
Best Practices from Oracle Development's A‑Team

Privately Accessing Oracle Services Residing in Different Regions

Last validated October 30, 2020 for OAC 5.8

Introduction

An Oracle Cloud Infrastructure (OCI) tenancy may be subscribed to multiple geographical regions. 

This post describes several methods of privately accessing Oracle public services residing in different regions from a customer's on-premise network. Identity Cloud Service (IDCS) and Oracle Analytics Cloud (OAC) are used as examples. 

Refer to the Before You Begin section below to determine the location of your IDCS region and if this post is applicable.

Note: This post uses the terms "you" and "your" broadly to mean any administrator in your company who has access to work with OCI networking components.

Validations

October 30, 2020 for OAC 5.8

May 30, 2020 for OAC 5.6

Topics

Before You Begin

Using FastConnect Public Peering

Using FastConnect Private Peering and/or VPN

Hybrid Examples

Before You Begin

The prerequisites listed in this section require a detailed and functioning knowledge of OCI Networking components. Detailing the requirements is beyond the scope of this post; instead, the requirements are listed with links to the official Oracle documentation. This post uses an OAC in Ashburn and an IDCS in Phoenix.

Determining the IDCS Region

You may open a Service Request with Oracle Support to obtain the tenancy's IDCS region. Or you can use the nslookup command available with most operating systems.

First, obtain the IDCS URL and hostname. These can be found in the OCI console by navigating to Identity > Federation > Identity Provider. The URL is in the form:

https://<hostname>/ui/v1/adminconsole

Then run the command from a terminal window. An example command and result are below:

nslookup <hostname>

The result implies this IDCS instance is in Phoenix. You may also refer here for OCI's list of IP ranges by Region.
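The same check as a script, added here as an example and not part of the original post: it resolves the IDCS hostname the way nslookup does and matches each returned address against the structure of Oracle's published public IP range list (the regions/cidrs layout of docs.oracle.com/iaas/tools/public_ip_ranges.json). The CIDR blocks embedded below are constructed samples, not real Oracle ranges, and the hostname is a placeholder.

```python
# Added example (not from the original post): resolve an IDCS hostname and
# map each address to an OCI region using the layout of Oracle's published
# public IP range list. The CIDRs below are constructed samples.
import ipaddress
import socket

SAMPLE_RANGES = {
    "regions": [
        {"region": "us-phoenix-1",
         "cidrs": [{"cidr": "203.0.113.0/24", "tags": ["OCI"]}]},
        {"region": "us-ashburn-1",
         "cidrs": [{"cidr": "198.51.100.0/24", "tags": ["OCI"]}]},
    ]
}

def region_for_ip(ip, ranges):
    """Return the OCI region whose published CIDRs contain ip, else None."""
    addr = ipaddress.ip_address(ip)
    for region in ranges["regions"]:
        for entry in region["cidrs"]:
            if addr in ipaddress.ip_network(entry["cidr"]):
                return region["region"]
    return None

def resolve_all(hostname):
    """Return the sorted IPv4 addresses the hostname resolves to (as nslookup shows)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def idcs_regions(hostname, ranges, resolver=resolve_all):
    """Map every resolved address of the IDCS hostname to a region name.

    Addresses outside the published list are reported as 'unknown' so that a
    proxy or CDN front end is not silently mistaken for an Oracle region.
    """
    return {ip: (region_for_ip(ip, ranges) or "unknown")
            for ip in resolver(hostname)}

if __name__ == "__main__":
    # Placeholder: use the hostname from Identity > Federation > Identity Provider.
    print(idcs_regions("idcs-PLACEHOLDER.identity.oraclecloud.com", SAMPLE_RANGES))
```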

Initial Components

The initial state is shown in the following figure. It depicts accessing both IDCS and OAC via the internet.

OCI 

Oracle's Global Edge Network

A tenancy subscribed to the Ashburn (ASH) and Phoenix (PHX) regions.

ASHBURN

An OAC instance in the Oracle Services Network (OSN)

PHOENIX

An IDCS instance in the Oracle Services Network (OSN)

ON-PREMISE

Networking equipment (CPE) available for Internet connections

Using FastConnect Public Peering

FastConnect Public Peering allows private access to public services via your FastConnect virtual circuit. The circuit connects your CPE with Oracle's Global Edge network. It grants access to multiple regions within a broad geographical area e.g. Ashburn, Phoenix, and Toronto in North America. For a list of the services available with public peering, see FastConnect Supported Cloud Services. For a list of the public IP address ranges (routes) that Oracle advertises, see FastConnect Public Peering Advertised Routes.

The following figure depicts the architecture.

Additional Components

ON-PREMISE

Networking equipment (CPE) configured for FastConnect connections. Refer here for an overview.

Using FastConnect Private Peering and/or VPN

FastConnect Private Peering and/or VPN extends the reach of your private access to Virtual Cloud Networks (VCN) and private services within those VCNs. For each region, a FastConnect virtual circuit or VPN IPsec tunnel connects to an OCI Dynamic Routing Gateway attached to your VCN.

FastConnect Private Peering

The following figure depicts the architecture.

VPN Connect

The following figure depicts the architecture.

Additional Components

ON-PREMISE

Networking equipment (CPE) available for VPN and/or FastConnect connections

ASHBURN and PHOENIX

A VCN to accommodate a Service Gateway (SG) and a Dynamic Routing Gateway (DRG); see here. Note: the regional VCN CIDR blocks and your on-premise CIDR blocks must not overlap.

A DRG configured for FastConnect and/or VPN and attached to the VCN; see here.

A Service Gateway (SG) in the VCN; see here.

A Route Table for the DRG with a rule to the SG; see here. Example below.

A Route Table for the SG with a rule back to the DRG. Example below.
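The two route tables as an added example (not from the original post): a small Python helper that enforces the no-overlap rule from the note above and emits, for one region, the rules of the DRG route table (the region's "all services in OSN" label to the SG) and of the SG route table (the on-premise CIDR blocks back to the DRG), in the JSON shape OCI route rules use. The OCIDs and CIDR blocks are placeholders; the region key is the OCI short key ("phx" for Phoenix, "iad" for Ashburn).

```python
# Added example (not from the original post): checks the CIDR-overlap rule
# and builds the DRG -> SG and SG -> DRG transit route rules for one region.
# OCIDs and CIDR blocks below are constructed placeholders.
import ipaddress
import json

def check_no_overlap(cidrs):
    """Raise ValueError if any two CIDR blocks overlap; return True otherwise."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping CIDR blocks: {a} and {b}")
    return True

def transit_route_rules(region_key, onprem_cidrs, vcn_cidr, sg_ocid, drg_ocid):
    """Return (drg_route_rules, sg_route_rules) for one region.

    region_key is the OCI short key ("phx", "iad"); the Service Gateway
    destination is the region's "all services in OSN" CIDR label.
    """
    check_no_overlap(list(onprem_cidrs) + [vcn_cidr])
    osn_label = f"all-{region_key}-services-in-oracle-services-network"
    # Route table attached to the DRG: OSN-bound traffic from on-premise -> SG.
    drg_rules = [{"destination": osn_label,
                  "destinationType": "SERVICE_CIDR_BLOCK",
                  "networkEntityId": sg_ocid}]
    # Route table attached to the SG: return traffic for on-premise -> DRG.
    sg_rules = [{"destination": c,
                 "destinationType": "CIDR_BLOCK",
                 "networkEntityId": drg_ocid} for c in onprem_cidrs]
    return drg_rules, sg_rules

if __name__ == "__main__":
    drg, sg = transit_route_rules(
        "phx", ["192.168.0.0/24"], "10.1.0.0/16",
        "ocid1.servicegateway.oc1.phx.PLACEHOLDER",
        "ocid1.drg.oc1.phx.PLACEHOLDER")
    print(json.dumps({"drgRouteRules": drg, "sgRouteRules": sg}, indent=2))
```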

Hybrid Examples

There are many hybrid scenarios available. Two of these are depicted below. They both use the components described previously.

VPN and FastConnect Private Peering

This scenario allows private access to an additional region using VPN and removes the need for an additional FastConnect virtual circuit.


FastConnect Private and Public Peering

This scenario allows private access to Oracle public services and to service instances within a VCN, as well as private access to public services in another region without the need for a VCN, DRG, and SG.

Summary

This post described several methods of privately accessing public services residing in different regions from a customer's on-premise network. Identity Cloud Service (IDCS) and Oracle Analytics Cloud (OAC) were used as examples. 

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley
