Network Gateway Example: Internet Gateway

A VCN is the basic networking unit of the Oracle Private Cloud Appliance. Traffic between a VCN and other networks passes through gateways, each of which serves a particular purpose.

In this example, access to a VCN from outside the rack is established through an Internet gateway (IGW). All steps to produce a working IGW are detailed.

This example sets up an IGW so that web servers running on instances in a public subnet can be reached from outside the rack. It then adds an ingress rule to the default security list of that subnet that allows inbound HTTPS connections on TCP port 443, the standard port for HTTP over TLS.

Without this ingress rule, inbound HTTPS connections are dropped. Leave the new rule stateful, which is the default: a stateful rule lets the reply to an HTTPS request leave the instance without an explicit egress rule for the responses.

Next, this example adds a route rule whose target is the existing IGW. The rule is added to the default route table for the VCN; you could instead create a new route table specifically for reaching the IGW. The route rule uses destination CIDR block 0.0.0.0/0, so all traffic that is not matched by a more specific rule in the route table is sent to the IGW.

This example includes steps to enable or disable the IGW, and how to delete it.

Overview

There are three major operations for establishing and using an IGW. Each has its own prerequisites and can usually be configured with either the Compute Web UI or the OCI CLI. Where both methods are available, both are presented.

The three activities used to configure and operate an IGW are:

  • Set up an IGW
  • Create or update a route table to include a rule for an IGW
  • Update the Security List or NSG

Set Up an Internet Gateway

The first thing that needs to be done is to configure the IGW.

Basic Internet Gateway Configuration

There are certain considerations that need to be assessed before setting up and using an IGW:

  • The VCN contains public subnets that need internet access. (Only resources in public subnets, which have public IP addresses, can use the IGW.)
  • Because the default is to deny access, you must decide in advance which types of ingress and egress internet traffic to allow, for example ingress HTTPS connections or ingress ICMP pings. The IGW itself does not filter traffic in either direction; the security lists or NSGs do, so every port you open is reachable from every source you allow.

For the basic configuration of an IGW, see Providing Public Access through an Internet Gateway. You must perform this initial configuration before proceeding.

Once the IGW has been created, two more steps are needed before it works with the route tables and the security lists or Network Security Groups (NSGs) of the VCN. First, the route table of each public subnet must contain a rule that directs the intended traffic to the IGW. Second, the security lists or NSGs in the VCN that contains the IGW must have rules that allow users to reach the resources they need and still block everything else.

Establish the Route Table Entries

The route table used by each public subnet that needs the internet gateway must include a route rule whose target is the IGW.

Each route rule specifies a destination CIDR block and the target (the next hop) for any traffic that matches that CIDR. Before you can create a rule, you must create a target for the rule, in this case, an IGW.

This example adds a rule targeting the existing IGW to the default route table for the VCN. You can also create a new route table specifically for reaching the IGW, but that is not done here. The route rule uses destination CIDR block 0.0.0.0/0, so all traffic that is not matched by a more specific rule in the route table goes to the IGW.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN whose route table you want to update. The VCN details page is displayed.

  3. Under Resources, click Route Tables.

  4. Go to the details page of the Default Route Table and click the Add Route Rule button.

  5. Click +New Rule, and enter the following information for this example:

    • Target Type: Select Internet Gateway from the list.

    • CIDR Block: Enter 0.0.0.0/0 as the destination CIDR block for the traffic.

    • Target: The target is the IGW. Click the arrow and select the target IGW. You might need to change the compartment just above the arrow.

    • Description: An optional description of the rule, such as "New rule for IGW."

  6. Click the Create Route Table Rule button in the dialog.

    The details page of the edited default route table is displayed. Because the subnet was set up to use the default route table, the resources in the subnet can now use the internet gateway.

Using the OCI CLI

  1. Gather the information you need to run the command:
    • The OCID of the compartment that contains the VCN (oci iam compartment list)

    • The OCID of the VCN (oci network vcn list --compartment-id compartment_OCID)

    • The OCID of the default route table: the default-route-table-id property in the vcn list output, or oci network route-table list --compartment-id compartment_OCID --vcn-id vcn_OCID

    • The OCID of the IGW (oci network internet-gateway list --compartment-id compartment_OCID --vcn-id vcn_OCID)

  2. Construct an argument for the --route-rules option.

    Route rules are in JSON format. To see how to format a rule, use the following command:

    oci network route-table update --generate-param-json-input route-rules > route_rule_format.json

    The update replaces the entire list of route rules. If the table already contains rules you want to keep, show them with oci network route-table get --rt-id routetable_OCID and copy them into the file alongside the new rule.

    Example (put the following content into the IGW_route_rule.json file):

    [
      {
        "cidr-block": "0.0.0.0/0",
        "description": "New rule for IGW",
        "destination": "0.0.0.0/0",
        "destination-type": "CIDR_BLOCK",
        "network-entity-id": "ocid1.internetgateway.unique_ID"
      }
    ]
  3. Run the route table update command.

    Syntax:

    oci network route-table update --rt-id routetable_OCID \
    --route-rules file:///home/flast/IGW_route_rule.json

    If the CLI warns that the update replaces the existing value of route-rules, answer y to continue.

While the update is still in progress, the route-rules property in the command output might not yet show the new rule. To confirm the rules, run a get command with the OCID of the route table:

oci network route-table get --rt-id ocid1.routetable.unique_ID

Once the route rule has been added, resources in every subnet that uses this route table can reach the IGW.
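The gotcha in the CLI procedure above is that --route-rules replaces the whole list, so a file containing only the IGW rule silently deletes every other route in the table. The following helper, added here and not part of the Oracle documentation or the OCI CLI, takes the output of oci network route-table get, merges in the 0.0.0.0/0 rule that targets the IGW, and writes the file that --route-rules file:// reads. It refuses to repoint an existing default route (for example one that already targets a NAT gateway) without a deliberate deletion first. The OCIDs are the page's placeholders and the "existing rule" to a DRG is a constructed sample.

```python
"""Build the --route-rules file for `oci network route-table update`.

Added helper (not Oracle's code). Existing rules are preserved because the
update replaces the rule list wholesale; the IGW OCID and the sample
current rules below are placeholders / constructed sample data.
"""
import json

IGW_OCID = "ocid1.internetgateway.unique_ID"  # placeholder from the page

# Constructed sample of the relevant part of `oci network route-table get`
# output: one existing rule sending RFC 1918 space to a DRG (hypothetical).
SAMPLE_GET_OUTPUT = json.dumps({
    "data": {
        "id": "ocid1.routetable.unique_ID",
        "lifecycle-state": "AVAILABLE",
        "route-rules": [{
            "cidr-block": "10.0.0.0/8",
            "description": "on-premises networks via DRG",
            "destination": "10.0.0.0/8",
            "destination-type": "CIDR_BLOCK",
            "network-entity-id": "ocid1.drg.unique_ID",
        }],
    }
})


def rules_from_get_output(text):
    """Extract the current rule list from `oci network route-table get` JSON."""
    return json.loads(text)["data"]["route-rules"]


def igw_rule(igw_ocid, destination="0.0.0.0/0", description="New rule for IGW"):
    """One route rule in the JSON shape the CLI expects."""
    return {
        "cidr-block": destination,    # legacy field, still accepted
        "description": description,
        "destination": destination,   # current field
        "destination-type": "CIDR_BLOCK",
        "network-entity-id": igw_ocid,
    }


def merge_igw_route(rules, igw_ocid, destination="0.0.0.0/0"):
    """Return the complete rule list to submit with --route-rules.

    Existing rules are kept. The call is idempotent, and it refuses to
    silently repoint a default route that already targets another entity.
    """
    kept = []
    for rule in rules:
        dest = rule.get("destination") or rule.get("cidr-block")
        if dest == destination:
            if rule["network-entity-id"] == igw_ocid:
                return list(rules)   # already routed to this IGW, nothing to do
            raise ValueError(
                f"{destination} already routes to {rule['network-entity-id']}; "
                "delete that rule deliberately before pointing it at the IGW")
        kept.append(rule)
    return kept + [igw_rule(igw_ocid, destination)]


def write_route_rules_file(path, rules):
    """Write the list in the form `--route-rules file://<path>` reads."""
    with open(path, "w") as fh:
        json.dump(rules, fh, indent=2)
    return path


if __name__ == "__main__":
    current = rules_from_get_output(SAMPLE_GET_OUTPUT)
    out = write_route_rules_file("IGW_route_rule.json",
                                 merge_igw_route(current, IGW_OCID))
    print("oci network route-table update --rt-id ocid1.routetable.unique_ID "
          f"--route-rules file://{out}")
```

In practice, pipe the real get output into rules_from_get_output instead of the sample, and inspect the generated file before running the update.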

Establish the Internet Gateway Security Rules

Once the IGW has been created, the correct security rules must be in place so that only the intended traffic reaches the instances behind the gateway. In this example, inbound HTTPS from the internet is allowed only on TCP port 443, the standard port for HTTPS. Without an explicit ingress rule for that port, the traffic is dropped.

This section uses security lists to accomplish this goal, but a similar result can be achieved using security rules in a Network Security Group (NSG), which is what Oracle recommends.

For more information about security lists and NSGs, see the Virtual Networking Overview.

Important:

If you have configured the public subnet to use the default security list, remember that the default includes several rules to enable basic access, such as ingress SSH on TCP port 22 from 0.0.0.0/0 and egress access to all destinations. Oracle recommends that you become familiar with this basic access set of rules. On a subnet that is reachable through an IGW, the ingress SSH rule is open to the whole internet; narrow its source to the address ranges you administer from. If you do not use the default security list, make sure that basic access is still provided either in the customized security rules or in an NSG containing those modified rules.

This example adds an ingress rule to the default security list that allows inbound HTTPS connections on TCP port 443, the standard port for HTTP over TLS.

Without this ingress rule, inbound HTTPS connections are dropped. Leave the new rule stateful, which allows the reply to an HTTPS request without an explicit egress rule for the responses.

For information about creating a new security list instead of modifying the default or adding a rule to an existing security list, see Creating a Security List.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to add the rule to a security list. The VCN details page is displayed.

  3. Under Resources, click Security Lists.

  4. For the security list to which you want to add the rule, click the Actions menu and then click Edit to open the Edit Security List dialog. Update rules in the Allow Rules for Ingress and Allow Rules for Egress sections.

  5. To add a new rule, in the Allow Rules sections, click the +New Rule button. You can also update the security list name and tags.

  6. When you are done, click the Save Changes button on the dialog.

For the HTTPS example using TCP port 443 ingress rule, enter the following information:

  • Stateless: To allow for a response to the incoming HTTPS request, the new rule should be stateful. Make sure that the stateless box is unchecked. For more information about stateless and stateful rules, see "Security Lists" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

  • CIDR: Enter 0.0.0.0/0 as the source CIDR block for this example, which applies the rule to every source IP address. If the web servers are not meant to be reachable by everyone, narrow this to the address ranges that need access.

  • IP Protocol: Select the TCP protocol from the drop-down list.

  • Port Range:

    • Source Port Range: Leave blank.

    • Destination Port Range: Enter 443.

  • Description: An optional description of the rule, such as "Allow stateful traffic for HTTPS on TCP port 443."

Click Save Changes to save your new rule. You can always edit the new rule at any time.

Using the OCI CLI

  1. Get the OCID of the default security list of the VCN that you want to update: the default-security-list-id property in the output of oci network vcn list --compartment-id compartment_OCID, or oci network security-list list --compartment-id compartment_OCID --vcn-id vcn_OCID

  2. To update rules, construct arguments for the --ingress-security-rules and --egress-security-rules options as described in Creating a Security List. Arguments that you provide to these options overwrite any existing rules. If you want to keep some existing rules, use the following command to show the current rules, and then copy the rules that you want to keep into the new option arguments. The example below keeps the default ingress SSH rule on TCP port 22 and adds the HTTPS rule on TCP port 443.

    oci network security-list get --security-list-id ocid1.securitylist.unique_ID

    Example (put the following content in the file IGW_ingress_rule.json):

    [
      {
        "description": null,
        "icmp-options": null,
        "is-stateless": false,
        "protocol": "6",
        "source": "0.0.0.0/0",
        "source-type": "CIDR_BLOCK",
        "tcp-options": {
          "destination-port-range": {
            "max": 22,
            "min": 22
          },
          "source-port-range": null
        },
        "udp-options": null
      },
      {
        "description": null,
        "icmp-options": null,
        "is-stateless": false,
        "protocol": "6",
        "source": "0.0.0.0/0",
        "source-type": "CIDR_BLOCK",
        "tcp-options": {
          "destination-port-range": {
            "max": 443,
            "min": 443
          },
          "source-port-range": null
        },
        "udp-options": null
      }
    ]

  3. Run the security list update command to add the rule for HTTPS and TCP port 443 traffic.

    Example:

    oci network security-list update  \
    --security-list-id ocid1.securitylist.unique_ID \
    --ingress-security-rules file:///home/flast/IGW_ingress_rule.json
    
    WARNING: Updates to defined-tags and egress-security-rules and freeform-tags and 
     ingress-security-rules will replace any existing values. 
     Are you sure you want to continue? [y/N]: y
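The warning shown above is the point where existing rules are lost if the file contains only the new rule. The following helper, added here and not part of the Oracle documentation or the OCI CLI, builds the --ingress-security-rules file from the current rules (as returned by oci network security-list get), adds the stateful TCP/443 rule exactly once, and then audits the result for TCP ports that are open to 0.0.0.0/0 beyond the ones you intend, which is the check worth running before the IGW route makes those ports reachable. The sample current rules are a constructed approximation of the default security list (SSH and ICMP), not output captured from a system.

```python
"""Build and audit the --ingress-security-rules file for
`oci network security-list update`.

Added helper (not Oracle's code). The sample current rules are constructed,
not captured; protocol numbers follow the string convention the CLI uses.
"""
import json

TCP = "6"    # OCI expresses protocols as IANA numbers in strings
ICMP = "1"


def tcp_ingress_rule(port, source="0.0.0.0/0", description=None):
    """Stateful TCP ingress rule for one destination port, in CLI JSON shape."""
    return {
        "description": description,
        "icmp-options": None,
        "is-stateless": False,     # stateful: replies need no matching egress rule
        "protocol": TCP,
        "source": source,
        "source-type": "CIDR_BLOCK",
        "tcp-options": {
            "destination-port-range": {"max": port, "min": port},
            "source-port-range": None,
        },
        "udp-options": None,
    }


# Constructed approximation of the default security list's ingress rules.
SAMPLE_CURRENT_RULES = [
    tcp_ingress_rule(22),
    {
        "description": None,
        "icmp-options": {"code": 4, "type": 3},   # path MTU discovery
        "is-stateless": False,
        "protocol": ICMP,
        "source": "0.0.0.0/0",
        "source-type": "CIDR_BLOCK",
        "tcp-options": None,
        "udp-options": None,
    },
]


def rules_from_get_output(text):
    """Extract the ingress rules from `oci network security-list get` JSON."""
    return json.loads(text)["data"]["ingress-security-rules"]


def _without_description(rule):
    return {k: v for k, v in rule.items() if k != "description"}


def add_https_rule(current_rules, source="0.0.0.0/0"):
    """Return the full ingress list with a stateful TCP/443 rule added once."""
    new = tcp_ingress_rule(443, source,
                           "Allow stateful traffic for HTTPS on TCP port 443")
    if any(_without_description(r) == _without_description(new) for r in current_rules):
        return list(current_rules)
    return list(current_rules) + [new]


def world_open_tcp_ports(rules, allowed=(443,)):
    """TCP ports reachable from 0.0.0.0/0 that are not in `allowed`.

    Anything reported here is exposed to the whole internet once the
    IGW route is in place; "all" means a rule with no port range.
    """
    exposed = []
    for rule in rules:
        if rule["protocol"] != TCP or rule["source"] != "0.0.0.0/0":
            continue
        rng = (rule.get("tcp-options") or {}).get("destination-port-range")
        if rng is None:            # no range means every TCP port
            exposed.append("all")
            continue
        exposed.extend(p for p in range(rng["min"], rng["max"] + 1)
                       if p not in allowed)
    return exposed


def write_ingress_rules_file(path, rules):
    """Write the list in the form `--ingress-security-rules file://<path>` reads."""
    with open(path, "w") as fh:
        json.dump(rules, fh, indent=2)
    return path


if __name__ == "__main__":
    rules = add_https_rule(SAMPLE_CURRENT_RULES)
    for port in world_open_tcp_ports(rules):
        print(f"warning: TCP port {port} is open to 0.0.0.0/0; "
              "narrow its source if it is not meant to be public")
    out = write_ingress_rules_file("IGW_ingress_rule.json", rules)
    print("oci network security-list update "
          "--security-list-id ocid1.securitylist.unique_ID "
          f"--ingress-security-rules file://{out}")
```

Run against the sample, the audit flags port 22: the default SSH rule survives the update and becomes internet-reachable along with HTTPS, which is the case to decide about deliberately rather than discover later.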