Define Workload Requirements

Determine your requirements for communication, connectivity, and resiliency of workloads.

Communication Requirements

Identify your workload requirements for communication gateways and internet connectivity, inter-VCN connectivity, and accessing the Oracle Services Network (OSN).

OCI Communication Gateways

The following diagram illustrates a primary OCI deployment in the US West (Phoenix) region, showing how production and pre-production workloads are networked for secure, resilient connectivity between the cloud, on-premises data centers, and Oracle services:


Select the appropriate communication gateways based on your workload's requirements from the following table:

Feature Recommended Gateway Comments
Traffic in and out of OCI can be initiated from OCI or the internet Internet Gateway Need a public subnet and a resource with public IP
Resources in OCI access internet securely NAT Gateway Only traffic initiated from within the subnet is allowed through the NAT Gateway
Access to Oracle Cloud Infrastructure Object Storage or other services in Oracle Service Network Service Gateway Examples of services are OS management service, Oracle Linux, or Yum Service. See the Explore section for a full list of supported services in OSN
Connection between OCI and on-premises and between VCNs DRG A virtual router connects VCNs and on-premises locations through a central connection point and also connects between regions and different tenancies

Inter-VCN Connectivity

Decide how VCNs within OCI should communicate (within a tenancy or across tenancies):

Oracle recommends using DRGs for the inter-VCN connectivity. DRG provides scalable path for connectivity not only between VCNs but also from on-premises and other clouds. Dynamic route importing reduces management complexity. For specific routing needs between two VCNs, use a Local Peering Gateway (LPG). You can use both DRGs and LPGs together depending on your requirements.

The following three examples of inter-VCN connectivity use an LPG or DRG:

Local Peering Gateway (LPG)

The following image shows a region with two VCNs using LPGs for local peering:



Both VCNs must be in the same OCI region and you can have up to 10 LPGs per VCN.

Dynamic Routing Gateway (DRG)

DRGs connect VCNs within or across regions and allow up to 300 attachments per DRG. DRGs provide simple routing options, in addition to static routes. Routes from the attached networks are dynamically imported into DRG route tables using import route distributions.

The following image shows a region with two VCNs connected by a DRG in the same region:



The following image shows a region with two VCNs using the DRG with two VCNs connected between separate regions:



Access Oracle Services Network (OSN)

OSN is a conceptual network in OCI that is reserved for Oracle services.

The following architecture shows a VCN accessing the OSN without the traffic going over the internet through a service gateway:



Consider the following options and decide how you want to route your traffic:

  • Use a Service Gateway to route private traffic to OSN without traversing the internet.
  • Services (like Object Storage) have public IPs that can be reached over the internet. Use private endpoints (PEs) to keep traffic within the OCI network.
  • When adding a route to OSN, decide if you want to enable the network to use all OCI services or just use OCI Object Storage for database backups.
  • Consider private endpoints (PE) for direct, private access from VCNs or on-premises data centers. For example, you could configure OCI Object Storage with a PE reachable from within a VCN or from an on-premises region over a private IP address.

Hybrid and Multicloud Connectivity Requirements

Determine if your architecture will be hybrid or multicloud, and assess bandwidth for a quality user experience.

Connect OCI to on-premises networks base on your needs using either of these connectivity options:

  • OCI FastConnect uses a dedicated connection for fixed bandwidth and latency. Oracle recommends using redundant connections for resiliency.
  • OCI Site-to-Site VPN uses the internet as the carrier and can also use FastConnect. Bandwidth, latency, and availability can vary due to public internet circuits. Oracle recommends using redundant tunnels.

The following diagram shows an example architecture of connecting an on-premises environment to OCI using either site-to-site VPN or FastConnect:



Oracle recommends using FastConnect for primary connections with VPN as backup for production workloads. FastConnect is available at varying speeds up to 400 Gbps, depending on region and partners.

To set up your connectivity, do the following:

  • Set up a virtual circuit with public peering for only OSN access.
  • Use private peering for a private connection to resources in VCNs.
  • Use site-to-site VPN (with IPSec) for traffic encryption within FastConnect private peering.

Note:

Oracle recommends using redundant hardware for all connections.

Connect to On-Premises Networks Using OCI FastConnect

OCI FastConnect provides direct, private connectivity. Always configure VPN as a backup. The following image shows an architecture with an on-premises and OCI region using OCI FastConnect where the traffic doesn't go through the public internet:


Oracle recommends using FastConnect with VPN as backup as the primary connections for production workloads. Use site-to-site VPN as a backup connection for FastConnect, so the primary connection is FastConnect and the backup is VPN. The available connection speeds are 1 Gbps, 10 Gbps, or 100 Gbps.

  • Set up a virtual circuit with public peering, if you only need access to OSN.
  • Use OCI Site-to-Site VPN which uses IPSec for encryption of traffic in addition to FastConnect public peering.
  • Use private peering when you need a private connection to resources in OCI VCNs.

Note:

Oracle recommends using twice the equipment for redundancy.

Connect to On-Premises Networks Using OCI Site-to-Site VPN

OCI Site-to-Site VPN connects an on-premises data center to OCI. Site-to-site VPN uses the internet as carrier and encrypts the traffic using the IPSec protocol. Site-to-site VPN is a cost-effective, encrypted solution but lower bandwidth (~250 Mbps/tunnel). Use redundant endpoints and devices. Consider Equal-Cost Multi-Path (ECMP) routing for high availability with better bandwidth. Use site-to-site VPN as a free alternative if you don't require the high-performance connections of Megaport or Equinix discussed in the next sections.

