Configuring VCN Gateways

On Compute Cloud@Customer, you can configure NAT gateways and Internet gateways to enable access to the Internet.

Virtual processes communicate with other processes in a variety of ways. If two instances are in the same subnet, meaning the network portions of their IP addresses match, no special configuration is needed to allow them to communicate. A logical switch connects source and destination at the MAC address level. Communication between instances in the same VCN but in different subnets also requires no routing configuration. Routing is only needed for traffic going to a destination, or coming from a source, external to the VCN.

When communication between two virtual processes is needed and the source and destination are in two different VCNs, then configuration of one of five different types of gateway is necessary in the source VCN. In this context, a gateway is a special type of router, connecting two different IP networks by following rules set up in a route table. (A router can be thought of as a multiport gateway, and a gateway can be thought of as a two-port router.)

When you first create a VCN, various resources are listed in the Compute Cloud@Customer Console and available for listing with a CLI command. Some resources are listed automatically when you create a subnet, and others must be configured explicitly.

  • Subnets. This resource gives the number of subnets created under the VCN. All other resources also display counts for the VCN.

  • Route Tables. This resource gives the number of route tables. Subnets can share route tables, especially default route tables, so this count isn't necessarily the same as the count of subnets, especially if there is more than one subnet for the VCN.

  • Internet Gateways. This resource gives the number of internet gateways configured. Initially, there are none.

  • Local Peering Gateway. This resource gives the number of local peering gateways configured. Initially, there are none.

  • DHCP Options. This resource gives the number of DHCP option lists. There is at least one for the VCN by default, but more can be created.

  • Security Lists. This resource gives the number of Security Lists. There is at least one set of ingress and egress rules for the VCN by default, but more can be created.

  • NAT Gateways. This resource gives the number of NAT gateways configured. Initially, there are none.

  • Network Security Groups. This resource gives the number of Network Security Groups configured. Initially, there are none, but you can gather existing Security Lists into Network Security Groups, where all security rules are applied at once, as needed.

  • Service Gateways. This resource gives the number of service gateways configured. Initially, there are none.

  • Dynamic Routing Gateways. This resource gives the number of dynamic routing gateways (DRGs) configured. Initially, there are none. Note that these gateways aren't configured within the VCN; they are attached to the VCN.

  • Dynamic Routing Gateway Attachments. This resource gives the number of dynamic routing gateway attachments that have been configured. You must have a DRG configured before any attachments are listed.

The various types of gateways are configured for very specific reasons.

  • NAT Gateway. A NAT gateway is used to translate IP addresses as traffic passes from one part of an IP network to another. When used between a VCN and the on-premises data center network, the NAT address becomes the source address for traffic sent on to the data center network. A NAT gateway allows egress to the on-premises network from a VCN. It does not allow connections to be initiated to the instances in the VCN. Although essentially one-way, return traffic is allowed for connections initiated in the VCN. Contrast the NAT Gateway with the Internet Gateway, which allows connections into and out of the VCN so that instances with public IP addresses are reachable from outside the PCA network.
    Note

    A VCN connected to the on-premises network with a Dynamic Routing Gateway can't overlap with any on-premises CIDR, or other VCN CIDRs connected with a Dynamic Routing Gateway. In other words, the IP addresses used must be exclusive to the VCN.

  • Internet Gateway (IGW). An IGW provides the VCN with outside access through the on-premises data center network. The source and destination must have routable, public IP addresses, and a VCN can have only one IGW.

  • Local Peering Gateway (LPG). A Local Peering Gateway (LPG) is a way to connect VCNs so that elements in each VCN can communicate, even using private IP addresses. Peered VCNs can be in different tenancies.

  • Dynamic Routing Gateway (DRG). A DRG is used to connect a VCN to the data center's IP address space, that is, the network outside the Compute Cloud@Customer rack in the data center. The data center network can, if configured that way, pass Compute Cloud@Customer traffic on to other destinations.

  • Service Gateway (SG). Some services are isolated on their own network for security and performance reasons. The service gateway (SG) allows a VCN with no external access to privately access Service Network services (such as object storage) in a private subnet.
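As an added example (not from the Oracle documentation or the Compute Cloud@Customer software), the Python script below models two checks a practitioner makes before wiring a VCN to the gateways described above: the non-overlap rule for DRG-connected CIDRs from the Note, and the forwarding decision that keeps intra-VCN traffic local and sends external traffic to the gateway named by the most specific matching route rule. All CIDRs, the route-rule dict layout and the gateway target labels are constructed here and are not the OCI API schema; the longest-prefix-match behaviour is an assumption of the model.

```python
import ipaddress

# Constructed sample topology (not from the original page).
VCN_CIDR = "10.0.0.0/16"
ONPREM_CIDRS = ["192.168.0.0/16", "172.16.0.0/12"]
PEER_VCN_CIDRS = ["10.1.0.0/16"]

# Constructed private-subnet route table: destination CIDR -> gateway type.
# The dict shape is illustrative, not the OCI route-rule schema.
ROUTE_RULES = [
    {"destination": "0.0.0.0/0", "target": "NAT_GATEWAY"},  # egress-only default
    {"destination": "192.168.0.0/16", "target": "DRG"},     # on-premises network
    {"destination": "172.16.0.0/12", "target": "DRG"},
    {"destination": "10.1.0.0/16", "target": "LPG"},        # peered VCN
]


def check_drg_cidr(vcn_cidr, onprem_cidrs, peer_vcn_cidrs):
    """Return every CIDR that overlaps vcn_cidr.

    An empty list means the VCN satisfies the exclusivity rule for attaching
    to a DRG; strict=True rejects CIDRs with host bits set (e.g. 10.0.1.0/16).
    """
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    return [c for c in onprem_cidrs + peer_vcn_cidrs
            if vcn.overlaps(ipaddress.ip_network(c, strict=True))]


def select_route(vcn_cidr, route_rules, dst_ip):
    """Model the forwarding decision for a packet leaving an instance in the VCN.

    Destinations inside the VCN need no route rule ("local"). Anything else is
    matched against the route table, assuming the most specific destination
    CIDR wins; returns the gateway type, or None when no rule covers dst_ip.
    """
    vcn = ipaddress.ip_network(vcn_cidr)
    dst = ipaddress.ip_address(dst_ip)
    if dst in vcn:
        return "local"
    best = None  # (network, target) of the longest-prefix rule seen so far
    for rule in route_rules:
        net = ipaddress.ip_network(rule["destination"])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rule["target"])
    return best[1] if best else None


if __name__ == "__main__":
    print("DRG conflicts:", check_drg_cidr(VCN_CIDR, ONPREM_CIDRS, PEER_VCN_CIDRS))
    for ip in ("10.0.5.7", "192.168.3.4", "10.1.2.3", "203.0.113.9"):
        print(ip, "->", select_route(VCN_CIDR, ROUTE_RULES, ip))
```

Running it with a VCN CIDR of 10.0.0.0/8 instead reports 10.1.0.0/16 as a conflict, which is the case the Note warns about.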