The new enhanced DRG supports multiple VCN attachments within the same region: you can attach multiple VCNs to a single DRG, and each VCN can be in the same tenancy as the DRG or in a different one. VCN-to-VCN traffic inside the same region can now pass through a mutually connected DRG. This way, traffic between your VCNs stays entirely on the Oracle backbone, and you do not need a VPN to connect two tenancies.

This article provides the details needed to do the configuration.

Prerequisites:

  • Tenancy Requestor owns and shares the DRG.
  • Tenancy Acceptor owns the VCN to attach to the Requestor DRG.
  • Users need group permission to manage the VCN and the DRG.
  • The policy must be in the root compartment.
  • The VCN must be in the same region.

IAM configuration

The documentation provides the IAM policy details.

https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm

The policy itself must live in root

The endorse policy must live in root. The scope of the statement is external to any child compartment in your tenancy, and the request doesn’t logically link to any child compartment.
The admit policy could belong to another compartment; we technically had a choice. It theoretically makes sense to admit access to a child compartment. However, that is also a risky operation, and many customers don’t want the owner of a child or test compartment to be able to grant access to external tenancies. Keeping the policies in root was an intentional security choice to ensure that only tenancy admins can expose a tenancy to external principals.

You need to keep track of the following information.

Replace OCID examples with your current OCID.

As per the documentation, the core service drgs aggregate resource type contains drg-object, drg-route-table, drg-route-distribution, drg-attachment.
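
Because an admit statement exposes the tenancy to external principals, it is worth checking that each one grants only the DRG resource types listed above. The following is an added example, not code from this article or from Oracle: the policy statements are constructed, the group and tenancy names are hypothetical, and the parser assumes only the simple `admit group ... of tenancy ... to <verb> <resource> in <scope>` form.

```python
import re

# Resource types the page lists under the "drgs" aggregate, plus the aggregate itself.
DRG_RESOURCES = {"drgs", "drg-object", "drg-route-table",
                 "drg-route-distribution", "drg-attachment"}

# Covers only the simple form (assumption):
#   admit group <group> of tenancy <tenancy> to <verb> <resource> in <scope>
ADMIT_RE = re.compile(
    r"^\s*admit\s+group\s+(?P<group>\S+)\s+of\s+tenancy\s+(?P<tenancy>\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>.+?)\s*$",
    re.IGNORECASE,
)

def audit_admits(statements):
    """Return one finding per admit statement; ok=True only for DRG resource types."""
    findings = []
    for stmt in statements:
        m = ADMIT_RE.match(stmt)
        if m:
            resource = m["resource"].lower()
            findings.append({"statement": stmt, "group": m["group"],
                             "tenancy": m["tenancy"], "verb": m["verb"].lower(),
                             "resource": resource, "scope": m["scope"],
                             "ok": resource in DRG_RESOURCES})
        elif stmt.strip().lower().startswith("admit"):
            # An admit we cannot parse still exposes the tenancy: send it to manual review.
            findings.append({"statement": stmt, "group": None, "tenancy": None,
                             "verb": None, "resource": None, "scope": None,
                             "ok": False})
    return findings

# Constructed sample statements (hypothetical names, placeholder OCIDs).
SAMPLE_POLICY = [
    "Define tenancy partnerTenancy as ocid1.tenancy.oc1..<placeholder>",
    "Define group netAdmins as ocid1.group.oc1..<placeholder>",
    "Admit group netAdmins of tenancy partnerTenancy to manage drg-attachment in tenancy",
    "Admit group netAdmins of tenancy partnerTenancy to manage all-resources in tenancy",
    "Admit group netAdmins of tenancy partnerTenancy to manage virtual-network-family in compartment test",
]

if __name__ == "__main__":
    for f in audit_admits(SAMPLE_POLICY):
        print("OK    " if f["ok"] else "REVIEW", f["statement"])
```

Statements marked REVIEW grant an external tenancy more than the DRG peering needs, or could not be parsed and need a manual look.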

Create attachment

From the Acceptor tenancy, in the VCN configuration, choose DRG attachment to another tenancy and indicate the Requestor DRG OCID.

Once this is done, the VCN is attached and you can manage the routes that connect both tenancies through the VCN.

Documentation

How to manage DRG

https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm#

Peering VCNs in the same region using DRG

https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/scenario_d.htm

API references

https://docs.oracle.com/en-us/iaas/api/#/en/iaas/20160918/DrgAttachment/

IAM policies related to DRG peering

https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/drg-iam.htm#scenario_m

Tips OCI DRGv2 and Route Conflict

https://www.ateam-oracle.com/oci-drgv2-and-route-conflict

General basic routing scenarios using DRG

https://www.ateam-oracle.com/basic-routing-scenarios-for-the-enhanced-drg