In my previous posts, I discussed the Oracle Cloud VMware Solution and the related provisioning process. We also looked at the L2 networking for OCVS. The next step in your VMware journey on Oracle Cloud is establishing connectivity to your resources in other environments: on-prem, on OCI, or in other Oracle services.
OCVS provides a set of “Networking Quick Actions” that are aimed at making your connectivity process easier, by configuring a subset of the elements needed to establish the connections. Before we look at the list of quick actions, let’s take a quick look at the networking elements that are involved in the Oracle Cloud VMware Solution.
VLANs & Subnet
Subnet and VLAN selection and configuration is an important aspect of any VMware deployment, and the same is true for OCVS. The provisioning process configures a number of VLANs and a single subnet for the solution.
The details are given below:
| Type | Name | Purpose | |
|---|---|---|---|
| Subnet | Provisioning | Communication with the hosts at provisioning time | 0 |
| VLAN | vSAN | Used for vSAN traffic | 0 |
| VLAN | vMotion | Used for vMotion traffic | 0 |
| VLAN | NSX VTEP | Geneve-encapsulated traffic for East-West traffic | 1 |
| VLAN | NSX Edge VTEP | Geneve-encapsulated traffic between hosts and NSX Edges | 1 |
| VLAN | NSX Edge Uplink 1 | Uplink for North-South traffic | 1 |
| VLAN | NSX Edge Uplink 2 | Uplink for North-South traffic (unused) | 1 |
Each VLAN and subnet in OCI has a route table associated with it. The route table is responsible for forwarding traffic to specific destinations. This is a very important part of the configuration when deploying the connectivity schema for your SDDC. The networking quick actions update the respective route tables according to the use case being deployed.
The route tables that matter for establishing external connectivity from your SDDC are the ones associated with the uplinks:
- NSX Edge Uplink 1 – Used for routing to: On-prem, VCN, OCI Services and Internet via NAT Gateway.
- NSX Edge Uplink 2 – Unused by default and will come into the picture when exposing services to the internet.
Network Security Groups
Security is an important aspect of any configuration in OCI. It is built on the principles of zero trust: nothing is allowed until it is explicitly permitted. Every VLAN in the OCVS ecosystem listed above has a Network Security Group (NSG) associated with it, which allows only the traffic required for the proper functioning of the environment. For example, the NSG associated with the VTEP segment will only allow GENEVE traffic within the VLAN, and any other traffic only from within the SDDC.
Coming to the subject of North-South communication, just like the route tables, the NSGs associated with the Uplink VLANs are important when allowing communication to any environment external to the SDDC. Every time a new class of traffic is allowed to communicate, an entry needs to be created or verified in the respective NSG.
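As an added example (not code from the original post or from Oracle), the following script audits an NSG's ingress rules against the policy described above for the VTEP VLAN: GENEVE (UDP 6081) only from within the VLAN, and anything else only from within the SDDC. The rule dictionaries use the snake_case field names of the OCI Python SDK as an assumption, and the sample rules and CIDRs are constructed.

```python
"""Audit NSG ingress rules for an OCVS VTEP VLAN (added example).

Field names follow the OCI SDK SecurityRule shape (assumed); the
sample rules and address ranges below are constructed for illustration.
"""
import ipaddress

GENEVE_PORT = 6081   # IANA-assigned UDP port for GENEVE encapsulation
UDP = "17"           # OCI expresses the protocol as its IANA number


def rule_allows_geneve_only(rule):
    """True if the rule is UDP and restricted to destination port 6081."""
    if rule.get("protocol") != UDP:
        return False
    rng = (rule.get("udp_options") or {}).get("destination_port_range") or {}
    return rng.get("min") == GENEVE_PORT and rng.get("max") == GENEVE_PORT


def source_within(rule, cidr):
    """True if the rule's CIDR source lies entirely inside the given network."""
    if rule.get("source_type") != "CIDR_BLOCK":
        return False   # NSG- or service-sourced rules are reviewed by hand
    return ipaddress.ip_network(rule["source"]).subnet_of(ipaddress.ip_network(cidr))


def audit_vtep_nsg(rules, vlan_cidr, sddc_cidr):
    """Return the ingress rules that do not match the expected VTEP NSG policy."""
    findings = []
    for r in rules:
        if r.get("direction") != "INGRESS":
            continue
        geneve = rule_allows_geneve_only(r)
        if geneve and source_within(r, vlan_cidr):
            continue   # GENEVE from peers in the VTEP VLAN: expected
        if not geneve and source_within(r, sddc_cidr):
            continue   # other traffic, but only from inside the SDDC: expected
        findings.append(r)   # GENEVE from outside the VLAN, or anything wider
    return findings


# Constructed sample rules: the third one is deliberately over-broad.
SAMPLE_RULES = [
    {"direction": "INGRESS", "protocol": "17", "source_type": "CIDR_BLOCK",
     "source": "10.0.3.0/24",
     "udp_options": {"destination_port_range": {"min": 6081, "max": 6081}}},
    {"direction": "INGRESS", "protocol": "1", "source_type": "CIDR_BLOCK",
     "source": "10.0.0.0/16"},
    {"direction": "INGRESS", "protocol": "all", "source_type": "CIDR_BLOCK",
     "source": "0.0.0.0/0"},
    {"direction": "EGRESS", "protocol": "all", "destination_type": "CIDR_BLOCK",
     "destination": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for bad in audit_vtep_nsg(SAMPLE_RULES, "10.0.3.0/24", "10.0.0.0/16"):
        print("review this rule:", bad)
```

The same check can be pointed at live data by feeding it the rules returned for the NSG attached to the VTEP VLAN, with the VLAN and SDDC CIDRs taken from your own deployment.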
Logical View of Default Routing Setup
When the provisioning of your SDDC is completed, there is a minimum level of routing configuration that gets done for you. We have already seen the creation of the networking foundation in terms of Subnet, VLANs, Route Tables and Network Security Groups. The provisioning service configures the following:
- Logical Routers – Tier-0 & Tier-1 Routers are configured and connected
- NSX Edge Uplink Interface – IP Addresses are configured for Uplink 1 on the Edge Nodes (2 Nodes)
- Edge HA VIP – HA configuration and corresponding VIP is configured
- Default Route – Static route configured on Tier-0 router. All traffic to be forwarded out uplink 1. The route points to the default gateway for the VLAN
- Logical Switch (optional) – The provisioning service asks you for an optional Overlay segment; if you provided one, the logical switch is configured and connected to the Tier-1 router.
This is the point where all the basic configuration is in place for you to start connecting to external destinations. All the required egress routing is also in place on the NSX side; however, the ingress portion still needs to be set up, and that is achieved using the respective quick actions.
The figure below shows a logical view of what will be ready for you once the environment is handed over to you. The figure does include a couple of logical switches, which are not part of the base configuration and will be configured by you.
Quick Actions Overview
This is the point where we can start utilizing the Quick Actions to establish connectivity to the desired external destinations. There are 4 workflows available from your SDDC Details page and they can be used to:
- Connect to On-prem Network – Access HQ, Branch or DC networks from your SDDC, using FastConnect or VPN Connect.
- Connect to Oracle Services Network – Access Native OCI Services directly
- Connect to Internet using NAT Gateway – Outbound internet access from the SDDC Workloads
- Connect to VCN Resources – Accessing resources in your VCNs in OCI
Each of the actions listed above runs a workflow that configures VCN resources such as gateways, route-table entries and security rules on the OCI side to help complete the connectivity scenario. I will be talking about each of the above scenarios in detail in my next few posts, discussing the configuration done by the quick actions and any items left to be done from the NSX side as well.
In Part-2 of this blog series about OCVS Networking Quick Actions, I will talk about establishing connectivity to your on-premises networks using the quick actions.