Configuring VCN Gateways

Virtual processes communicate with other processes in a variety of ways. If two instances are in the same subnet, meaning the network portions of their IP addresses match, there is no special configuration needed to allow them to communicate. A logical switch connects source and destination at the MAC address level. Also, communication between instances in the same VCN but different subnets requires no routing configuration. Routing is only needed for traffic that is going to a destination or coming from a source external to a VCN.

When communication between two virtual processes is needed and the source and destination are in two different VCNs, then configuration of one of five different types of gateway is necessary in the source VCN. In this context, a gateway is a special type of router, connecting two different IP networks by following rules set up in a route table. (A router can be thought of as a multiport gateway, and a gateway can be thought of as a two-port router.)

When you first create a VCN, various resources are listed in the UI and available for listing with a CLI command. Some of the resources are listed automatically when you create a subnet, and others must be configured explicitly.

• Subnets. This resource gives the number of subnets created under the VCN. All other resources also display counts for the VCN.

• Route Tables. This resource gives the number of route tables. Subnets can share route tables, especially default route tables, so this count is not necessarily the same as the count of subnets, especially if there is more than one subnet for the VCN.

• Internet Gateways. This resource gives the number of internet gateways configured . Initially, there are none.

• Local Peering Gateway. This resource gives the number of local peering gateways configured. Initially, there are none.

• DHCP Options. This resource gives the number of DHCP option lists. There is at least one for the VCN by default, but more can be created.

• Security Lists. This resource gives the number of Security Lists. There is at least one set of ingress and egress rules for the VCN by default, but more can be created.

• NAT Gateways. This resource gives the number of NAT gateways configured. Initially, there are none.

• Network Security Groups. This resource gives the number of Network Security Groups configured . Initially, there are none, but you can gather existing Security Lists into Network Security Groups, where all security rules are applied at once, as needed.

• Service Gateways. This resource gives the number of service gateways configured. Initially, there are none.

• Dynamic Routing Gateways. This resource gives the number of dynamic routing gateways (DRGs) configured. Initially, there are none. Note that these gateways are not configured without the VCN, but attached to the VCN.

• Dynamic Routing Gateway Attachments. This resource gives the number of dynamic routing gateways attachments that have been configured. You must have a DRG configured to have attachments listed.

The various types of gateways are configured for very specific reasons.

• NAT Gateway. A NAT gateway is used to translate IP addresses as traffic passes from one part of an IP network to another. When used between a VCN and the on-premises data center network. the NAT address becomes the source address for traffic sent on to the data center network. A NAT gateway allows egress to the on-premises network from a VCN. It does not allow connections to be initiated to the instances in the VCN. Although essentially one-way, return traffic is allowed for connections initiated in the VCN. Contrast NAT Gateway with the Internet Gateway, which allows connections into and out of the VCN, the NAT Gateway allows instances with public IP addresses to be reachable from outside the PCA network.

  Note:

  A VCN connected to the on-premises network with a Dynamic Routing Gateway cannot overlap with any on-premises CIDR, or other VCN CIDRs connected with a Dynamic Routing Gateway. In other words, the IP addresses used must be exclusive to the VCN.

• Internet Gateway (IGW). An IGW provides the VCN with outside access through the on-premises data center network. The source and destination must have routable, public IP addresses, and a VCN can have only one IGW.

• Local Peering Gateway (LPG). A Local Peering Gateway (LPG) is a way to connect VCNs so that elements in each VCN can communicate, even using private IP address. Peered VCNs can be in different tenancies.

• Dynamic Routing Gateway (DRG). A DRG is used to connect a VCN to the data center's IP address space. That is, outside the Oracle Private Cloud Appliance rack in the data center. The data center network can, if configured that way, pass Oracle Private Cloud Appliance traffic on to other destinations.

• Service Gateway (SG). Some services are isolated on their own network for security and performance reasons. The service gateway (SG) allows a VCN with no external access to privately access Service Network services (such as object storage) in a private subnet.

