S105684GC11 Ag Lab02
Overview
A Dynamic Routing Gateway (DRG) is an OCI virtual router. It provides a path for traffic
between on-premises networks and Virtual Cloud Networks via Site-to-site VPN, or via
FastConnect. DRGs are also used for routing traffic between VCNs that are located within the
same region, remote regions, and/or in other OCI accounts (tenancies). Using different types
of attachments, custom network topologies can be constructed using components in different
regions and tenancies. Each DRG attachment has an associated route table which is used to
route packets entering the DRG to their next hop.
A DRG can have multiple network attachments of each of the following types:
• VCN attachments: you can attach multiple VCNs to a single DRG. Each VCN can be in
the same or different tenancies as the DRG.
• RPC attachments: you can peer a DRG to other DRGs (including DRGs in other regions)
using remote peering connections.
• IPSEC_TUNNEL attachments: you can use Site-to-site VPN to attach two or more
IPSec tunnels to your DRG to connect to on-premises networks. This is also allowed
across tenancies.
• VIRTUAL_CIRCUIT attachments: you can attach one or more FastConnect virtual
circuits to your DRG to connect to on-premises networks.
In the following practices, you will configure the dynamic routing gateway created in Lab One
to connect to another group of resources (typically in another region). This document will use
the UK South (London) region for this purpose, and will be connecting the two DRGs via OCI’s
remote peering connection (RPC). However, RPC can be established between two DRGs
located in the same region. Once this is successfully configured, the original DRG from the
previous lab will be configured to route traffic from on-premises to the new DRG, extending
the existing on-premises to OCI site-to-site VPN reach.
26 Remote Peering: InterConnect OCI resources between regions, and extend to on-premises.
In this lab, you’ll:
Create a new set of Resources
VCN (Create with VCN Wizard. Enable ICMP echo Default Security List)
Name: LHR-AP-LAB02-1-VCN-01
CIDR Block: 172.17.0.0/16
Public Subnet
CIDR Block: 172.17.0.0/24
Private Subnet
CIDR Block: 172.17.1.0/24
DRG
Name: LHR-AP-LAB02-1-DRG-01
Configure Dynamic Routing Gateway for Remote Peering
In this practice, you will attach the VCN to the DRG and create a route rule that will route traffic
to the OCI VCN from the previous lab via the DRG. Next, you will create a remote peering
connection and capture its OCID so you can use it for RPC.
3. Select the VCN you previously created for this lab: LHR-AP-LAB02-1-VCN-01.
b. Under Choose a DRG … select the DRG you previously created for this lab:
LHR-AP-LAB02-1-DRG-01. Leave everything else as is.
• IP Protocol: ICMP
• Type: 8
• Leave everything else as-is.
• Click Add Ingress Rules.
5. From the main menu, select Networking, and click Dynamic Routing Gateway.
6. Click the link for the DRG you previously created for this lab: LHR-AP-LAB02-1-DRG-01.
a. Name: LHR-AP-LAB02-1-RPC-01
3. Once it is created to completion, in the middle section of the screen under Remote
Peering Connection, click LHR-AP-LAB02-1-RPC-01.
4. Under Remote Peering Connection Information, find the OCID and copy it to paste in a
minute (Make sure it is not the DRG OCID). It should look similar to this one:
ocid1.remotepeeringconnection.oc1.uk-london-1.aaaaaaaaqvqaofljpt7em4ae45dw3………………….wbqpxguuz2yjja
5. Under Dynamic Routing Gateways, select the DRG you created in the previous lab:
PHX-AP-LAB01-1-DRG-01.
b. Name: PHX-AP-LAB02-1-RPC-01
7. Once it is created to completion, in the middle section of the screen under Remote
Peering Connection, click PHX-AP-LAB02-1-RPC-01.
9. Under Region, from the drop-down list of regions, select the right one. In this document it
is uk-london-1.
10. In the Remote Peering Connection OCID field, paste the OCID you copied from the RPC
in the new DRG.
11. Under Remote Peering Connection Information, wait for the Peering status field to
change to Peered status.
13. Select the VCN you created for the previous lab: PHX-AP-LAB01-1-VCN-01.
17. In the breadcrumbs in the top left of the browser, click PHX-AP-LAB01-1-VCN-01.
You have configured remote peering connection between the two DRGs. Your compute
instances on either one of the VCNs should be able to ping the private IP address of the other
end. Test the connectivity. Retrieve the private IP address of your OCI compute instance from
the previous lab. SSH into the new VM (the one you created in this lab) and ping it. Try the
opposite direction too. You can now route between your two OCI VCNs. This concludes this
section. Next, let’s configure routing from on-premises to the remote VCN!
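Steps 4 and 10 above depend on pasting the remote peering connection OCID, not the DRG OCID, and on choosing the matching region in step 9. The following added example (not part of the lab guide) checks a pasted value against the documented OCID layout before it is used; the function name `check_rpc_ocid` is hypothetical and the sample OCIDs are constructed placeholders.

```python
# Documented OCID layout:
#   ocid1.<resource type>.<realm>.[region][.future use].<unique id>
RPC_TYPE = "remotepeeringconnection"


def check_rpc_ocid(ocid, expected_region):
    """Return a list of problems; an empty list means the value looks right."""
    parts = ocid.strip().split(".")  # tolerate whitespace from copy and paste
    if len(parts) not in (5, 6) or parts[0] != "ocid1":
        return ["not an OCID (expected ocid1.<type>.<realm>.<region>.<unique id>)"]

    rtype, region, unique = parts[1], parts[3], parts[-1]
    problems = []
    if rtype == "drg":
        problems.append("this is the DRG OCID, not the remote peering connection OCID")
    elif rtype != RPC_TYPE:
        problems.append(f"unexpected resource type: {rtype}")
    if region != expected_region:
        problems.append(f"OCID region {region!r} does not match selected region {expected_region!r}")
    if not (unique.isascii() and unique.isalnum()):
        problems.append("unique id is empty or truncated")
    return problems


# Constructed sample values (placeholders, not real resources).
GOOD_RPC = "ocid1.remotepeeringconnection.oc1.uk-london-1.aaaaconstructedexample"
DRG_OCID = "ocid1.drg.oc1.uk-london-1.aaaaconstructedexample"

if __name__ == "__main__":
    for value in (GOOD_RPC, DRG_OCID, "LHR-AP-LAB02-1-RPC-01"):
        print(value, "->", check_rpc_ocid(value, "uk-london-1") or "ok")
```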
Route from On-premises to the Remote Region
In this practice, you will combine this lab and the first lab. You’ll route from your “on-premises”
resources via the site-to-site VPN (created in the previous lab) to the remote region via the
remote peering connection (from this lab). To accomplish this, you will configure the Original
DRG (from Lab 1) to route traffic from the VPN to the RPC, and vice versa.
When you configured the on-premises network route and security rules, you used the CIDR
Block 172.16.0.0/12. The reason for this was to include both OCI VCNs, which are 172.31.0.0/16
and 172.17.0.0/16. Therefore this part was already preconfigured.
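An added example (not part of the lab guide) that checks the statement above with Python's `ipaddress` module: it confirms that the /12 covers both VCN CIDRs and lists the rest of the /12 that the same route and security rules also match. The function name `audit_rule` is hypothetical.

```python
import ipaddress


def audit_rule(rule_cidr, vcn_cidrs):
    """Compare one broad rule CIDR against the VCN CIDRs it is meant to reach."""
    rule = ipaddress.ip_network(rule_cidr)
    vcns = [ipaddress.ip_network(c) for c in vcn_cidrs]

    # VCNs the rule does not cover at all (traffic to them would not match).
    missed = [str(v) for v in vcns if not v.subnet_of(rule)]

    # Carve every covered VCN out of the rule; what remains is address space
    # the rule matches although none of the listed VCNs uses it.
    remaining = [rule]
    for v in vcns:
        next_blocks = []
        for block in remaining:
            if block.subnet_of(v):
                continue  # block lies entirely inside this VCN
            if v.subnet_of(block):
                next_blocks.extend(block.address_exclude(v))
            else:
                next_blocks.append(block)  # disjoint, keep as is
        remaining = next_blocks

    unused = sorted(ipaddress.collapse_addresses(remaining))
    used = rule.num_addresses - sum(n.num_addresses for n in unused)
    return {
        "missed": missed,
        "unused": [str(n) for n in unused],
        "used_fraction": used / rule.num_addresses,
    }


if __name__ == "__main__":
    # CIDRs taken from this lab: the on-premises rule and the two OCI VCNs.
    report = audit_rule("172.16.0.0/12", ["172.31.0.0/16", "172.17.0.0/16"])
    print("not covered:", report["missed"])
    print("matched but unused:", report["unused"])
    print("fraction of the rule in use:", report["used_fraction"])
```

The two /16 VCNs occupy one eighth of the /12, so a narrower pair of /16 rules would reach the same VCNs if the wider match is not wanted.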
Before working on the DRG from lab 1, you’ll configure the route rules and security list in the
new VCN.
This part is done. From the VCN's standpoint, it appears that you could ping the private IP
address of the “on-premises” compute instance from the new VM (LHR-AP-LAB02-1-VM-01).
As part of this exercise, log into your new VM and try pinging your on-premises VM. It will
fail. Leave it running.
Now you will configure the DRG from the previous lab.
a. Name: PHX-AP-LAB02-1-RD-VPN-01
b. Priority: 1
a. Name: PHX-AP-LAB02-1-RD-RPC-01
b. Priority: 2
a. Name: PHX-AP-LAB02-1-RT-VPN-01
b. Click Show Advanced Options.
a. Name: PHX-AP-LAB02-1-RT-RPC-01
10. To the right of the RPC Attachment listed, right-click Actions Menu (three vertical dots).
13. In the Choose a DRG Route Table drop-down list, select PHX-AP-LAB02-1-RT-RPC-01.
17. To the right of the IPSec tunnel Attachment listed, right-click the Actions Menu.
22. In the breadcrumbs area, click PHX-AP-LAB01-1-DRG-01.
24. To the right of the IPSec tunnel Attachment listed, right-click the Actions Menu.
This completes the DRG configuration. Now go back to the pinging session you left running. It
is working!
You can find more information on managing DRGs, route distributions and route tables here:
https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm