{"id":948,"date":"2026-04-17T05:57:36","date_gmt":"2026-04-17T05:57:36","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-networking-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity\/"},"modified":"2026-04-17T05:57:36","modified_gmt":"2026-04-17T05:57:36","slug":"oracle-cloud-networking-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-networking-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity\/","title":{"rendered":"Oracle Cloud Networking Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking, Edge, and Connectivity"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Networking, Edge, and Connectivity<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Oracle Cloud <strong>Networking<\/strong> (within Oracle Cloud Infrastructure, OCI) is the set of foundational services that let you design private networks in the cloud, connect them to the internet and to on-premises environments, and control traffic flow and security at multiple layers.<\/p>\n\n\n\n<p>In simple terms: <strong>Networking is how you create your cloud \u201cdata center network\u201d in Oracle Cloud<\/strong>\u2014you build a Virtual Cloud Network (VCN), carve it into subnets, decide which routes exist, and define what traffic is allowed in or out.<\/p>\n\n\n\n<p>Technically, Oracle Cloud Networking provides <strong>software-defined networking (SDN)<\/strong> primitives\u2014VCNs, subnets, route tables, gateways (Internet Gateway, NAT Gateway, Service Gateway), Dynamic Routing Gateway (DRG), peering, and security controls (Security Lists, Network Security Groups)\u2014that together define your <strong>network topology<\/strong>, <strong>connectivity<\/strong>, 
<strong>segmentation<\/strong>, and <strong>packet filtering<\/strong>. You attach compute, load balancers, and managed services to these networks and apply consistent routing and security.<\/p>\n\n\n\n<p>The problem it solves: <strong>secure, scalable, repeatable network design<\/strong> for cloud workloads\u2014whether you\u2019re building a simple web app, a multi-tier enterprise platform, or hybrid connectivity to on-premises networks\u2014without needing to manage physical routers, firewalls, and cabling.<\/p>\n\n\n\n<blockquote>\n<p>Service name check: In Oracle Cloud\/OCI, \u201cNetworking\u201d is the umbrella category used across console and documentation for VCN and related connectivity services. Core constructs like <strong>Virtual Cloud Network (VCN)<\/strong> and <strong>Dynamic Routing Gateway (DRG)<\/strong> are active and current. Some older patterns (for example, <strong>AD-specific subnets<\/strong>) still exist but Oracle recommends <strong>regional subnets<\/strong> for most new designs\u2014verify current best practices in the official docs.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is Networking?<\/h2>\n\n\n\n<p>Oracle Cloud <strong>Networking<\/strong> is OCI\u2019s core networking stack that lets you:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create isolated private networks (<strong>VCNs<\/strong>) in a region<\/li>\n<li>Segment them into <strong>subnets<\/strong><\/li>\n<li>Control packet flow with <strong>route tables<\/strong><\/li>\n<li>Provide connectivity via <strong>gateways<\/strong> (internet, NAT, service gateway)<\/li>\n<li>Connect networks together (peering) and connect to on-premises (IPSec VPN, FastConnect) typically via <strong>DRG<\/strong><\/li>\n<li>Enforce network security using <strong>Security Lists<\/strong> and <strong>Network Security Groups (NSGs)<\/strong><\/li>\n<li>Observe and troubleshoot traffic with tools like <strong>VCN Flow Logs<\/strong> and <strong>VTAP<\/strong> (traffic mirroring)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose (practical framing)<\/h3>\n\n\n\n<p>Networking provides the <strong>connectivity and security foundation<\/strong> required by nearly every other OCI service. 
Without Networking, you can\u2019t place compute instances in private address space, control ingress\/egress, or integrate hybrid connectivity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Virtual Cloud Networks (VCNs):<\/strong> Your private, software-defined network boundary<\/li>\n<li><strong>Subnets:<\/strong> Regional segments where you attach compute and other resources<\/li>\n<li><strong>Routing:<\/strong> Route tables that decide where traffic goes (e.g., to IGW\/NAT\/DRG)<\/li>\n<li><strong>Gateways:<\/strong> Internet, NAT, Service Gateway, plus peering gateways<\/li>\n<li><strong>Hybrid connectivity:<\/strong> IPSec VPN and FastConnect (commonly anchored via DRG)<\/li>\n<li><strong>Security controls:<\/strong> Security Lists (subnet-level) and NSGs (VNIC-level)<\/li>\n<li><strong>Addressing:<\/strong> IPv4 private addressing, public IPs, secondary IPs; IPv6 support exists (verify current constraints by region and feature set)<\/li>\n<li><strong>Observability:<\/strong> Flow logs, traffic mirroring (VTAP), and integration with OCI Logging\/Monitoring<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (high-level)<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Component<\/th>\n<th>What it is<\/th>\n<th>Typical use<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>VCN<\/td>\n<td>Regional virtual network<\/td>\n<td>Primary network container for workloads<\/td>\n<\/tr>\n<tr>\n<td>Subnet (public\/private)<\/td>\n<td>Segment of a VCN<\/td>\n<td>Tier separation (web\/app\/data), isolation<\/td>\n<\/tr>\n<tr>\n<td>Route table<\/td>\n<td>Routing rules for subnets<\/td>\n<td>Direct traffic to IGW\/NAT\/DRG, etc.<\/td>\n<\/tr>\n<tr>\n<td>Internet Gateway (IGW)<\/td>\n<td>Public internet routing target<\/td>\n<td>Public inbound\/outbound for public subnets<\/td>\n<\/tr>\n<tr>\n<td>NAT Gateway<\/td>\n<td>Outbound internet without inbound<\/td>\n<td>Private 
subnets needing updates\/package installs<\/td>\n<\/tr>\n<tr>\n<td>Service Gateway<\/td>\n<td>Private access to OCI services<\/td>\n<td>Access Object Storage, etc., without public internet<\/td>\n<\/tr>\n<tr>\n<td>DRG<\/td>\n<td>Virtual router for VCN edge<\/td>\n<td>Hub for VPN\/FastConnect\/peering\/transit routing<\/td>\n<\/tr>\n<tr>\n<td>LPG \/ RPC<\/td>\n<td>Peering constructs<\/td>\n<td>Connect VCNs in-region or cross-region<\/td>\n<\/tr>\n<tr>\n<td>Security List<\/td>\n<td>Subnet-level firewall rules<\/td>\n<td>Baseline controls (stateful)<\/td>\n<\/tr>\n<tr>\n<td>NSG<\/td>\n<td>VNIC-level firewall rules<\/td>\n<td>App-centric segmentation, preferred for many designs<\/td>\n<\/tr>\n<tr>\n<td>Public\/Private IPs<\/td>\n<td>Addresses for VNICs<\/td>\n<td>Public exposure, internal services<\/td>\n<\/tr>\n<tr>\n<td>DHCP options<\/td>\n<td>DNS\/search domain settings<\/td>\n<td>Control resolver\/search domain behavior<\/td>\n<\/tr>\n<tr>\n<td>Flow Logs \/ VTAP<\/td>\n<td>Traffic visibility<\/td>\n<td>Troubleshooting, security monitoring<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<p>Networking is an <strong>IaaS foundational service<\/strong> (software-defined networking). 
Many constructs are configuration objects (often low or no direct cost), while some connectivity services have usage-based pricing (for example, NAT Gateway, DRG, VPN\/FastConnect, and especially data egress).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Scope (regional\/global\/compartment)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VCNs are regional<\/strong> in OCI.<\/li>\n<li>Most Networking resources are <strong>regional<\/strong> and created within a <strong>compartment<\/strong> in your tenancy.<\/li>\n<li>Policies and governance are tenancy-wide but can be scoped to compartments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Oracle Cloud ecosystem<\/h3>\n\n\n\n<p>Networking underpins:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compute<\/strong> (instances require VNICs in a subnet)<\/li>\n<li><strong>Load Balancing<\/strong> (LBs attach to subnets)<\/li>\n<li><strong>Kubernetes (OKE)<\/strong> (pods\/services rely on VCN\/subnets; CNI behavior depends on the OKE networking mode)<\/li>\n<li><strong>Database services<\/strong> (DB Systems, Exadata Cloud Service, etc. are placed into VCN\/subnets)<\/li>\n<li><strong>Security and monitoring<\/strong> (Audit, Logging, Monitoring, and Cloud Guard signals often depend on network telemetry)<\/li>\n<\/ul>\n\n\n\n<p>Official documentation entry points (start here):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Networking overview: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Concepts\/overview.htm<\/li>\n<li>VCN: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Concepts\/virtualcloudnetwork.htm<\/li>\n<li>DRG: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Tasks\/managingDRGs.htm (verify latest DRG docs section names)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Networking?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster time to market:<\/strong> Build network environments in minutes rather than procuring physical gear.<\/li>\n<li><strong>Standardization:<\/strong> Use reusable blueprints (VCN patterns, Terraform modules) across teams.<\/li>\n<li><strong>Hybrid readiness:<\/strong> Many enterprises need secure connectivity to on-prem; DRG + VPN\/FastConnect provide a structured approach.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Isolation:<\/strong> Each VCN is an isolated address space and routing domain.<\/li>\n<li><strong>Segmentation:<\/strong> Subnets + NSGs enable tiered architectures and least-privilege network policies.<\/li>\n<li><strong>Control of ingress\/egress:<\/strong> You decide what is public, what is private, and how traffic flows.<\/li>\n<li><strong>Scalable routing:<\/strong> Hub-and-spoke patterns with DRG simplify multi-VCN connectivity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Repeatability:<\/strong> Infrastructure-as-code (Terraform\/OCI CLI) supports consistent builds.<\/li>\n<li><strong>Observability:<\/strong> Flow logs and traffic mirroring help troubleshoot connectivity issues faster.<\/li>\n<li><strong>Change control:<\/strong> Route tables and security rules can be audited and versioned (with IaC).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Policy-driven access:<\/strong> OCI IAM policies govern who can change network topology.<\/li>\n<li><strong>Private service access:<\/strong> Service Gateway reduces reliance on public internet for OCI service access.<\/li>\n<li><strong>Compartmentalization:<\/strong> Separate environments (dev\/test\/prod) into 
