Using OCI Network Path Analyser with On-Premises end-points
OCI Network Path Analyser is a diagnostic tool provided by Oracle Cloud Infrastructure (OCI) to help users troubleshoot and optimize network paths within their cloud environments. OCI Network Path Analyser with On-Premises end-points extends the capabilities of the OCI Network Path Analyser to include analysis of network paths that start or end in an on-premises environment.
This tutorial will show you different scenarios of how this OCI Network Path Analyser with On-Premises end-point enabled and disabled.
OCI Network Path Analyser (NPA)
OCI Network Path Analyser is a diagnostic tool provided by Oracle Cloud Infrastructure (OCI) to help users troubleshoot and optimize network paths within their cloud environments. This tool is handy for identifying potential network issues, understanding the performance of network paths, and ensuring that the network configurations align with best practices and operational requirements.
Key Features and Capabilities
1. End-to-End Path Analysis: The Network Path Analyser can trace the complete path between two points in your network, such as between instances, subnets, or across VCNs (Virtual Cloud Networks). This helps in understanding the route traffic takes and identifying any potential bottlenecks or misconfigurations.
2. Network Hop Visibility: It provides detailed visibility into each hop along the network path, including details like latency, packet loss, and the status of each hop. This helps in pinpointing where issues may be occurring.
3. Performance Metrics: Users can view performance metrics for each segment of the path, which aids in diagnosing performance-related issues and ensuring that the network is performing optimally.
4. Configuration Validation: The tool can validate network configurations against OCI best practices, helping to identify misconfigurations that could lead to network performance issues or failures.
5. Security Group and Route Table Analysis: It analyzes security group rules and route tables that affect the network path, providing insights into whether the correct rules and routes are in place for the desired traffic flow.
6. Troubleshooting Assistance: By identifying and highlighting problem areas in the network path, the Network Path Analyser aids in faster troubleshooting and resolution of network issues.
Use Cases
- Network Troubleshooting: Quickly identify where network issues are occurring and understand the root cause.
- Performance Optimisation: Ensure that your network paths are configured for optimal performance by analyzing latency and packet loss.
- Configuration Audits: Regularly check your network configurations to ensure they align with OCI best practices and operational requirements.
- Security Validation: Verify that security group rules and route tables are correctly configured to allow or deny the intended traffic.
How It Works
- Initiation: Users can initiate the network path analysis from the OCI console by specifying the source (an on-premises endpoint) and the destination (within OCI or another on-premises location).
- Path Mapping: The tool maps out the entire network path, including OCI components (VCNs, subnets, etc.) and on-premises network components (routers, switches, firewalls, etc.).
- Data Collection and Analysis: Collects performance metrics and configuration data at each hop along the path, providing detailed insights into each segment.
- Visualization and Reporting: Presents the analyzed data in a user-friendly interface, often with visual representations of the network path, performance metrics, and configuration status.
Benefits
- Improved Visibility: Gain deep visibility into your network paths within OCI.
- Enhanced Performance: Optimize network performance by identifying and resolving issues.
- Increased Security: Ensure that your network security configurations are correctly implemented and effective.
- Efficient Troubleshooting: Reduce the time and effort needed to diagnose and fix network problems.
OCI Network Path Analyser is a powerful tool for any organization using Oracle Cloud Infrastructure, helping to maintain a robust, efficient, and secure cloud network environment.
NPA with On-Premises end-points
OCI Network Path Analyser with On-Premises end-points extends the capabilities of the OCI Network Path Analyser to include analysis of network paths that start or end in an on-premises environment. This integration is particularly beneficial for hybrid cloud architectures where resources are spread across both on-premises data centers and Oracle Cloud Infrastructure (OCI).
The testing scenarios
Initial Architecture
The initial network architecture that I will use for testing is an OCI environment with two VCNs and an ON-PREM environment that is connected with an IPSEC tunnel to the OCI environment.
The subnet information for the full architecture can be found below:
Location | Subnet | Notes |
---|---|---|
ON-PREM | 10.222.10.0/24 | This is an overlapping subnet with NPA-VCN-A! |
NPA-VCN-A | 10.222.10.0/24 | This is an overlapping subnet with ON-PREM! |
NPA-VCN-B | 10.222.11.0/24 |
Because NPA-VCN-A and ON-PREM have overlapping CIDR space I will start with a DE-ATTACHED NPA-VCN-A. So NPA-VCN-A will not be attached to the DRG and will not participate in the routing architecture from the start.
Test Scenario 1
The first test scenario will use the following Path Analysis Parameters:
Location | IP address | IP address on-premises setting | Port | |
---|---|---|---|---|
Source | OCI | 10.222.11.65 | Unchecked | N/A |
Destination | ON-PREM | 10.222.10.100 | Checked | 22 |
Keep in mind that NPA-VCN-A with overlapping Subnet ON-PREM is not part of the routing architecture.
1. Click on the hamburger menu in the upper left corner.
2. Click on Networking.
3. Click on Network Path Analyser.
Path Analysis Settings
- Click on the Create path analysis button.
1. Specify a name.
2. Select TCP for the protocol.
3. Select Enter IP address for the Source.
4. Type in the Source IP address.
5. Scroll Down
1. Select Enter IP address for the Destination.
2. Type in the Destination IP address.
3. Check the box: The IP address is an on-premises endpoint.
4. Type in the Destination Port.
5. Click on the Run analysis button.
- Scroll down.
- Notice that the analysis has started, it will take around a minute to complete.
Test Results
1. Notice that the forward path status is reachable and the number of hops is 4.
2. Notice the visual routing path the packet has taken from the source to the destination.
3. Click on the arrow to expand.
4. Look at the detailed diagram information.
5. Scroll down.
1. Notice that the return path status is reachable and the number of hops is 4.
2. Notice the visual routing path the packet has taken from the source to the destination.
3. Click on the arrow to expand.
4. Look at the detailed diagram information.
5. Click on the Save analysis button.
This test passed because there is a network with 10.222.10.0/24 in the routing table, and NPA is checking for this network ON-PREM.
Test Scenario 2
The first and second scenarios will use the following Path Analysis Parameters:
Location | IP address | IP address on-premises setting | Port | |
---|---|---|---|---|
Source | OCI | 10.222.11.65 | Unchecked | N/A |
Destination | ON-PREM | 10.222.10.100 | Unchecked | 22 |
Keep in mind that NPA-VCN-A with overlapping Subnet ON-PREM is not part of the routing architecture.
Path Analysis Settings
- Click on the Create path analysis button.
1. Specify a name.
2. Select TCP for the protocol.
3. Select Enter IP address for the Source.
4. Type in the Source IP address.
5. Scroll Down
1. Select Enter IP address for the Destination.
2. Type in the Destination IP address.
3. Leave the box unchecked: The IP address is an on-premises endpoint.
4. Type in the Destination Port.
5. Click on the Run analysis button.
- Notice that the analysis has started, it will take around a minute to complete.
Test Results
1. Notice that the forward path status is indeterminate and the number of hops is 0.
2. Notice error message
Cannot determine the path.
IP address 10.222.10.100 is associated with the following listed overlapping resources.
Possible causes:
- 1: There are multiple route table entries for the destination. - Review route table for overlaps for 10.222.10.0/25. - 2: There is a missing route table entry for the destination. - Review the route table for missing routes for 10.222.10.0/25. - Overlapping resources: ExternalNetwork, ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaas3jilha3is4uhq7q25qzeyxcv4qqqt5bucjlwszujf6krs3ydy6q, ExternalNetwork - 3. Click on the Save analysis button.
This test failed because there is no network with 10.222.10.0/24 in the routing tables, and NPA is not checking for this network ON-PREM.
Test Scenario 3
The third-second scenario will use the following Path Analysis Parameters:
Location | IP address | IP address on-premises setting | Port | |
---|---|---|---|---|
Source | OCI | 10.222.11.65 | Unchecked | N/A |
Destination | ON-PREM | 10.222.10.100 | Checked | 22 |
Notice that NPA-VCN-A with overlapping Subnet ON-PREM is now of the routing architecture.
Attaching NPA-VCN-A
- Before we start testing scenario #3 I will first attach the NPA-VCN-A to the DRG.
1. Click on the hamburger menu in the upper left corner.
2. Click on Networking.
3. Click on Dynamic Routing Gateway.
- Click on the DRG.
1. Click on VCN Attachments.
2. Click on the Create virtual cloud network attachment button.
1. Specify a name.
2. Select the NPA-VCN-A VCN
3. Click on the Create VCN attachment button.
- Notice that the NPA-VCN-A VCN is now attached.
Path Analysis Settings
- Go back the the Path Analyser and create a new path analysis.
1. Specify a name.
2. Select TCP for the protocol.
3. Select Enter IP address for the Source.
4. Type in the Source IP address.
5. Scroll Down
1. Select Enter IP address for the Destination.
2. Type in the Destination IP address.
3. Check the box: The IP address is an on-premises endpoint.
4. Type in the Destination Port.
5. Click on the Run analysis button.
- Notice that the analysis has started, it will take around a minute to complete.
Test Results
1. Notice that the forward path status is indeterminate and the number of hops is 0.
2. Notice the error message
Cannot determine the path.
IP address 10.222.10.100 is associated with the following listed overlapping resources.
Possible causes:
- 1: There are multiple route table entries for the destination.
- Review route table for overlaps for 10.222.10.0/25.
- 2: There is a missing route table entry for the destination.
- Review the route table for missing routes for 10.222.10.0/25.
- Overlapping resources: ExternalNetwork, ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaas3jilha3is4uhq7q25qzeyxcv4qqqt5bucjlwszujf6krs3ydy6q
3. Click on the Save analysis button.
This test failed because of the overlapping Subnets ON-PREM and NPA-VCN-A. NPA has two paths to the 10.222.10.0/24 network and does not know which one to take even though the NPA is checking for this network ON-PREM.
Test Scenario 4
The fourth-second scenario will use the following Path Analysis Parameters:
Location | IP address | IP address on-premises setting | Port | |
---|---|---|---|---|
Source | OCI | 10.222.11.65 | Unchecked | N/A |
Destination | ON-PREM | 10.222.10.100 | Unchecked | 22 |
Notice that NPA-VCN-A with overlapping Subnet ON-PREM is still part of the routing architecture.
Path Analysis Settings
- Click on the Create path analysis button.
1. Specify a name.
2. Select TCP for the protocol.
3. Select Enter IP address for the Source.
4. Type in the Source IP address.
5. Scroll Down
1. Select Enter IP address for the Destination.
2. Type in the Destination IP address.
3. Leave the box unchecked: The IP address is an on-premises endpoint.
4. Type in the Destination Port.
5. Click on the Run analysis button.
- Notice that the analysis has started, it will take around a minute to complete.
Test Results
1. Notice that the forward path status is reachable and the number of hops is 3.
2. Notice the visual routing path the packet has taken from the source to the destination.
3. Click on the arrow to expand.
4. Look at the detailed diagram information.
5. Scroll down.
1. Notice that the return path status is reachable and the number of hops is 4.
2. Notice the visual routing path the packet has taken from the source to the destination.
3. Click on the arrow to expand.
4. Look at the detailed diagram information.
5. Click on the Save analysis button.
Notice that I specified the IP address that is ON-OREM (10.222.10.100) but the path that the NPA has taken is towards the OCI NPA-VCN-A VCN.
This test is passing even though I have specified an IP address ON-PREM, but because NPA is not checking for this network ON-PREM and the same network is available within OCI NPA will mark it as a pass.
Test Scenario 5
The fifth-second scenario will use the following Path Analysis Parameters:
Location | IP address | IP address on-premises setting | Port | |
---|---|---|---|---|
Source | OCI | 10.222.11.65 | Unchecked | N/A |
Destination | OCI | 10.222.10.98 | Checked | 22 |
Notice that I am now using the OCI Subnet (inside the NPA-VCN-A VCN) as a destination.
Notice that NPA-VCN-A with overlapping Subnet ON-PREM is still part of the routing architecture.
Path Analysis Settings
- Click on the Create path analysis button.
1. Specify a name.
2. Select TCP for the protocol.
3. Select Enter IP address for the Source.
4. Type in the Source IP address.
5. Scroll Down
1. Select Enter IP address for the Destination.
2. Type in the Destination IP address.
3. Check the box: The IP address is an on-premises endpoint.
4. Type in the Destination Port.
5. Click on the Run analysis button.
- Notice that the analysis has started, it will take around a minute to complete.
Test Results
1. Notice that the forward path status is indeterminate and the number of hops is 0.
2. Notice the error message
Cannot determine the path.
