Create VLAN attachments

VLAN attachments for Partner Cross-Cloud Interconnect for Oracle Cloud Infrastructure (OCI) connections (also known as interconnectAttachments) connect your Virtual Private Cloud (VPC) networks with your on-premises network through the Oracle Cloud Infrastructure virtual cloud network (VCN) by allocating VLANs over existing connections between the two cloud providers.

You can create unencrypted VLAN attachments, which support both IPv4 only (single stack) or IPv4 and IPv6 (dual stack).

Before you can create VLAN attachments for Partner Cross-Cloud Interconnect for OCI, you must already have an OCI account.

Hourly billing for VLAN attachments starts when OCI completes its configurations, whether or not you pre-activated your attachments. OCI configures your attachments when they are in the PENDING_CUSTOMER or ACTIVE state. Billing stops when you or OCI deletes the attachments (when they are in the DEFUNCT state). You are not billed for data transfer between the two clouds.

For definitions of terms used on this page, see Cloud Interconnect key terms.

To help you solve common issues that you might encounter when using Partner Cross-Cloud Interconnect for OCI, see Troubleshooting.

To configure the Google Cloud resources needed for Partner Cross-Cloud Interconnect for OCI, complete the following tasks:

Create two VLAN attachments, one for each of your Partner Cross-Cloud Interconnect for OCI connections.
Configure Border Gateway Protocol (BGP) sessions, one for each VLAN attachment.

Before you begin

This section lists required permissions, resources, and setup steps.

Required roles

Before proceeding, you need the required permissions. Ask your administrator to make sure that you have the Compute Network Admin (roles/compute.networkAdmin) IAM role on the project. For more information about granting roles, see Manage access.

Required resources

Make sure that you have the following resources.

VPC network

If you don't already have a Virtual Private Cloud (VPC) network, create one. For more information, see Create and manage VPC networks.

Cloud Router

To configure Partner Cross-Cloud Interconnect for OCI, you need a Cloud Router. If you're working in the Google Cloud console, you can create your Cloud Router at the same time that you create your VLAN attachments.

If you want to create a Cloud Router in advance, see Create a Cloud Router to connect a VPC network to a peer network. Give the Cloud Router an ASN of 16550 or any private ASN in the 64512-65533 (inclusive) range except ASN 65534. For more information about the ASNs that OCI reserves for itself, see the OCI documentation.

Place the Cloud Router in a region that's supported for your Google Cloud location.

Project selection

If you're using the Google Cloud CLI, set your project ID by using the gcloud config set command.

gcloud config set project PROJECT_ID

The gcloud CLI instructions on this page assume that you have set your project ID.

Check port status in Google Cloud

Before proceeding, verify that each of your Partner Cross-Cloud Interconnect for OCI ports is receiving a signal from OCI.

Console

In the Google Cloud console, go to the Interconnect page.

Go to Interconnect

On the Physical connections tab, click the name of your Partner Cross-Cloud Interconnect for OCI connection.
On the Interconnect details page, make sure that the Status field is set to Active.
If Google Cloud displays a page titled Cross-Cloud Interconnect order confirmation, then your connection is not ready for configuration.

Utilize multiple VLAN attachments

VLAN attachments support traffic speeds up to 50 Gbps or 6.25 M packets per second (pps). Throughput depends on which limit you reach first. For example, if your traffic uses very small packets, you may reach the 6.25 M pps limit before the 50 Gbps limit.

To achieve higher throughput into a VPC network, you must configure multiple VLAN attachments into the VPC network. For each Border Gateway Protocol (BGP) session, you must use the same MED values to let the traffic use equal-cost multipath (ECMP) routing over all the configured VLAN attachments.

Create unencrypted VLAN attachments

Permissions required for this task

To perform this task, you must have been granted the following permissions or the following Identity and Access Management (IAM) roles.

Permissions

compute.interconnects.use
compute.interconnectAttachments.create
compute.interconnectAttachments.get
compute.routers.create
compute.routers.get
compute.routers.update

Roles

roles/owner
roles/editor
roles/compute.networkAdmin

Console

In the Google Cloud console, go to the Interconnect page.

Go to Interconnect
On the VLAN attachments tab, click Create VLAN attachments.
Select Partner Interconnect connection.
In the Encrypt interconnect section, select Set up unencrypted Interconnect, and then click Continue.
Select I already have a service provider.
Select Create a redundant pair of VLAN attachments. Redundancy provides higher availability than a single connection. Both attachments serve traffic, and the traffic is load balanced between them. If one attachment goes down, such as during a scheduled maintenance, the other attachment continues to serve traffic. For more information, see Redundancy and SLA.

