What is a virtual cloud network (VCN)?
A VCN is a customizable private network in Oracle Cloud Infrastructure. Just like a traditional data center network, a VCN provides you with complete control over your network environment. This includes assigning your own private IP address space, creating subnets, creating route tables, and configuring stateful firewalls. A single tenancy (an Oracle Cloud Infrastructure account) can have multiple VCNs, thereby providing grouping and isolation of related resources. For example, you might use multiple VCNs to separate the resources in different departments in your company.
What are the core components of a VCN?
For a complete list of components, see Overview of Networking.
How do I get started with VCN?
What IP addresses can I use inside my VCN?
When you create your VCN, you assign a contiguous IPv4 CIDR block of your choice. VCN sizes ranging from /16 (65,533 IP addresses) to /30 (1 IP address) are allowed. Example: 10.0.0.0/16, 192.168.0.0/24.
We recommend using a CIDR block from the private address ranges specified by RFC1918. If you use a non-RFC1918 CIDR block, note that it is still treated as a private IP address range and is not routable from the internet (via Oracle's internet gateway).
You create subnets by subdividing the VCN's address range into contiguous IPv4 CIDR blocks. A subnet's CIDR block must fall within the VCN's CIDR block. When you launch an instance into a subnet, the instance's private IP address is allocated from the subnet's CIDR block.
Can I mark a subnet as "private"?
Yes. When you create a subnet, you can specify the access type: either private or public. A subnet is created with public access by default, in which case the instances in the subnet can be allocated a public IP address. Instances launched in a subnet with private access are prohibited from having public IP addresses, which ensures these instances have no direct internet access.
Can a VCN span multiple availability domains?
Can a subnet span multiple availability domains or multiple VCNs?
Subnets can span multiple availability domains, but not multiple VCNs. If you create a regional subnet, the subnet's resources can reside in any availability domain in the region. However, if you create an AD-specific subnet, the subnet's resources must reside in the subnet's particular availability domain.
Can I create VCNs with overlapping IP addresses?
Yes. However, if you intend to connect a VCN to your on-premises network or another VCN, we recommend you ensure that the IP address ranges don’t overlap.
How many VCNs, subnets, and other Networking resources can I create?
For current limits for all services and instructions for requesting a service limit increase, see Service Limits.
Can I modify my subnet after I create it?
Yes, you can modify the subnet's name and change which route table, security lists, and set of DHCP options are associated with it. However, you cannot change the subnet's CIDR block.
Virtual Network Interface Cards (VNICs)
What is a virtual network interface card (VNIC)?
The servers in Oracle Cloud Infrastructure data centers have physical network interface cards (NICs). When you launch an instance on one of these servers, the instance communicates using the Networking service's virtual NICs (VNICs) associated with the physical NICs. A VNIC enables a compute instance to be connected to a VCN and determines how the instance communicates with endpoints inside and outside the VCN.
Each VNIC resides in a subnet and has the following configuration:
- One primary private IPv4 address from the subnet the VNIC is in, assigned by either you or Oracle
- Up to 31 secondary private IPv4 addresses from the subnet the VNIC is in, assigned by either you or Oracle
- Optional public IPv4 address for each private IP address
- Optional hostname for DNS for each private IP address (see DNS in Your Virtual Cloud Network)
- MAC address
- VLAN tag assigned by Oracle and available when attachment of the VNIC to the instance is complete (relevant only for bare metal instances)
For more information, see Virtual Network Interface Cards (VNICs).
What is the primary VNIC of an instance?
Every instance in your VCN is created with a VNIC, which has a private IP address (assigned by you or Oracle) from the subnet provided at instance creation, and a corresponding public IP address. This VNIC is referred to as the primary VNIC, and its private IP address as the primary private IP address.
The primary VNIC cannot be detached from the instance. It gets automatically deleted when the instance is terminated.
What are secondary VNICs on an instance?
Every instance in your VCN has at least one VNIC, which is its primary VNIC. You can attach additional VNICs to an instance, which are referred to as secondary VNICs. The secondary VNICs can belong to different VCNs or subnets.
What is the maximum number of VNICs supported on an instance?
The limit to how many VNICs can be attached to an instance varies by shape. For those limits, see Compute Shapes.
