocol: ICMP

    • Parameter Type: 11: Time Exceeded

  • Description: "Allow time exceeded."

OCI CLI property:

  • --security-list-id: ocid1.securitylist.default_securitylist_id

One egress security rule:

  • --egress-security-rules

    • isStateless: false

    • destination: 0.0.0.0/0

    • destinationType: CIDR_BLOCK

    • protocol: all

    • description: "Allow all outgoing traffic."

Three ingress security rules:

  • --ingress-security-rules

Ingress Rule 1

    • isStateless: false

    • source: vcn_cidr

    • sourceType: CIDR_BLOCK

    • protocol: 1

    • icmpOptions

      • type: 8

    • description: "Allow ping from VCN."

Ingress Rule 2

    • isStateless: false

    • source: 0.0.0.0/0

    • sourceType: CIDR_BLOCK

    • protocol: 1

    • icmpOptions

      • type: 3

    • description: "Allow unreachables."

Ingress Rule 3

    • isStateless: false

    • source: 0.0.0.0/0

    • sourceType: CIDR_BLOCK

    • protocol: 1

    • icmpOptions

      • type: 11

    • description: "Allow time exceeded."

Note the name and OCID of this default security list for assignment to subnets.
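As an added example (not from the Oracle guide), the following Python builds the rule lists for the public and private route tables and for the default security list described above, in the key names the OCI CLI expects for --route-rules, --egress-security-rules and --ingress-security-rules (json.dumps of a list gives the argument value), and audits the ingress rules against the intended ICMP-only posture: ping only from inside the VCN, no non-ICMP ingress, no stateless rules. The OCIDs and the vcn_cidr value are constructed placeholders.

```python
# Added example, not from the Oracle guide: builds the OCI CLI rule lists for the
# OKE route tables and default security list above, and audits the ingress rules.
VCN_CIDR = "10.0.0.0/16"                    # constructed stand-in for vcn_cidr
IGW_OCID = "ocid1.internetgateway.example"  # constructed placeholder OCID
NAT_OCID = "ocid1.natgateway.example"       # constructed placeholder OCID

def default_route(target_ocid, description):
    """One --route-rules entry sending 0.0.0.0/0 to the given gateway."""
    return {"networkEntityId": target_ocid, "destinationType": "CIDR_BLOCK",
            "destination": "0.0.0.0/0", "description": description}

def route_table_kind(rules):
    """'public' if 0.0.0.0/0 targets an internet gateway, 'private' for NAT."""
    for r in rules:
        if r["destination"] == "0.0.0.0/0":
            target = r["networkEntityId"].split(".")[1]  # OCID resource type
            return {"internetgateway": "public",
                    "natgateway": "private"}.get(target, "other")
    return "isolated"  # no default route: traffic stays inside the VCN

def icmp_ingress(source, icmp_type, description):
    """One --ingress-security-rules entry; protocol "1" is ICMP."""
    return {"isStateless": False, "source": source, "sourceType": "CIDR_BLOCK",
            "protocol": "1", "icmpOptions": {"type": icmp_type},
            "description": description}

PUBLIC_ROUTE_RULES = [default_route(IGW_OCID, "OKE public route rule")]
PRIVATE_ROUTE_RULES = [default_route(NAT_OCID, "OKE private route rule")]
EGRESS_RULES = [{"isStateless": False, "destination": "0.0.0.0/0",
                 "destinationType": "CIDR_BLOCK", "protocol": "all",
                 "description": "Allow all outgoing traffic."}]
INGRESS_RULES = [icmp_ingress(VCN_CIDR, 8, "Allow ping from VCN."),
                 icmp_ingress("0.0.0.0/0", 3, "Allow unreachables."),
                 icmp_ingress("0.0.0.0/0", 11, "Allow time exceeded.")]

def audit_ingress(rules, vcn_cidr=VCN_CIDR):
    """Flag ingress wider than intended: non-ICMP, echo from outside, stateless."""
    findings = []
    for r in rules:
        src = r.get("source")
        if r.get("protocol") != "1":
            findings.append(f"non-ICMP ingress from {src} (protocol {r.get('protocol')})")
        elif r.get("icmpOptions", {}).get("type") == 8 and src != vcn_cidr:
            findings.append(f"ICMP echo allowed from {src}, expected only {vcn_cidr}")
        if r.get("isStateless"):
            findings.append(f"stateless rule from {src}")
    return findings
```

Run route_table_kind on a table before attaching it to a subnet so a private node subnet never receives the table whose default route is the internet gateway, and run audit_ingress on the security list after any later edit to confirm nothing beyond the three ICMP rules was opened.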