Oracle Cloud Infrastructure (OCI) offers several network technologies that allow you to connect different networks together. Usually we see these two use cases:
- The networks are in the same tenancy but in different OCI regions,
- or they are in the same OCI region but in two different tenancies.
From time to time we see a third use case appear:
- Two different tenancies that need connectivity across two different regions, such as Company 1 in Amsterdam needing access to Company 2 in Frankfurt.
Since I get many questions regarding the possibility of interconnecting two tenancies in separate regions, I have decided to write this document to describe how to achieve this in OCI by leveraging Remote Peering Connection (RPC) connectivity and Local Peering Gateway (LPG) connectivity with transit routing enabled.
In this blog we will also add the Identity and Access Management (IAM) policies that are needed for creating cross-tenancy LPGs (Customer 1 ZHR VCN and Customer 2 ZHR VCN). IAM policies let you control who has access to your cloud resources; in this case they let Customer 1 be the requestor of the LPG peering and Customer 2 the acceptor of the LPG peering.
For more information regarding:
Caveats and Limitations
- RPC connectivity is not possible between two different tenancies, since an RPC creates a connectivity link between VCNs in two regions using their DRGs. This link is not designed for on-premises connectivity to reach a VCN in another region: private IP traffic from on-premises -> AMS VCN -> RPC -> ZHR VCN will not work, and a direct link to that region is needed.
- Connectivity is carried over the Oracle backbone, which OCI monitors for capacity and latency, but there is no bandwidth or latency SLA on this link. Because of that, business-critical traffic should not use this path but instead a dedicated FastConnect link via a provider network that can offer proper SLAs.
- For an RPC, a single tenancy must be active in multiple regions, such as Frankfurt and Amsterdam. An RPC can be created between any two regions and is not limited to a geographic area such as NA or EMEA.
- In addition, for the LPGs, two active VCNs are required in the same region, where the first tenancy acts as the hub tenancy. An LPG can be created between two VCNs in the same tenancy or between two VCNs in different tenancies, on the condition that the VCNs are in the same region.
- In this document I will not concentrate on building infrastructure elements such as the Virtual Cloud Network (VCN), Dynamic Routing Gateway (DRG), route table, Security List (SL), Network Security Group (NSG) and Virtual Machine (VM); we assume that all these elements are already in place.
- Identity and Access Management (IAM) policies allowing work within the same tenancy (for example to add or update route tables, SLs/NSGs, RPCs, IAM policies, etc.) are assumed to already exist.
- Validate that the VCN subnets do not overlap on any of the VCNs involved. In this example I have used the following subnets:
  - Customer 1 VCN in AMS - 192.168.100.0/24
  - Customer 1 VCN in ZHR - 192.168.1.0/24
  - Customer 2 VCN in ZHR - 172.16.0.0/24
To overcome the limitation that RPC is available only within the same tenancy, I have created the following path as an example:
Customer 1 AMS --> RPC to Customer 1 ZHR --> LPG to Customer 2 ZHR, as in the following diagram.
For this solution to work end to end we still need some SLs updated, as we can see in the next diagram.
Step 1. Creating RPC link for Customer 1 in AMS
- Update the route table of the Customer 1 AMS VCN subnet that is the source or destination (see the diagram below) with a route for the Customer 2 ZHR VCN subnet 172.16.0.0/24, using the DRG as next hop, for the required connectivity.
After doing this, my Customer 1 AMS VCN has the following route rules, which include 172.16.0.0/24 via the attached DRG.
- Update the SL/NSG with the rules needed to allow the required traffic; in this case I have updated the SL shown in the following diagram
with the following rules
- Create the RPC link:
- Go to the Customer 1 DRG in AMS that is attached to the VCN hosting the VM that needs to communicate with the Customer 2 VCN -> Remote Peering Connections -> Create Remote Peering Connection
- Fill in the name field, select the wanted compartment and hit Create Remote Peering Connection
- After that, a new entry will appear with the newly created peer
- Select the three-dot menu on the right and copy the Remote Peering Connection OCID of the created peering
With this step the work is done for Customer 1 AMS region.
Step 2. Creating an LPG and IAM Policy for Customer 2 in ZHR
- Create an IAM policy to allow Customer 1 to establish an LPG by adding a policy under Identity -> Policies
Create the policy in the root compartment with the following statements for the acceptor tenancy, in this case Customer 2:
Define tenancy [Requestor] as "ocid1.tenancy.oc1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Define group [Requestor Group] as "ocid1.group.oc1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Admit group [Requestor Group] of tenancy [Requestor] to manage local-peering-to in compartment maradule
Admit group [Requestor Group] of tenancy [Requestor] to associate local-peering-gateways in tenancy [Requestor] with local-peering-gateways in compartment [name of the compartment]
- Create the LPG:
- Go to VCN -> Local Peering Gateways -> Create Local Peering Gateway, fill in the name of the link, select the compartment and hit Create Local Peering Gateway
- After doing this, the new LPG will appear as a new connection
- Go to the three-dot menu on the right and select Copy OCID
- Update the route table of the subnet that is the source or destination for the required connectivity with a route using the newly created LPG as next hop
- Update the SL/NSG with the rules needed to allow the required traffic. In my example I have updated it with the following rules
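As an added example (not part of the original post), the Python snippet below checks the non-overlapping CIDR requirement from the caveats and derives the route rules for the two ends of the path described in Step 1 (Customer 1 AMS via the DRG) and Step 2 (Customer 2 ZHR via the LPG). The VCN labels and the "DRG"/"LPG" next-hop names are assumed placeholders; the CIDRs are the ones used in this post.

```python
import ipaddress
from itertools import combinations

# Constructed sample data using the VCN CIDRs from this post; the VCN
# labels are illustrative placeholders, not OCI resource names.
VCNS = {
    "customer1-ams": "192.168.100.0/24",
    "customer1-zhr": "192.168.1.0/24",
    "customer2-zhr": "172.16.0.0/24",
}

def overlapping_pairs(vcns):
    """Return the pairs of VCN names whose CIDRs overlap.

    Every VCN taking part in RPC/LPG peering with transit routing must
    have a unique, non-overlapping CIDR, so this list must be empty.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vcns.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def route_rule(local_cidr, destination_cidr, next_hop):
    """Build one static route rule for a subnet route table.

    A destination that overlaps the local VCN CIDR is rejected: such a rule
    would compete with the VCN's own local routing instead of sending the
    traffic towards the peering gateway.
    """
    local = ipaddress.ip_network(local_cidr)
    dest = ipaddress.ip_network(destination_cidr)
    if local.overlaps(dest):
        raise ValueError(f"destination {dest} overlaps local VCN {local}")
    return {"destination": str(dest), "next_hop": next_hop}

def end_to_end_rules(vcns):
    """Route rules for the two ends of the path: Customer 1 AMS reaches
    Customer 2 ZHR via the DRG, Customer 2 ZHR reaches Customer 1 AMS via
    the LPG (the hub VCN's transit routing is not covered here)."""
    return {
        "customer1-ams": route_rule(vcns["customer1-ams"], vcns["customer2-zhr"], "DRG"),
        "customer2-zhr": route_rule(vcns["customer2-zhr"], vcns["customer1-ams"], "LPG"),
    }

if __name__ == "__main__":
    assert not overlapping_pairs(VCNS), "fix the CIDRs before peering"
    for vcn, rule in end_to_end_rules(VCNS).items():
        print(f"{vcn}: {rule['destination']} -> {rule['next_hop']}")
```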