IPsec: GCP and OCI Classic

Some organizations use multiple Cloud Service Providers (CSPs) when deploying their cloud applications. The reason for this could be one of those discussed in Multi-Cloud Architectures.

Whatever the reasons for using multiple CSPs, we still need to connect the two CSP environments together. Connectivity can be provided either through a dedicated link or through an IPsec VPN tunnel over the public internet.

We will now take a look at how to connect Google Cloud Platform (GCP) with Oracle Cloud Infrastructure (OCI) Classic via an IPsec connection.

This is just a simple IKEv1 policy-based IPsec VPN between GCP and OCI Classic. Although GCP currently supports IKEv2 and dynamic routing, we will not be using these features as they are not yet supported on OCI Classic.

On GCP, we simply create a Virtual Private Cloud (VPC) and a subnet 172.16.10.0/24. We then create an instance with the IP address 172.16.10.2. Similarly, on OCI Classic, we create a subnet 192.168.100.0/24 and then create an instance with an IP address 192.168.100.2. The overall aim is to achieve connectivity between the instances in GCP and OCI Classic.


Configuring OCI Classic VPNaaS

1) Create IP Network

Create an IP Network as described in Oracle documentation – Creating an IP Network. In our scenario, we are creating an IP Network with subnet 192.168.100.0/24.

2) Create an Instance

Create an instance as described in Oracle documentation – Creating an Instance from the Instances Page. The instance created is attached to the IP Network and has an IP address of 192.168.100.2.

3) Create a vNICset

Create a vNICset as described in Oracle documentation – Creating a vNICset. At this stage, we should only attach the vNIC of the instance created in step 2. The Access Control List (ACL) will be created automatically by the VPNaaS (VPN orchestration), and we will attach it later in step 9.

4) Create a VPN Connection using VPNaaS

Create a VPN connection as described in Oracle documentation – Creating a Connection Using VPNaaS.

As shown below, the IP Network (192.168.100.0/24) is selected. We also attach the vNICset created earlier. The vNICset is a logical construct that associates vNIC of an instance with the Access Control List (ACL) that will allow traffic from the remote VPN network.

The customer gateway is the public IP address of the VPN gateway in Google cloud. The reachable network behind the Google VPN gateway is 172.16.10.0/24.

In this example, we selected the default IKE (Phase 1) and ESP (Phase 2) security associations. Google cloud supports all the security associations selected.

5) Verify Network Security Rules

Next, we verify the Security Rules created by the VPNaaS orchestration. View the Security Rules as described in Oracle documentation – Listing Security Rules for IP Networks. In this example, we can see both ingress and egress rules that allow traffic coming from the remote VPN subnet 172.16.10.0/24. This subnet can be seen in step 7 under IP Address Prefix Set. Essentially, these security rules will only allow traffic from the 172.16.10.0/24 subnet over the IPsec tunnel.

6) Verify Network Access Control List

Next, we verify the ACL created by the VPNaaS orchestration. View the ACL as described in Oracle documentation – Listing ACLs. This is the ACL under which the ingress and egress security rules seen in step 5 were created.

7) Verify IP Address Prefix Sets

We can verify that the VPNaaS orchestration has created an IP Address Prefix Set for the remote VPN subnet. This is the IP Address Prefix Set that is matched in the security rules created in step 5. View the IP Address Prefix Set as described in Oracle documentation – Listing IP Address Prefix Sets.

8) Create IP Route

Next, we need to let the Oracle cloud SDN controller know how to route traffic destined to remote subnet 172.16.10.0/24. To do this, we need to create a route.

9) Update vNICset

And finally, we add the ACL created by VPNaaS orchestration as a continuation of step 3. This associates the remote network ACL with the VNIC of the instance in Oracle cloud. The ACL created is vpn-acl-436787083b277a6414f750701801b49f. The default ACL in the image below is not part of the VPN tunnel configuration – this is just to allow access to the instance.


Configuring GCP VPN

1) Create VPC Network

First, we create a custom Virtual Private Cloud (VPC) network as described in Google documentation – Creating a new VPC network with custom subnets. In this example, we created a VPC with a subnet 172.16.10.0/24.

2) Create VPN Connection

Next, we create the VPN connection as described in Google documentation – Creating a VPN. The region selected is us-east1, which is the same region as the VPC. The VPN gateway static IP address 35.227.23.174 was created. This is the IP address used as the customer gateway when configuring the Oracle VPN connection described earlier.

3) Create VPN Tunnel

Next, we create the IPsec tunnel.

The remote peer address (129.158.68.67) is the static IP address of the Oracle cloud VPN gateway.

As Oracle cloud VPNaaS currently supports only IKEv1, we have selected IKEv1 on Google cloud as well.

Also, as Oracle cloud VPNaaS currently supports only policy-based VPN, we have used the static routing option when setting up the tunnel on Google cloud. Choosing static routing means we have to manually specify the local and remote networks (the traffic selectors), as required by a policy-based VPN configuration.

4) Create Firewall Rule for VPN Traffic

Lastly, we create a firewall rule to allow traffic through the IPsec tunnel as described in Google documentation – Creating Firewall Rules. In this example, we have created the rule to allow all IP addresses, protocols and ports because this is just a demo environment. In a production environment, you would want to limit the IPsec tunnel traffic to the exact IP addresses, protocols and ports required.
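The four GCP steps above, as an added example (not code from the original post), expressed as Classic VPN gcloud commands instead of console clicks. Subnets, region and peer IP are the post's values; the resource names, the placeholder project id and the SHARED_SECRET variable are assumptions, and the firewall rule is written the restricted way the post recommends for production rather than the allow-all demo rule.

```shell
#!/bin/sh
# Added example, not from the original post: GCP side of the GCP <-> OCI Classic
# IKEv1 policy-based tunnel. Names, project id and PSK variable are assumptions.
set -eu

GCLOUD="${GCLOUD:-gcloud}"         # set GCLOUD=echo to preview the commands without running them
PROJECT="${PROJECT:-my-project}"   # placeholder project id
REGION="us-east1"                  # same region as the VPC (post)
NETWORK="vpc-oci"                  # assumed VPC name, holds subnet 172.16.10.0/24
LOCAL_CIDR="172.16.10.0/24"        # GCP subnet (post)
REMOTE_CIDR="192.168.100.0/24"     # OCI Classic IP Network (post)
PEER_IP="129.158.68.67"            # OCI Classic VPN gateway (post)
GW_ADDR="vpn-gw-ip"                # assumed name for the reserved static IP (35.227.23.174 in the post)
SHARED_SECRET="${SHARED_SECRET:-}" # PSK, must match the OCI VPNaaS connection

create_gateway() {
  $GCLOUD compute addresses create "$GW_ADDR" --project "$PROJECT" --region "$REGION"
  $GCLOUD compute target-vpn-gateways create oci-vpn-gw \
    --project "$PROJECT" --region "$REGION" --network "$NETWORK"
  # Classic VPN needs forwarding rules for ESP, IKE (UDP/500) and NAT-T (UDP/4500)
  for spec in "esp:ESP:" "udp500:UDP:--ports 500" "udp4500:UDP:--ports 4500"; do
    name=${spec%%:*}; rest=${spec#*:}; proto=${rest%%:*}; ports=${rest#*:}
    $GCLOUD compute forwarding-rules create "oci-vpn-$name" \
      --project "$PROJECT" --region "$REGION" --address "$GW_ADDR" \
      --ip-protocol "$proto" $ports --target-vpn-gateway oci-vpn-gw
  done
}

create_tunnel() {
  [ -n "$SHARED_SECRET" ] || { echo "SHARED_SECRET is not set" >&2; return 1; }
  # IKEv1 plus explicit traffic selectors: the policy-based setup OCI Classic expects
  $GCLOUD compute vpn-tunnels create oci-tunnel \
    --project "$PROJECT" --region "$REGION" --target-vpn-gateway oci-vpn-gw \
    --peer-address "$PEER_IP" --ike-version 1 --shared-secret "$SHARED_SECRET" \
    --local-traffic-selector "$LOCAL_CIDR" --remote-traffic-selector "$REMOTE_CIDR"
  # Static route: traffic for the OCI subnet goes into the tunnel
  $GCLOUD compute routes create oci-route --project "$PROJECT" --network "$NETWORK" \
    --destination-range "$REMOTE_CIDR" \
    --next-hop-vpn-tunnel oci-tunnel --next-hop-vpn-tunnel-region "$REGION"
}

create_firewall() {
  # Scoped rule for production: only the OCI subnet, only ICMP and SSH, not allow-all
  $GCLOUD compute firewall-rules create allow-from-oci --project "$PROJECT" \
    --network "$NETWORK" --direction INGRESS --source-ranges "$REMOTE_CIDR" \
    --allow icmp,tcp:22
}

if [ "${DEPLOY:-0}" = 1 ]; then create_gateway; create_tunnel; create_firewall; fi
```

Run with `GCLOUD=echo SHARED_SECRET=x DEPLOY=1 sh vpn.sh` to review the exact commands before running them for real.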


Testing the IPsec VPN Connectivity

At this point, we have a working IPsec VPN connection between Oracle Cloud and Google Cloud.

On GCP, we can verify that the VPN connection status is up and running. This is indicated by the green tick seen next to the Remote peer IP address.

On the Oracle OCI Classic platform, we can verify that the VPN connection is up and running. This is indicated as Up/Ready in the Tunnel/Life Cycle Status column.

To verify actual network connectivity from the instances, we run ping tests in both directions. We are able to ping 192.168.100.2 (Oracle Cloud instance) from 172.16.10.2 (Google cloud instance).

And we are also able to ping 172.16.10.2 (Google cloud instance) from 192.168.100.2 (Oracle Cloud instance).
