When integrating between an Oracle Utilities Cloud services application and an application hosted externally, either in your data center or in a third party data center, you can select between three different connectivity technologies, depending on your topology and integration requirements,

Akamai is a content delivery network provider with geographically distributed servers that speed up the delivery of web content by bringing it closer to where users are. It currently handles 15-30% of the world's web traffic. Access to Oracle Utilities Cloud Services through Akamai networking adds a layer of security that thwarts malicious attacks such as Distributed Denial-of-Service (DDoS), at the edge, before they reach infrastructure. All communication coming into Oracle Utilities Cloud Services is automatically directed through Akamai network. The DNS of Oracle Utilities Cloud Services automatically resolve to the respective Akamai network end points through which the communication is routed.

You can use Oracle VPN Connect to connect your corporate/private network to Oracle Cloud Infrastructure (OCI) through public internet. It provides secure communication through a virtual private tunnel via the public internet between the Oracle Utilities Cloud services on OCI and the external application with which it integrates.

Separate VPNs should be setup for each of your data center and each third party data center that you may need to connect to OCI, for integrating external applications. Customers need to setup and configure VPN Connect. VPN Connect is a free service, with no port hour charges. Data transfer cost is covered under networking cloud pricing.

You should consider using VPN Connect when the following conditions exist:

Before you implement VPN Connect to integrate external applications with Oracle cloud services, do the following:

Setting up an IPSec VPN Connect network between external applications and Oracle SaaS is a multistep process that can be complex unless you understand it thoroughly This topic provides a basic overview of the required steps. For more details, refer to Setting Up VPN Connect, referenced in Before Using VPN Connect.

Network engineers require basic information about the inside and outside interfaces of your on-premises device; that is, your customer-provided equipment or CPE. This will allow them to configure these on-premises device at your end of the IPSec VPN so traffic can flow between your on-premises network and VCN.

The network engineer will need to take the following steps:

Redundancies in your IPSec VPN Connect implementation ensure reliable performance and minimize or eliminate costly downtime and other stresses on the system. When implementing redundancies, the key is to create backup paths built for efficiency, speed and availability.

To plan for redundancy, consider all the components (hardware, facilities, circuits, and power) between your on-premises network and Oracle Cloud Infrastructure. Also consider diversity, to ensure that facilities are not shared between the paths. Redundancy considerations are described here:

To review some useful examples of redundancy planning, see Redundancy Use Cases in the Connectivity Redundancy Guide, referenced in Before Using VPN Connect.

The preceding VPN Connect best practices were culled from the Oracle Cloud Infrastructure documentation, which contains more detailed information on this service. Before using VPN Connect, you should review the following:

Oracle FastConnect allows for a dedicated private line, to be installed by a telecommunications provider between an external data center and Oracle Cloud Infrastructure's (OCI) data center. This provides reliable and secured communication through a separate dedicated private line connecting the Oracle Cloud Infrastructure data center and external data center and provides communication capabilities outside the public internet.

Oracle FastConnect can be used with the data center belonging to Oracle Utilities Cloud services application's customer or with third party data center for integrating external applications. FastConnect capability with a third party data center may involve additional agreements/effort. If FastConnect capability is required, then it needs to be separately licensed and configured by the customer.

Use Oracle Cloud Infrastructure FastConnect whenever a high bandwidth dedicated private line between the data center hosting the external application and the Oracle Utilities Cloud services application is required.

Before you implement Oracle Cloud Infrastructure FastConnect to integrate external applications with Oracle cloud services, do the following:

Oracle provides substantial and comprehensive documentation for implementing and using FastConnect which is beyond the scope of this chapter. Please refer to the links in Before Using Oracle Cloud Infrastructure FastConnect to locate this content.

Before getting started with FastConnect, you need to address a set of implementation requirements.

At a minimum, meet these requirements:

You can find additional information on these requirements in the Hardware and Routing Requirements documentation, referenced in Before Using Oracle Cloud Infrastructure FastConnect.

There are three FastConnect options to choose from: Oracle Provider, Third-Party Provider, and Colocation. This topic will help you to choose the best option for your implementation, based on consideration important points in the design.

