Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Protect Visual Builder Cloud Service Apps on Oracle Integration with OCI Web Application Firewall
Introduction
Web Application Firewall protects web applications from a wide range of online threats, including SQL injection, cross-site scripting (XSS), remote code execution, and more. It is therefore recommended to protect Visual Builder Cloud Service (VBCS) applications with Oracle Cloud Infrastructure (OCI) Web Application Firewall (WAF), either Edge or Regional.
Objectives
In this tutorial, we will cover two scenarios using Edge WAF:
- Dedicated WAF for Individual VBCS Application.
- Centralized WAF for Multiple VBCS Applications.
APP NAME | Custom URL |
---|---|
VBCS APP1 | myapp1.mydomain.com |
VBCS APP2 | myapp2.mydomain.com |
Prerequisites
Before proceeding with WAF configuration, see Configure Custom App URL/Vanity Domain for VBCS App and configure vanity domains for your VBCS apps.
Scenario 1: Set up dedicated WAF for Individual VBCS Application
In this scenario, each VBCS application is set up with its own dedicated WAF.
Task 1.1: Create WAF
- On OCI Console, navigate to Identity & Security, Web Application Firewall, Policies, Create WAF Policy.
- In URI, enter the alternate custom endpoint that you got from step ‘Get custom endpoint alias details’ in Configure Custom App URL/Vanity Domain for VBCS App.
Task 1.2: Upload Certificate
- Navigate to Settings, General settings, Edit.
- Choose Upload or paste certificate and private key. In the first field, enter the CA-signed certificate chain. In the second field, enter the private key.
Task 1.3: Publish changes
Note: Configure ‘access rules’ and ‘protection rules’ according to your security policies; they are not covered in this tutorial.
Task 1.4: Create DNS records
- Point the custom app URL to the WAF CNAME target. Get the CNAME target from the WAF page.
- Create CNAME DNS records as below:

Custom Hostname | WAF CNAME target |
---|---|
myapp1.mydomain.com | <xxxyyyy.o.waas.oci.oraclecloud.net> |
Scenario 2: Set up centralized WAF for Multiple VBCS Applications
A single WAF alongside a load balancer can be used to protect multiple VBCS applications. This setup is preferable when the WAF policies are the same for multiple VBCS apps.
Task 2.1: Create WAF
- On OCI Console, navigate to Identity & Security, Web Application Firewall, Policies, Create WAF Policy.
- Add the custom URLs for app2 and app3 as additional domains.
- In the URI field, enter the OCI Load Balancer public IP.
Task 2.2: Upload Certificate
- Navigate to Settings, General settings, Edit.
Note: When using a single WAF for multiple apps, make sure to request a SAN certificate that covers the domain names of all the apps.
Task 2.3: Create DNS records
- Point the custom app URL to the WAF CNAME target. Get the CNAME target from the WAF page.
- Create CNAME DNS records as below:

Custom Hostname | WAF CNAME target |
---|---|
myapp1.mydomain.com | <xxxyyyy.o.waas.oci.oraclecloud.net> |
myapp2.mydomain.com | <xxxyyyy.o.waas.oci.oraclecloud.net> |
Prevent WAF bypass
The ‘Network access’ option in Oracle Integration provides an allowlist that can prevent users from accessing the direct URL and bypassing the WAF.
For the list of WAF IP ranges, see WAF IP ranges.
Note: For Scenario 2, make sure the load balancer can only be accessed from the WAF IP ranges by updating its NSG/SecList.
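The Scenario 2 note can be checked mechanically. The following is an added example, not part of the original tutorial or Oracle's tooling: it audits a load balancer's ingress rules against the WAF ranges and reports both rules that allow a bypass and WAF ranges that would lose access once those rules are removed. The CIDRs are placeholder documentation ranges and the rule dictionary layout is an assumption; substitute the published WAF IP ranges and your exported NSG/SecList rules.

```python
import ipaddress

# Placeholder CIDRs (RFC 5737 documentation ranges), not Oracle's real list:
# substitute the ranges published on the "WAF IP ranges" page.
WAF_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed ingress rules for the load balancer's NSG/security list.
# This dict layout is an assumption for the example, not an OCI API schema.
SAMPLE_RULES = [
    {"name": "waf-a", "source": "192.0.2.0/24", "port_min": 443, "port_max": 443},
    {"name": "waf-b", "source": "198.51.100.64/26", "port_min": 443, "port_max": 443},
    {"name": "legacy-any", "source": "0.0.0.0/0", "port_min": 443, "port_max": 443},
    {"name": "too-wide", "source": "198.51.100.0/24", "port_min": 80, "port_max": 8443},
    {"name": "ssh-admin", "source": "203.0.113.10/32", "port_min": 22, "port_max": 22},
]

def reaches_listener(rule, port):
    """True if the rule's destination port range includes the listener port."""
    return rule["port_min"] <= port <= rule["port_max"]

def inside_waf(cidr, waf_ranges):
    """True if every address in cidr belongs to the (merged) WAF ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    merged = ipaddress.collapse_addresses(w for w in waf_ranges if w.version == net.version)
    return any(net.subnet_of(m) for m in merged)

def bypass_rules(rules, port=443, waf_ranges=WAF_RANGES):
    """Names of rules that let a non-WAF source reach the listener directly."""
    return [r["name"] for r in rules
            if reaches_listener(r, port) and not inside_waf(r["source"], waf_ranges)]

def unadmitted_waf_ranges(rules, port=443, waf_ranges=WAF_RANGES):
    """WAF ranges not fully admitted once the bypass rules are removed."""
    bad = set(bypass_rules(rules, port, waf_ranges))
    kept = [ipaddress.ip_network(r["source"], strict=False) for r in rules
            if reaches_listener(r, port) and r["name"] not in bad]
    gaps = []
    for w in waf_ranges:
        merged = ipaddress.collapse_addresses(n for n in kept if n.version == w.version)
        if not any(w.subnet_of(m) for m in merged):
            gaps.append(str(w))
    return gaps

if __name__ == "__main__":
    print("bypass rules:", bypass_rules(SAMPLE_RULES))
    print("WAF ranges to add:", unadmitted_waf_ranges(SAMPLE_RULES))
```

On the constructed rules, the second result shows why the over-broad rules cannot simply be deleted: one WAF range is only partly covered by the remaining rules and needs its own entry first.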
Conclusion
Vanity Domains or Custom URLs present a valuable opportunity for customers to enhance their applications hosted on the VBCS instance. By opting for personalized domains, customers can reinforce their brand identity, promote a professional online image, and create a more memorable experience for users. Utilizing Vanity Domains/Custom URLs allows customers to shield their applications' underlying infrastructure, safeguarding against direct exposure to actual hostnames.
Furthermore, customers can take their security measures a step further by implementing a Web Application Firewall (WAF) in front of their applications. The WAF acts as a proactive defense mechanism, analyzing and filtering incoming web traffic, thus reducing the risk of malicious attacks and ensuring a safer browsing experience for end-users.
In summary, the combination of Vanity Domains/Custom URLs and the implementation of a WAF reinforces both branding and security aspects for applications hosted on the VBCS instance, providing a comprehensive and robust solution for businesses to thrive in the digital landscape.
Acknowledgments
- Author: Anil Guttala (Senior Cloud Engineer, Oracle Cloud Infrastructure)
F87546-04
October 2023
Copyright © 2023, Oracle and/or its affiliates.