Create VLAN attachments

VLAN attachments for Partner Cross-Cloud Interconnect for Oracle Cloud Infrastructure (OCI) connections (also known as interconnectAttachment resources) connect the Google Cloud Virtual Private Cloud (VPC) network to the Oracle Cloud Infrastructure virtual cloud network (VCN) by allocating VLANs over existing connections between the two cloud providers.

You can create unencrypted VLAN attachments, which support both IPv4 only (single stack) or IPv4 and IPv6 (dual stack).

Before you can create VLAN attachments for Partner Cross-Cloud Interconnect for OCI, you must already have an OCI account.

Hourly billing for VLAN attachments starts when OCI completes its configurations, whether or not you pre-activated your attachments. OCI configures your attachments when they are in the PENDING_CUSTOMER or ACTIVE state. Billing stops when you or OCI deletes the attachments (when they are in the DEFUNCT state). You are not billed for data transfer between the two clouds.

For definitions of terms used on this page, see Cloud Interconnect key terms.

To help you solve common issues that you might encounter when using Partner Cross-Cloud Interconnect for OCI, see Troubleshooting.

To configure the Google Cloud resources needed for Partner Cross-Cloud Interconnect for OCI, complete the following tasks:

  • Create two VLAN attachments, one for each of your Partner Cross-Cloud Interconnect for OCI connections.
  • Configure Border Gateway Protocol (BGP) sessions, one for each VLAN attachment.

Before you begin

This section lists required permissions, resources, and setup steps.

Required roles

Before proceeding, you need the required permissions. Ask your administrator to make sure that you have the Compute Network Admin (roles/compute.networkAdmin) IAM role on the project. For more information about granting roles, see Manage access.

Required resources

Make sure that you have the following resources.

VPC network

If you don't already have a Virtual Private Cloud (VPC) network, create one. For more information, see Create and manage VPC networks.

Cloud Router

To configure Partner Cross-Cloud Interconnect for OCI, you need a Cloud Router. If you're working in the Google Cloud console, you can create your Cloud Router at the same time that you create your VLAN attachments.

If you want to create a Cloud Router in advance, see Create a Cloud Router to connect a VPC network to a peer network. Give the Cloud Router an ASN of 16550 or any private ASN in the 64512-65533 (inclusive) range except ASN 65534. For more information about the ASNs that OCI reserves for itself, see the OCI documentation.

Place the Cloud Router in a region that's supported for your Google Cloud location.

Project selection

If you're using the Google Cloud CLI, set your project ID by using the gcloud config set command.

gcloud config set project PROJECT_ID

The gcloud CLI instructions on this page assume that you have set your project ID.

Utilize multiple VLAN attachments

VLAN attachments support traffic speeds up to 50 Gbps or 6.25 M packets per second (pps). Throughput depends on which limit you reach first. For example, if your traffic uses very small packets, you may reach the 6.25 M pps limit before the 50 Gbps limit.

To achieve higher throughput into a VPC network, you must configure multiple VLAN attachments into the VPC network. For each Border Gateway Protocol (BGP) session, you must use the same MED values to let the traffic use equal-cost multipath (ECMP) routing over all the configured VLAN attachments.

Create unencrypted VLAN attachments

Console

  1. In the Google Cloud console, go to the Interconnect page.

    Go to Interconnect

  2. On the VLAN attachments tab, click Create VLAN attachments.

  3. Select Partner Interconnect connection.

  4. In the Encrypt interconnect section, select Set up unencrypted Interconnect, and then click Continue.

  5. Select I already have a service provider.

  6. Select Create a redundant pair of VLAN attachments. Redundancy provides higher availability than a single connection. Both attachments serve traffic, and the traffic is load balanced between them. If one attachment goes down, such as during a scheduled maintenance, the other attachment continues to serve traffic. For more information, see Redundancy and SLA.

    If you're creating an attachment for testing purposes or don't require high availability, select Create a single VLAN to create only one VLAN attachment.

  7. For the Network and Region fields, select the VPC network and Google Cloud region where your attachments are to connect.

  8. Specify the details of your VLAN attachments:

    • Cloud Router: a Cloud Router to associate with this attachment. You can only choose a Cloud Router in the VPC network and region that you selected with an ASN of 16550. If you don't have an existing Cloud Router, create one with an ASN of 16550. Each VLAN attachment can be associated with a single Cloud Router. Google automatically adds an interface and a BGP peer on the Cloud Router.

