{"id":735,"date":"2024-04-14T10:28:18","date_gmt":"2024-04-14T08:28:18","guid":{"rendered":"https:\/\/ilmarkerm.eu\/blog\/?p=735"},"modified":"2024-04-14T10:28:18","modified_gmt":"2024-04-14T08:28:18","slug":"building-oracle-cloud-infrastructure-with-terraform-basic-security","status":"publish","type":"post","link":"https:\/\/ilmarkerm.eu\/blog\/2024\/04\/building-oracle-cloud-infrastructure-with-terraform-basic-security\/","title":{"rendered":"Building Oracle Cloud infrastructure with Terraform \u2013\u00a0basic security"},"content":{"rendered":"\n<p>Here I&#8217;m exploring how to control basic network-level access to resources. In AWS there is a concept called Security Groups. In OCI (Oracle Cloud) the similar concept is called Network Security Groups; there is also a slightly less powerful concept called Security Lists. A good improvement of Network Security Groups over Security Lists is that in rules you can refer to other NSGs, not only to CIDR blocks.<\/p>\n\n\n\n<p>Below I create two NSGs, one for databases and one for application servers, and allow unrestricted outgoing traffic from them both.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># security.tf\n\n# Rules for appservers\n\nresource \"oci_core_network_security_group\" \"appserver\" {\n    compartment_id = oci_identity_compartment.compartment.id\n    vcn_id = oci_core_vcn.main.id\n    display_name = \"Application servers\"\n}\n\nresource \"oci_core_network_security_group_security_rule\" \"appserver_egress\" {\n    network_security_group_id = oci_core_network_security_group.appserver.id\n    direction = \"EGRESS\"\n    protocol = \"all\"\n    description = \"Allow all Egress traffic\"\n    destination = \"0.0.0.0\/0\"\n    destination_type = \"CIDR_BLOCK\"\n}\n\n# Rules for databases\n\nresource \"oci_core_network_security_group\" \"db\" {\n    compartment_id = oci_identity_compartment.compartment.id\n    vcn_id = oci_core_vcn.main.id\n    display_name = \"Databases\"\n}\n\nresource \"oci_core_network_security_group_security_rule\" \"db_egress\" {\n    network_security_group_id = oci_core_network_security_group.db.id\n    direction = \"EGRESS\"\n    protocol = \"all\"\n    description = \"Allow all Egress traffic\"\n    destination = \"0.0.0.0\/0\"\n    destination_type = \"CIDR_BLOCK\"\n}<\/code><\/pre>\n\n\n\n<p>Some rule examples to allow traffic from appservers towards databases. Here the appserver NSG is referenced as the source &#8211; not a CIDR.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># This rule allows port 1521\/tcp to be accessed from NSG \"appserver\" created earlier\nresource \"oci_core_network_security_group_security_rule\" \"db_appserver_oracle\" {\n    network_security_group_id = oci_core_network_security_group.db.id\n    direction = \"INGRESS\"\n    protocol = \"6\" # TCP\n    description = \"Allow ingress from application servers to 1521\/tcp\"\n    source_type = \"NETWORK_SECURITY_GROUP\"\n    source = oci_core_network_security_group.appserver.id\n    tcp_options {\n        destination_port_range {\n            min = 1521\n            max = 1521\n        }\n    }\n}\n\n# This rule allows port 5432\/tcp to be accessed from NSG \"appserver\" created earlier\nresource \"oci_core_network_security_group_security_rule\" \"db_appserver_postgres\" {\n    network_security_group_id = oci_core_network_security_group.db.id\n    direction = \"INGRESS\"\n    protocol = \"6\" # TCP\n    description = \"Allow ingress from application servers to 5432\/tcp\"\n    source_type = \"NETWORK_SECURITY_GROUP\"\n    source = oci_core_network_security_group.appserver.id\n    tcp_options {\n        destination_port_range {\n            min = 5432\n            max = 5432\n        }\n    }\n}<\/code><\/pre>\n\n\n\n<p>And one example rule for the appserver group; here I just want to show that the source NSG can refer to itself &#8211; so the port is open only to resources placed in the same NSG.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># This rule 
allows port 80\/tcp to be accessed from the NSG itself\n# Example use - the application is running unencrypted HTTP and is expected to have a load balancer in front that does the encryption. In this case the load balancer could be put in the same NSG.\n# Or if the different application servers need to have a backbone communication port between each other - like a cluster interconnect\nresource \"oci_core_network_security_group_security_rule\" \"appserver_http\" {\n    network_security_group_id = oci_core_network_security_group.appserver.id\n    direction = \"INGRESS\"\n    protocol = \"6\" # TCP\n    description = \"Allow access to port 80\/tcp only from the current NSG (self)\"\n    source_type = \"NETWORK_SECURITY_GROUP\"\n    source = oci_core_network_security_group.appserver.id\n    tcp_options {\n        destination_port_range {\n            min = 80\n            max = 80\n        }\n    }\n}<\/code><\/pre>\n\n\n\n<p>Now, network security groups need to be attached to the resources they are intended to protect. 
