Series – Get your database running with Terraform part 7: Subnets

Now we have everything else set up on the network side apart from subnets. Subnets are contiguous IP address blocks carved out of the VCN CIDR, and no subnet's block may overlap with any other subnet's block in your VCN.

Things to remember:

  • You can't change a subnet's CIDR block once it is created, so the resource must be recreated if the block changes.
  • The Networking service reserves three addresses in each subnet: the first two (the network address and the subnet's default gateway) and the last one (the broadcast address). A /24 therefore gives you 253 usable addresses, not 256.

At the time of writing, Oracle has released new subnet functionality: regional subnets. Earlier each subnet was tied to a specific Availability Domain, but now you can create a subnet that spans all Availability Domains in the region.

In my example I'm going to deploy a public subnet whose route table has a route to the Internet Gateway and a private subnet whose route table has a route to the NAT Gateway. The previously created security lists will also be linked to the matching subnet, and the private subnet is configured to prohibit public IPs on its VNICs, so the database that ends up there cannot be given an internet-facing address by accident.

Terraform

As Terraform doesn't yet support regional subnets, the subnets in this example are tied to an Availability Domain. Each subnet needs a CIDR block and the previously created resources (route table, security list, DHCP options) assigned to it.

Creating subnets with Terraform is defined here.

I also need to get my tenancy's Availability Domains via a Terraform data source. Remember that the AD names carry a tenancy-specific prefix and their order is specific to your tenancy, so what is AD-1 for you may be a different physical AD in another tenancy; never hard-code the AD name.

I've highlighted the usage of the data source: you pass your tenancy's OCID as the compartment_id and get the list of ADs back, which the resources then read with lookup(). For both subnets I'm using the first item ([0]) of the list.

Another thing to highlight is the use of cidrsubnet. One option to define cidr_block would be to define it manually in the variables, but with cidrsubnet we can take the vcn_cidr_block variable we defined when creating the VCN and allocate separate, non-overlapping subnet CIDR blocks from it.

Usage of cidrsubnet is described in this blog post and also in the official documentation.

As the VCN CIDR is a /16, newbits = 8 turns the subnet block into a /24 (16 + 8 = 24), and netnum = 0 means it is the first /24 block in that range; netnum = 1 is the second, and so on up to 255.
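Before running terraform plan it is worth being able to reproduce the allocation offline and to see how many addresses the Networking service actually leaves you. The script below is an added example and is not code from the original post or from the OCI provider: it re-implements Terraform's cidrsubnet(prefix, newbits, netnum) with Python's standard ipaddress module, lists the three addresses OCI reserves in each subnet, and refuses a layout in which two subnets overlap. The VCN CIDR, newbits and netnum values are constructed to match the post (172.16.0.0/16, 8, and 0/1); everything else is assumption-free standard library.

```python
"""Pre-apply check for the subnet layout discussed above.  Added example, not
code from the original post: it re-implements Terraform's cidrsubnet() with
the standard ipaddress module, lists the three addresses OCI reserves in every
subnet, and refuses a layout in which two subnets overlap."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed inputs mirroring the post: a /16 VCN carved into /24 subnets,
# netnum 0 for the public subnet and netnum 1 for the private one.
VCN_CIDR = "172.16.0.0/16"
NEWBITS = 8
SUBNET_NETNUMS = {"PublicSubnet": 0, "PrivateSubnet": 1}


def cidrsubnet(prefix: str, newbits: int, netnum: int) -> str:
    """Terraform's cidrsubnet(prefix, newbits, netnum): extend the prefix
    length by `newbits` and place `netnum` in the newly added bits."""
    net = ipaddress.ip_network(prefix, strict=True)
    new_prefixlen = net.prefixlen + newbits
    if newbits < 0 or new_prefixlen > net.max_prefixlen:
        raise ValueError(f"newbits={newbits} does not fit in {prefix}")
    if not 0 <= netnum < (1 << newbits):
        raise ValueError(f"netnum={netnum} is out of range for newbits={newbits}")
    host_bits = net.max_prefixlen - new_prefixlen
    base = int(net.network_address) + (netnum << host_bits)
    return str(ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{new_prefixlen}"))


def reserved_addresses(cidr: str) -> List[str]:
    """The addresses the OCI Networking service keeps for itself: the network
    address, the first host address (the subnet's default gateway, which the
    apply output later reports as virtual_router_ip) and the broadcast address."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(net.network_address),
            str(net.network_address + 1),
            str(net.broadcast_address)]


def usable_hosts(cidr: str) -> int:
    """Addresses left for instances after OCI's reservations (253 for a /24)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - len(reserved_addresses(cidr))


def overlapping_pairs(layout: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every pair of subnet names whose CIDR blocks overlap (OCI rejects these)."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in layout.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def plan_subnets(vcn_cidr: str, newbits: int, netnums: Dict[str, int]) -> Dict[str, str]:
    """Allocate one child block per subnet name, exactly as the two
    oci_core_subnet resources do, and fail fast instead of at apply time."""
    layout = {name: cidrsubnet(vcn_cidr, newbits, n) for name, n in netnums.items()}
    clashes = overlapping_pairs(layout)
    if clashes:
        raise ValueError(f"overlapping subnet CIDRs: {clashes}")
    return layout


if __name__ == "__main__":
    for name, cidr in plan_subnets(VCN_CIDR, NEWBITS, SUBNET_NETNUMS).items():
        print(f"{name:14} {cidr:18} reserved={reserved_addresses(cidr)} "
              f"usable={usable_hosts(cidr)}")
```

Running it prints the same two blocks the apply output below shows (172.16.0.0/24 and 172.16.1.0/24); giving both subnets the same netnum, or a netnum of 256 with newbits 8, fails in the script rather than halfway through an apply.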

So our main.tf will get these added:

// Tenancy-level data source: the AD list (with its tenancy-specific name
// prefix) is looked up at plan time instead of being hard-coded.
data "oci_identity_availability_domains" "ADs" {
  compartment_id = "${var.tenancy_ocid}"
}

// Public subnet: first /24 of the VCN, Internet Gateway route table,
// public security list, public IPs allowed on VNICs (jump server lives here).
resource "oci_core_subnet" "CreatePublicSubnet" {
  availability_domain        = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[0],"name")}"
  cidr_block                 = "${cidrsubnet(var.vcn_cidr_block, 8, 0)}"
  display_name               = "${var.public_subnet_display_name}"
  dns_label                  = "${var.public_subnet_dns_label}"
  compartment_id             = "${oci_identity_compartment.CreateCompartment.id}"
  vcn_id                     = "${oci_core_virtual_network.CreateVCN.id}"
  security_list_ids          = ["${oci_core_security_list.CreatePublicSecurityList.id}"]
  route_table_id             = "${oci_core_route_table.CreatePublicRouteTable.id}"
  dhcp_options_id            = "${oci_core_virtual_network.CreateVCN.default_dhcp_options_id}"
  prohibit_public_ip_on_vnic = "${var.public_prohibit_public_ip_on_vnic}"
}

// Private subnet: second /24 of the VCN, NAT Gateway route table (egress
// only), private security list, and no public IPs on VNICs. The last
// setting is what keeps the database host unreachable from the internet.
resource "oci_core_subnet" "CreatePrivateSubnet" {
  availability_domain        = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[0],"name")}"
  cidr_block                 = "${cidrsubnet(var.vcn_cidr_block, 8, 1)}"
  display_name               = "${var.private_subnet_display_name}"
  dns_label                  = "${var.private_subnet_dns_label}"
  compartment_id             = "${oci_identity_compartment.CreateCompartment.id}"
  vcn_id                     = "${oci_core_virtual_network.CreateVCN.id}"
  security_list_ids          = ["${oci_core_security_list.CreatePrivateSecurityList.id}"]
  route_table_id             = "${oci_core_route_table.CreatePrivateRouteTable.id}"
  dhcp_options_id            = "${oci_core_virtual_network.CreateVCN.default_dhcp_options_id}"
  prohibit_public_ip_on_vnic = "${var.private_prohibit_public_ip_on_vnic}"
}

And variables.tf gets these:

// PUBLIC AND PRIVATE SUBNET VARIABLES
variable "public_subnet_display_name" {
  default = "PublicSubnet"
} // Name for public subnet

variable "private_subnet_display_name" {
  default = "PrivateSubnet"
} // Name for private subnet

variable "public_subnet_dns_label" {
  default = "pub"
} // DNS Label for public subnet

variable "private_subnet_dns_label" {
  default = "pri"
} // DNS label for private subnet

variable "public_prohibit_public_ip_on_vnic" {
  default = "false"
} // false = instances in the public subnet may be assigned a public IP

variable "private_prohibit_public_ip_on_vnic" {
  default = "true"
} // true = instances in the private subnet can never be assigned a public IP

We don't need to define many variables, as most of the values come from previously created resources.

After running terraform plan and apply I have two new resources. Note the availability domain picked up from the data source and the CIDR block computed for each subnet, and that prohibit_public_ip_on_vnic is true for the private subnet and false for the public one.

oci_core_subnet.CreatePrivateSubnet: Creating...
  availability_domain:          "" => "xknJ:EU-FRANKFURT-1-AD-1"
  cidr_block:                   "" => "172.16.1.0/24"
  compartment_id:               "" => "ocid1.compartment.oc1..xxxxx"
  dhcp_options_id:              "" => "ocid1.dhcpoptions.oc1.eu-frankfurt-1.xxxxx"
  display_name:                 "" => "PrivateSubnet"
  dns_label:                    "" => "pri"
  freeform_tags.%:              "" => "<computed>"
  prohibit_public_ip_on_vnic:   "" => "true"
  route_table_id:               "" => "ocid1.routetable.oc1.eu-frankfurt-1.xxxxx"
  security_list_ids.#:          "" => "1"
  security_list_ids.2007611926: "" => "ocid1.securitylist.oc1.eu-frankfurt-1.xxxxx"
  state:                        "" => "<computed>"
  subnet_domain_name:           "" => "<computed>"
  time_created:                 "" => "<computed>"
  vcn_id:                       "" => "ocid1.vcn.oc1.eu-frankfurt-1.xxxxx"
  virtual_router_ip:            "" => "<computed>"
  virtual_router_mac:           "" => "<computed>"
oci_core_subnet.CreatePublicSubnet: Creating...
  availability_domain:          "" => "xknJ:EU-FRANKFURT-1-AD-1"
  cidr_block:                   "" => "172.16.0.0/24"
  compartment_id:               "" => "ocid1.compartment.oc1..xxxxx"
  dhcp_options_id:              "" => "ocid1.dhcpoptions.oc1.eu-frankfurt-1.xxxxx"
  display_name:                 "" => "PublicSubnet"
  dns_label:                    "" => "pub"
  freeform_tags.%:              "" => "<computed>"
  prohibit_public_ip_on_vnic:   "" => "false"
  route_table_id:               "" => "ocid1.routetable.oc1.eu-frankfurt-1.xxxxx"
  security_list_ids.#:          "" => "1"
  security_list_ids.3189732490: "" => "ocid1.securitylist.oc1.eu-frankfurt-1.xxxxx"
  state:                        "" => "<computed>"
  subnet_domain_name:           "" => "<computed>"
  time_created:                 "" => "<computed>"
  vcn_id:                       "" => "ocid1.vcn.oc1.eu-frankfurt-1.xxxxx"
  virtual_router_ip:            "" => "<computed>"
  virtual_router_mac:           "" => "<computed>"
oci_core_subnet.CreatePrivateSubnet: Creation complete after 1s (ID: ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaa...xxxxx)
oci_core_subnet.CreatePublicSubnet: Creation complete after 1s (ID: ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaa...xxxxx)

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
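The apply output above is also the place to catch the one mistake that would undo the whole public/private split: a subnet that may hand out public IPs without being meant to. The following script is an added example, not code from the original post or the OCI provider. It parses the Terraform 0.11-style `key: "" => "value"` attribute lines of every oci_core_subnet being created and reports any subnet that does not prohibit public IPs unless its display name is on an explicit allow-list, plus any non-allow-listed subnet that shares a route table with an allow-listed public subnet (the private subnet is supposed to route through the NAT Gateway, not the Internet Gateway). The sample log is constructed from the post's output with placeholder OCIDs; the allow-list of public subnet names is an assumption the caller supplies.

```python
"""Guardrail over a Terraform 0.11 apply log.  Added example, not from the
original post: parse each oci_core_subnet 'Creating...' block and flag any
subnet that may be given public IPs without being explicitly allowed, or
that shares a route table with an allowed public subnet."""
import re
from typing import Dict, List, Set

# Constructed sample trimmed from the post's apply output; the OCIDs are
# placeholders, not real identifiers.
SAMPLE_APPLY_LOG = """\
oci_core_subnet.CreatePrivateSubnet: Creating...
  availability_domain:          "" => "xknJ:EU-FRANKFURT-1-AD-1"
  cidr_block:                   "" => "172.16.1.0/24"
  display_name:                 "" => "PrivateSubnet"
  freeform_tags.%:              "" => "<computed>"
  prohibit_public_ip_on_vnic:   "" => "true"
  route_table_id:               "" => "ocid1.routetable.oc1.eu-frankfurt-1.placeholder-private"
  security_list_ids.#:          "" => "1"
  security_list_ids.2007611926: "" => "ocid1.securitylist.oc1.eu-frankfurt-1.placeholder-private"
oci_core_subnet.CreatePublicSubnet: Creating...
  availability_domain:          "" => "xknJ:EU-FRANKFURT-1-AD-1"
  cidr_block:                   "" => "172.16.0.0/24"
  display_name:                 "" => "PublicSubnet"
  freeform_tags.%:              "" => "<computed>"
  prohibit_public_ip_on_vnic:   "" => "false"
  route_table_id:               "" => "ocid1.routetable.oc1.eu-frankfurt-1.placeholder-public"
  security_list_ids.#:          "" => "1"
  security_list_ids.3189732490: "" => "ocid1.securitylist.oc1.eu-frankfurt-1.placeholder-public"
oci_core_subnet.CreatePrivateSubnet: Creation complete after 1s (ID: ocid1.subnet.oc1.eu-frankfurt-1.placeholder)
oci_core_subnet.CreatePublicSubnet: Creation complete after 1s (ID: ocid1.subnet.oc1.eu-frankfurt-1.placeholder)
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
"""

# "<type>.<name>: Creating..." opens a block; indented 'key: "" => "new"' lines
# belong to it until the next non-indented line.
HEADER_RE = re.compile(r"^(?P<type>[a-z0-9_]+)\.(?P<name>[A-Za-z0-9_-]+): Creating\.\.\.$")
ATTR_RE = re.compile(r'^\s+(?P<key>[A-Za-z0-9_.#%]+):\s+"(?P<old>[^"]*)"\s+=>\s+"(?P<new>[^"]*)"$')


def parse_creates(log: str) -> Dict[str, Dict[str, str]]:
    """Map resource address -> {attribute: planned value} for every resource
    whose 'Creating...' block appears in the log."""
    resources: Dict[str, Dict[str, str]] = {}
    current = None
    for line in log.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = f"{header['type']}.{header['name']}"
            resources[current] = {"_type": header["type"]}
            continue
        attr = ATTR_RE.match(line)
        if attr and current:
            resources[current][attr["key"]] = attr["new"]
        elif not line.startswith(" "):
            current = None  # left the attribute block
    return resources


def _subnets(resources: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    return {a: v for a, v in resources.items() if v.get("_type") == "oci_core_subnet"}


def public_ip_findings(resources: Dict[str, Dict[str, str]], allow_public: Set[str]) -> List[str]:
    """Subnets that may assign public IPs but are not on the allow-list."""
    return [
        f"{addr} ({attrs.get('cidr_block')}) allows public IPs but is not allow-listed"
        for addr, attrs in _subnets(resources).items()
        if attrs.get("prohibit_public_ip_on_vnic") != "true"
        and attrs.get("display_name") not in allow_public
    ]


def shared_route_table_findings(resources: Dict[str, Dict[str, str]], allow_public: Set[str]) -> List[str]:
    """Non-public subnets that sit behind the same route table as an allowed
    public subnet, i.e. would inherit its Internet Gateway route."""
    subnets = _subnets(resources)
    public_rts = {v.get("route_table_id") for v in subnets.values() if v.get("display_name") in allow_public}
    return [
        f"{addr} shares a route table with a public subnet"
        for addr, attrs in subnets.items()
        if attrs.get("display_name") not in allow_public and attrs.get("route_table_id") in public_rts
    ]


def audit(log: str, allow_public: Set[str]) -> List[str]:
    """All findings for one apply log; an empty list means the split held."""
    resources = parse_creates(log)
    return public_ip_findings(resources, allow_public) + shared_route_table_findings(resources, allow_public)


if __name__ == "__main__":
    for finding in audit(SAMPLE_APPLY_LOG, {"PublicSubnet"}) or ["no findings"]:
        print(finding)
```

Pipe the real apply output into audit() with the names of the subnets that are meant to be public; anything it reports is a subnet the database must not be placed in until it is fixed.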

With that I have all the necessary network components; what is left is to create the jump server in the public subnet and then finally the database in the private subnet.

Simo
