I must admit that this post was for me the most difficult one yet to write in this series.
Partly because it also touches how to structure things to keep it manageable in the future.
I have also been told it is a long post. So reserve some time, grab a coffee, tea or your favorite brew (although the latter is best avoided at 10:00 in the office) and start reading.
Until now, our journey was mainly limited to the Database as a Service (DBaaS) part of the Oracle Cloud.
Today it is time to start exploring the Infrastructure as a Service (IaaS) fields.
Although you have full root access to the OS part of your Oracle DBaaS guest, the purpose of DBaaS is to host an Oracle database.
With IaaS, “all” you get is a virtual guest, and you install in that guest whatever you want.
As such, there are more things to configure, most notably on the networking side.
IaaS Network Types
There are two main types of network that you can configure within Oracle Compute Classic:
In a Shared Network, each instance is assigned a private IP address from a common pool of Oracle-provided IP addresses. Access to the instance is determined by security lists and security rules.
With IP Networks, you can define an IP subnet in your account and use the IP addresses from that subnet for your guests. Access to your guest is managed via security rules and the access control lists.
A guest can be part of both a Shared Network and an IP Network.
In Part 2 of this blog series, we already created an IP network from which we assigned an IP address to our DBaaS guest.
Now, we will further extend the network configuration with the security and access rules.
The diagram below comes from the Oracle documentation and is very useful to understand the relationships between the different parts.
A Security Protocol gives a name to a protocol/port combination (e.g. TCP port 22 for ssh) and is used as an item in the security rules.
The Security Rule can be either Ingress (incoming traffic) or Egress (outgoing traffic).
Besides specifying the Security Protocols it applies to (there can be more than one), you can also impose further limits on the source and/or destination.
Multiple Security Rules are combined into an Access Control List (but a Security Rule can only be part of a single ACL).
This ACL is then assigned to one or more vNICsets, which are collections of virtual network ports of IaaS guests.
Are you still with me?
There are more parts in the diagram, but I will keep it to these.
Setting up an IP Network
I’m still struggling a bit with how to organize and group the different rules and such.
When I had to work out the firewall requirements for on-premises environments in the past, I came up with a set of roles such as “linux server”, “DB server” or “Yum server”. For each of these roles a list of open ports was defined, and a server could then be assigned one or more of these roles.
An Oracle Cloud Control server, for instance, would be assigned the Linux, DB and Oracle Management Server roles.
This made it easier to keep things consistent and made it clearer why a server needed to have a certain port open.
The same method can be used with IP Networks, in which the ACL takes the part of the “role” combining multiple rules.
But since a Security Rule can only be assigned to one ACL, and limits on source / destination (using either IP addresses or vNICsets) can be imposed, some thought should be given to the naming conventions…
As such, we will use the following workflow:
- Create an IP prefix set (to give a name to our company’s public IP)
- Create an Access Control List
- Create the Security Rules
- Create the virtual NIC set
Create an IP Prefix set
First we are going to create an IP prefix set to hold your home IP or the public IP of your company.
This is not strictly necessary, but it makes it easier later on to change the address or to remember what this IP address was for.
From the dashboard, open the service console in the Compute Classic tile.
There, open the “Network” tab and click on “IP Address Prefix Sets”.
Click on the “Create IP Address Prefix Set” button.
Create an Access Control List
Now, we can create the Access Control Lists, which we will use to group the security rules that are associated with a given server role.
To create the ACL, open the “Access Control Lists” page in the Network tab and click on the “Create Access Control List” button.
Note that there is already a default ACL with 2 rules, Ingress (incoming) and Egress (outgoing), and that our DBaaS guest has also automatically created an ACL (but you can’t manage it from here).
We are going to create 2 ACLs, which is a bit overkill in this situation, but I want to stick with my previous explanation on roles 🙂
Apart from the name and the status, there is nothing to configure.
Create the Security Rules
At this moment we can create the actual security rules, which specify the port that will be opened (either incoming or outgoing).
In our example, we only need 2 rules, one for each of the ACLs.
Click on the “Network” tab in the IaaS console and choose “Security Rules” in the left item list (under “IP network”).
This will show you the list of existing security rules.
The first rule we need is to allow ssh from our home ip address to a guest.
Click on “Create Security Rule” to start with the creation.
The type must be set to “Ingress” (incoming traffic) and we will connect this security rule to the “generic_linux_server” access control list.
To specify the port, you need to select the corresponding “Security Protocols” (note that it is possible to create your own security protocols if the ones you need are not listed in the default list).
Because we don’t want to open this port to the entire world, we will use the “Source IP Address Prefix Sets” box to limit this rule to traffic originating from the “home_public_ip” prefix set that we created earlier.
Click on “Create” to save the new rule.
The second rule is to allow incoming http / https traffic to our web servers.
This rule will be connected to our “apache_front_webserver” ACL.
No further limits will be placed on the data source or destination.
When both rules are created, we can go back to the ACL list, where we can see the security rules listed next to our ACLs.
Create the virtual NIC Set
With the ACLs and the Security Rules created, we now need a way to apply them on our (future) guests.
This is done via a Virtual NIC Set.
Click on the “Network” tab in the IaaS console and choose “Virtual NIC Sets” in the left item list (under “IP network”).
You will now see a list of existing NIC Sets.
Click on “Create vNICset” to start creating our vNICset.
This vNICset will be used by our web servers, so we are applying the apache_front_webserver and the generic_linux_server ACLs we just created to it.
The vNICs box can be left empty. When we create our guest, we will specify this vNICset and that will add the correct vNIC to it.
Click on “Create” to save our new configuration.
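To make the relationships between prefix set, Security Rules, ACLs and vNICset concrete, here is an added Python model of the configuration built in this post; it is my illustration, not Oracle’s API or anything exported from the console. The ACL, prefix-set and protocol names are the post’s, while the vNICset name `webserver_vnicset` and all IP addresses are constructed.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# Added illustration of the post's object model, not Oracle's API. ACL, prefix-set and
# protocol names are the post's; the vNICset name and all IP addresses are constructed.
SecurityProtocol = namedtuple("SecurityProtocol", "name ip_protocol port")  # e.g. ssh = TCP 22
# A rule has a direction, one or more protocols, exactly one ACL and an optional source
# prefix set; an empty src_prefix_set means "any source".
SecurityRule = namedtuple("SecurityRule", "name direction protocols acl src_prefix_set",
                          defaults=[""])

@dataclass
class IPNetworkConfig:
    prefix_sets: dict = field(default_factory=dict)   # name -> list of ip_network
    acls: dict = field(default_factory=dict)          # ACL name -> list of SecurityRule
    vnicsets: dict = field(default_factory=dict)      # vNICset name -> list of ACL names

    def add_rule(self, rule):
        # Enforce the constraint that a Security Rule can be part of only one ACL.
        if any(r.name == rule.name for rules in self.acls.values() for r in rules):
            raise ValueError(f"rule {rule.name} is already part of an ACL")
        self.acls.setdefault(rule.acl, []).append(rule)

    def in_prefix_set(self, name, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.prefix_sets[name])

    def allows_ingress(self, vnicset, src_ip, ip_protocol, port):
        # Default deny: the flow passes only if an ingress rule of an ACL on the vNICset matches.
        for acl in self.vnicsets[vnicset]:
            for rule in self.acls.get(acl, []):
                proto_ok = any(p.ip_protocol == ip_protocol and p.port == port for p in rule.protocols)
                src_ok = not rule.src_prefix_set or self.in_prefix_set(rule.src_prefix_set, src_ip)
                if rule.direction == "ingress" and proto_ok and src_ok:
                    return True
        return False

def build_example():
    ssh = SecurityProtocol("ssh", "tcp", 22)
    http, https = SecurityProtocol("http", "tcp", 80), SecurityProtocol("https", "tcp", 443)
    cfg = IPNetworkConfig()
    cfg.prefix_sets["home_public_ip"] = [ipaddress.ip_network("203.0.113.7/32")]  # constructed
    cfg.add_rule(SecurityRule("ssh_from_home", "ingress", frozenset({ssh}),
                              "generic_linux_server", "home_public_ip"))
    cfg.add_rule(SecurityRule("web_from_anywhere", "ingress", frozenset({http, https}),
                              "apache_front_webserver"))
    cfg.vnicsets["webserver_vnicset"] = ["generic_linux_server", "apache_front_webserver"]
    return cfg
```

Because the vNICset carries both ACLs, a guest in it accepts 80/443 from anywhere but 22 only from the home prefix; everything else, including SSH from an unknown address, falls through to the default deny.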
At this point we have extended the IP network base we created for our DBaaS guest with Access Control Lists, Security Rules and Virtual NIC Sets, so we can use it when creating our IaaS guests.
There are still other moving parts with IP networks and there is also the shared network functionality, but those are out of scope for this blog series.
If you are interested (and you should be), you can find the necessary information on them in the Oracle Compute Classic documentation.
Next up in this blog series will be the creation of our IaaS guest.