VLAN attachments for Partner Cross-Cloud Interconnect for Oracle Cloud Infrastructure (OCI) connections (also known as interconnectAttachments) connect your Virtual Private Cloud (VPC) networks with your on-premises network through the Oracle Cloud Infrastructure virtual cloud network (VCN) by allocating VLANs over existing connections between the two cloud providers.
You can create unencrypted VLAN attachments, which support either IPv4 only (single stack) or IPv4 and IPv6 (dual stack).
Before you can create VLAN attachments for Partner Cross-Cloud Interconnect for OCI, you must already have an OCI account.
Hourly billing for VLAN attachments starts when OCI completes its configurations, whether or not you pre-activated your attachments. OCI configures your attachments when they are in the PENDING_CUSTOMER or ACTIVE state. Billing stops when you or OCI deletes the attachments (when they are in the DEFUNCT state). You are not billed for data transfer between the two clouds.
For definitions of terms used on this page, see Cloud Interconnect key terms.
To help you solve common issues that you might encounter when using Partner Cross-Cloud Interconnect for OCI, see Troubleshooting.
To configure the Google Cloud resources needed for Partner Cross-Cloud Interconnect for OCI, complete the following tasks:
- Create two VLAN attachments, one for each of your Partner Cross-Cloud Interconnect for OCI connections.
- Configure Border Gateway Protocol (BGP) sessions, one for each VLAN attachment.
Before you begin
This section lists required permissions, resources, and setup steps.
Required roles
Before proceeding, you need the required permissions. Ask your administrator to make sure that you have the Compute Network Admin (roles/compute.networkAdmin) IAM role on the project. For more information about granting roles, see Manage access.
Required resources
Make sure that you have the following resources.
VPC network
If you don't already have a Virtual Private Cloud (VPC) network, create one. For more information, see Create and manage VPC networks.
Cloud Router
To configure Partner Cross-Cloud Interconnect for OCI, you need a Cloud Router. If you're working in the Google Cloud console, you can create your Cloud Router at the same time that you create your VLAN attachments.
If you want to create a Cloud Router in advance, see Create a Cloud Router to connect a VPC network to a peer network.
Give the Cloud Router an ASN of 16550 or any private ASN in the 64512-65533 (inclusive) range except ASN 65534.
For more information about the ASNs that OCI reserves for itself, see the OCI documentation.
Place the Cloud Router in a region that's supported for your Google Cloud location.
Project selection
If you're using the Google Cloud CLI, set your project ID by using the gcloud config set command.
gcloud config set project PROJECT_ID
The gcloud CLI instructions on this page assume that you have set your project ID.
Check port status in Google Cloud
Before proceeding, verify that each of your Partner Cross-Cloud Interconnect for OCI ports is receiving a signal from OCI.
Console
- In the Google Cloud console, go to the Interconnect page.
- On the Physical connections tab, click the name of your Partner Cross-Cloud Interconnect for OCI connection.
- On the Interconnect details page, make sure that the Status field is set to Active.
If Google Cloud displays a page titled Cross-Cloud Interconnect order confirmation, then your connection is not ready for configuration.
Utilize multiple VLAN attachments
VLAN attachments support traffic speeds up to 50 Gbps or 6.25 M packets per second (pps). Throughput depends on which limit you reach first. For example, if your traffic uses very small packets, you may reach the 6.25 M pps limit before the 50 Gbps limit.
To achieve higher throughput into a VPC network, you must configure multiple VLAN attachments into the VPC network. For each Border Gateway Protocol (BGP) session, you must use the same MED values to let the traffic use equal-cost multipath (ECMP) routing over all the configured VLAN attachments.
Create unencrypted VLAN attachments
Console
In the Google Cloud console, go to the Interconnect page.
On the VLAN attachments tab, click Create VLAN attachments.
Select Partner Interconnect connection.
In the Encrypt interconnect section, select Set up unencrypted Interconnect, and then click Continue.
Select I already have a service provider.
Select Create a redundant pair of VLAN attachments. Redundancy provides higher availability than a single connection. Both attachments serve traffic, and the traffic is load balanced between them. If one attachment goes down, such as during a scheduled maintenance, the other attachment continues to serve traffic. For more information, see Redundancy and SLA.
If you're creating an attachment for testing purposes or don't require high availability, select Create a single VLAN to create only one VLAN attachment.
For the Network and Region fields, select the VPC network and Google Cloud region where your attachments are to connect.
Specify the details of your VLAN attachments:
- Cloud Router: a Cloud Router to associate with this attachment. You can only choose a Cloud Router in the VPC network and region that you selected with an ASN of 16550. If you don't have an existing Cloud Router, create one with an ASN of 16550. Each VLAN attachment can be associated with a single Cloud Router. Google automatically adds an interface and a BGP peer on the Cloud Router.
- VLAN attachment name: a name for the attachment. This name is displayed in the Google Cloud console and is used by the Google Cloud CLI to reference the attachment, for example, my-attachment.
- IP stack type: the IP stack type. Either IPv4 (single-stack), or IPv4 and IPv6 (dual-stack).
- Maximum transmission unit (MTU): the MTU for the attachment. To use the 1460-, 1500-, or 8896-byte maximum transmission unit (MTU), the VPC network that uses the attachment must have an MTU set to the same value. In addition, the OCI VM must set the same MTU.
To create the attachments, click Create. This action takes a few minutes to complete.
After creation is complete, copy the pairing keys. You share these keys with OCI when you create your FastConnect virtual circuit with OCI.
You can pre-activate the attachment by selecting Enable. Activating attachments lets you confirm that you're connecting to the expected service provider. Pre-activating attachments lets you skip the activation step and lets the attachments start passing traffic immediately after your virtual circuit is created.
To view a list of your VLAN attachments, click OK.
You can optionally update your BGP sessions to use MD5 authentication.
Optional: You can update your BGP session to use custom learned routes. When you use this feature, the Cloud Router behaves as if it learned these routes from the BGP peer. For more information, see Update an existing session to use custom learned routes.
gcloud
Before you create a VLAN attachment, you must have an existing Cloud Router in the network and region that you want to reach from your on-premises network. If you don't have an existing Cloud Router, create one. The Cloud Router must have a BGP ASN of 16550.
Create a VLAN attachment of type PARTNER, specifying the names of your Cloud Router and the edge availability domain (metro availability zone) of the VLAN attachment. Google automatically adds an interface and a BGP peer on the Cloud Router. The attachment generates a pairing key that you need to share with OCI.
You can specify the MTU of your attachment. Valid values are 1440 (default), 1460, 1500, and 8896. To specify an MTU of 1460, 1500, or 8896, use the --mtu parameter, for example, --mtu 1500. To make use of the 1460-, 1500-, or 8896-byte MTU, the VPC network that uses the attachment must set the same MTU. In addition, the OCI VM must set the same MTU.
You can specify the stack type of your VLAN attachment. The default stack type is IPv4.
The following example creates a VLAN attachment in edge availability domain availability-domain-1:
    gcloud compute interconnects attachments partner create ATTACHMENT_NAME \
        --region=REGION \
        --router=ROUTER_NAME \
        --stack-type=STACK_TYPE \
        --edge-availability-domain availability-domain-1
Replace the following:
- ATTACHMENT_NAME: a name for your VLAN attachment.
- REGION: the region of your VLAN attachment.
- ROUTER_NAME: the name of your Cloud Router.
- STACK_TYPE: the stack type for your VLAN attachment. The stack type can be one of the following:
  - IPV4_ONLY: selects IPv4 only (single stack).
  - IPV4_IPV6: selects IPv4 and IPv6 (dual stack).
To pre-activate the attachment when you create it, add the --admin-enabled flag:
    gcloud compute interconnects attachments partner create ATTACHMENT_NAME \
        --region=REGION \
        --router=ROUTER_NAME \
        --stack-type=STACK_TYPE \
        --edge-availability-domain availability-domain-1 \
        --admin-enabled
Replace the following:
- ATTACHMENT_NAME: a name for your VLAN attachment.
- REGION: the region of your VLAN attachment.
- ROUTER_NAME: the name of your Cloud Router.
- STACK_TYPE: the stack type for your VLAN attachment. The stack type can be one of the following:
  - IPV4_ONLY: selects IPv4 only (single stack).
  - IPV4_IPV6: selects IPv4 and IPv6 (dual stack).
Describe the attachment to retrieve its pairing key; you need to share this key with OCI when you create the virtual circuit with OCI:
    gcloud compute interconnects attachments describe ATTACHMENT_NAME \
        --region=REGION
The output is similar to the following for IPv4 VLAN attachments:
    adminEnabled: false
    edgeAvailabilityDomain: AVAILABILITY_DOMAIN_1
    creationTimestamp: '2017-12-01T08:29:09.886-08:00'
    id: '7976913826166357434'
    kind: compute#interconnectAttachment
    labelFingerprint: 42WmSpB8rSM=
    name: ATTACHMENT_NAME
    pairingKey: 7e51371e-72a3-40b5-b844-2e3efefaee59/REGION/1
    region: https://www.googleapis.com/compute/v1/projects/customer-project/regions/REGION
    router: https://www.googleapis.com/compute/v1/projects/customer-project/regions/REGION/routers/ROUTER_NAME
    selfLink: https://www.googleapis.com/compute/v1/projects/customer-project/regions/REGION/interconnectAttachments/ATTACHMENT_NAME
    stackType: IPV4_ONLY
    state: PENDING_PARTNER
    type: PARTNER
The output is similar to the following for IPv4 and IPv6 (dual stack) VLAN attachments:
    bandwidth: BPS_1G
    cloudRouterIpAddress: 169.254.67.201/29
    cloudRouterIpv6Address: 2600:2d00:0:1::1/125
    creationTimestamp: '2017-12-01T08:31:11.580-08:00'
    customerRouterIpAddress: 169.254.67.202/29
    customerRouterIpv6Address: 2600:2d00:0:1::2/125
    description: Interconnect for Customer 1
    id: '7193021941765913888'
    interconnect: https://www.googleapis.com/compute/alpha/projects/partner-project/global/interconnects/lga-2
    kind: compute#interconnectAttachment
    labelFingerprint: 42WmSpB8rSM=
    name: partner-attachment
    partnerMetadata:
      interconnectName: New York (2)
      partnerName: Partner Inc
      portalUrl: https://partner-portal.com
    region: https://www.googleapis.com/compute/alpha/projects/partner-project/regions/REGION
    selfLink: https://www.googleapis.com/compute/alpha/projects/partner-project/regions/REGION/interconnectAttachments/ATTACHMENT_NAME
    stackType: IPV4_IPV6
    state: ACTIVE
    type: PARTNER
    vlanTag8021q: 1000
The pairingKey field contains the pairing key that you need to share with OCI. Treat the pairing key as sensitive information until your VLAN attachment is configured.
The state of the VLAN attachment is PENDING_PARTNER until you request a connection with OCI and it completes your VLAN attachment configuration. After the configuration is complete, the state of the attachment changes to ACTIVE or PENDING_CUSTOMER.
Optional: You can update your BGP session to use custom learned routes. When you use this feature, the Cloud Router behaves as if it learned these routes from the BGP peer. For more information, see Update an existing session to use custom learned routes.
Optional: You can update your BGP sessions to use MD5 authentication.
If you're building redundancy with a duplicate VLAN attachment, repeat these steps for the second attachment. Use the same Cloud Router, but specify a different edge availability domain. Also, when you request connections from OCI, you must select the same metropolitan area (city) for both attachments for them to be redundant. For more information, see Redundancy and SLA.
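The checks these steps imply, as an added example that is not part of the original page: it reads describe output, keeps the pairing key out of logs, tells whether OCI has finished its configuration, and verifies that a redundant pair sits in different edge availability domains. Function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
# Samples are constructed, modelled on the describe output shown above.
PRIMARY='edgeAvailabilityDomain: AVAILABILITY_DOMAIN_1
name: attachment-1
pairingKey: 11111111-aaaa-4bbb-8ccc-222222222222/REGION/1
region: https://www.googleapis.com/compute/v1/projects/customer-project/regions/REGION
state: PENDING_PARTNER
type: PARTNER'
REDUNDANT='edgeAvailabilityDomain: AVAILABILITY_DOMAIN_2
name: attachment-2
pairingKey: 33333333-dddd-4eee-8fff-444444444444/REGION/2
region: https://www.googleapis.com/compute/v1/projects/customer-project/regions/REGION
state: PENDING_CUSTOMER
type: PARTNER'

# Print one top-level field of describe output read from stdin.
field() {
    awk -v k="$1:" 'index($0, k) == 1 { print substr($0, length(k) + 2); exit }'
}

# Mask the pairing key so the output can go to logs, tickets, or CI output.
redact_pairing_key() {
    sed 's|^\(pairingKey:\).*|\1 [REDACTED]|'
}

# Log-safe summary of one attachment (argument: its describe output).
safe_summary() {
    printf '%s\n' "$1" | redact_pairing_key |
        grep -E '^(name|edgeAvailabilityDomain|pairingKey|state):'
}

# True once OCI has completed its configuration (hourly billing has started).
oci_configured() {
    case "$(printf '%s\n' "$1" | field state)" in
        ACTIVE|PENDING_CUSTOMER) return 0 ;;
        *) return 1 ;;
    esac
}

# True if two attachments share a region (they use the same Cloud Router)
# but are in different edge availability domains.
redundant_pair_ok() {
    reg1=$(printf '%s\n' "$1" | field region)
    reg2=$(printf '%s\n' "$2" | field region)
    ead1=$(printf '%s\n' "$1" | field edgeAvailabilityDomain)
    ead2=$(printf '%s\n' "$2" | field edgeAvailabilityDomain)
    [ -n "$reg1" ] && [ "$reg1" = "$reg2" ] &&
        [ -n "$ead1" ] && [ -n "$ead2" ] && [ "$ead1" != "$ead2" ]
}

safe_summary "$PRIMARY"
redundant_pair_ok "$PRIMARY" "$REDUNDANT" && echo "redundant pair: OK"
```

In practice, pass the real describe output to these functions in a variable instead of the constructed samples.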
Configure BGP sessions
Partner Cross-Cloud Interconnect for OCI uses BGP to exchange routes between your VPC network and your OCI network. To that end, configure a BGP session for each of your VLAN attachments. The sessions aren't active until you configure your OCI resources, but you can configure the Google Cloud side of the sessions now.
Console
- Configure the first session.
Do one of the following:
- If the Configure Cloud Routers form is displayed, locate the name of your primary VLAN attachment and click Configure.
If the Configure Cloud Routers form isn't open:
Go to the Interconnect page.
On the VLAN attachments tab, click the name of the attachment.
In the Connection area of the form, click Configure BGP session.
Fill out the Create BGP session form:
Enter a Name for the session.
In the Peer ASN field, enter a value to represent the OCI side of the peering. Use 31898.
Optional: Enter a value for Advertised route priority. For information about this field, see Advertised prefixes and priorities.
Optional: Set MD5 Authentication to Enabled, and enter your secret MD5 authentication key. Later, when you configure peering in OCI, you must use the same key on the OCI side of peering. OCI supports only alphanumeric characters for the key. For more information about Google Cloud support for MD5 authentication, see Use MD5 authentication.
Click Save and continue.
Configure the second session.
Do one of the following:
- If you are in the Configure Cloud Routers form, locate the name of your redundant VLAN attachment and click Configure.
- If the Configure Cloud Routers form isn't open:
- Go to the Interconnect page.
- On the VLAN attachments tab, click the name of the attachment.
In the Connection area of the form, click Configure BGP session.
Fill out the Create BGP session form:
Enter a Name for the session.
In the Peer ASN field, enter a value to represent the OCI side of the peering. Use 31898.
Optional: Enter a value for Advertised route priority. For information about this field, see Advertised prefixes and priorities.
Optional: Set MD5 Authentication to Enabled, and enter your secret MD5 authentication key. Later, when you configure peering in OCI, you must use the same key on the OCI side of peering. OCI supports only alphanumeric characters for the key. For more information about Google Cloud support for MD5 authentication, see Use MD5 authentication.
Click Save and continue.
Click Save configuration.
Click Finish setup.
gcloud
To create the required BGP sessions, you must create two interfaces on the Cloud Router used by your VLAN attachments. (Alternatively, if each of your attachments uses a different Cloud Router, configure an interface on each Cloud Router.) After you create your interfaces, create a peering session for each interface.
To complete this setup, use the gcloud compute routers add-interface command and the gcloud compute routers add-bgp-peer command.
Complete the following steps:
Create the primary interface:
    gcloud compute routers add-interface ROUTER_NAME \
        --interface-name=INTERFACE \
        --interconnect-attachment=ATTACHMENT \
        --region=REGION
Replace the following values:
- ROUTER_NAME: the name of the Cloud Router used by your primary VLAN attachment
- INTERFACE: the name of the new interface
- ATTACHMENT: the name of your primary VLAN attachment
- REGION: the region where the Cloud Router is located
Create the redundant interface:
    gcloud compute routers add-interface ROUTER_NAME_2 \
        --interface-name=INTERFACE_2 \
        --interconnect-attachment=ATTACHMENT_2 \
        --region=REGION
Replace the following:
- ROUTER_NAME_2: the name of the Cloud Router used by your redundant VLAN attachment
- INTERFACE_2: the name of the redundant interface
- ATTACHMENT_2: the name of your redundant VLAN attachment
- REGION: the region where the Cloud Router is located
Create a BGP session for the primary VLAN attachment:
    gcloud compute routers add-bgp-peer ROUTER_NAME \
        --interface=INTERFACE \
        --peer-asn=31898 \
        --peer-name=PEER_NAME \
        --region=REGION \
        --md5-authentication-key=YOUR_KEY
Replace the following:
- ROUTER_NAME: the name of the Cloud Router used by your primary VLAN attachment
- INTERFACE: the name of the primary interface
- PEER_NAME: the name of the peer
- REGION: the region where the Cloud Router is located
- YOUR_KEY: the secret key to use for MD5 authentication; later, when you configure peering in OCI, you must use the same key (OCI supports only alphanumeric characters for the key)
Create a BGP session for the redundant VLAN attachment:
    gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
        --interface=INTERFACE_2 \
        --peer-asn=31898 \
        --peer-name=PEER_NAME_2 \
        --region=REGION \
        --md5-authentication-key=YOUR_KEY_2
Replace the following:
- ROUTER_NAME_2: the name of the Cloud Router used by your redundant VLAN attachment
- INTERFACE_2: the name of the redundant interface
- PEER_NAME_2: the name of the peer
- REGION: the region where the Cloud Router is located
- YOUR_KEY_2: the secret key to use for MD5 authentication; later, when you configure peering in OCI, you must use the same key (OCI supports only alphanumeric characters for the key)
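Pre-flight checks for the values the gcloud steps on this page take, as an added example that is not part of the original page: it generates and validates an MD5 key that OCI accepts (alphanumeric only), checks the peer ASN, and checks the MTU rule from the VLAN attachment step. Function names and the 32-character default key length are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
LC_ALL=C; export LC_ALL   # make [A-Za-z0-9] mean ASCII letters and digits only

OCI_PEER_ASN=31898        # peer ASN the page gives for the OCI side

# Generate an alphanumeric-only MD5 key. The default length of 32 is an
# assumption, not a value from the page.
gen_md5_key() {
    want="${1:-32}"; key=""
    while [ "${#key}" -lt "$want" ]; do
        key="$key$(head -c 64 /dev/urandom | tr -dc 'A-Za-z0-9')"
    done
    printf '%s\n' "$key" | cut -c1-"$want"
}

# Succeed only for a non-empty key made of ASCII letters and digits.
# A base64 or symbol-rich secret fails here, as it would on the OCI side.
valid_md5_key() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The attachment MTU must be one of the page's values; a non-default value
# must also be set on the VPC network and on the OCI VM.
check_mtu() {   # args: attachment_mtu vpc_mtu oci_vm_mtu
    case "$1" in
        1440) return 0 ;;
        1460|1500|8896) [ "$1" = "$2" ] && [ "$1" = "$3" ] ;;
        *) return 1 ;;
    esac
}

# Validate the inputs of one add-bgp-peer call; prints each problem found
# and returns non-zero if there was any.
check_bgp_peer() {   # args: peer_asn md5_key
    rc=0
    [ "$1" = "$OCI_PEER_ASN" ] || { echo "peer ASN must be $OCI_PEER_ASN"; rc=1; }
    valid_md5_key "$2" || { echo "MD5 key must be alphanumeric only"; rc=1; }
    return "$rc"
}
```

Keep the generated key in a variable or secret store and pass it to --md5-authentication-key from there, so it is not typed into shell history; the same value goes on the OCI side.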
Get details about your VLAN attachments
After you create your VLAN attachments, retrieve the details that you need to configure your OCI resources.
Console
- In the Google Cloud console, go to the Interconnect page.
- On the VLAN attachments tab, click the name of your primary VLAN attachment.
- Make a note of the Cloud Router BGP IP and BGP Peer IP values. You need these values when you configure your OCI resources.
- Repeat the preceding steps for your redundant attachment.
gcloud
Use the gcloud compute interconnects attachments describe command.
Run the following command twice—once for each attachment:
gcloud compute interconnects attachments describe NAME --region REGION
Replace the following:
- NAME: the name of the VLAN attachment
- REGION: the region where the VLAN attachment is located
The command returns output that includes cloudRouterIpAddress and customerRouterIpAddress. Make a note of these values. You need them when you configure your OCI resources.
Restrict Partner Cross-Cloud Interconnect for Oracle Cloud Infrastructure (OCI) usage
By default, any VPC network can use Cloud Interconnect. To control which VPC networks can use Cloud Interconnect, you can set an organization policy. For more information, see Restrict Cloud Interconnect usage.
For information about how to configure Oracle Cloud Infrastructure resources, see Configure OCI resources in the OCI documentation.
What's next
- To find answers to common questions about Cloud Interconnect architecture and features, see the Cloud Interconnect FAQ.
- To find out more about Cloud Interconnect, see the Cloud Interconnect overview.
- To learn about best practices when planning for and configuring Cloud Interconnect, see Best practices.
- To find Google Cloud resource names, see the Cloud Interconnect APIs.