Oracle’s Infrastructure as a Service (IaaS) public cloud provides raw compute and storage capabilities that can be used for almost any workload. This blog series will outline the process used to migrate existing workload from our on-premises data center to instances running on Oracle IaaS public cloud compute and storage services. The first part of this series covered the process to manually create the components needed to start an instance using Oracle provided Enterprise Linux image on the Oracle public cloud. This part of the series will describe the process to secure instances by configuring the provided security interfaces.
The basic process to secure an instance on the IaaS public cloud is as follows:
- Create a security IP list (optional)
- Define a security application if there is not a predefined one available
- Create a security list to group like instances
- Create security rules to enable ports to be available to and from security and/or IP lists
- Assign an instance to the appropriate security list
In the scenario outlined below, the process enables access to an Oracle database listener in the IaaS public cloud from a workstation within a corporate network.
Create a Security IP List:
A security IP list that will identify the IP address(es) that will be allowed to access IaaS instances:
In the main list of tabs, select Network and then select Security IP Lists from the options on the left hand side:
Click on the Create Security IP List button:
Enter a Name, Description, and IP List (comma separate for more than one). Note*** This is the IP address that allows access from the internet. It may not be the IP Address of your laptop. You may need to work with your local network admin to identify the correct IP list.
Create Security Application:
A security application is the component that defines the port or network function that will be enabled. In this scenario, we will be opening the port range that hold all of the Oracle database listeners in the IaaS public cloud instances.
While in the Network tab, select Security Applications from the list on the left and Click on the Create Security Application button:
Define the Name, Port Type, Port start and end range, and a description. Then click on Create:
Create a Security List:
The security list is the mechanism used to group IaaS public cloud instances and define inbound and outbound security policies. In this example, we are creating a security list that will be assigned to the instances containing Oracle database listeners.
From the network tab, select Security Lists from the list on the left and click on Create Security List:
Supply a name and description. Normally, the inbound and outbound policy will remain at the default. The default behavior is to deny all inbound traffic that is not in the allowed list and permit all outbound traffic.
Create a Security Rule:
A security rule is the mechanism that ties a source and target combination to security application (a list of ports or network function). So, the security rule will allow access from the source to the target via the security application. In this case, it will allow access from my workstation to the IaaS database instances via ports 1521 to 1525.
From the Network tab, select Security Rules from the list on the left, and click on the Create Security Rule button:
Enter the following:
Name – a unique name for the rule.
Status – Select Enabled (you can select disabled if you don’t want the rule enabled immediately)
Source – Either the Security Lists (which is used for a list of IaaS instances) or a Security IP Lists (which is used for resources external to the IaaS) can be selected. A Security List would be selected if you want to open ports between IaaS instances. In this example, we are opening up traffic from a workstation external to the IaaS instance. So, we will select Security IP Lists and pick Personal laptop from the list.
Destination – This is the Security Lists containing the list of IaaS instances to permit traffic
Description – Supply a description if desired
Assign an Instance to a Security List
The final step to enable security is to assign the instance to the appropriate Security List. From the instance tab, click on the View menu option for the instance to be updated:
In the Security List tile, click on the Add to Security List button:
From the drop down, select the appropriate security list and click attach:
You should now be able to connect to a database on the instance in the Security list from your laptop via a tool like SQL Developer.
The steps listed above are the basic operations needed to enable security for instances on the Oracle IaaS Public Cloud. With these basic operations, you can enable the ports and network interfaces that are necessary for your applications hosted on the IaaS Public Cloud to function and be accessible from the necessary end points. Also, remember that by default, the only external access that is available is ssh, so these steps are most likely something that will be needed to customize the environment to meet your application needs.
Stay tuned for the next part in this blog series: Oracle IaaS Public Cloud: Using Orchestrations
2 thoughts on “Oracle IaaS Public Cloud: Securing Instances”
Pingback: Oracle IaaS Public Cloud: Using Orchestrations | Flexagon FlexDeploy for DevOps and Deployment Automation
Great post, most informative, didn’t realize devops were into this.