Local VCN peering is the process of connecting two VCNs in the same region so that their resources can communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. The VCNs can be in the same Oracle Cloud Infrastructure (OCI) tenancy or different ones.
A peering is a single peering relationship between two VCNs. Example: If VCN1 peers with three other VCNs, then there are three peerings.
In this blog, we will demonstrate the steps to set up a local peering between the private subnets of two VCNs in the same tenancy.
At a high level:
- Two VCNs in the same region with non-overlapping CIDRs, each with a private subnet as illustrated in the table below
- A local peering gateway (LPG) on each VCN in the peering relationship
- Supporting route rules to enable traffic to flow over the connection, and only to and from private subnets in VCNs
- Supporting security rules to control the types of traffic allowed between the VCNs' private subnets
- Two compute instances
| | VCN1 | VCN2 |
|---|---|---|
| VCN Name | TOR-VCN1 | TOR-VCN2 |
| Private Subnet CIDR | 172.10.0.64/26 | 172.20.0.64/26 |
| LPG | VCN1-LPG | VCN2-LPG |
| Compute Instance | VCN1-VM (172.10.0.124) | VCN2-VM (172.20.0.124) |
Prerequisites:
- An Oracle Cloud free trial or paid account
- Two OCI VCNs in the same tenancy with a private subnet, security list, and route table
- One OCI compute instance in the first VCN's private subnet, with the RSA private key generated when the instance was created
- One OCI compute instance in the second VCN's private subnet, with the RSA private key generated when the instance was created
Restrictions:
- VCNs in the peering relationship must not have overlapping CIDRs.
Step #1: Create a Local Peering Gateway for both VCNs
1. Create LPG (VCN1-LPG) for the first VCN (TOR-VCN1)
- Go to the TOR-VCN1 detail page and click on the “Local Peering Gateways” tab
- Click the “Create Local Peering Gateway” button
- In the “Create Local Peering Gateway” page, enter the LPG name (VCN1-LPG) and select the compartment. Then click the “Create Local Peering Gateway” button
2. Create LPG (VCN2-LPG) for the second VCN (TOR-VCN2). Repeat the same steps done above to create VCN1-LPG
Step #2: Establish local peering between the two LPGs
- Go to the TOR-VCN1 detail page and click on the “Local Peering Gateways” tab
- For VCN1-LPG, select the “Establish Peering Connection” action from the actions menu
- In the “Establish Peering Connection” page, enter the information for VCN2-LPG, then click the “Establish Peering Connection” button
The peering is symmetric: once VCN1-LPG is peered with VCN2-LPG, the connection from VCN2-LPG to VCN1-LPG is established as well, so nothing needs to be done from the TOR-VCN2 side.
Step #3: Add Route Rule to enable traffic flow over LPG Connection
1. Add route rule to “route table for private subnet” of the first VCN (TOR-VCN1) to enable routing to the private subnet of the second VCN
- Go to the TOR-VCN1 detail page and click on the “Route Tables” tab, then click on “Route table for private subnet-TOR-VCN1”
- On the route table page, click the “Add Route Rules” button and enter the route rule information below
| Target Type | Destination CIDR Block | Target Local Peering Gateway |
|---|---|---|
| Local Peering Gateway | 172.20.0.64/26 (VCN2 private subnet CIDR) | VCN1-LPG |
2. Add route rule to “route table for private subnet” of the second VCN (TOR-VCN2) to enable routing to the private subnet of the first VCN
- Go to the TOR-VCN2 detail page and click on the “Route Tables” tab, then click on “Route table for private subnet-TOR-VCN2”
- On the route table page, click the “Add Route Rules” button and enter the route rule information below
| Target Type | Destination CIDR Block | Target Local Peering Gateway |
|---|---|---|
| Local Peering Gateway | 172.10.0.64/26 (VCN1 private subnet CIDR) | VCN2-LPG |
Step #4: Add a security list ingress rule in both VCNs to allow traffic arriving over the local peering gateway
1. Add an ingress rule to “security list for private subnet-TOR-VCN1” of the first VCN (TOR-VCN1) to allow traffic coming from the VCN2 private subnet into the VCN1 private subnet
- Go to the TOR-VCN1 detail page and click on the “Security Lists” tab, then click on “security list for private subnet-TOR-VCN1”
- On the security list page, click the “Add Ingress Rules” button and enter the ingress rule information below
| Source Type | Source CIDR | IP Protocol |
|---|---|---|
| CIDR | 172.20.0.64/26 (VCN2 private subnet CIDR) | All Protocols |
2. Add an ingress rule to “security list for private subnet-TOR-VCN2” of the second VCN (TOR-VCN2) to allow traffic coming from the VCN1 private subnet into the VCN2 private subnet
- Repeat the same steps used above to add the ingress rule for VCN1, but use the ingress rule below
| Source Type | Source CIDR | IP Protocol |
|---|---|---|
| CIDR | 172.10.0.64/26 (VCN1 private subnet CIDR) | All Protocols |
Step #5: Test Local Peering Connectivity
1. Connect to VCN1-VM, then ssh to VCN2-VM
- ssh to opc@VCN1-VM from the OCI Cloud Shell, using the RSA private key generated when VCN1-VM was created
- From VCN1-VM, ssh to opc@VCN2-VM using the RSA private key generated when VCN2-VM was created
2. Connect to VCN2-VM, then ssh to VCN1-VM, repeating the same steps in the reverse direction
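Before running the SSH test, it helps to confirm that both halves of the configuration from Steps 1-4 are in place: a route to the peer subnet through the VCN's own LPG, and an ingress rule on the peer's security list. The following is an added example, not code from the original post, that models those checks offline using the names and CIDRs from the table above; it does not call the OCI API, and it assumes (as the OCI default security list does) that egress is open.

```python
# Added example (not from the original post): an offline model of Steps 1-5.
# It enforces the non-overlapping CIDR restriction, applies the route rule and
# ingress rule from the tables on each side, and checks reachability the way
# the SSH test in Step 5 would exercise it. Egress is assumed open.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vcn:
    name: str
    lpg: str                 # display name of this VCN's LPG, e.g. VCN1-LPG
    private_subnet: str      # private subnet CIDR
    route_rules: list = field(default_factory=list)    # (destination CIDR, target LPG)
    ingress_rules: list = field(default_factory=list)  # (source CIDR, protocol)


def cidrs_overlap(a: str, b: str) -> bool:
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def peer(v1: Vcn, v2: Vcn) -> None:
    """Steps 1-4: refuse overlapping CIDRs, then add the route rule (Step 3)
    and the ingress rule (Step 4) on each side. Step 2's peering is symmetric,
    so a single call covers both VCNs."""
    if cidrs_overlap(v1.private_subnet, v2.private_subnet):
        raise ValueError(f"{v1.name} and {v2.name} have overlapping CIDRs")
    v1.route_rules.append((v2.private_subnet, v1.lpg))
    v2.route_rules.append((v1.private_subnet, v2.lpg))
    v1.ingress_rules.append((v2.private_subnet, "all"))
    v2.ingress_rules.append((v1.private_subnet, "all"))


def can_reach(src: Vcn, src_ip: str, dst: Vcn, dst_ip: str, protocol: str = "tcp") -> bool:
    """Step 5 as a check: the source VCN needs a route to the destination subnet
    via its own LPG, and the destination security list needs an ingress rule
    admitting the source address for the protocol (ssh is tcp)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    routed = any(d in ipaddress.ip_network(c) and lpg == src.lpg for c, lpg in src.route_rules)
    admitted = any(s in ipaddress.ip_network(c) and p in ("all", protocol) for c, p in dst.ingress_rules)
    return routed and admitted


vcn1 = Vcn("TOR-VCN1", "VCN1-LPG", "172.10.0.64/26")
vcn2 = Vcn("TOR-VCN2", "VCN2-LPG", "172.20.0.64/26")

if __name__ == "__main__":
    peer(vcn1, vcn2)
    print(can_reach(vcn1, "172.10.0.124", vcn2, "172.20.0.124"))  # ssh VCN1-VM -> VCN2-VM
    print(can_reach(vcn2, "172.20.0.124", vcn1, "172.10.0.124"))  # ssh VCN2-VM -> VCN1-VM
```

A route rule with no matching ingress rule (Step 3 done, Step 4 skipped) reports as unreachable, which is the most common reason the SSH test in Step 5 hangs.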
Thanks for reading!