If you're a typical Oracle Cloud Infrastructure customer, you may have resources in your virtual cloud network (VCN) that need to access the Oracle Cloud Infrastructure Object Storage service, which has publicly addressable endpoints. Until now, you could reach the service only from public subnets or through a NAT instance, in both cases by way of an internet gateway in your VCN. You might not have wanted to use these options because of privacy, security, or operational concerns.
We are happy to announce the availability of the service gateway, which alleviates the preceding concerns by enabling the following functions:
You might have a private instance in your VCN that accesses the Object Storage bucket through a NAT instance and internet gateway. This section walks through that scenario and an example in which you enable the same private instance to access the same bucket privately and securely through a service gateway.
First consider a typical scenario in which private instances in the VCN access the Object Storage bucket through a NAT instance and internet gateway, as shown in the preceding figure.
Now create a service gateway in the VCN and enable private connectivity between the private subnet and the Object Storage endpoint.
Note: With the launch of the service gateway, we have introduced Service CIDR labels, which can be used in place of a CIDR block in route rules and security rules. A label maps to all public IP addresses of the service in the region, so you don't have to know the specific CIDR blocks for the service's public endpoints, which could change over time. As you can see from the image above, you can now choose Service Gateway as the Target Type and provide the label of the OCI Object Storage service.
Voila! You have now successfully introduced a service gateway to your VCN to establish private connectivity between the private instance and an Object Storage endpoint.
Note: If your private instances need internet access for software updates or other functions, you may still use the internet gateway and NAT instance in the VCN. In this case, the private subnet's route table needs one route rule that sends the Object Storage CIDR blocks through the service gateway and an additional default route rule that directs all other traffic through the NAT instance, as shown below:
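As an added example (not part of the original post), here is how the two route rules described above look in Terraform with the OCI provider; the compartment, VCN and NAT-instance private-IP OCIDs are placeholders you must supply, and the region's Object Storage service is looked up by name rather than hard-coded.

```hcl
# Added example, not from the original post. Resource and data source names
# are the OCI Terraform provider's; variable values are placeholders.
variable "compartment_ocid" {}             # placeholder
variable "vcn_ocid" {}                     # placeholder
variable "nat_instance_private_ip_ocid" {} # OCID of the NAT instance's private IP (placeholder)

# Look up the Object Storage service for the current region. Its cidr_block
# attribute is the Service CIDR label (e.g. "oci-<region>-objectstorage"),
# so no literal IP ranges are hard-coded in the route rules below.
data "oci_core_services" "object_storage" {
  filter {
    name   = "name"
    values = ["OCI .* Object Storage"]
    regex  = true
  }
}

resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_ocid
  vcn_id         = var.vcn_ocid
  display_name   = "objstore-sgw"

  services {
    service_id = data.oci_core_services.object_storage.services[0].id
  }
}

# Route table for the private subnet: Object Storage via the service gateway,
# everything else (e.g. OS updates) via the NAT instance. The service-label
# rule is more specific than the default route and takes precedence.
resource "oci_core_route_table" "private_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = var.vcn_ocid
  display_name   = "private-rt"

  route_rules {
    destination       = data.oci_core_services.object_storage.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }

  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = var.nat_instance_private_ip_ocid
  }
}
```

The same `cidr_block` label can be used as the destination of an egress security rule with `destination_type = "SERVICE_CIDR_BLOCK"`, so the private subnet's egress to Object Storage can be permitted without tracking the service's IP ranges.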
Let's take a minute to look at other features of the service gateway:
We recommend that you use the service gateway for all your Object Storage access needs. You can find more information about the service gateway in the Networking documentation.
Thank you for reading this post. Your feedback and recommendations for the post are most welcome.
Vijay Arumugam Kannan
Principal Product Manager
Oracle Cloud Infrastructure, Networking