IP address 10.222.10.98 is associated with the following listed overlapping resources.
Possible causes:
- 1: There are multiple route table entries for the destination.
- Review route table for overlaps for 10.222.10.0/25.
- 2: There is a missing route table entry for the destination.
- Review the route table for missing routes for 10.222.10.0/25.
- Overlapping resources: ExternalNetwork, ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaas3jilha3is4uhq7q25qzeyxcv4qqqt5bucjlwszujf6krs3ydy6q
3. Click on the Save analysis button.
This test failed because the IP address I specified in the destination is not ON-PREM but in OCI.
This test is the same as test scenario #3.
Test Scenario 6
The sixth-second scenario will use the following Path Analysis Parameters:
Location | IP address | IP address on-premises setting | Port | |
---|---|---|---|---|
Source | OCI | 10.222.11.65 | Unchecked | N/A |
Destination | OCI | 10.222.10.98 | Unchecked | 22 |
Notice that I am now using the OCI Subnet (inside the NPA-VCN-A VCN) as a destination.
Notice that NPA-VCN-A with overlapping Subnet ON-PREM is still part of the routing architecture.
Path Analysis Settings
- Click on the Create path analysis button.
1. Specify a name.
2. Select TCP for the protocol.
3. Select Enter IP address for the Source.
4. Type in the Source IP address.
5. Scroll Down
1. Select Enter IP address for the Destination.
2. Type in the Destination IP address.
3. Leave the box unchecked: The IP address is an on-premises endpoint.
4. Type in the Destination Port.
5. Click on the Run analysis button.
- Notice that the analysis has started, it will take around a minute to complete.
Test Results
1. Notice that the forward path status is reachable and the number of hops is 3.
2. Notice the visual routing path the packet has taken from the source to the destination.
3. Click on the arrow to expand.
4. Look at the detailed diagram information.
5. Scroll down.
1. Notice that the return path status is reachable and the number of hops is 4.
2. Notice the visual routing path the packet has taken from the source to the destination.
3. Click on the arrow to expand.
4. Look at the detailed diagram information.
5. Click on the Save analysis button.
This test passed because there is a network with 10.222.10.0/24 in the routing table, and NPA is not checking for this network ON-PREM. So the network has to be within OCI.
This test is the same as test scenario #4.
Conclusion
This tutorial has shown you how the OCI Network Path Analyser with On-Premises endpoints significantly enhances the ability of organizations to manage and troubleshoot their hybrid cloud environments. By providing comprehensive visibility into network paths that span both Oracle Cloud Infrastructure and on-premises data centers, this tool ensures that network performance is optimized and that potential issues can be identified and resolved quickly. The detailed performance metrics, configuration validations, and security checks offered by OCI NPA enable IT teams to maintain robust, efficient, and secure network infrastructures. As hybrid cloud architectures become increasingly common, tools like OCI Network Path Analyser with On-Premises endpoints are indispensable for achieving seamless integration and operation across diverse network environments. This leads to improved application performance, reduced downtime, and enhanced overall operational efficiency.
Test Scenario | Result | Overlapping CIDR | NPA On-Prem DST checked | Clarification |
---|---|---|---|---|
1 | PASS | No | Yes | This test passed because there is a network with 10.222.10.0/24 in the routing table, and NPA is checking for this network ON-PREM. |
2 | FAIL | No | No | This test failed because there is no network with 10.222.10.0/24 in the routing tables, and NPA is not checking for this network ON-PREM. |
3 | FAIL | Yes | Yes | This test failed because of the overlapping Subnets ON-PREM and in NPA-VCN-A. NPA has two paths to the 10.222.10.0/24 network and does not know which one to take even though the NPA is checking for this network ON-PREM. |
4 | PASS | Yes | No | This test is passing even though I have specified an IP address ON-PREM, but because NPA is not checking for this network ON-PREM and the same network is available within OCI NPA will mark it as a pass. |
5 | FAIL | Yes | Yes | This test failed because the IP address I specified in the destination is not ON-PREM but in OCI. This test is the same as test scenario #3. |
6 | PASS | Yes | No | This test passed because there is a network with 10.222.10.0/24 in the routing table, and NPA is not checking for this network ON-PREM. So the network has to be within OCI. This test is the same as test scenario #4. |