Enabling Network Access to a Compute Node

Oracle Database Exadata Cloud Service provides mechanisms to control network access to your Exadata environment. How you control network access depends on the configuration of your Exadata Cloud Service instance:

  • If the Exadata Cloud Service instance is configured to use IP Networks, then you must use the network management interfaces that are associated with Oracle Cloud Infrastructure Compute Classic to control network access.

    To control network traffic using IP networks, including enabling access to Exadata Cloud Service compute node ports, see Creating a Security Rule for IP Networks in Using Oracle Cloud Infrastructure Compute Classic.

  • If the Exadata Cloud Service instance is not configured to use IP networks, but the instance-level action menu (Menu icon) in the Service Details page contains the Manage Security Groups option, then it is configured to use self-service firewall functionality that is native to Exadata Cloud Service. See Using the Exadata Cloud Service Self-Service Firewall.

  • Otherwise, the instance is configured to use the Oracle-managed firewall. In that case, to enable access to a specific port on the compute nodes associated with your Exadata Cloud Service environment, you must submit a Service Request to Oracle Support. See How to Request Service Configuration for Oracle Database Exadata Cloud Service.

Using the Exadata Cloud Service Self-Service Firewall

You can use the Exadata Cloud Service self-service firewall if you can access the Manage Security Groups option in the action menu (Menu icon) that is associated with your service instance, which is located on the Service Details page that is accessible from the My Services dashboard.

You can use the self-service firewall to configure security rules and associate them with your Exadata Cloud Service instance. The security rules effectively define a white-list of allowed network access points.

The firewall provides a system of rules and groups. By default, the firewall denies network access to the Exadata Cloud Service instance. When you enable a security rule you enable access to the Exadata Cloud Service instance. To enable access you must:

  1. Create a security group.

  2. Within the security group, create security rules that define specific network access allowances.

  3. Associate the security group with your Exadata Cloud Service instance.

You can define numerous security groups, and each security group can contain numerous security rules. You can associate numerous security groups with each Exadata Cloud Service instance, and each security group can be associated with numerous Exadata Cloud Service instances. You can dynamically enable and disable different security rules by modifying the security groups that are associated with each Exadata Cloud Service instance.

Creating Security Groups

To create a security group:

  1. Open the My Services dashboard.

    For detailed instructions, see Accessing the My Services Dashboard and the Oracle Database Cloud Service Console.

  2. Click the action menu (Menu icon) in the Exadata Classic tile and choose View Details.

    The Service Details page is displayed, with the Overview tab showing.

  3. Locate your service instance in the list. Click the action menu (Menu icon) located beside the service instance name and choose Manage Security Groups.

    The Security Groups and Security Rules management page is displayed.

  4. Click Create Group.

    The Create Security Group dialog is displayed.

  5. Specify a Name and a Description for the new security group. Then, click Create.

Creating Security Rules

To create a security rule within a security group:

  1. Open the My Services dashboard.

    For detailed instructions, see Accessing the My Services Dashboard and the Oracle Database Cloud Service Console.

  2. Click the action menu (Menu icon) in the Exadata Classic tile and choose View Details.

    The Service Details page is displayed, with the Overview tab showing.

  3. Locate your service instance in the list. Click the action menu (Menu icon) located beside the service instance name and choose Manage Security Groups.

    The Security Groups and Security Rules management page is displayed.

  4. Select the desired security group from the list of security groups.

    The selected Security Group is highlighted.

  5. Click Create Rule.

    The Add Security Rule dialog is displayed.

  6. Specify the following attributes for the new security rule. Then, click Add.

    • Direction — select the direction of the network communications that are subject to this rule:

      • Inbound — configures the rule to allow network communications to be received from the location specified in the rule.

      • Outbound — configures the rule to allow network communications to be sent to the location specified in the rule.

    • Protocol — select the protocol of the network traffic that is subject to this rule:

      • TCP — configures the rule to allow TCP/IP network communications.

      • UDP — configures the rule to allow UDP network communications.

    • Interface — select the network interface that is subject to this rule:

      • Admin — specifies that the rule applies to network communications over the administration network interface. The administration network is typically used to support administration tasks by using terminal sessions, monitoring agents, and so on.

      • Client — specifies that the rule applies to network communications over the client access network interface, which is typically used by Oracle Net Services connections.

      • Backup — specifies that the rule applies to network communications over the backup network interface, which is typically used to transport backup information to and from network-based storage that is separate from Exadata Cloud Service.

    • Port — determines whether the rule applies to a specific network port or to a range of ports:

      • With Range — specifies that the rule applies to the range of port numbers bounded by Start Port and End Port. If you select this option you must also specify values for Start Port and End Port.

      • Without Range — specifies that the rule applies to the port number specified by Port Value. If you select this option you must also specify a value for Port Value.

    • Start Port, End Port, and Port Value — specify the network ports that are subject to this rule. You must enter a valid port number within the range 0 to 65535.

    • IP Subnet — specifies the IP addresses that are subject to this rule. You must enter a single IP address, or specify a range of IP addresses using Classless Inter-Domain Routing (CIDR) notation.

    Note:

    You can repeat steps 5 and 6 to create multiple rules within a security group.

  7. To save and apply the newly created security rules, click Apply on the Security Groups and Security Rules management page and then click Apply in the Apply Rule dialog.

    Note:

    Click Cancel on the Security Groups and Security Rules management page to remove unapplied security rules. Also, unapplied security rules are automatically removed if you navigate away from the page before they are applied.

Associating Security Groups with an Exadata Cloud Service Instance

To associate security groups with an Exadata Cloud Service instance:

  1. Open the My Services dashboard.

    For detailed instructions, see Accessing the My Services Dashboard and the Oracle Database Cloud Service Console.

  2. Click the action menu (Menu icon) in the Exadata Classic tile and choose View Details.

    The Service Details page is displayed, with the Overview tab showing.

  3. Locate your service instance in the list. Click the action menu (Menu icon) located beside the service instance name and choose Associate Security Groups.

    The Associate Security Groups dialog is displayed.

  4. Use the dialog controls to specify the desired list of security groups in the Associated Security Groups list. Then, click Add.

    The security groups, and their corresponding security rules, are enabled immediately.

    Note:

    You can also use the Associate Security Groups dialog to disable access by removing security groups from the Associated Security Groups list.
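
The following added example (not Oracle code, and not an Exadata Cloud Service interface) models the rule attributes and the default-deny behavior described above, so that a planned set of security groups can be checked before it is entered in the console. The Rule class, the function names, and the group names, ports and addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str    # "inbound" or "outbound"
    protocol: str     # "tcp" or "udp"
    interface: str    # "admin", "client" or "backup"
    start_port: int
    end_port: int     # same as start_port for a "Without Range" rule
    subnet: str       # single IP address or CIDR block

def validate(rule):
    """Return the problems found in a rule; an empty list means it is well formed."""
    problems = []
    if rule.direction not in ("inbound", "outbound"):
        problems.append("direction must be inbound or outbound")
    if rule.protocol not in ("tcp", "udp"):
        problems.append("protocol must be tcp or udp")
    if rule.interface not in ("admin", "client", "backup"):
        problems.append("interface must be admin, client or backup")
    if not 0 <= rule.start_port <= rule.end_port <= 65535:
        problems.append("ports must satisfy 0 <= start <= end <= 65535")
    try:
        ipaddress.ip_network(rule.subnet, strict=False)
    except ValueError:
        problems.append("subnet is not an IP address or CIDR block")
    return problems

def too_broad(rule):
    """Review aid (an assumption of this example): flag rules open to any address."""
    return not validate(rule) and ipaddress.ip_network(rule.subnet, strict=False).prefixlen == 0

def is_allowed(groups, associated, direction, protocol, interface, port, peer):
    """Default deny: True only if a rule in an associated group matches."""
    peer_ip = ipaddress.ip_address(peer)
    for name in associated:
        for r in groups.get(name, []):
            if validate(r):
                continue  # a malformed rule cannot be created, so it never matches
            if ((r.direction, r.protocol, r.interface) == (direction, protocol, interface)
                    and r.start_port <= port <= r.end_port
                    and peer_ip in ipaddress.ip_network(r.subnet, strict=False)):
                return True
    return False

# Constructed sample data: group names, ports and addresses are illustrative.
GROUPS = {
    "dba-ssh": [Rule("inbound", "tcp", "admin", 22, 22, "192.0.2.10")],
    "app-sqlnet": [Rule("inbound", "tcp", "client", 1521, 1522, "198.51.100.0/24")],
}
```

Calling is_allowed with a group name removed from the associated list shows the effect of removing that group in the Associate Security Groups dialog: traffic that only that group's rules matched is denied again.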