FastConnect: With an Oracle Partner

This topic is for customers who want to use Oracle Cloud Infrastructure FastConnect by connecting to an Oracle Partner.

For a summary of the different ways to connect, see How and Where to Connect.

If you instead want to use a network provider that is not on the list of FastConnect Partners, see FastConnect: With a Third-Party Provider. Or if you want to use FastConnect by colocating with Oracle, see FastConnect: Colocation with Oracle.

For general information about FastConnect, see FastConnect Overview.

Getting Started with FastConnect

Learn and Plan

Before you start, walk through the planning in Before Getting Started: Learn and Plan. Also see FastConnect Redundancy Best Practices and Hardware and Routing Requirements.

You may also need to review information on how to use FastConnect if you do not own a Public ASN or Public IP Address.

The following diagram shows the overall process of setting up FastConnect with an Oracle partner. The tasks described below are represented in the diagram.

This flow chart shows the steps for getting started with FastConnect

Also see the sequence diagram in To get the status of your virtual circuit.

Task 1: Set up connection to the Oracle partner

If you haven't already, start the process of ordering the connection from the Oracle partner, setting it up, and then testing it with the partner. It can take some time, depending on the partner.

Task 2: Set up a DRG (private peering only)
Summary: If you plan to use a private virtual circuit (private peering), you need a DRG. If you haven't already, use the Oracle Cloud Infrastructure Console to set up a DRG, attach it to your VCN, and update routing in your VCN to include a route rule to send traffic to the DRG. It's easy to forget to update the route table. Without the route rule, no traffic will flow.

Instructions:

Task 3: Set up your virtual circuits

Summary: Create one or more virtual circuits for your connection in the Oracle Console. If your network design includes more than one virtual circuit, complete the following steps for each one.

Instructions:

Repeat the following steps for each virtual circuit you want to create.

  1. In the Console, confirm you're viewing the compartment  that you want to work in. If you're not sure which one, use the compartment that contains the DRG that you'll connect to (for a private virtual circuit). The choice of compartment, along with a corresponding IAM policy, controls who has access to the virtual circuit you're about to create.
  2. Open the navigation menu and click Networking. Under Customer connectivity, click FastConnect.

    The resulting FastConnect page is where you'll create a new connection and later return to when you need to manage the connection.

  3. Click Create FastConnect.
  4. Select FastConnect Partner and choose the partner from the list.
    Note

    If you select Megaport as your partner, you will also be able to provision the partner side of the circuit using the optional steps mentioned.
  5. Click Next.
  6. Enter the following for your virtual circuit:

    • Name: A friendly name that helps you track your virtual circuits. The value does not need to be unique across your virtual circuits, and you can change it later. Avoid entering confidential information.
    • Create in Compartment: Leave as is (the compartment you're currently working in).
  7. Choose the virtual circuit type (private or public). A private virtual circuit is for private peering (where your existing network receives routes for your VCN's private IP addresses). A public virtual circuit is for public peering (where your existing network receives routes for the Oracle Cloud Infrastructure public IP addresses). Also see Uses for FastConnect.

    • For a private virtual circuit, enter the following:

      • Select either All traffic or IPSec over FastConnect traffic only. The virtual circuit can be used for IPSec over FastConnect with either choice, but you can choose to not allow unencrypted traffic on the virtual circuit.
      • Dynamic Routing Gateway: Select the DRG to route the FastConnect traffic to. IPSec over FastConnect requires an upgraded DRG.
      • Provisioned Bandwidth: Choose a value. If your bandwidth needs increase later, you can update the virtual circuit to use a different value (see To edit a virtual circuit).
      • Partner Service Key (Optional): Enter the service key provided by your Oracle partner. You can enter this key now or edit the circuit later.

      If your BGP session goes to Oracle (see Basic Network Diagrams), the dialog box includes other fields for the BGP session:

      • Customer BGP IP Address: The BGP peering IP address for your edge (your CPE), with a subnet mask from /28 to /31.
      • Oracle BGP IP Address: The BGP peering IP address you want to use for the Oracle edge (the DRG), with a subnet mask from /28 to /31.
      • Enable IPv6 Address Assignment: IPv6 addressing is supported for all commercial and government regions. See FastConnect and IPv6.
      • Customer BGP ASN: The public or private ASN for your network.
      • Use a BGP MD5 Authentication Key (optional): Select this checkbox and provide a key if your system requires MD5 authentication. Oracle supports up to 128-bit MD5 authentication.
      • Enable Bidirectional Forwarding Detection (optional): Select this checkbox to enable Bidirectional Forwarding Detection.
        Note