compartments with independent network policies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regional VCN design:<\/strong> Avoid availability-domain-specific networking constraints (where possible) and support multi-AD or multi-fault-domain deployments.<\/li>\n<li><strong>Private backbone:<\/strong> OCI provides regional connectivity and private access to OCI services (where supported) to reduce exposure and improve reliability.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need <strong>any<\/strong> OCI workload beyond the most basic public service usage.<\/li>\n<li>You are building <strong>multi-tier apps<\/strong>, <strong>private databases<\/strong>, or <strong>hybrid connectivity<\/strong>.<\/li>\n<li>You need <strong>segmentation<\/strong> (NSGs), <strong>controlled egress<\/strong>, and <strong>auditable network changes<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it (or should keep it minimal)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If your workload is entirely <strong>SaaS<\/strong> and doesn\u2019t require OCI compute\/network placement.<\/li>\n<li>If you only need a managed service endpoint and <strong>no private compute<\/strong> (rare in OCI architectures).<\/li>\n<li>If you\u2019re prototyping and want to minimize complexity: start with the simplest VCN + subnets pattern, then iterate.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Networking used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Financial services:<\/strong> Segmented networks, strict egress control, hybrid connectivity.<\/li>\n<li><strong>Healthcare:<\/strong> Compliance-driven isolation and logging.<\/li>\n<li><strong>Retail\/e-commerce:<\/strong> Public web tiers + private app\/data tiers, global operations.<\/li>\n<li><strong>Manufacturing\/IoT:<\/strong> Hybrid connectivity to factories, private telemetry pipelines.<\/li>\n<li><strong>Public sector:<\/strong> Compartmentalized multi-environment design and governance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud\/platform engineering teams building landing zones<\/li>\n<li>Network engineering teams extending enterprise networks<\/li>\n<li>DevOps\/SRE teams owning environment reliability<\/li>\n<li>Security teams implementing segmentation and monitoring<\/li>\n<li>Application teams deploying into shared VCNs (with guardrails)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Web applications (public + private tiers)<\/li>\n<li>Microservices on OKE<\/li>\n<li>Oracle and non-Oracle databases in private subnets<\/li>\n<li>Batch processing needing outbound access via NAT<\/li>\n<li>Hybrid workloads spanning on-prem and OCI<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single-VCN simple deployment (dev\/test)<\/li>\n<li>Multi-tier VCN (web\/app\/data) for production<\/li>\n<li>Hub-and-spoke multi-VCN topology with DRG as transit hub<\/li>\n<li>Multi-region with remote peering, disaster recovery, and replicated services<\/li>\n<li>Shared services VCN (DNS, bastion, logging collectors) plus application VCNs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Production:<\/strong> Strong segmentation, dedicated route tables, DRG-based hybrid, flow logs, tagging, change management.<\/li>\n<li><strong>Dev\/test:<\/strong> Minimal topology, tighter cost controls, simplified rules; often still uses private subnets and NAT to mimic production.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Oracle Cloud Networking is the enabling foundation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Build a secure two-tier web application<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Web tier must be public; app tier must be private.<\/li>\n<li><strong>Why Networking fits:<\/strong> Public subnet + IGW for load balancer\/web; private subnet + NAT for app egress; NSGs for tier rules.<\/li>\n<li><strong>Example:<\/strong> Public LB forwards to web instances; web talks to private app instances on TCP 8080; DB in private subnet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Private database with controlled egress<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Database servers must not have public IPs but need OS patching.<\/li>\n<li><strong>Why it fits:<\/strong> Private subnet + NAT Gateway for outbound; no IGW route on DB subnet.<\/li>\n<li><strong>Example:<\/strong> Oracle Linux DB nodes pull updates via NAT; inbound only from app NSG.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Hybrid connectivity to on-premises via IPSec VPN<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Extend corporate network to OCI securely.<\/li>\n<li><strong>Why it fits:<\/strong> DRG provides attachment point; IPSec VPN offers encrypted tunnels.<\/li>\n<li><strong>Example:<\/strong> On-prem CIDR routes to VCN CIDR through VPN; apps access on-prem AD\/LDAP.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">4) Dedicated private connectivity via FastConnect<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Need predictable bandwidth\/latency and avoid public internet for enterprise traffic.<\/li>\n<li><strong>Why it fits:<\/strong> FastConnect integrates with DRG and enterprise WAN.<\/li>\n<li><strong>Example:<\/strong> ERP system uses FastConnect to reach OCI databases with consistent performance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Multi-VCN hub-and-spoke transit routing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Multiple application VCNs must connect to shared services and on-prem without full mesh complexity.<\/li>\n<li><strong>Why it fits:<\/strong> DRG as hub; route tables and attachments create scalable connectivity.<\/li>\n<li><strong>Example:<\/strong> Shared services VCN hosts DNS and logging collectors; spokes host apps per BU.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Microsegmentation with NSGs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Subnet-level rules are too coarse; need app-centric controls.<\/li>\n<li><strong>Why it fits:<\/strong> NSGs apply to VNICs; rules reference NSGs (not IP ranges).<\/li>\n<li><strong>Example:<\/strong> Only payment service pods\/instances can talk to DB port 1521.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Secure outbound-only subnets for build agents<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> CI runners need to download dependencies but must not accept inbound.<\/li>\n<li><strong>Why it fits:<\/strong> Private subnet + NAT; no public IPs; tight NSG egress rules.<\/li>\n<li><strong>Example:<\/strong> Build agents pull from package repos and push artifacts to OCI Object Storage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Isolate environments with compartments and separate VCNs<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Reduce blast radius between dev\/test\/prod.<\/li>\n<li><strong>Why it fits:<\/strong> Separate VCNs per environment; IAM policies per compartment.<\/li>\n<li><strong>Example:<\/strong> Prod VCN has DRG + VPN; dev VCN has internet-only access and stricter budgets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Cross-region connectivity for disaster recovery<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Need app failover between regions.<\/li>\n<li><strong>Why it fits:<\/strong> Remote peering (via DRG) supports inter-region VCN connectivity patterns.<\/li>\n<li><strong>Example:<\/strong> Primary region services replicate to DR region; private traffic stays on Oracle backbone.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Traffic visibility for incident response<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Need packet\/flow insight without installing agents everywhere.<\/li>\n<li><strong>Why it fits:<\/strong> VCN Flow Logs and VTAP help observe traffic patterns and investigate anomalies.<\/li>\n<li><strong>Example:<\/strong> Enable flow logs on subnets; mirror suspicious VNIC traffic to an IDS sensor.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Private access to OCI services without internet exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Workloads must access OCI services without routing to public internet.<\/li>\n<li><strong>Why it fits:<\/strong> Service Gateway routes to OCI Services Network.<\/li>\n<li><strong>Example:<\/strong> Private compute writes logs to Object Storage while remaining non-public.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Secure admin access pattern using a bastion\/jump host<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Admin SSH\/RDP must not be open to the internet for private servers.<\/li>\n<li><strong>Why it 
fits:<\/strong> Public subnet jump host; private subnets for targets; NSGs restrict SSH to jump host only.<\/li>\n<li><strong>Example:<\/strong> Only jump host has public IP; admins SSH to jump then to private instances.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<p>This section focuses on <strong>current, commonly used OCI Networking features<\/strong>. Some features vary by region\u2014verify availability in official docs and your tenancy.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Virtual Cloud Network (VCN)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Creates a private, isolated network in a region with your chosen CIDR blocks.<\/li>\n<li><strong>Why it matters:<\/strong> It\u2019s the top-level boundary for routing, segmentation, and security.<\/li>\n<li><strong>Practical benefit:<\/strong> You can mirror on-prem network concepts (subnets, routing, firewalling) in OCI.<\/li>\n<li><strong>Caveats:<\/strong> Plan CIDRs carefully to avoid overlaps with on-prem or other VCNs (important for peering\/hybrid).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional subnets (recommended)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> A subnet spans the whole region (not tied to a single availability domain).<\/li>\n<li><strong>Why it matters:<\/strong> Simplifies high availability patterns and reduces operational complexity.<\/li>\n<li><strong>Practical benefit:<\/strong> You can deploy resources across availability domains without changing subnet design.<\/li>\n<li><strong>Caveats:<\/strong> OCI still supports AD-specific subnets in some contexts; Oracle\u2019s guidance generally favors regional subnets for new deployments\u2014verify current guidance in VCN docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Route tables<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Defines 
routes for traffic leaving a subnet (destination CIDR\/service + next hop).<\/li>\n<li><strong>Why it matters:<\/strong> Most connectivity issues are routing-related; route tables make traffic flow explicit.<\/li>\n<li><strong>Practical benefit:<\/strong> Separate route tables per tier (public vs private) for clearer intent.<\/li>\n<li><strong>Caveats:<\/strong> Route rules must align with gateways and security rules; avoid overly broad \u201c0.0.0.0\/0 everywhere\u201d in private tiers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Internet Gateway (IGW)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enables public internet routing for a VCN.<\/li>\n<li><strong>Why it matters:<\/strong> Required for public subnets to send\/receive internet traffic.<\/li>\n<li><strong>Practical benefit:<\/strong> Public-facing workloads (LB, web) become reachable.<\/li>\n<li><strong>Caveats:<\/strong> IGW alone doesn\u2019t make instances public; they also need public IPs and security rules.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">NAT Gateway<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Allows instances in private subnets to initiate outbound connections to the internet without accepting inbound connections.<\/li>\n<li><strong>Why it matters:<\/strong> Common for patching, package downloads, and external API calls without exposing servers.<\/li>\n<li><strong>Practical benefit:<\/strong> Stronger security posture for private tiers.<\/li>\n<li><strong>Caveats:<\/strong> NAT Gateway typically has <strong>hourly and\/or data processing charges<\/strong> (verify current pricing). 
Also, your egress traffic is still subject to data transfer pricing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service Gateway<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enables private access from a VCN to selected OCI services via the <strong>OCI Services Network<\/strong>.<\/li>\n<li><strong>Why it matters:<\/strong> Reduces internet exposure and can simplify compliance posture.<\/li>\n<li><strong>Practical benefit:<\/strong> Private workloads can reach services like Object Storage without traversing the public internet.<\/li>\n<li><strong>Caveats:<\/strong> Not all services are available through Service Gateway; availability is region-dependent. Verify supported services list in docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dynamic Routing Gateway (DRG)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Acts like a virtual edge router for VCNs; central point for attachments (VCNs, IPSec VPN, FastConnect, remote peering).<\/li>\n<li><strong>Why it matters:<\/strong> Enables scalable hybrid and multi-VCN designs.<\/li>\n<li><strong>Practical benefit:<\/strong> Hub-and-spoke topologies become manageable; simplifies routing domains.<\/li>\n<li><strong>Caveats:<\/strong> DRG is often billable (hourly). 