The following diagram shows an architecture with redundant customer-premises equipment (CPE) and an OCI connection using site-to-site VPN:



Site-to-site VPN performance may vary depending on internet traffic. As with FastConnect, configure site-to-site VPN with redundant tunnels and where possible also with redundant CPE devices. Oracle provides two VPN endpoints for every site-to-site VPN connection.

Oracle Interconnect for Microsoft Azure

Microsoft and Oracle have partnered to provide Microsoft Azure preintegrated with OCI in select regions.

The following diagram shows an example architecture of an Oracle database in an OCI region and the application in Azure:



Latency is important for a good user experience with better response times. Oracle and Azure have integration points in different locations around the world. This makes it easy to integrate and also reduces latency which makes it possible to have solution that spans between the clouds using FastConnect and Azure ExpressRoute.

You can enable access between the clouds by configuring from both Azure portal—ExpressRoute and OCI console—FastConnect. You only need to set up 1x virtual circuit since Azure interconnect has built-in redundancy using physical diversity of hardware and location where possible. There is no cost of traffic between Azure and OCI (egress cost) if you use a local SKU and select the minimum 1 Gbps Azure ExpressRoute connection speed. The interconnects are built where Azure and OCI are located close to each other to enable low latency between the clouds.

Note:

Not all regions have this capability. Use a network service provider in other regions.

If you are looking for connecting to Microsoft Azure, see Access to Microsoft Azure.

Oracle Interconnect for Google Cloud

Oracle and Google have partnered to provide customers direct connectivity with natively provisioning options from both clouds. Oracle Interconnect for Google Cloud and OCI FastConnect can be provisioned to build low latency and high bandwidth connectivity. With no egress costs from either cloud provider. Consider this option to design your multicloud connectivity to use services in both OCI and Google Cloud.

The following architecture diagram shows you a connection between OCI and Google Cloud.



Connect to AWS and Other Cloud Platforms

Connections to other public clouds from OCI are quick and easy to establish through our FastConnect partners. We have over 100 global FastConnect partners to choose from based on you region and connectivity requirements. They provide different options to connect with other cloud providers as well as other SaaS/PaaS platforms.

The following diagram shows a connection between OCI and AWS using our connection partner Megaport:

You can also consider a direct VPN connection between AWS and OCI.

Resiliency Requirements

Assess your need for regional resiliency from outages and consider a multiregion deployment.

Multiregion Deployment

Deploy a standard cross-regional setup for a multiregion deployment and pair a disaster recovery and failover. Replicate the resources in the standby region for failover readiness and set up remote peering between DRGs. Data replication uses Oracle's network backbone, not the public internet.

The following diagram shows data replication between a primary and standby region:


Description of multi-region-deployment-full-arch.png follows
Description of the illustration multi-region-deployment-full-arch.png

Load Balancing

Use a load balancer (public or private) to optimize traffic distribution. several backend servers.

A public load balancer exposes a public IP and is accessible from the internet. A private load balancer uses a private IP address and is only accessible from within the VCN.

Load Balancer

A standard load balancer for public facing web servers can terminate SSL traffic or pass it through to the backend. Use flexible shapes between the minimum and maximum bandwidth depending on traffic.

You can set up either a public or private load balancer on layer 4/7, TCP/HTTP layer.

Network Load Balancer

Free service that provides a non-proxy, ultra-low latency, pass-through load balancing with high throughput. Network load balancers are optimized for long-running connections over days or months with connections to the same backend server which is optimal for the database.

Network load balancers ensure that your services remain available by directing traffic only to healthy servers based on Layer 3/Layer 4 (IP protocol) data.

To learn more, review the topic Comparing Load Balancer and Network Load Balancer in the OCI Documentation linked in Explore More.

Security Requirements

Security is critical for any network architecture. Choose the approprite OCI services to establish the required security posture across your applications and networks, whether they are on-premises or in the cloud.

OCI Web Application Firewall

Oracle Cloud Infrastructure Web Application Firewall (WAF) is a regional and edge enforcement service that attaches to enforcement points such as load balancers or web application domain names. OCI WAF protects applications from malicious and unwanted internet traffic.
The OCI WAF policy enables you to enforce the following rules across your OCI applications:
  • Access control
  • Bot management
  • Protection rules
  • Rate limits
  • Customer applications

Note:

Use WAF to protect any internet-facing endpoints, and ensure consistent security rule enforcement across applications.

To learn more, review both OCI WAF policy (regional solution) and Edge policy (global solution).

OCI Network Firewall

Based on the network security posture required, select the network firewall deployment option.

The following diagram shows a supported OCI Network Firewall insertion design that allows for the use of a single OCI Network Firewall to manage both north-south (internet-bound) and east-west (inter-VCN and on-premises) traffic patterns:



In this architecture, an OCI Network Firewall deployed within a central Hub VCN inspects and secures traffic flows inbound from the internet, outbound to the internet, and from an on-premises region.

Zero Trust Packet Routing

Consider using Oracle Cloud Infrastructure Zero Trust Packet Routing (ZPR) for implementing an enhanced security posture with simple policy deployment.

The following diagram shows network security policies managed independently from the underlying network architecture to reduce the risk of unauthorized access:



Security administrators can quickly define intent-based access policies. Only explicitly permitted traffic is allowed, making unauthorized access impossible. This approach simplifies network security management and audit processes.