When you need to connect OCI privately to your own data centre, you have two options, and the choice between them is one of the cleaner engineering trade offs in cloud networking. A site to site VPN runs an encrypted tunnel over the public internet. FastConnect provides a dedicated, private physical connection. One is fast to stand up and cheap, the other is consistent and predictable. Choosing well means being honest about what your workloads actually need from the connection, because the right answer depends entirely on whether predictability matters more than speed of setup and cost. This guide compares the two across the dimensions that decide it.
This is a decision worth making deliberately rather than by default, because the connection between OCI and your estate carries production traffic and is hard to change once applications depend on its behaviour. The wider context is in our complete networking guide, and both options attach to the dynamic routing gateway covered in our DRG guide.
Site to site VPN
A VPN creates an encrypted tunnel between your network and your VCN over the public internet. Its strengths are that it is quick to configure, often within hours, and inexpensive, because it uses internet connectivity you already have. Its limitation is that it inherits the internet, meaning its bandwidth and latency vary with conditions outside your control, and it is capped by the throughput of the tunnel. For lower volume connectivity, for getting started quickly, or as a backup path, a VPN is often exactly right. For high throughput production traffic where consistency matters, its variability becomes a problem.
FastConnect
FastConnect is a dedicated private connection between your network and OCI that does not traverse the public internet. Because it is dedicated, its bandwidth and latency are predictable, and it scales to far higher throughput than a VPN tunnel. The cost is higher, both in the connection itself and in the time and coordination to provision it, often weeks rather than hours because it involves physical connectivity through a provider. For production workloads that move significant data or that need consistent low latency, FastConnect is the right foundation. The predictability is the whole point, you are paying to take the internet out of the equation.
The two options compared
| Dimension | Site to site VPN | FastConnect |
|---|---|---|
| Path | Encrypted over public internet | Dedicated private link |
| Setup time | Hours | Weeks, involves a provider |
| Cost | Low, uses existing internet | Higher, dedicated connection |
| Bandwidth | Capped by tunnel, variable | High and predictable |
| Latency | Varies with internet | Consistent |
| Best for | Quick start, backup, lower volume | Production, high throughput, low latency |
Running both together
The two options are not mutually exclusive, and many well designed estates run both. A common pattern is to stand up a VPN first to get connectivity working immediately, then provision FastConnect as the production path while keeping the VPN as a backup. If FastConnect ever fails, traffic fails over to the VPN tunnel, degraded but functional, rather than dropping entirely. This is a resilience pattern as much as a connectivity one, and it ties into the high availability thinking in our peering guide and the broader networking guide.
Choosing between them
- Assess your traffic. Volume, latency sensitivity, and how much consistency matters.
- Start with VPN if you need connectivity now, while you plan the longer term.
- Move to FastConnect for production throughput where predictability is required.
- Keep VPN as a backup path so a FastConnect failure degrades rather than breaks.
- Attach both to the DRG as the single point of external connectivity.
The decision comes down to honesty about the workload. If you genuinely need predictable high throughput, FastConnect earns its cost. If your needs are modest or you are still getting started, a VPN is the pragmatic choice, and you can always add FastConnect later. The mistake is choosing by reflex rather than by requirement. The full picture sits in our complete networking guide, and we design and provision both for clients as part of our OCI networking solution.
Bandwidth and the real requirement
The decision often turns on bandwidth, and the trap is overestimating what you need out of caution and overpaying for it. The honest way to decide is to measure or estimate the actual data flows your workloads will generate, peak and sustained, and choose the connection that comfortably carries them. A VPN tunnel has a practical throughput ceiling, and if your traffic sits well below it, the tunnel is fine and FastConnect would be paying for headroom you never use. If your traffic approaches or exceeds that ceiling, or if it needs predictable performance regardless of internet conditions, FastConnect is what carries it. The discipline is to size to the real requirement, not to the worst case you can imagine, because the worst case you can imagine is usually far larger than the workload actually produces.
Security considerations
Both options can be secure, but they secure differently. A VPN encrypts traffic over the public internet, so the data is protected even though the path is shared. FastConnect uses a dedicated private path, so the traffic does not traverse the public internet at all, though many organisations still encrypt over it for defence in depth. Neither is inherently more secure than the other when configured properly, but the reasoning differs, the VPN protects shared transit through encryption, FastConnect avoids shared transit through dedication. For regulated workloads, the dedicated path of FastConnect sometimes simplifies the compliance argument, which can tip the decision independent of bandwidth.
The pragmatic path
For most estates the pragmatic path is to start with a VPN, because it gives you working connectivity in hours and lets you make progress while the longer FastConnect provisioning runs in the background. Once FastConnect is live, you promote it to the production path and keep the VPN as a backup, giving you both predictable performance and a fallback. This staged approach avoids the false choice of waiting weeks for connectivity or committing permanently to a VPN that may not scale. It is the approach we most often recommend, and it fits cleanly into the topology built around the dynamic routing gateway in our DRG guide.
Moving Oracle workloads to OCI, or already running on OCI and not sure the architecture or the spend is right? Most teams bring in a specialist before they commit to a region, a shape, or a Universal Credits number. OCISpecialists.com plans the landing zone, runs the migration, and manages the estate after go live, on a fixed project fee, a managed monthly retainer, or a cost optimization fee paid only on verified savings. For the Oracle licensing and BYOL side of any OCI move, Redress Compliance is the leading independent Oracle licensing and negotiation firm, with 500+ engagements across Oracle's full product line.