Enabling Public Connections through a NAT Gateway

A NAT gateway is used to translate IP addresses as traffic passes from one part of an IP network to another. This prevents sources and destinations from having identical IP addresses, and allows RFC 1918 private addresses used in Oracle Private Cloud Appliance traffic to communicate with on-premises data center networks. A NAT gateway is attached to a VCN at the subnet level, allowing finer control of the address translations. The NAT gateway is configured separately from the VCNs, and is not required to be in the same compartment as the VCN (but can be). However, the NAT gateway is within the VCN, and only one NAT per VCN is allowed. The NAT address becomes the source address for traffic sent on to the data center network.

Using the Compute Web UI

1. In the navigation menu, under Networking, click Virtual Cloud Networks. A list of previously configured VCNs in compartments appears. If the compartment you are creating the NAT gateway in is not in the title bar, then use the drop-down tab to select the correct compartment.

2. Click on the VCN that you are creating the NAT gateway in.

3. In the Resources menu for that VCN, click on NAT Gateways (the number of configured NAT gateways in parentheses does not matter).

4. Click on Create NAT Gateway

5. Fill in the required NAT gateway information:

   • Name: Provide a name or description for the NAT gateway. Avoid using any of the organization's confidential information.

   • Create in Compartment: Select the compartment in which to create the NAT Gateway.

   • Block Traffic Choose whether to block traffic to this NAT Gateway.

     • (Yes: Traffic Not Blocked): By default, the VCN uses the NAT gateway even if it is not completely configured.

     • (No: Traffic Blocked): You can set the NAT gateway not see traffic until it is explicitly enabled to do so.

     For more information on NAT gateways, refer to "NAT Gateways" in the Virtual Networking Overview chapter of the Oracle Private Cloud Appliance Concepts Guide.

   • Tagging: Optionally, add one or more tags to this resource. For more information about tagging, see Working with Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

6. Click Create NAT Gateway.

   The NAT Gateway is now ready for the addition of route rules or security settings.

Using the OCI CLI

1. Gather the information that you need to run the command:

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

   • VCN OCID (oci network vcn list --compartment-id <compartment_OCID>)

2. Run the oci network nat-gateway create command.

   Note:

   This procedure shows the minimum required parameters for this command. For information about optional parameters, run the command with the --help option.

   Syntax (entered on a single line):

   oci network nat-gateway create \
   --compartment-id <compartment_OCID> \
   --vcn-id <vcn_OCID>
                              

   Example:

   oci network nat-gateway create \
    --compartment-id ocid1.compartment.….….….uniqueID \
    –-vcn-id ocid1.vcn.….….….uniqueID
    
   {
     "data": {
       "block-traffic": true,
       "compartment-id": "ocid1.compartment.….….….uniqueID",
       "defined-tags": {},
       "display-name": "natgateway20210827215953",
       "freeform-tags": {},
       "id": "ocid1.vcn.….….….uniqueID",
       "lifecycle-state": "PROVISIONING",
       "nat-ip": "10.133.80.3",
       "public-ip-id": "ocid1.publicip.AK00661530.scasg01..….….….uniqueID",
       "time-created": "2021-08-27T21:59:53.858329+00:00",
       "vcn-id": "ocid1.vcn.AK00661530.scasg01..….….….uniqueID"
     },
     "etag": "c98377e4-ae89-46cf-9c61-52aea68a3476"
   }
   

   The NAT Gateway is now ready for the addition of route rules or security settings. Note that the name of the gateway (natgateway20210827215953) is assigned automatically and not by a parameter, and that the IP address of the device (10.133.80.3) is also assigned automatically.

Providing Public Access through an Internet Gateway

An Internet Gateway (IGW) provides the VCN with outside access through the on-premises data center network. The IGW is configured within the VCN, so the IGW is automatically attached to the VCN in which it is configured. The source and destination must have routable, public IP addresses, and a VCN can have only one IGW. Any traffic using public IP addresses goes through the IGW. The IGW is not required to be in the same compartment as the VCN. A subnet's route table determines which public subnets can use the IGW, and the subnet security list defines the types of traffic that can use the IGW. Like a physical router, the IGW can be disabled, severing internet access no matter what permissions are established.

Using the Compute Web UI

1. In the navigation menu, under Networking, click Virtual Cloud Networks. A list of previously configured VCNs in compartments appears. If the compartment you are creating the internet gateway in is not in the title bar, then use the drop-down tab to select the correct compartment.

2. Click on the VCN that you are creating the internet gateway in.

3. In the Resources menu for that VCN, click on Internet Gateways (the number of configured internet gateways in parentheses does not matter).

4. Click on Create Internet Gateway

5. Fill in the required internet gateway information:

   • Name: Provide a name or description for the internet gateway. Avoid using any of the organization's confidential information.

   • Create in Compartment: Select the compartment in which to create the Internet Gateway.

     For more information on internet gateways, refer to the "Internet Gateways" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

   • Enabled: Use the toggle to determine if the gateway is enabled at creation or not. The default is to enable the gateway.

     • (Yes: Gateway Enabled: By default, the VCN uses the gateway when created.(No: Gateway Disabled): You can set the gateway not see traffic until it is explicitly enabled to do so.

   • Tagging: Optionally, add one or more tags to this resource.

     For more information about tagging, see Working with Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

6. Click Create Internet Gateway.

   The Internet Gateway is now ready for the addition of route rules or security settings.

Using the OCI CLI

1. Gather the information that you need to run the command:

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

   • VCN OCID (oci network vcn list --compartment-id <compartment_OCID>)

2. Run the oci network internet-gateway create command.

   Note:

   This procedure shows the minimum required parameters for this command. For information about optional parameters, run the command with the --help option.

   Syntax (entered on a single line):

   oci network internet-gateway create
   --compartment-id <compartment_OCID>
   --is-enabled <boolean: true | false>
   --vcn-id <vcn_OCID>
                              

   Example:

   oci network internet-gateway create \
    --compartment-id ocid1.compartment.….….….uniqueID
    –-is-enabled true 
    –-vcn-id ocid1.vcn.….….….uniqueID
    
   {
     "data": {
       "compartment-id": "ocid1.compartment.….….….uniqueID",
       "defined-tags": {},
       "display-name": "internetgateway20210830165014",
       "freeform-tags": {},
       "id": "ocid1.internetgateway.AK00661530.scasg01..….….….uniqueID",
       "is-enabled": true,
       "lifecycle-state": "PROVISIONING",
       "time-created": "2021-08-30T16:50:14.634466+00:00",
       "vcn-id": "ocid1.vcn.….….….uniqueID",
     },
     "etag": "c98377e4-ae89-46cf-9c61-52aea68a3476"
   }

   The Internet Gateway is now ready for the addition of route rules or security settings. The IGW is not reachable unless there is at least one route rule for the gateway in the route table. For more information about configuring route rules, see Working with Route Tables.

Disable or Enable an Internet Gateway

You can enable or disable the IGW using the Compute Web UI or the OCI CLI.

Using the Compute Web UI

1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

2. Click the name of the VCN that contains the IGW you want to enable or disable. The VCN details page is displayed.

3. In the Internet Gateway list in the Resources section, locate the IGW to enable or disable. The configuration details show whether the IGW is enabled or not (Yes or No).

4. Access the Edit dialog from the Actions menu, or click Edit in the upper right of the details box.

5. Change the status of the Enabled toggle to Yes or No. Click Update to change the status of the IGW.

Using the OCI CLI

1. Get the IGW OCID of the IGW you want to enable or disable (oci network internet-gateway list -c compartment_OCID)

2. Enter the internet-gateway update --is-enabled command with the True or False boolean value.

   $ oci network internet-gateway update --ig-id internetgateway_OCID --is-enabled boolean

   Use the --force option to override the confirmation step.

Delete an Internet Gateway

If you have previously configured an IGW, you can delete it.

Using the Compute Web UI

1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

2. Click the name of the VCN that contains the IGW you want to delete. The VCN details page is displayed.

3. In the Internet Gateway list in the Resources section, locate the IGW to delete. In the Actions menu, click Delete. Confirm the operation when prompted.

Using the OCI CLI

1. Get the IGW OCID of the IGW you want to delete (oci network internet-gateway list -c compartment_OCID)

2. Enter the internet-gateway delete command.

   $ oci network internet-gateway delete --ig-id internet-gateway_OCID
   Are you sure you want to delete this resource? [y/N]: y

   Use the --force option to override the confirmation step.

