Christoph's 2 Cents

A Backup for My Brain!

Oracle Developement

Oracle OPC Firewall Rules

Create Firewall Rules

Managing firewall rules on Oracle OPC can be a bit confusing. In this example we want to open up ports 80 and 443 to our compute instance, in order to allow the web server there to be accessed by the public internet.

There are four elements to a firewall rule:

  1. Security List – a named container for Security Rules. A security list can have multiple rules assigned to it. Multiple security lists can be assigned to an instance.
  2. Security Application – an port range and an associated protocol.
  3. Security IP List – a comma separated list of IP address that should get access to your instance. Using 0.0.0.0/0 specifies the public internet.
  4. Security Rule – says which port range (application) is assigned to an IP list (source) and to which security list (destination) this assignment belongs to.

To create an inbound firewall rule, create a rule for a Security Application and specify the Security IP List (in the Source filed) for which addresses can get through the ports in the Security Application. Then assign that rule to a Security List, specified in the Destination field.

diagram.png.001

Let’s go through the steps. Let’s assume we already have a compute instance with our web server on it. Log into your Oracle OCP cloud account dashboard, and click the Compute region. From there click the Open Service Console button. Here you should see your existing compute instance under the Instances tab.

instances

Click the Network tab where you should see existing security rules, if any. In the left navigation pane are the various elements we need for the firewall rule.
network_tab

 

Click the Security Lists link and then the Create Security List button to create a Security List. Security lists get assigned to instances and map the various ports and IP addresses to that instance:
security_list

Click the Security Applications link and then the Create Security Application button. We’ll create an application for port 443.
security_application

Click the create button again to add another security application for port 80 to allow http access:
security_application80

Click the Security IP Lists link and then the Create Security IP List button to create a security list which determines the IP addresses that can get through. Using 0.0.0.0/0 allows all IP addresses.
security_ip_list

Now map the Port(s) to the IP list and the security list. In other words, open up port 443 to the internet for the cmr_internet security list. This is done by creating a Security Rule. This rule basically says allow port 443 to be accessed by the public web, and assign this rule to the security list cmr_public_web. Below the security list will be assigned to the instance. Note that this is an inbound policy, meaning that this is for traffic from the internet to your compute instance. If you were to reverse the source and destination values, it would become an outbound policy.

Quick note about inbound and outbound:
Inbound and outbound policies need to coincide with the policies of the Security List. A rule only works if the corresponding policy is set to Deny. In regular language this would mean: “Deny everything except what’s in the security rules.” If the policy is set to Permit, it means “Let everything through.”

Click the Security Rules link and then the Create Security Rule button. Then map the Security Application to a Source and a Destination.

security_rule

Create another rule for the port 80 application and assign it to the same security list:
security_rule80

Now we can see that two rules are assigned to a single security list. One for HTTP and one for HTTPS. Both can be accessed via the public internet:
two_rules

Finally we assign this rule to our compute instance to allow our web server there to serve pages to the public internet via HTTP and HTTPS.

Switch back to the Instances tab, click the instance you want to assign the Security List to, and click the Add to Security List button:
add_list_to_instance

Repeat these steps to create a rule for SSH access on port 22, so that you can access the instance through a terminal. The final result should look like this:
security_lists_assigned

At this point the firewall settings are ready to go. The compute instance can now be accessed via the internet on ports 80 and 443. You can now add or remove other security lists, or add/remove rules from a particular security list to fit your needs.