Oracle Cloud Infrastructure VCN – FAQ

General Questions

What is a Virtual Cloud Network (VCN)?

A VCN is a customizable private network in Oracle Cloud Infrastructure. Just like a traditional data center network, a VCN provides you with complete control over your network environment. This includes assigning your own private IP address space, creating subnets, creating route tables and configuring stateful firewalls. A single tenant can have multiple VCNs, thereby providing grouping and isolation of related resources.

What are the core components of a VCN?

  • Virtual Cloud Network (VCN): A software-defined version of your traditional, on-premise network -- including subnets, route tables, and gateways -- in which your instances run.
  • Subnet: A section of a VCN’s IP address range providing logical isolation for resource groups.
  • Security List: A common set of stateful firewall rules associated with a subnet and applied to all instances launched inside the subnet.
  • Route Table: A set of route rules, viewed in table format, that specifies how IP network traffic is directed based on a destination IP address matching a specified IP CIDR (e.g. 0.0.0.0/0 for the Internet).
  • DHCP Options: Configuration information, such as the IP address of a custom DNS server, that is provided to the instance when it boots up.
  • Internet Gateway: A software-defined router providing a path for network traffic from your VCN to the public internet.
  • IPSec VPN Connection: A VPN connection between your VCN and your data center.
  • Dynamic Routing Gateway (DRG): A software-defined router providing a path for private traffic between your VCN and your data center’s network. You can use it with the IPSec VPN Connection and an on-premise router to create a site-to-site VPN.
  • Customer Premise Equipment (CPE): A virtual representation of the actual on-premise VPN router at your site.

How do I get started with VCN?

You can create a VCN in the Networking section of the Oracle Cloud Infrastructure management console. Click "Virtual Cloud Networks," and then "Create Virtual Cloud Network". Alternatively, you can use the CreateVcn API.

  • For an overview and to learn how to launch an instance inside Oracle Cloud Infrastructure, see the Getting Started Guide.
  • To learn more about Virtual Cloud Networks, see the "Overview of the Networking Service" section of the Oracle Cloud Infrastructure documentation.

What is a subnet?

A subnet is a section of a VCN’s IP address range providing logical isolation for groups of your resources. Compute instances within and across subnets access each other using IP addresses.

How do I create a subnet?

You create a subnet by subdividing the VCN's address range. When you create a subnet via the Oracle Cloud Infrastructure console or the API, you specify a contiguous IPv4 CIDR block for the subnet. The subnet's CIDR block must fall within the VCN's CIDR block. You assign a subnet to exactly one Availability Domain (AD).  When you launch an instance into a subnet, the instance's private IP address is allocated from the subnet's CIDR block.

When you create a subnet, you can also specify the access type: either Private or Public. A subnet is created with Public access by default, in which case the instances in the subnet can be allocated a public IP address. Conversely, instances launched in a subnet with Private access are prohibited from having public IP addresses, which ensures these instances have no Internet access.

Can a subnet span multiple Availability Domains?

No. A subnet cannot span Availability Domains.

What IP addresses can I use inside my VCN?

When you create your VCN you assign a contiguous IPv4 CIDR block of your choice. We allow VCN sizes ranging from /16 (65,534 IP addresses) to /30 (2 IP addresses). Example: 10.0.0.0/16, 192.168.0.0/24.

We recommend using a CIDR block from the private address ranges specified by RFC1918. If you use a non-RFC1918 CIDR block, note that it is still treated as a private IP address range and is not routable from the Internet (via Oracle's Internet Gateway).

Can I create VCNs with overlapping IP addresses?

You can create multiple VCNs with overlapping IP address ranges. However, if you intend to connect your VCN to your on-premise network via an IPSec VPN connection, we recommend you ensure that the IP address ranges don’t overlap.
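
An added example, not part of Oracle's FAQ: a Python check of a planned address layout against the rules in the answers above (VCN block between /16 and /30, every subnet inside the VCN block, RFC 1918 recommended, no overlap with on-premise ranges when a VPN is planned). The function names, subnet names and sample ranges are constructed for illustration; rejecting overlapping sibling subnets is an assumption the FAQ does not state.

```python
import ipaddress

# Private ranges from RFC 1918, which the FAQ recommends for VCN CIDR blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _parse(label, cidr, errors):
    """Parse an IPv4 CIDR block; record an error and return None if invalid."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits
    except ValueError as exc:
        errors.append(f"{label}: invalid CIDR {cidr!r} ({exc})")
        return None
    if net.version != 4:
        errors.append(f"{label}: {cidr} is not IPv4 (VCN does not support IPv6)")
        return None
    return net


def check_plan(vcn_cidr, subnets, on_prem=()):
    """Validate an addressing plan.

    subnets is {name: cidr}; on_prem lists CIDR blocks used in the data center.
    Returns (errors, warnings): errors break a stated rule, warnings go
    against a stated recommendation.
    """
    errors, warnings = [], []
    vcn = _parse("vcn", vcn_cidr, errors)
    if vcn is None:
        return errors, warnings

    # FAQ: VCN sizes range from /16 to /30.
    if not 16 <= vcn.prefixlen <= 30:
        errors.append(f"vcn: /{vcn.prefixlen} is outside the /16 to /30 range")

    # FAQ: RFC 1918 space is recommended; other blocks are still treated as
    # private and are not routable from the Internet.
    if not any(vcn.subnet_of(r) for r in RFC1918):
        warnings.append(f"vcn: {vcn} is not RFC 1918 space; it is still "
                        "treated as private and is not Internet-routable")

    accepted = {}
    for name, cidr in subnets.items():
        net = _parse(f"subnet {name}", cidr, errors)
        if net is None:
            continue
        # FAQ: the subnet's CIDR block must fall within the VCN's CIDR block.
        if not net.subnet_of(vcn):
            errors.append(f"subnet {name}: {net} is outside the VCN block {vcn}")
            continue
        # Assumption (not stated in the FAQ): sibling subnets must not overlap.
        for other_name, other in accepted.items():
            if net.overlaps(other):
                errors.append(f"subnet {name}: {net} overlaps subnet "
                              f"{other_name} ({other})")
        accepted[name] = net

    # FAQ: with an IPSec VPN to on-premise, address ranges should not overlap.
    for cidr in on_prem:
        net = _parse("on-premise", cidr, errors)
        if net is not None and net.overlaps(vcn):
            warnings.append(f"on-premise range {net} overlaps the VCN block "
                            f"{vcn}; avoid this when connecting via IPSec VPN")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample plan.
    errs, warns = check_plan(
        "10.0.0.0/16",
        {"web": "10.0.1.0/24", "db": "10.1.0.0/24", "app": "10.0.1.128/25"},
        on_prem=["10.0.128.0/17"],
    )
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```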

Virtual Network Interface Cards (VNICs)

What is a Virtual Network Interface Card (VNIC)?

A VNIC enables a compute instance to be connected to a Virtual Cloud Network (VCN) and determines how the instance communicates with endpoints inside and outside the VCN.

Each VNIC resides in a subnet of a VCN and has the following configuration:

  • One primary private IPv4 address from the subnet the VNIC is in, assigned by either you or Oracle
  • Up to 31 secondary private IPv4 address(es) from the subnet the VNIC is in, assigned by either you or Oracle
  • Optional public IPv4 address, for the primary private IP address, assigned by Oracle (see Internet Access for Your VCN)
  • Optional hostname for DNS for each private IP address (see DNS in Your Virtual Cloud Network)
  • MAC address
  • VLAN tag assigned by Oracle and available when attachment of the VNIC to the instance is complete (relevant only for bare metal instances)

What is the primary VNIC of an instance?

Every instance in your VCN is created with a VNIC, which has a private IP address (assigned by you or Oracle) from the subnet provided at instance creation, and a corresponding public IP address. This VNIC is referred to as the primary VNIC, and its private IP address as the primary private IP address.

The primary VNIC cannot be detached from the instance. It gets automatically deleted when the instance is terminated.

What are secondary VNICs on an instance?

Every instance in your VCN has at least one VNIC, which is its primary VNIC. You can attach additional VNICs to an instance, which are referred to as secondary VNICs. For more information on secondary VNICs, see documentation.

There's a limit to how many VNICs can be attached to an instance, and it varies by shape. For those limits, see the tables in Compute Shape documentation.

The secondary VNICs can belong to different VCNs or subnets.

What is the maximum number of VNICs supported on an instance?

The limit to how many VNICs can be attached to an instance varies by shape. For those limits, see the tables in Compute Shape documentation.

Can I find VNIC information from within the instance?

Yes. You will be able to query the instance metadata service available at http://169.254.169.254/opc/v1/vnics/ to get this information.

Can I assign a specific private IP address to a VNIC?

Yes. In case of the primary VNIC, you can specify the private IP address at instance launch. In case of secondary VNICs, you can specify a private IP address when you attach the VNIC to an instance. The specified private IP address should belong to the same subnet that the VNIC belongs to, and should not be in use.

Can I move a network interface from one instance to another?

No. Currently, network interfaces are always bound to the instance and do not exist independently. The primary VNIC is created and destroyed with the instance. All secondary VNICs are created and destroyed when they are attached and detached respectively.

Can two VNICs be configured within the same subnet?

Yes. However, attaching multiple VNICs from the same subnet CIDR block to an instance can introduce asymmetric routing, especially on instances using a variant of Linux. If you need this type of configuration, Oracle recommends assigning multiple private IP addresses to one VNIC, or using policy-based routing as shown in the scripts from the documentation.

Can the VNICs attached to an instance belong to subnets in different Availability Domains (AD)?

No. All VNICs must belong to subnets in the same AD as the instance.

Can the VNICs attached to an instance belong to subnets in different VCNs?

Yes. You can attach secondary VNICs that belong to a subnet of a VCN that is different from the VCN of the primary VNIC.

IP Addressing

Can I assign a public IP address to my compute instance?

Currently, every compute instance created in a Public subnet is assigned a public, internet-routable IP address by default. You can override that behavior during instance launch and request to have no public IP address assigned. Instances in a Private subnet are prohibited from having public IP addresses.

When you create a VCN and choose the “Create VCN plus related resources” option, we create a default subnet for you. Please note that when you launch an instance into the default subnet, your instance can communicate outbound with hosts on the internet using the public IP address. All inbound traffic except TCP Port 22 (SSH) and ICMP type 3, code 4 is denied per the default Security List. For more details on how to secure your instance, see the VCN Security section below.

Alternatively, when you create a VCN and choose the “Create VCN only” option, you must create a subnet. When you launch an instance into your subnet, you must create an Internet Gateway and update the default route table before your instance can communicate with hosts on the internet.

Can I assign a private IP address to my compute instance?

Every compute instance is assigned a private IP address from the CIDR block of the subnet the instance is launched in. Optionally, you can specify a particular private IP address of your choice from the subnet's available pool. If the address you specify is already in use the launch request will fail.

Can I assign multiple private IP addresses to my compute instance?

Yes, you can assign multiple private IP addresses to your compute instance. Every compute instance is assigned a private IP address from the CIDR block of the subnet the instance is launched in. Additionally, you can assign secondary private IP addresses to a VNIC of an instance.

What is a secondary private IP address of a VNIC?

Every instance in your VCN is created with a network interface (VNIC) and is assigned a private IP address from the subnet provided at instance launch. These are the primary VNIC and its primary private IP address respectively. You can also attach additional VNICs to an instance, referred to as secondary VNICs, which also have a primary private IP address.

Similar to primary private IP addresses, a secondary private IP address provides connectivity to destinations within your VCN and/or on-premises (when there is connectivity through VPN or FastConnect).

How do I configure a secondary private IP address on my instance?

You can configure the secondary private IP address on your instance as an IP alias using the OS-specific procedure. You should configure the IP alias on the specific network interface that the secondary private IP address is associated with.

Can the instance OS discover and configure the secondary private IP address automatically (using DHCP)?

No. The instance OS cannot discover the secondary private IP address using mechanisms like DHCP. You need to configure the secondary private IP addresses using the OS-specific procedure.

Can I move a secondary private IP address from one instance's VNIC to another?

Yes. You can move a secondary private IP address from a VNIC on one instance to a VNIC on another instance, provided that both VNICs belong to the same subnet and authorization allows the operation.

How many secondary private IP addresses can I assign to a VNIC of an instance?

Currently, you can assign up to 31 secondary private IP addresses on a VNIC.

What is the difference between a public and a private IP address?

A public IP address is an internet routable IP address. An instance in your VCN communicates with hosts on the internet via a public IP address. A private IP address is not internet routable. Instances inside the VCN communicate with each other using private IP addresses.

How many public IP addresses can I assign to an instance?

Currently, you can assign one public IP address for each VNIC attached to an instance.

What IP addresses do I see when I log on to my compute instance?

You will only see the private IP address of your compute instance. If the instance is assigned a public IP address, we provide a one-to-one NAT (static NAT) between the private and public IP addresses when the instance tries to communicate to a destination on the internet (through the Internet Gateway).

Can I assign a MAC address to my compute instance?

No, you cannot specify a MAC address for your compute instance. MAC addresses are assigned by Oracle Cloud Infrastructure.

Does VCN support IPv6?

No, currently VCN does not support IPv6.

Do you support IP multicast or broadcast within the VCN?

No, currently we do not support IP multicast or broadcast inside the VCN.

Does VCN support transparent IP takeover using gratuitous ARPs (GARP)?

No, currently we do not support IP takeover using GARP.

Connectivity

What connectivity options are available for instances running in my VCN?

The instances can connect:

  • to the internet (via an Internet Gateway)
  • to your on-premise data center using an IPSec VPN connection (via a Dynamic Routing Gateway)
  • to both the internet and your on-premise data center
  • to Oracle Cloud Infrastructure services such as Object Storage (via a Service Gateway)

How do I connect my VCN to the Internet?

You connect your VCN to the internet by creating an Internet Gateway. The Internet Gateway enables Oracle Cloud Infrastructure Compute instances to directly access the internet. You can also connect your VCN via a Dynamic Routing Gateway (DRG) and IPSec VPN connection to your on-premise data center, from which you can route traffic via your existing network egress points.

What is an Internet Gateway?

An Internet Gateway is a software-defined, highly available, fault-tolerant router providing public internet connectivity for resources inside your VCN. Using an Internet Gateway, a compute host with a public IP address assigned to it can communicate with hosts and services on the internet.

How do instances in my VCN access the Internet?

Currently, each Oracle Cloud Infrastructure Compute instance can be assigned a public, internet-routable IP address. The public IP address provides the instance with the ability to communicate outbound and inbound with hosts on the internet. We provide a one-to-one NAT (static NAT) between the public and private IP addresses.

When you create a VCN and choose the “Create VCN plus related resources” option, we create a default subnet for you. Please note that when you launch an instance into the default subnet, your instance can communicate outbound with hosts on the internet using the public IP address. All inbound traffic except TCP Port 22 (SSH) and ICMP type 3, code 4 is denied per the default Security List. For more details on how to secure your instance, see the VCN Security section below.

Alternatively, when you create a VCN and choose the “Create VCN only” option, you must create a subnet. When you launch an instance into your subnet, you must create an Internet Gateway and update the default route table before your instance can communicate with hosts on the internet.

What is a Dynamic Routing Gateway (DRG)?

A Dynamic Routing Gateway is a software-defined, highly available, and fault-tolerant router that establishes a private path between a VCN and an on-premise network. You can configure IPSec VPN Connections on your VCN’s DRG to connect your on-premise data center network with a VCN. Using IPSec VPN Connections, your on-premise hosts and instances in the cloud can communicate with each other securely.

What is a Customer-Premise Equipment (CPE) object and why do I need it?

The Customer-Premise Equipment object is a virtual representation of the actual router that is on-premise at your site, at your end of the VPN connection to your cloud network. When you create this object, you specify the IP address of your on-premise router as part of the process of setting up the IPSec VPN connection.

Do I need an Internet Gateway to establish a VPN connection to my on-premise network?

No, you don’t need an Internet Gateway configured with your VCN to establish a VPN connection. You just need to provision a DRG, associate it with your VCN, configure the IPSec VPN connection and CPE object, and configure the route tables.

Which Customer-Premise Equipment routers or gateways have you tested with Oracle Cloud Infrastructure IPSec VPN?

We have tested the following CPEs with Oracle Cloud Infrastructure IPSec VPN connections:

I have an IPSec VPN router that is not on the above list of tested equipment. Can I use it to connect to my VCN?

In addition to the equipment we have tested, you can use CPE routers and gateway devices that support and allow you to configure IKE and IPSec configuration parameters as shown in the following table. We accept multiple configuration options to maximize interoperability with customer VPN devices. Recommended options appear in bold text.

VPN Configuration

IKE (Phase 1)

  • Encryption: aes-256-cbc, aes-192-cbc, aes-128-cbc
  • Data Integrity: SHA-384, SHA-256, SHA-1
  • Diffie-Hellman Group: group 5, group 2, group 1
  • Renegotiate IKE in Seconds: 28800 (8hr)

IPSEC (Phase 2)

  • Encryption: aes-256-cbc, aes-192-cbc, aes-128-cbc
  • Data Integrity: SHA-1
  • Perfect Forward Secrecy (PFS): enabled
  • DH Group: DH group 5
  • Renegotiate IPsec in Seconds: 3600 (1hr)

Peer Information

  • Client Peer IP Address: [available from API or Console once the IPSec is configured]
  • Customer Peer IP Address: [customer information]
  • Pre-Shared Key: [available from API or Console once the IPSec is configured]

How do I ensure availability of my IPSec VPN Connection between Oracle Cloud Infrastructure and my on-premise data center?

When you create an IPSec VPN connection to Oracle Cloud Infrastructure, Oracle provisions 3 VPN tunnels. It is important that you configure on your CPE a minimum of 2, and ideally all 3, tunnels for redundancy. We automatically route traffic to your instances via an available (“up”) tunnel in case any one tunnel becomes unavailable in Oracle Cloud Infrastructure. The following diagram shows the recommended VPN deployment with three configured tunnels.

Additionally, you can configure two CPEs to create a highly available (HA) deployment in your on-premises network. The following diagram shows the recommended HA VPN deployment with three configured tunnels per CPE.

Can I use a software VPN to connect to my VCN?

IPSec VPN is an open standard and software IPSec VPNs can interoperate with Oracle Cloud Infrastructure. You’ll need to verify that your software IPSec VPN supports at least one supported Oracle BMCS IPSec parameter in each configuration group as outlined above. We don’t recommend software solutions because they are lower performance (lower bandwidth and higher induced latency) compared to hardware-based solutions.

What is a service gateway?

A service gateway lets resources in your VCN privately and securely access Oracle Cloud Infrastructure services such as Object Storage, eliminating the need for an Internet Gateway or NAT to establish connectivity to the service's public endpoints. Traffic between an instance in the VCN and Object Storage uses the instance's private IP address for routing, travels over the Oracle Cloud Infrastructure fabric, and never traverses the internet. Much like the Internet Gateway, the service gateway is a virtual device that is highly available and dynamically scales to support the network bandwidth of your VCN.

What Oracle Cloud Infrastructure services can I access through a service gateway?

Currently, you can configure the service gateway to access only Object Storage.

I am currently using an Internet Gateway to access Object Storage. How do I use the service gateway to access the same Object Storage endpoint?

  1. Create a service gateway for the VCN.
  2. Update the VCN's routing to forward all traffic for Object Storage through the service gateway instead of the Internet Gateway.

For instructions, see the technical documentation for service gateways.

Can I configure the service gateway to access services running in a different region?

No, the service gateway is regional and can access only services running in the same region.

Can I allow access to an Object Storage bucket from only specific VCNs or subnets?

Yes. If you're using a service gateway, you can define an IAM policy that allows access to a bucket only if the requests come from a specific VCN or CIDR range. The IAM policy works only for traffic routed through the service gateway. Access is blocked if the IAM policy is in place and the traffic instead goes through an Internet Gateway. Also, be aware that the IAM policy prevents you from accessing the bucket through the Console. Access is allowed only programmatically from resources in the VCN.

For an example IAM policy, see the technical documentation for service gateways.

Can I have multiple service gateways within my VCN?

No. A VCN can have only one service gateway at this time.

Can I use a service gateway with VCN peering?

No. A VCN that is peered with another VCN that has a service gateway cannot use that service gateway to access Object Storage.

Can I leverage a service gateway to establish connectivity (through FastConnect) from my on-premises network to my VCN?

No, you cannot use the service gateway to establish connectivity between on-premise hosts and Object Storage. However, you can use FastConnect public peering to do this (without going through the internet).

Are there any new throughput limits when using a service gateway?

No. Instances get the same throughput with the service gateway as they do when the traffic is routed through an Internet Gateway.

How much does the service gateway cost?

The service gateway is free for all Oracle Cloud Infrastructure customers.

VCN Security

How do I secure my compute instance running inside my VCN?

You can secure your compute instance by using the Oracle-provided default Security List as is, editing it to allow more or less traffic to enter your instance, or by creating one or more new Security Lists that match your specific application security requirements. In each Security List, you specify a set of stateful and/or stateless firewall rules. The firewall rules in Security Lists are "allow" rules, which means that any network traffic matching the attributes specified in the rules is permitted. When you create a subnet in your VCN, you choose either the Oracle-provided default Security List or one or more Security Lists that you created, and associate them with that subnet. That association means that the ingress and egress traffic for each instance in that subnet is subject to the rules in the associated Security Lists.

How many Security Lists can I associate with each subnet?

You can currently associate up to 5 Security Lists with any subnet.

Can I use 'deny' rules within the Security Lists?

No. All firewall rules in Security Lists are "allow" rules. All traffic is denied by default and only network traffic matching the attributes specified in the rules is permitted.

What type of rules are supported in the Security Lists?

There are two dimensions in which you can categorize the rules within a Security List.

Direction - ingress rules and egress rules

Ingress rules specify the source (IP CIDR), destination port range, and protocol to match on, and are applied to ingress network connections. The default Security List allows ingress network connections only on TCP Port 22 (SSH) and ICMP type 3, code 4 from anywhere (0.0.0.0/0), and ICMP type 3, all codes from within the VCN.

Egress rules specify the target (IP CIDR), destination port range, and protocol to match on, and are applied to egress network connections. The default Security List allows all egress network connections.

Connection tracking - stateful and stateless rules

With stateful rules, once a network packet matching the rule is allowed, connection tracking is used and all further network packets belonging to this connection will automatically be allowed. So, if you create a stateful ingress rule, both incoming traffic matching the rule and the corresponding outgoing (response) traffic will be allowed automatically.

With stateless rules, only the network packets matching the rule are allowed. So, if you create a stateless ingress rule, only the incoming traffic is allowed. You need to create a corresponding egress rule to match the corresponding outgoing (response) traffic.

Effectively, there are 4 types of rules - Stateful Ingress, Stateful Egress, Stateless Ingress and Stateless Egress.
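
An added example, not part of Oracle's FAQ and not Oracle code: a small Python model of the Security List behaviour described above (allow-only rules, default deny, the union of up to 5 lists per subnet, and stateful versus stateless handling of response traffic). The class and function names and the sample rules are constructed; the ICMP entries of the default list are left out because the model has no type/code field, and giving a stateless match precedence over a stateful one is an assumption taken from Oracle's networking documentation, not from this FAQ.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_LISTS_PER_SUBNET = 5        # limits quoted in this FAQ
MAX_RULES_PER_DIRECTION = 50


@dataclass(frozen=True)
class Rule:
    direction: str                            # "ingress" or "egress"
    cidr: str                                 # source (ingress) or destination (egress)
    protocol: str                             # "tcp", "udp" or "all"
    ports: Optional[Tuple[int, int]] = None   # inclusive destination ports; None = any
    stateless: bool = False


@dataclass(frozen=True)
class Flow:
    direction: str   # direction of the first packet, seen from the instance
    remote_ip: str   # the peer on the other side of the connection
    protocol: str
    dst_port: int    # destination port of the first packet
    src_port: int    # source port of the first packet (destination of the reply)


def effective_rules(security_lists):
    """Union of the rules of all Security Lists associated with one subnet."""
    if len(security_lists) > MAX_LISTS_PER_SUBNET:
        raise ValueError("a subnet can have at most 5 Security Lists")
    rules = []
    for number, sec_list in enumerate(security_lists, start=1):
        for direction in ("ingress", "egress"):
            count = sum(r.direction == direction for r in sec_list)
            if count > MAX_RULES_PER_DIRECTION:
                raise ValueError(f"list {number}: {count} {direction} rules "
                                 f"(limit {MAX_RULES_PER_DIRECTION})")
        rules.extend(sec_list)
    return rules


def _matches(rules, direction, remote_ip, protocol, dst_port):
    """Allow rules that match one packet; an empty result means denied."""
    ip = ipaddress.ip_address(remote_ip)
    return [r for r in rules
            if r.direction == direction
            and r.protocol in ("all", protocol)
            and ip in ipaddress.ip_network(r.cidr)
            and (r.ports is None or r.ports[0] <= dst_port <= r.ports[1])]


def verdict(rules, flow):
    """Classify a flow: denied, allowed-tracked, allowed-stateless, reply-blocked."""
    hits = _matches(rules, flow.direction, flow.remote_ip,
                    flow.protocol, flow.dst_port)
    if not hits:
        return "denied"              # no allow rule matched: default deny
    # Assumption from Oracle's networking docs: if a stateless rule also
    # matches, it wins and the connection is not tracked.
    if not any(r.stateless for r in hits):
        return "allowed-tracked"     # stateful: response allowed automatically
    # Stateless: the response is a separate packet in the other direction,
    # addressed to the first packet's source port, and needs its own rule.
    reply_direction = "egress" if flow.direction == "ingress" else "ingress"
    if _matches(rules, reply_direction, flow.remote_ip,
                flow.protocol, flow.src_port):
        return "allowed-stateless"
    return "reply-blocked"


# Constructed sample data. DEFAULT_LIST mirrors the TCP part of the default
# Security List described above: SSH in from anywhere, all egress allowed.
DEFAULT_LIST = [Rule("ingress", "0.0.0.0/0", "tcp", (22, 22)),
                Rule("egress", "0.0.0.0/0", "all")]
WEB_STATELESS = [Rule("ingress", "0.0.0.0/0", "tcp", (443, 443), stateless=True)]
WEB_STATELESS_FIXED = WEB_STATELESS + [
    Rule("egress", "0.0.0.0/0", "tcp", (1024, 65535), stateless=True)]

SSH = Flow("ingress", "198.51.100.7", "tcp", dst_port=22, src_port=50000)
HTTPS = Flow("ingress", "198.51.100.7", "tcp", dst_port=443, src_port=50000)

if __name__ == "__main__":
    print(verdict(effective_rules([DEFAULT_LIST]), SSH))
    print(verdict(effective_rules([DEFAULT_LIST]), HTTPS))
    print(verdict(effective_rules([WEB_STATELESS]), HTTPS))
    print(verdict(effective_rules([WEB_STATELESS_FIXED]), HTTPS))
```

The third case is the one to watch for when reviewing a list: a stateless ingress rule on its own admits the request but the instance's answer never leaves the subnet.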

How many Security Lists and firewall rules can I configure?

You can create a maximum of 300 Security Lists per VCN. You can have 50 allow rules for ingress and 50 allow rules for egress per security list (giving a total of 100 combined ingress and egress rules). For current service limits and instructions on how to request an increase in limits, please see Service Limits in the Oracle BMCS documentation.

Can I change the security lists assigned to my Subnet after I create it?

No, currently you cannot change the security list you assigned to your subnet after you create the subnet.

VCN Routing

What is a VCN routing rule?

A VCN routing rule allows IP network packets with a destination IP address matching a specified IP CIDR (e.g. 0.0.0.0/0 for the Internet) to be redirected to a specific gateway (e.g. Internet Gateway, Dynamic Routing Gateway).

Can I create a routing rule for any destination CIDR block?

No. Currently, you can only add a route rule for a CIDR block that doesn't overlap with the VCN address space.

Does VCN support source-based routing?

No. Currently, VCN does not support source-based routing.

DHCP Options

What are DHCP Options?

The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on an IP network. Configuration parameters and other control information are carried to the instance in the "options" field (RFC 2132) of the DHCP message. Each subnet inside a VCN can have a single set of DHCP Options associated with it.

Which DHCP Options can I configure?

Currently, you can configure the DNS Type and Search Domain options, which specify how instances inside your VCN resolve Domain Name System (DNS) hostnames.

When resolving a DNS query, the OS of your instances in the VCN will append the Search Domain to the value being queried, and use the DNS servers specified with DNS Type.

The default DNS Type is an Oracle-provided Internet and VCN Resolver. It enables hosts to resolve hostnames that are published publicly on the internet and the hostnames of instances in the VCN. Resolving hostnames for internet hosts using the Oracle-provided Internet Resolver does not require an instance to have internet access via the Internet Gateway or through an IPSec VPN connection via a DRG.

As an alternative, you can configure the DNS Type to return a set of up to three Custom Resolver IPs for DNS resolution. These Custom Resolver IPs could be Internet IPs (e.g. 8.8.8.8 for Google's public DNS or 216.146.35.35 for Dyn's Internet Guide), DNS servers local to your VCN, or DNS servers in your on-premise network, which is connected to your VCN via an IPSec VPN connection. If you provide an Internet IP as a Custom Resolver IP, your instances inside the VCN must have internet access for DNS resolution to work. Custom Resolvers must be specified as IP addresses, as they are passed down to the host verbatim via DHCP when the host boots.

If you specified a DNS label for the VCN during creation, the default Search Domain is the VCN's DNS domain. If you didn't, the default set of DHCP options does not include a Search Domain option. As an alternative, you can configure a Search Domain to a specific DNS domain. This is useful when using Custom Resolvers as DNS Type.

Can I specify custom DNS servers to resolve hostnames for instances in my VCN?

Yes, you can configure the DNS Type to return a set of up to three Custom Resolver IPs for DNS resolution. These Custom Resolver IPs can be DNS servers that are local to your VCN or they can be located in your on-premise network, which is connected to your VCN via an IPSec VPN connection. NOTE: you are responsible for setup, management, and maintenance of the DNS server(s).

DNS

How do I configure DNS hostname for my instance?

When you are launching an instance, you can specify a hostname for the instance along with its display name. This combined with the subnet's domain name becomes the fully qualified domain name (FQDN) of your instance. This FQDN is unique within the VCN, and will resolve to the private IP address of your instance.

Note that your VCN and subnet should be configured to enable DNS hostnames.

How do I enable DNS hostnames in a VCN?

When you create a VCN, you can specify its DNS label. This combined with the parent domain, oraclevcn.com, is created as the domain name of the VCN.

When you create a subnet, you can specify its DNS label. This combined with the VCN's domain name is created as the domain name of the subnet.

DNS hostnames for compute instances can be enabled only if the VCN and Subnet are created with a DNS label.

What is a DNS hostname of a compute instance?

A DNS hostname is a name that corresponds to the IP address of an instance connected to a network. In case of Oracle Cloud Infrastructure VCN, every instance can be configured with a DNS hostname that corresponds to the private IP address of the instance.

A fully qualified domain name (FQDN) of an instance looks like hostname.subnetdnslabel.vcndnslabel.oraclevcn.com, where hostname is the DNS hostname of the instance, subnetdnslabel and vcndnslabel are the DNS labels of the instance's subnet and the VCN respectively.

oraclevcn.com is reserved as the parent domain for DNS hostnames created in Oracle Cloud Infrastructure.

Can I specify a hostname when I create an instance but the subnet does not have a DNS label?

No. Your request will be rejected if you specify a hostname when creating an instance and the subnet does not have a DNS label.

What if I do not specify a hostname when creating an instance?

If you do not specify a hostname for an instance, its display name will be used as the hostname instead. In case the display name does not meet the constraints of a DNS hostname, a heuristic is applied to generate a hostname from the display name.

How do I use DNS hostnames when communicating with other instances in the VCN?

You will be able to use the fully qualified domain name (FQDN) of a target instance, like database1.accounts.contosovcn1.oraclevcn.com, instead of its private IP address to communicate from your instances in the VCN.

Can I use the same hostname for two instances in my VCN?

Yes. You can specify the same hostname for two instances as long as they are in two separate subnets. However, you need to specify a unique hostname for instances within the same subnet.

Can I configure two VCNs with the same domain name (DNS label)?

Yes. You can specify the same DNS label for two VCNs, in which case they will be configured with the same domain name. This does not impact the resolution of DNS hostnames within these VCNs. However, it is a best practice to configure your VCNs with distinct domain names.

Can I configure two subnets in a VCN with the same domain name (DNS label)?

No. You cannot create two subnets in a VCN with the same DNS label. Subnet domain names are unique within the VCN.

Can I configure DNS hostnames for my existing instances created before March 1, 2017?

No. Currently, you cannot configure DNS hostnames for instances created before March 1, 2017.

Can I rename the hostname of my instance?

No. Currently you cannot rename the hostname of your instance after it is created.

Can I rename the DNS label of an existing VCN or a subnet?

No. Currently you will not be able to rename the DNS label for a VCN or a subnet after it is created.

If my subnet is configured to use 'Custom resolver' for DNS, are DNS hostnames created for instances in this subnet?

Yes. DNS hostnames are created for instances irrespective of the DNS type selected for the subnet.

Will DNS hostname resolution work if existing DHCP option uses 'Internet resolver' as the DNS type?

Yes. The 'Internet resolver' DNS type is renamed to 'Internet and VCN resolver' with this feature. You do not need to make any changes to your DHCP options to get DNS hostname resolution if your DHCP options set was previously using 'Internet resolver'.

Can my instance resolve hostnames of instances in other VCNs?

No. You can only resolve hostnames of instances within the VCN.

Can I configure my custom DNS servers to resolve VCN internal DNS hostnames?

Yes, you can do this with custom DNS servers set up within the VCN. You can configure the custom DNS servers to use 169.254.169.254 as the forwarder for the VCN domain (like contoso.oraclevcn.com).

Note that the custom DNS servers should be configured in a subnet that uses 'Internet and VCN resolver' as the DNS type (to allow access to the 169.254.169.254 IP address).

Billing

Do I get charged for using VCN?

There is no charge for creating VCNs and using them. However, usage charges for other Oracle Cloud Infrastructure services (including Compute and Block Volumes) and data transfer charges apply at the published rates. There are no data transfer charges for any communication among resources within a VCN.

How will I get charged when I connect my VCN to my on-premise data center using an IPSec VPN connection?

If you connect your VCN to your on-premise data center using an IPSec VPN Connection, you will only be charged the published Oracle Cloud Infrastructure outbound data transfer rates. There is no hourly or monthly VPN Connection charge.

What are my usage charges if I use other Oracle Cloud Infrastructure resources, such as the Database or Object Storage, from instances inside my VCN?

You don’t incur data transfer charges when accessing other public Oracle Cloud Infrastructure services (such as Object Storage) in the same region. All network traffic via private or public IPs between your instances and other resources inside your VCN (such as a database or load balancer) is free of data transfer charges.

If you access public Oracle Cloud Infrastructure resources via your VPN connection from inside your VCN, you will incur the published outbound data transfer charges.

Do your prices include taxes?

Unless otherwise noted, the Oracle Cloud Infrastructure prices, including outbound data transfer charges, exclude applicable taxes and duties, including VAT and any applicable sales tax.

Additional Questions

Can a VCN span multiple Availability Domains?

Yes, a VCN can span multiple Availability Domains.

How many VCNs, subnets, Internet Gateways, and VPN connections can I create?

For current limits for all services, see Service Limits.

To request a service limit increase for your account, please visit My Oracle Support.