    • VLAN attachment name: a name for the attachment. This name is displayed in the Google Cloud console and is used by the Google Cloud CLI to reference the attachment—for example, my-attachment.

    • IP stack type: the IP stack type. Either IPv4 (single-stack), or IPv4 and IPv6 (dual-stack).

    • Maximum transmission unit (MTU): the MTU for the attachment. To use the 1460-, 1500-, or 8896-byte maximum transmission unit (MTU), the VPC network that uses the attachment must have an MTU set to the same value. In addition, the OCI VM must set the same MTU.

  9. To create the attachments, click Create. This action takes a few minutes to complete.

  10. After creation is complete, copy the pairing keys. You share these keys with OCI when you create your FastConnect virtual circuit with OCI.

    You can pre-activate the attachment by selecting Enable. Activating attachments lets you confirm that you're connecting to the expected service provider. Pre-activating attachments lets you skip the activation step and lets the attachments start passing traffic immediately after your virtual circuit is created.

  11. To view a list of your VLAN attachments, click OK.

You can optionally update your BGP sessions to use MD5 authentication.

Optional: You can update your BGP session to use custom learned routes. When you use this feature, the Cloud Router behaves as if it learned these routes from the BGP peer. For more information, see Update an existing session to use custom learned routes.

gcloud

Before you create a VLAN attachment, you must have an existing Cloud Router in the network and region that you want to reach from your on-premises network. If you don't have an existing Cloud Router, create one. The Cloud Router must have a BGP ASN of 16550.

  1. Create a VLAN attachment of type PARTNER, specifying the names of your Cloud Router and the edge availability domain (metro availability zone) of the VLAN attachment. Google automatically adds an interface and a BGP peer on the Cloud Router. The attachment generates a pairing key that you need to share with OCI.

    You can specify the MTU of your attachment. Valid values are 1440 (default), 1460, 1500, and 8896. To specify an MTU of 1460, 1500, or 8896 use the--mtu parameter—for example, --mtu 1500. To make use of the 1460-, 1500-, or 8896-byte MTU, the VPC network that uses the attachment must set the same MTU. In addition, the OCI VM must set the same MTU.

    You can specify the stack type of your VLAN attachment. The default stack type is IPv4.

    The following example creates a VLAN attachment in edge availability domain availability-domain-1:

    gcloud compute interconnects attachments partner create ATTACHMENT_NAME \
        --region=REGION \
        --router=ROUTER_NAME \
        --stack-type=STACK_TYPE \
        --edge-availability-domain availability-domain-1
    

    Replace the following:

    • ATTACHMENT_NAME: a name for your VLAN attachment.
    • REGION: the region of your VLAN attachment.
    • ROUTER_NAME: the name of your Cloud Router.
    • STACK_TYPE: the stack type for your VLAN attachment. The stack type can be one of the following:
      • IPV4_ONLY: selects IPv4 only (single stack).
      • IPV4_IPV6: selects IPv4 and IPv6 (dual stack).
    gcloud compute interconnects attachments partner create ATTACHMENT_NAME \
        --region=REGION \
        --router=ROUTER_NAME \
        --stack-type=STACK_TYPE \
        --edge-availability-domain availability-domain-1 \
        --admin-enabled
    
    • ATTACHMENT_NAME: a name for your VLAN attachment.
    • REGION: the region of your VLAN attachment.
    • ROUTER_NAME: the name of your Cloud Router.
    • STACK_TYPE: the stack type for your VLAN attachment. The stack type can be one of the following:
      • IPV4_ONLY: selects IPv4 only (single stack).
      • IPV4_IPV6: selects IPv4 and IPv6 (dual stack).
  2. Describe the attachment to retrieve its pairing key; you need to share this key with OCI when you create the virtual circuit with OCI:

    gcloud compute interconnects attachments describe ATTACHMENT_NAME \
        --region=REGION
    

    The output is similar to the following for IPv4 VLAN attachments:

    adminEnabled: false
    edgeAvailabilityDomain: AVAILABILITY_DOMAIN_1
    creationTimestamp: '2017-12-01T08:29:09.886-08:00'
    id: '7976913826166357434'
    kind: compute#interconnectAttachment
    labelFingerprint: 42WmSpB8rSM=
    name: ATTACHMENT_NAME
    pairingKey: 7e51371e-72a3-40b5-b844-2e3efefaee59/REGION/1
    region: https://www.googleapis.com/compute/v1/projects/customer-project/regions/REGION
    router: https://www.googleapis.com/compute/v1/projects/customer-project/regions/REGION/routers/ROUTER_NAME
    selfLink: https://www.googleapis.com/compute/v1/projects/customer-project/regions/REGION/interconnectAttachments/ATTACHMENT_NAME
    stackType: IPV4_ONLY
    state: PENDING_PARTNER
    type: PARTNER
    

