When I started learning networking in Oracle Cloud Infrastructure, one thing became obvious very quickly: If IAM controls who can access resources, networking controls how everything communicates.
In this article, I’m breaking down Virtual Cloud Networks (VCNs) properly. Not just definitions, but how they actually work underneath.
🧠 Part 1: CIDR Blocks and IP Notation (The Foundation)
Before we touch VCNs, we need to understand CIDR.
What is CIDR?
CIDR stands for Classless Inter-Domain Routing.
Format: A.B.C.D/x
Example: 10.0.0.0/16
/x = number of leading bits that form the network portion
Remaining (32 - x) bits = host portion
An IPv4 address has:
- 4 octets
- 8 bits each
- 32 bits total
The Rule of Size
The smaller the prefix length (x), the larger the network.
Formula to calculate total IP addresses:
2^(32 - x)
Example:
For 10.0.0.0/16
2^(32 - 16) = 2^16 = 65,536 IP addresses
Binary Conversion
Each octet is built from powers of 2 (bit weights, most significant bit first):
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| --- | -- | -- | -- | - | - | - | - |
Example:
192.168.0.2 in binary:
11000000.10101000.00000000.00000010
You don’t need to convert manually every day, but understanding this makes subnetting much easier.
🏗️ Part 2: What is a VCN?
A Virtual Cloud Network (VCN) in OCI is:
- Software-defined
- Private
- Regional
- Highly available
It lives inside a single OCI region but can span multiple Availability Domains. Think of it as your own private data center network inside Oracle Cloud.
CIDR Limits
- Prefix must be between /16 and /30
- A VCN can have up to 16 IPv4 and IPv6 CIDR blocks
Reserved IPs in Every Subnet
Oracle reserves 3 IP addresses:
- First IP → Network address
- Second IP → Default gateway
- Last IP → Broadcast address
You can’t assign these to instances.
🧱 Part 3: Subnets
A VCN is divided into subnets.
Each subnet:
- Is a contiguous range of IPs
- Cannot overlap with other subnets in the same VCN
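The CIDR arithmetic from Part 1 (2^(32 - x), binary form), the VCN prefix limit and the three reserved addresses from Part 2, and the subnet non-overlap rule above, pulled together into one small planner. This is an added example, not code from the article; the VCN and subnet CIDRs are constructed sample values.

```python
import ipaddress
from typing import List

# Constructed sample plan; not taken from the article or from any real tenancy.
VCN_CIDR = "10.0.0.0/16"
SUBNET_CIDRS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/23"]


def address_count(cidr: str) -> int:
    """Total IPv4 addresses in a block: 2^(32 - prefix length)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return 2 ** (32 - net.prefixlen)


def to_binary(ip: str) -> str:
    """Dotted-binary form of an IPv4 address, eight bits per octet."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(ip).packed)


def reserved_addresses(cidr: str) -> List[str]:
    """The three addresses OCI reserves in every subnet: first, second and last."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(net[0]), str(net[1]), str(net[-1])]


def usable_hosts(cidr: str) -> int:
    """Addresses actually assignable to instances in the subnet."""
    return address_count(cidr) - len(reserved_addresses(cidr))


def validate_vcn_plan(vcn_cidr: str, subnet_cidrs: List[str]) -> List[str]:
    """Return a list of plan violations; an empty list means the plan is valid."""
    problems = []
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    if not 16 <= vcn.prefixlen <= 30:
        problems.append(f"VCN prefix /{vcn.prefixlen} is outside the allowed /16-/30 range")
    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vcn):
            problems.append(f"{s} is not inside the VCN CIDR {vcn}")
    # Subnets inside one VCN must not overlap each other.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems
```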
Subnet Scope
- AD-specific: exists in one Availability Domain
- Regional (recommended): spans all ADs for high availability
Public vs Private Subnets
| Feature | Public | Private |
| ----------------- | -------------- | ------------------- |
| Public IP | Yes | No |
| Internet Access | Direct | Via NAT |
| Use Case | Web servers | Databases, backend |
Important: You cannot change a subnet from public to private later.
🛣️ Part 4: Route Tables
Route Tables control where traffic goes.
Every subnet must be associated with exactly one Route Table.
A Route Table rule contains:
- Destination CIDR
- Target (next hop)
Example:
| Destination CIDR | Route Target |
| ------------------- | ------------------------------- |
| 0.0.0.0/0 | Internet Gateway |
| 192.168.0.0/16 | Dynamic Routing Gateway (DRG) |
Longest Prefix Match (LPM)
If multiple routes match a destination, the most specific one wins.
Example:
For a packet destined to 192.168.20.19, if the table has 192.168.0.0/16 and 192.168.20.16/28, the /28 route is chosen because it is more specific (longer prefix).
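The lookup described above, written out as an added example (not code from the article): the route table mirrors the one shown, plus the 192.168.20.16/28 route from the LPM example, whose target the article does not name and is therefore a labelled placeholder here.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed route table based on the article's example; the /28 target is a
# placeholder because the article does not specify one.
ROUTE_TABLE = [
    ("0.0.0.0/0", "Internet Gateway"),
    ("192.168.0.0/16", "Dynamic Routing Gateway (DRG)"),
    ("192.168.20.16/28", "PLACEHOLDER-TARGET"),
]


def lookup_route(destination: str,
                 table: List[Tuple[str, str]] = ROUTE_TABLE) -> Optional[Tuple[str, str]]:
    """Longest Prefix Match: among the rules whose CIDR contains the destination,
    return (cidr, target) with the longest prefix; None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr, strict=True)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def exposes_internet(table: List[Tuple[str, str]] = ROUTE_TABLE) -> bool:
    """Review check: a default route (/0) to an Internet Gateway means every subnet
    using this table is internet-facing as far as routing is concerned, so the
    security rules on that subnet carry the whole exposure decision."""
    return any(ipaddress.ip_network(c).prefixlen == 0 and "Internet Gateway" in t
               for c, t in table)
```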
🌍 Gateways Explained
Internet Gateway (IGW)
Provides bi-directional internet access.
Requirements:
- Public subnet
- Public IP
- Security rules allowing traffic
Only one IGW per VCN.
NAT Gateway
Allows private subnet instances to access the internet without a public IP.
Characteristics:
- Outbound only
- Internet cannot initiate a connection
- Supports TCP, UDP, ICMP
- Up to 20,000 concurrent connections
Service Gateway
Allows private access to Oracle services over Oracle’s internal backbone.
Instead of hardcoding IP ranges, OCI uses Service CIDR Labels like:
- All region services
- Object Storage specific label
This removes manual maintenance when Oracle expands IP ranges.
Dynamic Routing Gateway (DRG)
Used to connect:
- On-prem data centers
- Other VCNs in different regions
- Cross-region networks
This is how hybrid cloud connectivity is built securely.
🔐 Part 5: Security Layers
OCI networking uses layered security.
Security Lists (SL)
- Applied at the subnet level
- Apply to all instances in the subnet
Network Security Groups (NSG)
- Applied at VNIC level
- Granular, resource-specific control
- Can reference other NSGs
Stateful vs Stateless
Stateful (Default):
- Tracks connections
- Response traffic is automatically allowed
Stateless:
- No connection tracking
- Requires manual response rules
- Useful for high-volume traffic
The Union Rule
If both SLs and NSGs are used, traffic is allowed if any rule in the subnet’s Security List or in any attached NSG permits it.
This is OR logic, not AND.
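The union rule modelled as an added example (not code from the article, and not the OCI SDK objects). The practical consequence it demonstrates: because the logic is OR, an NSG cannot narrow what the subnet’s Security List already permits, so a broad SL rule silently shadows a tighter NSG rule. All rules and addresses below are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IngressRule:
    """Simplified stateful ingress rule (constructed model, not an OCI SDK type)."""
    source_cidr: str
    protocol: str                    # "tcp", "udp", "icmp" or "all"
    port_min: Optional[int] = None   # None = any port (or a portless protocol)
    port_max: Optional[int] = None

    def matches(self, src_ip: str, protocol: str, port: Optional[int]) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source_cidr):
            return False
        if self.port_min is None:
            return True
        return port is not None and self.port_min <= port <= self.port_max


def ingress_allowed(security_list: List[IngressRule], nsg_rules: List[IngressRule],
                    src_ip: str, protocol: str, port: Optional[int]) -> bool:
    """Union rule: allowed if ANY rule in the subnet SL OR any attached NSG matches."""
    return any(r.matches(src_ip, protocol, port) for r in security_list + nsg_rules)


def sl_rules_shadowing_nsg(security_list: List[IngressRule],
                           nsg_rules: List[IngressRule]) -> List[IngressRule]:
    """SL rules whose protocol, source range and port range cover an NSG rule's,
    i.e. the SL entries that make the NSG's tighter scoping ineffective."""
    shadowing = []
    for sl in security_list:
        for nsg in nsg_rules:
            same_proto = sl.protocol in ("all", nsg.protocol)
            source_covers = ipaddress.ip_network(nsg.source_cidr).subnet_of(
                ipaddress.ip_network(sl.source_cidr))
            ports_cover = sl.port_min is None or (
                nsg.port_min is not None
                and sl.port_min <= nsg.port_min and nsg.port_max <= sl.port_max)
            if same_proto and source_covers and ports_cover and sl not in shadowing:
                shadowing.append(sl)
    return shadowing


# Constructed sample: a broad SSH rule left in the subnet SL next to an NSG that
# was meant to restrict SSH to sources inside the VCN.
SECURITY_LIST = [IngressRule("0.0.0.0/0", "tcp", 22, 22), IngressRule("10.0.0.0/16", "icmp")]
NSG_RULES = [IngressRule("10.0.0.0/16", "tcp", 22, 22), IngressRule("10.0.1.0/24", "tcp", 443, 443)]
```

Running `sl_rules_shadowing_nsg(SECURITY_LIST, NSG_RULES)` over the sample returns the SL’s 0.0.0.0/0 SSH rule: the NSG’s VCN-only SSH rule adds nothing until that SL entry is removed.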
🏘️ Simple Analogy
- VCN → Entire housing estate
- Subnet → A block inside the estate
- Route Table → GPS directing traffic
- Internet Gateway → Exit gate
- Security List → Guard at block entrance
- NSG → Guard at a specific house
🧠 Final Thoughts
If IAM is about identity, VCN is about connectivity.
Understanding CIDR, route tables, gateways (IGW, NAT, Service Gateway, DRG), and layered security is what separates “cloud user” from “cloud engineer”.
🔔 What’s Coming Next
In the next part of this OCI series, I’ll break down IP Management in OCI:
- Private vs Public IP
- Ephemeral vs Reserved
- BYOIP
- Public IP Pools
Because networking doesn’t stop at connectivity, it continues with smart IP design. And that’s where real architecture begins.
Stay tuned.