Oracle Cloud Infrastructure FastConnect – FAQ
What is Oracle Cloud Infrastructure FastConnect?
Oracle FastConnect is a network connectivity alternative to using the public internet for connecting your on-premises data center or network with Oracle Cloud Infrastructure.
Why should I use Oracle FastConnect?
You should use Oracle FastConnect if you require higher bandwidth options that:
- scale with your business needs
- provide 99.95% availability
- offer a more reliable and consistent networking experience when compared to internet-based connections
How do I get started with Oracle FastConnect?
You can create an Oracle FastConnect connection in the Networking section of the Oracle Cloud Infrastructure management console. Click “FastConnect,” and then “Create FastConnect Connection”. For more information, see FastConnect Overview in the documentation.
Can I connect to Oracle Cloud Infrastructure public services through FastConnect?
Yes. You can access Oracle Cloud Infrastructure public service endpoints such as Object Storage through FastConnect.
What Oracle FastConnect offerings are available?
You can connect at your closest Oracle FastConnect locations at port speeds in 1-Gbps and 10-Gbps increments via a provider and 10-Gbps when colocating with Oracle.
What connectivity models are available?
Please see our Connectivity Models page.
What peering types are supported?
Where can I find a list of FastConnect partners by region?
See our Network Provider and Exchange Partners page for the most up-to-date list.
Can I connect to Oracle Cloud Infrastructure if I’m not colocated in an Oracle FastConnect location?
Yes. If your existing network or data center is not colocated within an Oracle FastConnect location, you can instead connect to an Oracle FastConnect location through a connectivity provider (network service provider (NSP) or cloud exchange). For a list of Oracle FastConnect connectivity providers by location, see our Network Provider and Exchange Partners page.
Are there limits on the amount of data that I can transfer and receive using FastConnect?
No, there are no limits on data transfer in or out of the Oracle Cloud when using FastConnect.
What are the technical requirements for the connection?
What Oracle Cloud Infrastructure regions can I connect to with FastConnect?
We have FastConnect service available in all Oracle Cloud Infrastructure regions. For up-to-date information on regional availability, see our Network Provider and Exchange Partners page.
Which services can I access over FastConnect?
For the list of supported cloud services over FastConnect, see FastConnect Supported Cloud Services.
How does FastConnect differ from an IPSec VPN connection?
An IPSec VPN establishes an encrypted network connection over the internet between your network or data center and your Oracle Cloud Infrastructure virtual cloud network (VCN). It's a suitable solution if you have low or modest bandwidth requirements and can tolerate the inherent variability in internet-based connections. FastConnect bypasses the internet. Instead, it uses dedicated, private network connections between your network or data center and your VCN.
Can I use FastConnect and an IPsec VPN to the same VCN simultaneously?
Yes. You can provision FastConnect and an IPSec VPN simultaneously. Typically, you would set up FastConnect as the primary path and the IPSec VPN as a backup path via the internet. The FastConnect path will always be preferred when available, unless you add more specific static routes to the IPSec VPN connection.
In the FastConnect partner model of connectivity, do I receive any additional routes from the provider than those advertised by Oracle Cloud Infrastructure?
No. You shouldn’t see any additional routes from the FastConnect partner.
Can I advertise public and private prefixes over a single FastConnect connection?
Yes. You can advertise both private and public IPv4 prefixes over a FastConnect private virtual circuit. You can advertise only public IPv4 prefixes over a public virtual circuit. Oracle validates the public prefixes that you want to advertise before accepting them.
Does Oracle advertise to other ASNs any routes or prefixes learned over a FastConnect public or private virtual circuit?
No. Oracle does not advertise your routes or prefixes outside of your tenancy.
Can I attach two dynamic routing gateways (DRGs) to a single VCN?
No, only one DRG can be attached to a VCN. And only one VCN can be attached to a DRG. For more information about using DRGs, see Dynamic Routing Gateways (DRGs).
Can I establish connectivity between two VCNs in the same region?
Yes. This is possible with local VCN peering.
Can I establish connectivity between two VCNs across two different regions?
Yes. This is possible with remote VCN peering.
I have a VCN attached to a DRG, and then a second VCN peered with the first VCN. Can I send traffic from my on-premises network through the FastConnect virtual circuit and on to the peered VCN?
No. The DRG cannot forward traffic to the peered VCN. The DRG is only aware of the subnets in the first VCN and the on-premises network advertised over the FastConnect virtual circuit.
Does FastConnect span across compartments?
Yes. With FastConnect, you can connect to resources in all compartments in your tenancy.
Does FastConnect span across tenancies?
No. FastConnect does not currently span tenancies. Your FastConnect virtual circuit can enable access only to resources in the tenancy where the virtual circuit was established.
Can I connect to the internet through a FastConnect connection?
I am running into a service limit when I try to create more CPEs, DRGs, FastConnect virtual circuits, and cross-connects. How can I increase these limits?
You can request a service limit increase. See Service Limits.
Billing and Pricing
How will I be charged and billed for Oracle FastConnect? Do I pay for data transfer?
Oracle charges only for port hours consumed and not data transfer. If you connect to an Oracle FastConnect location through a connectivity provider, the provider bills you separately for the bandwidth you provision with them and any additional fees they have. For the billing model and pricing for FastConnect, see our FastConnect Pricing page. The charges you incur do not include any fees that the network provider or data center provider may charge you separately for connectivity.
Are there any setup charges or minimum service commitments with Oracle FastConnect?
There are no setup charges and you may cancel the service at any time. Services provided by our connectivity providers may have other terms and restrictions.
What defines billable port hours?
Port hours are billed after the connection between the Oracle FastConnect router and your router is established, or 30 days after you ordered the port, whichever comes first. Port charges will continue to be billed as long as the Oracle FastConnect port is provisioned for your use. If you no longer want to be charged for your port, delete your port from the Oracle Cloud Infrastructure console. What defines a "port"? That depends on your connectivity model:
- If you are connected through a FastConnect provider, the billable port is the virtual circuit. You're charged based on the bandwidth level you choose for the virtual circuit. You pay a fixed dollar amount per 1 Gbps. For example, if you specify 1 Gbps for your virtual circuit, you're charged at one times the hourly rate as specified here. If you choose 2 Gbps for the virtual circuit, you're charged 2 times that hourly price, and so on.
- If you are directly connected (either colocated in a FastConnect location, or connected using a third-party network provider), the billable port is the cross-connect (physical port). You are NOT charged based on the number of virtual circuits or their bandwidth level.
Do I pay for data transfer between availability domains when I connect into an Oracle Cloud Infrastructure region through FastConnect?
No. There is no charge for data transfer between availability domains within a region.
What are the data transfer limits when using FastConnect?
There are no data transfer limits up to the amount of your provisioned port.
If FastConnect is activated, is the billing of the port hours related to traffic sent or received on the Fast Connect virtual circuit? Does a minimum amount of data need to go over the FastConnect virtual circuit for billing to commence?
Oracle does not charge for inbound and outbound data transfer. In the colocation or direct cross-connect model, your metering starts when the cross-connect moves to the "Provisioned" state, or after 30 days (whichever is earlier). Metering stops when the cross-connect moves to the "Terminated" state. In the FastConnect provider model, metering starts when the virtual circuit moves to the "Provisioned" state.
High Availability and Best Practices
Which availability domains can I connect to through FastConnect? Do I need to order a separate FastConnect for each availability domain?
You can connect to all availability domains in the region through a single FastConnect virtual circuit. You don't need any other medium of connectivity between the availability domains.
Can I connect to two or more regions with a single FastConnect?
No. You must provision two FastConnect virtual circuits if you want to connect to two different regions.
Does FastConnect provide redundant connections?
We recommend having a minimum of two connections for redundancy. You can land the connections on different FastConnect edge devices.
Will a FastConnect link failure cause loss in connectivity to my resources?
If you have a single FastConnect connection (physical port or virtual circuit) to Oracle Cloud Infrastructure, you might experience a loss in connectivity when that path goes down. Therefore redundant physical and logical (virtual circuits) connections are recommended. If you like, you can use an IPSec VPN as a redundant connection.
