Skip to content

Peering OCI VCNs in the Same Tenancy Region Using Local Peering Gateways

Anas Darkal Oct 4, 2023 10:15:00 AM
Peering OCI VCNs in the Same Tenancy Region Using Local Peering Gateways – Eclipsys
5:30

Local VCN peering is the process of connecting two VCNs in the same region so that their resources can communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. The VCNs can be in the same Oracle Cloud Infrastructure (OCI) tenancy or different ones.

A peering is a single peering relationship between two VCNs. Example: If VCN1 peers with three other VCNs, then there are three peerings.

vcn

In this blog, we will demonstrate the steps to set up a local peering between the private subnets of two VCNs in the same tenancy. 

At a high level:

  • Two VCNs with non-overlapping CIDRs, in the same region, with a private subnet as illustrated in the below table
  • A local peering gateway (LPG) on each VCN in the peering relationship
  • Supporting route rules to enable traffic to flow over the connection, and only to and from private subnets in VCNs
  • Supporting security rules to control the types of traffic allowed between VCN’s private subnets
  • Two compute instances

 

 

VCN1

VCN2

VCN Name

TOR-VCN1

TOR-VCN2

Private Subnet CIDR  

172.10.0.64/26

172.20.0.64/26

LPG

VCN1-LPG

VCN2-LPG

Compute Instance

VCN1-VM (172.10.0.124)

VCN2-VM (172.20.0.124)

 

vcn2

 

 

Prerequisites:

  • An Oracle Cloud free trial or paid account
  • Two OCI VCNs in the same tenancy with a private subnet, security list, and route table
  • One OCI compute instance is located in the first VCN’s private subnet with API RSA private key
  • One OCI compute instance is located in the second VCN’s private subnet with API RSA private key

Restrictions:

  • VCNs in the peering relationship must not have overlapping CIDRs.

 

Step #1: Create a Local Peering Gateway for both VCNs

1. Create LPG (VCN1-LPG) for the first VCN (TOR-VCN1)

  • Go to a TOR-VCN1 detail page and click on the “Local Peering Gateways” tab
  • Click the “Create Local Peering Gateway” button

vcn3

 

  • In the “Create Local Peering Gateway” page, enter the LGP name (VCN1-LPG) and select the compartment. Then click the “Create Local Peering Gateway” button

vcn4

vcn5

 

2. Create LPG (VCN2-LPG) for the second VCN (TOR-VCN2). Repeat the same steps done above to create VCN1-LPG

vcn6

 

Step #2: Establish Local peering between two local LPG

  • Go to a TOR-VCN1 detail page and click on the “Local Peering Gateways” tab
  • For VCN1-LPG, select the “Establish Peering Connection” action from the list of actions menu

vcn7

 

  • In the “Establish Peering Connection” page, enter the information of VCN2-LPG, then click the “Establish Peering Connection” button

vcn8

vcn9

 

Hence, peering connection is done as well from VCN2-LPG to VCN1-LPG.

vcn10

 

Step #3: Add Route Rule to enable traffic flow over LPG Connection

1. Add route rule to “route table for private subnet” of the first VCN (TOR-VCN1) to enable routing to the private subnet of the second VCN

  • Go to the TOR-VCN1 detail page and click on the “Route Tables” tab, then click on “Route table for private subnet-TOR-VCN1”

vcn11

 

  • On the route table page, click the “Add Route Rules” button and enter below route rule information

 

Target Type

Destination CIDR Block

Target Local Peering Gateway

Local Peering Gateway

172.20.0.64/26 (VCN2-private subnet CIDR)

VCN1-LPG

 

vcn12

vcn13

vcn14

 

2. Add route rule to “route table for private subnet” of the second VCN (TOR-VCN2) to enable routing to the private subnet of the first VCN

  • Go to a TOR-VCN2 detail page and click on the “Route Tables” tab, then click on “Route table for private subnet-TOR-VCN2”

vcn15

 

  • On the route table page, click the “Add Route Rules” button and enter below route rule information

 

Target Type

Destination CIDR Block

Target Local Peering Gateway

Local Peering Gateway

172.10.0.64/26 (VCN1-private subnet CIDR)

VCN2-LPG

 

vcn16

vcn17

vcn18

 

Step #4: Add security Ingress rule to allow local peering gateway in both VCNs

1. Add Ingress rule to “security list for private subnet-TOR-VCN1” of the first VCN (TOR-VCN1) to allow traffic coming from VCN2-private subnet to VCN1-private subnet

  • Go to TOR-VCN1 detail page and click on the “security list” tab, then click on “security list for private subnet-TOR-VCN1

vcn19

 

  • On the security list page, click the “Add Ingress Rules” button and enter below Ingress rule information

 

Source Type

Source CIDR

IP PROTOCOL

CIDR

172.20.0.64/26 (VCN2-private subnet CIDR)

All Protocols

 

vcn20

vcn21

vcn22

 

2. Add Ingress rule to the “security list for private subnet-TOR-VCN2” of the first VCN (TOR-VCN2) to allow traffic coming from VCN1-private subnet to VCN2-private subnet

  • Repeat the same steps done above to add the Ingress rule for VCN1, but use the below Ingress rule

 

Source Type

Source CIDR

IP PROTOCOL

CIDR

172.10.0.64/26 (VCN1-private subnet CIDR)

All Protocols

 

vcn23

 

Step #5: Test Local Peering Connectivity 

1. Connect to VCN1-VM, then ssh to VCN2-VM

  • ssh to opc@VCN1-VM using OCI cloud shell tool. Use the RSA private key which was generated while creating VCN1-VM

vcn24

 

  • Use RSA private key, which was generated while creating VCN2-VM, to ssh from VCN1-VM to opc@VCN2-VM

vcn25

 

2. Connect to VCN1-VM, then ssh to VCN2-VM. Repeat the same steps

vcn26

 

Thanks for reading! 

Leave a Comment