OCI Advanced - VCN Peering


OCI Advanced Lab (VCN Peering)

Introduction

Description

When building a network architecture, customers may need to create separate VCNs. Customers can create as many VCNs as they wish, for reasons such as workload separation, management, or application security. A VCN is a distinct network within the OCI architecture, and by default it cannot communicate with other internal networks, for security reasons. This is a small part of Oracle's Zero Trust network architecture. However, customers can create their own secure peering connections between their VCNs using Local Peering Gateways in OCI. Peering connections allow private communication between VCNs: the connection doesn't expose any ports or allow packets to traverse the public internet.

This lab will walk you through the creation of two distinct VCNs, each with a deployed Linux instance. You'll allow the two instances to communicate through a Local Peering Gateway, creating a private connection that is not exposed to the internet.

Lab Objective

  • Create a secure, private connection between two VCNs

Lab Overview Video

  • Watch the video below for an accelerated view of the lab steps run through by the author.

OCI Advanced - OCI Advanced Lab VCN Peering

Intended Audience

  • Oracle Cloud Architects
  • Anyone interested in OCI network architecture

Contact us

Having an issue with the lab? Have an idea on how it could be made better? Want to tell us how awesome the lab is? Click the icon below to contact the team and let us know your feedback.

Task 1: Create VCN #1

In the following section, you'll create a VCN with a network address range of 10.0.0.0/16. You'll add an internet gateway and a subnet, adjust the route rules to allow incoming traffic, and add a local peering gateway.

  1. Create the VCN. From the OCI Services menu, under Core Infrastructure, click on Networking > Virtual Cloud Networks.

  2. Before you can create a VCN, you'll need to be in a compartment where you have authorization to create resources. From the List Scope section, locate the Compartment dropdown field. Expand the compartment selections using the plus signs until you find your assigned compartment underneath the Luna-Labs compartment, then click on it to select it.

Note: You will not be able to create any resources in the root, Luna-Labs or ManagedCompartmentForPaaS compartments. Any resources necessary for the lab have been made available in your assigned sub-compartment.

  3. Click Create VCN.

  4. Fill out the fields in the Create a Virtual Cloud Network dialog using the following information and click the Create VCN button.

     Field            Recommended Information
     VCN NAME         peering-vcn-01
     COMPARTMENT      Ensure your compartment is selected
     VCN CIDR BLOCK   10.0.0.0/16

The VCN should be created immediately. You'll add communication and security features next.

  5. In this step, you'll create an internet gateway so traffic can travel outside of your network. On the bottom left hand side of the VCN Details screen, click on the Internet Gateways (0) link.

  6. Click the Create Internet Gateway button.

  7. Type a name for your gateway (gateway-01), confirm your compartment name, and click Create Internet Gateway.

  8. Now add a route from your VCN through the internet gateway. In the bottom left hand Resources section, click Route Tables (1), and then click on the link for the existing Default Route Table for <VCN name>.

  9. Click on the Add Route Rules button. Use the drop down fields to fill out the Add Route Rules dialog box with the information in the following table, then click Add Route Rules at the bottom of the dialog.

     Field                     Recommended Information
     Target Type               Internet Gateway
     Destination CIDR Block    0.0.0.0/0
     Target Internet Gateway   gateway-01
     Description               Optional

Your route rules should look like the below screenshot.

  10. Navigate back to the VCN Details page through the breadcrumb link at the top of the page. Choose Subnets (0) from the Resources section on the bottom left, then click Create Subnet.

  11. You will add a /24 subnet (256 addresses) and link it to the DHCP and security list options for peering-vcn-01. Fill out the Create Subnet dialog box with the following information and click Create Subnet.

     Field           Recommended Information
     Name            lp-subnet-01
     CIDR Block      10.0.0.0/24
     Route Table     Default Route Table for peering-vcn-01
     Subnet Access   Public Subnet
     DHCP Options    Default DHCP Options for peering-vcn-01
     Security List   Default Security List for peering-vcn-01

  12. Your Subnet should appear as Available. Next, click on Local Peering Gateways on the left hand side of the screen under the Resources section.

  13. Click on the Create Local Peering Gateway button. A local peering gateway is a VCN component for routing traffic to another local VCN located in the same region. Each VCN will need its own peering gateway. Fill out the dialog box and click Create Local Peering Gateway.

     Field                   Recommended Information
     Name                    lp-gateway-01
     Create in Compartment   Verify your compartment is selected

A new peering gateway should appear and be in the available state.

Note: Peering status will reflect New - Not connected to a peer at this time because we haven't connected it to anything yet.

In the next section, you'll create a second VCN with its own peering gateway.

Task 2: Create VCN #2

  1. From the OCI Action menu, navigate to Networking > Virtual Cloud Networks.

  2. Choose the Create VCN button to create a new VCN.

  3. Fill out the fields in the Create a Virtual Cloud Network dialog using the following information and click the Create VCN button. Note: VCN #2 will have a distinct CIDR block from VCN #1: 10.10.0.0/16. Also note the warning in the dialog about overlapping CIDRs. This mistake is easy to make, and if the CIDRs overlap your VCNs won't be able to communicate with each other.

     Field            Recommended Information
     VCN NAME         peering-vcn-02
     COMPARTMENT      Ensure your compartment is selected
     VCN CIDR BLOCK   10.10.0.0/16

The VCN should be created immediately. You'll add communication and security features next.

  4. In this step, you'll create an internet gateway so traffic can travel outside of your network. On the bottom left hand side of the VCN Details screen, click on the Internet Gateways (0) link.

  5. Click the Create Internet Gateway button.

  6. Type a name for your gateway (gateway-02), confirm your compartment name, and click Create Internet Gateway.

The new gateway should appear and be immediately available.

  7. Now add a route from your VCN through the internet gateway. In the bottom left hand Resources section, click Route Tables (1), and then click on the link for the existing Default Route Table for <VCN name>.

  8. Use the drop down fields to fill out the Add Route Rules dialog box with the information in the following table, then click Add Route Rules at the bottom of the dialog.

     Field                     Recommended Information
     Target Type               Internet Gateway
     Destination CIDR Block    0.0.0.0/0
     Target Internet Gateway   gateway-02
     Description               Optional

Your route rules should look like the below screenshot.

  9. Navigate back to the VCN Details page for peering-vcn-02 through the breadcrumb link at the top of the page. Choose Subnets (0) from the Resources section on the bottom left, then click Create Subnet.

  10. Fill out the Create Subnet dialog box with the following information and click Create Subnet.

     Field           Recommended Information
     Name            lp-subnet-02
     CIDR Block      10.10.0.0/24
     Route Table     Default Route Table for peering-vcn-02
     Subnet Access   Public Subnet
     DHCP Options    Default DHCP Options for peering-vcn-02
     Security List   Default Security List for peering-vcn-02

  11. Your Subnet should appear as Available. Next, click on Local Peering Gateways on the left hand side of the screen under the Resources section.

  12. Click on the Create Local Peering Gateway button. A local peering gateway is a VCN component for routing traffic to another local VCN located in the same region. Each VCN will need its own peering gateway. This is the second of a pair that will communicate with each other.

  13. Fill out the dialog box and click Create Local Peering Gateway.

     Field                   Recommended Information
     Name                    lp-gateway-02
     Create in Compartment   Verify your compartment is selected

A new peering gateway should appear and be in the available state.

Note: Peering status will reflect New - Not connected to a peer at this time because we haven't connected it to anything yet.

You have created two VCNs, each with a distinct CIDR block. You've given each an internet gateway which will allow internet traffic to pass through both ways. You've added a default rule in the route table to route the internet traffic. You've created a subnet for each VCN and ensured that the CIDR blocks don't overlap, and added two local peering gateways (one for each VCN). The Local Peering Gateway is a required service for VCN peering.

In the next section, you will create instances in each VCN, configure, and test communications between them.

Task 3: Create and configure two compute instances

  1. Switch to the OCI console in your browser, and use the action menu to choose Compute > Instances.

  2. Click the Create Instance button.

  3. Use the information from the table to fill out the Create Compute Instance form. For the exercise to work, confirm that you have chosen the correct VCN for your instance (peering-vcn-01) and that you select Assign a public IPv4 address.

     Field                               Recommended Information
     Name                                peering-instance-01
     Image                               Oracle Linux 8 or default
     Availability Domain                 AD 1 or default
     Shape                               AMD VM.Standard.E4.Flex
     Virtual Cloud Network Compartment   Ensure your compartment is selected
     Select a Virtual Cloud Network      peering-vcn-01
     Subnet Compartment                  Ensure your compartment is selected
     Subnet                              lp-subnet-01
     Assign a public IP address          Selected
     Boot Volume                         Leave at default
     Add SSH Keys                        Choose public key files, then Or browse to a location

  4. Name the instance peering-instance-01 and verify that your compartment has been selected. Accept the default Availability Domain.

  5. For the Image, choose the default version of Oracle Linux (which was 8 at the time of this lab update). For the shape, accept the default, which should be the AMD VM.Standard.E4.Flex.

  6. In the Networking section, be sure to select the first VCN you created (peering-vcn-01) as well as the subnet for that VCN (lp-subnet-01), and check the radio button for Assign a public IPv4 address.

  7. In the Add SSH Keys section, click on Choose public key files and then click Or browse to a location.

  8. A file manager window will open, initially showing no files. Right click in the window and select Show Hidden Files from the resulting dialog.

  9. Double click on the .ssh directory.

  10. Double click on id_rsa.pub, which is the public key that has been precreated for you in the Luna environment.

  11. The public key file will appear as part of your configuration.

  12. Click the Create Instance button when you're satisfied that you've entered all the required information. For the first instance, ensure you've selected the first VCN and the proper subnet.

The instance will begin provisioning. You can continue on with the next step while the first instance is provisioning if you wish.

  13. In the OCI Action menu, navigate to Compute > Instances and click the Create Instance button to create the second instance.

  14. Repeat the steps above to create a second compute instance. Use most of the same information. The major difference is that the second instance will be connected to VCN #2 and will be in a different subnet. Use the information from the following table to create the second instance. You will also use the same SSH key from the Luna session.

     Field                               Recommended Information
     Name                                peering-instance-02
     Image                               Oracle Linux 8 or default
     Availability Domain                 AD 1 or default
     Shape                               AMD VM.Standard.E4.Flex
     Virtual Cloud Network Compartment   Ensure your compartment is selected
     Select a Virtual Cloud Network      peering-vcn-02
     Subnet Compartment                  Ensure your compartment is selected
     Subnet                              lp-subnet-02
     Assign a public IP address          Selected
     Boot Volume                         Default
     Add SSH Keys                        Choose SSH Key Files

Your screen should look similar to the below screenshot.

  15. Click Create and your second instance will begin provisioning.

Wait a few moments for both instances to reach the Available state.

  16. From the Instances menu on the OCI console you can view the state of both instances. Note that their status is Running and note the Public IP of both instances. Feel free to click on each instance and examine the information presented. See if you can find both the public and private IP addresses. You'll need this information in the next few Tasks.

Next, you will configure the local peering gateways and establish a connection between the two instances across their VCN boundaries.

Task 4: Configure local peering gateways and test the connection

  1. On the OCI Action menu, navigate to Networking > Virtual Cloud Networks.

  2. Click on the link for the first VCN that you created, peering-vcn-01.

  3. To configure the first local peering gateway, click on the Local Peering Gateways link in the Resources section of the VCN details page. Click the vertical ellipsis (three vertical dots) at the end of the local peering gateway entry and choose Establish Peering Connection.

  4. Use the drop down boxes and the following information to fill out the Establish Peering Connection dialog box. Essentially, you're choosing the second VCN for the connection and providing the details.

     Field                               Recommended Information
     Virtual Cloud Network Compartment   <your compartment>
     Virtual Cloud Network               peering-vcn-02
     Local Peering Gateway Compartment   <your compartment>
     Unpeered Peer Gateway               lp-gateway-02

  5. Once you click the Establish Peering Connection button, the Peering Status field will initially show Connecting. In a few moments the status should change to Peered - Connected to a peer.

At this point you will configure the route tables and security lists for the two VCNs to allow traffic to traverse the new connection.

  6. Navigate to the VCN details page of the first VCN (peering-vcn-01). Click Route Tables from the Resources section on the left side of the screen, then click on the Default Route Table for peering-vcn-01 entry in the table.

  7. Click the Add Route Rules button and use the following information to fill out the dialog. Use the drop down fields to select the target and gateway, and enter the subnet CIDR block. Click the Add Route Rules button at the bottom of the dialog when you're finished.

     Field                          Recommended Information
     Target Type                    Local Peering Gateway
     Destination CIDR Block         10.10.0.0/24
     Target Local Peering Gateway   lp-gateway-01

You should have two route rules listed, similar to the below screenshot.

  8. Navigate to the VCN details page for the first VCN and click Security Lists, then click on the link for Default Security List for peering-vcn-01.

  9. Click on the Add Ingress Rule button and fill out the dialog with the following information:

     Field                    Recommended Information
     Stateless                Leave unchecked
     Source Type              CIDR
     Source CIDR              10.10.0.0/24
     IP Protocol              ICMP
     Source Port Range        All (Default)
     Destination Port Range   All (Default)

  10. Click Add Ingress Rule.

The ingress rules for the first VCN should look similar to the below screenshot.

  11. You will repeat the same steps for the route table and security list in the second VCN. Navigate to the VCN details page for peering-vcn-02, click on Route Tables and click the link for the default route table.

  12. Click on the Add Route Rules button and use the below information to fill out the dialog. Select from the drop down fields and enter the destination CIDR block. You will be selecting the gateway that belongs to the second VCN. Click on the Add Route Rules button to save your information.

     Field                          Recommended Information
     Target Type                    Local Peering Gateway
     Destination CIDR Block         10.0.0.0/24
     Target Local Peering Gateway   lp-gateway-02

  13. Navigate back to the VCN details page for peering-vcn-02 and select Security Lists from the Resources section on the left of the screen, then choose the Default Security List for peering-vcn-02.

  14. Click on the Add Ingress Rule button and fill out the dialog with the following information:

     Field                    Recommended Information
     Stateless                Leave unchecked
     Source Type              CIDR
     Source CIDR              10.0.0.0/24
     IP Protocol              ICMP
     Source Port Range        All (Default)
     Destination Port Range   All (Default)

Confirm that the security list for the second VCN looks like the below screenshot.

So far in this lab, you have created two distinct VCNs with a single compute instance in each VCN. You have created a secure private communication channel between the two instances by creating and configuring Local Peering Gateways. At this point, an instance in either VCN can reach an instance in the other over the peering connection, for the protocol (ICMP) and source subnets you allowed in the security lists. In the next steps, you will test the connection and ensure the instances can communicate with each other.
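The route rules and ingress rules from Task 4 can be sanity-checked offline before you ping. The following Python script is an added example, not part of the lab or of any Oracle tool: it models the two VCNs with the lab's own names and CIDRs using only the standard ipaddress module, applies longest-prefix route matching the way a route table does, and reports the mistakes that would make the ping in Task 5 fail (overlapping VCN CIDRs, a peering route that falls through to the 0.0.0.0/0 internet gateway rule, a missing ICMP ingress rule), plus an ICMP ingress rule that is broader than the peer VCN, which is a least-privilege finding rather than a connectivity one.

```python
"""Offline consistency check for the two-VCN local-peering setup from Tasks 1-4.
Added example (not the lab's or Oracle's code); uses only the standard library."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network


@dataclass
class Vcn:
    name: str
    cidr: IPv4Network
    subnet: IPv4Network
    lpg: str                                     # this VCN's own local peering gateway
    routes: list = field(default_factory=list)   # (destination CIDR, target name)
    ingress: list = field(default_factory=list)  # (source CIDR, IP protocol)


def check_peering(a: Vcn, b: Vcn) -> list:
    """Return findings as strings; an empty list means the pair is consistent."""
    findings = []
    if a.cidr.overlaps(b.cidr):  # the overlap warning shown in the Create VCN dialog
        findings.append(f"{a.name} {a.cidr} overlaps {b.name} {b.cidr}: peering cannot work")
    for local, peer in ((a, b), (b, a)):
        if not local.subnet.subnet_of(local.cidr):
            findings.append(f"{local.name}: subnet {local.subnet} lies outside {local.cidr}")
        # Routing is longest-prefix match: without the /24 peering route the peer
        # subnet silently falls through to the 0.0.0.0/0 internet-gateway rule.
        hits = [r for r in local.routes if peer.subnet.subnet_of(r[0])]
        if not hits:
            findings.append(f"{local.name}: no route covers {peer.subnet}")
        else:
            dst, target = max(hits, key=lambda r: r[0].prefixlen)
            if target != local.lpg:
                findings.append(f"{local.name}: {peer.subnet} routes to {target} via {dst}, "
                                f"expected {local.lpg}")
        # Task 4 ingress rule: admit ICMP from the peer subnet, and from nothing wider
        icmp = [src for src, proto in local.ingress if proto.upper() == "ICMP"]
        if not any(peer.subnet.subnet_of(src) for src in icmp):
            findings.append(f"{local.name}: no ICMP ingress rule covers {peer.subnet}")
        for src in icmp:
            if not src.subnet_of(peer.cidr):
                findings.append(f"{local.name}: ICMP ingress from {src} is broader than "
                                f"peer VCN {peer.cidr}")
    return findings


def lab_config():
    """Both VCNs exactly as the lab tables specify them (constructed sample input)."""
    v1 = Vcn("peering-vcn-01", IPv4Network("10.0.0.0/16"), IPv4Network("10.0.0.0/24"), "lp-gateway-01")
    v2 = Vcn("peering-vcn-02", IPv4Network("10.10.0.0/16"), IPv4Network("10.10.0.0/24"), "lp-gateway-02")
    v1.routes = [(IPv4Network("0.0.0.0/0"), "gateway-01"), (IPv4Network("10.10.0.0/24"), "lp-gateway-01")]
    v2.routes = [(IPv4Network("0.0.0.0/0"), "gateway-02"), (IPv4Network("10.0.0.0/24"), "lp-gateway-02")]
    v1.ingress = [(IPv4Network("10.10.0.0/24"), "ICMP")]
    v2.ingress = [(IPv4Network("10.0.0.0/24"), "ICMP")]
    return v1, v2


if __name__ == "__main__":
    for line in check_peering(*lab_config()) or ["peering configuration is consistent"]:
        print(line)
```

Edit lab_config() to mirror what you actually entered in the console (for instance, drop the peering route on one side) and the script names the side that needs fixing.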

Task 5: Test the VCN peering connection

  1. Locate and copy the public IP address of the first instance you created, peering-instance-01.

  2. Open a terminal window from the bottom applications menu in the Linux desktop.

  3. You'll use the ssh command and log in as the default admin user 'opc'. In the terminal window, enter the command below. Since the SSH key is stored in the default .ssh directory, you shouldn't need to specify it on the command line.

ssh opc@(public ip address of the first compute instance)

  4. The prompt in the terminal window should say opc@peering-instance-01, which indicates that you're connected!

  5. Locate the private IP address of the second instance on the second VCN. Navigate to the Instance Details page for peering-instance-02, then locate and copy the assigned private IP address.

  6. Navigate back to the terminal window that you used to SSH to peering-instance-01 and enter the following command. Ensure that you're still connected.

ping <PRIVATE_IP_OF_SECOND_COMPUTE_INSTANCE>

In this example, the private IP address of the instance in the second VCN is 10.10.0.2. You added an ingress rule in the security list for ICMP, the protocol used by the Unix ping command. A successful ping will result in transmit messages with an icmp sequence number and a transfer time in milliseconds.

If you get the transmit timings, you have successfully connected the two instances across separate VCNs in the Oracle Cloud. In a typical customer situation, the next steps would be configuring networking for the customer's use case and application needs.

If you get a timeout or no response, backtrack in your configuration and double-check the CIDR ranges that you entered, the security list rules, and the route rules.

You have successfully created a peering relationship between two OCI VCNs, great job! You can now show your customers how to divide their networks into functional departments or lines of business without using internet gateways and without the need for traffic to cross the public internet. You could also use this concept to place shared resources in a single VCN, so that all other VCNs could privately access them. Take this concept further and look into region-to-region peering for the ultimate in high availability cloud architecture.