    The output is similar to the following for IPv4 and IPv6 (dual stack) VLAN attachments:

    bandwidth: BPS_1G
    cloudRouterIpAddress: 169.254.67.201/29
    cloudRouterIpv6Address: 2600:2d00:0:1::1/125
    creationTimestamp: '2017-12-01T08:31:11.580-08:00'
    customerRouterIpAddress: 169.254.67.202/29
    customerRouterIpv6Address: 2600:2d00:0:1::2/125
    description: Interconnect for Customer 1
    id: '7193021941765913888'
    interconnect: https://www.googleapis.com/compute/alpha/projects/partner-project/global/interconnects/lga-2
    kind: compute#interconnectAttachment
    labelFingerprint: 42WmSpB8rSM=
    name: partner-attachment
    partnerMetadata:
      interconnectName: New York (2)
      partnerName: Partner Inc
      portalUrl: https://partner-portal.com
    region: https://www.googleapis.com/compute/alpha/projects/partner-project/regions/REGION
    selfLink: https://www.googleapis.com/compute/alpha/projects/partner-project/regions/REGION/interconnectAttachments/ATTACHMENT_NAME
    stackType: IPV4_IPV6
    state: ACTIVE
    type: PARTNER
    vlanTag8021q: 1000
    

    The pairingKey field contains the pairing key that you need to share with OCI. Treat the pairing key as sensitive information until your VLAN attachment is configured.

    The state of the VLAN attachment is PENDING_PARTNER until you request a connection with OCI and it completes your VLAN attachment configuration. After the configuration is complete, the state of the attachment changes to ACTIVE or PENDING_CUSTOMER.

  3. Optional: You can update your BGP session to use custom learned routes. When you use this feature, the Cloud Router behaves as if it learned these routes from the BGP peer. For more information, see Update an existing session to use custom learned routes.

  4. Optional: You can update your BGP sessions to use MD5 authentication.

If you're building redundancy with a duplicate VLAN attachment, repeat these steps for the second attachment. Use the same Cloud Router, but specify a different edge availability domain. Also, when you request connections from OCI, you must select the same metropolitan area (city) for both attachments for them to be redundant. For more information, see Redundancy and SLA.

Configure BGP sessions

Partner Cross-Cloud Interconnect for OCI uses BGP to exchange routes between your VPC network and your OCI network. To that end, configure a BGP session for each of your VLAN attachments. The sessions aren't active until you configure your OCI resources, but you can configure the Google Cloud side of the sessions now.

Console

  1. Configure the first session.
  2. Do one of the following:

    1. If the Configure Cloud Routers form is displayed, locate the name of your primary VLAN attachment and click Configure.
    2. If the Configure Cloud Routers form isn't open:

    3. Go to the Interconnect page.

    4. On the VLAN attachments tab, click the name of the attachment.

    5. In the Connection area of the form, click Configure BGP session.

    6. Fill out the Create BGP session form:

    7. Enter a Name for the session.

    8. In the Peer ASN field, enter a value to represent the OCI side of the peering. Use 31898.

    9. Optional: Enter a value for Advertised route priority. For information about this field, see Advertised prefixes and priorities.

    10. Optional: Set MD5 Authentication to Enabled, and enter your secret MD5 authentication key. Later, when you configure peering in OCI, you must use the same key on the OCI side of peering. OCI supports only alphanumeric characters for the key. For more information about Google Cloud support for MD5 authentication, see Use MD5 authentication.

    11. Click Save and continue.

  3. Configure the second session.

  4. Do one of the following:

    • If you are in the Configure Cloud Routers form, locate the name of your redundant VLAN attachment and click Configure.
    • If the Configure Cloud Routers form isn't open:
    1. Go to the Interconnect page.
    2. On the VLAN attachments tab, click the name of the attachment.
    3. In the Connection area of the form, click Configure BGP session.

    4. Fill out the Create BGP session form:

    5. Enter a Name for the session.

    6. In the Peer ASN field, enter a value to represent the OCI side of the peering. Use 31898.

    7. Optional: Enter a value for Advertised route priority. For information about this field, see Advertised prefixes and priorities.

