Synthesize Transitive Routing Configurations

Summary

Instead of multiple virtual circuits from on-premises to VCNs, a hub (either a VCN and legacy DRG or upgraded DRG) is used to connect the VCNs with on-premises by allowing transit of traffic through the hub.

Reference

Introduction to OCI Transit Routing

What Is OCI Transit Routing?

  • The OCI VCN Transit Routing solution is based on the hub-and-spoke topology and enables the hub VCN to provide transit between multiple spoke VCNs (within the OCI region) and the on-premises network.
  • Transit routing can also be used to transit from one OCI region to another OCI region leveraging the OCI backbone.

Transit Routing Options

OCI Transit Routing leverages one or more of the following components:

  • Local Peering Gateway
  • Dynamic Routing Gateway
    • Route Tables
    • Import Route Distributions
  • Third Party Appliance
  • Remote Peering Connection

OCI Transit Routing via LPG

A hub VCN is connected to on-premises network through a DRG and either FastConnect or Site-to-Site VPN. This VCN could be peered with up to ten (10) other VCNs in the same region using LPGs. The traffic to/from on-premises has to transit the hub VCN to reach the target VCN.

For example, the route table for a subnet in a spoke VCN would be:

Destination CIDR    Route Target
0.0.0.0/0           LPG

That is, all traffic that is not local to the spoke VCN would go to the LPG from the subnet in the spoke VCN.

The route table for the LPG would include:

Destination CIDR    Route Target
172.16.0.0/16       DRG

Here the CIDR, 172.16.0.0/16, is for the on-premises network.

The route table for the DRG would include:

Destination CIDR    Route Target
192.168.0.0/24      LPG

Here the CIDR, 192.168.0.0/24, is for the subnet in the spoke VCN. This rule allows return traffic from the on-premises network to reach the spoke VCN; without it, forward traffic would still leave the spoke but the replies would be dropped at the DRG.
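As an added example (not from the original page), the following Python walks a packet through the three route tables above using longest-prefix matching and checks that the return path resolves as well as the forward path. The route tables are the ones shown above; the host addresses and the hop names are constructed for illustration.

```python
import ipaddress

# Route tables from the LPG transit example: (destination CIDR, route target).
SPOKE_SUBNET_RT = [("0.0.0.0/0", "LPG")]       # spoke subnet: all non-local traffic to the LPG
LPG_RT = [("172.16.0.0/16", "DRG")]            # hub LPG: on-premises prefix via the DRG
DRG_RT = [("192.168.0.0/24", "LPG")]           # hub DRG: spoke subnet via the LPG (return path)

SPOKE_CIDR = ipaddress.ip_network("192.168.0.0/24")  # spoke subnet (from the page)
ONPREM_CIDR = ipaddress.ip_network("172.16.0.0/16")  # on-premises network (from the page)


def lookup(route_table, dst):
    """Longest-prefix match: return the route target for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None


def trace(path, dst, delivers_to):
    """Walk dst through the ordered (hop name, route table) pairs in path.

    Returns the hops taken, ending in 'delivered' when the final gateway's
    attached network contains dst, or 'blackhole@<hop>' where no rule matched.
    """
    hops = []
    for name, table in path:
        target = lookup(table, dst)
        if target is None:
            hops.append(f"blackhole@{name}")
            return hops
        hops.append(f"{name}->{target}")
    hops.append("delivered" if ipaddress.ip_address(dst) in delivers_to else "undeliverable")
    return hops


def check_transit(spoke_host, onprem_host, drg_rt=DRG_RT):
    """Verify both directions resolve; a DRG table without the spoke route shows up as a return blackhole."""
    forward = [("spoke-subnet", SPOKE_SUBNET_RT), ("hub-LPG", LPG_RT)]  # last hop is the DRG, facing on-premises
    ret = [("hub-DRG", drg_rt)]                                         # last hop is the LPG, facing the spoke VCN
    fwd_hops = trace(forward, onprem_host, ONPREM_CIDR)
    ret_hops = trace(ret, spoke_host, SPOKE_CIDR)
    return {"forward": fwd_hops, "return": ret_hops,
            "symmetric": fwd_hops[-1] == "delivered" and ret_hops[-1] == "delivered"}


if __name__ == "__main__":
    print(check_transit("192.168.0.10", "172.16.5.20"))          # both directions delivered
    print(check_transit("192.168.0.10", "172.16.5.20", drg_rt=[]))  # return path blackholed at the DRG
```

Running the check with an empty DRG route table reproduces the asymmetric case: the spoke can send, but nothing comes back.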

OCI Transit Routing via DRG

Instead of having the hub as a VCN, the hub can be the DRG that terminates a virtual circuit from on-premises. This is only available with the upgraded DRG. For earlier versions of DRG, transit routing via LPG has to be used.

OCI Transit Routing with Third Party Appliance

The configuration is a DRG coupled with a third-party appliance. The third-party appliance has VNICs in all spoke VCNs and the hub VCN. All transit traffic goes through this third-party appliance.

The third-party appliance is usually a software firewall for the inspection of network packets. The hub VCN could then be seen as a DMZ to filter untrusted traffic.

OCI Transit Routing via Remote Peering Connection

Again, the hub is a DRG that terminates a virtual circuit from on-premises. The spoke VCNs can be in different regions and tenancies; this is achieved through a remote peering connection to another DRG.