Tuesday, 9 June 2026

Peering in OCI

Interview-Ready Answer

In OCI, a subnet can be associated with multiple security lists, with a maximum limit of 5 security lists per subnet. All rules from the attached security lists are evaluated together, and traffic is allowed if any applicable rule permits it.

Service Gateway Practical in OCI

How to install oci-cli

Microsoft Windows [Version 10.0.19045.6466]
(c) Microsoft Corporation. All rights reserved.

C:\Users\amit>cd C:\Users\amit\Desktop\Keys

C:\Users\amit\Desktop\Keys>
C:\Users\amit\Desktop\Keys>ssh -i am_openssh.key opc@130.61.175.208
Last login: Sun Jun  7 05:10:55 2026 from 150.129.159.205
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$ sudo dnf install python3-pip -y
Ksplice for Oracle Linux 9 (aarch64)                                                    155 kB/s | 3.5 kB     00:00
Oracle Linux 9 OCI Included Packages (aarch64)                                          127 kB/s | 3.5 kB     00:00
Oracle Linux 9 BaseOS Latest (aarch64)                                                  135 kB/s | 4.3 kB     00:00
Oracle Linux 9 BaseOS Latest (aarch64)                                                   49 MB/s | 146 MB     00:02
Oracle Linux 9 Application Stream Packages (aarch64)                                    211 kB/s | 4.5 kB     00:00
Oracle Linux 9 Application Stream Packages (aarch64)                                     58 MB/s |  48 MB     00:00
Oracle Linux 9 Addons (aarch64)                                                          15 kB/s | 3.5 kB     00:00
Oracle Linux 9 UEK Release 8 (aarch64)                                                  113 kB/s | 3.5 kB     00:00
Oracle Linux 9 UEK Release 8 (aarch64)                                                   59 MB/s |  69 MB     00:01
Dependencies resolved.
========================================================================================================================
 Package                     Architecture           Version                         Repository                     Size
========================================================================================================================
Installing:
 python3-pip                 noarch                 21.3.1-1.el9                    ol9_appstream                 3.0 M

Transaction Summary
========================================================================================================================
Install  1 Package

Total download size: 3.0 M
Installed size: 8.8 M
Downloading Packages:
python3-pip-21.3.1-1.el9.noarch.rpm                                                     8.3 MB/s | 3.0 MB     00:00
------------------------------------------------------------------------------------------------------------------------
Total                                                                                   8.2 MB/s | 3.0 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                1/1
  Installing       : python3-pip-21.3.1-1.el9.noarch                                                                1/1
  Running scriptlet: python3-pip-21.3.1-1.el9.noarch                                                                1/1
  Verifying        : python3-pip-21.3.1-1.el9.noarch                                                                1/1

Installed:
  python3-pip-21.3.1-1.el9.noarch

Complete!
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$ oci --version
-bash: oci: command not found
[opc@private-instance-vm2 ~]$ pip3 install oci-cli
Defaulting to user installation because normal site-packages is not writeable
Collecting oci-cli
  Downloading oci_cli-3.86.0-py3-none-any.whl (27.0 MB)
     |████████████████████████████████| 27.0 MB 21.4 MB/s
Requirement already satisfied: pytz<=2026.2,>=2016.10 in /usr/lib/python3.9/site-packages (from oci-cli) (2021.1)
Collecting oci==2.178.0
  Downloading oci-2.178.0-py3-none-any.whl (35.7 MB)
     |████████████████████████████████| 35.7 MB 152 kB/s
Requirement already satisfied: six<2.0.0,>=1.15.0 in /usr/lib/python3.9/site-packages (from oci-cli) (1.15.0)
Collecting prompt-toolkit<=3.0.43,>=3.0.38
  Downloading prompt_toolkit-3.0.43-py3-none-any.whl (386 kB)
     |████████████████████████████████| 386 kB 29.3 MB/s
Collecting arrow<2.0.0,>=1.0.0
  Downloading arrow-1.4.0-py3-none-any.whl (68 kB)
     |████████████████████████████████| 68 kB 10.2 MB/s
Requirement already satisfied: cryptography<47.0.0,>=3.2.1 in /usr/lib64/python3.9/site-packages (from oci-cli) (36.0.1)
Requirement already satisfied: pyOpenSSL<27.0.0,>=17.5.0 in /usr/lib/python3.9/site-packages (from oci-cli) (19.0.0)
Collecting certifi<2026.0.0,>=2025.1.31
  Downloading certifi-2025.11.12-py3-none-any.whl (159 kB)
     |████████████████████████████████| 159 kB 34.9 MB/s
Requirement already satisfied: PyYAML<=6.0.2,>=5.4 in /usr/lib64/python3.9/site-packages (from oci-cli) (5.4.1)
Collecting jmespath<=1.0.1,>=0.10.0
  Downloading jmespath-1.0.1-py3-none-any.whl (20 kB)
Requirement already satisfied: python-dateutil<3.0.0,>=2.5.3 in /usr/lib/python3.9/site-packages (from oci-cli) (2.9.0.post0)
Collecting terminaltables==3.1.10
  Downloading terminaltables-3.1.10-py2.py3-none-any.whl (15 kB)
Collecting click<=8.1.2
  Downloading click-8.1.2-py3-none-any.whl (96 kB)
     |████████████████████████████████| 96 kB 11.2 MB/s
Collecting urllib3==1.26.20
  Downloading urllib3-1.26.20-py2.py3-none-any.whl (144 kB)
     |████████████████████████████████| 144 kB 40.8 MB/s
Collecting crc32c==2.7.1
  Downloading crc32c-2.7.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (53 kB)
     |████████████████████████████████| 53 kB 4.9 MB/s
Requirement already satisfied: circuitbreaker<3.0.0,>=1.3.1 in /usr/lib/python3.9/site-packages (from oci==2.178.0->oci-cli) (1.3.2)
Collecting tzdata
  Downloading tzdata-2026.2-py2.py3-none-any.whl (349 kB)
     |████████████████████████████████| 349 kB 29.8 MB/s
Requirement already satisfied: cffi>=1.12 in /usr/lib64/python3.9/site-packages (from cryptography<47.0.0,>=3.2.1->oci-cli) (1.14.5)
Collecting wcwidth
  Downloading wcwidth-0.8.1-py3-none-any.whl (323 kB)
     |████████████████████████████████| 323 kB 30.2 MB/s
Requirement already satisfied: pycparser in /usr/lib/python3.9/site-packages (from cffi>=1.12->cryptography<47.0.0,>=3.2.1->oci-cli) (2.20)
Requirement already satisfied: ply==3.11 in /usr/lib/python3.9/site-packages (from pycparser->cffi>=1.12->cryptography<47.0.0,>=3.2.1->oci-cli) (3.11)
Installing collected packages: wcwidth, urllib3, tzdata, crc32c, certifi, terminaltables, prompt-toolkit, oci, jmespath, click, arrow, oci-cli

Successfully installed arrow-1.4.0 certifi-2025.11.12 click-8.1.2 crc32c-2.7.1 jmespath-1.0.1 oci-2.178.0 oci-cli-3.86.0 prompt-toolkit-3.0.43 terminaltables-3.1.10 tzdata-2026.2 urllib3-1.26.20 wcwidth-0.8.1
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$ oci --version
3.86.0
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$

Change the NAT gateway to Service Gateway

Edit as per the screenshot below.

Current Environment

VCN: AM_VCN2 (192.168.0.0/16)
Public VM: Public_Instance_VM2
  Public IP: 130.61.175.208
  Private IP: 192.168.10.57
Private VM: Private_Instance_VM2
  Private IP: 192.168.20.80
Service Gateway: Service_Gateway_2
Route Table: Private_Route_Service_Gateway
  Destination: All FRA Services In Oracle Services Network



Step 1: Start Both VMs

OCI Console > Compute > Instances

Start:

Public_Instance_VM2
Private_Instance_VM2

Wait until:

State = Running



Step 2: SSH to Public VM

From your laptop:

ssh -i private_key opc@130.61.175.208

Verify:

hostname

You are now inside:

Public_Instance_VM2
192.168.10.57




Step 3: SSH to Private VM

From Public VM:

ssh opc@192.168.20.80

Verify:

hostname
ip addr

Now you are inside:

Private_Instance_VM2
192.168.20.80



Step 4: Verify Private VM Has No Public IP

Run:

ip addr

You'll see:

192.168.20.80

Only private IP.

No public IP.

Meaning:

Internet cannot directly reach this VM.



Step 5: Verify NAT Gateway Works

Run:

curl ifconfig.me

Expected:

158.180.xx.xx

(or your NAT public IP)

Traffic flow:

Private VM
192.168.20.80
|
NAT2
158.180.27.14
|
Internet

This proves the NAT Gateway is working.





Step 6: Understand What We Want To Test

We want:

Private VM
|
Service Gateway
|
Object Storage

instead of:

Private VM
|
NAT Gateway
|
Internet
|
Object Storage



Step 7: Install OCI CLI

On Private VM:

sudo dnf install python3-pip -y
pip3 install oci-cli

Verify:

oci --version



Step 8: Create Object Storage Bucket

OCI Console > Storage > Object Storage > Buckets

Create bucket:

Name:
amit-test-bucket



Step 9: Create Test File

On Private VM:

echo "Hello Service Gateway" > test.txt

Verify:

ls -ltr



Step 10: Check Route Table

Verify:

Private_Subnet_2

is attached to:

Private_Route_Service_Gateway

Inside route table:

Destination:
All FRA Services In Oracle Services Network

Target:
Service_Gateway_2

This is the critical step.




Step 11: Upload File to Object Storage

Using OCI CLI:

oci os object put \
--bucket-name amit-test-bucket \
--file test.txt




What Happens Internally?

When you execute:

oci os object put

The VM asks:

Where is Object Storage?

Route Table checks:

Destination?

Answer:

Object Storage

Route table finds:

All FRA Services In Oracle Services Network

Therefore:

Send traffic to Service_Gateway_2

Traffic path becomes:

Private VM
192.168.20.80
|
Private_Subnet_2
|
Private_Route_Service_Gateway
|
Service_Gateway_2
|
Oracle Backbone Network
|
Object Storage

No Internet involved.

No NAT involved.

No IGW involved.




Step 12: Visualize Packet Journey

Imagine one packet leaves:

192.168.20.80

Packet asks:

Where should I go?

Route Table replies:

Destination is OCI Service

Packet goes:

Service_Gateway_2

instead of:

NAT2


Step 13: Prove Route Table Is Controlling Everything

Temporarily detach:

Private_Route_Service_Gateway

from:

Private_Subnet_2

Attach another route table without Service Gateway rule.

Now try:

oci os object put ...

Expected:

Failed

because the VM no longer has a route to OCI services.

Reattach:

Private_Route_Service_Gateway

Retry:

oci os object put ...

Works again.

This proves:

Service Gateway itself is not enough.
Route Table directs the traffic.



The Exact Decision OCI Makes

When packet leaves 192.168.20.80:

Destination = Google

google.com

Match:

0.0.0.0/0

Route:

NAT2




Destination = Object Storage

objectstorage.eu-frankfurt-1.oraclecloud.com

Match:

All FRA Services In Oracle Services Network

Route:

Service_Gateway_2



One-Line Practical Understanding

In your environment:

Private_Instance_VM2
|
|--- Google ------> NAT2
|
|--- OCI Object Storage ---> Service_Gateway_2

The route table acts like a traffic police officer, deciding whether traffic should go to the NAT Gateway or the Service Gateway based on the destination.
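The routing decision described above and the Step 13 experiment, modelled as an added Python example (not from the original post): it parses route-table JSON in the shape `oci network route-table get --output json` returns (a constructed sample with placeholder OCIDs), picks the gateway per destination, and audits the table for the Step 10 rule. One assumption to state plainly: when the service gateway rule is absent but a 0.0.0.0/0 route to NAT2 remains, the model sends Object Storage traffic via NAT instead of failing, so the Step 13 failure only appears when the replacement route table has no default route either.

```python
import ipaddress
import json

# Constructed sample in the shape of `oci network route-table get --output json`.
# Field names follow the OCI CLI; the OCIDs are placeholders, not real resource ids.
ROUTE_TABLE_JSON = """{"data": {"display-name": "Private_Route_Service_Gateway",
 "route-rules": [
  {"destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK",
   "network-entity-id": "ocid1.natgateway.oc1.eu-frankfurt-1.PLACEHOLDER-NAT2"},
  {"destination": "all-fra-services-in-oracle-services-network",
   "destination-type": "SERVICE_CIDR_BLOCK",
   "network-entity-id": "ocid1.servicegateway.oc1.eu-frankfurt-1.PLACEHOLDER-SGW2"}]}}"""

def load_rules(raw):
    return json.loads(raw)["data"]["route-rules"]

def gateway_kind(ocid):
    # The second dotted field of an OCID names the resource type (natgateway, servicegateway, ...).
    return ocid.split(".")[1]

def select_route(rules, ip, is_oci_service=False):
    """Model the per-packet choice the route table makes for the private subnet.
    Traffic to an OCI service endpoint is matched against SERVICE_CIDR_BLOCK rules
    first; everything else, and service traffic when no such rule exists, falls
    through to longest-prefix match over the CIDR_BLOCK rules."""
    if is_oci_service:
        for r in rules:
            if r["destination-type"] == "SERVICE_CIDR_BLOCK":
                return r
    addr = ipaddress.ip_address(ip)
    best = None
    for r in rules:
        if r["destination-type"] != "CIDR_BLOCK":
            continue
        net = ipaddress.ip_network(r["destination"])
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    return None if best is None else best[1]

def route_target(rules, ip, is_oci_service=False):
    rule = select_route(rules, ip, is_oci_service)
    return "NO_ROUTE" if rule is None else gateway_kind(rule["network-entity-id"])

def audit(rules):
    """Step 10 check: is a service-gateway rule present, and is there also a default
    route that would silently carry service traffic out via NAT if it were missing?"""
    return {"service_gateway_rule": any(r["destination-type"] == "SERVICE_CIDR_BLOCK" and
                                        gateway_kind(r["network-entity-id"]) == "servicegateway"
                                        for r in rules),
            "default_route": any(r["destination"] == "0.0.0.0/0" for r in rules)}
```

To run it against the real table, feed `load_rules` the output of `oci network route-table get --rt-id <route table OCID> --output json`; the public address 203.0.113.10 used in the checks is a documentation-range placeholder standing in for any internet host.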
