In the last post, we understood what’s a Virtual Cloud Network(VCN). In this post, we shall understand how VCN works with gateways within OCI. These are,
- Internet Gateway
- NAT Gateway
- Dynamic Routing Gateway
- Service Gateway
But before we talk about the available gateways within OCI, let’s understand some basics about networking. When we say there is an established network, it means that there is defined communication between two or more devices. How do these devices communicate with each other? That’s done with the help of network protocols. Simply put, a network protocol is the set of rules that are understood by the communicating devices. It means that if two devices want to connect/communicate they must be on the same protocol. There are many different protocols and some of them are household names are too, for example HTTP, FTP and TCP/IP. So, when you define a network between devices, you also decide which protocol these devices will be communicating on.
So we know now that we have to send the data across different machines, which are going to be assigned IP addresses (we discussed them in the last post) . Since the communication is nothing but the data being transferred so it’s important that correct data packet must reach to its destination. That’s something which is done by a Router. A router basically contains a routing table and helps in sending the data to its correct destination. Now, there can be different networks and for sure, these networks do not need to be using same protocol suites. Now, how will the communication happen? This is also taken care by router. An important aspect of a router is that it’s a physical component.
Now, let’s talk about Gateway. Well, Gateway is also a router or we can say, it’s a special type of router. It does inherit many properties of router i.e. it allows the translation between two different network protocols, helps in doing a collision detection, decides the shortest route for sending the data etc. Alike router, gateway also works with IP addresses and also works at Network layer of OSI model. But additionally, gateway works with all the layers above the Network layer as well and also, a gateway is like a combination of software and hardware, completely a software or a hardware. Also, a gateway allows the communication between not only between networks on different protocols but also on different architectures e.g. if you want to have a communication between the systems on LAN and WAN, it’s possible through a gateway. So a gateway is like an entrance to another network. So one of the machines in one network allows as a “gate” for the other network.
I hope this small and concise explanation did give you an idea about gateways. Why did we discuss it in the first place? Well because in the OCI we have two that we work with – Internet gateway and NAT gateway. Both of these are going to be used when you want to connect from your VCN to a network that’s on the internet.
Internet Gateway is used in the OCI to basically connect to the world, the internet. It means that the compute instance of yours will be in a Public subnet(we want this instance to be reachable from the outer world). So now, using the Internet gateway attached to your VCN, you can connect to the internet. One VCN is attached to one internet gateway. Of course, in one VCN there can be more than one subets so which subnet can communicate through the internet gateway, you control this using security rules which you create in the VCN.
NAT gateway is useful when you want to work with the outer world but in a limited fashion. For example, you want to get the security patches from the internet and apply. For this, internet communication is required. So you want to talk to the outer world but you don’t want outer world communicate back to you. So outbound connections should be allowed but inbound outer connections should be blocked. Just like an internet gateway, NAT gateway is also attached to the VCN but in the later, private subnet is used. So basically you define in the private subnet how to talk to the outer world but the you block inbound connections from the outer world(internet) . For one VCN , one NAT gateway is available but given the need, number can be increased by raising explicit request.
DRG(Dynamic Routing Gateway) is needed when you want to connect from your VCN network to another network which is not through the internet or at least not in the usual way. For example, you want to connect your VCN instance to a DNS server running in your local on-prem network. So basically DRG is alike a router but available logically for you(remember that VCN is a software-only entity). There are two ways this DRG router can be used by you to connect to your on-prem environment, IPsec VPN aka site-site VPN and FastConnect. Former uses public internet but the communication is encrypted (hence the reason name includes SEC(urity)) and later is going to be a dedicated network provided from your on-prem environment to where your compute instance resides.
Lastly, Service gateway allows a VCN to access other public OCI services which won’t be using the internet at all. Example of such gateway to be used is to have your backup being done on Object storage which is an OCI service. Any OCI public services are having their Public IP addresses and you access them through the compute instance’s private IP address. The communication travels through the OCI network fabric.
This concludes the introduction of gateways and their types available within OCI.
Hope that helped.