Can I find VNIC information from within the instance?
Yes. Query the instance metadata service available at http://169.254.169.254/opc/v1/vnics/.
Can I assign a specific private IP address to a VNIC?
Yes. In case of the primary VNIC, you can specify the private IP address at instance launch. In case of secondary VNICs, you can specify a private IP address when you attach the VNIC to an instance. The specified private IP address should belong to the same subnet the VNIC belongs to, and should not be in use.
Can I move a VNIC from one instance to another?
No. Currently, VNICs are always bound to the instance and do not exist independently. The primary VNIC is created and destroyed with the instance. All secondary VNICs are created and destroyed when they are attached and detached respectively.
Can I attach two VNICs from the same subnet to an instance?
Yes. However, attaching multiple VNICs from the same subnet CIDR block to an instance can introduce asymmetric routing, especially on instances using a variant of Linux. If you need this type of configuration, Oracle recommends assigning multiple private IP addresses to one VNIC, or using policy based-routing. For an example, see the script in the Linux: Configuring the OS for Secondary VNICs.
Can the VNICs attached to an instance belong to subnets in different availability domains (AD)?
No. All VNICs must belong to subnets in the same AD as the instance. When using regional subnets, the VNICs must be created in the same AD as the instance.
Can the VNICs attached to an instance belong to subnets in different VCNs?
Yes. You can attach secondary VNICs that belong to a subnet of a VCN that is different from the VCN of the primary VNIC.
Can I assign one or more private IP addresses of my choice to my compute instance?
Every compute instance in your VCN is created with a virtual network interface card (VNIC) and is assigned a private IP address from the subnet provided at instance launch. These are the primary VNIC and its primary private IP address, respectively. You can also attach additional VNICs to an instance, referred to as secondary VNICs, which also have a primary private IP address.
You can let Oracle choose the private IP address, or you can choose it from the subnet's available pool. If the address you specify is already in use, the launch request will fail.
Additionally, you can assign secondary private IP addresses to a VNIC. Similar to primary private IP addresses, a secondary private IP address provides connectivity to destinations within your VCN and/or on-premises (when there is connectivity through VPN or FastConnect).
Can I move a secondary private IP address from one instance's VNIC to another?
Yes. You can move a secondary private IP address from a VNIC on one instance to a VNIC on another instance, provided that both VNICs belong to the same subnet and authorization allows the operation. When using regional subnets, the secondary private IP can be moved to a VNIC in a different AD as well.
How many secondary private IP addresses can I assign to a VNIC of an instance?
Currently you can assign up to 31 secondary private IP addresses to a VNIC.
Can the instance OS discover and configure the secondary private IP address automatically (using DHCP)?
No. The OS cannot discover the secondary private IP address using mechanisms like DHCP. You need to configure the secondary private IP addresses using an OS-specific procedure. For more information, see the scripts provided in Virtual Network Interface Cards (VNICs).
What is a public IP address and how is it different from a private IP address?
A public IP address is an IPv4 address that is reachable from the internet (an internet-routable IP address). An instance in your VCN communicates with hosts on the internet via a public IP address. A private IP address is not internet routable. Instances inside the VCN communicate with each other using private IP addresses.
You can assign a public IP address to a private IP address of a compute instance, or to a load balancer instance, and enable them to communicate with the internet. For a public IP address to be reachable over the internet, the VCN it's in must have an internet gateway, and the public subnet must have route tables and security lists configured accordingly.
What are the types of public IP addresses?
There are two types of public IP addresses.
- Ephemeral public IP addresses: Think of them as temporary and existing for the lifetime of the instance. At your request, Oracle will assign one from Oracle's available pool of public IP addresses. This public IP address is bound to the lifecycle of the private IP address. If you unassign the public IP address explicitly, or unassign the private IP address from the VNIC, or terminate the corresponding instance, this public IP address is released to the available pool. If you later request to assign a public IP address again, it may be a different address than before.
- Reserved public IP addresses: Think of them as floating public IP addresses that reside in a compartment of your choice. They are persistent and exist beyond the lifetime of the instances they're assigned to. They belong to a specific region. You can keep a reserved public IP address unassigned within your compartment, or assign it to a private IP address of an instance or a load balancer within the same region as it was created in. You can also move it to any another private IP address within the same region.
