The dynamic routing gateway, the DRG, is the hub of OCI connectivity, the single point through which a VCN connects to everything beyond itself. Connections to your data centre, to other VCNs, and to other regions all flow through the DRG. Understanding it is the key to understanding how an OCI estate scales past a single isolated network. The modern DRG is also considerably more capable than the original design, which is worth knowing because a lot of older guidance describes limitations that no longer apply. This guide explains what the DRG does, how the modern version works, and the patterns it enables.
The DRG matters because it is where network topology decisions become real. The connectivity choices covered in our FastConnect versus VPN guide and the peering covered in our peering guide all attach here, so the DRG is the piece that ties the wider networking picture together.
What the DRG does
A DRG is a virtual router that sits at the edge of your network world and provides a single attachment point for private connectivity. You attach VCNs to it, you attach your connections to on premises through VPN or FastConnect, and the DRG routes traffic between them according to route tables you control. Without a DRG a VCN is an island reachable only through internet gateways. With one, it becomes a node in a private network that can span data centres, regions, and many VCNs, all routed through a single managed hub.
The modern DRG
The original DRG had a one to one relationship with a VCN, which limited the topologies you could build. The modern DRG removed that constraint. A single DRG can now have many VCN attachments, support route tables and distributions that give you fine control over how traffic flows, and act as a true routing hub rather than a simple gateway. This is what makes hub and spoke designs and transit routing practical on OCI, where traffic from one VCN can reach another, or reach on premises, by routing through the DRG. If you read older material describing DRG limits, check whether it predates this change, because much of it is now obsolete.
DRG capabilities
| Capability | What it enables |
|---|---|
| Multiple VCN attachments | Many VCNs through one routing hub |
| VPN attachments | Private connectivity to on premises over internet |
| FastConnect attachments | Dedicated private links into the estate |
| Remote peering connections | Connectivity across OCI regions |
| Route tables and distributions | Fine control over how traffic flows |
| Transit routing | One attachment reaching another through the hub |
Patterns the DRG enables
The hub and spoke pattern places shared services in a central VCN and connects workload VCNs to it through the DRG, so common infrastructure is built once and reached by all. Transit routing lets on premises traffic reach multiple VCNs, or one VCN reach another, by passing through the DRG as a transit point. Cross region connectivity uses remote peering attachments to link estates in different regions for resilience or data locality. Each of these is a topology that the modern DRG makes straightforward, and each connects to the broader design thinking in our complete networking guide.
Designing with the DRG
- Treat the DRG as the connectivity hub, the single point external traffic flows through.
- Attach VCNs deliberately, using route tables to control what reaches what.
- Attach on premises connections through VPN or FastConnect to the same DRG.
- Use route distributions to enforce the traffic flows your design intends.
- Plan address ranges to avoid overlap, because routing through the DRG depends on it.
The DRG is the piece that turns a collection of isolated VCNs into a coherent network, and the modern version is flexible enough to support almost any topology you need. The work is to design the route tables and attachments deliberately, so traffic flows where you intend and nowhere else, rather than letting connectivity accrete. The full context is in our complete networking guide, and we design DRG centred topologies for clients as part of our OCI networking solution.
Route tables and controlling traffic
The power of the modern DRG is in its route tables and distributions, which give you fine control over how traffic flows between attachments. Rather than every attachment seeing every other, you decide which attachments can route to which, so a workload VCN can reach shared services without being able to reach another workload VCN, for example. This is how you enforce isolation within a connected estate, allowing the connectivity each part legitimately needs and no more. The route tables are where your network policy lives, and designing them deliberately is what turns the DRG from a hub that connects everything to a hub that connects exactly what you intend. This is the same least privilege thinking that applies to identity, expressed in routing.
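The isolation rule above can be checked before anything is deployed. The following is an added example, not Oracle's tooling or code from this guide: a simplified Python model in which each attachment is assigned one DRG route table and each table imports routes only from the attachments its distribution matches. All attachment and table names are hypothetical, and static routes, VCN route tables and security rules are left out of the model.

```python
# Simplified model of DRG routing; added example, all names are hypothetical.
# Traffic entering the DRG from an attachment is looked up in the DRG route
# table assigned to that attachment, and in this model that table only holds
# routes for the attachments its import distribution matches.

def forward_paths(assigned, imports):
    """(src, dst) pairs where traffic arriving from src has a route to dst."""
    return {(src, dst) for src, table in assigned.items()
            for dst in imports[table] if dst != src}

def _pairs(pair_set):
    """Stable, printable form of a set of unordered pairs."""
    return sorted(tuple(sorted(p)) for p in pair_set)

def audit(assigned, imports, intended):
    """Compare two-way reachability through the DRG with the intended policy."""
    fwd = forward_paths(assigned, imports)
    two_way = {frozenset(p) for p in fwd if (p[1], p[0]) in fwd}
    allowed = {frozenset(p) for p in intended}
    return {"unintended": _pairs(two_way - allowed),
            "missing": _pairs(allowed - two_way)}

ALL = {"shared-services", "workload-a", "workload-b", "on-prem"}
INTENDED = [("shared-services", "workload-a"),
            ("shared-services", "workload-b"),
            ("shared-services", "on-prem")]

# Weak: one table for every attachment, importing routes from all of them.
FLAT_ASSIGNED = {name: "rt-flat" for name in ALL}
FLAT_IMPORTS = {"rt-flat": ALL}

# Corrected: spokes and on-prem only learn the shared-services routes.
SEG_ASSIGNED = {"shared-services": "rt-hub", "workload-a": "rt-spoke",
                "workload-b": "rt-spoke", "on-prem": "rt-spoke"}
SEG_IMPORTS = {"rt-hub": ALL, "rt-spoke": {"shared-services"}}

if __name__ == "__main__":
    print("flat:     ", audit(FLAT_ASSIGNED, FLAT_IMPORTS, INTENDED))
    print("segmented:", audit(SEG_ASSIGNED, SEG_IMPORTS, INTENDED))
```

An empty `unintended` list is the property to hold on to as attachments are added; a non-empty `missing` list means a route import the design needs was left out.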
Scaling the estate through the DRG
As an estate grows, the DRG is what keeps it coherent. New VCNs attach to the existing hub rather than requiring a web of point to point connections, so connectivity scales linearly rather than combinatorially. A hub and spoke design built on the DRG can grow to many VCNs while keeping the routing comprehensible, because every connection passes through one well understood point. The alternative, a mesh of direct connections between VCNs, becomes unmanageable quickly, which is precisely the problem the DRG exists to solve. Centralising connectivity is what makes growth sustainable.
Common DRG design mistakes
The most common mistake with the DRG is the same one that plagues all of OCI networking: overlapping address ranges that make routing impossible. The second is failing to use route tables to enforce isolation: attaching everything to the DRG and letting all attachments reach all others throws away the control the DRG offers. The third is treating the DRG as an afterthought rather than designing the topology around it from the start. Each of these is avoided by the same discipline: plan ranges across the estate, route deliberately, and design the hub before you build the spokes. The full context sits in our complete networking guide and connects to the peering patterns in our peering guide.
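The first mistake is the easiest to catch mechanically. As an added example (not code from this guide), the Python check below takes a planned address layout for everything that will attach to the DRG and reports every pair of ranges that overlap; the attachment names and CIDR blocks are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: attachment name -> CIDR blocks reachable behind it.
PLAN = {
    "shared-services-vcn": ["10.0.0.0/16"],
    "workload-a-vcn": ["10.1.0.0/16"],
    "workload-b-vcn": ["10.1.128.0/17", "10.2.0.0/16"],
    "onprem-fastconnect": ["192.168.0.0/16", "10.0.8.0/24"],
}

def find_overlaps(plan):
    """Return (name, cidr, other_name, other_cidr) for every overlapping pair.

    strict=True makes a mistyped block such as 10.1.5.0/16 (host bits set)
    raise ValueError instead of being silently normalised.
    """
    nets = [(name, ipaddress.ip_network(cidr, strict=True))
            for name, cidrs in plan.items() for cidr in cidrs]
    conflicts = []
    for (name_a, net_a), (name_b, net_b) in combinations(nets, 2):
        # Overlap inside one attachment is a different problem; the DRG
        # cannot pick a next hop when two attachments claim the same range.
        if name_a != name_b and net_a.overlaps(net_b):
            conflicts.append((name_a, str(net_a), name_b, str(net_b)))
    return conflicts

if __name__ == "__main__":
    for a, cidr_a, b, cidr_b in find_overlaps(PLAN):
        print(f"OVERLAP: {a} {cidr_a} <-> {b} {cidr_b}")
```

Note that the on-premises `/24` sits inside the shared services `/16`, the kind of conflict that is easy to miss when the two ranges are owned by different teams.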