Connection Over IPSec VPN

This topic describes one way to set up a connection between an Oracle Cloud Infrastructure Classic IP network and an Oracle Cloud Infrastructure virtual cloud network (VCN). The connection runs over an IPSec VPN.

Another option is to have Oracle set up a connection over the Oracle network. For more information, see Connection Over Oracle Network.


  • You can run a hybrid workload between your Oracle Cloud Infrastructure Classic and Oracle Cloud Infrastructure environments.
  • You set up an IPSec VPN between the IP network's VPN as a Service (VPNaaS) gateway and the VCN's attached dynamic routing gateway (DRG). The connection runs over the internet. You configure routing and security rules in the environments to enable traffic.
  • The two environments must not have overlapping CIDRs. The cloud resources can communicate over the connection only with private IP addresses.
  • The two environments do not have to be in the same geographical area or region.
  • The connection is free of charge.


You can connect your Oracle Cloud Infrastructure environment and your Oracle Cloud Infrastructure Classic environment with an IPSec VPN. The connection facilitates a hybrid deployment with application components that are set up across the two environments. You can also use the connection to migrate workloads from Oracle Cloud Infrastructure Classic to Oracle Cloud Infrastructure. Compared to using the Oracle network for the connection: you can set up the IPSec VPN yourself in a matter of minutes. Compared to FastConnect: you don't incur the additional cost and operational overhead of working with a FastConnect partner.

The following diagram shows an example of a hybrid deployment. Oracle Analytics Cloud is running in an Oracle Cloud Infrastructure Classic IP network and accessing the Database service in Oracle Cloud Infrastructure over the connection.

This diagram shows the connection between an IP network and VCN.

Here are other important details to know:

  • The connection is supported in any of the Oracle Cloud Infrastructure and Oracle Cloud Infrastructure Classic regions. The two environments do not need to be in the same geographical area.
  • The connection enables communication that uses private IP addresses only.
  • The CIDR blocks of the IP network and VCN subnets that need to communicate must not overlap.
  • This connection enables communication only between resources in the Oracle Cloud Infrastructure Classic IP network and Oracle Cloud Infrastructure VCN. It does not enable traffic between your on-premises network through the IP network to the VCN, or from your on-premises network through the VCN to the IP network.
  • The connection also does not enable traffic to flow from the IP network through the connected VCN to a peered VCN in the same Oracle Cloud Infrastructure region, or a different region.

The following table lists the comparable networking components required on each side of the connection.

Component Oracle Cloud Infrastructure Classic Oracle Cloud Infrastructure
Cloud network IP network VCN
Gateway VPNaaS gateway dynamic routing gateway (DRG)
Security rules security rules network security groups, security lists

Setting Up the IPSec VPN Between Your IP Network and VCN

The following flow chart shows the overall process of connecting your IP network and VCN with an IPSec VPN.

This flow chart shows the steps for connecting your IP network and VCN with an IPSec VPN


You must already have:

Task 1: Set up a VPNaaS gateway for your IP network
Task 2: Set up the VCN's components and IPSec tunnel
Task 3: Update the VPNaaS connection with the tunnel information
Task 4: Test the connection

Terminating the Connection

If you want to terminate the connection, delete the IPSec connection:

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click IPSec Connections.

    A list of the IPSec connections in the compartment you're viewing is displayed. If you don’t see the one you're looking for, verify that you’re viewing the correct compartment (select from the list on the left side of the page).

  2. Click the IPSec connection you're interested in.
  3. Click Terminate.
  4. Confirm the deletion when prompted.

The IPSec connection will be in the Terminating state for a short period while it's being deleted.