Dec 12, 2023
00:00
Welcome to the Oracle University Podcast, the first stop on your
cloud journey. During this series of informative podcasts, we’ll
bring you foundational training on the most popular Oracle
technologies. Let’s get started.
00:26
Lois: Hello and welcome to the Oracle University Podcast. I’m Lois
Houston, Director of Innovation Programs with Oracle University,
and with me is Nikita Abraham, Principal Technical Editor.
Nikita: Hi everyone. We hope you’ve been enjoying these last few
weeks as we’ve been revisiting our most popular episodes of the
year.
00:47
Lois: Today’s episode is the fourth of six we’ll have in this
series and it’s a throwback to a conversation with Rohit Rahi, our
Vice President of CSS OU Cloud Delivery, talking about Networking
in OCI. We began by asking Rohit to explain what a Virtual Cloud
Network is. Let’s listen in.
01:06
Rohit: At its core, it's a private software-defined network you
create in Oracle Cloud. It's used for secure communication. Whether
it's instances talking to each other, instances talking to on-premises
environments, or instances talking to other instances in different
regions, you would use a Virtual Cloud Network.
It lives in an OCI region. Like we said, it's a regional service.
It's highly available, massively scalable, and secure. And we take
care of these things for you. So before we dive deep into the VCN
and all the characteristics and all the features it has, let's look
at some of the basic stuff.
01:44
Rohit: So the first thing is a VCN has an address space. In this
case, you see this address space is denoted in CIDR notation.
CIDR stands for Classless Inter-Domain Routing.
The VCN has an IP addressing range. And what that means is you have
an address range. You take that range. And you can break it down
into smaller networks which are called subnetworks. And these
subnetworks are where you would instantiate your compute
instances.
02:16
Nikita: And what can you tell us about the different mechanisms
that exist inside a VCN?
Rohit: So first, there is a notion of internet gateway. This is a
gateway which is massively scalable, highly available, and is used
for communication to anything on the internet.
So if you have a web server which wants to talk to other websites
on the web being able to be accessed publicly, you would use an
internet gateway. So going to the internet and coming back from the
internet. You also have this highly available, massively scalable
router called NAT gateway. And it is used for providing NAT as a
service.
02:53
Rohit: So what this means is the traffic is unidirectional. It can
go from your private subnets to the internet. But users from the
internet cannot use the NAT gateway to reach your instances running
in a private subnet. So the idea with the NAT gateway is to enable
outbound communication to the internet, but block inbound
communications or connections initiated from the
internet.
Then we have another router which is called Service Gateway. And
the idea is it lets resources in VCN access public OCI services
such as object storage, but without using an internet or NAT
gateway. So these are the three scenarios: Internet gateway for
internet, NAT gateway also for internet but unidirectional, and
Service gateway for accessing OCI public services, which are
available on the internet but accessing them in a secure
manner.
And then the other construct is called Dynamic Routing Gateway.
This is a virtual router that provides a path for private traffic
between your VCN and destinations other than the
internet.
04:00
Lois: So what can these destinations be?
Rohit: Well, this can be your on-premises environment. A VCN uses
route tables to send traffic out of the VCN to the internet, to
on-premises networks, or to peered VCNs, and we'll look at each of
these scenarios.
Route tables consist of a set of route rules. Each rule specifies a
destination CIDR block and a route target. Think about route target
as the next hop for the traffic that matches that destination CIDR
block.
Now, one thing to keep in mind is traffic within the VCN subnet is
automatically handled by the VCN local routing.
04:44
Lois: Want to get the inside scoop on Oracle University?
Head on over to the all-new Oracle University Learning Community.
Attend exclusive events. Read up on the latest news. Get first-hand
access to new products and stay up-to-date with upcoming
certification opportunities.
If you are already an Oracle MyLearn user, go to MyLearn to join
the Community. You will need to log in first. If you have not yet
accessed Oracle MyLearn, visit mylearn.oracle.com and create an
account to get started.
Join the Community today!
05:20
Nikita: Getting back to our discussion… if you have multiple
networks, how do they talk to each other?
Rohit: So there are two scenarios which are possible here. If the
networks are within the same OCI region, they can talk to each
other through a mechanism called local peering. If the two networks
are in two different OCI data center regions, then you have the
same concept, a similar concept, but it's a remote peering now. And
instead of using local peering, now you're using the Dynamic
Routing Gateways. Remember we talked about Dynamic Routing Gateways
used for on-premises communication, anything which is not for
internet. So this is also a use case for Dynamic Routing Gateway
enabling communication between networks in different
regions.
06:05
Rohit: So within VCN, you have this concept of security list. Think
about security list as firewall rules associated with a subnet and
applied to all instances inside the subnet. So what does it look
like? The security list consists of rules that specify the type of
traffic allowed in or out of the subnet. This applies to a given
instance, whether it is talking with another instance in the VCN or
a host outside the VCN.
There's also another concept, which is called network security
groups, or NSGs. These are a very similar construct to a security
list, but the key difference is these apply only to a set of virtual
network interface cards in a single VCN. And another big difference
here is NSGs can be the source or destination in the rules.
Contrast this with the security list rules, where you specify a
CIDR, only a CIDR, as the source or destination.
07:06
Lois: Thanks for that, Rohit. To learn more about OCI, please visit
mylearn.oracle.com, create a profile if you don’t already have one,
and get started learning on our free OCI Foundations
training.
Nikita: You can also practice what you learn in a safe environment
with our hands-on labs, without the anxiety of working in a live
environment.
07:27
Nikita: We hope you enjoyed that conversation. Join us next week
for another throwback episode. Until then, this is Nikita
Abraham...
Lois: And Lois Houston, signing off!
07:37
That’s all for this episode of the Oracle University Podcast. If
you enjoyed listening, please click Subscribe to get all the latest
episodes. We’d also love it if you would take a moment to rate and
review us on your podcast app. See you again on the next episode of
the Oracle University Podcast.