Introduction

In this tutorial, we walk through the complete process of bringing your IPv6 address space (BYOIP) into Oracle Cloud Infrastructure (OCI) using an IPv6 CIDR block allocated and administered through NCC RIPE. This approach benefits organizations that already own IPv6 ranges or need to maintain consistent IP addressing across hybrid or multi-cloud environments.

By following this guide, you'll not only learn how to prepare your IPv6 address space for import into OCI but also how to configure the administrative records in the RIPE NCC portal properly, authorize Oracle to advertise your prefix, and ultimately assign your custom IPv6 addresses to OCI resources such as Virtual Cloud Networks (VCNs) and compute instances.

This tutorial covers each step in detail — from acquiring or verifying your IPv6 CIDR to updating registry records to using your imported range within OCI networking. Whether you're migrating workloads, setting up hybrid connectivity, or building an internet-facing architecture, this guide gives you the foundation to integrate BYOIP IPv6 into your OCI cloud infrastructure.

Let's get started.

The Steps

• STEP 01: Determine the IPv6 range you want to bring to OCI / Get an IPv6 range you want to bring to OCI
• STEP 01a: Purchase / Rent an IPv6 CIDR
• STEP 01b: Preform NCC RIPE administration tasks
• STEP 01c: Verify IPv6 CIDR assignment in the NCC RIPE console
• STEP 02: Start the import of the IPv6 CIDR in OCI
• STEP 03: Add the token string as a new "descr" field associated with your address range
• STEP 04: Create a Route Origin Authorization (ROA) object that authorizes Oracle to advertise the BYOIP CIDR block
• STEP 05: Finish the import of the IPv6 CIDR in OCI
• STEP 06: Verify the import of the IPv6 CIDR in OCI
• STEP 07: Advertise the IPv6 CIDR to the Internet
• STEP 08: Assign BYOIP IPv6 CIDR to a VCN
• STEP 09: Create a Subnet inside BYOIP IPv6 CIDR range
• STEP 10: Create and assign a new routing table for VCN
• STEP 11: Create an Instance and use an IPv6 address from the BYOIP IPv6 CIDR range

STEP 01 - Determine the IPv6 range you want to bring to OCI - Get an IPv6 range you want to bring to OCI

To use the Bring Your Own IP (BYOIP) feature in Oracle Cloud Infrastructure (OCI) with an IPv6 CIDR block, the first requirement is to have a publicly routable IPv6 address space that is appropriately registered and administered through a Regional Internet Registry (RIR) — in this case, RIPE NCC.

> [!NOTE] NOTE > I am renting IPv6 space from a third-party provider, as I do not own an IPv6 allocation. If you already own IPv6 address space and manage it directly under your RIPE account or LIR (Local Internet Registry), you can skip STEP 01 and continue with STEP 02.

STEP 01a - Purchase - Rent an IPv6 CIDR

If you don't already own an IPv6 range, you'll need to either:

• Purchase a block of IPv6 addresses from a provider or broker, or
• Rent an IPv6 CIDR from a third-party company offering leased address space, routing, and registry control.

I am using a company called NoPKT LLC that provides Local Internet Registry (LIR) services. Several other providers offer similar LIR services, so you can choose the one that best fits your needs.

Before making any purchases at NoPKT LLC, we must create an account.

• Once registered and logged in, go to the NoPKT Store.
• Click on LIR Service.

• NoPKT is offering to rent IPv6 CIDRs from RIPE or ARIN (at the time of this writing).
• We are choosing to go for the RIPE option.

• We will select the RIPE /44 IPv6 product ($2.00)

• Add the RIPE /44 IPv6 product to the cart

• Select the plan.
• In our case, we went for the annual plan.
• Click on Checkout.

• Click on Checkout.

• Click on Pay and perform the payment.

• After the payment, it can take a few hours before NoPKT assigns the /44 IPv6 CIDR to your account.
• Below, you can see that the #337 order is an assigned Resource.
• This is the IPv6 Range we will use inside OCI with BYOIP.

• You can review the services by clicking the Services tab.

