Connecting Oracle Cloud to your Data Centre (Part A)
1. Copyright © 2014, eProseed and/or its affiliates. All rights reserved. | Confidential
CONNECTING ORACLE CLOUD TO YOUR DATA CENTRE
A Detailed Walk-Through (Part A)
Simon Haslam
Technical Director
eProseed
2. Copyright © 2017, eProseed UK Ltd
INTRODUCTION
Simon Haslam
• Platform / Infrastructure Architect with a focus on HA, DR, automation etc
• Using Oracle products since 1994 (Oracle7)
• Formerly UKOUG App Server & Middleware SIG Chair
About eProseed
• Multi award-winning Oracle Platinum Partner
• HQ in Luxembourg with 9 subsidiaries across the world including UK, NL, PT, KSA, USA & now Australia!
• A highly technical Oracle practice with 7 active ACEDs
3. 3 Membership Tiers:
• Oracle ACE Director
• Oracle ACE
• Oracle ACE Associate
bit.ly/OracleACEProgram
500+ Technical Experts
Helping Peers Globally
Connect:
Nominate yourself or someone you know: acenomination.oracle.com
@oracleace
Facebook.com/oracleaces
oracle-ace_ww@oracle.com
5.
3 TYPES OF INTERNAL NETWORKS IN ORACLE CLOUD
• IPv4 internal networks described by RFC 1918 (in colloquial notation):
– 10.*.*.* 16 million
– 172.16.*.* to 172.31.*.* 1 million
– 192.168.*.* 65 thousand
• Oracle offers 3 types of internal networks for IaaS:
1 Shared Network – Compute Classic – Old
2 IP Networks – Compute Classic – Newer
3 Virtual Cloud Networks – Oracle Cloud Infrastructure (fka Bare Metal Cloud) – Newest
6.
1. SHARED NETWORK
• “Traditionally” Oracle only had Shared Network for PaaS / IaaS
– Internal IPs are dynamically allocated and subject to change on instance restart
– Hosts can be NAT/PAT’d to Public IPs from Oracle ASN address spaces
Good: you don’t need to think much
Bad: how do we address Oracle VMs from on-prem systems without clashes etc?
Shared network is pretty complex for intra-host firewalling
Readiness “for cloud scale”?
7.
2. IP NETWORKS & 3. VIRTUAL CLOUD NETWORKS
• IP Networks (not very descriptive name!) is very similar to AWS Virtual Private Cloud
– Allows you to choose the IP subnets you want to use internally within Oracle Cloud
– Provides “IP Exchanges” which are gateways between IP Networks
• Allows you to make Cloud data centre look much more like an on-prem one
Virtual Cloud Networks
• New Oracle Cloud Infrastructure (OCI) has Virtual Cloud Networks which look very similar to IP Networks (but managed within compartments etc)
– I need to do more research there
8.
VPNS, THEY ARE A CHANGIN’
• Last year in my “3 ways to connect to Oracle Cloud” presentation we had:
VPN for Shared Compute (aka Corente)
VPN For Dedicated Compute
Fast Connect
(0. was ‘Directly’ which doesn’t really count!)
• Since then lots of new shiny things have arrived:
– IP Networks (just arriving at end of 2016)
– Oracle Cloud Infrastructure (this is soooo big and shiny it deserves a session of its own!) with its Virtual Cloud Networks
– VPNaaS for Classically Classic Cloud Compute Classic
Image: © Official Disney UK Channel, https://www.youtube.com/watch?v=RiC-dMMYevc
9.
ORACLE CLOUD VPN EVOLUTION
Early 2016: Orchestration & Console Visibility
Nov 2016: Create CSG wizard
Mid 2017: VPNaaS (optional)
Nov 2017: VPNaaS only
10.
THE WRITING IS ON THE WALL
Screenshot: Oracle Cloud Infrastructure (fka IaaS) – Compute Classic, November 2017 (17.4)
My speculation: Shared Network will soon be deprecated*
* find out why later
11.
NETWORKING MENU IN COMPUTE CLASSIC
Screenshots: Provisioned Pre-Nov 17 vs Provisioned Nov 17+
Note: Dec 17 Compute Classic console
12.
VPNS COMPARED
Diagram: Corente (VM on Shared Network) → Evolution → VPNaaS (VMs on IP Network(s))
13.
QUESTIONS
• Is this distinction between Corente VPN and VPNaaS important?
– Yes! Corente is a gateway appliance you manage, whereas VPNaaS is a black box running in the network
• Does this mean I should always use Corente as it gives me flexibility to choose Shared or IP Networks?
– No. VPNaaS is much easier to set up and appears to be Oracle’s strategic approach: use that if possible.
– WARNING: no diagnostics for gateway end of VPNaaS (currently), i.e. you have to diagnose issues from your 3rd party device.
• Corente can be used for cloud-to-cloud connections – how about VPNaaS?
– Sounds plausible but no documentation seen about it yet
This means you should be using IP Networks for all new PaaS instances you create, and probably VPNaaS to access them
14.
• Overview
• VPNaaS walk-through
• Recap IP networking
• Corente ‘Classic’
• Recommendations
15.
WHAT’S OUR GOAL?
Diagram: VMs on IP Network(s) in Oracle Cloud, connected via VPNaaS and a VPN to a 3rd Party Device on the Corporate VLAN(s), where the Host Admin PCs sit
Note: this doesn’t consider application access – that is normally over the internet
16.
HIGH-LEVEL WALKTHROUGH
Make friends with your network team!
1. Agree the IP Network subnet addresses
– if you have them already hopefully you have discussed this before with them!
2. Discuss the IPSec tunnel requirements, hardware vendors, etc
3. You create the VPNaaS
4. Network team sets up & tests the IPSec end point
(You & network team debug the VPN)
17.
1. NETWORK NUMBERING
• Nothing new here – treat it like an on-prem data centre. Consider:
– How many networks (VLANs) you need (e.g. prod versus test, network zones)
– Think about how numbering will work when adding further Oracle Cloud data centres
– Consider sensible subnet sizes according to potential use
We won’t be trunking VLANs – each network gets a gateway/endpoint pair – so don’t go wild. Keep it simple!
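As an added example (not code from the talk or from Oracle), the check below applies the numbering advice of this slide and the RFC 1918 ranges from slide 5: every planned cloud IP Network and on-prem VLAN must be private, and none may overlap, since a clash breaks the on-prem-to-cloud addressing discussed earlier. The subnet names and addresses are constructed sample data.

```python
"""Sanity-check a cloud IP Network numbering plan against on-prem VLANs.

Added example for this deck, not Oracle's or eProseed's code. All subnets
below are constructed sample values, not addresses from the talk. IPv4 only.
"""
import ipaddress

# The three RFC 1918 private ranges quoted on slide 5 (10/8, 172.16/12, 192.168/16)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole subnet lies inside one of the RFC 1918 ranges."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_plan(on_prem, cloud):
    """Return a list of problems found in the combined numbering plan.

    on_prem / cloud: dicts of name -> CIDR string. Every subnet must be
    private (RFC 1918) and no two subnets anywhere in the plan may overlap,
    otherwise routes and IPSec traffic selectors clash.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in {**on_prem, **cloud}.items()}
    problems = []
    for name, net in nets.items():
        if not is_rfc1918(net):
            problems.append(f"{name} {net} is not an RFC 1918 private range")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


# Constructed sample plan: one clash and one non-private range on purpose
ON_PREM = {"wh-vlan10": "10.1.0.0/24", "wh-vlan20": "10.1.1.0/24"}
CLOUD = {"gbs1-int01": "10.1.1.0/25",      # overlaps wh-vlan20
         "gbs1-int02": "10.200.0.0/24",
         "gbs1-dmz01": "100.64.0.0/24"}    # shared address space, not RFC 1918

if __name__ == "__main__":
    for p in check_plan(ON_PREM, CLOUD):
        print("PROBLEM:", p)
```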
18.
2. DISCUSS IPSEC TERMINATION REQUIREMENTS
• Your network team will almost certainly have set up IPSec VPNs on the same hardware before
– They should know what sets of cypher suites etc they support
– They probably have standard procedures / a request form for new IPSec connections
• You need to think about access and how routes are advertised, etc
• My advice is to try to agree on the latest/strongest cyphers supported by both ends
– You don’t know when Oracle may choose to deprecate older ones, e.g. SHA-1 digests.
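An added example (not from the talk or from Oracle) of the "agree on the strongest cyphers both ends support" step: given each end's supported IKE/IPsec proposals, pick the strongest common one and flag anything in it, such as SHA-1, that may be withdrawn later. The strength ranking and both capability lists are constructed assumptions for illustration; the real lists come from your device and the current Oracle documentation.

```python
"""Pick the strongest IKE/IPsec proposal both tunnel ends support.

Added example for this deck (not Oracle's or eProseed's code). The ranking
and the supported-proposal sets are constructed sample data.
"""

# Higher value = stronger / more future-proof. Ranks are an illustrative
# assumption ordered by key size, digest length and DH group strength.
ENC_RANK = {"3des": 0, "aes128": 1, "aes256": 2, "aes256gcm": 3}
INTEGRITY_RANK = {"md5": 0, "sha1": 1, "sha256": 2, "sha384": 3}
DH_RANK = {"group2": 0, "group5": 1, "group14": 2, "group19": 3}

# Algorithms a provider may deprecate at any time (the slide's SHA-1 point)
DEPRECATED = {"3des", "md5", "sha1", "group2", "group5"}


def strength(proposal):
    """Sortable strength of an (encryption, integrity, dh_group) tuple."""
    enc, integ, dh = proposal
    return (ENC_RANK[enc], INTEGRITY_RANK[integ], DH_RANK[dh])


def negotiate(oracle_side, device_side):
    """Return (best_common_proposal, warnings).

    Each side is a set of (encryption, integrity, dh_group) tuples. The best
    proposal is the common one with the highest strength; warnings name any
    deprecated algorithm it still relies on. With no intersection the tunnel
    can never come up, so that is reported as the only warning.
    """
    common = set(oracle_side) & set(device_side)
    if not common:
        return None, ["no common proposal: tunnel cannot be established"]
    best = max(common, key=strength)
    warnings = [f"{alg} is deprecated or likely to be withdrawn"
                for alg in best if alg in DEPRECATED]
    return best, warnings


# Constructed sample capability lists for the two tunnel ends
ORACLE = {("aes256", "sha256", "group14"), ("aes128", "sha1", "group5"),
          ("aes256", "sha1", "group14")}
DEVICE = {("aes128", "sha1", "group5"), ("aes256", "sha1", "group14"),
          ("aes256gcm", "sha384", "group19")}

if __name__ == "__main__":
    print(negotiate(ORACLE, DEVICE))
```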
19.
3. YOU CREATE THE VPNAAS GATEWAYS
Note: you often have to specify the IKE ID, typically as the external IP
21.
CLOUD CONSOLE VPNAAS CONFIGURATION ARTEFACTS
1 x VPN Gateway, 1 x Customer Device, 1 x Connection
A VPNaaS Gateway pair can serve one connection to a Customer Device
In this case – 3 on-prem DC to 2 cloud DC – has 6 VPNaaS pairs
Diagram: Cloud 1 and Cloud 2 each connected to DC 1, DC 2 and DC 3
Remember, this is not necessarily just data centres – could be e.g. Head Office connection
22.
VPNAAS: NAMING CONVENTIONS
• For VPNaaS you only have one decision to make. Characteristics:
– It is point to point, so I like to have the same naming at each end
– It is DC-to-DC within an identity domain (Classic Compute)
– It connects into one IP network only, but more are reachable
Example convention:
prd-{opc-dc}-{on-prem-dc}-{primary-IPnet}
e.g. prd-gbs1-wh-int01
Note: I use a short abbreviation for data centres (e.g. gbs1 for gbcom-south-1, eun-1 for eucom-north-1) as it’s helpful to use the same abbreviations on your networking equipment
23.
4. NETWORK TEAM SETS UP & TESTS THE IPSEC END POINT
• Your network team will almost certainly have set up IPSec VPNs on the same hardware before
– They will have standard configuration steps
– They should have test methods, or at least a standard testing approach when both ends are ready
I recommend setting up the Oracle VPNaaS gateways first since:
a) it’s easy ☺
b) it gives your network team something to test against
25.
DEMO
Diagram (demo topology) labels: Simon’s House; Firewall VPN 1; Windows Terminal Server; Firewall VPN 2; Laptop PC; ICC wifi; Firewall; Birmingham, Slough, Dorset; VPNaaS; Cloud VM 2
Note: This shouldn’t be needed but VPN-VPN needs some config changes…
27.
RECOMMENDATIONS
• If starting completely new now:
– Use IP Networks
– Use VPNaaS (probably)
• If you have an existing Shared Network
– Use CSG
• Don’t bother with on-prem CSGs – use a hardware device
• Make friends with your network team
• Forget any other ideas about using Corente except for cloud-to-DC VPNs
• Think about naming conventions for now & future plans
• IGNORE ANY DOCUMENTATION > ~6 MONTHS OLD ☺
28.
Where? Hall 4 Tech17 Community drinks
When? Monday 18:45 – 19:45