Virtual Network Interface Cards (VNICs)

This topic describes how to manage the virtual network interface cards  (VNICs) in a virtual cloud network (VCN).

Caution

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Overview of VNICs and Physical NICs

The servers in Oracle Cloud Infrastructure data centers have physical network interface cards (NICs). When you launch an instance on one of these servers, the instance communicates using Networking service virtual NICs (VNICs) associated with the physical NICs. The next sections talk about VNICs and NICs, and how they're related.

About VNICs

A VNIC enables an instance to connect to a VCN and determines how the instance connects with endpoints inside and outside the VCN. Each VNIC resides in a subnet in a VCN and includes these items:

  • One primary private IPv4 address from the subnet the VNIC is in, chosen by either you or Oracle.
  • Up to 31 optional secondary private IPv4 addresses from the same subnet the VNIC is in, chosen by either you or Oracle.
  • An optional public IPv4 address for each private IP, chosen by Oracle but assigned by you at your discretion.
  • An optional hostname for DNS for each private IP address (see DNS in Your Virtual Cloud Network).
  • A MAC address.
  • A VLAN tag assigned by Oracle and available when attachment of the VNIC to the instance is complete (relevant only for bare metal instances).
  • A flag to enable or disable the source/destination check on the VNIC's network traffic (see Overview of VNICs and Physical NICs).
  • Optional membership in one or more network security groups (NSGs) of your choice. NSGs have security rules that apply only to the VNICs in that NSG.
  • Up to 32 optional IPv6 addresses. IPv6 addressing is currently supported only in the US Government Cloud. For more information, see IPv6 Addresses.

Each VNIC also has a friendly name you can assign, and an Oracle-assigned OCID (see Resource Identifiers).

Each instance has a primary VNIC that is automatically created and attached during launch. That VNIC resides in the subnet you specify during launch. The primary VNIC cannot be removed from the instance.

How VNICs and Physical NICs Are Related

This section is relevant to bare metal instances.

The OS on a bare metal instance recognizes two physical network devices and configures them as two physical NICs, 0 and 1. Whether they're both active depends on the underlying hardware:

  • Oracle X5 servers (also called first-generation): Only NIC 0 is active.
  • Oracle X6 servers: Only NIC 0 is active.
  • Oracle X7 servers (also called second-generation): Both NIC 0 and NIC 1 are active. Each physical NIC has 25 Gbps bandwidth.

NIC 0 is automatically configured with the primary VNIC's IP configuration (the IP addresses, DNS hostname, and so on).

If you add a secondary VNIC to a second-generation instance, you must specify which physical NIC the secondary VNIC should use. You must also configure the OS so that the physical NIC has the secondary VNIC's IP configuration. For Linux instances, see Linux: Configuring the OS for Secondary VNICs. For Windows instances, see Windows: Configuring the OS for Secondary VNICs.

About Secondary VNICs

You can add secondary VNICs to an instance after it's launched. Each secondary VNIC can be in a subnet in the same VCN as the primary VNIC, or in a different subnet that is either in the same VCN or a different one. However, all the VNICs must be in the same availability domain as the instance.

Here are some reasons why you might use secondary VNICs:
  • Use your own hypervisor on a bare metal instance: The virtual machines on the bare metal instance each have their own secondary VNIC, giving direct connectivity to other instances and services in the VNIC's VCN. For more information, see Installing and Configuring KVM on Bare Metal Instances with Multi-VNIC.
  • Connect an instance to subnets in multiple VCNs: For example, you might set up your own firewall to protect traffic between VCNs, so the instance needs to connect to subnets in different VCNs.

