X

Best Practices from Oracle Development's A‑Team

Inter-TENANCY VCN peering using LPGs

This Blog post is a discussion regarding PEERING OCI VCNs that belong to DIFFERENT tenancies.   This is in the context of  using LPGs vs Attachments.  Options including attachments instead of peering and will be discussed in different posts.

We are assuming you have a basic understanding of OCI Networking and best practices for creating VCNs, subnets, security lists, and routing.

An example of VCN peering -

LPGs (Local Peering Gateways) provide connectivity between VCNs.   An LPG must be created in EACH VCN by a user with proper authority to do so (this is VERY important later when we talk about peering between DIFFERENT TENANCIES).

 

https://docs.oracle.com/en-us/iaas/Content/Resources/Images/network_local_peering_basic.png

It is important to note basic networking rules apply - you must have non-overlapping IP spaces in order to peer between ANY VCNs, whether in the same tenancy or different tenancies.   It is likewise important to be sure there is no IP space overlap across the enterprise networks for either tenancy - you could "'black hole" traffic from a different part of your network if one of the peered VCNs uses space that exist elsewhere on your corporate/enterprise network.

Peering VCNs between two SEPARATE customer tenancies requires an understanding of some related concepts:  First, the connection process requires one tenant to be the REQUESTOR, and the other to be the ACCEPTOR.  Second, each role requires very specific IAM policies in order to provide the user placing the request (the requestor) proper authorization to complete the peering connection process.  Last, as with all OCI networking proper security rules and routes must be put in place on each VCN to allow only the required traffic flows.

 

Preperation:  Be sure the user on each tenancy performing the configuration work has the proper authorization AND are each members of a group as we will provide authority to the group to perform the needed tasks (see group IAM policies if you are not already familiar with user/group/policy implementation).  For our example I have used the Administrators group, but more often a smaller group such as “NetworkAdmins” might be more appropriate.

Obtain the tenancy OCID, authorized group OCID, and the LPG OCID from the acceptor tenancy.

In each tenancy create the appropriate IAM policy.  These policies are APPLIED at the Root, but can specify nested compartments in the actual policy statements.

Examples for Requestor and Acceptor policies:

Requestor Policy

Define tenancy Acceptor as ocid1.tenancy.oc1..aaaaaaaaqgag3pg47ao7v25dqgwfeu5myetwayn3….

Allow group RequestorGrp to manage local-peering-from in compartment CompartmentA:CompartmentB

Endorse group RequestorGrp to manage local-peering-to in tenancy Acceptor

Endorse group RequestorGrp to associate local-peering-gateways in compartment CompartmentA:CompartmentB with local-peering-gateways in tenancy Acceptor

Acceptor Policy

Define tenancy Requestor as ocid1.tenancy.oc1..aaaaaaaagfqbe4ujb2dgwxtp37gzinrxt6h6hfshjokfgfi5…

Define group RequestorGrp as ocid1.group.oc1..aaaaaaaaqmnmuwmtazjp6isf5zrpukdgzjyajggb77tibl66….

Admit group RequestorGrp of tenancy Requestor to manage local-peering-to in compartment AcceptorCompartmentA:AcceptorCompartmentB

Admit group RequestorGrp of tenancy Requestor to associate local-peering-gateways in tenancy Requestor with local-peering-gateways in compartment AcceptorCompartmentA:AcceptorCompartmentB

In the Acceptor Tenancy create the LPG as well as the appropriate Route Rules (these might be in the VCN route table, or a specific Subnet route table as appropriate).   Also create the appropriate Security List rules to allow only the required traffic to flow to the remote VCN.

In the Requestor Tenancy create the LPG to connect to the Acceptor Tenancy:

 

In the Requestor Tenancy go to the LPG and from the “three dot” menu on the right select Establish Peering Connection, and select ENTER LOCAL PEERING GATEWAY OCID.   Enter the OCID provided by the Acceptor Tenancy for the LPG on their side.

 

 

When peering is successfully completed you will see the new status as Peered – Connected to a peer. And you will see the CIDRs being advertised to you from the peered Tenancy:

 

At this point you have established a peering relationship and traffic should flow between the VCNs as allowed.