Summary
Inter-tenancy connectivity can be set up within the same region (LPG, or DRG and RPC) or across different regions (DRG and RPC).
Reference
Implement and Operate Secure OCI Networking and Connectivity Solutions
Inter Tenancy Connectivity
Local Versus Remote Peering Scenarios
| Workload Location | Same Tenancy | Different Tenancy |
|---|---|---|
| Same Region | Possible with peering using LPG, RPC, and DRG attachments | Possible with peering using LPG, RPC, and DRG attachments |
| Different Region | Possible with peering using RPC attachments | Possible with peering using RPC attachments |
Inter Tenancy Peering: Example
- Declare one tenancy the REQUESTOR and the other the ACCEPTOR
- Initiate the peering relationship from the REQUESTOR tenancy
- Each tenancy administrator configures their own tenancy
- The administrators share the inter-tenancy peering information with each other
Inter Tenancy Peering Information
- Requestor Tenancy
  - Acceptor Tenancy OCID
  - Requestor Group Name
  - Requestor Group OCID
  - Compartment Name where Peering resources are deployed
  - Acceptor LPG/RPC/DRG Attachment OCID
- Acceptor Tenancy
  - Requestor Tenancy OCID
  - Requestor Group Name
  - Requestor Group OCID
  - Compartment Name where Peering resources are deployed
  - Acceptor LPG/RPC/DRG Attachment OCID
Special IAM Policy Statements: Define
- Assigns an alias to a tenancy OCID so that `Endorse` and `Admit` statements can refer to it by name
- `Define` statements must come first in the policy
- Required in both the Requestor and the Acceptor tenancy; also used to assign an alias to the IAM group OCID referenced by `Admit` statements
Example: (Policy written in Requestor tenancy)
Define tenancy Acceptor as ocid1.tenancy.oc1..
Special IAM Policy Statements: Endorse
- Grants a set of abilities that a group in your tenancy can exercise in other tenancies
- Always belongs in the tenancy that contains the group of users crossing the boundary into the other tenancy to work with that tenancy's resources
Example: (Policy written in Requestor tenancy)
Endorse group StorageAdmins to manage object-family in tenancy Acceptor
Special IAM Policy Statements: Admit
- Identifies the group of users from the Requestor tenancy that requires access to resources; that group must be named in a corresponding `Endorse` statement
- Belongs in the tenancy that is granting "admittance" to its resources
Example: (Written in Acceptor tenancy)
Admit group StorageAdmins of tenancy Requestor to manage object-family in compartment SharedBuckets
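The three statement types above have to agree with each other: `Define` first, every tenancy alias defined before use, and each `Admit` in the Acceptor matched by an `Endorse` in the Requestor. The following linter, added here as an example and not part of the course material or of any OCI tooling, checks those conditions. It parses a simplified subset of policy syntax covering only the `verb resource in tenancy|compartment` forms shown on this page (the `associate ... with ...` form used for LPGs is out of scope); the sample policies and OCIDs are constructed placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example, not from the course notes: a linter for cross-tenancy
# Define / Endorse / Admit statements. Simplified grammar, see lead-in.
DEFINE_RE = re.compile(r"^Define\s+(tenancy|group)\s+(\S+)\s+as\s+(\S+)$", re.I)
ENDORSE_RE = re.compile(
    r"^Endorse\s+group\s+(\S+)\s+to\s+(\S+)\s+(\S+)\s+in\s+tenancy\s+(\S+)$", re.I)
ADMIT_RE = re.compile(
    r"^Admit\s+group\s+(\S+)\s+of\s+tenancy\s+(\S+)\s+to\s+(\S+)\s+(\S+)"
    r"\s+in\s+(tenancy|compartment)(?:\s+(\S+))?$", re.I)


@dataclass
class Statement:
    kind: str               # "define", "endorse" or "admit"
    group: str = ""         # IAM group named by Endorse/Admit
    tenancy: str = ""       # alias of the other tenancy the statement refers to
    verb: str = ""          # manage / use / read / inspect
    resource: str = ""      # resource type or family, e.g. object-family
    alias_type: str = ""    # Define only: "tenancy" or "group"
    alias: str = ""         # Define only: the alias being introduced
    ocid: str = ""          # Define only: the OCID (or <placeholder>) bound to it


def parse(policy: str) -> list[Statement]:
    """Parse one policy (one statement per line) into Statement records."""
    stmts = []
    for raw in policy.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DEFINE_RE.match(line):
            stmts.append(Statement("define", alias_type=m[1].lower(), alias=m[2], ocid=m[3]))
        elif m := ENDORSE_RE.match(line):
            stmts.append(Statement("endorse", group=m[1], verb=m[2].lower(),
                                   resource=m[3].lower(), tenancy=m[4]))
        elif m := ADMIT_RE.match(line):
            stmts.append(Statement("admit", group=m[1], tenancy=m[2],
                                   verb=m[3].lower(), resource=m[4].lower()))
        else:
            raise ValueError(f"unrecognised statement: {line}")
    return stmts


def lint(policy: str) -> list[str]:
    """Checks that apply to a single tenancy's policy."""
    stmts = parse(policy)
    findings = []
    tenancy_aliases = set()
    seen_grant = False
    for n, s in enumerate(stmts, 1):
        if s.kind != "define":
            seen_grant = True
            continue
        if seen_grant:
            findings.append(f"line {n}: Define must come before Endorse/Admit statements")
        if s.alias_type == "tenancy":
            tenancy_aliases.add(s.alias)
        # OCIDs start with ocid1.<type>.; angle-bracket placeholders are tolerated
        expected = f"ocid1.{s.alias_type}."
        if not s.ocid.startswith(expected) and not s.ocid.startswith("<"):
            findings.append(f"line {n}: '{s.ocid}' does not look like a {s.alias_type} OCID")
    for n, s in enumerate(stmts, 1):
        if s.kind != "define" and s.tenancy not in tenancy_aliases:
            findings.append(f"line {n}: tenancy alias '{s.tenancy}' is never defined")
    return findings


def cross_check(requestor_policy: str, acceptor_policy: str) -> list[str]:
    """Each Admit in the Acceptor needs a matching Endorse in the Requestor, and vice versa."""
    endorsed = {(s.group, s.verb, s.resource)
                for s in parse(requestor_policy) if s.kind == "endorse"}
    admitted = {(s.group, s.verb, s.resource)
                for s in parse(acceptor_policy) if s.kind == "admit"}
    findings = []
    for g, v, r in sorted(admitted - endorsed):
        findings.append(f"Admit for group {g} ({v} {r}) has no matching Endorse in the Requestor tenancy")
    for g, v, r in sorted(endorsed - admitted):
        findings.append(f"Endorse for group {g} ({v} {r}) has no matching Admit in the Acceptor tenancy")
    return findings


# Constructed sample policies modelled on the notes' examples; OCIDs are placeholders.
REQUESTOR_POLICY = """
Define tenancy Acceptor as ocid1.tenancy.oc1..acceptorplaceholder
Endorse group StorageAdmins to manage object-family in tenancy Acceptor
"""
ACCEPTOR_POLICY = """
Define tenancy Requestor as ocid1.tenancy.oc1..requestorplaceholder
Admit group StorageAdmins of tenancy Requestor to manage object-family in compartment SharedBuckets
"""
# Two defects: Define after Endorse, and a mistyped OCID prefix
BROKEN_POLICY = """
Endorse group StorageAdmins to manage object-family in tenancy Acceptor
Define tenancy Acceptor as ocdi1.tenancy.oc1..acceptorplaceholder
"""

if __name__ == "__main__":
    for name, pol in (("requestor", REQUESTOR_POLICY), ("acceptor", ACCEPTOR_POLICY),
                      ("broken", BROKEN_POLICY)):
        print(name, lint(pol) or "ok")
    print("pair", cross_check(REQUESTOR_POLICY, ACCEPTOR_POLICY) or "ok")
```

Running the file prints `ok` for the two good policies, two findings for the broken one (ordering and OCID prefix), and `ok` for the Requestor/Acceptor pair. Run `cross_check` with both administrators' policies before testing connectivity; a mismatched verb or resource family between `Endorse` and `Admit` is the usual reason a cross-tenancy action is denied.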
Inter Tenancy Connectivity Using Local Peering Gateways: Tasks
- Create IAM policy required to set up Peering in Requestor and Acceptor tenancy in the same region, that is, Ashburn (IAD)
- Create VCN, Subnet, Route Table, Security List, and compute resources in IAD for Requestor tenancy
- Create LPG and attach to VCN in IAD for Requestor tenancy
- Create VCN, Subnet, Route Table, Security List, and compute resources in IAD for Acceptor tenancy
- Create LPG and attach to VCN in IAD for Acceptor tenancy
- Configure the Route Table and Security List in both tenancies
- Validate the Inter Tenancy communication between servers in the same region
Inter Tenancy Connectivity Using Remote Peering Gateways: Tasks
- Create IAM policy required to set up Peering in Requestor and Acceptor tenancy in different regions, that is, Ashburn (IAD) and Phoenix (PHX)
- Create VCN-A, Subnet, Route Table, Security List, and compute resources in IAD for the Requestor tenancy (IAD region)
- Create VCN-B, Subnet, Route Table, Security List, and compute resources in PHX for the Acceptor tenancy (PHX region)
- Create Dynamic Routing Gateways in both VCNs
- Create a Remote Peering Connection in both DRGs and establish a Remote Peering Connection between them
- Configure the Route Table and Security List in both VCNs
- Validate the Inter Tenancy communication between servers in different regions
Inter Tenancy Connectivity Using DRG Attachments: Tasks
- Create IAM policy required to set up Peering in Requestor and Acceptor tenancy in the same region, that is, Ashburn (IAD)
- Create VCN-A, Subnet, Route Table, Security List, and compute resources in the Requestor tenancy
- Create DRG in the Requestor tenancy
- Create a VCN-A attachment to attach VCN to DRG
- Create VCN-B, Subnet, Route Table, Security List, and compute resources in the Acceptor tenancy
- Create DRG in the Acceptor tenancy
- Create a VCN-B attachment to attach VCN to DRG
- Configure the Route Table and Security List in both tenancies
- Validate the Inter Tenancy communication between servers in the same region
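Each of the three task lists above ends with configuring the route table and security list on both sides and then validating communication. The check below, added as an example and not part of the course material, models each side of a peering as a plain dict (CIDR, region, gateway type, route rules, security-list ingress rules) and reports what is still missing before that validation step can succeed: overlapping CIDRs, an LPG used across regions where a DRG with an RPC is needed, no route to the peer CIDR through the peering gateway, or no ingress rule admitting the peer CIDR. The field names and OCIDs are this example's own constructed placeholders.

```python
import ipaddress

# Added example, not part of the course notes: pre-validation checks for a
# peering between two VCNs, one dict per side. Field names are this example's
# own; gateway OCIDs are placeholders.


def _side_findings(local: dict, peer_cidr: ipaddress.IPv4Network) -> list:
    """Route and security-list checks for one side of the peering."""
    name, gw = local["name"], local["gateway_id"]
    findings = []
    # A route rule whose destination covers the peer CIDR must target the peering gateway.
    routed = any(r["target"] == gw and peer_cidr.subnet_of(ipaddress.ip_network(r["destination"]))
                 for r in local["route_rules"])
    if not routed:
        findings.append(f"{name}: no route to {peer_cidr} via gateway {gw}")
    # The security list needs an ingress rule whose source covers the peer CIDR.
    admitted = any(peer_cidr.subnet_of(ipaddress.ip_network(r["source"]))
                   for r in local["ingress_rules"])
    if not admitted:
        findings.append(f"{name}: no ingress security rule for source {peer_cidr}")
    return findings


def check_peering(side_a: dict, side_b: dict) -> list:
    """Return an empty list when both sides are ready to exchange traffic."""
    findings = []
    cidr_a = ipaddress.ip_network(side_a["cidr"])
    cidr_b = ipaddress.ip_network(side_b["cidr"])
    # Peered VCNs must not overlap, otherwise routes to the peer are ambiguous.
    if cidr_a.overlaps(cidr_b):
        findings.append(f"VCN CIDRs overlap: {cidr_a} and {cidr_b}")
    # Same region: LPG or DRG attachment; different regions: DRG with an RPC.
    if side_a["region"] != side_b["region"]:
        for s in (side_a, side_b):
            if s["gateway_type"] != "rpc":
                findings.append(f"{s['name']}: cross-region peering needs a DRG with a "
                                f"Remote Peering Connection, not {s['gateway_type'].upper()}")
    findings += _side_findings(side_a, cidr_b)
    findings += _side_findings(side_b, cidr_a)
    return findings


# Constructed sample: Requestor VCN-A and Acceptor VCN-B in Ashburn, peered over LPGs.
REQUESTOR_A = {
    "name": "Requestor VCN-A", "region": "us-ashburn-1", "cidr": "10.0.0.0/16",
    "gateway_type": "lpg", "gateway_id": "ocid1.localpeeringgateway.oc1..placeholder-a",
    "route_rules": [{"destination": "10.1.0.0/16",
                     "target": "ocid1.localpeeringgateway.oc1..placeholder-a"}],
    "ingress_rules": [{"source": "10.1.0.0/16", "protocol": "all"}],
}
ACCEPTOR_B = {
    "name": "Acceptor VCN-B", "region": "us-ashburn-1", "cidr": "10.1.0.0/16",
    "gateway_type": "lpg", "gateway_id": "ocid1.localpeeringgateway.oc1..placeholder-b",
    "route_rules": [{"destination": "10.0.0.0/16",
                     "target": "ocid1.localpeeringgateway.oc1..placeholder-b"}],
    "ingress_rules": [{"source": "10.0.0.0/16", "protocol": "all"}],
}
# Same Acceptor, but its security list was never updated for the peer CIDR.
ACCEPTOR_B_NO_INGRESS = {**ACCEPTOR_B,
                         "ingress_rules": [{"source": "10.1.0.0/16", "protocol": "all"}]}
# Same Requestor moved to Phoenix while still using an LPG.
REQUESTOR_A_PHX = {**REQUESTOR_A, "region": "us-phoenix-1"}

if __name__ == "__main__":
    for label, a, b in (("ready", REQUESTOR_A, ACCEPTOR_B),
                        ("no-ingress", REQUESTOR_A, ACCEPTOR_B_NO_INGRESS),
                        ("cross-region-lpg", REQUESTOR_A_PHX, ACCEPTOR_B)):
        print(label, check_peering(a, b) or "ok")
```

The "ready" pair produces no findings, the Acceptor with the stale security list produces exactly one (missing ingress rule for 10.0.0.0/16), and the cross-region pair on LPGs produces one finding per side. The same structure covers the DRG-attachment and RPC scenarios: set `gateway_type` to `"rpc"` and point `gateway_id` and the route targets at the DRG.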
Demonstrations
LPG Demonstration
Sample policies are:
Define tenancy Requestor as ocid1.tenancy.oc1....
Define group RequestorGrp as ocid1.group.oc1....
Admit group RequestorGrp of tenancy Requestor to manage local-peering-to in compartment ...
Admit group RequestorGrp of tenancy Requestor to associate local-peering-gateways in tenancy Requestor with local-peering-gateways in compartment ...
Admit group RequestorGrp of tenancy Requestor to manage remote-peering-to in compartment ...
Same Region DRG Demonstration
Sample policies on the Requestor for using a DRG in the same region are:
Define tenancy VCN as <vcn-tenant-ocid>
Define group VCN-Admin as <vcn-group-ocid>
Endorse group DRG-Admin to manage drg-attachment in tenancy VCN
Admit group VCN-Admin of tenancy VCN to manage drg in tenancy
Sample policies on the Acceptor for using a DRG in the same region are:
Define tenancy DRG as <drg-tenant-ocid>
Define group DRG-Admin as <drg-group-ocid>
Admit group DRG-Admin of tenancy DRG to manage drg-attachment in tenancy
Endorse group VCN-Admin to manage drg-attachment in tenancy DRG