
Oracle Cloud Networking And Security Exposed


Page 1: Oracle Cloud Networking And Security Exposed

Oracle Network Cloud Service Foundations & Offering

Giuseppe Russo, Chief Technologist, Systems LoB
Claudio Paolucci, Principal Sales Consultant, Systems LoB

BrainTalks, Oracle Italy Systems Presales LinkedIn Group PRESENTS:

Page 2: Oracle Cloud Networking And Security Exposed


Agenda

• Why Networking matters in Cloud Computing?

• The Internet Layer revised

• Multi Protocol Label Switching

• Protecting Data in Transit - What is VPN?

• FastConnect - Overview

Page 3: Oracle Cloud Networking And Security Exposed

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Why Networking matters in Cloud Computing?

Page 4: Oracle Cloud Networking And Security Exposed


Why Networking matters in Cloud Computing?

• The National Institute of Standards and Technology (NIST) defines the essential characteristics of cloud computing:

– Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (for example, mobile phones, laptops, and personal digital assistants [PDAs]) and other traditional or cloud-based software services.

– Rapid elasticity

– Measured service

– On-demand self-service

– Resource pooling

Oracle Confidential – Internal 4

Page 5: Oracle Cloud Networking And Security Exposed


A typical cloud service context

• Workstations within an enterprise LAN or set of LANs

• Connected by a router through a network or the Internet to the cloud service provider (CSP)

• The CSP maintains a massive collection of servers, which it manages with a variety of network management, redundancy, and security tools


Page 6: Oracle Cloud Networking And Security Exposed


Cloud network model developed by ITU-T

• The CSP maintains one or more local or regional cloud infrastructures

• An intracloud network connects the elements of the infrastructure, including database servers, storage arrays, and other servers (FW, LB, IDS/IPS)

• Within the infrastructure, database servers are organized as a cluster of virtual machines, providing virtualized, isolated computing environments for different users

• A core transport network is used by customers to access and consume cloud services deployed within the CSP data center


ITU-T. Focus Group on Cloud Computing Technical Report Part 3

Page 7: Oracle Cloud Networking And Security Exposed


Complete Infrastructure for Enterprise Workloads

Oracle Cloud Infrastructure (figure): Compute – Elastic Compute; Network – Software-Defined; Storage – Elastic Storage

Page 8: Oracle Cloud Networking And Security Exposed


Oracle Network Cloud Services (figure): Oracle Network Cloud FastConnect PE over MPLS/ECX, Oracle Network Cloud FastConnect SE over dedicated routers, and VPN, each connecting an Enterprise Data Center and a Branch Office to Oracle Cloud

Confidential – Oracle Internal

Page 9: Oracle Cloud Networking And Security Exposed


Problem Statement

• Public internet is shared, unpredictable and insecure.

• Applications that need to transfer large volumes of data require higher WAN bandwidth.

• Some applications are sensitive to network latency.

• Sensitive data traversing the public internet is a huge security risk.

• Enterprises would like to have access to a dedicated compute zone as a part of their own network.

CIO's Concerns: Security and Privacy; Speed of IT Delivery and Time to Market

Page 10: Oracle Cloud Networking And Security Exposed


Solution

Oracle Public Cloud services (figure): Compute, Storage, Backup, Database, Java, Big Data

• FastConnect: a deterministic route to Oracle Public Cloud with predictable performance over a 1G or 10G link

• VPN: encrypted data transfer between your datacenter and Oracle Public Cloud while extending your private network

Page 11: Oracle Cloud Networking And Security Exposed


Routing: The primary function of the Internet is to accept packets from a source station and deliver them to a destination station

• a path or route through the network must be determined

• more than one route is possible

• the selection of a route is based on some performance criterion:

– the minimum-hop route

– associated line costs

– others

Page 12: Oracle Cloud Networking And Security Exposed


Routing: Packet Forwarding – determining the right path (figure)

Page 13: Oracle Cloud Networking And Security Exposed


Routing: Packet Forwarding – determining the right path

• Each router makes routing decisions based on its knowledge of the topology and the traffic/delay conditions of the internet

• the router must avoid:

– portions of the network that have failed

– portions of the network that are congested

• To make such dynamic routing decisions, routers exchange routing information using routing protocols

Page 14: Oracle Cloud Networking And Security Exposed


The Internet Layer revised

Page 15: Oracle Cloud Networking And Security Exposed


Network Layered Design (figure of the layered network stack; includes InfiniBand)

Page 16: Oracle Cloud Networking And Security Exposed


Network Layer Design Issue

• Connection Oriented or Connectionless

• Reliable or Unreliable

             Connection Oriented   Connectionless
Reliable     ATM                   -
Unreliable   -                     IP

• Connection oriented: virtual circuit (telephone systems)

• Connectionless: datagrams (like telegrams)

• The idea behind virtual circuits is to avoid having to choose a new route for every packet sent.

• In datagram networks successive packets may follow different routes.

Page 17: Oracle Cloud Networking And Security Exposed


Network Layer Design Issue

Issue | Datagram Net | VC net
Circuit Setup | Not needed | Required
Addressing | Each packet contains the full source and destination address | Each packet contains a short VC number
State Information | Net does not hold state information | Each VC requires net table space
Routing | Each packet is routed independently | Route chosen when the VC is set up; all packets follow this route
Effect of Router Failure | None, except for packets lost during the crash | All VCs that passed through the failed router are terminated
Congestion Control | Difficult | Easy if enough buffers can be allocated in advance for each VC

• For transaction processing systems the use of VCs makes little sense.

• On lines connecting DCs, VCs that are set up manually and last for months or years may be useful.

Examples of each combination (figure, L4 / L3):

                      datagrams   virtual circuits
connectionless        UDP / IP    UDP / IP over ATM
connection oriented   TCP / IP    ATM AAL1 / ATM

Page 18: Oracle Cloud Networking And Security Exposed


IP Protocol | IP Address

Special IP addresses (figure)

Net Type   # Net    # Host
A          126      16M
B          16382    64K
C          2M       254

• The IP header has a 20-byte fixed part and a variable length part

• It is transmitted in big-endian (network byte) order, the native order of SPARC; on x86 CPUs a byte-order translation is required.

Page 19: Oracle Cloud Networking And Security Exposed


IP Protocol | IP Subnet & CIDR

• Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and routing Internet Protocol packets.

• The IETF introduced CIDR in 1993 to replace the previous addressing architecture of classful network design in the Internet.

• CIDR's main goal was to slow the rapid exhaustion of IPv4 addresses.

• 192.168.100.14/24 represents the IPv4 address 192.168.100.14 and its associated routing prefix 192.168.100.0, or equivalently, its subnet mask 255.255.255.0, which has 24 leading 1-bits. The old notation is 192.168.100.0/255.255.255.0

Consider 192.168.100.0/22 → 11000000.10101000.01100100.00000000

First address 11000000.10101000.01100100.00000000 → 192.168.100.0

Last address 11000000.10101000.01100111.11111111 → 192.168.103.255

• a.b.c.d/30 is the glue network of a point-to-point link, and a.b.c.d/31 is a point-to-point link without the two reserved addresses (RFC 3021).
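As an added example (not from the Oracle deck), the prefix arithmetic the slide walks through, done by hand on the 32-bit integer form so that the leading-1-bits mask and the /22 first and last addresses fall out of the bit operations; `parse_cidr` and `is_point_to_point` are hypothetical helper names.

```python
# Added example (not from the deck): CIDR prefix arithmetic by hand, reproducing
# the slide's 192.168.100.0/22 walk-through and the /30 vs /31 link case (RFC 3021).

def ip_to_int(dotted: str) -> int:
    """Dotted-quad IPv4 text -> 32-bit integer, validating each octet."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def int_to_bits(value: int) -> str:
    """Dotted binary as the slide prints it: 11000000.10101000.01100100.00000000"""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def parse_cidr(cidr: str) -> dict:
    """Network, mask, first/last address and usable host count of a prefix."""
    addr_text, _, plen_text = cidr.partition("/")
    plen = int(plen_text)
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF   # plen leading 1-bits
    addr = ip_to_int(addr_text)
    network = addr & mask                             # host bits cleared
    last = network | (~mask & 0xFFFFFFFF)             # host bits all set
    size = 1 << (32 - plen)
    # /31 (RFC 3021) and /32 reserve no network/broadcast address; others lose two.
    usable = size if plen >= 31 else size - 2
    return {
        "prefix_len": plen,
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "first": int_to_ip(network),
        "last": int_to_ip(last),
        "first_bits": int_to_bits(network),
        "last_bits": int_to_bits(last),
        "usable_hosts": usable,
    }


def is_point_to_point(cidr: str) -> bool:
    """The slide's glue network (/30) or RFC 3021 (/31) link prefix."""
    return parse_cidr(cidr)["prefix_len"] in (30, 31)


if __name__ == "__main__":
    info = parse_cidr("192.168.100.14/24")
    print(info["network"], info["mask"])             # 192.168.100.0 255.255.255.0
    info = parse_cidr("192.168.100.0/22")
    print(info["first_bits"], "->", info["first"])   # ... -> 192.168.100.0
    print(info["last_bits"], "->", info["last"])     # ... -> 192.168.103.255
```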

Page 20: Oracle Cloud Networking And Security Exposed


IP Protocol | IPv6

• IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion.

• IPv6 is intended to replace IPv4.

– IPv4: a.b.c.d, 4 × 8 bit = 32 bit, 2^32 addresses = 4.3 × 10^9 (e.g. www.facebook.com IPv4 31.13.90.36)

– IPv6: a.b.c.d.e.f.g.h, 8 × 16 bit = 128 bit, 2^128 addresses = 3.4 × 10^38 (e.g. www.facebook.com IPv6 2a03:2880:f01a:1e:face:b00c:0:25de)

– 19 × 10^9 IP/cm³ (figure label)

• As of 2014, IPv4 still carried more than 99% of worldwide Internet traffic.

• The Internet exchange in Amsterdam is the only large exchange that publicly shows IPv6 traffic statistics, which as of November 2016 are tracking at about 1.6%, growing at about 0.3% per year.

• As of 22 April 2015, deployment of IPv6 on web servers also varied widely, with over half of web pages available via IPv6 in many regions.

Page 21: Oracle Cloud Networking And Security Exposed


TCP/IP | Stacking Headers

Page 22: Oracle Cloud Networking And Security Exposed


Routing Algorithm

• Non-adaptive algorithm

– Routing decisions are not based on measurements or estimates of traffic or topology (aka static routing).

• Adaptive algorithm

– Routing decisions change to reflect changes in traffic and topology.

• virtual circuits: the routing decision is made when the VC is being set up

• datagrams: the routing decision is made for every arriving data packet

Optimality Principle

If router J is on the optimal path from I to K, then the optimal path from J to K falls along the same route.

(Figure: routers I, J and K with routes r1 and r2; the sink tree for router A – no loops)

The goal of all routing algorithms is to discover and use the sink tree for all routers.

Page 23: Oracle Cloud Networking And Security Exposed


Shortest Path Routing | Static

• Labeling for distance, queueing time and latency

• Dijkstra (1959)

Page 24: Oracle Cloud Networking And Security Exposed


Distance Vector Routing | Dynamic

• Bellman-Ford or Ford-Fulkerson

• Used in the ARPANET and the Internet under the name RIP (Routing Information Protocol)

• In the vector we can have hop count, queue length, delay (measured with ECHO packets)

PING (Packet INternet Groper): ICMP (Internet Control Message Protocol) ECHO request / ECHO reply

Page 25: Oracle Cloud Networking And Security Exposed


Hierarchical Routing

• As networks grow in size, router routing tables grow proportionally

• Routers are divided into regions

• Routers know the details of their own region

• Routers know nothing about other regions

• regions → clusters → zones → groups

(Figure: five regions with routers 1A, 1B, 1C; 2A, 2B, 2C, 2D; 3A, 3B; 4A, 4B, 4C; 5A, 5B, 5C, 5D, 5E)

Full table for 1A:

Dest.  Line  Hops
1A     -     -
1B     1B    1
1C     1C    1
2A     1B    2
2B     1B    3
2C     1B    3
2D     1B    4
3A     1C    3
3B     1C    2
4A     1C    3
4B     1C    4
4C     1C    4
5A     1C    4
5B     1C    5
5C     1B    5
5D     1C    6
5E     1C    5

Hierarchical table for 1A:

Dest.  Line  Hops
1A     -     -
1B     1B    1
1C     1C    1
2      1B    2
3      1C    2
4      1C    3
5      1C    4
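The aggregation from the full table to the hierarchical table, as an added example that is not part of the deck: it rebuilds 1A's hierarchical table from the full table above and lists the destination (5C) that no longer travels its shortest path, which is the price of hierarchical routing. The region-of-a-router rule and the function names are assumptions.

```python
# Added example (not from the deck): derive router 1A's hierarchical table from
# its full table and show which destination pays for the aggregation.
# Assumption: the region is the router name minus its last character (1A -> 1).

FULL_TABLE_1A = {
    # dest: (line, hops), transcribed from the slide's "Full table for 1A"
    "1B": ("1B", 1), "1C": ("1C", 1),
    "2A": ("1B", 2), "2B": ("1B", 3), "2C": ("1B", 3), "2D": ("1B", 4),
    "3A": ("1C", 3), "3B": ("1C", 2),
    "4A": ("1C", 3), "4B": ("1C", 4), "4C": ("1C", 4),
    "5A": ("1C", 4), "5B": ("1C", 5), "5C": ("1B", 5), "5D": ("1C", 6), "5E": ("1C", 5),
}


def region_of(router: str) -> str:
    """'2D' -> '2' (assumes the slide's one-letter suffix naming)."""
    return router[:-1]


def hierarchical_table(full: dict, me: str) -> dict:
    """Keep one entry per router of our own region; collapse every other
    region into a single entry taken from the nearest router of that region."""
    my_region = region_of(me)
    table = {}
    for dest, (line, hops) in full.items():
        region = region_of(dest)
        if region == my_region:
            table[dest] = (line, hops)
            continue
        if region not in table or hops < table[region][1]:
            table[region] = (line, hops)
    return table


def detour_destinations(full: dict, hier: dict, me: str) -> list:
    """Routers the full table reaches over one line but whose region entry
    points to another line: their packets no longer take the shortest path."""
    my_region = region_of(me)
    out = []
    for dest, (line, _) in full.items():
        region = region_of(dest)
        if region != my_region and hier[region][0] != line:
            out.append(dest)
    return sorted(out)


if __name__ == "__main__":
    hier = hierarchical_table(FULL_TABLE_1A, "1A")
    for dest, (line, hops) in hier.items():
        print(f"{dest:<5}{line:<5}{hops}")
    print("entries:", len(FULL_TABLE_1A), "->", len(hier))      # 16 -> 6
    print("off the shortest path:", detour_destinations(FULL_TABLE_1A, hier, "1A"))  # ['5C']
```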

Page 26: Oracle Cloud Networking And Security Exposed


The Network Layer in Internet | AS

• An Autonomous System (AS) is a network or a group of networks under a single administrative domain.

• Each AS has a unique routing policy for its networks.

• Everything inside the AS is internal.

• Thus the AS helps to draw a line between external routing and internal routing.

• An ASN is a unique 32-bit number allocated by IANA (Internet Assigned Numbers Authority) in blocks to the RIRs (the five Regional Internet Registries)

• ASNs for private use are 64512-65534

• Routing inside the AS is done by the interior routing protocols and…

• …an exterior routing protocol is responsible for routing between these ASs.

Page 27: Oracle Cloud Networking And Security Exposed


The Network Layer in Internet | ASs

• Interior Gateway Routing Protocols (used inside the ASs), e.g. OSPF, RIP, EIGRP (Enhanced Interior Gateway Routing Protocol, by Cisco), etc.

• Exterior Gateway Routing Protocols (used between ASs): BGP (Border Gateway Protocol)

Page 28: Oracle Cloud Networking And Security Exposed


The Network Layer in Internet | Backbones

• The Internet Backbone is simply the collection of the physical infrastructure (layer 1 to 3) that connects one large network (i.e. an autonomous system) with another large network.

• The majority of these networks are ISPs and NSPs (Network Service Providers), and a few might be other giant companies.

• The internet backbone is decentralized, distributed and managed by no single organization or entity.

• There are different ways to connect networks: transit, peering, IXPs (Internet Exchange Points).

(Figure: a small ISP buys "transit service" from a big ISP acting as upstream provider; ISP A and ISP B connected by private peering; ISP A and ISP B peering via an IXP, e.g. TIX, MIX)

Page 29: Oracle Cloud Networking And Security Exposed


The Network Layer in Internet | Global Traffic Flow

Page 30: Oracle Cloud Networking And Security Exposed


Interior Gateway Routing Protocol | OSPF

• Originally the Internet used a distance vector protocol (RIP)

• In 1978 it was replaced by a link state protocol

• In 1988 the IETF began work on a successor

• It became a standard in 1990: OSPF (Open Shortest Path First) – RFC1247

• OSPF:

• is open

• supports a variety of metrics (distance, delay, etc.)

• is dynamic

• supports ToS (e.g. IP ToS for real time traffic)

• supports load balancing

• supports hierarchical systems

• has security

(Figure: an AS (ASi) running OSPF in Area1, Area2 and Area3 around a backbone, with area border routers, backbone routers and internal routers; BGP at the AS edge)

Page 31: Oracle Cloud Networking And Security Exposed


Exterior Gateway Routing Protocol | BGP

• Exterior gateway protocols have to worry about politics. For example:

• No transit through certain ASs

• Never put Iraq on a route starting at the Pentagon

• Traffic starting at Oracle should not transit Microsoft

• etc.

• Policies are manually configured into each BGP router.

• From the BGP point of view, networks are grouped in:

• stub networks (1 connection to the BGP graph)

• multiconnected networks (could be used for transit traffic, if accepted)

• transit networks (backbones, handle third-party packets)

(Figure: AS 1, AS 2, AS 3)

Page 32: Oracle Cloud Networking And Security Exposed


Exterior Gateway Routing Protocol | BGP

• BGP is a distance vector protocol with cost = accepted path (each router keeps the whole path, not just a cost)

• In the figure, the router discards the routes via E and I

• and chooses between B and G based on scoring

• any route violating a policy has a score of infinity

• the scoring function is not part of the BGP protocol

• BGP is described in RFC1654 (and RFC1268)

• Among routing protocols, BGP is unique in using TCP as its transport protocol.
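An added example (not from the deck) of the policy-then-score choice described on this slide and the previous one: routes carry full AS paths, a path that violates a policy or loops back through our own AS scores infinity and is discarded, and the survivors are ranked by a local scoring function that BGP does not define. The neighbour letters mirror the slide; all AS numbers and paths are constructed.

```python
# Added example (not from the deck): policy-driven BGP-style route choice.
# Neighbours E and I are discarded, B and G are compared by score, as on the slide.
# All AS numbers are constructed; 65001 is taken from the private range 64512-65534.

import math

LOCAL_AS = 65001                 # constructed: our own AS
NO_TRANSIT_THROUGH = {64701}     # policy: "no transit through certain ASs" (constructed)

# Routes to one destination prefix, as advertised by four neighbours (constructed).
CANDIDATES = {
    "B": [64601, 64602, 64650],
    "E": [64701, 64650],          # shortest, but crosses a forbidden AS
    "G": [64602, 64650],
    "I": [64603, 65001, 64650],   # our own AS appears on the path: a loop
}


def violates_policy(path, local_as=LOCAL_AS, forbidden=NO_TRANSIT_THROUGH):
    """True if the path loops back through us or crosses a forbidden AS."""
    return local_as in path or any(asn in forbidden for asn in path)


def score(path, local_as=LOCAL_AS, forbidden=NO_TRANSIT_THROUGH):
    """Local scoring: infinity for a policy violation, otherwise AS-path length.
    This function is the operator's choice; BGP does not standardise it."""
    if violates_policy(path, local_as, forbidden):
        return math.inf
    return len(path)


def discarded(candidates, **kw):
    """Neighbours whose route is rejected outright (score = infinity)."""
    return sorted(n for n, p in candidates.items() if score(p, **kw) == math.inf)


def best_route(candidates, **kw):
    """Lowest-scoring acceptable route; ties broken by neighbour name so the
    choice is deterministic. Returns (neighbour, path) or None."""
    ranked = sorted((score(p, **kw), n, p) for n, p in candidates.items())
    if not ranked or ranked[0][0] == math.inf:
        return None
    _, neighbour, path = ranked[0]
    return neighbour, path


if __name__ == "__main__":
    print("discarded:", discarded(CANDIDATES))    # ['E', 'I']
    print("chosen:", best_route(CANDIDATES))       # ('G', [64602, 64650])
```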

Page 33: Oracle Cloud Networking And Security Exposed


MPLS | Introduction

• Multiprotocol Label Switching was invented to join the technical features of IP and ATM

• Different protocols were proposed based on common principles:

• Use a standard routing protocol (e.g. OSPF) to find the route

• Label the path

• Attach the label to the packets (a "layer 2.5" protocol)

• Packet switching is done on a label basis (label switching)

• ATM is based on label switching, and in the '90s ATM performance was higher than IP

• MPLS was released in January 2001; at that time IP performance was greater than ATM's

• MPLS survived for different reasons:

• QoS – IP is connectionless while circuits guarantee QoS

• Traffic Engineering – With MPLS it is possible to create different paths and distribute traffic on the available resources

• Advanced Services – VPN is the most important

• Fault tolerance – Path reconfiguration in case of router fault

Page 34: Oracle Cloud Networking And Security Exposed


MPLS | Architecture

(Figure: an MPLS Domain with an LSP (Label Switched Path) in an MPLS network)

Page 35: Oracle Cloud Networking And Security Exposed


Protecting Data in Transit | What is VPN?

Page 36: Oracle Cloud Networking And Security Exposed


What is VPN?

• A virtual private network (VPN) in the context of IaaS/PaaS extends a private network across the internet into the Cloud

• VPN provides the security and control that enterprises need to move their workloads into the cloud

• VPN connects two endpoints over a public network to form a logical connection.

• VPN technologies can be classified broadly, on these logical connection models, as Layer 2 VPNs or Layer 3 VPNs

• A VPN adds a "delivery header" in front of the payload to get it to the destination site

Page 37: Oracle Cloud Networking And Security Exposed


Types of VPN

• Remote Access

– Provides a remote user access to the enterprise network

– Example: Cisco AnyConnect

• Site to Site

– A site-to-site VPN uses a VPN gateway appliance to connect one network to another

– Several software- or hardware-based solutions are available: Corente, Cisco, Juniper and others

Page 38: Oracle Cloud Networking And Security Exposed


Types of VPN: L2 VPN

• Layer 2 VPNs

– are point-to-point and establish connectivity between sites over a virtual circuit.

– A virtual circuit is a logical end-to-end connection between two endpoints in a network, and can span multiple elements and multiple physical segments of a network.

– The virtual circuit is configured end-to-end and is usually called a permanent virtual circuit (PVC)

– A dynamic point-to-point virtual circuit is also possible and is known as a switched virtual circuit (SVC)

– One of the advantages of a Layer 2 VPN is its independence from the Layer 3 traffic payload that can be carried over it

Page 39: Oracle Cloud Networking And Security Exposed


Types of VPN: L3 VPN

• the delivery header is at Layer 3 of the OSI model

• Layer 3 VPNs can be:

– point-to-point, connecting two sites, such as GRE and IPSec

– any-to-any, connecting many sites using MPLS VPNs.

Page 40: Oracle Cloud Networking And Security Exposed


Oracle Network Cloud Services Offering

Page 41: Oracle Cloud Networking And Security Exposed

Oracle Network Cloud Services (same figure as on page 8)

Page 42: Oracle Cloud Networking And Security Exposed


FastConnect | Overview

Page 43: Oracle Cloud Networking And Security Exposed


FastConnect : Overview

• Dedicated: Access your Oracle Public Cloud services in a secure, consistent and cost effective manner.

• Reliable: Delivered as a fully redundant service with two physical connections from your network edge.

• Standards Based: Leverages industry standard BGP routing to manage the exchange of routes between Oracle Public Cloud and your networks.

• Rapid Service Provisioning: Service can be turned up rapidly (in minutes) if you are already in the same datacenter.

(Figure: FastConnect Partner Edition)

Page 44: Oracle Cloud Networking And Security Exposed


FastConnect | Use Cases

• Bidirectional transfer of large volumes of data (batch jobs)

• Applications that require consistent latency and network performance

• Sensitive data transfers that cannot traverse the public internet

(Figure: FastConnect connectivity options within a Metro/City. The Oracle Data Center exposes public services through Internet Routers (public-facing services from Oracle Public Cloud) and Dedicated Compute through Fast Connect Routers (private network extension from Oracle Public Cloud). Customer sites shown: a customer collocated at the same datacenter as Oracle, reached by a local crossconnect within the datacenter; a customer DMZ within the Equinix datacenter, reached via the Equinix Cloud Exchange; a customer premise or remote datacenter and a customer DMZ not at the Equinix datacenter, reached over a private line / private Ethernet WAN link; and a customer private network (MPLS VPN service), reached through an MPLS service provider gateway. Each customer site has a DMZ (public access) and a private cloud, and IPSec tunnels are also drawn.)

Page 45: Oracle Cloud Networking And Security Exposed


FastConnect : Options

• Standard Edition

– Connectivity at any datacenter where Oracle Cloud Services are collocated

• Partner Edition - Equinix Cloud Exchange

– Easy connectivity at Equinix facilities

• Partner Edition - BT Cloud Connect (EMEA)

– Directly connect your BT MPLS IP VPN to Oracle Public Cloud Services

• Partner Edition - Verizon SCI (NA)

– Leverage your existing Verizon infrastructure (MPLS IP VPN) to connect to Oracle Public Cloud Services

Oracle Network Cloud Services

Page 46: Oracle Cloud Networking And Security Exposed



FastConnect : Options

• Customers will be able to access their Oracle PaaS and Compute services through one of the following options

• Equinix Cloud Exchange - for all Platform or Compute services that are publicly accessible

• MPLS/VPN service provider Gateways – for publicly accessible Platform and Compute services as well as Dedicated Compute

• Direct connectivity from customer premise or from the customer cage – for publicly accessible Platform and Compute services as well as Dedicated Compute

Oracle Confidential – Restricted

Page 47: Oracle Cloud Networking And Security Exposed


FastConnect : Scenarios

There can be two scenarios:

• Local

– The customer is considered Local if they are collocated in the same datacenter in the city where they desire Oracle Cloud Services

• Remote

– The customer is considered Remote if they are NOT collocated in the datacenter in the city where they desire Oracle Cloud Services.

Page 48: Oracle Cloud Networking And Security Exposed


Fast Connect – Standard Edition

(Figure: a customer collocated at the same datacenter as Oracle, with a customer DMZ (public access) and a customer private network, connects across the Metro/City to Oracle's Internet Routers (public-facing services from Oracle Public Cloud, public services) and Fast Connect Routers (private extension to Dedicated Compute); an IPSec tunnel is also drawn. Steps in the figure:)

1. Customer orders Oracle Fast-Connect Standard Edition from Oracle – provisioned by Oracle

2. Customer orders crossconnects from the datacenter provider to the Oracle cage; LOA/CFA will be provided by Oracle to the customer – provisioned by the datacenter provider

3. Customer establishes BGP peering with Oracle after physical connectivity to Oracle routers is set up

• Both 1Gbps and 10Gbps options are available.

• LOA/CFA (Letter of Authority / Customer Facility Assignment) will be provided by Oracle.

• Customers will work with their datacenter provider to order the cross connects. Customers can request armored cables from the datacenter provider to enhance the physical security within the facility.

• Upon completion of the cross connect with the Oracle routers, customers will establish logical connectivity and set up BGP with Oracle. Two independent BGP sessions will need to be established, for the public and private address space respectively.

Page 49: Oracle Cloud Networking And Security Exposed


Fast Connect – Standard Edition (Remote)

(Figure: a customer premise or remote datacenter, with a customer DMZ (public access) and a customer private cloud, connects through a network service provider across the Metro/City to Oracle's Internet Routers (public-facing services from Oracle Public Cloud, public services) and Fast Connect Routers (private extension to Dedicated Compute); an IPSec tunnel is also drawn. Steps in the figure:)

1. Customer orders Oracle Fast-Connect Standard Edition from Oracle – provisioned by Oracle

2. Customer orders Metro Ethernet or Ethernet-WAN circuits through a network service provider from their premises to the Oracle facility where Fast Connect is required – provisioned by the network service provider

3. The network service provider orders crossconnects through the datacenter provider for connection to Oracle routers – provisioned by the datacenter provider

4. Customer establishes BGP peering with Oracle after physical connectivity to Oracle routers is set up through the network service provider

• Oracle Fast Connect Standard Edition (Remote) will allow customers to establish private connectivity from their datacenter, collocation environment, IT hubs or offices using dedicated private links provided by network service providers.

• Customers will need to select and work with a network service provider and confirm their ability to provision private line service from the customer location to the Oracle datacenter. Additionally, customers will need to confirm that their network equipment will meet the needs of Fast Connect Standard Edition.

• Provides Layer 3 connectivity for services that are accessible over the public internet, and allows customers to access and manage their Dedicated Compute services as an extension of their private network. All configurations are managed between Oracle and the customer.

Page 50: Oracle Cloud Networking And Security Exposed


Fast Connect – Standard Edition (Remote)

• Both 1Gbps and 10Gbps options are available.

• Customers will work with their selected network service provider to set up a private line from their facility to the Oracle datacenter. The service provider will typically work with the datacenter provider to extend this private line to the Oracle assigned facility.

• Customers can request armored cables within the datacenter to enhance the physical security within the facility.

• Upon completion of private line turn-up by the network service provider, customers will establish logical connectivity and set up BGP with Oracle. Two independent BGP sessions will need to be established, for the public and private address space respectively.

• Customers are responsible for all configurations on their end as well as traffic management over FastConnect Standard Edition for the network addresses pertaining to their Oracle Cloud Services.

(Same figure as on page 49)

Page 51: Oracle Cloud Networking And Security Exposed


FastConnect – Standard Edition: Prerequisites

As a customer of FastConnect-Standard Edition, you need to meet the following prerequisites:

– You need a valid Oracle Order for FastConnect – Partner Edition with the appropriate port speed defined (currently 1 Gbps or 10 Gbps)

– You will require network equipment capable of supporting Layer 3 routing

– You are responsible for provisioning the physical connectivity to the Oracle routers through a network service provider or carrier of your choice.

– The network service provider must be capable of connecting to the Oracle routers over single-mode fiber.

– You can only advertise public IPv4 prefixes over this connection, and the prefixes must be registered to you in an IRR/RIR (Internet Routing Registry/Regional Internet Registry).


Page 52: Oracle Cloud Networking And Security Exposed


FastConnect – Standard Edition: Prerequisites

• As a customer of FastConnect-Standard Edition, you need to meet the following prerequisites:

– You will require a public ASN that is registered to you for establishing the peering session. If you do not have a registered public ASN, you can use private ASNs, or Oracle will provide a fixed ASN to be used for the configuration.

– You will need to provide two /30 or /31 public IP subnets for the routing interfaces. These IP subnets should be owned by you and registered in an IRR/RIR. If you do not have registered IP subnets for this purpose, Oracle will provision two /31 IP subnets for the connection.
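The two prerequisite slides above translate into a mechanical pre-flight check. The following is an added example, not part of the deck and not Oracle tooling: it validates an ASN (private ranges per RFC 6996), the two /30 or /31 public IPv4 link subnets (one per BGP session), and filters the advertisement list down to public IPv4 prefixes; the sample prefixes and ASNs used in it are constructed.

```python
"""Pre-flight check for a FastConnect Standard Edition peering order (added example,
not Oracle tooling): two public IPv4 /30 or /31 link subnets, a usable ASN, and
only public IPv4 prefixes in the advertisement list."""
import ipaddress

PRIVATE_ASNS = ((64512, 65534), (4200000000, 4294967294))   # RFC 6996
RESERVED_ASNS = {0, 23456, 65535, 4294967295}                # RFC 7607/6793/7300

def asn_kind(asn: int) -> str:
    """'public', 'private' (Oracle then supplies a fixed ASN) or 'reserved'."""
    if not 0 <= asn <= 4294967295 or asn in RESERVED_ASNS:
        return "reserved"
    return "private" if any(lo <= asn <= hi for lo, hi in PRIVATE_ASNS) else "public"

def _net(cidr: str):
    try:                        # strict: '203.0.114.1/30' (host bits set) -> None
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return None

def is_link_subnet(cidr: str) -> bool:
    """Routing-interface subnet must be public IPv4 and exactly /30 or /31."""
    n = _net(cidr)
    return n is not None and n.version == 4 and n.is_global and n.prefixlen in (30, 31)

def advertisable_prefixes(prefixes):
    """Split candidate announcements into (accepted, [(prefix, reason), ...])."""
    accepted, rejected = [], []
    for p in prefixes:
        n = _net(p)
        if n is None:
            rejected.append((p, "malformed or host bits set"))
        elif n.version != 4:
            rejected.append((p, "not IPv4"))
        elif not n.is_global:   # RFC 1918, CGNAT, loopback, documentation ranges...
            rejected.append((p, "not public address space"))
        else:
            accepted.append(p)
    return accepted, rejected

def check_order(asn, link_subnets, prefixes):
    """Return the list of problems; an empty list means the order is ready."""
    problems = []
    if asn_kind(asn) == "reserved":
        problems.append(f"ASN {asn} is reserved and cannot peer")
    if len(link_subnets) != 2:  # one /30 or /31 per BGP session (public, private)
        problems.append("exactly two link subnets are required")
    problems += [f"{s} is not a public /30 or /31" for s in link_subnets if not is_link_subnet(s)]
    problems += [f"{p}: {why}" for p, why in advertisable_prefixes(prefixes)[1]]
    return problems
```

Running `check_order(65001, ["203.0.114.0/31", "10.0.0.0/30"], ["2001:db8::/32"])` on the constructed sample returns two problems: the RFC 1918 link subnet and the IPv6 prefix.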


Page 53: Oracle Cloud Networking And Security Exposed


• Customers that are not already connected to Equinix Cloud Exchange will need to establish that connectivity by ordering a port and cross connect from Equinix

• Customers meeting the above requirements will order Oracle FastConnect Partner Edition from Oracle. Both 1Gbps and 10Gbps options are available

• Customers will then need to enable their Oracle FastConnect service through the Equinix Cloud Exchange portal (or work with Equinix to automate the process using their APIs)

• The enablement process with Equinix will set up BGP peering between the customer’s network and Equinix, allowing routes to be exchanged between Oracle and the customers.

• Customers will need to manage their routing policy to prefer the Equinix Cloud Exchange for traffic to the network addresses pertaining to their Oracle service


Fast Connect – Partner Edition : Equinix Cloud Exchange (Local)


[Diagram: Fast Connect – Partner Edition via Equinix Cloud Exchange (Local). Components shown: Customer Cage at Equinix in the Metro with a DMZ (public access) and Internet Routers, Public Internet, Equinix facility hosting the Equinix Cloud Exchange (ECX), Fast Connect Routers, Oracle Data Center (Dedicated Compute, Public services), IPSec Tunnel, and public-facing services from Oracle Public Cloud. Diagram callouts (steps 1–4):]

– Customer orders an ECX port (with cross-connect) from Equinix to connect to ECX (provisioned by Equinix)

– Customer orders Oracle Fast-Connect Partner Edition from Oracle to connect via ECX (provisioned by Oracle)

– Customer requests Layer 3 connectivity to Oracle Fast Connect on the ECX portal (provisioned by Equinix)

– Customer configures BGP on their routers with the information obtained from the ECX portal and the policies for Oracle Fast Connect (completed by the customer)

Page 54: Oracle Cloud Networking And Security Exposed


• Customers will need to establish connectivity to Equinix Cloud Exchange by ordering the ECX Port (and cross connect) from Equinix and order an Ethernet Private Line from their network edge to Equinix Cloud Exchange.

• Customers meeting the above requirements will order Oracle FastConnect Partner Edition from Oracle. Both 1Gbps and 10Gbps options are available.

• Customers will then need to enable their Oracle FastConnect service through the Equinix Cloud Exchange portal (or work with Equinix to automate the process using their APIs).

• The enablement process with Equinix will set up BGP peering between the customer’s network and Equinix, allowing routes to be exchanged between Oracle and the customers.

• Customers will need to manage their routing policy to prefer the Equinix Cloud Exchange for traffic to the network addresses pertaining to their Oracle service


Fast Connect – Partner Edition : Equinix Cloud Exchange (Remote)


[Diagram: Fast Connect – Partner Edition via Equinix Cloud Exchange (Remote). Components shown: Customer Datacenter not collocated within Equinix, with a DMZ (public access) and Internet Routers, Public Internet, Metro/City network provider, Equinix facility hosting the Equinix Cloud Exchange (ECX), Fast Connect Routers, Oracle Data Center (Dedicated Compute, Public services), IPSec Tunnel, and public-facing services from Oracle Public Cloud. Diagram callouts (steps 1–5):]

– Customer orders an ECX port from Equinix (provisioned by Equinix)

– Customer orders Metro Ethernet or Ethernet-WAN circuits from a network service provider to connect to ECX; this is also valid if the customer is located in a different metro or city than Equinix/Oracle (provisioned by the network service provider in collaboration with Equinix)

– Customer orders Oracle Fast-Connect Partner Edition from Oracle to connect via ECX (provisioned by Oracle)

– Customer requests Layer 3 connectivity to Oracle Fast Connect on the ECX portal (provisioned by Equinix)

– Customer configures BGP on their routers with the information obtained from the ECX portal and the policies for Oracle Fast Connect (completed by the customer)

Page 55: Oracle Cloud Networking And Security Exposed


FastConnect Partner Edition - Equinix Cloud Exchange: Prerequisites

• As a customer of FastConnect-Partner Edition via Equinix Cloud Exchange, you need to meet the following prerequisites:

– You will require network equipment capable of supporting Layer3 routing using BGP collocated at the Equinix IBX in the city where you desire service.

– You will need to establish connectivity with ECX-L3 at the city where you desire service.

– You need a valid Oracle Order for FastConnect – Partner Edition with the appropriate port speed defined (currently 1 Gbps or 10 Gbps)

– You will require a valid Public IP address and a valid Autonomous System Number (ASN) to establish configuration with Equinix Cloud Exchange. Please work with your ISP or one of the registries to obtain public IP address and an ASN.


Note: Please work with your Oracle Sales Team to determine the location where your OPC services are provisioned

Page 56: Oracle Cloud Networking And Security Exposed


Fast Connect – Partner Edition : BT Cloud Connect

• Can be leveraged by customers that use BT Cloud Connect MPLS IP VPNs to create a private enterprise network. BT Cloud Connect will extend the Private VPN through Oracle FastConnect to enable dedicated access into Oracle Public Cloud from the customers’ enterprise network

• Build on your existing network architecture, taking advantage of pre-provisioned infrastructure to deliver the service and realize the benefits faster.


Page 57: Oracle Cloud Networking And Security Exposed


• Customers will order Oracle Network Cloud Service - FastConnect Partner Edition - BT Cloud Connect at the location where their Oracle Cloud IaaS and PaaS services are provisioned.

• Customers will specify the location where they desire connectivity through Oracle Network Cloud Service - FastConnect Partner Edition - BT Cloud Connect. This is the location where the Oracle Cloud IaaS and PaaS services that they would like to access through the service are provisioned.

• Customers will contact their BT Global Services account manager to order BT Cloud Connect for Oracle FastConnect.

• BT contacts Oracle to validate the details that you have provided and to ensure that your service is provisioned correctly. BT configures its routers to route your traffic through BT Cloud Connect for Oracle FastConnect, and then provides configuration information to Oracle. Oracle configures the Oracle edge routers based on the information received from BT.

Fast Connect – Partner Edition : BT Cloud Connect

Page 58: Oracle Cloud Networking And Security Exposed


FastConnect – Partner Edition via BT Cloud Connect: Prerequisites

• As a customer of FastConnect-Partner Edition via BT Cloud Connect, you need to meet the following prerequisites:

– You must be an existing customer of BT IP Connect Global – MPLS IP VPN and have an active MPLS VPN in service. If you are not an existing customer of BT IP Connect Global - MPLS IP VPN, contact your BT Global Services account team to order the service.

– You will need network equipment as required by the BT IP Connect Global service requirements.

– You are responsible for provisioning any infrastructure or equipment required by BT for connectivity through BT Cloud Connect for Oracle FastConnect.


Note: Please work with your Oracle Sales Team to determine the location where your OPC services are provisioned

Page 59: Oracle Cloud Networking And Security Exposed


• Leverage your existing Verizon Private IP network

• Pre-provisioned infrastructure, so the service is delivered and the benefits are realized faster.

• Add as many sites as you want at no additional cost

• Initially available in North America only

• EMEA – Q2 FY17

Fast Connect – Partner Edition : Verizon SCI (Secure Cloud Interconnect)

Page 60: Oracle Cloud Networking And Security Exposed


The Ultimate in Cloud Flexibility

On-Premises. Cloud at Customer. Public Cloud.

Any Way You Like It.