Many Oracle Integration Cloud (OIC) customers run their applications in a hybrid environment, where some are deployed in Oracle Cloud such as Fusion Applications (or any other Oracle managed services) and some in their on-premise data center. In such scenarios, it is essential to integrate cloud applications with on-premise applications. This also requires fast, secure and reliable connectivity between Oracle cloud and on-premise data centers.
Although on-premise applications could call Oracle managed cloud applications over the public internet, on-premise applications are generally behind a firewall and cannot be invoked through the public internet.
This post provides architectural overview of two options to connect your on-premise applications with OIC.
The solution is to implement FastConnect between Oracle Cloud data center and on-premise. FastConnect is a way to create a private connection between customer on-premise and Oracle Cloud networks.
FastConnect supports bandwidths from 1Gbps to 10Gbps. There are three FastConnect options to choose from: Oracle Provider, Third-Party Provider, and Colocation. For more information on configuring FastConnect, refer to this.
The benefits of FastConnect include:
An alternative option to FastConnect is Virtual Private Network (VPN). VPN could also be a back-up configuration if FastConnect is down. It supports multiple scenarios such as private access to your VCN and both private and public access to your VCN. For more information on VPN, refer to this.
Note: Remember that VPN Connect can use either Border Gateway Protocol (BGP) or static routing, or a combination. FastConnect always uses BGP for route advertisements.
With OIC, the Connectivity Agent is mandatory to invoke on-premise applications irrespective of inter-connectivity such as FastConnect, VPN or public internet. For more information on Connectivity Agent, refer to this.
There are two options to connect on-premise applications with OIC using FastConnect or VPN.
1. FastConnect with Public Peering
In this scenario, on-premise applications can invoke (ingress) OIC through FastConnect public peering. But for OIC to invoke (egress) on-premise applications, the Connectivity Agent must be deployed in on-premise data center.
The following diagram illustrates the architectural overview and traffic flow with connectivity agent deployed on-premise:
2. FastConnect Private Peering and VPN
This configuration allows to deploy Connectivity Agent in Oracle Cloud/Virtual Cloud Network (VCN) or on-premise network. Both FastConnect and VPN provides private access to your VCN where Connectivity agent is deployed. Both types of connections terminate on a single DRG attached to the VCN. FastConnect always uses Border Gateway Protocol (BGP) for route advertisements while VPN can use either BGP or static routing.
The following diagram illustrates the high-level overview and traffic flow with connectivity agent deployed in Oracle Cloud customer VCN:
In order to setup on-premise network with private access to OIC (or any Oracle services), you must setup Service Gateway that supports transit routing in your VCN. In this scenario, DRG advertises more routes. For a list of those ranges, refer Public IP Addresses for VCNs and the Oracle Services Network.
Transit routing refers to a network setup in which your on-premises network uses a connected virtual cloud network (VCN) to reach Oracle resources or services beyond VCN such as OIC. You configure the VCN routing so that traffic transits through the VCN to its destination beyond the VCN such as OIC.
There are two routing options for private access to Oracle Services such as OIC:
The above diagram shows two route tables, each associated with a different resource:
The route table belongs to the VCN and is associated with the DRG attachment. Why the attachment and not the DRG itself? Because the DRG is a standalone resource that you can attach to any VCN in the same region and tenancy as the DRG. The attachment itself identifies which VCN.
The route table routes the inbound traffic that is from the on-premises network and destined for a supported Oracle service. You configure the rule to send that traffic to the service gateway.
In this scenario, you set up an instance in the VCN to filter or inspect the traffic between the on-premises network and Oracle Services Network, and route traffic through a private IP on the instance.
The instance has two VNICs, each with a private IP. One of the VNICs is in a subnet that faces the on-premises network (referred to here as the frontend subnet). The other VNIC is in a subnet that faces the Oracle Services Network (referred to here as the backend subnet). The frontend VNIC has private IP 10.0.4.3, and the backend VNIC has private IP 10.0.8.3.
The diagram shows four route tables, each associated with a different resource:
For information on Transit Routing, refer this.
This post shows multiple options of connecting on-premise applications and OIC in Oracle Cloud data center either with FastConnect or VPN. In addition, it also provides details on where to deploy Connectivity Agent either on-premise or Oracle Cloud customer VCN.