Network Architecture
This section provides detailed information about the network topology, subnet allocation, and security configuration for the LogScale OCI infrastructure.
Multi-Region DR Deployment: When deploying a DR pair, each cluster (primary and secondary) has its own independent Virtual Cloud Network (VCN). The suggested CIDR allocation is:
Primary: `10.0.0.0/16`
Secondary: `10.1.0.0/16`
VCN CIDRs must be unique (non-overlapping) per cluster within the same compartment. Cross-cluster communication happens via OCI DNS steering policies and remote Terraform state, not VCN peering.
Network Components Summary
Each cluster uses a single VCN with carefully planned subnet allocation to separate public and private resources:
| Component | Subnet Name | CIDR Block | Type | Purpose | Availability |
|---|---|---|---|---|---|
| VCN | `${cluster_name}-vcn` | `10.0.0.0/16` | Regional | Primary network container for all resources | All ADs |
| Cluster Endpoint Subnet | `${cluster_name}-cluster-endpoint-subnet` | `10.0.1.0/28` | Private | OKE control plane API endpoint | Regional |
| Load Balancer Subnet | `${cluster_name}-lb-subnet` | `10.0.2.0/24` | Public | External load balancers and ingress | Regional |
| Worker Node Subnets | `${cluster_name}-node-pool-${AD}` | Configurable per AD | Private | OKE worker nodes (per AD) | AD-specific |
| Pod Subnet | `${cluster_name}-pod-subnet` | `10.0.64.0/18` | Private | Kubernetes pod networking (VCN-native) | Regional |
| Bastion Service | Uses first worker node subnet | N/A | Private | OCI Bastion Service target | AD-specific |
Note: Worker node subnet CIDR blocks are configurable through the `ad_and_subnets` variable. The example `terraform.tfvars.example` shows subnets like `10.0.160.0/20`, `10.0.176.0/20`, and `10.0.192.0/20` for different availability domains.
Network Security Groups
Network Security Groups (NSGs) provide granular traffic control for different components:
| NSG Name | Applied To | Key Rules | Purpose |
|---|---|---|---|
| Worker Node NSG | Worker nodes | SSH from Bastion NSG, HTTPS from LB Subnet, K8s API (6443) from VCN | Control worker node access |
| API Endpoint NSG | Control plane | K8s API (6443) from VCN, HTTPS (443) from VCN | Secure API server access |
| Bastion NSG | Bastion service | SSH (22) from allowed IPs, Outbound to Worker NSG | Enable secure admin access |
| Load Balancer NSG | Load balancers | HTTP/HTTPS from internet, Outbound to Worker NSG | External traffic ingress |
Gateway Configuration
The VCN uses three types of gateways for different traffic patterns:
| Gateway Type | Purpose | Route Target | Associated Subnets |
|---|---|---|---|
| Internet Gateway | Internet access for public resources | `0.0.0.0/0` to/from Internet | Public subnet (Load Balancer); the OCI Bastion Service is reached through its Oracle-managed endpoint and targets the private worker subnet |
| NAT Gateway | Outbound internet access for private resources | `0.0.0.0/0` to Internet (outbound only) | Private subnets (Workers, Pods) |
| Service Gateway | Access to OCI services (Object Storage, OCI APIs) without traversing the internet | Oracle Services Network CIDR label | All subnets |
Required Ports
The following ports are configured in the network security rules:
| Service | Port | Protocol | Direction | Purpose |
|---|---|---|---|---|
| SSH Access | 22 | TCP | Bastion to Workers | Administrative access |
| Kubernetes API | 6443 | TCP | VCN to Control Plane | Cluster management |
| Kubelet | 10250 | TCP | Control Plane to Workers | Node management |
| HTTP Ingress | 80 | TCP | Internet to Load Balancer | Web traffic |
| HTTPS Ingress | 443 | TCP | Internet to Load Balancer | Secure web traffic |
| NodePort Range | 30000-32767 | TCP | Load Balancer to Workers | Service exposure |
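The two tables above (NSG rules and Required Ports) describe an allow-list: OCI NSGs deny ingress by default, rules only permit, and they are stateful, so return traffic needs no rule of its own. The check below is an added example, not code from the LogScale OCI project, and it encodes those ingress rules as data so that sample flows can be evaluated offline. The admin allowlist `203.0.113.0/24`, the NSG names (`bastion`, `worker`, `api`, `lb`, `pod`) and the sample source addresses are constructed for the example; egress rules are not modelled because the page states that the Bastion and Load Balancer NSGs permit outbound traffic to the Worker NSG.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

VCN = ipaddress.ip_network("10.0.0.0/16")
LB_SUBNET = ipaddress.ip_network("10.0.2.0/24")
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")
# Constructed admin allowlist; the real value comes from the deployment's variables.
ADMIN_ALLOWLIST = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class IngressRule:
    nsg: str                                    # NSG the rule is attached to
    source: Union[ipaddress.IPv4Network, str]   # CIDR, or the name of a source NSG
    port_min: int
    port_max: int
    note: str


# Ingress rules transcribed from the NSG and Required Ports tables on this page.
# NSG names are illustrative labels, not the Terraform resource names.
RULES = [
    IngressRule("bastion", ADMIN_ALLOWLIST, 22, 22, "SSH from allowed IPs"),
    IngressRule("worker", "bastion", 22, 22, "SSH from Bastion NSG"),
    IngressRule("worker", LB_SUBNET, 443, 443, "HTTPS from LB subnet"),
    IngressRule("worker", "lb", 30000, 32767, "NodePort range from load balancer"),
    IngressRule("worker", VCN, 6443, 6443, "K8s API from VCN"),
    IngressRule("worker", "api", 10250, 10250, "kubelet from control plane"),
    IngressRule("api", VCN, 6443, 6443, "K8s API from VCN"),
    IngressRule("api", VCN, 443, 443, "HTTPS from VCN"),
    IngressRule("lb", ANYWHERE, 80, 80, "HTTP from internet"),
    IngressRule("lb", ANYWHERE, 443, 443, "HTTPS from internet"),
]


def matching_rule(src_ip, src_nsg, dst_nsg, port):
    """Return the first ingress rule on dst_nsg that admits a TCP flow, else None.

    src_nsg is the NSG of the sending instance (None for hosts outside the VCN).
    A rule whose source is an NSG name matches only on NSG membership, never on
    the sender's address, which is what makes the bastion the sole SSH path."""
    ip = ipaddress.ip_address(src_ip)
    for r in RULES:
        if r.nsg != dst_nsg or not (r.port_min <= port <= r.port_max):
            continue
        if isinstance(r.source, str):
            if src_nsg == r.source:
                return r
        elif ip in r.source:
            return r
    return None


def is_allowed(src_ip, src_nsg, dst_nsg, port):
    return matching_rule(src_ip, src_nsg, dst_nsg, port) is not None


# Constructed sample flows: (src_ip, src_nsg, dst_nsg, port)
SAMPLE_FLOWS = [
    ("198.51.100.7", None, "lb", 443),        # user to ingress
    ("198.51.100.7", None, "worker", 22),     # internet SSH straight at a node
    ("203.0.113.10", None, "worker", 22),     # allowlisted admin bypassing the bastion
    ("203.0.113.10", None, "bastion", 22),    # allowlisted admin to the bastion
    ("10.0.160.5", "bastion", "worker", 22),  # bastion session onto a node
    ("10.0.2.9", "lb", "worker", 31000),      # LB to a NodePort
    ("10.0.64.20", "pod", "api", 6443),       # pod talking to the API server
    ("198.51.100.7", None, "api", 6443),      # internet to the API server
]


def evaluate(flows=SAMPLE_FLOWS):
    """Map each flow to True (allowed) or False (denied)."""
    return {flow: is_allowed(*flow) for flow in flows}


if __name__ == "__main__":
    for flow, ok in evaluate().items():
        print("ALLOW" if ok else "DENY ", *flow)
```

The point the table alone does not make explicit: an address on the admin allowlist reaches the bastion on port 22 but is still refused by the Worker NSG, because the worker rule keys on Bastion NSG membership rather than on a CIDR. If the worker rule were ever widened to a CIDR source, that property would silently disappear.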
Network Flow
External Access (Internet to Public Subnets):
Users access the Load Balancer via HTTPS (port 443) for application traffic
Administrators connect to the OCI Bastion Service for secure SSH access to private resources
Internal Communication (Private Subnets):
Load Balancer forwards traffic to Worker Nodes using NodePort services (30000-32767)
OCI Bastion Service provides secure SSH access to Worker Nodes and Control Plane
Control Plane manages Worker Nodes via Kubernetes API (port 6443)
Worker Nodes communicate with Pods using VCN-native networking
Outbound Connectivity (Private to Internet):
Worker Nodes access internet through NAT Gateway for updates and external services
Worker Nodes store data in Object Storage using private OCI service endpoints
Security Boundaries
| Zone | Access Level | Components | Security Controls |
|---|---|---|---|
| Internet | Public | Users, External Services | DDoS Protection, WAF |
| Public Subnets | Controlled | Load Balancer, Bastion | NSG Rules, IP Allowlists |
| Private Subnets | Restricted | Control Plane, Workers, Pods | Private IPs, NSG Isolation |
| OCI Services | Internal | NAT, Storage | Service Gateway, IAM |
Network CIDR Allocation
| Component | CIDR Block | Addresses in Block | Purpose |
|---|---|---|---|
| VCN | `10.0.0.0/16` | 65,536 | Primary network container |
| Load Balancer | `10.0.2.0/24` | 256 | External traffic ingress |
| Control Plane | `10.0.1.0/28` | 16 | Kubernetes API endpoint |
| Worker Nodes | Configurable /20 per AD | 4,096 per AD | Compute instances |
| Pod Network | `10.0.64.0/18` | 16,384 | Container networking |
OCI reserves the first two addresses and the last address of every subnet, so the usable host count is three fewer than the block size (for example, 13 usable addresses in the `/28` control plane endpoint subnet).
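The DR guidance at the top of this page (a distinct VCN CIDR per cluster) and the allocation table above are easy to get wrong by hand, for instance by carving a worker `/20` out of the pod `/18`, or by copying the primary tfvars into the secondary without changing the VCN. The script below is an added example, not part of the LogScale OCI project, that validates such a plan with Python's standard `ipaddress` module before Terraform is run: every subnet must sit inside its VCN, subnets within a VCN must not overlap, the two VCNs must not overlap, and usable host counts account for OCI's three reserved addresses per subnet. The subnet labels and the `derive_mirror` helper (which shifts the primary layout into the secondary VCN at identical offsets) are assumptions for the example; the CIDR values are the ones quoted on this page.

```python
import ipaddress
from itertools import combinations

# OCI reserves the first two addresses (network, default gateway) and the
# last address (broadcast) of every subnet.
OCI_RESERVED_PER_SUBNET = 3

# Primary cluster layout transcribed from this page; the three worker /20s
# are the values quoted from terraform.tfvars.example. Labels are illustrative.
PRIMARY = {
    "vcn": "10.0.0.0/16",
    "subnets": {
        "cluster-endpoint": "10.0.1.0/28",
        "lb": "10.0.2.0/24",
        "pod": "10.0.64.0/18",
        "node-pool-AD1": "10.0.160.0/20",
        "node-pool-AD2": "10.0.176.0/20",
        "node-pool-AD3": "10.0.192.0/20",
    },
}


def usable_hosts(cidr):
    """Host addresses left after OCI's per-subnet reservations."""
    return ipaddress.ip_network(cidr).num_addresses - OCI_RESERVED_PER_SUBNET


def derive_mirror(cluster, new_vcn_cidr):
    """Copy a cluster layout into another VCN, keeping each subnet at the same
    offset and prefix length (10.0.1.0/28 in 10.0.0.0/16 -> 10.1.1.0/28 in 10.1.0.0/16)."""
    old_vcn = ipaddress.ip_network(cluster["vcn"])
    new_vcn = ipaddress.ip_network(new_vcn_cidr)
    if new_vcn.prefixlen != old_vcn.prefixlen:
        raise ValueError("mirror VCN must have the same prefix length as the source VCN")
    subnets = {}
    for name, cidr in cluster["subnets"].items():
        net = ipaddress.ip_network(cidr)
        offset = int(net.network_address) - int(old_vcn.network_address)
        base = ipaddress.ip_address(int(new_vcn.network_address) + offset)
        subnets[name] = str(ipaddress.ip_network(f"{base}/{net.prefixlen}"))
    return {"vcn": str(new_vcn), "subnets": subnets}


def validate_cluster(label, cluster):
    """Return a list of problems: subnets outside the VCN, or overlapping each other."""
    problems = []
    vcn = ipaddress.ip_network(cluster["vcn"])
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in cluster["subnets"].items()}
    for name, net in nets.items():
        if not net.subnet_of(vcn):
            problems.append(f"{label}: {name} {net} is outside VCN {vcn}")
    for (a, na), (b, nb) in combinations(sorted(nets.items()), 2):
        if na.overlaps(nb):
            problems.append(f"{label}: {a} {na} overlaps {b} {nb}")
    return problems


def validate_dr_pair(primary, secondary):
    """Validate both clusters and require non-overlapping VCN CIDRs."""
    problems = validate_cluster("primary", primary) + validate_cluster("secondary", secondary)
    pv = ipaddress.ip_network(primary["vcn"])
    sv = ipaddress.ip_network(secondary["vcn"])
    if pv.overlaps(sv):
        problems.append(f"VCN CIDRs overlap: primary {pv}, secondary {sv}")
    return problems


if __name__ == "__main__":
    secondary = derive_mirror(PRIMARY, "10.1.0.0/16")
    for name, cidr in PRIMARY["subnets"].items():
        print(f"{name:18} {cidr:18} usable hosts: {usable_hosts(cidr)}")
    print("DR pair problems:", validate_dr_pair(PRIMARY, secondary) or "none")
```

Run it against the real `terraform.tfvars` values for both clusters before `terraform apply`; an empty problem list confirms the plan meets the page's uniqueness rule and that no worker `/20` collides with the pod `/18`.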