Oracle OCI — multi-region transit connectivity with Aviatrix MCNA

Co-Author: Faisal Hasan – Currently working at Oracle Cloud as Senior Principal Product Manager. Before joining Oracle in 2018, I spent many years at VMware, NEC Australia, and Cisco Systems working in several roles ranging from Network Engineering to Product Management.

Oracle Cloud Infrastructure

Oracle Cloud Infrastructure combines the elasticity of public cloud with the granular control, security and predictability of on-premises infrastructure to deliver high-performance and cost-effective infrastructure services. OCI is designed with a primary focus on the needs of enterprise customers and is purpose-built for the most mission-critical application & database workloads.

OCI is uniquely positioned to be one of the beneficiaries of the push to move workloads to public clouds, specifically in the enterprise sector. This article describes why OCI is fast becoming a threat to the current incumbent IaaS CSPs.

OCI has implemented “isolated network virtualization”, taking the network & IO virtualization outside the server and putting it in the network. This results in delivering consistent performance across the entire stack with enhanced security on a non-blocking / non-oversubscribed, full software-defined layer 3 network topology.

Customers can leverage virtual machine, bare-metal hosts, containers, optimized database systems like Oracle Exadata together with cloud-native security & governance capabilities of a layer 3 virtual cloud network.

As OCI rapidly expands its global footprint with a growing service portfolio, it is also working with a rich eco-system of partners. Aviatrix complements Oracle Cloud’s solutions with its rich set of networking capabilities. In this post, we focus on a key joint OCI-Aviatrix use case.

OCI-Aviatrix transit connectivity in multi-region environment

A very popular use-case for OCI-Aviatrix customers is multi-region connectivity. In this scenario, the customer has an on-prem DC in their main geography, connected to their main OCI region using FastConnect. The connection lands in the VCN marked below as Aviatrix Transit & Firewall Network, which provides links to the Spoke VCNs in that region (Region2 in the figure below).

The peerings in the diagram (green links) are Aviatrix Encrypted Peerings (leveraging IPsec) and they do not rely on OCI’s Local Peering nor Remote Peering connections. Instead, they use public IPs of Aviatrix Gateways to create the encrypted tunnels — the great part is that even though public IPs are used, the connectivity remains on the high-quality backbone of OCI.

Leveraging the main region’s Transit & Firewall VCN, the traffic from the on-prem DC can also reach Spoke VCNs in Region1 or Region3 — these other regions are peered with the main region (Region2) using Aviatrix Encrypted Peering. Important note: the Aviatrix Transit Peerings (encrypted peerings between Transit VCN GWs) form a full mesh, so every other region is just a single hop away. Sample flows are visualized below.

Aviatrix Controller makes sure that Route Tables in Spoke VCNs are updated correctly, pointing all the East-West destinations towards the Aviatrix Gateway as the next-hop. Once the traffic reaches the first Aviatrix Gateway, the internal Route Table specifies which of the Aviatrix Peerings should be used to jump to the next GW, and so on, until the destination VCN is reached. At that point the traffic is egressing from the GW and the local Route Table in the VCN sends it to the final destination.

In the Blue traffic path in the diagram above, the DC device terminating the IPsec tunnel from Aviatrix Transit GW in Region2 can be any IPsec speaker (or Aviatrix High Performance Encryption appliance — coming soon). DRG and FastConnect are used as “underlay” in this design.
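As an added illustration (not Aviatrix's or Oracle's own code), the following Python models the route tables the Controller programs in the design above for a three-region deployment with constructed addressing, then traces flows hop by hop to show that remote regions are one peering hop away and that every inter-VCN path egresses through a Transit & Firewall VCN gateway, where an inspection point would sit. The node names, prefixes and the `trace` helper are assumptions made for the example.

```python
import ipaddress

# Constructed sample topology (hypothetical addressing, not the post's figure): one
# spoke VCN and one Aviatrix transit gateway per region, full-mesh encrypted
# peerings between transits, and the on-prem DC landing via FastConnect in Region2.
SPOKE_PREFIX = {"spoke1": "10.1.0.0/16", "spoke2": "10.2.0.0/16", "spoke3": "10.3.0.0/16"}
DC_PREFIX = "192.168.0.0/16"
LOCAL_TRANSIT = {"spoke1": "transit1", "spoke2": "transit2", "spoke3": "transit3"}
MAIN_TRANSIT = "transit2"  # the FastConnect underlay terminates in this region
OWNER = {**SPOKE_PREFIX, "dc": DC_PREFIX}  # node that delivers a prefix locally


def build_route_tables():
    """Model what the Controller programs: each spoke sends every East-West
    prefix to its local gateway, each transit reaches a remote spoke in one
    hop over the full mesh, and only the main transit holds the DC route."""
    rt = {"dc": {p: MAIN_TRANSIT for p in SPOKE_PREFIX.values()}}
    for spoke, transit in LOCAL_TRANSIT.items():
        rt[spoke] = {p: transit for s, p in OWNER.items() if s != spoke}
        rt[transit] = {p: (s if s == spoke else LOCAL_TRANSIT[s]) for s, p in SPOKE_PREFIX.items()}
        rt[transit][DC_PREFIX] = "dc" if transit == MAIN_TRANSIT else MAIN_TRANSIT
    return rt

def lookup(table, dst):
    """Longest-prefix match; None means no route, so the flow is dropped
    rather than falling through to a default route."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(src, dst, tables=None):
    """Follow next-hops from src until the node owning dst's prefix is reached;
    a trailing None marks a drop (no route) or a routing loop."""
    tables = tables or build_route_tables()
    ip, path, node = ipaddress.ip_address(dst), [src], src
    while not (node in OWNER and ip in ipaddress.ip_network(OWNER[node])):
        node = lookup(tables.get(node, {}), dst)
        if node is None or node in path:
            return path + [None]
        path.append(node)
    return path

def crosses_transit(path):
    """True when the flow egresses through a Transit & Firewall VCN gateway,
    where an NGFW would see it; intra-VCN flows never leave the spoke."""
    return any(hop.startswith("transit") for hop in path[1:-1])
```

Running `trace("dc", "10.3.0.5")` reproduces the post's DC-to-Region3 flow: FastConnect into the main transit, one encrypted peering hop to Region3's transit, then local delivery in the spoke.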

These principles do not only work in the multi-region context, but also in multi-cloud environments. We have seen scenarios where customers need connectivity between their on-prem workloads and those deployed in Azure, OCI & AWS simultaneously. For example, with the Aviatrix Multi-Cloud Network Architecture (MCNA), enterprises can connect from their DC to Azure using ExpressRoute and then leverage the OCI-Azure Interconnect to provide the required access to resources in Azure and / or OCI. A simple representation of this is given in the figure below.

The connectivity explained above unlocks a very popular scenario where customers migrate their databases to OCI and then use the OCI-Aviatrix joint solution to enable private & secure connectivity from the remaining services running in the on-prem DC, but also from other VCNs, other regions and other clouds.

Getting started with Aviatrix

Aviatrix is a powerful and advanced platform providing networking and security services in the public clouds, with multi-cloud optionality. While being comprehensive, it is also perfectly modular — you can start really small with just one or two services, and if you need to add more services, or expand into other clouds, you can do it at any time. The platform is flexible and can easily follow your current needs. Start anywhere, grow anywhere.

In this scenario we were talking about multi-region connectivity for OCI. Once this base platform is built out, the customer can add more services:

  • Next Generation Firewall inspection (Palo Alto, Fortinet, Check Point)
  • Stateful L4 Firewall
  • Network segmentation
  • User VPN
  • FQDN Egress Filtering
  • Multi-Cloud connectivity and network segmentation
  • Encryption over FastConnect
  • Advanced NAT for interconnecting networks with overlapping IPs

and many more.

Are you ready to deploy Aviatrix in your OCI environment?
Start here: https://cloudmarketplace.oracle.com/marketplace/en_US/listing/65804594

Contact us: tomasz@aviatrix.com, faisal.hasan@oracle.com for additional information.