Cross Connect Across OCI Tenancies through VCN Peering
In OCI, workloads are often distributed across different tenancies for reasons such as organizational separation or project isolation. In such cases, there may still be a requirement for private communication between resources hosted in separate tenancies. We will see how we can make the cross connectivity across regions.
In this exercise the tenancies are in the same region. We have used DRG to make the connectivity between them. Since both VCNs are in the same OCI region, this exercise uses a cross-tenancy VCN attachment to a DRG. RPC is used for DRG-to-DRG remote peering scenarios, commonly across regions or where separate DRGs are peered. In this article, we are not using RPC.
For this exercise we name the tenancies as below.
Requestor tenancy: owns the DRG.
Acceptor tenancy: owns the VCN that will be attached to the requestor DRG.
As per the prerequisites, we need OCID of both the tenancies
and we need an IAM group on both the side to manage this attachment. In this
exercise we have chosen Administrators group as we are going to have this setting
at tenancy level. DRG and VCN are
available already in the respective tenancies. For connectivity testing purpose,
we can windows VM at requestor tenancy and a Database VM in the acceptor tenancy.
Source Tenancy Name : Requestor
Requestor OCID: ocid1.tenancy.oc1..aaaaaaaacq5gprsqz26em4koaokcntrpey4adi7mzzgve53cm44ozbxa4z4a
IAM Group in Requestor: ocid1.group.oc1..aaaaaaaa5xhfg6q6pefhbvwmtvzelih2kiuxgjwf5bg6bfqseeewjapd5mha
VCN CIDR Range: 192.168.0.0/16
Target Tenancy Name: Acceptor
Acceptor OCID: ocid1.tenancy.oc1..aaaaaaaargwveli3zwyyeywzeex6x4zxqodjkbvnde4la7j5cckwioxqfncq
IAM Group name in Acceptor: ocid1.group.oc1..aaaaaaaat4idcm3dbat2zlgqar3wzvxkz4hqlxynwkyo3gztsbtgg4on2xhq
VCN CIDR Range: 10.0.0.0/16
At the requestor tenancy, Goto OCI Console -> Identity &
Security -> Policy.
Create Policy in root compartment. But if there is a
requirement that peering has to be done between particular compartment, then we
can create the policy in those compartments.
Click Policy editor and provide below policy statements.
Define tenancy AcceptorTenancy as
ocid1.tenancy.oc1..aaaaaaaargwveli3zwyyeywzeex6x4zxqodjkbvnde4la7j5cckwioxqfncq
Define group VCN-Admin as
ocid1.group.oc1..aaaaaaaat4idcm3dbat2zlgqar3wzvxkz4hqlxynwkyo3gztsbtgg4on2xhq
Endorse group Default/Administrators to manage
drg-attachment in tenancy AcceptorTenancy
Admit group VCN-Admin of tenancy AcceptorTenancy to manage
drg in tenancy
Endorse group Default/Administrators to manage
virtual-network-family in tenancy AcceptorTenancy
Let me explain the policy statements.
First statement defines the Acceptor tenancy OCID.
Second statement defines VCN-Admin as OCID of group available at acceptor
Third statement endorses that at acceptor tenancy the requestor tenancy group
(administrators) can manage DRG attachment. This is required since the VCN at
the acceptor going to be attached with DRG of requestor as shown in the
picture.
Fourth statement is equivalent of third, but in the reverse order.
Fifth statement is required to make the group to manage virtual network family
in acceptor tenancy. I was getting Privilege error without this statement. I
suggest not to ignore this policy.
After policy are entered, click create button to create the
policy.
At the Acceptor tenancy, Goto OCI Console -> Identity &
Security -> Policy.
Create Policy in root compartment. But if there is a
requirement that peering has to be done between particular compartment, then we
can create the policy in those compartments.
Click Policy editor and provide below policy statements.
Define tenancy RequestorTenancy as
ocid1.tenancy.oc1..aaaaaaaacq5gprsqz26em4koaokcntrpey4adi7mzzgve53cm44ozbxa4z4a
Define group DRG-Admin as
ocid1.group.oc1..aaaaaaaa5xhfg6q6pefhbvwmtvzelih2kiuxgjwf5bg6bfqseeewjapd5mha
Admit group DRG-Admin of tenancy RequestorTenancy to manage
virtual-network-family in tenancy
Admit group DRG-Admin of tenancy RequestorTenancy to manage
drg-attachment in tenancy
Endorse group Default/Administrators to manage drg in
tenancy RequestorTenancy
Let me explain the policy statements.
First statement defines the Requestor tenancy OCID.
Second statement defines DRG-Admin as OCID of group available at requestor
Third statement admits that DRG-Admin of tenancy can manage network in acceptor
tenancy. Again, I suggest not to this policy. I was getting privilege error
without this policy.
Fourth statement admits that DRG-Admin can also manage
drg-attachment in acceptor tenancy.
Fifth statement is endorses acceptor group (administrators)
can manage DRG in requestor tenancy.
Click Create and complete the policy creation.
Now we have created policies at both tenancies and we can go
ahead and create the connectivity.
In the Acceptor tenancy, open the DBVCN VCN.
Go to Resources → Dynamic Routing Gateway Attachments.
Click Create DRG Attachment.
Choose Another tenancy.
Provide the DRG OCID from the Requestor tenancy.
Create the attachment.
It will create Attachment with DRG.
You can find the cross-tenancy column as “Yes”.
The tenancies are connected now. You can find the same in
DRG of requestor.
In the requestor tenancy, Go to Networking -> Customer Connectivity
-> Dynamic Routing Gateway.
Choose the DRG. In the DRG page, move to Attachments section.
We could see VCN attachments.
This confirms that cross-tenancy connection is successful at
requestor side as well. But currently only connection has established, but
Security list and Route table needs to be updated to allow the connection s
between these tenancies. For quick lab validation, we temporarily allowed
broader traffic. For production, restrict the rules to the required ports and
source CIDRs.
Security list – Requestor
Route table – Requestor
Destination CIDR: 10.0.0.0/16
Target: DRG
Security list – Acceptor
Route table – Acceptor
Destination CIDR: 192.168.0.0/16
Target: DRG
Connectivity testing
Requestor Windows VM to VM database connectivity.
VM Database server to Windows VM
This completes the cross-tenancy network foundation. In the
next article, we will build on this setup and create a database link from an
OCI Autonomous Database private endpoint to the VM-based Oracle Database across
tenancies.
No comments:
Post a Comment