Managing Access Rules for Oracle API Platform Cloud Service - Classic Instances

You can create and manage access rules from the My Services Console and the Oracle API Platform Cloud Service - Classic Overview page.

Access rules enable you to control access to the VMs that make up your service instance. For example, you can enable the database to use an available port to access the VM for the WebLogic Administration Server for your service instance. The system creates default rules, such as access on port 22 from the public internet to the WebLogic Administration Server VM.

To create access rules for your Oracle API Platform Cloud Service - Classic instance:
  1. Navigate to the My Services Console.
  2. Click the Action menu Menu icon adjacent to the service instance name and select Access Rules.
    The Access Rules page is displayed, showing the list of all access rules.
  3. Click Create Rule.
  4. Specify a unique name for the access rule.

    The name must begin with a letter, and can contain numbers, hyphens, or underscores. The length cannot exceed 50 characters. When you create a rule, you cannot use prefixes ora_ or sys_.

  5. (Optional) Specify a description of the rule.
  6. Specify a source for the rule:
    • PUBLIC-INTERNET — Any host on the internet

    • WLS_ADMIN_SERVER — The WebLogic Server Administration Server

    • WLS_MANAGED_SERVER — A WebLogic Server Managed Server

    • PAAS_INFRA — Internal for platform services. Used for various life cycle operations.

    • Load Balancer — The load balancer for the service. The load balancer is identified in the list by its internal name. Example: _100004–1505196282206.

    • <identifier>:DB — The database specified when the Oracle API Platform Cloud Service - Classic instance was created.

    • custom — A custom list of addresses from which traffic should be allowed. In the field that displays below when you select this option, enter a comma-separated list of the subnets (in CIDR format, such as 192.123.42.1/24) or IPv4 addresses for which you want to permit access.

    The source and the destination must be different.

  7. Choose a destination for the rule:
    • WLS_ADMIN_SERVER — The WebLogic Server Administration Server

    • WLS_MANAGED_SERVER — A WebLogic Server Managed Server

    • Load Balancer — The load balancer for the service. The load balancer is identified in the list by its internal name. Example: _100004–1505196282206.

    The source and the destination must be different.

  8. Specify a port or ports through which the source will access the destination. You can specify a single port or a range of ports (such as 7001–8001).
  9. Specify the transport protocol (TCP or UDP) with which the source will access the destination.
  10. Click Create.
  11. To manage your access rules on the Access Rules page, click the Action menu Menu icon and choose an option:
    • Enable — Rules of type USER or DEFAULT can be enabled. Rules of type SYSTEM cannot.

    • Disable — Rules of type USER or DEFAULT can be disabled. Rules of type SYSTEM cannot.

    • Delete — Rules of type USER can be deleted. Rules of type DEFAULT or SYSTEM cannot.
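To check a proposed rule against the constraints in the steps above before entering it in the console, the following is an added Python example (not Oracle's code or API): the endpoint sets, the shape checks for the load balancer and <identifier>:DB sources, and the extra flag for rules that open the Administration Server to PUBLIC-INTERNET are assumptions.

```python
import ipaddress
import re
# Constraints transcribed from the procedure above; the endpoint sets are an assumption
# (load balancer names starting with "_" and "<identifier>:DB" are matched by shape).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,49}$")
RESERVED_PREFIXES = ("ora_", "sys_")
NAMED_SOURCES = {"PUBLIC-INTERNET", "WLS_ADMIN_SERVER", "WLS_MANAGED_SERVER", "PAAS_INFRA"}
DESTINATIONS = {"WLS_ADMIN_SERVER", "WLS_MANAGED_SERVER"}
PROTOCOLS = {"TCP", "UDP"}

def parse_ports(spec):
    """Return (low, high) for '22' or a range such as '7001-8001', or None if malformed."""
    parts = spec.replace("\u2013", "-").split("-")  # the doc writes ranges with an en dash
    if len(parts) > 2 or not all(p.strip().isdigit() for p in parts):
        return None
    low, high = int(parts[0]), int(parts[-1])
    return (low, high) if 1 <= low <= high <= 65535 else None

def is_valid_source(source):
    """Named endpoint, '<identifier>:DB', load balancer, or a custom CIDR/IPv4 list."""
    if source in NAMED_SOURCES or source.endswith(":DB") or source.startswith("_"):
        return True
    try:
        [ipaddress.IPv4Network(i.strip(), strict=False) for i in source.split(",")]
    except ValueError:
        return False
    return True

def exposes_admin_to_internet(rule):
    """Defender's check: flags a rule that opens the Administration Server to any host."""
    return rule["source"] == "PUBLIC-INTERNET" and rule["destination"] == "WLS_ADMIN_SERVER"

def validate_rule(rule):
    """Return the list of constraint violations for a proposed rule (empty means OK)."""
    problems = []
    if not NAME_RE.match(rule["name"]):
        problems.append("name: letter first, then letters/digits/'-'/'_', at most 50 characters")
    if rule["name"].startswith(RESERVED_PREFIXES):
        problems.append("name: prefixes ora_ and sys_ are reserved")
    if not is_valid_source(rule["source"]):
        problems.append("source: must be a listed endpoint or a comma-separated CIDR/IPv4 list")
    if rule["destination"] not in DESTINATIONS and not rule["destination"].startswith("_"):
        problems.append("destination: must be WLS_ADMIN_SERVER, WLS_MANAGED_SERVER or the load balancer")
    if rule["source"] == rule["destination"]:
        problems.append("source and destination must be different")
    if parse_ports(rule["ports"]) is None:
        problems.append("ports: must be a single port or an ascending range within 1-65535")
    if rule["protocol"].upper() not in PROTOCOLS:
        problems.append("protocol: must be TCP or UDP")
    return problems
```

The default rule ora_p2admin_ssh listed in the table below would also trip exposes_admin_to_internet; it is of type DEFAULT, so it can be disabled from the Access Rules page if public SSH to the Administration Server is not needed.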

Default Oracle API Platform Cloud Service - Classic Access Rules

The following table describes the default access rules that are created when you create an Oracle API Platform Cloud Service - Classic Instance.

Rule Name | Default Status | Ports | Protocol | Source | Destination | Description | Rule Type | Application
sys_ms2db_dblistener | Enabled | 1521 | tcp | WLS_MANAGED_SERVER | DBaaS:<dbaas_instance>:DB | DO NOT MODIFY: Permit listener connection to database from managed servers | SYSTEM | -
sys_ms2db_ssh | Enabled | 22 | tcp | WLS_MANAGED_SERVER | DBaaS:<dbaas_instance>:DB | DO NOT MODIFY: Permit managed servers to ssh to db | SYSTEM | -
ora_lb2wls_8001_1 | Enabled | 8001 | tcp | <Load Balancer IPs> | WLS_MANAGED_SERVER | Do not edit or remove: Permit http connection to wls from load balancer | DEFAULT | -
ora_lb2admin_server_7001_1 | Enabled | 7001 | tcp | <Load Balancer IPs> | WLS_ADMIN_SERVER | Do not edit or remove: Permit http connection to admin_server from load balancer | DEFAULT | -
ora_p2admin_ssh | Enabled | 22 | tcp | PUBLIC-INTERNET | WLS_ADMIN_SERVER | Permit public to ssh to admin server | DEFAULT | -
ora_p2admin_ahttps | Disabled | 7002 | tcp | PUBLIC-INTERNET | WLS_ADMIN_SERVER | Permit public to https to admin server | DEFAULT | -
sys_infra2admin_ssh | Enabled | 22 | tcp | PUBLIC-INTERNET | WLS_ADMIN_SERVER | DO NOT MODIFY: Permit PSM to ssh to admin server | SYSTEM | -

Default Oracle API Platform Cloud Service - Classic Security Lists

The following table describes the default security lists that are created when you create an Oracle API Platform Cloud Service - Classic Instance.

Security List Name | Account
wls/ora_admin | /opcapics/default
wls/ora_ms | /opcapics/default
wls/ora_wls_infraadmin | /opcapics/default
lb/ora_otd | /opcapics/default
lb/ora_otd_infraadmin | /opcapics/default

Default Oracle API Platform Cloud Service - Classic Security Applications

The following table describes the default security applications that are created when you create an Oracle API Platform Cloud Service - Classic instance.

Name | Protocol | Port | Description
sys_chttp | TCP | 9073 | DO NOT MODIFY: Permit HTTP connection to managed servers from OTD
sys_chttps | TCP | 9074 | DO NOT MODIFY: Permits HTTP connection to managed servers from OTD
sys_dblistener | TCP | 1521 | DO NOT MODIFY: Permits listener connection to database from managed servers.
wls/ora_ahttps | TCP | 7002 | Permits traffic from the public internet over HTTPS to the Administration Server.
lb/ora_ahttps | TCP | 8989 | Permits public to https to OTD admin server
lb/ora_chttps | TCP | 443 | Permits traffic from the public internet over HTTPS to the Managed Servers.