Evaluate OCI VPN Services

Summary

Site-to-site VPN connects on-premises equipment through a CPE and a DRG with tunnels of encrypted traffic passing over the Internet.

Reference

Site-to-Site VPN

Connecting On-Premises to OCI

Public Internet
  • Connectivity over Internet via Internet Gateway or NAT Gateway
  • For apps in development, or in test/pilot phase
Site-to-Site VPN
  • Secure connectivity over the Internet: data is encrypted and tunnelled across the public Internet inside an IPSec VPN connection
  • No throughput guarantee
  • OCI-managed service with easy setup in the Console; no provider negotiations or circuit provisioning
  • Free service - no tunnel or egress data transfer charges
  • For sites that are geographically isolated from OCI regions or lack partner connections
  • Industry Standard Security Protocol - IPSec and IKEv1/IKEv2
  • High Availability support
  • Static or BGP routing
  • Route-based or policy-based VPN support
FastConnect
  • Dedicated, secure connectivity
  • Low latency interconnect
  • High Bandwidth - up to 100 Gbps
  • OCI-managed service
  • Competitive pricing
  • For business-critical applications

Site-to-Site VPN: Use Cases

Secure connectivity from on-premises to OCI
Securely connect your existing infrastructure to the cloud
Connect multiple locations to the cloud
Connect your headquarters, branch locations, and private data centers to OCI so all of your offices can access applications directly.
Build redundant connectivity for FastConnect
Already have Oracle FastConnect? Site-to-Site IPSec VPN can provide a redundant connection to Oracle Cloud Infrastructure
Use for Proof of Concept
No contracts or commitment. Build as many VPN tunnels to Oracle Cloud Infrastructure as desired and decide how long you want them active.

Site-to-Site VPN: Redundancy Overview

  • OCI provisions redundant IPSec VPN tunnels located on physically and logically diverse tunnel endpoints in the same region.
  • Routing type can be configured per tunnel. It is highly recommended to use the same routing type for all tunnels.
  • Use routing to configure active/passive or active/active tunnels and failover behaviour.
  • By default, redundancy is provided only on the Oracle end. Customers must ensure end-to-end redundancy by configuring redundant tunnels to 1 or more CPEs, and 1 or more Internet providers.

Site-to-Site VPN: Routing Overview

Longest Prefix Match
Advertise more specific routes for the preferred primary tunnel
BGP Local Preference
Configure on CPE to influence traffic egressing on-premises
BGP AS PATH Prepending
Use prepending when advertising routes to OCI to influence which tunnel has the shortest path for any given route. Oracle will use the shortest AS PATH as a tiebreaker when sending traffic to on-premises
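The three routing knobs above (longest prefix match, BGP local preference, AS_PATH prepending) and the active/passive failover from the redundancy section can be seen together in the following added example. It is not OCI code; it is a small route-selection model written for this page, with constructed prefixes, tunnel names and AS numbers (65000 for on-premises) that are assumptions, not values from OCI documentation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str            # destination prefix, e.g. "192.168.0.0/16"
    tunnel: str            # IPSec tunnel the route was learned over
    local_pref: int = 100  # BGP LOCAL_PREF, higher wins (CPE-side knob)
    as_path: tuple = ()    # BGP AS_PATH; prepending makes it longer


def select_route(routes, dst_ip, up_tunnels):
    """Pick the winning route for dst_ip.

    1. Only routes learned over tunnels that are up are usable (failover).
    2. Longest prefix match: the most specific prefix wins, regardless of
       BGP attributes.
    3. Among equally specific prefixes, BGP best path: highest LOCAL_PREF,
       then shortest AS_PATH (what Oracle uses as a tiebreaker).
    """
    dst = ipaddress.ip_address(dst_ip)
    usable = [r for r in routes
              if r.tunnel in up_tunnels and dst in ipaddress.ip_network(r.prefix)]
    if not usable:
        return None
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in usable)
    most_specific = [r for r in usable
                     if ipaddress.ip_network(r.prefix).prefixlen == longest]
    return min(most_specific, key=lambda r: (-r.local_pref, len(r.as_path)))


# Constructed view from the OCI (DRG) side: on-premises prefixes learned over
# two tunnels. tunnel-2 is prepended so tunnel-1 is preferred for the /16,
# but a more specific /24 is advertised only over tunnel-2.
ONPREM_ROUTES = [
    Route("192.168.0.0/16", "tunnel-1", as_path=("65000",)),
    Route("192.168.0.0/16", "tunnel-2", as_path=("65000", "65000", "65000")),
    Route("192.168.10.0/24", "tunnel-2", as_path=("65000",)),
]

# Constructed view from the CPE side: the VCN CIDR is reachable over both
# tunnels; LOCAL_PREF steers on-premises egress to tunnel-1.
VCN_ROUTES = [
    Route("10.0.0.0/16", "tunnel-1", local_pref=200),
    Route("10.0.0.0/16", "tunnel-2", local_pref=100),
]

ALL_UP = {"tunnel-1", "tunnel-2"}


def oci_egress_tunnel(dst_ip, up_tunnels=ALL_UP):
    """Tunnel OCI would use to reach an on-premises host."""
    route = select_route(ONPREM_ROUTES, dst_ip, up_tunnels)
    return route.tunnel if route else None


def cpe_egress_tunnel(dst_ip, up_tunnels=ALL_UP):
    """Tunnel the CPE would use to reach a VCN host."""
    route = select_route(VCN_ROUTES, dst_ip, up_tunnels)
    return route.tunnel if route else None


if __name__ == "__main__":
    print("192.168.10.5 ->", oci_egress_tunnel("192.168.10.5"))   # tunnel-2 (more specific /24)
    print("192.168.20.5 ->", oci_egress_tunnel("192.168.20.5"))   # tunnel-1 (shorter AS_PATH)
    print("10.0.1.1     ->", cpe_egress_tunnel("10.0.1.1"))       # tunnel-1 (higher LOCAL_PREF)
    print("tunnel-2 down, 192.168.10.5 ->",
          oci_egress_tunnel("192.168.10.5", {"tunnel-1"}))        # tunnel-1 (failover)
```

The last call shows why the /16 should be advertised over both tunnels even when the /24 is meant to pin traffic to one of them: when that tunnel drops, the less specific route over the surviving tunnel keeps the subnet reachable.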

Site-to-Site VPN: Negotiation, Behaviour

  • Phase 1: Participants authenticate the IPSec peer and establish a secure channel in which to negotiate the IPSec Security Associations (SAs). The outcome of a Phase 1 negotiation is the IKE SA (Phase 1 SA).
  • Phase 2: Using keying material derived from the Phase 1 negotiation, participants negotiate IPSec SAs (Phase 2 SAs), which specify what traffic to send over the VPN and how to encrypt/authenticate it.
  • When traffic is routed to a VPN, an SA lookup is performed before encrypting the traffic.
  • A similar lookup is performed for an incoming packet.

Policy-Based and Route-Based VPNs

  • CPE configuration mechanism. Differs by vendor; some vendors support both methods.
  • The main difference is the encryption decision.
  • Policy based
    • A subset of traffic flowing through an interface is encrypted according to a specific policy.
    • A special policy is used to determine whether specific traffic is sent across a VPN tunnel.
    • An IPSec SA is created for each source/destination policy combination. This may also be referred to as an encryption domain.
    • Each encryption domain is treated as a separate tunnel.
    • Example: 1 local subnet, 3 remote subnets = 3 IPSec SAs.
  • Route based
    • Uses a Virtual Tunnel Interface (VTI). Any traffic routed to the VTI is encrypted and sent to the remote VPN peer.
    • Relies on routing decisions to determine whether specific traffic is sent across a VPN tunnel.
    • A single IPSec SA is generated for each VPN tunnel.
    • Default VTI encryption domain of any/any, meaning any traffic routed to the VTI is encrypted without an additional policy lookup.
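The SA lookup from the negotiation section and the policy-based versus route-based encryption decision above are modelled in the following added example. It is not vendor or OCI code; the subnets, tunnel and VTI names are constructed for this page. It reproduces the "1 local subnet, 3 remote subnets = 3 IPSec SAs" count and shows the practical difference for the SA lookup: with a policy-based VPN, a packet outside every encryption domain finds no SA and is not encrypted, whereas with a route-based VPN the only question is whether the route points at the VTI.

```python
import ipaddress
from itertools import product


def policy_based_sas(local_subnets, remote_subnets):
    """Policy-based VPN: one IPSec SA (encryption domain) per local/remote pair."""
    return [(local, remote) for local, remote in product(local_subnets, remote_subnets)]


def route_based_sas(vtis):
    """Route-based VPN: one IPSec SA per tunnel, encryption domain any/any."""
    return {vti: ("0.0.0.0/0", "0.0.0.0/0") for vti in vtis}


def policy_sa_lookup(sas, src_ip, dst_ip):
    """SA lookup before encryption on a policy-based CPE.

    Returns the matching encryption domain, or None when the packet matches
    no policy. A None result means the packet leaves unencrypted by ordinary
    routing (or is dropped, depending on the vendor), so every subnet pair
    that must be protected needs its own entry.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for local, remote in sas:
        if src in ipaddress.ip_network(local) and dst in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def route_sa_lookup(route_table, vti_sas, dst_ip):
    """SA lookup on a route-based CPE.

    route_table is a list of (prefix, next_hop); longest prefix match decides
    the next hop, and if that hop is a VTI the packet is encrypted with that
    tunnel's single SA. Returns the VTI name, or None for plain forwarding.
    """
    dst = ipaddress.ip_address(dst_ip)
    matches = [(prefix, hop) for prefix, hop in route_table
               if dst in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    prefix, hop = max(matches, key=lambda m: ipaddress.ip_network(m[0]).prefixlen)
    return hop if hop in vti_sas else None


# Constructed example from the text: 1 local subnet, 3 remote subnets.
LOCAL = ["10.0.0.0/16"]
REMOTE = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
POLICY_SAS = policy_based_sas(LOCAL, REMOTE)

# Constructed route-based setup: one VTI, so one SA, plus a default route.
VTI_SAS = route_based_sas(["vti1"])
ROUTE_TABLE = [
    ("0.0.0.0/0", "internet"),
    ("192.168.0.0/16", "vti1"),
]

if __name__ == "__main__":
    print("policy-based SAs:", len(POLICY_SAS))                       # 3
    print(policy_sa_lookup(POLICY_SAS, "10.0.1.1", "192.168.2.7"))    # matching domain
    print(policy_sa_lookup(POLICY_SAS, "10.0.1.1", "192.168.9.9"))    # None: no policy
    print("route-based SAs:", len(VTI_SAS))                           # 1
    print(route_sa_lookup(ROUTE_TABLE, VTI_SAS, "192.168.9.9"))       # vti1
    print(route_sa_lookup(ROUTE_TABLE, VTI_SAS, "8.8.8.8"))           # None: default route
```

The `192.168.9.9` case is the one worth checking in a real deployment: the same destination is encrypted under the route-based configuration (the /16 points at the VTI) but not under the policy-based one (no encryption domain covers it), and a mismatch between the two ends of a tunnel shows up as exactly this kind of silently unencrypted or dropped traffic.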