When you create a VCN (Virtual Cloud Network) in Oracle Cloud Infrastructure to give your compute servers a virtual network, you then create subnets under the VCN. Each subnet contains part of the CIDR block you have allocated for the VCN.

If you are not familiar with VCNs, a good place to start is the VCN FAQ:

https://cloud.oracle.com/en_US/bare-metal-network/vcn/faq

So for example, your VCN has a CIDR block of 172.30.0.0/16 (65,536 IPs) and you create a subnet under it with 172.30.1.0/24 (256 IPs). Oracle reserves the first two IPs and the last IP of each subnet for its own use.

Your instances will either face the public internet, or you will want to keep them private so that only you can access them, for example through your corporate network.

What do I need for my subnets?

If you need both public and private instances, create a subnet for each. One subnet can be accessed from the internet and the other cannot.

For the public subnet you can allocate a public IP address to your server (or actually to its interface). The server needs a public IP, a security list rule that allows traffic to specific ports, and an Internet gateway that is mapped to the route table assigned to the public subnet.

For the private subnet we don’t need a public IP or an Internet gateway in the route table. In fact, when you create a subnet and choose private subnet, it won’t allocate public IP addresses to that subnet.


With OCI you don’t need to add the VCN’s CIDR block to the route table. Instead, if the security lists allow it, servers that belong to subnets in the same VCN automatically have a route between each other. This is different compared to AWS!

I have used the default VCN route table for my subnets, and it has the Internet gateway assigned to it.

If I don’t specify a route table when creating a subnet, the default route table is assigned to it. After that you can’t change the subnet’s route table to another one! However, you can modify the routes in the existing route table.

So if you share the route table between multiple subnets, this could become an issue!

Now I have two subnets: public and private. Both have the default route table assigned, which has a route to the Internet gateway. I also have a security list which allows SSH traffic inside my subnets.

If I wanted to access my private or public subnet from the corporate network, I would need to add a route to a dynamic routing gateway (DRG), which would have a VPN tunnel to my corporate network.

Accessing your subnets

I also have two VMs: one in the public subnet (public1) and one in the private subnet (private1).

[Figure: Two instances in different subnets]

As you can see, one has a public IP address and the other does not, and they belong to different subnets.


During VM creation I created an SSH key which I will use to access my public and private VMs. When logging in I use the default VM user opc and supply the private key file I created.

[simo@mylinux ~]$ ssh opc@130.1.1.1 -i s1.ppk
Last login: Wed Feb 14 09:54:46 2018 from
[opc@public1 ~]$

That’s it, so I can access my public VM fine. Now if I need to access my private VM, I can use my public VM as a jump server.

This is something you need to think about when creating your network: how will you access your private subnets, and how will they access the internet (to download packages etc.)? Jump servers and NAT gateways are options in these cases.

As I mentioned earlier, subnets within a VCN don’t need a route to each other, so I should be able to access my private VM from my public VM without modifications to the route table. Let’s test!


[opc@public1 ~]$ ssh opc@172.30.2.2 -i s1.ppk
Last login: Wed Feb 14 10:12:44 2018 from 172.30.1.2
[opc@private1 ~]$

Works smoothly! So to summarize, you need to understand which servers you will place in the public subnet and which in the private subnet. Also think about NAT gateways for accessing the internet from your private subnet. In my example, even though I have the same Internet gateway assigned to both subnets, I can’t access the internet from my private VM.

Oracle doesn’t have a NAT gateway as a service yet; instead you need to create your own NAT instance in the public subnet and route private subnet traffic through that NAT instance to the internet.

A good example of deploying a NAT instance with Terraform:
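The reachability rules described in this post, as an added example that is not part of the original post: a simplified Python model (not the OCI API) of the two subnets that checks internet exposure, the jump path inside the VCN, and the shared route table. The 0.0.0.0/0 SSH source on the public subnet, the VCN-wide SSH source on the private subnet, the test address 203.0.113.10, and all function and variable names are assumptions.

```python
import ipaddress as ip

# Constructed model of the setup in the post (plain dicts, not OCI objects).
VCN = ip.ip_network("172.30.0.0/16")
ROUTE_TABLES = {"default": [("0.0.0.0/0", "internet_gateway")]}
SUBNETS = {
    "public":  {"cidr": "172.30.1.0/24", "private": False, "rt": "default"},
    "private": {"cidr": "172.30.2.0/24", "private": True,  "rt": "default"},
}
# Security list ingress rules as (source CIDR, TCP port); sources are assumed.
INGRESS = {"public": [("0.0.0.0/0", 22)], "private": [("172.30.0.0/16", 22)]}
INSTANCES = {
    "public1":  {"subnet": "public",  "private_ip": "172.30.1.2", "public_ip": "130.1.1.1"},
    "private1": {"subnet": "private", "private_ip": "172.30.2.2", "public_ip": None},
}

def usable_addresses(cidr):
    """Addresses left after the first two and the last IP, which OCI reserves."""
    return ip.ip_network(cidr).num_addresses - 3

def allowed(subnet, src_ip, port):
    """True if the subnet's security list admits src_ip on this port."""
    return any(ip.ip_address(src_ip) in ip.ip_network(src) and p == port
               for src, p in INGRESS[subnet])

def has_igw_route(subnet):
    rules = ROUTE_TABLES[SUBNETS[subnet]["rt"]]
    return any(target == "internet_gateway" for _, target in rules)

def reachable_from_internet(name, port=22, src_ip="203.0.113.10"):
    """All three conditions from the post: public IP, IGW route, ingress rule."""
    inst = INSTANCES[name]
    return (inst["public_ip"] is not None and has_igw_route(inst["subnet"])
            and allowed(inst["subnet"], src_ip, port))

def reachable_within_vcn(src, dst, port=22):
    """Inside one VCN no route rule is needed; only the security list decides."""
    s, d = INSTANCES[src], INSTANCES[dst]
    in_vcn = all(ip.ip_address(i["private_ip"]) in VCN for i in (s, d))
    return in_vcn and allowed(d["subnet"], s["private_ip"], port)

def audit():
    findings = []
    for name, sn in SUBNETS.items():
        if not ip.ip_network(sn["cidr"]).subnet_of(VCN):
            findings.append(f"{name}: CIDR is outside the VCN")
        if sn["private"] and has_igw_route(name):
            findings.append(f"{name}: private subnet uses a route table with an Internet gateway route")
    return findings
```

The audit finding for the private subnet is not an exposure by itself, since private1 has no public IP, but it marks the shared default route table that the post warns about.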

https://blogs.oracle.com/cloud-infrastructure/automate-deployment-nat-instance-in-oracle-cloud-infrastructure-with-terraform

After playing around I want to remove my subnets so they aren’t left behind, as they have no further use. Remember that subnets must be empty before you delete them!
