Routing Details for Connections to Your On-Premises Network

You might use multiple site-to-site connections between your on-premises network and virtual cloud network (VCN) for redundancy or other reasons.

For example, you might use both FastConnect private peering and Site-to-Site VPN to the dynamic routing gateway (DRG)  attached to your VCN. Or perhaps you use redundant Site-to-Site VPN connections to the DRG (for an example scenario, see Example Layout with Multiple Geographic Areas). Or perhaps you use FastConnect public peering, FastConnect private peering, and Site-to-Site VPN.

This topic covers important details about route advertisement and path preferences when you have multiple connections.

DRG Route Advertisements to Your On-Premises Network

FastConnect private peering and Site-to-Site VPN provide your on-premises network with private access to a VCN. Both types of connections terminate on a single DRG that is attached to the VCN. Remember that Site-to-Site VPN can use either Border Gateway Protocol (BGP) or static routing, or a combination. FastConnect always uses BGP for route advertisements.

For attachments to virtual circuits and IPSec tunnels configured to use dynamic routing, the DRG will advertise all routes contained in their assigned DRG route table.

If an attached VCN is using ingress routing to grant access to Oracle services through the VCN's service gateway , you will be able to observe the route listed as a single mnenomic route using the ListDrgRouteRules API operation. When this route is propagated to another DRG through an RPC or advertised to your on-premises network using BGP, it will appear as a set of literal rules. For a list of those ranges, see Public IP Addresses for VCNs and the Oracle Services Network.

Important

If you're using Site-to-Site VPN with static routing, and the VCN is configured to give your on-premises network private access to Oracle services, you must configure your edge device with the routes for the Oracle Services Network public IP ranges advertised by the DRG over the private path (through the service gateway). For a list of those ranges, see Public IP Addresses for VCNs and the Oracle Services Network

Using AS_PATH to prefer routes from Oracle to your on-premises network

This section describes in greater detail how the BGP AS_PATH attribute can be used to influence route selection in the context of a single DRG route table.

If the routes for the different paths are the same, Oracle uses the shortest AS path when sending traffic to your on-premises network, regardless of which path was used to initiate the connection to Oracle. Therefore asymmetric routing is allowed. Asymmetric routing here means that Oracle's response to a request can follow a different path than the request. For example, depending on how your edge device (also called your customer-premises equipment, or CPE) is configured, you could send a request over Site-to-Site VPN, but the Oracle response could come back over FastConnect. If you want to force routing to be symmetric, Oracle recommends using BGP and AS path prepending with your routes to influence which path Oracle uses when responding to and initiating connections.

Oracle implements AS path prepending to establish preference on which path to use if your edge device advertises the same route and routing attributes over multiple different connection types between your on-premises network and VCN. The details are summarized in the following table. Unless you're influencing routing in some other way, when the same route is advertised over multiple paths to the DRG at the Oracle end of the connections, Oracle prefers the paths in the following order:

Oracle preference Path Details of how Oracle prefers the path Resulting AS path for the route
1 FastConnect Oracle prepends no ASNs to the routes that your edge device advertises, for a total AS path length of 1. Your ASN
2 Site-to-Site VPN with BGP routing Oracle prepends a single private ASN on all the routes that your edge device advertises over Site-to-Site VPN with BGP, for a total AS path length of 2. Private ASN, Your ASN
3 Site-to-Site VPN with static routing Oracle prepends 3 private ASNs on the static routes that you've provided (Oracle advertises those routes to the dynamic routing gateway (DRG)  at the Oracle end of the IPSec VPN). This results in a total AS path length of 3. Private ASN, Private ASN, Private ASN

The preceding table assumes you are sending a single autonomous system number in your AS path. Oracle honors the complete AS path you send. If you use static routing, and also send an AS path that has "Your ASN" plus two or more other ASNs, it can cause unexpected behavior because Oracle's routing preference might change.

While policy-based VPN static routing behavior is documented earlier, Oracle also recommends that if you use FastConnect connections with VPN backup, you employ BGP on your IPSec route-based VPN. This strategy allows you to have full control of failover behavior.

Routing Preferences for Traffic from Your On-Premises Network to Oracle

You can configure your edge device to prefer a specific path when sending traffic from your on-premises network to Oracle. The following section describes a particular situation where you must do that to ensure a consistent traffic path if your on-premises hosts use Oracle services.

Your on-premises network can access public Oracle Services Network services such as Overview of Object Storage over multiple paths. You can use public paths, such as the internet or FastConnect public peering. With these public paths, the on-premises hosts communicate with Oracle services by using public IP addresses.

You can also set up your on-premises network with private access to Oracle services through the VCN's service gateway . A service gateway lets hosts in your on-premises network use any of the services listed in Service Gateway: Supported Cloud Services in Oracle Services Network and communicate with those Oracle services from your private IP addresses.

If you've configured your on-premises network with multiple connection paths to Oracle services, your edge device might receive route advertisement of the Oracle services' public IP address routes over multiple paths. Here are the possible paths you can use with your on-premises network:

  • Public access paths:
    • Internet service provider (ISP)
    • FastConnect public peering
  • Private access paths by way of the VCN's DRG and service gateway:
    • FastConnect private peering
    • Site-to-Site VPN

Your edge device receives route advertisements from the DRG and possibly from routers over public paths. Most of the routes for Oracle services that the DRG advertises have a longer prefix (they are more specific) than the routes for Oracle services that are advertised over the public access paths. Therefore, if you set up your network with both public access and private access to Oracle services, you must configure your edge device to prefer the private access path to the DRG for traffic from the on-premises network to Oracle services. Setting up both public and private access ensures a consistent path for access to Oracle services.

For a list of the public IP ranges advertised over FastConnect public peering, see FastConnect Public Peering Advertised Routes.

For a list of the regional public IP ranges advertised over the private paths (for a VCN with a service gateway), see Public IP Addresses for VCNs and the Oracle Services Network.

Route Filtering

Route filtering allows you to select what routes are included in BGP advertisements to your on-premises network. RFC 5291 provides more general information about route filtering and BGP advertisement of routes.

Private virtual circuits do not support route filtering. Public virtual circuits over FastConnect advertise routes according to the selected route filtering settings which define the scope of the shared routes. The options are:

  • Regional - Advertises only available public routes for this virtual circuit's region to your on premises network.
  • Market - Advertises available public routes for this virtual circuit's region and routes for other regions in the same part of the world to your on-premises network. This is the default setting. The regions available in each of the four markets are shown in tables and on a map in the FastConnect Public Peering Advertised Routes article.
  • Global - Advertises available public routes for all regions in all markets of the Oracle cloud to your on-premises network.
  • Oracle Services Network - Advertises only public routes used to access Oracle Services Network (OSN) resources to your on-premises network.

You can select route filtering options when you set up a FastConnect virtual circuit. The details vary depending on whether you are using a FastConnect partner, a third-party provider, or colocation.