Understand Oracle Virtual Cloud Network (VCN) step by step with simple examples and easy explanations. This blogpost covers all important OCI networking components required for beginners, what VCN is, why it is needed and components of VCN.
Source: https://docs.oracle.com/
What is VCN?
A virtual cloud network (VCN) is a virtual, private network that closely resembles a traditional network, with firewall rules and specific types of communication gateways that you can choose. A VCN resides in a single OCI region and covers one or more CIDR blocks (IPv4 and IPv6, if enabled). Each subnet consists of one or more contiguous ranges of IP addresses that do not overlap with other subnets in the VCN.
A VCN is your private network inside Oracle Cloud.
It works almost like the network inside your office, home, or company building — but instead of physical cables and routers, everything is virtual and created in the cloud.
Imagine you buy land and build a private society.
Inside the society you create:
- Roads
- Security gates
- Different blocks
- Houses
- Visitor entry rules
Similarly, in OCI:
This is exactly how VCN works.
Main Components of Oracle VCN
1. CIDR Block – Address Range of Your Network
When creating a VCN, we define a CIDR block like:
10.0.0.0/16
This means your VCN can contain IP addresses from 10.0.0.1 to 10.0.255.255.
2. Subnets
Inside the VCN, we create smaller sections called Subnets. Think of subnets like different blocks inside a society.
Public Subnet
Resources inside a public subnet can reach the internet directly. Example:
Private Subnet
Resources inside a private subnet cannot be reached directly from the internet. Example:
- Databases
- Internal applications
This is important for security.
The 10.0.0.0/16 network contains:
- IP range from 10.0.0.0 to 10.0.255.255
- Total around 65,536 IP addresses
This large network can be split into many smaller subnets, as long as they stay inside the VCN's CIDR and do not overlap each other. Common examples include small /24 subnets:
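A small subnet planner, added here as an example (not code from the original post or from Oracle): it carves a VCN CIDR into /24s and checks a proposed layout against the two rules just stated, that each subnet lies inside the VCN CIDR and that no two subnets overlap. The three reserved addresses per subnet are an assumption stated in the code, not a figure from the page.

```python
import ipaddress
from typing import Dict, List

# Assumption: the OCI Networking service reserves three addresses in every
# subnet (the first two and the last one). Kept as a parameter, not from the page.
OCI_RESERVED_PER_SUBNET = 3


def split_vcn(vcn_cidr: str, new_prefix: int) -> List[str]:
    """Carve a VCN CIDR into equal-sized subnets, e.g. a /16 into 256 /24s."""
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    return [str(s) for s in vcn.subnets(new_prefix=new_prefix)]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses left for instances once the reserved ones are removed."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - OCI_RESERVED_PER_SUBNET


def validate_subnets(vcn_cidr: str, subnet_cidrs: List[str]) -> Dict[str, List[str]]:
    """Apply the two VCN rules: every subnet must lie inside the VCN CIDR and
    no two subnets may overlap. Returns the accepted subnets and the errors."""
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    accepted: List[ipaddress.IPv4Network] = []
    errors: List[str] = []
    for cidr in subnet_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:          # host bits set, e.g. 10.0.3.5/24
            errors.append(f"{cidr}: invalid CIDR ({exc})")
            continue
        if not net.subnet_of(vcn):
            errors.append(f"{net}: not inside VCN {vcn}")
            continue
        clash = next((a for a in accepted if a.overlaps(net)), None)
        if clash is not None:
            errors.append(f"{net}: overlaps {clash}")
            continue
        accepted.append(net)
    return {"accepted": [str(n) for n in accepted], "errors": errors}


if __name__ == "__main__":
    # Constructed layout: two good /24s, one overlapping /25, one outside the VCN.
    print(validate_subnets("10.0.0.0/16",
                           ["10.0.1.0/24", "10.0.2.0/24", "10.0.1.128/25", "10.1.0.0/24"]))
```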
3. Internet Gateway
An Internet Gateway allows resources inside the VCN to communicate with the internet. Without an Internet Gateway:
- The server cannot download packages
- Users cannot open a website hosted on the server
Think of it as:
Main gate connecting your colony to the outside world.
Internet Gateway supports connections from within the VCN (egress) and connections from the internet (ingress). Each public subnet that needs to use the internet gateway must have a route table rule that specifies the gateway as the target.
An internet gateway is an optional virtual router that connects the edge of the VCN with the internet. To use the gateway, the hosts on both ends of the connection must have public IP addresses for routing. Connections that originate in a VCN and are destined for a public IP address (either inside or outside the VCN) go through the internet gateway. Connections that originate outside the VCN and are destined for a public IP address inside the VCN go through the internet gateway.
4. Route Tables
Route tables tell network traffic where to go. Example:
0.0.0.0/0 → Internet Gateway
Meaning:
Any internet traffic should go through Internet Gateway.
A VCN uses route tables to send traffic out of the VCN (for example, to the internet, to an on-premises network, or to a peered VCN). These route tables have rules that look and act similar to traditional network route rules you might already be familiar with. Each rule specifies a destination CIDR block and the target (the next hop) for any traffic that matches that CIDR.
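A route lookup written for this post as an added example (not Oracle's code): two constructed route tables, one for a public subnet (0.0.0.0/0 to the Internet Gateway) and one for a private subnet (0.0.0.0/0 to a NAT Gateway, an assumed on-premises range 192.168.0.0/16 to the DRG), with the most specific matching CIDR winning. Treating destinations inside the VCN as local is how the example models the VCN's own internal routing.

```python
import ipaddress
from typing import List, Tuple

RouteTable = List[Tuple[str, str]]   # (destination CIDR, target gateway)

# Constructed route tables following the examples above; the on-premises
# range 192.168.0.0/16 is an assumed value, not taken from the post.
PUBLIC_RT: RouteTable = [("0.0.0.0/0", "Internet Gateway")]
PRIVATE_RT: RouteTable = [
    ("0.0.0.0/0", "NAT Gateway"),       # outbound-only internet access
    ("192.168.0.0/16", "DRG"),          # traffic for the on-premises network
]


def next_hop(route_table: RouteTable, dst_ip: str, vcn_cidr: str = "10.0.0.0/16") -> str:
    """Pick the target for a destination address.

    The rule with the most specific (longest-prefix) matching CIDR wins, so the
    /16 rule for the DRG beats the 0.0.0.0/0 default. Destinations inside the
    VCN itself are modelled as local and never consult the route table.
    """
    ip = ipaddress.ip_address(dst_ip)
    if ip in ipaddress.ip_network(vcn_cidr):
        return "local"
    best_net = None
    best_target = "no route (dropped)"
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.168.5.5", "10.0.3.7"):
        print(f"{ip:>14}: public -> {next_hop(PUBLIC_RT, ip):17} "
              f"private -> {next_hop(PRIVATE_RT, ip)}")
```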
5. Security Lists
Security lists act as virtual firewalls for Compute instances and other kinds of resources. A security list consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the security list is associated with. This means that all the VNICs in a particular subnet are subject to the same set of security lists.
Security Lists control:
- Which traffic is allowed
- Which ports are open
- Which IPs can connect
If port 22 is blocked:
the SSH connection will fail.
Think of Security Lists as: Security guards checking who can enter.
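The port 22 case worked through in code, added as an example (not from the post or from Oracle): a constructed ingress security list that allows HTTPS from anywhere and SSH only from an assumed admin range 203.0.113.0/24, evaluated as the allow-list the text describes, so a connection with no matching rule is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IngressRule:
    source: str                        # CIDR the connection may come from
    protocol: str                      # "tcp", "udp", "icmp" or "all"
    port_min: Optional[int] = None     # None = any destination port
    port_max: Optional[int] = None


# Constructed security list (not from the post): HTTPS from anywhere,
# SSH only from an assumed admin range. Port 22 is therefore "blocked"
# for every other source.
WEB_TIER_INGRESS: List[IngressRule] = [
    IngressRule("0.0.0.0/0", "tcp", 443, 443),
    IngressRule("203.0.113.0/24", "tcp", 22, 22),
]


def ingress_allowed(rules: List[IngressRule], src_ip: str, protocol: str, dst_port: int) -> bool:
    """Security lists are allow-lists: a connection is accepted only if some rule
    matches its source, protocol and destination port; otherwise it is dropped.
    Because the rules are stateful, replies need no separate egress rule."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src not in ipaddress.ip_network(rule.source):
            continue
        if rule.protocol not in ("all", protocol):
            continue
        if rule.port_min is not None:
            high = rule.port_max if rule.port_max is not None else rule.port_min
            if not (rule.port_min <= dst_port <= high):
                continue
        return True
    return False


def explain(rules: List[IngressRule], src_ip: str, protocol: str, dst_port: int) -> str:
    verdict = "allowed" if ingress_allowed(rules, src_ip, protocol, dst_port) else "blocked"
    return f"{protocol}/{dst_port} from {src_ip}: {verdict}"


if __name__ == "__main__":
    print(explain(WEB_TIER_INGRESS, "198.51.100.7", "tcp", 22))   # SSH from the internet
    print(explain(WEB_TIER_INGRESS, "203.0.113.9", "tcp", 22))    # SSH from the admin range
    print(explain(WEB_TIER_INGRESS, "198.51.100.7", "tcp", 443))  # HTTPS from the internet
```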
6. Network Security Groups
Network security groups (NSGs) act as a virtual firewall for Compute instances and other kinds of resources. An NSG consists of a set of ingress and egress security rules that apply only to a set of VNICs in a single VCN (for example: all the Compute instances that act as web servers in the web tier of a multitier application in a VCN).
7. DRG – Dynamic Routing Gateway
A DRG acts as a virtual router, providing a path for traffic between on-premises networks and VCNs, and can also be used to route traffic between VCNs.
DRG connects your OCI network to:
- On-premises data center
- Other cloud networks
- VPNs
Think of DRG as: Highway connecting your colony to another city.
8. NAT Gateway
A NAT gateway gives cloud resources without public IP addresses access to the internet without exposing those resources to incoming internet connections.
The hosts can start connections to the internet and receive responses, but not receive inbound connections started from the internet.
Servers in a private subnet cannot reach the internet directly.
But sometimes they still need:
- OS updates
- Package downloads
NAT Gateway allows:
- Outgoing internet access
- Without allowing incoming internet traffic
This improves security.
9. Service Gateway
A Service Gateway allows private resources to access Oracle services privately.
Example:
- Object Storage
- Autonomous Database
Without using public internet.
Gateway Limits
Source: https://docs.oracle.com/