Define Your Network and Connectivity Architecture
Use Redundant Connections for Your On-Premises Environments and Private Resources
Enterprise Architect, Cloud Architect, Infrastructure Lead, Network Administrator
The following options are available to connect your on-premises environments to your private resources in the cloud:
- VPN Connect
Creates highly available and redundant VPN connections by using encrypted IP security (IPSec) VPN tunnels over the internet. IPSec is a protocol suite that encrypts all IP traffic before the packets are transferred from the source to the destination. Oracle creates redundant IPSec tunnels for each VPN connection. The tunnels are logically and physically isolated, when possible, both tunnels should be connected to different CPE's to maximize availability.
- Oracle Cloud
Infrastructure FastConnect
Creates dedicated, private connections between your data center and OCI. Oracle Cloud Infrastructure FastConnect provides higher-bandwidth options, and a more reliable and consistent networking experience compared to internet-based connections. The end-to-end connection is called a virtual circuit. It is always best practice to install two or more virtual circuits for redundancy. Oracle Cloud Infrastructure FastConnect uses a Border Gateway Protocol (BGP) to ensure your traffic uses the best path.
The following connectivity models are available with Oracle Cloud Infrastructure FastConnect:
- With an Oracle Provider
You can establish a FastConnect connection from your on-premises or remote data center to the data center where your Oracle Cloud resources are provisioned by requesting cloud connectivity services from any of Oracle's FastConnect partners. Oracle has integrated the FastConnect service with a geographically diverse set of IP, VPN, and Ethernet network providers and cloud exchanges to make it easy for you to establish a connection to Oracle Cloud services.
This connectivity model is suitable if you plan to use, or are already using, network connectivity services from any Oracle FastConnect partner. Depending on the partner of choice, you may have to order redundant cloud connectivity services from the Oracle FastConnect partner.
- With a Third-Party Provider
You can establish a FastConnect connection from your remote data center to the Oracle data center where your cloud resources are provisioned by ordering a private or dedicated circuit from a network carrier that is not an Oracle FastConnect Partner. This third-party network carrier, typically an MPLS VPN provider, is responsible for the physical connection between your on-premises network and Oracle's FastConnect edge devices, including the last-leg of connectivity within Oracle's data center. Oracle will provide a letter of authorization (LOA) that you will need to provide to the network carrier of your choice, who will then provision the circuit. You should order two such circuits from your network carrier to the Oracle data center to provide redundancy.
This connectivity model is suitable if you have existing relationships with certain network carriers, and, or if, your on-premises or remote data center location is not served by any of Oracle's FastConnect Partners.
- Colocation with Oracle
If you have purchased colocation space from a data center provider, then you can use Oracle Cloud Infrastructure FastConnect to establish connectivity from your network equipment in that colocation facility to your Oracle Cloud services provisioned at this location. Oracle will provide you a letter of authorization (LOA) that the data center provider will need in order to establish a direct cross-connect into Oracle's FastConnect edge devices.
This connectivity model is suitable if you already have presence at an Oracle Cloud Infrastructure FastConnect location or are looking to establish a co-location presence there. You should order two such connections to a data center to provide redundancy.
- Redundancy Recommendations
- If you're relying on FastConnect to access OCI-based resources, then ensure that your path to the provider is redundant. Leverage multiple carriers, if possible.
- If you're running workloads in multiple regions, then consider regional failover of your FastConnect connectivity, or leverage VPN as a backup in the event of failure of in-region redundancy.
- If it is not possible to create a redundant FastConnect, then the best practice is to create a backup VPN connection. While bandwidth may be lower and latency may be higher, maintaining connectivity through VPN is preferable to no connectivity in the event of an issue with FastConnect. Verify that network traffic defaults to the preferred path and ensure that you test traffic redirection in a failure scenario.
Establish Non-Overlapping Private Network Ranges Across Private Environments
Cloud Architect, Infrastructure Lead, Network Administrator
Size Your Virtual Cloud Network to Allow for Expansion
Cloud Architect, Infrastructure Lead, Network Administrator
While you can increase your CIDR range, or add CIDR ranges to a VCN, it is preferable to size your VCN appropriately from the beginning. Ensure that you create VCN CIDRs and subnet CIDR ranges that can accommodate future growth, including capacity for disaster recovery activities.
Consider the following:
- Many services, including Oracle Cloud Infrastructure Load Balancing and Oracle Cloud Infrastructure File Storage services, consume multiple IP Addresses within a subnet to deliver a highly available service.
- All subnets created in a VCN are within the CIDR range.
- Extending a VCN with an additional CIDR is possible, but if you leverage Oracle Cloud Infrastructure FastConnect, additional steps may be necessary to ensure that the extra CIDR is reachable from your on-premises network.
Establish Fault Tolerant and High Availability Connections for Your Public Workload
Enterprise Architect, Cloud Architect, Infrastructure Lead, Network Administrator
Use the following services to strengthen connections for your public workload:
- Oracle Cloud Infrastructure Load Balancing: Automates traffic distribution from one entry point to multiple servers reachable from your virtual cloud network (VCN). It improves resource utilization, facilitates scaling, and helps ensure high availability.
- Oracle Cloud Infrastructure Traffic Management Steering Policies: Enables you to configure policies to serve intelligent responses to DNS queries, giving you the ability to create failover and high-availablility capabilities.
Bypass the Internet When Connecting to Public Resources
Enterprise Architect, Cloud Architect, Infrastructure Lead, Network Administrator
You can implement Oracle Cloud Infrastructure FastConnect with either public or private peering, while VPN Connect only supports private peering. For workloads hosted in OCI, leverage a service gateway to connect to public OCI services.
Use one of the following methods to bypass the internet:
- Public peering
Provides access to public services in OCI without using the internet.
- Private peering:
Extends your existing infrastructure into a VCN on OCI.
- Service gateway
Enables cloud resources without public IP addresses to privately access Oracle services. Combine a service gateway with transit routing and private peering to allow access from on-premises resources to public OCI services.
Transit Routing
Cloud Architect, Infrastructure Lead, Network Administrator
You can extend the hub-and-spoke model by using a service gateway to provide access to public services through the same VPN Connect or FastConnect connection. The hub-and-spoke model also serves as an optimal network architecture when you're considering implementing a virtual firewall appliance. The appliance is deployed within the Hub VCN with all traffic between the VPN or FastConnect and the VCNs routing through the appliance. Optionally, you can route traffic between VCN's through the appliance.
Several virtual appliance offerings are available in Oracle Cloud Marketplace. To ensure availability, deploy redundant appliances within the hub and configure for automatic failover (failover configuration is appliance-specific).