Oracle Cloud Infrastructure FastConnect Classic – (Private or Public Peering)

Preparation

Step 1 (Owner: Customer and Verizon): You must be a Verizon Private IP customer to complete this activation process. If not, a Private IP connection must be established to at least one of your locations. As this component is probably the one with the longest deliverable timeframe, you should not proceed with the rest of the activation process until this step is completed.

Step 2 (Owner: Verizon): You must be provided with access to Verizon Enterprise Center/Dynamic Network Manager including access to your Secure Cloud Interconnect service.
This step could be completed once the Secure Cloud Interconnect order is entered.

Step 3 (Owner: Customer and Verizon): The Verizon Account Team works with you to give you a clear understanding of Secure Cloud Interconnect NATing capabilities, as well as the possible scenarios where you are required to provide public IP addresses for some of the features.
Please review the Secure Cloud Interconnect NAT section for more details on this subject.

Step 4 (Owner: Customer and Verizon): If you have plans to use MSS Cloud Firewall as an addition to your Secure Cloud Interconnect service needs, check the section on MSS Cloud Firewall for information on how to provision that service.
MSS Cloud Firewall has to be ordered at the same time as the Secure Cloud Interconnect port and cannot be added to an existing Secure Cloud Interconnect service.

Step 5 (Owner: Customer): Oracle CSP services will initiate sessions towards your VPN. Verizon needs to leak the public IP addresses of the servers that Oracle needs to reach for that purpose. Please check the “Adding Server's IP Address” section for the steps to provide Verizon with those IP addresses.

Ordering and Provisioning

Step 1 (Owner: Customer):
- Sign in to the Oracle FastConnect Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
- Click the Network tab.
- In the Network drop-down list, expand FastConnect, and then click Virtual Circuits.
- Click Create Virtual Circuit.
- Select or enter the following information.
  - Name: Enter a unique name for the virtual circuit.
  - Connection Type: Select Direct Cross Connect to establish a direct connection to an Oracle data center using cross connects. If you want to establish a connection through an Oracle FastConnect partner, select a partner based on their availability at the location from which you want to connect to FastConnect Classic.
  - Circuit Type: Select Public or Private based on whether you want to advertise public or private IP addresses over the connection. For example, select Public if you want to access Oracle Cloud services through FastConnect Classic by using public IP prefixes. Select Private when you want to extend your on-premises private networks to the Oracle Cloud. A private virtual circuit enables you to connect to Oracle Cloud resources from your on-premises private (RFC1918) networks. Using a private virtual circuit eliminates the need for IPSec VPN and Network Address Translation (NAT) to extend your private routing domain.
  - Private Gateway: If you select Private, you must select the private gateway that you have created. A private gateway allows you to connect from your on-premises data center to instances on IP networks using their private IP addresses.
  - Public IP Prefixes: If you select Public, specify the public IPv4 prefixes (in CIDR notation) that you want to advertise over the connection. You can also specify reverse NAT IP addresses. These IPv4 prefixes must be registered to you in an IRR or RIR.

Step 2 (Owner: Customer): When you create a virtual circuit, a FastConnect ID is created to uniquely identify the virtual circuit that you have created. Note the FastConnect ID.
You will need to provide Verizon with the FastConnect ID given to you by Oracle as well as the Secure Cloud Interconnect location.
Note: Both the VPC model and non-VPC models are supported with Oracle. See https://docs.oracle.com/en/cloud/get-started/subscriptions-cloud/ofcug/contact-your-fastconnect-partner-service-provider.html#GUID-459718EE-2641-4240-89E4-FC3FA181F4FE

Step 3 (Owner: Customer and Verizon): The Verizon Account Team, in consultation with you, identifies the appropriate time for activating the Secure Cloud Interconnect connection.

Step 4 (Owner: Verizon): At the appropriate time, the Verizon Account Team places the Secure Cloud Interconnect order using your provided FastConnect ID based on your network requirements:
- FastConnect OCI Classic - Public Peering
- FastConnect OCI Classic - Cust Provided NAT
- FastConnect OCI Classic - Private Peering

Step 5 (Owner: Verizon): The Verizon Account Team can verify on EZStatus whether the Secure Cloud Interconnect provisioning on the Verizon side is completed, which is the prerequisite for Secure Cloud Interconnect activation.

Step 6 (Owner: Customer and Verizon): Once the order is completed, the Verizon Account Team emails you the parameters of the Secure Cloud Interconnect port. Update the virtual circuit with the information that you receive from Verizon. See Updating a Virtual Circuit.

Step 7 (Owner: Customer and Verizon): By default, the Private IP VPN entered with the Secure Cloud Interconnect order is connected to the Secure Cloud Interconnect port. If you want to add additional VPNs, you can use the Dynamic Network Manager to add one or more of your Private IP VPNs to the Secure Cloud Interconnect port (using the Add/Remove VPN menu).
PLEASE NOTE: When you add or remove Private IP VPNs to a Secure Cloud Interconnect port, it is important to ensure that the IP addresses of the Private IP VPNs don’t overlap and that the total number of Private IP prefixes does not exceed the MAX number specified in the VPNs. In the latter case, you must contact the Verizon Account Team and request an increase to that MAX number. If you are using non-standard Secure Cloud Interconnect designs, reach out and coordinate with your Verizon Account Team before proceeding with this step.
The connection should be in operation at this point.
Check the “Shutting Down the Secure Cloud Interconnect Port” section for the steps to shut down the port if needed.
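
An added example, not part of the original Verizon procedure: a pre-change check for the PLEASE NOTE above about overlapping Private IP VPN addresses and the MAX prefix number. The VPN names, prefixes and `max_prefixes` values are constructed sample data, and the check assumes each attached VPN's limit is compared against the combined prefix count of all VPNs on the port.

```python
import ipaddress
from itertools import combinations


def find_overlaps(vpns):
    """Return sorted (vpn_a, prefix_a, vpn_b, prefix_b) tuples for cross-VPN overlaps."""
    nets = [(name, ipaddress.ip_network(p, strict=True))
            for name, cfg in vpns.items() for p in cfg["prefixes"]]
    hits = []
    for (na, a), (nb, b) in combinations(nets, 2):
        # Only compare prefixes from different VPNs and the same IP version.
        if na != nb and a.version == b.version and a.overlaps(b):
            hits.append((na, str(a), nb, str(b)))
    return sorted(hits)


def over_limit(vpns):
    """Return VPNs whose max_prefixes is below the combined prefix count.

    Assumption: every attached VPN ends up carrying the prefixes of all attached VPNs.
    """
    total = len({ipaddress.ip_network(p)
                 for cfg in vpns.values() for p in cfg["prefixes"]})
    return sorted(name for name, cfg in vpns.items() if total > cfg["max_prefixes"])


def precheck(vpns):
    """Run both checks; 'ok' is True only when neither reports a finding."""
    overlaps, limited = find_overlaps(vpns), over_limit(vpns)
    return {"ok": not overlaps and not limited,
            "overlaps": overlaps, "over_limit": limited}


# Constructed sample: three VPNs planned for the same port.
SAMPLE_VPNS = {
    "vpn-hq":     {"max_prefixes": 5, "prefixes": ["10.10.0.0/16", "10.20.0.0/24"]},
    "vpn-branch": {"max_prefixes": 4, "prefixes": ["10.30.0.0/24", "172.16.0.0/20"]},
    "vpn-lab":    {"max_prefixes": 8, "prefixes": ["10.10.128.0/17", "192.168.50.0/24"]},
}

if __name__ == "__main__":
    result = precheck(SAMPLE_VPNS)
    for a, pa, b, pb in result["overlaps"]:
        print(f"OVERLAP  {a} {pa} <-> {b} {pb}")
    for name in result["over_limit"]:
        print(f"LIMIT    {name}: combined prefix count exceeds max_prefixes")
    print("OK to submit" if result["ok"] else "Resolve the findings before the change")
```

A prefix written with host bits set (for example `10.10.1.0/16`) raises `ValueError` because of `strict=True`, which catches typos before the change is submitted.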

Secure Cloud Interconnect NAT

Step 1 (Owner: Verizon and Customer): All traffic from you to Oracle will be source NATed by Verizon.

Step 2 (Owner: Verizon and Customer): For outbound traffic (from Verizon towards the CSP), Verizon will provide Source NATing functionality that NATs the source address of all outbound traffic. Verizon will provide the public IP addresses required for the outbound NATing.

Step 3 (Owner: Verizon): At the Secure Cloud Interconnect provisioning time, Verizon will select a single, permanent /32 address from the 188.8.131.52/22 to 184.108.40.206/22 pool (based on the Secure Cloud Interconnect location) and assign it to you.
The assigned address will be for the lifetime of the Secure Cloud Interconnect port.

Step 4 (Owner: Customer or Verizon): The assigned address can be retrieved by you (or the Verizon Account Team) from Dynamic Network Manager.

Step 5 (Owner: Customer): For CSP initiated sessions, the CSP mandates that public IP addresses be provided for servers that the CSP needs to access. It is your responsibility to provide those public IP addresses. Furthermore, Verizon will not support static NATing for those public addresses but will configure our Firewalls to leak those addresses to the CSP.
Please check 'Adding Server's IP Addresses' in this document for how to provide and configure those addresses.

Step 6 (Owner: Customer and Verizon): You must also be aware that with all CSP initiated sessions, the CSP traffic must be SNATed before it enters your network.
Verizon will provide that SNAT functionality but you must expect to see Verizon NAT addresses advertised on your VRF (Private IP VPN).
If you want to know the IP address used with that NATing, the Verizon Account Team can reach out to Verizon engineering to request that value (for now until the address is added to the Dynamic Network Manager portal).

Step 7 (Owner: Customer): You should verify with Oracle that the following IP addresses (based on the location of your Secure Cloud Interconnect port) are whitelisted on your Oracle account.
Cloud Partner Location | Secure Cloud Interconnect IP Ranges to add to Oracle Whitelist
Chicago, IL | X.X.X.X
Ashburn, VA | X.X.X.X

Shutting Down the Secure Cloud Interconnect Port

Step 1 (Owner: Customer or Verizon): Once the port is provisioned, you or your Verizon Account Team log into Dynamic Network Manager and select the Secure Cloud Interconnect port.
As highlighted, click on the pen following the “Modify Admin Status” field.

Step 2 (Owner: Customer or Verizon): The following screen shot shows the page that will open once the “Modify Admin Status” pen is clicked on.
The Shutdown / No Shutdown of the port can be done through the “New Admin Status” drop down menu.