21_2 – Single Private VCN (no internet) with Service Gateway (Object Storage OSMS) NAT Gateway - SanjeevOCI/Study GitHub Wiki

21_1 – Single Private VCN (no internet) with Service Gateway (Object Storage/OSMS) + Optional NAT Gateway

Goal

  • 1 private subnet, 1 private VM (no public IP)
  • Private access to OCI services (Object Storage, OSMS) via Service Gateway (SGW)
  • Optional outbound to public repos via NAT Gateway (NGW)
  • No inbound from internet

Architecture (Quick)

  • VCN: e.g., 10.1.0.0/16
  • Subnet (private): e.g., 10.1.1.0/24 (VM lives here, no public IP)
  • Service Gateway: created in the VCN, not in a subnet
  • NAT Gateway (optional): created in the VCN, not in a subnet
  • Internet Gateway: not used by private subnet

Admin Access Options

  • Preferred: Add a public subnet (tiny /28 is fine) to the same VCN and use OCI Bastion to reach the private VM.
  • Alternative: Use VPN/FastConnect from on-prem to the private subnet (no public subnet needed).

Network Configuration

Route Table (attach to the private subnet)

| Destination | Target | Purpose |
| --- | --- | --- |
| all-oci-services-in-oracle-services-network | Service GW | Private access to Object Storage, OSMS |
| 0.0.0.0/0 (optional) | NAT GW | Outbound internet for public repos/updates |

If you want no internet at all, omit the 0.0.0.0/0 → NAT GW route.

Security List (or NSG) – for the private subnet / VM VNIC

Egress

  • To Service Gateway:
    • Destination: all-oci-services-in-oracle-services-network
    • Protocol: TCP, Port: 443
  • To Internet via NAT (optional):
    • Destination: 0.0.0.0/0
    • Protocol: TCP, Port: 443

Ingress

  • No inbound from internet.
  • Allow only from trusted sources (e.g., Bastion/VPN/FastConnect CIDR, app-internal ports if needed).

Best practice: Keep subnet Security List minimal and use NSGs for VM-specific rules.


Bastion Placement (since you have only one private subnet)

  • Create an additional public subnet (e.g., 10.1.2.0/28) in the same VCN.
    • Route table: 0.0.0.0/0 → Internet Gateway
  • Deploy OCI Bastion (managed service) and create a Bastion session to the private VM.
    • The target is the private VM in the private subnet; the service handles the tunnel.
  • You do not assign any public IP to the private VM.

If you cannot add a public subnet, use VPN/FastConnect to reach the VM privately.
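The route table, security list and private subnet above, built with the OCI CLI as an added example (this is not code from the SanjeevOCI/Study wiki). The JSON rule builders are plain shell functions so the payloads can be read before anything is created; the `oci` calls run only when `OCI_APPLY=1`. Assumed: `COMPARTMENT_OCID`, `VCN_OCID` and `REGION` are supplied by the operator (placeholders below), the `--wait-for-state` waits are available on your CLI version, and the OSN "all services" label is looked up per region because the real label is region-coded (for example `all-iad-services-in-oracle-services-network`), not the generic `all-oci-services-...` shown in the table. Ingress is limited to TCP/22 from the bastion subnet CIDR the page places at 10.1.2.0/28.

```shell
#!/bin/sh
# Added example, not the wiki's own code: private subnet + Service Gateway + optional
# NAT Gateway, with the route table and security list described above.
# Assumptions: COMPARTMENT_OCID, VCN_OCID, REGION come from the operator (placeholders);
# the OSN "all services" label/OCID is looked up because it is region-coded.
set -eu

COMPARTMENT_OCID="${COMPARTMENT_OCID:-ocid1.compartment.oc1..PLACEHOLDER}"
VCN_OCID="${VCN_OCID:-ocid1.vcn.oc1..PLACEHOLDER}"
REGION="${REGION:-us-ashburn-1}"
PRIVATE_CIDR="10.1.1.0/24"     # page's private subnet
BASTION_CIDR="10.1.2.0/28"     # page's public bastion subnet: only source allowed on 22
WITH_NAT="${WITH_NAT:-0}"      # 1 = add 0.0.0.0/0 -> NAT GW; 0 = no internet at all

# --- JSON builders (OCI route-rule and security-rule schema) ----------------------
sgw_route_rule() {   # $1 = OSN cidr label, $2 = Service Gateway OCID
  printf '{"destination":"%s","destinationType":"SERVICE_CIDR_BLOCK","networkEntityId":"%s"}' "$1" "$2"
}
nat_route_rule() {   # $1 = NAT Gateway OCID
  printf '{"destination":"0.0.0.0/0","destinationType":"CIDR_BLOCK","networkEntityId":"%s"}' "$1"
}
tcp443_egress_rule() {   # $1 = destination, $2 = CIDR_BLOCK | SERVICE_CIDR_BLOCK
  printf '{"destination":"%s","destinationType":"%s","protocol":"6","isStateless":false,"tcpOptions":{"destinationPortRange":{"min":443,"max":443}}}' "$1" "$2"
}
tcp_ingress_rule() {   # $1 = trusted source CIDR, $2 = port
  printf '{"source":"%s","sourceType":"CIDR_BLOCK","protocol":"6","isStateless":false,"tcpOptions":{"destinationPortRange":{"min":%s,"max":%s}}}' "$1" "$2" "$2"
}
route_rules_json() {   # $1 = OSN label, $2 = SGW OCID, $3 = NGW OCID (may be empty)
  rules="$(sgw_route_rule "$1" "$2")"
  if [ "$WITH_NAT" = "1" ] && [ -n "${3:-}" ]; then
    rules="$rules,$(nat_route_rule "$3")"   # omitted entirely when WITH_NAT=0
  fi
  printf '[%s]' "$rules"
}
egress_rules_json() {   # $1 = OSN label; TCP/443 to OSN, plus 0.0.0.0/0 only with NAT
  rules="$(tcp443_egress_rule "$1" SERVICE_CIDR_BLOCK)"
  if [ "$WITH_NAT" = "1" ]; then
    rules="$rules,$(tcp443_egress_rule 0.0.0.0/0 CIDR_BLOCK)"
  fi
  printf '[%s]' "$rules"
}
ingress_rules_json() {   # nothing from the internet; SSH only from the bastion subnet
  printf '[%s]' "$(tcp_ingress_rule "$BASTION_CIDR" 22)"
}

# --- Apply with the OCI CLI ---------------------------------------------------------
apply() {
  # JMESPath: the region's "all-<region>-services-in-oracle-services-network" entry
  q="data[?starts_with(\"cidr-block\", 'all-')]"
  osn_label="$(oci network service list --region "$REGION" --query "$q.\"cidr-block\" | [0]" --raw-output)"
  osn_id="$(oci network service list --region "$REGION" --query "$q.id | [0]" --raw-output)"

  sgw_id="$(oci network service-gateway create --region "$REGION" --compartment-id "$COMPARTMENT_OCID" \
      --vcn-id "$VCN_OCID" --display-name sgw-osn --services "[{\"serviceId\":\"$osn_id\"}]" \
      --wait-for-state AVAILABLE --query data.id --raw-output)"
  ngw_id=""
  if [ "$WITH_NAT" = "1" ]; then
    ngw_id="$(oci network nat-gateway create --region "$REGION" --compartment-id "$COMPARTMENT_OCID" \
        --vcn-id "$VCN_OCID" --display-name ngw-private --wait-for-state AVAILABLE --query data.id --raw-output)"
  fi
  rt_id="$(oci network route-table create --region "$REGION" --compartment-id "$COMPARTMENT_OCID" \
      --vcn-id "$VCN_OCID" --display-name rt-private \
      --route-rules "$(route_rules_json "$osn_label" "$sgw_id" "$ngw_id")" \
      --wait-for-state AVAILABLE --query data.id --raw-output)"
  sl_id="$(oci network security-list create --region "$REGION" --compartment-id "$COMPARTMENT_OCID" \
      --vcn-id "$VCN_OCID" --display-name sl-private \
      --egress-security-rules "$(egress_rules_json "$osn_label")" \
      --ingress-security-rules "$(ingress_rules_json)" \
      --wait-for-state AVAILABLE --query data.id --raw-output)"
  # Private subnet: public IPs are prohibited on every VNIC, so no VM can be exposed by mistake
  oci network subnet create --region "$REGION" --compartment-id "$COMPARTMENT_OCID" --vcn-id "$VCN_OCID" \
      --cidr-block "$PRIVATE_CIDR" --display-name private-subnet --prohibit-public-ip-on-vnic true \
      --route-table-id "$rt_id" --security-list-ids "[\"$sl_id\"]" --wait-for-state AVAILABLE
  echo "Done. On the private VM, verify with: oci os ns get --region $REGION"
}

if [ "${OCI_APPLY:-0}" = "1" ]; then
  apply
fi
```

Run with `WITH_NAT=0 OCI_APPLY=1 sh private-vcn.sh` for the no-internet variant; without `OCI_APPLY=1` nothing is created, so you can source the file and print `route_rules_json` or `egress_rules_json` to review the exact rules before applying them. Setting `--prohibit-public-ip-on-vnic true` on the subnet enforces the "no public IP" goal at the subnet level rather than relying on each VM launch getting it right.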


Verify Access

1) Verify Service Gateway (Object Storage)

# Should return your Object Storage namespace (e.g., ax7vdf1234)
oci os ns get --region <your-region>

# Optional: list buckets (ensure IAM allows this)
oci os bucket list --compartment-id <compartment-ocid> --region <your-region>