• [Oracle Cloud Infrastructure (OCI) requires] the ROA (Route Origin Authorization) to be done with RPKI (Resource Public Key Infrastructure) because this is an industry-standard security mechanism used to validate BGP route origin.

• I opened a support ticket with this request and provided the Oracle BGP ASN so the LIR could complete the request.

Before the LIR can assign the rented IPv6 range to your account—so you can perform the required administrative tasks—you must first create a RIPE NCC account and set up the necessary administrative objects. These objects (such as the role, mntner, and organization) must be appropriately configured and linked. Once this setup is complete, RIPE will issue an Organization ID, which you must provide to the LIR. The LIR will then use this ID to assign the IPv6 range to your RIPE account.

STEP 01b - Preform NCC RIPE administration tasks

To prepare your IPv6 CIDR for import into Oracle Cloud Infrastructure, you must complete the following administrative tasks in the RIPE NCC database. These steps ensure you have the proper control over the address space and meet OCI's validation requirements.

You must:

• Register for a RIPE NCC account if you don't already have one.
• This account will give you access to the LIR Portal and allow you to manage registry objects.
• Create a role object and a mntner (maintainer) object.
• These objects are required to define who manages the resources and to secure access to the registry entries.
• Add an abuse-c attribute to your role object.
• This is a mandatory field for reporting abuse related to the IP space.
• Create an organization object to represent your entity in the RIPE database.
• This object will be linked to the IPv6 CIDR block and other registry entries.
• Once this is done and the organization is identified, you will bet a unique organization ID you must provide to the LIR so they can assign the rented IPv6 range to your RIPE account (organization).
• Add your LIR provider's maintainer (e.g., NoPKT-MNT if you're using NoPKT LLC) as the mnt-ref in your organization object.
• This ensures that the LIR can continue to manage the allocation on your behalf.

Make sure all objects are correctly linked and visible in the RIPE database. You will later update the inet6num object associated with your IPv6 range to complete the OCI validation steps.

This administrative step is critical — OCI will validate your ownership or control of the prefix through the changes you make in the RIPE NCC database.

• Create a RIPE NCC account and log in.

• Click on Create an Object.

• Select the Object type to be role and maintainer pair.
• Click on Create.

• Create a RIPE Maintainer and a Role, and make sure the maintainer is linked to the role.
• Make sure you specify ALL the fields as I did.

• Link a new organization object to the correct maintainer object.

• Adding NoPKT-MNT to your RIPE organization object is necessary for authorization and control over your RIPE resources.
• Make sure the NoPKT-MNT maintainer is added as the organization using the mnt-ref field.

• Note down your Unique RIPE IDs:
• role with primary key: NO2XXX-RIPE
• mntner with the primary key: XXX-MNT
• organization: ORG-XXXXX-RIPE

Provide the organization ID to the LIR so they can assign the rented IPv6 block to your RIPE account/role/organization.

STEP 01c - Verify IPv6 CIDR assignment in the NCC RIPE console

• The LIR will assign the rented IPv6 block to your RIPE account/role/organization.
• Once this is done, they will notify you.

• In the RIPE console click on My Resources -> IPv6 and review the rented IPv6 range.
• Now, you can perform administration tasks on the subnet (which the OCI BYOIP must complete).

STEP 02 - Start the import of the IPv6 CIDR in OCI

Once your IPv6 CIDR is registered and visible in the RIPE NCC database under your Organization ID, you can begin the BYOIP (Bring Your Own IP) import process in Oracle Cloud Infrastructure (OCI).

• Open the OCI Console and navigate to: Networking → BYOIP (Bring Your Own IP)

• Click Import BYOIP CIDR block/prefix.

• Name: Specify a name for the prefix..
• IPv6 CIDR Block: Enter the exact IPv6 prefix as it appears in the RIPE database.
• Click Import BYOIP CIDR block/prefix.

• Notice that the state of the prefix will be Creating.
• Click on the name.

• OCI will generate a validation token, which you must publish in the RIPE database in the next step.
• Copy this validation token in a notepad.
• OCI will later validate this token to confirm that you have administrative control over the IPv6 block.

> [!NOTE] IMPORTANT! > Do not proceed with finishing the import yet. > You first need to add the verification token to your RIPE inet6num object (see STEP 03) and create an ROA object (see STEP 04). > Only after both are done can OCI validate and complete the import process.

