13_2 ‐ Hub & Spoke Hybrid Networking: Connecting OCI and Azure - SanjeevOCI/Study GitHub Wiki

Hub & Spoke Hybrid Networking: Connecting OCI and Azure


Network Topology

The Hub-and-Spoke topology is used to connect OCI and Azure in a hybrid cloud environment. This topology ensures centralized control, secure communication, and scalability.

  1. Hub:

    • Each cloud has its own Hub, a central VCN in OCI and a central VNet in Azure, responsible for routing traffic between on-premises, the OCI spokes, and the Azure spokes.
    • The Hub contains shared services like firewalls, VPN gateways, and monitoring tools.
  2. Spokes:

    • The Spokes are VNets/VCNs in OCI and Azure that host application-specific workloads (e.g., compute instances, databases, and storage).
  3. On-Premises:

    • On-premises infrastructure is connected to both OCI and Azure hubs for hybrid connectivity.

Gateways and Firewalls Used

1. Gateways

  • OCI:

    • Dynamic Routing Gateway (DRG): Connects the OCI VCN to on-premises via VPN or FastConnect and to Azure via IPSec VPN.
    • Service Gateway: Provides private access to OCI services like Object Storage.
    • Internet Gateway: Allows outbound internet access for public-facing workloads.
  • Azure:

    • VPN Gateway: Connects the Azure VNet to on-premises and OCI via IPSec VPN.
    • ExpressRoute Gateway: Used for private, high-speed connectivity to on-premises (optional).
    • Azure Virtual Network Gateway: The gateway resource deployed in the hub's GatewaySubnet that terminates hybrid connectivity between Azure and OCI; the VPN Gateway and ExpressRoute Gateway above are its two types.

2. Firewalls

  • OCI:

    • OCI Network Firewall or Third-Party Firewalls (e.g., Palo Alto, Check Point) deployed in the Hub VCN for traffic inspection and filtering.
    • Security Lists (applied per subnet) and Network Security Groups (NSGs, applied per VNIC/instance) to control traffic reaching workloads.
  • Azure:

    • Azure Firewall: Deployed in the Hub VNet for centralized traffic filtering and inspection.
    • NSGs: Used to control traffic at the subnet and NIC levels.
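The subnet- and NIC-level controls listed above behave differently in the two clouds, and that matters when the intent is "only the hub firewall may reach a spoke": Azure NSG rules are ordered by priority and include platform defaults (an AllowVnetInBound rule before the final DenyAllInBound), while OCI security lists and NSGs are allow-only. The following Python is an added example, not code from this wiki or from either cloud's SDK; all addresses, rule names and the VirtualNetwork tag membership are constructed, and the same hub-firewall subnet is reused for both clouds to keep the comparison readable. It evaluates one inbound packet against a naive Azure rule set, a hardened Azure rule set, and an OCI security list.

```python
"""Evaluate one inbound policy under Azure NSG and OCI security-list semantics.

Added example, not code from the wiki page. All addresses and rule names are
constructed. The policy being modelled: only the hub firewall's subnet may reach
spoke workloads on TCP/443, so that nothing bypasses hub inspection.
"""
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption).
HUB_FW_SUBNET = "10.20.1.0/24"      # hub firewall subnet
SPOKE_VNET = "10.21.0.0/16"
ONPREM = "10.0.0.0/16"
# Azure's VirtualNetwork service tag covers the VNet itself, peered VNets and
# on-premises prefixes reachable through the virtual network gateway.
VIRTUAL_NETWORK_TAG = [SPOKE_VNET, "10.20.0.0/16", ONPREM]


def matches(rule, src, proto, dport):
    """True when the packet's source, protocol and destination port fit the rule."""
    if rule["src"] != "*":
        prefixes = VIRTUAL_NETWORK_TAG if rule["src"] == "VirtualNetwork" else [rule["src"]]
        if not any(ip_address(src) in ip_network(p) for p in prefixes):
            return False
    lo, hi = rule["ports"]
    return rule["proto"] in ("*", proto) and lo <= dport <= hi


# Azure platform default inbound rules (AllowAzureLoadBalancerInBound at 65001 omitted).
AZURE_DEFAULTS = [
    {"priority": 65000, "name": "AllowVnetInBound", "src": "VirtualNetwork",
     "proto": "*", "ports": (0, 65535), "access": "Allow"},
    {"priority": 65500, "name": "DenyAllInBound", "src": "*",
     "proto": "*", "ports": (0, 65535), "access": "Deny"},
]


def evaluate_azure_nsg(rules, src, proto, dport):
    """Azure NSG: lowest priority number first, the first matching rule decides."""
    for rule in sorted(rules + AZURE_DEFAULTS, key=lambda r: r["priority"]):
        if matches(rule, src, proto, dport):
            return rule["access"], rule["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


def evaluate_oci_security_list(rules, src, proto, dport):
    """OCI security lists and NSGs hold allow rules only: any match permits, else deny."""
    for rule in rules:
        if matches(rule, src, proto, dport):
            return "Allow", rule["name"]
    return "Deny", "implicit-deny"


# The intended rule, shared by both clouds.
HUB_ONLY = {"name": "allow-hub-fw-https", "src": HUB_FW_SUBNET, "proto": "tcp", "ports": (443, 443)}

# Azure: the allow rule alone is not enough, because AllowVnetInBound (65000)
# still admits any VirtualNetwork source; an explicit Deny above it closes the gap.
AZURE_NAIVE = [dict(HUB_ONLY, priority=100, access="Allow")]
AZURE_HARDENED = AZURE_NAIVE + [
    {"priority": 4000, "name": "deny-bypass-hub", "src": "*",
     "proto": "*", "ports": (0, 65535), "access": "Deny"},
]
# OCI: allow-only semantics, so the single rule already expresses the policy.
OCI_SPOKE_LIST = [HUB_ONLY]


def compare(src, proto="tcp", dport=443):
    """Decision each rule set makes for the same inbound packet."""
    return {
        "azure_naive": evaluate_azure_nsg(AZURE_NAIVE, src, proto, dport),
        "azure_hardened": evaluate_azure_nsg(AZURE_HARDENED, src, proto, dport),
        "oci": evaluate_oci_security_list(OCI_SPOKE_LIST, src, proto, dport),
    }


if __name__ == "__main__":
    for label, src in [("hub firewall", "10.20.1.4"), ("peer in same VNet", "10.21.5.5"),
                       ("on-premises host", "10.0.1.5")]:
        print(f"{label} {src}: {compare(src)}")
```

The point the comparison makes: a spoke NSG in Azure that only adds an allow rule still admits any source covered by the VirtualNetwork tag (including on-premises prefixes learned through the gateway), so a deliberate Deny rule with a priority below 65000 is what actually enforces hub-only access; in OCI the equivalent security list needs nothing beyond the single allow rule.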

Components and Placement

1. OCI Components

  • Hub VCN:

    • Dynamic Routing Gateway (DRG): Connects to Azure and on-premises.
    • Network Firewall: Inspects and filters traffic between spokes and external networks.
    • Service Gateway: Provides private access to OCI services.
    • Internet Gateway: Allows outbound internet access for public-facing workloads.
  • Spoke VCNs:

    • Host application-specific workloads (e.g., compute instances, databases).
    • Use VCN route tables whose rules point at the DRG, so spoke traffic is forwarded to the Hub VCN for centralized routing.

2. Azure Components

  • Hub VNet:

    • VPN Gateway: Connects to OCI and on-premises.
    • Azure Firewall: Inspects and filters traffic between spokes and external networks.
    • ExpressRoute Gateway (optional): For private connectivity to on-premises.
  • Spoke VNets:

    • Host application-specific workloads (e.g., AKS, App Services, Databases).
    • Use User-Defined Routes (UDRs) with the hub's Azure Firewall as next hop to forward traffic to the Hub VNet for centralized routing.

3. On-Premises Components

  • VPN Device:
    • Connects to OCI's DRG and Azure's VPN Gateway via IPSec VPN.
  • Firewall:
    • Inspects and filters traffic between on-premises and cloud environments.

Traffic Flow

  1. On-Premises to OCI:

    • Traffic flows through the on-premises VPN device to OCI's DRG.
    • The DRG routes traffic to the appropriate spoke VCN via the Hub VCN.
  2. On-Premises to Azure:

    • Traffic flows through the on-premises VPN device to Azure's VPN Gateway or ExpressRoute Gateway.
    • The Hub VNet routes traffic to the appropriate spoke VNet.
  3. OCI to Azure:

    • Traffic flows through OCI's DRG to Azure's VPN Gateway via an IPSec VPN tunnel.
    • The Azure Hub VNet routes traffic to the appropriate spoke VNet.
  4. Spoke-to-Spoke Communication:

    • Traffic between spokes (e.g., OCI Spoke to Azure Spoke) is routed through the respective hubs for centralized control and inspection.
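The route tables and UDRs described under Components and Placement, and the four traffic cases above, can be checked mechanically: model each route table as a node, trace a packet with longest-prefix matching, and confirm that every cross-site path passes the source and destination sites' firewalls. The following Python is an added example, not code from this wiki or from either cloud; every CIDR, node name and route rule is constructed, and the per-attachment DRG route tables (oci-drg-ingress for spoke and IPSec attachments, oci-drg-hub for the hub attachment) and the GatewaySubnet UDR (azure-gw-ingress) are modelling assumptions about how the hubs are wired.

```python
"""Trace and audit hub-and-spoke forwarding paths between on-premises, OCI and Azure.

Added example; not code from the wiki. The address plan, node names and route
tables are all constructed. Each node is one route table a packet consults at
one step: a spoke VCN/VNet table, a DRG route table, a hub firewall's egress
table, or the UDR on the Azure GatewaySubnet.
"""
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption).
ONPREM, OCI_SPOKE, OCI_HUB = "10.0.0.0/16", "10.10.0.0/16", "10.11.0.0/16"
AZ_HUB, AZ_SPOKE = "10.20.0.0/16", "10.21.0.0/16"
OCI_ALL, AZ_ALL, ANY = "10.10.0.0/15", "10.20.0.0/15", "0.0.0.0/0"

# Route tables: node -> list of (prefix, next hop). "deliver" = destination is local.
ROUTES = {
    "oci-spoke":        [(OCI_SPOKE, "deliver"), (ANY, "oci-drg-ingress")],
    "oci-drg-ingress":  [(ANY, "oci-firewall")],            # DRG table on spoke + IPSec attachments
    "oci-firewall":     [(OCI_HUB, "deliver"), (ANY, "oci-drg-hub")],
    "oci-drg-hub":      [(OCI_SPOKE, "oci-spoke"), (ONPREM, "onprem-vpn"), (AZ_ALL, "azure-gw-ingress")],
    "onprem-vpn":       [(ONPREM, "onprem-firewall"), (OCI_ALL, "oci-drg-ingress"), (AZ_ALL, "azure-gw-ingress")],
    "onprem-firewall":  [(ONPREM, "deliver"), (ANY, "onprem-vpn")],
    "azure-gw-ingress": [(AZ_ALL, "azure-firewall")],       # UDR on GatewaySubnet
    "azure-gw-tunnel":  [(ONPREM, "onprem-vpn"), (OCI_ALL, "oci-drg-ingress")],
    "azure-firewall":   [(AZ_SPOKE, "azure-spoke"), (AZ_HUB, "deliver"), (ANY, "azure-gw-tunnel")],
    "azure-spoke":      [(AZ_SPOKE, "deliver"), (ANY, "azure-firewall")],
}

# Per site: host prefix, the table a packet from that site consults first, the site's firewall.
SITES = {
    "onprem": (ONPREM, "onprem-firewall", "onprem-firewall"),
    "oci":    (OCI_SPOKE, "oci-spoke", "oci-firewall"),
    "azure":  (AZ_SPOKE, "azure-spoke", "azure-firewall"),
}


def site_of(addr):
    """Return the site whose host prefix contains addr, or None if unknown."""
    for site, (prefix, _, _) in SITES.items():
        if ip_address(addr) in ip_network(prefix):
            return site
    return None


def lookup(routes, node, dst):
    """Longest-prefix match of dst in node's table; None when nothing matches."""
    best = None
    for prefix, nh in routes[node]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def trace(routes, src, dst, max_hops=16):
    """Ordered list of route tables a packet src->dst traverses.

    Raises ValueError on an unknown source, a black hole (no matching route)
    or a forwarding loop.
    """
    site = site_of(src)
    if site is None:
        raise ValueError(f"unknown source site for {src}")
    node = SITES[site][1]
    path = [node]
    for _ in range(max_hops):
        nh = lookup(routes, node, dst)
        if nh is None:
            raise ValueError(f"no route to {dst} at {node}: {path}")
        if nh == "deliver":
            return path
        if nh in path:
            raise ValueError(f"forwarding loop at {nh}: {path}")
        path.append(nh)
        node = nh
    raise ValueError(f"exceeded {max_hops} hops: {path}")


def audit(routes, flows):
    """Flows whose path skips the source or destination site's firewall."""
    findings = []
    for src, dst in flows:
        path = trace(routes, src, dst)
        required = {SITES[site_of(src)][2], SITES[site_of(dst)][2]}
        missing = sorted(required - set(path))
        if missing:
            findings.append((src, dst, missing, path))
    return findings


# Constructed sample flows matching the page's four traffic cases.
FLOWS = [
    ("10.0.1.5", "10.10.2.7"),   # on-premises -> OCI spoke
    ("10.0.1.5", "10.21.3.9"),   # on-premises -> Azure spoke
    ("10.10.2.7", "10.21.3.9"),  # OCI spoke -> Azure spoke
    ("10.21.3.9", "10.0.1.5"),   # Azure spoke -> on-premises (return direction)
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(f"{src} -> {dst}: {' -> '.join(trace(ROUTES, src, dst))}")
    print("findings:", audit(ROUTES, FLOWS))
```

Running `audit` against the constructed tables returns no findings; swapping in a spoke route that sends Azure-bound traffic straight to the hub-side DRG table (bypassing the inspection path) produces a finding naming the skipped firewall, which is the kind of drift a change to a spoke route table or UDR can introduce without any gateway being touched.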

Diagram Representation

On-Premises
   |
   +-- VPN Device -- Firewall
   |       |
   |       +-------------------+
   |                           |
OCI Hub VCN                Azure Hub VNet
   |                           |
   +-- DRG -- IPSec VPN -- VPN Gateway
   |                           |
OCI Spoke VCNs            Azure Spoke VNets

Key Benefits

  1. Centralized Control:
    • All traffic is routed through the Hub for centralized monitoring, security, and routing.
  2. Scalability:
    • New spokes can be added easily without disrupting the existing architecture.
  3. Security:
    • Firewalls in the Hub ensure traffic inspection and filtering.
  4. Hybrid Connectivity:
    • Seamless integration between on-premises, OCI, and Azure.

Conclusion

The Hub-and-Spoke Hybrid Networking topology with DRG (OCI), VPN Gateway (Azure), and centralized firewalls ensures secure, scalable, and efficient connectivity between OCI, Azure, and on-premises environments.