For more details and a table comparing the two types, see Public IP Addresses.
Why do I need reserved public IP addresses?
A public IP address becomes the identity of your service for clients that cannot use the DNS FQDN. A reserved public IP address allows you to keep this identity regardless of any changes to the underlying resources. Here are a couple of specific scenarios that can benefit from using a reserved public IP address:
- Insulate your clients from any instance-specific failures: You can assign a reserved public IP address to your instance, and seamlessly move it to another instance in case of a failure. Your clients are insulated from this change as they continue to connect to the same public IP address.
- Optimize usage of compute resources with no impact to users: Whether you want to change the size of an instance, or terminate your instances based on the usage patterns to save costs, a reserved public IP address enables you to expose the same public IP address to your clients.
How many reserved public IP addresses can I assign to an instance?
You can assign only one reserved public IP address to any (primary or secondary) private IP address. However, you can assign multiple private IP addresses to each VNIC attached to your instance. You can then assign a reserved public IP address to each of these private IP addresses.
There is a limit on the maximum number of reserved public IP addresses you can create in your tenancy. See Service Limits.
How many ephemeral public IP addresses can I assign to an instance?
You can assign only one ephemeral public IP address to any primary private IP address of the VNIC. However, you can create and attach multiple VNICs to your instance. You can then assign an Ephemeral private IP address to each of the primary IP address of each VNIC.
There is a limit on the maximum number of ephemeral public IP addresses that can be assigned to an instance. See Service Limits.
Can I move an ephemeral public IP address from one VNIC/instance to another?
Yes, but only if it's assigned to a secondary private IP on a VNIC. If you move that secondary private IP to a different VNIC (which must be in the same subnet), the ephemeral public IP goes with it.
Can I move a reserved public IP address from one VNIC/instance to another?
Yes, and you can move it from one availability domain or VCN to another. The VCNs must be in the same region.
There are two ways to move a reserved public IP:
- Unassign the reserved public IP and then reassign it to another private IP. The private IP can be on a VNIC in a different availability domain or VCN than the original VNIC.
- If the reserved public IP is assigned to a secondary private IP, you can move the private IP to a different VNIC (which must be in the same subnet) and the reserved public IP goes with it.
When is an ephemeral public IP address released?
When you explicitly unassign it. Also:
- When you delete a private IP address, its corresponding ephemeral public IP address is released.
- When you detach a secondary VNIC, any corresponding ephemeral public IP addresses are released.
- When you terminate the instance, the corresponding ephemeral IP addresses are released.
Note that when you reboot the instance, there is no impact to the corresponding ephemeral public IP addresses.
What IP addresses do I see when I log on to my compute instance?
You see only the private IP address of your compute instance. If the instance is assigned a public IP address, the Networking service provides a one-to-one NAT (static NAT) between the private and public IP addresses when the instance tries to communicate to a destination on the internet (through the internet gateway).
How does the traffic for a public IP address show up on the instance?
At the instance OS level, you see only the private IP address of the VNIC attached to the instance. When traffic sent to the public IP address is received, the Networking service does a network address translation (NAT) from the public IP address to the corresponding private IP address. The traffic shows up inside your instance with the destination IP address set to the private IP address.
Can I assign a MAC address to my compute instance?
No. The Networking service assigns the MAC address.
Is IPv6 supported?
No, not currently.
Do you support IP multicast or broadcast within the VCN?
No, not currently.
Does VCN support transparent IP takeover using gratuitous ARPs (GARP)?
No, not currently.
What connectivity options are available for instances running in my VCN?
The instances can connect:
- to the internet (via an internet gateway)
- to your on-premises data center using an IPSec VPN connection or FastConnect (via a dynamic routing gateway)
- to instances in peered VCNs (in the same region or another region)
- to Oracle Cloud Infrastructure services such as Object Storage, ADW (via a service gateway)
What is an internet gateway?
An internet gateway is a software-defined, highly available, fault-tolerant router providing public internet connectivity for resources inside your VCN. Using an internet gateway, a compute instance with a public IP address assigned to it can communicate with hosts and services on the internet.
In lieu of using an internet gateway, you can connect your VCN to your on-premises data center, from which you can route traffic to the internet via your existing network egress points.
