Even though we have many IP connectivity options nowadays, IPSec remains one of the most widely used. Even when the connection runs over the Internet, it still provides a good level of quality. We will not discuss its benefits and drawbacks here; instead, let’s look at a use case I received recently. It is a non-standard IPSec case and gives a glimpse of how far we can go with IPSec on OCI.

I need to mention that for this particular project the first choice was an SD-WAN solution from a certain vendor that is not yet certified for OCI. My customer decided to use an alternative solution until the SD-WAN vendor is fully certified for OCI, and if the alternative works as expected, it will probably continue to be used. The alternative was to integrate each and every store over IPSec. My customer plans to integrate around 270 stores in the first phase, growing to 500 stores over the next four years. That’s not a small number, is it?

On top of that, the customer had a very clear request: the existing OCI networking must not be changed, and nothing already configured may be altered.

So, our challenge now is two-fold:

1. To integrate the 270 stores without the SD-WAN;

2. To not alter what is already configured, since it is carrying production traffic;

Let’s analyze the networking currently deployed on OCI:

[Diagram: initial OCI networking]

Since we already have a DRG in place, we could start integrating our stores over IPSec on it. But there is a question: how scalable is this if we proceed with the existing DRG?


As we remember, one DRG supports up to 300 attachments (VCN, FastConnect, IPSec and RPC). One IPSec connection consists of two IPSec tunnels, and each IPSec tunnel consumes one DRG attachment. This means the existing DRG alone will not be enough to accommodate all the stores that will be added: 270 stores already need 540 attachments, well beyond the 300-attachment limit. On top of that, we are not allowed to change anything in the existing configuration.

How can we expand the networking structure so that all the stores are connected to OCI? The answer is below:

[Diagram: new OCI networking with Expansion DRGs]

One of the requests was not to modify what is already configured at all. In the networking diagram above, the green part is the existing VCN configuration, which remains unchanged. The added part is depicted in red and consists of two so-called Expansion DRGs, where we will actually configure the IPSec tunnels for each and every store.

Between each Expansion DRG and the existing customer DRG, a Remote Peering Connection (RPC) needs to be configured so that route advertisement works without any issues.

The DRG VCN attachment route table will simply import the IP prefixes (the stores) received over the RPCs, and the existing customer DRG will pass the VCN CIDR or subnets on to the RPCs.

For this solution to work, you need to request limit increases for the number of DRGs, IPSec connections and CPEs. As we can see, the networking diagram above resolves the two-fold challenge we started with. If more sites need to be integrated, we simply add another DRG for another 300 attachments. Simple enough, isn’t it?
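As an added example (not from the original post), the sizing reasoning above turned into a small planner: it uses the post’s figures (300 attachments per DRG, two tunnels per IPSec connection, one RPC per Expansion DRG), assumes one IPSec connection and one CPE object per store, and checks that the customer DRG itself still has room for the extra RPC attachments.

```python
from dataclasses import dataclass

# Figures from the post: 300 attachments per DRG, two tunnels per IPSec
# connection, and one RPC between each Expansion DRG and the customer DRG.
MAX_ATTACHMENTS_PER_DRG = 300
TUNNELS_PER_IPSEC_CONNECTION = 2
RPCS_PER_EXPANSION_DRG = 1

@dataclass
class ExpansionPlan:
    stores: int
    expansion_drgs: int            # new DRGs to request
    ipsec_connections: int         # assumed one per store
    cpes: int                      # assumed one CPE object per store
    stores_per_drg: int            # store capacity of one Expansion DRG
    spare_store_slots: int         # headroom before another DRG is needed
    customer_drg_attachments: int  # existing attachments + one RPC per Expansion DRG

def stores_per_expansion_drg() -> int:
    # Each Expansion DRG spends one attachment on its RPC to the customer DRG;
    # the remaining attachments carry IPSec tunnels, two per store.
    usable = MAX_ATTACHMENTS_PER_DRG - RPCS_PER_EXPANSION_DRG
    return usable // TUNNELS_PER_IPSEC_CONNECTION

def plan_expansion(stores: int, existing_customer_drg_attachments: int) -> ExpansionPlan:
    """Size the Expansion DRG layout; raise ValueError if the customer DRG
    cannot absorb the extra RPC attachments within the 300 limit."""
    if stores <= 0:
        raise ValueError("stores must be positive")
    per_drg = stores_per_expansion_drg()
    drgs = -(-stores // per_drg)  # ceiling division
    customer_total = existing_customer_drg_attachments + drgs * RPCS_PER_EXPANSION_DRG
    if customer_total > MAX_ATTACHMENTS_PER_DRG:
        raise ValueError(f"customer DRG would hold {customer_total} attachments")
    return ExpansionPlan(
        stores=stores,
        expansion_drgs=drgs,
        ipsec_connections=stores,
        cpes=stores,
        stores_per_drg=per_drg,
        spare_store_slots=drgs * per_drg - stores,
        customer_drg_attachments=customer_total,
    )

if __name__ == "__main__":
    # Constructed scenario: phase one (270 stores) and the 500-store target,
    # assuming the customer DRG currently holds four attachments.
    for n in (270, 500):
        print(plan_expansion(n, existing_customer_drg_attachments=4))
```

With the post’s numbers, each Expansion DRG carries 149 stores, so two DRGs cover the 270-store phase and four are needed for 500 stores.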