Configuring VNICs and IP Addressing

The compute nodes in the Oracle Private Cloud Appliance have physical network interface cards (NICs). When you launch a compute instance, the Networking service creates a virtual NIC (VNIC) on top of a NIC so that the instance can communicate over the network. Each instance gets a primary VNIC, and that primary VNIC gets a primary private IP address. Neither the primary VNIC nor the primary private IP address can be removed from the instance.

You can optionally attach a public IP address to the private IP address if the subnet allows a public IP address. A private IP address enables the instance to communicate with other instances on the VCN. A public IP address enables the instance to communicate with hosts outside of the VCN, on your data center network. Internet access depends on what your data center network allows. See "Public Network in Private Cloud" and "IP Addressing" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

You can add secondary VNICs to an instance after instance launch. Each secondary VNIC also gets a private IP address, and you can optionally attach a public IP address to the private IP address if the subnet allows a public IP address. See "Virtual Network Interface Cards (VNICs)" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

You can add secondary private IP addresses to a VNIC, and you can optionally attach a public IP address to any secondary private IP address. For information about how secondary IP addresses are used, see "About Secondary Private IPs" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

Managing VNICs

For information about how primary and secondary VNICs are used on Private Cloud Appliance, see "Virtual Network Interface Cards (VNICs)" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

Viewing VNIC Attachments

Using the Compute Web UI, you can view VNIC attachments only for a particular instance. Using the OCI CLI, you can view all VNIC attachments in a compartment, and you can filter the list by instance or VNIC.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. Click the name of the instance for which you want to view VNIC attachments. You might need to change the compartment to find the instance you want.

  3. In the Resources box on the instance details page, click Attached VNICs.

    The list of attached VNICs for that instance is displayed.

Using the OCI CLI

  1. Get the information you need to run the command.

    • To list all VNIC attachments in a compartment, get the OCID of the compartment: oci iam compartment list

    • To list VNIC attachments only for a specific instance, get the OCID of that instance: oci compute instance list

    • To list VNIC attachments only for a specific VNIC, get the OCID of that VNIC: oci compute instance list-vnics

  2. Run the VNIC attachment list command.

    Syntax:

    oci compute vnic-attachment list --compartment-id compartment_OCID

    Examples:

    The following example lists all VNIC attachments for all instances in the specified compartment:

    $ oci compute vnic-attachment list --compartment-id ocid1.compartment.uniqueID
    {
      "data": [
        {
          "availability-domain": "AD-1",
          "compartment-id": "ocid1.compartment.uniqueID",
          "display-name": "Ainstance",
          "id": "ocid1.vnicattachment.uniqueID",
          "instance-id": "ocid1.instance.uniqueID",
          "lifecycle-state": "ATTACHED",
          "nic-index": 0,
          "subnet-id": "ocid1.subnet.uniqueID",
          "time-created": "2022-05-09T15:17:39.398551+00:00",
          "vlan-id": null,
          "vlan-tag": 0,
          "vnic-id": "ocid1.vnic.uniqueID"
        },
    ...
      ]
    }

    The following example lists VNIC attachments for the specified instance:

    $ oci compute vnic-attachment list --compartment-id ocid1.compartment.uniqueID \
    --instance-id ocid1.instance.uniqueID

    The following example lists the VNIC attachment of the specified VNIC:

    $ oci compute vnic-attachment list --compartment-id ocid1.compartment.uniqueID \
    --vnic-id ocid1.vnic.uniqueID

Viewing VNICs

Use these procedures to show details of a VNIC such as resource tags, hostname label, MAC address, NSGs, private and public IP addresses, whether this VNIC is a primary or secondary VNIC, and whether source/destination checks are being skipped.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. Click the name of the instance for which you want to view VNIC attachments. You might need to change the compartment to find the instance you want.

  3. On the instance details page, scroll to the Resources section and click Attached VNICs.

    The list of attached VNICs for this instance is displayed.

  4. Click the name of an attached VNIC to view the details page for the VNIC.

Using the OCI CLI

  1. Get the information you need to run the command.

    • To list all VNICs in a compartment, get the OCID of the compartment: oci iam compartment list

    • To list all VNICs that are attached to a specific instance, get the OCID of that instance: oci compute instance list

  2. Run the VNIC list command.

    Syntax:

    oci compute instance list-vnics \
    {--compartment-id compartment_OCID | --instance-id instance_OCID}

    Example:

    The following example lists all VNICs for all instances in the specified compartment:

    $ oci compute instance list-vnics --compartment-id ocid1.compartment.uniqueID
    {
      "data": [
        {
          "availability-domain": "AD-1",
          "compartment-id": "ocid1.compartment.uniqueID",
          "defined-tags": {
            "Oracle-Tags": {
              "CreatedBy": "flast",
              "CreatedOn": "2022-06-07T16:09:47.05Z"
            }
          },
          "display-name": "Ainstance",
          "freeform-tags": {},
          "hostname-label": "ainstance",
          "id": "ocid1.vnic.uniqueID",
          "is-primary": true,
          "lifecycle-state": "AVAILABLE",
          "mac-address": "MACaddress",
          "nsg-ids": [
            "ocid1.networksecuritygroup.uniqueID"
          ],
          "private-ip": "privateIP",
          "public-ip": "publicIP",
          "skip-source-dest-check": false,
          "subnet-id": "ocid1.subnet.uniqueID",
          "time-created": "2022-06-07T16:09:59.813530+00:00",
          "vlan-id": null
        },
    ...
      ]
    }

    The following example lists VNICs for the specified instance:

    $ oci compute instance list-vnics --instance-id ocid1.instance.uniqueID

  3. To view the details for a specific VNIC, use the VNIC get command.

    Use the list-vnics command to get the VNIC OCID.

    $ oci network vnic get --vnic-id ocid1.vnic.uniqueID
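
The fields in the list-vnics output can be reviewed in bulk for VNICs that skip source/destination checks or have no NSG attached. The following is an added example, not part of the Oracle documentation; the function name, the finding codes, the approved_forwarders parameter, and the sample data are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of the list-vnics output shown above.
# OCIDs and addresses are placeholders, not values from a real appliance.
SAMPLE_LIST_VNICS = """
{
  "data": [
    {"display-name": "InstABC-VNIC", "id": "ocid1.vnic.example-a",
     "is-primary": true, "nsg-ids": ["ocid1.networksecuritygroup.example-1"],
     "private-ip": "10.0.1.10", "public-ip": null,
     "skip-source-dest-check": false},
    {"display-name": "InstABC-Secondary-VNIC", "id": "ocid1.vnic.example-b",
     "is-primary": false, "nsg-ids": [],
     "private-ip": "10.0.2.10", "public-ip": "192.0.2.25",
     "skip-source-dest-check": false},
    {"display-name": "NAT-VNIC", "id": "ocid1.vnic.example-c",
     "is-primary": false, "nsg-ids": ["ocid1.networksecuritygroup.example-2"],
     "private-ip": "10.0.3.10", "public-ip": null,
     "skip-source-dest-check": true},
    {"display-name": "App-VNIC", "id": "ocid1.vnic.example-d",
     "is-primary": false, "nsg-ids": ["ocid1.networksecuritygroup.example-1"],
     "private-ip": "10.0.4.10", "public-ip": null,
     "skip-source-dest-check": true}
  ]
}
"""


def audit_vnics(cli_json, approved_forwarders=()):
    """Map VNIC OCID -> list of finding codes for VNICs that need review.

    approved_forwarders (hypothetical parameter): OCIDs of VNICs that are
    meant to forward traffic, for example for NAT, so a disabled
    source/destination check is expected on them.
    """
    approved = set(approved_forwarders)
    report = {}
    for vnic in json.loads(cli_json).get("data", []):
        findings = []
        nsg_ids = vnic.get("nsg-ids") or []
        has_public_ip = bool(vnic.get("public-ip"))

        # A VNIC that skips the check accepts packets for which it is
        # neither source nor destination; only forwarders should do that.
        if vnic.get("skip-source-dest-check") and vnic["id"] not in approved:
            findings.append("SRC_DST_CHECK_SKIPPED")

        # With no NSG attached, only the subnet's security lists apply to
        # this VNIC. Rank it higher when a public IP is attached as well.
        if not nsg_ids:
            findings.append("PUBLIC_IP_NO_NSG" if has_public_ip else "NO_NSG")

        if findings:
            report[vnic["id"]] = findings
    return report


if __name__ == "__main__":
    result = audit_vnics(SAMPLE_LIST_VNICS,
                         approved_forwarders=["ocid1.vnic.example-c"])
    for vnic_id, codes in result.items():
        print(vnic_id, ", ".join(codes))
```

To audit a real compartment, pass the saved output of the list-vnics command to audit_vnics in place of the constructed sample.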

Creating and Attaching a Secondary VNIC

The number of secondary VNICs that you can add to an instance depends on the shape of the instance, as shown in Compute Shapes in the Oracle Private Cloud Appliance Concepts Guide.

After you perform the following Private Cloud Appliance procedure, log in to the instance to configure the instance OS to use the new interface. See Configuring the Instance OS for a Secondary VNIC.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. Click the name of the instance to which you want to add a secondary VNIC. You might need to change the compartment to find the instance you want.

  3. In the Resources box on the instance details page, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  4. Click the Create VNIC Attachment button.

  5. In the Subnet section of the Create VNIC Attachment dialog box, specify the subnet to use for the VNIC. You might need to select a different compartment to find the VCN and subnet that you want.

    Specifying the same subnet for this VNIC that is specified for another VNIC for this instance can introduce asymmetric routing as described in "Virtual Network Interface Cards (VNICs)" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

    Instead of creating a VNIC in the same subnet as an existing VNIC for this instance, consider creating a secondary private IP address for the existing VNIC that is in this subnet. See Assigning a Secondary Private IP Address.

  6. Specify whether to disable source/destination checks.

    By default, a VNIC looks at the source and destination listed in the header of each network packet. If the VNIC is not the source or destination, then the packet is dropped.

    If the VNIC needs to forward traffic (for example, if the VNIC needs to perform Network Address Translation), check the box to disable this source/destination check.

  7. If you selected a public subnet, you can specify whether to automatically assign a public IPv4 address object to the VNIC's private IP address object.

  8. (Optional) Specify the following private IP information.

    • Private IP Address. An address that is within the CIDR block range assigned to the subnet and not already in use. If you do not enter an address, an IP address is automatically assigned.

    • Hostname. A hostname to be used for DNS within the cloud network. This option is available only if the VCN and subnet both have DNS labels. The hostname can be up to 63 letters, numbers, and hyphens. No spaces are allowed.

  9. (Optional) Add this VNIC to an NSG.

    By default, the new VNIC is not attached to any NSG. Check the box labeled Enable Network Security Groups to add this VNIC to one or more NSGs.

    1. Select an NSG from the drop-down list. You might need to change the compartment to find the NSG you want.

    2. Click the Add Another NSG button if you want to attach to another NSG.

    3. To remove an NSG from the list, click the trash can to the right of that NSG. To remove the last NSG or all NSGs, uncheck the Enable Network Security Groups box.

    See Controlling Traffic with Network Security Groups for information about NSGs.

  10. Click the Create Attachment button in the dialog. The secondary VNIC is created and then displayed on the Attached VNICs list for the instance.

  11. Configure the instance OS to use the secondary VNIC. See Configuring the Instance OS for a Secondary VNIC.

Using the OCI CLI

  1. Get the information you need to run the command:

    • Instance OCID: oci compute instance list

    • Subnet OCID: oci network subnet list

      Specifying the same subnet for this VNIC that is specified for another VNIC for this instance can introduce asymmetric routing as described in "Virtual Network Interface Cards (VNICs)" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

      Instead of creating a VNIC in the same subnet as an existing VNIC for this instance, consider creating a secondary private IP address for the existing VNIC that is in this subnet. See Assigning a Secondary Private IP Address.

  2. Review the list of optional parameters to disable source/destination checks, explicitly specify a private IP address, assign a public IP address, specify a host name, attach to network security groups, or assign a display name.

    oci compute instance attach-vnic -h

    Use the following command to show the JSON format to use to specify a list of attached NSGs:

    oci compute instance attach-vnic --generate-param-json-input nsg-ids

  3. Run the VNIC attach command.

    Syntax:

    oci compute instance attach-vnic --instance-id instance_OCID \
    --subnet-id subnet_OCID

    Example:

    In this example, the newly attached VNIC gets a public IP address and a display name, and is attached to one or more NSGs.

    $ oci compute instance attach-vnic --instance-id ocid1.instance.unique_ID \
    --subnet-id ocid1.subnet.unique_ID --assign-public-ip true \
    --nsg-ids file://./InstABC-nsgs.json --vnic-display-name "InstABC-Secondary-VNIC"

    When successful, the attach-vnic command has no output. To confirm that the secondary VNIC attached, list VNICs for the instance. The new attached secondary VNIC is a non-primary VNIC (the value of the is-primary property is false).

    $ oci compute instance list-vnics --instance-id ocid1.instance.unique_ID
    {
      "data": [
        {
          ...
          "display-name": "InstABC-VNIC",
          ...
          "id": "ocid1.vnic.unique_ID",
          "is-primary": true,
          ...
          "time-created": "2022-06-22T22:24:31.853538+00:00",
          ...
        },
        {
          ...
          "display-name": "InstABC-Secondary-VNIC",
          ...
          "id": "ocid1.vnic.unique_ID",
          "is-primary": false,
          ...
          "nsg-ids": [
            "ocid1.networksecuritygroup.unique_ID"
          ],
          ...
          "public-ip": "publicIP",
          ...
          "time-created": "2022-06-29T18:28:44.355805+00:00",
          ...
        }
      ]
    }

  4. Configure the instance OS to use the secondary VNIC. See Configuring the Instance OS for a Secondary VNIC.

Configuring the Instance OS for a Secondary VNIC

After you create a secondary VNIC as described in Creating and Attaching a Secondary VNIC, log in to the instance to configure the instance OS to use the new VNIC.

For Linux and Microsoft Windows, you can use scripts that are provided by Oracle. The Oracle scripts use information from the instance metadata. See Retrieving Instance Metadata from Within the Instance for instructions about how to view that data on the instance OS, including how to show the VNIC data.

Linux Instance OS Configuration

Configuring the Instance OS Manually

Use the ifdown and ifup commands for the physical NIC. To persist this configuration across reboots, create a configuration file in /etc/sysconfig/network-scripts.

To add a VNIC, add a configuration file and use ifup.

To delete a VNIC, use ifdown and delete the configuration file.

Using the Oracle Script

You can download the Oracle script from https://docs.oracle.com/en-us/iaas/Content/Resources/Assets/secondary_vnic_all_configure.sh. Note that the script configures policy-based routing: two default routes in two separate route tables on the instance OS. Policy-based routing enables you to use all primary private IP addresses from anywhere without having asymmetric routing problems, if the packets are sourced from the primary IP address of the secondary VNIC. Applications can communicate through the secondary VNIC with hosts outside the VNIC's subnet. You might not need such a configuration. For example, if the secondary VNIC is used only to communicate with devices in the directly attached subnet of the VNIC, then you can use the /etc/sysconfig/network-scripts method described in the preceding procedure to add an IP and routes to the secondary VNIC.

The configuration performed by the script is not persistent across reboots. Run the script every time you add or delete a VNIC or reboot the instance.

The following are the most commonly used options of this script:

  • -c Using the instance metadata, add IP configuration for VNICs that are not configured and delete configuration for VNICs that are no longer provisioned.

  • -s Show information about all provisioning and interface configuration. This is the default behavior if you do not specify any option.

  • -h Show information about how to use the script.

If the secondary VNIC that you are configuring already has secondary private IP addresses, use this Oracle script with the -e option to configure the secondary IP addresses. The instance metadata does not include information about secondary IP addresses. You must provide the IP address and VNIC OCID on the command line. See also Configuring the Instance OS for a Secondary IP Address.

Oracle Solaris Instance OS Configuration

Use the ipadm command to configure network interfaces persistently.

Microsoft Windows Instance OS Configuration

Configuring the Instance OS Manually

Open Settings and then open Network Adapters.

Using the Oracle Script

You can download the Oracle-provided PowerShell script from https://docs.oracle.com/en-us/iaas/Content/Resources/Assets/secondary_vnic_windows_configure.ps1.

When you run the script, you can optionally provide the OCID of the secondary VNIC that you want to configure. See Retrieving Instance Metadata from Within the Instance for instructions about how to get the VNIC OCID from the instance metadata.

.\secondary_vnic_windows_configure.ps1 "ocid1.vnic.unique_ID"

If you do not enter the OCID of a VNIC that you want to configure, the script shows a list of the secondary VNICs on the instance and asks you to select the one you want to configure.

The script does the following:

  1. Checks whether the network interface has an IP address and a default route.

  2. To enable the OS to use the secondary VNIC, the script overwrites the IP address and default route with static settings. These actions effectively disable DHCP. The script prompts you to either overwrite with the static settings or exit.

Updating a VNIC

You can update the VNIC name, the host name, and whether to disable source/destination checks. You can add the VNIC to an NSG and remove the VNIC from an NSG.

Using the Compute Web UI Edit Option

If you only want to add or remove NSGs, see Using the Compute Web UI to Update NSGs Only.

  1. On the Dashboard, click the Compute/View Instances button.

  2. Click the name of the instance for which you want to update a VNIC. You might need to change the compartment to find the instance you want.

  3. In the Resources box on the instance details page, click Attached VNICs.

    The list of attached VNICs for that instance is displayed.

  4. For the VNIC that you want to update, click the Actions menu and then click Edit.

  5. In the Update VNIC dialog, update the VNIC name, the host name, whether to disable source/destination checks, or whether to attach this VNIC to an NSG or detach this VNIC from an NSG.

    See Creating and Attaching a Secondary VNIC for information about the Skip Source/Destination Check selection.

    If you change the Enable Network Security Groups box from unchecked to checked, then you must select an NSG from the drop-down list. You might need to change the compartment to find the NSG you want.

    If the Enable Network Security Groups box is already checked, then you can click the Add Another NSG button to attach to another NSG.

    If more than one NSG is already listed, you can click the trash can next to an existing NSG to detach this VNIC from that NSG. To detach the last NSG or all NSGs, uncheck the Enable Network Security Groups box.

    See Controlling Traffic with Network Security Groups for information about NSGs.

  6. Click the Update VNIC button in the dialog.

Using the Compute Web UI to Update NSGs Only

Follow the steps in the preceding procedure to display the list of attached VNICs for the instance.

  1. Click the name of the VNIC for which you want to change the NSGs.

  2. On the VNIC details page, scroll to the resources section, and click Network Security Groups.

  3. Click the Update Network Security Groups button.

  4. In the Update Network Security Groups for VNIC dialog, attach this VNIC to an NSG or detach this VNIC from an NSG.

    If you change the Enable Network Security Groups box from unchecked to checked, then you must select an NSG from the drop-down list. You might need to change the compartment to find the NSG you want.

    If the Enable Network Security Groups box is already checked, then you can click the Add Another NSG button to attach to another NSG.

    If more than one NSG is already listed, you can click the trash can to the right of an existing NSG to detach this VNIC from that NSG. To detach the last NSG or all NSGs, uncheck the Enable Network Security Groups box.

  5. Click the Update Network Security Groups for VNIC button in the dialog.

  6. An alternative way to detach a VNIC from an NSG is to use the Detach menu option.

    1. On the VNIC details page, scroll to the resources section, and click Network Security Groups.

    2. In the Network Security Groups list, for the NSG that you want to detach, click the Actions menu and click Detach.

Using the OCI CLI

  1. Use one of the following commands to get the OCID of the VNIC that you want to update:

    oci compute instance list-vnics
    oci compute vnic-attachment list

  2. Review the list of optional parameters to use to update the VNIC name or the host name label, change whether to disable source/destination checks, or attach or detach NSGs.

    oci network vnic update -h

    Use the following command to show the JSON format to use to replace the list of attached NSGs:

    oci network vnic update --generate-param-json-input nsg-ids

  3. Run the VNIC update command.

    Syntax:

    oci network vnic update --vnic-id vnic_OCID

    Example:

    In this example, source/destination checks are disabled, and the list of attached NSGs is replaced.

    $ oci network vnic update --vnic-id ocid1.vnic.unique_ID \
    --nsg-ids '["ocid1.networksecuritygroup.unique_ID"]' \
    --skip-source-dest-check true
    {
      "data": {
        "availability-domain": "AD-1",
        "compartment-id": "ocid1.compartment.unique_ID",
        "defined-tags": {
          "Oracle-Tags": {
            "CreatedBy": "flast",
            "CreatedOn": "2022-06-28T23:08:55.06Z"
          }
        },
        "display-name": "A2instance",
        "freeform-tags": {},
        "hostname-label": "a2instance",
        "id": "ocid1.vnic.unique_ID",
        "is-primary": false,
        "lifecycle-state": "AVAILABLE",
        "mac-address": "MACaddress",
        "nsg-ids": [
          "ocid1.networksecuritygroup.unique_ID"
        ],
        "private-ip": "privateIP",
        "public-ip": "publicIP",
        "skip-source-dest-check": true,
        "subnet-id": "ocid1.subnet.unique_ID",
        "time-created": "2022-06-28T23:08:55.960950+00:00",
        "vlan-id": null
      },
      "etag": "67fe1002-e72f-4cd5-9200-ea4b5721db39"
    }

    The initial command output might not show NSG updates. If your updates are not shown, use the network vnic get command to re-check the VNIC configuration.

Deleting a Secondary VNIC

This operation detaches and deletes the specified secondary VNIC. You cannot delete an instance's primary VNIC. When you terminate an instance, all attached VNICs (primary and secondary) are automatically detached and deleted.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. Click the name of the instance for which you want to delete a VNIC. You might need to change the compartment to find the instance you want.

  3. In the Resources box on the instance details page, click Attached VNICs.

    The list of attached VNICs for that instance is displayed.

  4. For the VNIC that you want to delete, click the Actions menu, and then click Delete.

  5. Click the Confirm button on the dialog.

    The VNIC state changes to Detached. After a few seconds, the VNIC is removed from the list.

  6. Log in to the instance and delete the configuration for the IP address from the instance OS.

    Undo the configuration you did when you added the VNIC. See Configuring the Instance OS for a Secondary VNIC.

Using the OCI CLI

  1. Gather the information you need to run the command:

    • Compartment OCID: oci iam compartment list

    • VNIC OCID: oci compute vnic-attachment list

  2. Run the instance detach VNIC command.

    $ oci compute instance detach-vnic \
    --compartment-id ocid1.compartment.unique_ID \
    --vnic-id ocid1.vnic.unique_ID
    Are you sure you want to delete this resource? [y/N]: y

    You can suppress the confirmation by using the --force option.

  3. Log in to the instance and delete the configuration for the IP address from the instance OS.

    Undo the configuration you did when you added the VNIC. See Configuring the Instance OS for a Secondary VNIC.

Managing IP Addresses

A private IP address enables communication with resources on the VCN. Along with route rules, security rules, and gateways, a public IP address enables communication outside the VCN, including to the data center network.

All of the following are required for an instance to communicate outside the VCN:

  • The instance must be in a public subnet, which is configured when the subnet is created. Private subnets cannot have a public IP address assigned to instances in the subnet.

  • The instance must have a public IP address.

  • The instance's VCN must have an internet gateway configured.

  • The public subnet must have route table and security list entries that enable communications outside the VCN.

For information about route rules, security rules, and gateways, see Configuring VCN Rules and Options and Configuring VCN Gateways. For conceptual information, see "IP Addressing" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

Viewing Private IP Addresses

The Compute Web UI enables you to view private and public IP addresses for a specific instance.

The OCI CLI enables you to list all private IP address objects in the tenancy or in the specified subnet or VNIC. You can also list a single private IP address object by specifying the IP address.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. Click the name of the instance for which you want to view the private IP address. You might need to change the compartment to find the instance you want.

  3. On the instance details page, view networking information or VNIC information.

    • Click the Networking tab. The primary private IP address and any attached public IP address are shown in the Instance Access column.

    • Scroll to the Resources section and click Attached VNICs. Click the name of the VNIC for which you want to view IP addresses.

      On the VNIC details page, scroll to the Resources section and click IP Addresses. The primary private IP address and any secondary private IP addresses, as well as any attached public IP addresses, are shown in the table.

Using the OCI CLI

  1. Get the information you need to run the command:

    • Subnet OCID: oci network subnet list

    • VNIC OCID: oci compute instance list-vnics

  2. Run the command to list private IP address objects.

    Syntax:

    oci network private-ip list

    Examples:

    List all private IP address objects in the tenancy:

    $ oci network private-ip list
    {
      "data": [
        {
          "availability-domain": "AD-1",
          "compartment-id": "ocid1.compartment.unique_ID",
          "defined-tags": {},
          "display-name": "privateip20220705090302",
          "freeform-tags": {},
          "hostname-label": "ol8instance",
          "id": "ocid1.privateip.unique_ID",
          "ip-address": "IPaddress",
          "is-primary": true,
          "subnet-id": "ocid1.subnet.unique_ID",
          "time-created": "2022-07-05T09:03:02.025808+00:00",
          "vlan-id": null,
          "vnic-id": "ocid1.vnic.unique_ID"
        },
    ...
      ]
    }

    List all private IP address objects in the specified subnet:

    $ oci network private-ip list --subnet-id ocid1.subnet.unique_ID

    List all private IP address objects in the specified VNIC:

    $ oci network private-ip list --vnic-id ocid1.vnic.unique_ID

    List the private IP address object with the specified IP address:

    $ oci network private-ip list --ip-address IPaddress

    The output of the preceding list command is the same as the output from the following get command:

    $ oci network private-ip get --private-ip-id ocid1.privateip.unique_ID

  3. Similar to the Compute Web UI instance information, the instance list-vnics command shows each private and public IP address in each VNIC. This command does not show OCIDs or any other information about the IP address objects. See Viewing VNICs.

Assigning a Secondary Private IP Address

When you create an instance, the instance automatically gets a VNIC, and the VNIC automatically gets a primary private IP address. You can add secondary private IP addresses to a VNIC. A VNIC can have up to 33 private IP addresses: one primary private IP address, and up to 32 secondary private IP addresses.

Creating a VNIC in the same subnet as another VNIC for the same instance can introduce asymmetric routing as described in "Virtual Network Interface Cards (VNICs)" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide. Instead, you can create a secondary private IP address for the existing VNIC that is in the subnet that you want.

See information about secondary private IP addresses, including use cases, in "IP Addressing" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

After you perform the following Private Cloud Appliance procedure to assign a secondary private IP address, log in to the instance to configure the instance OS to use the new IP address. See Configuring the Instance OS for a Secondary IP Address.

Moving a Secondary IP Address

In addition to adding a secondary private IP address, you can use this procedure to reassign (move) a currently assigned secondary private IP address to a different VNIC. Because the VNIC must be in the same subnet as the VNIC where the secondary private IP address is currently assigned, the new VNIC probably is attached to a different instance; as mentioned above, having two VNICs in the same subnet in the same instance can introduce asymmetric routing.

To move a secondary private IP address, see the Unassign if assigned or --unassign-if-already-assigned options in the following procedures.

You cannot move a VNIC's primary private IP address.

If a public IP address object is assigned to a secondary private IP address object, and you move that secondary private IP address object to another VNIC, the public IP address object moves with it.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. Click the name of the instance to which you want to add a secondary private IP address. You might need to change the compartment to find the instance you want.

  3. On the instance details page, scroll to the Resources section and click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  4. Click the name of the attached VNIC to which you want to add a secondary private IP address.

  5. On the VNIC details page, scroll to the Resources section and click IP Addresses.

  6. Click the Assign Secondary Private IP Address button.

  7. In the Attach Private IP dialog, all input fields are optional.

    • IP Address: If you do not enter an address, an IP address from the subnet CIDR is automatically assigned.

      If you enter an address, the IP address must be within the CIDR block for the subnet. You can enter a secondary private IP address that is already assigned to another VNIC in the subnet. You cannot enter a primary private IP address.

      If you enter an IP address that is already assigned, see the following option.

    • Unassign if assigned: In the previous option, if you entered a secondary private IP address that is already assigned, check this button to move that private IP address. The address will be unassigned from the VNIC where it is currently assigned and reassigned to this VNIC.

      If you entered an IP address that is already assigned and you do not check this button, this secondary private IP assignment operation fails.

    • Hostname: Enter the hostname to be used for DNS within the cloud network. This option is available only if the VCN and subnet both have DNS labels.

  8. Click the Attach IP Address button in the dialog.

    The new secondary private IP address is shown in the table.

  9. Configure the new secondary private IP address in the instance. See Configuring the Instance OS for a Secondary IP Address.

Using the OCI CLI

  1. Get the OCID of the VNIC where you want to assign this secondary private IP address: oci compute instance list-vnics

  2. Run the assign private IP command.

    Syntax:

    oci network vnic assign-private-ip --vnic-id vnic_OCID

    Examples:

    $ oci network vnic assign-private-ip --vnic-id ocid1.vnic.unique_ID
    {
      "data": {
        "availability-domain": "AD-1",
        "compartment-id": "ocid1.compartment.unique_ID",
        "defined-tags": {},
        "display-name": "privateip20220707213054",
        "freeform-tags": {},
        "hostname-label": null,
        "id": "ocid1.privateip.unique_ID",
        "ip-address": "IPaddress",
        "is-primary": false,
        "subnet-id": "ocid1.subnet.unique_ID",
        "time-created": "2022-07-07T21:30:54.305936+00:00",
        "vlan-id": null,
        "vnic-id": "ocid1.vnic.unique_ID"
      },
      "etag": "756b973a-c76e-4151-92ad-24fa265c8289"
    }

    In the following example, an existing private IP address is moved to a different VNIC:

    $ oci network vnic assign-private-ip --vnic-id ocid1.vnic.unique_ID \
    --ip-address IPaddress --unassign-if-already-assigned

  3. Configure the new secondary private IP address in the instance. See Configuring the Instance OS for a Secondary IP Address.
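
Because --unassign-if-already-assigned takes the address away from another VNIC, and any public IP address assigned to that address moves with it, it helps to classify a request before you run it. The following Python sketch is an added example, not part of the Oracle documentation. The subnet CIDR, IP addresses, and OCIDs are constructed sample values, and plan_assignment and build_command are hypothetical helper names.

```python
import ipaddress

# Constructed sample: the "data" list that `oci network private-ip list` returns
# for one subnet, reduced to the fields used here. OCIDs are placeholders.
PRIVATE_IPS = [
    {"id": "ocid1.privateip.p1", "ip-address": "10.0.1.10", "is-primary": True,
     "vnic-id": "ocid1.vnic.web"},
    {"id": "ocid1.privateip.s1", "ip-address": "10.0.1.50", "is-primary": False,
     "vnic-id": "ocid1.vnic.web"},
]
# Constructed sample: the "data" list from `oci network public-ip list`.
PUBLIC_IPS = [
    {"id": "ocid1.publicip.r1", "ip-address": "203.0.113.7",
     "lifetime": "RESERVED", "private-ip-id": "ocid1.privateip.s1"},
]
SUBNET_CIDR = "10.0.1.0/24"  # assumed CIDR block of the subnet


def plan_assignment(target_vnic, ip_address=None, private_ips=PRIVATE_IPS,
                    public_ips=PUBLIC_IPS, subnet_cidr=SUBNET_CIDR):
    """Classify an assign-private-ip request before it is run.

    Returns a dict with "action" (auto | assign | move | none | reject) and a
    "reason". For a move it also names the VNIC that loses the address and
    any public IP addresses that move with it.
    """
    if ip_address is None:
        return {"action": "auto", "reason": "address chosen from the subnet CIDR"}
    if ipaddress.ip_address(ip_address) not in ipaddress.ip_network(subnet_cidr):
        return {"action": "reject", "reason": "outside the subnet CIDR"}
    owner = next((p for p in private_ips if p["ip-address"] == ip_address), None)
    if owner is None:
        return {"action": "assign", "reason": "address is not assigned"}
    if owner["is-primary"]:
        return {"action": "reject", "reason": "primary private IP cannot be moved"}
    if owner["vnic-id"] == target_vnic:
        return {"action": "none", "reason": "already on the target VNIC"}
    moved_public = [p["ip-address"] for p in public_ips
                    if p.get("private-ip-id") == owner["id"]]
    return {"action": "move", "reason": "secondary address assigned elsewhere",
            "from_vnic": owner["vnic-id"], "public_ips_moved": moved_public}


def build_command(target_vnic, ip_address, plan):
    """Return the argv for the CLI call, or None when nothing should be run."""
    if plan["action"] in ("reject", "none"):
        return None
    cmd = ["oci", "network", "vnic", "assign-private-ip", "--vnic-id", target_vnic]
    if ip_address:
        cmd += ["--ip-address", ip_address]
    if plan["action"] == "move":
        # Without this flag the operation fails instead of moving the address.
        cmd.append("--unassign-if-already-assigned")
    return cmd


if __name__ == "__main__":
    for ip in (None, "10.0.1.60", "10.0.1.50", "10.0.1.10", "10.0.2.5"):
        plan = plan_assignment("ocid1.vnic.db", ip)
        print(ip, plan, build_command("ocid1.vnic.db", ip, plan))
```

A "move" result lists the VNIC that loses the address and the public IP addresses that follow it, so the change in exposure can be reviewed before the command is run.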

Configuring the Instance OS for a Secondary IP Address

After you create a secondary private IP address on a VNIC as described in Assigning a Secondary Private IP Address, log in to the instance to configure the instance OS to use the new IP address.

Linux Instance OS Configuration

Configuring the Instance OS Manually

This configuration permits use of an IP address subnet, netmask, gateway, and DNS service that are entirely independent from the existing NIC. This configuration is persistent across reboots.

Create a new network interface configuration file to create a sub-interface on the existing NIC. In this example, ens3 is the name of the existing NIC and ifcfg-ens3:0 is the name of the new configuration file.

  1. Create the network configuration file ifcfg-ens3:0 in the /etc/sysconfig/network-scripts/ directory to create the first sub-interface (:0) on the existing ens3 NIC.

    Include the following entries in ifcfg-ens3:0:

    TYPE=Ethernet
    BOOTPROTO=none
    IPADDR=a.b.c.d
    PREFIX=24
    GATEWAY=
    DNS=
    NAME=ens3:0
    DEVICE=ens3:0

  2. Include the appropriate IPADDR, PREFIX, GATEWAY, and DNS entries for this new sub-interface.

  3. Run the following command to start the new interface:

    # ifup ens3:0

  4. Run the following command to confirm that the new interface is operational:

    # ifconfig -a

See also Linux: Details about Secondary IP Addresses.

Using the Oracle Script

The Oracle script can only configure a secondary IP address on a secondary VNIC. To configure a secondary IP address on the primary VNIC, use the /etc/sysconfig/network-scripts/ method described in the preceding procedure. You can download the Oracle script from https://docs.oracle.com/en-us/iaas/Content/Resources/Assets/secondary_vnic_all_configure.sh.

To use this script to configure a secondary private IP address on a secondary VNIC, use the -e option as shown below. The instance metadata does not include information about secondary IP addresses. You must provide the IP address and VNIC OCID on the command line.

$ secondary_vnic_all_configure.sh -e IP_address VNIC_OCID

The configuration performed by the script is not persistent across reboots. Run the script every time you add a new secondary private IP address or reboot the instance. If you have several secondary IP addresses, consider creating a configuration file as described in the manual procedure above.

Oracle Solaris Instance OS Configuration

Use the ipadm command to configure network interfaces persistently.

Microsoft Windows Instance OS Configuration

See Windows: Details about Secondary IP Addresses for information about how to either:

  • Create a PowerShell script.

  • Use the Network and Sharing Center UI.

Updating a Secondary Private IP Address

You cannot update a VNIC's primary private IP address.

You can update the host name of a secondary private IP address object. To change the IP address, delete the secondary private IP address object as described in Deleting a Secondary Private IP Address, and create a new one as described in Assigning a Secondary Private IP Address, explicitly specifying the IP address that you want to use.

To update the host name for the primary private IP on a VNIC, update the VNIC. See Updating a VNIC.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. Click the name of the instance that has the secondary private IP address object that you want to update. You might need to change the compartment to find the instance you want.

  3. On the instance details page, scroll to the Resources section and click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  4. Click the name of the attached VNIC that has the secondary private IP address object that you want to update.

  5. On the VNIC details page, scroll to the Resources section and click IP Addresses.

  6. For the secondary private IP address object that you want to update, click the Actions menu and click Edit.

  7. In the Attach Private IP dialog, update the host name.

  8. Click the Attach IP Address button in the dialog.

Using the OCI CLI

  1. Get the OCID of the secondary private IP address object that you want to update: oci network private-ip list

  2. Run the private IP address update command.

    Syntax:

    oci network private-ip update --private-ip-id private_ip_OCID \
    --hostname-label newhostname

    The output is the same as the output of the private-ip get command.

Deleting a Secondary Private IP Address

You cannot delete a VNIC's primary private IP address.

On successful delete, the private IP address is returned to the pool of available addresses in the subnet. Any attached public IP address is again available for assignment.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. Click the name of the instance for which you want to delete a secondary private IP address. You might need to change the compartment to find the instance you want.

  3. On the instance details page, scroll to the Resources section and click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  4. Click the name of the attached VNIC for which you want to delete a secondary private IP address.

  5. On the VNIC details page, scroll to the Resources section and click IP Addresses.

  6. For the secondary private IP address that you want to delete, click the Actions menu and click Delete.

    Confirm the deletion.

  7. Log in to the instance and delete the configuration for the IP address from the instance OS.

    Undo the configuration you did when you added the IP address. See Configuring the Instance OS for a Secondary IP Address.

Using the OCI CLI

  1. Gather the information you need to run the command:

    • Private IP address: oci network private-ip list

    • VNIC OCID: oci compute instance list-vnics

  2. Run the unassign private IP command.

    Syntax:

    oci network vnic unassign-private-ip --ip-address IPaddress --vnic-id VNIC_OCID

    Confirm the deletion, or use the --force option.

    The secondary private IP address object is unassigned and then deleted.

  3. Log in to the instance and delete the configuration for the IP address from the instance OS.

    Undo the configuration you did when you added the IP address. See Configuring the Instance OS for a Secondary IP Address.

Viewing Public IP Addresses

The Compute Web UI enables you to view private and public IP addresses for a specific instance. See "Using the Compute Web UI" in Viewing Private IP Addresses.

The OCI CLI enables you to list public IP address objects in a specified compartment.

Using the OCI CLI

  1. Get the OCID of the compartment where the instance is located: oci iam compartment list

  2. Run the public IP list command.

    Syntax:

    oci network public-ip list --compartment-id compartment_OCID \
    --scope {region | availability_domain}

    Examples:

    List reserved public IP address objects:

    $ oci network public-ip list --compartment-id ocid1.compartment.unique_ID \
    --scope region --lifetime reserved
    {
      "data": [
        {
          "assigned-entity-id": null,
          "assigned-entity-type": "PRIVATE_IP",
          "availability-domain": null,
          "compartment-id": "ocid1.compartment.unique_ID",
          "defined-tags": {},
          "display-name": "apublicIP",
          "freeform-tags": {},
          "id": "ocid1.publicip.unique_ID",
          "ip-address": "IPaddress",
          "lifecycle-state": "AVAILABLE",
          "lifetime": "RESERVED",
          "private-ip-id": null,
          "public-ip-pool-id": null,
          "scope": "REGION",
          "time-created": "2022-07-06T16:36:56.860931+00:00"
        }
      ]
    }

    List the ephemeral public IP address objects that are assigned to a regional entity such as a NAT gateway:

    $ oci network public-ip list --compartment-id ocid1.compartment.unique_ID \
    --scope region --lifetime ephemeral

    List the ephemeral public IP address objects that are assigned to primary private IP address objects:

    $ oci network public-ip list --compartment-id ocid1.compartment.unique_ID \
    --scope availability_domain --availability-domain AD-1 --lifetime ephemeral

Assigning an Ephemeral Public IP Address to an Instance

To assign a public IP address to an instance, you assign the public IP address object to a private IP address object.

An ephemeral public IP address is created and assigned in the same step.

An ephemeral public IP address can only be assigned to a primary private IP address: The value of the is-primary property of the private IP address object must be true. Every VNIC has one primary private IP address.

For secondary private IP addresses (the value of the is-primary property of the private IP address object is false), assign reserved public IP addresses. See Assigning a Reserved Public IP Address to an Instance.

An ephemeral public IP address cannot be unassigned and cannot be moved to a different private IP address.

An ephemeral public IP address object is deleted in the following cases:

  • Its private IP address object is deleted.

  • Its VNIC is detached or terminated.

  • Its instance is terminated.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. Click the name of the instance for which you want to assign a public IP address. You might need to change the compartment to find the instance you want.

  3. On the instance details page, scroll to the Resources section and click Attached VNICs. Click the name of the VNIC for which you want to assign a public IP address.

  4. On the VNIC details page, scroll to the Resources section and click IP Addresses. The primary private IP address and any secondary private IP addresses, as well as any attached public IP addresses, are shown in the table.

  5. If the primary private IP address does not already have a public IP address assigned, click the Actions menu for the primary private IP address, and then click Edit Public IP.

  6. In the dialog, click Ephemeral Public IP.

  7. (Optional) Give the ephemeral public IP address a name.

  8. Click the Reserve Public IP button in the dialog.

    You might have to refresh the page to see the new public IP address. The new public IP address shows in the IP Addresses table in Resources, in the Primary IP Information column for the VNIC, and in the Instance Access column of the Networking tab of the instance.

Using the OCI CLI

  1. Get the information you need to run the command:

    • Compartment OCID: oci iam compartment list

    • Private IP OCID: oci network private-ip list

    • Public IP OCID: oci network public-ip list

  2. Run the public IP create command.

    This command creates a new ephemeral public IP address object and assigns it to the specified private IP address object.

    $ oci network public-ip create --compartment-id ocid1.compartment.unique_ID \
    --lifetime ephemeral --private-ip-id ocid1.privateip.unique_ID
    {
      "data": {
        "assigned-entity-id": "ocid1.privateip.unique_ID",
        "assigned-entity-type": "PRIVATE_IP",
        "availability-domain": "AD-1",
        "compartment-id": "ocid1.compartment.unique_ID",
        "defined-tags": {},
        "display-name": "publicip20220708231248",
        "freeform-tags": {},
        "id": "ocid1.publicip.unique_ID",
        "ip-address": "IPaddress",
        "lifecycle-state": "ASSIGNING",
        "lifetime": "EPHEMERAL",
        "private-ip-id": "ocid1.privateip.unique_ID",
        "public-ip-pool-id": null,
        "scope": "AVAILABILITY_DOMAIN",
        "time-created": "2022-07-08T23:12:48.610545+00:00"
      },
      "etag": "dcb8dafe-bbe4-42ff-b86a-9e1ebaf4d94c"
    }

Reserving a Public IP Address

Use the Compute Web UI procedure in Updating a Public IP Address to create and assign a reserved public IP address in one step.

Use the following OCI CLI procedure to create a reserved public IP address that is available to assign to a private IP address object at a later time.

Using the OCI CLI

  1. Get the OCID of the compartment where you want to create the IP address object: oci iam compartment list

  2. Run the public IP create command.

    Syntax:

    oci network public-ip create --compartment-id compartment_OCID \
    --lifetime reserved

    Example:

    $ oci network public-ip create --compartment-id ocid1.compartment.unique_ID \
    --lifetime reserved --display-name apublicIP
    {
      "data": {
        "assigned-entity-id": null,
        "assigned-entity-type": "PRIVATE_IP",
        "availability-domain": null,
        "compartment-id": "ocid1.compartment.unique_ID",
        "defined-tags": {},
        "display-name": "apublicIP",
        "freeform-tags": {},
        "id": "ocid1.publicip.unique_ID",
        "ip-address": "IPaddress",
        "lifecycle-state": "PROVISIONING",
        "lifetime": "RESERVED",
        "private-ip-id": null,
        "public-ip-pool-id": null,
        "scope": "REGION",
        "time-created": "2022-07-06T16:36:56.860931+00:00"
      },
      "etag": "dcb8dafe-bbe4-42ff-b86a-9e1ebaf4d94c"
    }

Assigning a Reserved Public IP Address to an Instance

To assign a public IP address to an instance, you assign the public IP address object to a private IP address object.

An ephemeral public IP address can be assigned only to the primary private IP address of a VNIC. See Assigning an Ephemeral Public IP Address to an Instance. A reserved public IP address can be assigned to any private IP address.

See Reserving a Public IP Address to create a reserved public IP address that is available to assign to a private IP address object at a later time.

Use the procedures in Updating a Public IP Address to assign an existing reserved public IP address object to the specified private IP address object or to create and assign a reserved public IP address in one step.

A reserved public IP address object remains available for reassignment when its private IP address object is deleted, its VNIC is detached or terminated, or its instance is terminated.
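
The assignment rules in this section and the preceding sections can be checked against CLI output to keep an inventory of which VNICs are reachable from outside the VCN. The following Python sketch is an added example, not part of the Oracle documentation. The records are constructed samples in the shape of the public-ip list and private-ip list output, and audit_public_ips and the allowed_vnics allowlist are hypothetical names.

```python
# Constructed samples in the shape of the "data" lists returned by
# `oci network public-ip list` and `oci network private-ip list`,
# reduced to the fields used here. OCIDs are placeholders.
PUBLIC_IPS = [
    {"ip-address": "203.0.113.10", "lifetime": "EPHEMERAL",
     "private-ip-id": "ocid1.privateip.a"},
    {"ip-address": "203.0.113.11", "lifetime": "RESERVED",
     "private-ip-id": "ocid1.privateip.b"},
    {"ip-address": "203.0.113.12", "lifetime": "RESERVED",
     "private-ip-id": None},
    {"ip-address": "203.0.113.13", "lifetime": "RESERVED",
     "private-ip-id": "ocid1.privateip.zz"},
]
PRIVATE_IPS = [
    {"id": "ocid1.privateip.a", "ip-address": "10.0.1.10", "is-primary": True,
     "vnic-id": "ocid1.vnic.web"},
    {"id": "ocid1.privateip.b", "ip-address": "10.0.1.50", "is-primary": False,
     "vnic-id": "ocid1.vnic.db"},
]


def audit_public_ips(public_ips, private_ips, allowed_vnics):
    """Join public IP objects to private IP objects and report exposure.

    Returns (exposed, findings):
      exposed  - (public address, private address, VNIC OCID) per assignment
      findings - (kind, public address) pairs that need review
    allowed_vnics is a hypothetical allowlist of VNICs expected to be public.
    """
    by_id = {p["id"]: p for p in private_ips}
    exposed, findings = [], []
    for pub in public_ips:
        addr, target = pub["ip-address"], pub.get("private-ip-id")
        if target is None:
            # A reserved address with no private IP is idle and can be
            # assigned later; an ephemeral one here belongs to a regional
            # entity such as a NAT gateway and is skipped.
            if pub["lifetime"] == "RESERVED":
                findings.append(("idle-reserved", addr))
            continue
        priv = by_id.get(target)
        if priv is None:
            # The private IP object is not in the supplied list, for example
            # because it was listed from a different subnet.
            findings.append(("unresolved-private-ip", addr))
            continue
        exposed.append((addr, priv["ip-address"], priv["vnic-id"]))
        if pub["lifetime"] == "EPHEMERAL" and not priv["is-primary"]:
            # Ephemeral addresses can be assigned only to a primary private IP.
            findings.append(("ephemeral-on-secondary", addr))
        if priv["vnic-id"] not in allowed_vnics:
            findings.append(("unexpected-exposure", addr))
    return exposed, findings


if __name__ == "__main__":
    exposed, findings = audit_public_ips(PUBLIC_IPS, PRIVATE_IPS,
                                         allowed_vnics={"ocid1.vnic.web"})
    for row in exposed:
        print("exposed", *row)
    for kind, addr in findings:
        print("review ", kind, addr)
```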

Updating a Public IP Address

You can use the public IP update command to do any of the following:

  • Assign an existing reserved public IP address object to a private IP address object.

  • Create and assign a reserved public IP address object in one step.

  • Move a reserved public IP address object to a different private IP address object.

  • Unassign a reserved public IP address object from a private IP address object.

  • Change the display name or tags for a public IP address object.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. Click the name of the instance for which you want to assign a public IP address. You might need to change the compartment to find the instance you want.

  3. On the instance details page, scroll to the Resources section and click Attached VNICs. Click the name of the VNIC for which you want to assign a public IP address.

  4. On the VNIC details page, scroll to the Resources section and click IP Addresses. The primary private IP address and any secondary private IP addresses, as well as any attached public IP addresses, are shown in the table.

  5. For the private IP address for which you want to add or update a public IP address, click the Actions menu and then click Edit Public IP.

  6. In the Reserve Public IP dialog, click one of the following choices:

    • No public IP

      Click the Reserve Public IP button in the dialog to unassign this public IP address from this private IP address. You might have to refresh the page to see that the public IP address is no longer assigned.

    • Reserve public IP

      Click one of the following choices:

      • Reserve existing public IP

        1. Select an existing public IP address. You might need to change the compartment.

        2. Click the Reserve Public IP button in the dialog.

          If the specified public IP address object is already assigned to a different private IP address object, the public IP address object will be unassigned (moved) from the current private IP address object and reassigned to the specified private IP address object.

      • Create public IP

        Create and assign a reserved public IP address in one step.

        1. (Optional) Provide a name for the new reserved public IP address object.

        2. Select the compartment where the new reserved public IP address object will be created.

        3. Select the IP Address Source.

        4. Click the Reserve Public IP button in the dialog.

    The new reserved public IP address shows in the IP Addresses table in Resources. You might need to refresh the page to see the new public IP address.

Using the OCI CLI

  1. Get the OCID of the public IP object that you want to update. See Viewing Public IP Addresses.

    If you want to assign or move the public IP object to a private IP object, get the OCID of the private IP object. See Viewing Private IP Addresses.

  2. Run the public IP update command.

    Syntax:

    oci network public-ip update --public-ip-id public_ip_OCID

    Example:

    The following example updates an existing reserved public IP address object and assigns it to the specified private IP address object. If the specified public IP address object is already assigned to a different private IP address object, the public IP address object will be unassigned (moved) from the current private IP address object and reassigned to the specified private IP address object.

    $ oci network public-ip update --public-ip-id ocid1.publicip.unique_ID \
    --private-ip-id ocid1.privateip.unique_ID
    {
      "data": {
        "assigned-entity-id": null,
        "assigned-entity-type": "PRIVATE_IP",
        "availability-domain": null,
        "compartment-id": "ocid1.compartment.unique_ID",
        "defined-tags": {},
        "display-name": "apublicIP",
        "freeform-tags": {},
        "id": "ocid1.publicip.unique_ID",
        "ip-address": "IPaddress",
        "lifecycle-state": "ASSIGNING",
        "lifetime": "RESERVED",
        "private-ip-id": null,
        "public-ip-pool-id": null,
        "scope": "REGION",
        "time-created": "2022-07-06T16:36:56.860931+00:00"
      },
      "etag": "dcb8dafe-bbe4-42ff-b86a-9e1ebaf4d94c"
    }

    The following example unassigns the specified reserved public IP address object and makes it available for future reassignment.

    $ oci network public-ip update --public-ip-id ocid1.publicip.unique_ID \
    --private-ip-id ""

Deleting a Public IP Address

An ephemeral public IP address object cannot be unassigned and cannot be directly deleted. An ephemeral public IP address object is deleted in the following cases:

  • Its private IP address object is deleted.

  • Its VNIC is detached or terminated.

  • Its instance is terminated.

A reserved public IP address object is unassigned but remains available for reassignment when its private IP address object is deleted, its VNIC is detached or terminated, or its instance is terminated.

Use the following procedure to delete a reserved public IP address object.

Using the OCI CLI

  1. Gather the information you need to run the command:

    • Compartment OCID: oci iam compartment list

    • Public IP address OCID: oci network public-ip list

  2. Run the public IP delete command.

    Syntax:

    oci network public-ip delete --public-ip-id public_ip_OCID

    Example:

    $ oci network public-ip delete --public-ip-id ocid1.publicip.unique_ID --force