What is a NAT gateway?
A NAT gateway is a reliable and highly available router that provides outbound-only internet connectivity for resources inside your VCN. With a NAT gateway, private instances (with only a private IP address) can initiate connections to hosts and services on the internet, but not receive inbound connections initiated from the internet.
Can I have more than one NAT gateway per VCN?
No. The default limit is one NAT gateway per VCN. We expect this to be sufficient for the vast majority of applications.
If you would like to allocate more than one NAT gateway in a specific VCN, request a limit increase. For instructions on how to request an increase in limits, see Service Limits.
Are there any new throughput limits when using a NAT gateway?
Instances get the same throughput with the NAT gateway as they do when the traffic is routed through an internet gateway. In addition, a single traffic flow through the NAT gateway is limited to 1Gbps (or less for small instance shapes).
Is there a concurrent connection limit when using a NAT gateway?
Yes, there is a limit of ~20,000 concurrent connections to a single destination IP address and port. This limit is aggregate of all connections initiated by instances across the VCN that are using the NAT gateway.
What is a dynamic routing gateway (DRG)?
A dynamic routing gateway is a software-defined, highly available, fault-tolerant router that you can add to a VCN. It provides a private path for traffic between the VCN and other networks outside the VCN's region, such as your an on-premises data center or a peered VCN in another region. To connect your VCN with your on-premises data center, you can set up an IPSec VPN or FastConnect to the VCN's DRG. The connection enables your on-premises hosts and instances to communicate securely.
What is a customer-premises equipment (CPE) object and why do I need it?
You use this object if you set up an IPSec VPN. It's a virtual representation of the actual router that is on-premises at your site, at your end of the VPN. When you create this object as part of setting up an IPSec VPN, you specify the public IP address of your on-premises router.
Do I need an internet gateway to establish an IPSec VPN to my on-premises data center?
No. You just need to provision a DRG, attach it to your VCN, configure the CPE object and IPSec connection, and configure the route tables.
Which customer-premises equipment routers or gateways have you tested with Oracle Cloud Infrastructure IPSec VPN?
I have an IPSec VPN router that is not on the above list of tested equipment. Can I use it to connect to my VCN?
Yes, if you configure it according to Generic CPE Configuration Information. We support multiple configuration options to maximize interoperability with different VPN devices.
How do I ensure availability of my IPSec VPN connection between Oracle Cloud Infrastructure and my on-premises data center?
Oracle provisions two VPN tunnels as part of the IPSec connection. Make sure to configure both tunnels on your CPE for redundancy.
Additionally, you can deploy two CPEs routers in your on-premises data center, with each configured for both tunnels.
Can I use a software VPN to connect to my VCN?
IPSec VPN is an open standard and software IPSec VPNs can interoperate with Oracle Cloud Infrastructure. You need to verify that your software IPSec VPN supports at least one supported Oracle IPSec parameter in each configuration group according to Generic CPE Configuration Information.
What is the Oracle Services Network?
The Oracle Services Network is a conceptual network in Oracle Cloud Infrastructure that is reserved for Oracle services. The network comprises a list of regional CIDR blocks. Every service in the Oracle Services Network exposes a service endpoint that uses public IP addresses from the network. A large number of Oracle services are currently available in this network (see the complete list), and more services will be added in the future as they get deployed on Oracle Cloud Infrastructure.
What is a service gateway?
A service gateway lets resources in your VCN privately and securely access Oracle services in the Oracle Services Network, such as Object Storage, ADW, and ATP. Traffic between an instance in the VCN and a supported Oracle service uses the instance's private IP address for routing, travels over the Oracle Cloud Infrastructure fabric, and never traverses the internet. Much like the internet gateway or NAT gateway, the service gateway is a virtual device that is highly available and dynamically scales to support the network bandwidth of your VCN.
What Oracle Cloud Infrastructure services can I access through a service gateway?
Currently, you can configure the service gateway to access Oracle services in the Oracle Services Network. A large number of Oracle services are currently available in this network (see the complete list), and more services will be added in the future as they get deployed on Oracle Cloud Infrastructure.
I am currently using an internet gateway or NAT gateway to access an Oracle service such as ADW. How do I use the service gateway to access the same Oracle service endpoint?
