Interconnect for Google Cloud

This topic describes how to set up Oracle Interconnect for Google Cloud.

Oracle Interconnect for Google Cloud lets you create a cross-cloud connection between Oracle Cloud Infrastructure and Google Cloud Platform (GCP) in certain regions. This connection lets you set up cloud-to-cloud workloads without the traffic between the clouds going over the internet. This topic describes how to set up virtual networking infrastructure resources to enable this deployment.

Highlights

  • You can connect an Oracle Cloud Infrastructure (OCI) virtual cloud network (VCN) with a GCP virtual private cloud (VPC) and run a cloud-to-cloud workload. In the typical use case, you might deploy an Oracle Database on OCI, and deploy a custom application in GCP.
  • The two virtual networks must belong to the same company or organization and not have overlapping CIDRs. Oracle Interconnect for Google Cloud requires you to create a Partner Interconnect circuit and an OCI FastConnect virtual circuit.

Availability

Oracle Interconnect for Google Cloud is only available in the paired regions depicted in the following maps and tables. For more information on GCP region locations, see the Colocation Facilities Locations table in the GCP documentation.

The following map covers all commercial OCI regions and notes which of them have an interconnect to Azure, to GCP, or to both. Participating GCP regions are also listed in the following tables.

Map showing which regions interconnect with Azure or GCP.

US Government Cloud regions with Oracle Interconnect for Google Cloud are listed in the US Government Cloud documentation.

Asia Pacific

OCI region | Key | Google Cloud region
Australia East (Sydney) / ap-sydney-1 | SYD | Sydney (australia-southeast1)
Australia Southeast (Melbourne) / ap-melbourne-1 | MEL | Melbourne (australia-southeast2)
India West (Mumbai) / ap-mumbai-1 | BOM | Mumbai (asia-south1)
Japan East (Tokyo) / ap-tokyo-1 | NRT | Tokyo (asia-northeast1)
Singapore (Singapore) / ap-singapore-1 | SIN | Singapore (asia-southeast1)

Europe, Middle East, Africa (EMEA)

OCI region | Key | Google Cloud region
Germany Central (Frankfurt) / eu-frankfurt-1 | FRA | Frankfurt (europe-west3)
Spain Central (Madrid) / eu-madrid-1 | MAD | Madrid (europe-southwest1)
UK South (London) / uk-london-1 | LHR | London (europe-west2)
Switzerland North (Zurich) / eu-zurich-1 | ZRH | Zurich (europe-west6)

Latin America (LATAM)

OCI region | Key | Google Cloud region
Brazil East (Sao Paulo) / sa-saopaulo-1 | GRU | São Paulo (southamerica-east1)

North America (NA)

OCI region | Key | Google Cloud region
Canada Southeast (Montreal) / ca-montreal-1 | YUL | Montréal (northamerica-northeast1)
Canada Southeast (Toronto) / ca-toronto-1 | YYZ | Toronto (northamerica-northeast2)
US East (Ashburn) / us-ashburn-1 | IAD | N. Virginia (us-east4)

Overview of Supported Traffic

Here are more details about the supported types of traffic.

VCN-to-VPC Connection: Extension from One Cloud to Another

You can connect a VCN and VPC so that traffic that uses private IP addresses goes over a cloud-to-cloud connection.

For example, the following diagram shows a VCN connected to a VPC. Resources in the VPC are running an application that accesses an Oracle database that runs on Database service resources in the VCN. The traffic between the application and database uses a logical circuit that runs on the cloud-to-cloud connection between GCP and OCI.

This diagram shows the connection between a GCP VPC and OCI VCN.

To enable the connection between the VPC and VCN, you set up a GCP VLAN attachment and an OCI FastConnect virtual circuit. The connection doesn't have built-in redundancy, which means you need to set up a second Oracle Interconnect for Google Cloud connection to enable a highly available, resilient network design.

For detailed instructions, see Setting up a Connection.

Peered VCNs

The connection traffic can flow from the VPC to one or more peered VCNs in the same OCI region or in other OCI regions.

Types of Traffic Not Supported by the Connection

This connection doesn't enable traffic between an on-premises network through OCI to the VPC, or from an on-premises network through GCP to OCI.

Important Implications of Connecting Clouds

This section summarizes some access control, security, and performance implications of Oracle Interconnect for Google Cloud. In general, you can control access and traffic by using IAM policies, route tables in the VCN, and security rules in the VCN.

The sections that follow discuss implications from the perspective of a VCN. Similar implications affect a VPC. As with a VCN, you can use GCP resources such as route tables and network security groups to secure a VPC.

Controlling the Establishment of a Connection

With Oracle Cloud Infrastructure IAM policies, you can control:

Controlling Traffic Flow Over the Connection

Even if a connection has been established between VCN and VPC, you can control the packet flow over the connection with VCN route tables. For example, you can restrict traffic to only specific subnets in the VPC.

Without terminating the connection, you can stop traffic flow to the VPC by removing route rules that direct traffic from the VCN to the VPC. You can also effectively stop the traffic by removing any security rules that enable VPC ingress or egress traffic. This doesn't stop traffic flowing over the connection, but stops it at the VNIC level.

Controlling the Specific Types of Traffic Allowed

Ensure that all outbound and inbound traffic with the VPC is intended or expected and defined. Implement GCP security and Oracle security rules that explicitly state the types of traffic one cloud can send to the other and accept from the other.

Important

Oracle Cloud Infrastructure instances running Linux or Windows platform images also have firewall rules that control access to the instance. When troubleshooting access to an instance, ensure that the following items are set correctly: the network security groups that the instance is in, the security lists associated with the instance's subnet, and the instance's firewall rules.

If an instance is running Oracle Autonomous Linux 8.x, Oracle Autonomous Linux 7, Oracle Linux 8, Oracle Linux 7, or Oracle Linux Cloud Developer 8, you need to use firewalld to interact with the iptables rules. For reference, here are commands for opening a port (1521 in this example):

sudo firewall-cmd --zone=public --permanent --add-port=1521/tcp
sudo firewall-cmd --reload

For instances with an iSCSI boot volume, the preceding --reload command can cause problems. For details and a workaround, see Instances experience system hang after running firewall-cmd --reload.

In addition to using security rules and firewalls, evaluate other OS-based configuration on the instances in the VCN. There could be default configurations that don't apply to the VCN's CIDR, but inadvertently apply to the VPC's CIDR.

Using Default Security List Rules with the VCN

If the VCN's subnets use the default security list with the default rules, two rules in that list allow ingress traffic from anywhere (0.0.0.0/0, and thus the VPC):

  • Stateful ingress rule that allows TCP port 22 (SSH) traffic from 0.0.0.0/0 and any source port
  • Stateful ingress rule that allows ICMP type 3, code 4 traffic from 0.0.0.0/0 and any source port

Evaluate these rules and whether you want to keep or update them. As stated earlier, ensure that all allowed inbound or outbound traffic is intended or expected and defined.
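An added example (not Oracle's code or documentation): an offline audit of security-list ingress rules, modelled on the JSON shape of `oci network security-list list` output, that flags any CIDR source broader than the peered VPC, which is exactly what the two default rules above are once the interconnect is in place. The sample data is constructed and the VPC CIDR 10.1.0.0/16 is assumed.

```python
import ipaddress
import json

# Constructed sample in the shape of `oci network security-list list` JSON
# output; the first two rules mirror the page's two default ingress rules.
SAMPLE_SECURITY_LISTS = json.loads("""
{"data": [{"display-name": "Default Security List for vcn-example",
  "ingress-security-rules": [
    {"source": "0.0.0.0/0", "protocol": "6", "is-stateless": false,
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"source": "0.0.0.0/0", "protocol": "1", "is-stateless": false,
     "icmp-options": {"type": 3, "code": 4}},
    {"source": "10.1.0.0/16", "protocol": "6", "is-stateless": false,
     "tcp-options": {"destination-port-range": {"min": 1521, "max": 1521}}}
  ]}]}
""")

def describe_rule(rule):
    """Short summary of one ingress rule: protocol plus ports or ICMP type/code."""
    proto = rule.get("protocol")
    if proto == "6":
        r = (rule.get("tcp-options") or {}).get("destination-port-range") or {}
        return f"TCP {r.get('min', 'any')}-{r.get('max', 'any')}"
    if proto == "1":
        o = rule.get("icmp-options") or {}
        return f"ICMP type {o.get('type', 'any')} code {o.get('code', 'any')}"
    return f"protocol {proto}"

def find_overbroad_ingress(security_lists, vpc_cidr):
    """Return findings for ingress rules whose CIDR source strictly contains
    the peered VPC (0.0.0.0/0 admits the VPC, and everyone else as well)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sl in security_lists["data"]:
        for rule in sl.get("ingress-security-rules", []):
            try:
                net = ipaddress.ip_network(rule.get("source", ""))
            except ValueError:
                continue  # service-CIDR labels are not IP networks; skip them
            if net.version == vpc.version and vpc.subnet_of(net) and net != vpc:
                findings.append({"list": sl["display-name"],
                                 "source": str(net),
                                 "rule": describe_rule(rule),
                                 "fix": f"restrict source to {vpc} or remove the rule"})
    return findings
```

A rule already scoped to the VPC CIDR (the 1521/tcp rule in the sample) is not reported; only sources that also admit traffic from outside the VPC are.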

Preparing for Performance Impact and Security Risks

In general, prepare the VCN for the ways it could be affected by the VPC. For example, the load on the VCN or its instances could increase. Or the VCN could experience a malicious attack directly from or by way of the VPC.

Regarding performance: If the VCN is providing a service to the VPC, be prepared to scale up service to accommodate the demands of the VPC. This might mean being prepared to create more instances as necessary. Or if you're concerned about high levels of network traffic coming to the VCN, consider using stateless security rules to limit the level of connection tracking the VCN must perform. Stateless security rules can also help slow the impact of a denial-of-service (DoS) attack.

Regarding security risks: If the VPC is connected to the internet, the VCN can be exposed to bounce attacks. A bounce attack involves a malicious host on the internet sending traffic to the VCN that appears to be coming from the VPC. To guard against this, as mentioned earlier, use security rules to carefully limit the inbound traffic from the VPC to expected and defined traffic.

Setting up a Connection

This section describes how to set up Oracle Interconnect for Google Cloud (for background, see Overview of Supported Traffic).

The Google Cloud Platform side of this connection uses what Google refers to as "Partner Interconnect." The OCI side uses the FastConnect Oracle Partner method.

Prerequisites: Resources You Need

You must already have:

  • A GCP VPC with subnets, a Google Cloud Router, and service perimeters
  • An Oracle Cloud Infrastructure VCN with subnets and an attached dynamic routing gateway (DRG). Remember to attach the DRG to the VCN after you create it. If you already have Site-to-Site VPN or FastConnect between an on-premises network and VCN, then the VCN already has an attached DRG. You use that same DRG here when setting up the connection to GCP.
  • IAM permissions to configure the resources needed for the required OCI components.
  • A valid subscription in both OCI and GCP for the regions you want to connect

As a reminder, here is a table that lists the comparable networking components involved in each side of the connection.

Component | GCP | Oracle Cloud Infrastructure
Virtual network | Virtual Private Cloud (VPC) | VCN
Virtual circuit | VLAN attachment | FastConnect private virtual circuit
Gateway | Google Cloud Router | dynamic routing gateway (DRG)
Routing | route tables | route tables
Security rules | Service Perimeter | network security groups (NSGs) or security lists

Prerequisites: BGP Information You Need

The connection between the VPC and VCN uses BGP dynamic routing. When you set up the Oracle virtual circuit, you provide the BGP IP addresses used for the two redundant BGP sessions between Oracle and GCP:

  • A primary pair of BGP addresses (one IP address for the Oracle side, one IP address for the GCP side)
  • A separate, secondary pair of BGP addresses (one IP address for the Oracle side, one IP address for the GCP side)

For each pair, you must provide a separate block of addresses with a subnet mask from /28 to /31.

The second and third addresses in each address block are used for the BGP IP address pair.

  • The second address in the block is for the Oracle side of the BGP session
  • The third address in the block is for the GCP side of the BGP session

The first and last addresses in the block are used for other internal purposes. For example, if the CIDR is 10.0.0.20/30, then the addresses in the block are:

  • 10.0.0.20
  • 10.0.0.21: Use this for the Oracle side (in the Oracle Console, enter the address as 10.0.0.21/30)
  • 10.0.0.22: Use this for the GCP side (in the Oracle Console, enter the address as 10.0.0.22/30, and notice that this address is referred to as the "Customer" side in the Console)
  • 10.0.0.23

Remember that you must also provide a second block with the same size for the secondary BGP addresses. For example: 10.0.0.24/30. In this case, 10.0.0.25 is for the Oracle side, and 10.0.0.26 is for the GCP side. In the Oracle Console, you must enter these as 10.0.0.25/30 and 10.0.0.26/30.
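An added example (not Oracle's code) that applies the rules above: it derives the Oracle-side and GCP-side addresses from a BGP block and runs the pre-flight checks the page states (VCN and VPC CIDRs must not overlap; the two BGP blocks must be separate and the same size). Assumption not from the page: a /31 holds only two addresses, so the second-and-third-address rule cannot apply and the helper rejects it.

```python
import ipaddress

def bgp_pair(block_cidr):
    """Return (oracle_side, gcp_side) in the "address/prefix" form the Console
    expects. Per the page: second address = Oracle side, third address = GCP
    ("Customer") side. Assumption: /31 blocks are rejected, since the rule
    needs at least four addresses."""
    net = ipaddress.ip_network(block_cidr, strict=True)  # raises on host bits set
    if not 28 <= net.prefixlen <= 30:
        raise ValueError(f"{block_cidr}: prefix must be /28 to /30 for this helper")
    addrs = list(net)
    return (f"{addrs[1]}/{net.prefixlen}", f"{addrs[2]}/{net.prefixlen}")

def preflight(vcn_cidrs, vpc_cidrs, primary_block, secondary_block):
    """Check the page's constraints before provisioning. Returns a list of
    problems; an empty list means the addressing plan is consistent."""
    problems = []
    vcn = [ipaddress.ip_network(c) for c in vcn_cidrs]
    vpc = [ipaddress.ip_network(c) for c in vpc_cidrs]
    for a in vcn:
        for b in vpc:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"VCN CIDR {a} overlaps VPC CIDR {b}")
    p = ipaddress.ip_network(primary_block)
    s = ipaddress.ip_network(secondary_block)
    if p.overlaps(s):
        problems.append(f"BGP blocks {p} and {s} overlap; they must be separate")
    if p.prefixlen != s.prefixlen:
        problems.append("primary and secondary BGP blocks must be the same size")
    return problems

if __name__ == "__main__":
    # Constructed values matching the page's worked example.
    print(bgp_pair("10.0.0.20/30"), bgp_pair("10.0.0.24/30"))
    print(preflight(["10.0.0.0/16"], ["10.1.0.0/16"], "10.0.0.20/30", "10.0.0.24/30"))
```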

Prerequisites: Required IAM Policy

You must already have the necessary GCP access and Oracle Cloud Infrastructure IAM access to create and work with the relevant GCP and Oracle networking resources. If your user account is in the Administrators group, you probably have the required authority, otherwise a policy similar to this one covers all the Networking resources:

Allow group NetworkAdmins to manage virtual-network-family in tenancy

To only create and manage a virtual circuit, you must have a policy such as this:

Allow group VirtualCircuitAdmins to manage drgs in tenancy
Allow group VirtualCircuitAdmins to manage virtual-circuits in tenancy

For more information, see IAM Policies for Networking.

Overall Process

The following diagram shows the overall process of connecting a VPC and a VCN.

This swimlane diagram shows the steps for connecting a GCP VPC and an OCI VCN

Task 4 (Optional): Activate the Connection

This step is only required if you didn't preactivate the GCP VLAN attachments when you were provided the pairing keys in Task 2: Create a Google Cloud Interconnect VLAN attachment.

After configuration and provisioning have completed on the OCI side, if you didn't preactivate the GCP VLAN attachments, you receive an email notification from Google Cloud. After receiving the email, you must enable the VLAN attachment from the Google Cloud Console. Activating the connection and checking its activation status is required before you can verify that you have established connectivity with Google Cloud.

Managing Oracle Interconnect for Google Cloud