Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Create and Configure Oracle Cloud Infrastructure Zero Trust Packet Routing

Introduction

Oracle Cloud Infrastructure (OCI) Zero Trust Packet Routing prevents unauthorized access to data by managing network security policies separately from the underlying network architecture. Using an easily understood and intent-based policy language, security administrators can define specific access pathways for data. Traffic that is not explicitly allowed by policy cannot travel the network, improving security while simplifying the work of security, network, and audit teams.

The following tutorial provides details of how to configure OCI Zero Trust Packet Routing to apply security controls to govern communication across the network within an Oracle Cloud Infrastructure (OCI) tenancy. For this tutorial, the following architecture has been deployed.

In this architecture, the following resources have been configured:

• financeprod is an instance of Oracle Autonomous Database, configured as the production database, hosted in a private network, made accessible within the private subnet through a private endpoint.

• client-prod is a compute instance simulating an enterprise application in the production environment. For this scenario, this is an Oracle Linux instance running the Oracle Instant Client.

• client-dev is a compute instance simulating an enterprise application in the development environment. As with client-prod, this is an Oracle Linux instance running the Oracle Instant Client.

In addition, a separate VCN (so-vcn-pt) has been configured for this use case, comprising of:

• subnet-public is the public subnet containing the compute instances.

• subnet-private is the private subnet containing the database.

• sl-allow-public is a security list allowing SSH access from the internet. An egress rule has also been configured to allow outbound traffic. It is assigned to subnet-public.

• sl-allow-private is a security list allowing Oracle Instant Client traffic (port 1522) from subnet-public. An egress rule has also been configured to allow outbound traffic. This security list is assigned to subnet-private.

• route-public is the route table to route all traffic to the internet gateway. This is assigned to subnet-public.

• route-private is the route table to route all traffic to the NAT gateway. This is assigned to subnet-private.

• gw-internet is the internet gateway used in route-public.

• gw-nat is the NAT gateway used in route-private.

Objectives

• Configure new security attributes for OCI Zero Trust Packet Routing.

• Create OCI Zero Trust Packet Routing policies to control the flow of network traffic.

• Assign OCI Zero Trust Packet Routing security attributes to resources.

• Test the OCI Zero Trust Packet Routing policies.

Prerequisites

• A paid subscription for the OCI tenancy with appropriate permissions to manage OCI Zero Trust Packet Routing resources.

• The networking structure as defined in the architecture.

• Two compute instances as per the architecture, deployed in the public subnet.

• Install and configure Oracle Instant Client (including the SQL*Plus client) on both compute instances.

  Note: Download and install Oracle Instant Client from here: Installing Oracle Instant Client Using RPMs.

• Create an Oracle Autonomous Database instance as per the architecture, and deploy it with a private endpoint within the private subnet.

• Configure access to the database from the Oracle Instant Client on both compute instances.

Task 1: Confirm Access to the Database from Clients

In this task, we will confirm that both compute instances are able to access the database through the Oracle Instant Client.

1. Connect to your client-prod compute instance using SSH as the opc user.

2. Run the sqlplus command to connect to your autonomous database.

   As per the Prerequisites, the Oracle Instant client should be installed and configured. Here is a summary of the setup steps:

   • Download and install Oracle Instant Client.

   • Configure Oracle Instant Client.

   • Download the connection wallet for your autonomous database from OCI.

   • Extract the wallet into a folder.

   • Configure the sqlnet.ora file within your wallet folder to point to your wallet location.

   • Export the variable TNS_ADMIN to point to your extracted wallet location. For example, export TNS_ADMIN=/opt/wallet.

   • Run the sqlplus command, for example, sqlplus admin@financeprod_low and enter your password when prompted.

   If your Oracle Instant Client is working correctly and all your Prerequisites have been done, you should successfully connect to your database and be able to run commands. Run the show user; command to see the users.

   

3. Repeat the database connection test from client-dev.

   

   If your Oracle Instant Client is working correctly and all your Prerequisites have been done, you should successfully connect to your database and be able to run commands. Run the show user; command to see the users.

Task 2: Enable OCI Zero Trust Packet Routing

If this is the first time you have used OCI Zero Trust Packet Routing within your tenancy, it will need to be enabled.

1. Log in to the OCI Console as a user with suitable permissions to manage OCI Zero Trust Packet Routing resources and the other resources used in this tutorial.

2. Go to Identity and Security and click Zero Trust Packet Routing.

3. Click Enable ZPR, the button will become greyed out and the OCI Zero Trust Packet Routing menus will become accessible.

   

Task 3: Configure the OCI Zero Trust Packet Routing Security Attributes

To configure OCI Zero Trust Packet Routing, we need to set up the security attributes that will be used in your OCI Zero Trust Packet Routing policies.

In this task, we will create three new security attributes representing the network, databases, and applications. We will create predefined values for these security attributes.

1. Go to Zero Trust Packet Routing and click Security Attribute Namespace.

2. Under List scope, select the root Compartment. We will be presented with the predefined oracle-zpr Namespace.

   

3. Click oracle-zpr, you will see the predefined sensitivity security attribute. We will not use the attribute in this tutorial.

4. Select Create Security Attribute to create a new security attribute.

5. In Create Security Attribute, enter the following information.

   • Name: Enter app.
   • Description: Enter Security attribute representing applications.
   • Security attribute value type: Select A list of values.
   • Values: Enter prod and dev (on separate lines).

   

6. Click Create to create the new attribute.

7. Repeat step 5 and 6 to create two more security attributes.

   • Create a security attribute for databases using the following information:

     • Name: Enter db.
     • Description: Enter Security attribute representing databases.
     • Security attribute value type: Select A list of values.
     • Values: Enter prod and dev (on separate lines).

   • Create a security attribute for networks using the following information:

     • Name: Enter network.
     • Description: Enter Security attribute representing networks.
     • Security attribute value type: Select A list of values.
     • Values: Enter prod and dev (on separate lines).

   Once complete, you should see your list of security attributes, including the predefined sensitivity attribute.

   

Task 4: Create OCI Zero Trust Packet Routing Policies

We have defined the security attributes, now we need to create the policies to control the flow of information over the network.

For this use case, we need a policy that allows the production application to be able to communicate with the production database. In this task, we will configure the OCI Zero Trust Packet Routing policy to achieve that.

1. Go to the OCI Console, navigate to Identity and Security, Zero Trust Packet Routing and click Policies.

2. Click Create policy to create a new OCI Zero Trust Packet Routing policy.

3. Enter the following information and click Add policy statements to add a policy statement to your policy.

   • Name: Enter prod_policy.
   • Description: Enter Policy to allow production clients in the production network to access production databases.

4. Examine the three options for building policy statements, select Manual policy builder, enter the following policy statement and click Add to save the policy statement.

   • Policy statements: Enter in network:prod VCN allow app:prod endpoints to connect to db:prod endpoints with protocol = 'tcp/1522'.

   Note: The policy statement is easy to understand, even without an explanation. However, for clarity, you are telling OCI Zero Trust Packet Routing that you want any resources that have the security attribute app:prod assigned to them, to be able to talk to any resources that have the db:prod security attribute assigned to them, within the network:prod VCN over TCP protocol 1522.

   

   Your completed policy should look like:

   

5. Click Create policy to complete the creation of the prod_policy.

   Note: Once you assign security attributes to your resources, the OCI Zero Trust Packet Routing policy will be enforced and only traffic that matches an OCI Zero Trust Packet Routing policy will be allowed to transit the network. Since you will be assigning security attributes to your two compute instances, you will lose SSH access to those compute instances, since there is no OCI Zero Trust Packet Routing policy to allow SSH access to your clients. Therefore, you need to fix this by creating two additional policies.

6. Repeat step 2 to 5 to create two additional OCI Zero Trust Packet Routing policies, to allow you to connect to your compute instances through SSH.

   • Policy for allowing SSH access to client-prod:

     • Name: Enter prod_client_access_policy.
     • Description: Enter Policy to allow SSH access to the production clients in the production network.
     • Policy statements: Enter in network:prod VCN allow 'x.x.x.x/32' to connect to app:prod endpoints with protocol='tcp/22'.

   • Policy for allowing SSH access to client-dev:

     • Name: Enter dev_client_access_policy.
     • Description: Enter Policy to allow dev clients in the production network to access production databases.
     • Policy statements: Enter in network:prod VCN allow 'x.x.x.x/32' to connect to app:dev endpoints with protocol='tcp/22'.

     Note:

     • Replace x.x.x.x with your IP address.

     • In a production scenario, access to the clients will typically be through an OCI Bastion host. However, to keep this tutorial simple, access is direct. Therefore, the external IP address of the source machine connecting to the clients through SSH needs to be included.

   Your completed policies should look:

   

Task 5: Assign Security Attributes to your Resources

In this task, to configure OCI Zero Trust Packet Routing we will assign the security attributes to the necessary resources.

We will associate a db security attribute to your database, an app security attribute to your two clients, and a network security attribute to your VCN.

Note: When assigning security attributes, it can either be done from within the OCI Zero Trust Packet Routing screens, or from the individual resources. This tutorial will show you both methods.

1. Assign the security attribute to the database.

   1. Go to the OCI Console, navigate to Oracle Database and Autonomous Database.

      Note: Ensure you are in the compartment where you created your database, you should see it listed.

      

   2. Select your database (for example, Finance-PROD) from the list of available databases.

   3. Click Security attributes. You will see that it is currently empty with no security attribute assigned.

      

   4. Click Add security attributes and enter the following information.

      • Namespace: Select oracle-zpr.
      • Key: Select db.
      • Value: Select prod.

      

   5. Click Add security attributes to assign the security attribute to the database. The database will update and the attribute will be assigned.

      

2. Assign the security attributes to the compute instances.

   1. Go to the OCI Console, navigate to Compute and Instances.

      Note: Ensure you are in the compartment where you created your compute instances, you should see them both listed.

      

   2. Select your client-prod instance from the list of available instances.

   3. Click Security. This is empty as no security attribute has been assigned to the instance yet.

      

   4. Click Add security attributes and enter the following information.

      • Namespace: Enter oracle-zpr.
      • Key: Enter app.
      • Value: Enter prod.

      

   5. Click Add security attributes to assign the security attribute to the database. The compute instance will update and the attribute will be assigned.

      

   6. Go to the OCI Console, navigate to Compute and Instances.

      

   7. Select your client-dev instance from the list of available instances.

   8. Click Security.

      

   9. Click Add security attributes and enter the following information.

      • Namespace: Select oracle-zpr.
      • Key: Select app.
      • Value: Select dev.

      

   10. Click Add security attributes to assign the security attribute to the database. The compute instance will update and the attribute will be assigned.

       

3. Assign the security attributes to the VCN.

   1. Go to the OCI Console, navigate to Networking and Virtual Cloud Networks.

      Note: Ensure you are in the compartment where you created your VCN, you should see it listed.

      

   2. Select your so-vcn-pt VCN from the list of available VCNs.

   3. Click Security.

      

      Note: For assigning this security attribute, you are going to assign it through the OCI Zero Trust Packet Routing menu, rather than from the resource. This shows you the two different ways of assigning OCI Zero Trust Packet Routing security attributes.

   4. Go to the OCI Console, navigate to Identity and Security, Zero Trust Packet Routing and click Protected Resources.

      You will see the existing list of resources that have been protected, for example, had security attributes assigned to them.

      

   5. Click Add security attribute to resources.

   6. To filter the list, select the Compartment where you created your VCN and Resource Type as Vcn.

      

   7. Select your VCN (so-vcn-pt) and click Next.

   8. Enter the following information.

      • Security attribute namespace: Select oracle-zpr.
      • Security attribute: Select network.
      • Security attribute value: Select prod.

      

   9. Click Next and review the summary.

      

   10. Click Submit and Close to exit the Work Request. After a couple of minutes, the work request will be completed and the VCN will appear in the Protected Resources. We can also check in the VCN to ensure the security attribute has been assigned.

   11. Repeat step 1 to 3 to see the security attribute assigned to your VCN.

       

Task 6: Testing the Policy

Now, the OCI Zero Trust Packet Routing configuration is completed, the final task is to test the policy. In this tutorial, we have two test cases.

1. The first test case is to ensure that client-prod is still able to access the financeprod database.

   1. Connect to your client-prod compute instance using SSH as the opc user.

      Your OCI Zero Trust Packet Routing policy is allowing this connection from your local machine and therefore, your SSH connection should be successful.

   2. Run the sqlplus command to connect to your autonomous database.

      Your OCI Zero Trust Packet Routing policy is allowing this connection from your production client (client-prod) to your production database (financeprod) and therefore you should successfully connect to your database and be able to run the show user; command.

      

2. The second test case is to ensure that client-dev is no longer able to access the financeprod database.

   1. Connect to your client-dev compute instance using SSH as the opc user.

      Your Zero Trust Packet Routing policy is allowing this connection from your local machine and therefore, your SSH connection should be successful.

   2. Run the sqlplus command to connect to your autonomous database.

      Since there is no OCI Zero Trust Packet Routing policy allowing this connection from your development client (client-dev) to your production database (financeprod), the connection will be blocked.

      

Related Links

• OCI Zero Trust Packet Routing

• Overview of OCI Zero Trust Packet Routing

• First Principles: Robust data breach protection with Zero Trust Packet Routing (and use case walkthrough)

Acknowledgments

• Authors - Paul Toal (Field CISO, Senior Director)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Create and Configure Oracle Cloud Infrastructure Zero Trust Packet Routing

G17481-01

October 2024

Copyright ©2024,

Oracle and/or its affiliates.