Networking, Encryption and Peering in OCI

Oracle defined the data-handling and management standards used in Oracle Cloud Infrastructure to help customers configure their data correctly and to give them the tools needed to protect their data and applications from external threats.

The Oracle platform is highly secure, scalable, and optimized for performance.

Encryption between customer and OCI

All traffic between customer data centers and OCI is encrypted, using VPN and TLS. Network traffic within a VCN is not encrypted by default; however, customers can implement end-to-end encryption between their instances.

VPN – Virtual Private Network

A VPN connects your corporate network to Oracle Cloud Infrastructure over your existing internet connection in a simple and secure manner. For security and privacy, the data is encrypted using the industry-standard IPSec protocol suite and routed through the public internet.

TLS – Transport Layer Security

TLS (Transport Layer Security) is a widely used security protocol that provides privacy and data security for Internet communications. Its main application is encrypting the communication between online applications and servers, such as when a web browser loads a website.

VCN – Virtual Cloud Network

A VCN (Virtual Cloud Network) is a customizable private network in Oracle Cloud Infrastructure. Like a traditional data center network, a VCN gives you full control over your network environment: you define your own private IP address space, subnets and route tables, and set up stateful firewalls.

End-to-End Encryption

End-to-end encryption (E2EE) is a secure communication method that prevents unauthorized third parties from accessing data as it travels from one endpoint to another.
An end-to-end encrypted system assigns each user a public-private key pair; the public keys are stored on the server and each private key stays on the user's own device.

Options for interconnecting VCNs

  • Local VCN peering, using local peering gateways (LPGs).
  • Remote VCN peering, using a remote peering connection (RPC).
  • Peering VCNs in the same region through a DRG.
  • Peering VCNs in different regions through a DRG.

VCN peering

Virtual Cloud Network (VCN) peering is a networking connection between two virtual cloud networks. Instances in either VCN can communicate as if they were in the same network. VCN peering can be established within the same region (local peering) or across OCI regions (remote peering).

Local Peering

Local VCN peering is the process of connecting two VCNs in the same region so that their resources can communicate using private IP addresses without going through your on-premises network or the internet. The two VCNs do not need to belong to the same Oracle Cloud Infrastructure tenancy. Without peering, a VCN would need an internet gateway and public IP addresses for every instance that must communicate with the other VCN.

Figure: Local Peering (Source: Oracle)

Remote Peering

Remote VCN peering is the process of connecting two VCNs in different regions (but in the same tenancy). Peering lets the resources of the two VCNs communicate using private IP addresses rather than routing traffic over the internet or through your on-premises network. Without peering, a VCN would need an internet gateway and public IP addresses for every instance that must communicate with a VCN in another region.

Figure: Remote Peering between different regions (Source: Oracle)

With VCN peering you can divide your network into several VCNs (for instance by department or line of business), with each VCN having direct, private access to the others. Traffic does not have to pass through your on-premises network over FastConnect or a Site-to-Site VPN, so data and traffic stay inside OCI.
Each VCN can have one DRG and up to 10 local peering gateways. One DRG can handle up to 300 VCN attachments, so if you need to peer with many VCNs, we advise using the DRG.

Three Main Components of OCI Network

Figure: Components of OCI Network

DRG

A dynamic routing gateway (DRG) is a virtual router that connects your VCN to your existing network and provides a path for private network traffic. Combined with other Networking service components, it can be used to establish an IPSec VPN or a connection that uses Oracle Cloud Infrastructure FastConnect.

LPG

A local peering gateway (LPG) is a VCN component used to direct traffic to another VCN in the same region. Each administrator must create an LPG in their own VCN as part of configuring the VCNs for peering.

RPC

A remote peering connection (RPC) is a component that you create on the DRG attached to your VCN. The RPC serves as the connection point for a VCN that is peering with another VCN. Each administrator must create an RPC on the DRG of their own VCN as part of setting up the VCNs.

Requestor and Acceptor

The two VCN administrators must designate one of them as the requestor and the other as the acceptor in order to set up the IAM policies needed for peering. The requestor makes the request to connect the two RPCs. The acceptor must create a specific IAM policy that allows the requestor to connect to RPCs in the acceptor's compartment. Without that policy, the requestor's connection request fails.

Peering with LPG, DRG, RPC

Consider having several VCNs in a hub-and-spoke configuration in each region, as depicted in the following diagram. Using local peering gateways, the spoke VCNs in a given region are locally peered with the hub VCN in the same region.

Figure: Peering connection with two regions on OCI (Source: Oracle)

Remote peering can be configured between the two hub VCNs. After that, you can configure transit routing on the hub VCNs' DRGs and LPGs.
Example: routing can be set up so that resources in VCN-1-A can reach resources in VCN-2-A and VCN-2-B through the hub VCNs. This way, VCN-1-A does not need its own remote peering to each spoke VCN in the other region. Likewise, routing can be configured so that VCN-1-B reaches the spoke VCNs in region 2 without a remote peering of its own.
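The transit routing described above can be reasoned about before any gateway is created. The following Python is an added example, not Oracle's code and not part of the original article: it models the two-region hub-and-spoke layout (VCN names, regions and CIDRs are constructed), checks the constraints the article mentions (one DRG and at most 10 LPGs per VCN) plus the non-overlapping-CIDR requirement for peered VCNs, and derives the route rules each VCN's route table needs, so that VCN-1-A reaches VCN-2-B through its LPG to hub-1 while hub-1 forwards that traffic to its DRG. Gateway labels such as `LPG:hub-1->VCN-1-A` and `DRG:hub-1` are placeholders for the real gateway OCIDs.

```python
"""Planner for transit routing across locally and remotely peered VCNs.

Constructed example: models the article's hub-and-spoke diagram and derives
per-VCN route rules. No OCI API calls are made; all names are made up.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_network

MAX_LPG_PER_VCN = 10  # limit quoted in the article: at most 10 LPGs per VCN


@dataclass
class Vcn:
    name: str
    region: str
    cidr: str
    hub: bool = False


@dataclass
class PeeringPlan:
    vcns: dict[str, Vcn] = field(default_factory=dict)
    local_peerings: list[tuple[str, str]] = field(default_factory=list)   # LPG pairs
    remote_peerings: list[tuple[str, str]] = field(default_factory=list)  # RPC pairs on DRGs

    def add_vcn(self, vcn: Vcn) -> None:
        self.vcns[vcn.name] = vcn

    def peer_local(self, a: str, b: str) -> None:
        """Local peering needs an LPG in each VCN and only works inside one region."""
        if self.vcns[a].region != self.vcns[b].region:
            raise ValueError(f"{a} and {b} are in different regions; use remote peering")
        self.local_peerings.append((a, b))

    def peer_remote(self, a: str, b: str) -> None:
        """Remote peering uses an RPC on each VCN's DRG and links different regions."""
        if self.vcns[a].region == self.vcns[b].region:
            raise ValueError(f"{a} and {b} are in the same region; use local peering")
        self.remote_peerings.append((a, b))

    def validate(self) -> list[str]:
        """Report overlapping CIDRs (routes would be ambiguous) and LPG-limit violations."""
        problems: list[str] = []
        names = list(self.vcns)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if ip_network(self.vcns[a].cidr).overlaps(ip_network(self.vcns[b].cidr)):
                    problems.append(f"CIDR overlap: {a} ({self.vcns[a].cidr}) and {b} ({self.vcns[b].cidr})")
        lpg_count = {n: 0 for n in self.vcns}
        for a, b in self.local_peerings:  # one LPG per VCN per local peering
            lpg_count[a] += 1
            lpg_count[b] += 1
        for n, count in lpg_count.items():
            if count > MAX_LPG_PER_VCN:
                problems.append(f"{n} would need {count} LPGs; the limit is {MAX_LPG_PER_VCN}")
        return problems

    def _adjacency(self) -> dict[str, list[tuple[str, str]]]:
        adj: dict[str, list[tuple[str, str]]] = {n: [] for n in self.vcns}
        for a, b in self.local_peerings:
            adj[a].append((b, "local"))
            adj[b].append((a, "local"))
        for a, b in self.remote_peerings:
            adj[a].append((b, "remote"))
            adj[b].append((a, "remote"))
        return adj

    def route_rules(self, name: str) -> dict[str, str]:
        """Map each reachable VCN's CIDR to the gateway this VCN must send it to.

        Breadth-first search records the first hop of the shortest path; a local
        first hop means "the LPG facing that VCN", a remote one means "my DRG".
        """
        adj = self._adjacency()
        first_hop: dict[str, tuple[str, str]] = {}
        queue: deque[str] = deque()
        for neighbour, kind in adj[name]:
            first_hop[neighbour] = (neighbour, kind)
            queue.append(neighbour)
        visited = {name, *first_hop}
        while queue:
            current = queue.popleft()
            for neighbour, _ in adj[current]:
                if neighbour not in visited:
                    visited.add(neighbour)
                    first_hop[neighbour] = first_hop[current]  # inherit the first hop
                    queue.append(neighbour)
        return {
            self.vcns[target].cidr: (f"LPG:{name}->{hop}" if kind == "local" else f"DRG:{name}")
            for target, (hop, kind) in first_hop.items()
        }


def example_plan() -> PeeringPlan:
    """Constructed two-region hub-and-spoke layout mirroring the article's diagram."""
    plan = PeeringPlan()
    plan.add_vcn(Vcn("hub-1", "region-1", "10.1.0.0/16", hub=True))
    plan.add_vcn(Vcn("VCN-1-A", "region-1", "10.11.0.0/16"))
    plan.add_vcn(Vcn("VCN-1-B", "region-1", "10.12.0.0/16"))
    plan.add_vcn(Vcn("hub-2", "region-2", "10.2.0.0/16", hub=True))
    plan.add_vcn(Vcn("VCN-2-A", "region-2", "10.21.0.0/16"))
    plan.add_vcn(Vcn("VCN-2-B", "region-2", "10.22.0.0/16"))
    for spoke, hub in (("VCN-1-A", "hub-1"), ("VCN-1-B", "hub-1"),
                       ("VCN-2-A", "hub-2"), ("VCN-2-B", "hub-2")):
        plan.peer_local(spoke, hub)
    plan.peer_remote("hub-1", "hub-2")  # one RPC on each hub's DRG
    return plan


if __name__ == "__main__":
    plan = example_plan()
    print("problems:", plan.validate())
    for vcn in ("VCN-1-A", "hub-1"):
        print(vcn, plan.route_rules(vcn))
```

Running it shows that every spoke needs only rules pointing at its LPG to the hub, while each hub's route table points local spoke CIDRs at the matching LPG and everything in the other region at its DRG. Adding a VCN whose CIDR overlaps an existing one makes `validate()` flag it before any route rule is planned.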

  • Enabling peering between VCNs is simple, with no scheduled downtime.
  • Resources in peered VCNs get private connectivity over highly redundant Oracle Cloud Infrastructure fabric links with known bandwidth and latency.

Oracle Cloud Infrastructure (OCI) and Oracle's services and resources are highly secure and offer a variety of connection options. Whether data is transmitted within a region, across regions, or outside the platform, it is always encrypted in Oracle OCI.

Frequently Asked Questions (FAQs):

Q1. Is my remote VCN peering traffic encrypted?
Ans. Yes. Your remote VCN peering traffic is secure and encrypted by industry standard link encryption.

Q2. What are the benefits of local VCN peering?
Ans. A cost-free, dependable alternative to VPN connectivity models that eliminates internet gateways, public IP addresses for instances, encryption, and performance constraints.

Q3. Can I link a VCN from another tenancy to my DRG?
Ans. Yes. However, the required IAM policies must be configured.

Q4. What is the price for VCN peering?
Ans. Local peering (intra-region): No charge.
Remote peering (inter-region): Pricing is based on outbound data transfer.
