Removing or Changing a Service Gateway's Service CIDR Label

Remove or change a specified service CIDR label from the specified service gateway.

Important

Because Object Storage is covered by both OCI <region> Object Storage and All <region> Services in Oracle Services Network, a service gateway can use only one of those service CIDR labels. Likewise, a route table can have a single rule for one of the service CIDR labels. It can't have two separate rules, one for each label.

If the service gateway is configured to use All <region> Services in Oracle Services Network, the route rule can use either CIDR label. However, if the service gateway is configured to use OCI <region> Object Storage and the route rule uses All <region> Services in Oracle Services Network, traffic to services in the Oracle Services Network except Object Storage gets dropped or blackholed. The Console prohibits you from configuring the service gateway and corresponding route table in that manner.

To switch the service gateway to use a different service CIDR label, see When You Switch to a Different Service CIDR Label.

After you have assigned a service CIDR label to a service gateway, the Console allows you to switch to the other label, but the service gateway must always have a service CIDR label. The API and CLI allow you to remove the service CIDR label completely.
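The label rules above can be checked offline against configuration made through the CLI or API. This audit is an added example, not Oracle code: the dictionaries are a simplified stand-in for the kebab-case JSON the OCI CLI prints, and every OCID and label string in it is a constructed placeholder.

```python
# Constructed label strings (assumption): take the real ones from ListServices.
ALL_SERVICES = "all-xyz-services-in-oracle-services-network"
OBJECT_STORAGE = "oci-xyz-objectstorage"
BOTH = {ALL_SERVICES, OBJECT_STORAGE}


def audit(gateway, route_tables, labels_by_service_id):
    """Return (severity, message) findings for one service gateway."""
    findings = []
    gw_id = gateway["id"]
    gw_labels = {labels_by_service_id[s["service-id"]] for s in gateway["services"]}

    if not gw_labels:
        findings.append(("error", f"{gw_id}: no service CIDR label, no traffic flows"))
    if BOTH <= gw_labels:
        findings.append(("error", f"{gw_id}: both labels attached, only one is allowed"))

    for table in route_tables:
        # Only service-CIDR rules that target this gateway are relevant.
        dests = {r["destination"] for r in table["route-rules"]
                 if r.get("destination-type") == "SERVICE_CIDR_BLOCK"
                 and r["network-entity-id"] == gw_id}
        if BOTH <= dests:
            findings.append(("error", f"{table['id']}: separate rules for both labels"))
        if gw_labels == {OBJECT_STORAGE} and ALL_SERVICES in dests:
            findings.append(("error", f"{table['id']}: rule uses the all-services label but "
                             f"{gw_id} has Object Storage only; other traffic is dropped"))
        if not gw_labels and dests:
            findings.append(("warn", f"{table['id']}: rule still points at unlabeled {gw_id}"))
    return findings


# Constructed sample input: the blackhole combination described above.
LABELS = {
    "ocid1.service.oc1.xyz.all": ALL_SERVICES,
    "ocid1.service.oc1.xyz.objs": OBJECT_STORAGE,
}
GATEWAY = {"id": "ocid1.servicegateway.oc1.xyz.sgw1",
           "services": [{"service-id": "ocid1.service.oc1.xyz.objs"}]}
ROUTE_TABLES = [{
    "id": "ocid1.routetable.oc1.xyz.rt1",
    "route-rules": [{"destination": ALL_SERVICES,
                     "destination-type": "SERVICE_CIDR_BLOCK",
                     "network-entity-id": GATEWAY["id"]}],
}]

if __name__ == "__main__":
    for severity, message in audit(GATEWAY, ROUTE_TABLES, LABELS):
        print(severity, message)
```
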

  • You can't remove the service CIDR label using the Console after this option gets assigned, but you can do so in the CLI and API. The following steps can be used to change the assigned service CIDR label to the other option provided.

    1. On the Virtual Cloud Networks list page, select the VCN that contains the gateway that you want to work with. If you need help finding the list page or the VCN, see Listing VCNs.
    2. On the details page, perform one of the following actions depending on the option that you see:
      • On the Gateways tab, go to the Service Gateways section.
      • Under Resources, select Service Gateways.
    3. For the service gateway that you're interested in, select the Actions menu, and then select Edit.
    4. In the Services field, select the other service CIDR label. Without a service CIDR label enabled for the gateway, no traffic flows through it.
    5. Select Save changes.

    What's Next

    • Remove any route rules for that service CIDR label and gateway. Do this for the route tables for any subnets that no longer need to access the service CIDR label through the gateway. See instructions in Task 2: Update routing for the subnet.
    • Remove any security rules for that service CIDR label. Do this for the security lists for any subnets that no longer need to access the service CIDR label. See instructions in Task 3: (Optional) Update security rules.
  • Use the network service-gateway detach command and required parameters to remove a service CIDR label from a service gateway:

    oci network service-gateway detach --service-gateway-id sgw-ocid --service-id service-ocid ... [OPTIONS]

    The service gateway can only have one service CIDR label at a time. If you're trying to change the service CIDR label, remove the old service CIDR label and then use the network service-gateway attach command and required parameters to add the desired service CIDR label to the service gateway:

    oci network service-gateway attach --service-gateway-id sgw-ocid --service-id service-ocid ... [OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the DetachServiceId operation to remove a service CIDR label for a service gateway.

    The service gateway can only have one service CIDR label at a time. If you're trying to change the service CIDR label, first remove the old service CIDR label and then run the AttachServiceId operation to add a new service CIDR label to a service gateway.

    Use ListServices to determine the available service CIDR labels. Use GetService to get the details for a particular service CIDR label.