Establish the Internet Gateway Security Rules

After the IGW is created, the correct security rules must be in place to prevent unauthorized access through the gateway. For example, inbound HTTPS traffic from the internet should be allowed only on TCP port 443, the default port for secure web access. Without an explicit ingress rule for that port, the subnet's security list drops the traffic and the port isn't reachable.

This section uses security lists to accomplish this goal, but a similar result can be achieved using security rules in a Network Security Group (NSG).

For more information about security lists and NSGs, see Controlling Traffic with Security Lists and Controlling Traffic with Network Security Groups.

Important

If you have configured the public subnet to use the default security list, remember that the default includes several rules to enable basic access, such as ingress SSH (TCP port 22) and egress access to all destinations. We recommend that you become familiar with this basic set of rules. Because an IGW makes the public subnet reachable from the internet, also consider narrowing the source CIDR of the SSH rule to your administrative network rather than leaving it open to every source address (the JSON example later in this section shows it accepting connections from 0.0.0.0/0). If you don't use the default security list, ensure that basic access is still provided either in the customized security rules or in an NSG containing those modified rules.

This example adds an ingress rule to the default security list that allows HTTPS connections on TCP port 443, the standard port for HTTP over TLS.

Without this ingress rule, inbound HTTPS connections are dropped. Make the new rule stateful so that the reply to an HTTPS request is allowed without creating an explicit egress rule for responses.

For information about creating a new security list instead of modifying the default or adding a rule to an existing security list, see Creating a Security List.

    1. In the Compute Cloud@Customer Console navigation menu, select Networking, then select Virtual Cloud Networks.

    2. If needed, change the compartment to find the resource you want.
    3. Select the name of the VCN for which you want to add the rule to a security list. The VCN details page is displayed.

    4. Under Resources, select Security Lists.

    5. Update or add new rules as follows:

      • For the security list to which you want to add the rule, select the Actions menu (three-dot icon), then select Edit. Make changes as described below.

      • To add a new rule, in the Allow Rules section, select +New Rule. You can also update the security list name and tags. Make changes as described below.

    6. Select Save Changes.

    For the HTTPS example, enter the following information for the TCP port 443 ingress rule:

    • Stateless: To allow for a response to the incoming HTTPS request, the new rule should be stateful. Ensure that the stateless box is unchecked. For more information about stateless and stateful rules, see Controlling Traffic with Security Lists.

    • CIDR: The CIDR block for the example is 0.0.0.0/0, which applies the rule to all source IP addresses. If only known networks need to reach the service, enter the narrowest source range that covers them instead.

    • IP Protocol: Select the TCP protocol from the drop-down list.

    • Port Range:

      • Source Port Range: Leave blank.

      • Destination Port Range: Enter 443.

    • Description: An optional description of the rule, such as "Allow stateful traffic for HTTPS on TCP port 443."

    You can always edit the new rule at any time.

  • Use the oci network security-list update command and required parameters to update the specified security list’s display name or rules. Avoid entering confidential information.

    Note

    The ingress-security-rules and egress-security-rules arguments you provide replace the entire existing set of rules of that type; the command does not append.

    oci network security-list update --security-list-id <security_list_OCID> [OPTIONS]

    For a complete list of CLI commands, flags, and options, see the Command Line Reference.

    Procedure

    1. Get the OCID of the default security list of the VCN that you want to update. The VCN listing reports it in the default-security-list-id field (oci network vcn list --compartment-id compartment_OCID).

    2. To update rules, construct arguments for the --ingress-security-rules and --egress-security-rules options as described in Creating a Security List. Arguments that you provide to these options overwrite any existing rules of that type. If you want to keep some existing rules, use the following command to show the current rules, and then copy the rules that you want to keep into the new option arguments.

      oci network security-list get --security-list-id ocid1.securitylist.unique_ID

      Example (put the following content in the file IGW_ingress_rule.json; the first rule is the existing SSH rule from the default security list, kept because the update replaces all ingress rules):

      [
        {
          "description": "Existing default-list rule: SSH on TCP port 22",
          "icmp-options": null,
          "is-stateless": false,
          "protocol": "6",
          "source": "0.0.0.0/0",
          "source-type": "CIDR_BLOCK",
          "tcp-options": {
            "destination-port-range": {
              "max": 22,
              "min": 22
            },
            "source-port-range": null
          },
          "udp-options": null
        },
        {
          "description": "Allow stateful traffic for HTTPS on TCP port 443",
          "icmp-options": null,
          "is-stateless": false,
          "protocol": "6",
          "source": "0.0.0.0/0",
          "source-type": "CIDR_BLOCK",
          "tcp-options": {
            "destination-port-range": {
              "max": 443,
              "min": 443
            },
            "source-port-range": null
          },
          "udp-options": null
        }
      ]
    3. Run the security list update command to add the rule for HTTPS and TCP port 443 traffic.

      Example:

      oci network security-list update --security-list-id ocid1.securitylist.unique_ID --ingress-security-rules file:///home/flast/IGW_ingress_rule.json
      
      WARNING: Updates to defined-tags and egress-security-rules and freeform-tags and 
       ingress-security-rules will replace any existing values. 
       Are you sure you want to continue? [y/N]: y
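    The CLI procedure above reads the existing rules back and resubmits them together with the new one because the update replaces the whole set. The following Python script, added here as an example and not part of the original page or of Oracle's tooling, automates that merge with the standard library only: it parses constructed sample output of oci network security-list get, appends the stateful TCP 443 rule only if an equivalent rule is not already present, writes the file that --ingress-security-rules consumes, and lists which ports the resulting rules expose to 0.0.0.0/0. The OCID, the output file name and the sample output are placeholders.

```python
"""Merge an HTTPS ingress rule into an existing OCI security list.

Added example for this page, not code from Oracle or the original text.
It performs the merge the CLI procedure requires by hand: because
--ingress-security-rules replaces the whole rule set, the existing rules
must be read back and resubmitted together with the new one. The `get`
output, the OCID and the output file name are constructed placeholders.
"""
import json
from pathlib import Path
from typing import Any, Dict, List, Optional

TCP = "6"  # the CLI identifies TCP by its IANA protocol number
ANY_SOURCE = "0.0.0.0/0"

# Constructed sample of `oci network security-list get` output for a default
# security list, trimmed to the fields the merge needs.
SAMPLE_GET_OUTPUT = json.dumps({
    "data": {
        "id": "ocid1.securitylist.unique_ID",
        "display-name": "Default Security List for vcn",
        "ingress-security-rules": [{
            "description": None,
            "icmp-options": None,
            "is-stateless": False,
            "protocol": TCP,
            "source": ANY_SOURCE,
            "source-type": "CIDR_BLOCK",
            "tcp-options": {"destination-port-range": {"max": 22, "min": 22},
                            "source-port-range": None},
            "udp-options": None,
        }],
        "egress-security-rules": [],
    }
})


def sample_ingress_rules() -> List[Dict[str, Any]]:
    """Parse the constructed `get` output the way a script parses real output."""
    return json.loads(SAMPLE_GET_OUTPUT)["data"]["ingress-security-rules"]


def tcp_ingress_rule(port: int, source: str = ANY_SOURCE,
                     description: Optional[str] = None) -> Dict[str, Any]:
    """Build a stateful TCP ingress rule in the key layout the CLI accepts."""
    return {
        "description": description,
        "icmp-options": None,
        "is-stateless": False,  # stateful: replies need no egress rule
        "protocol": TCP,
        "source": source,
        "source-type": "CIDR_BLOCK",
        "tcp-options": {"destination-port-range": {"max": port, "min": port},
                        "source-port-range": None},
        "udp-options": None,
    }


def _rule_key(rule: Dict[str, Any]):
    """Fields that make two rules equivalent (the description is ignored)."""
    dst = (rule.get("tcp-options") or {}).get("destination-port-range") or {}
    return (rule.get("protocol"), rule.get("source"), rule.get("source-type"),
            bool(rule.get("is-stateless")), dst.get("min"), dst.get("max"))


def merge_ingress_rules(existing: List[Dict[str, Any]],
                        new_rule: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the existing rules plus new_rule, unless an equivalent is present.
    Send the whole returned list to the update: it overwrites every ingress rule."""
    merged = [dict(r) for r in existing]
    if _rule_key(new_rule) not in {_rule_key(r) for r in merged}:
        merged.append(dict(new_rule))
    return merged


def internet_exposed_ports(rules: List[Dict[str, Any]]) -> List[int]:
    """TCP/UDP destination ports that accept traffic from any source address.
    On a subnet behind an IGW, every port listed here is open to the internet."""
    ports = set()
    for r in rules:
        if r.get("source") != ANY_SOURCE:
            continue
        for opt in ("tcp-options", "udp-options"):
            rng = (r.get(opt) or {}).get("destination-port-range")
            if rng:
                ports.update(range(rng["min"], rng["max"] + 1))
    return sorted(ports)


def write_rule_file(get_output: str, path: Path) -> List[Dict[str, Any]]:
    """Read rules from `get` output, add the HTTPS rule, write the CLI input file."""
    existing = json.loads(get_output)["data"]["ingress-security-rules"]
    merged = merge_ingress_rules(
        existing,
        tcp_ingress_rule(443, description="Allow stateful traffic for HTTPS on TCP port 443"))
    path.write_text(json.dumps(merged, indent=2) + "\n")
    return merged


if __name__ == "__main__":
    out = Path("IGW_ingress_rule.json")  # placeholder file name
    rules = write_rule_file(SAMPLE_GET_OUTPUT, out)
    print(f"{len(rules)} ingress rules written to {out}")
    print("ports open to 0.0.0.0/0:", internet_exposed_ports(rules))
    print("oci network security-list update"
          " --security-list-id ocid1.securitylist.unique_ID"
          f" --ingress-security-rules file://{out.resolve()}")
```

    Run it in place of step 2 and paste the printed command for step 3, after confirming that the list of ports open to 0.0.0.0/0 contains only what you intend to expose. Real output saved from oci network security-list get can be fed to write_rule_file unchanged, because the parsing goes through the same data envelope as the constructed sample.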
  • Use the UpdateSecurityList operation to update the specified security list’s display name or rules.

    For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.