Virtual Cloud Network (VCN)

Oracle Cloud Infrastructure (OCI) VCNs are private, flexible data centers in the cloud with security policies and built-in administration and troubleshooting.

Use cases for OCI Virtual Cloud Networks

View more networking scenarios

VCN use case diagram, description below

This image shows four common use cases for virtual cloud networks. These use cases are as follows:

  1. Public access
  2. Private access
  3. Peering
  4. Both public and private access

Public access
The first use case, public access, is the bidirectional connection of a virtual cloud network to the internet via an internet gateway. Resources, such as virtual machines, can access the internet. With public IP addresses, external users can access resources in the virtual cloud network via the internet.

Private access
This second use case, private access, is a standalone virtual cloud network that is secure from access via the internet. Resources and workloads inside the private virtual cloud network have access to Oracle Cloud Infrastructure services and resources.

Peering, the third use case, is the bidirectional connection of two different virtual cloud networks. Using multiple virtual cloud networks enables you to organize your resources and workloads, along with other capabilities such as tenancies and compartments. You can peer, or connect, multiple virtual cloud networks so they can access data and resources across those networks.

Public and private access
The fourth use cases is public and private access. It is a combination of private, public, and peering uses cases. One virtual cloud network is private and is not connected to the internet. A second virtual cloud network is bidirectionally connected to the first virtual cloud network through peering. This second virtual cloud network is also bidirectionally connected to the internet. This allows external user to access resources in the second virtual cloud network, which can then proxy requests back to resources in the first virtual cloud network. External users are not allowed direct access to resources in the first virtual cloud network.

Benefits of OCI Virtual Cloud Network

1. Secure data center in the cloud

Use configurable security rules to control packet-level traffic in and out instances. Designate subnets as public or private. Put a VCN in a security zone to enforce best practice policies.

2. Pay less to move your data, sometimes nothing at all

OCI does not charge data transfer fees for intraregion data movement, including between virtual networks or availability domains.

3. Troubleshoot and resolve network issues

Powerful tools are included to view, diagnose, and inspect your network, including visual network layout, testing connectivity, and packet-level inspection.

How does OCI Virtual Cloud Network work?

A virtual cloud network (VCN) is a virtual, private network that closely resembles a traditional network, with firewall rules and specific types of communication gateways that you can choose. A VCN resides in a single OCI region and covers one or more CIDR blocks (IPv4 and IPv6, if enabled). Each subnet consists of a contiguous range of IP addresses (for IPv4 and IPv6, if enabled) that do not overlap with other subnets in the VCN.

You can designate a subnet to exist either in a single availability domain or across an entire region (regional subnets are recommended). All network interfaces in a given subnet use the same route table, security rules, and DHCP options. Subnets can be either public or private when you create them. Private means the network interfaces in the subnet can't have public IPv4 addresses and internet communication with IPv6 endpoints will be prohibited. Public means the network interfaces in the subnet can have public IPv4 addresses and internet communication is permitted with IPv6 endpoints.

Read the documentation

Virtual Cloud Network diagram, description below

This image shows a logical layout of resources in a typical OCI region.

A region in OCI is logically and physically divided into groupings known as availability domains. An availability domain may represent a separate area within a data center or even a completely separate data center. Each availability domain is designed to operate in the event that any other availability domain fails, possibly due to a loss of power or network connectivity.

A compartment is a logical grouping of customer-specific resources. It can include resources from all availability domains in an OCI region, although it isn’t required to.

A compartment may have a maximum security zone configuration, which enforces certain security guidelines to help protect a customer’s resources.

Compartments can include one or more virtual cloud networks, which are groupings of resources within an IP address space. A virtual cloud network can contain one or more subnets, which can cross all availability domains or exist within a single availability Domain.

A subnet is a logical grouping that contains resources that are assigned IP addresses from a single, classless, inter-domain routing range. The ranges of multiple subnets in a single virtual cloud network don’t have to be contiguous.

Each subnet enforces security policies that act like a firewall. Security policies can allow or deny network traffic based on specified characteristics, such as source, destination, protocol, and port.

A virtual cloud network typically is configured with an internet gateway, which allows access from the subnets inside the virtual cloud network to destinations in the internet. An internet gateway also allows external users to potentially access resources in virtual cloud networks that are defined as public.

Product tour

Set up your secure network to match your needs

Networking overview view

Take control with your network command center

Access a complete set of capabilities for your cloud networking environment from the networking overview page in OCI console.

Create a Virtual Cloud Network view

Create a network

Easily create a virtual cloud network by specifying the range as a CIDR block and the DNS information. You can specify IPv4 or IPv6.

Create a Network Security Group view

Apply packet-level security

Create a network security group that applies security rules for packets entering and leaving resources in your VCN, similar to typical firewalls. Specify whether you want the rule to be stateless or stateful.

Network Visualizer view

View your network layout

Use Network Visualizer to see a layout of your network.

Create path analysis view

Investigate reachability

Perform an intuitive hop-by-hop analysis of routing and security policies from source to destination to determine connectivity and reachability.

Create VTAP view

Deep traffic inspection

Perform a deep inspection of traffic at a chosen interface for troubleshooting or analysis.

Visualize your network

The Network Visualizer provides a diagram of the implemented topology of all VCNs in a selected region and tenancy, including dynamic routing gateways, virtual cloud networks, customer premises equipment.

Identify traffic patterns

Analyze traffic flows for insights, events, and security anomalies across all traffic entering and leaving a virtual network. Use OCI Logging Analytics or export the logs in standard JSON for analysis by third-party tools.

Investigate reachability

Perform an intuitive hop-by-hop analysis of routing and security policies from source to destination to determine connectivity and reachability. Confirm your configuration is correct before onboarding workloads and ensure that forward and return paths are correct.

Reference architectures and solution playbooks

See all reference architectures

Protect your cloud resources with a virtual firewall

OCI uses virtual cloud networks and subnets to create different segments of the network and a firewall to handle security controls.

Deploy HPC on Oracle Cloud Infrastructure

Deploy high performance computing (HPC) resources in a high-bandwidth, low-latency cloud network with performance that rivals that of on-premises HPC networks—but with the cost and operational advantages of cloud computing.

Troubleshoot network issues with VTAP for OCI and Wireshark

OCI Virtual Test Access Point (VTAP) provides insights into your network traffic, capturing the data required for in-depth network analysis.

Get started with Virtual Cloud Network

Oracle Cloud Free Tier

Build, test, and deploy applications on Oracle Cloud—for free. Sign up once, get access to two free offers.

Contact sales

Interested in learning more about Oracle Cloud Infrastructure? Let one of our experts help.