OCI_Gateways_routing - pavankumarchittajallu/OCI_DOC GitHub Wiki

A Gateway in Oracle Cloud Infrastructure (OCI) is a crucial network component that acts as an entry and exit point for moving data between an OCI Virtual Cloud Network (VCN) and other networks, such as the public internet, Oracle services, on-premises environments, or even other VCNs.

Each gateway serves a specific purpose in enabling, securing, and managing connectivity, both internally and externally.

Internet Gateway:

  1. The only way for resources (instances) with public IPs, within public subnets, to reach the Internet, and vice versa.
  2. Only one IGW per VCN is permitted; traffic control is managed via route tables and security lists.

Service Gateway:

  1. Gives private, Oracle-network-only access to supported Oracle Cloud services.
  2. Data never leaves the Oracle network — as opposed to the Internet Gateway, which routes via the internet.

Dynamic Routing Gateway:

  1. Functions as a virtual router, enabling connections to on-premises networks or to remote VCNs (in the same or different regions).
  2. It must be attached to the VCN to route traffic outside it.

Gateways and route tables are foundational to secure, flexible networking in OCI. By associating appropriate route rules with your network gateways and subnets, you control the flow of traffic—whether within the cloud, to the internet, or to remote locations.

Route Tables

Each route table is attached to a subnet or gateway and defines how outbound traffic is routed.

Each rule in a table has:

  1. Destination CIDR block: Range of IPs (e.g., 0.0.0.0/0 for all destinations).
  2. Target: The next hop—usually a gateway.

How Routing Works

Intra-VCN Routing

Default routing: Traffic between resources within the same VCN is directly routed; no user rules needed.

Custom routing: To force traffic via an appliance (like a firewall), place resources in separate subnets and add a route rule targeting the appliance’s private IP.

Egress Routing

  1. Internet Access: Attach a route table to a public subnet with a rule: “0.0.0.0/0 via Internet Gateway”
  2. Private Subnet Internet Access: Use “0.0.0.0/0 via NAT Gateway” for outbound-only internet.
  3. On-premises Access: Use “ via DRG” to connect to on-prem or remote networks.

Ingress Routing

  1. Traffic from outside the VCN (internet or other networks) enters via a gateway.
  2. Ingress source: Internet, another VCN, or Oracle service.
  3. The matching gateway (IGW, NATGW, SGW, DRG, LPG) routes the request inside.

Prioritization and Best Practices

Longest Prefix Match (LPM): If multiple routes could apply, the one with the most specific prefix wins (e.g., 10.0.1.0/24 preferred over 10.0.0.0/16).

Default Local Route: Always present, directing traffic within the VCN CIDR—cannot be deleted.

Attach Route Tables Appropriately: Route tables must be attached to the relevant subnet or gateway to be effective.

In practice, if you have:

Public subnet: Needs full internet access (uses IGW).

Private subnet: Needs outbound internet (via NATGW) and access to on-premises DNS (via DRG).

Sample route table for the private subnet:

  1. 0.0.0.0/0 → NAT Gateway
  2. 192.168.10.0/24 (on-premises network) → DRG
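The following is an added example, not code from the wiki or from Oracle. It models the Longest Prefix Match rule and the sample private-subnet route table above, together with the custom intra-VCN routing via an appliance from "How Routing Works", and adds a small defender's check that a private subnet's table never points at an Internet Gateway. The VCN CIDR 10.0.0.0/16, the appliance private IP 10.0.0.10 and the subnet CIDR 10.0.2.0/24 are constructed values for illustration; only CIDR-destination rules are modelled (Service Gateway rules in OCI use a service label as destination rather than a CIDR, and are not covered here).

```python
"""Longest-prefix-match route selection over OCI-style route tables (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class RouteRule:
    destination: str  # destination CIDR block, e.g. "0.0.0.0/0"
    target: str       # next hop: a gateway name or the private IP of an appliance


# Constructed VCN CIDR; the implicit local route for it is always present and
# cannot be deleted, so it is added to every lookup automatically.
VCN_CIDR = "10.0.0.0/16"

# Sample private-subnet table from the page: outbound internet via NAT, on-prem via DRG.
PRIVATE_SUBNET_RULES = [
    RouteRule("0.0.0.0/0", "NAT Gateway"),
    RouteRule("192.168.10.0/24", "DRG"),
]

# Constructed public-subnet table: internet via IGW, plus a custom intra-VCN rule that
# forces traffic for subnet 10.0.2.0/24 through a firewall appliance at 10.0.0.10.
PUBLIC_SUBNET_RULES = [
    RouteRule("0.0.0.0/0", "Internet Gateway"),
    RouteRule("10.0.2.0/24", "10.0.0.10"),
]


def select_route(rules: Iterable[RouteRule], dest_ip: str,
                 vcn_cidr: str = VCN_CIDR) -> Optional[str]:
    """Return the target chosen for dest_ip using Longest Prefix Match.

    Every matching rule is considered, and the one whose prefix length is largest
    (most specific) wins, so a /24 rule beats the /16 local route and the /0 default.
    """
    addr = ipaddress.ip_address(dest_ip)
    candidates = [RouteRule(vcn_cidr, "local")] + list(rules)
    best_net = None
    best_rule = None
    for rule in candidates:
        net = ipaddress.ip_network(rule.destination, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_rule = net, rule
    return best_rule.target if best_rule else None


def audit_private_subnet(rules: Iterable[RouteRule],
                         forbidden_targets=("Internet Gateway",)) -> List[RouteRule]:
    """Return rules that would give a private subnet a path to an Internet Gateway.

    A private subnet's table should only carry NAT Gateway, Service Gateway, DRG or
    local-peering targets; any IGW rule silently exposes the subnet to inbound internet.
    """
    return [r for r in rules if r.target in forbidden_targets]


if __name__ == "__main__":
    for ip in ("192.168.10.5", "8.8.8.8", "10.0.3.7"):
        print(f"private subnet -> {ip}: {select_route(PRIVATE_SUBNET_RULES, ip)}")
    for ip in ("10.0.2.9", "10.0.5.1", "1.1.1.1"):
        print(f"public subnet  -> {ip}: {select_route(PUBLIC_SUBNET_RULES, ip)}")
    print("private subnet IGW rules:", audit_private_subnet(PRIVATE_SUBNET_RULES))
```

Running the file shows on-premises traffic (192.168.10.5) selecting the DRG even though the default route also matches, intra-VCN traffic (10.0.3.7) staying on the local route, and traffic for 10.0.2.9 being diverted to the appliance because its /24 rule is more specific than the /16 local route. The same `audit_private_subnet` check, run over an exported route table, is a quick way to catch an Internet Gateway rule that has crept into a table attached to a private subnet.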

Step-by-Step Setup Guide

  1. Create a VCN and subnets (public and private)
  2. Add an Internet Gateway to your VCN (for internet access)
  3. Add a NAT Gateway if private subnet needs outbound internet
  4. Add a Service Gateway for Oracle service traffic
  5. Add a DRG and connect to your on-premises or remote network
  6. Create route tables and add rules specific to your needs
  7. Attach route tables to the appropriate subnet or gateway
  8. Test connectivity to ensure traffic flows as intended