This page has a checklist which I've found useful for debugging OCI connectivity issues. It's a list which keeps getting updated, so if you find something which is not here, let me know. Right now, as of October 2021, most of the checklist items are aimed at the new OCI DRGv2.
Always verify connectivity from the ground up: from the server to the subnet, to the route tables, and so on.
Connectivity Checklist inside VCN
- Compute or Database instance internal (OS) firewall allows the traffic
- Network Security Groups assigned to the resource allow traffic from the source
- Compute instance has the correct Network Security Group(s) assigned
- Subnet Security List allows the traffic
- Routing inside a VCN is implicit in OCI; no rule is needed in the route table for local VCN traffic
- Necessary gateways are provisioned:
  - Public Internet from a Public Subnet: Internet Gateway
  - Public Internet from a Private Subnet: NAT Gateway
  - Oracle Services (for example the yum repository) within the Region: Service Gateway
- Route table has the necessary routes towards those gateways
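The first four items above are all "does some rule allow this flow" checks. The following added example (my own illustration, not code from the original page or from Oracle) evaluates that the way OCI does: security list rules and NSG rules are applied as a union, so traffic is permitted if any single rule in either set matches the source CIDR, protocol and destination port. The rule dictionaries are constructed to mirror the shape of OCI ingress rules (`source`, `protocol` using OCI's protocol numbers, `tcp_options`/`udp_options` with a `destination_port_range`); the sample CIDRs and ports are made up.

```python
import ipaddress

# Constructed sample ingress rules, shaped like OCI security list / NSG rules.
# OCI protocol values: "all", "1" = ICMP, "6" = TCP, "17" = UDP.
SECURITY_LIST_INGRESS = [
    {"source": "10.0.0.0/16", "protocol": "6",
     "tcp_options": {"destination_port_range": {"min": 22, "max": 22}}},
    {"source": "0.0.0.0/0", "protocol": "6",
     "tcp_options": {"destination_port_range": {"min": 443, "max": 443}}},
]
NSG_INGRESS = [
    {"source": "10.1.0.0/24", "protocol": "all"},   # constructed: allow everything from one peer subnet
]

PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}


def rule_matches(rule, src_ip, proto, dst_port):
    """True if one ingress rule permits a packet from src_ip with this protocol and destination port."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["source"], strict=False):
        return False
    if rule["protocol"] not in ("all", PROTO_NUMBERS[proto]):
        return False
    # tcp_options / udp_options; an absent options block means "all ports" for that protocol.
    opts = rule.get(f"{proto}_options")
    if opts is None:
        return True
    rng = opts.get("destination_port_range")
    if rng is None:
        return True
    return rng["min"] <= dst_port <= rng["max"]


def ingress_allowed(security_list_rules, nsg_rules, src_ip, proto, dst_port):
    """OCI applies the union of security list and NSG rules: the flow passes if any rule allows it.

    Returns (True, matching_rule) for the first match, or (False, None) when nothing allows the flow.
    """
    for rule in list(security_list_rules) + list(nsg_rules):
        if rule_matches(rule, src_ip, proto, dst_port):
            return True, rule
    return False, None


if __name__ == "__main__":
    for src, proto, port in [("10.0.5.4", "tcp", 22), ("10.1.0.9", "udp", 53),
                             ("192.168.1.1", "tcp", 22), ("192.168.1.1", "tcp", 443)]:
        ok, rule = ingress_allowed(SECURITY_LIST_INGRESS, NSG_INGRESS, src, proto, port)
        print(f"{src} {proto}/{port}: {'allowed by ' + str(rule) if ok else 'blocked'}")
```

When a flow is blocked here, the fix belongs in the security list or NSG; when it is allowed here but still fails, move on down the checklist to the instance firewall and routing.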
Connectivity Checklist between VCNs (intra-Region)
- If Local Peering Gateways are used, the LPGs must be peered
- On the subnet route table, the LPG needs to be set as the route target
- DRGv2: Subnet route table has a route towards the DRG with the destination VCN CIDR (can be 0.0.0.0/0, so all traffic goes to the DRG, which handles the correct destination)
- DRGv2: VCN attachment exists for the source and has a route table which advertises the source VCN CIDR
- DRGv2: VCN attachment exists for the destination and has a route table which advertises the destination CIDR
- DRGv2: DRG route tables can be the same or separate for the VCN attachments
- DRGv2: VCN attachment route table has either static routes or import route distributions enabled
- "Get All Route Rules" shows all required routes being available in the DRG route table
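The DRGv2 items above describe a two-stage lookup: the subnet route table sends the packet to the DRG, and the DRG route table associated with the source attachment then picks the destination attachment. The added example below (my own illustration, not code from the original page or from Oracle) walks that chain for a destination IP and reports where the checklist fails: a missing subnet rule, a subnet rule that points at the wrong kind of target, or a DRG route table that has no rule covering the destination (what "Get All Route Rules" would show as missing). It also applies the earlier point that intra-VCN traffic needs no rule. The VCN CIDRs, the `target_type` field and the attachment names are constructed for the example; real OCI route rules carry only a `network_entity_id` OCID, and the same logic applies to the cross-region RPC and transit checklists further down.

```python
import ipaddress

# Constructed topology: two VCNs attached to one DRGv2.
VCN_A_CIDR = "10.0.0.0/16"
VCN_B_CIDR = "10.1.0.0/16"

# Subnet route table of a subnet in VCN A. Local VCN traffic needs no rule (OCI routes it implicitly).
# `target_type` is a constructed field; in OCI the target is an OCID in `network_entity_id`.
SUBNET_RT_A = [
    {"destination": "10.1.0.0/16", "target_type": "DRG", "network_entity_id": "drg-hypothetical"},
]

# DRG route table associated with VCN A's attachment. In a real tenancy these rules come from
# static routes or import route distributions, and "Get All Route Rules" lists them.
DRG_RT_FOR_A = [
    {"destination": "10.1.0.0/16", "next_hop_drg_attachment_id": "vcn-attachment-b-hypothetical"},
]


def longest_prefix_match(rules, dst_ip):
    """Return the rule whose destination CIDR contains dst_ip with the longest prefix, or None."""
    addr = ipaddress.ip_address(dst_ip)
    best_rule, best_len = None, -1
    for rule in rules:
        net = ipaddress.ip_network(rule["destination"], strict=False)
        if addr in net and net.prefixlen > best_len:
            best_rule, best_len = rule, net.prefixlen
    return best_rule


def trace_route(vcn_cidr, subnet_rt, drg_rt, dst_ip):
    """Walk the checklist: implicit VCN routing -> subnet route table -> DRG route table.

    Returns a list of hop descriptions; the last entry starts with "NO ROUTE" when a check fails.
    """
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(vcn_cidr, strict=False):
        return ["local (implicit VCN routing, no route rule needed)"]
    hops = []
    rule = longest_prefix_match(subnet_rt, dst_ip)
    if rule is None:
        return [f"NO ROUTE: subnet route table has no rule covering {dst_ip}"]
    hops.append(f"subnet rule {rule['destination']} -> {rule['network_entity_id']}")
    if rule["target_type"] != "DRG":
        # LPG, NAT or Internet gateway: the DRG route table is not consulted for this flow.
        return hops
    drg_rule = longest_prefix_match(drg_rt, dst_ip)
    if drg_rule is None:
        hops.append(f"NO ROUTE: DRG route table for this attachment has no rule covering {dst_ip}")
        return hops
    hops.append(f"DRG rule {drg_rule['destination']} -> {drg_rule['next_hop_drg_attachment_id']}")
    return hops


if __name__ == "__main__":
    for dst in ("10.0.3.4", "10.1.2.3", "10.2.0.1"):
        print(dst, "=>", " | ".join(trace_route(VCN_A_CIDR, SUBNET_RT_A, DRG_RT_FOR_A, dst)))
    # A 0.0.0.0/0 subnet rule reaches the DRG, but an empty DRG route table still drops the flow.
    catch_all = [{"destination": "0.0.0.0/0", "target_type": "DRG", "network_entity_id": "drg-hypothetical"}]
    print("10.1.2.3 via 0.0.0.0/0 and empty DRG table =>", trace_route(VCN_A_CIDR, catch_all, [], "10.1.2.3"))
```

The same trace has to succeed in the reverse direction from VCN B, which is why the checklist asks for attachments and advertised CIDRs on both the source and the destination side.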
Connectivity Checklist between VCNs (Cross-Region)
- Remote Peering Connections (RPC) have been created in both Regions
- Remote Peering Connections have been established between the Regions
- DRGv2: Subnet route table has a route towards the DRG with the remote peered VCN CIDR (can be 0.0.0.0/0, so all traffic goes to the DRG, which handles the correct destination)
- DRGv2: RPC attachment exists for the source and has a route table which advertises the source VCN CIDR
- DRGv2: RPC attachment exists for the destination and has a route table which advertises the destination CIDR
- DRGv2: RPC attachment route table has either static routes or import route distributions enabled
- "Get All Route Rules" shows all required routes being available in the DRG route table
Connectivity Checklist from on-premises to OCI with FastConnect
- FastConnect location has been provisioned and the connection status shows "Up"
- ASN & BGP information has been validated
- DRGv2: Subnet route table has a route towards the DRG with the customer (on-premises) network CIDR
- DRGv2: Virtual Circuit (VC) attachment exists for all required Virtual Circuits
- DRGv2: VC attachment route table has either static routes or import route distributions enabled for the VCN routes
- DRGv2: VCN attachment route table has either static routes or import route distributions enabled for ALL routes
- Necessary firewall openings exist between on-premises & OCI
- Necessary routes are advertised from on-premises and received from OCI
Connectivity Checklist to Spoke VCN with Transit Networking
- Source VCN subnet has routes towards the DRG
- Hub & Spoke are connected with an LPG and the peering is established
- Spoke subnet route table has a route towards the LPG
- Hub VCN has a route table which has routes towards the Spoke LPG (it can't have other rules associated)
- DRGv2: VCN attachment for the Hub VCN has an additional VCN route table associated with routes towards the LPG ("Attachment – Edit Attachment – Advanced Options – VCN Route table")
- DRGv2: VCN attachment route table has either static routes or import route distributions enabled
- "Get All Route Rules" shows all required routes being available in the DRG route table