This topic describes how to set up and manage an internet gateway to give your VCN internet access.
Tip
Oracle also offers a NAT gateway, which is recommended for subnets in your VCN that do not require externally initiated connections from the internet.
Highlights
An internet gateway is an optional gateway you can add to your VCN to enable direct connectivity to the internet.
The gateway supports connections initiated from within the VCN (egress) and connections initiated from the internet (ingress).
Resources that need to use the gateway for internet access must be in a public subnet and have public IP addresses. Resources that have private IP addresses can instead use a NAT gateway to initiate connections to the internet.
Each public subnet that needs to use the internet gateway must have a route table rule that specifies the gateway as the target.
You use security rules to control the types of traffic allowed in and out of resources in that subnet. Make sure to allow only the desired types of internet traffic.
The internet gateway can be used only by resources in the gateway's VCN. Hosts in the connected on-premises network or in a peered VCN cannot use that internet gateway.
You can't add or move an internet gateway to a VCN within a security zone. Security zones do not permit public subnets.
Only one internet gateway is needed for each VCN. All public subnets within a VCN have access to the internet gateway, provided security rules and route table rules allow that access.
An internet gateway is an optional virtual router that connects the edge of the VCN with the internet. To use the gateway, the hosts on both ends of the connection must have public IP addresses for routing. Connections that originate in your VCN and are destined for a public IP address (either inside or outside the VCN) go through the internet gateway. Connections that originate outside the VCN and are destined for a public IP address inside the VCN go through the internet gateway.
A given VCN can have only one internet gateway. You control which public subnets in the VCN can use the gateway by configuring the subnet's associated route table. You use security rules to control the types of traffic allowed in and out of resources in those public subnets.
The following diagram illustrates a simple VCN setup with a single public subnet. The VCN has an internet gateway, and the public subnet is configured to use the VCN's default route table. The table has a route rule that sends all egress traffic from the subnets to the internet gateway. The gateway allows any ingress connections from the internet with a destination IP address equal to the public IP address of a resource in the VCN. However, the public subnet's security list rules ultimately determine the specific types of traffic that are allowed in and out of the resources in the subnet. Those specific security rules are not shown.
Callout 1: VCN Default Route Table
Destination CIDR    Route Target
0.0.0.0/0           Internet Gateway
Tip
Traffic between a VCN and a public IP address that is part of Oracle Cloud Infrastructure (such as Object Storage) should be routed through a service gateway instead of an internet gateway.
Working with Internet Gateways
You create an internet gateway in the context of a specific VCN. In other words, the internet gateway is always attached to a VCN. However, you can disable and re-enable the internet gateway at any time. Compare this with a dynamic routing gateway (DRG), which you create as a standalone object that you then attach to a particular VCN. DRGs use a different model because they're intended to be modular building blocks for privately connecting VCNs to your on-premises network.
For traffic to flow from a public subnet to the internet, you must create a corresponding route rule in the subnet's route table. For example, destination CIDR = 0.0.0.0/0 and target = internet gateway; if you want to route the traffic through a firewall, the target can be the private IP address of the firewall. The firewall subnet will then need a route, usually 0.0.0.0/0, to reach the internet with the internet gateway as the target.
For traffic flowing from the internet to a destination in a public subnet, the internet gateway routes the traffic directly to the destination by default. You can associate a route table with the internet gateway and define route rules that route ingress public traffic to destinations in the VCN. For example, if you want the internet gateway to route the traffic to a firewall in the VCN first, you can create a route rule for the destination subnet CIDR with the firewall private IP address as the target. Route rules to destinations outside the VCN in an internet gateway route table are not supported.
Only one internet gateway is needed for each VCN. All public subnets within a VCN have access to the internet gateway provided security rules and route table rules allow that access.
For the purposes of access control, you must specify the compartment where you want the internet gateway to reside. If you're not sure which compartment to use, put the internet gateway in the same compartment as the cloud network. For more information, see Access Control.
You may optionally assign a friendly name to the internet gateway. It doesn't have to be unique, and you can change it later. Oracle automatically assigns the internet gateway a unique identifier called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.
To delete an internet gateway, it does not have to be disabled, but there must not be a route table that lists it as a target.
You've determined which subnets in the VCN need access to the internet, and you've created those public subnets.
Only one internet gateway is needed for each VCN. All public subnets within a VCN have access to the internet gateway provided security rules and route table rules allow that access.
You've determined the types of ingress and egress internet traffic that you want to enable for the resources in each public subnet (examples: ingress HTTPS connections, ingress ICMP ping connections).
The required IAM policy is in place to allow you to work with Networking service resources. For administrators: see IAM Policies for Networking.
Important
If you've configured the public subnet to use the default security list, remember that the list includes several helpful default rules that enable basic required access (examples: ingress SSH, egress access to all destinations). Oracle recommends that you become familiar with the basic access that these default rules provide. If you choose not to use the default security list, make sure to provide this basic access by implementing these security rules either in network security groups (NSGs) or custom security lists.
The following procedure uses security lists, but you could instead implement the security rules in a network security group and then create all of the subnet's resources in that NSG.
For each public subnet that needs to use the internet gateway, set up the subnet's security list rules to allow the desired internet traffic. Refer to the following example settings:
Imagine you have web servers in the public subnet. This example shows how to add an ingress rule for HTTPS connections (TCP port 443) coming from the internet to the web server. Without this rule, inbound HTTPS connections are not allowed.
After the internet gateway is created and displayed on the Internet Gateways page of the VCN you chose, it's already enabled, but you still need to add a route rule that allows traffic to flow to the gateway.
For each public subnet that needs to use the internet gateway, update the subnet's route table using the following example settings:
Target Type: Internet Gateway
Destination CIDR block: 0.0.0.0/0 (which means that all non-intra-VCN traffic that is not already covered by other rules in the route table will go to the target specified in this rule)
Compartment: The compartment where the internet gateway is located.
Target: The internet gateway you just created.
Description: An optional description of the rule.
The internet gateway is now enabled and working for your cloud network.
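The procedure above, expressed as Terraform for the OCI provider, as an added example that is not Oracle's own sample: a VCN, its single internet gateway, a route table sending 0.0.0.0/0 to the gateway, a security list that admits only inbound HTTPS, and a public subnet wired to both. The compartment OCID, CIDR blocks and resource names are assumed placeholder values.

```hcl
# Added example (not from the Oracle documentation): the page's internet gateway setup
# in Terraform. Compartment OCID, CIDRs and names are placeholders. Security list rules
# are stateful, so replies to admitted HTTPS connections need no egress rule; this custom
# list replaces the default list's rules, so add egress rules if servers must call out.
variable "compartment_ocid" {} # placeholder, supplied at apply time

resource "oci_core_vcn" "vcn" {
  compartment_id = var.compartment_ocid
  cidr_block     = "10.0.0.0/16"
}

# One internet gateway per VCN; it is created enabled.
resource "oci_core_internet_gateway" "igw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  enabled        = true
}

# Route rule: all traffic not matched by an intra-VCN route goes to the gateway.
resource "oci_core_route_table" "public" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.igw.id
  }
}

# Security list: admit only inbound HTTPS (TCP 443) from the internet to the web servers.
resource "oci_core_security_list" "web" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  ingress_security_rules {
    protocol    = "6" # TCP
    source      = "0.0.0.0/0"
    source_type = "CIDR_BLOCK"
    tcp_options {
      min = 443
      max = 443
    }
  }
}

# Public subnet (public IPs allowed) attached to the route table and security list above.
resource "oci_core_subnet" "public" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.vcn.id
  cidr_block                 = "10.0.1.0/24"
  route_table_id             = oci_core_route_table.public.id
  security_list_ids          = [oci_core_security_list.web.id]
  prohibit_public_ip_on_vnic = false
}
```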