Remote VCN Peering using a Legacy DRG

Remote VCN peering is the process of connecting two VCNs in different regions (but the same tenancy ). Peering lets the VCNs' resources communicate using private IP addresses without routing the traffic over the internet or through an on-premises network. Without peering, a VCN would need an internet gateway and public IP addresses for the instances that need to communicate with another VCN in a different region.

Summary of Networking Components for Remote Peering

At a high level, the Networking service components required for a remote peering include:

• Two VCNs with CIDRs that don't overlap, in different regions that support remote peering.

  Note
  
  

  All VCN CIDRs Must Not Overlap

  The two VCNs in the peering relationship must not have overlapping CIDRs. Also, if a particular VCN has several peering relationships, those other VCNs must not have overlapping CIDRs with each other. For example, if VCN-1 is peered with VCN-2 and also VCN-3, then VCN-2 and VCN-3 must not have overlapping CIDRs.

• A Dynamic Routing Gateway (DRG) attached to each VCN in the peering relationship. A VCN already has a DRG if you're using a Site-to-Site VPN IPSec tunnel or an Oracle Cloud Infrastructure FastConnect private virtual circuit.
• A remote peering connection (RPC) on each DRG in the peering relationship.
• A connection between those two RPCs.
• Supporting route rules to enable traffic to flow over the connection, and only to and from select subnets in the respective VCNs (if required).
• Supporting security rules to control the types of traffic allowed to and from the instances in the subnets that need to communicate with the other VCN.

The following diagram illustrates the components.

Note

A VCN can only use the connected RPCs to reach VNICs in the other VCN or an on-premises network, and not destinations outside of the VCNs such as the internet. For example, if VCN-1 in the preceding diagram were to have an internet gateway, the instances in VCN-2 couldn't use it to send traffic to endpoints on the internet. For more information, see Important Implications of Peering.

Spoke-to-Spoke: Remote Peering with Transit Routing

Note

The scenario this section mentions is still supported, but is deprecated. We recommend you use the DRG Transit routing method described in Routing traffic through a central network virtual appliance.

Imagine that in each region you have several VCNs in a hub-and-spoke layout, as shown in the following diagram. This type of layout within a region is discussed in detail in Transit Routing inside a hub VCN. The spoke VCNs in a particular region are locally peered with the hub VCN in the same region, using local peering gateways .

You can set up remote peering between the two hub VCNs. You can then also set up transit routing for the hub VCN's DRG and LPGs, as discussed in Transit Routing inside a hub VCN. This setup lets a spoke VCN in one region communicate with one or more spoke VCNs in the other region without needing a remote peering connection directly between those VCNs.

For example, you could configure routing so that resources in VCN-1-A could communicate with resources in VCN-2-A and VCN-2-B by way of the hub VCNs. That way, VCN 1-A isn't required to have a separate remote peering with each of the spoke VCNs in the other region. You could also set up routing so that VCN-1-B could communicate with the spoke VCNs in region 2, without needing its own remote peerings to them.

The following concepts help you understand the basics of peering and how to establish a remote peering.

PEERING

A peering is a single peering relationship between two VCNs. Example: If VCN-1 peers with two other VCNs, then two peerings exist. The remote part of remote peering indicates that the VCNs are in different regions.

VCN ADMINISTRATORS

In general, VCN peering can occur only if both of the VCN administrators agree to it. In practice, this means that the two administrators must:

• Share some basic information with each other.
• Coordinate to set up the required Oracle Cloud Infrastructure Identity and Access Management policies to enable the peering.
• Configure their VCNs for the peering.

Depending on the situation, a single administrator might be responsible for both VCNs and the related policies.

For more information about the required policies and VCN configuration, see Setting Up a Remote Peering.

ACCEPTOR AND REQUESTOR

To implement the IAM policies required for peering, the two VCN administrators must select one administrator as the requestor and the other as the acceptor. The requestor must be the one to start the request to connect the two RPCs. In turn, the acceptor must create a particular IAM policy that gives the requestor permission to connect to RPCs in the acceptor's compartment . Without that policy, the requestor's request to connect fails.

