Note:

This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Use Oracle Cloud Infrastructure Network Path Analyzer with On-Premises Endpoints

Introduction

Oracle Cloud Infrastructure Network Path Analyzer (OCI Network Path Analyzer) is a diagnostic tool provided by OCI to help users troubleshoot and optimize network paths within their cloud environments. This tool is particularly useful for identifying potential network issues, understanding the performance of network paths, and ensuring that the network configurations align with best practices and operational requirements.

OCI Network Path Analyzer with on-premises endpoints extends the capabilities of the OCI Network Path Analyzer to include analysis of network paths that start or end in an on-premises environment. This integration is particularly beneficial for hybrid cloud architectures where resources are spread across both on-premises and OCI data centers.

This tutorial will demonstrate various test scenarios where OCI Network Path Analyzer will enable and disable the on-premises endpoint.

Key Features and Capabilities:

End-to-End Path Analysis: The OCI Network Path Analyzer can trace the complete path between two points in your network, such as between instances, subnets, or across Virtual Cloud Networks (VCNs). This helps in understanding the route traffic takes and identifying any potential bottlenecks or misconfigurations.
Network Hop Visibility: Provides detailed visibility into each hop along the network path, including details like latency, packet loss, and the status of each hop. This helps in pinpointing where issues may be occurring.
Performance Metrics: Users can view performance metrics for each segment of the path, which aids in diagnosing performance-related issues and ensuring that the network is performing optimally.
Configuration Validation: Validate network configurations against Oracle Cloud Infrastructure (OCI) best practices, helping to identify misconfigurations that could lead to network performance issues or failures.
Security Group and Route Table Analysis: Analyze security group rules and route tables that affect the network path, providing insights into whether the correct rules and routes are in place for the desired traffic flow.
Troubleshooting Assistance: Faster troubleshooting and resolution of network issues by identifying and highlighting problem areas in the network path.

Use Cases:

Network Troubleshooting: Quickly identify where network issues are occurring and understand the root cause.
Performance Optimization: Ensure that your network paths are configured for optimal performance by analyzing latency and packet loss.
Configuration Audits: Regularly check your network configurations to ensure they align with OCI best practices and operational requirements.
Security Validation: Verify that security group rules and route tables are correctly configured to allow or deny the intended traffic.

How OCI Network Path Analyzer Works:

Initiation: Users can initiate the network path analysis from the OCI Console by specifying the source (which can be an on-premises endpoint) and the destination (which can be within OCI or another on-premises location).
Path Mapping: The tool maps out the entire network path, including OCI components (VCNs, subnets, and so on) and on-premises network components (routers, switches, firewalls, and so on).
Data Collection and Analysis: Collects performance metrics and configuration data at each hop along the path, providing detailed insights into each segment.
Visualization and Reporting: Presents the analyzed data in a user-friendly interface, often with visual representations of the network path, performance metrics, and configuration status.

Benefits:

OCI Network Path Analyzer is a powerful tool for any organization using OCI, helping to maintain a robust, efficient, and secure cloud network environment.

Improved Visibility: Gain deep visibility into your network paths within OCI.
Enhanced Performance: Optimize network performance by identifying and resolving issues.
Increased Security: Ensure that your network security configurations are correctly implemented and effective.
Efficient Troubleshooting: Reduce the time and effort needed to diagnose and fix network problems.

Initial Network Architecture:

The initial network architecture that we will use for testing is an OCI environment with two VCNs and an on-premises environment that is connected with an Internet Protocol Security (IPSec) tunnel to the OCI environment.

The subnet information for the full architecture:

Location	Subnet	Notes
ON-PREM	10.222.10.0/24	This is an overlapping subnet with NPA-VCN-A!
NPA-VCN-A	10.222.10.0/24	This is an overlapping subnet with ON-PREM!
NPA-VCN-B	10.222.11.0/24

Due to the overlapping CIDR space between NPA-VCN-A and ON-PREM, we will start with de-attached NPA-VCN-A. This means NPA-VCN-A will not be attached to the DRG and will not participate in the routing architecture initially.

Objectives

Use Oracle Cloud Infrastructure Network Path Analyzer with on-premises endpoints

Test Scenario 1

The first test scenario will use the following path analysis parameters:

	Location	IP address	IP address on-premises setting	Port
Source	OCI	10.222.11.65	Unchecked	N/A
Destination	ON-PREM	10.222.10.100	Checked	22

Note: NPA-VCN-A, which has an overlapping subnet with ON-PREM, is not part of the routing architecture.

