OCI Partner FastConnect deployment with Terraform

November 23, 2022 | 8 minute read
Radu Nistor
Principal Cloud Solution Architect

OCI FastConnect

Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. OCI provides two main types of FastConnect links – Partner and Direct – each with its own workflow for deployment. As the deployment is quite different between the two types, we will only focus on FastConnect Partner for this blog entry.

When setting up private connectivity between two entities, there is a lot to do: physical connections, protocol agreement, and so on. It’s a hassle that can take months. FastConnect Partner is a service that will get part of your private connection to OCI up and running in minutes. Most of the work has already been done; you just need to specify a few parameters and the connection between Oracle and the Partner you chose gets established. At a very high level, you need:

  • The OCI region where you want to connect and the compartment of the tenancy
  • To choose a Partner from OCI’s partner list
  • To specify a few BGP parameters (Peer IPs, your ASN)
  • Link details – bandwidth, MTU
  • A Dynamic Routing Gateway

Note: the full list of Partners can be found here: FastConnect Providers

The workflow to deploy an OCI Partner FastConnect is as follows:

  1. You go into the OCI Portal and deploy the FastConnect with the details above. Once you have deployed it, you will receive an OCID – a long string which identifies your connection.
  2. You provide the OCID to the Partner. Most Partners, if not all, have their own portals where you need to input the OCID provided at step 1. After you have provided the OCID, automation will kick in which will create the logical link between Oracle and the Partner.
  3. You connect your own data center to the Partner.

As this blog’s focus is Terraform, we will look into coding step 1 and also do a quick demo on one of OCI’s Partners.

 

Terraform

It is expected that you already know how Terraform works and what tools you need to be able to use Terraform with any Provider. Before deploying any code, you need to enable your OCI user to call the APIs by following this tutorial: Setup Terraform for OCI.

In the end, you should have:
- All the necessary configuration done inside OCI’s IAM user management
- A provider declaration in your Terraform code, similar to the one below:

[Image: provider declaration]

Once you have that covered, let’s look at what the Virtual Circuit resource (which is the actual resource of the FastConnect service) looks like. You can get the info from here: Terraform Virtual Circuit.

Here is what it looks like:

[Image: Virtual Circuit resource definition]

As you can see, there are a lot of options for the resource. In our case, for FastConnect Partner, the most important one is “provider_service_id” because that’s the one telling the API which Partner you chose. The rest of the options are under your control but the Provider ID is a little harder to get.

You can get the “Provider Service ID” in two ways:


a) By calling the OCI REST API in the manner explained here: API FastConnect Provider.
    This has to be an authenticated request so you need to work a little to set up your OCI API calls.
b) By using OCI’s CLI in the manner explained here: OCI CLI FastConnect Provider.
    This also needs to be an authenticated request but I find OCI CLI much easier to set up. If you are having issues, follow our documentation from here: OCI CLI setup.


Regardless of which method you use, you will get a list of all Provider IDs in a certain region (based on your CLI definition).

 

Demo

For the Demo, I will create a Virtual Circuit in OCI’s Frankfurt region. The Partner will be Megaport (but the principle applies to any partner).

Step 1 - Let’s get Megaport’s ID

I have set up OCI CLI on a Linux Virtual Machine, as described in the documentation. I also hardcoded the region Frankfurt in my profile. The command we need to run is:

oci network fast-connect-provider-service list --compartment-id ocid1.compartment.oc1..aaaaaaaalk7vovaqsqaskshz33zpodwsdsx73hyfwmp6vataslwgq4fkajia

The compartment can be root or the actual compartment of the tenancy in which you will deploy the Virtual Circuit. The output of that command will give you details on all partners in that region. I went through the list and found Megaport:

[Image: Megaport entry in the CLI output]

As you can see, the output also gives us the ID which we will use in the Terraform code:

"id": "ocid1.providerservice.oc1.eu-frankfurt-1.aaaaaaaa5baql7rbxno6f7mb3pqhtihfzl6impvhi6ynacds3uvsaz5unhca"

Step 2 – Setting up the code

I wrote some simple code to deploy the Virtual Circuit. Note that some parameters I input directly and some are declared as variables.

[Image: Terraform code for the Virtual Circuit]

Let’s run through the code:

  • I provide the compartment for the Virtual Circuit
  • The connection type will be PRIVATE. OCI supports both Private and Public Peerings but we will use private for this demo
  • I want the allocated bandwidth to be 1 Gbps
  • I provide BGP details (Peer IPs and the client ASN; Oracle’s side will always be 31898 for the Commercial Cloud)
  • I give it a name
  • I provide the provider service ID which we worked hard to get
  • I provide the DRG’s OCID
  • I also request the resulting OCID of the Virtual Circuit because I need that on the Partner’s Website
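
A configuration matching the walkthrough above, written here as an added example rather than the author's original code. It goes one step further and looks up the provider service ID with the oci_core_fast_connect_provider_services data source instead of the CLI; the variable names, display name, BGP peer IPs and the provider_name value "Megaport" are assumptions.

```hcl
# Added example, not the author's code. Variable names are assumptions.
variable "compartment_ocid" { type = string }
variable "drg_ocid" { type = string }
variable "customer_asn" { type = string }

# List the FastConnect provider services offered in the provider's region.
data "oci_core_fast_connect_provider_services" "all" {
  compartment_id = var.compartment_ocid
}

locals {
  # Assumption: the partner is listed with provider_name "Megaport".
  megaport_ids = [
    for s in data.oci_core_fast_connect_provider_services.all.fast_connect_provider_services :
    s.id if s.provider_name == "Megaport"
  ]
}

resource "oci_core_virtual_circuit" "partner_fc" {
  compartment_id       = var.compartment_ocid
  type                 = "PRIVATE"
  bandwidth_shape_name = "1 Gbps"
  display_name         = "fc-partner-demo" # constructed name
  customer_asn         = var.customer_asn
  gateway_id           = var.drg_ocid

  # one() (Terraform 0.15+) fails the plan if the filter matches more than
  # one service, instead of silently picking the wrong partner.
  provider_service_id = one(local.megaport_ids)

  cross_connect_mappings {
    customer_bgp_peering_ip = "10.0.0.2/30" # constructed /30 pair
    oracle_bgp_peering_ip   = "10.0.0.1/30"
  }

  # The Partner link is tied to this OCID, so refuse any plan that would
  # destroy or replace the circuit.
  lifecycle {
    prevent_destroy = true
  }
}

# The OCID to paste into the Partner's portal.
output "virtual_circuit_ocid" {
  value = oci_core_virtual_circuit.partner_fc.id
}
```

prevent_destroy only blocks a destroy or replacement planned by Terraform. It does not stop a deletion made in the Console, which is the case tested at the end of this post.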

Step 3 – Let’s apply the code

[Image: terraform apply output]

[Image: terraform apply output, continued]

As you can see, it only took 10s and the VC was created. We need the OCID from the output to input in the Partner’s website.

Let’s see how it looks in the portal:

[Image: Virtual Circuit in the OCI portal]

The Virtual Circuit is waiting for you to take the OCID (either from the Console or from the Terraform output) and input it in the Partner’s portal so the automation can kick in. Remember the steps discussed at the beginning: it’s the Partner side that will start the automation. The Partner part will vary but most Partners will have a page where you input the OCID. For Megaport, it looks like this:

[Image: Megaport portal page]

I added the OCID there and some more info relevant to the location and applied the configuration. After only a few minutes, without any intervention from me, the status of the FastConnect in the OCI Portal changed from “Pending Partner” to “Provisioning”.

[Image: FastConnect status in the OCI portal]

Again, after another couple of minutes, the status changed to Provisioned (the final state) and BGP came UP:

[Image: FastConnect in the Provisioned state]

Note: In order for BGP to come up I had to use a Megaport service (MCR) so I can have a virtual router in their network that “talks” BGP. In most cases, the BGP state will be “down” until you finish your connection to the Provider.

And that’s it, we created a FastConnect Virtual Circuit with an OCI Partner using Terraform.

 

One last thing to consider

While that worked great, we need to talk about some limitations. Let’s consider this:

  1. Everything you deploy on the Oracle Cloud gets an OCID (Oracle Cloud ID). This OCID is random, unique across the whole cloud (for all clients) and it cannot be recovered if lost. That means that if you delete a resource and you deploy it again it will get a new OCID every time.
  2. The Partner link to OCI is tied to the Virtual Circuit OCID.

Combining the two points above gives us something to think about. If you delete the Virtual Circuit by mistake and you redeploy, the link will NOT come UP. You will need to go to the Partner Page and create a new connection based on the new OCID so automation can kick in.

Let’s test the above.

Step 1 – I will delete the VC from the portal directly.

[Image: deleting the Virtual Circuit in the OCI portal]

Step 2 – run the Terraform code again

As Terraform has the circuit in its state file, it will want to deploy it again.

We can immediately see the impact:

[Image: Terraform plan showing the change]

[Image: new FastConnect status in the OCI portal]

After the Apply we can see that the FastConnect workflow was restarted so we need to go back to the Partner’s Portal and redo the connection based on the new OCID.
