Routing Details for Connections to the On-premises Network

You might use several site-to-site connections between the on-premises network and Virtual Cloud Network (VCN) for redundancy or other reasons.

For example, you might use both FastConnect private peering and Site-to-Site VPN to the Dynamic Routing Gateway (DRG) attached to a VCN. Or you might use redundant Site-to-Site VPN connections to the DRG (for an example scenario, see Example Layout with Multiple Geographic Areas). Or you might use FastConnect public peering, FastConnect private peering, and Site-to-Site VPN.

This topic covers important details about route advertisement and path preferences when you have several connections.

DRG Route Advertisements to the On-Premises Network

FastConnect private peering and Site-to-Site VPN provide the on-premises network with private access to a VCN. Both types of connections terminate on a single DRG attached to the VCN. Remember that Site-to-Site VPN can use either Border Gateway Protocol (BGP) or static routing, or a combination. FastConnect always uses BGP for route advertisements.

For attachments to virtual circuits and IPSec tunnels configured to use dynamic routing, the DRG advertises all routes contained in their assigned DRG route table.

If an attached VCN is using ingress routing to grant access to Oracle services through the VCN's service gateway, you can observe the route listed as a single mnemonic route using the ListDrgRouteRules API operation. When this route is propagated to another DRG through an RPC or advertised to the on-premises network using BGP, it appears as a set of literal rules. For a list of those ranges, see Public IP Addresses for VCNs and the Oracle Services Network.

Important

If you're using Site-to-Site VPN with static routing, and the VCN is configured to give the on-premises network private access to Oracle services, you must configure the edge device with the routes for the Oracle Services Network public IP ranges that the DRG advertises over the private path (through the service gateway). For a list of those ranges, see Public IP Addresses for VCNs and the Oracle Services Network.

Using AS_PATH to Prefer Routes from Oracle to the On-premises Network

This section describes in greater detail how the BGP AS_PATH attribute can be used to influence route selection in the context of a single DRG route table.

If the routes for the different paths are the same, Oracle uses the shortest AS path when sending traffic to the on-premises network, regardless of which path was used to start the connection to Oracle. Therefore asymmetric routing is allowed. Asymmetric routing here means that Oracle's response to a request can follow a different path than the request. For example, depending on how the edge device (also called customer-premises equipment, or CPE) is configured, you could send a request over Site-to-Site VPN, but the Oracle response could come back over FastConnect. To force routing to be symmetric, we recommend using BGP and AS path prepending with routes to influence which path Oracle uses when responding to and starting connections.

Oracle implements AS path prepending to establish preference on which path to use if the edge device advertises the same route and routing attributes over several different connection types between the on-premises network and VCN. The details are summarized in the following table. Unless you're influencing routing in some other way, when the same route is advertised over several paths to the DRG at the Oracle end of the connections, Oracle prefers the paths in the following order:

| Oracle preference | Path | Details of how Oracle prefers the path | Resulting AS path for the route |
|---|---|---|---|
| 1 | FastConnect | Oracle prepends no ASNs to the routes that the edge device advertises, for a total AS path length of 1. | On-premises ASN |
| 2 | Site-to-Site VPN with BGP routing | Oracle prepends a single private ASN on all the routes that the edge device advertises over Site-to-Site VPN with BGP, for a total AS path length of 2. | Private ASN, On-premises ASN |
| 3 | Site-to-Site VPN with static routing | Oracle prepends 3 private ASNs on the static routes that you provided (Oracle advertises those routes to the Dynamic Routing Gateway (DRG) at the Oracle end of the IPSec VPN). This results in a total AS path length of 3. | Private ASN, Private ASN, Private ASN |

The preceding table assumes you're sending a single autonomous system number in the AS path. Oracle honors the complete AS path you send. If you use static routing, and also send an AS path that has "On-premises ASN" plus two or more other ASNs, it can cause unexpected behavior because Oracle's routing preference might change.
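The following is an added example, not Oracle's code: it simulates the prepending rules from the table and the shortest-AS-path rule so you can predict which path Oracle will use for return traffic before changing anything on the edge device. `ONPREM_ASN`, `PRIVATE_ASN`, the prefix and the scenario functions are all constructed for illustration; the page does not state the value of the private ASN Oracle prepends.

```python
"""Oracle-side path selection for traffic to the on-premises network.

Added example (not Oracle's code).  Models the AS path prepending from the
table above and the shortest-AS-path rule.  ONPREM_ASN and PRIVATE_ASN are
placeholders; the page does not state the private ASN Oracle actually uses.
"""
from dataclasses import dataclass

ONPREM_ASN = 65000   # placeholder: the edge device's own ASN
PRIVATE_ASN = 64512  # placeholder for the private ASN Oracle prepends

# Number of private ASNs Oracle prepends per path type (from the table).
ORACLE_PREPEND = {"fastconnect": 0, "vpn_bgp": 1, "vpn_static": 3}


@dataclass(frozen=True)
class Advertisement:
    path: str        # one of the ORACLE_PREPEND keys
    prefix: str      # on-premises prefix, e.g. "10.0.0.0/16"
    as_path: tuple   # AS path as sent by the edge device; () for a static route


def as_path_at_drg(adv):
    """AS path the DRG sees after Oracle prepends for this path type."""
    if adv.path not in ORACLE_PREPEND:
        raise ValueError(f"unknown path type: {adv.path!r}")
    return (PRIVATE_ASN,) * ORACLE_PREPEND[adv.path] + tuple(adv.as_path)


def oracle_preferred_path(advs):
    """Path Oracle uses for one prefix: the shortest AS path wins.

    Returns None when the two best paths tie on length; the page does not
    describe Oracle's further tie-breakers, so a tie means AS_PATH alone no
    longer controls the outcome.
    """
    if len({a.prefix for a in advs}) != 1:
        raise ValueError("compare advertisements of a single prefix")
    ranked = sorted(advs, key=lambda a: len(as_path_at_drg(a)))
    if len(ranked) > 1 and len(as_path_at_drg(ranked[0])) == len(as_path_at_drg(ranked[1])):
        return None
    return ranked[0].path


def default_scenario():
    """Same prefix over all three connection types, no customer prepending."""
    advs = [
        Advertisement("fastconnect", "10.0.0.0/16", (ONPREM_ASN,)),
        Advertisement("vpn_bgp", "10.0.0.0/16", (ONPREM_ASN,)),
        Advertisement("vpn_static", "10.0.0.0/16", ()),
    ]
    return oracle_preferred_path(advs)  # FastConnect: AS path length 1


def prefer_vpn_scenario():
    """Edge device prepends its own ASN twice on FastConnect so that Oracle's
    replies come back over the BGP-routed VPN tunnel (length 2 beats 3)."""
    advs = [
        Advertisement("fastconnect", "10.0.0.0/16", (ONPREM_ASN,) * 3),
        Advertisement("vpn_bgp", "10.0.0.0/16", (ONPREM_ASN,)),
        Advertisement("vpn_static", "10.0.0.0/16", ()),
    ]
    return oracle_preferred_path(advs)


def over_prepend_scenario():
    """Prepending twice on FastConnect with only a static VPN as backup yields
    equal lengths (3 and 3): Oracle honors the full path you send, so the
    preference is no longer decided by AS_PATH."""
    advs = [
        Advertisement("fastconnect", "10.0.0.0/16", (ONPREM_ASN,) * 3),
        Advertisement("vpn_static", "10.0.0.0/16", ()),
    ]
    return oracle_preferred_path(advs)


if __name__ == "__main__":
    for fn in (default_scenario, prefer_vpn_scenario, over_prepend_scenario):
        print(f"{fn.__name__}: {fn()}")
```

The third scenario is the practical caveat: the amount you prepend has to be chosen against the lengths in the table, otherwise two paths end up equal and the choice falls to tie-breakers this page does not describe.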

While policy-based VPN static routing behavior is documented earlier, Oracle also recommends that if you use FastConnect connections with VPN backup, you use BGP on the IPSec route-based VPN. This strategy gives you full control of failover behavior.

Routing Preferences for Traffic from an On-premises Network to Oracle

You can configure an edge device to prefer a specific path when sending traffic from the on-premises network to Oracle. The following section describes a particular situation where you must do that to ensure a consistent traffic path if the on-premises hosts use Oracle services.

The on-premises network can access public Oracle Services Network services such as Object Storage over several paths. You can use public paths, such as the internet or FastConnect public peering. With these public paths, the on-premises hosts communicate with Oracle services by using public IP addresses.

You can also set up the on-premises network with private access to Oracle services through the VCN's service gateway. A service gateway lets hosts in the on-premises network use any of the services listed in Service Gateway: Supported Cloud Services in Oracle Services Network and communicate with those Oracle services from private IP addresses.

If you configured the on-premises network with several connection paths to Oracle services, the edge device might receive route advertisement of the Oracle services' public IP address routes over several paths. Here are the possible paths you can use with the on-premises network:

  • Public access paths:
    • Internet service provider (ISP)
    • FastConnect public peering
  • Private access paths by way of the VCN's DRG and service gateway:
    • FastConnect private peering
    • Site-to-Site VPN

The edge device receives route advertisements from the DRG and possibly from routers over public paths. Most of the routes for Oracle services that the DRG advertises have a longer prefix (they're more specific) than the routes for Oracle services that are advertised over the public access paths, but not all of them do. Therefore, if you set up the network with both public access and private access to Oracle services, you must configure the edge device to prefer the private access path to the DRG for traffic from the on-premises network to Oracle services. Preferring the private path in this way ensures a consistent path for access to Oracle services.

For a list of the public IP ranges advertised over FastConnect public peering, see FastConnect Public Peering Advertised Routes.

For a list of the regional public IP ranges advertised over the private paths (for a VCN with a service gateway), see Public IP Addresses for VCNs and the Oracle Services Network.
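The following is an added example, not Oracle's or any vendor's code, showing why the edge-device preference matters. It models a CPE that learns the same Oracle service prefixes over the public paths (ISP, FastConnect public peering) and the private paths (DRG over FastConnect private peering and Site-to-Site VPN), runs a simplified BGP decision (highest LOCAL_PREF, then shortest AS_PATH) and longest-prefix match, and compares the result with and without a policy that raises LOCAL_PREF on DRG-learned routes. All prefixes (RFC 5737 documentation space), ASNs and neighbor names are constructed placeholders, not Oracle's real advertised ranges.

```python
"""Edge-device (CPE) path selection for traffic to Oracle services.

Added example, not from Oracle or any vendor.  All prefixes and ASNs are
constructed placeholders, not Oracle's real advertised routes.
"""
import ipaddress
from dataclasses import dataclass, replace

ORACLE_ASN = 64600          # placeholder for Oracle's ASN
TRANSIT_ASN = 64700         # placeholder for an ISP on the public path
ORACLE_PRIVATE_ASN = 64512  # placeholder for the private ASN prepended on VPN
DRG_NEIGHBORS = {"drg_fc_private", "drg_vpn"}


@dataclass(frozen=True)
class LearnedRoute:
    prefix: str
    neighbor: str          # isp | fc_public | drg_fc_private | drg_vpn
    as_path: tuple
    local_pref: int = 100  # BGP default


# Constructed RIB: the DRG advertises a more specific /25 over FastConnect
# private peering, but only the same /24 as the public paths over the VPN.
LEARNED = [
    LearnedRoute("192.0.2.0/24", "isp", (TRANSIT_ASN, ORACLE_ASN)),
    LearnedRoute("192.0.2.0/24", "fc_public", (ORACLE_ASN,)),
    LearnedRoute("192.0.2.0/25", "drg_fc_private", (ORACLE_ASN,)),
    LearnedRoute("192.0.2.0/24", "drg_vpn", (ORACLE_PRIVATE_ASN, ORACLE_ASN)),
]


def prefer_private(routes, local_pref=200):
    """Inbound policy: raise LOCAL_PREF on everything learned from the DRG."""
    return [replace(r, local_pref=local_pref) if r.neighbor in DRG_NEIGHBORS else r
            for r in routes]


def best_per_prefix(routes):
    """Decision steps modelled: highest LOCAL_PREF, then shortest AS_PATH."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    return {p: max(cands, key=lambda r: (r.local_pref, -len(r.as_path)))
            for p, cands in by_prefix.items()}


def next_hop_neighbor(best, dst):
    """Longest-prefix match over the selected routes; returns the neighbor."""
    addr = ipaddress.ip_address(dst)
    hits = [p for p in best if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    longest = max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best[longest].neighbor


DESTINATIONS = ("192.0.2.10", "192.0.2.200")  # one inside the /25, one outside


def paths_without_policy():
    """Default LOCAL_PREF: the /25 goes private, the rest of the /24 goes public."""
    best = best_per_prefix(LEARNED)
    return {d: next_hop_neighbor(best, d) for d in DESTINATIONS}


def paths_with_policy():
    """With DRG routes preferred, every destination takes a private path."""
    best = best_per_prefix(prefer_private(LEARNED))
    return {d: next_hop_neighbor(best, d) for d in DESTINATIONS}


if __name__ == "__main__":
    print("without policy:", paths_without_policy())
    print("with policy:   ", paths_with_policy())
```

Without the policy, traffic to hosts covered by the more specific DRG route goes private while traffic to the rest of the same service range goes over the public path, which is the inconsistent behavior the section warns about; the LOCAL_PREF policy on the DRG sessions removes the split. On a real CPE this is a route-map or import policy applied to the BGP sessions towards the DRG.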

Route Filtering

Route filtering lets you decide what routes are included in BGP advertisements to the on-premises network. RFC 5291 provides more general information about route filtering and BGP advertisement of routes.

Private virtual circuits and Site-to-Site VPN don't support route filtering. Public virtual circuits over FastConnect advertise routes according to the selected route filtering settings, which define the scope of the shared routes. The options are:

  • Regional - Advertises only available public routes used by ephemeral IP address ranges, reserved IP address ranges, and Oracle Services Network for this virtual circuit's region to the on-premises network.
  • Market - Advertises available public routes used by ephemeral IP address ranges, reserved IP address ranges, and OSN for this virtual circuit's region and routes for other regions in the same part of the world to the on-premises network. This is the default setting. The regions available in each of the four markets are shown in tables and on a map in the FastConnect Public Peering Advertised Routes article.
  • Global - Advertises available public routes used by ephemeral IP address ranges, reserved IP address ranges, and OSN for all regions in all markets of the Oracle cloud to the on-premises network.
  • Oracle Services Network - Advertises only public routes used by OSN resources in the local region to the on-premises network.

You can select route filtering options when you set up a FastConnect virtual circuit. The details vary depending on whether you're using a FastConnect partner, a third-party provider, or colocation.