Routing configuration requires careful design (route tables on both VCN side and DRG side).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Local peering and remote peering<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Connects VCNs privately (within region via local peering; across regions via remote peering).<\/li>\n<li><strong>Why it matters:<\/strong> Avoids hairpinning traffic through the internet; supports shared services and DR.<\/li>\n<li><strong>Practical benefit:<\/strong> Private IP connectivity between VCNs.<\/li>\n<li><strong>Caveats:<\/strong> CIDR overlap is not allowed; route tables and security rules must explicitly allow traffic.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security Lists (subnet-level)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Stateful virtual firewall rules applied at subnet level.<\/li>\n<li><strong>Why it matters:<\/strong> Basic security layer for controlling ingress\/egress.<\/li>\n<li><strong>Practical benefit:<\/strong> Simple baseline for small environments.<\/li>\n<li><strong>Caveats:<\/strong> Coarse-grained\u2014harder to manage at scale when many apps share a subnet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network Security Groups (NSGs) (VNIC-level)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Stateful security rules applied to VNICs (instances, LBs, etc.).<\/li>\n<li><strong>Why it matters:<\/strong> Enables microsegmentation independent of subnet membership.<\/li>\n<li><strong>Practical benefit:<\/strong> Easier least-privilege: allow \u201capp servers\u201d to talk to \u201cdb servers\u201d without hardcoding IPs.<\/li>\n<li><strong>Caveats:<\/strong> Requires disciplined NSG design and naming; avoid rule sprawl.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Public IPs and private IPs (VNIC\/IP management)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> 
Assigns public IPs (ephemeral or reserved) and private IPs (primary\/secondary) to VNICs.<\/li>\n<li><strong>Why it matters:<\/strong> Public reachability and internal service addressing depend on it.<\/li>\n<li><strong>Practical benefit:<\/strong> You can keep servers private and only expose LBs or bastions.<\/li>\n<li><strong>Caveats:<\/strong> Track public IP usage to avoid accidental exposure; reserved public IPs may be preferred for stable endpoints.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">DHCP options and DNS behavior<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Controls DNS server type (VCN resolver), search domain, and options.<\/li>\n<li><strong>Why it matters:<\/strong> Name resolution issues can look like connectivity issues.<\/li>\n<li><strong>Practical benefit:<\/strong> Standardize DNS\/search domain across subnets.<\/li>\n<li><strong>Caveats:<\/strong> Custom DNS requirements may involve additional OCI DNS capabilities\u2014verify requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">VCN Flow Logs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Captures flow metadata (source\/destination\/ports\/accept\/deny) for traffic in a VCN\/subnet.<\/li>\n<li><strong>Why it matters:<\/strong> Critical for troubleshooting and security investigations.<\/li>\n<li><strong>Practical benefit:<\/strong> Identify which rule blocked traffic, see unexpected egress destinations.<\/li>\n<li><strong>Caveats:<\/strong> Generates logging volume (cost). 
Plan retention and filtering.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">VTAP (traffic mirroring)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Mirrors traffic from a VNIC to a target (e.g., IDS appliance).<\/li>\n<li><strong>Why it matters:<\/strong> Deep packet inspection and advanced troubleshooting.<\/li>\n<li><strong>Practical benefit:<\/strong> Supports security tooling without inline deployment.<\/li>\n<li><strong>Caveats:<\/strong> Adds operational complexity and potential cost; ensure privacy\/compliance review.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>OCI Networking is <strong>software-defined<\/strong>. You define configuration objects (VCN, subnets, route tables, gateways, security rules). OCI enforces those rules in the data plane.<\/p>\n\n\n\n<p>Key concept: <strong>Security and routing are independent.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Routing decides <strong>where<\/strong> packets go.<\/li>\n<li>Security Lists\/NSGs decide <strong>whether<\/strong> packets are allowed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Control flow vs data flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane:<\/strong> You create\/modify networking resources via OCI Console, OCI CLI, SDKs, or Terraform. IAM policies govern who can do what.<\/li>\n<li><strong>Data plane:<\/strong> Packets flow between VNICs, gateways, and attachments according to route tables and security rules.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Typical request flow examples<\/h3>\n\n\n\n<p><strong>Example A: Public web request to a public instance<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Client on the internet sends traffic to a public IP.<\/li>\n<li>Internet Gateway is the route target for 0.0.0.0\/0 on the public subnet route table.<\/li>\n<li>Security List\/NSG ingress rules must allow the port (e.g., 443).<\/li>\n<li>Instance receives traffic on its VNIC.<\/li>\n<\/ol>\n\n\n\n<p><strong>Example B: Private instance outbound to internet<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Private instance sends traffic to 0.0.0.0\/0.<\/li>\n<li>Private subnet route table sends 0.0.0.0\/0 to NAT Gateway.<\/li>\n<li>NAT Gateway performs source NAT and sends traffic to the internet.<\/li>\n<li>Return traffic is allowed due to stateful tracking.<\/li>\n<\/ol>\n\n\n\n<p><strong>Example C: Private instance to on-prem<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Private instance sends traffic to on-prem CIDR (e.g., 10.10.0.0\/16).<\/li>\n<li>Subnet route table sends that CIDR to DRG.<\/li>\n<li>DRG forwards to IPSec VPN or FastConnect attachment based on DRG route rules.<\/li>\n<li>On-prem receives and returns traffic.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related OCI services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compute:<\/strong> Instances attach via VNICs to subnets and NSGs.<\/li>\n<li><strong>Load Balancer:<\/strong> Attaches to subnets; NSGs\/security lists control frontend\/backends.<\/li>\n<li><strong>OKE (Kubernetes):<\/strong> Uses VCN subnets and security rules; design depends on OKE networking mode.<\/li>\n<li><strong>Logging\/Monitoring:<\/strong> Flow logs and metrics integrate with OCI Logging and Monitoring services.<\/li>\n<li><strong>IAM:<\/strong> Policies define who can manage network objects (virtual-network-family).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IAM<\/strong> for access control and compartments<\/li>\n<li><strong>Logging\/Monitoring<\/strong> for observability (recommended)<\/li>\n<li><strong>Compute<\/strong> for hands-on validation (instances to test connectivity)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>API calls to manage Networking require OCI API authentication (Console user session, API keys, instance principals, etc.).<\/li>\n<li>IAM policies define permissions such 
as <code>manage virtual-network-family<\/code>.<\/li>\n<li>Network security enforcement is done using <strong>stateful firewall rules<\/strong> (security lists and NSGs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model (key behaviors)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Subnet routing is controlled by <strong>route tables attached to subnets<\/strong>.<\/li>\n<li>Security Lists apply to <strong>all VNICs in the subnet<\/strong>; NSGs apply to <strong>specific VNICs<\/strong>.<\/li>\n<li>Many OCI networking rules are <strong>stateful<\/strong> by default (return traffic allowed).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable <strong>VCN Flow Logs<\/strong> on critical subnets (or selectively) and ship to a central log group.<\/li>\n<li>Use <strong>tags<\/strong> (defined tags\/free-form tags) for cost allocation and governance (e.g., <code>env<\/code>, <code>app<\/code>, <code>owner<\/code>, <code>cost-center<\/code>).<\/li>\n<li>Use compartments and IAM guardrails to separate responsibilities (network team vs app team).<\/li>\n<li>Track service limits (VCNs per region, route rules per route table, NSGs per VNIC, etc.)\u2014see OCI Service Limits.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  Internet((Internet))\n  IGW[Internet Gateway]\n  NAT[NAT Gateway]\n  VCN[VCN: 10.0.0.0\/16]\n  PubSubnet[Public Subnet\\n10.0.1.0\/24]\n  PrivSubnet[Private Subnet\\n10.0.2.0\/24]\n  Web[Compute: Web\/Bastion\\nPublic IP]\n  App[Compute: App\\nPrivate IP]\n\n  Internet --&gt; IGW --&gt; PubSubnet --&gt; Web\n  PrivSubnet --&gt; NAT --&gt; Internet\n  Web --&gt; App\n  VCN --- PubSubnet\n  VCN --- PrivSubnet\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (hybrid + 
multi-tier)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  OnPrem[On-Prem Network\\n10.10.0.0\/16]\n  VPN[IPSec VPN or FastConnect]\n  DRG[Dynamic Routing Gateway]\n  VCNHub[Hub VCN\\nShared Services]\n  VCNApp[App VCN\\nProd]\n  VCNDev[App VCN\\nDev\/Test]\n\n  subgraph Hub[Hub VCN]\n    HubPub[Public Subnet\\nIngress]\n    HubPriv[Private Subnet\\nShared Services]\n    Bastion[Bastion \/ Admin Access]\n    DNS[DNS\/Resolvers\\n(if used)]\n  end\n\n  subgraph Prod[Prod VCN]\n    WebSubnet[Public Subnet\\nLB\/Web]\n    AppSubnet[Private Subnet\\nApp]\n    DbSubnet[Private Subnet\\nDB]\n    LB[Load Balancer]\n    AppNodes[App Nodes]\n    DB[DB System]\n    NATP[NAT Gateway]\n    SvcG[Service Gateway]\n  end\n\n  OnPrem &lt;--&gt; VPN &lt;--&gt; DRG\n  DRG --- VCNHub\n  DRG --- VCNApp\n  DRG --- VCNDev\n\n  LB --&gt; AppNodes --&gt; DB\n  AppSubnet --&gt; NATP --&gt; Internet((Internet))\n  AppSubnet --&gt; SvcG --&gt; OCI_Services[OCI Services Network\\nObject Storage, etc.]\n\n  Bastion --&gt; AppNodes\n  HubPub --&gt; Bastion\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Tenancy\/account requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An <strong>Oracle Cloud (OCI) tenancy<\/strong> with permission to create Networking resources.<\/li>\n<li>A <strong>compartment<\/strong> to organize lab resources (recommended).<\/li>\n<li>Billing: While many networking constructs are free, <strong>Compute instances and data egress<\/strong> can incur costs. 
Use <strong>Always Free<\/strong> eligible shapes where available (verify Always Free eligibility in your region).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM policies<\/h3>\n\n\n\n<p>At minimum for the lab, your user\/group should be allowed to manage:\n&#8211; Networking resources (VCN, subnets, gateways, NSGs)\n&#8211; Compute instances (to validate connectivity)<\/p>\n\n\n\n<p>Example policy statements (adjust compartment names):\n&#8211; <code>Allow group NetworkAdmins to manage virtual-network-family in compartment &lt;compartment&gt;<\/code>\n&#8211; <code>Allow group NetworkAdmins to manage instance-family in compartment &lt;compartment&gt;<\/code><\/p>\n\n\n\n<p>If your organization separates duties, you might only get <code>use<\/code> permissions for networking and <code>manage<\/code> for instances. For official IAM syntax and best practices, verify IAM docs:\n&#8211; IAM overview: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/Concepts\/overview.htm<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<p>You can do the lab entirely in the <strong>OCI Console<\/strong>. Optional tools:\n&#8211; <strong>OCI Cloud Shell<\/strong> (recommended for CLI commands without local setup): https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/Concepts\/cloudshellintro.htm\n&#8211; <strong>OCI CLI<\/strong> docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/Concepts\/cliconcepts.htm\n&#8211; SSH client:\n  &#8211; macOS\/Linux: <code>ssh<\/code>\n  &#8211; Windows: PowerShell\/OpenSSH or PuTTY<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VCN and core networking are broadly available across OCI regions.<\/li>\n<li>Specific connectivity offerings (FastConnect locations, some service gateway service lists, IPv6 features, etc.) 
can vary\u2014verify in official docs for your region.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI enforces <strong>service limits<\/strong> (per region\/tenancy\/compartment).<\/li>\n<li>Before production builds, review limits for:<\/li>\n<li>number of VCNs, subnets, route tables<\/li>\n<li>route rules per route table<\/li>\n<li>NSGs and rules<\/li>\n<li>DRG attachments<\/li>\n<li>Service limits: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/General\/Concepts\/servicelimits.htm<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<p>For the hands-on tutorial, you\u2019ll use:\n&#8211; Networking (VCN, subnets, gateways, NSGs)\n&#8211; Compute (2 instances for validation)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>Oracle Cloud Networking pricing is a mix of:\n&#8211; <strong>No-charge configuration objects<\/strong> (commonly VCNs, subnets, route tables, NSGs, security lists)\n&#8211; <strong>Usage-based connectivity services<\/strong> (commonly NAT Gateway, DRG, IPSec VPN, FastConnect)\n&#8211; <strong>Data transfer charges<\/strong> (especially outbound data egress to the internet)<\/p>\n\n\n\n<p>Because pricing can vary by region and may change, use official sources:\n&#8211; OCI Pricing page (Networking section): https:\/\/www.oracle.com\/cloud\/price-list\/\n&#8211; OCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html (verify current URL\/availability)\n&#8211; OCI Free Tier overview: https:\/\/www.oracle.com\/cloud\/free\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (typical)<\/h3>\n\n\n\n<p>Verify exact SKUs in the pricing page for your region, but expect dimensions such as:\n&#8211; <strong>Per hour<\/strong>: NAT Gateway, DRG, VPN connections (often hourly), FastConnect port charges\n&#8211; <strong>Per GB processed<\/strong>: NAT 
Gateway data processing, possibly other gateway services\n&#8211; <strong>Data transfer (egress)<\/strong>:\n  &#8211; Internet egress is commonly billable per GB beyond any free allowances\n  &#8211; Intra-region traffic pricing rules vary by service and path\u2014verify in pricing docs<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Many foundational configuration objects cost $0.<\/li>\n<li>Always Free may include limited compute capacity suitable for labs.<\/li>\n<li><strong>Data egress<\/strong> and certain gateway services may still incur cost even in a \u201cfree-ish\u201d lab if you generate traffic.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Direct cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>NAT Gateway hours<\/strong> (if enabled)<\/li>\n<li><strong>DRG hours<\/strong> (if used)<\/li>\n<li><strong>VPN connection hours<\/strong><\/li>\n<li><strong>FastConnect port<\/strong> and provider charges (enterprise)<\/li>\n<li><strong>Data egress to internet<\/strong> (updates, downloads, API calls, user traffic)<\/li>\n<li><strong>Logging volume<\/strong> (Flow Logs stored in Logging can incur ingestion\/storage costs\u2014verify)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Flow logs retention<\/strong>: storing large volumes of logs<\/li>\n<li><strong>Packet mirroring (VTAP)<\/strong>: can increase network traffic and downstream capture storage\/processing<\/li>\n<li><strong>Cross-region traffic<\/strong>: disaster recovery replication can be expensive<\/li>\n<li><strong>Public load balancers<\/strong>: separate service with its own pricing<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost (without breaking security)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Service Gateway<\/strong> where applicable to access OCI services without public 
internet exposure (cost impact depends on service and data transfer rules\u2014verify).<\/li>\n<li>Keep NAT Gateways only in environments that need them; consider scheduling non-prod environments.<\/li>\n<li>Restrict outbound traffic (NSG egress) to reduce accidental data transfer.<\/li>\n<li>Right-size log collection: enable Flow Logs where needed, tune retention.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n<p>A minimal lab commonly includes:\n&#8211; 1 VCN, 2 subnets, route tables, NSGs (typically $0)\n&#8211; 2 small compute instances (Always Free eligible if available)\n&#8211; Optional NAT Gateway (hourly + data processing charges\u2014verify current rates)\n&#8211; Light outbound traffic for OS updates (possible egress costs depending on your region and free allowances)<\/p>\n\n\n\n<p>Use the official cost estimator and plug in:\n&#8211; region\n&#8211; NAT Gateway hours (if used)\n&#8211; estimated monthly outbound GB<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, recurring cost often comes from:\n&#8211; DRG + attachments (hourly)\n&#8211; VPN\/FastConnect (hourly + port\/provider)\n&#8211; Significant internet egress from user traffic\n&#8211; Centralized flow logging and long retention\n&#8211; Multi-region replication traffic<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Build a <strong>secure VCN<\/strong> in Oracle Cloud Networking with:\n&#8211; One <strong>public subnet<\/strong> (bastion\/jump host)\n&#8211; One <strong>private subnet<\/strong> (private app host)\n&#8211; <strong>Internet Gateway<\/strong> for public subnet\n&#8211; <strong>NAT Gateway<\/strong> for private subnet outbound-only internet access\n&#8211; <strong>NSGs<\/strong> to enforce least privilege\n&#8211; Validation using SSH and outbound connectivity checks\n&#8211; Full cleanup at the end<\/p>\n\n\n\n<p>This lab is designed to be <strong>low-risk and low-cost<\/strong>. Use Always Free compute shapes if available in your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will create:\n&#8211; VCN: <code>10.0.0.0\/16<\/code>\n&#8211; Public subnet: <code>10.0.1.0\/24<\/code> (has route to IGW)\n&#8211; Private subnet: <code>10.0.2.0\/24<\/code> (has route to NAT)\n&#8211; Compute instance <code>bastion01<\/code> in public subnet (has public IP)\n&#8211; Compute instance <code>app01<\/code> in private subnet (no public IP)\n&#8211; NSGs:\n  &#8211; <code>nsg-bastion<\/code>: allow inbound SSH from your IP\n  &#8211; <code>nsg-app<\/code>: allow inbound SSH only from <code>nsg-bastion<\/code>\n&#8211; Optional: Enable a basic Flow Log on one subnet (optional step, cost-aware)<\/p>\n\n\n\n<p>Expected outcome:\n&#8211; You can SSH from your laptop to <code>bastion01<\/code>.\n&#8211; You can SSH from <code>bastion01<\/code> to <code>app01<\/code> over private IP.\n&#8211; <code>app01<\/code> can reach the internet outbound via NAT (but cannot be reached inbound from the internet).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create (or choose) a compartment<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the OCI Console, open the navigation menu \u2192 <strong>Identity &amp; 
Security<\/strong> \u2192 <strong>Compartments<\/strong>.<\/li>\n<li>Click <strong>Create Compartment<\/strong>.<\/li>\n<li>Name: <code>lab-networking<\/code><\/li>\n<li>Parent compartment: your root compartment (or as per your org)<\/li>\n<li>Click <strong>Create Compartment<\/strong><\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> A dedicated compartment exists for cleanup and access control.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a VCN with public and private subnets<\/h3>\n\n\n\n<p>You can use the wizard, but to learn the pieces, create it manually (more educational).<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Networking<\/strong> \u2192 <strong>Virtual Cloud Networks<\/strong>.<\/li>\n<li>Select the compartment <code>lab-networking<\/code>.<\/li>\n<li>Click <strong>Create VCN<\/strong>.<\/li>\n<li>Choose <strong>VCN Only<\/strong> (or similar manual option).<\/li>\n<li>Enter:\n   &#8211; Name: <code>vcn-lab<\/code>\n   &#8211; CIDR Block: <code>10.0.0.0\/16<\/code><\/li>\n<li>Click <strong>Create VCN<\/strong><\/li>\n<\/ol>\n\n\n\n<p>Now create subnets:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Create the public subnet<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open <code>vcn-lab<\/code>.<\/li>\n<li>Click <strong>Subnets<\/strong> \u2192 <strong>Create Subnet<\/strong>.<\/li>\n<li>Enter:\n   &#8211; Name: <code>subnet-public<\/code>\n   &#8211; Subnet Type: <strong>Regional<\/strong> (recommended)\n   &#8211; CIDR Block: <code>10.0.1.0\/24<\/code>\n   &#8211; Route Table: create new <code>rt-public<\/code>\n   &#8211; Security Lists: default is fine for now (we\u2019ll prefer NSGs)\n   &#8211; \u201cPublic subnet\u201d setting: enable public IP assignment if prompted (<strong>auto-assign public IPv4 address<\/strong>)<\/li>\n<li>Click <strong>Create Subnet<\/strong><\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">Create the private subnet<\/h4>\n\n\n\n<ol 
class=\"wp-block-list\">\n<li>Click <strong>Create Subnet<\/strong> again.<\/li>\n<li>Enter:\n   &#8211; Name: <code>subnet-private<\/code>\n   &#8211; Type: <strong>Regional<\/strong>\n   &#8211; CIDR: <code>10.0.2.0\/24<\/code>\n   &#8211; Route Table: create new <code>rt-private<\/code>\n   &#8211; Auto-assign public IP: <strong>disable<\/strong><\/li>\n<li>Click <strong>Create Subnet<\/strong><\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> VCN exists with two subnets and two separate route tables.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create gateways (IGW + NAT) and attach route rules<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Create an Internet Gateway<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In <code>vcn-lab<\/code>, click <strong>Internet Gateways<\/strong> \u2192 <strong>Create Internet Gateway<\/strong>.<\/li>\n<li>Name: <code>igw-lab<\/code><\/li>\n<li>Click <strong>Create Internet Gateway<\/strong><\/li>\n<li>Ensure it is <strong>Enabled<\/strong>.<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">Add route rule to public route table<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <code>rt-public<\/code>.<\/li>\n<li><strong>Add Route Rules<\/strong>:\n   &#8211; Target Type: <strong>Internet Gateway<\/strong>\n   &#8211; Destination CIDR Block: <code>0.0.0.0\/0<\/code>\n   &#8211; Target: <code>igw-lab<\/code><\/li>\n<li>Save changes.<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">Create a NAT Gateway<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In <code>vcn-lab<\/code>, click <strong>NAT Gateways<\/strong> \u2192 <strong>Create NAT Gateway<\/strong>.<\/li>\n<li>Name: <code>nat-lab<\/code><\/li>\n<li>Click <strong>Create NAT Gateway<\/strong><\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">Add route rule to private route table<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <code>rt-private<\/code>.<\/li>\n<li><strong>Add Route Rules<\/strong>:\n   &#8211; 
Target Type: <strong>NAT Gateway<\/strong>\n   &#8211; Destination CIDR Block: <code>0.0.0.0\/0<\/code>\n   &#8211; Target: <code>nat-lab<\/code><\/li>\n<li>Save changes.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong>\n&#8211; Public subnet has internet route via IGW.\n&#8211; Private subnet has outbound default route via NAT.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create NSGs (recommended security approach)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Create NSG for bastion<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In <code>vcn-lab<\/code>, go to <strong>Network Security Groups<\/strong> \u2192 <strong>Create Network Security Group<\/strong>.<\/li>\n<li>Name: <code>nsg-bastion<\/code><\/li>\n<li>Create.<\/li>\n<\/ol>\n\n\n\n<p>Add ingress rule to allow SSH from your IP:\n1. Open <code>nsg-bastion<\/code> \u2192 <strong>Security Rules<\/strong> \u2192 <strong>Add Ingress Rules<\/strong>.\n2. Configure:\n   &#8211; Stateless: off (stateful)\n   &#8211; Source Type: CIDR\n   &#8211; Source CIDR: <strong>your public IP\/32<\/strong> (find via <code>https:\/\/ifconfig.me<\/code> from your browser)\n   &#8211; IP Protocol: TCP\n   &#8211; Destination Port Range: 22\n3. 
Add.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Create NSG for app<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create NSG: <code>nsg-app<\/code><\/li>\n<li>Add ingress rule to allow SSH only from bastion NSG:\n   &#8211; Source Type: <strong>Network Security Group<\/strong>\n   &#8211; Source NSG: <code>nsg-bastion<\/code>\n   &#8211; Protocol: TCP\n   &#8211; Port: 22<\/li>\n<\/ol>\n\n\n\n<p>Optionally add an ingress rule for your application port (example 8080) from bastion only or from a load balancer NSG later.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> Security policy is app-centric: only bastion is reachable from your IP; app host is reachable only from bastion.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Create SSH key pair<\/h3>\n\n\n\n<p>On your local machine (or Cloud Shell), generate keys. Local is best for SSH from your laptop:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh-keygen -t ed25519 -f ~\/.ssh\/oci_lab_key -C \"oci-networking-lab\"\n<\/code><\/pre>\n\n\n\n<p>This creates:\n&#8211; Private key: <code>~\/.ssh\/oci_lab_key<\/code>\n&#8211; Public key: <code>~\/.ssh\/oci_lab_key.pub<\/code><\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have keys ready to paste into instance creation.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Create compute instance in the public subnet (bastion01)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Compute<\/strong> \u2192 <strong>Instances<\/strong> \u2192 <strong>Create Instance<\/strong>.<\/li>\n<li>Name: <code>bastion01<\/code><\/li>\n<li>Compartment: <code>lab-networking<\/code><\/li>\n<li>Placement: pick defaults (any AD\/FD options as presented)<\/li>\n<li>Image: <strong>Oracle Linux<\/strong> (or Ubuntu if preferred)<\/li>\n<li>Shape: choose an Always Free eligible shape if available in your region (verify)<\/li>\n<li>Networking:\n   &#8211; VCN: <code>vcn-lab<\/code>\n   
&#8211; Subnet: <code>subnet-public<\/code>\n   &#8211; Assign public IPv4 address: <strong>Yes<\/strong>\n   &#8211; Network Security Groups: select <code>nsg-bastion<\/code><\/li>\n<li>Add SSH key: paste contents of <code>~\/.ssh\/oci_lab_key.pub<\/code><\/li>\n<li>Click <strong>Create<\/strong><\/li>\n<\/ol>\n\n\n\n<p>Wait until the instance is <strong>Running<\/strong>.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> <code>bastion01<\/code> has a <strong>public IP<\/strong> and is reachable via SSH from your IP.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Create compute instance in the private subnet (app01)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Create Instance<\/strong> again.<\/li>\n<li>Name: <code>app01<\/code><\/li>\n<li>Image\/Shape: same as above<\/li>\n<li>Networking:\n   &#8211; VCN: <code>vcn-lab<\/code>\n   &#8211; Subnet: <code>subnet-private<\/code>\n   &#8211; Assign public IPv4 address: <strong>No<\/strong>\n   &#8211; NSG: select <code>nsg-app<\/code><\/li>\n<li>SSH key: use the same public key<\/li>\n<li>Click <strong>Create<\/strong><\/li>\n<\/ol>\n\n\n\n<p>Wait until <strong>Running<\/strong>.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> <code>app01<\/code> has only a <strong>private IP<\/strong> and no public exposure.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: SSH to bastion, then to the private instance<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">SSH to bastion from your laptop<\/h4>\n\n\n\n<p>Find the public IP of <code>bastion01<\/code> in the instance details and run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">chmod 600 ~\/.ssh\/oci_lab_key\nssh -i ~\/.ssh\/oci_lab_key opc@&lt;BASTION_PUBLIC_IP&gt;\n<\/code><\/pre>\n\n\n\n<p>(If you used Ubuntu image, the user is typically <code>ubuntu<\/code> instead of <code>opc<\/code>.)<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> You get a shell on 
<code>bastion01<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">From bastion, SSH to the private instance<\/h4>\n\n\n\n<p>From the OCI Console, copy the <strong>private IP<\/strong> of <code>app01<\/code>. Then from bastion:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh -i ~\/.ssh\/oci_lab_key opc@&lt;APP01_PRIVATE_IP&gt;\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can log into <code>app01<\/code> from <code>bastion01<\/code>, proving private subnet routing + NSG rules work.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 9: Validate outbound internet from the private instance via NAT<\/h3>\n\n\n\n<p>On <code>app01<\/code>, run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -s https:\/\/ifconfig.me &amp;&amp; echo\n<\/code><\/pre>\n\n\n\n<p>or:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -I https:\/\/www.oracle.com\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The request succeeds. This indicates <code>app01<\/code> has outbound access through <strong>NAT Gateway<\/strong>.<\/p>\n\n\n\n<p>Now confirm inbound from internet is not possible:\n&#8211; <code>app01<\/code> has no public IP, so you should not be able to SSH to it directly from your laptop.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 10 (Optional, cost-aware): Enable VCN Flow Logs for the private subnet<\/h3>\n\n\n\n<p>Flow logs are extremely useful but can generate logging costs. Use briefly for learning and then disable or delete.<\/p>\n\n\n\n<p>High-level steps (exact console labels can vary):\n1. Go to <strong>Observability &amp; Management<\/strong> \u2192 <strong>Logging<\/strong>.\n2. Create a <strong>Log Group<\/strong> in compartment <code>lab-networking<\/code> (e.g., <code>lg-networking-lab<\/code>).\n3. 
Go back to <strong>Networking<\/strong> \u2192 your subnet (<code>subnet-private<\/code>) \u2192 look for <strong>Flow Logs<\/strong> (or <strong>Logs<\/strong>).\n4. Create a flow log:\n   &#8211; Source: subnet-private\n   &#8211; Destination: your log group\n   &#8211; Name: <code>flowlog-subnet-private<\/code><\/p>\n\n\n\n<p>Generate a test deny event by trying a blocked port from bastion to app (e.g., <code>curl http:\/\/&lt;app_private_ip&gt;:80<\/code> if no rule allows it).<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> Flow log entries appear in Logging, showing accept\/deny metadata.<\/p>\n\n\n\n<blockquote>\n<p>If you can\u2019t find Flow Logs in your region\/tenancy UI, verify in official docs; availability and UI placement can change.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Public subnet routing works<\/strong>\n   &#8211; SSH from laptop \u2192 <code>bastion01<\/code> succeeds.<\/p>\n<\/li>\n<li>\n<p><strong>Private subnet isolation works<\/strong>\n   &#8211; Laptop \u2192 <code>app01<\/code> direct SSH fails (no public IP).<\/p>\n<\/li>\n<li>\n<p><strong>Private subnet reachability through bastion works<\/strong>\n   &#8211; SSH from <code>bastion01<\/code> \u2192 <code>app01<\/code> succeeds.<\/p>\n<\/li>\n<li>\n<p><strong>NAT egress works<\/strong>\n   &#8211; On <code>app01<\/code>, <code>curl https:\/\/ifconfig.me<\/code> returns a public IP (NATed).<\/p>\n<\/li>\n<li>\n<p><strong>Security rules are least-privilege<\/strong>\n   &#8211; Only your IP can reach TCP\/22 on bastion.\n   &#8211; Only bastion NSG can reach TCP\/22 on app.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: SSH to bastion fails 
(timeout)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Check:<\/strong> Your local IP changed; NSG ingress rule uses the wrong <code>\/32<\/code>.<\/li>\n<li><strong>Fix:<\/strong> Update <code>nsg-bastion<\/code> ingress source CIDR to your current IP.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: SSH to bastion fails (permission denied)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Check:<\/strong> Wrong username (<code>opc<\/code> vs <code>ubuntu<\/code>).<\/li>\n<li><strong>Fix:<\/strong> Confirm image type and use correct user.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: SSH from bastion to app fails (timeout)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Check:<\/strong> <code>nsg-app<\/code> ingress does not allow TCP\/22 from <code>nsg-bastion<\/code>.<\/li>\n<li><strong>Fix:<\/strong> Add\/verify NSG rule and ensure both instances are attached to correct NSGs.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: app01 cannot reach internet<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Check routing:<\/strong> <code>rt-private<\/code> must have <code>0.0.0.0\/0<\/code> \u2192 NAT Gateway.<\/li>\n<li><strong>Check NAT status:<\/strong> NAT Gateway must exist and be available.<\/li>\n<li><strong>Check security:<\/strong> Egress rules in NSG\/security list must allow outbound (default egress is often allowed, but verify).<\/li>\n<li><strong>Check DNS:<\/strong> If DNS resolution fails, try <code>curl https:\/\/1.1.1.1<\/code> (should fail due to TLS\/SNI but can indicate raw connectivity). Better: <code>nslookup oracle.com<\/code> (install tools if needed).<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: Confusion between Security Lists and NSGs<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Rule:<\/strong> Security Lists apply to subnet; NSGs to VNIC. 
Both can affect traffic.<\/li>\n<li><strong>Fix:<\/strong> For clarity in labs, keep security lists permissive (or default) and manage access with NSGs\u2014but do this intentionally and document it.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges (especially NAT Gateway hours), delete resources in this order:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p>Terminate compute instances:\n   &#8211; <code>app01<\/code>\n   &#8211; <code>bastion01<\/code><\/p>\n<\/li>\n<li>\n<p>Delete optional logging resources:\n   &#8211; Flow log\n   &#8211; Log group (if created for lab)<\/p>\n<\/li>\n<li>\n<p>Delete gateways:\n   &#8211; NAT Gateway <code>nat-lab<\/code>\n   &#8211; Internet Gateway <code>igw-lab<\/code><\/p>\n<\/li>\n<li>\n<p>Delete NSGs:\n   &#8211; <code>nsg-app<\/code>\n   &#8211; <code>nsg-bastion<\/code><\/p>\n<\/li>\n<li>\n<p>Delete subnets:\n   &#8211; <code>subnet-private<\/code>\n   &#8211; <code>subnet-public<\/code><\/p>\n<\/li>\n<li>\n<p>Delete route tables (if they aren\u2019t default and not automatically removed):\n   &#8211; <code>rt-private<\/code>\n   &#8211; <code>rt-public<\/code><\/p>\n<\/li>\n<li>\n<p>Delete VCN:\n   &#8211; <code>vcn-lab<\/code><\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> Compartment is empty (or only contains what you intentionally kept).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Design CIDR with growth and connectivity in mind<\/strong><\/li>\n<li>Avoid overlaps with on-prem and other VCNs to enable peering\/hybrid.<\/li>\n<li>Reserve ranges for future subnets (e.g., \/24 per tier, \/16 overall).<\/li>\n<li><strong>Use multiple route tables<\/strong><\/li>\n<li>Separate public, private, and database routing intent.<\/li>\n<li>Keep route rules minimal and well-commented via IaC.<\/li>\n<li><strong>Prefer NSGs over Security Lists for scalable segmentation<\/strong><\/li>\n<li>Treat NSGs as \u201capplication security groups\u201d.<\/li>\n<li>Reference NSGs in rules instead of IPs to reduce brittle configs.<\/li>\n<li><strong>Adopt a hub-and-spoke pattern for enterprises<\/strong><\/li>\n<li>Use DRG as a routing hub for on-prem and shared services.<\/li>\n<li>Keep app VCNs simpler and isolated.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege policies<\/strong><\/li>\n<li>Separate \u201cnetwork operators\u201d from \u201capp deployers\u201d.<\/li>\n<li>Use compartments per environment and per team where appropriate.<\/li>\n<li><strong>Guardrails<\/strong><\/li>\n<li>Restrict who can create IGWs, public IPs, or wide-open security rules in production compartments.<\/li>\n<li><strong>Tagging standards<\/strong><\/li>\n<li>Enforce tags for ownership and cost tracking: <code>env<\/code>, <code>owner<\/code>, <code>app<\/code>, <code>data-classification<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Minimize always-on billable gateways<\/strong><\/li>\n<li>NAT Gateway and DRG can be recurring; use only where necessary.<\/li>\n<li><strong>Control data egress<\/strong><\/li>\n<li>Cache dependencies, use private service 
access where applicable, and restrict outbound destinations.<\/li>\n<li><strong>Tune logs<\/strong><\/li>\n<li>Flow logs are valuable but can be expensive at scale\u2014scope carefully and set retention policies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Keep traffic private where possible<\/strong><\/li>\n<li>Use private IPs for east-west traffic.<\/li>\n<li>Use service gateway\/private connectivity for OCI service access when applicable.<\/li>\n<li><strong>Avoid unnecessary middleboxes<\/strong><\/li>\n<li>Each hop adds complexity and potential bottlenecks; design for simplicity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Plan for multi-AD \/ fault-domain deployment<\/strong><\/li>\n<li>Use regional subnets and redundant instances\/load balancers.<\/li>\n<li><strong>Document network intent<\/strong><\/li>\n<li>Route tables, NSGs, and subnet purposes should be documented and reviewed like code.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use flow logs for critical tiers<\/strong><\/li>\n<li>Enable for subnets that host internet-facing or sensitive systems.<\/li>\n<li><strong>Standardize troubleshooting<\/strong><\/li>\n<li>Maintain a runbook: check route table \u2192 check NSG\/security list \u2192 check NACL equivalents (OCI uses security lists\/NSGs) \u2192 check host firewall \u2192 check DNS.<\/li>\n<li><strong>Automate with Terraform<\/strong><\/li>\n<li>Treat VCN topology as code to reduce drift.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name consistently: <code>vcn-&lt;env&gt;-&lt;region&gt;-&lt;purpose&gt;<\/code>, <code>subnet-&lt;tier&gt;-&lt;env&gt;<\/code>, 
<code>nsg-&lt;app&gt;-&lt;tier&gt;<\/code>.<\/li>\n<li>Keep separate compartments for <code>prod<\/code>, <code>nonprod<\/code>, <code>shared<\/code>, <code>security<\/code>.<\/li>\n<li>Use defined tags where your org needs reporting and policy enforcement.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI IAM controls who can:<\/li>\n<li>create\/modify VCNs, subnets, route tables, gateways<\/li>\n<li>attach DRGs and configure VPN\/FastConnect<\/li>\n<li>create NSGs and change rules<\/li>\n<li>Use compartment-scoped policies and avoid granting broad permissions in the root compartment.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Networking components are control-plane constructs; encryption concerns typically apply to:<\/li>\n<li><strong>IPSec VPN<\/strong> (encryption in transit over public internet)<\/li>\n<li><strong>TLS<\/strong> for application traffic<\/li>\n<li>For private traffic within OCI, use application-layer encryption where required by compliance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure risks<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Accidental public exposure usually happens via:<\/li>\n<li>public IP assignment to instances<\/li>\n<li>route table sending <code>0.0.0.0\/0<\/code> to IGW for a subnet that should be private<\/li>\n<li>overly permissive NSG\/security list rules (e.g., <code>0.0.0.0\/0<\/code> on SSH\/RDP)<\/li>\n<li>Mitigation:<\/li>\n<li>restrict who can create IGWs\/public IPs<\/li>\n<li>use NSGs with tight sources<\/li>\n<li>run periodic audits of public IPs and ingress rules<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<p>Networking doesn\u2019t store secrets, but hybrid setups often involve:\n&#8211; VPN 
shared secrets \/ certificates\n&#8211; API keys for automation\nBest practices:\n&#8211; Use OCI Vault for secrets where applicable (separate service).\n&#8211; Avoid hardcoding secrets in Terraform state or scripts; use secure variables and secret references.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Audit logs record API actions (who changed a route table\/NSG).<\/li>\n<li>Flow logs help you see traffic decisions (allow\/deny).<\/li>\n<li>Centralize logs into a security compartment and limit access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define data classification and network zones (e.g., \u201cpublic\u201d, \u201cinternal\u201d, \u201crestricted\u201d).<\/li>\n<li>Enforce segmentation between tiers and environments.<\/li>\n<li>Validate that private access patterns (Service Gateway, private endpoints where applicable) meet compliance requirements\u2014verify service-specific controls in docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using only security lists and sharing subnets broadly across unrelated apps.<\/li>\n<li>Leaving SSH open to <code>0.0.0.0\/0<\/code>.<\/li>\n<li>Treating \u201cno public IP\u201d as the only control (it\u2019s important, but not sufficient).<\/li>\n<li>Forgetting egress controls\u2014data exfiltration can occur via outbound traffic.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>private subnets<\/strong> by default; only expose load balancers or bastions.<\/li>\n<li>Use <strong>NSGs<\/strong> with app-based grouping and minimal ingress.<\/li>\n<li>Use <strong>NAT<\/strong> for controlled outbound, and restrict egress destinations when feasible.<\/li>\n<li>Enable <strong>flow logs<\/strong> on high-risk 
subnets with planned retention.<\/li>\n<li>Implement change control around route tables, IGWs, and DRG routing.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>Limits and behaviors can change; verify in official docs and your region.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations \/ quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Service limits on:<\/li>\n<li>number of VCNs\/subnets per region<\/li>\n<li>route rules per route table<\/li>\n<li>NSGs and rules<\/li>\n<li>DRG attachments and route tables<\/li>\n<li>Action: review and request limit increases early for production.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>FastConnect availability depends on location\/provider.<\/li>\n<li>Some features (IPv6 options, certain service gateway service lists, observability features) may vary\u2014verify before designing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NAT Gateway hourly\/data processing costs can surprise teams that assumed \u201cnetworking is free\u201d.<\/li>\n<li>DRG and VPN can be recurring costs.<\/li>\n<li>Internet egress can dominate costs for data-heavy workloads.<\/li>\n<li>Flow logs can generate significant logging ingestion\/storage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CIDR overlap prevents peering and complicates hybrid routing.<\/li>\n<li>Migrating from one network model to another (e.g., changing CIDRs) is difficult\u2014plan upfront.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Lists and NSGs both apply; a permissive NSG doesn\u2019t help if a restrictive security list blocks (and vice 
versa).<\/li>\n<li>Route tables are attached to subnets; moving an instance between subnets changes its routing\/security context.<\/li>\n<li>DNS misconfiguration can look like network failure\u2014always test both IP connectivity and name resolution.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances (OCI patterns)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Regional VCN\/subnet model differs from some clouds where subnets are zonal.<\/li>\n<li>DRG-based transit routing is central to many OCI enterprise architectures; learn DRG route tables and attachments carefully.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Oracle Cloud Networking is OCI\u2019s native SDN layer. Alternatives include other OCI services that complement it, other cloud providers\u2019 VPC equivalents, and self-managed SDN in private clouds.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Oracle Cloud Networking (VCN + gateways + DRG + NSG)<\/strong><\/td>\n<td>Any OCI workload, especially hybrid\/enterprise<\/td>\n<td>Deep integration with OCI services, strong segmentation, DRG for hub-and-spoke<\/td>\n<td>Requires solid routing\/security design; some features\/costs can surprise<\/td>\n<td>You run workloads on Oracle Cloud and need reliable connectivity and control<\/td>\n<\/tr>\n<tr>\n<td>OCI Load Balancing<\/td>\n<td>App delivery layer<\/td>\n<td>Managed L4\/L7 load balancing<\/td>\n<td>Separate cost\/service; not a full networking replacement<\/td>\n<td>You need scalable inbound traffic distribution<\/td>\n<\/tr>\n<tr>\n<td>OCI Network Firewall (separate service)<\/td>\n<td>Advanced L7 inspection, centralized policy<\/td>\n<td>Strong 
security controls<\/td>\n<td>Added cost\/complexity<\/td>\n<td>You need centralized firewall controls beyond NSG\/Security Lists<\/td>\n<\/tr>\n<tr>\n<td>AWS VPC<\/td>\n<td>AWS-native workloads<\/td>\n<td>Mature ecosystem, many integrations<\/td>\n<td>Different semantics; not portable 1:1<\/td>\n<td>You\u2019re primarily on AWS<\/td>\n<\/tr>\n<tr>\n<td>Azure Virtual Network (VNet)<\/td>\n<td>Azure-native workloads<\/td>\n<td>Strong enterprise integration (AD, etc.)<\/td>\n<td>Different constructs and governance<\/td>\n<td>You\u2019re primarily on Azure<\/td>\n<\/tr>\n<tr>\n<td>Google Cloud VPC<\/td>\n<td>GCP-native workloads<\/td>\n<td>Global VPC model (different design), strong tooling<\/td>\n<td>Different routing model than OCI<\/td>\n<td>You\u2019re primarily on GCP<\/td>\n<\/tr>\n<tr>\n<td>Self-managed SDN (e.g., OpenStack Neutron)<\/td>\n<td>Private cloud, strict control<\/td>\n<td>Full control, on-prem deployment<\/td>\n<td>High ops burden<\/td>\n<td>You must operate in your own data center with full control requirements<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Hybrid ERP platform with segmented tiers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A large enterprise runs ERP workloads on Oracle Cloud. 
