Domain 2: OCI Networking Services for Migrations (5%)
Domain 2 of the OCI 2025 Migration Architect Professional exam (1Z0-1123-25) tests your knowledge of OCI networking components and how they support migration scenarios. At 5% of the exam (~3 questions), the focus is on practical understanding of VCN design, hybrid connectivity options, and security controls that enable secure data movement from on-premises to OCI.
1. Virtual Cloud Networks (VCN)
1.1 VCN Fundamentals
A VCN is a private virtual network within a single OCI region. It provides the foundational networking layer for all OCI resources. (OCI Networking Overview)
| Property | Detail |
|---|---|
| Scope | Single region |
| CIDR range | /16 to /30 (IPv4); /56 Oracle-allocated or /48+ BYOIP (IPv6) |
| Recommended CIDRs | RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 |
| Reserved IPs per subnet | 3 (network address, broadcast address, gateway address) |
| Cannot use | 169.254.0.0/16 (iSCSI/metadata), Class D (multicast), Class E (reserved) |
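Worked example (added here; not from the exam guide or Oracle documentation): a small Python pre-check that applies the VCN CIDR rules in the table above to a proposed address plan, using only the standard library ipaddress module. It also computes per-subnet usable addresses from the three reserved IPs, checks that subnets sit inside the VCN without overlapping each other, and applies the same non-overlap test that VCN peering (section 4.1) requires. The sample CIDRs are constructed and the function names are this example's own.

```python
import ipaddress

# Oracle-recommended private ranges (RFC 1918) for VCN CIDRs
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ranges a VCN CIDR must not overlap: link-local/metadata, Class D, Class E
FORBIDDEN = {
    "169.254.0.0/16 (iSCSI/metadata)": ipaddress.ip_network("169.254.0.0/16"),
    "224.0.0.0/4 (Class D multicast)": ipaddress.ip_network("224.0.0.0/4"),
    "240.0.0.0/4 (Class E reserved)": ipaddress.ip_network("240.0.0.0/4"),
}

# Addresses OCI reserves in every subnet (network, broadcast, gateway)
RESERVED_PER_SUBNET = 3


def validate_vcn_cidr(cidr: str) -> dict:
    """Check a proposed IPv4 VCN CIDR against the size and range rules above.

    Returns {"errors": [...], "warnings": [...]}: an empty "errors" list means the
    CIDR is acceptable; warnings flag allowed-but-not-recommended choices.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> ValueError
    except ValueError as exc:
        return {"errors": [f"not a valid network CIDR: {exc}"], "warnings": []}
    if net.version != 4:
        return {"errors": ["this checker covers IPv4 VCN CIDRs only"], "warnings": []}

    errors, warnings = [], []
    if not 16 <= net.prefixlen <= 30:
        errors.append(f"prefix /{net.prefixlen} outside allowed /16 to /30")
    for label, bad in FORBIDDEN.items():
        if net.overlaps(bad):
            errors.append(f"overlaps {label}")
    if not any(net.subnet_of(private) for private in RFC1918):
        warnings.append("not within RFC 1918 private space (allowed but not recommended)")
    return {"errors": errors, "warnings": warnings}


def usable_hosts(subnet_cidr: str) -> int:
    """Instance-assignable addresses in a subnet after OCI's three reserved addresses."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return max(net.num_addresses - RESERVED_PER_SUBNET, 0)


def check_subnets(vcn_cidr: str, subnet_cidrs) -> list:
    """Confirm each subnet lies inside the VCN and that no two subnets overlap."""
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    nets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    problems = [f"{n} is not within VCN {vcn}" for n in nets if not n.subnet_of(vcn)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def peering_allowed(vcn_a: str, vcn_b: str) -> bool:
    """Local and remote peering both require non-overlapping VCN CIDRs."""
    return not ipaddress.ip_network(vcn_a).overlaps(ipaddress.ip_network(vcn_b))


if __name__ == "__main__":
    # Constructed sample plan for a migration VCN
    print(validate_vcn_cidr("10.0.0.0/16"))
    print(check_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]))
    print(usable_hosts("10.0.1.0/24"), "usable addresses in 10.0.1.0/24")
    print("can peer with 10.1.0.0/16:", peering_allowed("10.0.0.0/16", "10.1.0.0/16"))
```

Running the checker before creating the VCN is cheaper than discovering an overlap later: a VCN CIDR cannot be changed to overlap a future peer, and an address plan that already collides with an on-premises range will block the DRG attachment as well.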
1.2 Subnets
Subnets are subdivisions of a VCN with their own CIDR block, route table, security list, and DHCP options.
| Type | Scope | Recommendation |
|---|---|---|
| Regional | Spans all ADs in the region | Recommended for all new deployments |
| AD-specific | Single availability domain | Legacy; use only when required |
Public vs. Private subnets:
- Public: Instances can have public IPv4 addresses. Internet-accessible via Internet Gateway.
- Private: No public IPv4 addresses. Use NAT Gateway for outbound internet, Service Gateway for Oracle services.
1.3 Gateways
| Gateway | Purpose | Key Detail |
|---|---|---|
| Internet Gateway (IGW) | Bidirectional internet access for public subnets | Requires public IP, route rule, and security rules |
| NAT Gateway | Outbound-only internet for private subnets | Blocks inbound connections; no public IP on instance needed |
| Service Gateway (SGW) | Private access to Oracle Services Network | Object Storage, Autonomous DB, etc. without internet traversal |
| Dynamic Routing Gateway (DRG) | On-premises and cross-VCN connectivity | Required for VPN, FastConnect, and VCN peering |
| Local Peering Gateway (LPG) | Same-region VCN peering | One LPG per peering relationship |
Migration relevance: Private subnets + NAT Gateway + Service Gateway is the standard pattern for migrated workloads. The Service Gateway enables private backups to Object Storage without internet exposure. The DRG is the single entry point for all on-premises traffic. (OCI Networking Overview)
2. Routing
2.1 Route Tables
Each subnet is associated with exactly one route table. Route tables contain rules that direct traffic leaving the VCN to gateways. (OCI Route Tables)
Key routing concepts:
| Concept | Behavior |
|---|---|
| VCN local routing | Implicit — traffic between subnets within a VCN is automatically routed. No explicit rules needed. |
| Longest prefix match | Most specific CIDR wins when rules overlap (e.g., /24 beats /16) |
| Static > implicit | User-defined static routes override implicit local routes for the same prefix |
| No match = blackhole | Traffic with no matching route is silently dropped |
| Intra-subnet | NOT routed — traffic within the same subnet is forwarded directly |
Route rule targets: DRG, IGW, NAT Gateway, Service Gateway, LPG, or Private IP (for network virtual appliances).
2.2 Per-Resource Routing
OCI supports a route table hierarchy for individual VNICs and IP addresses:
- IP address route table (highest priority)
- VNIC route table
- Subnet route table (default fallback)
Only one route table is consulted — the first match in the hierarchy wins. This enables multi-homed instances to route traffic differently per VNIC (e.g., on-premises via DRG on VNIC A, internet via IGW on VNIC B). (OCI Route Tables)
2.3 Gateway Ingress Routing
Route tables can be associated with gateways (IGW, DRG, LPG, NAT, SGW) to control inbound traffic routing — for example, directing all inbound traffic through a firewall appliance. Once a route table is associated with a gateway, it cannot be disassociated (only rules can be changed). (OCI Route Tables)
Limits: 300 route tables per VCN, 200 rules per route table.
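Worked example (added; not Oracle's code): a Python model of the route-selection behaviour described in 2.1 and 2.2. It applies longest-prefix match within a table, lets a static rule override the implicit VCN-local route on equal prefix length, treats same-subnet traffic as forwarded directly, returns None for a blackhole, and consults the IP-address, VNIC and subnet route tables in that order, stopping at the first table that yields a match (that is this example's reading of "first match in the hierarchy wins"). Table contents, gateway names and CIDRs are constructed.

```python
import ipaddress

VCN_LOCAL = "VCN_LOCAL"        # implicit intra-VCN route, no rule needed
INTRA_SUBNET = "INTRA_SUBNET"  # same subnet: forwarded directly, no route table consulted
BLACKHOLE = None               # no matching rule: traffic is silently dropped


def _best_match(table, dest_ip, vcn):
    """Longest-prefix match over one route table plus the implicit VCN-local route.

    A table is a list of (cidr, target) rules. On equal prefix length a static rule
    beats the implicit local route; more specific rules beat less specific ones.
    Returns (target, matched) so the caller can tell a blackhole from "not consulted".
    """
    candidates = []  # (prefix length, is_static, target)
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if dest_ip in net:
            candidates.append((net.prefixlen, 1, target))
    if dest_ip in vcn:
        candidates.append((vcn.prefixlen, 0, VCN_LOCAL))
    if not candidates:
        return BLACKHOLE, False
    return max(candidates, key=lambda c: (c[0], c[1]))[2], True


def route(vcn_cidr, dest, subnet_rt, vnic_rt=None, ip_rt=None, src_subnet=None):
    """Pick the next-hop target for a packet leaving a VNIC.

    Hierarchy: IP-address route table > VNIC route table > subnet route table.
    The first table in that order that yields a match decides; tables that are
    not associated (None) are skipped.
    """
    dest_ip = ipaddress.ip_address(dest)
    if src_subnet and dest_ip in ipaddress.ip_network(src_subnet):
        return INTRA_SUBNET
    vcn = ipaddress.ip_network(vcn_cidr)
    for table in (ip_rt, vnic_rt, subnet_rt):
        if table is None:
            continue
        target, matched = _best_match(table, dest_ip, vcn)
        if matched:
            return target
    return BLACKHOLE


# Constructed sample tables for a 10.0.0.0/16 migration VCN (not from the page)
BASE_RT = [("0.0.0.0/0", "nat-gateway"), ("172.16.0.0/12", "drg")]   # internet via NAT, on-prem via DRG
FW_RT = BASE_RT + [("10.0.0.0/16", "firewall-private-ip")]             # send intra-VCN traffic via a firewall VNIC

if __name__ == "__main__":
    for dest in ("10.0.1.7", "10.0.5.9", "172.16.5.1", "203.0.113.5"):
        print(dest, "->", route("10.0.0.0/16", dest, BASE_RT, src_subnet="10.0.1.0/24"))
    print("with firewall route:", route("10.0.0.0/16", "10.0.5.9", FW_RT, src_subnet="10.0.1.0/24"))
    print("VNIC override:", route("10.0.0.0/16", "203.0.113.5", BASE_RT,
                                  vnic_rt=[("0.0.0.0/0", "internet-gateway")]))
```

The firewall case is the one worth tracing by hand: a 10.0.0.0/16 rule pointing at a private IP has the same prefix length as the implicit local route, so the static rule wins and east-west traffic is steered through the appliance, while the 0.0.0.0/0 rule never captures intra-VCN traffic because the /16 is more specific.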
3. Security: NSGs vs. Security Lists
OCI provides two packet-level firewall mechanisms. Understanding when to use each is a common exam topic. (OCI Security Rules)
| Aspect | Security Lists | Network Security Groups (NSGs) |
|---|---|---|
| Applies to | All VNICs in a subnet | Specific VNICs you choose |
| Max per resource | 5 per subnet | 5 per VNIC |
| Rule limit | 200 ingress + 200 egress per list | 120 total per NSG |
| Source/destination | CIDR only | CIDR, NSG, or Service |
| Default | VCN auto-creates one | None |
| Description field | No | Yes |
| Per-VCN limit | 300 | 1,000 |
Recommendation: Use NSGs for application-tier security (web tier, app tier, DB tier each in separate NSGs). Use security lists for broad subnet-level defaults. When both are applied to a VNIC, the union of all rules applies — if any rule in any list/group allows traffic, it passes.
3.1 Stateful vs. Stateless Rules
- Stateful (default): Connection tracking enabled. Response traffic automatically allowed. Single rule covers request + response. Idle timeout varies by protocol (TCP established: 1 day; UDP: 3 minutes; ICMP: 15 seconds).
- Stateless: No connection tracking. Must create explicit rules for both directions. Recommended for high-volume internet-facing traffic to avoid connection table overflow.
Priority rule: If traffic matches both a stateful and stateless rule, the stateless rule takes precedence.
3.2 Exam Trap
Security rules in OCI are allow-only — there are no explicit deny rules. Without any rule, all traffic is denied by default. The 169.254.0.0/16 range (iSCSI, metadata) is exempt from security rules entirely. (OCI Security Rules)
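Worked example (added; not from the page or OCI): a Python evaluator for the security-rule semantics in section 3. It unions the rules of every security list and NSG attached to a VNIC, resolves an NSG referenced as a source through a constructed membership map, allows only what a rule explicitly permits, tracks connections admitted by stateful rules so their replies pass, lets a stateless match take precedence (no tracking, so the reply needs its own rule), and skips 169.254.0.0/16 entirely. Service-type sources and rule-level source ports are left out of the model; all addresses, rules and NSG names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# 169.254.0.0/16 (iSCSI, instance metadata) is exempt from security rules entirely
EXEMPT = ipaddress.ip_network("169.254.0.0/16")


@dataclass(frozen=True)
class Rule:
    """One allow rule. OCI has no deny rules: anything not matched is dropped."""
    direction: str              # "ingress" or "egress"
    protocol: str               # "tcp", "udp", "icmp" or "all"
    peer: str                   # CIDR, or "nsg:<name>" (NSG rules may reference another NSG)
    port: Optional[int] = None  # destination port; None = all ports
    stateless: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str              # relative to the VNIC being evaluated
    src: str
    dst: str
    protocol: str
    sport: int
    dport: int


class VnicFirewall:
    def __init__(self, security_lists, nsgs, nsg_members):
        # Union of every rule in every security list of the subnet and every NSG of the VNIC
        self.rules = [r for ruleset in (*security_lists, *nsgs) for r in ruleset]
        self.nsg_members = nsg_members   # {"web": {"10.0.1.20", ...}} (constructed lookup)
        self.tracked = set()             # 5-tuples admitted by a stateful rule

    def _peer_matches(self, rule, peer_ip):
        if rule.peer.startswith("nsg:"):
            return peer_ip in self.nsg_members.get(rule.peer[4:], set())
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)

    def check(self, p: Packet) -> str:
        if ipaddress.ip_address(p.src) in EXEMPT or ipaddress.ip_address(p.dst) in EXEMPT:
            return "allow:exempt"
        peer = p.src if p.direction == "ingress" else p.dst
        matches = [r for r in self.rules
                   if r.direction == p.direction
                   and r.protocol in ("all", p.protocol)
                   and r.port in (None, p.dport)
                   and self._peer_matches(r, peer)]
        if matches:
            if any(r.stateless for r in matches):
                # Stateless wins over stateful: allowed, but no connection is tracked,
                # so the reply needs its own explicit rule in the other direction
                return "allow:stateless"
            self.tracked.add((p.src, p.dst, p.protocol, p.sport, p.dport))
            return "allow:stateful"
        # Reply to a connection admitted by a stateful rule is allowed automatically
        if (p.dst, p.src, p.protocol, p.dport, p.sport) in self.tracked:
            return "allow:tracked"
        return "deny:default"


# Constructed sample configuration for an app-tier VNIC at 10.0.2.10 (not from the page)
SUBNET_SECURITY_LIST = [
    Rule("ingress", "tcp", "10.0.0.0/16", 22),      # SSH from anywhere in the VCN
    Rule("ingress", "tcp", "0.0.0.0/0", 443),       # HTTPS, stateful
    Rule("egress", "tcp", "10.0.3.0/24", 1521),     # Oracle DB tier only
]
APP_NSG = [
    Rule("ingress", "tcp", "nsg:web", 8080),        # only VNICs that are members of the web NSG
    Rule("ingress", "tcp", "198.51.100.0/24", 443, stateless=True),   # high-volume partner range
    Rule("egress", "tcp", "198.51.100.0/24", None, stateless=True),   # explicit reply rule for it
]
NSG_MEMBERS = {"web": {"10.0.1.20", "10.0.1.21"}}


def app_vnic_firewall() -> VnicFirewall:
    return VnicFirewall([SUBNET_SECURITY_LIST], [APP_NSG], NSG_MEMBERS)


if __name__ == "__main__":
    fw = app_vnic_firewall()
    print(fw.check(Packet("ingress", "10.0.1.20", "10.0.2.10", "tcp", 51000, 8080)))  # web tier -> app
    print(fw.check(Packet("ingress", "10.0.9.9", "10.0.2.10", "tcp", 51000, 8080)))   # not in web NSG
    print(fw.check(Packet("ingress", "198.51.100.7", "10.0.2.10", "tcp", 40000, 443)))  # stateless wins
```

The two HTTPS clients show the exam point: 198.51.100.7 matches both the stateful security-list rule and the stateless NSG rule, so its connection is not tracked and the reply passes only because of the explicit stateless egress rule; 203.0.113.9 matches only the stateful rule, so its reply is admitted from the connection table with no egress rule at all.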
4. VCN Connectivity
4.1 VCN Peering
| Type | Scope | Mechanism | Requirements |
|---|---|---|---|
| Local peering | Same region | Local Peering Gateways (LPGs) | Non-overlapping CIDRs; IAM policies; route rules; security rules |
| Remote peering | Cross-region | Remote Peering Connections (RPCs) via DRG | Non-overlapping CIDRs; DRG in each region |
No traffic traverses the public internet in either case. (OCI Networking Overview)
4.2 Transit Routing (Hub-and-Spoke)
A common migration architecture: on-premises connects to a single DRG (hub), with multiple VCNs as spokes. The hub VCN provides shared services (DNS, monitoring) and the DRG enables access to all peered VCNs through a single connection. This also enables on-premises access to Oracle Services Network via a Service Gateway in the hub VCN. (OCI Networking Overview)
5. Site-to-Site VPN
5.1 Architecture
Each IPSec connection creates 2 redundant tunnels between a CPE (Customer Premises Equipment) device and an OCI DRG. Traffic traverses the public internet but is encrypted with IPSec in tunnel mode. (OCI IPSec Overview)
| Parameter | Value |
|---|---|
| Tunnels per connection | 2 (redundant) |
| Connections per CPE public IP | Up to 8 |
| Bandwidth per tunnel | ~250 Mbps |
| Static routes per connection | 1–10 |
| Shared secret characters | Letters, numbers, spaces only |
5.2 Routing Types (Per-Tunnel)
| Type | Description | When to Use |
|---|---|---|
| BGP dynamic | Routes learned dynamically. Requires BGP ASN + two IPs per tunnel. | Production (recommended) |
| Static | Manual routes. Default type. 1–10 routes per connection. | Simple environments, POCs |
| Policy-based | Similar to static; CPE must configure routes to VCN subnets. | Legacy CPE devices |
Each tunnel can use a different routing type. If a tunnel uses BGP, the connection's static routes are ignored for that tunnel. Oracle uses asymmetric routing across tunnels — configure firewalls accordingly. (OCI IPSec Overview)
5.3 Tunnel Preference (BGP)
Control which tunnel carries traffic using three mechanisms (all three needed for symmetric routing):
- BGP Local Preference on CPE — controls on-prem-to-OCI direction
- More specific routes — longest prefix match wins
- AS Path Prepending — BGP prefers shortest AS path; prepend on non-preferred tunnel
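Worked example (added; not from the page): a simplified BGP best-path selector in Python covering just the three mechanisms listed above: longest prefix first, then highest local preference, then shortest AS path. CPE_RIB models what the CPE learns from Oracle (on-prem-to-OCI direction, steered by local preference set on the CPE); ORACLE_RIB models what Oracle learns from the CPE (OCI-to-on-prem direction, steered by prepending on the non-preferred tunnel and by a more specific prefix). Oracle's ASN 31898 is the value the page gives in section 8; the CPE ASN 65000, tunnel names and prefixes are constructed, and real BGP applies further tiebreakers this model omits.

```python
import ipaddress
from dataclasses import dataclass

ORACLE_ASN = 31898   # Oracle's BGP ASN (as stated in the BYOIP section)
CPE_ASN = 65000      # constructed private ASN for the on-premises CPE


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    tunnel: str            # IPSec tunnel the route was learned over
    local_pref: int = 100  # set locally by the receiving router (the CPE-side knob)
    as_path: tuple = ()    # as received; prepending makes it longer


def best_route(rib, dest):
    """Simplified BGP decision: longest prefix, then highest LOCAL_PREF, then shortest AS_PATH."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in rib if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                          r.local_pref, -len(r.as_path)))


def chosen_tunnel(rib, dest):
    best = best_route(rib, dest)
    return best.tunnel if best else None


def is_symmetric(cpe_rib, oracle_rib, oci_dest, onprem_dest):
    """True when both directions of a flow between the two hosts use the same tunnel."""
    return chosen_tunnel(cpe_rib, oci_dest) == chosen_tunnel(oracle_rib, onprem_dest)


# Constructed routing tables (not from the page); tunnel-1 is meant to be primary.
# On-prem -> OCI: the CPE learns the VCN CIDR over both tunnels and prefers tunnel-1 via LOCAL_PREF.
CPE_RIB = [
    BgpRoute("10.0.0.0/16", "tunnel-1", local_pref=200, as_path=(ORACLE_ASN,)),
    BgpRoute("10.0.0.0/16", "tunnel-2", local_pref=100, as_path=(ORACLE_ASN,)),
]
# OCI -> on-prem: Oracle learns the on-prem range over both tunnels; the CPE prepends on tunnel-2.
# A more specific /24 advertised only on tunnel-2 pulls that subnet's traffic there regardless.
ORACLE_RIB = [
    BgpRoute("192.168.0.0/16", "tunnel-1", as_path=(CPE_ASN,)),
    BgpRoute("192.168.0.0/16", "tunnel-2", as_path=(CPE_ASN, CPE_ASN, CPE_ASN)),
    BgpRoute("192.168.10.0/24", "tunnel-2", as_path=(CPE_ASN,)),
]

if __name__ == "__main__":
    print("on-prem -> 10.0.5.1 via", chosen_tunnel(CPE_RIB, "10.0.5.1"))
    print("OCI -> 192.168.20.4 via", chosen_tunnel(ORACLE_RIB, "192.168.20.4"))
    print("OCI -> 192.168.10.5 via", chosen_tunnel(ORACLE_RIB, "192.168.10.5"))
    print("symmetric for 192.168.10.5?", is_symmetric(CPE_RIB, ORACLE_RIB, "10.0.5.1", "192.168.10.5"))
```

The last line is the firewall-relevant case: a stray more-specific advertisement on the secondary tunnel makes the return path asymmetric for that one subnet, which is exactly the situation a stateful firewall on the CPE side will drop unless it permits both tunnels.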
5.4 CPE Behind NAT
When the CPE is behind a NAT device, the default IKE identifier (public IP) will not match. Modify the "remote IKE ID" in the OCI Console to the CPE's private IP or FQDN (e.g., cpe.example.com). (OCI IPSec Overview)
6. FastConnect
FastConnect provides a dedicated private connection between on-premises and OCI that does not traverse the public internet. (OCI FastConnect Overview)
6.1 Connectivity Models
| Model | Port Speeds | Cross-Connect | LOA Required |
|---|---|---|---|
| Oracle Partner | 1, 10, 100 Gbps | Partner provides | No |
| Third-Party Provider | 1, 10, 100, 400 Gbps | Customer provides | Yes |
| Colocation | 1, 10, 100, 400 Gbps | Customer creates at FastConnect location | Yes |
All three models require BGP, and Layer 3 support is recommended.
6.2 Virtual Circuits
| Type | Purpose | DRG Required | Use Case |
|---|---|---|---|
| Private | Extend on-premises into VCN via private IPs | Yes | Hybrid cloud, lift-and-shift migration |
| Public | Access Oracle public services without internet routing | No | Object Storage, OCI APIs, public load balancers |
Public peering note: Treat public virtual circuits as untrusted interfaces (like internet-facing). Apply firewall rules accordingly. Public prefix verification takes up to 3 business days. (OCI FastConnect Overview)
6.3 Redundancy and BFD
- All metro area locations connect to the same availability domains for failure isolation.
- Bidirectional Forwarding Detection (BFD) enables faster failover than BGP timers alone — it verifies connectivity without exchanging route information and avoids false positives from short BGP timers.
- Oracle recommends redundant connections for all models.
6.4 FastConnect vs. VPN for Migration
| Factor | Site-to-Site VPN | FastConnect |
|---|---|---|
| Bandwidth | ~250 Mbps/tunnel | 1–400 Gbps |
| Latency | Variable (internet) | Low, predictable |
| Encryption | Built-in IPSec | Not encrypted by default |
| Setup time | Minutes to hours | Days to weeks |
| Cost model | No port fees; data transfer charges | Per-hour port fee; no egress charges |
| Best for | POCs, backup connectivity | Production, high-throughput migration |
Best practice: FastConnect as primary, VPN as backup. For encryption requirements on FastConnect, layer Site-to-Site VPN over FastConnect (IPSec over dedicated circuit). (OCI FastConnect Overview)
7. Load Balancers for Migration
OCI load balancers distribute incoming traffic across backend servers, enabling zero-downtime migration cutover patterns. (OCI Load Balancer Overview)
| Limit | Value |
|---|---|
| Backend sets per LB | 16 |
| Backend servers per set | 512 |
| Total servers per LB | 512 |
| Listeners per LB | 16 |
| Virtual hostnames per LB | 16 |
Public vs. private: Public LBs are internet-facing (migration cutover point). Private LBs are VCN-internal (inter-tier communication).
Migration pattern: Deploy a public load balancer, add both on-premises (via VPN/FastConnect) and OCI backends, use health checks to drain traffic from on-premises servers as OCI instances are validated, then remove on-premises backends.
IPv6 limitation: IPv6 load balancers do NOT support IPv6 backend servers. IPv6 is front-end only. Regional subnets are required for IPv6.
Cannot convert AD-specific load balancers to regional (or vice versa) after creation.
8. Bring Your Own IP (BYOIP)
BYOIP allows importing existing public IP ranges into OCI — critical for migrations where IP addresses are hardcoded in applications or where IP reputation must be maintained. (OCI BYOIP)
| Parameter | IPv4 | IPv6 |
|---|---|---|
| Minimum CIDR | /24 | /48 |
| Maximum CIDR | /8 | No documented max |
| Allocation method | IP pools, then reserved IPs | Direct to VCNs/subnets |
| Per-VCN limit | N/A | 5 prefixes total, 3 per subnet |
| Max imports per account | 20 (IPv4 + IPv6 combined) | 20 (combined) |
Supported RIRs: ARIN, RIPE NCC, APNIC. Requires Route Origin Authorization (ROA) authorizing Oracle BGP ASN 31898 with at least 6-month expiry. Validation takes up to 10 business days. Not available with Free Tier.
Exam trap: Withdrawing a BYOIP advertisement does NOT delete the prefix. Geolocation and RADB entries persist until you explicitly delete the BYOIP resource.
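Worked example (added; not an Oracle tool): a Python pre-flight check for a BYOIP request against the requirements above: the /24 and /48 minimums, the /8 IPv4 maximum, a ROA that names Oracle AS31898 and stays valid at least six months out, the 20-import account limit, and the earliest date validation could complete if it takes the full 10 business days (weekends only; no holiday calendar). Dates are passed as ISO strings; the sample prefixes and the ROA ASN 64496 are constructed.

```python
import calendar
import ipaddress
from datetime import date, timedelta

ORACLE_ASN = 31898              # ROA must authorize this origin ASN
MIN_PREFIX = {4: 24, 6: 48}     # smallest importable block per address family
MAX_PREFIX_V4 = 8               # largest documented IPv4 import
MAX_IMPORTS_PER_ACCOUNT = 20    # IPv4 + IPv6 combined
MIN_ROA_MONTHS = 6
VALIDATION_BUSINESS_DAYS = 10


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def byoip_preflight(cidr, roa_asn, roa_expiry_iso, today_iso, imports_so_far=0) -> list:
    """Return the problems that would block a BYOIP import; an empty list means ready to submit."""
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    if net.prefixlen > MIN_PREFIX[net.version]:
        problems.append(f"/{net.prefixlen} is smaller than the /{MIN_PREFIX[net.version]} "
                        f"minimum for IPv{net.version}")
    if net.version == 4 and net.prefixlen < MAX_PREFIX_V4:
        problems.append(f"/{net.prefixlen} is larger than the /{MAX_PREFIX_V4} maximum for IPv4")
    if roa_asn != ORACLE_ASN:
        problems.append(f"ROA authorizes AS{roa_asn}; it must authorize Oracle AS{ORACLE_ASN}")
    expiry = date.fromisoformat(roa_expiry_iso)
    needed_until = add_months(date.fromisoformat(today_iso), MIN_ROA_MONTHS)
    if expiry < needed_until:
        problems.append(f"ROA expires {expiry.isoformat()}, before {needed_until.isoformat()} "
                        f"({MIN_ROA_MONTHS}-month minimum)")
    if imports_so_far >= MAX_IMPORTS_PER_ACCOUNT:
        problems.append(f"account already has {imports_so_far} imports (limit {MAX_IMPORTS_PER_ACCOUNT})")
    return problems


def earliest_validation_date(submitted_iso: str, business_days: int = VALIDATION_BUSINESS_DAYS) -> str:
    """Worst-case completion date for validation, counting Monday-Friday only (no holidays)."""
    d = date.fromisoformat(submitted_iso)
    remaining = business_days
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d.isoformat()


if __name__ == "__main__":
    # Constructed request: documentation prefix, correct ASN, ROA valid through year end
    print(byoip_preflight("203.0.113.0/24", ORACLE_ASN, "2025-12-31", "2025-01-15"))
    print(byoip_preflight("2001:db8::/56", ORACLE_ASN, "2025-06-01", "2025-01-15"))
    print("plan cutover no earlier than", earliest_validation_date("2025-01-13"))
```

Feed the validation date into the migration plan before the cutover is scheduled: if the prefix is hard-coded in applications, nothing that depends on it can move until Oracle has finished validating and the advertisement is up.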
9. DNS Considerations
9.1 VCN DNS Structure
Instance FQDN: <hostname>.<subnet-label>.<VCN-label>.oraclevcn.com
Example: db01.privatesub.migrationvcn.oraclevcn.com
DNS labels are limited to 15 alphanumeric characters and are immutable after creation. (OCI DNS)
9.2 Hybrid DNS Resolution
The default "Internet and VCN Resolver" does not resolve on-premises hostnames. For hybrid environments during migration:
- Custom Resolver: Point to up to 3 DNS servers (can be on-premises via VPN/FastConnect).
- Private DNS Resolver: OCI-native resolver with forwarding rules for on-premises zones.
DHCP option changes require an instance DHCP client restart or reboot — otherwise changes are not applied until lease renewal (up to 24 hours). (OCI DNS)
10. Network Path Analyzer
Network Path Analyzer (NPA) is a diagnostic tool that validates connectivity by analyzing routing and security configurations without sending actual traffic. It uses the Batfish open-source analysis library. (OCI Path Analyzer)
Supported scenarios: OCI-to-OCI, OCI-to-on-premises, on-premises-to-OCI, internet-to-OCI, OCI-to-internet.
Key limitations:
- Does not support IPv6
- Cannot analyze paths through network virtual appliances, load balancers, or FWaaS (split into two tests: source-to-appliance, appliance-to-destination)
- Cross-region RPC and cross-tenancy LPG produce "indeterminate" results
- Does not function in tenancies with more than 100 compartments (requires support request)
11. Exam Tips for Domain 2
Private subnet pattern: Migrated workloads belong in private subnets with NAT Gateway (outbound internet) and Service Gateway (Oracle services). Public subnets are for load balancers and bastion hosts only.
NSG vs. Security List: NSGs for per-resource (application-tier) security; Security Lists for broad subnet defaults. NSGs can reference other NSGs as source/destination — Security Lists cannot (CIDR only).
Stateless rule priority: When traffic matches both stateful and stateless rules, stateless wins. Use stateless for high-volume traffic to avoid connection table overflow.
Route table hierarchy: IP address table > VNIC table > Subnet table. Only one is consulted.
FastConnect requires BGP: All three connectivity models require BGP. BFD provides faster failover than BGP timers. Private virtual circuits require a DRG; public virtual circuits do not.
VPN asymmetric routing: Oracle uses asymmetric routing across the two IPSec tunnels. Firewalls must allow traffic on both tunnels simultaneously.
BYOIP timeline: Plan for 10+ business days for validation. ROA must authorize Oracle ASN 31898 with 6-month minimum expiry. /24 minimum for IPv4, /48 minimum for IPv6.
DNS during migration: Default VCN resolver cannot resolve on-premises names. Use Custom Resolver or Private DNS Resolver for hybrid environments. DHCP changes require instance reboot to take effect immediately.
NPA limitations: Cannot analyze through virtual appliances or load balancers. Split the path into two tests. Does not support IPv6.
Transit routing: Hub-and-spoke with a single DRG is the standard multi-VCN migration architecture. On-premises connects once to the hub; spoke VCNs are accessed via peering.