OCI: Zero-Trust Packet Routing - Draft

 What is ZPR?

===> ZPR is a network-security control in OCI that introduces an intent-based security policy layer for packet routing (i.e., network traffic) based on resource attributes (“security attributes”) rather than just network topology, IPs, subnets, etc. 

Ref: https://docs.oracle.com/en-us/iaas/Content/zero-trust-packet-routing/

==>It is intended to decouple network architecture from network security. In other words, network changes (adding subnets, VCNs, routing fabric) should not inadvertently weaken the security posture because ZPR policies still govern “who can talk to whom” regardless of architecture. 

Ref: https://www.prnewswire.com/news-releases/oracle-strengthens-organizations-cloud-security-posture-by-separating-network-security-from-network-architecture-302243043.html 

==>The service was announced (in preview or GA) for OCI as of October 2024. 

Ref: https://docs.oracle.com/en-us/iaas/releasenotes/zero-trust-packet-routing/introducing-zpr.htm 

Local VCN Peering (Using LPGs) vs Remote Peering

 

 Technical Architecture

1. Local VCN Peering (LPGs):

• Uses Local Peering Gateways to connect two VCNs within the same region - Think of two playgrounds in the same neighborhood

• Traffic stays inside Oracle’s regional backbone, not traversing the internet.

• Routes must be configured in each VCN’s route table to send traffic through its LPG.

• Security rules and Network Security Groups (NSGs) apply to control access.

Example Use Cases:

• A “hub-and-spoke” network model within one region.

• Centralized network services (DNS, NAT, firewalls) accessed by other VCNs.

Key Points:

• Cannot connect VCNs in different regions.

• Simple, cost-effective, and low-latency.

• Each LPG can peer with one VCN at a time (one-to-one).

2. Remote VCN Peering:

• Uses Remote Peering Gateways (RPGs) to connect VCNs across regions - two playgrounds in different cities

• Communication occurs via OCI’s private backbone, not over the public internet.

• You set up an RPG in each VCN and establish a remote peering connection between them.

Example Use Cases:

• Multi-region deployments for disaster recovery.

• Cross-region data replication or centralized monitoring.

Key Points:

• Traffic remains private (never goes over the public internet).

• Slightly higher latency than local peering (due to inter-region distance).

• Each RPG can peer with only one other RPG.

Feature	Local VCN Peering (LPG)	Remote VCN Peering
Purpose	Connect VCNs within the same region	Connect VCNs across regions
Connection Type	Via Local Peering Gateways (LPGs)	Via Remote Peering Gateways (RPGs)
Latency	Lower latency (same-region routing)	Higher latency (cross-region routing)
Bandwidth	Uses regional network — typically higher	Limited by inter-region connectivity
Use Case	For multi-VCN architectures in a single region (e.g., shared services, segmentation)	For multi-region architectures (e.g., DR, cross-region data access)

Aspect	Local Peering	Remote Peering
Security Lists/NSGs	Required for traffic control between VCNs	Required for traffic control between VCNs
Route Tables	Must add route to LPG	Must add route to RPG
Policies (IAM)	Required if peering VCNs in different compartments	Required if VCNs are in different tenancies or compartments

Criteria	Local Peering (LPG)	Remote Peering (RPG)
Regions	Same	Different
Gateway Type	Local Peering Gateway (LPG)	Remote Peering Gateway (RPG)
Traffic Path	Regional backbone	OCI inter-region backbone
Performance	High (low latency)	Moderate (depends on distance)
Cost	No egress cost within region	Inter-region data transfer charges may apply
Setup Complexity	Simple	Slightly more complex
Common Use Case	Hub-and-spoke within region	Multi-region DR or replication