Peering OCI VCNs in the Same Tenancy Region Using Local Peering Gateways – Eclipsys

Written by Anas Darkal | Oct 4, 2023 2:15:00 PM

Local VCN peering is the process of connecting two VCNs in the same region so that their resources can communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. The VCNs can be in the same Oracle Cloud Infrastructure (OCI) tenancy or different ones.

A peering is a single peering relationship between two VCNs. Example: If VCN1 peers with three other VCNs, then there are three peerings.

In this blog, we will demonstrate the steps to set up a local peering between the private subnets of two VCNs in the same tenancy. 

At a high level:

  • Two VCNs with non-overlapping CIDRs, in the same region, each with a private subnet as shown in the table below
  • A local peering gateway (LPG) in each VCN in the peering relationship
  • Supporting route rules to enable traffic to flow over the connection, scoped to the private subnets of the two VCNs
  • Supporting security rules to control the types of traffic allowed between the VCNs’ private subnets
  • Two compute instances, one in each private subnet

                     VCN1                    VCN2
VCN Name             TOR-VCN1                TOR-VCN2
Private Subnet CIDR  172.10.0.64/26          172.20.0.64/26
LPG                  VCN1-LPG                VCN2-LPG
Compute Instance     VCN1-VM (172.10.0.124)  VCN2-VM (172.20.0.124)

Prerequisites:

  • An Oracle Cloud free trial or paid account
  • Two OCI VCNs in the same tenancy, each with a private subnet, a security list, and a route table
  • One OCI compute instance in the first VCN’s private subnet, together with the RSA private key generated when the instance was created (used for SSH in Step 5)
  • One OCI compute instance in the second VCN’s private subnet, together with the RSA private key generated when the instance was created (used for SSH in Step 5)

Restrictions:

  • VCNs in the peering relationship must not have overlapping CIDRs.

Step #1: Create a Local Peering Gateway in each VCN

1. Create LPG (VCN1-LPG) for the first VCN (TOR-VCN1)

  • Go to the TOR-VCN1 detail page and click on the “Local Peering Gateways” tab
  • Click the “Create Local Peering Gateway” button
  • On the “Create Local Peering Gateway” page, enter the LPG name (VCN1-LPG) and select the compartment. Then click the “Create Local Peering Gateway” button

2. Create LPG (VCN2-LPG) for the second VCN (TOR-VCN2). Repeat the steps used above to create VCN1-LPG

Step #2: Establish local peering between the two LPGs

  • Go to the TOR-VCN1 detail page and click on the “Local Peering Gateways” tab
  • For VCN1-LPG, select the “Establish Peering Connection” action from the actions menu
  • On the “Establish Peering Connection” page, enter the details of VCN2-LPG, then click the “Establish Peering Connection” button

Because a peering is a single relationship between the two LPGs, establishing it from VCN1-LPG also establishes it from VCN2-LPG to VCN1-LPG; nothing needs to be repeated on TOR-VCN2.

Step #3: Add route rules to enable traffic to flow over the LPG connection

1. Add a route rule to the “route table for private subnet” of the first VCN (TOR-VCN1) to enable routing to the private subnet of the second VCN

  • Go to the TOR-VCN1 detail page and click on the “Route Tables” tab, then click on “Route table for private subnet-TOR-VCN1”
  • On the route table page, click the “Add Route Rules” button and enter the route rule information below

Target Type            Destination CIDR Block                      Target Local Peering Gateway
Local Peering Gateway  172.20.0.64/26 (VCN2 private subnet CIDR)   VCN1-LPG

2. Add a route rule to the “route table for private subnet” of the second VCN (TOR-VCN2) to enable routing to the private subnet of the first VCN

  • Go to the TOR-VCN2 detail page and click on the “Route Tables” tab, then click on “Route table for private subnet-TOR-VCN2”
  • On the route table page, click the “Add Route Rules” button and enter the route rule information below

Target Type            Destination CIDR Block                      Target Local Peering Gateway
Local Peering Gateway  172.10.0.64/26 (VCN1 private subnet CIDR)   VCN2-LPG

Step #4: Add security ingress rules to allow traffic over the local peering gateway in both VCNs

1. Add an ingress rule to “security list for private subnet-TOR-VCN1” of the first VCN (TOR-VCN1) to allow traffic from the VCN2 private subnet into the VCN1 private subnet

  • Go to the TOR-VCN1 detail page and click on the “Security Lists” tab, then click on “security list for private subnet-TOR-VCN1”
  • On the security list page, click the “Add Ingress Rules” button and enter the ingress rule information below

Source Type  Source CIDR                                 IP Protocol
CIDR         172.20.0.64/26 (VCN2 private subnet CIDR)   All Protocols

2. Add an ingress rule to “security list for private subnet-TOR-VCN2” of the second VCN (TOR-VCN2) to allow traffic from the VCN1 private subnet into the VCN2 private subnet

  • Repeat the steps used above to add the ingress rule for VCN1, but use the ingress rule below

Source Type  Source CIDR                                 IP Protocol
CIDR         172.10.0.64/26 (VCN1 private subnet CIDR)   All Protocols
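
The rules in Steps 3 and 4 are easy to get subtly wrong (a route pointed at the peer’s LPG instead of the VCN’s own LPG, or an ingress rule added on only one side), and an All Protocols rule admits far more than the SSH test in Step 5 needs. The script below is an added example, not code from the original post or from Oracle: it models the two VCNs from the table above, enforces the non-overlapping CIDR restriction, generates the route rule and ingress rule each side needs using the field names of the OCI Networking API (RouteRule: destination, destinationType, networkEntityId; IngressSecurityRule: source, sourceType, protocol, tcpOptions), optionally scopes the ingress rule to TCP port 22, and checks that the two sides are symmetric. The LPG OCIDs are constructed placeholders, and the function and variable names are the example’s own.

```python
"""Pre-flight check and rule generation for the local peering in this post.

Added example: models the two VCNs from the post's table, enforces the
non-overlapping CIDR restriction, builds the route and ingress rules each
side needs, and checks that both directions are configured.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vcn:
    name: str
    private_subnet: str  # CIDR of the private subnet exposed over the peering
    lpg_name: str
    lpg_ocid: str        # constructed placeholder; use the OCID of the LPG you created


# Values from the post's table; the OCIDs are constructed placeholders.
VCN1 = Vcn("TOR-VCN1", "172.10.0.64/26", "VCN1-LPG", "ocid1.localpeeringgateway.oc1..PLACEHOLDER_VCN1")
VCN2 = Vcn("TOR-VCN2", "172.20.0.64/26", "VCN2-LPG", "ocid1.localpeeringgateway.oc1..PLACEHOLDER_VCN2")


def cidrs_overlap(a: str, b: str) -> bool:
    """True if the two CIDR blocks share any address (the peering restriction)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def route_rule(local: Vcn, peer: Vcn) -> dict:
    """Route rule for the private-subnet route table of `local`: traffic for the
    peer's private subnet is sent to the local VCN's own LPG, never the peer's."""
    return {
        "destination": peer.private_subnet,
        "destinationType": "CIDR_BLOCK",
        "networkEntityId": local.lpg_ocid,
        "description": f"to {peer.name} private subnet via {local.lpg_name}",
    }


def ingress_rule(peer: Vcn, tcp_port: Optional[int] = None) -> dict:
    """Ingress rule for the private-subnet security list of the local VCN.

    With tcp_port=None this matches the post (all protocols from the peer subnet);
    with tcp_port=22 it admits only SSH, which is all the Step 5 test needs.
    """
    rule = {"source": peer.private_subnet, "sourceType": "CIDR_BLOCK", "isStateless": False}
    if tcp_port is None:
        rule["protocol"] = "all"
    else:
        rule["protocol"] = "6"  # IANA protocol number for TCP, as the OCI API expects
        rule["tcpOptions"] = {"destinationPortRange": {"min": tcp_port, "max": tcp_port}}
    return rule


def plan_peering(a: Vcn, b: Vcn, tcp_port: Optional[int] = None) -> dict:
    """Check the restriction, then return the rules each VCN needs, keyed by VCN name."""
    if cidrs_overlap(a.private_subnet, b.private_subnet):
        raise ValueError(f"{a.name} and {b.name} have overlapping CIDRs; local peering is not possible")
    return {
        a.name: {"route_rule": route_rule(a, b), "ingress_rule": ingress_rule(b, tcp_port)},
        b.name: {"route_rule": route_rule(b, a), "ingress_rule": ingress_rule(a, tcp_port)},
    }


def check_symmetry(plan: dict, a: Vcn, b: Vcn) -> list:
    """Return a list of problems; an empty list means both directions are configured.

    Catches the two common mistakes: a route that targets the peer's LPG instead
    of the local one, and an ingress rule whose source is not the peer subnet.
    """
    problems = []
    for local, peer in ((a, b), (b, a)):
        rr = plan[local.name]["route_rule"]
        ir = plan[local.name]["ingress_rule"]
        if rr["destination"] != peer.private_subnet:
            problems.append(f"{local.name}: route destination is not {peer.private_subnet}")
        if rr["networkEntityId"] != local.lpg_ocid:
            problems.append(f"{local.name}: route target must be its own LPG {local.lpg_name}")
        if ir["source"] != peer.private_subnet:
            problems.append(f"{local.name}: ingress source is not {peer.private_subnet}")
    return problems


if __name__ == "__main__":
    plan = plan_peering(VCN1, VCN2, tcp_port=22)
    print(json.dumps(plan, indent=2))
    print("problems:", check_symmetry(plan, VCN1, VCN2) or "none")
```

Running it prints the rules for both sides; pass tcp_port=None to reproduce the post’s All Protocols rule exactly. The dictionaries follow the shape the OCI API takes for route rules and ingress security rules, so they can be passed to the CLI or SDK, but note that the OCI update calls for route tables and security lists replace the whole rule list, so merge them with the rules already present rather than overwriting.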


Step #5: Test local peering connectivity

1. Connect to VCN1-VM, then ssh to VCN2-VM

  • ssh to opc@VCN1-VM from the OCI Cloud Shell, using the RSA private key that was generated when VCN1-VM was created
  • From VCN1-VM, ssh to opc@VCN2-VM using the RSA private key that was generated when VCN2-VM was created

2. Connect to VCN2-VM, then ssh to VCN1-VM, repeating the same steps in the other direction


Thanks for reading!