Today, we’re announcing the general availability of Oracle Cloud Infrastructure (OCI) Site-to-Site VPN over FastConnect private peering in all commercial regions.
Previously, we announced MACsec support for FastConnect Direct 10G and 100G connections. Now, we’re expanding the encryption options available to customers to secure your FastConnect traffic by providing the ability to establish IPsec VPN tunnels to the OCI Site-to-Site VPN managed service over any FastConnect Partner or FastConnect Direct private peering virtual circuit.
Site-to-site IPsec VPNs are frequently used to secure and protect traffic between on-premises environments and OCI. The OCI Site-to-Site VPN service provides a highly resilient and redundant IPsec VPN managed service, enabling you to encrypt your private traffic before sending it to OCI.
Traditionally, the encrypted IPsec traffic is routed over the internet between the customer premises equipment (CPE) and the OCI Site-to-Site VPN public IP endpoint. OCI is now expanding this functionality by allowing the Site-to-Site VPN endpoint to be any customer-defined, nonoverlapping IP address reachable by a FastConnect private peering virtual circuit. This VPN endpoint is reachable through the dynamic routing gateway (DRG), where your virtual circuit is attached, allowing you to use existing, enhanced DRG functionality to have full control over your routing policy for east-west traffic flows. For more information on the available functionality of an enhanced DRG, refer to the announcement blog.
The added functionality of Site-to-Site VPN over FastConnect offers the following features and benefits:
Figure 1. Send unencrypted and encrypted traffic over the same FastConnect private peering virtual circuit.
Send unencrypted and IPsec encrypted traffic over the same FastConnect private peering virtual circuit. Use DRG route tables with route advertisements from your on-premises environment to control whether traffic is sent directly over a virtual circuit unencrypted or route it to a VPN tunnel attachment for encryption before sending the traffic over the same virtual circuit. Figure 1 shows an example where nonproduction traffic is sent from OCI to an on-premises environment unencrypted, while production traffic is first encrypted with IPsec and only then sent by FastConnect from OCI to an on-premises environment.
With granular routing control on the DRG you can also guarantee that no traffic is ever sent unencrypted by forcing all traffic destined for on-premises to route through the VPN tunnel associated with your virtual circuit. You can manually configure your DRG route tables for isolation or enable a simple toggle on an individual virtual circuit to prevent sending of unencrypted traffic.
Figure 2. Use ECMP across multiple tunnels associated with the same FastConnect virtual circuit.
Configure multiple tunnels over the same FastConnect private peering virtual circuit. Enable equal-cost multipath (ECMP) to perform active-active, flow-based load balancing across multiple parallel VPN tunnels to achieve greater overall bandwidth for your encrypted traffic. OCI supports ECMP across up to eight redundant VPN tunnels. Depending on the provisioned bandwidth of the underlying virtual circuit, you can increase the number of VPN tunnels to scale your available bandwidth for encrypted traffic of a single virtual circuit, as shown in Figure 2. Alternatively, perform ECMP across VPN tunnels associated with redundant virtual circuits.
Figure 3. Achieve redundancy across multiple Site-to-Site IPsec VPN tunnels.
Whether you’ve already enabled redundancy between your on-premises environment and OCI with redundant FastConnect virtual circuits or are provisioning new redundant connections, you can achieve redundancy across the IPsec VPN tunnels enabled over these same virtual circuits. Configure your on-premises environment and OCI routing for active-active or active-passive redundancy across Site-to-Site VPN tunnels associated with redundant virtual circuits. Oracle recommends using route-based VPNs with border gateway protocol (BGP) for easier manageability and greater control over your routing policy. Use local preferences or similar BGP attributes to control which tunnel you use when sending traffic to OCI, and AS Path prepending to influence which tunnel OCI uses to send traffic in the return direction. For more details on how to influence route selection between OCI and on-premises environments, see Routing Details for Connections to Your On-Premises Network.
A DRG represents a virtual router in OCI that can attach to VCNs, remote peering connections (RPC), Site-to-Site IPsec VPN tunnels, and FastConnect virtual circuits. DRG route tables and route distributions define routing policies that route your traffic between attachments. You can dynamically import and export routes through these attachments. For example, VCN attachments export VCN subnet or VCN CIDRs, and VPN tunnel and virtual circuit attachments export routes advertised from on-premises.
With Site-to-Site VPN over FastConnect, we’re also introducing a new DRG attachment called a loopback attachment. In the context of Site-to-Site VPN over FastConnect, the loopback attachment logically represents the VPN endpoint for the Site-to-Site VPN service and is always paired with a specific VPN tunnel attachment. The loopback attachment is read-only and uses a unique DRG route table and import distribution, which the system fully manages. Based on customer intent configured during the Site-to-Site VPN over FastConnect provisioning process, the loopback attachment imports routes learned from the associated virtual circuit, representing on-premises BGP route advertisements, and allows for the advertising of the VPN endpoint IP to on-premises as a host route over the BGP session for the same virtual circuit.
Figure 4. DRG loopback attachment architecture for Site-to-Site VPN over FastConnect.
Figure 4 illustrates the traffic flow for both encrypted and unencrypted traffic over the same virtual circuit. The key concept to understand is that IPsec encrypted traffic is always routed to the loopback attachment when it arrives at the DRG through the virtual circuit attachment. Encrypted IPsec packets are forwarded through the loopback attachment to the Site-to-Site VPN service for decryption. When decrypted, traffic then loops back to the same DRG through the associated IPsec VPN tunnel attachment where another route lookup occurs based on the DRG route table associated with the VPN tunnel attachment before sending traffic to its destination—in this case, a resource in the VCN.
In the reverse direction, unencrypted traffic from a VCN attachment is routed to the VPN tunnel attachment for encryption, no different than with traditional Site-to-Site IPsec VPN over the internet. From there, traffic is encrypted by the Site-to-Site VPN service before being looped back to the same DRG through the associated loopback attachment where another route lookup occurs before routing the encrypted traffic to the appropriate virtual circuit attachment, and ultimately to on-premises. Alternatively, unencrypted traffic can be routed directly from the VCN attachment to the virtual circuit attachment to be sent over the FastConnect as it is, and vice versa.
Thank you for your interest in Site-to-Site VPN over FastConnect private peering. Site-to-Site VPN over FastConnect is available for all new and existing private peering virtual circuits. It has support for both FastConnect Partner and Direct with any virtual circuit bandwidth setting. For more details on this new feature and the new DRG loopback attachment, refer to FastConnect Security and Setting Up Site-to-Site VPN.
To learn more about any enhanced DRG capabilities, see the DRG documentation.
We encourage you to read more about this feature and provide any product feedback that you may have.