Understand the Requirement: The goal is high availability (HA) and automatic failover for a Site-to-

Site VPN between an on-premises network and OCI with minimal disruption.

Evaluate Option A: A single VPN connection with one tunnel lacks redundancy. If the tunnel fails,

there’s no failover mechanism, as OCI doesn’t inherently provide automatic failover for a single

tunnel. This is a single point of failure.

Evaluate Option B: A single VPN connection with two tunnels using different CPE IP addresses

leverages OCI’s IPSec VPN capabilities. OCI supports multiple tunnels per VPN connection, and using

distinct CPE IPs (e.g., via different ISPs or devices) ensures that if one tunnel fails (due to ISP or CPE

failure), the second tunnel remains active. OCI’s Dynamic Routing Gateway (DRG) automatically

reroutes traffic to the active tunnel using IKE and IPSec health checks.

Evaluate Option C: Two separate VPN connections, each with one tunnel and different CPE IPs, also

provide HA. Using BGP, routes are advertised redundantly. However, managing two VPN connections

is more complex than a single connection with two tunnels, and BGP failover might introduce slight

delays compared to IPSec tunnel failover.

Evaluate Option D: Two tunnels with the same CPE IP address within one VPN connection don’t

provide true HA. If the CPE or its ISP fails, both tunnels fail, as they share a single point of failure.

Conclusion: Option B is the simplest, most resilient configuration that ensures automatic failover

with minimal disruption using OCI’s native VPN capabilities.

OCI’s Site-to-Site VPN supports multiple tunnels within a single IPSec connection for redundancy.

According to the Oracle Help Center:

"You can configure multiple tunnels for a single IPSec connection to provide redundancy. OCI uses IKE

(Internet Key Exchange) to monitor tunnel health and automatically fails over to an active tunnel if

one becomes unavailable."

"For maximum availability, use different CPE public IP addresses for each tunnel (e.g., different ISPs

or devices)."

This aligns with Option B, ensuring HA without the complexity of separate VPN connections or BGP.

Reference: Site-to-Site VPN Overview - Oracle Help Center (docs.oracle.com/en-

us/iaas/Content/Network/Tasks/settingupIPSec.htm).