In this blog series we are going to discuss Oracle Cloud Infrastructure (OCI) networking best practices and provide you with some recommendations and tips to help you design and build your network infrastructure. This is the first blog in this series and will cover OCI network design, Virtual Cloud Networks (VCN) and subnets. The topics for this blog series are outlined below:
If you are new to OCI, or specifically OCI networking, Oracle has many options available to you to help you increase your knowledge and skills. Taking advantage of these will help you, and your organization, when it comes time to designing, provisioning, and supporting your OCI network infrastructure down the road.
Tip: If you are familiar with other Cloud Service Providers (CSP), check out the below links for service comparisons between OCI and other CSPs. This can help you understand the OCI terms and concepts and how they are comparable to other CSPs.
Often we see customers jumping right away to deploying their applications or workloads into OCI without taking the time to properly design the OCI Network. VCNs, subnets, gateways, etc. are typically built very quickly using default parameters and Classless Inter-Domain Routing (CIDRs) can end up overlapping with on-prem CIDRs causing issues later. Having the network design completed prior to your deployment forces you to think about and resolve these issues early and prevent any barriers to having a successful deployment later. While it's possible to change some OCI network design elements later, it can be a painful experience and could cause disruption.
Tip: Investigate if there are any reference architectures for your specific deployment that can be leveraged as a starting point. For example, Oracle has many reference architectures for common Oracle OCI deployments such as E-Business Suite (EBS), Siebel, and ExaCS in the Oracle Architecture Center.
Tip: OCI diagram templates are located here https://docs.oracle.com/en-us/iaas/Content/General/Reference/graphicsfordiagrams.htm
When provisioning the necessary network resources in OCI, such as VCNs, subnets, security lists, Dynamic Routing Gateways (DRG), you will be prompted to input a name for the resource. Having a standard naming convention for your OCI resources will help you, and other OCI users later, with understanding the purpose, location and how that resource is differentiated from others. Some of these resource names can be changed later, however some cannot, such as DNS label, and others must be changed via CLI, such as VCN name.
Tip: Consider using OCI tags to add metadata information to the resources. See https://docs.oracle.com/en-us/iaas/Content/Tagging/Concepts/taggingoverview.htm
Tip: Take a look at the naming convention recommendations from the Oracle Cloud Foundation
The OCI Private DNS service provides the ability to:
This gives customers the ability to do seamless DNS resolution between OCI and on-premise infrastructure. Without this, the default behavior of OCI is limited to performing DNS resolution internal to the VCN using the default domain of oraclevcn.com and you may find yourself troubleshooting connectivity problems later because you cannot resolve the DNS names for resources in other VCNs or on-premise.
More info on OCI Private DNS:
Tip: Try out this Private DNS lab from Oracle Live Labs to see it in action!
Tip: Keep in mind that when you use a custom domain name in OCI, the management of the custom zones and records is manual whereas the default oraclevcn.com is automatic.
Oracle best practice and recommendation for most OCI deployments is to use a multiple VCN design in a hub-and-spoke topology utilizing the DRG for connectivity.
For more information on this design, see https://docs.oracle.com/en/solutions/hub-spoke-network-drg/index.html
Benefits of a multiple VCN hub-and-spoke design using the DRG:
Tip: Take a look at the hub and spoke section of the Oracle Cloud Foundation
VCN CIDRs need to be broken down into one or more subnets where resources can be placed. Those subnets can either be regional or Availability Domain (AD) specific subnets and they can also be either public or private subnets. Regional vs. AD specific and public vs. private cannot be changed later so making sure they are correct when you provision them will help minimize disruption and complexity later. In addition to the subnets needing to be terminated and then re-provisioned correctly, the resources already deployed in those subnets will also need to be terminated and then re-provisioned in the new subnets.
Sizing the VCNs and subnets appropriately during your design will help you:
For more information see https://www.ateam-oracle.com/post/vcn-design-and-sizing
When provisioning subnets you will be prompted to choose a VCN route table and a security list to use with each subnet. OCI provides a default route table and a default security list that, if used, is shared with all subnets that are associated with them.
Using the default options for these is good for a simple deployment or to get you started but not a recommended approach for a production design that includes multiple subnets. Having VCN route tables and security lists that are specific to each subnet allows you to maintain granular routing and security control to the individual subnets instead of having them share these resources.
For example:
Tip: Create and associate these unique VCN route tables and security lists when you provision the subnets as it will be more difficult to change from the default ones later.
VCN flow logs show details about traffic that passes through, is sourced from, or destined to your VCN. VCN flow logs are not enabled by default when a subnet is created.
For more information see:
Enabling VCN flow logs on all subnets will help you later with auditing traffic and troubleshooting your VCN and security lists.
Tip: There is a cost for OCI logging storage above a certain threshold. Make sure you understand your OCI logging needs and budget and consider only enabling VCN Flow Logs on a temporary and as needed basis for troubleshooting purposes if you want to limit the usage.
Stay tuned for Part Two of this blog series which will focus on OCI Network Security Best Practices, Recommendations, and Tips
Ben Woltz is a Principal Cloud Architect for OCI with over 25 years of experience in the IT networking space. During those 25 years, his career has included working for both enterprises and service providers and his roles have spanned from delivery and support to sales. He applies the experience he's gained from this broad background to his current role with Oracle where he helps Oracle's customers ensure their solutions are designed for successful deployment in the cloud.