REGION SUBSCRIPTION

To peer with a VCN in another region, a tenancy must first be subscribed to that region. For information about subscribing, see Managing Regions.

REMOTE PEERING CONNECTION (RPC)

A remote peering connection (RPC) is a component you create on the DRG attached to a VCN. The RPC's job is to act as a connection point for a remotely peered VCN. As part of configuring the VCNs, each administrator must create an RPC for the DRG on their VCN. A specific DRG must have a separate RPC for each remote peering it establishes for the VCN. To continue with the previous example: the DRG on VCN-1 would have two RPCs to peer with two other VCNs. In the API, a RemotePeeringConnection is an object that contains information about the peering. You can't reuse an RPC to later establish another peering with it.

CONNECTION BETWEEN TWO RPCS

When the requestor starts the request to peer (in the Console or API), they're effectively asking to connect the two RPCs. This means the requestor must have information to identify each RPC (such as the RPC's region and OCID ).

Either VCN administrator can end a peering by deleting their RPC. In that case, the other RPC's status switches to REVOKED. The administrator could instead deactivate the connection by removing the route rules that enable traffic to flow across the connection (see the next section).

ROUTING TO THE DRG

As part of configuring the VCNs, each administrator must update the VCN's routing to enable traffic to flow between the VCNs. For each subnet that needs to communicate with the other VCN, update the subnet's route table. The route rule specifies the destination traffic's CIDR and the DRG as the target. The DRG routes traffic that matches that rule to the other DRG, which in turn routes the traffic to the next hop in the other VCN.

In the following diagram, VCN-1 and VCN-2 are peered. Traffic from an instance in Subnet A (10.0.0.15) destined for an instance in VCN-2 (192.168.0.15) is routed to DRG-1 based on the rule in Subnet A's route table. From there the traffic is routed through the RPCs to DRG-2, and then from there, on to the destination in Subnet X.

Callout 3: Subnet A Route Table

Destination CIDR	Route Target
0.0.0.0/0	Internet Gateway
192.168.0.0/16	DRG-1

Callout 4: Subnet X Route Table

Destination CIDR	Route Target
10.0.0.0/16	DRG-2

Note

As mentioned earlier, a VCN can only use the connected RPCs to reach VNICs in the other VCN, and not destinations outside of the VCNs (such as the internet or an on-premises network). For example, in the preceding diagram, VCN-2 can't use the internet gateway attached to VCN-1.

SECURITY RULES

Each subnet in a VCN has one or more security lists that control traffic in and out of the subnet's VNICs at the packet level. You can use security lists to control the type of traffic allowed with the other VCN. As part of configuring the VCNs, each administrator must decide which subnets in their own VCN need to communicate with VNICs in the other VCN and update their subnet's security lists to allow the traffic.

If you use network security groups (NSGs) to implement security rules, notice that you have the option to write security rules for an NSG that specify another NSG as the source or destination of traffic. However, the two NSGs must belong to the same VCN.

If you haven't yet, read Important Implications of Peering to understand important access control, security, and performance implications for peered VCNs.

This section covers the general process for setting up a peering between two VCNs in different regions.

1. Create the RPCs: Each VCN administrator creates an RPC for their own VCN's DRG.
2. Share information: The administrators share the basic required information.
3. Set up the required IAM policies for the connection: The administrators set up IAM policies to enable the connection to be established.
4. Establish the connection: The requestor connects the two RPCs (see Important Remote Peering Concepts for the definition of the requestor and acceptor).
5. Update route tables: Each administrator updates their VCN's route tables to enable traffic between the peered VCNs or subnets.
6. Update security rules: Each administrator updates their VCN's security rules to enable traffic between the peered VCNs or subnets.

The administrators can perform tasks E and F before establishing the connection. Each administrator needs to know the CIDR block or specific subnets from the other VCN and share that in task B.