Here are more details about secondary VNICs:

  • There's a limit to how many VNICs can be attached to an instance, and it varies by shape. For those limits, see Compute Shapes.
  • They can be added only after the instance is launched.
  • They must always be attached to an instance and cannot be moved. The process of creating a secondary VNIC automatically attaches it to the instance. The process of detaching a secondary VNIC automatically deletes it.
  • They are automatically detached and deleted when you terminate the instance.
  • The instance's bandwidth is fixed regardless of the number of VNICs attached. You can't specify a bandwidth limit for a particular VNIC on an instance.
  • Attaching multiple VNICs from the same subnet CIDR block to an instance can introduce asymmetric routing, especially on instances using a variant of Linux. If you need this type of configuration, Oracle recommends assigning multiple private IP addresses to one VNIC, or using policy-based routing as shown in the script later in this topic.

Source/Destination Check

By default, every VNIC performs the source/destination check on its network traffic. The VNIC looks at the source and destination listed in the header of each network packet. If the VNIC is not the source or destination, then the packet is dropped.

If the VNIC needs to forward traffic (for example, if it needs to perform Network Address Translation (NAT)), you must disable the source/destination check on the VNIC. For instructions, see To update an existing VNIC. For information about the general scenario, see Using a Private IP as a Route Target.

VNIC Information in the Instance Metadata

The instance metadata service (IMDS) includes information about the VNICs at these URLs:

  • IMDS version 2:

    http://169.254.169.254/opc/v2/vnics/
  • Legacy IMDS version 1:

    http://169.254.169.254/opc/v1/vnics/

Here's an example response that shows the VNICs that are attached to an instance:

[ {
  "vnicId" : "ocid1.vnic.oc1.phx.exampleuniqueID",
  "privateIp" : "10.0.3.6",
  "vlanTag" : 11,
  "macAddr" : "00:00:00:00:00:01",
  "virtualRouterIp" : "10.0.3.1",
  "subnetCidrBlock" : "10.0.3.0/24",
  "nicIndex" : 0
}, {
  "vnicId" : "ocid1.vnic.oc1.phx.exampleuniqueID",
  "privateIp" : "10.0.4.3",
  "vlanTag" : 12,
  "macAddr" : "00:00:00:00:00:02",
  "virtualRouterIp" : "10.0.4.1",
  "subnetCidrBlock" : "10.0.4.0/24",
  "nicIndex" : 0
} ]

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy  by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment  you should work in.

VNICs reside in a subnet but attach to an instance. The VNIC's attachment to the instance is a separate object from the VNIC or the instance itself. Be aware that the VNIC and subnet always exist together in the same compartment, but the VNIC's attachment to the instance always exists in the instance's compartment. This distinction isn't important if you have a simple access control scenario where all the cloud resources are in the same compartment (for example, for a proof-of-concept). When you move to a production implementation, you might decide to have network administrators manage the network, and other personnel administer instances. That means you might put instances in a different compartment than the subnet.

For administrators: see IAM Policies for Networking.

Monitoring VNICs

You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see Monitoring Overview and Notifications Overview.

For information about monitoring the traffic coming in and out of VNICs, see VNIC Metrics.

Using the Console

To view an instance's VNICs
  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed. If the instance has two active physical NICs, the VNICs are grouped by NIC 0 and NIC 1.

To create and attach a secondary VNIC
  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click Create VNIC.
  6. In the Create VNIC dialog box, you specify which VCN and subnet to put the VNIC in. By default, the VNIC will be created in the current compartment. You can choose a VCN and subnet from the same compartment or a different compartment.

    Enter the following:

    • Name: A friendly name for the secondary VNIC. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
    • Virtual cloud network: The VCN that contains the subnet of interest.
    • Network: Select Normal Setup: Subnet.
    • Subnet: The subnet of interest. The secondary VNIC must be in the same availability domain as the instance's primary VNIC, so the subnet list includes any regional subnets or AD-specific subnets in the primary VNIC's availability domain.
    • Physical NIC: Only relevant if this is a bare metal instance with two active physical NICs. Select which one you want the secondary VNIC to use. When you later view the instance's details and the list of VNICs attached to the instance, they'll be grouped by NIC 0 and NIC 1.
    • Use network security groups to control traffic: Select this check box to add the secondary VNIC to at least one network security group (NSG) of your choice. NSGs have security rules that apply only to the VNICs in that NSG.
    • Skip source/destination check: By default, this check box is NOT selected, which means the VNIC performs the source/destination check. Only select this check box if you want the VNIC to be able to forward traffic. See Overview of VNICs and Physical NICs.
    • Private IP Address: Optional. An available private IP address of your choice from the subnet's CIDR (otherwise the private IP address is automatically assigned).
    • Assign a public IPv4 address: Whether to assign a public IP address to the VNIC's primary private IP. Available only if the subnet is public. Choose this option to specify an existing reserved public IP address by name, or to create a new reserved IP address by assigning a name and selecting a source IP pool for the address. If you don't select an IP pool you've created, the default Oracle IP pool is used.
    • Hostname: Optional. A hostname to be used for DNS within the cloud network. Available only if the VCN and subnet both have DNS labels. For more information, see DNS in Your Virtual Cloud Network.
    • Show Tagging Options: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
  7. Click Submit. The secondary VNIC is created and then displayed on the Attached VNICs page for the instance. It can take several seconds before the secondary VNIC appears on the page.
  8. Configure the OS to use the VNIC. See Linux: Configuring the OS for Secondary VNICs or Windows: Configuring the OS for Secondary VNICs.
To update an existing VNIC

You can update the VNIC's friendly name or hostname, or whether the VNIC performs the source/destination check.

  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. For the VNIC you want to edit, click the Actions icon (three dots), and then click Edit VNIC.

  6. Make your changes and click Save Changes.
To add or remove a VNIC from a network security group

You can change which network security groups (NSGs) a VNIC belongs to, or remove a VNIC from all NSGs.

  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click the VNIC you're interested in.

    Each VNIC's details page includes a list of the NSGs that the VNIC belongs to (if any).

  6. Next to Network Security Groups, click Edit.

  7. Make your changes and click Save Changes.
To delete a secondary VNIC
Caution

If the VNIC has a private IP that is the target of a route rule, deleting the VNIC causes the route rule to blackhole and traffic will be dropped.
  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. For the VNIC you want to delete, click the Actions icon (three dots), and then click Delete VNIC.

  6. Confirm when prompted.

It takes typically a few seconds before the VNIC is deleted.

If the secondary VNIC is on a Linux instance: If you then run the provided script in Linux: Configuring the OS for Secondary VNICs, it removes the secondary VNIC from the OS configuration.

To manage tags for a VNIC
  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click the VNIC that you're interested in.

  6. Click the Tags tab to view or edit the existing tags. Or click Add Tags to add new ones.

For more information, see Resource Tags.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

To manage VNICs on an instance, use these operations:

Linux: Configuring the OS for Secondary VNICs

This section gives details about OS configuration that is required for secondary VNICs on instances that run a variant of Linux.

At the end of the section is a script that you can use to configure secondary VNICs on either VM instances or bare metal instances.

Linux VM Instances

When you add a secondary VNIC to a Linux VM instance, a new interface (that is, an Ethernet device) is added to the instance and automatically recognized by the OS. However, DHCP is not active for the secondary VNIC, and you must configure the interface with the static IP address and default route. The script provided here handles that configuration for you.

Linux Bare Metal Instances

When you add a secondary VNIC to a Linux bare metal instance, the OS does not automatically recognize the secondary VNIC, so you must configure it in the OS. Depending on your requirements, you can configure it as either:

Configuration Script for Either Linux VM Instances or Linux Bare Metal Instances

The following script works for both VM instances and bare metal instances. It looks at the secondary VNIC information in the instance metadata and configures the OS accordingly. You could run the script periodically to bring the OS configuration up to date with the instance metadata.