        When you use Bidirectional Forwarding Detection, your paired device must be configured to use a 300ms minimum interval and a multiplier of 3.
    • For a public virtual circuit, enter the following:

      • Provisioned Bandwidth: Choose a value. If your bandwidth needs increase later, you can update the virtual circuit to use a different value (see To edit a virtual circuit).
      • Public IP Prefixes: The public IP prefixes that you want Oracle to receive over the connection. All prefix sizes are allowed. You can enter a comma-separated list of prefixes, or one per line.
      • Route Filtering: Choose a Route Filtering option. This selects the routes included in BGP advertisements to your on-premises network.
      • BGP ASN: The public ASN for your network. Present only if your BGP session goes to Oracle (see Basic Network Diagrams). Oracle specifies the BGP IP addresses for a public virtual circuit.
      • Use a BGP MD5 Authentication Key (optional): Select this checkbox and provide a key if your system requires MD5 authentication. Oracle supports up to 128-bit MD5 authentication.
      • Enable Bidirectional Forwarding Detection (optional): Select this checkbox to enable Bidirectional Forwarding Detection.
  8. Click Create.

    The virtual circuit is created. Its OCID and a link to the partner's portal are displayed in the resulting confirmation box at the top of the page. The OCID is also available with the other virtual circuit details.

  9. Copy and paste the OCID to another location. You give it to your partner in the next task.

The virtual circuit is listed on the FastConnect page.

Until you complete the next task and the partner does their provisioning work, the virtual circuit's Lifecycle State is PENDING PROVIDER and the BGP state is DOWN. After the partner does their work, the Lifecycle State switches to PROVISIONED. When the BGP session is established and working, the BGP state changes to UP.

Tip

For a virtual circuit where your BGP session goes to the Oracle partner, the BGP state for the virtual circuit reflects the status of the separate BGP session between the Oracle partner and Oracle. For reference, see Basic Network Diagrams.

Also see the diagram in To get the status of your virtual circuit.

Task 4: Complete the partner end of the virtual circuit

Contact the partner and give the OCID of each virtual circuit that you created, along with any other information the partner requests. Depending on the partner, you might do this in the partner's online portal, or over the phone. The partner then configures each virtual circuit on their end to complete the connectivity.

If your partner is either Megaport or Colt, you can also connect the OCI Console to the partner and complete the connection yourself from within the OCI Console as described in the following sections.

If your partner is AT&T NetBond: After AT&T gives you the service key for your virtual circuit, you can either edit the virtual circuit yourself or create a ticket at My Oracle Support to request provisioning. Include the service key when creating your ticket.

Complete virtual circuits to Megaport

The Oracle Console can add and configure a connection in the Megaport location to this virtual circuit using Megaport's API. To do this, you log in the console to your Megaport account with your username and password (the Oracle Console doesn't store the login information).

Note

If you're simply completing setup of a virtual circuit, you must have previously configured a Megaport port in the Megaport Console to use this option. The Oracle Console can add and configure a connection to this virtual circuit for a Megaport port that already exists. It can't create a new Megaport port at the other end of the connection. This requirement doesn't apply if you're configuring a connection to another cloud provider.

The Oracle console can optionally configure a Megaport Cloud Router (MCR) at the other end of the virtual circuit. An MCR allows you to configure a connection from Oracle to AWS or other cloud service providers.

To complete a connection or create an MCR:

  1. At the top of the details screen for the virtual circuit you just created, click Complete Connection in the Next Steps section.
  2. Enter the requested Megaport Username and Megaport Password for the account that created the Megaport port you want to use.
  3. Click Log in to Megaport.
  4. If you want to complete a virtual circuit to your on-premises network, choose Megaport Port for the Megaport Product and enter the following information:
    • Oracle Connection Name: (Required) A friendly name that helps Megaport track your connection. The value doesn't need to be unique and you can change it later.
    • Megaport Port: (Required) Select the name of the Megaport port to which you want to connect this virtual circuit.
    • Oracle Connection Location: (Required) Select any Megaport location close to the Oracle region for your virtual circuit.
    • Connection Rate Limit (Mbps): (Required) Enter the speed (in Mbps) for the virtual circuit. 1000 Mbps is 1 Gbps, and 10,000 Mbps is 10 Gbps. The Rate Limit must be equal to or less than the bandwidth provisioned at both ends of the virtual circuit.
    • Use VLAN tagging: Enabled by default. If you choose not to use VLAN tagging, you're only able to deploy a single cross-connect on this Megaport port.
    • Preferred A-End VLAN: (Optional) If you don't select a Preferred A-End VLAN, a random A-End VLAN is chosen for you.

