OCI Networking Series: Part 1 – Basics of VCN, Subnets & Gateways



🎯 Objective: Laying the Foundation

Networking is the backbone of every cloud deployment. In Oracle Cloud Infrastructure (OCI), it determines how your applications communicate securely, efficiently, and reliably across regions, data centers, and the internet.

This blog sets the foundation for our series by introducing the core networking concepts, building blocks, and design principles in OCI. Whether you are preparing for the OCI Networking Professional certification or designing enterprise-grade architectures, understanding these fundamentals is key.

🌍 What are Regions and Availability Domains?

In OCI, resources are organized geographically and logically to deliver high availability and fault tolerance:

Region → A localized geographic area such as Mumbai, Ashburn, or Frankfurt. Each region contains one or more Availability Domains (ADs).

Availability Domain (AD) → An isolated data center within a region with independent power and cooling. Multiple ADs ensure resiliency against data center failures.

Fault Domain (FD) → A logical grouping of hardware within an AD, comparable to a set of racks. Spreading instances across FDs protects a workload against a single rack-level failure.



🚀 Why Networking is the Backbone of OCI Deployments


Every workload in OCI — whether a database, containerized app, or analytics pipeline — relies on networking for:

Connectivity → Enabling secure communication within and outside OCI.
Scalability → Handling increasing workloads across subnets, regions, and clouds.
Security → Controlling inbound and outbound traffic with precise policies.
High Availability → Ensuring redundant paths and fault domain isolation.



🧩 Key OCI Networking Building Blocks


1. Virtual Cloud Network (VCN) :- 
Think of a VCN as your private data center in the cloud. Fully customizable with your own CIDR blocks. It can span all Availability Domains in a region.

2. Subnets :-
Logical subdivisions of a VCN. Public subnets → Resources with public IPs, reachable through an Internet Gateway. Private subnets → Resources with private IPs only, usually backend systems. Subnets are regional by default, but can be made AD-specific depending on requirements and design.

3. Route Tables :- 
Define how traffic leaves a subnet.
Common targets: Internet Gateway (IGW), NAT Gateway, Service Gateway, DRG (Dynamic Routing Gateway)

4. Security Lists & Network Security Groups (NSGs) :- 
Security Lists: Operate at subnet level, like traditional firewalls.
NSGs: Operate at VNIC/instance level, offering micro-segmentation.
Both define stateless/stateful ingress & egress rules.

5. Dynamic Routing Gateway (DRG) :-
The bridge between your VCN and external networks. Supports IPSec VPN, FastConnect, and VCN-to-VCN connectivity. Enables hybrid and multi-VCN architectures.

6. Internet Gateway (IGW) :-
Provides bi-directional connectivity between the VCN and the internet. Required for public-facing workloads such as web servers.

7. NAT Gateway :- 
Provides outbound internet access for resources in private subnets. Connections initiated from the internet are not allowed, which keeps those resources unexposed. Ideal for patching/updates of backend servers.

8. Service Gateway :-
Enables private access to Oracle Services Network (OSN) such as Object Storage. Keeps traffic inside Oracle’s private backbone (never traverses public internet).
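To make the building blocks above concrete, here is an added Python example (written for this post, not Oracle's code or tooling) that models a VCN with one public and one private subnet, validates the subnet CIDRs, resolves the next hop for a destination the way a route table does (implicit local route first, then longest-prefix match over the subnet's rules) and applies two design checks: a private subnet must not route to an Internet Gateway, and a public subnet needs one. All addresses, subnet names and gateway names are constructed placeholders; in particular the Oracle Services Network CIDR is a stand-in, since the real per-region value comes from `oci network service list`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample design, not a real tenancy: gateways are named by role
# instead of OCIDs, and the Oracle Services Network CIDR is a placeholder
# (the real per-region value comes from `oci network service list`).
IGW, NAT, SGW, LOCAL = "internet-gateway", "nat-gateway", "service-gateway", "local"
VCN_CIDR = ipaddress.ip_network("10.0.0.0/16")
OSN_CIDR = ipaddress.ip_network("192.0.2.0/24")   # placeholder (RFC 5737 range)


@dataclass
class Subnet:
    name: str
    cidr: ipaddress.IPv4Network
    public: bool                                           # False ~ "prohibit public IP on VNIC"
    route_rules: List[Tuple[ipaddress.IPv4Network, str]]   # (destination, target gateway)


def validate_subnets(vcn, subnets):
    """Each subnet CIDR must lie inside the VCN CIDR and not overlap another subnet."""
    problems = []
    for s in subnets:
        if not s.cidr.subnet_of(vcn):
            problems.append(f"{s.name}: {s.cidr} is outside VCN {vcn}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.cidr.overlaps(b.cidr):
                problems.append(f"{a.name} and {b.name} overlap ({a.cidr} / {b.cidr})")
    return problems


def next_hop(vcn, subnet, dst) -> Optional[str]:
    """Resolve where a packet leaving `subnet` for `dst` is sent.

    Traffic to the VCN's own CIDR uses the implicit local route and never
    reaches a gateway; everything else is longest-prefix matched against the
    subnet's route table. None means no route exists and the packet is dropped.
    """
    dst = ipaddress.ip_address(dst)
    if dst in vcn:
        return LOCAL
    best = None
    for net, target in subnet.route_rules:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def lint_design(vcn, subnets):
    """Checks for the public/private subnet pattern described in the post."""
    findings = validate_subnets(vcn, subnets)
    for s in subnets:
        targets = {target for _, target in s.route_rules}
        if not s.public and IGW in targets:
            findings.append(f"{s.name}: private subnet has a route to an Internet Gateway")
        if s.public and IGW not in targets:
            findings.append(f"{s.name}: public subnet has no route to an Internet Gateway")
    return findings


# Sample layout: a public web/bastion subnet and a private backend subnet whose
# default route goes to the NAT Gateway and whose OSN traffic uses the Service Gateway.
PUBLIC_SUBNET = Subnet("public-subnet", ipaddress.ip_network("10.0.0.0/24"), True,
                       [(ipaddress.ip_network("0.0.0.0/0"), IGW)])
PRIVATE_SUBNET = Subnet("private-subnet", ipaddress.ip_network("10.0.1.0/24"), False,
                        [(ipaddress.ip_network("0.0.0.0/0"), NAT), (OSN_CIDR, SGW)])
DESIGN = [PUBLIC_SUBNET, PRIVATE_SUBNET]

if __name__ == "__main__":
    print("design findings:", lint_design(VCN_CIDR, DESIGN) or "none")
    for subnet in DESIGN:
        for dst in ("10.0.0.7", "203.0.113.5", "192.0.2.10"):
            print(f"{subnet.name} -> {dst}: {next_hop(VCN_CIDR, subnet, dst)}")
```

The private subnet carries both a default route to the NAT Gateway and a more specific route to the Service Gateway, so Object Storage traffic (here the placeholder 192.0.2.0/24) stays on Oracle's backbone while general outbound traffic goes through NAT; the lint catches the common mistake of giving a private subnet an Internet Gateway route.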


The diagram below shows the gateways in OCI.




🗺️ Regional vs AD-Specific Resources


Understanding whether a resource is regional or AD-specific is crucial when planning networking and workloads.

🔹 Regional Resources (span the whole region)

VCN
Subnets
DRG, LPG (Local Peering Gateway)
IGW, NAT Gateway, Service Gateway
Route Tables, Security Lists, NSGs
Load Balancers (regional by default)


🔹 AD-Specific Resources (bound to a single Availability Domain)

Compute Instances (VMs, Bare Metal, GPU)
Block Volumes (though they can be backed up/replicated across ADs)
File Storage Systems (FSS)
Exadata & other dedicated infrastructure services


🔐 Shared Responsibility Model for OCI Networking


Security and networking in OCI follow a shared responsibility model:

Oracle Responsibility: Securing the physical network, backbone, and global edge infrastructure.

Customer Responsibility: Designing VCNs, configuring gateways, defining firewall rules (NSGs/Security Lists), and managing routing.


🏁 Conclusion – Get Hands-On with OCI Networking

Understanding the theory is only the first step. The real learning begins when you start building and experimenting in your own tenancy. The good news is that most of the networking services in OCI can be explored using the Always Free Tier.

Here’s what you can try:

  • Create your first VCN (manually, not via the wizard) with both public and private subnets.

  • Attach an Internet Gateway and launch a small Compute instance in a public subnet → test access via SSH.

  • Use a NAT Gateway for a private subnet VM → verify outbound internet access without exposing a public IP.

  • Connect to Object Storage privately using a Service Gateway.

  • Experiment with NSGs vs Security Lists → try controlling access to your compute instance with different firewall rules.

  • Explore the OCI Console VCN Wizard → it auto-provisions a VCN, subnets, route tables, and gateways in minutes.

See the Oracle documentation for step-by-step instructions for each of these exercises.

By the end of this hands-on practice, you’ll have a working network in OCI and a solid understanding of how traffic flows between your resources. 
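The stateful/stateless distinction from item 4 of the building blocks, and the NSG-versus-Security-List experiment in the list above, are easier to reason about with a small rule evaluator. The following Python block is an added example written for this post, not Oracle's code or tooling. The rule sets, the 10.0.0.0/16 VCN and the client/server addresses (RFC 5737 documentation ranges) are constructed, and the model is deliberately reduced to three facts the post states: a VNIC is governed by the union of its subnet's security lists and the NSGs it belongs to, a stateful match lets connection tracking admit the reply, and a stateless match covers only the packets it names, so the reply needs its own rule in the opposite direction.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example rules and addresses; nothing here is a real tenancy's configuration.


@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    protocol: str                       # "tcp", "udp", "icmp" or "all"
    cidr: str                           # source (ingress) or destination (egress)
    ports: Optional[Tuple[int, int]]    # destination port range, None = all ports
    stateful: bool = True               # False = stateless rule


def matches(rule, direction, protocol, remote_ip, dst_port):
    """Does one rule cover a single packet described by these fields?"""
    return (rule.direction == direction
            and rule.protocol in ("all", protocol)
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)
            and (rule.ports is None or rule.ports[0] <= dst_port <= rule.ports[1]))


def connection_allowed(rules, direction, protocol, remote_ip, dst_port, reply_dst_port):
    """True if a new connection AND its reply traffic are both permitted.

    A stateful match lets connection tracking admit the reply with no extra rule.
    A stateless match covers only the packets it names, so the reply must itself
    match a rule in the opposite direction, keyed on the reply's destination port.
    Simplification: the samples never mix stateful and stateless rules for the
    same flow, so precedence between the two kinds is not modelled here.
    """
    hits = [r for r in rules if matches(r, direction, protocol, remote_ip, dst_port)]
    if not hits:
        return False
    if any(r.stateful for r in hits):
        return True
    back = "egress" if direction == "ingress" else "ingress"
    return any(matches(r, back, protocol, remote_ip, reply_dst_port) for r in rules)


def effective_rules(security_lists: List[List[Rule]], nsgs: List[List[Rule]]):
    """A VNIC is governed by the union of its subnet's security lists and the NSGs
    it is a member of; traffic passes if any rule in that union allows it."""
    return [r for group in (*security_lists, *nsgs) for r in group]


# Subnet-level security list for the public subnet: stateful egress anywhere.
PUBLIC_SECLIST = [Rule("egress", "all", "0.0.0.0/0", None)]
# NSG attached only to the bastion/web VNIC: SSH from the admin range (micro-segmentation).
ADMIN_NSG = [Rule("ingress", "tcp", "203.0.113.0/24", (22, 22))]
# Private subnet: egress anywhere (leaves via the NAT Gateway), ingress only from inside the VCN.
PRIVATE_SECLIST = [Rule("egress", "all", "0.0.0.0/0", None),
                   Rule("ingress", "all", "10.0.0.0/16", None)]
# Stateless variant of the SSH rule, first alone and then paired with its return rule.
STATELESS_SSH_ONLY = [Rule("ingress", "tcp", "203.0.113.0/24", (22, 22), stateful=False)]
STATELESS_SSH_PAIR = STATELESS_SSH_ONLY + [
    Rule("egress", "tcp", "203.0.113.0/24", (1024, 65535), stateful=False)]

EPHEMERAL_PORT = 51000   # constructed client-side port used for the reply direction


def public_instance_ssh(client_ip):
    rules = effective_rules([PUBLIC_SECLIST], [ADMIN_NSG])
    return connection_allowed(rules, "ingress", "tcp", client_ip, 22, EPHEMERAL_PORT)


def private_instance_outbound(server_ip):
    rules = effective_rules([PRIVATE_SECLIST], [])
    return connection_allowed(rules, "egress", "tcp", server_ip, 443, EPHEMERAL_PORT)


def private_instance_inbound(client_ip):
    rules = effective_rules([PRIVATE_SECLIST], [])
    return connection_allowed(rules, "ingress", "tcp", client_ip, 22, EPHEMERAL_PORT)


def stateless_ssh(rules):
    return connection_allowed(rules, "ingress", "tcp", "203.0.113.10", 22, EPHEMERAL_PORT)


if __name__ == "__main__":
    print("SSH from admin range to public instance:", public_instance_ssh("203.0.113.10"))
    print("SSH from elsewhere to public instance:  ", public_instance_ssh("198.51.100.10"))
    print("private VM to HTTPS server on internet: ", private_instance_outbound("198.51.100.20"))
    print("internet host to private VM:            ", private_instance_inbound("198.51.100.20"))
    print("stateless SSH rule alone:               ", stateless_ssh(STATELESS_SSH_ONLY))
    print("stateless SSH rule + return rule:       ", stateless_ssh(STATELESS_SSH_PAIR))
```

The last two cases are the practical difference when you switch a rule from stateful to stateless: the same ingress rule that worked on its own now silently breaks SSH until a matching egress rule for the reply packets is added.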