NSGs are attached to the virtual network adapters (VNICs).<\/p>\n\n\n\n<p>To attach an NSG to my previously created compute instance, I have to go back and edit the compute instance declaration to attach the NSG to the primary VNIC of that instance.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># compute.tf\n\nresource \"oci_core_instance\" \"arm_instance\" {\n    compartment_id = oci_identity_compartment.compartment.id\n    # oci iam availability-domain list\n    availability_domain = \"MpAX:EU-STOCKHOLM-1-AD-1\"\n    # oci compute shape list --compartment-id \n    shape = \"VM.Standard.A1.Flex\" # ARM based shape\n    shape_config {\n        # How many CPUs and memory\n        ocpus = 2\n        memory_in_gbs = 4\n    }\n    display_name = \"test-arm-1\"\n    source_details {\n        # The source operating system image\n        # oci compute image list --all --output table --compartment-id \n        source_id = data.oci_core_images.oel.images[0].id\n        source_type = \"image\"\n    }\n    create_vnic_details {\n        # Network details\n        subnet_id = oci_core_subnet.subnet.id\n        assign_public_ip = true\n        # attaching Network Security Groups - NSGs\n        nsg_ids = [oci_core_network_security_group.appserver.id]\n    }\n    # CloudInit metadata - including my public SSH key\n    metadata = {\n        ssh_authorized_keys = \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZ4bqPK+Mwiy+HLabqJxCMcQ\/hY7IPx\/oEQZWZq7krJxkLLUI6lkw44XRCutgww1q91yTdsSUNDZ9jFz9LihGTEIu7CGKkzmoGtAWHwq2W38GuA5Fqr0r2vPH1qwkTiuN+VmeKJ+qzOfm9Lh1zjD5e4XndjxiaOrw0wI19zpWlUnEqTTjgs7jz9X7JrHRaimzS3PEF5GGrT6oy6gWoKiWSjrQA2VGWI0yNQpUBFTYWsKSHtR+oJHf2rM3LLyzKcEXnlUUJrjDqNsbbcCN26vIdCGIQTvSjyLj6SY+wYWJEHCgPSbBRUcCEcwp+bATDQNm9L4tI7ZON5ZiJstL\/sqIBBXmqruh7nSkWAYQK\/H6PUTMQrUU5iK8fSWgS+CB8CiaA8zos9mdMfs1+9UKz0vMDV7PFsb7euunS+DiS5iyz6dAz\/uFexDbQXPCbx9Vs7TbBW2iPtYc6SNMqFJD3E7sb1SIHhcpUvdLdctLKfnl6cvTz2o2VfHQLod+mtOq845s= ilmars_public_key\"\n    
}\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Here I&#8217;m exploring how to control basic network-level access to resources. In AWS there is a concept called Security Groups. In OCI (Oracle Cloud) the similar concept is called Network Security Groups; there is also a slightly less powerful concept called Security Lists. A good improvement of Network Security Groups over Security [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[68,67],"class_list":["post-735","post","type-post","status-publish","format-standard","hentry","category-blog-entry","tag-oci","tag-terraform"],"_links":{"self":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/735","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/comments?post=735"}],"version-history":[{"count":2,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/735\/revisions"}],"predecessor-version":[{"id":737,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/735\/revisions\/737"}],"wp:attachment":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/media?parent=735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/categories?post=735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/tags?post=735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}