Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Create and Configure Oracle Cloud Infrastructure Zero Trust Packet Routing
Introduction
Oracle Cloud Infrastructure (OCI) Zero Trust Packet Routing prevents unauthorized access to data by managing network security policies separately from the underlying network architecture. Using an easily understood and intent-based policy language, security administrators can define specific access pathways for data. Traffic that is not explicitly allowed by policy cannot travel the network, improving security while simplifying the work of security, network, and audit teams.
This tutorial shows how to configure OCI Zero Trust Packet Routing to apply security controls that govern communication across the network within an OCI tenancy. For this tutorial, the following architecture has been deployed.
In this architecture, the following resources have been configured:
- financeprod is an instance of Oracle Autonomous Database, configured as the production database, hosted in a private network and made accessible within the private subnet through a private endpoint.
- client-prod is a compute instance simulating an enterprise application in the production environment. For this scenario, this is an Oracle Linux instance running the Oracle Instant Client.
- client-dev is a compute instance simulating an enterprise application in the development environment. As with client-prod, this is an Oracle Linux instance running the Oracle Instant Client.
In addition, a separate VCN (so-vcn-pt) has been configured for this use case, comprising:
- subnet-public is the public subnet containing the compute instances.
- subnet-private is the private subnet containing the database.
- sl-allow-public is a security list allowing SSH access from the internet. An egress rule has also been configured to allow outbound traffic. It is assigned to subnet-public.
- sl-allow-private is a security list allowing Oracle Instant Client traffic (port 1522) from subnet-public. An egress rule has also been configured to allow outbound traffic. This security list is assigned to subnet-private.
- route-public is the route table that routes all traffic to the internet gateway. This is assigned to subnet-public.
- route-private is the route table that routes all traffic to the NAT gateway. This is assigned to subnet-private.
- gw-internet is the internet gateway used in route-public.
- gw-nat is the NAT gateway used in route-private.
Objectives
- Configure new security attributes for OCI Zero Trust Packet Routing.
- Create OCI Zero Trust Packet Routing policies to control the flow of network traffic.
- Assign OCI Zero Trust Packet Routing security attributes to resources.
- Test the OCI Zero Trust Packet Routing policies.
Prerequisites
- A paid subscription for the OCI tenancy with appropriate permissions to manage OCI Zero Trust Packet Routing resources.
- The networking structure as defined in the architecture.
- Two compute instances as per the architecture, deployed in the public subnet.
- Install and configure Oracle Instant Client (including the SQL*Plus client) on both compute instances.
  Note: Download and install Oracle Instant Client from here: Installing Oracle Instant Client Using RPMs.
- Create an Oracle Autonomous Database instance as per the architecture, and deploy it with a private endpoint within the private subnet.
- Configure access to the database from the Oracle Instant Client on both compute instances.
Task 1: Confirm Access to the Database from Clients
In this task, we will confirm that both compute instances are able to access the database through the Oracle Instant Client.
1. Connect to your client-prod compute instance using SSH as the opc user.
2. Run the sqlplus command to connect to your autonomous database. As per the Prerequisites, the Oracle Instant Client should be installed and configured. Here is a summary of the setup steps:
   1. Download and install Oracle Instant Client.
   2. Configure Oracle Instant Client.
   3. Download the connection wallet for your autonomous database from OCI.
   4. Extract the wallet into a folder.
   5. Configure the sqlnet.ora file within your wallet folder to point to your wallet location.
   6. Export the variable TNS_ADMIN to point to your extracted wallet location. For example, export TNS_ADMIN=/opt/wallet.
   7. Run the sqlplus command, for example, sqlplus admin@financeprod_low, and enter your password when prompted.
   If your Oracle Instant Client is working correctly and all your Prerequisites have been done, you should successfully connect to your database and be able to run commands. Run the show user; command to confirm the connected user.
3. Repeat the database connection test from client-dev. As before, if your Oracle Instant Client is working correctly and all your Prerequisites have been done, you should successfully connect to your database and be able to run the show user; command.
Task 2: Enable OCI Zero Trust Packet Routing
If this is the first time you have used OCI Zero Trust Packet Routing within your tenancy, it will need to be enabled.
1. Log in to the OCI Console as a user with suitable permissions to manage OCI Zero Trust Packet Routing resources and the other resources used in this tutorial.
2. Go to Identity and Security and click Zero Trust Packet Routing.
3. Click Enable ZPR. The button will become greyed out and the OCI Zero Trust Packet Routing menus will become accessible.
Task 3: Configure the OCI Zero Trust Packet Routing Security Attributes
To configure OCI Zero Trust Packet Routing, we need to set up the security attributes that will be used in your OCI Zero Trust Packet Routing policies.
In this task, we will create three new security attributes representing the network, databases, and applications. We will create predefined values for these security attributes.
1. Go to Zero Trust Packet Routing and click Security Attribute Namespace.
2. Under List scope, select the root compartment. You will be presented with the predefined oracle-zpr namespace.
3. Click oracle-zpr. You will see the predefined sensitivity security attribute. We will not use this attribute in this tutorial.
4. Select Create Security Attribute to create a new security attribute.
5. In Create Security Attribute, enter the following information.
   - Name: Enter app.
   - Description: Enter Security attribute representing applications.
   - Security attribute value type: Select A list of values.
   - Values: Enter prod and dev (on separate lines).
6. Click Create to create the new attribute.
7. Repeat steps 5 and 6 to create two more security attributes.
   - Create a security attribute for databases using the following information:
     - Name: Enter db.
     - Description: Enter Security attribute representing databases.
     - Security attribute value type: Select A list of values.
     - Values: Enter prod and dev (on separate lines).
   - Create a security attribute for networks using the following information:
     - Name: Enter network.
     - Description: Enter Security attribute representing networks.
     - Security attribute value type: Select A list of values.
     - Values: Enter prod and dev (on separate lines).
Once complete, you should see your list of security attributes, including the predefined sensitivity attribute.
Task 4: Create OCI Zero Trust Packet Routing Policies
We have defined the security attributes; now we need to create the policies to control the flow of information over the network.
For this use case, we need a policy that allows the production application to communicate with the production database. In this task, we will configure the OCI Zero Trust Packet Routing policy to achieve that.
1. Go to the OCI Console, navigate to Identity and Security, Zero Trust Packet Routing and click Policies.
2. Click Create policy to create a new OCI Zero Trust Packet Routing policy.
3. Enter the following information and click Add policy statements to add a policy statement to your policy.
   - Name: Enter prod_policy.
   - Description: Enter Policy to allow production clients in the production network to access production databases.
4. Examine the three options for building policy statements, select Manual policy builder, enter the following policy statement and click Add to save the policy statement.
   - Policy statements: Enter in network:prod VCN allow app:prod endpoints to connect to db:prod endpoints with protocol = 'tcp/1522'
   Note: The policy statement is easy to understand, even without an explanation. However, for clarity, you are telling OCI Zero Trust Packet Routing that you want any resources that have the security attribute app:prod assigned to them to be able to talk to any resources that have the db:prod security attribute assigned to them, within the network:prod VCN, over TCP port 1522. Your completed policy should look like:
5. Click Create policy to complete the creation of the prod_policy.
   Note: Once you assign security attributes to your resources, the OCI Zero Trust Packet Routing policy will be enforced and only traffic that matches an OCI Zero Trust Packet Routing policy will be allowed to transit the network. Since you will be assigning security attributes to your two compute instances, you will lose SSH access to those compute instances, because there is no OCI Zero Trust Packet Routing policy to allow SSH access to your clients. Therefore, you need to fix this by creating two additional policies.
6. Repeat steps 2 to 5 to create two additional OCI Zero Trust Packet Routing policies, to allow you to connect to your compute instances through SSH.
   - Policy for allowing SSH access to client-prod:
     - Name: Enter prod_client_access_policy.
     - Description: Enter Policy to allow SSH access to the production clients in the production network.
     - Policy statements: Enter in network:prod VCN allow 'x.x.x.x/32' to connect to app:prod endpoints with protocol='tcp/22'
   - Policy for allowing SSH access to client-dev:
     - Name: Enter dev_client_access_policy.
     - Description: Enter Policy to allow dev clients in the production network to access production databases.
     - Policy statements: Enter in network:prod VCN allow 'x.x.x.x/32' to connect to app:dev endpoints with protocol='tcp/22'
   Note:
   - Replace x.x.x.x with your IP address.
   - In a production scenario, access to the clients will typically be through an OCI Bastion host. However, to keep this tutorial simple, access is direct. Therefore, the external IP address of the source machine connecting to the clients through SSH needs to be included.
Your completed policies should look like:
Task 5: Assign Security Attributes to your Resources
In this task, to configure OCI Zero Trust Packet Routing, we will assign the security attributes to the necessary resources.
We will associate a db security attribute with your database, an app security attribute with your two clients, and a network security attribute with your VCN.
Note: Security attributes can be assigned either from within the OCI Zero Trust Packet Routing screens or from the individual resources. This tutorial will show you both methods.
1. Assign the security attribute to the database.
   1. Go to the OCI Console, navigate to Oracle Database and Autonomous Database.
      Note: Ensure you are in the compartment where you created your database; you should see it listed.
   2. Select your database (for example, Finance-PROD) from the list of available databases.
   3. Click Security attributes. You will see that it is currently empty, with no security attribute assigned.
   4. Click Add security attributes and enter the following information.
      - Namespace: Select oracle-zpr.
      - Key: Select db.
      - Value: Select prod.
   5. Click Add security attributes to assign the security attribute to the database. The database will update and the attribute will be assigned.
2. Assign the security attributes to the compute instances.
   1. Go to the OCI Console, navigate to Compute and Instances.
      Note: Ensure you are in the compartment where you created your compute instances; you should see them both listed.
   2. Select your client-prod instance from the list of available instances.
   3. Click Security. This is empty, as no security attribute has been assigned to the instance yet.
   4. Click Add security attributes and enter the following information.
      - Namespace: Enter oracle-zpr.
      - Key: Enter app.
      - Value: Enter prod.
   5. Click Add security attributes to assign the security attribute to the compute instance. The compute instance will update and the attribute will be assigned.
   6. Go to the OCI Console, navigate to Compute and Instances.
   7. Select your client-dev instance from the list of available instances.
   8. Click Security.
   9. Click Add security attributes and enter the following information.
      - Namespace: Select oracle-zpr.
      - Key: Select app.
      - Value: Select dev.
   10. Click Add security attributes to assign the security attribute to the compute instance. The compute instance will update and the attribute will be assigned.
3. Assign the security attributes to the VCN.
   1. Go to the OCI Console, navigate to Networking and Virtual Cloud Networks.
      Note: Ensure you are in the compartment where you created your VCN; you should see it listed.
   2. Select your so-vcn-pt VCN from the list of available VCNs.
   3. Click Security.
      Note: For this security attribute, you are going to assign it through the OCI Zero Trust Packet Routing menu, rather than from the resource. This shows you the two different ways of assigning OCI Zero Trust Packet Routing security attributes.
   4. Go to the OCI Console, navigate to Identity and Security, Zero Trust Packet Routing and click Protected Resources. You will see the existing list of resources that have been protected, that is, had security attributes assigned to them.
   5. Click Add security attribute to resources.
   6. To filter the list, select the compartment where you created your VCN and the Resource Type Vcn.
   7. Select your VCN (so-vcn-pt) and click Next.
   8. Enter the following information.
      - Security attribute namespace: Select oracle-zpr.
      - Security attribute: Select network.
      - Security attribute value: Select prod.
   9. Click Next and review the summary.
   10. Click Submit and Close to exit the Work Request. After a couple of minutes, the work request will be completed and the VCN will appear in the Protected Resources. We can also check in the VCN to ensure the security attribute has been assigned.
   11. Repeat steps 1 to 3 to see the security attribute assigned to your VCN.
Task 6: Testing the Policy
Now that the OCI Zero Trust Packet Routing configuration is complete, the final task is to test the policy. In this tutorial, we have two test cases.
1. The first test case is to ensure that client-prod is still able to access the financeprod database.
   1. Connect to your client-prod compute instance using SSH as the opc user. Your OCI Zero Trust Packet Routing policy is allowing this connection from your local machine and therefore your SSH connection should be successful.
   2. Run the sqlplus command to connect to your autonomous database. Your OCI Zero Trust Packet Routing policy is allowing this connection from your production client (client-prod) to your production database (financeprod) and therefore you should successfully connect to your database and be able to run the show user; command.
2. The second test case is to ensure that client-dev is no longer able to access the financeprod database.
   1. Connect to your client-dev compute instance using SSH as the opc user. Your OCI Zero Trust Packet Routing policy is allowing this connection from your local machine and therefore your SSH connection should be successful.
   2. Run the sqlplus command to connect to your autonomous database. Since there is no OCI Zero Trust Packet Routing policy allowing this connection from your development client (client-dev) to your production database (financeprod), the connection will be blocked.
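To make the semantics of the Task 4 policy statements and the Task 6 outcomes concrete, here is an added Python model (not OCI's enforcement engine and not code from this tutorial) that parses the three statements and applies them with default deny to the flows tested above. The resource names are the tutorial's; 203.0.113.10 and 198.51.100.7 are constructed stand-ins for the x.x.x.x administrator address and an unlisted host.

```python
import ipaddress
import re
# Simplified model of the ZPR statement form used in this tutorial (added example; not OCI's engine).
STATEMENT = re.compile(
    r"in network:(?P<net>\w+) VCN allow (?P<src>'[^']+'|\w+:\w+) (?:endpoints )?"
    r"to connect to (?P<dst>\w+:\w+) endpoints with protocol\s*=\s*'(?P<proto>[^']+)'"
)

def parse_statement(text):
    """Return (network attribute, source, destination attribute, protocol); the source is a quoted CIDR or an attribute."""
    m = STATEMENT.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unsupported statement: {text!r}")
    return f"network:{m['net']}", m["src"].strip("'"), m["dst"], m["proto"]

def source_matches(rule_src, src, attrs):
    """A CIDR literal matches an IP source; an attribute matches a tagged resource name."""
    if "/" in rule_src:
        try:
            return ipaddress.ip_address(src) in ipaddress.ip_network(rule_src, strict=False)
        except ValueError:  # src is a resource name, not an address
            return False
    return rule_src in attrs.get(src, set())

def is_allowed(statements, attrs, vcn, src, dst, proto):
    """Default deny: a flow passes only if some statement matches every part of it."""
    for net, rule_src, rule_dst, rule_proto in map(parse_statement, statements):
        if (net in attrs.get(vcn, set()) and rule_dst in attrs.get(dst, set())
                and rule_proto == proto and source_matches(rule_src, src, attrs)):
            return True
    return False

# Constructed inventory mirroring the Task 5 assignments (resource -> security attributes).
ATTRS = {"so-vcn-pt": {"network:prod"}, "financeprod": {"db:prod"},
         "client-prod": {"app:prod"}, "client-dev": {"app:dev"}}
# The three Task 4 policies; 203.0.113.10 is a constructed stand-in for the x.x.x.x admin address.
POLICIES = [
    "in network:prod VCN allow app:prod endpoints to connect to db:prod endpoints with protocol = 'tcp/1522'",
    "in network:prod VCN allow '203.0.113.10/32' to connect to app:prod endpoints with protocol='tcp/22'",
    "in network:prod VCN allow '203.0.113.10/32' to connect to app:dev endpoints with protocol='tcp/22'",
]
def run_task6_tests(vcn="so-vcn-pt"):
    """Evaluate the two Task 6 database tests plus the SSH paths the access policies open."""
    return {
        "client-prod -> financeprod": is_allowed(POLICIES, ATTRS, vcn, "client-prod", "financeprod", "tcp/1522"),
        "client-dev -> financeprod": is_allowed(POLICIES, ATTRS, vcn, "client-dev", "financeprod", "tcp/1522"),
        "admin -> client-prod ssh": is_allowed(POLICIES, ATTRS, vcn, "203.0.113.10", "client-prod", "tcp/22"),
        "other -> client-prod ssh": is_allowed(POLICIES, ATTRS, vcn, "198.51.100.7", "client-prod", "tcp/22"),
    }
```

Calling run_task6_tests() returns True only for the production client reaching the production database and for SSH from the listed administrator address; every other flow, including client-dev to financeprod, is denied because no statement matches it.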
Acknowledgments
- Authors - Paul Toal (Field CISO, Senior Director)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
G17481-01
October 2024