
Friday, April 26, 2019

VCN: Virtual Cloud Network

Basic terminology of VCN:

When you work with Oracle Cloud Infrastructure, one of the first steps is to set up a virtual cloud network (VCN) for your cloud resources.

VCN: Virtual Cloud Network:

A virtual, private network that you set up in Oracle data centers.

A Virtual Cloud Network (VCN) is a virtual version of a traditional network including subnets, route tables, and gateways on which your compute instances run.

A VCN is a customizable private network in Oracle Cloud Infrastructure.

A VCN resides within a single region but can span multiple Availability Domains; a VCN is therefore specific to a region.

When you create your VCN, you assign a contiguous IPv4 CIDR block of your choice. VCN sizes ranging from /16 (65,533 usable IP addresses) to /30 (1 usable IP address) are allowed. Examples: 10.0.0.0/16, 192.168.0.0/24.


Default Components that Come With Your VCN. Your VCN automatically comes with these default components:

• Default route table, with no rules
• Default security list, with default rules
• Default set of DHCP options, with default values

***Virtual Cloud Network (VCN) is a virtual network in which you can create subnets, route tables and gateways for your compute instances.

There are two options for creating a VCN in OCI:
• Create Virtual Cloud Network only: Creates a Virtual Cloud Network only. You’ll still need to set up at least one subnet, gateway and route rule to have a working Virtual Cloud Network.
• Create Virtual Cloud Network plus related resources: Automatically sets up a Virtual Cloud Network with access to the internet. You can set up firewall rules and Security Lists to control ingress and egress traffic to your Instances. All related resources will be created in the same Compartment as the VCN.

SUBNET:
Each VCN is subdivided into subnets.

Subnets can be either AD-specific or regional. Oracle recommends using regional subnets because they're more flexible. They make it easier to efficiently divide your VCN into subnets while also designing for availability domain failure.

Subnets contain virtual network interface cards (VNICs), which attach to instances. Instances are placed in subnets and can live across.

All VNICs in a given subnet use the same route table, security lists, and DHCP options.

Instances draw their internal IP address and network configuration from their subnet.

Each subnet has a contiguous range of IPs, described in CIDR notation. Subnet IP ranges cannot overlap.
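The two sizing rules above (a VCN block between /16 and /30, and subnet ranges that sit inside the VCN and never overlap) are easy to check before anything is created. The following is an added example, not code from the original post or from Oracle; it uses only Python's standard `ipaddress` module. It assumes, as the page's counts of 65,533 and 1 usable addresses imply, that three addresses in every subnet are reserved and cannot be assigned to an instance.

```python
import ipaddress
from typing import Dict, List

# Assumption: OCI keeps three addresses per subnet for itself (network address,
# first host address and broadcast address). That is what turns a /16 into
# 65,533 usable addresses and a /30 into 1, the figures quoted in the post.
RESERVED_PER_SUBNET = 3


def usable_addresses(cidr: str) -> int:
    """Addresses in the block that could actually be assigned to a VNIC."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - RESERVED_PER_SUBNET, 0)


def validate_vcn_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Accept only a contiguous IPv4 block between /16 and /30 (the page's limits)."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: VCN CIDR must be IPv4")
    if not 16 <= net.prefixlen <= 30:
        raise ValueError(f"{cidr}: prefix length must be between /16 and /30")
    return net


def plan_subnets(vcn_cidr: str, subnet_cidrs: List[str]) -> Dict[str, int]:
    """Check that every subnet fits inside the VCN and that no two subnets overlap.

    Returns {subnet_cidr: usable address count} when the plan is valid and raises
    ValueError describing the first problem found otherwise.
    """
    vcn = validate_vcn_cidr(vcn_cidr)
    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vcn):
            raise ValueError(f"subnet {s} is not inside VCN {vcn}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnets {a} and {b} overlap")
    return {str(s): usable_addresses(str(s)) for s in subnets}


if __name__ == "__main__":
    # Constructed sample plan: one public and one private subnet in a /16 VCN.
    print(plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))
    try:
        plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25"])
    except ValueError as e:
        print("rejected:", e)
```

Running the plan through a check like this before creating subnets avoids the case where a later subnet cannot be added because an earlier one was sized too generously and already consumes the range.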

Subnets can be designated as either
• Private (instances have only private IP addresses assigned to their VNICs)
• Public (instances can have both private and public IP addresses assigned to their VNICs)
 > A public subnet has access to the internet but a private subnet does not; both types of subnet can co-exist in the same VCN.

A VCN can have multiple subnets in an AD.

***Subnets: They are logical subdivisions of the VCN and they contain virtual network interface cards (VNICs), which attach to instances.

VNIC:
A virtual network interface card (VNIC) attaches to an instance and resides in a subnet to enable a connection to the subnet's VCN. The VNIC determines how the instance connects with endpoints inside and outside the VCN. Each instance has a primary VNIC that's created during instance launch and cannot be removed. You can add secondary VNICs to an existing instance (in the same availability domain as the primary VNIC), and remove them as you like. Each secondary VNIC can be in a subnet in the same VCN as the primary VNIC, or in a different subnet that is either in the same VCN or a different one. However, all the VNICs must be in the same availability domain as the instance.

SECURITY LISTS:

Virtual firewall rules for your VCN.

Security list rules cover two directions of traffic:

  • Ingress: incoming traffic
  • Egress: outgoing traffic
You can choose whether a given rule is stateful or stateless.

For example, you can allow incoming SSH traffic from anywhere to a subnet's instances by setting up a stateful ingress rule with source CIDR 0.0.0.0/0, and destination TCP port 22.
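The stateful/stateless distinction and the width of the source CIDR are the two things that matter most when reviewing a rule like the SSH example above. The following is an added example, not code from the original post or from Oracle: a small constructed model of security list evaluation. It assumes the semantics the page describes (a stateful rule that admits a connection also admits its reply traffic without a matching rule in the other direction; a stateless rule does not) and uses constructed packets and documentation-range IP addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str           # "ingress" (cidr = source) or "egress" (cidr = destination)
    cidr: str
    protocol: str            # "tcp", "udp" or "all"
    dst_port: Optional[int]  # None means any destination port
    stateful: bool = True


@dataclass(frozen=True)
class Packet:
    direction: str   # "ingress" = toward the instance, "egress" = away from it
    remote_ip: str   # the non-instance side of the conversation
    protocol: str
    src_port: int
    dst_port: int


class SecurityList:
    """Constructed model of security list evaluation (not Oracle's implementation)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # Connections admitted by a stateful rule: (remote_ip, proto, remote_port, local_port)
        self.tracked: Set[Tuple[str, str, int, int]] = set()

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.direction != pkt.direction:
            return False
        if rule.protocol != "all" and rule.protocol != pkt.protocol:
            return False
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            return False
        return ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.cidr)

    def allow(self, pkt: Packet) -> bool:
        # Normalise the 5-tuple so a request and its reply produce the same key.
        if pkt.direction == "ingress":
            local_port, remote_port = pkt.dst_port, pkt.src_port
        else:
            local_port, remote_port = pkt.src_port, pkt.dst_port
        key = (pkt.remote_ip, pkt.protocol, remote_port, local_port)
        if key in self.tracked:          # reply to a connection a stateful rule admitted
            return True
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule.stateful:
                    self.tracked.add(key)
                return True
        return False                     # no rule matched: traffic is dropped


def ssh_scenarios() -> dict:
    """Evaluate the page's SSH rule (0.0.0.0/0, TCP 22) in its stateful and stateless
    forms, and a variant scoped to a single admin network."""
    results = {}
    request = Packet("ingress", "203.0.113.5", "tcp", 51000, 22)   # constructed client
    reply = Packet("egress", "203.0.113.5", "tcp", 22, 51000)      # instance's SYN-ACK

    stateful = SecurityList([Rule("ingress", "0.0.0.0/0", "tcp", 22, stateful=True)])
    results["stateful_request"] = stateful.allow(request)
    results["stateful_reply"] = stateful.allow(reply)              # no egress rule needed

    stateless = SecurityList([Rule("ingress", "0.0.0.0/0", "tcp", 22, stateful=False)])
    results["stateless_request"] = stateless.allow(request)
    results["stateless_reply"] = stateless.allow(reply)            # needs its own egress rule

    scoped = SecurityList([Rule("ingress", "203.0.113.0/24", "tcp", 22)])
    results["scoped_request"] = scoped.allow(request)
    results["scoped_other_source"] = scoped.allow(
        Packet("ingress", "198.51.100.7", "tcp", 40000, 22))       # outside the admin CIDR
    return results


if __name__ == "__main__":
    for name, allowed in ssh_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'dropped'}")
```

The scoped variant is the one to prefer in practice: the same port 22 rule with a source CIDR limited to the network the administrators actually connect from admits the same legitimate session while dropping everything else, and the model shows that a stateless rule silently breaks the session unless a matching egress rule is also written.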

***Security Lists: They have ingress and egress rules that specify the types of traffic (protocol and port) allowed in and out of the instances.

ROUTE TABLES:

A route table is used to direct traffic leaving the VCN.

A VCN comes with an empty default route table, and you can add custom route tables of your own.

A route table consists of a set of route rules; each rule specifies
• Destination CIDR block
• Route target (the next hop) for the traffic that matches that CIDR.

Each subnet uses a single route table, specified at the time of subnet creation; the assignment can be changed later.

The route table is used only if the destination IP address is not within the VCN's CIDR block.

No route rules are required in order to enable traffic within the VCN itself.

When you add an internet gateway, NAT gateway, service gateway, dynamic routing gateway or a peering connection, you must update the route table for any subnet that uses that gateway or connection.

***Route Tables: They have rules to route traffic from subnets to destinations outside the VCN by way of gateways or specially configured instances.
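The rules above (the route table is consulted only for destinations outside the VCN's CIDR, each rule maps a destination CIDR to a gateway, and a subnet with no matching rule has no path out) can be exercised directly. The following is an added example, not code from the original post or from Oracle. It assumes that when several rules overlap, the rule with the most specific destination CIDR wins (longest-prefix match); the route targets and the sample tables are constructed for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route rule is (destination CIDR, route target). Target names are constructed labels.
RouteRule = Tuple[str, str]


def next_hop(vcn_cidr: str, rules: List[RouteRule], dest_ip: str) -> Optional[str]:
    """Return where traffic to dest_ip goes from a subnet that uses this route table.

    "local"  : destination is inside the VCN, handled without consulting the table
    <target> : the gateway named by the most specific matching rule
    None     : no rule matches, so there is no path and the traffic is dropped
    """
    dest = ipaddress.ip_address(dest_ip)
    if dest in ipaddress.ip_network(vcn_cidr):
        return "local"
    best_net: Optional[ipaddress.IPv4Network] = None
    best_target: Optional[str] = None
    for cidr, target in rules:
        net = ipaddress.ip_network(cidr)
        # Assumption: the longest matching prefix wins when rules overlap.
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


VCN = "10.0.0.0/16"

# Constructed route table for a public subnet: default route via the internet gateway,
# the on-premises range via the DRG, and one peered VCN via a local peering gateway.
PUBLIC_RT: List[RouteRule] = [
    ("0.0.0.0/0", "internet-gateway"),
    ("172.16.0.0/12", "drg"),
    ("172.16.5.0/24", "lpg-peer-vcn"),   # more specific than the DRG rule above
]

# Constructed route table for a private subnet: outbound internet only via NAT,
# no internet gateway, same on-premises route.
PRIVATE_RT: List[RouteRule] = [
    ("0.0.0.0/0", "nat-gateway"),
    ("172.16.0.0/12", "drg"),
]

# Constructed route table for an isolated subnet: no rules at all.
ISOLATED_RT: List[RouteRule] = []


if __name__ == "__main__":
    for table_name, table in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        for ip in ("10.0.3.4", "198.51.100.10", "172.16.9.9", "172.16.5.5"):
            print(f"{table_name:8} {ip:15} -> {next_hop(VCN, table, ip)}")
```

The isolated table is the interesting case from a defender's point of view: an instance in that subnet can still talk to anything inside the VCN (the table is never consulted for those destinations), but has no route to the internet, to on-premises or to a peer, so the absence of a rule is itself a control.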

DHCP OPTIONS:

Configuration information that is automatically provided to the instances when they boot up.

***DHCP Options: Configuration information that is automatically provided to the instances when they boot up.

PRIVATE IP:
A private IP address and related information for addressing an instance (for example, a hostname for DNS).

Each VNIC has a primary private IP, and you can add and remove secondary private IPs.

The primary private IP address on an instance doesn't change during the instance's lifetime and cannot be removed from the instance.


PUBLIC IP:

A public IP address and related information. You can optionally assign a public IP to your instances or other resources that have a private IP. Public IPs can be either ephemeral or reserved.

DYNAMIC ROUTING GATEWAY (DRG):

It provides a path for private network traffic between your VCN and on-premises network. You can use it with other Networking components and a router in your on-premises network to establish a connection by way of IPSec VPN or Oracle Cloud Infrastructure FastConnect. It can also provide a path for private network traffic between your VCN and another VCN in a different region.

***You can think of a DRG as a virtual router that provides a path for private traffic (that is, traffic that uses private IPv4 addresses) between your VCN and networks outside the VCN's region.

You use a DRG when connecting your existing on-premises network to your virtual cloud network (VCN) with one (or both) of these:
• IPSec VPN
• Oracle Cloud Infrastructure FastConnect

You also use a DRG when peering a VCN with a VCN in a different region:
• Remote VCN Peering (Across Regions)

A DRG is a standalone object. To use it, you must attach it to a VCN. A VCN can be attached to only one DRG at a time, and a DRG can be attached to only one VCN at a time. You can detach a DRG and reattach it at any time.

After attaching a DRG, you must add a route for the DRG in the VCN's route table to enable traffic flow.

The VCN has three gateways:

INTERNET GATEWAY:

An internet gateway provides a path for network traffic between your VCN and the internet.
You can have only one internet gateway per VCN.
After creating an internet gateway, you must add a route for the gateway in the VCN's route table to enable traffic flow.

NETWORK ADDRESS TRANSLATION (NAT) GATEWAY:

A NAT gateway gives an entire private network access to the internet without assigning each host a public IP address.

Hosts can initiate outbound connections to the internet and receive responses, but cannot receive inbound connections initiated from the internet; connections can be initiated only from the subnet. Use case: fetching updates and patches.

You can have more than one NAT gateway on a VCN, though a given subnet can route traffic to only a single NAT gateway.

It gives cloud resources without public IP addresses access to the internet without exposing those resources to incoming internet connections.


SERVICE GATEWAY:

It provides a path for private network traffic between your VCN and supported services in the Oracle Services Network (examples: Oracle Cloud Infrastructure Object Storage and Autonomous Database). For example, DB Systems in a private subnet in your VCN can back up data to Object Storage without needing public IP addresses or access to the internet.

Use case: backing up DB Systems in the VCN to Object Storage.

LOCAL PEERING GATEWAY (LPG):

It lets you peer one VCN with another VCN in the same region. Peering means the VCNs communicate using private IP addresses, without the traffic traversing the internet or routing through your on-premises network.

A given VCN must have a separate LPG for each peering it establishes.

REMOTE PEERING CONNECTION (RPC):

A component that you can add to a DRG. It lets you peer one VCN with another VCN in a different region.
