OCI Network Checklist

This page has a checklist which I’ve found useful to debug OCI connectivity issues. It’s a list which keeps getting updated, so if you find something which is not there, let me know. Right now, as of October 2021, most of the checklists are towards the new OCI DRGv2.

Always start verifying connectivity from the ground up: from the server, then the subnet, then the route tables, and so on.

Connectivity Checklist inside VCN

Compute or Database instance internal firewall (OS firewall) allows the traffic
Network Security Groups assigned to the resource allow traffic from the source
Compute instance has the correct Network Security Group(s) assigned
Subnet Security List allows the traffic
Traffic within a VCN is routed by default in OCI; no route rule is needed in the subnet route table for intra-VCN traffic
Are the necessary gateways provisioned:
- Public Internet from a Public Subnet: Internet Gateway
- Public Internet from a Private Subnet: NAT Gateway
- Oracle Services (for example the yum repository) within the Region: Service Gateway
Route table has the necessary routes towards those gateways
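As an added example that is not part of the original checklist: a small Python script that applies the Security List and route table items above to the JSON that `oci network route-table get` and `oci network security-list get` return. The sample rules below are constructed, and the exact field names are an assumption to compare against your own tenancy's output.

```python
import ipaddress

# Constructed sample data shaped like the JSON returned by
# `oci network route-table get` and `oci network security-list get`
# (the exact field names are an assumption; compare with your own output).
ROUTE_RULES = [
    {"destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK",
     "network-entity-id": "ocid1.natgateway.oc1..constructed"},
    {"destination": "10.20.0.0/16", "destination-type": "CIDR_BLOCK",
     "network-entity-id": "ocid1.drg.oc1..constructed"},
    {"destination": "all-xxx-services-in-oracle-services-network",
     "destination-type": "SERVICE_CIDR_BLOCK",
     "network-entity-id": "ocid1.servicegateway.oc1..constructed"},
]
INGRESS_RULES = [
    {"source": "10.20.5.0/24", "protocol": "6",   # TCP 1521 from one peered subnet
     "tcp-options": {"destination-port-range": {"min": 1521, "max": 1521}}},
    {"source": "0.0.0.0/0", "protocol": "1"},     # ICMP from anywhere
]


def matching_route(rules, dest_ip):
    """Return the route rule OCI would apply to dest_ip (longest prefix wins),
    or None if no CIDR rule covers it. Service-CIDR rules carry a service label,
    not a CIDR, so they are skipped here."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for rule in rules:
        if rule.get("destination-type", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue
        net = ipaddress.ip_network(rule["destination"], strict=False)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, rule)
    return best[1] if best else None


def ingress_allowed(rules, src_ip, protocol, port=None):
    """True if any ingress rule admits src_ip on the IANA protocol number
    ("6" TCP, "17" UDP, "1" ICMP, or "all") and, for TCP/UDP, the port."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["protocol"] not in (protocol, "all"):
            continue
        if ip not in ipaddress.ip_network(rule["source"], strict=False):
            continue
        opts = rule.get({"6": "tcp-options", "17": "udp-options"}.get(protocol, ""), {})
        rng = opts.get("destination-port-range")       # absent means all ports
        if rng is None or port is None or rng["min"] <= port <= rng["max"]:
            return True
    return False
```

A route returned by `matching_route` still has to point at a gateway or DRG that actually exists and is attached; a rule whose target is missing is the next item to check.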

Connectivity Checklist between VCNs (intra-Region)

If Local Peering Gateways are used, the LPGs must be peered
On the subnet route table, the LPG must be the target of the route to the peered VCN
DRGv2: Subnet route table has a route towards the DRG for the destination VCN CIDR (this can be 0.0.0.0/0, so that all traffic goes to the DRG, which then routes to the correct destination)
DRGv2: VCN attachment exists for the source VCN and has a route table which advertises the source VCN CIDR
DRGv2: VCN attachment exists for the destination VCN and has a route table which advertises the destination VCN CIDR
DRGv2: DRG route tables can be the same or separate for the VCN attachments
DRGv2: VCN attachment route table has either static routes or import route distributions enabled
“Get All Route Rules” shows all required routes as available in the DRG route table

Connectivity Checklist between VCNs (Cross-Region)

Remote Peering Connections (RPC) have been created in both Regions
Remote Peering Connections have been established between the Regions
DRGv2: Subnet route table has a route towards the DRG for the remote peered VCN CIDR (this can be 0.0.0.0/0, so that all traffic goes to the DRG, which then routes to the correct destination)
DRGv2: RPC attachment exists for the source and has a route table which advertises the source VCN CIDR
DRGv2: RPC attachment exists for the destination and has a route table which advertises the destination VCN CIDR
DRGv2: RPC attachment route table has either static routes or import route distributions enabled
“Get All Route Rules” shows all required routes as available in the DRG route table

Connectivity Checklist from on-premises to OCI with FastConnect

FastConnect location has been provisioned and the connection status shows “Up”
ASN & BGP information has been validated
DRGv2: Subnet route table has a route towards the DRG for the customer (on-premises) network CIDR
DRGv2: Virtual Circuit (VC) attachment exists for all required Virtual Circuits
DRGv2: VC attachment route table has either static routes or import route distributions enabled for the VCN routes
DRGv2: VCN attachment route table has either static routes or import route distributions enabled for ALL routes
Necessary firewall rules have been opened between on-premises & OCI
Necessary routes are advertised from on-premises and received from OCI

Connectivity Checklist to Spoke VCN with Transit Networking

Source VCN subnet has routes towards the DRG
Hub & Spoke VCNs are connected with an LPG and the peering connection is established
Spoke subnet route table has a route towards the LPG
Hub VCN has a route table with routes towards the Spoke LPG (it cannot have other rules associated)
DRGv2: VCN attachment for the Hub VCN has the additional VCN route table associated which holds the routes towards the LPG (“Attachment – Edit Attachment – Advanced Options – VCN Route table”)
DRGv2: VCN attachment route table has either static routes or import route distributions enabled
“Get All Route Rules” shows all required routes as available in the DRG route table