Create Path Analysis

Log in to the OCI Console.
1. Click the hamburger menu (≡) from the upper left corner.
2. Click Networking.
3. Click Network Path Analyzer.
Click Create path analysis.
In Configure analysis page, enter the following information.
1. Name: Enter the name.
2. Protocol: Select TCP.
3. Source: Select Enter IP address.
4. Source IPv4 address: Enter source IPv4 address.
5. Scroll down.
1. Destination: Select Enter IP address.
2. Destination IPv4 address: Enter destination IPv4 address.
3. Select The IP address is an on-premises endpoint.
4. Destination Port: Enter destination port.
5. Click Run analysis.
Scroll down.
Note that the analysis has started, it will take a few minutes to complete.

Test and Save the Path Analysis

In Run analysis page, save the configured analysis.
1. Note that the Forward path status is Reachable and the number of hops is 4.
2. Note the visual routing path that the packet has taken from source to destination.
3. Click arrow (^) to expand.
4. You can see the diagram information.
5. Scroll down.
1. Note that the Return path status is Reachable and the number of hops is 4.
2. Note the visual routing path that the packet has taken from source to destination.
3. Click arrow (^) to expand.
4. You can see the diagram information.
5. Click Save analysis.

This test passed because there is a network with 10.222.10.0/24 in the routing table, and the OCI Network Path Analyzer is checking for the on-premises network.

Test Scenario 2

The second test scenario will use the following path analysis parameters:

	Location	IP address	IP address on-premises setting	Port
Source	OCI	10.222.11.65	Unchecked	N/A
Destination	ON-PREM	10.222.10.100	Unchecked	22

Note: NPA-VCN-A, which has an overlapping subnet with ON-PREM, is not part of the routing architecture.

Create Path Analysis

Click Create path analysis.
In Configure analysis page, enter the following information.
1. Name: Enter the name.
2. Protocol: Select TCP.
3. Source: Select Enter IP address.
4. Source IPv4 address: Enter source IPv4 address.
5. Scroll down.
1. Destination: Select Enter IP address.
2. Destination IPv4 address: Enter destination IPv4 address.
3. Select The IP address is an on-premises endpoint.
4. Destination Port: Enter destination port.
5. Click Run analysis.
Note that the analysis has started, it will take a few minutes to complete.

Test and Save the Path Analysis

In Run analysis page, save the configured analysis.
1. Note that the Forward path status is Indeterminate and the number of hops is 0.
2. Note error message: Cannot determine path. IP address 10.222.10.100 is associated with the following listed overlapping resources.
  
  Possible causes:
  - There are multiple route table entries for the destination.
    - Review route table for overlaps for 10.222.10.0/25.
  - There is a missing route table entry for the destination.
    - Review the route table for missing routes for 10.222.10.0/25.
    - Overlapping resources: ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaas3jilha3xxxxxxxxxxxxxxxxxxxjlwszujf6krs3ydy6q, ExternalNetwork.
3. Click Save analysis.

This test failed because there is no network with 10.222.10.0/24 in the routing tables, and the OCI Network Path Analyzer is not checking for the on-premises network.

Test Scenario 3

The third test scenario will use the following path analysis parameters:

	Location	IP address	IP address on-premises setting	Port
Source	OCI	10.222.11.65	Unchecked	N/A
Destination	ON-PREM	10.222.10.100	Checked	22

Note: NPA-VCN-A, which has an overlapping subnet with ON-PREM, is a part of the routing architecture.

Attach the `NPA-VCN-A`

Attach the NPA-VCN-A to the Dynamic Routing Gateway (DRG).
1. Click the hamburger menu (≡) from the upper left corner.
2. Click Networking.
3. Click Dynamic Routing Gateway.
Click the DRG.
1. Click VCN Attachments.
2. Click Create virtual cloud network attachment.
1. Enter a Attachment name.
2. Select NPA-VCN-A VCN.
3. Click Create VCN attachment.
Note that the NPA-VCN-A VCN is now attached.

Create Path Analysis

Click Create path analysis.
1. Name: Enter the name.
2. Protocol: Select TCP.
3. Source: Select Enter IP address.
4. Source IPv4 address: Enter source IPv4 address.
5. Scroll down.
1. Destination: Select Enter IP address.
2. Destination IPv4 address: Enter destination IPv4 address.
3. Select The IP address is an on-premises endpoint.
4. Destination Port: Enter destination port.
5. Click Run analysis.
Note that the analysis has started, it will take a few minutes to complete.