If you're creating an attachment for testing purposes or don't require high availability, select Create a single VLAN to create only one VLAN attachment.
For the Network and Region fields, select the VPC network and Google Cloud region where your attachments are to connect.
Specify the details of your VLAN attachments:
- Cloud Router: a Cloud Router to associate with this attachment. You can only choose a Cloud Router in the VPC network and region that you selected with an ASN of 16550. If you don't have an existing Cloud Router, create one with an ASN of 16550. Each VLAN attachment can be associated with a single Cloud Router. Google automatically adds an interface and a BGP peer on the Cloud Router.
- VLAN attachment name: a name for the attachment. This name is displayed in the Google Cloud console and is used by the Google Cloud CLI to reference the attachment—for example, my-attachment.
- IP stack type: the IP stack type. Either IPv4 (single-stack), or IPv4 and IPv6 (dual-stack).
- Maximum transmission unit (MTU): the MTU for the attachment. To use the 1460-, 1500-, or 8896-byte maximum transmission unit (MTU), the VPC network that uses the attachment must have an MTU set to the same value. In addition, the OCI VM must set the same MTU.
To create the attachments, click Create. This action takes a few minutes to complete.
After creation is complete, copy the pairing keys. You share these keys with OCI when you create your FastConnect virtual circuit with OCI.

You can pre-activate the attachment by selecting Enable. Activating attachments lets you confirm that you're connecting to the expected service provider. Pre-activating attachments lets you skip the activation step and lets the attachments start passing traffic immediately after your virtual circuit is created.
To view a list of your VLAN attachments, click OK.

You can optionally update your BGP sessions to use MD5 authentication.

Optional: You can update your BGP session to use custom learned routes. When you use this feature, the Cloud Router behaves as if it learned these routes from the BGP peer. For more information, see Update an existing session to use custom learned routes.

gcloud

Before you create a VLAN attachment, you must have an existing Cloud Router in the network and region that you want to reach from your on-premises network. If you don't have an existing Cloud Router, create one. The Cloud Router must have a BGP ASN of 16550.

Create a VLAN attachment of type PARTNER, specifying the names of your Cloud Router and the edge availability domain (metro availability zone) of the VLAN attachment. Google automatically adds an interface and a BGP peer on the Cloud Router. The attachment generates a pairing key that you need to share with OCI.

You can specify the MTU of your attachment. Valid values are 1440 (default), 1460, 1500, and 8896. To specify an MTU of 1460, 1500, or 8896 use the--mtu parameter—for example, --mtu 1500. To make use of the 1460-, 1500-, or 8896-byte MTU, the VPC network that uses the attachment must set the same MTU. In addition, the OCI VM must set the same MTU.

You can specify the stack type of your VLAN attachment. The default stack type is IPv4.

The following example creates a VLAN attachment in edge availability domain availability-domain-1:
```
gcloud compute interconnects attachments partner create ATTACHMENT_NAME \
    --region=REGION \
    --router=ROUTER_NAME \
    --stack-type=STACK_TYPE \
    --edge-availability-domain availability-domain-1
```
Replace the following:
- ATTACHMENT_NAME: a name for your VLAN attachment.
- REGION: the region of your VLAN attachment.
- ROUTER_NAME: the name of your Cloud Router.
- STACK_TYPE: the stack type for your VLAN attachment. The stack type can be one of the following:
  - IPV4_ONLY: selects IPv4 only (single stack).
  - IPV4_IPV6: selects IPv4 and IPv6 (dual stack).
Note: You can specify any for the edge availability domain, and then OCI assigns the domain for you. However, to create a redundant attachment (the second attachment), you need to wait until OCI configures your first VLAN attachment. You won't know which domain to use for your redundant attachment until OCI completes the configuration. You can pre-activate the attachment by selecting the --admin-enabled flag. Activating attachments lets you confirm that you're connecting to the expected service provider. Pre-activating attachments lets you skip the activation step and lets the attachments start passing traffic immediately after your service provider completes their configuration.
```
gcloud compute interconnects attachments partner create ATTACHMENT_NAME \
    --region=REGION \
    --router=ROUTER_NAME \
    --stack-type=STACK_TYPE \
    --edge-availability-domain availability-domain-1 \
    --admin-enabled
```
- ATTACHMENT_NAME: a name for your VLAN attachment.
- REGION: the region of your VLAN attachment.
- ROUTER_NAME: the name of your Cloud Router.
- STACK_TYPE: the stack type for your VLAN attachment. The stack type can be one of the following:
  - IPV4_ONLY: selects IPv4 only (single stack).
  - IPV4_IPV6: selects IPv4 and IPv6 (dual stack).

Describe the attachment to retrieve its pairing key; you need to share this key with OCI when you create the virtual circuit with OCI:

gcloud compute interconnects attachments describe ATTACHMENT_NAME \
    --region=REGION

The output is similar to the following for IPv4 VLAN attachments:

adminEnabled: false
edgeAvailabilityDomain: AVAILABILITY_DOMAIN_1
creationTimestamp: '2017-12-01T08:29:09.886-08:00'
id: '7976913826166357434'
kind: compute#interconnectAttachment
labelFingerprint: 42WmSpB8rSM=
name: ATTACHMENT_NAME
pairingKey: 7e51371e-72a3-40b5-b844-2e3efefaee59/REGION/1
region: https://www.googleapis.com/compute/v1/projects/customer-project/regions/REGION
router: https://www.googleapis.com/compute/v1/projects/customer-project/regions/REGION/routers/ROUTER_NAME
selfLink: https://www.googleapis.com/compute/v1/projects/customer-project/regions/REGION/interconnectAttachments/ATTACHMENT_NAME
stackType: IPV4_ONLY
state: PENDING_PARTNER
type: PARTNER

The output is similar to the following for IPv4 and IPv6 (dual stack) VLAN attachments:

bandwidth: BPS_1G
cloudRouterIpAddress: 169.254.67.201/29
cloudRouterIpv6Address: 2600:2d00:0:1::1/125
creationTimestamp: '2017-12-01T08:31:11.580-08:00'
customerRouterIpAddress: 169.254.67.202/29
customerRouterIpv6Address: 2600:2d00:0:1::2/125
description: Interconnect for Customer 1
id: '7193021941765913888'
interconnect: https://www.googleapis.com/compute/alpha/projects/partner-project/global/interconnects/lga-2
kind: compute#interconnectAttachment
labelFingerprint: 42WmSpB8rSM=
name: partner-attachment
partnerMetadata:
  interconnectName: New York (2)
  partnerName: Partner Inc
  portalUrl: https://partner-portal.com
region: https://www.googleapis.com/compute/alpha/projects/partner-project/regions/REGION
selfLink: https://www.googleapis.com/compute/alpha/projects/partner-project/regions/REGION/interconnectAttachments/ATTACHMENT_NAME
stackType: IPV4_IPV6
state: ACTIVE
type: PARTNER
vlanTag8021q: 1000

The pairingKey field contains the pairing key that you need to share with OCI. Treat the pairing key as sensitive information until your VLAN attachment is configured.

The state of the VLAN attachment is PENDING_PARTNER until you request a connection with OCI and it completes your VLAN attachment configuration. After the configuration is complete, the state of the attachment changes to ACTIVE or PENDING_CUSTOMER.

Optional: You can update your BGP session to use custom learned routes. When you use this feature, the Cloud Router behaves as if it learned these routes from the BGP peer. For more information, see Update an existing session to use custom learned routes.
Optional: You can update your BGP sessions to use MD5 authentication.

If you're building redundancy with a duplicate VLAN attachment, repeat these steps for the second attachment. Use the same Cloud Router, but specify a different edge availability domain. Also, when you request connections from OCI, you must select the same metropolitan area (city) for both attachments for them to be redundant. For more information, see Redundancy and SLA.

Configure BGP sessions

Partner Cross-Cloud Interconnect for OCI uses BGP to exchange routes between your VPC network and your OCI network. To that end, configure a BGP session for each of your VLAN attachments. The sessions aren't active until you configure your OCI resources, but you can configure the Google Cloud side of the sessions now.

Console

Configure the first session.
Do one of the following:
1. If the Configure Cloud Routers form is displayed, locate the name of your primary VLAN attachment and click Configure.
2. If the Configure Cloud Routers form isn't open:
3. Go to the Interconnect page.
4. On the VLAN attachments tab, click the name of the attachment.
5. In the Connection area of the form, click Configure BGP session.
6. Fill out the Create BGP session form:
7. Enter a Name for the session.
8. In the Peer ASN field, enter a value to represent the OCI side of the peering. Use 31898.
9. Optional: Enter a value for Advertised route priority. For information about this field, see Advertised prefixes and priorities.
10. Optional: Set MD5 Authentication to Enabled, and enter your secret MD5 authentication key. Later, when you configure peering in OCI, you must use the same key on the OCI side of peering. OCI supports only alphanumeric characters for the key. For more information about Google Cloud support for MD5 authentication, see Use MD5 authentication.
11. Click Save and continue.
Configure the second session.
Do one of the following:
- If you are in the Configure Cloud Routers form, locate the name of your redundant VLAN attachment and click Configure.
- If the Configure Cloud Routers form isn't open:
1. Go to the Interconnect page.
2. On the VLAN attachments tab, click the name of the attachment.
3. In the Connection area of the form, click Configure BGP session.
4. Fill out the Create BGP session form:
5. Enter a Name for the session.
6. In the Peer ASN field, enter a value to represent the OCI side of the peering. Use 31898.
7. Optional: Enter a value for Advertised route priority. For information about this field, see Advertised prefixes and priorities.
8. Optional: Set MD5 Authentication to Enabled, and enter your secret MD5 authentication key. Later, when you configure peering in OCI, you must use the same key on the OCI side of peering. OCI supports only alphanumeric characters for the key. For more information about Google Cloud support for MD5 authentication, see Use MD5 authentication.
9. Click Save and continue.
Click Save configuration.
Click Finish setup.

gcloud

To create the required BGP sessions, you must create two interfaces on the Cloud Router used by your VLAN attachments. (Alternatively, if each of your attachments uses a different Cloud Router, configure an interface on each Cloud Router.) After you create your interfaces, create a peering session for each interface.

To complete this setup, use the gcloud compute routers add-interface command and the gcloud compute routers add-bgp-peer command.

Complete the following steps:

Create the primary interface:
```
gcloud compute routers add-interface ROUTER_NAME \
   --interface-name=INTERFACE \
   --interconnect-attachment=ATTACHMENT \
   --region=REGION
```
Replace the following values:
- ROUTER_NAME: the name of the Cloud Router used by your primary VLAN attachment
- INTERFACE: the name of the new interface
- ATTACHMENT: the name of your primary VLAN attachment
- REGION: the region where the Cloud Router is located
Create the redundant interface:
```
gcloud compute routers add-interface ROUTER_NAME_2 \
    --interface-name=INTERFACE_2 \
    --interconnect-attachment=ATTACHMENT_2 \
    --region=REGION
```
Replace the following:
- ROUTER_NAME_2: the name of the Cloud Router used by your redundant VLAN attachment
- INTERFACE_2: the name of the redundant interface
- ATTACHMENT_2: the name of your redundant VLAN attachment
- REGION: the region where the Cloud Router is located
Create a BGP session for the primary VLAN attachment:
```
gcloud compute routers add-bgp-peer ROUTER_NAME \
   --interface=INTERFACE \
   --peer-asn=--peer-asn=31898 \
   --peer-name=PEER_NAME \
   --region=REGION \
   --md5-authentication-key=YOUR_KEY
```
Replace the following:
- ROUTER_NAME: the name of the Cloud Router used by your primary VLAN attachment
- INTERFACE: the name of the primary interface
- PEER_NAME: the name of the peer
- REGION: the region where the Cloud Router is located
- YOUR_KEY: the secret key to use for MD5 authentication; later, when you configure peering in OCI, you must use the same key (OCI supports only alphanumeric characters for the key)
Create a BGP session for the redundant VLAN attachment:
```
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
   --interface=INTERFACE_2 \
   --peer-asn=--peer-asn=31898 \
   --peer-name=PEER_NAME_2 \
   --region=REGION \
   --md5-authentication-key=YOUR_KEY_2
```
Replace the following:
- ROUTER_NAME_2: the name of the Cloud Router used by your primary VLAN attachment
- INTERFACE_2: the name of the primary interface
- PEER_NAME_2:the name of the peer
- REGION: the region where the Cloud Router is located
- YOUR_KEY_2: the secret key to use for MD5 authentication; later, when you configure peering in OCI, you must use the same key (OCI supports only alphanumeric characters for the key)

Get details about your VLAN attachments

After you create your VLAN attachments, retrieve the details that you need to configure your OCI resources.

Console

In the Google Cloud console, go to the Interconnect page.

Go to Interconnect

On the VLAN attachments tab, click the name of your primary VLAN attachment.
Make a note of the Cloud Router BGP IP and BGP Peer IP values. You need these values when you configure your OCI resources.
Repeat the preceding steps for your redundant attachment.

gcloud

Use the gcloud compute interconnects attachments describe command. Run the following command twice—once for each attachment:

gcloud compute interconnects attachments describe NAME --region REGION

Replace the following:

NAME: the name of the VLAN attachment
REGION: the region where the VLAN attachment is located

The command returns output that includes cloudRouterIpAddress and customerRouterIpAddress. Make a note of these values. You need them when you configure your OCI resources.

Restrict Partner Cross-Cloud Interconnect for Oracle Cloud Infrastructure (OCI) usage

By default, any VPC network can use Cloud Interconnect. To control which VPC networks can use Cloud Interconnect, you can set an organization policy. For more information, see Restrict Cloud Interconnect usage.

For information about how to configure Oracle Cloud Infrastructure resources, see Configure OCI resources in the OCI documentation.

What's next

To find answers to common questions about Cloud Interconnect architecture and features, see the Cloud Interconnect FAQ.
To find out more about Cloud Interconnect, see the Cloud Interconnect overview.
To learn about best practices when planning for and configuring Cloud Interconnect, see Best practices.
To find Google Cloud resource names, see the Cloud Interconnect APIs.

Paired locations

Request OCI connections