Configure the Secondary Site - OCI Dedicated Region B
This section outlines the essential networking and infrastructure configuration for the Secondary Site, designated as the failover location in the stretched vSAN setup. Most steps mirror the primary site configuration, with adjustments noted where applicable.
Create VCNs and Networking Foundation
Start by creating a VCN named VCN-Secondary in OCI Dedicated Region B with:
Primary CIDR: 10.17.0.0/16
Once created, add a secondary CIDR block:
Secondary CIDR: 172.45.0.0/16
This secondary CIDR is required during the initial SDDC deployment. It intentionally matches the CIDR of VCN-Mgmt-Failover (created next): the HCX and NSX Edge VLANs are first deployed from this range inside VCN-Secondary and are re-homed to the management VCN after the SDDC is up, which is why only one of the management VCNs may carry live route entries at any time.
Create VCN-Mgmt-Failover
This VCN will ultimately host the management components for the Failover (Secondary) Site:
- VCN Name: VCN-Mgmt-Failover
- CIDR Block: 172.45.0.0/16
Note: This VCN is intended to host the management components after a failover event. Until a failover occurs it remains unused, but its basic constructs are pre-provisioned, everything except active route entries, so it is ready when needed. Only one management VCN, either the active one (VCN-Mgmt-Active) or the failover one (VCN-Mgmt-Failover), should have route entries pointing to its VLANs at any given time. Treat that route-entry switch as the failover control: audit both management VCNs after any change so that they are never routed simultaneously.
Set Up Networking Dependencies
Create the route tables and the NAT Gateway, then define the network security groups (NSGs) and the security list.
- Create a dedicated route table for each VLAN and one for the ESXi subnet. No route rules are needed initially. All required VLANs and subnets per VCN are listed below.
- Create a NAT Gateway in both VCNs (VCN-Secondary and VCN-Mgmt-Failover) to give the management components egress to the internet.
Add the following route entry only to the route table of the vSphere-TEMP VLAN:
Destination | Target Type | Target |
---|---|---|
0.0.0.0/0 | NAT Gateway | NAT-GW |
Define Network Security Groups (NSGs) and Security List
For each VLAN, create a dedicated NSG with the base rules below. Additionally, create a security list with the same rules for the subnet into which the Oracle Cloud VMware Solution service will deploy the VMware ESXi hosts.
Direction | Source | Destination | Protocol |
---|---|---|---|
Ingress | 10.17.0.0/16 (VCN-Secondary) | n/a | All Protocols |
Ingress | 172.45.0.0/16 (VCN-Mgmt-Failover) | n/a | All Protocols |
Egress | n/a | 0.0.0.0/0 | All Protocols |
More specific security rules can be applied post-deployment. These base rules admit every protocol from both VCN CIDRs and allow unrestricted egress; they are a bootstrap allowance, not a target state. Once the SDDC is running, restrict each NSG to the ports its VLAN actually needs and scope egress to what HCX, NSX, and vCenter require.
Create Subnet and VLANs for VCN-Secondary
Create the ESXi host subnet and the VLANs.
Using the route table and security list created earlier, create the subnet below.
Purpose | Subnet Name | CIDR |
---|---|---|
ESXi Deployment | Subnet-Stretched-Cls-Mgmt | 10.17.1.0/24 |
Create VLANs
Using the corresponding route tables and NSGs created earlier, create the VLANs below.
VLAN Purpose | Name | CIDR Range | Tag | Notes |
---|---|---|---|---|
HCX | VLAN-Stretched-Cls-Mgmt-HCX | 172.45.5.0/24 | 205 | |
NSX Edge Uplink 1 | VLAN-Stretched-Cls-Mgmt-NSX Edge Uplink 1 | 172.45.3.0/24 | 203 | |
NSX Edge Uplink 2 | VLAN-Stretched-Cls-Mgmt-NSX Edge Uplink 2 | 172.45.4.0/24 | 204 | |
NSX Edge VTEP | VLAN-Stretched-Cls-Mgmt-NSX Edge VTEP | 172.45.2.0/24 | 202 | |
NSX VTEP | VLAN-Stretched-Cls-Mgmt-NSX VTEP | 10.17.4.0/24 | 104 | |
Provisioning | VLAN-Stretched-Cls-Mgmt-Provisioning Net | 10.17.6.0/24 | 106 | |
Replication | VLAN-Stretched-Cls-Mgmt-Replication Net | 10.17.5.0/24 | 105 | |
vMotion | VLAN-Stretched-Cls-Mgmt-vMotion | 10.17.3.0/24 | 103 | |
vSAN | VLAN-Stretched-Cls-Mgmt-vSAN | 10.17.2.0/24 | 102 | |
vSphere-TEMP | VLAN-Stretched-Cls-Mgmt-vSphere-TEMP | 10.17.7.0/24 | 107 | Add NAT-GW route for outbound |
Note: The VLAN tags for vSAN, vMotion, NSX VTEP, Replication, and Provisioning are the same as those used in VCN-Primary, so both sites are uniform. The vSphere-TEMP VLAN is temporary and is not used after the initial deployment; once deployment is complete, remove its NAT-GW route (or the VLAN itself) so that an idle VLAN does not keep a default route to the internet. The remaining VLANs align with the CIDR blocks and tags configured in either VCN-Mgmt-Active or VCN-Mgmt-Failover, as shown in a later step.
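The VCN-Secondary foundation described in the steps above (the VCN with both CIDRs, the NAT gateway, one empty route table per VLAN and for the subnet with the 0.0.0.0/0 route only on vSphere-TEMP, a per-VLAN NSG carrying the base rules, the subnet security list, the ESXi subnet and the VLANs) written with the OCI Terraform provider, as an added example that is not part of the original page. It assumes a configured OCI provider and an existing variable var.compartment_ocid; the route table, NSG and security list display names are my own choices, every CIDR, tag and VLAN name comes from the tables above.

```hcl
locals {
  # VLANs for VCN-Secondary, keyed by purpose; CIDRs and tags are those of the table above.
  vlans = {
    "HCX"               = { cidr = "172.45.5.0/24", tag = 205 }
    "NSX Edge Uplink 1" = { cidr = "172.45.3.0/24", tag = 203 }
    "NSX Edge Uplink 2" = { cidr = "172.45.4.0/24", tag = 204 }
    "NSX Edge VTEP"     = { cidr = "172.45.2.0/24", tag = 202 }
    "NSX VTEP"          = { cidr = "10.17.4.0/24",  tag = 104 }
    "Provisioning Net"  = { cidr = "10.17.6.0/24",  tag = 106 }
    "Replication Net"   = { cidr = "10.17.5.0/24",  tag = 105 }
    "vMotion"           = { cidr = "10.17.3.0/24",  tag = 103 }
    "vSAN"              = { cidr = "10.17.2.0/24",  tag = 102 }
    "vSphere-TEMP"      = { cidr = "10.17.7.0/24",  tag = 107 }
  }
  # Base rules admit all protocols from both VCN CIDRs; tighten them after deployment.
  trusted_cidrs = ["10.17.0.0/16", "172.45.0.0/16"]
}
resource "oci_core_vcn" "secondary" {
  compartment_id = var.compartment_ocid # assumed to be defined elsewhere
  display_name   = "VCN-Secondary"
  cidr_blocks    = ["10.17.0.0/16", "172.45.0.0/16"] # primary CIDR, then the secondary CIDR
}
resource "oci_core_nat_gateway" "nat" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.secondary.id
  display_name   = "NAT-GW"
}
# One empty route table per VLAN plus one for the ESXi subnet; only vSphere-TEMP gets 0.0.0.0/0 via NAT-GW.
resource "oci_core_route_table" "rt" {
  for_each       = toset(concat(keys(local.vlans), ["Subnet-Stretched-Cls-Mgmt"]))
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.secondary.id
  display_name   = "RT-${each.key}"
  dynamic "route_rules" {
    for_each = each.key == "vSphere-TEMP" ? [1] : []
    content {
      destination       = "0.0.0.0/0"
      destination_type  = "CIDR_BLOCK"
      network_entity_id = oci_core_nat_gateway.nat.id
    }
  }
}
resource "oci_core_network_security_group" "vlan" {
  for_each       = local.vlans
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.secondary.id
  display_name   = "NSG-${each.key}"
}
# Ingress: all protocols from each trusted VCN CIDR, on every VLAN NSG.
resource "oci_core_network_security_group_security_rule" "ingress" {
  for_each = { for p in setproduct(keys(local.vlans), local.trusted_cidrs) : "${p[0]} from ${p[1]}" => p }
  network_security_group_id = oci_core_network_security_group.vlan[each.value[0]].id
  direction                 = "INGRESS"
  protocol                  = "all"
  source                    = each.value[1]
  source_type               = "CIDR_BLOCK"
}
resource "oci_core_network_security_group_security_rule" "egress" {
  for_each                  = local.vlans
  network_security_group_id = oci_core_network_security_group.vlan[each.key].id
  direction                 = "EGRESS"
  protocol                  = "all"
  destination               = "0.0.0.0/0"
  destination_type          = "CIDR_BLOCK"
}
# Security list for the ESXi host subnet; the VLANs are protected by their NSGs instead.
resource "oci_core_security_list" "esxi" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.secondary.id
  display_name   = "SL-Subnet-Stretched-Cls-Mgmt"
  dynamic "ingress_security_rules" {
    for_each = local.trusted_cidrs
    content {
      protocol = "all"
      source   = ingress_security_rules.value
    }
  }
  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}
resource "oci_core_subnet" "esxi" {
  compartment_id    = var.compartment_ocid
  vcn_id            = oci_core_vcn.secondary.id
  display_name      = "Subnet-Stretched-Cls-Mgmt"
  cidr_block        = "10.17.1.0/24"
  route_table_id    = oci_core_route_table.rt["Subnet-Stretched-Cls-Mgmt"].id
  security_list_ids = [oci_core_security_list.esxi.id]
}
resource "oci_core_vlan" "vlan" {
  for_each       = local.vlans
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.secondary.id
  display_name   = "VLAN-Stretched-Cls-Mgmt-${each.key}"
  cidr_block     = each.value.cidr
  vlan_tag       = each.value.tag
  route_table_id = oci_core_route_table.rt[each.key].id
  nsg_ids        = [oci_core_network_security_group.vlan[each.key].id]
}
```

A useful check before applying is to read the plan: every route table except RT-vSphere-TEMP must be created with no route rules, and every NSG must show exactly three rules (two ingress, one egress). Anything more than that means the bootstrap rule set has already drifted from the procedure.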
Configure VLANs in VCN-Mgmt-Failover
Replicate the VLAN configuration of VCN-Mgmt-Active in VCN-Mgmt-Failover, using identical VLAN tags and CIDR structures so that recovery and connectivity work seamlessly during a failover.
These VLANs and their associated security rules must exist in both VCN-Mgmt-Active and VCN-Mgmt-Failover. This is essential for the next phase of the workflow, in which the VMware ESXi host vNICs are migrated from VCN-Primary or VCN-Secondary to the appropriate management VCN. That migration can only happen after the SDDC deployment, because an SDDC cannot span multiple VCNs.
VLANs in VCN-Mgmt-Failover
VLAN Purpose | Name | CIDR Range | Tag | Notes |
---|---|---|---|---|
HCX | VLAN-Stretched-Cls-Mgmt-HCX-NEW | 172.45.5.0/24 | 205 | |
NSX Edge Uplink 1 | VLAN-Stretched-Cls-Mgmt-NSX Edge Uplink 1-NEW | 172.45.3.0/24 | 203 | |
NSX Edge Uplink 2 | VLAN-Stretched-Cls-Mgmt-NSX Edge Uplink 2-NEW | 172.45.4.0/24 | 204 | |
NSX Edge VTEP | VLAN-Stretched-Cls-Mgmt-NSX Edge VTEP-NEW | 172.45.2.0/24 | 202 | |
vSphere | VLAN-Stretched-Cls-Mgmt-vSphere-NEW | 172.45.1.0/24 | 201 | NAT-GW for egress. Ensure the external access rules for the HCX, NSX, and vCenter IPs match those in the same VLAN under VCN-Primary. |
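VCN-Mgmt-Failover with its five VLANs pre-provisioned and the route entries gated behind a flag, as an added example that is not part of the original page. It assumes a configured OCI provider and var.compartment_ocid, and introduces a hypothetical boolean variable failover_is_active, false until a failover; the module for VCN-Mgmt-Active would carry the inverse flag, so that exactly one management VCN has route entries at any time, as the note above requires. The NSG and route table display names are my own choices; VLAN names, CIDRs and tags come from the table above.

```hcl
# Added example: VCN-Mgmt-Failover with NAT gateway, NSG base rules, VLANs and route
# tables. Route rules are emitted only when failover_is_active (hypothetical) is true.
variable "failover_is_active" {
  description = "true only after failover; keep it the inverse of the flag used for VCN-Mgmt-Active"
  type        = bool
  default     = false
}
locals {
  # Same tags and CIDRs as VCN-Mgmt-Active; "nat" marks the VLAN that receives the 0.0.0.0/0 route.
  mgmt_vlans = {
    "HCX"               = { cidr = "172.45.5.0/24", tag = 205, nat = false }
    "NSX Edge Uplink 1" = { cidr = "172.45.3.0/24", tag = 203, nat = false }
    "NSX Edge Uplink 2" = { cidr = "172.45.4.0/24", tag = 204, nat = false }
    "NSX Edge VTEP"     = { cidr = "172.45.2.0/24", tag = 202, nat = false }
    "vSphere"           = { cidr = "172.45.1.0/24", tag = 201, nat = true }
  }
  trusted_cidrs = ["10.17.0.0/16", "172.45.0.0/16"]
}
resource "oci_core_vcn" "mgmt_failover" {
  compartment_id = var.compartment_ocid # assumed to be defined elsewhere
  display_name   = "VCN-Mgmt-Failover"
  cidr_blocks    = ["172.45.0.0/16"]
}
resource "oci_core_nat_gateway" "mgmt_failover" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.mgmt_failover.id
  display_name   = "NAT-GW"
}
resource "oci_core_network_security_group" "mgmt" {
  for_each       = local.mgmt_vlans
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.mgmt_failover.id
  display_name   = "NSG-${each.key}-NEW"
}
# Base rules replicated from the secondary site: all protocols from both VCN CIDRs, open egress.
resource "oci_core_network_security_group_security_rule" "mgmt_ingress" {
  for_each = { for p in setproduct(keys(local.mgmt_vlans), local.trusted_cidrs) : "${p[0]} from ${p[1]}" => p }
  network_security_group_id = oci_core_network_security_group.mgmt[each.value[0]].id
  direction                 = "INGRESS"
  protocol                  = "all"
  source                    = each.value[1]
  source_type               = "CIDR_BLOCK"
}
resource "oci_core_network_security_group_security_rule" "mgmt_egress" {
  for_each                  = local.mgmt_vlans
  network_security_group_id = oci_core_network_security_group.mgmt[each.key].id
  direction                 = "EGRESS"
  protocol                  = "all"
  destination               = "0.0.0.0/0"
  destination_type          = "CIDR_BLOCK"
}
# The route tables always exist; the rules inside them exist only while this VCN is the live one.
resource "oci_core_route_table" "mgmt" {
  for_each       = local.mgmt_vlans
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.mgmt_failover.id
  display_name   = "RT-${each.key}-NEW"
  dynamic "route_rules" {
    for_each = var.failover_is_active && each.value.nat ? [1] : []
    content {
      destination       = "0.0.0.0/0"
      destination_type  = "CIDR_BLOCK"
      network_entity_id = oci_core_nat_gateway.mgmt_failover.id
    }
  }
}
resource "oci_core_vlan" "mgmt" {
  for_each       = local.mgmt_vlans
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.mgmt_failover.id
  display_name   = "VLAN-Stretched-Cls-Mgmt-${each.key}-NEW"
  cidr_block     = each.value.cidr
  vlan_tag       = each.value.tag
  route_table_id = oci_core_route_table.mgmt[each.key].id
  nsg_ids        = [oci_core_network_security_group.mgmt[each.key].id]
}
```

Flipping failover_is_active is the failover control. Keep it under change control, and flip the equivalent flag on VCN-Mgmt-Active in the same change, so a plan never shows route rules present in both management VCNs at once.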
Deploy the Secondary SDDC
When deploying the SDDC, choose the Select existing subnet and VLANs option. Then manually associate each VLAN and the management subnet (Subnet-Stretched-Cls-Mgmt) as configured earlier.
- Ensure the shape and OCPU configuration match the hosts used in the Primary Site to maintain compatibility.
- The deployment typically completes within 2 to 2.5 hours.
Refer to the same deployment guides used for the Primary Site:
With both SDDCs deployed, the next step is to enable inter-region communication by configuring DRGs and Remote Peering.