- Create a service gateway for the VCN.
- Update the VCN's routing to forward all traffic for Oracle services in the Oracle Services Network using the service gateway instead of using the internet gateway or NAT gateway.
For instructions, see the Access to Object Storage: Service Gateway. Please note that the service gateway allows access to Oracle services within the region to protect your data from the internet. Your applications may require access to public endpoints or services not supported by the service gateway (for example, for updates or patches). Ensure you have a NAT gateway or other access to the internet if necessary.
What is a service CIDR label?
The service gateway uses the concept of a service CIDR label, which is a string that represents all the regional public IP address ranges for the service or a group of services (for example, "OCI IAD Services in Oracle Services Network" is the label that maps to the regional CIDR blocks in the Oracle Services Network in us-ashburn-1). You use the service CIDR label when you configure the service gateway and route/security rules. For instructions, see the Access to Oracle Services: Service Gateway.
Can I configure the service gateway to access services running in a different region?
No, the service gateway is regional and can access only services running in the same region.
Can I allow access to an Object Storage bucket from only specific VCNs or subnets?
Yes. If you're using a service gateway, you can define an IAM policy that allows access to a bucket only if the requests come from a specific VCN or CIDR range. The IAM policy works only for traffic routed through the service gateway. Access is blocked if the IAM policy is in place and the traffic instead goes through an internet gateway. Also, be aware that the IAM policy prevents you from accessing the bucket through the Console. Access is allowed only programmatically from resources in the VCN.
For an example IAM policy, see the Access to Object Storage: Service Gateway.
Can I have multiple service gateways within my VCN?
No. A VCN can have only one service gateway at this time.
Can I use a service gateway with VCN peering?
No. A VCN that is peered with another VCN that has a service gateway cannot use that service gateway to access Oracle services.
Can I leverage a service gateway to establish connectivity (through FastConnect) from my on-premises network to my VCN?
No. However, you can use FastConnect public peering to do this (without going through internet).
Are there any new throughput limits when using a service gateway?
No. Instances get the same throughput with the service gateway as they do when the traffic is routed through an internet gateway.
How much does the service gateway cost?
The service gateway is free for all Oracle Cloud Infrastructure customers.
What are security lists and why do I need them?
A security list provides a virtual firewall for an instance, with ingress and egress rules that specify the types of traffic allowed in and out of the instance. You can secure your compute instance by using security lists. You configure your security lists at the subnet level, which means all the instances in the subnet are subject to the same set of security list rules. The rules are enforced at the instance level and control traffic at the packet level.
What security lists are applicable to a given instance? How is the VCN's default security list involved?
A given VNIC on an instance is subject to the security lists associated with the VNIC's subnet. When you create a subnet, you specify one or more security lists to associate with it, and that can include the VCN's default security list. If you don't specify at least one security list during subnet creation, the VCN's default security list is associated with the subnet. The security lists are associated at the subnet level, but the rules apply to the VNIC's traffic at the packet level.
Can I change the security lists used by my subnet after I create the subnet?
Yes, you can edit subnet properties to add or remove security lists. You can also edit the individual rules in a security list.
How many security lists and rules can I configure?
There's a limit to the number of security lists you can create, the number of lists you can associate with a subnet, and the number of rules you can add to a given list. For current service limits and instructions on how to request an increase in limits, see Service Limits.
Can I use "deny" rules within the security lists?
No. Security lists use only "allow" rules. All traffic is denied by default and only network traffic matching the attributes specified in the rules is permitted.
What type of rules are supported in the Security Lists?
Each rule is either stateful or stateless, and either an ingress rule or an egress rule.
With stateful rules, once a network packet matching the rule is allowed, connection tracking is used and all further network packets belonging to this connection are automatically allowed. So if you create a stateful ingress rule, both incoming traffic matching the rule and the corresponding outgoing (response) traffic are allowed.
With stateless rules, only the network packets matching the rule are allowed. So, if you create a stateless ingress rule, only the incoming traffic is allowed. You need to create a corresponding stateless egress rule to match the corresponding outgoing (response) traffic.
For more information, see Security Lists.
What is a VCN route table?
A VCN route table contains rules to route traffic that's ultimately destined for locations outside the VCN.
Each rule in a route table has a destination CIDR block and a route target. When the subnet's outgoing traffic matches the destination CIDR block of the route rule, traffic is routed to the route target. Examples of common route targets: an internet gateway, a dynamic routing gateway.
For more information, see Route Tables.
What route tables are applicable to a given instance? How is the VCN's default route table involved?
A given VNIC on an instance is subject to the route table associated with the VNIC's subnet. When you create a subnet, you specify one route table to associate with it, and that can be the VCN's default route table or another you've already created. If you don't specify a route table during subnet creation, the VCN's default route table is associated with the subnet. The route table is associated at the subnet level, but the rules apply to the VNIC's traffic at the packet level.
Can I create a route rule for any destination CIDR block?
No. Currently, you can add a route rule only for a CIDR block that doesn't overlap with the VCN's address space.
Can I change the route table used by my subnet after I create the subnet?
Yes, you can edit subnet properties to change the route table. You can also edit the individual rules in a route table.
Does VCN support source-based routing?
No, not currently.
How many route rules can I create in a single route table?
There's a limit to the number of rules in a route table. See Service Limits.
Can I use a private IP as the route target in the VCN route rule?
Yes. You can use a private IP as the target of a route rule in situations where you want to route a subnet's traffic to another instance in the same VCN. For requirements and other details, see Using a Private IP as a Route Target.
What is VCN peering?
VCN peering is a process of connecting two VCNs to enable private connectivity and traffic flow between them. There are two general types of peering:
- Local VCN peering (or intra-region peering): The two VCNs are in the same region. They can be in the same tenancy (in the same or different compartments), or different tenancies.
- Remote VCN peering (or inter-region VCN peering): The two VCNs are in different regions.
For more information, see Access to Other VCNs: Peering.
Is VCN peering supported in all regions?
- Local VCN peering (or intra-region peering) is supported in all regions.
- Remote VCN peering (or inter-region peering) is currently supported. The list of supported regions can be found in product documentation.
Why do I need VCN peering?
- With local VCN peering, you get flexibility to organize your resources in to separate VCNs and meet requirements for governance and regional presence, while enabling private connectivity across these VCNs. With cross-tenancy local VCN peering, you get flexibility to organize your resources into separate VCNs in different tenancies, while enabling private connectivity across these VCNs. You can also enable a service provider model by providing private access to your services for multiple consumer VCNs (in different tenancies) located in the same region.
- With remote VCN peering, you get flexibility to organize your resources in to separate VCNs and meet your requirements for governance, multi-region presence and DR, while enabling private connectivity across these VCNs in different regions.
What are the benefits of local VCN peering?
- A no-cost, reliable alternative to connectivity models such as VPN by eliminating internet gateways, public IPs for instances, encryption, and performance bottlenecks.
- Ease of peering enablement between VCNs with no scheduled downtime.
- Private connectivity for resources in peered VCNs using the Oracle Cloud Infrastructure fabric’s highly redundant links with predictable bandwidth and latency.
How do I establish a local VCN peering between two VCNs?
For instructions, see Local VCN Peering.
Can I establish local peering between two VCNs with overlapping address ranges?
No. The two VCNs in a local peering relationship cannot have overlapping CIDRs.
Can I establish local peering from my VCN to two other VCNs that have overlapping IP address ranges?
Yes. If VCN-1 is peered with two other VCNs (say VCN-2 and VCN-3), those two VCNs (VCN-2 and VCN-3) can have overlapping CIDRs.
Can I establish a local peering connection to a VCN that belongs to another account?
How many local peerings can I establish per VCN?
A given VCN can have a maximum of ten local peerings at a time.
What are the benefits of remote VCN peering?
- A low-cost, reliable alternative to connectivity models such as VPN by eliminating internet gateways, public IPs for instances, encryption, and performance bottlenecks.
- Ease of peering enablement between VCNs with no scheduled downtime.
- Private connectivity for resources in peered VCNs using Oracle Cloud Infrastructure's highly redundant backbone links with predictable bandwidth and latency.
Do I need an internet gateway to create a remote peering connection?
No. You establish a remote peering connection using a dynamic routing gateway (DRG).
