Oracle US Defense Cloud
This topic contains information specific to the Oracle US Defense Cloud.
Compliance with Defense Cloud Security Requirements
US Defense Cloud supports applications that require Impact Level 5 (IL5) data, as defined in the Department of Defense Cloud Computing Security Requirements Guide (SRG).
Oracle US Defense Cloud Regions
The region names and identifiers for the US Defense Cloud regions are shown in the following table:
Region Name | Region Identifier | Region Key | Realm Key | Availability Domains |
---|---|---|---|---|
US DoD East (Ashburn) | us-gov-ashburn-1 | ric | OC3 | 1 |
US DoD North (Chicago) | us-gov-chicago-1 | pia | OC3 | 1 |
US DoD West (Phoenix) | us-gov-phoenix-1 | tus | OC3 | 1 |
After your tenancy is created in one of the US Defense Cloud regions, you can subscribe to the other regions in the US Defense Cloud. These tenancies can't subscribe to any Oracle Cloud Infrastructure regions that don't belong to the OC3 realm. For information about subscribing to a region, see Managing Regions.
Oracle US Defense Cloud Console Sign-in URLs
To sign in to the US Defense Cloud, enter one of the following URLs in a supported browser:
- https://console.us-gov-ashburn-1.oraclegovcloud.com/
- https://console.us-gov-chicago-1.oraclegovcloud.com/
- https://console.us-gov-phoenix-1.oraclegovcloud.com/
When you're signed in to the Console for one of the US Defense Cloud regions, the browser times out after 15 minutes of inactivity, and you need to sign in again to use the Console.
Oracle US Defense Cloud API Reference and Endpoints
This section lists the APIs and their corresponding regional endpoints for the US Defense Cloud.
- https://analytics.us-gov-ashburn-1.ocp.oraclegovcloud.com
- https://analytics.us-gov-chicago-1.ocp.oraclegovcloud.com
- https://analytics.us-gov-phoenix-1.ocp.oraclegovcloud.com
- https://announcements.us-gov-ashburn-1.oraclegovcloud.com
- https://announcements.us-gov-chicago-1.oraclegovcloud.com
- https://announcements.us-gov-phoenix-1.oraclegovcloud.com
- https://apm-config.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://apm-config.us-gov-chicago-1.oci.oraclegovcloud.com
- https://apm-config.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://apm-cp.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://apm-cp.us-gov-chicago-1.oci.oraclegovcloud.com
- https://apm-cp.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://apm-synthetic.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://apm-synthetic.us-gov-chicago-1.oci.oraclegovcloud.com
- https://apm-synthetic.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://apm-trace.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://apm-trace.us-gov-chicago-1.oci.oraclegovcloud.com
- https://apm-trace.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://apigateway.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://apigateway.us-gov-chicago-1.oci.oraclegovcloud.com
- https://apigateway.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://artifacts.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://artifacts.us-gov-chicago-1.oci.oraclegovcloud.com
- https://artifacts.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://osmh.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://osmh.us-gov-chicago-1.oci.oraclegovcloud.com
- https://osmh.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://autoscaling.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://autoscaling.us-gov-chicago-1.oci.oraclegovcloud.com
- https://autoscaling.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://bastion.us-ashburn-1.oci.oraclegovcloud.com
- https://bastion.us-chicago-1.oci.oraclegovcloud.com
- https://bastion.us-phoenix-1.oci.oraclegovcloud.com
- https://bigdataservice.us-ashburn-1.oci.oraclegovcloud.com
- https://bigdataservice.us-chicago-1.oci.oraclegovcloud.com
- https://bigdataservice.us-phoenix-1.oci.oraclegovcloud.com
- https://certificatesmanagement.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://certificatesmanagement.us-gov-chicago-1.oci.oraclegovcloud.com
- https://certificatesmanagement.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://certificates.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://certificates.us-gov-chicago-1.oci.oraclegovcloud.com
- https://certificates.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://cloudguard-cp-api.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://cloudguard-cp-api.us-gov-chicago-1.oci.oraclegovcloud.com
- https://cloudguard-cp-api.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://optimizer.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://optimizer.us-gov-chicago-1.oci.oraclegovcloud.com
- https://optimizer.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://service-connector-hub.us-ashburn-1.oci.oraclegovcloud.com
- https://service-connector-hub.us-chicago-1.oci.oraclegovcloud.com
- https://service-connector-hub.us-phoenix-1.oci.oraclegovcloud.com
The Networking, Compute, and Block Volume services are accessible with the following API:
- https://iaas.us-gov-ashburn-1.oraclegovcloud.com
- https://iaas.us-gov-chicago-1.oraclegovcloud.com
- https://iaas.us-gov-phoenix-1.oraclegovcloud.com
- https://dataflow.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://dataflow.us-gov-chicago-1.oci.oraclegovcloud.com
- https://dataflow.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://dataintegration.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://dataintegration.us-gov-chicago-1.oci.oraclegovcloud.com
- https://dataintegration.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://datascience.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://datascience.us-gov-chicago-1.oci.oraclegovcloud.com
- https://datascience.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://database.us-gov-ashburn-1.oraclegovcloud.com
- https://database.us-gov-chicago-1.oraclegovcloud.com
- https://database.us-gov-phoenix-1.oraclegovcloud.com
You can track the progress of long-running Database operations with the Work Requests API.
- https://dbmgmt.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://dbmgmt.us-gov-chicago-1.oci.oraclegovcloud.com
- https://dbmgmt.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://devops.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://devops.us-gov-chicago-1.oci.oraclegovcloud.com
- https://devops.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://digitalassistant.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://digitalassistant.us-gov-chicago-1.oci.oraclegovcloud.com
- https://digitalassistant.us-gov-phoenix-1.oci.oraclegovcloud.com
This information is for private DNS only. Public DNS is not available in government realms.
- https://dns.us-gov-ashburn-1.oraclegovcloud.com
- https://dns.us-gov-chicago-1.oraclegovcloud.com
- https://dns.us-gov-phoenix-1.oraclegovcloud.com
- https://ctrl.email.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://ctrl.email.us-gov-chicago-1.oci.oraclegovcloud.com
- https://ctrl.email.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://events.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://events.us-gov-chicago-1.oci.oraclegovcloud.com
- https://events.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://filestorage.us-gov-ashburn-1.oraclegovcloud.com
- https://filestorage.us-gov-chicago-1.oraclegovcloud.com
- https://filestorage.us-gov-phoenix-1.oraclegovcloud.com
- https://functions.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://functions.us-gov-chicago-1.oci.oraclegovcloud.com
- https://functions.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://goldengate.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://goldengate.us-gov-chicago-1.oci.oraclegovcloud.com
- https://goldengate.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://generic.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://generic.us-gov-chicago-1.oci.oraclegovcloud.com
- https://generic.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://identity.us-gov-ashburn-1.oraclegovcloud.com
- https://identity.us-gov-chicago-1.oraclegovcloud.com
- https://identity.us-gov-phoenix-1.oraclegovcloud.com
Use the Endpoint of Your Home Region for All IAM API Calls
When you sign up for Oracle Cloud Infrastructure, Oracle creates a tenancy for you in one region. This is your home region. Your home region is where your IAM resources are defined. When you subscribe to a new region, your IAM resources are replicated in the new region; however, the master definitions reside in your home region and can only be changed there. Make all IAM API calls against your home region endpoint. The changes automatically replicate to all regions. If you try to make an IAM API call against a region that is not your home region, you will receive an error. See What is the tenancy home region? How do I find my tenancy home region?
- https://javamanagement.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://javamanagement.us-gov-chicago-1.oci.oraclegovcloud.com
- https://javamanagement.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://kms.us-gov-ashburn-1.oraclegovcloud.com
- https://kms.us-gov-chicago-1.oraclegovcloud.com
- https://kms.us-gov-phoenix-1.oraclegovcloud.com
In addition to these endpoints, each vault has a unique endpoint for create, update, and list operations for keys. This endpoint is referred to as the control plane URL or management endpoint. Each vault also has a unique endpoint for cryptographic operations. This endpoint is known as the data plane URL or the cryptographic endpoint.
- https://containerengine.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://containerengine.us-gov-chicago-1.oci.oraclegovcloud.com
- https://containerengine.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://licensemanager.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://licensemanager.us-gov-chicago-1.oci.oraclegovcloud.com
- https://licensemanager.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://loganalytics.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://loganalytics.us-gov-chicago-1.oci.oraclegovcloud.com
- https://loganalytics.us-gov-phoenix-1.oci.oraclegovcloud.com
Using Sample Log Data to perform analysis operations isn't supported in US Defense Cloud.
- https://ingestion.logging.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://ingestion.logging.us-gov-chicago-1.oci.oraclegovcloud.com
- https://ingestion.logging.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://logging.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://logging.us-gov-chicago-1.oci.oraclegovcloud.com
- https://logging.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://management-agent.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://management-agent.us-gov-chicago-1.oci.oraclegovcloud.com
- https://management-agent.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://marketplace.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://marketplace.us-gov-chicago-1.oci.oraclegovcloud.com
- https://marketplace.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://telemetry-ingestion.us-gov-ashburn-1.oraclegovcloud.com
- https://telemetry-ingestion.us-gov-chicago-1.oraclegovcloud.com
- https://telemetry-ingestion.us-gov-phoenix-1.oraclegovcloud.com
- https://telemetry.us-gov-ashburn-1.oraclegovcloud.com
- https://telemetry.us-gov-chicago-1.oraclegovcloud.com
- https://telemetry.us-gov-phoenix-1.oraclegovcloud.com
- https://network-load-balancer-api.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://network-load-balancer-api.us-gov-chicago-1.oci.oraclegovcloud.com
- https://network-load-balancer-api.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://notification.us-gov-ashburn-1.oraclegovcloud.com
- https://notification.us-gov-chicago-1.oraclegovcloud.com
- https://notification.us-gov-phoenix-1.oraclegovcloud.com
The source service must be available in US Defense Cloud regions for messages to be successfully sent through the Notifications service. If the source service isn't available in these regions, then the message isn't sent. For a list of unavailable services, see Services Not Supported in Oracle US Defense Cloud.
Both Object Storage and Archive Storage are accessible with the following APIs:
- https://objectstorage.us-gov-ashburn-1.oraclegovcloud.com
- https://objectstorage.us-gov-chicago-1.oraclegovcloud.com
- https://objectstorage.us-gov-phoenix-1.oraclegovcloud.com
- https://<object_storage_namespace>.compat.objectstorage.us-gov-ashburn-1.oraclegovcloud.com
- https://<object_storage_namespace>.compat.objectstorage.us-gov-chicago-1.oraclegovcloud.com
- https://<object_storage_namespace>.compat.objectstorage.us-gov-phoenix-1.oraclegovcloud.com
See Understanding Object Storage Namespaces for information regarding how to find your Object Storage namespace.
- https://swiftobjectstorage.us-gov-ashburn-1.oraclegovcloud.com
- https://swiftobjectstorage.us-gov-chicago-1.oraclegovcloud.com
- https://swiftobjectstorage.us-gov-phoenix-1.oraclegovcloud.com
- https://opensearch.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://opensearch.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://opensearch.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://operationsinsights.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://operationsinsights.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://operationsinsights.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://ocvps.us-ashburn-1.oci.oraclegovcloud.com
- https://ocvps.us-chicago-1.oci.oraclegovcloud.com
- https://ocvps.us-phoenix-1.oci.oraclegovcloud.com
- https://integration.us-ashburn-1.oci.oraclegovcloud.com
- https://integration.us-chicago-1.oci.oraclegovcloud.com
- https://integration.us-phoenix-1.oci.oraclegovcloud.com
For more information, see Using Oracle Integration Generation 3 on US Government Cloud.
- https://organizations.us-ashburn-1.oci.oraclegovcloud.com
- https://organizations.us-chicago-1.oci.oraclegovcloud.com
- https://organizations.us-phoenix-1.oci.oraclegovcloud.com
- https://osms.us-ashburn-1.oci.oraclegovcloud.com
- https://osms.us-chicago-1.oci.oraclegovcloud.com
- https://osms.us-phoenix-1.oci.oraclegovcloud.com
- https://osmh.us-ashburn-1.oci.oraclegovcloud.com
- https://osmh.us-chicago-1.oci.oraclegovcloud.com
- https://osmh.us-phoenix-1.oci.oraclegovcloud.com
- https://resourcemanager.us-ashburn-1.oci.oraclegovcloud.com
- https://resourcemanager.us-chicago-1.oci.oraclegovcloud.com
- https://resourcemanager.us-phoenix-1.oci.oraclegovcloud.com
- https://vss-cp-api.us-ashburn-1.oci.oraclegovcloud.com
- https://vss-cp-api.us-chicago-1.oci.oraclegovcloud.com
- https://vss-cp-api.us-phoenix-1.oci.oraclegovcloud.com
- https://stack-monitoring.us-ashburn-1.oci.oraclegovcloud.com
- https://stack-monitoring.us-chicago-1.oci.oraclegovcloud.com
- https://stack-monitoring.us-phoenix-1.oci.oraclegovcloud.com
- https://streaming.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://streaming.us-gov-chicago-1.oci.oraclegovcloud.com
- https://streaming.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://api-threatintel.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://api-threatintel.us-gov-chicago-1.oci.oraclegovcloud.com
- https://api-threatintel.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://kms.us-gov-ashburn-1.oraclegovcloud.com
- https://kms.us-gov-chicago-1.oraclegovcloud.com
- https://kms.us-gov-phoenix-1.oraclegovcloud.com
- https://vaults.us-gov-ashburn-1.oraclegovcloud.com
- https://vaults.us-gov-chicago-1.oraclegovcloud.com
- https://vaults.us-gov-phoenix-1.oraclegovcloud.com
- https://secrets.us-gov-ashburn-1.oraclegovcloud.com
- https://secrets.us-gov-chicago-1.oraclegovcloud.com
- https://secrets.us-gov-phoenix-1.oraclegovcloud.com
- https://vision.aiservice.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://vision.aiservice.us-gov-chicago-1.oci.oraclegovcloud.com
- https://vision.aiservice.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://visualbuilder.us-gov-ashburn-1.ocp.oraclegovcloud.com
- https://visualbuilder.us-gov-chicago-1.ocp.oraclegovcloud.com
- https://visualbuilder.us-gov-phoenix-1.ocp.oraclegovcloud.com
- https://vbstudio.us-gov-ashburn-1.ocp.oraclegovcloud.com
- https://vbstudio.us-gov-chicago-1.ocp.oraclegovcloud.com
- https://vbstudio.us-gov-phoenix-1.ocp.oraclegovcloud.com
- https://waf.us-gov-ashburn-1.oci.oraclegovcloud.com
- https://waf.us-gov-chicago-1.oci.oraclegovcloud.com
- https://waf.us-gov-phoenix-1.oci.oraclegovcloud.com
- https://iaas.us-gov-ashburn-1.oraclegovcloud.com
- https://iaas.us-gov-chicago-1.oraclegovcloud.com
- https://iaas.us-gov-phoenix-1.oraclegovcloud.com
Oracle YUM Repo Endpoints
The Oracle YUM repo regional endpoints for the US Defense Cloud are shown in the following table:
Region | YUM Server Endpoint |
---|---|
US DoD East (Ashburn) | |
US DoD North (Chicago) | |
US DoD West (Phoenix) | |
SMTP Authentication and Connection Endpoints
Email Delivery only supports the AUTH PLAIN command when using SMTP authentication. If the sending application can't be configured to use the AUTH PLAIN command, an SMTP proxy/relay can be used instead. For more information about the AUTH command, see AUTH Command and its Mechanisms.
Region | SMTP Connection Endpoint |
---|---|
US DoD East (Ashburn) | smtp.email.us-gov-ashburn-1.oci.oraclegovcloud.com |
US DoD North (Chicago) | smtp.email.us-gov-chicago-1.oci.oraclegovcloud.com |
US DoD West (Phoenix) | smtp.email.us-gov-phoenix-1.oci.oraclegovcloud.com |
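As an added example (not Oracle's code), the following Python sender pins the SASL mechanism to AUTH PLAIN against the regional endpoint and refuses to send credentials until STARTTLS has completed; the submission port 587, the SAMPLE_EHLO capability list, and the user/password values are assumptions or constructed, and can_authenticate_directly encodes the relay decision the paragraph above describes.

```python
"""Send through Email Delivery with an explicit AUTH PLAIN over STARTTLS."""
import base64
import smtplib
import ssl

# Regional SMTP connection endpoints from the table above.
SMTP_ENDPOINTS = {
    "us-gov-ashburn-1": "smtp.email.us-gov-ashburn-1.oci.oraclegovcloud.com",
    "us-gov-chicago-1": "smtp.email.us-gov-chicago-1.oci.oraclegovcloud.com",
    "us-gov-phoenix-1": "smtp.email.us-gov-phoenix-1.oci.oraclegovcloud.com",
}
SUBMISSION_PORT = 587  # assumption: STARTTLS submission port; confirm against the service docs

# Constructed EHLO response used for offline checks (not captured from a real server).
SAMPLE_EHLO = b"smtp.example.test\nSIZE 10485760\nSTARTTLS\nAUTH PLAIN\n8BITMIME"


def auth_plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """Build the RFC 4616 PLAIN initial response: authzid NUL authcid NUL passwd, base64."""
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("PLAIN fields must not contain NUL")
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def offered_auth_mechanisms(ehlo_response: bytes) -> set:
    """Return the SASL mechanisms advertised on the AUTH line of an EHLO response."""
    mechs = set()
    for line in ehlo_response.decode("ascii", errors="replace").splitlines():
        parts = line.strip().split()
        if parts and parts[0].upper() == "AUTH":
            mechs.update(p.upper() for p in parts[1:])
    return mechs


def can_authenticate_directly(ehlo_response: bytes, client_mechanisms) -> bool:
    """Email Delivery offers only PLAIN; a client that cannot do PLAIN needs an SMTP relay."""
    client = {m.upper() for m in client_mechanisms}
    return "PLAIN" in offered_auth_mechanisms(ehlo_response) and "PLAIN" in client


def send_via_email_delivery(region, username, password, sender, recipients, message_bytes):
    """Connect to the regional endpoint, upgrade to TLS, then authenticate with PLAIN only."""
    host = SMTP_ENDPOINTS[region]
    context = ssl.create_default_context()  # verifies the server certificate chain
    with smtplib.SMTP(host, SUBMISSION_PORT, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not offer STARTTLS; not sending credentials in clear")
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        if "PLAIN" not in offered_auth_mechanisms(smtp.ehlo_resp):
            raise RuntimeError("AUTH PLAIN not offered by the server")
        smtp.user, smtp.password = username, password
        smtp.auth("PLAIN", smtp.auth_plain)  # pin the mechanism instead of login()'s negotiation
        return smtp.sendmail(sender, recipients, message_bytes)
```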
SPF Record Syntax
An SPF record is a TXT record on your sending domain that authorizes Email Delivery IP addresses to send on your behalf. SPF is required for subdomains of oraclegovcloud.com and recommended in other cases. The SPF record syntax for each sending region is shown in the following table:
Realm Key | SPF Record |
---|---|
OC3 | v=spf1 include:rp.email.oci.oraclegovcloud.com ~all |
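The following added Python check (not Oracle's code) takes the TXT records of a sending domain and verifies that exactly one SPF record exists, that it carries the OC3 include from the table above, which qualifier its all term uses, and how many DNS-lookup terms it spends against the RFC 7208 limit of 10; the SAMPLE_GOOD and SAMPLE_BAD record sets are constructed, and includes are not expanded, so the lookup count is a lower bound.

```python
"""Check a sending domain's TXT records for the Email Delivery SPF include."""
import re

REQUIRED_INCLUDE = "rp.email.oci.oraclegovcloud.com"  # OC3 include from the table above
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 processing limit

# Constructed TXT record sets for a sending domain (not real DNS answers).
SAMPLE_GOOD = ["site-verification=abc123",
               "v=spf1 include:rp.email.oci.oraclegovcloud.com ~all"]
SAMPLE_BAD = ["v=spf1 ip4:203.0.113.0/24 -all",
              "v=spf1 include:rp.email.oci.oraclegovcloud.com ~all"]


def select_spf_record(txt_records):
    """RFC 7208 section 3: a domain must publish exactly one v=spf1 record."""
    spf = [r for r in txt_records if r.lower().split(None, 1)[0:1] == ["v=spf1"]]
    if len(spf) != 1:
        raise ValueError(f"expected exactly one v=spf1 record, found {len(spf)}")
    return spf[0]


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) terms; modifiers get qualifier None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    parsed = []
    for term in terms[1:]:
        if re.match(r"^[A-Za-z][A-Za-z0-9_.-]*=", term):  # modifier such as redirect= or exp=
            name, _, value = term.partition("=")
            parsed.append((None, name.lower(), value))
            continue
        qualifier = "+"  # implicit pass when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as a/24 or mx/24
        parsed.append((qualifier, name, value))
    return parsed


def check_spf(txt_records, required_include=REQUIRED_INCLUDE):
    """Report whether the record authorizes Email Delivery and stays within SPF limits."""
    parsed = parse_spf(select_spf_record(txt_records))
    names = [name for _, name, _ in parsed]
    all_index = names.index("all") if "all" in names else None
    lookups = sum(1 for q, name, _ in parsed
                  if (q is not None and name in LOOKUP_MECHANISMS)
                  or (q is None and name == "redirect"))
    return {
        "include_present": any(q is not None and name == "include"
                               and value.lower() == required_include
                               for q, name, value in parsed),
        "all_qualifier": parsed[all_index][0] if all_index is not None else None,
        # Terms after "all" are never evaluated; a non-zero count is a misconfiguration.
        "terms_after_all": len(parsed) - all_index - 1 if all_index is not None else 0,
        "top_level_lookups": lookups,  # includes are not expanded, so this is a lower bound
        "within_lookup_limit": lookups <= MAX_DNS_LOOKUPS,
    }
```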
Services Not Supported in Oracle US Defense Cloud
Currently, the following services aren't available or aren't supported for tenancies in the US Defense Cloud.
This list isn't exhaustive. Full Stack Disaster Recovery services and features are not available. Other services and features might also be unavailable or unsupported.
Networking services and features not available:
- FastConnect with a provider (FastConnect in a colocation model is supported)
- DNS Zone Management - public DNS zones (private DNS zones are supported)
- Traffic Management
Oracle Database services not available:
- Data Safe
Storage services and features not available:
- In-transit encryption for bare metal instances.
- The Ultra High Performance level for block volumes and boot volumes.
- File Storage LDAP authorization and Kerberos authentication.
Analytics & AI services not available:
- Analytics Cloud
- Fusion Data Intelligence
Developer Services features not supported:
- Container Instances
- Content Management
- Process Automation
Identity & Security services not available:
- Compliance Documents
Observability & Management services and features not available:
- Health Checks
Migration & Disaster Recovery services and features not available:
- Data Transfer service
Governance & Administration features not supported:
- Auto-federation with Oracle Identity Cloud Service
- WAF service
Integration with Oracle SaaS and PaaS services, including those listed here: Get Started with Oracle Platform Services.
Oracle Cloud Infrastructure Free Tier, including promotional trial and Always Free offers, isn't available in US Defense Cloud regions.
Access to Multiple Oracle US Defense Cloud Regions
This section shows how to give the on-premises resources that are part of NIPRNet access to multiple US Defense Cloud regions over a single FastConnect connection. This is important if one of the regions doesn't have a direct connection to the NIPRNet's border cloud access point (BCAP). The BCAP is also referred to as the meet me point.
Overview
Some US Defense Cloud regions have a direct connection to a NIPRNet BCAP, but others don't. You can use the Networking service to give on-premises resources that are part of NIPRNet access to a US Defense Cloud region that's not directly connected to the NIPRNet's BCAP. You might do this to extend on-premises workloads into a particular US Defense Cloud region that you're interested in, or to use that region for disaster recovery (DR).
This scenario is illustrated in the following diagram. The route tables and route advertisements shown in the diagram are summarized here:
VCN-1 subnet route table:
Destination CIDR | Route Target |
---|---|
172.16.1.0/24 | DRG-1 |
10.0.3.0/24 | DRG-1 |
VCN-2 subnet route table:
Destination CIDR | Route Target |
---|---|
172.16.1.0/24 | DRG-2 |
10.0.1.0/24 | DRG-2 |
BCAP edge router, over the FastConnect private virtual circuit:
Advertises | Receives |
---|---|
172.16.1.0/24 | 10.0.1.0/24, 10.0.3.0/24 |
Oracle side (region 1), over the FastConnect private virtual circuit:
Advertises | Receives |
---|---|
10.0.1.0/24, 10.0.3.0/24 | 172.16.1.0/24 |
In the diagram, US Defense Cloud region 1 has a direct connection to the NIPRNet's BCAP, but US Defense Cloud region 2 doesn't. Imagine that on-premises resources in NIPRNet (in subnet 172.16.1.0/24) need access to a virtual cloud network (VCN) in region 2 (with CIDR 10.0.3.0/24).
Optionally, there could also be a VCN with cloud resources in region 1 (with CIDR 10.0.1.0/24), but a VCN in region 1 isn't required for this scenario. The intent of this scenario is for the on-premises resources to get access to resources in region 2.
In general, you set up two types of connections:
- FastConnect between the NIPRNet BCAP and region 1.
- Remote peering connection between region 1 and region 2.
Here are some details about the connections:
- That FastConnect has at least one physical connection, or cross-connect. You set up a private virtual circuit that runs on the FastConnect. The private virtual circuit enables communication that uses private IP addresses between the on-premises resources and the cloud resources.
- The remote peering connection is between a dynamic routing gateway (DRG) in region 1, and a DRG in region 2. A DRG is a virtual router that you typically attach to a VCN to give that VCN access to resources outside its Oracle region.
- You can control which on-premises subnets are advertised to the VCNs by configuring the BCAP edge router accordingly.
- The subnets in both VCN-1 and VCN-2 are advertised to the BCAP edge router over the FastConnect connection.
- You can optionally configure VCN security rules and other firewalls that you maintain to allow only certain types of traffic (such as SSH or SQL*NET) between the on-premises resources and VCNs.
Here are some basic requirements:
- The VCNs and DRGs in region 1 and region 2 must belong to the same tenancy, but they can be in different compartments within the tenancy.
- For accurate routing, the CIDR blocks of the on-premises subnets of interest and the VCNs must not overlap.
- To enable traffic to flow from a VCN to the on-premises subnets of interest, you must add a route rule to the VCN subnet route tables for each of the on-premises subnets. The preceding diagram shows the route rule for 172.16.1.0/24 in each VCN's route table.
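As an added example (not Oracle's tooling), the Python below applies the two requirements just listed to the scenario's addresses: it rejects overlapping CIDR blocks before any routing is planned, derives the per-VCN route rules (one per on-premises subnet, plus the optional inter-VCN rule), states what each side of the virtual circuit should advertise and receive, and diffs a configured route table against the plan. The ON_PREM_SUBNETS and VCNS values are taken from the diagram; missing_rules and its input are constructed.

```python
"""Validate CIDR planning and derive route rules for the two-region NIPRNet scenario."""
import ipaddress
from itertools import combinations

# Values from the scenario above: on-premises NIPRNet subnet, VCN-1 in region 1, VCN-2 in region 2.
ON_PREM_SUBNETS = ["172.16.1.0/24"]
VCNS = {
    "VCN-1": {"cidr": "10.0.1.0/24", "drg": "DRG-1"},
    "VCN-2": {"cidr": "10.0.3.0/24", "drg": "DRG-2"},
}


def find_overlaps(named_cidrs):
    """Return every pair of names whose CIDR blocks overlap; must be empty for accurate routing."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in named_cidrs.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def plan_route_rules(on_prem_subnets, vcns, inter_vcn=False):
    """Per-VCN route rules as (destination CIDR, target DRG) pairs.

    Every VCN gets one rule per on-premises subnet pointing at its own DRG. With
    inter_vcn=True it also gets a rule for each other VCN's CIDR (the second rule
    in the diagram), which is only needed if the VCNs must talk to each other.
    """
    named = {f"on-prem {subnet}": subnet for subnet in on_prem_subnets}
    named.update({name: vcn["cidr"] for name, vcn in vcns.items()})
    overlaps = find_overlaps(named)
    if overlaps:
        raise ValueError(f"overlapping CIDR blocks: {overlaps}")
    rules = {}
    for name, vcn in vcns.items():
        vcn_rules = [(subnet, vcn["drg"]) for subnet in on_prem_subnets]
        if inter_vcn:
            vcn_rules += [(other["cidr"], vcn["drg"])
                          for other_name, other in vcns.items() if other_name != name]
        rules[name] = vcn_rules
    return rules


def bgp_expectations(on_prem_subnets, vcns):
    """Prefixes each end of the FastConnect private virtual circuit should advertise and receive."""
    vcn_cidrs = [vcn["cidr"] for vcn in vcns.values()]
    return {
        "bcap_edge_router": {"advertises": list(on_prem_subnets), "receives": vcn_cidrs},
        "region_1_drg": {"advertises": vcn_cidrs, "receives": list(on_prem_subnets)},
    }


def missing_rules(actual_rules, planned_rules):
    """Planned (destination, target) rules absent from a VCN's configured route table."""
    return [rule for rule in planned_rules if rule not in actual_rules]


if __name__ == "__main__":
    plan = plan_route_rules(ON_PREM_SUBNETS, VCNS, inter_vcn=True)
    for vcn_name, vcn_rules in plan.items():
        print(vcn_name, vcn_rules)
    print(bgp_expectations(ON_PREM_SUBNETS, VCNS))
```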
General Setup Process
Summary: In this task, you set up the FastConnect between the NIPRNet BCAP and region 1. FastConnect has three connectivity models, and you generally follow the colocate with Oracle model. In this case, colocation occurs in the BCAP (the meet me point). The connection consists of both a physical connection (at least one cross-connect) and logical connection (private virtual circuit).
For instructions, follow the flow chart and tasks listed in Getting Started with FastConnect, and notice these specific variations:
- In task 2, the instructions assume that you have a VCN (in region 1), but it's optional.
- In task 8, create a private virtual circuit (not a public one).
Summary: If you don't yet have a VCN in region 2 (VCN-2 in the preceding diagram), you set it up in this task. You also create a DRG in region 2 and attach it to the VCN. Then, for each VCN-2 subnet that needs to communicate with the on-premises network, you update that subnet's route table to include a route rule for the on-premises subnet of interest. If there are multiple on-premises subnets that you want to route to, set up a route rule for each one.
For instructions, see these procedures:
- Creating a VCN
- Creating a DRG
- Attaching a VCN to a DRG
- To route a subnet's traffic to a DRG
Important: In step 4 in the preceding list, add a route rule with the following settings:
- Destination CIDR = the on-premises subnet of interest
- Target = the VCN's DRG
In the preceding diagram, it's the rule with 172.16.1.0/24 as the destination CIDR, and target as DRG-2. The second rule in the diagram (for 10.0.1.0/24 and DRG-2) is necessary only if resources in VCN-2 need to communicate with resources in VCN-1.
Summary: In this task, you set up a remote peering to enable private traffic between DRG-1 and DRG-2. The term remote peering typically means that resources in one VCN can communicate privately with resources in a VCN in a different region. In this case, the remote peering also enables private communication between the on-premises network and VCN-2.
For instructions, see Setting Up a Remote Peering, and notice these important details:
- Optional region 1 VCN: The instructions assume that each region has a VCN, but in this situation, it is optional for region 1.
- Single VCN administrator: The instructions assume that there are two different VCN administrators: one for the VCN in region 1 and another for the VCN in region 2. In this situation, there might be only a single VCN administrator (you) who handles both regions and configures the remote peering connection.
- Unnecessary IAM policies: The instructions include a task for each VCN administrator to set up particular IAM policies to enable the remote peering connection. One policy is for the VCN administrator who is designated as the requestor, and one is for the VCN administrator who is designated as the acceptor. Those terms are further defined in Important Remote Peering Concepts. However, if there's only a single VCN administrator with comprehensive networking permissions across the tenancy, those IAM policies aren't necessary. For more information, read the tip that appears at the end of the task.
- RPC anchor points and connection: The remote peering actually consists of multiple components that you must set up. There's an anchor point on each DRG (shown as RPC-1 and RPC-2 in the preceding diagram), plus a connection between those two RPC anchor points. The instructions include steps for creating those RPCs and the connection between them. Ensure that you create all the components.
More Information for Oracle US Defense Cloud Customers
- Shared Responsibilities
- Setting Up an Identity Provider for Your Tenancy
- Using a Common Access Card/Personal Identity Verification Card to Sign in to the Console
- IPv6 Support for Virtual Cloud Networks
- Setting Up Secure Access for Compute Hosts
- Required Site-to-Site VPN Parameters for Government Cloud
- Oracle's BGP ASN
- Requesting a Service Limit Increase for US Government Cloud and US Defense Cloud Tenancies