The app must integrate with on-prem identity systems and data feeds, while meeting security requirements (private DB tier, controlled egress).<\/li>\n<li><strong>Proposed architecture:<\/strong><\/li>\n<li>VCN with public LB subnet, private app subnet, private DB subnet<\/li>\n<li>DRG connected to on-prem via FastConnect (primary) and IPSec VPN (backup)<\/li>\n<li>NSGs for tier-to-tier rules (LB \u2192 web\/app \u2192 DB)<\/li>\n<li>NAT Gateway for limited outbound from private tiers<\/li>\n<li>Service Gateway for private access to OCI services (where applicable)<\/li>\n<li>Flow logs enabled on public and sensitive subnets with centralized retention<\/li>\n<li><strong>Why Networking was chosen:<\/strong> OCI Networking provides the exact primitives needed for hybrid routing (DRG), private segmentation (NSGs), and controlled internet exposure.<\/li>\n<li><strong>Expected outcomes:<\/strong><\/li>\n<li>Reduced attack surface (DB private, least-privilege rules)<\/li>\n<li>Predictable connectivity to on-prem<\/li>\n<li>Clear routing domains and easier troubleshooting with flow logs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: Secure SaaS MVP with minimal ops<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A small team needs to launch a SaaS MVP quickly while keeping production safe (no public DB, simple admin access).<\/li>\n<li><strong>Proposed architecture:<\/strong><\/li>\n<li>One VCN with:<ul>\n<li>public subnet for a load balancer or a single web node<\/li>\n<li>private subnet for app workers and a managed DB<\/li>\n<\/ul>\n<\/li>\n<li>NAT Gateway for private outbound updates<\/li>\n<li>NSGs: only allow SSH to a single bastion from founders\u2019 IPs; app nodes private<\/li>\n<li><strong>Why Networking was chosen:<\/strong> It\u2019s required for compute placement and allows a secure baseline without buying appliances.<\/li>\n<li><strong>Expected outcomes:<\/strong><\/li>\n<li>Fast deployment with clear 
\u201cpublic vs private\u201d separation<\/li>\n<li>Lower risk of accidental exposure<\/li>\n<li>Ability to evolve to multi-VCN and DRG later as the company grows<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is \u201cNetworking\u201d in Oracle Cloud the same as VCN?<\/strong><br\/>\nNetworking is the broader service area; <strong>VCN is the core building block<\/strong> within Networking. Networking also includes gateways, DRG, VPN\/FastConnect connectivity, peering, NSGs, and visibility features.<\/p>\n\n\n\n<p>2) <strong>Are VCNs global or regional in OCI?<\/strong><br\/>\nVCNs are <strong>regional<\/strong>. You typically design per-region networks and connect regions via remote peering or other patterns.<\/p>\n\n\n\n<p>3) <strong>What makes a subnet \u201cpublic\u201d in OCI?<\/strong><br\/>\nA subnet is effectively public when:\n&#8211; it has a route rule <code>0.0.0.0\/0<\/code> pointing to an <strong>Internet Gateway<\/strong>, and\n&#8211; the instance has a <strong>public IP<\/strong>, and\n&#8211; security rules allow inbound traffic.<\/p>\n\n\n\n<p>4) <strong>If an instance has no public IP, is it fully secure?<\/strong><br\/>\nIt\u2019s safer from direct internet inbound, but not \u201cfully secure.\u201d You still need correct NSGs\/security lists, OS hardening, and egress controls.<\/p>\n\n\n\n<p>5) <strong>Should I use Security Lists or NSGs?<\/strong><br\/>\nFor most scalable designs, use <strong>NSGs<\/strong> for app-centric segmentation. Security Lists can serve as baseline subnet-level controls.<\/p>\n\n\n\n<p>6) <strong>Do NSG rules override Security Lists?<\/strong><br\/>\nNo. Both can apply. Traffic must be allowed by the effective set of rules. 
If either layer blocks, traffic is blocked.<\/p>\n\n\n\n<p>7) <strong>What is a DRG used for?<\/strong><br\/>\nDRG is the edge routing hub for connecting VCNs to on-prem (VPN\/FastConnect) and for advanced routing topologies.<\/p>\n\n\n\n<p>8) <strong>Do I need a DRG for a simple internet-facing web app?<\/strong><br\/>\nNot necessarily. A simple app can use VCN + subnets + IGW\/NAT. DRG is more for hybrid and multi-VCN transit routing.<\/p>\n\n\n\n<p>9) <strong>What is the difference between NAT Gateway and Internet Gateway?<\/strong><br\/>\n&#8211; <strong>Internet Gateway<\/strong> enables inbound\/outbound internet for public subnets and public IPs.\n&#8211; <strong>NAT Gateway<\/strong> enables <strong>outbound-only<\/strong> internet for private instances without allowing inbound internet traffic.<\/p>\n\n\n\n<p>10) <strong>Can private subnets access OCI services without internet?<\/strong><br\/>\nOften yes, via <strong>Service Gateway<\/strong> (for supported services). Verify supported services per region in official docs.<\/p>\n\n\n\n<p>11) <strong>What are the common causes of \u201ccan\u2019t connect\u201d in OCI networking?<\/strong><br\/>\nMost issues come from:\n&#8211; missing\/incorrect route rules\n&#8211; NSG\/security list missing rules\n&#8211; host firewall (iptables\/firewalld) blocking\n&#8211; wrong subnet choice (public vs private)\n&#8211; DNS misconfiguration<\/p>\n\n\n\n<p>12) <strong>How do I troubleshoot blocked traffic effectively?<\/strong><br\/>\nUse a consistent checklist:\n1) route table next hop<br\/>\n2) NSG\/security list ingress\/egress<br\/>\n3) instance OS firewall<br\/>\n4) verify DNS vs IP connectivity<br\/>\n5) use <strong>VCN Flow Logs<\/strong> for evidence<\/p>\n\n\n\n<p>13) <strong>Does OCI support IPv6 in VCNs?<\/strong><br\/>\nOCI has IPv6 capabilities, but details vary by feature\/region and require careful planning. 
Verify the current IPv6 docs before designing production IPv6.<\/p>\n\n\n\n<p>14) <strong>Is traffic between VCNs encrypted by default?<\/strong><br\/>\nVCN-to-VCN private traffic is private within OCI\u2019s network, but encryption-at-transport is typically an application concern. Use TLS\/IPSec where required by policy.<\/p>\n\n\n\n<p>15) <strong>What is the safest way to provide admin access to private instances?<\/strong><br\/>\nCommon patterns include:\n&#8211; a hardened <strong>bastion host<\/strong> in a public subnet with strict SSH ingress rules, or\n&#8211; using <strong>OCI Bastion<\/strong> service (separate service) to avoid public SSH exposure (verify current product and region availability).<\/p>\n\n\n\n<p>16) <strong>How do compartments help networking?<\/strong><br\/>\nCompartments let you separate environments and apply IAM policies and budgets per environment\/team, reducing blast radius and supporting governance.<\/p>\n\n\n\n<p>17) <strong>What should I automate with Terraform first?<\/strong><br\/>\nStart with VCN, subnets, route tables, NSGs, gateways, and compute test instances. Automating these reduces drift and improves repeatability.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Networking<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI Networking Overview \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Concepts\/overview.htm<\/td>\n<td>Canonical entry point for Networking concepts and components<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Virtual Cloud Network (VCN) \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Concepts\/virtualcloudnetwork.htm<\/td>\n<td>Deep coverage of VCNs, subnets, routing, gateways<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Security Lists \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Concepts\/securitylists.htm<\/td>\n<td>Subnet-level security model and rule behavior<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Network Security Groups \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Concepts\/networksecuritygroups.htm<\/td>\n<td>Best practice for scalable segmentation<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>DRG (Dynamic Routing Gateway) \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Tasks\/managingDRGs.htm<\/td>\n<td>Hybrid\/transit routing foundational doc (verify latest DRG guide pages)<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>IPSec VPN \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Tasks\/managingIPsec.htm<\/td>\n<td>Hybrid connectivity setup and concepts<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>FastConnect \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Concepts\/fastconnect.htm<\/td>\n<td>Private connectivity option and architecture<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>OCI Price List \u2014 https:\/\/www.oracle.com\/cloud\/price-list\/<\/td>\n<td>Official pricing source for 
NAT\/DRG\/VPN and data transfer rules<\/td>\n<\/tr>\n<tr>\n<td>Official cost tool<\/td>\n<td>OCI Cost Estimator \u2014 https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\n<td>Helps model recurring gateway and data transfer costs (verify URL availability)<\/td>\n<\/tr>\n<tr>\n<td>Official getting started<\/td>\n<td>OCI Tutorials\/Labs (Landing page) \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/GSG\/Concepts\/baremetalintro.htm<\/td>\n<td>Entry point to hands-on OCI learning paths (networking labs may be linked from here)<\/td>\n<\/tr>\n<tr>\n<td>Official CLI docs<\/td>\n<td>OCI CLI Concepts \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/Concepts\/cliconcepts.htm<\/td>\n<td>Essential for scripting and repeatable networking changes<\/td>\n<\/tr>\n<tr>\n<td>Official architecture<\/td>\n<td>OCI Architecture Center \u2014 https:\/\/docs.oracle.com\/solutions\/<\/td>\n<td>Reference architectures including network topologies and patterns<\/td>\n<\/tr>\n<tr>\n<td>Official free tier<\/td>\n<td>Oracle Cloud Free Tier \u2014 https:\/\/www.oracle.com\/cloud\/free\/<\/td>\n<td>Understand Always Free constraints for labs<\/td>\n<\/tr>\n<tr>\n<td>Trusted community<\/td>\n<td>Oracle Cloud Infrastructure on GitHub \u2014 https:\/\/github.com\/oracle\/oci-cli<\/td>\n<td>CLI source, issues, and examples (official repository)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<p>The following training providers may offer courses or corporate training related to Oracle Cloud Networking and broader DevOps\/cloud engineering. 