Does FastConnect offer a service level agreement (SLA)?
If you are redundantly connected, a 99.9% SLA is guaranteed for the FastConnect service.
What happens if I have a FastConnect virtual circuit and an IPSec VPN terminating on the same DRG?
Oracle overrides the default route selection behavior to prefer FastConnect BGP routes over the IPSec VPN static routes if a static route overlaps with a route advertised by your on-premises network. If the static route is more specific than the BGP route, the static route over the IPSec VPN takes precedence for outbound traffic from Oracle.
What is the failover mechanism for IPSec VPN and FastConnect?
If an IPSec VPN and a FastConnect virtual circuit terminate on the same DRG, Oracle always prefers FastConnect for egress (outbound) traffic, assuming that the IPSec VPN static route is not more specific than the FastConnect BGP route. If the FastConnect virtual circuit goes down, the DRG detects this failure and starts sending traffic over the IPSec VPN tunnel, provided a static route exists. If the FastConnect virtual circuit recovers, traffic switches back over to the FastConnect path.
When using an IPSec VPN for redundancy, what happens to outbound traffic if the FastConnect drops or recovers?
The DRG detects the availability of the FastConnect virtual circuit and starts forwarding egress (outbound) traffic through the IPSec VPN accordingly. If the FastConnect virtual circuit and the IPSec VPN connection terminate on the same CPE device on your end (not recommended), then the CPE must support asymmetric routing.
How does the DRG know that the FastConnect is down?
One of the technical requirements for FastConnect is having an LACP timer. Oracle supports aggressive LACP timers. You can enable LACP timers by using link aggregation. LACP timers detect the physical failures faster than standard BGP timers. If LACP timers are not set up, the DRG relies on BGP timers to detect FastConnect virtual circuit availability.
What can I do to create redundant Oracle FastConnect connections?
Oracle provides three components to help you implement highly available connections:
- Multiple Oracle FastConnect locations within each region (data center redundancy)
- Multiple providers in each Oracle FastConnect location (provider redundancy)
- Multiple physical circuits in each Oracle FastConnect location (circuit redundancy)
If I create separate compartments for redundancy, can I easily share a single FastConnect between the two compartments with minimal manual intervention?
There is no manual intervention needed to share FastConnect across compartments. The DRG is attached to the VCN, and all instances inside the VCN (whether they're in the same compartment or spread across different ones) can have their traffic routed through that DRG, over the FastConnect, and on to your network or data center.
How we can I connect other cloud service providers (CSPs) to Oracle Cloud Infrastructure?
You can establish connectivity using a software VPN, or through a FastConnect provider that has connectivity to the other CSP.
Cross-Connects and LAG
Can I bundle FastConnect cross-connects?
Yes. Oracle supports link aggregation (LAG), where you aggregate one or more ethernet interfaces to form a logical point-to-point link. Specifically, Oracle supports the Link Aggregation Control Protocol (LACP).
What is the maximum number of links I can have in a LAG group?
What port types is LAG available on?
LAG is available for 10-Gbps ports.
If I'm using a FastConnect provider, can I configure or request the use of LAG?
This is between you and the provider. You can work with provider to have LAG configured for their connection.
Does Oracle support multi-chassis LAG?
No. LAG includes only ports on the same Oracle router.
How do I add links to my LAG once it’s set up?
You can request another port for your LAG, but if one is not available on the same chassis, you must order a new LAG and migrate your connections. For example, if you have 3x 10G links and would like to add a fourth, but no port is available on that chassis, you must order a new LAG of 4x 10G ports.
Oracle is out of ports and I have to order a new LAG, but I already have virtual circuits configured on the existing LAG. How do I move those?
You can have multiple virtual circuits attached to your DRG at the same time. Create the new virtual circuits on your new bundle, and then move traffic from your on-premises network over. Remember to delete the old virtual circuits so Oracle stops billing you for them.
Can I delete my LAG bundle all at once?
Yes, but just like a regular connection you won’t be able to delete it if you have virtual circuits using it. First you must delete the virtual circuits, and then you can delete the LAG.
If I have only two ports in my LAG, can I still delete one?
Yes. You can have a single port in a LAG.
Can I order a LAG with only one port?
Yes. However, Oracle recommends that you set up two ports to different devices for redundancy.
When I associate my existing FastConnect connection with a LAG, what happens with existing virtual circuits already created with FastConnect connection?
When a FastConnect connection with existing virtual circuits is associated to a LAG, virtual circuits are migrated to the LAG.Please note that certain parameters associated with virtual circuits needs to be unique like VLAN, BGP peer info etc. and need to be moved to LAG.
Why do I need to configure LACP for my LAG?
LACP provides automatic determination, configuration, and monitoring of member links. If one of the physical links in the LAG goes down, traffic is dynamically and transparently reassigned to one of the other physical links. LACP lets devices send Link Aggregation Control Protocol Data Units (LACPDUs) to each other to establish a link aggregation connection.
Does having a LAG make my connection more resilient?
LAG lets you protect against single-path failures between your data center and Oracle. It doesn't protect against device failure.
Can I have virtual circuits on two different LAGs or cross-connect groups connected to the same DRG?
Yes. It's similar to having a virtual circuit on two different physical ports. This provides physical redundancy for FastConnect virtual circuits or BGP.
Can a virtual circuit be attached to more than one DRG?
No. A virtual circuit can be attached only to a single DRG.
I'm colocated with Oracle. Are there limits on how many virtual circuits I can have to my DRG?
There's no limit, but you must use a unique VLAN and BGP information for each virtual circuit. You're not charged per virtual circuit.
What IP address is assigned to each end of a virtual circuit?
For a private virtual circuit, you can specify a /30 or /31 network of your choice, and those IP addresses are assigned to the virtual circuit during the provisioning process. The IP addresses are used for BGP peer establishment. For a public virtual circuit, Oracle Cloud Infrastructure chooses the BGP IP addresses.
What routes will I receive from Oracle over a private virtual circuit?
For a private virtual circuit, Oracle advertises the subnets in your VCN.
Can I influence routes advertised out of Oracle?
If I have a public ASN, will it work for private virtual circuit?
Yes. You can use either a private ASN in the 64512-65535 range, or a public ASN that you own.
If I want to change the bandwidth of my virtual circuit, will the virtual circuit need to be totally re-provisioned?
No it doesn't need to be re-provisioned. If you're connected through an Oracle partner, make sure to change the bandwidth setting on both the partner side and Oracle side. Depending on the partner, you can change it on the partner side and the change is automatically propagated to the Oracle side.
If I add a public virtual circuit to a cross-connect group, does it affect my existing private virtual circuit?
No. They are separate virtual circuits.
What public IP prefixes can I advertise over BGP for public virtual circuits?
You can advertise public routes that are /31 and less specific. The prefixes must be registered to your organization. Oracle verifies your organization's ownership of each prefix before sending any traffic for it across the connection.
What prefixes does Oracle advertise to my network over the public virtual circuit?
Oracle advertises the local, regional, public aggregate routes that are /24 and less specific, except the default route.
Can I verify the routes that Oracle is receiving?
Can I bring my own public IP addresses, assign them to my cloud resources, and access these resources over FastConnect public peering?
No, not currently.
What IP addresses can I use for my public virtual circuit?
For a public virtual circuit, Oracle provides the public IP addresses. They're from the range 169.254.0.0/16.
How long does it take for the public routes to get installed once I advertise?
Oracle's verification for a given public prefix that you submit can take up to three business days. Oracle begins advertising the Oracle Cloud Infrastructure public IP addresses across the connection only after successfully verifying at least one of your public prefixes.
Other Technical Questions
Is traffic flowing over FastConnect encrypted?
Oracle FastConnect provides dedicated, private connectivity. Traffic flowing over the connection is not encrypted.
What is an Autonomous System Number (ASN) and do I need one to use FastConnect?
The BGP ASN is used to define networks that are under a single administrative domain. For a FastConnect private virtual circuit, you can use a public ASN that you own, or you can pick any private ASN number between 64512 and 65535. For a FastConnect public virtual circuit, you must use a public ASN that you own.
