Hybrid is the normal state for Oracle estates. Databases, identity systems, file shares and legacy applications stay on premises for years while new workloads land in OCI, and the two have to behave as one network. The quality of that connection decides whether the hybrid period feels seamless or fragile. This guide walks through the connectivity options, when each fits, and how to build the link so a single failure does not take it down.
The three building blocks
Connecting OCI to on premises uses three components in combination. The Dynamic Routing Gateway (DRG) is the OCI side router that on premises connectivity attaches to. FastConnect is a private, dedicated link between your network and OCI that does not traverse the public internet. Site to site VPN is an IPSec tunnel that runs, encrypted, over the public internet. Almost every design uses the DRG plus one or both of FastConnect and VPN.
We compare the two link types in depth in FastConnect vs VPN on OCI, and explain the routing device in the DRG guide. Here the focus is on choosing and combining them for a production hybrid network.
FastConnect, VPN, or both
| Factor | FastConnect | Site to site VPN |
|---|---|---|
| Path | Private, dedicated circuit | Encrypted tunnel over the public internet |
| Bandwidth | 1 Gbps to 100 Gbps, predictable | Limited per tunnel, variable |
| Latency | Low and consistent | Depends on internet conditions |
| Setup time | Days to weeks via a partner or provider | Hours, software configuration only |
| Cost profile | Port fee plus provider circuit | No OCI charge, internet egress applies |
| Typical role | Primary path for production | Backup path, or primary for small estates |
The mature answer for production is usually both. FastConnect carries the steady, high volume traffic with predictable latency, and a site to site VPN stands by as an automatic failover so the estate stays connected if the circuit drops. Both attach to the same DRG, and route preference decides which path carries traffic, so failover is a routing event rather than a manual cutover. Small estates and early projects often start with VPN alone because it is fast to stand up, then add FastConnect once the workload justifies the circuit.
A connectivity decision framework
- Quantify the traffic. Estimate sustained throughput, peak bursts and latency tolerance between OCI and on premises. Database replication and backup traffic dwarf interactive traffic and usually decide the link size.
- Set the resilience target. Decide whether the link needs to survive a single circuit failure, a provider failure or a regional event, and design redundancy to match that target rather than to a generic ideal.
- Choose the primary path. FastConnect for sustained production volume and predictable latency, VPN for speed of delivery, low volume or as a stopgap before a circuit lands.
- Add a backup path. A VPN backing up FastConnect is the common production pattern. For higher assurance, use two FastConnect circuits through diverse providers and locations.
- Define routing and failover. Use dynamic routing over the DRG so failover is automatic, and confirm both paths advertise the right ranges with sensible preferences.
Building for resilience
A single FastConnect circuit through a single provider is a single point of failure no matter how reliable the provider claims to be. For production, design redundancy at the level your resilience target demands. The lightest pattern is FastConnect as primary with a VPN backup over the internet, which protects against a circuit fault but shares fate with your internet uplink, and often with the same last mile fibre and the same customer edge device. A stronger pattern uses two FastConnect circuits terminating at different edge locations through different providers, so no single fibre cut or provider outage isolates the estate.
On the OCI side, the DRG is regionally redundant by design, so your effort goes into the customer edge. Use two customer edge devices, dynamic routing on both, and test failover deliberately rather than assuming it works. The most common surprise in a real outage is that failover was configured but never exercised, and a stale route or a one sided configuration prevents the backup from taking over.
Routing and address planning
Dynamic routing using BGP over the DRG is strongly preferred over static routes for anything beyond a trivial setup, because it allows automatic failover and adapts when ranges change; a static route on a path that has gone dark simply keeps pointing at it. Advertise only the ranges that genuinely need to cross the link, and keep your OCI address ranges from overlapping with on premises ranges. Overlap is the single most expensive mistake in a hybrid build, because resolving it later usually means readdressing live systems.
If many OCI networks need to reach on premises through one link, terminate that link on a single DRG and use transit routing so every spoke reaches the corporate network through the shared path. That avoids buying a circuit per VCN and keeps the routing policy in one place.
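The two checks this section and the "Define routing and failover" step of the framework ask for, that OCI and on premises ranges do not overlap and that both paths advertise the agreed ranges with the primary strictly preferred, can be automated before anything is built. The following is an added example, not OCI tooling and not code from the page: the prefixes, path names and preference numbers are constructed, and "higher preference wins" is an assumed convention borrowed from BGP LOCAL_PREF. A real check would feed it the customer edge configuration and the DRG route tables.

```python
"""Validate a hybrid address plan and what each path advertises.

Added example with constructed data; the plan below deliberately contains
one overlap, one leaked prefix and one preference tie so that every check
fires. Preference semantics (higher wins) are an assumption of this example.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample plan: OCI VCN CIDRs, on premises ranges, and the on
# premises ranges that genuinely need to be reachable from OCI.
PLAN = {
    "oci_vcns": ["10.20.0.0/16", "10.21.0.0/16"],
    "onprem": ["10.0.0.0/16", "10.20.0.0/24"],   # 10.20.0.0/24 clashes with a VCN on purpose
    "must_cross": ["10.0.0.0/16"],
}

# What each path's BGP session advertises from on premises towards the DRG,
# and the preference the customer edge applies to that path.
PATHS = {
    "fastconnect": {"role": "primary", "pref": 200, "advertised": ["10.0.0.0/16"]},
    "vpn":         {"role": "backup",  "pref": 200, "advertised": ["10.0.0.0/16", "192.168.0.0/16"]},
}


def find_overlaps(oci_vcns, onprem):
    """Return every pair of ranges that overlap, across and within the two sides."""
    oci = [ip_network(c) for c in oci_vcns]
    prem = [ip_network(c) for c in onprem]
    pairs = [(a, b) for a in oci for b in prem]
    pairs += list(combinations(oci, 2)) + list(combinations(prem, 2))
    return sorted((str(a), str(b)) for a, b in pairs if a.overlaps(b))


def check_advertisements(paths, must_cross):
    """Flag a path that misses an agreed prefix (it could not take those flows
    over on failover) or advertises beyond the agreed set (a leak across the boundary)."""
    wanted = {ip_network(c) for c in must_cross}
    findings = []
    for name, p in paths.items():
        have = {ip_network(c) for c in p["advertised"]}
        for missing in sorted(wanted - have, key=str):
            findings.append(f"{name}: does not advertise {missing}; failover would lose it")
        for extra in sorted(have - wanted, key=str):
            findings.append(f"{name}: advertises {extra}, which is not in the agreed set")
    return findings


def check_preferences(paths):
    """The primary must be strictly preferred. A tie splits flows across FastConnect
    and VPN (asymmetric paths, unpredictable latency) instead of failing over."""
    primaries = [(n, p) for n, p in paths.items() if p["role"] == "primary"]
    if len(primaries) != 1:
        return [f"expected exactly one primary path, found {len(primaries)}"]
    pname, primary = primaries[0]
    findings = []
    for name, p in paths.items():
        if p["role"] == "backup" and p["pref"] >= primary["pref"]:
            findings.append(f"{name}: preference {p['pref']} is not below {pname} ({primary['pref']}); "
                            f"{pname} would not win")
    return findings


def validate(plan, paths):
    """Run every check; an empty list means the plan is clean."""
    findings = [f"overlap: {a} and {b}" for a, b in find_overlaps(plan["oci_vcns"], plan["onprem"])]
    findings += check_advertisements(paths, plan["must_cross"])
    findings += check_preferences(paths)
    return findings


if __name__ == "__main__":
    for line in validate(PLAN, PATHS) or ["plan is clean"]:
        print(line)
```

Run against the constructed plan it reports three findings: the /24 that sits inside a VCN, the extra 192.168.0.0/16 the VPN leaks, and the preference tie. Fix the data and it returns nothing, which is the state to gate a change on.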
Security across the boundary
A private circuit is not an encrypted one. FastConnect keeps traffic off the public internet but does not encrypt it by default, so for sensitive data run an IPSec tunnel over the circuit or rely on application layer encryption, such as TLS or Oracle Net encryption for database traffic. Apply security lists and network security groups so that on premises ranges can reach only the OCI resources and ports they need, and nothing more; a rule that admits the whole corporate range to every port turns the private link into a flat network. The boundary between cloud and ground is exactly where least privilege matters most, and our network security best practices cover the controls in detail.
Bandwidth that matches the real workload
The most common sizing mistake is to scale the link to the number of users rather than to the data the workload moves. Interactive traffic from people clicking around an application is tiny. The traffic that actually fills a link is machine generated: database replication keeping a standby in step, nightly backups copying to or from on premises, and bulk data loads. A few hundred users might generate a fraction of the volume of a single replication stream. Size the link to those machine flows, with headroom for their peaks, and the interactive traffic looks after itself.
It also pays to understand the direction of the traffic. Many hybrid designs are asymmetric, pulling far more data one way than the other, for example when OCI is the disaster recovery target receiving replication from on premises. Knowing the dominant direction lets you reason about both performance and cost, since inter site data movement is one of the places a hybrid estate accumulates charges. Measure the real flows over a representative period before committing to a circuit speed, rather than estimating from headcount.
Operating the link after go live
A hybrid connection is not finished when it carries its first packet. It needs monitoring like any production component, with alarms on tunnel and circuit state so that a failover, or a failure of the backup that was supposed to be ready, is noticed immediately rather than discovered during the next outage. The classic incident is an estate that has been quietly running on its backup link for weeks because nobody was alerted when the primary circuit dropped, leaving it one fault away from isolation without anyone knowing.
Build the monitoring so that both paths are observed independently, test failover on a schedule rather than trusting that it works, and keep the routing configuration in code so that the running state is reviewable and reproducible. A hybrid link that is monitored, tested and version controlled is one you can rely on. One that was configured once and never touched is a latent outage waiting for the day the primary path fails.
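Observing both paths independently means the alarm logic has to judge each path on its own samples and report the three states the text warns about: running on the backup (and for how long), a backup that is down while the primary is fine, and a path that has stopped reporting at all. The following is an added example of that logic, not OCI Monitoring or any vendor tool: the records, field names (ts, path, role, bgp) and thresholds are constructed, and in practice the samples would come from BGP session state on each customer edge and the FastConnect or VPN status in OCI, polled separately.

```python
"""Judge the health of a hybrid link from per path state samples.

Added example with constructed poll results. The scenario: FastConnect
dropped two days ago and the estate has been on the VPN since. Field names
and thresholds are assumptions of this example.
"""
from datetime import datetime, timedelta, timezone

# Constructed poll results: one record per path per poll, ISO 8601 UTC.
SAMPLES = [
    {"ts": "2024-05-01T00:00:00Z", "path": "fastconnect", "role": "primary", "bgp": "up"},
    {"ts": "2024-05-01T00:00:00Z", "path": "vpn",         "role": "backup",  "bgp": "up"},
    {"ts": "2024-05-01T00:05:00Z", "path": "fastconnect", "role": "primary", "bgp": "down"},
    {"ts": "2024-05-01T00:05:00Z", "path": "vpn",         "role": "backup",  "bgp": "up"},
    {"ts": "2024-05-02T23:55:00Z", "path": "fastconnect", "role": "primary", "bgp": "down"},
    {"ts": "2024-05-02T23:55:00Z", "path": "vpn",         "role": "backup",  "bgp": "up"},
]
NOW = datetime(2024, 5, 3, 0, 0, tzinfo=timezone.utc)   # assumed evaluation time


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def history(samples, path):
    """All samples for one path, oldest first."""
    return sorted((r for r in samples if r["path"] == path), key=lambda r: r["ts"])


def down_since(samples, path):
    """Start of the path's current outage, or None if its latest sample is up.
    Walks back over the trailing run of 'down' samples so the alarm carries the
    real start of the outage, not the time of the latest poll."""
    hist = history(samples, path)
    if not hist or hist[-1]["bgp"] == "up":
        return None
    start = hist[-1]["ts"]
    for r in reversed(hist):
        if r["bgp"] == "up":
            break
        start = r["ts"]
    return parse_ts(start)


def assess(samples, now, max_on_backup=timedelta(hours=24), stale_after=timedelta(minutes=15)):
    """Return (severity, message) alarms. Every path is judged on its own samples,
    so a dead backup or an unobserved path is reported even while the primary is fine."""
    roles = {r["path"]: r["role"] for r in samples}
    alarms, unobserved = [], []
    for p in roles:
        last = history(samples, p)[-1]["ts"]
        if now - parse_ts(last) > stale_after:
            alarms.append(("warning", f"{p}: no sample since {last}; path is unobserved"))
            unobserved.append(p)
    outages = {p: down_since(samples, p) for p in roles if p not in unobserved}
    if outages and all(outages.values()):
        return alarms + [("critical", "every observed path is down; estate is isolated")]
    for p, since in outages.items():
        if since is None:
            continue
        age = now - since
        if roles[p] == "primary":
            sev = "critical" if age > max_on_backup else "warning"
            alarms.append((sev, f"{p} down since {since.isoformat()}; running on backup for {age}"))
        else:
            alarms.append(("warning", f"{p} down since {since.isoformat()}; one fault from isolation"))
    return alarms


if __name__ == "__main__":
    for sev, msg in assess(SAMPLES, NOW) or [("ok", "all paths up and observed")]:
        print(f"{sev}: {msg}")
```

The escalation from warning to critical after max_on_backup is what turns "failover happened" into "we have been one fault from isolation for a day", the condition the text says goes unnoticed; the staleness check catches the other silent failure, a collector that stopped reporting and made a dead path look quiet.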
Bringing it together
A good on premises connection is invisible. It carries production traffic at predictable latency, fails over without anyone noticing, and enforces least privilege at the boundary. Getting there is a matter of sizing the link to real traffic, choosing FastConnect or VPN deliberately, designing redundancy to a stated target, and using dynamic routing so failover is automatic. For the full set of networking decisions that surround this one, see the complete OCI networking guide, and if you want the connection designed and validated against your resilience target, our OCI networking solution covers exactly this work.
Moving Oracle workloads to OCI, or already running on OCI and not sure the architecture or the spend is right? Most teams bring in a specialist before they commit to a region, a shape, or a Universal Credits number. OCISpecialists.com plans the landing zone, runs the migration, and manages the estate after go live, on a fixed project fee, a managed monthly retainer, or a cost optimization fee paid only on verified savings. For the Oracle licensing and BYOL side of any OCI move, Redress Compliance is the leading independent Oracle licensing and negotiation firm, with 500+ engagements across Oracle's full product line.