STEP 03 - Add the token string as a new descr field associated with your address range

After initiating the import process in OCI, a verification token is generated. This token is a unique string that Oracle uses to confirm you have administrative control over the IPv6 CIDR block you are attempting to bring into the cloud.

To verify ownership, you must add this token as a new descr field in the inet6num object for your IPv6 range in the RIPE NCC database.

• In the RIPE console, click on My Resources -> IPv6
• Click on the IPv6 subnet,

• Click on "Update object".

• Click on any + sign.
• Add a new descr attribute field.
• Paste in the OCI token provided in the OCI console.
• Click on Submit.

• Notice that the object has been successfully updated with the ned descr attribute.

OCI will now periodically check the RIPE registry for the presence of this token. Once the token is detected, the CIDR can move to the next verification stage (ROA validation).

STEP 04 - Create a Route Origin Authorization -ROA- object that authorizes Oracle to advertise the BYOIP CIDR block

In addition to adding the verification token to the RIPE database, Oracle requires that you explicitly authorize it to advertise your IPv6 CIDR block via BGP. This is done by creating a Route Origin Authorization (ROA) object in the RIPE NCC RPKI dashboard.

The ROA object tells the internet routing ecosystem that Oracle (identified by its Autonomous System Number, or ASN) can announce your IPv6 prefix. Without this authorization, OCI will not complete the BYOIP import process.

I have requested the LIR to do this for me, and they confirmed in the ticket in STEP 01c that this is done.

We can also check this ourselves by using [this website]:

• Go to the [website].
• Type in your IPv6 prefix.
• Type in your ASN (This will be Oracle's AS Number AS31898)
• Click Validate

Once both the verification token and the ROA object are published and recognized, Oracle will validate the ownership and routing authorization of your BYOIP IPv6 CIDR block. But before this is done, you must still click on the Finish import button in the OCI console.

STEP 05 - Finish the import of the IPv6 CIDR in OCI

When you have:

• Added the verification token as a descr field in the RIPE inet6num object (STEP 03) and
• Created a valid Route Origin Authorization (ROA) object authorizing Oracle's ASN AS31898 (STEP 04),

Oracle Cloud Infrastructure (OCI) will automatically begin the verification process once you click the Finish import button.

• Confirm with clicking the Finish import button.

• Notice that the status went from CREATING to VALIDATING.
• Also, notice that there will be a message that the import process can take up to 10 business days.

• Review the BYOIP status screen.

Oracle will take the required internal validations and do the required internal configurations to complete the import.

!!!REMOVE THIS WHEN PUBLISHED!

There are multiple steps for OCI (for the 10 working days).  
* Updating RADB
* Propagating the prefix information to el-paso
* Adding the prefix to the region's internet plan
* Having our geolocation partners update the GeoIP Location of the prefix
* Working with various ISPs in case they have requirements for manual filter updates

STEP 06 - Verify the import of the IPv6 CIDR in OCI

After completing the import process in the OCI Console, it's essential to verify that your IPv6 CIDR has been successfully validated and provisioned and is ready for use.

• In the BYOIP management screen, you will see that the state of the imported BYOIP range is now set to Provisioned.
• Notice that the the Advertised column is set to No.

!!!REMOVE THIS WHEN PUBLISHED!

https://bgp.tools/prefix/2a14:7581:f00::/44

• We can verify if the subnet is available online using the [bgp.tools website].
• When we type in the prefix (and search for it), we can see that it is not found (on the Internet).

Once verified, your IPv6 CIDR is fully onboarded and ready to be advertised and assigned within OCI. Please proceed to the next step to make it available on the Internet.

STEP 07 - Advertise the IPv6 CIDR to the Internet

Once your IPv6 CIDR has been successfully imported and verified in Oracle Cloud Infrastructure (OCI), the final step in making it globally reachable is to advertise it to the Internet.

This step tells OCI to start announcing your IPv6 CIDR via BGP from Oracle's network (ASN 31898), allowing traffic from the public Internet to reach your IPv6 space in the cloud.

