Peering OCI VCNs in Different Regions Using Dynamic Routing Gateway
Contents
The peering allows the VCNs’ resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network.
A remote peering connection (RPC) is a component you create on the DRG attached to your VCN. The RPC’s job is to act as a connection point for a remotely peered VCN. A given DRG must have a separate RPC for each remote peering it establishes for the VCN.
At a high level, the networking service components required for this scenario include:
- Two VCNs with non-overlapping CIDRs, in different regions but same tenancy
- Two dynamic routing gateways (DRG) are attached to each peer VCN in the peering relationship
- A remote peering connection (RPC) on each DRG in the peering relationship. And a connection between those two RPCs
- Supporting route rules to enable traffic to flow over the connection between private subnets in the respective VCNs
- Supporting security rules to control the types of traffic allowed to and from the instances in the private subnets
|
|
VCN1 |
VCN2 |
|
Region |
Toronto (ca-toronto-1 |
Ashburn (us-Ashburn-1) |
|
VCN Name |
TOR-VCN |
ASH-VCN |
|
Private Subnet CIDR |
10.0.1.0/24 |
172.0.1.0/24 |
|
DRG |
TOR-DRG |
ASH-DRG |
|
RPC |
TOR-RPC |
ASH-RPC |
|
Compute Instance |
TOR-VM (10.0.1.129) |
ASH-VM (172.0.1.132) |
Prerequisites:
- An Oracle Cloud free trial or paid account
- A VCN in the Toronto region with the private subnet, security list, and route table
- A VCN in the Ashburn region with the private subnet, security list, and route table
- Two dynamic routing gateways (DRG) attached to each peer VCN in the peering relationship
- One OCI compute instance located in the first VCN’s private subnet with API RSA private key
- One OCI compute instance located in the second VCN’s private subnet with API RSA private key
Step #1: Attach DRG to VCNs
- Attach TOR-DRG to TOR-VCN
– Go to the TOR-DRG detail page and click on the “VCN attachments” tab
– Click the “Create virtual cloud network attachment” button
– In the “Create VCN attachment” page, enter the attachment name (TOR-DRG-VCN) and select VCN1 (TOR-VCN), then click the “Create VCN attachment” button
- Attach ASH-DRG to ASH-VCN.
– Repeat the same steps done above to attach TOR-VCN
Step #2: Create Remote Peering Connection (RPC)
- Create Toronto region RPC (TOR-RPC).
– Go to the TOR-DRG detail page and click on the “Remote peering connection attachments” tab
– Click the “Create remote peering connection” button
– In the “Create remote peering connection” page, enter the connection name and select compartment
- Create Ashburn region RPC (ASH-RPC).
– Repeat the steps done above to create the Toronto region RPC
Step #3: Establish RPC Connection
- Establish the connection from the Toronto region to the Ashburn region through the TOR-RPC connection
– Go to the TOR-DRG detail page and click on the “Remote peering connection attachments” tab
– View the details of TOR-RPC by clicking the name of the TOR-RPC connection in the “Remote Peering Connection” column
– In the connection details page, click the “Establish Connection” button, enter the connection name, and select compartment
– In the “Establish connection” page, select the “us-Ashburn-1” region and enter the OCID of Ashburn RPC (ASH-RPC) (the remote peering RPC). When The connection is established, the RPC’s state changes to PEERED
– Hence, ASH-RPC peering state changes to PEERED as well
Step #4: Configure route table in VCNs to send traffic destined to DRG attachment
- Configure route table in TOR-VCN to send traffic to ASH-VCN private subnet CIDR
– Go to the TOR-VCN detail page and click on the “Route Tables” tab
– Under the list of route tables, click on “route table for private subnet-TOR-VCN“
– On the route table page, click the “Add Route Rules” button and enter below route rule information below.
|
Target Type |
Destination Type |
Destination CIDR Block |
|
Dynamic Routing Gateway |
CDIR Block |
172.0.1.64/24 (VCN2-private subnet CIDR) |
- Configure route table in ASH-VCN to send traffic to TOR-VCN’s private subnet CIDR
– Repeat the same steps done above to configure the route table for TOR-VCN’s private subnet
Use below rule information below.
|
Target Type |
Destination Type |
Destination CIDR Block |
|
Dynamic Routing Gateway |
CDIR Block |
10.0.1.0/24 (VCN1-private subnet CIDR) |
Step #5: Add security Ingress rule to allow traffic between VCNs’ private subnets through DRG
- Add Ingress rule to “security list for private subnet-TOR-VCN” of the first VCN (TOR-VCN) to allow traffic coming from VCN2-private subnet to VCN1-private subnet
– Go to the TOR-VCN detail page and click on the “Security List” tab, then click on “Security list for private subnet-TOR-VCN“
– On the Security List page, click the “Add Ingress Rules” button and enter below Ingress rule information
|
Source Type |
Source CIDR |
IP PROTOCOL |
|
CIDR |
172.0.1.0/24 (VCN2-private subnet CIDR) |
All Protocols |
- Add Ingress rule to “security list for private subnet-ASH-VCN” of the second VCN (ASH-VCN) to allow traffic coming from VCN1-private subnet to VCN2-private subnet
– Repeat the same steps done above to add the Ingress rule for VCN1, but use the below Ingress rule
|
Source Type |
Source CIDR |
IP PROTOCOL |
|
CIDR |
10.0.1.64/24 (VCN1-private subnet CIDR) |
All Protocols |
Step #6: Test SSH connection between VMs
- Connect to TOR-VM, then SSH to ASH-VM
– ssh to opc@TOR-VM using OCI cloud shell tool. Use the RSA private key which was generated while creating TOR-VM
– Use RSA private key, which was generated while creating ASH-VM, to ssh from TOR-VM to opc@ASH-VM.
- Connect to ASH-VM, then ssh to TOR-VM. Repeat the same steps.