Introduction
This blog is the second of three scenarios mentioned in “How to access OIC in a secure way” mini-series. The main page presenting all scenarios can be found here
In this scenario, we will continue adding connectivity from another OCI Region via a Remote Peering connection.
In this scenario we will use the following technologies:
- Remote Peering Connection – for more information please access official documentation here
- Service Gateway (SGW) – for more information please access official documentation here
- Virtual Cloud Network (VCN) – for more information please access official documentation here
- Dynamic Routing Gateway v2 (DRGv2) – for more information please access official documentation here
Prerequisites
In this blog, we will cover how you can access OIC over RPC and Service gateway from another OCI Region. For doing this we will need the following resources already provisioned:
1. OIC instance – in our test, we will have an OIC instance preconfigured in the Phoenix region that has the following URL: https://oracle-integration-cloud-natdcshjumpstartprod-px.integration.ocp.oraclecloud.com/ic/home/.
2. VCN – in our case is named “OCI_VCN” with a non-overlapping CIDR block “10.0.0.0/24”.
3. Service Gateway (SGW) – in our case is named “OIC_Blog_SGW”.
4. RPC link – In our case is named “OIC-Blog-RPC-PHX”.
5. Remote OCI Region we used is Jerusalem, non-overlapping VCN CIDR block “192.168.0.0/24”.
6. A Windows VM that is part of the Remote OCI Region.
7. All security rules (OCI and On-Premises) are in place to allow traffic.
Solution Description
For this scenario, I have used the following network diagram
To have secure connectivity from the Remote OCI Region to the OIC instance, we need to find the IP address of our OIC instance, which in our case has the IP “138.1.38.80”. This IP address can be found using the nslookup command:
Now we need to activate Transit Routing so the Remote OCI Region will receive over RPC (uses BGP) the Oracle Service Network (OSN) prefix routes from the OIC region.
For doing that we need to do the following steps:
1. Create a new routing table in the VCN that is pointing to the Service Gateway (SGW) and allow all Region Services over that route:
2. Attach the newly created routing table to the VCN attachment by going to “VCN -> Dynamic Routing Gateways Attachment” and click on the attachment name:
Now click the edit button and under advanced options select the VCN route table tab and select the existing route table that we created earlier:
At this point, we should see the OSN subnets advertised over RPC link (using BGP) and one of those subnets will also have the OIC instance IP address, which in our case will be the “138.1.32.0/21” subnet:
3. Now we need to create a new VCN routing table with the routing rule for the remote OCI CIDR block going via DRG:
4. With this newly created routing table go now to the Service Gateway (SGW) and attach the routing table. After this is done the SGW page should look like this:
5. At this point, all necessary routing changes will be done on the Remote OCI Region so the OIC subnet “138.1.32.0/21” (or the IP address “138.1.38.80”) will point to OCI via the DRG connection by adding a rule on the VM subnet routing table.
6. The last step is to activate the OIC Network Access using the Virtual Cloud Network OCID:
On the OIC Network Access Page we can now allow access only from the Virtual Cloud Netwok and block everything else.
Validation
At this point we should have access to OIC from the Remote OCI Region VM:
If we try to access OIC from a different source, we will get a “403 Forbidden” error as access is denied:
In the next scenario, I will talk about providing access from the Internet using Load Balancer (LBaaS) to an OIC instance using the new Vanity URL feature. This scenario can be found here