> [!NOTE] NOTE: > Advertising the CIDR is required before using the IPv6 range with internet-facing OCI resources such as load balancers, instances, etc.

• Click on the three dots at the end of the subnet.
• Click on Advertise.

• Click on Advertise.

• Notice that the the Advertised column is set to Yes.

!!!REMOVE THIS WHEN PUBLISHED!

https://bgp.tools/prefix/2a14:7581:f00::/44

• We can verify if the subnet is available online using the [bgp.tools website].
• When we type in the prefix (and search for it), we can see that it is found (on the Internet).

Once advertising is active, you can assign your IPv6 range to a Virtual Cloud Network (VCN) and use it inside OCI.

STEP 08 - Assign BYOIP IPv6 CIDR to a VCN

With your IPv6 CIDR successfully imported and advertised in OCI (to the Internet), the next step is to assign it to a Virtual Cloud Network (VCN). This makes the CIDR usable for creating subnets and attaching IPv6 addresses to resources like compute instances and load balancers.

• Open the OCI Console.
• Navigate to Networking → Virtual Cloud Networks.
• Click on the VCN to which you want to assign this IPv6 BYOIP.

• Scroll down.

• Notice that only one subnet is available, and this is a private subnet.

• Click on CIDR Blocks/Prefixes.
• Notice that only one CIDR Blocks/Prefix is available.
• Click on Add CIDR Block/IPv6 Prefix.

• Select the BYOIP prefix from the drop-down list.
• Click on Add CIDR Blocks/IPv6 Prefixes.

• Notice that the BYOIP IPv6 Prefix IPv6 is now added to the VCN.

• You can also navigate to Networking → BYOIP.
• Click on the imported BYOIP range.
• Notice that the range is now assigned to the VCN.

• You can also navigate to Networking → IP management → IP Address Insights.
• Notice that VCN D has the IPv6 range assigned.

• When you navigate to Networking → VCN.
• Notice that the BYOIP IPv6 range has also been added to the VCN.

You're ready to carve out subnets within your BYOIP IPv6 CIDR and assign them to OCI resources. Proceed to the next step to create a subnet using this range.

STEP 09 - Create a Subnet inside BYOIP IPv6 CIDR range

Now that your BYOIP IPv6 CIDR is assigned to a Virtual Cloud Network (VCN), the next step is to create a subnet within that IPv6 range. This subnet will allow you to allocate IPv6 addresses to OCI resources, such as compute instances or load balancers.

• Open the OCI Console and navigate to Networking → Virtual Cloud Networks.
• Select the VCN to which you assigned your BYOIP IPv6 CIDR.
• In the VCN details page, go to the Subnets section.
• Click “Create Subnet”.

Fill in the subnet details:

• Name: Provide a name for the subnet.
• Subnet Type: Choose a specific AD or select "Regional" for high availability.
• IPv4 CIDR Block: (Optional) Enter an IPv4 block if you're creating a dual-stack subnet.

• IPv6 Prefixes: Choose a subnet range from the BYOIP IPv6 CIDR.

   _Example: If your imported range is /44, you can assign a /64 subnet._

• The first part of the prefix is already provided, and to create a /64 subnet, only provide the last part 0::.

• Subnet Access: Select Public Subnet.
• Click “Create Subnet”.

• Notice that the new subnet is created with an IPv6 prefix carved out of the imported BYOIP range.

In the next step, you'll configure routing so the subnet can send and receive traffic over the Internet.

STEP 10 - Create and assign a new routing table for VCN

With your subnet created inside the BYOIP IPv6 CIDR range, the next step is to create and assign a routing table that enables the correct network traffic flow. This route table will define how traffic from your subnet (IPv6 traffic) is routed within and outside the VCN, including to the Internet.

• Open the OCI Console and navigate to Networking → Virtual Cloud Networks.
• Select your VCN.
• In the left-hand menu under Resources, click “Route Tables”.
• Click "Create Route Table".

Under Route Rules add:

• Name: Enter a descriptive name for your route table.
• Protocol Version: Select IPv6.
• Target Type: Select Internet Gateway if the subnet requires public internet access.
• Destination CIDR Block: Enter ::/0 to allow outbound IPv6 traffic to the internet.
• Target: Select the Internet Gateway associated with your VCN.
• Click “Create” to save the route table.

