{"id":949,"date":"2026-04-17T06:03:25","date_gmt":"2026-04-17T06:03:25","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-network-command-center-services-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity\/"},"modified":"2026-04-17T06:03:25","modified_gmt":"2026-04-17T06:03:25","slug":"oracle-cloud-network-command-center-services-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-network-command-center-services-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity\/","title":{"rendered":"Oracle Cloud Network Command Center Services Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking, Edge, and Connectivity"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Networking, Edge, and Connectivity<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. 
Introduction<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<p><strong>What this service is<\/strong><br\/>\n<strong>Network Command Center Services<\/strong> in <strong>Oracle Cloud (OCI)<\/strong> are a set of networking visibility and troubleshooting capabilities that help you <strong>understand network topology<\/strong> and <strong>analyze reachability<\/strong> across OCI networking constructs (VCNs, subnets, gateways, routing, and security controls).<\/p>\n<\/li>\n<li>\n<p><strong>Simple explanation (1 paragraph)<\/strong><br\/>\n  When an application can\u2019t connect\u2014SSH won\u2019t work, a load balancer can\u2019t reach backends, or a private subnet can\u2019t call an API\u2014Network Command Center Services help you quickly answer: <strong>\u201cIs the network path supposed to work, and if not, what configuration is blocking it?\u201d<\/strong> Instead of manually checking route tables, security lists, and network security groups, you use guided tooling to visualize and analyze the path.<\/p>\n<\/li>\n<li>\n<p><strong>Technical explanation (1 paragraph)<\/strong><br\/>\n  Network Command Center Services perform <strong>configuration-based<\/strong> network analysis using OCI\u2019s control-plane data. They correlate VCN topology and policies (routing, security lists, NSGs, gateways, DRG attachments, etc.) to produce <strong>topology views<\/strong> and <strong>path analysis results<\/strong> that indicate whether traffic should be allowed and where it is blocked. This is especially helpful in multi-VCN, DRG-centric hub-and-spoke designs where the number of networking objects grows quickly.<\/p>\n<\/li>\n<li>\n<p><strong>What problem it solves<\/strong><br\/>\n  They reduce mean time to resolution (MTTR) for networking incidents by providing:<\/p>\n<ul class=\"wp-block-list\">\n<li>Faster isolation of routing vs. security vs. 
gateway misconfiguration issues<\/li>\n<li>A clearer understanding of complex OCI network architectures<\/li>\n<li>A repeatable way to validate intended connectivity during changes and migrations<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Naming note (verify in official docs): OCI documentation commonly refers to this suite as <strong>Network Command Center<\/strong>. Some Oracle materials and consoles may use <strong>Network Command Center Services<\/strong> as the suite name. This tutorial uses <strong>Network Command Center Services<\/strong> as the primary term and maps it to OCI\u2019s networking visibility\/troubleshooting suite.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Network Command Center Services?<\/h2>\n\n\n\n<p><strong>Official purpose (high level)<\/strong><br\/>\nNetwork Command Center Services are designed to help you <strong>visualize OCI network topologies<\/strong> and <strong>analyze network reachability<\/strong> so that you can troubleshoot connectivity problems and validate network designs.<\/p>\n\n\n\n<p><strong>Core capabilities (what you typically use day-to-day)<\/strong><br\/>\nWhile exact feature names can evolve by region and console release (verify in official docs), Network Command Center Services typically include capabilities in two broad buckets:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Topology \/ visualization<\/strong><br\/>\n   &#8211; Visualize relationships among OCI networking resources (VCN, subnets, gateways, route tables, security constructs, and attachments).<\/p>\n<\/li>\n<li>\n<p><strong>Reachability \/ path analysis<\/strong><br\/>\n   &#8211; Analyze a proposed traffic flow between a source and destination to determine whether it is allowed, and identify the configuration element that blocks it (for example: route table entry, security list rule, NSG rule).<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Major components 
(conceptual)<\/strong><br\/>\n&#8211; <strong>Topology view \/ Network visualizer<\/strong>: Helps you understand how resources connect.<br\/>\n&#8211; <strong>Path analysis \/ Network path analyzer<\/strong>: Helps you verify whether traffic should be able to flow between endpoints and why\/why not.<br\/>\n&#8211; <strong>OCI networking resources being analyzed<\/strong>: VCNs, subnets, route tables, security lists, NSGs, gateways (IGW\/NAT\/Service Gateway), DRGs, attachments, and related constructs.<\/p>\n\n\n\n<p><strong>Service type<\/strong><br\/>\n&#8211; A <strong>control-plane, configuration-driven<\/strong> observability\/troubleshooting service for OCI networking.<br\/>\n&#8211; It is not a packet capture tool and does not replace flow logging. Instead, it answers \u201c<strong>should traffic flow<\/strong> based on configuration?\u201d<\/p>\n\n\n\n<p><strong>Scope (regional\/global\/account\/project)<\/strong><br\/>\n&#8211; OCI networking resources (VCNs, subnets, gateways) are <strong>regional<\/strong>, and analysis is typically performed <strong>within a region<\/strong> against resources in that region.<br\/>\n&#8211; Access and organization are typically <strong>compartment-scoped<\/strong> (OCI\u2019s resource grouping model).<br\/>\n&#8211; Exact scoping and cross-compartment behavior should be validated in the official documentation for your tenancy and region.<\/p>\n\n\n\n<p><strong>How it fits into the Oracle Cloud ecosystem<\/strong><br\/>\nNetwork Command Center Services sit in the <strong>Networking, Edge, and Connectivity<\/strong> pillar and complement:<br\/>\n&#8211; <strong>VCN Flow Logs<\/strong> (traffic evidence)<br\/>\n&#8211; <strong>OCI Monitoring<\/strong> (metrics) and <strong>OCI Logging<\/strong> (logs)<br\/>\n&#8211; <strong>OCI IAM<\/strong> (who can see\/analyze network data)<br\/>\n&#8211; <strong>OCI Bastion<\/strong> (secure admin access pattern)<br\/>\n&#8211; <strong>DRG \/ VPN \/ FastConnect<\/strong> (hybrid connectivity 
designs)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Network Command Center Services?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced downtime and faster incident response<\/strong>: Faster diagnosis directly reduces outage duration and support costs.<\/li>\n<li><strong>Safer changes<\/strong>: Use path analysis to validate expected connectivity before and after changes.<\/li>\n<li><strong>Lower operational overhead<\/strong>: Less manual checking across dozens of networking objects.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Configuration-based reachability checks<\/strong>: Great for answering \u201cis this blocked by routing or security rules?\u201d<\/li>\n<li><strong>Topology clarity<\/strong>: Visualizing relationships reduces mistakes in complex architectures.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Repeatable troubleshooting<\/strong>: Standardizes how engineers investigate connectivity.<\/li>\n<li><strong>Better handoffs<\/strong>: Topology and analysis outputs provide shared context between platform, security, and application teams.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security \/ compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege validation<\/strong>: Helps ensure you didn\u2019t accidentally open a path you didn\u2019t intend\u2014or block a required one.<\/li>\n<li><strong>Change governance support<\/strong>: When paired with auditing (OCI Audit) and tagging, analysis supports traceability of changes (who changed what, and what impact occurred).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability \/ performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>As environments scale (more 
VCNs, DRG attachments, and microsegmentation rules), manual analysis becomes error-prone. Network Command Center Services scale operationally by improving human efficiency.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Use Network Command Center Services when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You operate multiple VCNs and complex routing\/security policies<\/li>\n<li>You rely on DRG-based connectivity (hub-and-spoke, shared services)<\/li>\n<li>You frequently troubleshoot \u201cit works here but not there\u201d connectivity issues<\/li>\n<li>You need visibility for audits, migrations, or multi-team operations<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Network Command Center Services are not sufficient by themselves when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need <strong>evidence of actual traffic<\/strong> (use <strong>VCN Flow Logs<\/strong>, load balancer logs, firewall logs, etc.)<\/li>\n<li>You need <strong>packet captures<\/strong> or deep inspection (use network appliances or host-based tooling)<\/li>\n<li>Your problem is <strong>application-layer<\/strong> (TLS, DNS, auth) rather than network reachability (although path analysis can help rule out networking)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Network Command Center Services used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Finance &amp; fintech<\/strong>: Strict segmentation, audits, and hybrid connectivity.<\/li>\n<li><strong>Healthcare<\/strong>: Regulated environments, strong network controls, and incident response requirements.<\/li>\n<li><strong>Retail &amp; e-commerce<\/strong>: Availability-sensitive architectures with multiple tiers and load balancers.<\/li>\n<li><strong>SaaS providers<\/strong>: Multi-environment (dev\/stage\/prod) plus multi-tenant segmentation.<\/li>\n<li><strong>Manufacturing &amp; logistics<\/strong>: Hybrid connectivity to plants, warehouses, and edge sites.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud platform \/ landing zone teams<\/li>\n<li>Network engineering teams building VCN\/DRG patterns<\/li>\n<li>SRE\/DevOps teams on-call for connectivity incidents<\/li>\n<li>Security engineering teams validating segmentation boundaries<\/li>\n<li>Application teams troubleshooting service-to-service communication<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>3-tier web apps (LB \u2192 app \u2192 DB)<\/li>\n<li>Kubernetes clusters (OCI Container Engine for Kubernetes \/ OKE) where network policies and security rules intersect (verify exact analysis coverage in docs)<\/li>\n<li>Hybrid enterprise apps accessing on-prem databases\/services over VPN\/FastConnect<\/li>\n<li>Shared-services architectures (central DNS, logging, security scanning)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Single VCN<\/strong> (simple, but still benefits from path analysis)<\/li>\n<li><strong>Hub-and-spoke<\/strong> with DRG and shared services<\/li>\n<li><strong>Multi-region<\/strong> patterns (note: analysis is generally 
regional; validate cross-region behavior in docs)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: Most valuable for incident response, change validation, and audit support.<\/li>\n<li><strong>Dev\/test<\/strong>: Great for learning OCI networking and validating templates (Terraform) before promoting to production.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic use cases where Network Command Center Services are a strong fit. Exact UI options and supported endpoint types can vary\u2014verify details in the official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) \u201cWhy can\u2019t I SSH into my instance?\u201d<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: SSH times out or is refused.<\/li>\n<li><strong>Why this service fits<\/strong>: Path analysis can highlight missing routes, blocked security list\/NSG rules, or gateway issues.<\/li>\n<li><strong>Example scenario<\/strong>: A new engineer launches an instance in a public subnet but forgets to allow TCP\/22 from their IP. 
Path analysis points to the ingress rule.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Load balancer can\u2019t reach backend servers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Health checks fail; backends show critical.<\/li>\n<li><strong>Why this service fits<\/strong>: Identifies whether the backend subnet security list\/NSG blocks the LB subnet or whether routes are incorrect.<\/li>\n<li><strong>Example scenario<\/strong>: An internal LB in a shared-services subnet needs to reach app instances in a spoke VCN over DRG\/LPG; traffic is blocked by NSGs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Private subnet can\u2019t reach the internet for updates<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Instances can\u2019t <code>yum update<\/code> or fetch packages.<\/li>\n<li><strong>Why this service fits<\/strong>: Path analysis can validate NAT gateway routes and egress rules.<\/li>\n<li><strong>Example scenario<\/strong>: The private subnet route table doesn\u2019t have a default route to the NAT gateway.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Service Gateway connectivity to OCI services fails<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Private instances can\u2019t access OCI Object Storage without internet.<\/li>\n<li><strong>Why this service fits<\/strong>: Helps validate service gateway route rules and subnet association.<\/li>\n<li><strong>Example scenario<\/strong>: A subnet uses the wrong route table; path analysis shows traffic not routed to the service gateway.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) DRG route distribution issues in hub-and-spoke<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Spoke VCN A can\u2019t reach Spoke VCN B.<\/li>\n<li><strong>Why this service fits<\/strong>: Helps reveal where routing\/attachments\/route tables prevent transit.<\/li>\n<li><strong>Example 
scenario<\/strong>: A DRG attachment is present, but route import\/export (or equivalent route distribution settings) is misconfigured. (Verify exact DRG route distribution terminology in your OCI version.)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Segmentation validation for compliance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Need proof that dev can\u2019t reach prod DB.<\/li>\n<li><strong>Why this service fits<\/strong>: Path analysis provides a deterministic \u201cblocked\u201d outcome and indicates the blocking control.<\/li>\n<li><strong>Example scenario<\/strong>: A compliance audit requires demonstration that only app subnets can reach DB ports.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Troubleshooting microsegmentation with NSGs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Specific port connectivity fails between two instances.<\/li>\n<li><strong>Why this service fits<\/strong>: Pinpoints whether NSG rules (or security lists) allow the protocol\/port.<\/li>\n<li><strong>Example scenario<\/strong>: App instance NSG allows 443 outbound but DB NSG does not allow 1521 inbound.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Validating Terraform networking changes before apply<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Fear of breaking connectivity when updating security rules.<\/li>\n<li><strong>Why this service fits<\/strong>: After applying in a test compartment, you can validate critical paths quickly and consistently.<\/li>\n<li><strong>Example scenario<\/strong>: A new route table design is introduced; validate app-to-db, bastion-to-app, and app-to-object-storage flows.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Incident triage during outages<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Multiple teams suspect network is down, but root cause is unclear.<\/li>\n<li><strong>Why this service 
fits<\/strong>: Quickly rules in\/out network configuration as the cause.<\/li>\n<li><strong>Example scenario<\/strong>: After a DRG change, connectivity to on-prem fails; path analysis highlights the missing route propagation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Network topology documentation for operations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: New teams don\u2019t understand how VCNs and gateways relate.<\/li>\n<li><strong>Why this service fits<\/strong>: Topology visualizations reduce onboarding time and operational risk.<\/li>\n<li><strong>Example scenario<\/strong>: A platform team shares topology views during change advisory board (CAB) reviews.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Post-migration validation (on-prem to OCI)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: After migration, some services are reachable and others aren\u2019t.<\/li>\n<li><strong>Why this service fits<\/strong>: Validate expected paths from new OCI subnets to on-prem systems.<\/li>\n<li><strong>Example scenario<\/strong>: Only certain subnets have correct DRG route table associations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Troubleshooting asymmetric routing symptoms<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Connections establish but fail mid-stream or return traffic is missing.<\/li>\n<li><strong>Why this service fits<\/strong>: Helps validate configuration symmetry in routing and security controls (within the limits of config-based analysis).<\/li>\n<li><strong>Example scenario<\/strong>: Traffic from subnet A to subnet B routes via DRG, but return path differs due to route table mismatch.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>The exact feature set and naming can vary by OCI release and region. 
The features below reflect the commonly documented capabilities associated with OCI Network Command Center. Verify current details in official docs.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">1) Network topology visualization (Network Visualizer \/ topology views)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides a visual representation of networking resources and their relationships (VCNs, subnets, gateways, route tables, attachments).<\/li>\n<li><strong>Why it matters<\/strong>: Humans troubleshoot faster with a correct topology map than with lists of resources.<\/li>\n<li><strong>Practical benefit<\/strong>: Speeds up onboarding and incident response; improves change reviews.<\/li>\n<li><strong>Limitations\/caveats<\/strong>:\n<ul class=\"wp-block-list\">\n<li>A topology view reflects <strong>configuration<\/strong>, not traffic volume or performance.<\/li>\n<li>Very large environments can be visually dense; use compartments and naming\/tagging to manage complexity.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Network Path Analyzer (reachability analysis)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Evaluates whether traffic can flow between a source and destination under specific protocol\/port assumptions based on routing and security configuration.<\/li>\n<li><strong>Why it matters<\/strong>: Most connectivity failures are configuration issues\u2014routes, NSGs, or security lists.<\/li>\n<li><strong>Practical benefit<\/strong>: Identifies the <em>first blocking point<\/em> quickly.<\/li>\n<li><strong>Limitations\/caveats<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Typically configuration-based; it does not guarantee the application is healthy.<\/li>\n<li>Host firewalls (iptables\/firewalld), OS routing, and app-level ACLs are outside pure VCN config (you still need OS\/app checks).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Hop-by-hop and \u201cblocking control\u201d 
identification<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Surfaces which object blocks traffic (for example, a missing route or a denied security rule).<\/li>\n<li><strong>Why it matters<\/strong>: Reduces guesswork and ping-pong between teams.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster remediation and clearer change requests.<\/li>\n<li><strong>Limitations\/caveats<\/strong>:\n<ul class=\"wp-block-list\">\n<li>The analysis is only as accurate as the current configuration state and supported object types.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Works with core OCI networking constructs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Operates against VCN constructs like subnets, route tables, security lists, NSGs, and gateways.<\/li>\n<li><strong>Why it matters<\/strong>: These are the primary \u201clevers\u201d controlling connectivity in OCI.<\/li>\n<li><strong>Practical benefit<\/strong>: A single place to reason about multi-layer controls.<\/li>\n<li><strong>Limitations\/caveats<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Coverage for advanced scenarios (certain appliance patterns, third-party NVAs, complex overlay networks) should be verified.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Compartment-based governance and IAM-controlled access<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Respects OCI IAM policies and compartment boundaries.<\/li>\n<li><strong>Why it matters<\/strong>: Network visibility is sensitive; access must be controlled.<\/li>\n<li><strong>Practical benefit<\/strong>: Security teams can allow \u201cread-only troubleshooting\u201d without granting full network admin rights.<\/li>\n<li><strong>Limitations\/caveats<\/strong>:\n<ul class=\"wp-block-list\">\n<li>IAM policies must be designed carefully; overly broad read access can expose network architecture.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Complements (not replaces) traffic 
logging\/monitoring<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides design-time and config-time insight; pairs well with flow logs and metrics for runtime evidence.<\/li>\n<li><strong>Why it matters<\/strong>: You need both: \u201cshould this work?\u201d and \u201cdid traffic actually flow?\u201d<\/li>\n<li><strong>Practical benefit<\/strong>: End-to-end troubleshooting workflow (analyze \u2192 validate with logs\/metrics \u2192 remediate).<\/li>\n<li><strong>Limitations\/caveats<\/strong>:\n<ul class=\"wp-block-list\">\n<li>If your environment requires forensic-level audit of flows, you must also implement flow logs and centralized logging.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>Network Command Center Services sit in OCI\u2019s control plane and query\/interpret network configuration objects. They do not sit inline in your data path.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane<\/strong>: Reads configuration metadata (routes, security rules, attachments).<\/li>\n<li><strong>Data plane<\/strong>: Your actual packets traverse VCN, gateways, DRG, etc. 
Network Command Center Services do not forward traffic.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Request \/ data \/ control flow (conceptual)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>An operator selects topology or runs a path analysis.<\/li>\n<li>The service evaluates current OCI configuration state for relevant resources.<\/li>\n<li>The service returns:<br\/>\n   &#8211; A topology view or<br\/>\n   &#8211; A path analysis result (allowed\/blocked) with details.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related OCI services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Virtual Cloud Network (VCN)<\/strong>: Primary objects analyzed.<\/li>\n<li><strong>Compute instances<\/strong>: Common source\/destination endpoints (via VNICs and private IPs).<\/li>\n<li><strong>Load Balancer<\/strong>: Often part of connectivity investigations.<\/li>\n<li><strong>Dynamic Routing Gateway (DRG)<\/strong>: Common in hybrid\/hub-spoke architectures.<\/li>\n<li><strong>OCI IAM<\/strong>: Controls who can inspect\/perform analysis.<\/li>\n<li><strong>OCI Audit<\/strong>: Records API calls; helpful for governance.<\/li>\n<li><strong>OCI Logging \/ Monitoring<\/strong>: Complements NCC with runtime evidence and metrics.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Networking control-plane APIs and inventory<\/li>\n<li>IAM authorization service<\/li>\n<li>(Optional) If you operationalize results: Logging, Monitoring, Notifications, and ticketing tools<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Auth is via <strong>OCI IAM<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Users\/groups or dynamic groups<\/li>\n<li>Policies granting permission to inspect\/read networking objects and (if applicable) manage analysis resources<\/li>\n<\/ul>\n<\/li>\n<li>Recommended: separate \u201cNetwork Operators (read\/analyze)\u201d from 
\u201cNetwork Admins (change)\u201d.<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>IAM policy specifics: OCI has precise resource-type names (for example, <code>virtual-network-family<\/code>). Network Command Center Services may have their own resource types for managing saved analyses\/tests. <strong>Verify the exact policy statements in the official docs<\/strong> for your region and tenancy.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The service is not deployed into your VCN; it operates at the OCI service layer.<\/li>\n<li>Your VCN configuration remains the source of truth for route\/security decisions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>OCI Audit<\/strong> to see who ran changes and when (and sometimes who invoked analysis APIs).<\/li>\n<li>Use naming standards and tags on network objects so topology and troubleshooting outputs are readable.<\/li>\n<li>Pair with <strong>VCN Flow Logs<\/strong> (if enabled) when you need to confirm real traffic.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (conceptual)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  User[Operator \/ Engineer] --&gt;|Console\/API| NCC[Network Command Center Services]\n  NCC --&gt;|Reads config| VCN[OCI VCN Resources]\n  VCN --&gt; RT[Route Tables]\n  VCN --&gt; SL[Security Lists]\n  VCN --&gt; NSG[Network Security Groups]\n  VCN --&gt; GW[IGW\/NAT\/Service Gateway]\n  VCN --&gt; DRG[DRG Attachments]\n  NCC --&gt;|Outputs| Result[Topology View \/ Path Analysis Result]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (hub-and-spoke + hybrid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  OnPrem[On-Prem Network] --- VPN[Site-to-Site VPN \/ FastConnect]\n  VPN --- DRG[Dynamic Routing 
Gateway]\n\n  DRG --- HubVCN[\"Hub VCN (Shared Services)\"]\n  DRG --- Spoke1[Spoke VCN - App]\n  DRG --- Spoke2[Spoke VCN - Data]\n\n  HubVCN --- DNS[DNS \/ Shared Tools]\n  Spoke1 --- LB[Load Balancer]\n  LB --- App[Compute\/OKE Workers]\n  Spoke2 --- DB[Database Subnet]\n\n  NCC[Network Command Center Services] --&gt;|Analyze topology + reachability| DRG\n  NCC --&gt; HubVCN\n  NCC --&gt; Spoke1\n  NCC --&gt; Spoke2\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Tenancy\/account requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Oracle Cloud<\/strong> tenancy (OCI).<\/li>\n<li>Ability to create and manage resources in a compartment (or access to an existing networking lab compartment).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>You need IAM permissions to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create and manage basic networking resources (VCN, subnet, gateways, route tables, security lists\/NSGs)<\/li>\n<li>Create compute instances (for the lab)<\/li>\n<li>Access Network Command Center Services pages in the console and run analyses<\/li>\n<\/ul>\n\n\n\n<p>If you\u2019re not an admin, ask for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Network admin permissions in a dedicated compartment for the lab, <strong>or<\/strong><\/li>\n<li>A limited policy set that allows read\/analyze plus separate change approvals<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p><strong>Verify in official docs<\/strong>: exact OCI IAM policy statements for Network Command Center Services features and any \u201cpath analyzer\u201d resource types.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Many networking objects are low-cost or no-cost, but compute and some gateways\/services may incur charges depending on tenancy and region.<\/li>\n<li>If using Always Free eligible resources, ensure your tenancy is eligible and you 
select eligible shapes\/services. See: https:\/\/www.oracle.com\/cloud\/free\/<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Console access (web browser)<\/li>\n<li>Optional: <strong>OCI Cloud Shell<\/strong> (recommended) or local terminal<\/li>\n<li>Optional: OCI CLI (Cloud Shell typically has it preinstalled; verify):<br\/>\n  https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/Concepts\/cliconcepts.htm<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI networking is regional; ensure you select a region where you can create compute instances and networking.<\/li>\n<li>Network Command Center Services availability can vary; <strong>verify in official docs<\/strong> if you don\u2019t see it in the console navigation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Service limits apply to VCNs, subnets, route rules, security rules, and instances. Check \u201cService Limits\u201d in your tenancy.<\/li>\n<li>If you hit limits in the lab, use a dedicated compartment or request limit increases.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services (for this tutorial lab)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Virtual Cloud Network (VCN)<\/li>\n<li>Compute instances (2 small instances)<\/li>\n<li>(Optional but used in lab) NAT Gateway<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing model (what you should expect)<\/h3>\n\n\n\n<p>Network Command Center Services are typically a <strong>control-plane capability<\/strong> and are often provided <strong>without a separate line-item charge<\/strong>. 
However, <strong>you must pay for the underlying resources<\/strong> you create and operate (compute, load balancers, gateways, data transfer, logging).<\/p>\n\n\n\n<p>Because OCI pricing changes over time and can vary by region and contract, <strong>verify current cost details<\/strong> using:\n&#8211; Oracle Cloud Pricing: https:\/\/www.oracle.com\/cloud\/pricing\/\n&#8211; OCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/p>\n\n\n\n<blockquote>\n<p>If Network Command Center Services appear as separately billable in your tenancy\u2019s pricing pages, follow the official SKU details. If not listed, assume the main costs are indirect (compute\/networking\/logging).<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions to consider<\/h3>\n\n\n\n<p>Even if Network Command Center Services themselves are not billed directly, your troubleshooting\/visibility stack may include:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Compute<\/strong><br\/>\n   &#8211; Instances used as endpoints in testing (Always Free may help).<\/li>\n<li><strong>Load Balancing<\/strong><br\/>\n   &#8211; If your architecture uses LBs, they are typically billable.<\/li>\n<li><strong>Gateways \/ connectivity<\/strong><br\/>\n   &#8211; VPN, FastConnect, NAT usage patterns can have costs (verify current pricing).<\/li>\n<li><strong>Data transfer \/ egress<\/strong><br\/>\n   &#8211; Internet egress is often a cost driver.\n   &#8211; Cross-region traffic can be expensive depending on design.<\/li>\n<li><strong>Logging and monitoring<\/strong><br\/>\n   &#8211; If you enable <strong>VCN Flow Logs<\/strong> and export logs to Logging\/Storage\/SIEM, ingestion and storage costs may apply.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier (if applicable)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Always Free offerings may include certain compute shapes and core services. 
Always Free details are region-dependent\u2014verify: https:\/\/www.oracle.com\/cloud\/free\/<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Troubleshooting sprawl<\/strong>: Creating test instances across compartments\/regions can add compute costs.<\/li>\n<li><strong>Log retention<\/strong>: Keeping flow logs for long retention periods increases storage costs.<\/li>\n<li><strong>Data egress during validation<\/strong>: Downloading images\/patches to many instances can increase egress.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost optimization tips<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Always Free<\/strong> shapes for lab endpoints where possible.<\/li>\n<li>Prefer <strong>short-lived lab environments<\/strong>: create \u2192 test \u2192 delete.<\/li>\n<li>Use <strong>tags<\/strong> and budgets to track lab spending.<\/li>\n<li>Enable flow logs selectively and with appropriate retention.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n<p>A minimal lab might include:\n&#8211; 1 VCN, 2 subnets, IGW, NAT Gateway\n&#8211; 2 small compute instances for testing\n&#8211; Minimal or no logging<\/p>\n\n\n\n<p>Costs depend on:\n&#8211; Whether the instances are Always Free eligible\n&#8211; Whether NAT Gateway usage incurs charges in your region (verify)\n&#8211; Any data egress (OS updates, package downloads)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, Network Command Center Services are usually not the main cost driver. 
Instead, plan for:\n&#8211; Many VCNs\/subnets and large rule sets (operational cost, not direct billing)\n&#8211; Logging and SIEM integration costs (ingestion\/storage)\n&#8211; Hybrid connectivity and egress costs\n&#8211; Time saved in incident response (a \u201csoft\u201d but very real cost factor)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Use <strong>Network Command Center Services<\/strong> to:\n1. Visualize a simple VCN topology.\n2. Run a path analysis between two instances.\n3. Intentionally break connectivity using a security rule, confirm the block in path analysis, then fix it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will build a small, realistic network:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VCN<\/strong>: <code>10.0.0.0\/16<\/code><\/li>\n<li><strong>Public subnet<\/strong>: <code>10.0.1.0\/24<\/code> (Instance A with public IP)<\/li>\n<li><strong>Private subnet<\/strong>: <code>10.0.2.0\/24<\/code> (Instance B without public IP)<\/li>\n<li><strong>Internet Gateway (IGW)<\/strong>: for public subnet inbound\/outbound<\/li>\n<li><strong>NAT Gateway<\/strong>: for private subnet outbound updates (optional but common)<\/li>\n<li><strong>Security<\/strong>:<\/li>\n<li>Allow SSH to Instance A from your IP (lab-only)<\/li>\n<li>Control whether Instance A can SSH to Instance B<\/li>\n<\/ul>\n\n\n\n<p>You will then use Network Command Center Services to determine why A \u2192 B SSH fails and fix it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create a compartment (optional but recommended)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the OCI Console, go to <strong>Identity &amp; Security \u2192 Compartments<\/strong>.<\/li>\n<li>Create a compartment such as <code>ncc-lab<\/code>.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: A 
dedicated compartment to keep lab resources isolated for cleanup and cost tracking.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a VCN with a public subnet<\/h3>\n\n\n\n<p>Use the VCN wizard to reduce mistakes.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Networking \u2192 Virtual Cloud Networks<\/strong>.<\/li>\n<li>Select your lab compartment.<\/li>\n<li>Click <strong>Create VCN<\/strong> and choose a wizard such as <strong>VCN with Internet Connectivity<\/strong> (wording may vary).<\/li>\n<li>Configure:\n   &#8211; VCN name: <code>ncc-vcn<\/code>\n   &#8211; VCN CIDR: <code>10.0.0.0\/16<\/code>\n   &#8211; Public subnet CIDR: <code>10.0.1.0\/24<\/code>\n   &#8211; Create an <strong>Internet Gateway<\/strong> and route rule for <code>0.0.0.0\/0<\/code> to IGW<\/li>\n<li>Create the VCN.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: A VCN with a public subnet and IGW, and a route table enabling internet access for that subnet.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Open the VCN and confirm:\n  &#8211; Internet Gateway exists and is attached to the VCN\n  &#8211; Public subnet exists and has a route table with <code>0.0.0.0\/0 \u2192 IGW<\/code><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create a private subnet and NAT Gateway (common pattern)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the same VCN, create:\n   &#8211; <strong>NAT Gateway<\/strong> (name: <code>ncc-nat<\/code>)<\/li>\n<li>Create a <strong>private subnet<\/strong>:\n   &#8211; Name: <code>private-subnet<\/code>\n   &#8211; CIDR: <code>10.0.2.0\/24<\/code>\n   &#8211; Mark as private (no public IP assignment)<\/li>\n<li>Create or select a route table for the private subnet and add:\n   &#8211; <code>0.0.0.0\/0 \u2192 NAT Gateway<\/code><\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: Private subnet has outbound internet access via NAT (for updates) but no inbound from 
internet.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Confirm private subnet route table includes default route to NAT gateway.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create two compute instances (A in public, B in private)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">4.1 Generate an SSH key (Cloud Shell recommended)<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open <strong>Cloud Shell<\/strong> in OCI Console.<\/li>\n<li>Generate a key pair:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">mkdir -p ~\/.ssh\nssh-keygen -t ed25519 -f ~\/.ssh\/ncc_lab_key -N \"\"\ncat ~\/.ssh\/ncc_lab_key.pub\n<\/code><\/pre>\n\n\n\n<p>Copy the public key output.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>: You have an SSH key pair. You will paste the public key into instance creation.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">4.2 Create Instance A (public)<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Compute \u2192 Instances \u2192 Create instance<\/strong><\/li>\n<li>Name: <code>instance-a-public<\/code><\/li>\n<li>Placement: choose an availability domain (default)<\/li>\n<li>Image: Oracle Linux (or another supported Linux)<\/li>\n<li>Shape: choose a small\/low-cost or Always Free eligible shape if available in your region (verify Always Free eligibility).<\/li>\n<li>Networking:\n   &#8211; VCN: <code>ncc-vcn<\/code>\n   &#8211; Subnet: public subnet (<code>10.0.1.0\/24<\/code>)\n   &#8211; Assign a public IPv4 address: <strong>Yes<\/strong><\/li>\n<li>Add SSH keys: paste the public key from Cloud Shell<\/li>\n<li>Create<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: Instance A has a public IP.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In instance details, note:\n  &#8211; Public IP address\n  &#8211; Private IP address (e.g., <code>10.0.1.x<\/code>)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">4.3 Create Instance B (private)<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create another instance:\n   
&#8211; Name: <code>instance-b-private<\/code>\n   &#8211; Subnet: <code>private-subnet<\/code> (<code>10.0.2.0\/24<\/code>)\n   &#8211; Assign a public IPv4 address: <strong>No<\/strong>\n   &#8211; Add the same SSH public key<\/li>\n<li>Create<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: Instance B has only a private IP (e.g., <code>10.0.2.x<\/code>).<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In instance details, confirm <strong>no public IP<\/strong> and note the private IP.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Configure security rules (intentionally create a failure)<\/h3>\n\n\n\n<p>OCI default security list rules vary depending on wizard choices. The VCN\u2019s default security list normally already contains a stateful ingress rule for TCP\/22 from <code>0.0.0.0\/0<\/code>, and the wizard attaches that list to the subnets it creates, so check what is already there before adding anything. For a controlled lab, do this explicitly.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">5.1 Allow SSH from your IP to Instance A (lab-only)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Find the security list (or NSG) associated with the <strong>public subnet<\/strong>.<\/li>\n<li>If it already has a TCP\/22 rule from <code>0.0.0.0\/0<\/code>, narrow that rule rather than adding a second one next to it; otherwise add an ingress rule:<\/li>\n<li>Source CIDR: the <strong>\/32 of the address you will connect from<\/strong>. If you connect from OCI Cloud Shell, that is Cloud Shell\u2019s egress address, not your workstation\u2019s public IP; check it from inside Cloud Shell before writing the rule, because a \/32 for one of them will not admit the other.<\/li>\n<li>Protocol: TCP<\/li>\n<li>Destination port: 22<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Lab-only note: Avoid <code>0.0.0.0\/0<\/code> for SSH in production. 
Use Bastion, VPN, or restricted IP ranges.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Expected outcome<\/strong>: You can SSH to Instance A from Cloud Shell (or your workstation, whichever address the rule names).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">5.2 Ensure Instance A cannot SSH to Instance B (create the failure)<\/h4>\n\n\n\n<p>On the <strong>private subnet<\/strong> security list (or Instance B NSG), ensure there is <strong>no ingress rule<\/strong> that allows:\n&#8211; Source: <code>10.0.1.0\/24<\/code> (public subnet) or Instance A\u2019s private IP\n&#8211; TCP port 22 to Instance B<\/p>\n\n\n\n<p>If the private subnet uses the VCN\u2019s default security list, it most likely carries the same TCP\/22-from-<code>0.0.0.0\/0<\/code> rule as the public subnet, which would let A reach B and hide the failure you are trying to create. Give the private subnet its own security list with no TCP\/22 ingress rule instead of editing the default list. Likewise, if there is a broad \u201callow VCN CIDR\u201d rule, temporarily remove it or narrow it (lab-only change). Remember that security lists and NSGs are combined as a union: one permissive rule in either is enough to allow the traffic.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>: SSH A \u2192 B should fail due to ingress restriction at private subnet\/NSG.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Validate the failure with real SSH traffic<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">6.1 SSH into Instance A<\/h4>\n\n\n\n<p>From Cloud Shell:<\/p>\n\n\n\n<pre><code class=\"language-bash\">chmod 600 ~\/.ssh\/ncc_lab_key\nssh -i ~\/.ssh\/ncc_lab_key opc@&lt;INSTANCE_A_PUBLIC_IP&gt;\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>: You get a shell on Instance A.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">6.2 Attempt SSH from Instance A to Instance B\u2019s private IP<\/h4>\n\n\n\n<p>The private key exists only in Cloud Shell, and copying it onto Instance A is exactly the secrets-handling mistake this tutorial warns against. Instead, from Cloud Shell, tunnel through Instance A with a <code>ProxyCommand<\/code>: sshd on Instance A opens the TCP connection to Instance B, so the packets still take the A \u2192 B path inside the VCN, and the key never leaves Cloud Shell.<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh -o ProxyCommand=\"ssh -i ~\/.ssh\/ncc_lab_key -W %h:%p opc@&lt;INSTANCE_A_PUBLIC_IP&gt;\" \\\n    -i ~\/.ssh\/ncc_lab_key opc@&lt;INSTANCE_B_PRIVATE_IP&gt;\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>: The second hop fails. OCI security rules drop non-matching packets rather than rejecting them, so expect a timeout (reported through the jump connection as a failed channel open), not an immediate \u201cconnection refused\u201d; an immediate refusal would instead point at sshd not listening on Instance B.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Use Network Command Center Services to analyze the path<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In OCI Console, locate <strong>Network Command Center Services<\/strong> (menu location can vary; typically under <strong>Networking<\/strong>).<\/li>\n<li>Open <strong>Network Path 
Analyzer<\/strong> (or the equivalent within NCC).<\/li>\n<li>Create a new path analysis (wording varies):\n   &#8211; <strong>Source<\/strong>: Instance A (or its VNIC\/private IP)\n   &#8211; <strong>Destination<\/strong>: Instance B (or its VNIC\/private IP)\n   &#8211; <strong>Protocol<\/strong>: TCP\n   &#8211; <strong>Destination port<\/strong>: 22<\/li>\n<li>Run the analysis.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: The result should show <strong>Blocked<\/strong> (or not reachable), and indicate the blocking control, commonly a missing ingress rule in:\n&#8211; Private subnet security list, or\n&#8211; Instance B NSG<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Review the result details for:\n  &#8211; Which hop\/resource is blocking\n  &#8211; Whether routing is correct (traffic between subnets of the same VCN uses the implicit local route, so routing should not be the problem here)\n  &#8211; The exact security list\/NSG and rule evaluation outcome<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Fix the security rule and re-test<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">8.1 Add the required ingress rule to allow SSH from public subnet to private instance (lab)<\/h4>\n\n\n\n<p>On the private subnet\u2019s security list (or Instance B NSG), add:\n&#8211; Source CIDR: <code>10.0.1.0\/24<\/code> (or Instance A\u2019s private IP <code>\/32<\/code> for tighter scope)\n&#8211; Protocol: TCP\n&#8211; Destination port: 22\n&#8211; Leave the rule stateful (the default), so the SSH reply traffic from B is allowed without a matching egress rule<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>: Network should now allow SSH from A \u2192 B.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">8.2 Re-run path analysis<\/h4>\n\n\n\n<p>Run the same Network Path Analyzer test again.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>: The result should show <strong>Allowed\/Reachable<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">8.3 Re-test SSH from Instance A to Instance B<\/h4>\n\n\n\n<p>From Cloud Shell, again tunnelling through Instance A so the private key stays in Cloud Shell (Instance A still opens the TCP connection to B, so this exercises the same A \u2192 B path):<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh -o ProxyCommand=\"ssh -i ~\/.ssh\/ncc_lab_key -W %h:%p opc@&lt;INSTANCE_A_PUBLIC_IP&gt;\" -i ~\/.ssh\/ncc_lab_key 
opc@&lt;INSTANCE_B_PRIVATE_IP&gt;\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>: Successful SSH connection to Instance B.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 9: Use Network Command Center Services topology visualization<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to the <strong>topology\/visualizer<\/strong> view in Network Command Center Services.<\/li>\n<li>Select the compartment and VCN (<code>ncc-vcn<\/code>).<\/li>\n<li>Explore the map:\n   &#8211; Public subnet \u2192 IGW\n   &#8211; Private subnet \u2192 NAT gateway\n   &#8211; Route tables and security constructs<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: You can visually confirm the intended architecture and the presence of gateways and subnets.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist to confirm the lab worked:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[ ] Instance A has a public IP and is reachable by SSH from Cloud Shell<\/li>\n<li>[ ] Instance B has no public IP<\/li>\n<li>[ ] SSH from Instance A \u2192 Instance B fails initially<\/li>\n<li>[ ] Network Path Analyzer shows the path is blocked and identifies the blocking control<\/li>\n<li>[ ] After adding ingress rule to private subnet\/NSG, path analysis shows allowed<\/li>\n<li>[ ] After fix, SSH from Instance A \u2192 Instance B succeeds<\/li>\n<li>[ ] Topology visualization shows IGW and NAT gateway relationships correctly<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>SSH to Instance A fails<\/strong>\n   &#8211; Check public subnet security list\/NSG ingress TCP\/22 from your IP\n   &#8211; Ensure Instance A has a public IP\n   &#8211; Ensure instance is in <code>RUNNING<\/code> state\n   &#8211; Check OS firewall (Oracle Linux images 
typically allow SSH; verify)<\/p>\n<\/li>\n<li>\n<p><strong>SSH from A to B still fails after adding rules<\/strong>\n   &#8211; Confirm you added the rule to the correct security list\/NSG attached to Instance B\u2019s VNIC\/subnet\n   &#8211; Confirm the source CIDR matches Instance A\u2019s private IP range\n   &#8211; Ensure B\u2019s OS firewall allows SSH (port 22)\n   &#8211; Verify you used the correct username (commonly <code>opc<\/code> on Oracle Linux; verify for your image)<\/p>\n<\/li>\n<li>\n<p><strong>Path Analyzer can\u2019t select endpoints<\/strong>\n   &#8211; You might not have permissions to read instance\/VNIC information\n   &#8211; Verify IAM policies and compartment selection\n   &#8211; Verify the feature is available in your region (console navigation can differ)<\/p>\n<\/li>\n<li>\n<p><strong>Private instance can\u2019t update packages<\/strong>\n   &#8211; Confirm private subnet route table has <code>0.0.0.0\/0 \u2192 NAT Gateway<\/code>\n   &#8211; Confirm egress security rules allow outbound traffic\n   &#8211; Confirm NAT gateway exists and is in the same VCN<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Terminate compute instances<\/strong>\n   &#8211; Compute \u2192 Instances \u2192 <code>instance-a-public<\/code> \u2192 Terminate<br\/>\n   &#8211; Compute \u2192 Instances \u2192 <code>instance-b-private<\/code> \u2192 Terminate<br\/>\n   (Choose to delete boot volumes if you don\u2019t need them.)<\/p>\n<\/li>\n<li>\n<p><strong>Delete networking resources<\/strong>\n   &#8211; Delete NAT gateway\n   &#8211; Delete internet gateway (if not removed with VCN delete)\n   &#8211; Delete subnets\n   &#8211; Delete the VCN (<code>ncc-vcn<\/code>)<br\/>\n   OCI often requires deleting dependent resources before the VCN deletion succeeds.<\/p>\n<\/li>\n<li>\n<p><strong>Delete 
the compartment<\/strong> (optional)\n   &#8211; Only if it is dedicated to this lab and empty.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Standardize on repeatable network patterns<\/strong>: hub-and-spoke, shared services, clear subnet tiers.<\/li>\n<li><strong>Keep route tables simple and explicit<\/strong>: prefer clear defaults and named route tables per subnet tier.<\/li>\n<li><strong>Use DRG intentionally<\/strong>: treat DRG attachments and route policies as critical infrastructure; document them.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM \/ security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Separate duties<\/strong>:<\/li>\n<li>Read-only network visibility (operators)<\/li>\n<li>Change permissions (network admins)<\/li>\n<li><strong>Least privilege policies<\/strong>: grant only the compartments and resource families required.<\/li>\n<li><strong>Use NSGs for workload-level policy<\/strong> and security lists for coarse subnet-level defaults (common pattern; verify your org\u2019s standard).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Tag networking resources<\/strong> with environment, owner, and cost center.<\/li>\n<li><strong>Keep labs ephemeral<\/strong>; automate creation\/cleanup with Terraform where possible.<\/li>\n<li><strong>Control logging retention<\/strong> if enabling VCN Flow Logs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NCC is not a performance tool, but you can prevent performance incidents by:<\/li>\n<li>Reducing misroutes and suboptimal routing complexity<\/li>\n<li>Validating connectivity paths during 
changes<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use path analysis in change windows<\/strong> to validate critical paths after modifications.<\/li>\n<li><strong>Maintain an \u201cSLO path list\u201d<\/strong>: app\u2192db, lb\u2192backend, app\u2192object-storage, spoke\u2192shared-services, on-prem\u2192app.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a standard runbook:\n  1. Validate service health (compute\/LB)\n  2. Run path analysis for suspected paths\n  3. Check flow logs (if enabled) for evidence\n  4. Review recent changes (Audit)<\/li>\n<li>Use consistent naming so topology views are readable.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Naming convention examples:<\/li>\n<li><code>vcn-prod-hub<\/code>, <code>subnet-prod-app-private-1<\/code>, <code>rt-prod-private<\/code>, <code>nsg-prod-db<\/code><\/li>\n<li>Tag everything:<\/li>\n<li><code>Environment=Prod<\/code><\/li>\n<li><code>Owner=PlatformTeam<\/code><\/li>\n<li><code>Application=Payments<\/code><\/li>\n<li><code>CostCenter=1234<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Controlled by <strong>OCI IAM<\/strong>:<\/li>\n<li>Users, groups, dynamic groups<\/li>\n<li>Policies scoped to compartments<\/li>\n<li>Recommended approach:<\/li>\n<li>Grant most engineers <strong>read\/inspect<\/strong> access for troubleshooting<\/li>\n<li>Restrict <strong>manage<\/strong> permissions to a smaller admin group<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Verify official IAM resource types and verbs for Network Command Center Services in OCI documentation.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Network Command Center Services operate on configuration metadata; OCI control plane protections apply.<\/li>\n<li>For data plane encryption:<\/li>\n<li>Use TLS for application traffic<\/li>\n<li>Use OCI-native encryption for storage\/services as required<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The service itself does not require opening inbound ports.<\/li>\n<li>The risk usually comes from what you change while troubleshooting (for example, opening SSH to <code>0.0.0.0\/0<\/code>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid copying private keys into tickets or chat.<\/li>\n<li>Prefer OCI Bastion (production) rather than leaving SSH broadly open.<\/li>\n<li>Store secrets in <strong>OCI Vault<\/strong> where appropriate (verify your organization\u2019s secret management standard).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>OCI Audit<\/strong> to track changes to:<\/li>\n<li>route tables<\/li>\n<li>security lists\/NSGs<\/li>\n<li>gateways and DRG attachments<\/li>\n<li>For traffic evidence, use <strong>VCN Flow 
Logs<\/strong> (if enabled) and centralized logging.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Network topology and reachability results can be sensitive architecture information.<\/li>\n<li>Limit access and ensure exports\/screenshots are handled per policy.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Over-broad SSH rules during troubleshooting<\/li>\n<li>Leaving temporary \u201callow all from VCN\u201d rules in production<\/li>\n<li>Granting broad <code>manage virtual-network-family<\/code> to too many users<\/li>\n<li>Not tagging resources, making audits and reviews harder<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use a <strong>bastion pattern<\/strong> for admin access.<\/li>\n<li>Use NSGs for microsegmentation and restrict by source NSG where feasible.<\/li>\n<li>Maintain separate compartments for dev\/test\/prod.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. 
Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>Some items below depend on OCI\u2019s current implementation; verify in official docs.<\/p>\n<\/blockquote>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Configuration-based, not packet-based<\/strong>: Path analysis typically tells you whether a path should be allowed given OCI config; it won\u2019t prove the app is listening or the OS firewall permits it.<\/li>\n<li><strong>Endpoint support can vary<\/strong>: Not every possible source\/destination type may be selectable (verify supported endpoints).<\/li>\n<li><strong>Complex third-party appliance patterns<\/strong>: If you use network virtual appliances (NVAs) with custom routing, analysis accuracy may depend on how OCI models those paths.<\/li>\n<li><strong>Cross-compartment visibility<\/strong>: You may not see or analyze resources in other compartments without explicit IAM permissions.<\/li>\n<li><strong>Rule evaluation nuance<\/strong>: Security lists and NSGs are combined as a union, so traffic is permitted if any rule in either allows it, and a permissive security list can quietly override a tight NSG. Stateless rules need a matching rule in the opposite direction, whereas stateful rules admit the reply automatically. DRG route tables and route distributions add a further layer. Use a standardized troubleshooting checklist.<\/li>\n<li><strong>Large topology visualizations<\/strong>: Very large estates can become visually cluttered without good naming\/tagging.<\/li>\n<li><strong>Pricing surprises are indirect<\/strong>: Logs, data egress, and always-on test instances are common hidden costs.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Network Command Center Services are best understood as <strong>network topology + reachability analysis<\/strong>. 
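One concrete way to see what reachability analysis means at the security-rule step, as an added example (it is not OCI's Network Path Analyzer code and not from this page's author): the Python below applies the union semantics OCI documents for security lists and NSGs to this tutorial's lab, reproducing the Step 5.2 block and the Step 8.1 fix, and also flags the world-open TCP/22 rule the lab-only note warns against. Rule dictionaries use the field names of the OCI IngressSecurityRule API object; the instance addresses, the helper names and the same-VCN-only routing check are assumptions of the example.

```python
'''Configuration-based ingress check for this tutorial's lab (added example).

Not OCI's Network Path Analyzer code. It models one rule OCI documents for VNIC
ingress: traffic is permitted if ANY rule in the subnet's security lists OR ANY
rule in an NSG attached to the VNIC allows it (the sets are combined as a union).
Rule dicts use the field names of the OCI IngressSecurityRule API object
(protocol '6' = TCP, source, sourceType, tcpOptions.destinationPortRange).
Everything else is a teaching simplification: no stateless/stateful reply
handling, no NSG-as-source rules, no routing beyond 'same VCN', and the
instance addresses are assumed values.
'''
import ipaddress

TCP = '6'
ICMP = '1'
VCN_CIDR = '10.0.0.0/16'  # the tutorial's VCN


def rule_allows(rule, src_ip, dst_port, protocol=TCP):
    '''True if one ingress rule permits protocol traffic from src_ip to dst_port.'''
    if rule.get('protocol') not in (protocol, 'all'):
        return False
    if rule.get('sourceType', 'CIDR_BLOCK') != 'CIDR_BLOCK':
        return False  # NSG-as-source and service-label sources are not modelled
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule['source']):
        return False
    port_range = (rule.get('tcpOptions') or {}).get('destinationPortRange')
    if port_range is None:
        return True  # a rule without a port range matches every destination port
    return port_range['min'] <= dst_port <= port_range['max']


def ingress_verdict(src_ip, dst_port, security_list_rules, nsg_rules, protocol=TCP):
    '''Union semantics: the first permitting rule in either set wins; BLOCKED only
    when no security-list rule and no NSG rule matches.'''
    for matched_in, rules in (('security-list', security_list_rules), ('nsg', nsg_rules)):
        for rule in rules:
            if rule_allows(rule, src_ip, dst_port, protocol):
                return 'ALLOWED', {'matched_in': matched_in, 'rule': rule}
    return 'BLOCKED', None


def path_verdict(src_ip, dst_ip, dst_port, security_list_rules, nsg_rules, vcn_cidr=VCN_CIDR):
    '''Routing first, then security. Subnets of one VCN reach each other through the
    implicit local route, so inside the VCN only the security step can block.
    Anything outside the VCN would need route tables and gateways, which this
    simplification deliberately does not model.'''
    vcn = ipaddress.ip_network(vcn_cidr)
    if ipaddress.ip_address(src_ip) not in vcn or ipaddress.ip_address(dst_ip) not in vcn:
        return 'NOT_MODELLED', None
    return ingress_verdict(src_ip, dst_port, security_list_rules, nsg_rules)


def world_open_ssh_rules(rules):
    '''The troubleshooting mistake the tutorial warns about: TCP/22 open to 0.0.0.0/0.'''
    flagged = []
    for rule in rules:
        if rule.get('sourceType', 'CIDR_BLOCK') != 'CIDR_BLOCK':
            continue
        if ipaddress.ip_network(rule['source']).prefixlen != 0:
            continue
        if rule_allows(rule, '192.0.2.1', 22):  # any address is inside a /0; probe port 22
            flagged.append(rule)
    return flagged


# Constructed lab data matching the tutorial's CIDRs; the instance addresses are assumed.
INSTANCE_A_IP = '10.0.1.10'  # public subnet 10.0.1.0/24
INSTANCE_B_IP = '10.0.2.10'  # private subnet 10.0.2.0/24

# Private subnet security list as Step 5.2 leaves it: ICMP inside the VCN, no TCP/22.
PRIVATE_SL_BEFORE = [
    {'protocol': ICMP, 'source': VCN_CIDR, 'sourceType': 'CIDR_BLOCK', 'isStateless': False},
]
INSTANCE_B_NSG = []  # the lab attaches no NSG to Instance B

# The Step 8.1 fix, scoped to the public subnet (use INSTANCE_A_IP + '/32' to tighten it).
SSH_FROM_PUBLIC_SUBNET = {
    'protocol': TCP, 'source': '10.0.1.0/24', 'sourceType': 'CIDR_BLOCK', 'isStateless': False,
    'tcpOptions': {'destinationPortRange': {'min': 22, 'max': 22}},
}
PRIVATE_SL_AFTER = PRIVATE_SL_BEFORE + [SSH_FROM_PUBLIC_SUBNET]

# The rule the lab-only note says never to leave behind.
SSH_FROM_ANYWHERE = dict(SSH_FROM_PUBLIC_SUBNET, source='0.0.0.0/0')


def lab_before_fix():
    return path_verdict(INSTANCE_A_IP, INSTANCE_B_IP, 22, PRIVATE_SL_BEFORE, INSTANCE_B_NSG)[0]


def lab_after_fix():
    return path_verdict(INSTANCE_A_IP, INSTANCE_B_IP, 22, PRIVATE_SL_AFTER, INSTANCE_B_NSG)[0]


if __name__ == '__main__':
    print('A -> B tcp/22 before Step 8.1:', lab_before_fix())
    print('A -> B tcp/22 after Step 8.1: ', lab_after_fix())
    print('world-open SSH rules:', len(world_open_ssh_rules([SSH_FROM_ANYWHERE])))
```

Run it with python3 to print the before and after verdicts. To check a real change, paste the JSON of the security list or NSG you are about to edit in as the rule list. Treat an ALLOWED result the way the limitations above say to treat Path Analyzer's: the OS firewall on Instance B and whether sshd is listening remain outside the model.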
Alternatives fall into three categories: other OCI services, other cloud equivalents, and self-managed tools.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Oracle Cloud Network Command Center Services<\/strong><\/td>\n<td>OCI network visibility and reachability troubleshooting<\/td>\n<td>Native OCI awareness of VCN constructs; fast \u201cshould it work?\u201d analysis; topology views<\/td>\n<td>Not packet capture; not a full NPM\/APM tool; feature scope depends on OCI support<\/td>\n<td>You run workloads on OCI and need topology + reachability analysis<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI VCN Flow Logs + OCI Logging<\/strong><\/td>\n<td>Proving traffic actually flowed; forensics<\/td>\n<td>Evidence-based, can support SOC workflows<\/td>\n<td>More cost\/ops overhead; doesn\u2019t directly answer \u201cshould it work?\u201d<\/td>\n<td>You need runtime evidence and audit trails for traffic<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI Monitoring \/ Alarms<\/strong><\/td>\n<td>Metrics-based operational monitoring<\/td>\n<td>Integrates with alerts\/notifications<\/td>\n<td>Not a reachability analyzer<\/td>\n<td>You need SLIs\/SLOs and operational alerting<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS VPC Reachability Analyzer (AWS)<\/strong><\/td>\n<td>Reachability analysis on AWS<\/td>\n<td>Mature reachability checks for AWS networking<\/td>\n<td>Not applicable to OCI<\/td>\n<td>Multi-cloud teams comparing patterns; choose when on AWS<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Network Watcher (Azure)<\/strong><\/td>\n<td>Azure network diagnostics<\/td>\n<td>Broad diagnostics suite<\/td>\n<td>Not applicable to OCI<\/td>\n<td>Choose when workloads are on Azure<\/td>\n<\/tr>\n<tr>\n<td><strong>GCP Network Intelligence Center (GCP)<\/strong><\/td>\n<td>GCP 
network visibility<\/td>\n<td>Strong network insights<\/td>\n<td>Not applicable to OCI<\/td>\n<td>Choose when workloads are on Google Cloud<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed diagramming + scripts (e.g., NetBox + custom)<\/strong><\/td>\n<td>Custom governance and documentation<\/td>\n<td>Highly customizable; can be cloud-agnostic<\/td>\n<td>High engineering effort; often stale; no native rule evaluation<\/td>\n<td>Choose when you need strict CMDB integration and multi-cloud normalization<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: hub-and-spoke OCI with hybrid connectivity<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<p><strong>Problem<\/strong><br\/>\n  A large enterprise runs 20+ spoke VCNs for application teams. Connectivity to on-prem systems is via DRG. After a change to DRG routing, multiple applications lose access to on-prem databases. 
Different teams suspect firewall, DNS, and routing.<\/p>\n<\/li>\n<li>\n<p><strong>Proposed architecture<\/strong> <\/p>\n<\/li>\n<li>DRG-based hub-and-spoke<\/li>\n<li>Shared services VCN (DNS, logging, security tooling)<\/li>\n<li>Spoke VCNs per application environment<\/li>\n<li>\n<p>Centralized policies and tagging<\/p>\n<\/li>\n<li>\n<p><strong>Why Network Command Center Services were chosen<\/strong> <\/p>\n<\/li>\n<li>Faster triage: confirm whether the path from app subnet \u2192 DRG \u2192 on-prem is blocked by OCI config<\/li>\n<li>Clear ownership: identify whether the block is in DRG route policy vs subnet route table vs NSG rules<\/li>\n<li>\n<p>Reduced MTTR during incidents<\/p>\n<\/li>\n<li>\n<p><strong>Expected outcomes<\/strong> <\/p>\n<\/li>\n<li>Incident response runbooks standardized around: Path analysis \u2192 confirm with logs \u2192 revert\/fix<\/li>\n<li>Fewer \u201cwar room\u201d hours spent manually reviewing route tables and security rules<\/li>\n<li>Better change validation during DRG modifications<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup \/ small-team example: simple 3-tier application<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<p><strong>Problem<\/strong><br\/>\n  A small SaaS team runs a web app on OCI with a load balancer, app instances, and a private database. During a release, the app can\u2019t reach the DB. 
The team needs quick answers without a dedicated network engineer.<\/p>\n<\/li>\n<li>\n<p><strong>Proposed architecture<\/strong> <\/p>\n<\/li>\n<li>Single VCN<\/li>\n<li>Public subnet for LB<\/li>\n<li>Private subnet for app and DB<\/li>\n<li>\n<p>NSGs for app\u2194db restrictions<\/p>\n<\/li>\n<li>\n<p><strong>Why Network Command Center Services were chosen<\/strong> <\/p>\n<\/li>\n<li>Self-service troubleshooting: engineers can identify a missing NSG rule<\/li>\n<li>Avoids risky broad \u201callow all\u201d changes<\/li>\n<li>\n<p>Helps document the network for new hires<\/p>\n<\/li>\n<li>\n<p><strong>Expected outcomes<\/strong> <\/p>\n<\/li>\n<li>Faster rollback\/fix during releases<\/li>\n<li>Improved security posture through precise rule changes<\/li>\n<li>Less dependence on tribal knowledge<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is Network Command Center Services the same as flow logs?<\/strong><br\/>\n   No. Network Command Center Services are typically configuration\/topology\/reachability focused. Flow logs are evidence of actual traffic. Use both for comprehensive troubleshooting.<\/p>\n<\/li>\n<li>\n<p><strong>Does path analysis guarantee my application will work?<\/strong><br\/>\n   No. It usually indicates whether the network configuration permits traffic. Application issues (TLS, auth), OS firewalls, and service health can still break connectivity.<\/p>\n<\/li>\n<li>\n<p><strong>Do I need to install agents on instances?<\/strong><br\/>\n   Generally no for configuration-based analysis. If you rely on runtime metrics\/logs, that\u2019s separate (Monitoring\/Logging).<\/p>\n<\/li>\n<li>\n<p><strong>Can it analyze DRG-based routing issues?<\/strong><br\/>\n   It is commonly used to troubleshoot routing and reachability across OCI constructs. 
Exact DRG feature coverage should be verified in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>Can I use it for multi-region troubleshooting?<\/strong><br\/>\n   OCI networking resources are regional. Analysis is typically performed within a region; verify cross-region capabilities in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>Is it safe to use in production?<\/strong><br\/>\n   Yes, because it is generally read-only analysis of configuration. The risk comes from the changes humans make based on results.<\/p>\n<\/li>\n<li>\n<p><strong>Do I need admin permissions to run analysis?<\/strong><br\/>\n   Not necessarily. You need sufficient IAM permissions to read network objects and run the tool. Exact policy requirements should be verified in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the difference between security lists and NSGs when troubleshooting?<\/strong><br\/>\n   Security lists apply at the subnet level; NSGs apply at the VNIC\/workload level. Traffic can be blocked by either (or both).<\/p>\n<\/li>\n<li>\n<p><strong>If path analysis says \u201callowed,\u201d why can\u2019t I connect?<\/strong><br\/>\n   Common reasons: OS firewall, wrong destination IP\/port, service not listening, DNS resolves incorrectly, application-level blocking, or asymmetric routing outside modeled paths.<\/p>\n<\/li>\n<li>\n<p><strong>Can it help with \u201cprivate subnet can\u2019t reach OCI services\u201d issues?<\/strong><br\/>\n   Yes, when the issue is due to service gateway routes or security rules (verify supported endpoint\/service modeling).<\/p>\n<\/li>\n<li>\n<p><strong>Does it replace a network diagram?<\/strong><br\/>\n   It can reduce the need for manual diagrams, but most organizations still maintain high-level architecture diagrams for governance. 
Use NCC topology views to keep diagrams accurate.<\/p>\n<\/li>\n<li>\n<p><strong>Can I export topology views?<\/strong><br\/>\n   Some consoles provide export\/share options; verify current export capabilities in official docs and your console.<\/p>\n<\/li>\n<li>\n<p><strong>Is Network Command Center Services billed separately?<\/strong><br\/>\n   Often it is not separately billed, but you must pay for underlying resources. Confirm via Oracle pricing pages for your region.<\/p>\n<\/li>\n<li>\n<p><strong>How do I operationalize it for change management?<\/strong><br\/>\n   Maintain a list of critical paths and re-run analyses after network changes. Combine with Audit logs and change tickets.<\/p>\n<\/li>\n<li>\n<p><strong>What should I learn first to use it effectively?<\/strong><br\/>\n   OCI VCN fundamentals: subnets, route tables, security lists, NSGs, gateways, DRG, and compartment\/IAM basics.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Network Command Center Services<\/h2>\n\n\n\n<blockquote>\n<p>Links and page structures can change. 
If a specific page moves, use Oracle Docs search for \u201cNetwork Command Center\u201d or \u201cNetwork Path Analyzer\u201d.<\/p>\n<\/blockquote>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI Documentation (root) \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/home.htm<\/td>\n<td>Starting point to find authoritative NCC pages for your region\/version<\/td>\n<\/tr>\n<tr>\n<td>Official documentation (Networking)<\/td>\n<td>OCI Networking docs \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Concepts\/overview.htm<\/td>\n<td>Foundations: VCN, routing, gateways, DRG concepts<\/td>\n<\/tr>\n<tr>\n<td>Official documentation (IAM)<\/td>\n<td>OCI IAM Policies \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/Concepts\/policies.htm<\/td>\n<td>Required to design least-privilege access for network visibility<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Oracle Cloud Pricing \u2014 https:\/\/www.oracle.com\/cloud\/pricing\/<\/td>\n<td>Verify whether NCC has separate SKUs and review network-related charges<\/td>\n<\/tr>\n<tr>\n<td>Pricing tool<\/td>\n<td>OCI Cost Estimator \u2014 https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\n<td>Build region-specific estimates for compute\/logging\/egress used in troubleshooting<\/td>\n<\/tr>\n<tr>\n<td>Free tier info<\/td>\n<td>Oracle Cloud Free Tier \u2014 https:\/\/www.oracle.com\/cloud\/free\/<\/td>\n<td>Use Always Free resources to practice at low cost<\/td>\n<\/tr>\n<tr>\n<td>CLI documentation<\/td>\n<td>OCI CLI Concepts \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/Concepts\/cliconcepts.htm<\/td>\n<td>Automate network provisioning and validation workflows<\/td>\n<\/tr>\n<tr>\n<td>Tutorials\/labs<\/td>\n<td>Oracle LiveLabs \u2014 https:\/\/livelabs.oracle.com<\/td>\n<td>Hands-on OCI labs; search for 
networking and troubleshooting labs<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>OCI Architecture Center \u2014 https:\/\/docs.oracle.com\/solutions\/<\/td>\n<td>Reference architectures for hub-and-spoke, hybrid connectivity, and network design<\/td>\n<\/tr>\n<tr>\n<td>Videos<\/td>\n<td>Oracle Cloud Infrastructure YouTube \u2014 https:\/\/www.youtube.com\/@OracleCloudInfrastructure<\/td>\n<td>Visual walkthroughs of OCI networking concepts and operations (search within channel)<\/td>\n<\/tr>\n<tr>\n<td>SDKs &amp; samples<\/td>\n<td>OCI SDKs and CLI GitHub \u2014 https:\/\/github.com\/oracle\/oci-cli<\/td>\n<td>Trusted source for automation tooling; helpful for scripting provisioning and ops<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>Oracle Cloud Community \u2014 https:\/\/community.oracle.com<\/td>\n<td>Practical Q&amp;A; validate answers against official docs for correctness<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. 
Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams<\/td>\n<td>OCI fundamentals, DevOps practices, automation, cloud operations (verify course catalog)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>SCM\/DevOps foundations, process, tooling (verify OCI-specific coverage)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CloudOpsNow.in<\/td>\n<td>Cloud operations teams<\/td>\n<td>Cloud operations, monitoring, incident response patterns (verify OCI coverage)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs and reliability-focused engineers<\/td>\n<td>SRE practices, SLIs\/SLOs, operations and troubleshooting (verify OCI modules)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams adopting automation<\/td>\n<td>AIOps concepts, automation, operational analytics (verify OCI relevance)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify current topics)<\/td>\n<td>Beginners to intermediate<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training programs (verify OCI coverage)<\/td>\n<td>DevOps engineers, students<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps services\/training platform (verify offerings)<\/td>\n<td>Teams seeking practical guidance<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and enablement (verify services)<\/td>\n<td>Ops\/DevOps teams needing hands-on help<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company Name<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify service list)<\/td>\n<td>Cloud adoption, architecture, operations<\/td>\n<td>Landing zone setup, IaC pipelines, ops best practices<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>Training + consulting (verify offerings)<\/td>\n<td>DevOps transformation, platform enablement<\/td>\n<td>CI\/CD standardization, cloud ops processes, reliability practices<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>DevOps implementation, automation, support<\/td>\n<td>Infrastructure automation, monitoring setup, operational runbooks<\/td>\n<td>https:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Network Command Center Services<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>OCI IAM basics<\/strong>\n   &#8211; Compartments, groups, policies<br\/>\n   &#8211; Official IAM concepts: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/Concepts\/overview.htm<\/li>\n<li><strong>OCI Networking fundamentals<\/strong>\n   &#8211; VCN, subnets, route tables<br\/>\n   &#8211; Security lists vs NSGs<br\/>\n   &#8211; Gateways (IGW, NAT, Service Gateway)<br\/>\n   &#8211; DRG basics for hybrid connectivity  <\/li>\n<li><strong>Linux networking basics<\/strong>\n   &#8211; SSH, firewalls (iptables\/firewalld), listening ports, routing tables<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VCN Flow Logs<\/strong> and centralized logging patterns (for evidence-based troubleshooting)<\/li>\n<li><strong>Automation<\/strong> using Terraform and OCI CLI for repeatable networking deployments<\/li>\n<li><strong>Observability<\/strong>: Monitoring, alarms, incident response workflows<\/li>\n<li><strong>Security posture management<\/strong>: least privilege IAM, vault usage, segmentation patterns<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Network Engineer (OCI)<\/li>\n<li>Cloud Solutions Architect<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>DevOps \/ Platform Engineer<\/li>\n<li>Security Engineer (network segmentation validation)<\/li>\n<li>Operations \/ NOC engineer for cloud infrastructure<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Oracle certification offerings evolve. 
Common starting points often include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Oracle Cloud Infrastructure Architect Associate<\/strong><\/li>\n<li><strong>Oracle Cloud Infrastructure Architect Professional<\/strong><\/li>\n<li>Potential networking-focused tracks depending on Oracle University\u2019s current catalog<\/li>\n<\/ul>\n\n\n\n<p>Verify current OCI certifications at Oracle University:<br\/>\nhttps:\/\/education.oracle.com\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a hub-and-spoke network with DRG and validate spoke-to-spoke restrictions using path analysis.<\/li>\n<li>Create a 3-tier app and prove only LB\u2192app and app\u2192db paths are allowed.<\/li>\n<li>Implement a change-management checklist where every change requires re-running a set of critical path analyses.<\/li>\n<li>Enable VCN Flow Logs and compare \u201cpath allowed\u201d vs \u201cflow observed\u201d for troubleshooting discipline.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI (Oracle Cloud Infrastructure)<\/strong>: Oracle Cloud\u2019s IaaS platform and services.<\/li>\n<li><strong>Network Command Center Services<\/strong>: OCI networking visibility and troubleshooting suite focused on topology and reachability analysis.<\/li>\n<li><strong>VCN (Virtual Cloud Network)<\/strong>: A private, customizable network in OCI (regional).<\/li>\n<li><strong>Subnet<\/strong>: A CIDR range within a VCN, associated with route tables and security lists.<\/li>\n<li><strong>Route Table<\/strong>: Defines how traffic is forwarded (for example, to IGW\/NAT\/DRG).<\/li>\n<li><strong>Security List<\/strong>: Subnet-level stateful\/stateless firewall rules (ingress\/egress).<\/li>\n<li><strong>NSG (Network Security Group)<\/strong>: VNIC\/workload-level firewall rules (microsegmentation).<\/li>\n<li><strong>IGW (Internet Gateway)<\/strong>: Enables internet connectivity for public subnets.<\/li>\n<li><strong>NAT Gateway<\/strong>: Enables outbound internet access for private subnets without inbound exposure.<\/li>\n<li><strong>Service Gateway<\/strong>: Enables private access to certain OCI services without using the public internet (verify service coverage in your region).<\/li>\n<li><strong>DRG (Dynamic Routing Gateway)<\/strong>: Connects VCNs to on-prem networks and supports hub-and-spoke designs.<\/li>\n<li><strong>Reachability analysis<\/strong>: Determines whether traffic should be able to flow given network configuration.<\/li>\n<li><strong>VCN Flow Logs<\/strong>: Logs of network flow metadata used for traffic visibility and forensics (separate from config-based analysis).<\/li>\n<li><strong>Compartment<\/strong>: OCI resource container used for access control and organization.<\/li>\n<li><strong>IAM Policy<\/strong>: Rules that grant permissions in OCI.<\/li>\n<li><strong>MTTR<\/strong>: Mean Time To Resolution\u2014how quickly incidents are fixed.<\/li>\n<\/ul>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p><strong>Network Command Center Services (Oracle Cloud)<\/strong> provide practical tooling to <strong>visualize OCI network topology<\/strong> and perform <strong>configuration-based reachability analysis<\/strong>. They help teams quickly isolate whether a connectivity problem is caused by <strong>routing, gateways, or security controls<\/strong>, and they scale operationally as your environment grows in complexity.<\/p>\n\n\n\n<p>From a cost perspective, Network Command Center Services are often not the primary direct cost; the real cost drivers are typically <strong>compute<\/strong>, <strong>logging\/retention<\/strong>, and <strong>data transfer\/egress<\/strong>\u2014so keep labs ephemeral and monitor spend with tags and budgets. From a security perspective, the biggest risk is not the analysis tool; it\u2019s the <strong>temporary broad rule changes<\/strong> engineers sometimes make while troubleshooting\u2014use least privilege IAM, bastion patterns, and disciplined change control.<\/p>\n\n\n\n<p>Use Network Command Center Services when you need faster, more reliable network troubleshooting and clearer topology understanding across OCI networking. 
Next, deepen your skills by pairing reachability analysis with <strong>VCN Flow Logs<\/strong>, <strong>OCI Logging<\/strong>, and <strong>Terraform-based<\/strong> network automation for production-grade operations.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Networking, Edge, and Connectivity<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74,62],"tags":[],"class_list":["post-949","post","type-post","status-publish","format-standard","hentry","category-networking-edge-and-connectivity","category-oracle-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/949","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=949"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/949\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=949"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}