Skip to the content.

Home

Public Private Subnet Communication on Oracle Cloud Infrastructure (OCI)

Design

Implementation

Will just create nodes, and not worry about software installation in this use case.

Create Empty VCN

Don’t use “plus related resources”

This will create default dhcp options and default route table.

VCN created, without subnet

Create Internet Gateway and tie to route table

This is required otherwise communication can’t happen, refer this for more detail

Create security list

Here are all the security list for the vcn

public-web-in with 2 ingress rules : so the http/https traffic is allowed in

public-ssh-in with 1 ingress rule : to allow ssh communication

this is to be able to ping other hosts

this is to be able to ssh into other hosts

Create Public subnet BastionPub

This is public subnet, and would host only jump server (bastion)

Create Bastion in public subnet

Generate SSH keys to communicate with private subnet hosts

[opc@bastion01-4772 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/opc/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/opc/.ssh/id_rsa.
Your public key has been saved in /home/opc/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:NQSZzEy8kgDFtOziCuNf3/Ij0ofDH8AdVI4PR6iZnIM opc@bastion01-4772
The key's randomart image is:
+---[RSA 2048]----+
|  .=o  *o=+o     |
|   .o.  Oo+      |
|    o.o.==oo     |
|   . E+Bo.=.     |
|  . .  +S. .     |
| . .    .        |
|o .  .o ..       |
|oo  ...B.o.      |
|....  ..B+.      |
+----[SHA256]-----+
[opc@bastion01-4772 ~]$

keep a note of public key, will use this while creating other hosts

[opc@bastion01-4772 ~]$ cd .ssh
[opc@bastion01-4772 .ssh]$ ls
authorized_keys  id_rsa  id_rsa.pub
[opc@bastion01-4772 .ssh]$

Create NAT

This is required, so that hosts in private subnet can communicate outside, refer this for more details

Create Security List

Create private subnet

Create Two Compute Instances In Private subnet

Use the bastion ssh key generate above

Use the bastion ssh key generate above

[opc@bastion01-4772 .ssh]$ ssh opc@10.0.1.3
The authenticity of host '10.0.1.3 (10.0.1.3)' can't be established.
ECDSA key fingerprint is SHA256:i3UHcKzhqF4bwt2KKmhRb8u1LtVzIFHtIFRZeAuxNV0.
ECDSA key fingerprint is MD5:40:ae:a8:5b:bd:2c:7c:9f:aa:3e:72:68:48:88:20:7d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.3' (ECDSA) to the list of known hosts.
[opc@apache01 ~]$ exit
logout
Connection to 10.0.1.3 closed.
[opc@bastion01-4772 .ssh]$ ping 10.0.1.3
PING 10.0.1.3 (10.0.1.3) 56(84) bytes of data.
64 bytes from 10.0.1.3: icmp_seq=122 ttl=64 time=0.202 ms
64 bytes from 10.0.1.3: icmp_seq=123 ttl=64 time=0.163 ms
64 bytes from 10.0.1.3: icmp_seq=124 ttl=64 time=0.201 ms
64 bytes from 10.0.1.3: icmp_seq=125 ttl=64 time=0.175 ms
64 bytes from 10.0.1.3: icmp_seq=126 ttl=64 time=0.190 ms
64 bytes from 10.0.1.3: icmp_seq=127 ttl=64 time=0.184 ms
64 bytes from 10.0.1.3: icmp_seq=128 ttl=64 time=0.200 ms
64 bytes from 10.0.1.3: icmp_seq=129 ttl=64 time=0.185 ms
64 bytes from 10.0.1.3: icmp_seq=130 ttl=64 time=0.194 ms
64 bytes from 10.0.1.3: icmp_seq=131 ttl=64 time=0.187 ms
[opc@bastion01-4772 .ssh]$ ssh opc@10.0.1.4
The authenticity of host '10.0.1.4 (10.0.1.4)' can't be established.
ECDSA key fingerprint is SHA256:NL/nuH6Clk2CR34ojozuLTVrm0yX1UcD/pdWrd1PKac.
ECDSA key fingerprint is MD5:62:fc:54:ab:ac:ac:62:79:be:67:fa:72:7f:39:e5:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.4' (ECDSA) to the list of known hosts.
[opc@apache02 ~]$ exit
logout
Connection to 10.0.1.4 closed.
[opc@bastion01-4772 .ssh]$ ping 10.0.1.4
PING 10.0.1.4 (10.0.1.4) 56(84) bytes of data.
64 bytes from 10.0.1.4: icmp_seq=1 ttl=64 time=0.299 ms
64 bytes from 10.0.1.4: icmp_seq=2 ttl=64 time=0.267 ms
64 bytes from 10.0.1.4: icmp_seq=3 ttl=64 time=0.258 ms
64 bytes from 10.0.1.4: icmp_seq=4 ttl=64 time=0.275 ms

Final VCN

References