You need to consider three main points when planning a FastConnect deployment:

These are key points to consider in the design and choosing the proper FastConnect option. For example, if the customer has a good relation with Provider A but Provider A is not an Oracle Provider, then the next option is to use Third-Party provider or Colocation option. If Provider A can deploy circuits to the FastConnect DC but can't deploy cross connect at the FastConnect DC then customer will have to look at a different provider. If the customer is not at the same address as the FastConnect DC then Colocation is not an option.

This is just a brief outline of how to address the design options for implementing OCI FastConnect. For a more detailed discussion of these design options, see the blog post FastConnect Design, referenced in Before Using Oracle Cloud Infrastructure FastConnect.

Redundancies in your FastConnect implementation ensure reliable performance and minimize or eliminate costly downtime and other stresses on the system. When implementing redundancies, the key is to create backup paths built for efficiency, speed and availability.

While which redundancy best practices you should follow depend on which connectivity model you use, you should always design your network to achieve high availability (HA) and so that it's prepared for these types of disruptions:

For help ensure redundancy, Oracle provides:

You can find a more comprehensive discussion of best practices specific to a FastConnect connectivity model in FastConnect Redundancy Best Practices, referenced in Before Using Oracle Cloud Infrastructure FastConnect.

The preceding Oracle Cloud Infrastructure FastConnect best practices were culled from the OCI documentation, which contains more detailed information on this service. Before using FastConnect, you should review the following documentation:

Many Oracle customer cloud networks are designed to prevent outbound connections to the internet. Typical on-premises deployed services are hosted on the enterprise intranet and don’t require public internet access. Migrating these services to the cloud by using the public connectivity model requires customers to enable internet access for their backend clients and punch holes in their firewalls and other security controls. Private connectivity using a service gateway offers a private and secure alternative. Although service gateways enable private access to Oracle services from customer OCI and on-premises networks, this access is over a publicly accessible IP.

Private endpoints allow customers to access Oracle services over a private IP taken from a subnet within their VCN. This capability allows a customer experience where the service is hosted in their own private network, either in their own VCN or on their on-premises site. When allowed, private endpoints support reverse connections to allow Oracle services to initiate connections to instances within the customer’s VCN or on-premises data sources.

The following architectural diagram depicts how customer-to-service (C2S) or forward direction and service-to-customer (S2C) or reverse direction traffic flows through the private endpoint. Within the customer VCN, the private endpoint is a logical representation of the service’s fully qualified domain name (FQDN) or IP address. Customers access the service using a dynamically allocated free private IP address from their chosen subnet as a target. Private endpoints physically reside outside the customer VCN and are managed on-behalf of the customer by the service provider.

A service gateway lets resources in your VCN privately access specific Oracle services, without exposing the data to the public internet. The resources in the VCN can be in a private subnet and use only private IP addresses. The traffic from the VCN to the service of interest travels over the Oracle network fabric and never traverses the internet. Private endpoint is another way to have private access to oracle cloud services. This document is focusing on Service Gateway only.

Please refer to Access to Oracle Services: Service Gateway for more information.

By default, all incoming network traffic (Web/SOAP/REST) using Public Internet to Oracle Utilities SaaS applications MUST go through Akamai network. Any direct attempt to access Oracle Utilities SaaS applications bypassing Akamai is blocked.

The only exception to bypass Akamai network is to access Oracle Utilities SaaS applications via Service Gateway using Private Subnet in OCI VCN. This connectivity is routed privately and does not go through Akamai network. This exception is handled via Inbound Allowlist internally managed by Oracle.

If you don't need to use a reverse proxy to implement integration between Oracle Utilities Cloud services application and an application hosted externally but still aren't sure whether to use IPSec VPN Connect or OCI FastConnect, understanding the differences betweent the two will help you make the correct determination.

An IPSec VPN establishes an encrypted network connection over the internet between the external application's data center and your Oracle Cloud Infrastructure virtual cloud network (VCN). It provides low or modest bandwidth and has the inherent variability in internet-based connections.

FastConnect bypasses the internet. Instead, it uses dedicated, private network connections between the external application's network or data center and your VCN.

Further comparisons are here: