Virtual Cloud Network Level 200
Jamal Arif, November 2018
Copyright 2018, Oracle and/or its affiliates. All rights reserved.
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Objectives
After completing this lesson, you should be able to describe the following advanced VCN functionalities:
- Service Gateway
- Private IP as Route Target
- VCN Peering: Local VCN Peering and Remote VCN Peering
- Edge Security
Prerequisite: Virtual Cloud Network Level 100
Service Gateway
- A service gateway enables a VCN to access Object Storage without exposing the VCN to the public internet.
- Traffic from the VCN to Object Storage travels over the Oracle Cloud Infrastructure network fabric and never traverses the internet.
- Use case: back up DB Systems in your VCN to Object Storage. With a service gateway, no Internet Gateway is required for DB System backup. DB Systems can be in a private subnet and have only private IP addresses.
- IAM policies can restrict access to the bucket to only the VCN, or to only the private subnet within the VCN.
Service Gateway: Before and After (diagram)
Before: Oracle Cloud Region, VCN 10.0.0.0/16 with a Public Subnet 10.0.0.0/24 (Public Instance) and a private subnet 10.0.1.0/24 (Private Instance); the only path to Object Storage is through the Internet Gateway.
After: the same VCN and subnets; the Internet Gateway remains for the Public Instance, and the Private Instance reaches Object Storage through the Service Gateway.
Managing Service Gateway
- You can control which subnets in your VCN use a service gateway.
- A service gateway can be used only by resources in the gateway's own VCN.
- Object Storage is the first service to be available with a service gateway.
- You must specify a route rule in the subnet's associated route table and a security list rule in the subnet's security lists.
- A service gateway is always attached to exactly one VCN of your choice, and you can block or allow traffic through the service gateway at any time.
- Currently, the service gateway doesn't support OS updates: it blocks access to the YUM repositories needed to update the OS. NAT gateways can be used in the interim.
Private IP as Route Target
- Ability to use a private IP as the target of a route rule in situations where you want to route a subnet's traffic to another instance.
- Note: a given subnet's route table can have routes only for traffic with a destination IP address outside the VCN.
Use cases:
- To implement a virtual network function (such as a firewall or intrusion detection).
- To manage an overlay network on the VCN, which lets you run container orchestration workloads.
Diagram: Oracle Cloud Region, Availability Domain 1, VCN 10.0.0.0/16. The Public Subnet 10.0.0.0/24 holds the Firewall Instance; the private subnet 10.0.1.0/24 holds a Private Instance. Route rules for the private subnet: 0.0.0.0/0 -> Firewall Private IP; 172.16.0.0/16 -> DRG (to the Customer Datacenter).
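The routing decision on this slide, as an added example that is not part of the deck: a small model of the private subnet's route table in which 0.0.0.0/0 targets the firewall's private IP and 172.16.0.0/16 targets the DRG. The firewall address 10.0.0.10 and the DRG name are assumed values; nothing here calls the OCI API.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the route table on this slide (example code, not
# Oracle's). Targets are plain labels; nothing here calls the OCI API.
VCN_CIDR = ipaddress.ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class RouteRule:
    destination: ipaddress.IPv4Network
    target_type: str  # e.g. "PRIVATE_IP", "DRG", "INTERNET_GATEWAY"
    target: str       # the firewall's private IP, or a gateway name


def rule(destination, target_type, target):
    """Build a RouteRule from a CIDR string."""
    return RouteRule(ipaddress.ip_network(destination), target_type, target)


# Route table for the private subnet 10.0.1.0/24 in the diagram.
# 10.0.0.10 is an assumed private IP for the firewall instance's VNIC.
PRIVATE_SUBNET_ROUTES = [
    rule("0.0.0.0/0", "PRIVATE_IP", "10.0.0.10"),
    rule("172.16.0.0/16", "DRG", "drg-to-customer-dc"),
]


def validate_route_table(vcn, rules):
    """Return the rules whose destination lies inside the VCN.

    Such rules are not allowed: a subnet's route table may only carry rules for
    destinations outside the VCN, because intra-VCN traffic is delivered locally.
    """
    return [r for r in rules if r.destination.subnet_of(vcn)]


def next_hop(dst_ip, vcn=VCN_CIDR, rules=PRIVATE_SUBNET_ROUTES):
    """Decide where a packet leaving the private subnet goes.

    Returns (target_type, target). Intra-VCN destinations are "LOCAL". Among
    matching rules the longest prefix wins, so 172.16.0.0/16 goes to the DRG
    while everything else outside the VCN is steered through the firewall by
    the 0.0.0.0/0 rule. With no matching rule the packet is not forwarded.
    """
    dst = ipaddress.ip_address(dst_ip)
    if dst in vcn:
        return ("LOCAL", str(vcn))
    matches = [r for r in rules if dst in r.destination]
    if not matches:
        return ("NO_ROUTE", None)
    best = max(matches, key=lambda r: r.destination.prefixlen)
    return (best.target_type, best.target)


if __name__ == "__main__":
    for ip in ("10.0.0.50", "172.16.9.1", "93.184.216.34"):
        print(ip, "->", next_hop(ip))
    print("invalid rules:", validate_route_table(VCN_CIDR, PRIVATE_SUBNET_ROUTES))
```

The validation step reflects the note on the slide: a rule for a destination inside the VCN is rejected rather than silently shadowed. When the target is a firewall instance, its VNIC must also be allowed to forward packets that are not addressed to it (in OCI that is the "skip source/destination check" setting on the VNIC), otherwise the steered traffic is dropped before the firewall ever sees it.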
VCN Peering
- Enables connectivity between the resources in different VCNs.
- Does not require public IPs or NAT to enable connectivity.
- Traffic never leaves the Oracle network.
- Over other options, such as connecting over the internet, VCN Peering offers faster connectivity and higher security.
Types of VCN Peering available:
- Local Peering (in-region)
- Remote Peering (cross-region)
Local VCN Peering: connecting VCNs in the same region
- Connecting two VCNs in the same region so that their resources can communicate using private IP addresses without routing the traffic over the internet or through your on-premises network.
- The VCNs should not have overlapping IP address ranges.
- Locally peered VCNs can be in the same or different tenancies (cross-tenancy peering).
Local Peering Gateway (LPG)
- Like the Internet Gateway, the LPG is a component on the VCN.
- The LPGs of two VCNs are connected to make a peering relationship.
- LPGs enable the data plane to learn about instances in peered VCNs.
Local VCN Peering: steps
- Create a Local Peering Gateway in each VCN.
- Have the required IAM policies to establish the connection.
- Establish the connection across the LPGs.
- Update the route table.
- Update the security list.
- Test connectivity.
Remote VCN Peering: connecting VCNs in different regions
- Traffic flows between regions through the OCI backbone network.
- Supported between ASH-PHX and LHR-FRA; other regions are on the roadmap.
- The two VCNs in the peering relationship must not have overlapping CIDRs.
- Requires a DRG to set up the remote peering connection: the VNIC of an instance in one VCN forwards traffic to its DRG, which forwards the traffic to the peer DRG in the other region over the backbone.
- Enables features such as data replication across regions.
Remote Peering Connection (RPC)
- Like Virtual Circuits, the Remote Peering Connection is a component of the DRG.
- The RPCs of two DRGs from two regions are connected to create a peering relationship.
Remote VCN Peering: steps
- Have an existing DRG attached to the VCN.
- Have the required IAM policies to establish the connection.
- Establish the connection across the DRGs.
- Update the route table.
- Update the security list.
- Test connectivity.
Things to remember for VCN Peering!
With IAM policies, you can control:
- Who can subscribe your tenancy to another region (required for remote VCN peering).
- Who in your organization has the authority to establish VCN peerings.
- Who can manage route tables and security lists.
Once the peering connection has been established:
- Control the packet flow over the connection with route tables in your VCN.
- Control the packet flow over the connection with security lists in your VCN.
- Ensure that all outbound and inbound traffic with the other VCN is intended, expected, and well defined.
- Implement security list rules that explicitly state the types of traffic your VCN can send to the other VCN and accept from it.
- If you're concerned about high levels of network traffic coming to your VCN, consider using stateless security list rules to limit the level of connection tracking your VCN must perform.
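To make the stateful-versus-stateless trade-off on this slide concrete, here is an added example (not Oracle's implementation) that models security list evaluation with connection tracking. It assumes a peering between this VCN (10.0.0.0/16) and a peer VCN (10.1.0.0/16), a database listener on 10.0.1.20:1521, and a client on the peer side using ephemeral port 40000; all of these values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of security list evaluation (example code, not Oracle's
# implementation). Addresses and ports are assumed values for a peering between
# this VCN (10.0.0.0/16) and a peer VCN (10.1.0.0/16).


@dataclass(frozen=True)
class Rule:
    direction: str        # "INGRESS" (cidr is the source) or "EGRESS" (cidr is the destination)
    protocol: str         # "TCP", "UDP" or "ALL"
    cidr: str
    port_min: int = 1     # destination port range the rule admits
    port_max: int = 65535
    stateless: bool = False


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int


class SecurityList:
    """Evaluates packets against rules, with connection tracking for stateful rules."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()  # 5-tuples of flows admitted by a stateful rule

    def _match(self, pkt, direction):
        remote = pkt.src_ip if direction == "INGRESS" else pkt.dst_ip
        for r in self.rules:
            if r.direction != direction or r.protocol not in ("ALL", pkt.protocol):
                continue
            if ipaddress.ip_address(remote) not in ipaddress.ip_network(r.cidr):
                continue
            if r.port_min <= pkt.dst_port <= r.port_max:
                return r
        return None

    def allows(self, pkt, direction):
        """Return (allowed, reason) for a packet seen in the given direction."""
        reply_of = (pkt.dst_ip, pkt.src_ip, pkt.protocol, pkt.dst_port, pkt.src_port)
        if reply_of in self.tracked:
            return True, "reply to a tracked stateful flow"
        rule = self._match(pkt, direction)
        if rule is None:
            return False, "no matching rule"
        if rule.stateless:
            return True, "stateless rule (no tracking)"
        # Stateful: remember the flow so its replies are admitted automatically.
        self.tracked.add((pkt.src_ip, pkt.dst_ip, pkt.protocol, pkt.src_port, pkt.dst_port))
        return True, "stateful rule"


PEER_CIDR = "10.1.0.0/16"
REQUEST = Packet("10.1.0.5", "10.0.1.20", "TCP", 40000, 1521)  # peer client -> our DB
REPLY = Packet("10.0.1.20", "10.1.0.5", "TCP", 1521, 40000)    # our DB -> peer client


def stateful_scenario():
    """One stateful ingress rule: the reply is admitted by connection tracking."""
    sl = SecurityList([Rule("INGRESS", "TCP", PEER_CIDR, 1521, 1521)])
    return sl.allows(REQUEST, "INGRESS")[0], sl.allows(REPLY, "EGRESS")[0]


def stateless_scenario(with_return_rule):
    """Stateless ingress rule: the reply needs an explicit stateless egress rule.

    Replies go back to the client's ephemeral port, so the egress rule must
    cover the ephemeral range rather than port 1521.
    """
    rules = [Rule("INGRESS", "TCP", PEER_CIDR, 1521, 1521, stateless=True)]
    if with_return_rule:
        rules.append(Rule("EGRESS", "TCP", PEER_CIDR, 1024, 65535, stateless=True))
    sl = SecurityList(rules)
    return sl.allows(REQUEST, "INGRESS")[0], sl.allows(REPLY, "EGRESS")[0]


if __name__ == "__main__":
    print("stateful:", stateful_scenario())
    print("stateless, no return rule:", stateless_scenario(False))
    print("stateless, with return rule:", stateless_scenario(True))
```

The two stateless runs show the cost of the advice on the slide: dropping connection tracking saves state per flow, but the return path must then be written out explicitly in both directions, and the reply rule necessarily opens the whole ephemeral port range toward the peer VCN. That is why such rules should be scoped to the peer's CIDR and protocol rather than to 0.0.0.0/0.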
Edge Security
Securing your VCN
- Public vs Private Subnets: designate a subnet to be private, which means instances in the subnet cannot have public IP addresses.
- Security Lists: control packet-level traffic in/out of an instance by defining security rules in your VCN.
- Firewall Rules: configure firewall rules directly on the instance itself to control packet-level traffic in/out of the instance.
- Gateways and Route Tables: control general traffic flow from your cloud network to outside destinations (the internet, your on-premises network, or another VCN).
- IAM Policies: control who has access to the Oracle Cloud Infrastructure API or console.
Virtual Firewall Instances: Fortigate NGFW with a Two-Tier App (diagram)
VCN 10.0.0.0/16 spanning Availability Domain-1 and Availability Domain-2, with three tiers. Protection Tier: a Fortigate NGFW and a Bastion Host in a Public Subnet in each AD, behind a Public Load Balancer reached from the internet through the Internet Gateway and from an OCI client on the on-premises network. Web/App Tier: behind a Private Load Balancer. DB Tier: DB Systems with Data Guard sync between the ADs. See the OCI blog on Fortigate NGFW.
Using vSRX as a Virtual Firewall/NAT Device
- vSRX provides benefits like stateful firewall protection, and application and content security features like IPS, antivirus, web filtering, and antispam.
High-level workflow:
- Create a VCN and three subnets as shown in the figure.
- Import the vSRX image and launch a vSRX compute instance in the VCN.
- Attach additional VNICs in each subnet.
- Use the instance console connection to set up vSRX.
The following blog post provides details on how to set up a vSRX on OCI: https://blogs.oracle.com/cloudinfrastructure/how-to-deploy-a-virtual-firewallappliance-on-oracle-cloud-infrastructure
cloud.oracle.com/iaas
cloud.oracle.com/tryit
Best Practices for Virtual Cloud Network Design
Review: Virtual Cloud Network
- A VCN's network range cannot be modified once created, and it is a contiguous IPv4 CIDR block.
- A VCN is a regional construct; subnets are specific to an AD.
- A subnet can have ONE route table and MULTIPLE (5*) security lists associated with it.
- Security lists support stateful and stateless rules.
- All hosts within a VCN can route to all other hosts in the VCN; the route table defines what can be routed into and out of the VCN.
- The allowable VCN size ranges from /16 to /30 (the VCN reserves the first two IP addresses and the last one in each subnet's CIDR).
VCN Best Practices
- Architect your networking infrastructure to maximize use of Availability Domains for high availability (ADs are fault tolerant and geographically distributed to sustain a natural disaster).
- Ensure the VCN CIDR block does not overlap with other VCNs in Oracle Cloud Infrastructure (same or different regions) or with your organization's private IP network ranges.
- Do not allocate all IP addresses at once within a VCN or subnet; instead, plan to reserve some IP addresses for future use.
- Divide your VCN network range across all ADs evenly.
- Hosts that have similar routing requirements (e.g., public hosts, private hosts, NAT instances) can share the same route tables across multiple Availability Domains.
- Ensure your VCN and subnet network ranges can support additional workloads.
VCN Best Practices (2)
- Use security lists as firewalls to manage connectivity north-south (incoming/outgoing VCN traffic) and east-west (internal VCN traffic between multiple subnets). A security list is applied at the subnet level: all instances within that subnet inherit all security rules in that security list.
- Private subnets are recommended to have individual route tables to control the flow of traffic within and outside of the VCN.
- Oracle recommends using OCI IAM policies to restrict unauthorized users from managing virtual cloud network resources in your tenancy/compartment. Only network admins should be allowed to manage VCN resources; other users can have least-privilege policies (use, inspect, read).
- Use OCI tags to tag VCN resources (route tables, security lists, subnets, etc.) so that all resources follow organizational tagging/naming conventions.
Example: VCN and Subnet Sizing
- VCN CIDR block 10.0.0.0/16 (Extra Large IPv4 CIDR block).
- Divide it into four equal blocks, three for ADs and one spare:
  10.0.0.0/18 AD1, 10.0.64.0/18 AD2, 10.0.128.0/18 AD3, 10.0.192.0/18 Extra
- Within each AD, we can have public and private subnets. Private instances are more prevalent than public instances, so we reserve a greater range for the private subnets:
  10.0.0.0/18 AD1 -> 10.0.0.0/19 AD1 Private Subnet, 10.0.32.0/19 AD1 Public/spare
  10.0.32.0/19 AD1 Public/spare -> 10.0.32.0/20 AD1 Public Subnet, 10.0.48.0/20 AD1 Extra
- Follow the same design pattern for all 3 Availability Domains.
Example: VCN and Subnet Sizing

VCN Size     Netmask  Subnet Size  IPs/Subnet  Total Subnets  Total IPs
Small        /24      /27          29*         8              232
Medium       /20      /24          253*        16             4,048
Large        /18      /22          1021*       16             16,336
Extra Large  /16      /20          4093*       16             65,488

* The first two IP addresses and the last one in each subnet's CIDR are reserved.
Example: VCN and Subnet Sizing (diagram)
VCN 10.0.0.0/16; spare network range 10.0.192.0/18.
Availability Domain-1 (10.0.0.0/18): private subnet 10.0.0.0/19, Public Subnet 10.0.32.0/20, extra range 10.0.48.0/20.
Availability Domain-2 (10.0.64.0/18): private subnet 10.0.64.0/19, Public Subnet 10.0.96.0/20, extra range 10.0.112.0/20.
Availability Domain-3 (10.0.128.0/18): private subnet 10.0.128.0/19, Public Subnet 10.0.160.0/20, extra range 10.0.176.0/20.
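The sizing table and the per-AD carve-up on the preceding slides, together with the non-overlap best practice from the "VCN Best Practices" slide, as one added example that is not part of the deck. It uses only Python's standard ipaddress module; the "in use" ranges passed to the overlap check are constructed sample values.

```python
import ipaddress

# Added example (not Oracle's tooling): reproduces the sizing table and the
# per-AD split from the slides, and checks a candidate VCN range against
# ranges already in use (other VCNs, on-premises networks).

RESERVED_PER_SUBNET = 3   # first two addresses and the last one of each subnet CIDR


def usable_ips(subnet_prefixlen):
    """Host addresses left in a subnet after the three reserved addresses."""
    return 2 ** (32 - subnet_prefixlen) - RESERVED_PER_SUBNET


def sizing_row(vcn_prefixlen, subnet_prefixlen):
    """One row of the sizing table: subnets that fit, usable IPs each, and in total."""
    if not 16 <= vcn_prefixlen <= 30:
        raise ValueError("VCN size must be between /16 and /30")
    if subnet_prefixlen < vcn_prefixlen:
        raise ValueError("subnet cannot be larger than its VCN")
    subnets = 2 ** (subnet_prefixlen - vcn_prefixlen)
    per_subnet = usable_ips(subnet_prefixlen)
    return {"subnets": subnets, "ips_per_subnet": per_subnet,
            "total_ips": subnets * per_subnet}


def overlapping(candidate_cidr, in_use_cidrs):
    """Ranges from in_use_cidrs that overlap the candidate VCN range."""
    candidate = ipaddress.ip_network(candidate_cidr)
    return [c for c in in_use_cidrs if candidate.overlaps(ipaddress.ip_network(c))]


def plan_vcn(vcn_cidr):
    """Carve a VCN the way the slides do for 10.0.0.0/16.

    Four equal blocks (one per AD plus a spare); each AD block is halved into a
    private subnet and a public-or-spare half, which is halved again into a
    public subnet and an extra range kept for future use.
    """
    vcn = ipaddress.ip_network(vcn_cidr)
    ad1, ad2, ad3, spare = vcn.subnets(prefixlen_diff=2)
    plan = {"vcn": str(vcn), "spare": str(spare), "ads": []}
    for i, block in enumerate((ad1, ad2, ad3), start=1):
        private, public_or_spare = block.subnets(prefixlen_diff=1)
        public, extra = public_or_spare.subnets(prefixlen_diff=1)
        plan["ads"].append({"ad": f"AD{i}", "private": str(private),
                            "public": str(public), "extra": str(extra)})
    return plan


if __name__ == "__main__":
    for name, v, s in (("Small", 24, 27), ("Medium", 20, 24),
                       ("Large", 18, 22), ("Extra Large", 16, 20)):
        print(name, sizing_row(v, s))
    # Constructed sample of ranges already used by other VCNs and on-premises.
    in_use = ["10.1.0.0/16", "172.16.0.0/12"]
    print("overlaps for 10.0.0.0/16:", overlapping("10.0.0.0/16", in_use))
    print(plan_vcn("10.0.0.0/16"))
```

Running the overlap check before creating the VCN matters because, as the review slide says, the VCN range cannot be changed afterwards; a clash with an on-premises range only surfaces later, when the DRG or peering route for that range silently shadows part of the VCN.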
Example: Three-Tier Application Architecture (Extra Large VCN size) (diagram)
Oracle Cloud Infrastructure Region, VCN 10.0.0.0/16 across Availability Domain-1 and Availability Domain-2. Clients reach the VCN from the internet through the Internet Gateway and from the on-premises network; Object Storage sits outside the VCN. Web Tier: Public LB (active) and Public LB (standby) in Public Subnets 10.0.40.0/21 and 10.0.104.0/21, with Public Subnets 10.0.32.0/21 and 10.0.96.0/21. App Tier: Private LB (active) and Private LB (standby), with private ranges 10.0.16.0/20, 10.0.0.0/20, 10.0.64.0/19 and 10.0.48.0/20. DB Tier: DB Systems with Data Guard sync, range 10.0.112.0/20.
Example: Oracle Customer Architecture (1) (diagram)
Oracle Cloud data center region, Virtual Cloud Network 10.0.0.0/16 spanning Availability Domain-1 and Availability Domain-2, connected to the Customer Datacenter over VPN through a DRG and to the internet through an IGW. Public Subnets A, B, D and E host load-balanced web servers on VMs and a bastion server on a VM; private Subnets C and F host a 2-node RAC database with RMAN backup to Object Storage. The IAM Service and Audit Service are shown alongside the VCN.
Summary
Describe advanced VCN functionalities:
- Service Gateway
- Private IP as Route Target
- VCN Peering: Local VCN Peering and Remote VCN Peering
- Edge Security