Dynamic Routing Gateways (DRGs)

This topic describes how to manage a dynamic routing gateway (DRG). This topic uses the terms dynamic routing gateway and DRG interchangeably. The Console uses the term Dynamic Routing Gateway, whereas for brevity the API uses DRG.

You use a DRG when connecting your existing on-premises network to your virtual cloud network (VCN) with an IPSec VPN, Oracle Cloud Infrastructure FastConnect, or both.

You also use a DRG when peering a VCN with a VCN in a different region.

Caution

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Overview of Dynamic Routing Gateways

You can think of a DRG as a virtual router that provides a path for private traffic (that is, traffic that uses private IPv4 addresses) between your VCN and networks outside the VCN's region.

For example, if you use an IPSec VPN or Oracle Cloud Infrastructure FastConnect (or both) to connect your on-premises network to your VCN, that private IPv4 address traffic goes through a DRG that you create and attach to your VCN. For scenarios for using a DRG to connect a VCN to your on-premises network, see Networking Scenarios. For important details about routing to your on-premises network, see Routing Details for Connections to Your On-Premises Network.

Also, if you decide to peer your VCN with a VCN in another region, your VCN's DRG routes traffic to the other VCN over a private backbone that connects the regions (without traffic traversing the internet). For information about connecting VCNs in different regions, see Remote VCN Peering (Across Regions).

Working with DRGs and DRG Attachments

For the purposes of access control, when creating a DRG, you must specify the compartment where you want the DRG to reside. If you're not sure which compartment to use, put the DRG in the same compartment as the VCN. For more information, see Access Control.

You may optionally assign a friendly name to the DRG. It doesn't have to be unique, and you can change it later. Oracle automatically assigns the DRG a unique identifier called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.

A DRG is a standalone object. To use it, you must attach it to a VCN. A VCN can be attached to only one DRG at a time, and a DRG can be attached to only one VCN at a time. You can detach a DRG and reattach it at any time. In the API, the process of attaching creates a DrgAttachment object with its own OCID. To detach the DRG, you delete that attachment object.

After attaching a DRG, you must update the routing in the VCN to use the DRG. Otherwise, traffic from the VCN will not flow to the DRG. See To route a subnet's traffic to a DRG.

To delete a DRG, it must not be attached to a VCN or connected to another network by way of IPSec VPN, Oracle Cloud Infrastructure FastConnect, or remote VCN peering. Also, there must not be a route rule that lists that DRG as a target.

For information about the number of DRGs you can have, see Service Limits.

Routing a Subnet's Traffic to a DRG

The basic routing scenario sends traffic from a subnet in the VCN to the DRG. For example, if you're sending traffic from the subnet to your on-premises network, you set up a rule in the subnet's route table. The rule's destination CIDR is the CIDR for the on-premises network (or a subnet within), and the rule's target is the DRG. For more information, see Route Tables.

Advanced Scenarios: Transit Routing

This documentation includes a few basic networking scenarios to help you understand the Networking service and generally how the components work together. See scenarios A, B, and C in Networking Scenarios.

Scenarios A–C show your on-premises network connected to a VCN by way of FastConnect or VPN Connect, and accessing only the resources in that VCN.

The following advanced routing scenarios give your on-premises network additional access beyond the resources in the connected VCN. Traffic travels from your on-premises network to the VCN, and then transits through the VCN to its destination. See Transit Routing: Access to Multiple VCNs in the Same Region and Transit Routing: Private Access to Oracle Services.

In the transit routing scenarios, the VCN has a route table associated with its DRG attachment (typically route tables are associated with a VCN's subnets). That route table lets you manage routing of traffic through the VCN that is connected to the on-premises network.

When you attach a DRG to a VCN, you can optionally associate a route table with the attachment. Or if you already have a DRG attachment, you can associate a route table with it. The route table must belong to the attached VCN. A route table associated with a DRG attachment can contain only rules that use one of the following as a target:

A DRG attachment can exist without a route table associated with it. However, after you associate a route table with a DRG attachment, there must always be a route table associated with it. But, you can associate a different route table. You can also edit the table's rules, or delete some or all of the rules.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

For administrators: see IAM Policies for Networking.

Using the Console

In general, to use a DRG, you must complete these steps:

  1. Create the DRG.
  2. Attach the DRG to your VCN.
  3. Route subnet traffic to the DRG. This involves updating the route table associated with each subnet that must send traffic to the DRG. If all the subnets use the VCN's default route table, you need to update only that one table.
To create a DRG
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Dynamic Routing Gateways.

  2. Choose a compartment you have permission to work in (on the left side of the page). The page updates to display only the resources in that compartment. If you're not sure which compartment to use, contact an administrator. For more information, see Access Control.
  3. Click Create Dynamic Routing Gateway.
  4. Enter the following items:

    • Create in Compartment: The compartment where you want to create the DRG, if different from the compartment you're currently working in.
    • Name: A descriptive name for the DRG. It doesn't have to be unique, and you can change it later (see To update a DRG's name). Avoid entering confidential information.
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
  5. Click Create Dynamic Routing Gateway.

The resource is created and then displayed on the Dynamic Routing Gateways page of the compartment you chose. It will be in the "Provisioning" state for a short period. You can connect it to other parts of your network only after provisioning is complete.

To update a DRG's name
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Dynamic Routing Gateways.

  2. Click the DRG you're interested in.
  3. Click Edit.
  4. Edit the name and click Save Changes.
To attach a DRG to a VCN

Note: A VCN can be attached to only one DRG at a time, and a DRG can be attached to only one VCN at a time. The attachment is automatically created in the compartment that holds the VCN.

The following instructions have you navigate to the DRG and then choose which VCN to attach. You could instead navigate to the VCN and then choose which DRG to attach.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Dynamic Routing Gateways.

  2. Click the DRG you want to attach.
  3. Under Resources, click Virtual Cloud Networks. If you want to attach the DRG to a VCN in a different compartment than the one you're working in, choose that compartment from the list on the left side of the page.
  4. Click Attach to Virtual Cloud Network.
  5. Select the VCN.
  6. (Optional) Only if you're setting up an advanced scenario for transit routing, you can associate a route table with the DRG attachment (you can do this later if you want to):
    1. Click Show Advanced Options.
    2. Select the route table that you want to associate with the DRG attachment.
  7. Click Attach to Virtual Cloud Network.

The attachment will be in the "Attaching" state for a short period before it's ready.

After it's ready, make sure to create a route rule that directs subnet traffic to this DRG. See To route a subnet's traffic to a DRG.

To route a subnet's traffic to a DRG

For each subnet that must send traffic to the DRG, you must add a route rule to the route table associated with that subnet. If all the subnets in the VCN use the default route table, you must add a rule to only that one table.

If all non-intra-VCN traffic that's not covered by another rule in the table must be routed to the DRG, then this is the new rule to add:

  • Target Type: Dynamic Routing Gateway. The VCN's attached DRG is automatically selected as the target, and you don't have to specify the target yourself.
  • Destination CIDR Block = 0.0.0.0/0. If you want to limit the rule to a specific network (for example, your on-premises network), then use that network's CIDR instead of 0.0.0.0/0.

For step-by-step instructions, see To update rules in an existing route table.
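The difference between the two rule variants above (0.0.0.0/0 to the DRG versus only the on-premises CIDR to the DRG) is easiest to see by running a route lookup. The following is an added example, not code from the OCI documentation: it models the longest-prefix-match lookup a subnet's route table performs and a duplicate-destination check (a route table cannot hold two rules with the same destination, so a subnet cannot send 0.0.0.0/0 to both a DRG and an internet gateway). The rule keys (destination, networkEntityId) follow the RouteRule API attributes as assumed here; the OCIDs, VCN CIDR and on-premises CIDR are constructed sample values.

```python
"""Route-table lookup for a subnet that routes traffic to a DRG (added example)."""
import ipaddress

# Constructed sample values; not real OCIDs or networks.
VCN_CIDR = "10.0.0.0/16"
ONPREM_CIDR = "172.16.0.0/12"
DRG_OCID = "ocid1.drg.oc1..exampledrg"
IGW_OCID = "ocid1.internetgateway.oc1..exampleigw"

# Variant 1 from the text: all non-intra-VCN traffic goes to the DRG,
# including internet-bound traffic, which then egresses via on-premises.
TABLE_ALL_TO_DRG = [
    {"destination": "0.0.0.0/0", "networkEntityId": DRG_OCID},
]

# Variant 2: only the on-premises network goes to the DRG; the default
# route is free to point at another target, here an internet gateway.
TABLE_SPLIT = [
    {"destination": ONPREM_CIDR, "networkEntityId": DRG_OCID},
    {"destination": "0.0.0.0/0", "networkEntityId": IGW_OCID},
]

# Variant 2 with no default route: anything not on-premises is dropped.
TABLE_ONPREM_ONLY = [
    {"destination": ONPREM_CIDR, "networkEntityId": DRG_OCID},
]


def duplicate_destinations(rules):
    """Return destinations that appear more than once. The service rejects
    such tables, so this is the check to run before calling the API."""
    seen, dupes = set(), []
    for rule in rules:
        net = ipaddress.ip_network(rule["destination"])
        if net in seen and str(net) not in dupes:
            dupes.append(str(net))
        seen.add(net)
    return dupes


def resolve(rules, dst_ip, vcn_cidr=VCN_CIDR):
    """Return where a packet to dst_ip is sent: 'local' for intra-VCN
    traffic (route rules are not consulted for it), the networkEntityId of
    the most specific matching rule, or None when nothing matches and the
    packet is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in ipaddress.ip_network(vcn_cidr):
        return "local"
    best = None  # (prefix length, target) of the longest match so far
    for rule in rules:
        net = ipaddress.ip_network(rule["destination"])
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, rule["networkEntityId"])
    return None if best is None else best[1]


def drg_destinations(rules, drg_ocid=DRG_OCID):
    """List the destinations a table hands to the DRG, sorted; handy when
    auditing which subnets are forced through the on-premises network."""
    return sorted(r["destination"] for r in rules if r["networkEntityId"] == drg_ocid)


if __name__ == "__main__":
    for name, table in (("all-to-drg", TABLE_ALL_TO_DRG), ("split", TABLE_SPLIT),
                        ("onprem-only", TABLE_ONPREM_ONLY)):
        for dst in ("10.0.3.9", "172.16.5.4", "8.8.8.8"):
            print(f"{name:12} {dst:12} -> {resolve(table, dst)}")
```

Run it to see that with the catch-all variant a packet to 8.8.8.8 from the subnet is handed to the DRG (and so to your on-premises network), whereas the split variant sends it to the internet gateway and the on-premises-only variant drops it.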

To associate a route table with an existing DRG attachment
Important

Perform this task only if you're setting up an advanced scenario for transit routing. See Transit Routing: Access to Multiple VCNs in the Same Region and Transit Routing: Private Access to Oracle Services.

A DRG attachment can exist without a route table associated with it. However, after you associate a route table with a DRG attachment, there must always be a route table associated with it. But, you can associate a different route table. You can also edit the table's rules, or delete some or all of the rules.

Prerequisites: The route table must exist and belong to the VCN that the DRG is already attached to.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Dynamic Routing Gateways.

  2. Click the DRG that is attached to the VCN that has the route table.
  3. Click the Actions icon (three dots), and then click either:

    • Associate Route Table: If the DRG attachment has no route table associated with it yet.
    • Associate Different Route Table: If you're changing which route table is associated with the DRG attachment.
  4. Select the route table.
  5. Click Associate Route Table.

The route table is associated with the DRG attachment.

To detach a DRG from a VCN

Note: You do not need to remove the route rule that routes traffic to the DRG before you detach the DRG from the VCN.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Dynamic Routing Gateways.

  2. Click the DRG you want to detach.
  3. Under Resources, click Virtual Cloud Networks to see the VCN the DRG is attached to. If the VCN is in a different compartment than the one you're working in, choose that compartment from the list on the left side of the page.
  4. Click the Actions icon (three dots), and then click Detach.
  5. Confirm when prompted.

The attachment will be in the "Detaching" state for a short period.

To delete a DRG

Prerequisites:

  • The DRG must not be attached to a VCN.
  • The DRG must not be connected to another network by way of an IPSec VPN, FastConnect, or remote VCN peering.
  • There must not be a route rule that lists the DRG as a target.
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Dynamic Routing Gateways.

  2. Click the DRG you're interested in.
  3. Click Terminate.
  4. Confirm when prompted.

The DRG will be in the "Terminating" state for a short period while it's being deleted.
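Because detaching a DRG does not require removing the route rules that target it (see To detach a DRG from a VCN), a stale rule is the usual reason a later Terminate fails. The following added example (not part of the OCI documentation) applies the three deletion prerequisites above to a snapshot of the Networking resources, of the kind the List operations return, and reports every blocker instead of stopping at the first. The resource dictionaries are constructed sample data; the attribute names used (drgId, vcnId, gatewayId, networkEntityId, lifecycleState, routeRules) are assumed to follow the REST API's camelCase attributes and should be checked against the API reference before the check is wired to live output.

```python
"""Pre-flight check for deleting a DRG (added example)."""

DRG_ID = "ocid1.drg.oc1.iad.exampledrg"  # constructed, not a real OCID

# Constructed snapshot: the DRG has been detached from its VCN but a route
# rule in the VCN's default route table still lists the DRG as a target.
SNAPSHOT_STALE_RULE = {
    "drg_attachments": [
        {"id": "ocid1.drgattachment.oc1.iad.exampleatt", "drgId": DRG_ID,
         "vcnId": "ocid1.vcn.oc1.iad.examplevcn", "lifecycleState": "DETACHED"},
    ],
    "ipsec_connections": [],
    "virtual_circuits": [],
    "remote_peering_connections": [],
    "route_tables": [
        {"id": "ocid1.routetable.oc1.iad.examplert",
         "vcnId": "ocid1.vcn.oc1.iad.examplevcn",
         "routeRules": [
             {"destination": "172.16.0.0/12", "destinationType": "CIDR_BLOCK",
              "networkEntityId": DRG_ID},
         ]},
    ],
}

# Constructed snapshot: the DRG is still attached and still used by an
# IPSec connection; its VCN has no rule pointing at it.
SNAPSHOT_IN_USE = {
    "drg_attachments": [
        {"id": "ocid1.drgattachment.oc1.iad.exampleatt2", "drgId": DRG_ID,
         "vcnId": "ocid1.vcn.oc1.iad.examplevcn2", "lifecycleState": "ATTACHED"},
    ],
    "ipsec_connections": [
        {"id": "ocid1.ipsecconnection.oc1.iad.exampleipsec", "drgId": DRG_ID,
         "lifecycleState": "AVAILABLE"},
    ],
    "virtual_circuits": [],
    "remote_peering_connections": [],
    "route_tables": [],
}

# Connections to other networks that still count as "connected" unless the
# resource has reached a terminal state.
_CONNECTION_CHECKS = (
    # snapshot key, attribute that names the DRG, human-readable label
    ("ipsec_connections", "drgId", "IPSec connection"),
    ("virtual_circuits", "gatewayId", "FastConnect virtual circuit"),
    ("remote_peering_connections", "drgId", "remote peering connection"),
)


def drg_delete_blockers(drg_id, snapshot):
    """Return a list of reasons the DRG cannot be deleted yet (empty if none).

    Checks, in the order the documentation lists them: no live VCN
    attachment, no IPSec/FastConnect/remote-peering connection, and no
    route rule in any route table that targets the DRG."""
    blockers = []
    for att in snapshot.get("drg_attachments", []):
        if att["drgId"] == drg_id and att["lifecycleState"] != "DETACHED":
            blockers.append(f"attached to VCN {att['vcnId']} via {att['id']} "
                            f"({att['lifecycleState']})")
    for key, field, label in _CONNECTION_CHECKS:
        for res in snapshot.get(key, []):
            if res.get(field) == drg_id and res["lifecycleState"] != "TERMINATED":
                blockers.append(f"{label} {res['id']} ({res['lifecycleState']})")
    for table in snapshot.get("route_tables", []):
        for rule in table.get("routeRules", []):
            if rule.get("networkEntityId") == drg_id:
                blockers.append(f"route rule {rule['destination']} -> DRG in "
                                f"route table {table['id']}")
    return blockers


def can_delete_drg(drg_id, snapshot):
    """True only when every deletion prerequisite is satisfied."""
    return not drg_delete_blockers(drg_id, snapshot)


def without_drg_rules(snapshot, drg_id):
    """Return a copy of the snapshot with every rule targeting drg_id removed,
    i.e. the state after you clean the stale rules out of the route tables."""
    cleaned = dict(snapshot)
    cleaned["route_tables"] = [
        {**t, "routeRules": [r for r in t.get("routeRules", [])
                             if r.get("networkEntityId") != drg_id]}
        for t in snapshot.get("route_tables", [])
    ]
    return cleaned


if __name__ == "__main__":
    for name, snap in (("stale rule", SNAPSHOT_STALE_RULE), ("in use", SNAPSHOT_IN_USE)):
        print(name, "->", drg_delete_blockers(DRG_ID, snap) or "deletable")
```

The route-table pass is deliberately run over every table in the snapshot, not just the one the subnets currently use, because the rule that blocks deletion may sit in a table no subnet is associated with any more.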

To manage tags for a DRG
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Dynamic Routing Gateways.

  2. Click the DRG you're interested in.
  3. Click the Tags tab to view or edit the existing tags. Or click Add Tags to add new ones.

For more information, see Resource Tags.

To move a dynamic routing gateway to a different compartment

You can move a dynamic routing gateway from one compartment to another. When you move a dynamic routing gateway to a new compartment, the IAM policies that apply to the new compartment take effect immediately.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Dynamic Routing Gateways.

  2. Find the DRG in the list, click the Actions icon (three dots), and then click Move Resource.
  4. Choose the destination compartment from the list.
  5. Click Move Resource.

For more information about using compartments and policies to control access to your cloud network, see Access Control. For general information about compartments, see Managing Compartments.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

To manage your DRGs, use these operations:

For information about route table operations, see Route Tables.