Creating a VCN (Flannel Overlay)

On Compute Cloud@Customer, to configure OKE, create a VCN, a public route table, and a private route table.

Create the following resources in the order listed:

  1. Create the VCN
  2. Create a route table with the following route rules:

    • Public clusters:

      • Internet gateway and a route table with a route rule that references that internet gateway.

      • NAT gateway and a route table with a route rule that references that NAT gateway.

    • Private clusters:

      • Route table with no route rules.

      • (Optional) Dynamic Routing Gateway (DRG) and a route table with a route rule that references that DRG. See Private Clusters.

      • (Optional) Local Peering Gateway (LPG) and a route table with a route rule that references that LPG. See Private Clusters.

  3. Modify the VCN Default Security List

Resource names and CIDR blocks are example values.

Create the VCN

To create the VCN, follow the instructions in Creating a VCN, and use the parameters listed in this section. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

Note

Subnets are created later, and described in subsequent sections.

For this example, use the following input to create the VCN. The VCN covers one contiguous CIDR block. The CIDR block can't be changed after the VCN is created.

Compute Cloud@Customer Console property:

  • Name: oketest-vcn

  • CIDR Block: vcn_cidr

  • DNS Label: oketest

    This label must be unique across all VCNs in the tenancy.

CLI property:

  • --display-name: oketest-vcn

  • --cidr-blocks: '["vcn_cidr"]'

  • --dns-label: oketest

    This label must be unique across all VCNs in the tenancy.

Note the OCID of the new VCN for use later. In the examples in this guide, this VCN OCID is ocid1.vcn.oke_vcn_id.

Next Steps

  • Public internet access. For traffic on a public subnet that connects to the internet using public IP addresses, create an internet gateway and a route rule that references that internet gateway.

  • Private internet access. For traffic on a private subnet that needs to connect to the internet without exposing private IP addresses, create a NAT gateway and a route rule that references that NAT gateway.

  • VCN-only access. To restrict communication to only other resources on the same VCN, use the default route table, which has no route rules.

  • Instances in another VCN. To enable communication between the cluster and an instance running on a different VCN, create a Local Peering Gateway (LPG) and a route rule that references that LPG.

  • On-premises IP address space. To enable communication between the cluster and the on-premises network IP address space, create a Dynamic Routing Gateway (DRG), attach the OKE VCN to that DRG, and create a route rule that references that DRG.

Edit the VCN Private Route Table

Edit the default route table that was created when you created the VCN. Change the name of the route table to vcn_private. This route table does not have any route rules. Do not add any route rules.

Create a NAT Private Route Table

Create a NAT gateway and a route table with a route rule that references the NAT gateway.

NAT Gateway

To create the NAT gateway, use the instructions in Configuring a NAT Gateway. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

Note the name and OCID of the NAT gateway for assignment to the private route rule.

Private Route Rule

Create a route table with a private route rule that references the NAT gateway that was created in the preceding step. See Creating a Route Table.

For this example, use the following input.

Compute Cloud@Customer Console property:

  • Name: nat_private

  • Route rule:

    • Target Type: NAT Gateway

    • NAT Gateway: Name of the NAT gateway that was created in the preceding step

    • CIDR Block: 0.0.0.0/0

    • Description: NAT private route rule

CLI property:

  • --display-name: nat_private

  • --route-rules:

    • networkEntityId: OCID of the NAT gateway that was created in the preceding step

    • destinationType: CIDR_BLOCK

    • destination: 0.0.0.0/0

    • description: NAT private route rule

Note the name and OCID of this route table for assignment to private subnets.

Create a Local Peering Gateway

Create a Local Peering Gateway (LPG) and a route table with a route rule that references the LPG.

Local Peering Gateway

Create the LPG. See Connecting VCNs through a Local Peering Gateway (LPG).

Note the name and OCID of the LPG for assignment to the private route rule.

Private Route Rule

Create a route table. See Creating a Route Table.

For this example, use the following input to create the route table with a private route rule that references the LPG that was created in the preceding step.

Compute Cloud@Customer Console property:

  • Name: lpg_rt

  • Route rule:

    • Target Type: Local Peering Gateway

    • Local Peering Gateway: Name of the LPG that was created in the preceding step

    • CIDR Block: CIDR_for_the_second_VCN

    • Description: LPG private route rule

CLI property:

  • --display-name: lpg_rt

  • --route-rules:

    • networkEntityId: OCID of the LPG that was created in the preceding step

    • destinationType: CIDR_BLOCK

    • destination: CIDR_for_the_second_VCN

    • description: LPG private route rule

Note the name and OCID of this route table for assignment to the "control-plane-endpoint" subnet (Creating an OKE Control Plane Load Balancer Subnet (Flannel Overlay)).

Add the same route rule on the second VCN (the peered VCN), specifying the OKE VCN CIDR as the destination.

Create a Dynamic Routing Gateway

Create a Dynamic Routing Gateway (DRG) and a route table with a route rule that references the DRG.

Dynamic Routing Gateway

To create the DRG and attach the OKE VCN to that DRG, see Connecting to the On-Premises Network through a Dynamic Routing Gateway (DRG). Create the DRG in the OKE VCN compartment, and then attach the OKE VCN to that DRG.

Note the name and OCID of the DRG for assignment to the private route rule.

Private Route Rule

Create a route table. See Creating a Route Table.

For this example, use the following input to create the route table with a private route rule that references the DRG that was created in the preceding step.

Compute Cloud@Customer Console property:

  • Name: drg_rt

  • Route rule:

    • Target Type: Dynamic Routing Gateway

    • Dynamic Routing Gateway: Name of the DRG that was created in the preceding step

    • CIDR Block: 0.0.0.0/0

    • Description: DRG private route rule

CLI property:

  • --display-name: drg_rt

  • --route-rules:

    • networkEntityId: OCID of the DRG that was created in the preceding step

    • destinationType: CIDR_BLOCK

    • destination: 0.0.0.0/0

    • description: DRG private route rule

Note the name and OCID of this route table for assignment to the "control-plane-endpoint" subnet (Creating an OKE Control Plane Load Balancer Subnet (Flannel Overlay)).

Create a Public Route Table

Create an internet gateway and a route table with a route rule that references the internet gateway. This enables internet access for OKE nodes.

Create an Internet Gateway

To create the internet gateway, use the instructions in Configuring an Internet Gateway. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

Note the name and OCID of the internet gateway for assignment to the public route rule.

Create a Public Route Rule

Create a public route rule for the internet gateway you just created. To create a route table, use the instructions in Creating a Route Table. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

For this example, use the following input to create the route table with a public route rule that references the internet gateway that was created in the preceding step.

Compute Cloud@Customer Console property:

  • Name: public

  • Route rule:

    • Target Type: Internet Gateway

    • Internet Gateway: Name of the internet gateway that was created in the preceding step

    • CIDR Block: 0.0.0.0/0

    • Description: OKE public route rule

CLI property:

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: public

  • --route-rules:

    • networkEntityId: OCID of the internet gateway that was created in the preceding step

    • destinationType: CIDR_BLOCK

    • destination: 0.0.0.0/0

    • description: OKE public route rule
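The route tables in the sections above (vcn_private, nat_private, lpg_rt, drg_rt and public) differ only in display name, target OCID and destination, so one helper can drive all of them. The script below is an added example written for this page; it is not Oracle's code and is not taken from the documentation. It renders the `--route-rules` JSON in the shape shown in the CLI columns, issues the `oci network vcn create`, `route-table update` and `route-table create` calls (printed as a dry run unless OKE_APPLY=1 is set), and refuses to put an internet-gateway target into a table meant for private subnets, because a route table that is later attached to a private subnet is the one place where a wrong target quietly gives private nodes a public path. COMPARTMENT_ID, the gateway OCIDs marked PLACEHOLDER and ocid1.routetable.default_rt_id are constructed placeholders; vcn_cidr, ocid1.vcn.oke_vcn_id and CIDR_for_the_second_VCN are the page's own placeholders.

```bash
#!/bin/sh
# Added example, not part of the Oracle documentation: build the --route-rules
# payloads shown on this page and issue the matching `oci network` commands.
# Every OCID marked PLACEHOLDER is constructed for illustration; replace it
# with a value from your tenancy. vcn_cidr is the page's own placeholder.
set -eu

COMPARTMENT_ID="${COMPARTMENT_ID:-ocid1.compartment.PLACEHOLDER}"
VCN_CIDR="${VCN_CIDR:-vcn_cidr}"

# Dry run by default: print the command, single-quoting each argument so the
# output can be pasted back into a shell. Set OKE_APPLY=1 to really call oci.
run_oci() {
    if [ "${OKE_APPLY:-0}" = "1" ]; then
        oci "$@"
    else
        printf 'oci'
        printf " '%s'" "$@"
        printf '\n'
    fi
}

# One route rule in exactly the shape --route-rules expects.
#   $1 networkEntityId   $2 destination CIDR   $3 description
route_rule_json() {
    printf '{"networkEntityId":"%s","destinationType":"CIDR_BLOCK","destination":"%s","description":"%s"}' \
        "$1" "$2" "$3"
}

# Guard for route tables that private subnets will use: the target must be a
# NAT gateway, DRG or LPG, never an internet gateway. OCIDs carry the resource
# type in their second dot-separated field, so the check can be made from the
# OCID alone. Returns 0 when the target is acceptable for a private table.
private_target_ok() {
    case "$1" in
        ocid1.natgateway.*|ocid1.drg.*|ocid1.localpeeringgateway.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a route table holding a single rule.
#   $1 VCN OCID  $2 display name  $3 target OCID  $4 destination
#   $5 description  $6 "private" or "public"
create_route_table() {
    if [ "$6" = "private" ] && ! private_target_ok "$3"; then
        echo "refusing: $3 is not a valid target for private route table $2" >&2
        return 1
    fi
    run_oci network route-table create \
        --compartment-id "$COMPARTMENT_ID" --vcn-id "$1" --display-name "$2" \
        --route-rules "[$(route_rule_json "$3" "$4" "$5")]"
}

# The resources from this page, in order. ocid1.routetable.default_rt_id is a
# constructed placeholder for the OCID of the VCN's default route table.
provision() {
    vcn_id="ocid1.vcn.oke_vcn_id"
    run_oci network vcn create --compartment-id "$COMPARTMENT_ID" \
        --display-name oketest-vcn --cidr-blocks "[\"$VCN_CIDR\"]" --dns-label oketest
    # vcn_private: the default route table, renamed and left without rules.
    run_oci network route-table update --rt-id ocid1.routetable.default_rt_id \
        --display-name vcn_private --route-rules '[]' --force
    create_route_table "$vcn_id" nat_private ocid1.natgateway.PLACEHOLDER \
        0.0.0.0/0 "NAT private route rule" private
    create_route_table "$vcn_id" lpg_rt ocid1.localpeeringgateway.PLACEHOLDER \
        CIDR_for_the_second_VCN "LPG private route rule" private
    create_route_table "$vcn_id" drg_rt ocid1.drg.PLACEHOLDER \
        0.0.0.0/0 "DRG private route rule" private
    create_route_table "$vcn_id" public ocid1.internetgateway.PLACEHOLDER \
        0.0.0.0/0 "OKE public route rule" public
}

if [ "${1:-}" = "provision" ]; then
    provision
fi
```

Run it as `sh create-vcn.sh provision` to see the commands, then again with `OKE_APPLY=1` once the placeholders are filled in. The "private" or "public" argument to create_route_table is what turns the table's intended use into an enforced constraint rather than a naming convention.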

Modify the VCN Default Security List

To modify a security list, see Updating a Security List. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

Delete all the default rules, then create the rules shown in the following table.

Compute Cloud@Customer Console property:

  • Name: Default

One egress security rule:

  • Stateless: clear the box

  • Egress CIDR: 0.0.0.0/0

  • IP Protocol: All protocols

  • Description: "Allow all outgoing traffic."

Three ingress security rules:

Ingress Rule 1

  • Stateless: clear the box

  • Ingress CIDR: vcn_cidr

  • IP Protocol: ICMP

    • Parameter Type: 8: Echo

  • Description: "Allow ping from VCN."

Ingress Rule 2

  • Stateless: clear the box

  • Ingress CIDR: 0.0.0.0/0

  • IP Protocol: ICMP

    • Parameter Type: 3: Destination Unreachable

  • Description: "Blocks incoming requests from any source."

Ingress Rule 3

  • Stateless: clear the box

  • Ingress CIDR: 0.0.0.0/0

  • IP Protocol: ICMP

    • Parameter Type: 11: Time Exceeded

  • Description: "Time exceeded."

CLI property:

  • --security-list-id: ocid1.securitylist.default_securitylist_id

One egress security rule (--egress-security-rules):

  • isStateless: false

  • destination: 0.0.0.0/0

  • destinationType: CIDR_BLOCK

  • protocol: all

  • description: "Allow all outgoing traffic."

Three ingress security rules (--ingress-security-rules):

Ingress Rule 1

  • isStateless: false

  • source: vcn_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 1

  • icmpOptions:

    • type: 8

  • description: "Allow ping from VCN."

Ingress Rule 2

  • isStateless: false

  • source: 0.0.0.0/0

  • sourceType: CIDR_BLOCK

  • protocol: 1

  • icmpOptions:

    • type: 3

  • description: "Blocks incoming requests from any source."

Ingress Rule 3

  • isStateless: false

  • source: 0.0.0.0/0

  • sourceType: CIDR_BLOCK

  • protocol: 1

  • icmpOptions:

    • type: 11

  • description: "Time exceeded."

Note the name and OCID of this default security list for assignment to subnets.
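After the edit above, the default security list holds exactly one egress rule and three ICMP ingress rules. The script below is an added example written for this page, not Oracle's code: it renders those rules as the JSON that `--egress-security-rules` and `--ingress-security-rules` take, encodes the resulting inbound posture in a small policy function (ICMP types 3 and 11 from anywhere, echo requests only from vcn_cidr, no other ingress), and refuses to render any ingress rule that falls outside it, so a later edit to the script cannot quietly widen the default list. The `oci network security-list update` call is printed unless OKE_APPLY=1 is set. vcn_cidr and ocid1.securitylist.default_securitylist_id are the page's own placeholders; the policy function is this editor's reading of the three rules, not an Oracle API.

```bash
#!/bin/sh
# Added example, not part of the Oracle documentation: render the default
# security list rules from this page as the JSON --egress-security-rules and
# --ingress-security-rules expect, checking each ingress rule against the
# posture those rules establish before it is sent. vcn_cidr and
# ocid1.securitylist.default_securitylist_id are the page's own placeholders.
set -eu

VCN_CIDR="${VCN_CIDR:-vcn_cidr}"
SECLIST_ID="${SECLIST_ID:-ocid1.securitylist.default_securitylist_id}"

# Dry run by default: print the command. Set OKE_APPLY=1 to really call oci.
run_oci() {
    if [ "${OKE_APPLY:-0}" = "1" ]; then
        oci "$@"
    else
        printf 'oci'
        printf " '%s'" "$@"
        printf '\n'
    fi
}

# Policy encoded by the three ingress rules on this page: ICMP only; types 3
# (destination unreachable) and 11 (time exceeded) may arrive from anywhere,
# type 8 (echo request) only from inside the VCN; nothing else gets in.
#   $1 protocol ("1" ICMP, "6" TCP, "17" UDP, "all")
#   $2 source CIDR   $3 ICMP type (a port or 0 for other protocols)
ingress_rule_allowed() {
    case "$1" in
        1)
            case "${3:-}" in
                3|11) return 0 ;;
                8) [ "$2" = "$VCN_CIDR" ] ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# One stateful ICMP ingress rule, checked against the policy first.
#   $1 source CIDR   $2 ICMP type   $3 description
icmp_ingress_json() {
    if ! ingress_rule_allowed 1 "$1" "$2"; then
        echo "refusing: ICMP type $2 from $1 is outside the default security list policy" >&2
        return 1
    fi
    printf '{"isStateless":false,"source":"%s","sourceType":"CIDR_BLOCK","protocol":"1","icmpOptions":{"type":%s},"description":"%s"}' \
        "$1" "$2" "$3"
}

# The single egress rule: all protocols to anywhere, stateful.
egress_rules_json() {
    printf '[{"isStateless":false,"destination":"0.0.0.0/0","destinationType":"CIDR_BLOCK","protocol":"all","description":"Allow all outgoing traffic."}]'
}

# The three ingress rules from the page as one JSON array.
ingress_rules_json() {
    printf '[%s,%s,%s]' \
        "$(icmp_ingress_json "$VCN_CIDR" 8 'Allow ping from VCN.')" \
        "$(icmp_ingress_json 0.0.0.0/0 3 'Blocks incoming requests from any source.')" \
        "$(icmp_ingress_json 0.0.0.0/0 11 'Time exceeded.')"
}

# Replace the default rules wholesale (the page says to delete them first);
# --force skips the CLI's confirmation prompt for the complex JSON parameters.
apply_default_security_list() {
    run_oci network security-list update --security-list-id "$SECLIST_ID" \
        --egress-security-rules "$(egress_rules_json)" \
        --ingress-security-rules "$(ingress_rules_json)" --force
}

if [ "${1:-}" = "apply" ]; then
    apply_default_security_list
fi
```

Because `security-list update` replaces the rule arrays rather than appending to them, sending the three ICMP rules also accomplishes the "delete all the default rules" step. Keep any per-subnet allowances (worker, control plane, load balancer ports) in the subnet security lists described in the later sections rather than loosening the policy function here.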

What's Next:

Creating a Worker Subnet (Flannel Overlay)