    8. Optional: Set MD5 Authentication to Enabled, and enter your secret MD5 authentication key. Later, when you configure peering in OCI, you must use the same key on the OCI side of peering. OCI supports only alphanumeric characters for the key. For more information about Google Cloud support for MD5 authentication, see Use MD5 authentication.

    9. Click Save and continue.

  5. Click Save configuration.

  6. Click Finish setup.

gcloud

To create the required BGP sessions, you must create two interfaces on the Cloud Router used by your VLAN attachments. (Alternatively, if each of your attachments uses a different Cloud Router, configure an interface on each Cloud Router.) After you create your interfaces, create a peering session for each interface.

To complete this setup, use the gcloud compute routers add-interface command and the gcloud compute routers add-bgp-peer command.

Complete the following steps:

  1. Create the primary interface:

    gcloud compute routers add-interface ROUTER_NAME \
       --interface-name=INTERFACE \
       --interconnect-attachment=ATTACHMENT \
       --region=REGION
    

    Replace the following values:

    • ROUTER_NAME: the name of the Cloud Router used by your primary VLAN attachment
    • INTERFACE: the name of the new interface
    • ATTACHMENT: the name of your primary VLAN attachment
    • REGION: the region where the Cloud Router is located
  2. Create the redundant interface:

    gcloud compute routers add-interface ROUTER_NAME_2 \
        --interface-name=INTERFACE_2 \
        --interconnect-attachment=ATTACHMENT_2 \
        --region=REGION
    

    Replace the following:

    • ROUTER_NAME_2: the name of the Cloud Router used by your redundant VLAN attachment
    • INTERFACE_2: the name of the redundant interface
    • ATTACHMENT_2: the name of your redundant VLAN attachment
    • REGION: the region where the Cloud Router is located
  3. Create a BGP session for the primary VLAN attachment:

    gcloud compute routers add-bgp-peer ROUTER_NAME \
       --interface=INTERFACE \
       --peer-asn=--peer-asn=31898 \
       --peer-name=PEER_NAME \
       --region=REGION \
       --md5-authentication-key=YOUR_KEY
    

    Replace the following:

    • ROUTER_NAME: the name of the Cloud Router used by your primary VLAN attachment
    • INTERFACE: the name of the primary interface
    • PEER_NAME: the name of the peer
    • REGION: the region where the Cloud Router is located
    • YOUR_KEY: the secret key to use for MD5 authentication; later, when you configure peering in OCI, you must use the same key (OCI supports only alphanumeric characters for the key)
  4. Create a BGP session for the redundant VLAN attachment:

    gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
       --interface=INTERFACE_2 \
       --peer-asn=--peer-asn=31898 \
       --peer-name=PEER_NAME_2 \
       --region=REGION \
       --md5-authentication-key=YOUR_KEY_2
    

    Replace the following:

    • ROUTER_NAME_2: the name of the Cloud Router used by your primary VLAN attachment
    • INTERFACE_2: the name of the primary interface
    • PEER_NAME_2:the name of the peer
    • REGION: the region where the Cloud Router is located
    • YOUR_KEY_2: the secret key to use for MD5 authentication; later, when you configure peering in OCI, you must use the same key (OCI supports only alphanumeric characters for the key)

Get details about your VLAN attachments

After you create your VLAN attachments, retrieve the details that you need to configure your OCI resources.

Console

  1. In the Google Cloud console, go to the Interconnect page.
  2. Go to Interconnect

  3. On the VLAN attachments tab, click the name of your primary VLAN attachment.
  4. Make a note of the Cloud Router BGP IP and BGP Peer IP values. You need these values when you configure your OCI resources.
  5. Repeat the preceding steps for your redundant attachment.

gcloud

Use the gcloud compute interconnects attachments describe command. Run the following command twice—once for each attachment:

gcloud compute interconnects attachments describe NAME --region REGION
     

Replace the following:

  • NAME: the name of the VLAN attachment
  • REGION: the region where the VLAN attachment is located

The command returns output that includes cloudRouterIpAddress and customerRouterIpAddress. Make a note of these values. You need them when you configure your OCI resources.

Restrict Partner Cross-Cloud Interconnect for Oracle Cloud Infrastructure (OCI) usage

By default, any VPC network can use Cloud Interconnect. To control which VPC networks can use Cloud Interconnect, you can set an organization policy. For more information, see Restrict Cloud Interconnect usage.

For information about how to configure Oracle Cloud Infrastructure resources, see Configure OCI resources in the OCI documentation.

What's next