Service Gateway Routing Considerations
Answer ID 11851   |   Last Review Date 09/03/2021

What could cause a problem with an integration between Oracle services and our own tenancy?

Environment:

OCI, Integrations, Oracle Service Gateway

Issue:

In an integration between an Oracle-managed tenancy and a customer tenancy in the same region, where the customer tenancy routes Oracle services traffic through a service gateway, the connection was lost on the return path. Egress from the Oracle tenancy to the customer tenancy worked:
B2C Service -> NAT Gateway -> Customer tenancy
The return path failed because a route rule in the customer tenancy sent the reply traffic to the service gateway (SGW). The replies went to the SGW and never made it back to the Oracle tenancy, which had initiated the connection over the internet from its NAT gateway:
Customer tenancy -> SGW -> Black hole
 
Cause:
If the route table associated with your public subnet in a VCN includes the following two conflicting route rules, Oracle services might be unable to access your public instances in that subnet.
  1. Route rule with the Target Type set as internet gateway.
  2. Route rule with the Destination Service set as All <region> Services in Oracle Services Network and the Target Type set as service gateway.
These two route rules can lead to asymmetric routing when Oracle services initiate connections to public instances in your VCN: the connection arrives through the internet gateway, but the reply is addressed to an Oracle Services Network address, matches the service gateway rule, and is sent to the service gateway instead of back out through the internet gateway. Oracle Cloud Infrastructure does not support these rules simultaneously within the same route table. Oracle has updated the service APIs and the Console to disable support for this configuration.
 

Resolution:

One way to resolve this issue is to add a route rule in your VCN's route table for the Oracle NAT gateway's public IP address with your internet gateway, not the service gateway, as the target, so that return traffic leaves on the same path the inbound traffic arrived on.

Another resolution is to remove the route rule that has the Destination Service set as All <region> Services in Oracle Services Network and the Target Type set as service gateway. Revert to the configuration you used before adopting the service gateway for Oracle Services Network. With this change, your public instances retain access to all Oracle services through the internet gateway. Oracle services can continue to access your public instances.

Your instances in the public subnet can still access Object Storage through the service gateway. Update the subnet's route table to include a route rule with Destination Service set as OCI <region> Object Storage and the Target set to the VCN's service gateway; that rule does not conflict with the internet gateway rule.
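The following is an added example, not Oracle's code, that checks a route table for the conflicting pair described under Cause and applies the second resolution (remove the All <region> Services rule, keep Object Storage reachable through the same service gateway). Rule fields follow the OCI REST RouteRule object (destination, destinationType, networkEntityId); the OCIDs, the region key "xyz", the description strings and the function names are constructed placeholders and assumptions, not values from the original page.

```python
"""Detect the conflicting IGW + All-<region>-Services SGW pair and
repair the route table by narrowing the SGW rule to Object Storage.

Added example, not Oracle's code.  Rule fields follow the OCI REST
RouteRule object; OCIDs and the region key "xyz" are placeholders.
"""
import json
import re

# Constructed sample: the route table of a public subnet that has both a
# default route to an internet gateway and an "All <region> Services in
# Oracle Services Network" rule to a service gateway.  OCIDs are fake.
SAMPLE_ROUTE_RULES = [
    {
        "destination": "0.0.0.0/0",
        "destinationType": "CIDR_BLOCK",
        "networkEntityId": "ocid1.internetgateway.oc1.xyz.exampleigw",
        "description": "default route to the internet",
    },
    {
        "destination": "all-xyz-services-in-oracle-services-network",
        "destinationType": "SERVICE_CIDR_BLOCK",
        "networkEntityId": "ocid1.servicegateway.oc1.xyz.examplesgw",
        "description": "all Oracle Services Network traffic via SGW",
    },
]

# Service CIDR label used for "All <region> Services in Oracle Services
# Network"; the group captures the region key (e.g. phx, iad).
ALL_SERVICES_RE = re.compile(
    r"^all-([a-z0-9]+)-services-in-oracle-services-network$")


def gateway_type(rule):
    """Resource type encoded in the target OCID (ocid1.<type>.<realm>...)."""
    parts = rule.get("networkEntityId", "").split(".")
    return parts[1] if len(parts) > 1 and parts[0] == "ocid1" else ""


def is_all_services_sgw_rule(rule):
    """True for a service-gateway rule whose destination is All <region> Services."""
    return (
        rule.get("destinationType") == "SERVICE_CIDR_BLOCK"
        and gateway_type(rule) == "servicegateway"
        and ALL_SERVICES_RE.match(rule.get("destination", "")) is not None
    )


def has_asymmetric_routing_conflict(rules):
    """True when the table has both an internet-gateway rule and an
    All-<region>-Services rule targeting a service gateway."""
    has_igw = any(gateway_type(r) == "internetgateway" for r in rules)
    has_all_sgw = any(is_all_services_sgw_rule(r) for r in rules)
    return has_igw and has_all_sgw


def repaired_rules(rules):
    """Drop every All-<region>-Services SGW rule; if the table has no
    Object Storage rule for that region yet, add one on the same gateway."""
    kept = [r for r in rules if not is_all_services_sgw_rule(r)]
    present = {r.get("destination") for r in kept}
    for r in rules:
        if not is_all_services_sgw_rule(r):
            continue
        region = ALL_SERVICES_RE.match(r["destination"]).group(1)
        label = f"oci-{region}-objectstorage"  # "OCI <region> Object Storage"
        if label in present:
            continue
        kept.append({
            "destination": label,
            "destinationType": "SERVICE_CIDR_BLOCK",
            "networkEntityId": r["networkEntityId"],
            "description": "Object Storage only via SGW",
        })
        present.add(label)
    return kept


if __name__ == "__main__":
    print("conflict before:", has_asymmetric_routing_conflict(SAMPLE_ROUTE_RULES))
    fixed = repaired_rules(SAMPLE_ROUTE_RULES)
    print("conflict after: ", has_asymmetric_routing_conflict(fixed))
    print(json.dumps(fixed, indent=2))
```

To run this against a real table, feed it the route rules returned by the OCI API or SDK for the public subnet's route table; note that the OCI CLI's JSON output uses hyphenated keys ("destination-type", "network-entity-id"), so rename those to the REST field names first. The repair is idempotent: running it on an already-repaired table returns the rules unchanged.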

This known issue applies only to public subnets that have access to an internet gateway. Regarding private subnets: you can still configure a private subnet's route table to provide access to All <region> Services in Oracle Services Network or to OCI <region> Object Storage through the VCN's service gateway.


Additional Resources:

Access to Oracle Services: Service Gateway

Oracle Service Gateway

Virtual Cloud Network (VCN) FAQ