    Click Next.

  5. If you want to complete a virtual circuit to another cloud provider, choose Megaport Cloud Router (MCR) for the Megaport Product and enter the following information:
    • Choose Select an existing MCR or Create a new MCR: If you have already connected a third-party cloud service to an MCR, choose Select an existing MCR choose an MCR from the list. If you want to Create a new MCR enter the following information:
      • MCR Name: (Required) A friendly name that helps Megaport track your MCR. The value doesn't need to be unique and you can change it later.
      • MCR Country: (Required) Select the country for the Megaport location where your MCR resides.
      • MCR Location: (Required) Select the Megaport location where your MCR resides. This should be as close as possible to the Oracle region hosting the virtual circuit.
      • MCR Rate Limit: (Required) The rate limit is an aggregate capacity for all connections through the MCR. The rate limit can scale from 1 Gbps to 10 Gbps and is set for the life of the MCR.
      • Minimum Term (Required) (options are no minimum, 12 month, 24 month, 36 month)
    • Oracle Connection Name: (Required) A friendly name that helps Megaport track your Oracle connection. The value doesn't need to be unique and you can change it later.
    • Oracle Connection Location: (Required) Select the Megaport location where your Oracle connection resides. This should be as close as possible to the Oracle region hosting the virtual circuit.
    • Connection Rate Limit (Mbps): (Required) Enter the speed (in Mbps) for the connection. 1000 Mbps is 1 Gbps, and 10,000 Mbps is 10 Gbps. The setting must be equal to or less than the bandwidth provisioned at both ends of the virtual circuit.
    • Create a connection to AWS: Check this only if your third-party cloud service is AWS. Enter the following information:
      • AWS Connection Name: (Required) This information is used to connect AWS to the Megaport MCR.
      • AWS Account ID: (Required) Provide your AWS Account ID. Oracle doesn't retain this information.
      • MCR Country: (Required) Select the country for the Megaport location where your MCR resides.
      • AWS Connection Location: (Required) Select any Megaport location close to the AWS region for your connection.
      • Connection Rate Limit (Mbps): (Required) Enter the speed (in Mbps) for the connection. 1000 Mbps is 1 Gbps, and 10,000 Mbps is 10 Gbps. The setting must be equal to or less than the bandwidth provisioned at both ends of the connection.

    If you want to connect to a third-party cloud service (other than AWS), leave Create a connection to AWS unselected. For any third-party cloud service, including AWS, you also need to configure the remainder of the connection using the Megaport console and the console for your third-party cloud service.

    Click Next.

  6. Confirm that the information about the circuit or MCR is accurate by reviewing the displayed information.
  7. Confirm the quoted price of this service (paid to Megaport and not to Oracle) by selecting the Accept checkbox.
  8. Click Complete Connection when finished.

    If for any other reason all resources can't be configured as entered, the component that can't be configured is automatically deleted. You can click Previous and enter slightly different information to resolve the issue.

After you complete these steps, expect the FastConnect virtual circuit to be in the PENDING PARTNER state while the connection provisions.

Complete virtual circuits to Colt

The Oracle Console can add and configure a connection to this virtual circuit using Colt's API. To do this, you log the console into your Colt account with your username and password (the Oracle Console doesn't store login information).

Note

You must have previously configured a port in the Colt Console to use this option. The Oracle Console can add and configure a connection to this virtual circuit for a port that already exists, but it can't create a new port for the connection.

To use this feature:

  1. At the top of the details screen for the virtual circuit you just created, click Complete Connection in the Next Steps section.
  2. Create Connection.
  3. Enter the requested Colt Username and Colt Password for the account that created the Colt port you want to use.
  4. Click Log in to Colt.
  5. Enter the following information:

    • Connection Name: (Required) A friendly name that helps Colt track your connection. The value doesn't need to be unique and you can change it later.
    • Colt Ethernet Port: (Required) Select the name of the Ethernet port to which you want to connect this virtual circuit.
    • Oracle Connection Location: (Required) Select any Colt location close to the Oracle region for your virtual circuit.
    • Connection Bandwidth: (Required) Enter the speed (in Mbps) for the virtual circuit. 1000 Mbps is 1 Gbps, and 10,000 Mbps is 10 Gbps. The setting must be equal to or less than the bandwidth provisioned at both ends of the virtual circuit.
    • Connection Commitment Period: This entry selects the length of the commitment that you choose to make with Colt for this connection. If necessary, refer to Colt's policies regarding extending commitments or ending them early.
    • Preferred B-End VLAN: (Optional) If you don't select a Preferred B-End VLAN, a random B-End VLAN is chosen for you.
  6. Click Next.
  7. Confirm that the information about the circuit is accurate by reviewing the displayed information.
  8. Confirm the quoted price of this circuit (paid to Colt and not to Oracle) by selecting the Accept checkbox.
  9. Click Create when finished.

After you complete these steps, expect the virtual circuit to be in the PENDING PARTNER state while the connection provisions.

Task 5: Configure your edge

If your BGP session goes to Oracle: (see Basic Network Diagrams), configure your edge (your CPE) to use the BGP peering information (see General Requirements). Oracle's BGP ASN for the commercial cloud is 31898, except the Serbia Central (Jovanovac) region which is 14544. For the Government Cloud, see Oracle's BGP ASN. By default, Oracle uses the default BGP timers of 10 seconds for keep-alive and 30 seconds for hold-time. If you need fast BGP convergence, you can use any value in these supported ranges: 6-60 seconds for keep-alive, and 18-180 seconds for hold-time. Also configure the router for redundancy according to the network design you decided on earlier (see FastConnect Redundancy Best Practices). After you successfully configure the BGP session, the virtual circuit's BGP session state changes to UP.

If your BGP session instead goes to the Oracle partner: You still need to configure your router if you haven't already. You may need to contact your partner to get the required BGP peering information. This BGP session must be up and running for FastConnect to work. Also configure your edge router for redundancy according to the network design you decided on earlier (see FastConnect Redundancy Best Practices).

Important

For a public virtual circuit: Your existing network can receive advertisements for Oracle's public IP addresses through multiple paths (for example: FastConnect and your internet service provider). Make sure to give FastConnect higher preference than your ISP. You must configure your edge appropriately so that traffic uses your desired path to receive the benefits of FastConnect. This is particularly important if you decide to also set up your existing network with private access to Oracle services. For important information about path preferences, see Routing Details for Connections to Your On-premises Network.
Task 6: Check light levels

Confirm that the light levels are good for each of your physical network connections to the partner. Don't proceed until they are.

Task 7: Confirm your interfaces are up

Confirm your side of the interfaces for the connections to the partner are up. Don't proceed until they are.

If the BGP Session Goes to Oracle

Task 9a: Ping the Oracle BGP IP address

For each virtual circuit, ping the Oracle BGP IP address assigned to the virtual circuit. Check the error counters and look for any dropped packets. Don't proceed until you can successfully ping this IP address without errors.

Task 9b: Confirm that the BGP session is established

For each virtual circuit, confirm that the BGP session is in an established state. When it is, the connection is ready to test (see Task 11: Test the connection).

If BGP Session Goes to the Partner

Task 10a: Ping the partner's edge

For each virtual circuit, ping the partner's edge. Check the error counters and look for any dropped packets. Don't proceed until you can successfully ping the partner's edge without errors.

Task 10b: Confirm the BGP session is established

Confirm the BGP session you have with the partner is in an established state. Don't proceed until it is.

Task 10c: Ping the Oracle BGP IP address

For each virtual circuit, ping the Oracle BGP IP address (which you can get from the partner). Check the error counters and look for any dropped packets. When you can successfully ping this IP address without errors, the connection is ready to test.

Task 11: Test the connection

For a private virtual circuit: You should be able to launch an instance in your VCN and access it (for example, with SSH) from a host in your existing private network. See Creating an Instance. If you can, your FastConnect private virtual circuit is ready to use.

For a public virtual circuit:

  1. Make sure that Oracle has successfully verified at least one of the public prefixes you've submitted. You can see the status of each prefix by viewing the virtual circuit's details in the Console. When one of the prefixes has been validated, Oracle starts advertising the regional Oracle Cloud Infrastructure public addresses over the connection.
  2. Launch an instance with a public IP address.
  3. Ping the public IP address from a host in your existing private network. You should see the packet on the FastConnect interface on the virtual circuit. If you do, your FastConnect public virtual circuit is ready to use. However, remember that only the public prefixes that Oracle has successfully verified so far are advertised on the connection.

