Network Architecture
This section provides detailed information about the network topology, subnet allocation, and security configuration for the LogScale OCI infrastructure.
Multi-Region DR Deployment: When deploying a DR pair, each cluster (primary and secondary) has its own independent Virtual Cloud Network (VCN). The suggested CIDR allocation is:
Primary: 10.0.0.0/16
Secondary: 10.1.0.0/16
VCN CIDRs must be unique per cluster within the same compartment. Cross-cluster communication happens via OCI DNS steering policies and remote Terraform state, not VCN peering.
Network Components Summary
Each cluster's infrastructure uses a single VCN with carefully planned subnet allocation that separates public and private resources:
| Component | Subnet Name | CIDR Block | Type | Purpose | Availability |
|---|---|---|---|---|---|
| VCN | ${cluster_name}-vcn | 10.0.0.0/16 | Regional | Primary network container for all resources | All ADs |
| Cluster Endpoint Subnet | ${cluster_name}-cluster-endpoint-subnet | 10.0.1.0/28 | Private | OKE control plane API endpoint | Regional |
| Load Balancer Subnet | ${cluster_name}-lb-subnet | 10.0.2.0/24 | Public | External load balancers and ingress | Regional |
| Worker Node Subnets | ${cluster_name}-node-pool-${AD} | Configurable per AD | Private | OKE worker nodes (per AD) | AD-specific |
| Pod Subnet | ${cluster_name}-pod-subnet | 10.0.64.0/18 | Private | Kubernetes pod networking (VCN-native) | Regional |
| Bastion Service | Uses first worker node subnet | N/A | Private | OCI Bastion Service target | AD-specific |
Note
Worker node subnet CIDR blocks are configurable through the ad_and_subnets variable. The example terraform.tfvars.example shows subnets such as 10.0.160.0/20, 10.0.176.0/20, and 10.0.192.0/20 for different availability domains.
Network Security Groups
Network Security Groups (NSGs) provide granular traffic control for different components:
| NSG Name | Applied To | Key Rules | Purpose |
|---|---|---|---|
| Worker Node NSG | Worker nodes | SSH from Bastion NSG, HTTPS from LB Subnet, K8s API (6443) from VCN | Control worker node access |
| API Endpoint NSG | Control plane | K8s API (6443) from VCN, HTTPS (443) from VCN | Secure API server access |
| Bastion NSG | Bastion service | SSH (22) from allowed IPs, Outbound to Worker NSG | Enable secure admin access |
| Load Balancer NSG | Load balancers | HTTP/HTTPS from internet, Outbound to Worker NSG | External traffic ingress |
Gateway Configuration
The VCN uses three types of gateways for different traffic patterns:
| Gateway Type | Purpose | Route Target | Associated Subnets |
|---|---|---|---|
| Internet Gateway | Internet access for public resources | 0.0.0.0/0 to/from Internet | Public subnet (LB); the OCI Bastion Service is managed and targets the private worker subnet, so it needs no public subnet |
| NAT Gateway | Outbound internet access for private resources | 0.0.0.0/0 to Internet | Private subnets (Workers, Pods) |
| Service Gateway | Access to OCI services | OCI service networks | All subnets |
Required Ports
The following ports are configured in the network security rules:
| Service | Port | Protocol | Direction | Purpose |
|---|---|---|---|---|
| SSH Access | 22 | TCP | Bastion to Workers | Administrative access |
| Kubernetes API | 6443 | TCP | VCN to Control Plane | Cluster management |
| Kubelet | 10250 | TCP | Control Plane to Workers | Node management |
| HTTP Ingress | 80 | TCP | Internet to Load Balancer | Web traffic |
| HTTPS Ingress | 443 | TCP | Internet to Load Balancer | Secure web traffic |
| NodePort Range | 30000-32767 | TCP | Load Balancer to Workers | Service exposure |
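The two tables above define the complete set of ingress flows the NSGs should allow. The following is an added example (not code from the LogScale OCI project) that encodes those flows as a policy and audits a rule set against it, flagging anything wider: a source of 0.0.0.0/0 outside the load-balancer NSG, a port range no single allowed flow covers, or a protocol other than TCP. The Rule records are constructed to mirror the fields of an OCI security rule (protocol, source, source type, TCP port range); the sample rules and the kubelet-from-endpoint-subnet flow are assumptions.

```python
"""Audit NSG ingress rules against the allowed flows in the tables above.

Added example, not code from the LogScale OCI project. The Rule records
below are constructed to mirror the fields of an OCI security rule
(protocol, source, source type, TCP port range); the sample rule set and
the 10250-from-endpoint-subnet flow are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

TCP = "6"  # OCI encodes the IP protocol as a string: "6" = TCP, "all" = every protocol


@dataclass(frozen=True)
class Rule:
    nsg: str        # NSG the ingress rule belongs to
    protocol: str   # "6" (TCP) or "all"
    source: str     # CIDR block, or "nsg:<name>" for a NETWORK_SECURITY_GROUP source
    port_min: int
    port_max: int


# Allowed ingress flows transcribed from the NSG and Required Ports tables:
# (nsg, lowest port, highest port, widest permitted source). 0.0.0.0/0 is
# legitimate only on the public load-balancer NSG.
POLICY = [
    ("lb",     80,    80,    "0.0.0.0/0"),
    ("lb",     443,   443,   "0.0.0.0/0"),
    ("worker", 22,    22,    "nsg:bastion"),
    ("worker", 30000, 32767, "10.0.2.0/24"),  # NodePort range, from the LB subnet only
    ("worker", 10250, 10250, "10.0.1.0/28"),  # kubelet, from the endpoint subnet (assumption)
    ("api",    6443,  6443,  "10.0.0.0/16"),
    ("api",    443,   443,   "10.0.0.0/16"),
]


def source_covers(allowed: str, actual: str) -> bool:
    """True when the policy source `allowed` is at least as wide as the rule source `actual`."""
    if allowed.startswith("nsg:") or actual.startswith("nsg:"):
        return allowed == actual  # NSG sources only match the same NSG
    return ipaddress.ip_network(actual).subnet_of(ipaddress.ip_network(allowed))


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per rule that is wider than POLICY allows; [] means clean."""
    findings: list[str] = []
    for r in rules:
        if r.protocol != TCP:
            findings.append(f"WARN {r.nsg}: protocol {r.protocol!r} from {r.source} is wider than TCP")
            continue
        permitted = any(
            nsg == r.nsg and lo <= r.port_min and r.port_max <= hi and source_covers(src, r.source)
            for nsg, lo, hi, src in POLICY
        )
        if not permitted:
            severity = "CRITICAL" if r.source == "0.0.0.0/0" else "WARN"
            findings.append(
                f"{severity} {r.nsg}: tcp {r.port_min}-{r.port_max} from {r.source} is not an allowed flow"
            )
    return findings


# Constructed sample: four rules that match the tables, three that do not.
SAMPLE_RULES = [
    Rule("lb", TCP, "0.0.0.0/0", 443, 443),
    Rule("lb", TCP, "0.0.0.0/0", 80, 80),
    Rule("worker", TCP, "nsg:bastion", 22, 22),
    Rule("worker", TCP, "10.0.2.0/24", 30000, 32767),
    Rule("worker", TCP, "0.0.0.0/0", 22, 22),          # SSH open to the internet
    Rule("api", "all", "10.0.0.0/16", 1, 65535),       # every protocol, not just 6443/443
    Rule("worker", TCP, "10.0.0.0/16", 30000, 32767),  # NodePorts reachable from the whole VCN
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

The check is deliberately strict: a rule passes only if one allowed flow covers both its whole port range and its whole source, so a single 80-443 rule or a NodePort rule sourced from the entire VCN is reported even though each individual port is permitted from some narrower source. In practice the rule list would come from the OCI SDK or CLI output for each NSG rather than from the constructed sample.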
Network Flow
External Access (Internet to Public Subnets):
Users access the Load Balancer via HTTPS (port 443) for application traffic
Administrators connect to the OCI Bastion Service for secure SSH access to private resources
Internal Communication (Private Subnets):
Load Balancer forwards traffic to Worker Nodes using NodePort services (30000-32767)
OCI Bastion Service provides SSH sessions to Worker Nodes and port-forwarding sessions to the private Kubernetes API endpoint (the managed control plane itself does not accept SSH)
Worker Nodes register with and receive work from the Control Plane over the Kubernetes API (port 6443); the Control Plane reaches each node's kubelet on port 10250
Worker Nodes communicate with Pods using VCN-native networking
Outbound Connectivity (Private to Internet):
Worker Nodes access internet through NAT Gateway for updates and external services
Worker Nodes store data in Object Storage through the Service Gateway's private OCI service endpoints, keeping that traffic off the NAT Gateway and the public internet
Security Boundaries
| Zone | Access Level | Components | Security Controls |
|---|---|---|---|
| Internet | Public | Users, External Services | DDoS Protection, WAF |
| Public Subnets | Controlled | Load Balancer subnet, OCI Bastion Service entry point | NSG Rules, IP Allowlists |
| Private Subnets | Restricted | Control Plane, Workers, Pods | Private IPs, NSG Isolation |
| OCI Services | Internal | NAT, Storage | Service Gateway, IAM |
Network CIDR Allocation
OCI reserves three addresses in every subnet (the first two and the last), so the usable count is the block size minus three. The VCN itself is only a container; its addresses are consumed by the subnets carved from it.
| Component | CIDR Block | Total Addresses | Usable IPs | Purpose |
|---|---|---|---|---|
| VCN | 10.0.0.0/16 | 65,536 | n/a (container) | Primary network container |
| Load Balancer | 10.0.2.0/24 | 256 | 253 | External traffic ingress |
| Control Plane | 10.0.1.0/28 | 16 | 13 | Kubernetes API endpoint |
| Worker Nodes | One /20 per AD (e.g. 10.0.160.0/20) | 4,096 per AD | 4,093 per AD | Compute instances |
| Pod Network | 10.0.64.0/18 | 16,384 | 16,381 | Container networking |
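Because the worker subnets are configurable (see the ad_and_subnets note above) while the endpoint, load-balancer and pod subnets are fixed, a misconfigured tfvars can produce overlapping or out-of-VCN blocks that only surface when the apply fails. The following is an added example (not code from the LogScale OCI project) that checks a subnet plan before Terraform runs: every block must lie inside the VCN, no two may overlap, and each must leave usable addresses after OCI's three reserved ones; it also confirms the DR pair's VCN CIDRs are disjoint. The CIDRs are the ones from the tables and the tfvars note; the subnet labels are illustrative.

```python
"""Check the subnet plan from the tables above before running Terraform.

Added example, not code from the LogScale OCI project. The CIDRs are the
ones in the tables (worker /20s from the terraform.tfvars.example note,
secondary VCN from the DR section); the subnet labels are illustrative.
OCI reserves the first two and the last address of every subnet, so the
usable count is total - 3.
"""
from __future__ import annotations

import ipaddress
from itertools import combinations

OCI_RESERVED_PER_SUBNET = 3  # network address, default gateway, broadcast address

PRIMARY_VCN = "10.0.0.0/16"
SECONDARY_VCN = "10.1.0.0/16"  # suggested DR secondary
PRIMARY_SUBNETS = {
    "cluster-endpoint": "10.0.1.0/28",
    "lb": "10.0.2.0/24",
    "pod": "10.0.64.0/18",
    "node-pool-AD-1": "10.0.160.0/20",
    "node-pool-AD-2": "10.0.176.0/20",
    "node-pool-AD-3": "10.0.192.0/20",
}


def usable_hosts(cidr: str) -> int:
    """Addresses left for instances/pods after OCI's three reserved addresses."""
    return ipaddress.ip_network(cidr).num_addresses - OCI_RESERVED_PER_SUBNET


def validate_plan(vcn: str, subnets: dict[str, str]) -> list[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems: list[str] = []
    vcn_net = ipaddress.ip_network(vcn)
    parsed = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: rejects host bits, e.g. 10.0.1.5/28
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        if not net.subnet_of(vcn_net):
            problems.append(f"{name}: {cidr} lies outside VCN {vcn}")
        if net.num_addresses <= OCI_RESERVED_PER_SUBNET:
            problems.append(f"{name}: {cidr} has no usable addresses after OCI reservations")
        parsed[name] = net
    # Every pair of subnets in one VCN must be disjoint; OCI rejects overlaps.
    for (a, na), (b, nb) in combinations(parsed.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems


def dr_pair_ok(primary_vcn: str, secondary_vcn: str) -> bool:
    """Primary and secondary VCN CIDRs must not overlap."""
    return not ipaddress.ip_network(primary_vcn).overlaps(ipaddress.ip_network(secondary_vcn))


if __name__ == "__main__":
    for name, cidr in PRIMARY_SUBNETS.items():
        print(f"{name:18} {cidr:16} usable={usable_hosts(cidr)}")
    print("problems:", validate_plan(PRIMARY_VCN, PRIMARY_SUBNETS) or "none")
    print("DR VCNs disjoint:", dr_pair_ok(PRIMARY_VCN, SECONDARY_VCN))
```

Running it on the documented plan reports no problems and the usable counts 13, 253, 16,381 and 4,093 per AD; feeding it a worker /20 that lands inside the 10.0.64.0/18 pod block, or a block outside 10.0.0.0/16, produces a named finding before any OCI API call is made.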