Categories: cloud, network, OCI, Oracle

OCI network with public and private subnets

When you create your VCN (Virtual Cloud Network) in Oracle Cloud Infrastructure so that you have a virtual network for your compute servers, you then create subnets under the VCN. Each subnet takes a part of the CIDR block you have allocated for the VCN.

If you are not familiar with VCNs, a good place to start is the VCN FAQ:

https://cloud.oracle.com/en_US/bare-metal-network/vcn/faq

So for example, your VCN has the CIDR block 172.30.0.0/16 (65,536 IPs) and you create a subnet under it with 172.30.1.0/24 (256 IPs). Oracle reserves the first two IPs and the last IP of each subnet for its own use.

Either you will have instances which face the public internet, or you want to keep your instances private so that only you can access them, for example through your corporate network.

What do I need for my subnets?

If you need to create both public and private instances, then you should create a subnet for each. One subnet can be accessed from the internet and the other one cannot.

For the public subnet you can then allocate a public IP address to your server (or actually to its interface). The server will need a public IP, a security list rule which allows traffic to specific ports, and an Internet gateway which is mapped in the route table assigned to the public subnet.

For the private subnet we don’t need to add a public IP or an Internet gateway route in the route table. In fact, when you create a subnet and choose private subnet, it won’t allocate public IP addresses in that subnet.

With OCI you don’t need to add the VCN’s CIDR block to the route table; instead, if the security lists allow it, servers which belong to subnets in the same VCN automatically have a route between each other. This is different compared to AWS!

The image below shows that I have used the default VCN route table for my subnets and it has the Internet gateway assigned to it.

If I don’t specify a route table when creating a subnet, it will get the default route table. You can’t change the subnet’s route table to another one after that! However, you can modify the routes in the existing route table.

So if you share the route table between multiple subnets, this could become an issue!

Now I have two subnets – public and private. Both have the default route table assigned, which has a route to the Internet gateway. I also have a security list which allows SSH traffic inside my subnets.

If I wanted to access my private or public subnet from my corporate network, I would need to add a route to a dynamic routing gateway (DRG) which would have a VPN tunnel to my corporate network.
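As an added example (not the post's or Oracle's own code), here is the layout described above in Terraform with the OCI provider, giving each subnet its own route table so the private subnet never carries the Internet gateway route; var.compartment_id is an assumed input, and the public subnet keeps the VCN's default security list.

```hcl
resource "oci_core_vcn" "vcn" {
  compartment_id = var.compartment_id # assumed input variable (compartment OCID)
  cidr_block     = "172.30.0.0/16"
}
resource "oci_core_internet_gateway" "igw" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.vcn.id
}
resource "oci_core_route_table" "public" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.vcn.id
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.igw.id
  }
}
# Private route table: no rules. Subnets in one VCN reach each other without a route.
resource "oci_core_route_table" "private" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.vcn.id
}
# SSH only from the public (jump) subnet's CIDR; stateful, so replies need no egress rule.
resource "oci_core_security_list" "private" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.vcn.id
  ingress_security_rules {
    protocol = "6"
    source   = "172.30.1.0/24"
    tcp_options {
      min = 22
      max = 22
    }
  }
}
resource "oci_core_subnet" "public" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.vcn.id
  cidr_block     = "172.30.1.0/24"
  route_table_id = oci_core_route_table.public.id
}
resource "oci_core_subnet" "private" {
  compartment_id             = var.compartment_id
  vcn_id                     = oci_core_vcn.vcn.id
  cidr_block                 = "172.30.2.0/24"
  route_table_id             = oci_core_route_table.private.id
  security_list_ids          = [oci_core_security_list.private.id]
  prohibit_public_ip_on_vnic = true # no public IP can ever be attached here
}
```

With only 172.30.1.0/24 allowed to reach port 22 on the private subnet, connect through the public VM with ssh -J opc@<public1 public IP> opc@172.30.2.2, which keeps the private key on your workstation instead of copying it to the jump server.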

Accessing your subnets

I also have two VMs – one in the public subnet (public1) and one in the private subnet (private1).

Two instances in different subnets

As you can see, one has a public IP address and the other does not, and they belong to different subnets.

During VM creation I created an SSH key which I will use to access my public and private VMs. When logging in I use the default VM user opc and supply the private key file I have created.

[simo@mylinux ~] ssh opc@130.1.1.1 -i s1.ppk
Last login: Wed Feb 14 09:54:46 2018 from
[opc@public1 ~]$

That’s it – I can access my public VM fine. Now if I need to access my private VM, I can use my public VM as a jump server.

This is something you will need to think about when creating your network: what is the method for accessing your private subnets, and how will they access the internet (to download packages etc.)? Jump servers and NAT gateways are options in these cases.

As I mentioned earlier, subnets within a VCN don’t need a route to each other, so I should be able to access my private VM from my public VM without modifying the route table. Let’s test!


[opc@public1 ~]$ ssh opc@172.30.2.2 -i s1.ppk
Last login: Wed Feb 14 10:12:44 2018 from 172.30.1.2
[opc@private1 ~]$

Works smoothly! So to summarize, you need to understand which servers you will place in the public and which in the private subnet. Also think about NAT gateways for accessing the internet from your private subnet. In my example, even though I have the same Internet gateway route assigned to both subnets, I can’t access the internet from my private VM, since it has no public IP.

Oracle doesn’t have a NAT gateway as a service yet, so instead you need to create your own NAT instance in the public subnet and route the private subnet’s traffic to the internet through that NAT instance.

A good example of deploying a NAT instance with Terraform:

https://blogs.oracle.com/cloud-infrastructure/automate-deployment-nat-instance-in-oracle-cloud-infrastructure-with-terraform

After playing around I want to remove my subnets so they aren’t left there, as they have no further use. Remember that subnets must be empty before deleting them!

Simo


  • So to connect from a private subnet to the internet, is a NAT gateway created in the public subnet, or a DRG?

  • Hi,
    how do we connect from on-premise to private subnet servers? Is this using the DRG VPN or FastConnect options only?

    • Yes, or if you want, set up a public subnet with a jump server which you can use to connect to the private subnet. Just allow connections from the public subnet's private CIDR block on your security lists or NSGs.

  • I have two regional subnets, one public and one private. The public subnet has a public load balancer installed in it and I have a couple of VMs created in the private subnet. The LB has back ends configured pointing to the private VMs in the private subnet. But this setup does not work for me. Whenever I hit the public address of the LB, I get a 502 Bad Gateway error, and the LB's health shows as Critical. If I change the private subnet into a public one, I have no issues. Do I need to configure anything specific to make the LB communicate with the private VMs? How can I resolve the issue?

    • Hey James, great question! Can you provision an instance in the LB subnet and see if you can access the private VM's HTTP(S) port? Could security lists be involved, blocking the access? Check if you need to allow access for the load balancer on the compute instances.

  • Hi,

    I have created two subnets, one private and one public, both in the same AD. But I am not able to access the private subnet from the public one. I get the error below. Not sure what the reason could be.

    Warning: Identity file privateKey.ppk not accessible: No such file or directory.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

    Thanks,
    Sushil

  • Hi,

    I have a similar problem. I have 2 subnets in the same VCN, one is public and the 2nd one is private. I am trying to access the private instance from the public instance by firing the commands below but getting an error.

    I tried the following options but every time I get the same error. Could you please guide me on where I am wrong?

    //1) Copying public key to private instance (10.0.3.2)

    [opc@www1 ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub opc@10.0.3.2
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/opc/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
    [opc@www1 ~]$

    //2) Trying to access private instance (public subnet) from public instance (private subnet)
    [opc@www1 ~]$ ssh opc@10.0.3.2 -i ~/.ssh/id_rsa
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
    [opc@www1 ~]$

    Please suggest.

    TiA
    - Deven