• Notice that the new routing table is created.

Now, we need to assign the Route Table to the subnet:

• Navigate to VCN → Subnets.
• Click the name of the subnet you created earlier (within the BYOIP IPv6 CIDR).
• Click “Edit”.

• Under Route Table, select the new route table you just created.
• Click “Save Changes”.

• Your subnet is now using a route table that allows IPv6 traffic to reach the Internet via OCI's infrastructure.
• Any instance or resource with a public IPv6 address in this subnet can now send and receive IPv6 traffic.

Next, you're ready to launch a compute instance and assign it an IPv6 address from your BYOIP range.

STEP 11 - Create an Instance and use an IPv6 address from the BYOIP IPv6 CIDR range

Now that your VCN and subnet are configured and routing is in place, you can launch a compute instance and assign it an IPv6 address from your imported BYOIP IPv6 CIDR range. This makes the instance reachable over the Internet using your IPv6 space, which you control and manage.

• Open the OCI Console.
• Navigate to Compute → Instances.
• Click “Create Instance”.

Fill in the instance configuration:

• Name: Enter a name for the instance.
• Compartment: Select the appropriate compartment.
• Availability domain: Select an AD or use regional availability, depending on your setup.

• Image and shape: Choose your preferred OS image and shape (e.g., Ubuntu, Oracle Linux).

Under Networking:

• Select the VCN and public subnet you created earlier that uses your BYOIP IPv6 CIDR.

• Under IPv6 address, make sure this option is enabled.
• If you can not enable IPv6 address here (even though the VCN has a valid BYOIP IPv6 CIDR assigned), we can do it later.
• (Optional) Attach SSH keys for secure access (screenshot not shown).
• Click “Create” to create the instance.

• Notice that there is no IPv6 address assigned to the instance (yet).
• Scroll down.

• Click on the Attached VNICs menu on the left.
• Click on the existing VNIC of the instance.

• Click on IPv6 Addresses menu on the left.
• Click on Assign IPv6 Addresses.

• Select the BYOIP IPv6 Prefix from the drop down list.
• Select Automatically assign IPv6 addresses from prefix.
• Click on Assign.

• Notice that a new IPv6 address has been assigned to VNIC.

• Go back to the details.
• Notice that the public IPv6 address from your BYOIP IPv6 range has been added.

• Go to an online IPv4 port scanner eg. [SubnetOnline].
• Use the public IPv4 address to verify what ports are open.
• Notice that port TCP/22 is open.

• Go to an online IPv6 port scanner eg. [SubnetOnline].
• Use the public IPv6 address to verify what ports are open.
• Notice that port TCP/22 is open.
• This proves that our BYOIP IPv6 address is reachable from the Internet.

> [!NOTE] NOTE > Ensure your security lists or network security groups (NSGs) allow inbound and outbound IPv6 traffic (e.g., ICMPv6, TCP port 22 for SSH, or other required ports).

• We can also do one final check by logging in with SSH into the instance (I will connect to the public IPv4 address for now).
• Issue the command ip a.
• Notice that the IPv6 address is configured on the instance.

Congratulations — you now have a fully functional OCI compute instance using your own IPv6 address from a BYOIP CIDR, publicly routable and registered under your RIPE NCC administration.

Conclusion

Bringing your IPv6 address space into Oracle Cloud Infrastructure (OCI) offers complete control over your IP identity, allowing consistency across hybrid or multi-cloud environments and more flexible network design.

In this tutorial, you learned how to rent or acquire an IPv6 CIDR or how to use your own IPv6 CIDR, complete the necessary RIPE NCC administrative steps, import and validate the CIDR in OCI, and deploy it within your own OCI virtual network (VCN).

With your BYOIP IPv6 CIDR fully integrated and advertised, you can now assign and manage globally routable IPv6 addresses across your OCI workloads — under your RIR allocation.

Whether you're optimizing for compliance, network ownership, or technical consistency, BYOIP in OCI is a powerful capability that gives you complete autonomy over your cloud networking stack.