Service gateway access to Oracle Services Network
- Services: Networking
- Release Date: March 11, 2019
- API Versions Affected: 20160918
The service gateway now offers access to multiple services in the Oracle Service Network. The Oracle Services Network is a conceptual network in Oracle Cloud Infrastructure that is reserved for Oracle services. Every service in the Oracle Services Network exposes a service endpoint that uses public IP addresses from the network. More services will be added to the network in the future as they get deployed on Oracle Cloud Infrastructure.
Important: The service gateway allows access to Oracle services within the region to protect your data from the internet. Your workloads may require access to public endpoints or services not supported by the service gateway (for example, to download updates or patches). Ensure you have a NAT gateway or other access to the internet if necessary.
New Service CIDR Label: All <region> Services in Oracle Services Network
The service gateway uses service CIDR labels to represent the regional public IP addresses of a service or group of services that are accessible through the gateway. Here are the available labels:
- Already existing label: OCI <region> Object Storage
- New label with this release: All <region> Services in Oracle Services Network. It includes Object Storage and many other Oracle services.
If you already have a service gateway and want to access Oracle services in addition to Object Storage, switch the gateway to use the new service CIDR label.
Important: See this known issue for information about accessing Yum services through the service gateway.
How to Avoid Disruption While Switching to the New Service CIDR Label
To avoid disrupting your Object Storage connections while switching to the new service CIDR label from the existing one, use the following process.
- Update the service gateway: Remove the OCI <region> Object Storage label and add the new service CIDR label.
- Update relevant route rules: For each rule that uses the service gateway as the target, switch each rule's destination service to the new service CIDR label instead of OCI <region> Object Storage.
- Update relevant security list rules: Change any security list rules that specify the OCI <region> Object Storage service CIDR label to instead use the new label.
If you instead try to delete your existing service gateway and create a new one, your Object Storage connections will be disrupted. Also remember that before you can delete a service gateway, you must delete any route rules that specify that gateway as a target.
Other important details:
- Switching labels is the correct process to use because:
- A service gateway can use only one of the preceding service CIDR labels, because both include access to Object Storage. If you try to add the new label to a service gateway that already uses the existing label, you'll get an error.
- Similarly, a route table can have a single rule for one of the service CIDR labels. It cannot have two separate rules, one for each label.
- Also, a VCN can have only one service gateway, so you can't add a second one only for the new service CIDR label.
- The Oracle Cloud Infrastructure Console enforces a special restriction. When you set up a route rule that uses a service gateway as the target, the rule's destination service must be the service CIDR label that is enabled for that service gateway. Oracle intends to remove this restriction from the Console interface, so that when you use the Console to set up a route rule for a service gateway, you can specify any service CIDR label as the destination service, regardless of what label is enabled for the service gateway. See this known issue.
Possible Breaking API Changes If You're New to Using a Service Gateway
If your organization decides to start using a service gateway with a VCN, and you're using an Oracle client released before June 2018: you must update the code for all your clients that work with the Networking service route rules and security lists. The APIs for these resources changed as part of the original service gateway release in June 2018. For details, see the related release note.
Related Technical Documentation