When you create your VCN (Virtual Cloud Network) in Oracle Cloud Infrastructure to get a virtual network for your compute servers, you then create subnets under the VCN. Each subnet takes a part of the CIDR block you allocated to the VCN.
If you are not familiar with VCNs, a good place to start is the VCN FAQ:
https://cloud.oracle.com/en_US/bare-metal-network/vcn/faq
So for example your VCN is the CIDR block 172.30.0.0/16 (65,536 IPs) and you create a subnet under it with 172.30.1.0/24 (256 IPs). Oracle reserves the first two IPs and the last IP of each subnet for its own use.
Either your instances face the public internet, or you keep them private so that only you can access them, for example through your corporate network.
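As an added example (not from the original post), a short Python check that a planned set of subnets fits inside the VCN CIDR without overlapping and reports the address range actually left for instances once OCI's three reserved addresses are taken out. The VCN and first subnet CIDRs are the post's; the second subnet 172.30.2.0/24 is an assumption.

```python
import ipaddress

# OCI reserves the first two addresses and the last address of every subnet.
OCI_RESERVED_PER_SUBNET = 3


def plan_subnets(vcn_cidr, subnet_cidrs):
    """Check that each subnet lies inside the VCN and that none overlap, then
    report the addresses available to instances in each subnet.
    Returns {subnet_cidr: {"usable": n, "first": ip, "last": ip}}."""
    vcn = ipaddress.ip_network(vcn_cidr)
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vcn):
            raise ValueError(f"{s} is not inside VCN {vcn}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    plan = {}
    for s in subnets:
        usable = s.num_addresses - OCI_RESERVED_PER_SUBNET
        if usable < 1:
            raise ValueError(f"{s} leaves no usable address after reservation")
        plan[str(s)] = {
            "usable": usable,
            # network address and the one after it are reserved: +2 is the first free
            "first": str(s.network_address + 2),
            # the last address of the block is reserved: -1 is the last free
            "last": str(s.broadcast_address - 1),
        }
    return plan


if __name__ == "__main__":
    # VCN from the post; the private subnet CIDR is an assumption (private1 is 172.30.2.2)
    for cidr, info in plan_subnets("172.30.0.0/16", ["172.30.1.0/24", "172.30.2.0/24"]).items():
        print(cidr, info)
```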
What do I need for my subnets?
If you need both public and private instances, create a subnet for each: one that can be accessed from the internet and one that cannot.
For the public subnet you can allocate a public IP address to your server (actually to its network interface). The server needs a public IP, a security list rule that allows traffic to the specific ports, and an Internet gateway referenced by the route table assigned to the public subnet.
For the private subnet we don't add a public IP or an Internet gateway to the route table. In fact, when you create a subnet and mark it private, no public IP addresses can be allocated in that subnet.
With OCI you don't need to add the VCN's CIDR block to the route table: if the security lists allow it, servers in subnets of the same VCN automatically have a route to each other. This is different from AWS!
The image below shows that I have used the default VCN route table for my subnets and that it has the Internet gateway assigned.
If I don't specify a route table when creating a subnet, the default route table is assigned to it. After that you can't change the subnet's route table to another one! You can, however, modify the routes in the existing route table.
So if you share a route table between multiple subnets, this can become an issue!
Now I have two subnets, public and private. Both have the default route table assigned, which has a route to the Internet gateway. I also have a security list that allows SSH traffic inside my subnets.
If I wanted to access my private or public subnet from the corporate network, I would need to add a route to a dynamic routing gateway (DRG) that has a VPN tunnel to my corporate network.
Accessing your subnets
I also have two VMs: one in the public subnet (public1) and one in the private subnet (private1).
As you can see, one has a public IP address and the other does not, and they belong to different subnets.
During VM creation I created an SSH key that I will use to access both my public and private VM. When logging in I use the default VM user opc and supply the private key file I created.
[simo@mylinux ~] ssh opc@130.1.1.1 -i s1.ppk
Last login: Wed Feb 14 09:54:46 2018 from
[opc@public1 ~]$
That's it, I can access my public VM fine. Now if I need to access my private VM, I can use my public VM as a jump server.
This is something you need to think about when designing your network: how will you access your private subnets, and how will they access the internet (to download packages etc.)? Jump servers and NAT gateways are options in these cases.
As I mentioned earlier, subnets within a VCN don't need a route to each other, so I should be able to access my private VM from my public VM without modifying the route table. Let's test!
[opc@public1 ~]$ ssh opc@172.30.2.2 -i s1.ppk
Last login: Wed Feb 14 10:12:44 2018 from 172.30.1.2
[opc@private1 ~]$
Works smoothly! To summarize: you need to decide which servers go in the public subnet and which in the private subnet. Also think about NAT gateways for internet access from your private subnet. In my example, even though the same Internet gateway is assigned to both subnets, I can't access the internet from my private VM.
Oracle doesn't offer a NAT gateway as a service yet; instead you need to create your own NAT instance in the public subnet and route the private subnet's traffic to the internet through that NAT instance.
A good example of deploying a NAT instance with Terraform:
After playing around I want to remove my subnets so they aren't left behind with no further use. Remember that subnets must be empty before you delete them!
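The rules the post has walked through (public IP plus Internet gateway route for internet access, security lists as the only gate inside a VCN, and the shared IGW route doing nothing for a private VM) as an added Python model, not code from the original post. Subnet CIDRs, the 130.1.1.1 public IP and the instance addresses follow the post; the private subnet CIDR and the exact security list rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Subnet:
    name: str
    cidr: str
    route_to_igw: bool  # route table carries 0.0.0.0/0 -> Internet gateway
    # security list ingress rules as (source CIDR, TCP port); constructed for the demo
    ingress: List[Tuple[str, int]] = field(default_factory=list)

    def allows(self, src_ip: str, port: int) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return any(p == port and ip in ipaddress.ip_network(c) for c, p in self.ingress)

    def allows_internet(self, port: int) -> bool:
        return any(p == port and c == "0.0.0.0/0" for c, p in self.ingress)


@dataclass
class Instance:
    name: str
    subnet: Subnet
    private_ip: str
    public_ip: Optional[str] = None  # None for a VM in a private subnet


def instance_to_internet(inst: Instance) -> bool:
    # Outbound needs a public IP *and* the IGW route; the shared IGW route alone
    # does nothing for a VM without a public IP (the post's private1 case).
    return inst.public_ip is not None and inst.subnet.route_to_igw


def internet_to_instance(inst: Instance, port: int = 22) -> bool:
    # Inbound additionally needs a security list rule admitting 0.0.0.0/0 on the port.
    return instance_to_internet(inst) and inst.subnet.allows_internet(port)


def intra_vcn(src: Instance, dst: Instance, port: int = 22) -> bool:
    # Inside one VCN no route rule is needed (unlike AWS); only the destination
    # subnet's security list decides. Both instances are assumed to be in the same VCN.
    return dst.subnet.allows(src.private_ip, port)


SSH = 22
# Constructed scenario mirroring the post: both subnets share the default route table
# with the IGW route; SSH is allowed from inside the VCN and, on public, from anywhere.
public_sn = Subnet("public", "172.30.1.0/24", True, [("0.0.0.0/0", SSH), ("172.30.0.0/16", SSH)])
private_sn = Subnet("private", "172.30.2.0/24", True, [("172.30.0.0/16", SSH)])
public1 = Instance("public1", public_sn, "172.30.1.2", public_ip="130.1.1.1")
private1 = Instance("private1", private_sn, "172.30.2.2")
```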
So to connect from the private subnet to the internet, is a NAT gateway created in the public subnet, or a DRG?
If you have an instance in a private subnet, you need to create the NAT host in the public subnet and then use it as the route for the instance in the private subnet.
A good explanation is also here, with a slightly more complex setup for HA NAT: https://cloud.oracle.com/iaas/whitepapers/nat_instance_configuration.pdf
Thanks, got it.
Hi,
How do we connect from on-premises to the private subnet servers? Is this using the DRG VPN or FastConnect options only?
Yes, or you can set up a public subnet with a jump server that you use to connect to the private subnet. Just allow connections from the public subnet's private CIDR block in your security lists or NSGs.
I have two regional subnets, one public and one private. The public subnet has a public load balancer in it, and I have a couple of VMs created in the private subnet. The LB has backends configured pointing to the private VMs in the private subnet. But this setup does not work for me. Whenever I hit the public address of the LB, I get a 502 Bad Gateway error, and the LB's health shows as Critical. If I change the private subnet into a public one, I have no issues. Do I need to configure anything specific to make the LB communicate with the private VMs? How can I resolve the issue?
Hey James, great question! Can you provision an instance in the LB subnet and see if you can access the private VM's HTTP(S) port? Could security lists be involved and blocking the access? Check whether you need to allow access from the load balancer on the compute instances.
Hi,
I have created two subnets, one private and one public, both in the same AD. But I am not able to access the private subnet from the public one. I get the error below. Not sure what the reason could be.
Warning: Identity file privateKey.ppk not accessible: No such file or directory.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Thanks,
Sushil
Hi,
I have a similar problem. I have 2 subnets in the same VCN, one public and the second private. I am trying to access the private instance from the public instance by running the commands below but I get an error.
I tried the following options but every time I get the same error; could you please guide me on where I am going wrong?
// 1) Copying the public key to the private instance (10.0.3.2)
[opc@www1 ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub opc@10.0.3.2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/opc/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[opc@www1 ~]$
// 2) Trying to access the private instance (public subnet) from the public instance (private subnet)
[opc@www1 ~]$ ssh opc@10.0.3.2 -i ~/.ssh/id_rsa
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[opc@www1 ~]$
Please suggest.
TIA
– Deven