Connect from on-premise to Oracle Services Network via FastConnect

September 21, 2023 | 93 minute read
Catalin Andrei
Master Principal Cloud Architect

Back in 2019, I created a blog post that covered the connectivity from on-prem to OCI Object Storage. At that point we had DRG v1, which was attached to a single VCN and did not have the routing capabilities that the current DRG offers.
Some of the configuration steps have changed since then, and several customers asked me to write a blog post that covers the current way of connecting from on-prem to Object Storage.

Introduction

In this article, we focus on the connectivity between a host on-premises and a service in OCI (for example, Object Storage) via FastConnect or an IPSec connection.

Prerequisites for moving forward are a BGP session from on-premises to OCI and the cloud artefacts: a VCN, a DRG and a Service Gateway.

Traditionally, Object Storage was accessed over the Internet. With online threats growing every day, enterprises want to “hide” their connections to Object Storage from Internet attackers. The network topology used in this post is depicted in the following picture:

01.png

Configuration

The provisioning of the FastConnect virtual circuit or the IPSec connection is out of scope for this blog post.
This blog post focuses on configuring the routing from on-prem to the Service Gateway.

Connection paths

There are two connection paths to consider for HTTPS connectivity:

  • the path from on-prem to the Service Gateway.
  • the return path from Service Gateway to on-prem.

On-prem to Service Gateway path

The initial packet is received by the DRG from the FastConnect or IPSec connection. The DRG looks up the VCN route table attached to the DRG attachment and sends the packet via the VCN attachment to the Service Gateway.

Service Gateway to On-prem path

For the return traffic, the Service Gateway checks its associated route table and finds the route for the on-prem CIDR pointing to the DRG.
The DRG then sends the packet over the FastConnect or IPSec connection.

Route Tables

In this section we configure the route tables required for both paths.

VCN Route Table associated to the DRG

In the OCI web UI, under Networking > Virtual Cloud Network > Your VCN > Route Tables, create a route table for the DRG and add a route rule with target type Service Gateway and destination All Region Services in Oracle Services Network.

02.png

Navigate to Networking > Customer Connectivity > Dynamic Routing Gateway and edit your DRG attachment.
Under Advanced options, on the VCN route table tab, choose Associate a route table and select the route table that you just created.

03.png

This configuration enables the on-prem to Service Gateway path.

Route Table associated with the Service Gateway

In the OCI web UI, under Networking > Virtual Cloud Network > Your VCN > Route Tables, create a route table to be associated with the Service Gateway and add a route rule with target type Dynamic Routing Gateway and destination the on-prem CIDR.

04.png

Navigate to your Service Gateway. On the right, click the three vertical dots and choose Associate Route Table.

05.png

From the drop-down menu, choose the route table that you created for the Service Gateway.

This configuration enables the Service Gateway to on-prem path.
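Before relying on the two route tables, it is worth checking both directions for every OSN CIDR, because a forward path without a matching return route silently drops replies from Object Storage. The following Python script is an added example, not code from the original post or from Oracle: it models the two route tables the way the console shows them (destination, target type), resolves a sample address from each OSN CIDR in the DRG attachment's VCN route table, and resolves the on-prem CIDR in the Service Gateway's route table. The service label wording, the on-prem CIDR 10.10.0.0/16, and the RouteTable and check_paths helpers are assumptions made for the example; the Amsterdam CIDRs are a subset of the ones quoted later in the post.

```python
import ipaddress

# Service CIDR label as it appears in the console, expanded to the CIDRs it
# covers. The label wording is an assumption; the CIDRs are a subset of the
# Amsterdam OSN ranges quoted in the post.
SERVICE_LABELS = {
    "All AMS Services in Oracle Services Network": [
        "134.70.104.0/22", "140.83.44.0/22", "140.91.44.0/23",
        "192.29.192.0/22", "192.29.200.0/21",
    ],
}

SGW = "Service Gateway"
DRG = "Dynamic Routing Gateway"


def expand(destination):
    """A route rule destination is either a plain CIDR or a service CIDR label."""
    return [ipaddress.ip_network(c) for c in SERVICE_LABELS.get(destination, [destination])]


class RouteTable:
    """Route table with console-style rules: (destination, target type)."""

    def __init__(self, name, rules):
        self.name = name
        self.rules = [(net, target) for dest, target in rules for net in expand(dest)]

    def lookup(self, ip):
        """Longest-prefix match; None when no rule covers the address."""
        addr = ipaddress.ip_address(str(ip))
        hits = [(net, target) for net, target in self.rules if addr in net]
        if not hits:
            return None
        return max(hits, key=lambda h: h[0].prefixlen)[1]


def check_paths(drg_rt, sgw_rt, onprem_cidr, service_label):
    """Return a list of problems; an empty list means both paths resolve.

    Forward path: a packet from on-prem arriving at the DRG must be sent to the
    Service Gateway for every CIDR behind the service label.
    Return path: a packet from the Service Gateway to the on-prem CIDR must be
    sent to the DRG.
    """
    problems = []
    for net in expand(service_label):
        target = drg_rt.lookup(net.network_address)
        if target != SGW:
            problems.append(f"forward: {net} resolves to {target} in {drg_rt.name}")
    onprem = ipaddress.ip_network(onprem_cidr)
    target = sgw_rt.lookup(onprem.network_address)
    if target != DRG:
        problems.append(f"return: {onprem} resolves to {target} in {sgw_rt.name}")
    return problems


# Constructed tables mirroring the two route tables built in this post.
# 10.10.0.0/16 stands in for the on-prem CIDR advertised over BGP.
DRG_ATTACHMENT_RT = RouteTable("rt-drg-attachment", [
    ("All AMS Services in Oracle Services Network", SGW),
])
SERVICE_GATEWAY_RT = RouteTable("rt-service-gateway", [
    ("10.10.0.0/16", DRG),
])
# The Service Gateway table before the on-prem rule is added: the return
# path has no route, so replies from Object Storage are dropped.
SERVICE_GATEWAY_RT_MISSING = RouteTable("rt-service-gateway-missing", [])

if __name__ == "__main__":
    label = "All AMS Services in Oracle Services Network"
    for sgw_rt in (SERVICE_GATEWAY_RT, SERVICE_GATEWAY_RT_MISSING):
        problems = check_paths(DRG_ATTACHMENT_RT, sgw_rt, "10.10.0.0/16", label)
        print(sgw_rt.name, "->", problems or "both paths OK")
```

Running the script shows the complete configuration passing and the table without the on-prem rule failing on the return path only; the same check can be fed with the real rules exported from the console to confirm that no OSN CIDR is left without a Service Gateway target.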

On-prem route verification

Log in to your on-prem router and check that the routes are learned.

07.png

You can check the Oracle Services Network (OSN) CIDRs for the region in which you provisioned the Service Gateway in the JSON file that Oracle publishes with the IP ranges for all OCI regions.
The CIDRs for the OCI Amsterdam region are listed below.

{
    "cidr": "62.115.179.220/31",
    "tags": [
        "OSN"
    ]
},
{
    "cidr": "62.115.179.228/31",
    "tags": [
        "OSN"
    ]
},
{
    "cidr": "134.70.104.0/22",
    "tags": [
        "OSN",
        "OBJECT_STORAGE"
    ]
},
{
    "cidr": "140.83.44.0/22",
    "tags": [
        "OSN"
    ]
},
{
    "cidr": "140.91.44.0/23",
    "tags": [
        "OSN"
    ]
},
{
    "cidr": "140.204.36.128/25",
    "tags": [
        "OSN"
    ]
},
{
    "cidr": "140.204.38.128/25",
    "tags": [
        "OSN"
    ]
},
{
    "cidr": "140.204.40.128/25",
    "tags": [
        "OSN"
    ]
},
{
    "cidr": "158.178.220.0/22",
    "tags": [
        "OSN"
    ]
},
{
    "cidr": "192.29.192.0/22",
    "tags": [
        "OSN"
    ]
},
{
    "cidr": "192.29.200.0/21",
    "tags": [
        "OSN"
    ]
},
{
    "cidr": "213.19.198.156/31",
    "tags": [
        "OSN"
    ]
},
{
    "cidr": "213.19.198.164/31",
    "tags": [
        "OSN"
    ]
}
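The route verification on the on-prem router is easier to automate than to eyeball: every OSN CIDR for the region must be covered by a prefix learned over FastConnect or IPSec, otherwise traffic to that range falls through to the default route and leaves over the Internet, which is exactly what the private path is meant to avoid. The following Python script is an added example, not code from the original post or from Oracle. It parses an excerpt in the shape of the public IP ranges JSON (the assumed layout is a top-level "regions" list whose entries carry "region" and "cidrs" keys; the region key name eu-amsterdam-1, the 203.0.113.0/24 entry tagged OCI, and the router listing are constructed), selects the CIDRs carrying a given tag, and reports any OSN CIDR that no learned non-default prefix fully contains.

```python
import ipaddress
import json
import re

# Constructed excerpt in the shape of the OCI public IP ranges JSON.
# Assumed layout: "regions" -> [{"region": ..., "cidrs": [{"cidr", "tags"}]}].
# The OSN entries are a subset of the Amsterdam CIDRs quoted in the post;
# the 203.0.113.0/24 entry is a constructed, non-OSN range for contrast.
RANGES_JSON = """
{
  "regions": [
    {
      "region": "eu-amsterdam-1",
      "cidrs": [
        {"cidr": "62.115.179.220/31", "tags": ["OSN"]},
        {"cidr": "134.70.104.0/22", "tags": ["OSN", "OBJECT_STORAGE"]},
        {"cidr": "140.83.44.0/22", "tags": ["OSN"]},
        {"cidr": "140.91.44.0/23", "tags": ["OSN"]},
        {"cidr": "192.29.192.0/22", "tags": ["OSN"]},
        {"cidr": "192.29.200.0/21", "tags": ["OSN"]},
        {"cidr": "203.0.113.0/24", "tags": ["OCI"]}
      ]
    }
  ]
}
"""

# Constructed sample of what the on-prem router shows after the BGP session
# comes up (loosely modelled on a "show ip route" listing; not real output).
# Note that 192.29.200.0/21 is deliberately absent.
LEARNED_ROUTES = """
S*   0.0.0.0/0 via 198.51.100.1
B    62.115.179.220/31 via 10.0.0.1
B    134.70.104.0/22 via 10.0.0.1
B    140.83.44.0/22 via 10.0.0.1
B    140.91.44.0/23 via 10.0.0.1
B    192.29.192.0/22 via 10.0.0.1
C    10.10.0.0/16 is directly connected
"""

CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def osn_cidrs(ranges_json, region, tag="OSN"):
    """Return the CIDRs carrying `tag` for one region of the ranges file."""
    data = json.loads(ranges_json)
    for entry in data["regions"]:
        if entry["region"] == region:
            return [ipaddress.ip_network(c["cidr"]) for c in entry["cidrs"] if tag in c["tags"]]
    raise KeyError(f"region {region} not present in ranges file")


def learned_prefixes(route_listing):
    """Extract every prefix from a router listing, dropping the default route.

    The default route is excluded on purpose: a match against 0.0.0.0/0 means
    the traffic would leave via the Internet, not via FastConnect or IPSec.
    """
    prefixes = []
    for line in route_listing.splitlines():
        match = CIDR_RE.search(line)
        if not match:
            continue
        net = ipaddress.ip_network(match.group(1), strict=False)
        if net.prefixlen == 0:
            continue
        prefixes.append(net)
    return prefixes


def uncovered(osn, learned):
    """OSN prefixes that no learned (non-default) prefix fully contains."""
    return [net for net in osn if not any(net.subnet_of(l) for l in learned)]


if __name__ == "__main__":
    osn = osn_cidrs(RANGES_JSON, "eu-amsterdam-1")
    missing = uncovered(osn, learned_prefixes(LEARNED_ROUTES))
    for net in missing:
        print(f"WARNING: {net} not learned over the private path; would use default route")
    if not missing:
        print("all OSN prefixes reachable over the private path")
```

With the constructed listing the script flags 192.29.200.0/21, the one OSN range the router has not learned; pointing osn_cidrs at the OBJECT_STORAGE tag narrows the check to the ranges Object Storage itself answers from.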

Conclusion

In this post we covered the routing configuration needed to access Oracle Services Network (OSN) privately from on-premises via FastConnect or IPSec.
