Mastering OCI Networking - Scenario 1 (Hub and Spoke with OCI Firewall)- Part B

00:00

hello all welcome back to my channel

00:03

and

00:05

in this video I'm going to just quickly

00:06

show you uh give you a video demo of my

00:10

setup that I've created for this Urban

00:12

spook topology with an ocfi wall

00:15

deployed in the hub

00:17

and if you are you are looking at the

00:19

three vcns that I've created vcna will

00:22

be the Hub mbnc are the spokes

00:27

and I've also set up a side to side VPN

00:31

with my on-prem CP which is this

00:35

if I click on that you'd see one of the

00:38

tunnels will be up just I've just

00:40

configured one for the demo purpose

00:42

and um

00:44

that on on-prem network will be in 100

00:47

range

00:49

while the vcns are

00:53

in this this range and a good way of

00:56

validating your network setup and

00:59

routing is done right is by going to the

01:02

network visualizer

01:05

and if you

01:08

so I let the

01:10

uh the map populate there you go so now

01:13

if you see

01:14

um you have an on-prem Network and three

01:19

um

01:20

recents and one of them is the Hub so if

01:24

you select this link you'd see it was

01:26

able to make a connection it has linked

01:28

towards every Network point which is

01:31

this you can see B and the on-prem

01:33

network

01:34

whereas if you select any other vcn or

01:37

even the on-prem ipsec VPN it would be

01:41

able to connect only to the hub vcn

01:44

which means that the Hub vcn is the

01:48

central Connecting Point for all these

01:51

so any traffic that's going to come off

01:53

this on-prem will be directed to the hub

01:55

vcn and the Hub Vision will be able to

01:58

send it after inspecting will be able to

02:00

send it back to the spoke vcns so this

02:03

is a good way of validating if your

02:04

routing is right

02:06

now let me quickly show you how the drg

02:09

is configured let me show you the show

02:11

you around the drg and its route tables

02:13

so the first thing is the drg route

02:16

table you will see route table number

02:18

one which is meant for on-prem Route

02:21

table number two which is meant for

02:23

spoke vcns Android number three which is

02:27

meant for the Hub vcn and the routable

02:29

number one which is meant for uh

02:33

the on-prem networks we are essentially

02:38

advertising a static route of 170 to 16

02:41

0.0 16 which is your OC C8 let's assume

02:45

that you're going to any future vcns

02:47

that are put you're going to spin up

02:48

will be of this cidr range you will have

02:51

to enter that range and then point it uh

02:54

to your vcn hub

02:56

uh which is vcna attachment

02:59

and create a route table

03:02

and Route table number two will be

03:06

any traffic that's going to come out of

03:07

these uh in Spoke vcns your oci vcns the

03:12

be it uh internet or on-prem anything

03:14

that any traffic that's going to come

03:16

out of it will be down forwarded to your

03:19

uh Hub vcn attachment

03:23

and uh that's again a static of the

03:25

nuclear create and for the Hub vcn you

03:29

create a dynamic routing that is you

03:31

create an import route distribution and

03:33

how do you do it is by if you go to the

03:36

drg and go to import route distribution

03:39

you create a new import or distribution

03:42

and add a similar policy where you

03:46

include all IP second virtual circuit

03:48

attachments you can also include your

03:50

RPC attachments for those such few use

03:52

cases um

03:54

where you want to inspect traffic coming

03:56

from your other region

03:59

with the with the firewall and you also

04:02

include the vcn attachments here

04:06

um and use this what does import route

04:08

distribution does is it automatically

04:10

downloads all those routes that it

04:11

learns and um you then create a route

04:15

table using that

04:18

uh

04:19

so when you create it

04:21

it would let you choose an import route

04:23

distribution so you will just enable

04:25

import or distribution and use of import

04:28

and then say the changes now if you

04:30

click on get all roads

04:32

all those routes would appear

04:34

automatically

04:36

so this is my on-prem route and this is

04:38

my workload server in which I've

04:41

deployed a web server behind a load

04:44

balancer

04:46

excuse me so

04:49

um so that's the drg route tables that

04:52

I've created and after creating the dr0

04:53

out tables I had to go and attach them

04:55

to the

04:57

vcns so the spoke vcns are going to have

05:00

route table number two if you click on

05:03

the vcn attachment click on edit

05:05

Advanced options you will it will give

05:08

you an option to choose the route table

05:09

so you go change the route table here

05:11

the one that you created do that for all

05:14

these attachments and also for the ipsec

05:16

attachment

05:18

click open the attachment click on edit

05:21

choose the drg route table and then we

05:24

are good

05:25

so you should be able so now so you've

05:29

created those route tables attach it to

05:30

the to associated with the attachments

05:33

and any traffic that's going to come in

05:35

hit the drg will use those respective

05:38

route tables and Route those traffic to

05:41

the destination

05:43

and now let's go to the hub Vision

05:45

routing configuration let me show you

05:47

around

05:49

what routes were required in the hub vcn

05:53

and in the hub vcn you've got private

05:55

and public subnet so you're going to

05:57

need two route tables one for private

06:01

and one for public

06:03

in the public route table you will have

06:06

a default route pointing to the internet

06:07

gateway

06:08

and the internal vcn will be pointed to

06:11

the firewall

06:13

whereas in the firewall is deployed in

06:16

the private subnet so the private

06:19

routing table will have the default

06:21

route pointing to the nand Gateway and

06:23

the on-prem and internal network will be

06:25

pointed to the dynamic routing gateways

06:30

and if you go to uh the drg transit

06:34

routing table in which will be used to

06:36

Route the traffic

06:37

to the firewall incoming traffic from

06:39

the drg to the firewall you had

06:42

a default route pointing uh to your

06:46

firewall and you also add another uh

06:49

specific route for your 100 to 160.128

06:53

which is your public subnet so

06:57

you may ask why why would I write

07:00

another route on when I already have a

07:02

default route pointing to the firewall

07:04

which is a valid question but then when

07:07

an incoming traffic hits the drg

07:09

incoming traffic from the drg hits the

07:12

transit

07:13

or the bcn attachment the vcn already

07:17

knows that Monster energy 16

07:19

0.128 uh it's it's part of an implicit

07:23

route table that is already available

07:25

with the oci so you writing a 0.0.0

07:30

route finding the firewall does not mean

07:33

that gets overwritten so it would still

07:36

be able to send the traffic bypassing

07:37

the firewall so it is it becomes

07:39

important for you to

07:41

um

07:42

write that route

07:44

[Music]

07:44

um

07:45

also pointing to the firewall so that

07:47

you kind of override the implicit

07:49

routing that oci does so this is a

07:53

common

07:54

um mistake or people miss doing this and

07:58

they say that routing is not working so

08:00

so this is an important aspect so don't

08:03

forget don't forget to get this routing

08:07

also added in your route table so after

08:09

that is done

08:12

um

08:13

then the remaining is the not transit

08:15

route table this is for the reverse

08:18

traffic from other spoke vcns to go back

08:21

to the firewall

08:22

you use this and then associate it with

08:24

the NAT gateways

08:26

so you will see that routing table

08:28

Associated here

08:30

and the drg attachment has the drg

08:33

transit routing table associated

08:35

how do I associate It Is by clicking the

08:38

clicking on edit

08:40

the vcn attachment click on edit so go

08:42

to Advanced options we have vcn route

08:46

table

08:47

second tab you'd be able to see

08:51

that you we've Associated the drg

08:54

transit routing table like like this

08:56

here

08:58

and you can also do the same

09:01

for the NAD gateways

09:04

um so if you click three and click you

09:07

can associate a different route table

09:09

that you've created so all these dot

09:11

tables are created and Associated to

09:13

make sure this uh the inspection Works

09:15

in all four directions

09:18

and let me also show you the load

09:20

balancer that I've created

09:24

the load balance uh is deployed in the

09:27

public subnet

09:29

and has the back end

09:44

100 to 16 159 being the configured as

09:48

the back end so uh if I use the public

09:52

IP address

09:59

and try to do browse that website from

10:04

my home

10:06

there you go the page opens up this is

10:09

my web server running on the Oracle

10:10

Cloud infrastructure I'm able to access

10:12

this traffic I'm in the sub web

10:15

application which is deployed inside the

10:18

loaded bands behind the the workload vcn

10:23

and I can also

10:26

um so this is the the web server

10:31

which is behind

10:34

the firewall in a spoke vcn and I'm able

10:38

to also go out to the internet using

10:41

this all of this traffic are being

10:43

inspected by the firewall

10:48

and I can also reach to an on-prem

10:52

server

10:54

which is

10:55

10.0.1.91 which is deployed which is

10:59

behind my VPN ipsec VPN so

11:03

so let's say you have a use case where

11:05

your on-prem server which is this guy

11:12

he's trying to access your application

11:14

and OCA

11:16

and I'm just trying to do a curl so that

11:19

to show you that I'm able to browse the

11:21

website and I'm able to see the same

11:23

content that I'm seeing from the

11:25

internet

11:25

with the private IP address but then

11:27

here over the private arbitrus I'm able

11:29

to access the website just fine so the

11:32

East West access is also working both

11:34

ways

11:35

so and now how do I you can also do a

11:39

trace path

11:44

you can do a trace Pro path

11:46

to see if the traffic is going through

11:48

the firewall

11:50

so I'm trying to do a trace path from

11:54

yeah see look at this so this is going

11:57

to the

12:00

I'm just going to the firewall and that

12:03

gets getting routed to the drg and then

12:05

obviously the the liver span VPN server

12:08

that I have and the other tenancy does

12:09

not have IC and pay allowed so that's

12:11

why it's not completing but then you

12:13

should be able to validate with the

12:14

trace path if the traffic is going

12:16

through the firewall that's one good way

12:18

of checking it

12:19

and the other way the most reliable way

12:22

of checking it is going through the logs

12:25

so I go to identity security firewall

12:28

policies firewalls

12:31

and then

12:34

let's go check the logs

12:46

so the log should up you and will should

12:49

tell you what are the

12:50

traffic is going through and if you want

12:52

it to be more readable you go to explore

12:56

with Log search

12:57

and

13:00

you can filter it or or

13:05

arrange it in with

13:09

this way source

13:11

destination

13:17

port

13:20

in action

13:26

so you should see all the traffic with

13:29

different between different Source

13:30

destination destination port and action

13:33

here yeah that's how you validate if

13:36

your configuration is working

13:38

thank you so much I hope it helps