What are the BGP attributes supported over FastConnect to load balance traffic?
We honor AS_Path as a BGP attribute.
What is the frame size (MTU) supported over FastConnect? Are jumbo frames supported?
The interfaces on the FastConnect devices support a maximum Media MTU of 9196 (this includes the 4-byte FCS/CRC Ethernet trailer). It's imperative that the Media MTU between Oracle's devices and yours are identical to avoid the potential of jumbo frames being silently discarded at the MAC-layer without an ICMP Type 3 Code 4 (Fragmentation Needed and DF bit set) message being sent to the sender. For more information, see Hanging Connection.
Does the MTU change at all?
No. The MTU does not change.
Does FastConnect support Bidirectional Forwarding Detection (BFD)?
No, not currently.
Does FastConnect support a default route? Can I advertise a default route over FastConnect BGP connection?
Does my DRG support dynamic routing?
DRGs support dynamic routing over FastConnect, but not over IPSec VPN.
Is IPv6 supported over FastConnect?
No, not currently.
Does FastConnect support multi-hop BGP?
No, not currently.
Can I customize configuration parameters such as IKE ID or IPSec VPN tunnel lifetime on the DRG?
No. Oracle has predetermined the configuration parameters that work with the IPSec VPN service. Your IPsec VPN can't be established if there is a mismatch.
Can Oracle initiate the IPsec VPN connection?
No. You must initiate it from your end.
Is an IPSec VPN supported over FastConnect?
No, FastConnect and the IPSec VPN are two different services.
Can packets from the VCN be sourced with the public IP of the DRG? In other words, can the DRG source the NAT VCN traffic?
No. Packets from the VCN have the private IP address of the instance as a source IP address. Oracle cannot change the source IP address to the private or public IP address of the DRG.
Oracle has provided two VPN endpoints to build tunnels to. Does Oracle route the same network over both tunnels?
Yes. Traffic for all the subnets in the VCN attached to your DRG is routed over both tunnels.
How many VPN tunnels can I have from a single CPE device?
You can have a maximum of eight tunnels from a unique CPE IP address per region. If you want more than eight tunnels, either use a different IP address for the additional ones, or use a different CPE device (recommended).
I have two different services (Service X and service Y) provisioned on Oracle cloud, and I plan to access them over FastConnect Classic. Do I need two FastConnect circuits?
It depends on the way services are set up. For example, if you plan to provision one service onpublic peering and the other on private peering, you must have two FastConnect Classic circuits. If you instead plan to provision both services on public peering, one FastConnect Classic circuit is enough. However, if you plan to provision both services over private peering, whether you must have one or two FastConnect Classic circuits depends on the private gateway and IP Networks setup.
Can a Service X instance talk to a Service Y instance over FastConnect Classic if they are provisioned in different data center regions?
No. FastConnect provides connectivity from your on-premises or colocated data center to an Oracle data center, and not connectivity between two Oracle data centers. However, some services can communicate over the Oracle backbone network. Check with the ECA or Cloud Pursuit specialist to review your design further.
I have two Compute Identity Domains. Can I have a single FastConnect Classic private peering to access them both?
No. Your Private Gateway is attached to a single Compute Identity Domain and cannot span across two. You must provision two FastConnect Classic circuits.
How many prefixes can I advertise over FastConnect Classic?
Public peering has a limit of 200 public IP prefixes. Private peering has a limit of 2000 IP prefixes.
What if I exceed the prefix advertisement limit?
When you exceed the number of prefix advertisements, the BGP session for the connection is brought down for 60 minutes. After that, Oracle checks the the prefix advertisements being received. If the limit is no longer being exceeded, the BGP session is re-established. If the limit is still being exceeded, the session is kept down for another 60 minutes. This process repeats until the prefix advertisements are back to within allowed limits.
Can I advertise a default route (0.0.0.0/0) over FastConnect Classic?
