OK, I am doing a lab that consists of three cloud regions, which are
- OCI Tokyo and San Jose
- Azure San Jose
The Azure region simulates an on-premises data center; the main service runs in OCI Tokyo. For better connectivity, the Azure region establishes an IPSec VPN with the OCI San Jose region and reaches the main service in Tokyo through OCI remote peering.
There are two main parts in this lab: the IPSec VPN connection between Azure and OCI, and OCI remote peering. The most important part is the configuration of the DRG acting as a transit gateway in OCI San Jose. Only the main/key steps are recorded here.
Steps:
- Create Vnet/VCN and necessary network components
- Provision Virtual Network Gateway (this takes about 45 minutes)
- Create OCI CPE and VPN service
- Create Azure Local Network Gateway
- Establish VPN service between OCI and Azure San Jose region
- Establish Remote peering between OCI Tokyo and San Jose
- Configure DRG in OCI San Jose for transit connectivity
- Provision VMs and test network connectivity
Create Vnet/VCN and necessary network components
For OCI, provision the VCN using the VCN Wizard, which is easier and faster.
Next, provision a Dynamic Routing Gateway (DRG) and attach the VCN to it.
The Azure VNet in San Jose is shown below.
Provision Virtual Network Gateway
Note the public IP address of the VNG; it is needed to create the OCI CPE.
Create OCI CPE and VPN service
Create the CPE first; it represents the Azure VNG.
Provision the OCI VPN service and choose the CPE created above.
Some key steps for provisioning the VPN service.
Configure both Tunnel 1 and Tunnel 2 the same way as above.
Finished view; note the tunnel IP address, which is needed to create the Local Network Gateway (LNG) in Azure.
Create Azure Local Network Gateway
Finished view.
Establish VPN service between OCI and Azure San Jose region
We need to initiate the VPN connection from the Azure side by creating a Connection on the VNG.
Finished view. If everything is set up correctly, the status changes to Connected after a few minutes.
Go back and check the OCI VPN connection; it should now show Up.
Additional information for OCI VPN Tunnel-1
Establish Remote peering between OCI Tokyo and San Jose
Make sure the VCNs in Tokyo and San Jose are attached to their DRGs.
Finished view for the DRG in Tokyo.
Finished view for the DRG attachment in San Jose.
Create a remote peering connection from the DRG in Tokyo.
Finished view.
Repeat the previous step for San Jose; finished view.
Now note down the OCID of either remote peering connection (RPC); in my case I take the San Jose RPC OCID. Click toTokyo.
Now go back to the RPC in Tokyo and click toSanJose.
Establish RPC from Tokyo to San Jose.
Left is the RPC from Tokyo, right is the RPC from San Jose.
Finished view.
Back on the remote peering page, you should see that the status is Peered.
Configure DRG in OCI San Jose for transit connectivity
Now set up the DRG in San Jose for transit routing, which is a very important step. Without configuring it correctly, the VMs in Azure and OCI Tokyo will not be able to reach each other through OCI San Jose.
Since by default the IPSec VPN and RPC attachments use the same DRG route table, for simplicity I just modify that table. For a real deployment it is better to use separate route tables.
Go to DRG route tables, click on №2 to add routes.
Add routes for the IPSec VPN and the RPC as below.
Finished view.
Provision VMs and test network connectivity
Now the last part: verify connectivity from the Azure VM in San Jose to the OCI VM in Tokyo. Before doing that, we need to make sure routing and the FW are all set up.
For the Tokyo region, these are the FW and routing rules applied to the subnet where my VM is provisioned.
Route table for the VM in Azure.
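To make the transit design above concrete (the DRG route table in San Jose, plus the subnet routing and FW rules in Tokyo and Azure), here is an added Python model of the whole path, written for this post and not part of the lab or of any OCI/Azure tooling. All CIDRs, node names and security-list rules are constructed for the example, since the post does not publish its address plan. Each hop is a route table with longest-prefix-match lookup; a connectivity check passes only when the forward route, the return route and the destination ingress rule all succeed, and a second function removes the San Jose DRG routes to show the failure mode the post warns about.

```python
"""Route-table model of the lab's transit path (added illustration).

Azure San Jose VNet --IPSec--> OCI San Jose DRG --RPC--> OCI Tokyo DRG --> Tokyo VCN

Every CIDR, node name and rule below is constructed/hypothetical; the lab page
does not publish its address plan. Each node holds a route table and lookup is
longest-prefix-match, which is how Azure route tables and OCI DRG/VCN route
tables select a route.
"""
import ipaddress
from ipaddress import IPv4Network

# Constructed address plan (hypothetical).
AZURE_VNET = IPv4Network("10.1.0.0/16")      # Azure San Jose, simulated on-prem
OCI_SJ_VCN = IPv4Network("10.2.0.0/16")      # OCI San Jose, transit VCN
OCI_TOKYO_VCN = IPv4Network("10.3.0.0/16")   # OCI Tokyo, main service

# CIDR owned by each terminal network; a route to "local" means delivered.
NETWORKS = {"azure-vnet": AZURE_VNET, "oci-sj-vcn": OCI_SJ_VCN, "oci-tokyo-vcn": OCI_TOKYO_VCN}

# Route tables: node -> {prefix: next node}. Node names are constructed labels.
LAB_ROUTES = {
    # Azure subnet route table: both OCI CIDRs go to the VNG.
    "azure-vnet": {AZURE_VNET: "local", OCI_SJ_VCN: "azure-vng", OCI_TOKYO_VCN: "azure-vng"},
    # VNG forwards the LNG address space over IPSec; Tokyo's CIDR must be listed too.
    "azure-vng": {AZURE_VNET: "azure-vnet", OCI_SJ_VCN: "oci-sj-drg", OCI_TOKYO_VCN: "oci-sj-drg"},
    # The one DRG route table shared by the IPSec and RPC attachments (as in the lab).
    "oci-sj-drg": {AZURE_VNET: "azure-vng", OCI_TOKYO_VCN: "oci-tokyo-drg", OCI_SJ_VCN: "oci-sj-vcn"},
    "oci-sj-vcn": {OCI_SJ_VCN: "local", AZURE_VNET: "oci-sj-drg", OCI_TOKYO_VCN: "oci-sj-drg"},
    # Tokyo DRG: return traffic for Azure goes back over the RPC.
    "oci-tokyo-drg": {OCI_TOKYO_VCN: "oci-tokyo-vcn", AZURE_VNET: "oci-sj-drg", OCI_SJ_VCN: "oci-sj-drg"},
    # Tokyo VCN subnet route table: point the remote CIDRs at the DRG.
    "oci-tokyo-vcn": {OCI_TOKYO_VCN: "local", AZURE_VNET: "oci-tokyo-drg", OCI_SJ_VCN: "oci-tokyo-drg"},
}

# Ingress rules (FW / security list) per network: (protocol, port or None, source CIDR).
INGRESS = {
    "oci-tokyo-vcn": [("icmp", None, AZURE_VNET), ("tcp", 22, AZURE_VNET)],
    "azure-vnet": [("icmp", None, OCI_TOKYO_VCN), ("tcp", 22, OCI_TOKYO_VCN)],
}


def lookup(table, dst):
    """Longest-prefix match; None when the table has no route for dst."""
    matches = [p for p in table if dst in p]
    return table[max(matches, key=lambda p: p.prefixlen)] if matches else None


def network_of(ip):
    """Name of the terminal network that owns ip."""
    return next(name for name, cidr in NETWORKS.items() if ip in cidr)


def trace(routes, src, dst, max_hops=8):
    """Follow route tables hop by hop; return (delivered, path of node names)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    node, path = network_of(src), []
    for _ in range(max_hops):
        path.append(node)
        nxt = lookup(routes[node], dst)
        if nxt == "local":
            return True, path
        if nxt is None:          # black hole: this hop has no route for dst
            return False, path
        node = nxt
    return False, path           # loop guard


def ingress_allowed(dst_net, src, proto, port):
    """True if the destination network's ingress rules admit this flow."""
    src = ipaddress.ip_address(src)
    return any(p == proto and (pt is None or pt == port) and src in cidr
               for p, pt, cidr in INGRESS.get(dst_net, []))


def check_connectivity(routes, src, dst, proto="tcp", port=22):
    """Forward route, return route and destination ingress must all pass."""
    fwd_ok, fwd = trace(routes, src, dst)
    rev_ok, _ = trace(routes, dst, src)   # asymmetric routing is a common miss
    fw_ok = ingress_allowed(network_of(ipaddress.ip_address(dst)), src, proto, port)
    return {"forward": fwd_ok, "return": rev_ok, "firewall": fw_ok,
            "ok": fwd_ok and rev_ok and fw_ok, "path": fwd}


def without_transit_routes(routes):
    """Failure mode from the post: the SJ DRG table never got the RPC/IPSec routes."""
    broken = {node: dict(table) for node, table in routes.items()}
    del broken["oci-sj-drg"][OCI_TOKYO_VCN]
    del broken["oci-sj-drg"][AZURE_VNET]
    return broken


if __name__ == "__main__":
    for label, routes in (("configured", LAB_ROUTES),
                          ("missing DRG routes", without_transit_routes(LAB_ROUTES))):
        print(label, check_connectivity(routes, "10.1.0.4", "10.3.0.10"))
```

Running it shows the configured path azure-vnet, azure-vng, oci-sj-drg, oci-tokyo-drg, oci-tokyo-vcn with all three checks passing, while the variant without the DRG routes stops at oci-sj-drg in both directions even though the FW rule is fine, which is exactly why the post calls the San Jose DRG route table the critical step. The same model can be reused to confirm a port that the security list does not open (for example TCP 443) is rejected at the destination even though it routes.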
Now we are ready to verify whether the VM in Azure can reach the VM in OCI Tokyo through the DRG in OCI San Jose.
The VM in OCI Tokyo can ping and SSH to the Azure VM.
The VM in Azure San Jose can ping and SSH to the OCI Tokyo VM.
That’s it, the lab is a success! I hope you like it and that it helps you in some way!