17 Set Up VPN Connection to Oracle Cloud Infrastructure
Use IPSec VPN to set up a connection between the Compute Classic environment and the Oracle Cloud Infrastructure.
Set Up VPNaaS Connection between an IP Network and Oracle Cloud Infrastructure
This topic does not apply to Oracle Cloud at Customer.
About Setting Up VPN Connection between Compute Classic and Oracle Cloud Infrastructure
Workflow for Setting Up a VPNaaS Connection to Oracle Cloud Infrastructure
- Create an IP network in Compute Classic site or use an existing IP network. See Creating an IP Network. Note down the name of the IP network as you’ll have to provide this information while creating the VPNaaS connection.
- Create a vNICset. When you create instances, specify this vNICset for each vNIC that is added to an IP network that will be reachable over the VPN connection. See Creating a vNICset. Note down the name of the vNICset as you’ll have to provide this information while creating the VPNaaS connection.
- Create a VPN connection using VPNaaS in the Compute Classic site. See Create a VPN Connection in Compute Classic.
- Create the required networking components in Oracle Cloud Infrastructure to set up IPSec VPN. See Setting Up an IPSec VPN in Oracle Cloud Infrastructure documentation.
- Update the VPN connection that you have created in the Compute Classic site with the pre-shared key and IP address of the IPSec VPN tunnel that you have created in Oracle Cloud Infrastructure. See Update the VPNaaS Connection in Compute Classic.
- Validate connectivity between your hosts in the Compute Classic site and Oracle Cloud Infrastructure.
Test the connection before you start using it. Depending on how you've set up your IP network's security rules and security lists in VCN, you should be able to launch an instance in your VCN and access it from an instance in the IP network. Or you should be able to connect from the VCN instance to an instance in the IP network. If you can, your connection is ready to use.
This sets up a VPN connection between a single IP network in your Compute Classic site and a single subnet in the VCN in your Oracle Cloud Infrastructure site. If you want to establish a VPN connection between another IP network and another subnet in Oracle Cloud Infrastructure VCN, you’ll have to create another VPNaaS connection.
Create a VPN Connection in Compute Classic
Create a VPN connection using VPNaaS in the Compute Classic site.
After noting down the public IP address of the VPN gateway, create the required networking components in Oracle Cloud Infrastructure. See Setting Up an IPSec VPN in Oracle Cloud Infrastructure documentation.
Keep the following points in mind while creating the required networking components in Oracle Cloud Infrastructure:
- After creating a dynamic routing gateway (DRG) and attaching the DRG to VCN, create a route table and route rule for the DRG. The routes should include a route to your IP network in the Compute Classic site. This is the IP network in the Compute Classic site that points to the DRG.
- While creating the Customer-Premises Equipment (CPE) object, in the IP Address field specify the public IP address of the VPN gateway that you have created in the Compute Classic site.
- While creating the IPSec connection from the DRG to the CPE object, in the Static Route CIDR field specify the CIDR block of the IP network in the Compute Classic site. You can specify the CIDR block of only one IP network.
Update the VPNaaS Connection in Compute Classic
Procedure
When the VPN connection in the Compute Classic site is updated and provisioned, the IPSec VPN tunnel becomes available on Oracle Cloud Infrastructure. This might take a few minutes.
Validate connectivity between your hosts in the Compute Classic site and Oracle Cloud Infrastructure. Depending on how you've set up your IP network's security rules and VCN security lists, you should be able to launch an instance in your VCN and access it from an instance in the IP network. Or you should be able to connect from the VCN instance to an instance in the IP network. If you can, your connection is ready to use.
Set Up VPN Connection between Shared Network and Oracle Cloud Infrastructure
This topic does not apply to Oracle Cloud at Customer.
Workflow for Setting Up VPN Connection between the Shared Network and the Oracle Cloud Infrastructure
- Complete the prerequisites. See Before You Begin.
- Create a Corente Services Gateway instance in Compute Classic. See Create a Cloud Gateway.
- Add information about your VPN device in Oracle Cloud Infrastructure. See Register the Third-Party VPN Device.
- Create a connection between your Corente Services Gateway and the Oracle Cloud Infrastructure DRG. See Connect the Cloud Gateway with the Oracle Cloud Infrastructure VPN.
- On each instance that you want to access, configure a GRE tunnel to the gateway. See Configuring a GRE Tunnel on a Guest Instance in Oracle Cloud in Setting Up VPN From a Third-Party Gateway On-Premises to the Shared Network.
- Update the timeout for the VPN connection. See Update the Timeout.
- Test the connection after the status of the VPN connection changes to Up. Depending on how you've set up your IP network's security rules and VCN security lists, you should be able to launch an instance in your VCN and access it from an instance in the IP network. Or you should be able to connect from the VCN instance to an instance in the IP network. If you can, your connection is ready to use.
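Both the VPNaaS workflow earlier in this chapter and the shared-network workflow above end with the same validation step. The following Python script is an added example, not part of Oracle's documentation or tooling, of how to automate that check from an instance on one side of the tunnel: it attempts a TCP handshake to each target on the far side (a completed handshake proves packets crossed the tunnel in both directions and that the far-side security rules or security lists allow the port), and it refuses any target outside the far-side CIDR so that a mistyped address cannot report success against some host that was never behind the VPN. The addresses 10.20.0.5 and 10.20.0.6 and the CIDR 10.20.0.0/24 are constructed placeholders; substitute the VCN subnet addresses (or, when testing in the other direction, the IP network addresses).

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Probe:
    host: str   # private address of an instance on the far side of the tunnel
    port: int   # a TCP port the far-side security rules/security lists allow, e.g. 22


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake with host:port completes within timeout.

    Any failure (refused, unreachable, timed out) is reported as False; the
    caller only needs to know whether the path through the tunnel works.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate_tunnel(probes: Iterable[Probe], remote_cidr: str,
                    timeout: float = 3.0) -> Dict[str, bool]:
    """Probe each target and return {'host:port': reachable}.

    Every target must lie inside remote_cidr, the CIDR routed over the VPN on
    the far side, so a typo cannot produce a false 'reachable' result against
    a host that is not actually behind the tunnel.
    """
    net = ipaddress.ip_network(remote_cidr)
    results: Dict[str, bool] = {}
    for probe in probes:
        if ipaddress.ip_address(probe.host) not in net:
            raise ValueError(f"{probe.host} is outside the remote CIDR {remote_cidr}")
        results[f"{probe.host}:{probe.port}"] = check_tcp(probe.host, probe.port, timeout)
    return results


def local_listener() -> Tuple[socket.socket, int]:
    """Open a loopback TCP listener on an ephemeral port.

    Used only to exercise the checks offline; returns the socket and its port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample: run from an instance in the Compute Classic IP network,
    # probing SSH on two instances in the VCN subnet (placeholder addresses).
    targets = [Probe("10.20.0.5", 22), Probe("10.20.0.6", 22)]
    for target, ok in validate_tunnel(targets, "10.20.0.0/24").items():
        print(f"{target}: {'reachable' if ok else 'NOT reachable'}")
```

Run the script once from an instance in the IP network against VCN addresses and once from a VCN instance against IP network addresses; the chapter's validation step counts either direction as proof that the tunnel is usable, but checking both confirms that the route rules and security rules are symmetric.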
Before You Begin
Before you begin creating an IPSec VPN connection to Oracle Cloud Infrastructure, complete the following tasks.
- Create an IP reservation in the shared network. While reserving the IP address, ensure that you don't attach this IP address to any instance. See Reserving a Public IP Address.
  Note down the value of the public IP address that you have reserved as you will have to provide this information while creating the VPN gateway.
- Create networking components in Oracle Cloud Infrastructure. See Setting Up an IPSec VPN in Oracle Cloud Infrastructure documentation.
  Keep the following points in mind while creating the required networking components in Oracle Cloud Infrastructure:
  - After creating a dynamic routing gateway (DRG) and attaching the DRG to VCN, create a route table and route rule for the DRG. The routes should include a route to your shared network in the Compute Classic site.
  - While creating the Customer-Premises Equipment (CPE) object, in the IP Address field specify the public IP address of the VPN gateway that you have created in the Compute Classic site. While creating the cloud gateway in Compute Classic site, you specify an IP reservation to assign a public IP address to the VPN gateway. Specify this IP address.
  - While creating the IPSec connection from the DRG to the CPE object, in the Static Route CIDR field enter 172.16.1.0/24. This is the subnet that contains the local address of the GRE tunnel to the Corente Services Gateway instance in the Compute Classic environment.
- To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
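The field-matching rules above, and the equivalent ones in Create a VPN Connection in Compute Classic for the VPNaaS workflow, are easy to get wrong by a single digit, and a mismatch only shows up later as a tunnel that never comes up. The following Python script is an added example, not part of Oracle's documentation, that checks the values before you enter them in either console: the CPE IP Address must equal the public IP of the Compute Classic gateway (and an RFC 1918 address cannot serve as a CPE endpoint), the Static Route CIDR must equal the Compute Classic CIDR (the IP network's CIDR for VPNaaS, or 172.16.1.0/24 for the Corente gateway), each CIDR must be a proper network address with no host bits set, and no VCN subnet may overlap the Compute Classic CIDR, because overlapping prefixes keep traffic local instead of sending it through the tunnel. That overlap check is an added caveat, not a rule stated on this page. All addresses in the sample are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Private ranges that cannot be reached from Oracle Cloud Infrastructure as a CPE peer.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class ClassicSide:
    """Values taken from the Compute Classic side of the connection."""
    vpn_gateway_public_ip: str  # VPNaaS gateway public IP, or the Corente gateway's IP reservation
    local_cidr: str             # IP network CIDR (VPNaaS) or 172.16.1.0/24 (Corente GRE subnet)


@dataclass(frozen=True)
class OciSide:
    """Values to be entered in the Oracle Cloud Infrastructure console."""
    cpe_ip_address: str               # CPE object, "IP Address" field
    static_route_cidr: str            # IPSec connection, "Static Route CIDR" field
    vcn_subnet_cidrs: Tuple[str, ...]  # VCN subnets served by the DRG route rules


def _network(cidr: str, label: str, findings: List[str]) -> Optional[IPNetwork]:
    """Parse a CIDR strictly; a value with host bits set (10.10.0.5/24) is a finding."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        findings.append(f"{label} {cidr!r} is not a valid network address (malformed or host bits set)")
        return None


def preflight(classic: ClassicSide, oci: OciSide) -> List[str]:
    """Return human-readable findings; an empty list means the two sides agree."""
    findings: List[str] = []
    try:
        gateway = ipaddress.ip_address(classic.vpn_gateway_public_ip)
        cpe = ipaddress.ip_address(oci.cpe_ip_address)
    except ValueError as exc:
        return [f"malformed address: {exc}"]

    # The CPE object must point at the Compute Classic gateway's public address.
    if gateway != cpe:
        findings.append(f"CPE IP address {cpe} does not match the Compute Classic "
                        f"VPN gateway public IP {gateway}")
    if any(cpe in net for net in RFC1918):
        findings.append(f"CPE IP address {cpe} is an RFC 1918 address; the CPE must be the "
                        f"gateway's public (reserved) IP")

    # The static route must be exactly the Compute Classic CIDR.
    local = _network(classic.local_cidr, "Compute Classic CIDR", findings)
    static = _network(oci.static_route_cidr, "Static Route CIDR", findings)
    if local is not None and static is not None and local != static:
        findings.append(f"Static Route CIDR {static} does not match the Compute Classic CIDR {local}")

    # Added caveat: an overlapping VCN subnet would shadow the route over the tunnel.
    for subnet_cidr in oci.vcn_subnet_cidrs:
        subnet = _network(subnet_cidr, "VCN subnet", findings)
        if local is not None and subnet is not None and local.overlaps(subnet):
            findings.append(f"VCN subnet {subnet} overlaps the Compute Classic CIDR {local}; "
                            f"traffic would stay local instead of crossing the tunnel")
    return findings


if __name__ == "__main__":
    # Constructed sample values (placeholders, not a real deployment).
    classic = ClassicSide(vpn_gateway_public_ip="203.0.113.10", local_cidr="10.10.0.0/24")
    oci = OciSide(cpe_ip_address="203.0.113.10", static_route_cidr="10.10.0.0/24",
                  vcn_subnet_cidrs=("10.20.0.0/24",))
    for finding in preflight(classic, oci) or ["configuration is consistent"]:
        print(finding)
```

For the Corente workflow, set local_cidr to 172.16.1.0/24 and vpn_gateway_public_ip to the IP reservation chosen for the cloud gateway; for VPNaaS, set local_cidr to the IP network's CIDR and vpn_gateway_public_ip to the VPN gateway's public address.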
Create a Cloud Gateway
If you want to establish a VPN connection to your Compute Classic instances, start by creating a Corente Services Gateway instance.
- Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
- Click the Network tab.
- In the Network drop-down list, expand VPN, expand Corente, and then click VPN Gateways.
- Click Create VPN Gateway.
- Select or enter the required information:
- Name: Enter a name for the Corente Services Gateway instance.
- IP Reservation: Select the IP reservation that you want to use with this instance. This is the public IP address of your VPN gateway.
- Image: Select the machine image that you want to use to create the instance. You must select the most recent Corente Gateway image, such as corente_gateway_images-9.4.1062.
- Interface Type: Select Single-homed.
- Subnets: Enter 172.16.1.0/24. This is the subnet that contains the local address of the GRE tunnel to Corente Services Gateway instance on the Cloud.
- Click Create.
A Corente Services Gateway instance is created. The required orchestrations are created and started automatically. For example, if you specified the name of the Corente Gateway instance as CSG1, then the following orchestrations are created:
- vpn–CSG1–launchplan: This orchestration creates the instance using the specified image, and associates the instance with the shared network.
- vpn–CSG1–bootvol: This orchestration creates the persistent bootable storage volume.
- vpn–CSG1–secrules: This orchestration creates the required security list, security applications, and security rules.
- vpn–CSG1–master: This orchestration specifies relationships between each of the nested orchestrations and starts each orchestration in the appropriate sequence.
While the Corente Services Gateway instance is being created, the instance status displayed in the Instance column on the VPN Gateways page is Starting. When the instance is created, its status changes to Ready.
Note:
You can list the gateway instance and view details on the Instances page, or view the corresponding orchestrations on the Orchestrations page. However, it is recommended that you always use the VPN Gateways page to manage your gateway instances.
Register the Third-Party VPN Device
To establish a VPN connection to your Compute Classic instances, after creating a Corente Services Gateway instance, register a VPN device to provide information about the Dynamic Routing Gateway (DRG) in Oracle Cloud Infrastructure.
Connect the Cloud Gateway with the Oracle Cloud Infrastructure VPN
After you’ve created a Corente Services Gateway instance and added a third-party device, to establish a VPN connection between your data center and your Compute Classic instances you must connect the cloud gateway with the Oracle Cloud Infrastructure VPN.
To complete the VPN setup, you must configure GRE tunnels between the Corente Services Gateway instance and each Compute Classic instance that you want to access using VPN. See Configuring a GRE Tunnel on a Guest Instance in Oracle Cloud in Setting Up VPN From a Third-Party Gateway On-Premises to the Shared Network.
Update the Timeout
App Net Manager is a secure web portal that you use to modify and monitor the components of your IPSec VPN network in Compute Classic.
- Download App Net Manager from https://www.oracle.com/technetwork/server-storage/corente/downloads/index.html.
- Log in to App Net Manager using the Corente credentials that you received in an email when you subscribed to Compute Classic.
- In App Net Manager, in the Domains pane, click Locations to expand and show all of your gateways.
- Right-click your Oracle Cloud Infrastructure Classic gateway instance, and then select Edit.
- In the Edit dialog box, select the Partners tab, and click the Add button.
- Select 3rd-Party Device and then select the Oracle Cloud Infrastructure VPN device name that you had configured in the earlier task.
- Under Timeouts, enter 28800 seconds as the IKE Lifetime.
- Under Timeouts, enter 1800 seconds as the IPSEC Lifetime.
- Click OK to close the dialog box.
- Click Save at the top of the App Net Manager screen.