Oracle Cloud Infrastructure Documentation

Creating a VCN (VCN-Native Pod)

Learn how to create a VCN-Native Pod Networking VCN on Compute Cloud@Customer.

Create the following resources in the order listed:

  1. VCN

  2. Route rules

    • Public clusters:

      • Internet gateway and a route table with a route rule that references that internet gateway.

      • NAT gateway and a route table with a route rule that references that NAT gateway.

    • Private clusters:

      • Route table with no route rules.

      • (Optional) Dynamic Routing Gateway (DRG), attach the OKE VCN to that DRG, and create a route table with a route rule that references that DRG. See Private Clusters.

      • (Optional) Local Peering Gateway (LPG) and a route table with a route rule that references that LPG. See Private Clusters.

  3. Security list. Modify the VCN default security list

Resource names and CIDR blocks are example values.

VCN

To create the VCN, use the instructions inCreating a VCN. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

For this example, use the following input to create the VCN. The VCN covers one contiguous CIDR block. The CIDR block can't be changed after the VCN is created.

Console property

CLI property

  • Name: oketest-vcn

  • CIDR Block: vcn_cidr

  • DNS Label: oketest

    This label must be unique across all VCNs in the tenancy.

  • --display-name: oketest-vcn

  • --cidr-blocks: '["vcn_cidr"]'

  • --dns-label: oketest

    This label must be unique across all VCNs in the tenancy.

Note the OCID of the new VCN. In the examples in this guide, this VCN OCID is ocid1.vcn.oke_vcn_id.

Next Steps

  • Public internet access. For traffic on a public subnet that connects to the internet using public IP addresses, create an internet gateway and a route rule that references that internet gateway.

  • Private internet access. For traffic on a private subnet that needs to connect to the internet without exposing private IP addresses, create a NAT gateway and a route rule that references that NAT gateway.

  • VCN-only access. To restrict communication to only other resources on the same VCN, use the default route table, which has no route rules.

  • Instances in another VCN. To enable communication between the cluster and an instance running on a different VCN, create a Local Peering Gateway (LPG) and a route rule that references that LPG.

  • Data center IP address space. To enable communication between the cluster and the on-premises network IP address space, create a Dynamic Routing Gateway (DRG) and a route rule that references that DRG.

VCN Private Route Table

Edit the default route table that was created when you created the VCN. Change the name of the route table to vcn_private. This route table does not have any route rules. Do not add any route rules.

NAT Private Route Table

Create a NAT gateway and a route table with a route rule that references the NAT gateway.

NAT Gateway

To create the NAT gateway, use the instructions in Enabling Public Connections through a NAT Gateway. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

Note the name and OCID of the NAT gateway for assignment to the private route rule.

Private Route Rule

Create a route table. See Creating a Route Table. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

For this example, use the following input to create the route table with a private route rule that references the NAT gateway that was created in the preceding step.

Console property

CLI property

  • Name: nat_private

Route rule

  • Target Type: NAT Gateway

  • NAT Gateway: Name of the NAT gateway that was created in the preceding step

  • CIDR Block: 0.0.0.0/0

  • Description: NAT private route rule

  • --display-name: nat_private

--route-rules

  • networkEntityId: OCID of the NAT gateway that was created in the preceding step

  • destinationType: CIDR_BLOCK

  • destination: 0.0.0.0/0

  • description: NAT private route rule

Note the name and OCID of this route table for assignment to private subnets.

Local Peering Gateway

Create a Local Peering gateway (LPG) and a route table with a route rule that references the LPG.

Local Peering Gateway

Create the LPG. See Connecting VCNs through a Local Peering Gateway (LPG).

Note the name and OCID of the LPG for assignment to the private route rule.

Private Route Rule

Create a route table. See Creating a Route Table.

For this example, use the following input to create the route table with a private route rule that references the LPG that was created in the preceding step.

Console property

CLI property

  • Name: lpg_rt

Route rule

  • Target Type: Local Peering Gateway

  • Local Peering Gateway: Name of the LPG that was created in the preceding step

  • CIDR Block: CIDR_for_the_second_VCN

  • Description: LPG private route rule

  • --display-name: lpg_rt

--route-rules

  • networkEntityId: OCID of the LPG that was created in the preceding step

  • destinationType: CIDR_BLOCK

  • destination: CIDR_for_the_second_VCN

  • description: LPG private route rule

Note the name and OCID of this route table for assignment to the "control-plane-endpoint" subnet (Creating a Control Plane Load Balancer Subnet (VCN-Native Pod)).