For VM instances in particular, the OS automatically recognizes the secondary VNIC's interface, and the script just needs to configure the static IP address and default route.

For bare metal instances in particular, the script creates the interface for the secondary VNIC and configures it with the relevant information. If the instance has two active physical NICs (an X7/second-generation shape with NIC 0 and NIC 1), the script configures the secondary VNIC to use whichever physical NIC you chose when you added the VNIC to the instance. Note that for NIC 1, if a secondary VNIC has VLAN tag 0, it uses the NIC's interface. The script doesn't create an interface for that secondary VNIC.

Here are some additional notes about how the script works for both VM instances and bare metal instances:

  • Default namespace and policy-based routing: By default, this script configures the secondary VNIC in the default namespace and with policy-based routing so applications can communicate through the VNIC with hosts outside the VNIC's subnet. This policy-based routing has effect only if the packets are sourced from the IP address of the secondary VNIC. The ability to bind to a specific source IP address or source interface exists in most tools (such as ssh, ping, and wget) and libraries that initiate connections. For example, the ssh -b option lets you bind to the private IP address of the secondary VNIC:

    ssh -b <secondary_VNIC_IP_address> <destination_IP_address>

    Be aware that if traffic comes in to a service on the instance through a secondary VNIC's interface and the service replies, the reply packets automatically have the VNIC's interface IP address as the source IP address. Policy-based routing is required for that reply to go back out on the same interface and find the correct default gateway.

  • A separate namespace: If you're familiar with namespaces, you can instead configure the secondary VNIC in another namespace of your choice by running the script with the -n option. A separate namespace is required when an instance has secondary VNICs that are attached to subnets in different VCNs, and those subnets have overlapping CIDR blocks.
  • Secondary private IPs: The instance metadata does not include information about any secondary private IPs assigned to the instance. To include that as part of the script's OS configuration, you must provide the secondary private IP address and OCID at the command line when you run the script.
  • Removal of a secondary VNIC: After deleting a secondary VNIC from an instance, running the script removes the VNIC's information from the OS configuration.
Important

The script uses a simple configuration process that does not persist if you reboot the instance. If you use the script, make sure to rerun it after each reboot.

Here are basic examples of how to run the script:

  • <script_name> -c: Configure (adds or deletes) secondary VNIC host IP configuration
  • <script_name> -c -n: Same but uses separate namespaces
  • <script_name> -d: Force removes all secondary VNIC host IP configuration
See the script's help for more information.

View the script that configures a Linux-variant OS for a new secondary VNIC

Important

This script is intended for use in situations where non-hypervisor compute instances need to be assigned an additional VNIC and IP address.

For Kernel-based Virtual Machine (KVM) applications on a bare metal instance, refer to the white paper "Installing and Configuring KVM on Bare Metal Instances with Multi-VNIC."

Windows: Configuring the OS for Secondary VNICs

Secondary VNICs are supported on VM and bare metal instances, but only on X7/second-generation shapes (shapes with "2" in the name, such as VM.Standard2.16 and BM.Standard2.52). For bare metal, secondary VNICs are supported only on the second physical NIC.

Tip

The first physical NIC is NIC 0, and the second is NIC 1.

You must configure the secondary VNIC within the OS. There's an Oracle-provided PowerShell script that performs configuration. When running the script, you can optionally provide the secondary VNIC's OCID (which you can get from the instance's VNIC metadata):

.\secondary_vnic_windows_configure.ps1 "<secondary_VNIC_OCID>"

Otherwise, the script shows a list of the secondary VNICs on the instance and asks you to choose the one you want to configure. Here's generally what the script does:

  1. The script checks if the network interface has an IP address and a default route.
  2. To enable the OS to recognize the secondary VNIC, the script must overwrite the IP address and default route with static settings (which effectively disables DHCP). The script prompts you with a choice: to overwrite with the static settings, or exit.

