So far in this series, we have looked at an overview of OCVS networking, connectivity to on-prem networks and in Part-3 I discussed connecting your SDDC in OCI the Oracle Services Network. In this blog, I will be talking about configuring connectivity between your VMware environment in OCVS to other resources in OCI connected to the VCN(s).
You can learn more about OCI Virtual Cloud Network and related configuration in my previous post about OCI Networking Fundamentals and the OCI documentation.
This workflow will allow you to establish communication between your OCI Compute Instances or other resources deployed in the VCN and your workloads deployed in the overlay in OCVS.
Execute the Quick Action Workflow
At this stage, we are ready to go ahead and run the Quick Start Workflow to “Configure connectivity to VCN Resources”.
Step-1 – Provide Basic Information
Once you select the option to configure on-prem connectivity, the workflow will require you to provide the networks at each end of the connectivity:
- SDDC Workload CIDR – IP Address Range for the NSX Overlay Networks. I am using 192.168.192.0/20 for my environment.
- VCN Subnets – This is where you need to select the VCN Subnets that have resources needing connectivity to the SDDC. I will be using the Public Subnet (172.16.254.0/24) for the purpose of this post.
Step-2 – Review and Apply Configuration
In this step, you will be able to review the information provided and the resulting configuration generated by the workflow to complete the setup for the required connectivity. This is point where we will make sure all the correct information is being used.
- VCN & Compartment – You will be able to confirm that the connectivity is being established to the correct VCN and will give the associated compartment as well.
- Subnet(s) – This is the subnet that has the resources requiring connectivity to / from the Overlay Networks. An route-rule will be created for the Overlay Network in the Subnet route-table.
- Network Security Groups – The NSG for the Uplink will be updated with an entries to allow communication between the SDDC and the VCN Subnet.
At this stage, you can click on apply configuration and the workflow will give you confirmation once all the required steps have been completed.
- The route tables entry is given below:
- Route-table – Route-table for Public-Subnet
- Associated With – Public-Subnet
- Destination – 192.168.192.0/20
- Route-target – Private IP (172.16.0.131)
- Security rules will be added to the Network Security Group for the Uplink VLAN to allow traffic to / from the resources connected to Subnet(s) in the respective VCN.
Verification and Traffic Flow
Let’s take a look at the traffic flow between a VM connected to a logical switch in the SDDC and an instance in the Virtual Cloud Network Subnet. Let’s start with the verification of the communication.
The above image shows that the icmp was successful and we have connectivity between the required VLAN / Subnet.
Now let’s jump straight into the step-by-step packet trace for the test above. In order to do the same, we will use the figure below.
The flow of traffic between the SDDC and the Subnets is similar to what I described in an earlier post where I spoke about L2 networking with OCVS.
Traffic from SDDC VM to VCN Compute Instance
- The Virtual Machine connected to the Logical Switch (192.168.192.0/24) will initiate a request to access Host in Public-Subnet (172.16.254.0/24).
- The VM will send the traffic to it’s default gateway, which is the Tier-1 router in this case.
- The traffic will traverse the inter-tier router link and get to the Tier-0 router.
- The Tier-0 has a default route configured to forward all traffic to 172.16.0.129, which is the SVI for the Uplink VLAN.
- The SVI will do a lookup for a MAC address entry for the destination Host IP (172.16.254.2).
- The traffic will get forwarded directly to the Host.
Traffic from VCN Instance to the SDDC VM
- The return packet from Host-A will be matched against the route-table to check for the route-target.
- In this case, the Public-Subnet route-table has a rule to forward the traffic for the Overlay CIDR (192.168.192.0/20) to the private IP address 172.16.0.131. This is the HA-VIP for the NSX Edge Uplink 1.
- The traffic will be sent to the Tier-0, which forwards the traffic back to the VM via the Tier-1 router.
So far in this series, we have looked at an overview of OCVS Default Networking and Quick Actions and 3 workflows that help in establishing connectivity from your SDDC in the Oracle Cloud VMware Solution.
- Connecting to On-premises Networks
- Connecting to Oracle Services Network
- Connecting to your VCN Resources
In Part-5 of this blog series, I will be talking about accessing the internet from your VMs, using the NAT Gateway.