This topic describes one way to set up a connection between an Oracle Cloud Infrastructure Classic IP network and an Oracle Cloud Infrastructure Virtual Cloud Network (VCN). The connection runs over Site-to-Site VPN.
Another option is to have Oracle set up a connection over the Oracle network. For more information, see Connection Over Oracle Network.
Highlights
You can run a hybrid workload between your Oracle Cloud Infrastructure Classic and Oracle Cloud Infrastructure environments.
You set up Site-to-Site VPN between the IP network's VPN as a Service (VPNaaS) gateway and the VCN's attached Dynamic Routing Gateway (DRG). The connection runs over the internet. You configure routing and security rules in the environments to enable traffic.
The two environments must not have overlapping CIDRs. The cloud resources can communicate over the connection only with private IP addresses.
The two environments do not have to be in the same geographical area or region.
The connection is free of charge.
Overview
You can connect your Oracle Cloud Infrastructure environment and your Oracle Cloud Infrastructure Classic environment with Site-to-Site VPN. The connection facilitates a hybrid deployment with application components that are set up across the two environments. You can also use the connection to migrate workloads from Oracle Cloud Infrastructure Classic to Oracle Cloud Infrastructure. Compared to using the Oracle network for the connection, you can set up Site-to-Site VPN yourself in a matter of minutes. Compared to FastConnect, you don't incur the additional cost and operational overhead of working with a FastConnect partner.
The following diagram shows an example of a hybrid deployment. Oracle Analytics Cloud is running in an Oracle Cloud Infrastructure Classic IP network and accessing the Database service in Oracle Cloud Infrastructure over the connection.
Here are other important details to know:
The connection is supported in any of the Oracle Cloud Infrastructure and Oracle Cloud Infrastructure Classic regions. The two environments do not need to be in the same geographical area.
The connection enables communication that uses private IP addresses only.
The CIDR blocks of the IP network and VCN subnets that need to communicate must not overlap.
This connection enables communication only between resources in the Oracle Cloud Infrastructure Classic IP network and the Oracle Cloud Infrastructure VCN. It does not enable traffic from your on-premises network through the IP network to the VCN, or from your on-premises network through the VCN to the IP network.
The connection also does not enable traffic to flow from the IP network through the connected VCN to a peered VCN in the same Oracle Cloud Infrastructure region or in a different region.
The following table lists the comparable networking components required on each side of the connection.
Component       | Oracle Cloud Infrastructure Classic | Oracle Cloud Infrastructure
Cloud network   | IP network                          | VCN
Gateway         | VPNaaS gateway                      | Dynamic Routing Gateway (DRG)
Security rules  | security rules                      | network security groups, security lists
Setting Up Site-to-Site VPN Between Your IP Network and VCN
The following flow chart shows the overall process of connecting your IP network and VCN with Site-to-Site VPN.
Prerequisites:
You must already have:
An Oracle Cloud Infrastructure Classic IP network.
IP Network: The Oracle Cloud Infrastructure Classic IP network you want to connect to your VCN. You can only specify a single IP network.
Customer Gateway: A placeholder value such as 129.213.240.51. Using this placeholder value lets you move forward in the process. You update the value later with the Oracle Cloud Infrastructure VPN router's IP address.
Customer Reachable Routes: The CIDR block for the VCN. You can specify only a single VCN.
Add a route rule that directs traffic from the VCN's subnets to the DRG. Use the IP network's CIDR block as the destination for the rule.
Determine which subnets in your VCN need to communicate with the IP network.
Update the route table for each of those subnets to include a new rule that directs traffic destined for the IP network's CIDR to your DRG:
Open the navigation menu, select Networking, and then select Virtual cloud networks.
Click the VCN you're interested in.
Under Resources, click Route Tables.
Click the route table you're interested in.
Click Add Route Rule and enter the following:
Destination CIDR Block: The IP network's CIDR block.
Target Type: Dynamic Routing Gateway. The VCN's attached DRG is automatically selected as the target, and you don't have to specify the target yourself.
Description: An optional description of the rule.
Click Add Route Rule.
Any subnet traffic with a destination that matches the rule is routed to your DRG. For more information about setting up route rules, see VCN Route Tables.
Later, if you no longer need the connection and want to delete your DRG, you must first delete all the route rules in your VCN that specify the DRG as the target.
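The route-rule task above, worked through in code. This is an added example and not part of the Oracle documentation or tooling: it first checks the non-overlap requirement between the IP network's CIDR and the VCN subnets, then builds the route rule in the RouteRule shape (destination, destinationType, networkEntityId) that the OCI CLI's route-table update command takes, and shows the filtered rule list you would need before the DRG can be deleted. All OCIDs and CIDRs are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample values; the OCIDs are placeholders, not real identifiers.
IP_NETWORK_CIDR = "192.168.10.0/24"                 # OCI Classic IP network
VCN_SUBNET_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]   # VCN subnets that must reach the IP network
DRG_OCID = "ocid1.drg.oc1..<placeholder>"           # the VCN's attached DRG (placeholder)


def find_overlaps(ip_network_cidr, vcn_subnet_cidrs):
    """Return the VCN subnet CIDRs that overlap the IP network CIDR.

    The connection works only with private, non-overlapping address space,
    so this list must be empty before any route rule is added.
    """
    ip_net = ipaddress.ip_network(ip_network_cidr, strict=True)
    return [c for c in vcn_subnet_cidrs
            if ipaddress.ip_network(c, strict=True).overlaps(ip_net)]


def drg_route_rule(ip_network_cidr, drg_ocid, description="To OCI Classic IP network"):
    """One route rule: traffic destined for the IP network's CIDR goes to the DRG."""
    return {
        "destination": ip_network_cidr,
        "destinationType": "CIDR_BLOCK",
        "networkEntityId": drg_ocid,
        "description": description,
    }


def updated_route_rules(existing_rules, ip_network_cidr, drg_ocid):
    """Full rule list to submit for the subnet's route table.

    The update call replaces the whole rule set, so existing rules are kept
    and the DRG rule is added only if an identical one is not already there.
    """
    for rule in existing_rules:
        if (rule.get("destination") == ip_network_cidr
                and rule.get("networkEntityId") == drg_ocid):
            return list(existing_rules)
    return list(existing_rules) + [drg_route_rule(ip_network_cidr, drg_ocid)]


def rules_without_drg(existing_rules, drg_ocid):
    """Rules left after dropping every rule that targets the DRG.

    The DRG cannot be deleted while any route rule still points at it.
    """
    return [r for r in existing_rules if r.get("networkEntityId") != drg_ocid]


def build_update_command(route_table_ocid, rules):
    """Render the CLI invocation that submits the complete rule list."""
    return ("oci network route-table update --rt-id {} --route-rules '{}'"
            .format(route_table_ocid, json.dumps(rules)))


if __name__ == "__main__":
    overlaps = find_overlaps(IP_NETWORK_CIDR, VCN_SUBNET_CIDRS)
    if overlaps:
        raise SystemExit("overlapping CIDRs, fix addressing first: %s" % overlaps)
    # A typical pre-existing rule: default route to an internet gateway (placeholder OCID).
    existing = [{"destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK",
                 "networkEntityId": "ocid1.internetgateway.oc1..<placeholder>"}]
    rules = updated_route_rules(existing, IP_NETWORK_CIDR, DRG_OCID)
    print(build_update_command("ocid1.routetable.oc1..<placeholder>", rules))
```

Run the overlap check before touching any route table: once both sides share an address range, no route rule or security rule can make the traffic unambiguous.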
To ensure traffic flows between the IP network and VCN, set the IP network security rules and the VCN's security rules to allow the wanted traffic.
Here are the types of rules to add:
Ingress rules for the types of traffic you want to allow into one cloud from the other, specifically from the other cloud's CIDR block.
Egress rule to allow outgoing traffic from one cloud to the other. If the VCN's subnet already has a broad egress rule for all types of protocols to all destinations (0.0.0.0/0), then you don't need to add a special one for the IP network.
The following procedure uses security lists, but you could instead implement the security rules in one or more network security groups and then place the VCN's resources in NSGs.
Determine which subnets in your VCN need to communicate with the IP network.
Update the security list for each of those subnets to include rules to allow the wanted egress or ingress traffic specifically with the CIDR block of the IP network:
In the Console, while viewing the VCN you're interested in, click Security Lists.
Click the security list you're interested in.
Under Resources, you can click Ingress Rules or Egress Rules to switch between the different types of rules.
Add one or more rules, each for the specific type of traffic you want to allow.
For more information about setting up security list rules, see Security Lists.
Let's say you want to add a stateful rule that enables ingress HTTPS (port 443) traffic from the IP network's CIDR. Here are the basic steps you take when adding a rule:
On the Ingress Rules page, click Add Ingress Rule.
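The security-rule task above, worked through in code. This is an added example and not part of the Oracle documentation or tooling: it builds the stateful ingress rule for HTTPS (TCP 443) from the IP network's CIDR in the IngressSecurityRule shape the OCI API uses (protocol by IANA number, sourceType CIDR_BLOCK, tcpOptions port range), decides whether a separate egress rule is needed by checking for an existing broad all-protocol egress rule such as 0.0.0.0/0, and flags ingress rules whose source is wider than the IP network. CIDRs are constructed sample values.

```python
import ipaddress

IP_NETWORK_CIDR = "192.168.10.0/24"  # constructed sample: the OCI Classic IP network CIDR
TCP = "6"                            # OCI rules name protocols by IANA number; "all" means every protocol


def ingress_tcp_rule(source_cidr, port, stateless=False, description=None):
    """Ingress rule allowing a single TCP port from source_cidr (stateful by default)."""
    rule = {
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "protocol": TCP,
        "isStateless": stateless,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
    }
    if description:
        rule["description"] = description
    return rule


def egress_all_rule(destination_cidr):
    """Stateful egress rule allowing all protocols to destination_cidr."""
    return {"destination": destination_cidr, "destinationType": "CIDR_BLOCK",
            "protocol": "all", "isStateless": False}


def egress_already_covers(existing_egress, destination_cidr):
    """True if an existing all-protocol egress rule already reaches destination_cidr.

    A subnet with an 'all protocols to 0.0.0.0/0' egress rule needs no extra
    rule for the IP network; anything narrower does.
    """
    target = ipaddress.ip_network(destination_cidr)
    for rule in existing_egress:
        if rule.get("destinationType", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue
        if rule.get("protocol") != "all":
            continue
        if target.subnet_of(ipaddress.ip_network(rule["destination"])):
            return True
    return False


def overbroad_ingress(rules, ip_network_cidr):
    """Ingress rules whose source is wider than the IP network's CIDR.

    The rules for this connection should admit traffic from the other cloud's
    CIDR specifically, not from every address on the internet.
    """
    wanted = ipaddress.ip_network(ip_network_cidr)
    flagged = []
    for rule in rules:
        if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue
        src = ipaddress.ip_network(rule["source"])
        if src.supernet_of(wanted) and src != wanted:
            flagged.append(rule)
    return flagged


def plan_security_list_update(existing_ingress, existing_egress, ip_network_cidr, ports):
    """Return (ingress_rules, egress_rules) to submit for the subnet's security list.

    Existing rules are retained; one ingress rule per requested TCP port is
    added from the IP network's CIDR, and an egress rule to that CIDR is added
    only when no existing rule already covers it.
    """
    ingress = list(existing_ingress)
    for port in ports:
        new_rule = ingress_tcp_rule(ip_network_cidr, port,
                                    description="From OCI Classic IP network, TCP %d" % port)
        if new_rule not in ingress:
            ingress.append(new_rule)
    egress = list(existing_egress)
    if not egress_already_covers(egress, ip_network_cidr):
        egress.append(egress_all_rule(ip_network_cidr))
    return ingress, egress


if __name__ == "__main__":
    # Constructed starting point: no ingress rules, one broad egress rule.
    current_egress = [egress_all_rule("0.0.0.0/0")]
    ingress, egress = plan_security_list_update([], current_egress, IP_NETWORK_CIDR, [443])
    print("ingress:", ingress)
    print("egress:", egress)           # unchanged: 0.0.0.0/0 already covers the IP network
    print("overbroad:", overbroad_ingress(ingress, IP_NETWORK_CIDR))
```

The same rule bodies can be submitted for a network security group instead of a security list; only the resource they attach to changes.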
The resulting IPSec connection consists of two tunnels. Record the IP address and shared secret for one of those tunnels. In the next task, you will provide those values.
Customer Gateway: The tunnel's IP address from the preceding task.
Pre-shared Key: The tunnel's shared secret from the preceding task.
After the IPSec connection is updated and provisioned, the state of your IPSec tunnel should change to Available. Provisioning might take a few minutes.
After the tunnel state changes to Available, test the connection. Depending on how you've set up your IP network's security rules and VCN security rules, you should be able to launch an instance in your VCN and access it from an instance in the IP network. Or you should be able to connect from the VCN instance to an instance in the IP network. If you can, your connection is ready to use.
Terminating the Connection
If you want to terminate the connection, delete the IPSec connection:
Open the navigation menu and select Networking. Under Customer connectivity, select Site-to-Site VPN.
A list of the IPSec connections in the compartment you're viewing is displayed. If you don't see the one you're looking for, verify that you're viewing the correct compartment (select from the list on the left side of the page).
Select the IPSec connection you're interested in.
Select Terminate.
Confirm the deletion when prompted.
The IPSec connection is in the Terminating state for a short period while it's being deleted.