1. Best practices for hybrid and multicloud OCI networking design
  2. Learn About Key Design Decisions for OCI Workload Networking

Learn About Key Design Decisions for OCI Workload Networking

You can optimize network performance and connectivity by architecting workload networking specific to your organizational needs. This solution playbook presents the key design decisions and best practices for architecting your Oracle Cloud Infrastructure (OCI) workload networking. You will learn about patterns explaining networking components and services which help you build a resilient OCI network to meet your application and solution needs.

Before You Begin

Review this related solution to learn more about setting up the CIS landing zone.

Architecture

This architecture shows a complete architecture after you set up your networking and connectivity. Use this architecture to make key design decisions specific to your organizational needs.

The following diagram illustrates the finished reference architecture for a resilient OCI network.

Description of multi-region-deployment-full-arch.png follows
Description of the illustration multi-region-deployment-full-arch.png

multi-region-deployment-full-arch-oracle.zip

This architecture supports the following components:

  • Virtual cloud network (VCN) and subnet

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Network security group (NSG)

    NSGs act as virtual firewalls for your cloud resources. With the zero-trust security model of Oracle Cloud Infrastructure, all traffic is denied, and you can control the network traffic inside a VCN. An NSG consists of a set of ingress and egress security rules that apply to only a specified set of VNICs in a single VCN.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Dynamic routing gateway (DRG)

    The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.

  • Local peering gateway (LPG)

    An LPG enables you to peer one VCN with another VCN in the same region. Peering means the VCNs communicate using private IP addresses, without the traffic traversing the internet or routing through your on-premises network.

  • FastConnect

    Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options and a more reliable networking experience when compared with internet-based connections.

  • Site-to-Site VPN

    Site-to-Site VPN provides IPSec VPN connectivity between your on-premises network and VCNs in Oracle Cloud Infrastructure. The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives.