21_1 ‐ Single Private VCN with no internet, having all other services connected like block storage, object storage - SanjeevOCI/Study GitHub Wiki

Single Private VCN with No Internet – OCI

1. Create a Compartment

Create a compartment if one does not already exist. It logically groups and isolates the resources and is the scope at which IAM policies for this environment are written.


2. Create a New VCN

  • Create a Virtual Cloud Network (VCN) with a CIDR block that does not overlap any other VCN you may peer with or any on-premises network you will connect through VPN or FastConnect, to avoid IP conflicts.

3. Create a Private Subnet

  • Carve a smaller CIDR range out of the VCN sized to the number of workloads.
  • Create the subnet as Private (Prohibit public IP addresses), so no instance VNIC in it can be assigned a public IP.
  • The subnet's route table must contain no route to an Internet Gateway; in this design no Internet Gateway is created in the VCN at all.

4. Gateways Setup

4.1 Service Gateway

For reaching OCI services over Oracle's private network, without traversing the internet:

  • Object Storage
  • OSMS (Oracle OS Management Service)
  • The regional Oracle Linux yum mirrors and other regional services in the Oracle Services Network

When creating the Service Gateway, choose the "All <region> Services In Oracle Services Network" option rather than "Object Storage only", otherwise OSMS and the yum mirrors are not reachable.

Route Table Entry:

  • Destination Type: Service CIDR Label
  • Destination: All <region> Services In Oracle Services Network (label form all-<region-key>-services-in-oracle-services-network, e.g. all-iad-services-in-oracle-services-network)
  • Target: Service Gateway

4.2 NAT Gateway (Optional)

Only if you need outbound internet access for:

  • OS updates or packages from repositories outside Oracle's network (Oracle Linux updates from the OCI yum mirrors do not need it; they come through the Service Gateway)
  • Third-party software that calls out to the internet

A NAT Gateway gives the subnet outbound-only internet access; no inbound connection can be initiated through it. Once it is added, the VCN is no longer strictly "no internet", so leave it out unless a concrete requirement exists.

Route Table Entry:

  • Destination CIDR Block: 0.0.0.0/0
  • Target: NAT Gateway

5. Create a Compute Instance

Deploy in the private subnet:

  • Assign no public IP (the private subnet setting already prevents one)
  • Attach the instance to the NSG defined in step 7

Can access:

  • Block Volumes (attached directly to the instance; block storage traffic does not depend on any gateway or route)
  • Object Storage and OSMS (via Service Gateway)
  • External patch repositories (via NAT Gateway, only if configured)

6. Update Route Tables

A subnet has exactly one route table, so both rules live in the same table, which is then associated with the private subnet:

  • Service Gateway Route:
    All <region> Services In Oracle Services Network (Service CIDR Label) → Service Gateway
  • NAT Gateway Route:
    0.0.0.0/0 → NAT Gateway (only if external internet access is required for updates)

There is no 0.0.0.0/0 → Internet Gateway rule, and none should ever be added to this table.

7. Configure Security Lists or NSGs

NSGs are preferred because they attach to the instance VNIC and can be scoped per workload; Security Lists apply to every VNIC in the subnet. Note that the VCN's default Security List allows SSH from 0.0.0.0/0 and all egress, so either replace it with an empty list and rely on NSGs, or edit it down to the rules below.

Egress Rules

For Service Gateway:

  • Destination Type: Service
  • Destination: All <region> Services In Oracle Services Network
  • Protocol: TCP
  • Port: 443 (HTTPS)

For NAT Gateway (only if configured):

  • Destination Type: CIDR
  • Destination: 0.0.0.0/0
  • Protocol: TCP
  • Port: 443 (HTTPS); add port 80 only if a repository is served over plain HTTP

Ingress Rules

  • Nothing from 0.0.0.0/0; without an Internet Gateway the traffic could not arrive anyway, but the rule set should not rely on that
  • Allow only the required ports (typically TCP 22) from trusted sources: the OCI Bastion service or a bastion host's subnet, and the on-premises CIDR reached over VPN or FastConnect through the DRG
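The build in steps 2 to 7, written as one Terraform configuration. This is an added example, not the wiki's own code or Oracle's reference code. It assumes the oci provider is already configured, and it makes up the variable names, the 10.10.0.0/16 and 10.10.1.0/24 CIDRs, and var.admin_cidr as the trusted range reached over the bastion, VPN or FastConnect. The NAT Gateway is behind var.enable_nat, which defaults to false so the VCN stays internet-free.

```hcl
variable "compartment_ocid" { type = string }
variable "admin_cidr" { type = string }   # assumed: trusted admin range (bastion/VPN/FastConnect)
variable "enable_nat" { default = false } # false keeps the VCN truly internet-free

# Resolves the regional label, e.g. all-iad-services-in-oracle-services-network
data "oci_core_services" "osn" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}

resource "oci_core_vcn" "private" {
  compartment_id = var.compartment_ocid
  cidr_blocks    = ["10.10.0.0/16"]
  display_name   = "private-vcn"
  dns_label      = "privvcn"
}

# Service Gateway for Object Storage, OSMS and the OCI yum mirrors
resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.private.id
  display_name   = "sgw"
  services {
    service_id = data.oci_core_services.osn.services[0].id
  }
}

# Optional NAT Gateway; not created unless enable_nat = true
resource "oci_core_nat_gateway" "nat" {
  count          = var.enable_nat ? 1 : 0
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.private.id
  display_name   = "nat"
}

# No Internet Gateway exists in this VCN, so no rule can point at one.
resource "oci_core_route_table" "private" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.private.id
  display_name   = "private-rt"
  route_rules {
    destination       = data.oci_core_services.osn.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
  dynamic "route_rules" {
    for_each = var.enable_nat ? [1] : []
    content {
      destination       = "0.0.0.0/0"
      destination_type  = "CIDR_BLOCK"
      network_entity_id = oci_core_nat_gateway.nat[0].id
    }
  }
}

# Empty list: the VCN's default security list allows SSH from 0.0.0.0/0 and
# all egress, so attach this instead and let the NSG make every decision.
resource "oci_core_security_list" "empty" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.private.id
  display_name   = "empty-sl"
}

resource "oci_core_subnet" "private" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.private.id
  cidr_block                 = "10.10.1.0/24"
  display_name               = "private-subnet"
  dns_label                  = "priv"
  prohibit_public_ip_on_vnic = true   # this is what makes the subnet private
  route_table_id             = oci_core_route_table.private.id
  security_list_ids          = [oci_core_security_list.empty.id]
}

resource "oci_core_network_security_group" "app" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.private.id
  display_name   = "app-nsg"
}

# Egress: HTTPS to the Oracle Services Network only (the Service Gateway path)
resource "oci_core_network_security_group_security_rule" "egress_osn_443" {
  network_security_group_id = oci_core_network_security_group.app.id
  direction                 = "EGRESS"
  protocol                  = "6"
  destination_type          = "SERVICE_CIDR_BLOCK"
  destination               = data.oci_core_services.osn.services[0].cidr_block
  tcp_options {
    destination_port_range {
      min = 443
      max = 443
    }
  }
}
```

The ingress side is the same rule resource with direction INGRESS, source_type CIDR_BLOCK, source set to var.admin_cidr and port 22; a NAT egress rule (only when enable_nat is true) uses destination_type CIDR_BLOCK and destination 0.0.0.0/0 on port 443. Because the default security list is replaced by an empty one, anything not in the NSG is denied, which is the least-privilege posture step 8 asks for.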

8. Harden Security

  • Optionally insert an OCI Network Firewall, or a Palo Alto VM-Series appliance in its own subnet, into the path by pointing the private subnet's route rules at the firewall's private IP so that traffic to the Service Gateway and NAT Gateway is inspected before it leaves
  • Keep NSG/Security List rules at least privilege: named ports, named sources and destinations, no 0.0.0.0/0 ingress, and remove the default Security List's open rules

9. Storage Configuration

  • Boot Volume (created with the instance)
  • Additional Block Volumes if needed (iSCSI or paravirtualized attachment; no gateway involved)
  • Volume backup policies (backups are taken by the Block Volume service and stored in Object Storage without traversing the VCN)
  • Object Storage for application-level backups written by the instance (via Service Gateway)

10. Verify Access

  • Use the Bastion service or VPN for admin access; confirm the instance has no public IP and is unreachable from the internet
  • From the instance, confirm the regional Object Storage endpoint resolves and an HTTPS connection to it succeeds; the same check against OSMS proves the Service Gateway route and egress rule
  • Confirm that a connection to a non-Oracle internet address fails when no NAT Gateway is configured; if one is configured, run a package update and check it completes while the instance still shows no public IP