Internet Gateway

This topic describes how to set up and manage an internet gateway to give your VCN internet access.

Tip

Oracle also offers a NAT gateway, which is recommended for subnets in your VCN that do not require externally initiated connections from the internet.

Highlights

  • An internet gateway is an optional gateway you can add to your VCN to enable direct connectivity to the internet.
  • The gateway supports connections initiated from within the VCN (egress) and connections initiated from the internet (ingress).
  • Resources that need to use the gateway for internet access must be in a public subnet and have public IP addresses. Resources that have private IP addresses can instead use a NAT gateway to initiate connections to the internet.
  • Each public subnet that needs to use the internet gateway must have a route table rule that specifies the gateway as the target.
  • You use security rules to control the types of traffic allowed in and out of resources in that subnet. Make sure to allow only the desired types of internet traffic.
  • The internet gateway can be used only by resources in the gateway's VCN. Hosts in the connected on-premises network or in a peered VCN cannot use that internet gateway.
  • You can't add or move an internet gateway to a VCN within a security zone. Security zones do not permit public subnets.

Overview of Internet Gateways

Before continuing, make sure you've read Access to the Internet and also understand how to set up security rules for the resources in a subnet.

An internet gateway is an optional virtual router that connects the edge of the VCN with the internet. To use the gateway, the hosts on both ends of the connection must have public IP addresses for routing. Connections that originate in your VCN and are destined for a public IP address (either inside or outside the VCN) go through the internet gateway. Connections that originate outside the VCN and are destined for a public IP address inside the VCN also go through the internet gateway.

A given VCN can have only one internet gateway. You control which public subnets in the VCN can use the gateway by configuring the subnet's associated route table. You use security rules to control the types of traffic allowed in and out of resources in those public subnets.

The following diagram illustrates a simple VCN setup with a single public subnet. The VCN has an internet gateway, and the public subnet is configured to use the VCN's default route table. The table has a route rule that sends all egress traffic from the subnet to the internet gateway. The gateway allows any ingress connection from the internet whose destination IP address is the public IP address of a resource in the VCN. However, the public subnet's security list rules ultimately determine the specific types of traffic that are allowed in and out of the resources in the subnet. Those specific security rules are not shown.

[Figure: a simple layout of a VCN with a public subnet that uses an internet gateway.]

Callout 1: VCN Default Route Table

  Destination CIDR    Route Target
  0.0.0.0/0           Internet Gateway

Tip

Traffic through an internet gateway between a VCN and a public IP address that is part of Oracle Cloud Infrastructure (such as Object Storage) is routed without being sent over the internet.

Working with Internet Gateways

You create an internet gateway in the context of a specific VCN. In other words, the internet gateway is automatically attached to a VCN. However, you can disable and re-enable the internet gateway at any time. Compare this with a dynamic routing gateway (DRG), which you create as a standalone object that you then attach to a particular VCN. DRGs use a different model because they're intended to be modular building blocks for privately connecting VCNs to your on-premises network.

For traffic to flow from a public subnet to the internet, you must create a corresponding route rule in the subnet's route table: for example, destination CIDR = 0.0.0.0/0 and target = internet gateway. If you want to route the traffic through a firewall instead, the target can be the private IP address of the firewall. The firewall's subnet then needs its own route, usually for 0.0.0.0/0, with the internet gateway as the target so that it can reach the internet.

For traffic flowing from the internet to a destination in a public subnet, the internet gateway routes the traffic directly to the destination by default. You can associate a route table with the internet gateway and define route rules that route ingress public traffic to destinations in the VCN. For example, if you want the internet gateway to route the traffic to a firewall in the VCN first, you can create a route rule for the destination subnet CIDR with the firewall private IP address as the target. Route rules to destinations outside the VCN in an internet gateway route table are not supported.

For the purposes of access control, you must specify the compartment where you want the internet gateway to reside. If you're not sure which compartment to use, put the internet gateway in the same compartment as the cloud network. For more information, see Access Control.

You may optionally assign a friendly name to the internet gateway. It doesn't have to be unique, and you can change it later. Oracle automatically assigns the internet gateway a unique identifier called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.

To delete an internet gateway, it does not have to be disabled, but there must not be a route table that lists it as a target.

See Gateway Limits and Requesting a Service Limit Increase for limits-related information.

Using the Console

To set up an internet gateway

Prerequisites:

  • You've determined which subnets in the VCN need access to the internet, and you've created those public subnets.
  • You've determined the types of ingress and egress internet traffic that you want to enable for the resources in each public subnet (examples: ingress HTTPS connections, ingress ICMP ping connections).
  • The required IAM policy is in place to allow you to work with Networking service resources. For administrators: see IAM Policies for Networking.

Important

If you've configured the public subnet to use the default security list, remember that the list includes several helpful default rules that enable basic required access (examples: ingress SSH, egress access to all destinations). Oracle recommends that you become familiar with the basic access that these default rules provide. If you choose not to use the default security list, make sure to provide this basic access by implementing these security rules either in network security groups (NSGs) or custom security lists.

The following procedure uses security lists, but you could instead implement the security rules in a network security group and then create all of the subnet's resources in that NSG.

  1. For each public subnet that needs to use the internet gateway, set up the subnet's security list rules to allow the desired internet traffic.

    1. In the Console, while viewing the VCN you're interested in, click Security Lists.
    2. Click the security list you're interested in (a security list associated with the public subnet).
    3. Under Resources, click either Ingress Rules or Egress Rules depending on the type of rule you want to work with.
    4. If you want to add a new rule, click Add Ingress Rule (or Add Egress Rule).

      Example

      Imagine you have web servers in the public subnet. This example shows how to add an ingress rule for HTTPS connections (TCP port 443) coming from the internet to the web server. Without this rule, inbound HTTPS connections are not allowed.

      1. Leave the Stateless check box unselected.
      2. Source Type: CIDR
      3. Source CIDR: 0.0.0.0/0
      4. IP Protocol: Leave as TCP.
      5. Source Port Range: Leave as All.
      6. Destination Port Range: Enter 443.
      7. Description: An optional description of the rule.
    5. If you want to delete an existing rule, click the Actions menu, and then click Remove.
    6. If you want to edit an existing rule, click the Actions menu, and then click Edit.
  2. Create the VCN's internet gateway:

    1. In the Console, while viewing the VCN you're interested in, click Internet Gateways.
    2. Click Create Internet Gateway.
    3. Enter the following:

      • Name: A friendly name for the internet gateway. It doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
      • Create in Compartment: The compartment where you want to create the internet gateway, if different from the compartment you're currently working in.
      • Route Table Association: (advanced option) You can associate a specific VCN route table with this gateway. If you associate a route table, afterwards the gateway must always have a route table associated with it. You can modify the rules in the current route table or replace it with another route table.
      • Tags: (advanced option) If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
    4. Click Create Internet Gateway.

      Your internet gateway is created and displayed on the Internet Gateways page of the compartment you chose. It's already enabled, but you still need to add a route rule that allows traffic to flow to the gateway.

  3. For each public subnet that needs to use the internet gateway, update the subnet's route table:

    1. While viewing the VCN's details, click Route Tables.
    2. Click the public subnet's route table to view its details.
    3. Click Add Route Rule.
    4. Enter the following:

      • Target Type: Internet Gateway
      • Destination CIDR block: 0.0.0.0/0 (which means that all non-intra-VCN traffic that is not already covered by other rules in the route table will go to the target specified in this rule)
      • Compartment: The compartment where the internet gateway is located.
      • Target: The internet gateway you just created.
      • Description: An optional description of the rule.
    5. Click Save.

An internet gateway is now enabled and working for your cloud network.
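The procedure above combines three settings that together decide what the internet can reach: the subnet's route rule to the gateway, the public IP on the resource, and the security list's ingress rules. The same data also answers the deletion prerequisite (no route table may still list the gateway as a target). The following script, an added example that is not Oracle's code or part of the OCI SDK, audits those relationships offline over constructed records whose field names mirror the shape of OCI route table, subnet and security list resources (`route_table_id`, `network_entity_id`, `protocol`, `tcp_options`); the OCIDs and subnet names are placeholders, and in practice you would populate the structures from `oci network ... list` output or the SDK.

```python
"""Offline audit of internet-gateway exposure in a VCN.

Added example, not Oracle's code. Records are constructed to mirror the
field names of OCI route tables, subnets and security lists; all OCIDs are
placeholders. OCI protocol codes: "6" = TCP, "17" = UDP, "1" = ICMP, "all".
"""
from ipaddress import ip_network

IGW_ID = "ocid1.internetgateway.oc1..placeholder-igw"   # placeholder OCID
NAT_ID = "ocid1.natgateway.oc1..placeholder-nat"        # placeholder OCID

# Constructed sample: a public web subnet behind the internet gateway and a
# private database subnet that egresses through a NAT gateway.
SUBNETS = [
    {"id": "subnet-web", "route_table_id": "rt-public",
     "security_list_ids": ["sl-web"], "prohibit_public_ip_on_vnic": False},
    {"id": "subnet-db", "route_table_id": "rt-private",
     "security_list_ids": ["sl-db"], "prohibit_public_ip_on_vnic": True},
]
ROUTE_TABLES = {
    "rt-public": [{"destination": "0.0.0.0/0", "network_entity_id": IGW_ID}],
    "rt-private": [{"destination": "0.0.0.0/0", "network_entity_id": NAT_ID}],
}
SECURITY_LISTS = {
    "sl-web": {"ingress": [
        # The HTTPS rule from the Console example: TCP 443 from anywhere.
        {"source": "0.0.0.0/0", "protocol": "6",
         "tcp_options": {"destination_port_range": {"min": 443, "max": 443}}},
        # SSH from anywhere, as in the default security list.
        {"source": "0.0.0.0/0", "protocol": "6",
         "tcp_options": {"destination_port_range": {"min": 22, "max": 22}}},
    ]},
    "sl-db": {"ingress": [
        # Broad, but this subnet is not reachable through the internet gateway.
        {"source": "0.0.0.0/0", "protocol": "all"},
    ]},
}

MANAGEMENT_PORTS = {22, 3389}


def route_tables_referencing(route_tables, igw_id):
    """Route tables with at least one rule whose target is the gateway."""
    return [rt_id for rt_id, rules in route_tables.items()
            if any(r["network_entity_id"] == igw_id for r in rules)]


def can_delete_gateway(route_tables, igw_id):
    """Deletion prerequisite: no route table may list the gateway as a target."""
    return not route_tables_referencing(route_tables, igw_id)


def subnets_using_gateway(subnets, route_tables, igw_id):
    """Subnets whose route table sends traffic to the internet gateway."""
    referencing = set(route_tables_referencing(route_tables, igw_id))
    return [s["id"] for s in subnets if s["route_table_id"] in referencing]


def is_internet_source(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the internet."""
    return ip_network(cidr).prefixlen == 0


def destination_ports(rule):
    """(min, max) destination port range, or None when the rule covers all ports."""
    opts = rule.get("tcp_options") or rule.get("udp_options") or {}
    rng = opts.get("destination_port_range")
    return None if rng is None else (rng["min"], rng["max"])


def audit_ingress(subnets, route_tables, security_lists, igw_id):
    """Flag internet-facing ingress rules that are broader than a service port.

    Only subnets routed to the internet gateway are examined, because a
    security list on a private subnet is not reachable from the internet.
    """
    findings = []
    exposed = set(subnets_using_gateway(subnets, route_tables, igw_id))
    for subnet in subnets:
        if subnet["id"] not in exposed:
            continue
        for sl_id in subnet["security_list_ids"]:
            for rule in security_lists[sl_id]["ingress"]:
                if not is_internet_source(rule["source"]):
                    continue
                proto = rule["protocol"]
                if proto == "all":
                    note = "all protocols and ports open to the internet"
                elif proto in ("6", "17"):
                    ports = destination_ports(rule)
                    if ports is None:
                        note = "all TCP/UDP ports open to the internet"
                    elif any(ports[0] <= p <= ports[1] for p in MANAGEMENT_PORTS):
                        note = f"management port range {ports} open to the internet"
                    else:
                        continue  # a single service port such as 443 is expected
                else:
                    continue  # ICMP and other non-port protocols are not flagged here
                findings.append((subnet["id"], sl_id, note))
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SUBNETS, ROUTE_TABLES, SECURITY_LISTS, IGW_ID):
        print("FINDING:", *finding)
    print("gateway deletable:", can_delete_gateway(ROUTE_TABLES, IGW_ID))
```

Run as-is, the audit reports one finding (SSH on port 22 open to the internet in `sl-web`), leaves the HTTPS rule alone, ignores the broad rule on the private subnet because nothing routes that subnet through the gateway, and reports that the gateway cannot be deleted while `rt-public` still targets it.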

To disable/enable an internet gateway

This is available only through the API. If you don't have access to the API and need to disable or enable an internet gateway, contact Oracle Support. You can also easily delete and recreate the internet gateway if needed. Just make sure to update any route tables that refer to the internet gateway.

To delete an internet gateway

Prerequisite: The internet gateway does not have to be disabled, but there must not be a route table that lists it as a target.

  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Internet Gateways.
  4. Click the Actions menu for the internet gateway, and then click Terminate.
  5. Confirm when prompted.

To manage route tables for an internet gateway

  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Internet Gateways.
  4. Click the Actions menu for the internet gateway, and then click Associate Different Route Table. From there you can change the associated route table for this gateway or associate a route table to a gateway that doesn't already have an associated route table. After a route table is associated to a gateway, the gateway must always have a route table associated with it.

To manage tags for an internet gateway

  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Internet Gateways.
  4. Click the Actions menu for the internet gateway, and then click View Tags. From there you can view the existing tags, edit them, and apply new ones.

For more information, see Resource Tags.

To move an internet gateway to a different compartment

You can move an internet gateway from one compartment to another. When you move an internet gateway to a new compartment, inherent policies apply immediately.

  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Internet Gateways.
  4. Click the Actions menu for the internet gateway, and then click Move Resource.
  5. Choose the destination compartment from the list.
  6. Click Move Resource.

For more information about using compartments and policies to control access to your cloud network, see Access Control. For general information about compartments, see Managing Compartments.