Connecting VCNs through a Local Peering Gateway

A Local Peering Gateway (LPG) is a way to connect VCNs so that elements in each VCN can communicate, even using private IP address. Peered VCNs can be in different tenancies. There are several other requirements for LPG configuration:

• The CIDRs for the VCNs linked by the LPG cannot overlap.

• Each peered VCN must have an LPG configured correctly, and the LPGs must be connected.

• VCN route rules must be properly configured to steer VCN subnet traffic to and from the LPGs.

• Security rules must be properly configured to allow or deny certain types VCN subnet traffic use the LPGs

Using the Compute Web UI

1. In the navigation menu, under Networking, click Virtual Cloud Networks. A list of previously configured VCNs in compartments appears. If the compartment you are creating the local peering gateway in is not in the title bar, then use the drop-down tab to select the correct compartment.

2. Click on the VCN that you are creating the local peering gateway in.

3. In the Resources menu for that VCN, click on Local Peering Gateways (the number of configured local peering gateways in parentheses does not matter).

4. Click on Create Local Peering Gateway

5. Fill in the required Local Peering gateway information:

   • Name: Provide a name or description for the local peering gateway. Avoid using any of the organization's confidential information.

   • Create in Compartment: Select the compartment in which to create the Local Peering Gateway.

   • Route Table Association (Optional) Optionally, you can associate a route table with the Local Peering Gateway. A list of configured route tables for the selected compartment is in a drop-down list. You can change the compartment by clicking (change) next to the compartment name.

     For more information on local peering gateways, refer to "Local Peering Gateways" in the Virtual Networking Overview chapter of the Oracle Private Cloud Appliance Concepts Guide.

   • Tagging: Optionally, add one or more tags to this resource.

     For more information about tagging, see Working with Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

6. Click Create Local Peering Gateway.

   The Local Peering Gateway is now ready for connecting VCNs with Establish Peering Connection, and the addition of route rules or security settings.

Using the OCI CLI

1. Gather the information that you need to run the command:

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

   • VCN OCID (oci network vcn list --compartment-id <compartment_OCID>)

2. Run the oci network local-peering-gateway create command.

   Note:

   This procedure shows the minimum required parameters for this command. For information about optional parameters, run the command with the --help option.

   Syntax (entered on a single line):

   oci network local-peering-gateway create \
   --compartment-id <compartment_OCID> \
   --vcn-id <vcn_OCID>
                              

   Example:

   oci network local-peering-gateway create \
    --compartment-id ocid1.compartment.….….….uniqueID \
    –-vcn-id ocid1.vcn.….….….uniqueID
    
   {
     "data": {
       "compartment-id": "ocid1.compartment.….….….uniqueID",
       "defined-tags": {},
       "display-name": "localpeeringgateway20210830174050",
       "freeform-tags": {},
       "id": "ocid1.lpg.AK00661530.scasg01..….….….uniqueID",
       "is-cross-tenancy-peering": false,
       "lifecycle-state": "AVAILABLE",
       "peer-advertised-cidr": null,
       "peer-advertised-cidr-details": null,
       "peering-status": "NEW",
       "peering-status-details": null,
       "route-table-id": null,
       "time-created": "2021-08-30T17:40:50.876023+00:00",
       "vcn-id": "ocid1.vcn.….….….uniqueID"
     },
     "etag": "c98377e4-ae89-46cf-9c61-52aea68a3476"
   }

Connecting to the On-Premises Network through a Dynamic Routing Gateway

Dynamic Routing Gateway (DRG). A DRG is the Oracle Private Cloud Appliance equivalent of a general purpose router. A DRG is used to connect a VCN to the data center's IP address space. The router is configured separately from the VCNs, at the compartment level and is not required to be in the same compartment as the VCN (but it typically is). Once configured, the DRG can be attached to more than one VCN and, like a physical router, can be attached and detached at any time, although perhaps with traffic loss. Also like a physical router, even when attached to a VCN, the DRG must have route table rules to steer traffic to the on-premises data center network's IP address space.