Over public peering, all default routes and private IP advertisements are dropped. Over private peering, because of an Oracle internal limitation, you cannot advertise a default route yet. As a workaround until a fix is in place,, you can advertise a 0.0.0.0/2 route.
What if I do not own any public IP prefixes? How can I access a cloud service over public peering?
If the cloud services you plan to access are supported only over public peering, and if you do not own public IP prefixes, you can lease public IP space from your provider or a reseller and provide a letter of authorization.
I have Oracle Cloud Infrastructure services and Oracle Cloud Infrastructure Classic services provisioned in the same region. Can I configure one FastConnect connection to access both?
No. Currently, Oracle Cloud Infrastructure and Oracle Cloud Infrastructure Classic FastConnect services are offered as two different independent services.
I have made changes to my network an need to advertise new public IP addresses. How should I notify Oracle about this change?
Please open a My Oracle Support service request and specify your new public IP prefixes along with your FastConnect Classic ID (which you can obtain from the Compute Classic UI).
How many FastConnect Classic virtual circuits can I create?
There is no limit.
How many FastConnect Classic cross-connects can I create?
There is no limit. Your primary and secondary cross-connects must be UP before you can create any additional ones.
How many private gateways can I communicate with over a single FastConnect Classic virtual circuit?
Only one. You can have multiple IP Networks attached to a single private gateway and communicate with them over your FastConnect Classic connection.
What are the best practices for setting up a private gateway?
Plan to set up multiple non-overlapping IP networks and a single private gateway. When you attach the IP networks to the private Gateway, FastConnect Classic will advertise the IP networks to your on-premises edge device.
How can I establish communication between a VCN in Oracle Cloud Infrastructure and a private gateway in Oracle Cloud Infrastructure Classic?
You can set up a private connection if your VCN and IP networks meet the basic requirements. For more information, see Access to Oracle Cloud Infrastructure Classic. As an alternative, you can use an IPSec VPN.
Public Peering between Oracle Cloud Infrastructure Classic and Oracle Cloud Infrastructure
Is Public Peering enabled between Oracle Cloud Infrastructure Classic and Oracle Cloud Infrastructure?
Public peering between Oracle Cloud Infrastructure Classic and Oracle Cloud Infrastructure is now enabled in Oracle Cloud Infrastructure’s London and Ashburn regions.
What is an example use case for this public peering capability?
Customers who have public peering virtual circuits to Oracle Cloud Infrastructure Classic may now access public services in Oracle Cloud Infrastructure and migrate their data to Oracle’s next generation cloud platform. Traffic moving from Oracle Cloud Infrastructure Classic to Oracle Cloud Infrastructure will not traverse the public Internet and will remain on private, dedicated links between Oracle FastConnect routers.
Which Oracle Cloud Infrastructure services can be accessed using public peering?
Public resources in Oracle Cloud Infrastructure include object storage, public load balancers in customer VCNs, public IPS on Compute, or supported SaaS services.
Are there restrictions on the regions that can be peered?
- The two environments must be in the same geographical area (Ashburn or London), and the connection is available only between these specific regions:
- Between Oracle Cloud Infrastructure us-ashburn-1 region and Oracle Cloud Infrastructure Classic uscom-east-1 region
- Between Oracle Cloud Infrastructure uk-london-1 region and Oracle Cloud Infrastructure Classic gbcom-south-1 region
- The two environments must belong to the same company. Oracle validates this when setting up the connection.
Are there costs to enable Public Peering?
There are standard costs for provisioning a public peering virtual circuit to Oracle Cloud Infrastructure Classic, but once that is in place, there are no additional costs for Public Peering with Oracle Cloud Infrastructure.
How do I order Public Peering?
You file a ticket with My Oracle Support and Oracle provisions a connection between the IP network's private gateway and the VCN's attached dynamic routing gateway (DRG). The connection runs over Oracle's network and not the internet.
What if I need to move data between different regions or companies?
- You can set up an IPSec VPN between the IP network's VPN as a Service (VPNaaS) gateway and the VCN's attached DRG. That connection runs over the internet.
- The two environments do not have to be in the same geographical area or regions.
- The two environments do not have to belong to the same company.