How do I establish a Remote VCN Peering between two VCNs?
For instructions, see Remote VCN Peering.
Can I establish remote peering between two VCNs with overlapping address ranges?
No. The two VCNs in a remote peering relationship cannot have overlapping CIDRs.
Can I establish remote peering from my VCN to two other VCNs that have overlapping IP address ranges?
No, if VCN-1 is remotely peered with two other VCNs (say VCN-2 and VCN-3), those two VCNs (VCN-2 and VCN-3) cannot have overlapping CIDRs.
Can I establish a remote peering connection to a VCN that belongs to another account?
Is my remote VCN peering traffic encrypted?
Yes. Your remote VCN peering traffic is encrypted using industry standard link encryption.
How many remote peerings can I establish per VCN?
A given VCN can have a maximum of ten remote peerings at a time.
As administrator of VCN-A, can I control connectivity to only a specific subnet on the peered VCN-B?
Yes. You can use VCN-A's route tables and security lists to control connectivity to the peered VCN-B. You can allow connectivity to the full address range of VCN-B, or limit it to one or more subnets.
As administrator of VCN-A, can I control which subnets of VCN-A are accessible from the peered VCN-B ?
Yes. After the local or remote peering is established, the instances in VCN-B can send traffic to the full address range of VCN-A. However, you can limit access from instances in VCN-B to a specific subnet in VCN-A by using appropriate ingress rules in the subnet's security lists.
Is there a performance impact based on throughput and latency over the established local peering between two VCNs?
No. Throughput and latency should be close to intra-VCN connections. Traffic over the local peering has similar availability and bandwidth constraints as the traffic between instances in a VCN.
Is there a performance impact based on throughput and latency over the established remote peering between two VCNs?
Remote VCN peering uses the Oracle Cloud Infrastructure inter-region backbone, which is designed to deliver superior performance and availability characteristics, and a 99.5% availability SLA for inter-region connectivity. Traffic over the remote peering has similar availability and bandwidth constraints as any other connection to a dynamic routing gateway. You can achieve redundancy by backhauling the peering traffic using your FastConnect or IPSec VPN.
What is the price for VCN peering?
- Local peering (intra-region): No charge.
- Remote peering (inter-region): Pricing is based on outbound data transfer. Refer to the latest published pricing for “Outbound Data Transfer”.
VCN Transit Routing
What is VCN Transit Routing (VTR)?
The VCN Transit Routing (VTR) solution is based on a hub-and-spoke topology and enables the hub VCN to provide transit connectivity between multiple spoke VCNs (within the region) and on-premises networks. Only a single FastConnect or IPSec VPN (connected to the hub VCN) is required for the on-premises network to communicate with all the spoke VCNs.
How do I get started with VCN Transit Routing (VTR)?
See the instructions in Setting Up VCN Transit Routing in the Console.
What kinds of remote networks can the spoke VCNs access using the hub VCN?
Currently, the spoke VCNs can access your on-premises networks using the hub VCN.
Can I configure the hub VCN to provide connectivity to spoke VCNs in remote Oracle Cloud Infrastructure regions?
No, the VCN Transit Routing solution only supports consolidated connectivity between VCNs in the same region.
Can I configure the hub VCN so a spoke VCN can access only specific subnets in the on-premises network?
Yes. You control this with the route table associated with the LPG on the hub VCN. You can configure restrictive route rules that specify only the on-premises subnets that you want to make available to the spoke VCN. The routes advertised to the spoke VCN are those in that route table and the hub VCN's CIDR.
Can I configure the hub VCN so the on-premises network can access only specific subnets in the spoke VCN?
Yes. You control this with the route table associated with the DRG on the hub VCN. You can configure restrictive route rules that specify only the spoke VCN subnets that you want to make available to the on-premises network. The routes advertised to the on-premises network are those in that route table and the hub VCN's CIDR.
Is there a limit to the number of spoke VCNs that can peer with the hub VCN?
Yes. The hub VCN is limited to a maximum of 10 local peerings with spoke VCNs.
What are DHCP Options?
The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on an IP network. Configuration parameters and other control information are carried to the instance in the "options" field (RFC 2132) of the DHCP message. Each subnet in a VCN can have a single set of DHCP options associated with it.