Test and Save the Path Analysis

In Run analysis page, save the configured analysis.
1. Note that the Forward path status is Indeterminate and the number of hops is 0.
2. Note error message: Cannot determine path. IP address 10.222.10.100 is associated with the following listed overlapping resources.
  
  Possible causes:
  - There are multiple route table entries for the destination.
    - Review route table for overlaps for 10.222.10.0/25.
  - There is a missing route table entry for the destination.
    - Review the route table for missing routes for 10.222.10.0/25.
    - Overlapping resources: ExternalNetwork, ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaas3jilha3xxxxxxxxxxxxxxxxxxxjlwszujf6krs3ydy6q, ExternalNetwork.
3. Click Save analysis.

This test failed because of overlapping subnets between ON-PREM and NPA-VCN-A. The OCI Network Path Analyzer detected two paths to the 10.222.10.0/24 network and could not determine which one to take, even though it was checking for the on-premises network.

Test Scenario 4

The fourth test scenario will use the following path analysis parameters:

	Location	IP address	IP address on-premises setting	Port
Source	OCI	10.222.11.65	Unchecked	N/A
Destination	ON-PREM	10.222.10.100	Unchecked	22

Note: NPA-VCN-A, which has an overlapping subnet with ON-PREM, is still a part of the routing architecture.

Create Path Analysis

Click Create path analysis.
In Configure analysis page, enter the following information.
1. Name: Enter the name.
2. Protocol: Select TCP.
3. Source: Select Enter IP address.
4. Source IPv4 address: Enter source IPv4 address.
5. Scroll down.
1. Destination: Select Enter IP address.
2. Destination IPv4 address: Enter destination IPv4 address.
3. Select The IP address is an on-premises endpoint.
4. Destination Port: Enter destination port.
5. Click Run analysis.
Note that the analysis has started, it will take a few minutes to complete.

Test and Save the Path Analysis

In Run analysis page, save the configured analysis.
1. Note that the Forward path status is Reachable and the number of hops is 3.
2. Note the visual routing path that the packet has taken from the source to the destination.
3. Click arrow (^) to expand.
4. You can see the diagram information.
5. Scroll down.
1. Note that the Return path status is Reachable and the number of hops is 4.
2. Note the visual routing path that the packet has taken from the source to the destination.
3. Click arrow (^) to expand.
4. You can see the diagram information.
5. Click Save analysis.
Note that we specified the IP address that is ON-PREM (10.222.10.100) but the path that the OCI Network Path Analyzer has taken is towards the OCI NPA-VCN-A VCN.

This test is passing despite specifying an IP address ON-PREM, but because OCI Network Path Analyzer is not checking for on-premises network and the same network is available within OCI Network Path Analyzer will mark it as a pass.

Test Scenario 5

The fifth test scenario will use the following path analysis parameters:

	Location	IP address	IP address on-premises setting	Port
Source	OCI	10.222.11.65	Unchecked	N/A
Destination	OCI	10.222.10.98	Checked	22

Note:

We will use the OCI subnet (inside the NPA-VCN-A VCN) as a destination.

NPA-VCN-A, which has an overlapping subnet with ON-PREM, is still a part of the routing architecture.

Create Path Analysis

Click Create path analysis.
In Configure analysis page, enter the following information.
1. Name: Enter the name.
2. Protocol: Select TCP.
3. Source: Select Enter IP address.
4. Source IPv4 address: Enter source IPv4 address.
5. Scroll down.
1. Destination: Select Enter IP address.
2. Destination IPv4 address: Enter destination IPv4 address.
3. Select The IP address is an on-premises endpoint.
4. Destination Port: Enter destination port.
5. Click Run analysis.
Note that the analysis has started, it will take a few minutes to complete.

Test and Save the Path Analysis

In Run analysis page, save the configured analysis.
1. Note that the Forward path status is Indeterminate and the number of hops is 0.
2. Note error message: Cannot determine path. IP address 10.222.10.98 is associated with the following listed overlapping resources.
  
  Possible causes:
  - There are multiple route table entries for the destination.
    - Review route table for overlaps for 10.222.10.0/25.
  - There is a missing route table entry for the destination.
    - Review the route table for missing routes for 10.222.10.0/25.
    - Overlapping resources: ExternalNetwork, ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaas3jilha3is4uxxxxxxxxxxxxxxxxxxlwszujf6krs3ydy6q
3. Click Save analysis.

This test failed because the IP address we specified in the destination is not on-premises but in OCI. This test is basically the same as Scenario 3.

Test Scenario 6

The sixth test scenario will use the following path analysis parameters:

	Location	IP address	IP address on-premises setting	Port
Source	OCI	10.222.11.65	Unchecked	N/A
Destination	OCI	10.222.10.98	Unchecked	22

Note:

We will use the OCI subnet (inside the NPA-VCN-A VCN) as a destination.

