Series – Get your database running with Terraform part 4: IGW and NAT GW

The previous part, part three on creating the VCN, can be found here.

Now let’s start with the basics: what are an IGW and a NAT GW?

An Internet Gateway (IGW) in OCI is the connection point that routes your VCN traffic to and from the public Internet, depending on what traffic you allow through your security lists. If you use an IGW, that means your subnet is a public one.

A NAT Gateway (Network Address Translation) routes traffic out to the public Internet from your private subnet. Let’s say you want to download patches or have an interface requiring data from the public Internet, but you need to run your services on a private subnet; then a NAT GW is a good choice for you.

Both services are built with high availability, so you don’t need to do any further configuration beyond the usual setup. Both can be used only for traffic that originates from your VCN.

OCI documentation also describes typical networking scenarios, which touch routing and other components I haven’t covered yet in this series, but it gives good information on what you need in different cases. You can read it here.

Terraform

At this point we have a Compartment and a VCN deployed, which are required to create these resources.

I will add the following lines to main.tf.

//Create NAT GW so private subnet will have access to Internet

resource "oci_core_nat_gateway" "CreateNatGateway" {
  compartment_id = "${oci_identity_compartment.CreateCompartment.id}"
  vcn_id         = "${oci_core_virtual_network.CreateVCN.id}"
  block_traffic  = "${var.nat_gateway_block_traffic}"
  display_name   = "${var.nat_gateway_display_name}"
}

//Create Internet Gateway for Public subnet

resource "oci_core_internet_gateway" "CreateIGW" {
  compartment_id = "${oci_identity_compartment.CreateCompartment.id}"
  enabled        = "${var.internet_gateway_enabled}"
  vcn_id         = "${oci_core_virtual_network.CreateVCN.id}"
  display_name   = "${var.internet_gateway_display_name}"
}

I’ve highlighted the use of the previously created resources and their OCIDs. Beyond those, both resources only need a variable for their name and one for whether they are enabled (or, for the NAT GW, whether traffic is blocked).

In variables.tf I have:

// NAT GW VARIABLES
variable "nat_gateway_display_name" {
  default = "NatGateway"
} // Name for the NAT GW

variable "nat_gateway_block_traffic" {
  default = "false"
} // Is NAT GW active or not

// INTERNET GW VARIABLES

variable "internet_gateway_display_name" {
  default = "InternetGateway"
} // Name for the IGW

variable "internet_gateway_enabled" {
  default = "true"
} // Is IGW enabled or not

The next step is to run Terraform. I’ve already executed terraform plan, and it shows two resources being added on top of the existing configuration.

PS C:\git\OCI\terraform-templates\examples\builddemo> terraform.exe apply
oci_identity_compartment.CreateCompartment: Refreshing state... (ID: ocid1.compartment.oc1..aaaaaaaav43jwd5o...xxxxx)
oci_core_virtual_network.CreateVCN: Refreshing state... (ID: ocid1.vcn.oc1.eu-frankfurt-1.aaaaaaaar2...xxxxx)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + oci_core_internet_gateway.CreateIGW
      id:              <computed>
      compartment_id:  "ocid1.compartment.oc1..xxxxx"
      display_name:    "InternetGateway"
      enabled:         "true"
      freeform_tags.%: <computed>
      state:           <computed>
      time_created:    <computed>
      time_modified:   <computed>
      vcn_id:          "ocid1.vcn.oc1.eu-frankfurt-1.xxxxx"

  + oci_core_nat_gateway.CreateNatGateway
      id:              <computed>
      block_traffic:   "false"
      compartment_id:  "ocid1.compartment.oc1..xxxxx"
      display_name:    "NatGateway"
      freeform_tags.%: <computed>
      nat_ip:          <computed>
      state:           <computed>
      time_created:    <computed>
      vcn_id:          "ocid1.vcn.oc1.eu-frankfurt-1.xxxxx"


Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

oci_core_internet_gateway.CreateIGW: Creating...
  compartment_id:  "" => "ocid1.compartment.oc1..xxxxx"
  display_name:    "" => "InternetGateway"
  enabled:         "" => "true"
  freeform_tags.%: "" => "<computed>"
  state:           "" => "<computed>"
  time_created:    "" => "<computed>"
  time_modified:   "" => "<computed>"
  vcn_id:          "" => "ocid1.vcn.oc1.eu-frankfurt-1.xxxxx"
oci_core_nat_gateway.CreateNatGateway: Creating...
  block_traffic:   "" => "false"
  compartment_id:  "" => "ocid1.compartment.oc1..xxxxx"
  display_name:    "" => "NatGateway"
  freeform_tags.%: "" => "<computed>"
  nat_ip:          "" => "<computed>"
  state:           "" => "<computed>"
  time_created:    "" => "<computed>"
  vcn_id:          "" => "ocid1.vcn.oc1.eu-frankfurt-1.xxxxx"
oci_core_internet_gateway.CreateIGW: Creation complete after 1s (ID: ocid1.internetgateway.oc1.eu-frankfurt-...xxxxx)
oci_core_nat_gateway.CreateNatGateway: Creation complete after 2s (ID: ocid1.natgateway.oc1.eu-frankfurt-1.aaa...xxxxx)

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

I’ve highlighted the part where Terraform refreshes the state of the already created resources. The rest is business as usual, and it creates our two new resources in a matter of seconds.
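As an added example that is not part of the original post, here is a small Python review gate I would put in front of apply: it parses the text plan Terraform 0.11 prints (the format shown above) and lists which gateways will give the VCN a path to the Internet, so the reviewer sees that a subnet is about to become public or gain egress before typing yes. The sample plan and the function names are constructed for this example.

```python
import re

# Constructed sample in the shape of the text plan Terraform 0.11 prints before
# apply (trimmed from the kind of output in this post; OCIDs are placeholders).
SAMPLE_PLAN = """\
  + oci_core_internet_gateway.CreateIGW
      id:              <computed>
      display_name:    "InternetGateway"
      enabled:         "true"
      vcn_id:          "ocid1.vcn.oc1.eu-frankfurt-1.xxxxx"

  + oci_core_nat_gateway.CreateNatGateway
      block_traffic:   "false"
      display_name:    "NatGateway"
      vcn_id:          "ocid1.vcn.oc1.eu-frankfurt-1.xxxxx"
Plan: 2 to add, 0 to change, 0 to destroy.
"""

# "  + type.name" opens a resource; requiring a dot skips the "+ create" legend.
RESOURCE_RE = re.compile(r"^\s*([+\-~])\s+(\S+\.\S+)\s*$")
# '      attr:  "value"' or '      attr:  <computed>' lines under a resource.
ATTR_RE = re.compile(r'^\s+([\w.%]+):\s+(?:"([^"]*)"|(<computed>))\s*$')

def parse_plan(text):
    """Map resource address -> {"action": "+"/"-"/"~", "attrs": {...}}."""
    resources, current = {}, None
    for line in text.splitlines():
        m = RESOURCE_RE.match(line)
        if m:
            current = {"action": m.group(1), "attrs": {}}
            resources[m.group(2)] = current
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"][m.group(1)] = m.group(2) if m.group(2) is not None else "<computed>"
    return resources

def internet_paths(resources):
    """List gateways being created that give the VCN a path to the Internet."""
    findings = []
    for addr, res in resources.items():
        rtype, attrs = addr.split(".", 1)[0], res["attrs"]
        if res["action"] != "+":
            continue
        if rtype == "oci_core_internet_gateway" and attrs.get("enabled") == "true":
            findings.append((addr, "public ingress and egress via IGW"))
        elif rtype == "oci_core_nat_gateway" and attrs.get("block_traffic") == "false":
            findings.append((addr, "egress from private subnets via NAT GW"))
    return findings
```

Feed it the saved output of terraform plan (or the plan section printed by apply) and fail the pipeline, or just ask for a second pair of eyes, when the list is not empty.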

Now we have the IGW and NAT GW available. Next we need to create route tables that reference these gateways, and finally the route tables will be assigned to subnets so traffic gets routed correctly.

Simo

Comments

  • Hi,
    Thank you. This was very informative.
    Would you have an idea of how Oracle prices these network components?
    I’ve been doing some research and the pricing calculator always seems to consider only the network utilization, but I don’t see a cost for the usage of each individual component like NAT Gateways.

    • NAT and IGW gateways are not separately priced AFAIK, so you only pay for the traffic (if any). So that makes calculations a lot easier!
