Oracle Cloud Infrastructure Documentation

Access to Microsoft Azure

Oracle and Microsoft have created a cross-cloud connection between Oracle Cloud Infrastructure and Microsoft Azure in certain regions. This connection lets you set up cross-cloud workloads without the traffic between the clouds going over the internet. This topic describes how to set up virtual networking infrastructure resources to enable this kind of cross-cloud deployment.

Highlights

  • You can connect a Microsoft Azure virtual network (VNet) with an Oracle Cloud Infrastructure virtual cloud network (VCN) and run a cross-cloud workload. In the typical use case, you deploy your Oracle Database on Oracle Cloud Infrastructure, and deploy an Oracle, .NET, or custom application in Microsoft Azure.
  • The two virtual networks must belong to the same company and not have overlapping CIDRs. The connection requires you to create an Azure ExpressRoute circuit and an Oracle Cloud Infrastructure FastConnect virtual circuit.
  • The connection is currently available only in these areas:

Overview of Supported Traffic

Here are more details about the supported types of traffic.

VNet-to-VCN Connection: Extension from One Cloud to Another

You can connect your VNet and VCN so that traffic that uses private IP addresses goes over the cross-cloud connection.

For example, the following diagram shows a VNet that is connected to a VCN. Resources in the VNet are running a .NET application that access an Oracle database that runs on Database service resources in the VCN. The traffic between the application and database uses a logical circuit that runs on the cross-cloud connection between Azure and Oracle Cloud Infrastructure.

This diagram shows the connection between an Azure VNet and Oracle VCN.

To enable the connection between the VNet and VCN, you set up an Azure ExpressRoute circuit and an Oracle Cloud Infrastructure FastConnect virtual circuit. The connection has built-in redundancy, which means you need to set up only a single ExpressRoute circuit and single FastConnect virtual circuit. The bandwidth for the connection is the bandwidth value you choose for the ExpressRoute circuit.

For instructions, see Setting Up a VNet-to-VCN Connection.

Types of Traffic Not Supported by the Connection

This cross-cloud connection does not enable traffic between your on-premises network through the VNet to the VCN, or from your on-premises network through the VCN to the VNet.

The connection also does not enable traffic to flow from the VNet through the connected VCN to a peered VCN in the same Oracle Cloud Infrastructure region, or a different region. Similarly, the connection does not enable traffic to flow from the VCN through the connected VNet to a peered VNet.

Important Implications of Connecting Clouds

This section summarizes some access control, security, and performance implications of connecting your VCN to a VNet. In general, you can control access and traffic by using IAM policies, route tables in the VCN, and security rules in the VCN.

The sections that follow discuss implications from the perspective of your VCN. There are similar implications for your VNet. As with your VCN, you can use Azure resources such as route tables and network security groups to secure your VNet.

Controlling the Establishment of a Connection

With Oracle Cloud Infrastructure IAM policies, you can control:

Controlling Traffic Flow Over the Connection

Even if a connection has been established between your VCN and VNet, you can control the packet flow over the connection with route tables in your VCN. For example, you can restrict traffic to only specific subnets in the VNet.

Without terminating the connection, you can stop traffic flow to the VNet by simply removing route rules that direct traffic from your VCN to the VNet. You can also effectively stop the traffic by removing any security rules that enable ingress or egress traffic with the VNet. This doesn't stop traffic flowing over the connection, but stops it at the VNIC level.

Controlling the Specific Types of Traffic Allowed

It's important that you ensure that all outbound and inbound traffic with the VNet is intended/expected and well defined. In practice, this means implementing Azure network security group and Oracle security rules that explicitly state the types of traffic one cloud can send to the other and accept from the other.

Important

Your Oracle Cloud Infrastructure instances running Oracle-provided Linux images or Windows images also have firewall rules that control access to the instance. When troubleshooting access to an instance, make sure all of the following items are set correctly: the network security groups that the instance is in, the security lists associated with the instance's subnet, and the instance's firewall rules. For more information, see Oracle-Provided Images.

If your instance is running Oracle Linux 7, you need to use firewalld to interact with the iptables rules. For your reference, here are commands for opening a port (1521 in this example):

sudo firewall-cmd --zone=public --permanent --add-port=1521/tcp
								
sudo firewall-cmd --reload

For instances with an iSCSI boot volume, the preceding --reload command can cause problems. For details and a workaround, see Instances experience system hang after running firewall-cmd --reload.

In addition to security rules and firewalls, you should evaluate other OS-based configuration on the instances in your VCN. There could be default configurations that don't apply to your own VCN's CIDR, but inadvertently apply to the VNet's CIDR.

Using Default Security List Rules with Your VCN

If your VCN's subnets use the default security list with the default rules, be aware that there are two rules that allow ingress traffic from anywhere (that is, 0.0.0.0/0, and thus the VNet):

  • Stateful ingress rule that allows TCP port 22 (SSH) traffic from 0.0.0.0/0 and any source port
  • Stateful ingress rule that allows ICMP type 3, code 4 traffic from 0.0.0.0/0 and any source port

Make sure to evaluate these rules and whether you want to keep or update them. As stated earlier, you should ensure that all inbound or outbound traffic that you permit is intended/expected and well defined.

Preparing for Performance Impact and Security Risks

In general, you should prepare your VCN for the ways it could be affected by the VNet. For example, the load on your VCN or its instances could increase. Or your VCN could experience a malicious attack directly from or by way of the VNet.

Regarding performance: If your VCN is providing a service to the VNet, be prepared to scale up your service to accommodate the demands of the VNet. This might mean being prepared to launch additional instances as necessary. Or if you're concerned about high levels of network traffic coming to your VCN, consider using stateless security rules to limit the level of connection tracking your VCN must perform. Stateless security rules can also help slow the impact of a denial-of-service (DoS) attack.

Regarding security risks: If the VNet is connected to the internet, be aware that your VCN can be exposed to bounce attacks in which a malicious host on the internet can send traffic to your VCN but make it look like it's coming from the VNet. To guard against this, as mentioned earlier, use your security rules to carefully limit the inbound traffic from the VNet to expected and well-defined traffic.

Setting Up a VNet-to-VCN Connection

This section describes how to set up the logical connection between a VNet and VCN (for background, see Overview of Supported Traffic).

Prerequisites: Resources You Need

You must already have:

As a reminder, here is a table that lists the comparable networking components involved in each side of the connection.

Component Azure Oracle Cloud Infrastructure
Virtual network VNet VCN
Virtual circuit ExpressRoute circuit FastConnect private virtual circuit
Gateway virtual network gateway dynamic routing gateway (DRG)
Routing route tables route tables
Security rules network security groups (NSGs) network security groups (NSGs), security lists

Prerequisites: BGP Information You Need

The connection between the VNet and VCN uses BGP dynamic routing. When you set up the Oracle virtual circuit, you provide the BGP IP addresses that will be used for the two redundant BGP sessions between Oracle and Azure:

  • A primary pair of BGP addresses (one IP address for the Oracle side, one IP address for the Azure side)
  • A separate, secondary pair of BGP addresses (one IP address for the Oracle side, one IP address for the Azure side)

For each pair, you must provide a separate /30 block of addresses (each /30 has four IP addresses).

The second and third addresses in each /30 are used for the BGP IP address pair. Specifically:

  • The second address in the block is for the Oracle side of the BGP session
  • The third address in the block is for the Azure side of the BGP session

The first and last addresses in the block are used for other internal purposes.

For example, if the /30 is 10.0.0.20/30, then the addresses in the block are:

  • 10.0.0.20/30
  • 10.0.0.21/30: Use this for the Oracle side
  • 10.0.0.22/30: Use this for the Azure side (also referred to as the "Customer" side in the Oracle Console)
  • 10.0.0.23/30

Remember that you must also provide a /30 block for the secondary BGP addresses. For example: 10.0.0.24/30. In this case, 10.0.0.25/30 is for the Oracle side, and 10.0.0.26/30 is for the Azure side.

Prerequisites: Required IAM Policy

It's assumed that you have the necessary Azure Active Directory access and Oracle Cloud Infrastructure IAM access to create and work with the relevant Azure and Oracle networking resources. Specifically for IAM: If your user is in the Administrators group, you have the required authority.

If your user is not, then a policy like this one generally covers all the Networking resources:

Allow group NetworkAdmins to manage virtual-network-family in tenancy

To only create and manage a virtual circuit, you must have a policy like this:

Allow group VirtualCircuitAdmins to manage drgs in tenancy

Allow group VirtualCircuitAdmins to manage virtual-circuits in tenancy

For more information, see IAM Policies for Networking.

Overall Process

The following flow chart shows the overall process of connecting your VNet and VCN.

This flow chart shows the steps for connecting your Azure VNet and Oracle VCN

Task 1: Configure the network security groups and security rules
Task 2: Set up Azure ExpressRoute circuit
Task 3: Set up an Oracle Cloud Infrastructure FastConnect virtual circuit
Task 4: Confirm that both circuits are provisioned
Task 5: Configure the route tables
Task 6: Test the connection

Important

If you decide to terminate the connection, you must follow a particular process. See To terminate the connection to Azure.

Managing a VNet-to-VCN Connection

To get the status of your FastConnect virtual circuit
To edit a FastConnect virtual circuit
To terminate the connection to Azure