In Part-2 of this series on OCVS Networking Quick Actions, I discussed connecting your SDDC on OCI to your on-premises networks. We will now move on to the next piece in the connectivity puzzle, and a very important one indeed: connecting to the Oracle Services Network.
Oracle Cloud Infrastructure has a conceptual network for Oracle services, referred to as the Oracle Services Network (OSN). Points to know about the services in the OSN:
- The Services have Public IP Addresses
- These services can be reached over the internet.
A Service Gateway is used to allow private access to the supported resources in the Oracle Services Network: traffic from the VCN reaches the service's public IP without leaving the Oracle network, so no Internet Gateway or NAT Gateway is needed for that path. You can learn more about OCI Networking and Gateways in my previous post about OCI Networking Fundamentals.
You can get more information on Oracle Services Network and Services supported by the Service Gateway here.
Execute the Quick Action Workflow
At this stage, we are ready to go ahead and run the Quick Start Workflow to “Configure connectivity to Oracle Services Network”.
Step-1 – Provide Basic Information
Once you select the option to configure connectivity to the Oracle Services Network, the workflow will require you to provide the network at the SDDC end of the connection:
- SDDC Workload CIDR – IP Address Range for the NSX Overlay Networks. I am using 192.168.192.0/20 for my environment.
Step-2 – Review and Apply Configuration
In the next step, the workflow will show you all the components and configuration that will be created to set up the required connectivity. This is the point where we make sure all the correct information is being used.
- Service Gateway – The workflow picks up the Service Gateway available or creates a new one, if none exists in the VCN. In our case, the workflow created a new Service Gateway.
- Route Table Entries – It shows the respective route-tables and entries that will be created as part of the workflow. An entry will be created for the Overlay Network in the Service Gateway route table and another one for the Services in the OSN in the Uplink VLAN route table.
- Network Security Groups – The NSG for the Uplink VLAN will be updated with entries to allow communication between the SDDC and the Oracle Services Network.
At this stage, you can click on apply configuration and the workflow will give you confirmation once all the required steps have been completed.
The workflow will configure the Service Gateway, Route-table and respective entries and security rules to provide connectivity to the required services.
- The route tables and the respective entries are listed below:

| # | Route Table | Associated with | Destination | Route target |
|---|---|---|---|---|
| 1 | Route Table for OCI-FRA-SGW-01 | Service Gateway (OCI-FRA-SGW-01) | 192.168.192.0/20 | 172.16.0.131 |
| 2 | Route Table for VLAN-OCI-FRA-SDDC-NSX Edge Uplink 1 | Uplink VLAN | All Services in OSN for selected region | Service Gateway |
- The Service Gateway is created to provide connectivity between the Overlay Networks (provided in the workflow) and All Services in the OSN in the respective OCI region (FRA in my case).
- The first route table above (Route Table for OCI-FRA-SGW-01) is attached to the Service Gateway and carries the return route for the Workload CIDR back to the Tier-0 uplink address.
- Security rules will be added to the Network Security Group for the Uplink VLAN to allow traffic to / from the services in the Oracle Services Network for that region. When reviewing these rules, check that they are scoped to the region's OSN service CIDR label rather than 0.0.0.0/0, so the uplink is not opened wider than the workflow intends.
Verification and Traffic Flow
Let’s take a look at the traffic flow between the VMs connected to logical switches in the SDDC and an OCI Object Storage bucket in the Oracle Services Network. But before we dive into the traffic flow, let’s verify the connectivity. In order to verify the communication with the OSN, we will download a file from an OCI Object Storage bucket in my tenancy in the OCI Frankfurt region.
- We will download the file called “FRA Object Store File.txt” from the bucket.
- We will create a PAR (Pre-authenticated Request) for the object and get the link for the same. Keep in mind that anyone holding the PAR URL can read the object without further authentication for as long as the PAR is valid, so give it a short expiry and delete it once the test is done.
- The next step in the verification process would be to access the object from the VM.
The above image shows that the file was accessed successfully and we were able to verify the contents of the file as well.
Now let’s jump straight into the step-by-step packet trace for the test above. In order to do the same, we will use the figure below.
Traffic from Virtual Machine to Object Storage
- The Virtual Machine will initiate traffic to access the object in the said bucket in OCI FRA region.
- The VM will forward the packet to its default gateway, which is the NSX Tier-1 router as shown in the figure above.
- The packet will traverse the Tier-1–Tier-0 router link and reach the Tier-0 router.
- The T0 has a default route to send all traffic out its Uplink-1 and forward it to 172.16.0.129, which is the VLAN Gateway in this case.
- This is the point where the Uplink VLAN route table comes into play. The Quick Action Workflow had added an entry to forward traffic for all Services in the OSN to OCI-FRA-SGW-01 (the Service Gateway).
- Once the traffic is received by the Service Gateway, it is forwarded internally to the respective service, which is Object Storage in this case. Remember that the service is published on a public IP, but the traffic is forwarded to it without traversing the public internet; a destination that is not part of the OSN has no matching route in this table and is not reachable via the Service Gateway.
- The traffic reaches the respective service.
Traffic from Object Storage to the Virtual Machine
- The return packet is forwarded from the service to the Service Gateway (OCI-FRA-SGW-01).
- The Quick Action Workflow had created and attached a route-table to the Service Gateway. The route-table has an entry to forward all traffic for the Workload Network (192.168.192.0/20) to the Private IP (172.16.0.131). This is the IP Address on the Tier-0 router in the SDDC.
- The Tier-0 forwards the traffic back to the Tier-1 and it is delivered back to the VM via the downlink from the Tier-1.
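To make the two lookups above concrete, here is an added example (not code from the original post or from Oracle) that models the three route tables from this post with Python's `ipaddress` module and walks one packet in each direction. The Object Storage address and the prefixes standing in for “All FRA Services in Oracle Services Network” are constructed TEST-NET values; in OCI the real prefixes behind the service CIDR label are resolved by the platform, not configured by hand.

```python
"""Route-lookup walkthrough for the SDDC <-> Oracle Services Network path.

Added example, not the post's or Oracle's code. The OSN prefixes and the
service address below are constructed sample values (RFC 5737 TEST-NET
ranges); the route tables mirror the ones created by the Quick Action.
"""
from ipaddress import ip_address, ip_network

# Hypothetical prefixes standing in for the region's OSN service CIDR label.
OSN_LABEL = "all-fra-services-in-oracle-services-network"
OSN_FRA_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Route tables from the post. Each rule is (destination, next hop); the
# destination is an ip_network or the OSN label (a set of prefixes).
T0_ROUTES = [(ip_network("0.0.0.0/0"), "VLAN gateway 172.16.0.129")]       # Tier-0 default route
UPLINK_VLAN_ROUTES = [(OSN_LABEL, "Service Gateway OCI-FRA-SGW-01")]         # table row 2
SGW_ROUTES = [(ip_network("192.168.192.0/20"), "Private IP 172.16.0.131 (Tier-0 uplink)")]  # table row 1


def lookup(table, dst):
    """Longest-prefix match of dst against a table; returns the next hop or None."""
    best_hop, best_len = None, -1
    for dest, hop in table:
        prefixes = OSN_FRA_PREFIXES if dest == OSN_LABEL else [dest]
        for prefix in prefixes:
            if dst in prefix and prefix.prefixlen > best_len:
                best_hop, best_len = hop, prefix.prefixlen
    return best_hop


def trace_vm_to_service(dst_ip):
    """Hops for a packet from a workload VM towards dst_ip (north-bound path)."""
    dst = ip_address(dst_ip)
    hops = ["VM -> Tier-1 (default gateway)", "Tier-1 -> Tier-0"]
    hops.append(f"Tier-0 -> {lookup(T0_ROUTES, dst)}")
    next_hop = lookup(UPLINK_VLAN_ROUTES, dst)
    if next_hop is None:
        # Only OSN destinations have a route on the uplink VLAN table.
        hops.append("Uplink VLAN route table: no route, packet dropped")
        return hops
    hops.append(f"Uplink VLAN -> {next_hop}")
    hops.append("Service Gateway -> service (private path, no internet transit)")
    return hops


def trace_service_to_vm(vm_ip):
    """Hops for the return packet from the service back to the VM (south-bound path)."""
    dst = ip_address(vm_ip)
    hops = ["Service -> Service Gateway OCI-FRA-SGW-01"]
    next_hop = lookup(SGW_ROUTES, dst)
    if next_hop is None:
        # Only the Workload CIDR given to the workflow is routable from the SGW.
        hops.append("Service Gateway route table: no route, packet dropped")
        return hops
    hops.append(f"Service Gateway -> {next_hop}")
    hops.extend(["Tier-0 -> Tier-1", "Tier-1 -> VM (downlink)"])
    return hops


if __name__ == "__main__":
    for hop in trace_vm_to_service("203.0.113.10"):   # constructed Object Storage address in the OSN
        print(hop)
    print("---")
    for hop in trace_service_to_vm("192.168.200.5"):  # VM inside 192.168.192.0/20
        print(hop)
    print("---")
    for hop in trace_vm_to_service("192.0.2.10"):     # public address outside the OSN
        print(hop)
```

The third trace is the check worth keeping in mind: a public destination outside the OSN gets no route on the uplink VLAN table, which is exactly why this workflow provides access to Oracle services only and does not give the SDDC a general path to the internet.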
Note: We have focused on the North-South traffic flow and have not gone into the East-West flows that come into the picture as well. We will look at those in a future post.
So far in this series, we have now looked at an overview of OCVS Default Networking and Quick Actions and 2 workflows that help in establishing connectivity from your SDDC in the Oracle Cloud VMware Solution.
- Connecting to On-premises Networks
- Connecting to Oracle Services Network
In Part-4 of this blog series, I will be talking about the next step in the connectivity model and that is accessing resources connected to your VCN from your SDDC workloads.