28 ‐ OCI Scenario – Single VCN with No Internet (Object Storage) - SanjeevOCI/Study GitHub Wiki

Scenario: Single Private VCN with No Internet, Having All Other Services Connected (Object Storage)

Key Points

  • No Internet access for compute workloads.
  • Service Gateway for private Object Storage / OS Management Service (OSMS) access.
  • NAT Gateway (optional) for controlled outbound updates.
  • 3 reserved IPs per subnet in OCI.
  • NSGs enforce least privilege security.

Architecture (Mermaid)

```mermaid
graph TD
    A[VCN 10.0.0.0/16] --> B[Subnet 10.0.0.0/24]
    B --> C["Compute Instance (Private IP only)"]
    B --> D["NSG (Restrict inbound/outbound)"]
    A --> E["Service Gateway (Object Storage)"]
    A --> F["NAT Gateway (optional)"]
```

  1. First, I will confirm the tenancy, compartment, and region, since these are mandatory details before designing the network. Then, based on the resource requirements, I will plan the VCN and subnets. As an architect, I should always ask how many services we need to create inside the VCN, and plan the CIDR block based on that.

  2. For simplicity, I will consider 10.0.0.0/16 as the VCN CIDR. In a real-world scenario, I would calculate the number of resources, and based on that, I would plan the subnets. I will also consider 40–50% additional IPs to accommodate future growth. Generally, I design with a 3-tier architecture, so I ask how many load balancers, application services, and databases will be created. Then, I map my subnets accordingly.

    • Sometimes, even if we need only 32 IPs, we must plan a larger CIDR range because these IPs will be distributed among multiple subnets.
    • In OCI, there are 3 reserved IPs per subnet, so this must be factored into subnet planning.

    For this scenario, I will create one subnet, say 10.0.0.0/24, since you asked for one resource. If more resources are needed, I will allocate new CIDR ranges for additional subnets.

  3. Once the VCN and subnet are ready, I will move ahead with services. After defining the network, the next step is to plan gateways and routes. Since the compute instance needs to connect to services like Object Storage without using the internet, I will use a Service Gateway. I will also provision a NAT Gateway but keep it unused initially, following the least-privilege principle, in case future outbound connectivity is required.

  4. Next, I will configure the route table. Default system routes are available, but I may need to add custom routes. I will create a route pointing to the Service Gateway for private access to Object Storage. Another route will be reserved for the NAT Gateway if needed later.

  5. After this, I will move to security. Before creating a Network Security Group (NSG), I must first provision a compute instance. Once the compute instance is created, I will attach a custom NSG instead of the default one. Initially, it will have no allow rules, just the default deny posture. Later, I will add rules as per requirements.

    • For ingress, I will allow port 22 (SSH) because administrators will need access to the compute instance.
    • The source CIDR will be restricted to the corporate private network range for secure access.
    • If private connectivity to on-premises is needed in the future, FastConnect or IPSec VPN would be required, along with additional route table and NSG configurations. For now, that is out of scope.

  6. With this setup, we have a private VCN with no internet connectivity, compute resources, NSGs, route tables, and gateways properly planned. This ensures Object Storage and other OCI services can be securely accessed within the VCN, without exposure to the public internet.
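
The six steps above, expressed as Terraform for the OCI provider. This is an added example and not code from the wiki; Terraform itself, the resource names, and the two input variables `var.compartment_ocid` and `var.corporate_cidr` (the administrators' source range from step 5) are my choices and are assumed to be declared elsewhere.

```hcl
# Added example (Terraform, OCI provider); assumes var.compartment_ocid and var.corporate_cidr exist.
resource "oci_core_vcn" "private" {
  compartment_id = var.compartment_ocid
  cidr_blocks    = ["10.0.0.0/16"]
}
data "oci_core_services" "objectstorage" { # regional Object Storage entry in the OSN list
  filter {
    name   = "name"
    values = ["OCI .* Object Storage"]
    regex  = true
  }
}
resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.private.id
  services { service_id = data.oci_core_services.objectstorage.services[0].id }
}
resource "oci_core_route_table" "private" { # no Internet Gateway rule; NAT rule left out for now
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.private.id
  route_rules { # Object Storage CIDR -> Service Gateway, so traffic never leaves Oracle's network
    destination       = data.oci_core_services.objectstorage.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
}
resource "oci_core_subnet" "app" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.private.id
  cidr_block                 = "10.0.0.0/24" # 256 addresses minus OCI's 3 reserved = 253 usable
  prohibit_public_ip_on_vnic = true          # instances get private IPs only
  route_table_id             = oci_core_route_table.private.id
}
resource "oci_core_network_security_group" "app" { # no rules = default deny
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.private.id
}
resource "oci_core_network_security_group_security_rule" "ssh_in" {
  network_security_group_id = oci_core_network_security_group.app.id
  direction   = "INGRESS"
  protocol    = "6"                # TCP
  source      = var.corporate_cidr # corporate range only, never 0.0.0.0/0
  source_type = "CIDR_BLOCK"
  tcp_options {
    destination_port_range {
      min = 22
      max = 22
    }
  }
}
```

The `oci_core_services` filter matches the region-specific Object Storage entry (its exact name differs per region), and attaching the compute instance's VNIC to `oci_core_network_security_group.app` rather than the default security list is what leaves only the single SSH ingress rule open.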