Define Workload Requirements

Make decisions about your requirements for communication, connectivity, and resiliency of workloads.

Communication Requirements

Identify what your workload communication requirements are for communication gateways and internet connectivity, inter-VCN connectivity, and accessing Oracle Services Network.

OCI Communication Gateways

You must decide the appropriate communication gateways for your needs.

The following table shows the features and the recommended gateways to use for each feature.



Feature: Traffic in and out of OCI can be initiated from OCI or from the internet
  Recommended gateway: Internet Gateway
  Comments: Needs a public subnet and a resource with a public IP

Feature: Resources in OCI access the internet securely
  Recommended gateway: NAT Gateway
  Comments: Only traffic initiated from within the subnet is allowed through the NAT Gateway

Feature: Access to Oracle Cloud Infrastructure Object Storage or other services in the Oracle Services Network
  Recommended gateway: Service Gateway
  Comments: Examples of services are the OS Management service, Oracle Linux, or the Yum service. See the Explore section for a full list of supported services in the Oracle Services Network

Feature: Connection between OCI and on-premises networks, and between VCNs
  Recommended gateway: Dynamic Routing Gateway (DRG)
  Comments: A virtual router that connects VCNs and on-premises locations through a central connection point, and also connects between regions and different tenancies

Inter-VCN Connectivity

Decide how to communicate between VCNs in OCI. You can connect two VCNs that are within the same tenancy or in different tenancies.

The following are three examples of inter-VCN connectivity using a local peering gateway or a dynamic routing gateway.

Local Peering Gateway (LPG)

The following image shows a region with two VCNs using the Local Peering Gateway method:



Both VCNs must be in the same region and you can have a maximum of ten LPGs per VCN.

Dynamic Routing Gateway (DRG)

Oracle recommends using Dynamic Routing Gateways. You can connect VCNs within the same region or between regions. One DRG can connect up to 300 VCNs.

The following image shows a region with two VCNs connected by a DRG in the same region:



The following image shows two VCNs in separate regions connected using DRGs:



Access Oracle Services Network

Oracle Services Network (OSN) is a conceptual network in Oracle Cloud Infrastructure that is reserved for Oracle services.

The following architecture shows accessing the Oracle Services Network:



These services have public IP addresses that can be reached over the internet. However, you can access the Oracle Services Network without the traffic going over the internet, by using a Service Gateway from within a VCN.

When adding a route to OSN, you must decide if the network should use all services or simply access Oracle Cloud Infrastructure Object Storage.

Object Storage is normally used for backup purposes such as for Oracle Database backups.
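As an added example (not Oracle's code, and not from the original page), the following Terraform fragment applies the gateway choices above to a private subnet: internet egress goes only through a NAT Gateway, so only connections initiated from inside the subnet are allowed, and Object Storage is reached through a Service Gateway without traversing the internet. It assumes the OCI Terraform provider is configured and that `var.compartment_ocid` is supplied; swap the service filter for `"All .* Services In Oracle Services Network"` if the network should reach all OSN services instead of only Object Storage.

```hcl
# Resolve the regional "OCI <Region> Object Storage" service entry (assumed provider data source).
data "oci_core_services" "object_storage" {
  filter {
    name   = "name"
    values = ["OCI .* Object Storage"]
    regex  = true
  }
}

resource "oci_core_vcn" "vcn" {
  compartment_id = var.compartment_ocid
  cidr_blocks    = ["10.0.0.0/16"]   # constructed sample CIDR
}

# NAT Gateway: outbound-initiated traffic only, no inbound-initiated connections.
resource "oci_core_nat_gateway" "nat" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
}

# Service Gateway scoped to Object Storage only (for example, database backups).
resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  services {
    service_id = data.oci_core_services.object_storage.services[0].id
  }
}

# Private route table: OSN CIDR via the Service Gateway, everything else via NAT.
resource "oci_core_route_table" "private" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  route_rules {
    destination       = data.oci_core_services.object_storage.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_nat_gateway.nat.id
  }
}

# Private subnet: public IPs are prohibited, so no resource here is reachable from the internet.
resource "oci_core_subnet" "private" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.vcn.id
  cidr_block                 = "10.0.1.0/24"   # constructed sample CIDR
  route_table_id             = oci_core_route_table.private.id
  prohibit_public_ip_on_vnic = true
}
```

A public subnet (for the Internet Gateway case in the table) would instead use a route table whose 0.0.0.0/0 rule points at an `oci_core_internet_gateway` and would leave public IPs allowed.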

Hybrid and Multicloud Requirements

Decide whether you need a hybrid cloud or multicloud architecture. Evaluate bandwidth requirements for the connection for a good user experience.

You can connect Oracle Cloud to on-premises networks using FastConnect or site-to-site VPN.

The following diagram shows an example architecture of connecting an on-premises environment to OCI using either site-to-site VPN or FastConnect:



The following diagram shows an example architecture of a database in OCI and the application load balancer in Microsoft Azure:



Latency is important for a good user experience and better response times. Oracle and Microsoft Azure have integration points in different locations around the world. This makes integration easy and also reduces latency, which makes it possible to have a solution that spans both clouds using FastConnect and ExpressRoute.

You can use FastConnect as a primary connection, and site-to-site VPN as the backup connection. You can also connect to other clouds with both site-to-site VPN and FastConnect depending on your needs.

Connect to On-Premises Networks

You can connect to on-premises networks using either of the following:

  • FastConnect uses a dedicated connection for fixed bandwidth and latency. Oracle recommends using redundant connections for resiliency.
  • Site-to-site VPN uses the internet as the carrier and can also use FastConnect. The bandwidth and latency can vary and hence Oracle recommends using redundant tunnels.

Connect to On-Premises Networks Using FastConnect

The following image shows an architecture with an on-premises and OCI region using FastConnect where the traffic doesn't go through the public internet:



Use site-to-site VPN as a backup connection for FastConnect, so the primary connection is FastConnect and the backup is VPN. The available connection speeds are 1 Gbps, 10 Gbps, or 100 Gbps.

  • Set up a virtual circuit with public peering, if you only need access to Oracle Services Network.
  • Use site-to-site VPN, which uses IPSec to encrypt traffic, in addition to FastConnect public peering.
  • Use private peering when you need a private connection to resources in OCI (VCNs).

Note:

Oracle recommends duplicating the equipment for redundancy.

Connect to On-Premises Networks Using Site-to-Site VPN

Site-to-site VPN connects on-premises data centers to OCI. It uses the internet as the carrier and encrypts the traffic using the IPSec protocol.

The following image shows an architecture with redundant customer-premises devices and an OCI connection using site-to-site VPN:



Site-to-site VPN performance may vary depending on internet traffic. As with FastConnect, you should configure site-to-site VPN with redundant tunnels and, if possible, with redundant CPE devices as well. Oracle provides two VPN endpoints for every site-to-site VPN connection.

Depending on your business needs, you can use site-to-site VPN as an alternative to FastConnect if your bandwidth requirement is steady. Site-to-site VPN is built into the Oracle Cloud tools to make it easy to set up, and it is available at no additional cost. However, site-to-site VPN can't scale to the same bandwidth as FastConnect (currently 250 Mbps per tunnel). You can use it as a standby for FastConnect.

Use site-to-site VPN as a free alternative if you don't require the high performance connections of Megaport or Equinix discussed in the next sections.

Connect to Amazon Web Services

Connections to other public clouds from Oracle Cloud Infrastructure are quick and easy to establish through our FastConnect partners.

The following diagram shows a connection between OCI and AWS using our connection partner Megaport:

Connect to Microsoft Azure

Microsoft and Oracle have a partnership with preintegration of Azure with OCI in several regions.

The following diagram shows the preintegration of Azure with OCI using ExpressRoute and FastConnect:



You can enable access between the clouds from either side or from the console, using FastConnect and ExpressRoute with no network service provider in between. You need to set up only one virtual circuit, because it has built-in redundancy that uses a different standard than FastConnect. There is no traffic cost between Azure and OCI if you use a local SKU and select the minimum 1 Gbps connection speed. The interconnects are built where Azure and OCI are located close to each other, to enable low latency between the clouds.

Note:

Not all regions have this capability. Use a network service provider in other regions.

For more information about connecting to Microsoft Azure, see Access to Microsoft Azure.

Connect to Google Cloud

The following architecture diagram shows you a connection between Oracle Cloud Infrastructure (OCI) and Google Cloud Platform (GCP) using Oracle's connectivity partner Equinix:

Resiliency Requirements

Decide if you want to have resiliency from regional outages and consider a multiregion deployment.

Multiregion Deployment

Use a standard cross-regional setup for a multiregion deployment, where you pair a region with another region for cross-region copying. Set up the same resources in the standby region and set up remote peering between the DRGs.

The data between the regions uses Oracle's network backbone instead of the internet. You must set up replication of data and necessary content that is required to run the deployment on the standby region.


Load Balancing

Use a load balancer to distribute traffic to several backend servers.

A public load balancer uses a public IP and is accessible from the internet. A private load balancer uses a private IP address and is only accessible from within the VCN.

Load Balancer

A standard load balancer for public facing web servers can terminate SSL traffic or pass it through to the backend. You can directly apply Web Application Firewall (WAF) protection to a load balancer and use flexible shapes between the minimum and maximum bandwidth depending on traffic.

You can set up either a public or a private load balancer at layer 4 or layer 7 (TCP or HTTP).

Network Load Balancer

A network load balancer provides non-proxy, pass-through load balancing with high throughput and ultra-low latency. Network load balancers are free. They are optimized for long-running connections over days or months, with connections kept to the same backend server, which is optimal for databases. A network load balancer scales up and down automatically based on client traffic and doesn't require bandwidth configuration or SSL termination.

Network load balancers ensure that your services remain available by directing traffic only to healthy servers based on Layer 3/Layer 4 (IP protocol) data.