Which DHCP Options can I configure?
You can configure two options that control how instances in your VCN resolve Domain Name System (DNS) hostnames:
- Search Domain. You can specify a single search domain.
- DNS Type. Choose either:
- Internet and VCN Resolver (default)
- Custom Resolver (you can specify up to three DNS servers of your choice, which you set up, manage, and maintain yourself)
When resolving a DNS query, the instance's OS uses the DNS servers specified with DNS Type and appends the Search Domain to the value being queried.
For more information, see DHCP Options.
Can I change the DHCP options used by my subnet after I create the subnet?
Yes, you can edit subnet properties to change which set of DHCP options the subnet uses. You can also change the values of the DHCP options.
How do I configure a DNS hostname for my instance?
When you launch an instance, you can specify a hostname for the instance, along with a display name. This hostname, combined with the subnet's domain name, becomes the fully qualified domain name (FQDN) of your instance. This FQDN is unique within the VCN and resolves to the private IP address of your instance. For more details, see DNS in Your Virtual Cloud Network.
Note that to specify a hostname for the instance, the VCN and subnet must be configured to enable DNS hostnames.
How do I configure the VCN and subnet to enable hostnames?
When you create a VCN, you can specify its DNS label. This, combined with the parent domain oraclevcn.com, becomes the domain name of the VCN.
When you create a subnet, you can specify its DNS label. This, combined with the VCN's domain name, becomes the domain name of the subnet.
You can enable a hostname for a compute instance only if the VCN and subnet are both created with a DNS label.
What is a DNS hostname of a compute instance?
A DNS hostname is a name that corresponds to the IP address of an instance connected to a network. In case of an Oracle Cloud Infrastructure VCN, every instance can be configured with a DNS hostname that corresponds to the private IP address of the instance.
A fully qualified domain name (FQDN) of an instance looks like hostname.subnetdnslabel.vcndnslabel.oraclevcn.com, where hostname is the DNS hostname of the instance, subnetdnslabel and vcndnslabel are the DNS labels of the instance's subnet and the VCN respectively.
The parent domain oraclevcn.com is reserved for use with DNS hostnames created in Oracle Cloud Infrastructure.
Can I rename the hostname of my instance?
Can I rename the DNS label of an existing VCN or a subnet?
If my subnet is configured to use "Custom Resolver" for DNS, are DNS hostnames created for instances in this subnet?
Yes. DNS hostnames are created for instances regardless of the DNS type selected for the subnet.
Can my instance resolve hostnames of instances in other VCNs?
No. The instance can resolve hostnames only of instances within the same VCN.
Can I configure my custom DNS servers to resolve VCN internal DNS hostnames?
Yes, you can do this with custom DNS servers set up within the VCN. You can configure the custom DNS servers to use 169.254.169.254 as the forwarder for the VCN domain (like contoso.oraclevcn.com).
Note that the custom DNS servers must be configured in a subnet that uses "Internet and VCN Resolver" as the DNS type (to allow access to the 169.254.169.254 IP address).
For an example of an implementation with the Oracle Terraform provider, see Hybrid DNS Configuration.
Do I get charged for using a VCN?
There is no charge for creating VCNs and using them. However, usage charges for other Oracle Cloud Infrastructure services (including Compute and Block Volumes) and data transfer charges apply at the published rates. There are no data transfer charges for any communication among resources within a VCN.
How will I be charged when I connect my VCN to my on-premises data center using an IPSec VPN?
You are charged only the published Oracle Cloud Infrastructure outbound data transfer rates. There is no hourly or monthly VPN connection charge.
What are my usage charges if I use other resources, such as the Database or Object Storage service, from instances inside my VCN?
You don’t incur data transfer charges when accessing other public Oracle Cloud Infrastructure services (such as Object Storage) in the same region. All network traffic via private or public IPs between your instances and other resources inside your VCN, (such as a database or load balancer) is free of data transfer charges.
If you access public Oracle Cloud Infrastructure resources via your IPSec VPN from inside your VCN, you incur the published outbound data transfer charges.
Do your prices include taxes?
Unless otherwise noted, the Oracle Cloud Infrastructure prices, including outbound data transfer charges, exclude applicable taxes and duties, including VAT and any applicable sales tax.