In this blog, we will demonstrate the steps to peer two VCNs in different regions through a DRG in the same tenancy. This is called a remote VCN peering.

The peering allows the VCNs’ resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network.

A remote peering connection (RPC) is a component you create on the DRG attached to your VCN. The RPC’s job is to act as a connection point for a remotely peered VCN. A given DRG must have a separate RPC for each remote peering it establishes for the VCN.

At a high level, the networking service components required for this scenario include:

  • Two VCNs with non-overlapping CIDRs, in different regions but in the same tenancy
  • Two dynamic routing gateways (DRGs), one attached to each peer VCN in the peering relationship
  • A remote peering connection (RPC) on each DRG in the peering relationship, and a connection between those two RPCs
  • Supporting route rules to enable traffic to flow over the connection between the private subnets in the respective VCNs
  • Supporting security rules to control the types of traffic allowed to and from the instances in the private subnets

                      VCN1                     VCN2
Region                Toronto (ca-toronto-1)   Ashburn (us-ashburn-1)
VCN Name              TOR-VCN                  ASH-VCN
Private Subnet CIDR   10.0.1.0/24              172.0.1.0/24
DRG                   TOR-DRG                  ASH-DRG
RPC                   TOR-RPC                  ASH-RPC
Compute Instance      TOR-VM (10.0.1.129)      ASH-VM (172.0.1.132)

Prerequisites:

  • An Oracle Cloud free trial or paid account
  • A VCN in the Toronto region with the private subnet, security list, and route table
  • A VCN in the Ashburn region with the private subnet, security list, and route table
  • Two dynamic routing gateways (DRGs), one attached to each peer VCN in the peering relationship
  • One OCI compute instance located in the first VCN’s private subnet with API RSA private key
  • One OCI compute instance located in the second VCN’s private subnet with API RSA private key

Step #1: Attach DRG to VCNs

  1. Attach TOR-DRG to TOR-VCN
      – Go to the TOR-DRG detail page and click on the “VCN attachments” tab
      – Click the “Create virtual cloud network attachment” button
      – In the “Create VCN attachment” page, enter the attachment name (TOR-DRG-VCN) and select VCN1 (TOR-VCN), then click the “Create VCN attachment” button

  2. Attach ASH-DRG to ASH-VCN
      – Repeat the same steps done above for TOR-VCN

Step #2: Create Remote Peering Connection (RPC)

  1. Create the Toronto region RPC (TOR-RPC)
      – Go to the TOR-DRG detail page and click on the “Remote peering connection attachments” tab
      – Click the “Create remote peering connection” button
      – In the “Create remote peering connection” page, enter the connection name and select the compartment

  2. Create the Ashburn region RPC (ASH-RPC)
      – Repeat the steps done above for the Toronto region RPC

Step #3: Establish RPC Connection

  1. Establish the connection from the Toronto region to the Ashburn region through the TOR-RPC connection
      – Go to the TOR-DRG detail page and click on the “Remote peering connection attachments” tab
      – View the details of TOR-RPC by clicking the name of the TOR-RPC connection in the “Remote Peering Connection” column
      – In the connection details page, click the “Establish Connection” button, enter the connection name, and select the compartment
      – In the “Establish connection” page, select the “us-ashburn-1” region and enter the OCID of the Ashburn RPC (ASH-RPC), the remote peering RPC. When the connection is established, the RPC’s state changes to PEERED
      – The ASH-RPC peering state changes to PEERED as well

Step #4: Configure the route table in each VCN to send traffic destined for the peer VCN to the DRG attachment

  1. Configure the route table in TOR-VCN to send traffic to the ASH-VCN private subnet CIDR
      – Go to the TOR-VCN detail page and click on the “Route Tables” tab
      – Under the list of route tables, click on “route table for private subnet-TOR-VCN”
      – On the route table page, click the “Add Route Rules” button and enter the route rule information below.

Target Type               Destination Type   Destination CIDR Block
Dynamic Routing Gateway   CIDR Block         172.0.1.64/24 (VCN2-private subnet CIDR)

  2. Configure the route table in ASH-VCN to send traffic to TOR-VCN’s private subnet CIDR
      – Repeat the same steps done above for TOR-VCN’s private subnet route table, using the route rule information below.

Target Type               Destination Type   Destination CIDR Block
Dynamic Routing Gateway   CIDR Block         10.0.1.0/24 (VCN1-private subnet CIDR)

Step #5: Add security list ingress rules to allow traffic between the VCNs’ private subnets through the DRG

  1. Add an ingress rule to “security list for private subnet-TOR-VCN” of the first VCN (TOR-VCN) to allow traffic coming from the VCN2 private subnet to the VCN1 private subnet
      – Go to the TOR-VCN detail page and click on the “Security Lists” tab, then click on “Security list for private subnet-TOR-VCN”
      – On the security list page, click the “Add Ingress Rules” button and enter the ingress rule information below

Source Type   Source CIDR                               IP Protocol
CIDR          172.0.1.0/24 (VCN2-private subnet CIDR)   All Protocols

  2. Add an ingress rule to “security list for private subnet-ASH-VCN” of the second VCN (ASH-VCN) to allow traffic coming from the VCN1 private subnet to the VCN2 private subnet
      – Repeat the same steps done above for VCN1, but use the ingress rule information below

Source Type   Source CIDR                               IP Protocol
CIDR          10.0.1.64/24 (VCN1-private subnet CIDR)   All Protocols

Step #6: Test SSH connection between VMs

  1. Connect to TOR-VM, then SSH to ASH-VM
      – SSH to opc@TOR-VM using the OCI Cloud Shell tool. Use the RSA private key that was generated while creating TOR-VM
      – Use the RSA private key that was generated while creating ASH-VM to SSH from TOR-VM to opc@ASH-VM

  2. Connect to ASH-VM, then SSH to TOR-VM. Repeat the same steps.
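A pre-flight check for the values entered in Steps 4 and 5, added here as an example and not code from the original post: it takes the tutorial's VCN subnets, DRG route rules and ingress rules as a constructed plan (PEERING_PLAN and its field names are assumptions) and reports overlapping VCN CIDRs, a route destination that is not the peer's canonical private subnet, and an ingress source that admits more than the peer subnet.

```python
import ipaddress

# Constructed from the tutorial's table and rules (not the post's own code): each
# VCN's private subnet, the DRG route rule for the peer, and the ingress rule.
PEERING_PLAN = {
    "TOR-VCN": {"subnet": "10.0.1.0/24", "peer": "ASH-VCN",
                "route": {"destination": "172.0.1.0/24", "target": "TOR-DRG"},
                "ingress": {"source": "172.0.1.0/24", "protocol": "all"}},
    "ASH-VCN": {"subnet": "172.0.1.0/24", "peer": "TOR-VCN",
                "route": {"destination": "10.0.1.0/24", "target": "ASH-DRG"},
                "ingress": {"source": "10.0.1.0/24", "protocol": "all"}},
}

def parse_cidr(text):
    # strict=True rejects CIDRs with host bits set, e.g. 172.0.1.64/24
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None

def check_peering_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    subnets = {}
    for vcn, side in plan.items():
        net = parse_cidr(side["subnet"])
        if net is None:
            findings.append(f"{vcn}: subnet {side['subnet']} is not a canonical CIDR")
        else:
            subnets[vcn] = net
    # Remote peering requires non-overlapping VCN CIDRs, otherwise routing is ambiguous
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"{a} and {b} CIDRs overlap ({subnets[a]} / {subnets[b]})")
    for vcn, side in plan.items():
        peer = side["peer"]
        if peer not in subnets:
            continue
        # Step 4: the DRG route rule must name the peer's private subnet exactly
        dest = parse_cidr(side["route"]["destination"])
        if dest is None:
            findings.append(f"{vcn}: route destination {side['route']['destination']} is not a canonical CIDR")
        elif dest != subnets[peer]:
            findings.append(f"{vcn}: route destination {dest} is not {peer}'s subnet {subnets[peer]}")
        # Step 5: the ingress rule should admit only the peer subnet, never a wider range
        src = ipaddress.ip_network(side["ingress"]["source"], strict=False)
        if not src.subnet_of(subnets[peer]):
            findings.append(f"{vcn}: ingress source {src} is wider than {peer}'s subnet {subnets[peer]}")
    return findings
```

Run `check_peering_plan(PEERING_PLAN)` before clicking through the console; an empty list means the two route rules and two ingress rules match the subnets in the table.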