Create a Dynamic Routing Gateway

Using the Compute Web UI

1. In the navigation menu, under Networking, click Dynamic Routing Gateways (DRGs). A list of previously configured DRGs in compartments appears. If the compartment you are creating the dynamic routing gateway in isn't in the title bar, then use the drop-down tab to select the correct compartment.

2. Click Create Dynamic Routing Gateway.

3. Fill in the required dynamic routing gateway information:

   • Name: Provide a name or description for the dynamic routing gateway. Avoid using any of the organization's confidential information.

   • Create in Compartment: Select the compartment in which to create the dynamic routing Gateway.

     For more information on dynamic routing gateways, refer to "Dynamic Routing Gateways" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

4. Click Create Dynamic Routing Gateway.

   The Dynamic Routing Gateway is now ready for the addition of DRG attachments, such as a route table.

Using the OCI CLI

1. Gather the information that you need to run the command:

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

2. Run the oci network drg create command to create the DRG and the oci network drg-attachment update command to attach a route table OCID to the DRG OCID.

   Note:

   This procedure shows the minimum required parameters for this command. For information about optional parameters, run the command with the --help option.

   Syntax (entered on a single line):

   oci network drg create
   --compartment-id <compartment_OCID>

   Example:

   oci network drg create \
    --compartment-id ocid1.compartment.….….….uniqueID 
    
   {
     "data": {
       "compartment-id": "ocid1.compartment.….….….uniqueID",
       "defined-tags": {},
       "display-name": "drg20210830204524",
       "freeform-tags": {},
       "id": "ocid1.drg..….….….uniqueID",
       "lifecycle-state": "AVAILABLE",
       "time-created": "2021-08-30T20:45:24.236954+00:00"
     },
     "etag": "c98377e4-ae89-46cf-9c61-52aea68a3476"
   }

   Note:

   When the DRG has been created, use the oci network drg-attachment update command to attach a route table to the DRG.

   $ oci network drg-attachment update --drg-attachment-id ocid1.drgattachment....….….….uniqueID \
     --route-table-id ocid1.routetable....….….….uniqueID
   
   {
     "data": {
       "compartment-id": "ocid1.compartment.….….….uniqueID",
       "defined-tags": {},
       "display-name": "drg20210830204524",
       "freeform-tags": {},
       "drg-attachment-id": "ocid1.drgattachment..….….….uniqueID",
       "lifecycle-state": "AVAILABLE",
       "route-table-id": "ocid1.routetable.….….….uniqueID",  
       "time-created": "2021-08-30T20:45:24.236954+00:00"
     },
     "etag": "c98377e4-ae89-46cf-9c61-52aea68a3476"
   }

Attach VCNs to a Dynamic Routing Gateway

You can connect many VCNs to a DRG, but each VCN can have only one DRG attached. You must still ensure the route tables and security lists allow communication.

Using the Compute Web UI

1. In the navigation menu, under Networking, click Dynamic Routing Gateways. A list of previously configured DRGs in compartments appears. If the compartment you are attaching the dynamic routing gateway to isn't in the title bar, then use the drop-down tab to select the correct compartment.

2. Click Dynamic Routing Gateway name in the list of DRGs for that compartment.

3. Click Attach to Virtual Cloud Network.

4. Click the VCN to attach the DRG to, from the list of VCNs in the drop down list. If the correct compartment isn't in the title bar, then use the drop-down tab to select the correct compartment.

5. Click Attach to DRG.

6. Repeat the process to attach the other VCNs to the DRG and connect the VCNs.

   The Dynamic Routing Gateway is attached to the selected VCN.

You can connect up to 10 VCNs to a DRG, but each VCN can have only one DRG attached. You must still ensure the route tables and security lists allow communication.

Using the OCI CLI

1. Gather the information that you need to run the command:

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

   • VCN OCID (oci network vcn list --compartment-id <compartment_OCID>)

   • Dynamic Routing Gateway OCID (oci network drg-attachment --compartment-id <compartment_OCID> )

2. Run the oci network drg-attachment create command.

   Note:

   This procedure shows the minimum required parameters for this command. For information about optional parameters, run the command with the --help option.

