OCI VCN Subnet Planning
Oracle Cloud Infrastructure (OCI) reserves 3 IP addresses per subnet, the fewest of any major cloud provider. This makes OCI the most address-efficient option for tightly-packed subnet plans.
OCI Reserved IPs
For any subnet, OCI reserves:
| Address | Purpose |
|---|---|
| Network + 0 | Network address |
| Network + 1 | Default gateway |
| Last address | Broadcast address |
Example: In a 10.0.1.0/24 subnet:
- 10.0.1.0 is the network address
- 10.0.1.1 is the default gateway
- 10.0.1.255 is the broadcast address
- Usable range: 10.0.1.2 through 10.0.1.254 = 253 hosts
This is only 1 less than the 254 usable hosts a standard /24 provides (RFC 950 reserves only the network and broadcast addresses), making OCI the closest to standard behavior among cloud providers.
Minimum Subnet Size
The smallest subnet OCI allows is /30 (4 addresses, 1 usable after the 3 reserved). This is smaller than the minimum on AWS (/28) and on Azure/GCP (/29). A /30 in OCI provides a single usable IP, which can be useful for dedicated service endpoints.
VCN Architecture
OCI networking is organized around Virtual Cloud Networks (VCNs). A VCN is assigned one CIDR block, or several, since OCI supports multiple CIDR ranges per VCN. Subnets can be either regional (spanning all availability domains in a region) or AD-specific (limited to one availability domain).
Regional subnets are recommended for new deployments because they simplify management and provide better availability.
Recommended VCN Layout
A common production VCN uses a /16 address space:

```
VCN: 10.0.0.0/16 (65,536 addresses)
+----- Public Subnets (regional)
| +--- 10.0.1.0/24   Load balancers (253 hosts)
| +--- 10.0.2.0/24   Bastion hosts (253 hosts)
+----- Private Subnets (regional)
| +--- 10.0.10.0/24  App tier (253 hosts)
| +--- 10.0.11.0/24  App tier overflow (253 hosts)
| +--- 10.0.20.0/24  Database tier (253 hosts)
| +--- 10.0.21.0/24  Database standby (253 hosts)
+----- OKE Subnets
| +--- 10.0.100.0/24 Worker nodes (253 hosts)
| +--- 10.0.200.0/16-subset Pod IPs (via CNI)
+----- Spare: remaining space for growth
```
Public vs. Private Subnets
In OCI, subnets have an explicit public or private designation:
- Public subnets allow instances to have public IP addresses. A public subnet must be associated with a route table that has an Internet Gateway.
- Private subnets block public IP assignment entirely. Instances reach the internet (if needed) via a NAT Gateway.
This differs from AWS, where any subnet can technically carry public IPs (controlled by the auto-assign setting). In OCI, the public/private distinction is fixed at subnet creation time.
Security Model
OCI uses two layers of network security:
| Layer | Scope | State |
|---|---|---|
| Security Lists | Per-subnet | Stateful (default) or stateless |
| Network Security Groups (NSGs) | Per-VNIC (network interface) | Stateful |
Security Lists apply to all resources in a subnet. NSGs apply to individual VNICs and can be shared across subnets. OCI recommends using NSGs for fine-grained control and Security Lists for broad subnet-level rules.
Sizing Tips
| Scenario | Recommended CIDR | Usable (OCI) |
|---|---|---|
| Minimal service endpoint | /30 | 1 |
| Small utility subnet | /28 | 13 |
| Standard workload | /24 | 253 |
| OKE worker nodes | /24 | 253 |
| Large workload | /20 | 4,093 |
OKE (Kubernetes) Networking
Oracle Kubernetes Engine (OKE) supports two CNI plugins:
- Flannel overlay: Pods get IPs from a virtual overlay network, not from VCN subnets. Node subnet sizing only needs to fit node count.
- OCI VCN-Native Pod Networking: Pods get VCN IPs directly (similar to AWS VPC CNI). Requires larger subnets to fit both nodes and pods.
For VCN-Native networking, plan the pod subnet at /20 or larger to accommodate pod density.
Multi-VCN with DRG
For larger deployments, OCI uses a Dynamic Routing Gateway (DRG) to connect multiple VCNs:
- Hub VCN: Shared services, firewall appliances, DNS.
- Spoke VCNs: Workload-specific, peered through the DRG.
- On-premises: Connected via FastConnect or IPSec VPN through the DRG.
Each VCN needs a unique, non-overlapping CIDR range. Plan your IPAM across all VCNs before creating any.
Common Mistakes
- Overlapping CIDR ranges. VCN peering via DRG requires non-overlapping ranges. Plan the full address map up front.
- Using AD-specific subnets. Regional subnets are simpler and more resilient. Use AD-specific subnets only when required by legacy services.
- Forgetting the public/private distinction. Unlike AWS, this cannot be changed after creation. Plan subnet types before deploying.
- Undersizing for OKE VCN-Native networking. Pod IPs consume VCN addresses. Size the pod subnet for peak cluster capacity.
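To check a layout like the one above against OCI's 3-reserved-address rule, the /30 minimum, and the non-overlap requirement for VCNs peered through a DRG, here is an added Python example using only the standard library (it is not code from this page's calculator or from Oracle); the function names and the constructed sample plan are assumptions.

```python
from ipaddress import ip_network
from itertools import combinations

# OCI reserves the network address, the default gateway (network + 1)
# and the broadcast address in every subnet.
OCI_RESERVED = 3
OCI_MIN_PREFIX = 30  # smallest subnet OCI allows

def oci_usable_hosts(cidr):
    """Usable host count for an OCI subnet (/30 -> 1, /28 -> 13, /24 -> 253)."""
    net = ip_network(cidr)  # strict: rejects a misaligned CIDR such as 10.0.1.1/24
    if net.prefixlen > OCI_MIN_PREFIX:
        raise ValueError(f"{cidr}: OCI does not allow subnets smaller than /30")
    return net.num_addresses - OCI_RESERVED

def oci_address_roles(cidr):
    """Map the reserved and usable addresses of an OCI subnet."""
    net = ip_network(cidr)
    return {
        "network": str(net.network_address),
        "gateway": str(net.network_address + 1),
        "first_usable": str(net.network_address + 2),
        "last_usable": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
    }

def overlapping_pairs(named_cidrs):
    """Return (name_a, name_b) for every pair of ranges that overlap."""
    nets = {name: ip_network(c) for name, c in named_cidrs.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def validate_vcn_plan(vcn_cidr, subnets):
    """Problems with a subnet plan: subnets outside the VCN or overlapping each other."""
    vcn = ip_network(vcn_cidr)
    problems = [f"{name} {c} lies outside VCN {vcn}"
                for name, c in subnets.items() if not ip_network(c).subnet_of(vcn)]
    problems += [f"{a} {subnets[a]} overlaps {b} {subnets[b]}"
                 for a, b in overlapping_pairs(subnets)]
    return problems

def validate_drg_vcns(vcns):
    """VCNs peered through one DRG (and on-prem ranges) must not overlap."""
    return [f"{a} {vcns[a]} overlaps {b} {vcns[b]}" for a, b in overlapping_pairs(vcns)]

if __name__ == "__main__":
    # Constructed plan (hypothetical) following the layout in this page.
    plan = {"lb": "10.0.1.0/24", "bastion": "10.0.2.0/24", "app": "10.0.10.0/24",
            "db": "10.0.20.0/24", "oke_nodes": "10.0.100.0/24"}
    print({name: oci_usable_hosts(c) for name, c in plan.items()})  # all 253
    print(validate_vcn_plan("10.0.0.0/16", plan))  # []
    print(validate_drg_vcns({"hub": "10.0.0.0/16", "spoke": "10.0.128.0/17"}))  # one overlap
```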
Tools
Use our subnet calculator with Oracle Cloud mode to see correct host counts with 3 reserved IPs. The VLSM planner can generate multi-tier VCN layouts with correct OCI sizing.