Create an Access Rule

Not Oracle Cloud Infrastructure This topic does not apply to Oracle Cloud Infrastructure. Identify the Cloud Infrastructure Used by a Service Instance.

To control network access to the nodes in your Oracle Java Cloud Service instance, you can define access rules.

If you provisioned this service instance in an Oracle Cloud Infrastructure region, instead you must use the Oracle Cloud Infrastructure Console to create security lists instead of access rules. See Security Lists in the Oracle Cloud Infrastructure Services documentation.

For example, you can create rules that:

  • Enable an Oracle Database node to access a specific port on your WebLogic Server nodes

  • Enable public internet access to a specific port on the WebLogic Administration Server node

Oracle Java Cloud Service creates several default rules on a new service instance, such as public access to the WebLogic Administration Server node on port 22 for Secure Shell (SSH). Some of these are system rules, which cannot be disabled.

Access to the WebLogic Administration Console, Fusion Middleware Control Console, and Load Balancer Console is disabled by default on a new service instance. To use these consoles, you must enable the corresponding access rules.

Caution:

Make sure you consider the possible security implications before you open ports to external access.

Prior to creating an access rule, ensure that the destination node is configured to listen on the chosen ports. For example, on nodes running Oracle WebLogic Server you can configure network channels to control the listen ports for your Administration Server and Managed Servers. Refer to these topics in Administering Server Environments for Oracle WebLogic Server:

To create an access rule for a service instance:

  1. Access your service console.
  2. Beside the service that you want to modify, click Manage this instance Menu icon, and then select Access Rules.
  3. On the Access Rules page, click Create Rule.
  4. In the Rule Name field, enter a name for the access rule.
  5. Optional: In the Description field, enter a description for the access rule.
  6. In the Source field, select a source for the rule. The available source options depend on the topology of your service instance, and may include:
    • PUBLIC-INTERNET: Any host on the internet
    • WLS_ADMIN: The WebLogic Administration Server node
    • WLS_ADMIN_HOST: The WebLogic Administration Server node
    • WLS_MS: All WebLogic Managed Server nodes
    • OTD_ADMIN_HOST: The Oracle Traffic Director (OTD) Administration Server node
    • OTD_OTD_SERVER: All Oracle Traffic Director (OTD) Managed Server nodes
    • DBaaS:Name:DB: The database service named Name
    • <custom> : A custom list of addresses from which traffic should be allowed. In the field that appears below this one, enter a comma-separated list of the subnets (in CIDR format, such as 192.0.2.11/24) or IPv4 addresses for which you want to permit access.

    Note:

    The first node in your service instance runs an Administration Server and a Managed Server.
  7. In the Destination field, select the destination node within this service instance. The available source options depend on the topology of your service instance, and may include:
    • WLS_ADMIN: The WebLogic Administration Server node
    • WLS_ADMIN_HOST: The WebLogic Administration Server node
    • WLS_MS: All WebLogic Server nodes
    • OTD_ADMIN_HOST: The Oracle Traffic Director (OTD) Administration Server node
    • OTD_OTD_SERVER: All Oracle Traffic Director (OTD) Managed Server nodes
  8. In the Destination Port(s) field, enter the port or range of ports through which the source will be granted access to the destination.
  9. In the Protocol field, select the TCP or UDP transport for this rule.
  10. Click Create.

To return to either the Instances page or the Overview page for the selected service instance, click the locator links at the top of the page.