Oracle has partnered with Alkira to greatly simplify multicloud network deployment, providing connectivity and securing your Oracle Cloud Infrastructure (OCI) workloads. This blog covers the overview of integration between OCI and the Alkira Cloud Service Exchange (CSX), which allows enterprises to onboard virtual cloud networks (VCNs) and connect their workloads and applications with simplicity, scalability, and uniform security offered by CSX.
Solution overview
Alkira Cloud Services Exchange is the industry’s first cloud networking as-a-service (CNaaS) solution. The Alkira CSX consists of a highly available and resilient network of globally interconnected Alkira Cloud Exchange Points (CXPs), virtual multicloud points of presence with a full routing stack and network services capabilities, and an Alkira CSX portal.
The integration automates the process of adding OCI VCNs as cloud connectors on Alkira CXPs and connects the VCNs to an enterprise’s on-premises and multicloud networks. It enables VCNs to use the Alkira CXPs for automated routing of east-west traffic between VCNs, north-south traffic from VCN to on-premises, and internet-bound traffic from the workloads.
The Alkira solution has the following capabilities:
-
Set NAT policies to overcome duplicate IP address ranges between the VCNs connected to the Alkira platform
-
Set routing policies to control the distribution of routing information for brownfield integration
-
Apply end-to-end segmentation to segregate OCI workloads and reduce the security attack surface
-
Add service chaining to inspect traffic with firewalls deployed within the Alkira CXP
Integration architecture
The main component in bringing data plane connectivity from OCI to Alkira involves connecting Alkira CXPs to a dynamic routing gateway (DRG) in OCI. Alkira CXPs are virtual multicloud points of presence distributed across the globe leveraging the hyperscale public cloud infrastructure. A DRG is a virtual router in OCI with a regional scope that can attach local VCNs, IPSec VPN tunnels, and virtual circuits.
Alkira uses the DRG within a customer’s OCI account for connectivity between a regional CXP and Oracle VCNs as shown in the following architecture diagram. The DRG is used to attach local VCNs and establish, at a minimum, dual IPSec VPN tunnels to the CXP. You can also use it to create multiple routing tables aligning to each attachment, so that you can change traffic flows according to your requirements.
This architecture results in the following outcomes:
-
Alkira CXP exchanges routes with the DRG using border gateway protocol (BGP) and learn the VCN routes. Similarly, the DRG learns the on-premises networks and other cloud networks from the CXP.
-
The local VCN uses the DRG attachment to reach the networks advertised by Alkira CXP.
-
The DRG uses multiple routing tables, including one for the VPN attachments from the CXP and others for the VCNs as needed. Route imports then mutually and selectively redistribute routes between the route tables.
Figure 1: Integration architecture
The second component of the integration involves using the OCI APIs to automate the provisioning of the DRG, attachments, and route import distributions. After the administrator securely provides the API credential within the Alkira CSX portal, it takes a couple clicks to onboard the VCN. Alkira uses the credential to accomplish all the necessary infrastructure configuration steps behind the scenes. Simultaneously, Alkira’s control plane seamlessly applies the global policies pertaining to the VCNs and dynamically propagate routing controls as needed.
Deployment use case
Alkira CNaaS solution simplifies the tasks of delivering networking and security to the VCNs deployed within the OCI environment connecting them to workloads running in other cloud providers and on-premises environments. Organizations can create many use cases using the Alkira solution as covered in the integration overview. To understand the product better, in this use case, we deploy VCNs in two different OCI regions and route the traffic accordingly.
Prerequisites
-
An Oracle Cloud account. If you don’t have an account, you can sign up for an Oracle Cloud Free Tier account.
-
Required permission to manage virtual-network-family
-
An Alkira CSX platform account
Topology
Figure 2: Network topology
Configuration
This section gives you an overview of requirements to deploy.
Add the required parameters to add an existing OCI credential in Alkira CSX platform to onboard OCI.
Figure 3: Adding OCI credentials in the Alkira portal
For each Alkira CXP, add the VCNs in the corresponding region as “OCI Connector.”
Figure 4: Add OCI Connector
Select the credentials to use and matching OCI region.
Figure 5: Choose OCI region
Choose the VCNs to onboard to Alkira.
Figure 6: Select VCNs to onboard
Configure subnets and routing preferences
The last step is to configure the networking parameters, such as the subnets to onboard and which route tables to program with the API. Provision the changes and that’s it!
Figure 7: Configure networking parameters
Validation
After the provisioning of Alkira CSX is complete, you can validate that your VCNs have been properly integrated by verifying the DRG created by Alkira and the reciprocal VCN route tables.
In the following screenshot, you can see a DRG created with VPN tunnel attachments and the integrated VCNs as attachments. The VCN attachments aren’t shown because of their placement in another compartment.
Figure 8: Validate DRG attachments
Similarly, if you validate the route tables used by the subnets in the integrated VCNs, you can see the corresponding routes with the DRG configured as their next hop. During the onboarding process, you can choose options other than the default route shown in the screenshot.
Figure 9: Validate VCN route table
Conclusion
This post highlights the integration of OCI into the Alkira cloud network as-a-service platform and explains the architecture allowing multicloud connectivity to VCNs through Alkira. Want to learn more about the Alkira cloud network as-a-service solution for the Oracle Cloud Infrastructure? Check out Alkira and Oracle Cloud Marketplace today!