You might use multiple connections between your on-premises network and virtual cloud network (VCN) for redundancy or other reasons.
For example, you might use both FastConnect private peering and VPN Connect to the An optional virtual router that you can add to your VCN to provide a path for private network traffic between your VCN and on-premises network. attached to your VCN. Or perhaps you use redundant VPN Connect connections to the DRG (for an example scenario, see Example Layout with Multiple Geographic Areas). Or perhaps you use FastConnect public peering, FastConnect private peering, and VPN Connect.
This topic covers important details about route advertisement and path preferences when you have multiple connections.
DRG Route Advertisements to Your On-Premises Network
FastConnect private peering and VPN Connect provide your on-premises network with private access to a VCN. Both types of connections terminate on a single DRG that is attached to the VCN. Remember that VPN Connect can use either Border Gateway Protocol (BGP) or static routing, or a combination. FastConnect always uses BGP for route advertisements.
The DRG advertises the routes for the individual subnets in the DRG's attached VCN. A DRG can be attached to only a single VCN, and a VCN can be attached to only a single DRG.
If you set up transit routing to multiple VCNs for your on-premises network, the DRG advertises additional routes. Transit routing is an advanced routing scenario that involves a single FastConnect or VPN Connect and multiple peered VCNs in a hub-and-spoke layout. With transit routing, the DRG also advertises routes for the VCNs that are peered with the DRG's attached VCN (the hub).
If you set up your on-premises network with private access to Oracle services through the VCN's An optional virtual router that you can add to your VCN. The gateway enables on-premises hosts or VCN hosts to privately access Oracle services (such as Object Storage and Autonomous Database) without exposing the resources to the public internet., the DRG advertises more routes. They are routes for the Oracle Services Network, which is available with the service gateway. For a list of those ranges, Public IP Address Ranges for the Oracle Services Network (Service Gateway).
If you're using VPN Connect with static routing, and you've configured the VCN to give your on-premises network private access to Oracle services, you must configure your edge device with the routes for the Oracle Services Network public IP ranges that are advertised by the DRG over the private path (through the service gateway). For a list of those ranges, see Public IP Address Ranges for the Oracle Services Network (Service Gateway)
Routing Preferences for Traffic from Oracle to Your On-Premises Network
This section describes how Oracle chooses which path to use when sending traffic to your on-premises network. The traffic can be for responding to a request or initiating new connections.
In general, routers use the most specific route (the one with the longest prefix match).
However, if the routes for the different paths are the same, Oracle uses the shortest AS path when sending traffic to your on-premises network, regardless of which path was used to initiate the connection to Oracle. This means asymmetric routing is allowed. Asymmetric routing here means that Oracle's response to a request can follow a different path than the request. For example, depending on how your edge device (also called your customer-premises equipment, or CPE) is configured, you could send a request over VPN Connect, but the Oracle response could come back over FastConnect. If you want to force routing to be symmetric, Oracle recommends using BGP and AS path prepending with your routes to influence which path Oracle uses when responding to and initiating connections.
Oracle implements AS path prepending to determine which path to use if your edge device advertises the same route over multiple connections between your on-premises network and VCN. The details are summarized in the following table. Assuming that you're not influencing routing in some way, when the same route is advertised over multiple paths to the DRG at the Oracle end of the connections, Oracle prefers the paths in the following order:
|Oracle preference||Path||Details of how Oracle prefers the path||Resulting AS path for the route|
|1||FastConnect||Oracle prepends no ASNs to the routes that your edge device advertises.||Your ASN|
|2||VPN Connect with BGP routing||Oracle prepends a single private ASN on all the routes that your edge device advertises over VPN Connect with BGP.||Private ASN, Your ASN|
|3||VPN Connect with static routing||Oracle prepends 3 private ASNs on the static routes that you've provided (Oracle advertises those routes to the An optional virtual router that you can add to your VCN to provide a path for private network traffic between your VCN and on-premises network. at the Oracle end of the IPSec VPN) .||Private ASN, Private ASN, Private ASN|
If you have two connections of the same type (for example, two IPSec VPNs that both use BGP), and you advertise the same routes across both connections, Oracle prefers the oldest established route when responding to requests or initiating connections.
You can configure your edge device to prefer a specific path when sending traffic from your on-premises network to Oracle. This section describes a particular situation where you must do that to ensure a consistent traffic path if your on-premises hosts use Oracle services.
Your on-premises network can access Oracle services such as Object Storage over multiple paths. You can use public paths, such as the internet or FastConnect public peering. With these public paths, the on-premises hosts communicate with Oracle services by using public IP addresses.
You can also set up your on-premises network with private access to Oracle services through the VCN's An optional virtual router that you can add to your VCN. The gateway enables on-premises hosts or VCN hosts to privately access Oracle services (such as Object Storage and Autonomous Database) without exposing the resources to the public internet.. You might do this if hosts in your on-premises network use any of the services listed in Service Gateway: Supported Cloud Services in Oracle Services Network. This implementation lets your on-premises hosts communicate with those Oracle services from your private IP addresses.
If you've configured your on-premises network with multiple connection paths to Oracle services, your edge device may receive route advertisement of the Oracle services' public IP address routes over multiple paths. Here are the possible paths you can use with your on-premises network:
- Public access paths:
- Internet service provider (ISP)
- FastConnect public peering
- Private access paths by way of the VCN's DRG and service gateway:
- FastConnect private peering
- VPN Connect
Your edge device receives route advertisements from the DRG and possibly from routers over public paths. Most of the routes for Oracle services that the DRG advertises have a longer prefix (they are more specific) than the routes for Oracle services that are advertised over the public access paths. Therefore, if you set up your network with both public access and private access to Oracle services, you must configure your edge device to prefer the private access path to the DRG for traffic traveling from the on-premises network to Oracle services. This ensures a consistent path for all your access to Oracle services.
For a list of the public IP ranges advertised over FastConnect public peering, see FastConnect Public Peering Advertised Routes.
For a list of the regional public IP ranges advertised over the private paths (for a VCN with a service gateway), see Public IP Address Ranges for the Oracle Services Network (Service Gateway).
Available White Papers
For additional information, see these white papers (PDF format):