Create and Configure Oracle Cloud Infrastructure Zero Trust Packet Routing

Introduction

Oracle Cloud Infrastructure (OCI) Zero Trust Packet Routing prevents unauthorized access to data by managing network security policies separately from the underlying network architecture. Using an easily understood and intent-based policy language, security administrators can define specific access pathways for data. Traffic that is not explicitly allowed by policy cannot travel the network, improving security while simplifying the work of security, network, and audit teams.

The following tutorial provides details of how to configure OCI Zero Trust Packet Routing to apply security controls to govern communication across the network within an Oracle Cloud Infrastructure (OCI) tenancy. For this tutorial, the following architecture has been deployed.

Image showing the architecture for this ZPR use case.

In this architecture, the following resources have been configured:

In addition, a separate VCN (so-vcn-pt) has been configured for this use case, comprising:

Objectives

Prerequisites

Task 1: Confirm Access to the Database from Clients

In this task, we will confirm that both compute instances are able to access the database through the Oracle Instant Client.

  1. Connect to your client-prod compute instance using SSH as the opc user.

  2. Run the sqlplus command to connect to your autonomous database.

    As per the Prerequisites, the Oracle Instant Client should be installed and configured. Here is a summary of the setup steps:

    • Download and install Oracle Instant Client.

    • Configure Oracle Instant Client.

    • Download the connection wallet for your autonomous database from OCI.

    • Extract the wallet into a folder.

    • Configure the sqlnet.ora file within your wallet folder to point to your wallet location.

    • Export the variable TNS_ADMIN to point to your extracted wallet location. For example, export TNS_ADMIN=/opt/wallet.

    • Run the sqlplus command, for example, sqlplus admin@financeprod_low and enter your password when prompted.

    If your Oracle Instant Client is working correctly and all the Prerequisites have been completed, you should connect to your database successfully and be able to run commands. Run the show user; command to confirm the connected user.

    Screenshot showing SSH access to client-prod.

  3. Repeat the database connection test from client-dev.

    Screenshot showing SSH access to client-dev.

    If your Oracle Instant Client is working correctly and all the Prerequisites have been completed, you should connect to your database successfully and be able to run commands. Run the show user; command to confirm the connected user.

Task 2: Enable OCI Zero Trust Packet Routing

If this is the first time you have used OCI Zero Trust Packet Routing within your tenancy, it will need to be enabled.

  1. Log in to the OCI Console as a user with suitable permissions to manage OCI Zero Trust Packet Routing resources and the other resources used in this tutorial.

  2. Go to Identity and Security and click Zero Trust Packet Routing.

  3. Click Enable ZPR. The button will become greyed out and the OCI Zero Trust Packet Routing menus will become accessible.

    Screenshot showing ZPR enabled.

Task 3: Configure the OCI Zero Trust Packet Routing Security Attributes

To configure OCI Zero Trust Packet Routing, we need to set up the security attributes that will be used in your OCI Zero Trust Packet Routing policies.

In this task, we will create three new security attributes representing the network, databases, and applications. We will create predefined values for these security attributes.

  1. Go to Zero Trust Packet Routing and click Security Attribute Namespace.

  2. Under List scope, select the root Compartment. You will be presented with the predefined oracle-zpr Namespace.

    Screenshot showing ZPR security attribute namespace.

  3. Click oracle-zpr. You will see the predefined sensitivity security attribute, which is not used in this tutorial.

  4. Select Create Security Attribute to create a new security attribute.

  5. In Create Security Attribute, enter the following information.

    • Name: Enter app.
    • Description: Enter Security attribute representing applications.
    • Security attribute value type: Select A list of values.
    • Values: Enter prod and dev (on separate lines).

    Screenshot showing ZPR security attribute for app.

  6. Click Create to create the new attribute.

  7. Repeat steps 5 and 6 to create two more security attributes.

    • Create a security attribute for databases using the following information:

      • Name: Enter db.
      • Description: Enter Security attribute representing databases.
      • Security attribute value type: Select A list of values.
      • Values: Enter prod and dev (on separate lines).
    • Create a security attribute for networks using the following information:

      • Name: Enter network.
      • Description: Enter Security attribute representing networks.
      • Security attribute value type: Select A list of values.
      • Values: Enter prod and dev (on separate lines).

    Once complete, you should see your list of security attributes, including the predefined sensitivity attribute.

    Screenshot showing the list of Zero Trust Packet Routing security attributes.

Task 4: Create OCI Zero Trust Packet Routing Policies

We have defined the security attributes, now we need to create the policies to control the flow of information over the network.

For this use case, we need a policy that allows the production application to be able to communicate with the production database. In this task, we will configure the OCI Zero Trust Packet Routing policy to achieve that.

  1. Go to the OCI Console, navigate to Identity and Security, Zero Trust Packet Routing and click Policies.

  2. Click Create policy to create a new OCI Zero Trust Packet Routing policy.

  3. Enter the following information and click Add policy statements to add a policy statement to your policy.

    • Name: Enter prod_policy.
    • Description: Enter Policy to allow production clients in the production network to access production databases.
  4. Examine the three options for building policy statements, select Manual policy builder, enter the following policy statement and click Add to save the policy statement.

    • Policy statements: Enter in network:prod VCN allow app:prod endpoints to connect to db:prod endpoints with protocol = 'tcp/1522'.

    Note: The policy statement is easy to understand, even without an explanation. However, for clarity, you are telling OCI Zero Trust Packet Routing that you want any resources that have the security attribute app:prod assigned to them to be able to talk to any resources that have the db:prod security attribute assigned to them, within the network:prod VCN, over TCP port 1522.

    Screenshot showing the prod_policy statement.

    Your completed policy should look like:

    Screenshot showing the prod_policy.

  5. Click Create policy to complete the creation of the prod_policy.

    Note: Once you assign security attributes to your resources, the OCI Zero Trust Packet Routing policy will be enforced and only traffic that matches an OCI Zero Trust Packet Routing policy will be allowed to transit the network. Since you will be assigning security attributes to your two compute instances, you will lose SSH access to those compute instances, since there is no OCI Zero Trust Packet Routing policy to allow SSH access to your clients. Therefore, you need to fix this by creating two additional policies.

  6. Repeat steps 2 to 5 to create two additional OCI Zero Trust Packet Routing policies that allow you to connect to your compute instances through SSH.

    • Policy for allowing SSH access to client-prod:

      • Name: Enter prod_client_access_policy.
      • Description: Enter Policy to allow SSH access to the production clients in the production network.
      • Policy statements: Enter in network:prod VCN allow 'x.x.x.x/32' to connect to app:prod endpoints with protocol='tcp/22'.
    • Policy for allowing SSH access to client-dev:

      • Name: Enter dev_client_access_policy.
      • Description: Enter Policy to allow dev clients in the production network to access production databases.
      • Policy statements: Enter in network:prod VCN allow 'x.x.x.x/32' to connect to app:dev endpoints with protocol='tcp/22'.

      Note:

      • Replace x.x.x.x with your IP address.

      • In a production scenario, access to the clients will typically be through an OCI Bastion host. However, to keep this tutorial simple, access is direct. Therefore, the external IP address of the source machine connecting to the clients through SSH needs to be included.

    Your completed policies should look like:

    Screenshot showing the ZPR policy list.

Task 5: Assign Security Attributes to your Resources

In this task, we will assign the security attributes to the necessary resources to configure OCI Zero Trust Packet Routing.

We will associate a db security attribute with your database, an app security attribute with your two clients, and a network security attribute with your VCN.

Note: When assigning security attributes, it can either be done from within the OCI Zero Trust Packet Routing screens, or from the individual resources. This tutorial will show you both methods.

  1. Assign the security attribute to the database.

    1. Go to the OCI Console, navigate to Oracle Database and Autonomous Database.

      Note: Ensure you are in the compartment where you created your database; you should see it listed.

      Screenshot showing Autonomous Database.

    2. Select your database (for example, Finance-PROD) from the list of available databases.

    3. Click Security attributes. You will see that it is currently empty with no security attribute assigned.

      Screenshot showing the Security Attributes tab.

    4. Click Add security attributes and enter the following information.

      • Namespace: Select oracle-zpr.
      • Key: Select db.
      • Value: Select prod.

      Screenshot showing the selection of the security attribute.

    5. Click Add security attributes to assign the security attribute to the database. The database will update and the attribute will be assigned.

      Screenshot showing the Security Attributes tab populated.

  2. Assign the security attributes to the compute instances.

    1. Go to the OCI Console, navigate to Compute and Instances.

      Note: Ensure you are in the compartment where you created your compute instances; you should see them both listed.

      Screenshot showing Compute instances.

    2. Select your client-prod instance from the list of available instances.

    3. Click Security. This is empty as no security attribute has been assigned to the instance yet.

      Screenshot showing the Security Attributes tab.

    4. Click Add security attributes and enter the following information.

      • Namespace: Enter oracle-zpr.
      • Key: Enter app.
      • Value: Enter prod.

      Screenshot showing the selection of the security attribute.

    5. Click Add security attributes to assign the security attribute to the compute instance. The compute instance will update and the attribute will be assigned.

      Screenshot showing the Security Attributes tab populated.

    6. Go to the OCI Console, navigate to Compute and Instances.

      Screenshot showing the compute breadcrumb menu.

    7. Select your client-dev instance from the list of available instances.

    8. Click Security.

      Screenshot showing the Security Attributes tab.

    9. Click Add security attributes and enter the following information.

      • Namespace: Select oracle-zpr.
      • Key: Select app.
      • Value: Select dev.

      Screenshot showing the selection of the security attribute.

    10. Click Add security attributes to assign the security attribute to the compute instance. The compute instance will update and the attribute will be assigned.

      Screenshot showing the Security Attributes tab populated.

  3. Assign the security attributes to the VCN.

    1. Go to the OCI Console, navigate to Networking and Virtual Cloud Networks.

      Note: Ensure you are in the compartment where you created your VCN; you should see it listed.

      Screenshot showing VCNs.

    2. Select your so-vcn-pt VCN from the list of available VCNs.

    3. Click Security.

      Screenshot showing the Security Attributes tab.

      Note: For assigning this security attribute, you are going to assign it through the OCI Zero Trust Packet Routing menu, rather than from the resource. This shows you the two different ways of assigning OCI Zero Trust Packet Routing security attributes.

    4. Go to the OCI Console, navigate to Identity and Security, Zero Trust Packet Routing and click Protected Resources.

      You will see the existing list of protected resources, that is, resources that have had security attributes assigned to them.

      Screenshot showing the ZPR protected resources.

    5. Click Add security attribute to resources.

    6. To filter the list, select the Compartment where you created your VCN and Resource Type as Vcn.

      Screenshot showing the ZPR protected resources.

    7. Select your VCN (so-vcn-pt) and click Next.

    8. Enter the following information.

      • Security attribute namespace: Select oracle-zpr.
      • Security attribute: Select network.
      • Security attribute value: Select prod.

      Screenshot showing the ZPR protected resources attribute selection.

    9. Click Next and review the summary.

      Screenshot showing the ZPR protected resources attribute selection summary.

    10. Click Submit and Close to exit the Work Request. After a couple of minutes, the work request will be completed and the VCN will appear in the Protected Resources. You can also check in the VCN to ensure the security attribute has been assigned.

    11. Repeat steps 1 to 3 to see the security attribute assigned to your VCN.

      Screenshot showing the security attribute assigned to the VCN.

Task 6: Testing the Policy

Now that the OCI Zero Trust Packet Routing configuration is complete, the final task is to test the policy. In this tutorial, we have two test cases.

  1. The first test case is to ensure that client-prod is still able to access the financeprod database.

    1. Connect to your client-prod compute instance using SSH as the opc user.

      Your OCI Zero Trust Packet Routing policy is allowing this connection from your local machine and therefore, your SSH connection should be successful.

    2. Run the sqlplus command to connect to your autonomous database.

      Your OCI Zero Trust Packet Routing policy is allowing this connection from your production client (client-prod) to your production database (financeprod) and therefore you should successfully connect to your database and be able to run the show user; command.

      Screenshot showing SSH access to client-prod.

  2. The second test case is to ensure that client-dev is no longer able to access the financeprod database.

    1. Connect to your client-dev compute instance using SSH as the opc user.

      Your Zero Trust Packet Routing policy is allowing this connection from your local machine and therefore, your SSH connection should be successful.

    2. Run the sqlplus command to connect to your autonomous database.

      Since there is no OCI Zero Trust Packet Routing policy allowing this connection from your development client (client-dev) to your production database (financeprod), the connection will be blocked.

      Screenshot showing failing SQL access to DB from client-dev.
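As an added example (not code from this tutorial or from OCI), the following Python models the policy statements from Task 4 and the two test cases in Task 6: a parser for the statement shapes used above and a default-deny evaluator over the security attributes assigned in Task 5. The grammar it accepts (only these two shapes, not the full ZPR policy language), the 203.0.113.10 address standing in for x.x.x.x, and the attribute sets are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Matches the two statement shapes used in this tutorial (assumption: not the
# full OCI ZPR grammar). Source is "attr:value endpoints" or a quoted CIDR;
# destination is always "attr:value endpoints"; protocol is 'tcp/<port>'.
STATEMENT = re.compile(
    r"^in (?P<net>\w+:\w+) VCN allow "
    r"(?:(?P<src>\w+:\w+) endpoints|'(?P<cidr>[\d./]+)') "
    r"to connect to (?P<dst>\w+:\w+) endpoints "
    r"with protocol\s*=\s*'(?P<proto>[a-z]+/\d+)'$"
)

def parse_statement(text):
    """Return the parts of one policy statement, or raise on unknown syntax."""
    match = STATEMENT.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    return match.groupdict()  # non-participating groups come back as None

def is_allowed(policies, vcn_attrs, src, dst_attrs, proto):
    """Default deny: the flow passes only if some statement matches it.
    src is a set of security attributes (a tagged endpoint) or a source IP
    string (the external SSH client); vcn_attrs/dst_attrs are attribute sets."""
    for stmt in map(parse_statement, policies):
        if stmt["net"] not in vcn_attrs or stmt["dst"] not in dst_attrs:
            continue
        if stmt["proto"] != proto:
            continue
        if stmt["cidr"] is not None:  # CIDR source: only an IP source can match
            net = ip_network(stmt["cidr"], strict=False)
            if isinstance(src, str) and ip_address(src) in net:
                return True
        elif isinstance(src, set) and stmt["src"] in src:
            return True
    return False

# Constructed sample: the three statements from Task 4, with x.x.x.x replaced
# by a documentation address (203.0.113.10), and the attributes from Task 5.
POLICIES = [
    "in network:prod VCN allow app:prod endpoints to connect to db:prod endpoints with protocol = 'tcp/1522'",
    "in network:prod VCN allow '203.0.113.10/32' to connect to app:prod endpoints with protocol='tcp/22'",
    "in network:prod VCN allow '203.0.113.10/32' to connect to app:dev endpoints with protocol='tcp/22'",
]
VCN, DB_PROD = {"network:prod"}, {"db:prod"}
CLIENT_PROD, CLIENT_DEV = {"app:prod"}, {"app:dev"}

if __name__ == "__main__":
    print("client-prod -> financeprod:", is_allowed(POLICIES, VCN, CLIENT_PROD, DB_PROD, "tcp/1522"))
    print("client-dev  -> financeprod:", is_allowed(POLICIES, VCN, CLIENT_DEV, DB_PROD, "tcp/1522"))
```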

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.