An Oracle Cloud Infrastructure (OCI) tenancy may be subscribed to multiple geographical regions.
This post describes several methods of privately accessing Oracle public services residing in different regions from a customer's on-premise network. Identity Cloud Service (IDCS) and Oracle Analytics Cloud (OAC) are used as examples.
Refer to the Before You Begin section below to determine the location of your IDCS region and whether this post is applicable.
Note: This post uses the terms "you" and "your" broadly to mean any administrator in your company who has access to work with OCI networking components.
October 30, 2020 for OAC 5.8
May 30, 2020 for OAC 5.6
The prerequisites listed in this section require a detailed, working knowledge of OCI Networking components. Detailing them is beyond the scope of this blog; what follows is a list of the requirements with links to official Oracle documentation. This post uses an OAC in Ashburn and an IDCS in Phoenix.
You may open a Service Request with Oracle Support to obtain the tenancy's IDCS region, or you can use the nslookup command available with most operating systems.
First, obtain the IDCS URL and hostname. These can be found in the OCI console by navigating to Identity > Federation > Identity Provider. The URL is in the form:
https://<hostname>/ui/v1/adminconsole
Then run the command from a terminal window. An example command and result are below:
nslookup <hostname>
The result implies this IDCS instance is in Phoenix. You may also refer here for OCI's list of IP ranges by Region.
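The comparison described above, as an added example that is not part of the original post: it matches the addresses returned by nslookup against a region-to-CIDR list. The JSON layout is assumed to follow Oracle's published IP ranges file, and the CIDRs and addresses are constructed from RFC 5737 documentation ranges, not real Oracle addresses.

```python
import ipaddress
import json

# Constructed sample in the assumed layout of OCI's published IP-range JSON;
# the CIDRs are RFC 5737 documentation ranges, not real Oracle addresses.
SAMPLE_RANGES = json.loads("""
{
  "regions": [
    {"region": "us-ashburn-1", "cidrs": [
      {"cidr": "192.0.2.0/24", "tags": ["OCI"]},
      {"cidr": "198.51.100.0/25", "tags": ["OSN"]}]},
    {"region": "us-phoenix-1", "cidrs": [
      {"cidr": "198.51.100.128/25", "tags": ["OSN"]},
      {"cidr": "203.0.113.0/24", "tags": ["OCI"]}]}
  ]
}
""")


def region_for_ip(ip, ranges):
    """Return (region, cidr, tags) for the most specific range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for region in ranges["regions"]:
        for entry in region["cidrs"]:
            net = ipaddress.ip_network(entry["cidr"], strict=False)
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (region["region"], net, entry["tags"])
    if best is None:
        return None
    return best[0], str(best[1]), best[2]


def regions_for_answers(answers, ranges):
    """Map every address nslookup returned to a region; flag split or unknown results."""
    found = {ip: region_for_ip(ip, ranges) for ip in answers}
    regions = {hit[0] for hit in found.values() if hit}
    unknown = [ip for ip, hit in found.items() if hit is None]
    return {"regions": sorted(regions), "unknown": unknown,
            "consistent": len(regions) == 1 and not unknown}


if __name__ == "__main__":
    # Constructed nslookup answers for a hypothetical IDCS hostname.
    print(regions_for_answers(["198.51.100.200", "203.0.113.7"], SAMPLE_RANGES))
```

A result with `consistent` set to false means the answers span more than one region or fall outside the list, so the region should be confirmed through a Service Request instead.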
The initial state is shown in the following figure. It depicts accessing both IDCS and OAC via the internet.
Oracle's Global Edge Network
A tenancy subscribed to the Ashburn (ASH) and Phoenix (PHX) regions.
An OAC instance in the Oracle Services Network (OSN)
An IDCS instance in the Oracle Services Network (OSN)
Networking equipment (CPE) available for Internet connections
FastConnect Public Peering allows private access to public services via your FastConnect virtual circuit. The circuit connects your CPE with Oracle's Global Edge network. It grants access to multiple regions within a broad geographical area, e.g. Ashburn, Phoenix, and Toronto in North America. For a list of the services available with public peering, see FastConnect Supported Cloud Services. For a list of the public IP address ranges (routes) that Oracle advertises, see FastConnect Public Peering Advertised Routes.
The following figure depicts the architecture.
Networking equipment (CPE) configured for FastConnect connections. Refer here for an overview.
FastConnect Private Peering and/or VPN extends the reach of your private access to Virtual Cloud Networks (VCN) and private services within those VCNs. For each region, a FastConnect virtual circuit or VPN IPsec tunnel connects to an OCI Dynamic Routing Gateway attached to your VCN.
The following figure depicts the architecture.
Networking equipment (CPE) available for VPN and/or FastConnect connections
A VCN to accommodate a Service Gateway (SG) and a Dynamic Routing Gateway (DRG). Note: The regional VCNs and your on-premise CIDR blocks must not overlap.
A DRG configured for FastConnect and/or VPN and attached to the VCN
A Service Gateway (SG) in the VCN
A Route Table for the DRG to the SG. Example below.
A Route Table for the SG back to the DRG. Example below.
This scenario allows private access to an additional region using VPN and removes the need for an additional FastConnect virtual circuit.
This scenario allows private access to Oracle public services and to service instances within a VCN, as well as private access to public services in another region without the need for a VCN, DRG, and SG.
This post described several methods of privately accessing public services residing in different regions from a customer's on-premise network. Identity Cloud Service (IDCS) and Oracle Analytics Cloud (OAC) were used as examples.
For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley