OCI Networking Explained: Virtual Cloud Networks (VCN) Deep Dive

Published: (February 23, 2026 at 08:41 AM EST)
5 min read
Source: Dev.to

🧠 Part 1 – CIDR Blocks and IP Notation (The Foundation)

What is CIDR?

CIDR stands for Classless Inter‑Domain Routing.

Format: A.B.C.D/x (e.g., 10.0.0.0/16)

  • /x = network portion
  • Remaining bits = host portion

An IPv4 address has:

  • 4 octets
  • 8 bits each → 32 bits total

The Rule of Size

The smaller the prefix, the larger the network.

Formula to calculate total IP addresses:

2^(32 - x)

Example

10.0.0.0/16 → 2^(32‑16) = 2^16 = 65,536 IP addresses

Binary Conversion

Each octet is based on powers of 2:

128  64  32  16  8  4  2  1

Example

192.168.0.2 → 11000000.10101000.00000000.00000010

You don’t need to convert manually every day, but understanding this makes subnetting much easier.

🏗️ Part 2 – What is a VCN?

A Virtual Cloud Network (VCN) in OCI is:

  • Software‑defined
  • Private
  • Regional
  • Highly available

It lives inside a single OCI region but can span multiple Availability Domains (ADs). Think of it as your own private data‑center network inside Oracle Cloud.

VCN high‑level diagram

CIDR Limits

  • Prefix must be between /16 and /30
  • A VCN can have up to 16 IPv4 and IPv6 CIDR blocks

Reserved IPs in Every Subnet

Oracle reserves three IP addresses per subnet:

  1. First IP – Network address
  2. Second IP – Default gateway
  3. Last IP – Broadcast address

These cannot be assigned to instances.

🧱 Part 3 – Subnets

A VCN is divided into subnets. Each subnet:

  • Is a contiguous range of IPs
  • Cannot overlap with other subnets in the same VCN
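As an added example (not code from the article), the CIDR arithmetic from Part 1 and the VCN and subnet rules from Parts 2 and 3, worked in Python's ipaddress module: address count, dotted-binary form, the three addresses OCI reserves per subnet, and a check that subnets fit the VCN without overlapping. The VCN and subnet values are constructed.

```python
import ipaddress

# Constructed example VCN (not from the article).
VCN_CIDR = "10.0.0.0/16"

def total_addresses(cidr: str) -> int:
    """2^(32 - x) for an IPv4 prefix of length x."""
    net = ipaddress.ip_network(cidr, strict=True)
    return 2 ** (32 - net.prefixlen)

def to_binary(ip: str) -> str:
    """Dotted binary form, e.g. 192.168.0.2 -> 11000000.10101000.00000000.00000010"""
    return ".".join(f"{int(octet):08b}" for octet in ip.split("."))

def reserved_addresses(cidr: str) -> list:
    """The three addresses OCI reserves in every subnet:
    first (network), second (default gateway) and last (broadcast)."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = net.network_address
    return [str(first), str(first + 1), str(net.broadcast_address)]

def usable_addresses(cidr: str) -> int:
    """Addresses that can actually be assigned to instances."""
    return total_addresses(cidr) - len(reserved_addresses(cidr))

def validate_subnets(vcn_cidr: str, subnet_cidrs: list) -> list:
    """Return a list of problems: VCN prefix outside /16../30,
    a subnet outside the VCN, or two subnets that overlap."""
    problems = []
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    if not 16 <= vcn.prefixlen <= 30:
        problems.append(f"VCN prefix /{vcn.prefixlen} must be between /16 and /30")
    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vcn):
            problems.append(f"{s} is not inside VCN {vcn}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems

if __name__ == "__main__":
    print(total_addresses(VCN_CIDR), to_binary("192.168.0.2"))
    print(reserved_addresses("10.0.1.0/24"), usable_addresses("10.0.1.0/24"))
    print(validate_subnets(VCN_CIDR, ["10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24"]))
```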

Subnet Scope

Scope                    Description
AD‑Specific              Exists in a single Availability Domain
Regional (recommended)   Spans all ADs for high availability

Public vs Private Subnets

Private and Public subnet diagram

Feature            Public        Private
Public IP          Yes           No
Internet Access    Direct        Via NAT
Typical Use Case   Web servers   Databases, backend services

Important: You cannot change a subnet from public to private after it’s created.

🛣️ Part 4 – Route Tables

Route tables control where traffic goes.

  • Every subnet must be associated with exactly one route table.
  • A route‑table rule consists of:
    • Destination CIDR
    • Target (next hop)

Example Rules

Destination CIDR    Route Target
0.0.0.0/0           Internet Gateway (IGW)
192.168.0.0/16      Dynamic Routing Gateway (DRG)

Longest Prefix Match (LPM)

If multiple routes match a destination, the most specific (longest prefix) wins.

Example: For a packet destined to 192.168.20.19, a route for 192.168.20.16/28 is chosen over 192.168.0.0/16 because /28 is longer.
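The longest-prefix-match rule above, as an added Python example (not the article's code) run over a route table built from the article's example rules. The target of 192.168.20.16/28 is an assumption, since the article shows only that prefix; the destination addresses are constructed.

```python
import ipaddress

# Constructed route table from the article's example rules. The 192.168.20.16/28
# target is an assumption (the article gives only the prefix).
ROUTE_TABLE = [
    ("0.0.0.0/0",        "Internet Gateway (IGW)"),
    ("192.168.0.0/16",   "Dynamic Routing Gateway (DRG)"),
    ("192.168.20.16/28", "DRG-2 (assumed target)"),
]

def longest_prefix_match(dest_ip, routes):
    """Pick the most specific route that covers dest_ip (longest prefix wins).
    Returns (cidr, target), or None when no rule covers the destination."""
    ip = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=True)
        if ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_target = net, target
    return None if best_net is None else (str(best_net), best_target)

def resolve_all(dest_ips, routes):
    """Map each destination to the route chosen for it, for a quick table review."""
    return {ip: longest_prefix_match(ip, routes) for ip in dest_ips}

if __name__ == "__main__":
    for ip, choice in resolve_all(["192.168.20.19", "192.168.50.1", "203.0.113.9"], ROUTE_TABLE).items():
        print(ip, "->", choice)
```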

🌍 Gateways Explained

Internet Gateway (IGW)
  Purpose: Provides bi‑directional internet access
  • Requires a public subnet & public IP
  • Security rules must allow traffic
  • One IGW per VCN

NAT Gateway
  Purpose: Allows private‑subnet instances to reach the internet without a public IP
  • Outbound‑only
  • No inbound initiation from internet
  • Supports TCP, UDP, ICMP
  • Up to 20 000 concurrent connections

Service Gateway
  Purpose: Private access to Oracle services over OCI’s internal backbone
  • Uses Service CIDR Labels (e.g., “All region services”, “Object Storage”)
  • No need to maintain IP ranges manually

Dynamic Routing Gateway (DRG)
  Purpose: Connects to on‑prem data centers, other VCNs, or cross‑region networks
  • Core component for hybrid‑cloud connectivity

🔐 Part 5 – Security Layers

OCI networking uses layered security.

Security Lists (SL)

  • Applied at the subnet level
  • Affects all instances in the subnet

Network Security Groups (NSG)

  • Applied at the VNIC (instance) level
  • Provides granular, resource‑specific control
  • Can reference other NSGs

Stateful vs. Stateless Rules

Type                 Behavior
Stateful (default)   Tracks connections; response traffic is automatically allowed
Stateless            No connection tracking; you must explicitly allow return traffic (useful for high‑volume traffic)

The Union Rule

When both Security Lists and NSGs are in effect, traffic is allowed if any rule in either the subnet’s Security List or an attached NSG permits it. This is OR logic, not AND: a permissive rule in the subnet’s Security List cannot be tightened by a stricter NSG, so locking down a VNIC means checking both layers.
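The union rule, as an added Python example (not the article's code): a constructed Security List that opens 22/tcp to the internet sits beside an NSG that admits only 443/tcp from inside the VCN, and the evaluator shows the NSG cannot veto the subnet-level rule. The rule sets, source addresses and helper names are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed rule sets (not from the article): the subnet's Security List opens
# 22/tcp to the whole internet, while the VNIC's NSG only admits 443/tcp from the VCN.
@dataclass(frozen=True)
class Rule:
    source: str            # CIDR the ingress rule admits
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port: Optional[int]    # destination port; None means any port
    stateful: bool = True  # stateful rules auto-allow the response traffic

SECURITY_LIST = [Rule("0.0.0.0/0", "tcp", 22)]
NSG = [Rule("10.0.0.0/16", "tcp", 443)]

def rule_matches(rule: Rule, src_ip: str, protocol: str, port: int) -> bool:
    in_range = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)
    proto_ok = rule.protocol in ("all", protocol)
    port_ok = rule.port is None or rule.port == port
    return in_range and proto_ok and port_ok

def ingress_allowed(src_ip, protocol, port, security_list, nsg) -> bool:
    """Union rule: the packet passes if ANY rule in the subnet's Security List
    OR in an attached NSG matches it. The NSG cannot veto the Security List."""
    return any(rule_matches(r, src_ip, protocol, port)
               for r in list(security_list) + list(nsg))

def internet_exposed_ports(security_list, nsg) -> set:
    """Audit helper: ports admitted from 0.0.0.0/0 by either layer.
    None in the result means some rule opens every port."""
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    return {r.port for r in list(security_list) + list(nsg)
            if ipaddress.ip_network(r.source) == anywhere}

def needs_explicit_return_rule(rule: Rule) -> bool:
    """Stateless rules do no connection tracking, so the reply direction must
    be covered by a separate rule of its own."""
    return not rule.stateful

if __name__ == "__main__":
    print(ingress_allowed("203.0.113.5", "tcp", 22, SECURITY_LIST, NSG))  # Security List wins
    print(internet_exposed_ports(SECURITY_LIST, NSG))
```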

🏘️ Simple Analogy

Think of a VCN as a private neighborhood:

  • The region is the city.
  • Availability Domains are the blocks within the city.
  • Subnets are the individual streets.
  • Gateways are the entry/exit points (roads to the highway, service tunnels, etc.).
  • Route tables are the street signs directing traffic.
  • Security Lists and NSGs are the neighborhood watch rules that decide who may walk where.

Happy networking!

A second, shorter version of the same analogy:

  • VCN → Entire housing estate
  • Subnet → A block inside the estate
  • Route Table → GPS directing traffic
  • Internet Gateway → Exit gate
  • Security List → Guard at block entrance
  • NSG → Guard at a specific house

🧠 Final Thoughts

If IAM is about identity, VCN is about connectivity.

Understanding CIDR, route tables, gateways (IGW, NAT, Service Gateway, DRG), and layered security is what separates a cloud user from a cloud engineer.

🔔 What’s Coming Next

In the next part of this OCI series, I’ll break down IP Management in OCI:

  • Private vs. Public IP
  • Ephemeral vs. Reserved
  • BYOIP
  • Public IP Pools

Because networking doesn’t stop at connectivity, it continues with smart IP design. And that’s where real architecture begins.

Stay tuned.
