Configure Security Lists

If you plan to provision your Oracle SOA Suite on Marketplace instance in an existing subnet, note that the provisioning process does not create any security lists or open any ports in that subnet. You must open the required ports explicitly before provisioning, or provisioning will fail to reach the instance.

For more information, see Security Lists in the Oracle Cloud Infrastructure documentation.

Open the required ports for your private or public subnet as described in the following scenarios. Each entry is an ingress rule on the named subnet: the listed destination port, with the listed CIDR as the permitted source.

Note:

  • Oracle recommends that you do not allow traffic from the public internet (0.0.0.0/0) on ports 22, 7002, and 9073; doing so exposes the instance to malicious traffic. Configure security rules that allow traffic on these ports from known CIDRs only.
  • Oracle Marketplace servers connect to the VM over SSH during provisioning and report status to the Resource Manager stack job, which is where you track provisioning progress.
    • You must allow traffic from the Oracle Marketplace servers, or provisioning cannot complete.
    • To identify the Oracle Marketplace server CIDRs, use Oracle's published list of public IP ranges and allow the CIDRs tagged OCI for your region.

Private subnet with private endpoint and load balancer

Private Subnet Port Settings

  Private endpoint subnet:
    Port 22 from the same subnet CIDR.

  Oracle SOA Suite on Marketplace instance subnet:
    Port 22 from the private endpoint subnet CIDR.
    Port 9073 from the load balancer subnet CIDR.
    All ports from within the same subnet CIDR.

  Load balancer subnet:
    Port 443 from the public internet (0.0.0.0/0) to allow SOA runtime traffic.

  DB connectivity:
    Port 1521 from the SOA subnet CIDR.

Private subnet with private endpoint and without load balancer

Private Subnet Port Settings

  Private endpoint subnet:
    Port 22 from the same subnet CIDR.

  Oracle SOA Suite on Marketplace instance subnet:
    Port 22 from the private endpoint subnet CIDR.
    All ports from within the same subnet CIDR.

  DB connectivity:
    Port 1521 from the SOA subnet CIDR.

Private subnet with Bastion instance and load balancer

Private Subnet Port Settings

  Bastion instance subnet:
    Port 22 from the Oracle Marketplace server CIDRs (see the Note above).

  Oracle SOA Suite on Marketplace instance subnet:
    Port 22 from the Bastion subnet CIDR.
    Port 9073 from the load balancer subnet CIDR.
    All ports from within the same subnet CIDR.

  Load balancer subnet:
    Port 443 from the public internet (0.0.0.0/0) to allow SOA runtime traffic.

  DB connectivity:
    Port 1521 from the SOA subnet CIDR.

Private subnet with Bastion instance and without load balancer

Private Subnet Port Settings

  Bastion instance subnet:
    Port 22 from the Oracle Marketplace server CIDRs (see the Note above).

  Oracle SOA Suite on Marketplace instance subnet:
    Port 22 from the Bastion subnet CIDR.
    All ports from within the same subnet CIDR.

  DB connectivity:
    Port 1521 from the SOA subnet CIDR.

Public subnet with load balancer

Public Subnet Port Settings

  Oracle SOA Suite on Marketplace instance subnet:
    Port 22 from the Oracle Marketplace server CIDRs (see the Note above).
    Port 9073 from the load balancer subnet CIDR.
    All ports from within the same subnet CIDR.

  Load balancer subnet:
    Port 443 from the public internet (0.0.0.0/0) to allow SOA runtime traffic.

  DB connectivity:
    Port 1521 from the SOA subnet CIDR.

Public subnet without load balancer

Public Subnet Port Settings

  Oracle SOA Suite on Marketplace instance subnet:
    Port 22 from the Oracle Marketplace server CIDRs (see the Note above).
    Port 9074 from the public internet (0.0.0.0/0). This is the only scenario in which the instance itself, rather than a load balancer, is reachable from the internet.
    All ports from within the same subnet CIDR.

  DB connectivity:
    Port 1521 from the SOA subnet CIDR.

The following screen shows example ingress rules that allow traffic from the Oracle Marketplace servers on port 22 in the Tokyo region:

[Figure: Ingress Rules example]

Note:

By default, for both multicast and unicast configurations, the Coherence cluster port 7574 is open for both UDP and TCP, and TCP port 7 is open for the Coherence TcpRing and IpMonitor death-detection feature.

The unicast port range is also open for both UDP and TCP. Set an explicit unicast listen port range rather than relying on a system-assigned ephemeral port; only a fixed range can be expressed as a bounded security rule.

The coherence.localhost, coherence.localport, and coherence.localport.adjust system properties specify the unicast address, port, and automatic port-adjustment settings, instead of using the operational override file.

Specify the unicast port with -D JVM arguments (no space between -D and the property name). For example:

-Dcoherence.localport=9000
-Dcoherence.localport.adjust=9200

The coherence.localport.adjust value is the upper limit for automatic port adjustment, so the example above allows ports 9000 through 9200, not just the two endpoints.

You can use any other port range; the "all ports from within the same subnet CIDR" rule in the scenarios above already covers it.
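The following is an added example, not Oracle's code or part of the original page. It derives, from the JVM -D arguments, the Coherence ports an intra-subnet security rule must admit: the cluster port 7574 (UDP and TCP), TCP port 7 for death detection, and the unicast range. It refuses to produce a rule when coherence.localport is unset (system-assigned ephemeral port) or when coherence.localport.adjust is left at true, since neither gives a bounded range. The rule tuple shape `(protocol, min, max, source_cidr)` and the subnet CIDR are this example's own assumptions.

```python
"""Derive the Coherence cluster ports a SOA subnet security list must admit
from the JVM -D arguments, refusing an unbounded or ephemeral unicast port.

Added example, not Oracle's code. Default ports follow the note above; the
rule tuples (protocol, min, max, source_cidr) are this example's own shape.
"""
import re

CLUSTER_PORT = 7574        # default Coherence cluster port, UDP and TCP
DEATH_DETECTION_PORT = 7   # TcpRing / IpMonitor death detection, TCP only


def parse_d_args(args):
    """Collect -Dname=value pairs from a list of JVM arguments."""
    props = {}
    for arg in args:
        m = re.fullmatch(r"-D([^=]+)=(.*)", arg)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def unicast_range(props):
    """Return (low, high) for the unicast listen ports.

    coherence.localport.adjust may be 'true' (increment without bound; the
    Coherence default), 'false' (no adjustment) or an integer upper limit.
    Only the last two yield a range a security rule can express.
    """
    if "coherence.localport" not in props:
        raise ValueError("coherence.localport not set: the unicast port would be "
                         "system-assigned and cannot be covered by a bounded rule")
    low = int(props["coherence.localport"])
    adjust = props.get("coherence.localport.adjust", "true")
    if adjust == "false":
        return low, low
    if adjust == "true":
        raise ValueError("coherence.localport.adjust=true has no upper limit; "
                         "set it to the highest port you want to allow")
    high = int(adjust)
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid unicast range {low}-{high}")
    return low, high


def cluster_rules(subnet_cidr, jvm_args):
    """Ingress rules (protocol, min, max, source) for intra-subnet Coherence traffic."""
    low, high = unicast_range(parse_d_args(jvm_args))
    return [
        ("udp", CLUSTER_PORT, CLUSTER_PORT, subnet_cidr),
        ("tcp", CLUSTER_PORT, CLUSTER_PORT, subnet_cidr),
        ("tcp", DEATH_DETECTION_PORT, DEATH_DETECTION_PORT, subnet_cidr),
        ("udp", low, high, subnet_cidr),
        ("tcp", low, high, subnet_cidr),
    ]


if __name__ == "__main__":
    # Constructed example: the -D arguments from the note and a placeholder SOA subnet.
    args = ["-Dcoherence.localport=9000", "-Dcoherence.localport.adjust=9200"]
    for rule in cluster_rules("10.0.2.0/24", args):
        print(rule)
```

Because the scenario tables already allow all ports within the SOA subnet CIDR, these rules only matter if you tighten that intra-subnet rule; the check on an unset or unbounded unicast port is what tells you whether tightening it is even possible.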