View the Powershell script that configures Windows for a new secondary VNIC

The overall process for configuration varies slightly depending on the type of instance (VM or bare metal) and how many secondary VNICs you add to the instance.

Windows VM instances

Here's the overall process:

  1. Add one or more secondary VNICs to the instance. Keep each VNIC's OCID handy so you can provide it later when you run the configuration script. You can also get the OCID from the instance's VNIC metadata.
  2. Connect to the instance with Remote Desktop.
  3. Run the script:
    1. Open PowerShell as an administrator.
    2. Run the script with the secondary VNIC's OCID:

      .\secondary_vnic_windows_configure.ps1 "<secondary_VNIC_OCID>"
  4. Repeat the preceding step for each additional secondary VNIC.
Windows bare metal instances: adding the first secondary VNIC

If you're adding only a single secondary VNIC to the bare metal instance, here's the overall process:

  1. Add the secondary VNIC to your instance. Keep the VNIC's OCID handy so you can provide it when later running the configuration script. You can also get the OCID from the instance's VNIC metadata.
  2. Connect to the instance with Remote Desktop.
  3. Enable the second physical NIC on the instance:
    1. Open the Device Manager, and then click Network adapters.
    2. Right-click the adapter that corresponds to the instance's second physical NIC, and click Enable.
  4. Run the script:
    1. Open PowerShell as an administrator.
    2. Run the script with the secondary VNIC's OCID:

      .\secondary_vnic_windows_configure.ps1 "<secondary_VNIC_OCID>"
    3. When the script prompts you to overwrite the network interface's settings, say yes.
Windows bare metal instances: adding additional secondary VNICs

If you have one secondary VNIC on the second physical NIC of a bare metal instance, and you want to one or more additional VNICs, here's the overall process. It includes a task for setting up NIC teaming, which is required if the instance has more than one VNIC on the second physical NIC.

Note

If you increase the number of secondary VNICs on the second physical NIC from one to two or more, you must enable NIC teaming for the second physical NIC (see instructions that follow). In your NIC "team," you create a separate interface for each secondary VNIC on that physical NIC, including the initial one. This means that the original interface for that first secondary VNIC will no longer work, and any subsequent configuration you want to do for that VNIC must be done instead on the VNIC's new interface that's part of the "team".
  1. Add one or more additional secondary VNICs to your instance. Keep each VNIC's OCID and VLAN tag handy so you can provide them when later running the configuration script. You can also get the values from the instance's VNIC metadata.
  2. Connect to the instance with Remote Desktop.
  3. Set up NIC teaming on the instance:
    1. Open the Server manager, and then click Local Server.
    2. In the list of properties, locate NIC Teaming, and then click Disabled to enable and set up NIC teaming.
    3. In the Teams section on the lower-left side of the screen, click Tasks, and then click New Team.
    4. Enter a name for the team, select the check box for the second physical NIC on the instance, and click OK.

      The new team is created and appears in the list of teams in the Teams section.

    5. Click the new team so it's selected, and then in the Adapters and Interfaces section on the right side of the screen, click the Team Interfaces tab.
    6. Click Tasks, and then click Add Interface (you will create a separate interface for each secondary VNIC on the second physical NIC).
    7. Click the radio button for Specific VLAN, and then enter the Oracle-assigned VLAN tag number for the VLAN (for example, 1). You can get the VLAN tag from the Console or the instance's VNIC metadata.
    8. Click OK.
    9. Repeat the four preceding steps (e-h) for each of the other secondary VNICs. You create a separate interface for each secondary VNIC.

  4. Run the script:
    1. Open PowerShell as an administrator.
    2. For the first secondary VNIC, run the script with the secondary VNIC's OCID:

      .\secondary_vnic_windows_configure.ps1 "<secondary_VNIC_OCID>"
    3. When the script prompts you to overwrite the network interface's settings, say yes.
    4. Repeat the preceding two steps (b and c) for each of the additional secondary VNICs.