Oracle Cloud Infrastructure Documentation

Internet Gateway

This topic describes how to set up and manage an internet gateway to give your VCN internet access.

Tip

Oracle also offers a NAT gateway, which is recommended for subnets in your VCN that do not require ingress connections from the internet.

Highlights

  • An internet gateway is an optional virtual router you can add to your VCN to enable direct connectivity to the internet.
  • The gateway supports connections initiated from within the VCN (egress) and connections initiated from the internet (ingress).
  • Resources that need to use the gateway for internet access must be in a public subnet and have public IP addresses. Resources that have private IP addresses can instead use a NAT gateway to initiate connections to the internet.
  • Each public subnet that needs to use the internet gateway must have a route table rule that specifies the gateway as the target.
  • You use security rules to control the types of traffic allowed in and out of resources in that subnet. Make sure to allow only the desired types of internet traffic.
  • The internet gateway can be used only by resources in the gateway's VCN. Hosts in the connected on-premises network or in a peered VCN cannot use that internet gateway.

Overview of Internet Gateways

Before continuing, make sure you've read Access to the Internet and also understand how to set up security rules for the resources in a subnet.

An internet gateway as an optional virtual router that connects the edge of the VCN with the internet. To use the gateway, the hosts on both ends of the connection must have public IP addresses for routing. Connections that originate in your VCN and are destined for a public IP address (either inside or outside the VCN) go through the internet gateway. Connections that originate outside the VCN and are destined for a public IP address inside the VCN go through the internet gateway.

A given VCN can have only one internet gateway. You control which public subnets in the VCN can use the gateway by configuring the subnet's associated route table. You use security rules to control the types of traffic allowed in and out of resources in those public subnets.

The following diagram illustrates a simple VCN setup with two public subnets. The VCN has an internet gateway, and the two public subnets are both configured to use the VCN's default route table. The table has a route rule that sends all egress traffic from the subnets to the internet gateway. The gateway allows any ingress connections from the internet with a destination IP address equal to the public IP address of a resource in the VCN. However, the public subnet's security list rules ultimately determine the specific types of traffic that are allowed in and out of the resources in the subnet. Those specific security rules are not shown in the diagram.

This image shows a simple layout of a VCN with two public subnets that use an internet gateway.

Tip

When an internet gateway receives traffic from your VCN destined for a public IP address that is part of Oracle Cloud Infrastructure (such as Object Storage), the internet gateway routes the traffic to the destination without sending the traffic over the internet.

Working with Internet Gateways

You create an internet gateway in the context of a specific VCN. In other words, the internet gateway is automatically attached to a VCN. However, you can disable and re-enable the internet gateway at any time. Compare this with a dynamic routing gateway (DRG), which you create as a standalone object that you then attach to a particular VCN. DRGs use a different model because they're intended to be modular building blocks for privately connecting VCNs to your on-premises network.

For traffic to flow between a subnet and an internet gateway, you must create a route rule accordingly in the subnet's route table (for example, destination CIDR = 0.0.0.0/0 and target = internet gateway). If the internet gateway is disabled, that means no traffic will flow to or from the internet even if there's a route rule that enables that traffic. For more information, see Route Tables.

For the purposes of access control, you must specify the compartment where you want the internet gateway to reside. If you're not sure which compartment to use, put the internet gateway in the same compartment as the cloud network. For more information, see Access Control.

You may optionally assign a friendly name to the internet gateway. It doesn't have to be unique, and you can change it later. Oracle automatically assigns the internet gateway a unique identifier called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.

To delete an internet gateway, it does not have to be disabled, but there must not be a route table that lists it as a target.

Using the Console

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

To set up an internet gateway
To disable/enable an internet gateway
To delete an internet gateway
To manage tags for an internet gateway
To move an internet gateway to a different compartment

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

To manage your internet gateways, use these operations: