Migration of workloads to the cloud comes with its set of challenges. At Oracle Cloud Infrastructure (OCI), we view these transitions from the lens of our customers, keep their interests and goals in mind, and take these challenges as opportunities to build a seamless migration experience.
To simplify our your migration to OCI, we launched the Bring Your Own IP (BYOIP) capability in 2020, enabling you to reuse your own public IPs on OCI. This feature enables you to preserve the IP reputations tied to those IP addresses. Your customers and partners can also continue using the existing security policies after your services are migrated to OCI.
We’re now taking a step further in this direction by introducing the Bring Your Own Autonomous System Numbers (BYOASN) feature. With BYOASN support on OCI, you can now bring your own ASNs to OCI and use them for your BYOIP prefixes. This enhancement enables you to preserve your ASN and the reputation associated with it when migrating to Oracle cloud.
BYOASN is currently supported for ARIN, RIPE and APNIC Regional Internet Registries (RIR) and is available across all OCI commercial regions.
Why Do We Need BYOASN?
Preserving Network Reputation
The growing need for the BYOASN capability stems from the increasing emphasis on network reputation and Internet security. The reputation score of an ASN is a measure of the trustworthiness of the IP networks in the ASN. More organizations, such as internet services providers (ISPs), content delivery network (CDN) providers, and cyber security practitioners, are now examining not only the IP reputation but also ASN reputation. Keeping track of the ASN reputation scores of networks on the internet allows them to focus their security efforts on network entities with lower scores. For example, they can take appropriate action to block IP routes or monitor IP traffic associated with low-reputation ASNs.
Consequently, organizations who offer services over the internet are highly motivated to maintain and enhance their network reputations because strong IP and ASN reputations are essential to prevent their networks or traffic from being blocked by ISPs, CDN providers, or cyber security vendors. However, when migrating services to a new environment, they face the challenge of retaining these reputations to avoid reputation-related service disruptions. Because network reputations are tied directly to IP addresses and ASNs, an effective solution is to bring their existing IP addresses and ASNs to the new environment. This process is the root of the need for BYOIP and BYOASN on OCI.
BYOASN complements BYOIP for managing network reputations. BYOIP enables organizations to maintain their IP reputations by bringing their own public IP addresses to OCI, while BYOASN allows them to retain their ASN reputations by reusing their own ASNs on OCI. Together, these two capabilities provide a broader scope for preserving an organization’s existing network reputation.
Seamless Migration
By working in tandem with BYOIP, BYOASN offers an enhanced IP address management (IPAM) solution that facilitates seamless migration to OCI. Customers can continue using their own public IP CIDR blocks with their own ASN on OCI without concerns about more validations related to ASN association or ASN reputation checks. Retaining the same public IP CIDRs and ASNs during migration eliminates the need to update security rules or routing policies, simplifying the process and preventing downtime. This approach makes migration more seamless and efficient.
Enabling Greater Routing Control
With BYOIP, the BYOASN feature gives you the option to prepend your own ASNs to the AS-PATH in the BYOIP route advertisements by OCI. Adding more ASNs (prepending) to the AS-PATH can make the route less preferred compared to those with shorter AS-PATH for the same IP prefix if AS-PATH becomes the tiebreaker in the border gateway protocol (BGP) best path selection process. This AS-PATH prepend capability of the OCI BYOASN feature gives you greater control over how traffic can be routed to your network, enabling them to build more resilient cloud or hybrid-cloud data center designs, such as building a disaster recovery site on OCI for their on-premises datacenter. A demonstration of how to use the AS-PATH prepend capability to setup a disaster recovery site is provided in the case study section of this blog post.
OCI BYOASN Key Capabilities
The BYOASN feature on OCI has the following key capabilities:
- No limit on the number of ASNs: We don’t have any limit on the number of ASNs you can import into OCI.
- Import same ASN across multiple regions: You can opt to import the same ASN across multiple regions if you intend to deploy workloads in a multi-region setup.
- Prepend ASN to influence route preference: You can prepend the ASN up to 20 times to influence the route preference, which can be used when setting up an active-standby or disaster recovery site.
- Support for both 2-byte and 4-byte ASN: We support both 2-byte and 4-byte ASN. This flexibility ensures compatibility with a wide range of network configurations. Whether you’re using a legacy system or a modern setup, we have you covered.
- Support for both API and Terraform: In addition to support on the Console UI and CLI, we also provide compatibility with both APIs and Terraform. Whether you’re integrating with APIs or managing infrastructure using Terraform, BYOASN supports your operational tool of choice.
Process Overview: Bringing it all together
Similar with the BYOIP import process, you initiate the import of BYOASN from under IP Management on the Oracle Cloud Console. Oracle then issues a verification token for the ASN. Update your regional internet registry (RIR) with the verification token. When the token is successfully verified, thanks to the built-in automation, you can proceed to complete the import of your ASN. When the ASN has been imported into OCI, you can associate the ASN with your BYOIP prefixes (IPv4 and IPv6) and advertise them from OCI.
The following figure illustrates the complete workflow, showcasing how BYOASN and BYOIP work together to have the BYOIP prefixes advertised with the imported BYOASNs.
UI Walkthrough
You can launch the ASN import workflow from the BYOASN tab available under IP Management on the Oracle Cloud Console and import the 2-byte or 4-byte ASN. You can then copy the validation token for updating it in your account in RIR. When the RIR update is done, return to the Console and select Finish import to complete the import process. Upon successful validation, the ASN shows as Active and is now available for use. You can now go to the BYOIP tab and update the origin ASN for your BYOIP prefixes from Oracle ASN (default) to your own ASN. You can also optionally prepend the imported ASN up to 20 times in the AS-PATH while associating with a prefix to influence the routing preference. The figure below provides a walk through on the OCI console.
BYOASN in Action: How it Works for Customers
Let’s say Cyber Defense is a renowned company that offers security solutions for every layer of the application stack. With a loyal customer base that includes Fortune 500 companies, it has built a reputation for excellence.
The engineering teams at Cyber Defense work around the clock, strengthening security defenses with fixes for every new vulnerability reported by their partners. However, the volume of threats has grown over the years placing a significant strain on the company’s existing infrastructure. This has caused outages on their on-premises data center, occasionally even becoming inoperable. The CTO has tasked the team to explore setting up a backup site on public cloud to help mitigate these events from occurring in the future.
The network infrastructure team is confronted with the challenging task of setting up a backup site on the cloud, ensuring this would not cause any downtime or require major configuration changes to their vendor networks whenever failover occurs. At the same time, they must ensure that the company’s longstanding reputation for network reliability and performance, built over many years of operation remains intact.
During their search, OCI stands out as the one of the few who offer both BYOIP and BYOASN capabilities that could fulfil this requirement.To meet this need, Cyber Defense plans to host its services on a redundant pair of sites – current on-premise data center as the primary site, and the OCI London (LHR) region as a backup. Both sites use the same public-facing BYOIP prefixes and advertise them out to the Internet with the same ASN. However, to drive preference for the primary site when available, OCI BYOASN allows them to advertise routes to the backup LHR region with a longer AS-PATH through multiple ASN prepending option.
For example, they bring up the primary on-premises data center and advertise the BYOIP prefix 143.100.1.0/24 with the BYOASN 200 in the AS-Path [200] while their backup site in London(LHR) advertises the same 143.100.1.0/24 prefix with a longer AS-Path [OCN ASN, 200, 200, 200, 200]. The route advertised by the backup site is less preferable because of its longer AS-Path. When the primary site suffers an outage, it will withdraw its route advertisement for 143.100.1.0/24, and the route from the backup site becomes the new best route. This action triggers the internet traffic to fail over to the backup site.
Conclusion
We at OCI are committed to making your journey to transition to Oracle Cloud Infrastructure a seamless experience. To learn more about the BYOASN, BYOIP, and the overall cloud migration process, see the following resources: