1. Learn about connecting to Oracle Cloud and VMware resources
  2. Learn About Network Connectivity Design Options

Learn About Network Connectivity Design Options

By default, Oracle Cloud Infrastructure FastConnect and IPSec VPN tunnels terminate on a logical device called a dynamic routing gateway (DRG). You can choose to use other VPN network edge devices by using vendors in the Oracle Cloud Marketplace or by using open source solutions, such as Libreswan.

The following topics show architecture diagrams for each option and then compares their pros and cons.

FastConnect

FastConnect offers high-speed (1 Gbps or 10 Gbps) connectivity into Oracle Cloud Infrastructure.

You can connect to Oracle in the following ways:
  • Through a FastConnect provider
  • Through a non-FastConnect provider, also known as a third-party provider
  • Through a direct fiber handoff, if you’re colocated in the same data center campus as Oracle

Unlike our competitors, Oracle Cloud Infrastructure has a flat fee per FastConnect connection. We don’t charge an incremental fee for data being transferred across the connection. For details about FastConnect, including a step-by-step guide, see the FastConnect documentation.

To achieve redundancy, we recommend that you have at least two FastConnect connections to avoid a single point of failure on the Oracle side. The highest availability option is to also have two wide area network (WAN) routers deployed in your on-premises location.These routers are generically referred to as customer-premise equipment (CPE) .

Description of fastconnect_w_priv_peering.png follows
Description of the illustration fastconnect_w_priv_peering.png

Oracle Cloud Infrastructure-Based IPSec VPN

Oracle Cloud provides the VPN Connect service. A single IPSec connection automatically provides two diverse IPSec tunnels.

It’s your responsibility to ensure that both tunnels come up, or deploy two different VPN CPEs to achieve diversity on both the on-premises and Oracle sides of the connection. VPN Connect is free of charge, and goes over the public internet. As a result, your connection could be subject to jitter and variability based on current internet conditions outside of Oracle’s control.

Description of oci_ipsec_vpn_2_tunnel.png follows
Description of the illustration oci_ipsec_vpn_2_tunnel.png

NVA-Based IPSec VPN

To have more control over both ends of the IPSec VPN connection, you might want to deploy your own network virtual appliance (NVA).

In this model, you deploy one or more virtual machines (VMs) to build a highly available firewall. Examples include Palo Alto Networks, Fortinet, and Check Point. For the complete list of firewall solutions, see the Oracle Cloud Marketplace. For an example, see a step-by-step guide for Palo Alto networks.

Description of nva_ipsec_vpn_1_tunnel.png follows
Description of the illustration nva_ipsec_vpn_1_tunnel.png

NVA-Based SSL VPN

SSL VPN could be a requirement for some applications. SSL VPN could be accomplished and deployed as an NVA in Oracle Cloud Infrastructure, or potentially as an appliance within Oracle Cloud VMware Solution.

An example that uses the Oracle Cloud Marketplace and the OpenVPN appliance was shared earlier in this solution.

Description of nva_ssl_vpn_w_3_tunnels.png follows
Description of the illustration nva_ssl_vpn_w_3_tunnels.png

NSX-Based IPSec VPN

Another model of deployment is to establish an IPSec tunnel directly into Oracle Cloud VMware Solution. NSX-T supports layer 3 and layer 2 IPSec tunnels, but SSL VPN is not supported.

When the communication is over long-distance links, latency can dramatically slow down applications. We recommend layer 3 IPSec tunnels to keep the traffic cleanly segmented between on-premises and Oracle Cloud VMware Solution workloads. If you attempt to stretch layer 2 VLANs across the internet or dedicated links, chatty applications can dramatically slow down your connections.

Description of nsx_ipsec_w_1_tunnel.png follows
Description of the illustration nsx_ipsec_w_1_tunnel.png

Network Connectivity Technology Pros and Cons

The following table describes the pros and cons of each of the preceding technologies.

Network Connectivity PROs CONs
FastConnect (DRG) High speed, low latency links

Need to deploy more than one FastConnect connection to avoid a single point of failure

Depending on the model, it could take several weeks or months to deploy
VPN Connect (DRG)

It's free

Uses an existing internet connection

Low lead time to set up

Can be a software-only solution

 Subject to internet variability, jitter, and delay
IPSec or SSL VPN with an NVA

Customer can control the VPN appliance in the cloud and on premises

Flexibility to choose IPSec or SSL VPN network parameters

Subject to internet variability, jitter, and delay

Customer is responsible for managing the VM appliance

Additional license costs to the VPN/firewall appliance vendor
IPSec VPN to NSX (over a private network)

Uses an existing connection to access private subnets in Oracle Cloud

Software-defined connectivity and ease of use for VMware administrators

 Assumes that private subnets are reachable from on-premises networks
FastConnect (DRG) plus IPSec VPN to an Oracle Cloud NVA

High speed, low latency

Encryption to Oracle Cloud

Could also offer SSL VPN services (if supported by the VM appliance vendor)

 Customer is responsible for managing the VM appliance

Additional license costs to the VPN/firewall appliance vendor
FastConnect (DRG) plus IPSec VPN to NSX Edge

High speed, low latency

Encryption to the Oracle Cloud VMware Solution environment

Uses NSX technology

VPN tunnel would be limited to the VMware environment

Customer might not be able to access IaaS, PaaS, or SaaS services in Oracle Cloud Infrastructure