Managing Your Virtual Circuit

To get the status of your virtual circuit
  1. Open the navigation menu and click Networking. Under Customer connectivity, click FastConnect.
  2. Click the virtual circuit you're interested in to view its details.

The following diagram shows the different states of the virtual circuit when you're setting it up.

This image shows a sequence diagram with the different virtual circuit states
To edit a virtual circuit

You can change these items for a virtual circuit:

  • The name
  • The bandwidth
  • The service key provided by your Oracle partner (for a private virtual circuit)
  • Which DRG it uses (for a private virtual circuit)
  • The public IP prefixes (for a public virtual circuit)
  • Enable or disable Bidirectional Forwarding Detection
  • Configure the virtual circuit to only allow traffic using IPSec over FastConnect. By default any traffic is allowed.
  • Depending on the situation, you might also have access to the BGP session information for the virtual circuit and thus can change it.
Important

If your virtual circuit is working and in the PROVISIONED state before you edit it, be aware that changing any of the properties besides the name, bandwidth, and public prefixes (for a public virtual circuit) causes the virtual circuit's state to switch to PROVISIONING and may cause the related BGP session to go down. After Oracle re-provisions the virtual circuit, its state returns to PROVISIONED. Make sure you confirm that the associated BGP session is back up.

If you change the public IP prefixes for a public virtual circuit, the BGP status is unaffected. Oracle begins advertising a new IP prefix over the connection only after verifying your ownership of it. The virtual circuit's state changes to PROVISIONING while Oracle implements any prefix changes.

  1. Open the navigation menu and click Networking. Under Customer connectivity, click FastConnect.
  2. Select the compartment where the connection resides, and then click the connection to view its details.
  3. Click Edit and make your changes. Avoid entering confidential information.
  4. Click Save Changes.
  5. (Optional) To temporarily deactivate a virtual circuit, click Deactivate. To re-activate the circuit, click Activate. Deactivating the virtual circuit suspends the BGP session and traffic flow without otherwise changing the settings for the virtual circuit.
To terminate a virtual circuit
Important

Also terminate the connection with the partner, or else the partner may continue to bill you.
  1. Open the navigation menu and click Networking. Under Customer connectivity, click FastConnect.
  2. Select the compartment where the connection resides, and then click the connection to view its details.
  3. Click Delete.
  4. Confirm when prompted.

The virtual circuit's Lifecycle State changes to TERMINATING and then to TERMINATED.

To manage public IP prefixes for a public virtual circuit

For general information about the prefixes, see Basic Network Diagrams.

You can specify your public IP prefixes when you create the virtual circuit. See Task 3: Set up your virtual circuits.

You can add or remove public IP prefixes later after creating the virtual circuit. See To edit a virtual circuit. If you add a new prefix, Oracle first verifies your company's ownership before advertising it across the connection. If you remove a prefix, Oracle stops advertising the prefix within a few minutes of your editing the virtual circuit.

You can view the state of Oracle's verification of a given public prefix by viewing the virtual circuit's details in the Console. Here are the possible values:

  • In progress: Oracle is in the process of verifying your organization's ownership of the prefix.
  • Failed: Oracle could not verify your organization's ownership. Oracle will not advertise the prefix over the virtual circuit.
  • Completed: Oracle successfully verified your organization's ownership. Oracle is advertising the prefix over the virtual circuit.
To move a connection to a different compartment

You can move a connection from one compartment to another. After you move the connection to the new compartment, inherent policies apply immediately and affect access to the connection through the Console. Moving the connection to a different compartment does not affect the connection between your data center and Oracle Cloud Infrastructure. For more information, see Moving a Compartment to a Different Parent Compartment.

  1. Open the navigation menu and click Networking. Under Customer connectivity, click FastConnect.
  2. Find the connection in the list, click the the Actions menu (Actions Menu), and then click Move Resource.
  3. Choose the destination compartment from the list.
  4. Click Move Resource.
  5. If there are alarms monitoring the connection, update the alarms to reference the new compartment. See Updating an Alarm After Moving a Resource for more information.

Monitoring Your Connection

You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see Monitoring and Notifications.

For information about monitoring your connection, see FastConnect Metrics.