Verify current curricula and schedules on their websites.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>DevOpsSchool.com<\/strong><br\/>\n   &#8211; Suitable audience: DevOps engineers, SREs, platform teams, cloud beginners to intermediate<br\/>\n   &#8211; Likely learning focus: Cloud fundamentals, DevOps toolchains, cloud networking basics, automation<br\/>\n   &#8211; Mode: check website<br\/>\n   &#8211; Website: https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n<li>\n<p><strong>ScmGalaxy.com<\/strong><br\/>\n   &#8211; Suitable audience: SCM\/DevOps learners, engineers expanding into cloud operations<br\/>\n   &#8211; Likely learning focus: DevOps practices, CI\/CD, operational foundations that pair with cloud networking<br\/>\n   &#8211; Mode: check website<br\/>\n   &#8211; Website: https:\/\/www.scmgalaxy.com\/<\/p>\n<\/li>\n<li>\n<p><strong>CLoudOpsNow.in<\/strong><br\/>\n   &#8211; Suitable audience: Cloud operations and platform operations teams<br\/>\n   &#8211; Likely learning focus: CloudOps practices, monitoring, reliability, operational playbooks (often includes networking fundamentals)<br\/>\n   &#8211; Mode: check website<br\/>\n   &#8211; Website: https:\/\/www.cloudopsnow.in\/<\/p>\n<\/li>\n<li>\n<p><strong>SreSchool.com<\/strong><br\/>\n   &#8211; Suitable audience: SREs, operations engineers, reliability-focused teams<br\/>\n   &#8211; Likely learning focus: SRE practices, incident response, observability\u2014useful for operating OCI Networking in production<br\/>\n   &#8211; Mode: check website<br\/>\n   &#8211; Website: https:\/\/www.sreschool.com\/<\/p>\n<\/li>\n<li>\n<p><strong>AiOpsSchool.com<\/strong><br\/>\n   &#8211; Suitable audience: Ops teams adopting AIOps approaches, monitoring\/automation engineers<br\/>\n   &#8211; Likely learning focus: AIOps\/automation, event correlation, operational intelligence (complements networking operations)<br\/>\n   &#8211; Mode: check website<br\/>\n   &#8211; Website: 
https:\/\/www.aiopsschool.com\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<p>These sites are presented as trainer\/platform resources. Verify specific Oracle Cloud Networking coverage directly on each site.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>RajeshKumar.xyz<\/strong><br\/>\n   &#8211; Likely specialization: DevOps\/cloud training and guidance (verify specific offerings)<br\/>\n   &#8211; Suitable audience: Individuals and teams seeking practical coaching<br\/>\n   &#8211; Website: https:\/\/www.rajeshkumar.xyz\/<\/p>\n<\/li>\n<li>\n<p><strong>devopstrainer.in<\/strong><br\/>\n   &#8211; Likely specialization: DevOps training programs; may include cloud and infrastructure topics<br\/>\n   &#8211; Suitable audience: Beginners to intermediate DevOps practitioners<br\/>\n   &#8211; Website: https:\/\/www.devopstrainer.in\/<\/p>\n<\/li>\n<li>\n<p><strong>devopsfreelancer.com<\/strong><br\/>\n   &#8211; Likely specialization: Freelance DevOps services\/training and project support (verify specifics)<br\/>\n   &#8211; Suitable audience: Teams needing short-term expertise<br\/>\n   &#8211; Website: https:\/\/www.devopsfreelancer.com\/<\/p>\n<\/li>\n<li>\n<p><strong>devopssupport.in<\/strong><br\/>\n   &#8211; Likely specialization: DevOps support and mentoring; may include cloud operations support<br\/>\n   &#8211; Suitable audience: Operations teams needing hands-on troubleshooting assistance<br\/>\n   &#8211; Website: https:\/\/www.devopssupport.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<p>These companies may provide consulting and implementation support. 
Descriptions below are intentionally neutral\u2014verify capabilities, references, and statements of work directly with each provider.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>cotocus.com<\/strong><br\/>\n   &#8211; Likely service area: Cloud\/DevOps consulting and engineering support (verify offerings)<br\/>\n   &#8211; Where they may help: Network design reviews, IaC implementation, environment standardization<br\/>\n   &#8211; Consulting use case examples:  <\/p>\n<ul>\n<li>Designing a hub-and-spoke VCN\/DRG topology  <\/li>\n<li>Implementing Terraform modules for VCN\/subnets\/NSGs  <\/li>\n<li>Troubleshooting routing\/NSG issues in production  <\/li>\n<li>Website: https:\/\/www.cotocus.com\/<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>DevOpsSchool.com<\/strong><br\/>\n   &#8211; Likely service area: DevOps and cloud consulting\/training<br\/>\n   &#8211; Where they may help: Landing zone creation, CI\/CD + infrastructure automation, operations enablement<br\/>\n   &#8211; Consulting use case examples:  <\/p>\n<ul>\n<li>Building a repeatable OCI network baseline (VCN, subnets, NAT\/IGW, NSGs)  <\/li>\n<li>Governance and tagging strategy  <\/li>\n<li>Operational runbooks for networking troubleshooting  <\/li>\n<li>Website: https:\/\/www.devopsschool.com\/<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>DEVOPSCONSULTING.IN<\/strong><br\/>\n   &#8211; Likely service area: DevOps consulting services (verify specific cloud coverage)<br\/>\n   &#8211; Where they may help: DevOps transformations that include cloud infrastructure and networking practices<br\/>\n   &#8211; Consulting use case examples:  <\/p>\n<ul>\n<li>Migrating workloads to OCI with secure subnet design  <\/li>\n<li>Implementing least-privilege NSG models  <\/li>\n<li>Cost optimization for NAT\/egress\/logging  <\/li>\n<li>Website: https:\/\/www.devopsconsulting.in\/<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before this service<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Networking fundamentals:<\/li>\n<li>IP addressing, CIDR notation<\/li>\n<li>routing vs firewalling<\/li>\n<li>TCP\/UDP, ports, stateful vs stateless filtering<\/li>\n<li>NAT concepts<\/li>\n<li>Linux basics for troubleshooting:<\/li>\n<li><code>ip a<\/code>, <code>ip r<\/code>, <code>ss -lntp<\/code>, <code>curl<\/code>, <code>dig\/nslookup<\/code><\/li>\n<li>Cloud basics:<\/li>\n<li>identity and access management concepts<\/li>\n<li>regions\/availability domains<\/li>\n<li>infrastructure-as-code fundamentals<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after this service<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hybrid networking<\/strong> deeper dive:<\/li>\n<li>DRG route tables, routing domains, and segmentation patterns (verify latest DRG model)<\/li>\n<li>IPSec VPN design, redundancy, BGP (if applicable in your setup)<\/li>\n<li>FastConnect architecture and operations<\/li>\n<li><strong>Security services<\/strong> around networking:<\/li>\n<li>WAF, Network Firewall, SIEM integrations (separate services)<\/li>\n<li><strong>OKE networking<\/strong>:<\/li>\n<li>Kubernetes networking, service exposure patterns, ingress controllers<\/li>\n<li><strong>Automation<\/strong>:<\/li>\n<li>Terraform for OCI networking<\/li>\n<li>CI\/CD for infrastructure changes<\/li>\n<li><strong>Observability and security operations<\/strong>:<\/li>\n<li>Flow logs, centralized logging, alerting, incident runbooks<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Network Engineer \/ Network Architect<\/li>\n<li>Cloud Solutions Architect<\/li>\n<li>DevOps Engineer \/ Platform Engineer<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>Security Engineer \/ Cloud Security Architect<\/li>\n<li>Cloud Operations 
Engineer<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Oracle offers OCI certifications. The exact names and paths change over time, so verify current tracks on Oracle University:\n&#8211; Oracle University OCI certifications: https:\/\/education.oracle.com\/<\/p>\n\n\n\n<p>A practical path often looks like:\n1. OCI foundations (core concepts)\n2. OCI architect or infrastructure track\n3. Specialize in networking\/hybrid + security<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a 3-tier VCN (web\/app\/db) using NSGs only (no security lists).<\/li>\n<li>Implement hub-and-spoke with DRG and two spoke VCNs; test routing and segmentation.<\/li>\n<li>Enable flow logs and build a troubleshooting dashboard\/report.<\/li>\n<li>Create a private subnet that reaches Object Storage via Service Gateway (verify supported services and DNS behavior).<\/li>\n<li>Build a \u201cno-public-IP\u201d policy set and audit script to detect violations.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI (Oracle Cloud Infrastructure):<\/strong> Oracle Cloud\u2019s IaaS platform; \u201cOracle Cloud\u201d in this tutorial refers to OCI services.<\/li>\n<li><strong>Networking:<\/strong> OCI service area covering VCNs, routing, gateways, DRG, security controls, and connectivity.<\/li>\n<li><strong>VCN (Virtual Cloud Network):<\/strong> A regional, private network in OCI.<\/li>\n<li><strong>Subnet:<\/strong> A segment of a VCN with its own CIDR range.<\/li>\n<li><strong>Route Table:<\/strong> Rules that define where traffic goes based on destination.<\/li>\n<li><strong>Internet Gateway (IGW):<\/strong> Gateway that enables internet connectivity for public subnets.<\/li>\n<li><strong>NAT Gateway:<\/strong> Allows outbound internet access from private instances without inbound internet exposure.<\/li>\n<li><strong>Service Gateway:<\/strong> Provides private access from a VCN to selected OCI services via OCI Services Network.<\/li>\n<li><strong>DRG (Dynamic Routing Gateway):<\/strong> Virtual router that connects VCNs to on-prem and other networks.<\/li>\n<li><strong>Local Peering:<\/strong> Private connectivity between VCNs in the same region.<\/li>\n<li><strong>Remote Peering:<\/strong> Private connectivity between VCNs in different regions (typically via DRG).<\/li>\n<li><strong>Security List:<\/strong> Subnet-level stateful firewall rules.<\/li>\n<li><strong>NSG (Network Security Group):<\/strong> VNIC-level stateful firewall rules; enables microsegmentation.<\/li>\n<li><strong>VNIC:<\/strong> Virtual network interface card attached to an OCI compute instance.<\/li>\n<li><strong>Public IP:<\/strong> Internet-routable IP address assigned to a resource.<\/li>\n<li><strong>Private IP:<\/strong> Non-internet-routable address inside a VCN.<\/li>\n<li><strong>Flow Logs:<\/strong> Captured metadata about network flows for observability and security analysis.<\/li>\n<li><strong>VTAP:<\/strong> Virtual Test 
Access Point; traffic mirroring capability.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Oracle Cloud <strong>Networking<\/strong> is the foundation for building secure and scalable network topologies in <strong>Oracle Cloud<\/strong> under the <strong>Networking, Edge, and Connectivity<\/strong> category. It centers on the <strong>VCN<\/strong> and extends through subnets, route tables, gateways (IGW\/NAT\/Service Gateway), and enterprise connectivity via <strong>DRG<\/strong>, VPN, and FastConnect.<\/p>\n\n\n\n<p>It matters because nearly every OCI workload depends on it for <strong>connectivity, isolation, segmentation, and control<\/strong>. The biggest cost considerations typically come from <strong>NAT\/DRG\/VPN usage<\/strong> and <strong>data egress<\/strong>, plus indirect costs like <strong>logging volume<\/strong> when flow logs are enabled. Security success depends on least-privilege IAM, careful public exposure controls, and disciplined use of <strong>NSGs<\/strong> and routing.<\/p>\n\n\n\n<p>Use Oracle Cloud Networking whenever you deploy compute or private services in OCI, especially when you need multi-tier segmentation or hybrid connectivity. 
Start next by learning <strong>DRG routing patterns<\/strong>, <strong>service gateway\/private access<\/strong>, and <strong>Terraform automation<\/strong> to make your network repeatable and production-ready.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Networking, Edge, and Connectivity<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74,62],"tags":[],"class_list":["post-948","post","type-post","status-publish","format-standard","hentry","category-networking-edge-and-connectivity","category-oracle-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=948"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/948\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}