Back in 2019, I created a blog post that covered the connectivity from on-prem to OCI Object Storage. At that point we had DRG v1, which was attached to a single VCN and did not have the routing capabilities that the DRG has today.
Some of the configuration steps have changed since then, and several customers asked me to write a blog post that covers the current way of connecting from on-prem to Object Storage.
In this article, we focus on the connectivity between a host on-premises and a service in OCI (for example Object Storage) via FastConnect or an IPSec connection.
Prerequisites for moving forward are a BGP session from on-premises to OCI and the cloud artefacts: VCN, DRG and Service Gateway.
Traditionally, Object Storage was accessed over the Internet. With online threats growing every day, enterprises want to "hide" their connections to Object Storage from Internet attackers by keeping the traffic on the private path. The network topology that will be used is depicted in the following picture:
The provisioning of the FastConnect Virtual Circuit or the IPSec connection is not in the scope of this blog post.
This blog post focuses on configuring the routing from on-prem to the Service Gateway.
There are two connection paths to consider for HTTPS connectivity:
The initial packet from on-prem is received by the DRG over FastConnect or IPSec; the DRG looks up the VCN route table associated with its VCN attachment and forwards the packet through that attachment to the Service Gateway.
For the return traffic, the Service Gateway looks up its associated route table and finds the route for the on-prem CIDR pointing to the DRG.
The DRG then sends the packet back over the FastConnect or IPSec connection.
In this section we will configure the required route tables for both of the paths.
In the OCI web UI, under Networking > Virtual Cloud Network > Your VCN > Route Tables, create a route table for the DRG and add a route entry with target type Service Gateway for All Region Services in Oracle Services Network.
Navigate to Networking > Customer Connectivity > Dynamic Routing Gateway and edit your DRG attachment.
Under Advanced options, on the VCN route table tab, choose Associate a route table and select the route table that you just created.
This configuration enables the on-prem to Service Gateway path.
In the OCI web UI, under Networking > Virtual Cloud Network > Your VCN > Route Tables, create a route table to be associated with the Service Gateway and add a route entry with target type Dynamic Routing Gateway for the on-prem CIDR.
Navigate to your Service Gateway; on the right you will find three vertical dots, and clicking them lets you Associate a Route Table.
From the drop-down menu, choose the route table that you created for the Service Gateway.
This configuration enables the Service Gateway to on-prem path.
Log in to your on-prem router and check that the OSN routes are learned over BGP.
You can check the Oracle Services Network (OSN) CIDRs for the region in which you provisioned the Service Gateway by looking at the following JSON, which lists all OCI regions.
You can find below the CIDRs for the OCI Amsterdam Region.
[
  { "cidr": "62.115.179.220/31", "tags": [ "OSN" ] },
  { "cidr": "62.115.179.228/31", "tags": [ "OSN" ] },
  { "cidr": "134.70.104.0/22", "tags": [ "OSN", "OBJECT_STORAGE" ] },
  { "cidr": "140.83.44.0/22", "tags": [ "OSN" ] },
  { "cidr": "140.91.44.0/23", "tags": [ "OSN" ] },
  { "cidr": "140.204.36.128/25", "tags": [ "OSN" ] },
  { "cidr": "140.204.38.128/25", "tags": [ "OSN" ] },
  { "cidr": "140.204.40.128/25", "tags": [ "OSN" ] },
  { "cidr": "158.178.220.0/22", "tags": [ "OSN" ] },
  { "cidr": "192.29.192.0/22", "tags": [ "OSN" ] },
  { "cidr": "192.29.200.0/21", "tags": [ "OSN" ] },
  { "cidr": "213.19.198.156/31", "tags": [ "OSN" ] },
  { "cidr": "213.19.198.164/31", "tags": [ "OSN" ] }
]
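To make the two paths and the final verification concrete, here is an added Python example; it is not part of the original post and not an Oracle tool. It assumes the OCI public IP ranges JSON has a top-level "regions" list whose entries carry a "region" name and a "cidrs" list of objects with "cidr" and "tags" keys; the embedded sample is constructed from a subset of the Amsterdam prefixes above, and the on-prem BGP table it checks is constructed as well. The script models the VCN route table associated with the DRG attachment and the Service Gateway route table as longest-prefix-match tables, resolves the forward and return target for a flow, and lists the OSN prefixes that the on-prem router has not learned, which is the check to run after the route tables are associated.

```python
# Added example (not part of the original post): a small model of the two
# route tables described above plus a check of the routes learned on-prem.
# Assumption: the OCI public IP ranges JSON has the shape
# {"regions": [{"region": ..., "cidrs": [{"cidr": ..., "tags": [...]}]}]}.
import ipaddress
import json

# Constructed sample in that shape (subset of the eu-amsterdam-1 OSN CIDRs).
SAMPLE_RANGES_JSON = json.dumps({
    "regions": [
        {
            "region": "eu-amsterdam-1",
            "cidrs": [
                {"cidr": "134.70.104.0/22", "tags": ["OSN", "OBJECT_STORAGE"]},
                {"cidr": "140.83.44.0/22", "tags": ["OSN"]},
                {"cidr": "192.29.200.0/21", "tags": ["OSN"]},
            ],
        }
    ]
})


def osn_cidrs(ranges_json, region, tag="OSN"):
    """Return the prefixes carrying `tag` for `region` as ip_network objects."""
    data = json.loads(ranges_json)
    for entry in data["regions"]:
        if entry["region"] == region:
            return [ipaddress.ip_network(c["cidr"])
                    for c in entry["cidrs"] if tag in c["tags"]]
    raise KeyError(f"region {region} not in ranges file")


def lookup(route_table, dst_ip, osn_prefixes):
    """Longest-prefix match over a route table given as (destination, target)
    pairs. The destination "all-region-services" stands for the route entry
    'All Region Services in Oracle Services Network' and matches every OSN
    prefix. Returns the target, or None when no rule matches (packet dropped)."""
    best = None
    for dst, target in route_table:
        nets = osn_prefixes if dst == "all-region-services" else [ipaddress.ip_network(dst)]
        for net in nets:
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
    return best[1] if best else None


def trace_paths(onprem_cidr, src_ip, dst_ip, osn_prefixes):
    """Resolve both directions of a flow from on-prem host src_ip to dst_ip.
    Forward: the VCN route table associated with the DRG attachment.
    Return:  the route table associated with the Service Gateway."""
    drg_vcn_route_table = [("all-region-services", "SERVICE_GATEWAY")]
    sgw_route_table = [(onprem_cidr, "DRG")]
    forward = lookup(drg_vcn_route_table, ipaddress.ip_address(dst_ip), osn_prefixes)
    back = lookup(sgw_route_table, ipaddress.ip_address(src_ip), osn_prefixes)
    return forward, back


def missing_osn_routes(learned_prefixes, osn_prefixes):
    """OSN prefixes not covered by any prefix the on-prem router learned via BGP
    (a learned aggregate that contains the OSN prefix counts as coverage)."""
    learned = [ipaddress.ip_network(p) for p in learned_prefixes]
    return [str(osn) for osn in osn_prefixes
            if not any(osn.subnet_of(net) for net in learned)]


if __name__ == "__main__":
    osn = osn_cidrs(SAMPLE_RANGES_JSON, "eu-amsterdam-1")
    print("forward/return targets:",
          trace_paths("10.0.0.0/16", "10.0.1.5", "134.70.105.10", osn))
    # Constructed BGP table from the on-prem router: one OSN prefix is absent.
    print("not learned on-prem:",
          missing_osn_routes(["134.70.104.0/22", "140.83.0.0/16"], osn))
```

A flow whose destination is outside OSN resolves to no forward target, and a return packet for a source outside the on-prem CIDR resolves to no target on the Service Gateway side; both are the expected drops, since this setup only opens the private path to Oracle services and only for the on-prem CIDR you listed.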
In this post we covered the routing configurations needed to access Oracle Services Network (OSN) privately from on-premises via a FastConnect or IPSec.