   Syntax (entered on a single line):

   oci network drg-attachment create \
   --drg-id <drg_OCID> \
   --vcn-id <vcn_OCID>

   Example:

   oci network drg-attachment create \
    --drg-id ocid1.drg.….….….uniqueID \
    --vcn-id ocid1.vcn.….….….uniqueID 
    
   {
    "data": {
    "compartment-id": "ocid1.compartment.….….….uniqueID",
    "display-name": "drgattachment20210902221928",
    "drg-id": "ocid1.drg.….….….uniqueID",
    "id": "ocid1.drgattachment.AK00661530.scasg01..….….….uniqueID",
    "lifecycle-state": "ATTACHING",
    "route-table-id": null,
    "time-created": "2021-09-02T22:19:28.642402+00:00",
    "vcn-id": "ocid1.vcn.….….….uniqueID
    },
    "etag": "c98377e4-ae89-46cf-9c61-52aea68a3476"
   }

Accessing Oracle Services through a Service Gateway

Some services are isolated on their own network for security and performance reasons. The service gateway (SG) allows a VCN with no external access to privately access Service Network services (such as object storage) in a private subnet. These services are reached at the infrastructure level through the management node cluster.

The feature is non-functional and implemented for compatibility purposes.

A VCN can have only one service gateway. The service gateway is automatically attached to the VCN it is created in. Services use CIDR labels, and are allowed by default.

For each enabled Service, you need a route rule with the Service object’s cidrBlock as the rule destination and the service gateway as the rule target.

Using the Compute Web UI

1. In the navigation menu, under Networking, click Virtual Cloud Networks. A list of previously configured VCNs in compartments appears. If the compartment you are creating the service gateway in is not in the title bar, then use the drop-down tab to select the correct compartment.

2. Click on the VCN that you are creating the service gateway in.

3. In the Resources menu for that VCN, click on Service Gateways (If you are creating a service gateway for a particular VCN< the number of configured service gateways in parentheses should be zero (0)).

4. Click on Create Service Gateway

5. Fill in the required service gateway information:

   • Name: Provide a name or description for the service gateway. Avoid using any of the organization's confidential information.

   • Create in Compartment: Select the compartment in which to create the service Gateway.

   • Services: Select the service from the list.

   • Route Table Association (Optional): Optionally, you can associate a route table with the Service Gateway. A list of configured route tables for the selected compartment is in a drop-down list. You can change the compartment by clicking (change) next to the compartment name.

     For more information on service gateways, refer to "Service Gateways" in the Virtual Networking Overview chapter of the Oracle Private Cloud Appliance Concepts Guide.

   • Tagging: Optionally, add one or more tags to this resource.

     For more information about tagging, see Working with Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

6. Click Create Service Gateway.

   The Service Gateway is now ready for the addition of route rules or security settings.

Using the OCI CLI

1. Gather the information that you need to run the command:

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

   • VCN OCID (oci network vcn list --compartment-id <compartment_OCID>)

2. Run the oci network service-gateway create command.

   Complex data types are usually handled by using the --generate-full-command-json-input option, or, in this case, oci network service-gateway create --generate-param-json-input services. This generates a sample json file to be used with this command option. The key names are pre-populated and match the command option names (converted to camelCase format, for example, compartment-id becomes compartmentId).

   The values of the keys are edited by the user before the sample file can be used as an input to this command.

   For any command option that accepts multiple values, the value of the key can be a JSON array.

   Options can still be provided on the command line. If an option exists in both the JSON document and the command line then the command line specified value will be used.

   oci network service-gateway create 
   --compartment-id ocid1.compartment..….….….uniqueID
   --vcn-id ocid1.vcn..….….….uniqueID 
   --services '[{"serviceId":"grafana"}]'
   
   {
    "data": {
     "displayName": "servicegateway20210830204524",
     "freeform-tags": {},
     "id": "ocid1.servicegateway..….….….uniqueID",
     "maxWaitSeconds": 0,
     "routeTableId": NULL,
     "services": [
      {
      "serviceId": "grafana"
      }
      ],
     "vcnId": ""ocid1.vcn.….….….uniqueID",
     "waitForState": "PROVISIONING",
     "waitIntervalSeconds": 0
     },
    "etag": "c98377e4-ae89-46cf-9c61-52aea68a3476"
   }