Managing Layer 2 Networking Resources for an SDDC

This topic describes how to manage layer 2 networking resources for a software-defined data center (SDDC) by using the Oracle Cloud Infrastructure Console or the API.

Caution

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

About SDDC Layer 2 Networking Resources

An Oracle Cloud Infrastructure SDDC requires a management subnet and layer 2 networking resources. The layer 2 networking resources include seven VLANs and their configured external access objects.

When you provision an SDDC by using the Oracle Cloud Infrastructure Console's Create SDDC workflow, you can have the workflow create these required networking resources for you. We recommend that you select this option. If you prefer, you can create them yourself before you start the Create SDDC workflow, and then select the existing subnet and VLANs you created for this purpose. If you create the SDDC using an existing subnet and VLANs, Oracle recommends that you create a size /22 CIDR network segment in your VCN for the SDDC’s networking resources. The documentation and the console refer to this segment as the “SDDC CIDR.” Divide this SDDC CIDR into eight segments of size /25 to use for the subnet and the seven required VLANs indicated in this topic. In addition, you must configure the security rules for these networking resources as detailed in Security Rules for Oracle Cloud VMware Solution SDDCs. Otherwise, provisioning the SDDC will fail.

VLANs Required for an SDDC

An SDDC requires VLANs for the following functions:

  • NSX Edge Uplink 1: Uplink used for communication between the VMware SDDC and Oracle Cloud Infrastructure.
  • NSX Edge Uplink 2: Reserved for future use to deploy public-facing applications on the VMware SDDC.
  • NSX Edge VTEP: Used for data plane traffic between the ESXi host and NSX Edge.
  • NSX VTEP: Used for data plane traffic between ESXi hosts.
  • vMotion: Used for vMotion (VMware migration tool) management and workload.
  • vSAN: Used for vSAN (VMware storage) data traffic.
  • vSphere: Used for management of the SDDC components (ESXi, vCenter, NSX-T, and NSX Edge).
  • HCX: (Optional) Used for HCX traffic. Create this VLAN if you plan to enable HCX when you provision the SDDC.
    Note

    If you allow the Create SDDC workflow to create the VLANs, the workflow divides the SDDC management CIDR you specify into eight equal segments to use for the provisioning subnet and the seven required VLANs. If you enable HCX, the workflow further divides the vSphere segment into two equal parts, one for the vSphere VLAN and the other for the HCX VLAN. You can follow this model if you choose to create your VLANs manually.

    HCX also requires that the vSphere VLAN has a route table rule that allows traffic to a NAT gateway attached to the VCN. See Route Tables for more information.

These VLANs must all be in the same VCN and availability domain you specify when you create the SDDC, but they can be in different compartments.
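The carve-out described above (one SDDC CIDR split into eight equal segments, the vSphere segment halved again when HCX is enabled) is easy to get wrong by hand, and the console rejects a VLAN whose gateway CIDR falls outside the VCN CIDR or overlaps another subnet or VLAN. The following script is an added example, not Oracle code or part of the Create SDDC workflow: it computes the layout and checks it against the VCN CIDR and any CIDRs already in use. The segment names, the order in which segments are assigned, and the sample CIDRs are assumptions of the example.

```python
"""Carve an SDDC CIDR into the provisioning subnet and the VLAN CIDRs.

Added example; not part of the OCI documentation or any Oracle tool.
The VCN CIDR, SDDC CIDR and existing CIDRs below are constructed sample
values; the segment names and their order are this example's choice.
"""
import ipaddress

# One provisioning subnet plus the seven required VLANs. The assignment
# order is an assumption of this example, not a rule from the documentation.
SEGMENT_NAMES = [
    "provisioning-subnet",
    "nsx-edge-uplink-1",
    "nsx-edge-uplink-2",
    "nsx-edge-vtep",
    "nsx-vtep",
    "vmotion",
    "vsan",
    "vsphere",
]


def carve_sddc_cidr(sddc_cidr, enable_hcx=False):
    """Return {name: IPv4Network} for the subnet and VLANs.

    The SDDC CIDR is split into eight equal segments (a /22 yields eight
    /25s). With HCX enabled the vSphere segment is halved: one half stays
    the vSphere VLAN, the other becomes the HCX VLAN, mirroring what the
    Create SDDC workflow does.
    """
    net = ipaddress.ip_network(sddc_cidr, strict=True)
    segments = list(net.subnets(prefixlen_diff=3))  # 2**3 == 8 equal pieces
    plan = dict(zip(SEGMENT_NAMES, segments))
    if enable_hcx:
        vsphere_half, hcx_half = plan["vsphere"].subnets(prefixlen_diff=1)
        plan["vsphere"] = vsphere_half
        plan["hcx"] = hcx_half
    return plan


def validate_plan(plan, vcn_cidr, existing_cidrs=()):
    """Return a list of problems; empty means every CIDR in the plan lies
    inside the VCN CIDR and overlaps neither an existing subnet/VLAN nor
    another CIDR in the plan (the console's VLAN Gateway CIDR rule)."""
    vcn = ipaddress.ip_network(vcn_cidr)
    existing = [ipaddress.ip_network(c) for c in existing_cidrs]
    problems = []
    items = list(plan.items())
    for name, cidr in items:
        if not cidr.subnet_of(vcn):
            problems.append(f"{name} {cidr} is outside VCN CIDR {vcn}")
        for other in existing:
            if cidr.overlaps(other):
                problems.append(f"{name} {cidr} overlaps existing {other}")
    for i, (name_a, a) in enumerate(items):
        for name_b, b in items[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} {a} overlaps {name_b} {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample: VCN 10.0.0.0/16 with an existing 10.0.0.0/24 subnet.
    plan = carve_sddc_cidr("10.0.4.0/22", enable_hcx=True)
    for name, cidr in plan.items():
        print(f"{name:22s} {cidr}")
    print("problems:", validate_plan(plan, "10.0.0.0/16", ["10.0.0.0/24"]))
```

Run it with your own VCN CIDR and the list of subnets and VLANs already in the VCN before creating anything; a non-empty problem list is exactly what would make the console reject the VLAN or make SDDC provisioning fail later.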

External Access to VLAN Resources

You can enable external access to an SDDC's ESXi hosts by creating a private IP object for the VLAN that can be used as a route target. Additionally, you can enable internet access to hosts in the VLAN by assigning a public IP address to the VLAN's private IP address object. When you configure external access, you have the option to indicate that it be accessible as a route target only and, as such, have no associated public IP address. See To add external access to a VLAN for the steps to configure external access.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment you should work in.

Using the Console

Use the procedures that follow to create and manage VLANs and external access objects for your SDDCs.

To create a VLAN for an SDDC
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Choose a compartment you have permission to work in (on the left side of the page). The page updates to display only the resources in that compartment. If you're not sure which compartment to use, contact an administrator. For more information, see Access Control.
  3. Click the VCN in which you plan to provision your SDDC.
  4. Under Resources, click VLANs.
  5. Click Create VLAN.
  6. Enter the following:
    • Name: (Optional) A descriptive name for the VLAN. It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
    • Create in Compartment: The compartment for the VLAN.
    • Availability Domain: Select the availability domain you plan to select when you provision the SDDC. The ESXi hosts must be in the same availability domain as the SDDC's VLANs.
    • IEEE 802.1Q VLAN Tag: (Optional) The VLAN uses this unique value to identify a broadcast domain for layer 2 traffic. Enter a number from 1 to 4094. If you don't enter a value, Oracle assigns one. You cannot change this value later.
    • VLAN Gateway CIDR: This CIDR provides IP addresses used by the VLAN for external layer 3 communication and routing. This CIDR block also provides the private IP addresses Oracle uses as attachment objects for public IP addresses when instances require access to internet hosts. You can't change this value later.

      Note

      This CIDR must be within the VCN's CIDR and cannot overlap with the CIDRs of the other subnets and VLANs in the VCN.
    • Route Table: The route table contains rules that specify the next hop for traffic from the VLAN to external destinations.
    • Network Security Groups: Select the NSGs with the security rules to apply to all VNICs in this VLAN. You can select up to 5 NSGs for a VLAN.

      You manage NSG membership for VNICs in a VLAN at the VLAN level. You cannot add or remove individual VNICs in a VLAN from an NSG.

    If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator. If you don't see the tagging option, click Show Advanced Options.

  7. Click Create VLAN.

    The new VLAN displays in the list of VLANs for the VCN in the selected compartment.

  8. Repeat steps 5 through 7 for each VLAN you need for your SDDC. See VLANs Required for an SDDC.
To add external access to a VLAN
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN that contains the VLAN you want to modify.

    If you do not see the VCN listed, ensure that you have the correct compartment selected.

  3. Under Resources, click VLANs.
  4. Click the name of the VLAN to view details about it.
  5. Click Add External Access.
  6. Specify the type of external access to configure.

    Route Target Only: Select this option to assign a private IP address only for use as a route target for traffic that needs to reach the VMware overlay. The IP address must be within the VLAN gateway CIDR block. If you do not specify a name or a private IP address, or both, Oracle generates the needed values for you.

    Public Access: Select this option to also provide a public IP address for internet access to the resources such as VNICs and VMs in the VLAN. The public IP address must be attached to a private IP address to enable internet access.
    • Private IP Address: (Optional) Specify a name and/or a private IP address within the VLAN gateway CIDR block. If you do not specify these values, Oracle generates them for you. Note that as with the route target only option, this private IP address can also be used as a route target for non-internet traffic.
    • Reserved Public IP Address: (For public access only) Choose whether to specify an existing reserved public IP address or have a new one created for this external access.

    If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator. To see the tagging options, click Show Advanced Options.

  7. Click Add External Access.
To modify external access to a VLAN
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN that contains the VLAN you want to modify.

    If you do not see the VCN listed, ensure that you have the correct compartment selected.

  3. Under Resources, click VLANs.
  4. Click the name of the VLAN to view details about it.
  5. In the External Access list, select the external access you want to modify, click the Actions icon (three dots), and then click Edit.

    The settings you can modify depend on the external access type. Consider the following:

    • You can change the external access type from route target only to public access, or the other way around.

      If you change the type from public access to route target only, the private IP address will no longer have an associated reserved public IP address. Therefore, any host that uses the private IP address will not be accessible from the internet.

      If you change the type from route target only to public access, you'll need to attach a reserved public IP address to it to enable access from the internet. You can select an existing public IP address or have a new one created for this purpose.

    • For both route target only and public access types, you can rename the private IP address but you cannot change the IP address value itself.
    • For a public access type, you can rename the reserved public IP address but you cannot change the IP address value itself.
  6. When you are done making your updates, click Save Changes.
To remove external access to a VLAN
Important

If an existing route rule targets the private IP address associated with the external access you are removing, that route rule remains in place with a next hop that no longer exists, and traffic matching the rule is dropped. Check the route tables in the VCN for rules that target the private IP address before you remove it.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN that contains the VLAN you want to modify.

    If you do not see the VCN listed, ensure that you have the correct compartment selected.

  3. Under Resources, click VLANs.
  4. Click the name of the VLAN to view details about it.
  5. In the External Access list, select the external access you want to remove, and click Remove.
  6. Click Remove to complete the action.
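Two of the procedures above have a precondition worth checking in code rather than by eye: a private IP address chosen for a new external access object must lie inside the VLAN gateway CIDR (and must not already be allocated on that VLAN), and removing an external access object leaves any route rule that targets its private IP pointing at a next hop that no longer exists. The following is an added example, not Oracle code: it performs both checks on data shaped like the Networking REST API's RouteTable (id, routeRules with networkEntityId and destination) and PrivateIp (id, ipAddress, vlanId) objects, which in practice you would fetch with the list route tables and list private IPs operations. The sample objects and OCIDs are constructed placeholders.

```python
"""Pre-change checks for VLAN external access objects.

Added example; not Oracle code. The route tables and private IPs below are
constructed sample data in the shape of the REST API's RouteTable and
PrivateIp objects; every OCID is a placeholder.
"""
import ipaddress

# Constructed sample: two route tables, one of which sends a workload
# prefix to the private IP used by the NSX Edge Uplink 1 external access.
SAMPLE_ROUTE_TABLES = [
    {
        "id": "ocid1.routetable.oc1..example-workload",
        "routeRules": [
            {"destination": "192.168.100.0/24", "destinationType": "CIDR_BLOCK",
             "networkEntityId": "ocid1.privateip.oc1..example-uplink1"},
            {"destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK",
             "networkEntityId": "ocid1.internetgateway.oc1..example-igw"},
        ],
    },
    {
        "id": "ocid1.routetable.oc1..example-vsphere",
        "routeRules": [
            {"destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK",
             "networkEntityId": "ocid1.natgateway.oc1..example-nat"},
        ],
    },
]

# Constructed sample: private IPs already allocated on the uplink VLAN,
# whose gateway CIDR in this example is 10.0.4.128/25.
SAMPLE_VLAN_PRIVATE_IPS = [
    {"id": "ocid1.privateip.oc1..example-uplink1", "ipAddress": "10.0.4.130",
     "vlanId": "ocid1.vlan.oc1..example-uplink-vlan"},
    {"id": "ocid1.privateip.oc1..example-gw", "ipAddress": "10.0.4.129",
     "vlanId": "ocid1.vlan.oc1..example-uplink-vlan"},
]


def dependent_route_rules(route_tables, private_ip_id):
    """Route rules whose next hop is the private IP you are about to remove.

    Returns a list of (route_table_id, destination). A non-empty result
    means the rule would survive the removal and drop matching traffic, so
    update or delete those rules first.
    """
    return [
        (table["id"], rule.get("destination"))
        for table in route_tables
        for rule in table.get("routeRules", [])
        if rule.get("networkEntityId") == private_ip_id
    ]


def check_new_route_target(candidate_ip, vlan_gateway_cidr, vlan_private_ips):
    """Validate a private IP chosen for a new external access object.

    The address must be inside the VLAN gateway CIDR and must not collide
    with a private IP already allocated on the VLAN. Returns a list of
    problems; empty means the address can be used.
    """
    ip = ipaddress.ip_address(candidate_ip)
    cidr = ipaddress.ip_network(vlan_gateway_cidr)
    problems = []
    if ip not in cidr:
        problems.append(f"{ip} is outside VLAN gateway CIDR {cidr}")
    taken = {p["ipAddress"] for p in vlan_private_ips}
    if str(ip) in taken:
        problems.append(f"{ip} is already allocated on this VLAN")
    return problems


if __name__ == "__main__":
    print(dependent_route_rules(SAMPLE_ROUTE_TABLES,
                                "ocid1.privateip.oc1..example-uplink1"))
    print(check_new_route_target("10.0.4.140", "10.0.4.128/25",
                                 SAMPLE_VLAN_PRIVATE_IPS))
    print(check_new_route_target("10.0.5.1", "10.0.4.128/25",
                                 SAMPLE_VLAN_PRIVATE_IPS))
```

Run dependent_route_rules against every route table in the VCN, not only the one attached to the VLAN: the rule that targets the external access private IP typically lives in the route table of the subnet whose traffic must reach the VMware overlay.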
To move a VLAN to a different compartment
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN that contains the VLAN you want to move.

    If you do not see the VCN listed, ensure that you have the correct compartment selected.

  3. Under Resources, click VLANs.
  4. Click the name of the VLAN to view details about it.
  5. Click Move Resource.
  6. Choose the destination compartment from the list.
  7. Click Move Resource.
To modify basic properties of a VLAN

You can rename a VLAN, or change its route table or network security groups.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN that contains the VLAN you want to modify.

    If you do not see the VCN listed, ensure that you have the correct compartment selected.

  3. Under Resources, click VLANs.
  4. Click the name of the VLAN to view details about it.
  5. Click Edit.
  6. Change the applicable settings:

    • VLAN Name: Use a descriptive name that helps to identify the VLAN. The name doesn't have to be unique.
    • Route Table: The route table provides mapping for traffic from the VLAN to external destinations.

      (To select a route table in a different compartment, click Change Compartment, and select the compartment the target route table is in.)

    • Network Security Groups: Select the NSGs with the security rules to apply to all VNICs in this VLAN. You can select up to 5 NSGs for a VLAN.
  7. When you are done making changes, click Save Changes.
To modify the network security groups of a VLAN
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN that contains the VLAN you want to modify.

    If you do not see the VCN listed, ensure that you have the correct compartment selected.

  3. Under Resources, click VLANs.
  4. Click the name of the VLAN to view details about it.
  5. Next to Network Security Groups, click Edit.
  6. Make the applicable changes to the list of security groups. The VLAN can be associated with up to 5 security groups.

  7. Click Save Changes.
To delete a VLAN
Note

You cannot delete a VLAN if it has any external access resources. You must first remove all external access. See To remove external access to a VLAN.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN that contains the VLAN you want to delete.

    If you do not see the VCN listed, ensure that you have the correct compartment selected.

  3. Under Resources, click VLANs.
  4. Click the name of the VLAN to view details about it.
  5. Click Delete.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use these API operations to create and manage layer 2 networking resources for an Oracle Cloud VMware solution SDDC:

For a list of API operations to create and manage networking resources used by the VLANs in an SDDC, see the following topics: