Learn About Network Connectivity

Plan your network connectivity to build in redundancy and use IPSec VPN or a FastConnect partner to ensure connectivity to a wide range of networks.

Ensure Your Network Connectivity is Fully Redundant

As Oracle's customers continue to grow their cloud deployments, more and more of their critical applications and workloads are being hosted in OCI. These workloads are accessed externally from on-premises or other Cloud Service Providers (CSPs) using connectivity methods such as IPSec VPN and FastConnect. As you grow your cloud deployments, you must ensure that your critical applications in OCI are always available and connected, with redundancy built in to support planned and unplanned outages.

For DRG, Oracle recommends that you check your DRG's Redundancy Status for a quick indication. However, this can lead to a false-positive status, and you may need further clarification to validate the redundancy status.

Oracle recommends the following for FastConnect connections:

  • Learn about how many FastConnect locations your OCI region provides. Review the FastConnect Redundancy Best Practices in OCI documentation.
  • Find your FastConnect scenario, understand the level of location-specific diversity it provides, and the options available to increase diversity.
  • Avoid single points of failure all along the path, including the third-party or Oracle partner's network.

Oracle recommends the following for IPSec VPN connections:

  • Deploy two Customer-Premises Equipment (CPE) devices with a second set of IPSec tunnels.
  • Preferably locate the two CPEs in different datacenters or geographic locations for maximum diversity.
  • If the two CPEs are in the same datacenter, at a minimum ensure the CPEs have separate power supplies and Local Area Network (LAN) switches, and are connected to different Internet Service Providers (ISPs) to provide the highest level of diversity.

Tip:

Make sure your secondary connection can handle the bandwidth in case the primary connection is down. For example, you can use an IPSec VPN as a backup for a 1 GB FastConnect as a primary. However, using an IPSec VPN or a 1 GB FastConnect as a backup for a 10 GB FastConnect as a primary may not work for you.
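The following added example (not Oracle code) checks a connectivity inventory against the recommendations above: it reports components shared by every path and whether the surviving path can carry peak load when one path fails. The Path fields, the inventory values, and the peak figures are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    name: str
    mbps: int        # usable capacity of this path
    datacenter: str  # where the CPE or edge router sits
    isp: str         # carrier or FastConnect partner
    power: str
    lan_switch: str

COMPONENTS = ("datacenter", "isp", "power", "lan_switch")

def single_points_of_failure(paths):
    """Components whose value is identical on every path."""
    spof = {}
    for field in COMPONENTS:
        values = {getattr(p, field) for p in paths}
        if len(values) == 1:
            spof[field] = values.pop()
    return spof

def capacity_gaps(paths, peak_mbps):
    """For each path failing alone, the shortfall (Mbps) of the best survivor."""
    gaps = {}
    for failed in paths:
        # Conservative: assume one surviving path carries all traffic.
        best = max((p.mbps for p in paths if p is not failed), default=0)
        if best < peak_mbps:
            gaps[failed.name] = peak_mbps - best
    return gaps

# Constructed inventories (hypothetical names and capacities).
SAME_DC = [
    Path("cpe-a", 250, "dc-east", "isp-1", "feed-A", "sw-1"),
    Path("cpe-b", 250, "dc-east", "isp-1", "feed-B", "sw-2"),
]
MIXED = [
    Path("fastconnect-primary", 10000, "dc-east", "partner-x", "feed-A", "sw-1"),
    Path("ipsec-backup", 250, "dc-west", "isp-2", "feed-C", "sw-3"),
]

if __name__ == "__main__":
    for label, paths, peak in (("same-dc", SAME_DC, 200), ("mixed", MIXED, 3000)):
        print(label, single_points_of_failure(paths), capacity_gaps(paths, peak))
```

The capacity check compares the backup against measured peak traffic rather than against the primary's link speed, which is why a small backup can be adequate for a lightly loaded primary.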

Oracle also recommends the following:

  • Use Border Gateway Protocol (BGP) for dynamic advertising of routes to provide predictable automatic network failover.
  • Perform failover tests, including:
    • When you first provision your redundant connections to validate they're working correctly before you place them into production.
    • On a regular basis (such as every 6 months or every year) during scheduled outage windows, to validate that failover is still working correctly and that changes made in your environment after the initial failover test haven't broken it. If you only test failover when you first provision the redundant connectivity, you run the risk of finding out it's not working during an actual outage, when it's too late.
    • Don't forget to also validate that failing back to the primary works.

Consider Using an Oracle FastConnect Partner

There are a few connectivity models for OCI FastConnect, including direct connection or colocation with Oracle, using a third-party provider, and using an OCI FastConnect Partner.

Using an OCI FastConnect partner provides many benefits including:

  • Diversity and Redundancy

    Oracle's partners are physically onboarded according to standard requirements in our FastConnect locations with multiple high-speed links terminating on separate OCI FastConnect routers.

  • Ease of Provisioning

    Because the physical connectivity is already established and shared, the provisioning process of an OCI FastConnect partner connection is relatively quick and easy using the consoles of OCI and the partner. You can be up and running with your FastConnect within a few minutes or up to a few hours.

  • Cost

    Using an Oracle Partner is a low-cost option as there is no need for an expensive third-party telecommunications circuit. The cost of the physical connections to the partner is shared with all customers.

  • Large Partner Ecosystem

    We have over 90 unique partners across all OCI regions providing over 750 total connections. This number continues to grow and gives you several options of partners you can work with.

  • Multicloud Connectivity

    You have the option of several OCI FastConnect partners to provide quick, easy, and low-cost connectivity between cloud service providers.

The following table lists connectivity-related information for Oracle FastConnect models:

| FastConnect Option | Implementation Time | Complexity | Carrier Virtual Circuit Charge | Carrier Charge |
|---|---|---|---|---|
| Oracle Partner | Quick | Easy | $ | $$ |
| Third-Party Provider | Long | Complex | Included | $$$ |
| Colocation/Direct | Short | Easy | Included | $ |

Oracle recommends the following:

  • Review the available FastConnect Partners in your specific OCI regions.
  • Consider using a FastConnect Partner on the list that you have an existing contract or relationship with.

Choose Between FastConnect and IPSec VPN

IPSec VPNs can be good options for Proof-of-Concept (PoC) or for small environments to get them up and running quickly.

Over time, as the PoC becomes successful or your organization's confidence in the OCI public cloud increases, you may want to move to a dedicated connection like OCI FastConnect. FastConnect is more beneficial if the level of integration between cloud-based and on-premises applications is high in terms of frequency, volume, and latency sensitivity.

You can also adopt a FastConnect early when a migration candidate is considered a critical application, particularly when consistent wide area network performance is a vital requirement.

IPSec VPN is routed across the public internet, so the total bandwidth available is subject to the limits provided by your Internet Service Provider (ISP). Bandwidth can often be variable and prone to network congestion, and should be considered best effort with no service levels. Oracle's customers typically see at least 250 Mbps of throughput on an individual IPSec tunnel, and sometimes exceed that. However, the actual bandwidth achieved at any point in time will depend on many factors outside of Oracle's control.

The following table lists cloud connectivity options and considerations for each option:

| Cloud Connectivity Option | Considerations |
|---|---|
| OCI FastConnect | Higher data throughput, lower latency, consistent performance; network costs may be higher than internet costs |
| Site-to-Site VPN | Added layer of encrypted tunnels to internet connections; recommended for PoCs; best effort performance |
| Public Internet | Best effort performance; suitable for SaaS applications |

Oracle recommends the following:

  • Plan and document your bandwidth and latency requirements early in the design phase of your project.
  • Provision a FastConnect if you require consistent and predictable network performance (bandwidth, latency, jitter, and so on).
  • Estimate the costs involved with provisioning a FastConnect. Don't assume that the costs for FastConnect are high and that IPSec VPN is free. The added value you can receive from a FastConnect is often well worth the minimal increase in costs for a FastConnect, especially when using an Oracle partner.
  • Understand the differences between FastConnect public and private peering virtual circuits and any associated outbound data transfer charges that apply for public peering options.

The following diagram is an example of using FastConnect in multiple locations with redundancy built in:

[Figure: fastconnect-multiple-fc-locations.png]

Use Descriptive Names for IPSec Tunnels

When you provision an IPSec VPN connection in OCI, Oracle provides two tunnels by default.

By default, the tunnel names don't provide much valuable or descriptive information for the tunnel and can lead to confusion when you're trying to find information about a specific tunnel later. The default tunnel naming convention is ipsectunnel<year><month><day><time>-<tunnelnumber>. For example, ipsectunnel20220112214811-1.

Tip:

You can't delete a tunnel, even if you are not using it. This can lead to confusion, as users unfamiliar with the network can misinterpret the console and assume they have a production tunnel in a down state, when in fact it's an unused tunnel that can't be deleted.

Oracle recommends the following:

  • Create descriptive and user-friendly tunnel names when you provision the tunnels in the OCI console. For example, instead of Tunnel 1 and Tunnel 2 use Primary and Backup.
  • If you are not using one of the tunnels, consider using a descriptive name letting others know it's not in use. For example, Unused Tunnel or Not In Use.
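The following added example (not Oracle code) audits a list of tunnels for autogenerated names and for down tunnels that are not labelled as unused. The "display-name" and "status" keys, the UP and DOWN values, and the sample records are constructed assumptions; the 14-digit timestamp layout is inferred from the example name above.

```python
import re
from datetime import datetime

# Default convention quoted above: ipsectunnel<year><month><day><time>-<tunnelnumber>.
# The YYYYMMDDHHMMSS layout is inferred from ipsectunnel20220112214811-1.
DEFAULT_NAME = re.compile(r"ipsectunnel(\d{14})-(\d+)")
UNUSED_HINTS = ("unused", "not in use")

def parse_default_name(name):
    """Return (created, tunnel_number) for an autogenerated name, else None."""
    m = DEFAULT_NAME.fullmatch(name)
    if not m:
        return None
    try:
        created = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    except ValueError:
        return None  # 14 digits that are not a real timestamp
    return created, int(m.group(2))

def classify(tunnel):
    name, status = tunnel["display-name"], tunnel["status"]
    if parse_default_name(name):
        return "rename"  # the name says nothing about the tunnel's role
    labelled_unused = any(h in name.lower() for h in UNUSED_HINTS)
    if status == "UP":
        return "mislabelled" if labelled_unused else "ok"
    # A down tunnel is expected only when its name marks it as unused.
    return "unused" if labelled_unused else "investigate"

def audit(tunnels):
    return {t["display-name"]: classify(t) for t in tunnels}

# Constructed sample records (hypothetical field names and values).
TUNNELS = [
    {"display-name": "ipsectunnel20220112214811-1", "status": "UP"},
    {"display-name": "ipsectunnel20220112214811-2", "status": "DOWN"},
    {"display-name": "Primary", "status": "UP"},
    {"display-name": "Backup", "status": "DOWN"},
    {"display-name": "Not In Use", "status": "DOWN"},
    {"display-name": "Unused Tunnel", "status": "UP"},
]

if __name__ == "__main__":
    for name, verdict in audit(TUNNELS).items():
        print(f"{verdict:12} {name}")
```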

Use Custom DRG Route Tables and Import Route Distributions

When provisioning a DRG, you may notice that it associates autogenerated DRG route tables to the DRG attachments, and autogenerated import route distributions to those DRG route tables.

These autogenerated route tables and import route distributions are intended for basic connectivity scenarios. Your requirements may change later and need advanced DRG features. You will then need to change the autogenerated route tables and import route distributions.

Instead of trying to modify the autogenerated route tables and import route distributions, Oracle recommends that you create your own custom DRG route tables and import route distributions. This makes it cleaner and easier to understand the logic compared to modifying the default autogenerated ones.

Oracle recommends the following:

  • Learn how DRG route tables and import route distributions work. Check the OCI documentation, blogs, and YouTube videos linked in the Explore More section.
  • Create a custom DRG route table for each attachment or group of attachments that will have the same routing logic.
  • Create a custom DRG import route distribution for each of the DRG route tables. Be clear and specific in the import route distribution statements about what routes and attachments you want to import routes from.