NPA-VCN-A, which has an overlapping subnet with ON-PREM, is still a part of the routing architecture.

Create Path Analysis

Click Create path analysis.
In Configure analysis page, enter the following information.
1. Name: Enter the name.
2. Protocol: Select TCP.
3. Source: Select Enter IP address.
4. Source IPv4 address: Enter source IPv4 address.
5. Scroll down.
1. Destination: Select Enter IP address.
2. Destination IPv4 address: Enter destination IPv4 address.
3. De-select The IP address is an on-premises endpoint.
4. Destination Port: Enter destination port.
5. Click Run analysis.
Note that the analysis has started, it will take a few minutes to complete.

Test and Save the Path Analysis

In Run analysis page, save the configured analysis.
1. Note that the Forward path status is Reachable and the number of hops is 3.
2. Note the visual routing path that the packet has taken from the source to the destination.
3. Click arrow (^) to expand.
4. You can see the diagram information.
5. Scroll down.
1. Note that the Return path status is Reachable and the number of hops is 4.
2. Note the visual routing path that the packet has taken from the source to the destination.
3. Click arrow (^) to expand.
4. You can see the diagram information.
5. Click Save analysis.

This test passed because there is a network with 10.222.10.0/24 in the routing table, and OCI Network Path analyzer is not checking for the on-premises network. So the network has to be within OCI. This test is basically the same as Scenario 4.

Next Steps

This tutorial has shown you how the OCI Network Path Analyzer with on-premises endpoints significantly enhances the ability of organizations to manage and troubleshoot their hybrid cloud environments. By providing comprehensive visibility into network paths that span both OCI and on-premises data centers, this tool ensures that network performance is optimized and potential issues can be identified and resolved quickly. The detailed performance metrics, configuration validations, and security checks offered by OCI Network Path Analyzer enable IT teams to maintain robust, efficient, and secure network infrastructures. As hybrid cloud architectures become increasingly common, tools like OCI Network Path Analyzer with on-premises endpoints are indispensable for achieving seamless integration and operation across diverse network environments. This leads to improved application performance, reduced downtime, and enhanced overall operational efficiency.

Test Scenario	Result	Overlapping CIDR	NPA On-Prem DST checked	Clarification
1	PASS	No	Yes	This test passed because there is a network with `10.222.10.0/24` in the routing table, and the OCI Network Path Analyzer is checking for the on-premises network.
2	FAIL	No	No	This test failed because there is no network with `10.222.10.0/24` in the routing tables, and the OCI Network Path Analyzer is checking for the on-premises network.
3	FAIL	Yes	Yes	This test failed because of overlapping subnets between `ON-PREM` and `NPA-VCN-A`. The OCI Network Path Analyzer detected two paths to the `10.222.10.0/24` network and could not determine which one to take, even though it was checking for the on-premises network.
4	PASS	Yes	No	This test is passing despite specifying an IP address `ON-PREM`, but because OCI Network Path Analyzer is not checking for the on-premises network and the same network is available within OCI Network Path Analyzer will mark it as a pass.
5	FAIL	Yes	Yes	This test failed because the IP address we specified in the destination is not in on-premises but in OCI. This test is basically the same as Scenario 3.
6	PASS	Yes	No	This test passed because there is a network with `10.222.10.0/24` in the routing table, and OCI Network Path analyzer is not checking for the on-premises network. So the network has to be within OCI. This test is basically the same as Scenario 4.

Acknowledgments

Author - Iwan Hoogendoorn (OCI Network Specialist)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

Title and Copyright Information

Use Oracle Cloud Infrastructure Network Path Analyzer with On-Premises Endpoints

G11497-01

July 2024

Oracle and/or its affiliates.

Use Oracle Cloud Infrastructure Network Path Analyzer with On-Premises Endpoints

Introduction

Objectives

Test Scenario 1

Create Path Analysis

Test and Save the Path Analysis

Test Scenario 2

Create Path Analysis

Test and Save the Path Analysis

Test Scenario 3

Attach the NPA-VCN-A

Create Path Analysis

Test and Save the Path Analysis

Test Scenario 4

Create Path Analysis

Test and Save the Path Analysis

Test Scenario 5

Create Path Analysis

Test and Save the Path Analysis

Test Scenario 6

Create Path Analysis

Test and Save the Path Analysis

Next Steps

Acknowledgments

More Learning Resources

Attach the `NPA-VCN-A`