Add the same route rule on the second VCN (the peered VCN), specifying the OKE VCN CIDR as the destination.

Dynamic Routing Gateway

Create a Dynamic Routing gateway (DRG) and a route table with a route rule that references the DRG.

Dynamic Routing Gateway

Create the DRG and attach the OKE VCN to that DRG. See Connecting to the On-Premises Network through a Dynamic Routing Gateway (DRG). Create the DRG in the OKE VCN compartment, and then attach the OKE VCN to that DRG.

Note the name and OCID of the DRG for assignment to the private route rule.

Private Route Rule

Create a route table. See Creating a Route Table.

For this example, use the following input to create the route table with a private route rule that references the DRG that was created in the preceding step.

Console property

CLI property

  • Name: drg_rt

Route rule

  • Target Type: Dynamic Routing Gateway

  • Dynamic Routing: Name of the DRG that was created in the preceding step

  • CIDR Block: 0.0.0.0/0

  • Description: DRG private route rule

  • --display-name: drg_rt

--route-rules

  • networkEntityId: OCID of the DRG that was created in the preceding step

  • destinationType: CIDR_BLOCK

  • destination: 0.0.0.0/0

  • description: DRG private route rule

Note the name and OCID of this route table for assignment to the "control-plane-endpoint" subnet (Creating a Control Plane Load Balancer Subnet (VCN-Native Pod)).

Public Route Table

Create an Internet gateway and a route table with a route rule that references the Internet gateway.

Internet Gateway

To create the internet gateway, use the instructions in Configuring an Internet Gateway. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

Note the name and OCID of the internet gateway for assignment to the public route rule.

Public Route Rule

To create a route table, use the instructions in Creating a Route Table. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

For this example, use the following input to create the route table with a public route rule that references the internet gateway that was created in the preceding step.

Console property

CLI property

  • Name: public

Route rule

  • Target Type: Internet Gateway

  • Internet Gateway: Name of the internet gateway that was created in the preceding step

  • CIDR Block: 0.0.0.0/0

  • Description: OKE public route rule

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: public

--route-rules

  • networkEntityId: OCID of the internet gateway that was created in the preceding step

  • destinationType: CIDR_BLOCK

  • destination: 0.0.0.0/0

  • description: OKE public route rule

Note the name and OCID of this route table for assignment to public subnets.

VCN Default Security List

Modify the default security list, using the input shown in the following table. Delete all of the default rules and create the rules shown in the following table.

To modify a security list, use the instructions in Updating a Security List. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

Console property

CLI property

  • Name: Default

--security-list-id: ocid1.securitylist.default_securitylist_id

One egress security rule:

  • Stateless: clear the box

  • Egress CIDR: 0.0.0.0/0

  • IP Protocol: All protocols

  • Description: "Allow all outgoing traffic."

One egress security rule:

--egress-security-rules

  • isStateless: false

  • destination: 0.0.0.0/0

  • destinationType: CIDR_BLOCK

  • protocol: all

  • description: "Allow all outgoing traffic."

Three ingress security rules:

Three ingress security rules:

--ingress-security-rules

Ingress Rule 1

  • Stateless: clear the box

  • Ingress CIDR: vcn_cidr

  • IP Protocol: ICMP

    • Parameter Type: 8: Echo

  • Description: "Allow ping from VCN."

Ingress Rule 1

  • isStateless: false

  • source: vcn_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 1

  • icmpOptions

    • type: 8

  • description: "Allow ping from VCN."

Ingress Rule 2

  • Stateless: clear the box

  • Ingress CIDR: 0.0.0.0/0

  • IP Protocol: ICMP

    • Parameter Type: 3: Destination Unreachable

  • Description: "Blocks incoming requests from any source."

Ingress Rule 2

  • isStateless: false

  • source: 0.0.0.0/0

  • sourceType: CIDR_BLOCK

  • protocol: 1

  • icmpOptions

    • type: 3

  • description: "Blocks incoming requests from any source."

Ingress Rule 3

  • Stateless: clear the box

  • Ingress CIDR: 0.0.0.0/0

  • IP Protocol: ICMP

    • Parameter Type: 11: Time Exceeded

  • Description: "Time exceeded."

Ingress Rule 3

  • isStateless: false

  • source: 0.0.0.0/0

  • sourceType: CIDR_BLOCK

  • protocol: 1

  • icmpOptions

    • type: 11

  • description: "Time exceeded."

Note the name and OCID of this default security list for assignment to subnets.