Assign Subnet Security

You must provide security rules that allow access to the remote data gateway (RDG) and to the private subnets housing the Oracle Function service and Autonomous JSON Database.

The remote data gateway (RDG) and the Oracle Function service private subnet use rules assigned to a security list. Autonomous JSON Database uses rules assigned to a network security group (NSG).

  • Security list: Defines a set of security rules that applies to all the VNICs in an entire subnet. To use a given security list with a particular subnet, you associate the security list with the subnet either during subnet creation or later. Any VNICs that are created in that subnet are subject to the security lists associated with the subnet.

    You can add rules to existing security lists and you can create and assign multiple security lists to a subnet.

  • Network security group (NSG): Defines a set of security rules that applies to a group of VNICs (resources, such as Autonomous JSON Database) of your choice. To use a given NSG, you add the VNICs of interest to the group or assign the NSG when provisioning the service. Not all services support NSGs. Any VNICs added to that group are subject to that group's security rules.

Create a Security List

Security lists act as virtual firewalls using a set of ingress and egress security rules that apply to all the virtual network interface cards (VNICs) in any subnet that is associated with the security list.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click Create Security List.
  5. Enter the following:
    • Name: A descriptive name for the security list. For example: my-domain-sec-list. The name doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
    • Create in Compartment: The compartment where you want to create the security list, if different from the compartment you're currently working in.
  6. Add ingress or egress security rules. You can also add, revise, and delete security rules after you create the security list.
  7. Click Create Security List.

Add Ingress Rules for Oracle Functions

A security rule allows a particular type of traffic in or out of a virtual network interface card (VNIC).

Oracle Functions requires TCP access on a number of ports and internet control message protocol (ICMP) traffic from all ports.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click the security list you are interested in.
  5. To add a rule that allows ICMP traffic from all ports:
    1. Click Add Ingress Rule.
    2. Specify 0.0.0.0/0 as the source CIDR.
    3. Select ICMP as the IP protocol.
    4. Leave the destination port range blank to specify all ports.
  6. To add a rule that allows TCP access to Oracle Functions from servers or applications in a different VCN using port range 443:
    1. Click Add Ingress Rule.
    2. Specify the VCN CIDR block as the source CIDR.
    3. Select TCP as the IP protocol.
    4. Specify 443 as the destination port range.
  7. To add a rule that allows TCP access to Oracle Functions from servers or applications in a different VCN using port range 1521:
    1. Click Add Ingress Rule.
    2. Specify the VCN CIDR block as the source CIDR.
    3. Select TCP as the IP protocol.
    4. Specify 1521 as the destination port range.
  8. To add a rule that allows TCP access to Oracle Functions from servers or applications in a different VCN using port range 6200:
    1. Click Add Ingress Rule.
    2. Specify the VCN CIDR block as the source CIDR.
    3. Select TCP as the IP protocol.
    4. Specify 6200 as the destination port range.
  9. To add a rule that allows TCP access to Oracle Functions from servers or applications in a different VCN using port range 2484:
    1. Click Add Ingress Rule.
    2. Specify the VCN CIDR block as the source CIDR.
    3. Select TCP as the IP protocol.
    4. Specify 2484 as the destination port range.
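The five ingress rules above can also be expressed as the JSON array that the OCI CLI accepts for `oci network security-list create --ingress-security-rules`. The following is an added example written for this page, not Oracle's code: it builds that array using the field names of the OCI IngressSecurityRule API model (protocol is the IANA number as a string, "1" for ICMP and "6" for TCP) and then audits the result so that a TCP rule accidentally sourced from 0.0.0.0/0 instead of the VCN CIDR is caught before the list is created. The VCN CIDR 10.0.0.0/16 is a constructed placeholder; substitute your own.

```python
"""Build and audit the Oracle Functions ingress rules in OCI CLI JSON form.

Example code added for this page, not Oracle's. Field names follow the
OCI IngressSecurityRule API model; the VCN CIDR used in __main__ is a
constructed placeholder.
"""
import ipaddress
import json

ICMP = "1"  # IANA protocol number for ICMP, as the OCI API expects it
TCP = "6"   # IANA protocol number for TCP
FUNCTIONS_TCP_PORTS = (443, 1521, 6200, 2484)  # ports listed on this page


def tcp_ingress(source_cidr, port, description):
    """One stateful TCP ingress rule for a single destination port."""
    return {
        "description": description,
        "isStateless": False,
        "protocol": TCP,
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
    }


def icmp_ingress(source_cidr, description):
    """One stateful ICMP ingress rule; omitting icmpOptions allows all
    ICMP types and codes, which is what leaving the console field blank does."""
    return {
        "description": description,
        "isStateless": False,
        "protocol": ICMP,
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
    }


def functions_ingress_rules(vcn_cidr):
    """The rule set from the page: ICMP from anywhere, TCP on each
    Functions port only from the VCN CIDR."""
    rules = [icmp_ingress("0.0.0.0/0", "ICMP from all sources")]
    for port in FUNCTIONS_TCP_PORTS:
        rules.append(tcp_ingress(vcn_cidr, port, f"Oracle Functions TCP/{port} from VCN"))
    return rules


def audit_ingress_rules(rules):
    """Return findings for rules a reviewer should reject: an unparsable
    source, or a TCP rule whose source is the whole internet (prefix /0)."""
    findings = []
    for rule in rules:
        try:
            net = ipaddress.ip_network(rule["source"], strict=False)
        except ValueError:
            findings.append(f"invalid source CIDR: {rule['source']!r}")
            continue
        if rule["protocol"] == TCP and net.prefixlen == 0:
            rng = rule.get("tcpOptions", {}).get("destinationPortRange")
            if rng is None:
                ports = "all ports"
            elif rng["min"] == rng["max"]:
                ports = f"port {rng['min']}"
            else:
                ports = f"ports {rng['min']}-{rng['max']}"
            findings.append(f"TCP {ports} open to the internet ({rule['source']})")
    return findings


def cli_argument(rules):
    """JSON string suitable for --ingress-security-rules."""
    return json.dumps(rules)


if __name__ == "__main__":
    rules = functions_ingress_rules("10.0.0.0/16")  # constructed placeholder CIDR
    print(cli_argument(rules))
    print("findings:", audit_ingress_rules(rules) or "none")
```

Pass the printed JSON to the CLI as the value of `--ingress-security-rules` (or write it to a file and use the `file://` form). The audit deliberately tolerates the ICMP rule from 0.0.0.0/0, which the page requires, but flags any TCP port exposed that widely.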

Add a Security List to a Private Subnet

You can add security lists to or remove security lists from an existing virtual cloud network (VCN) subnet.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click Subnets.
  3. Click the VCN you're interested in.
  4. Click Subnets.
  5. Click the private subnet you're interested in. Verify that it is a private subnet by checking the value listed under Subnet Access.
  6. Under Resources, click Security Lists.
  7. If you want to add a security list, click Add Security List, and select the security list you want the subnet to use.

    If you want to remove a security list, click the Actions icon (three dots), and then click Remove. Remember that a subnet must always have at least one security list associated with it.

    The changes take effect within a few seconds.

Create a Network Security Group (NSG) for Private Endpoint Access

Network security groups (NSGs) let you define a set of security rules that apply to a group of VNICs (or resources) of your choice.

When you provision the resource, such as Oracle Autonomous Data Warehouse, you can assign the network security group. Not all services support NSGs.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Network Security Groups.
  4. Click Create Network Security Group.
  5. Enter the following:
    • Name: A descriptive name for the network security group. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
    • Create in Compartment: The compartment where you want to create the network security group, if different from the compartment you're currently working in.
  6. Click Next.
  7. For the first security rule, enter the following items:
    • Stateless: Leave unselected. Connection tracking is used for traffic matching the rule.
    • Direction: Select Ingress (inbound traffic to the VNIC).
    • Source Type: Select CIDR.
    • Source CIDR: Specify the CIDR block for the private subnet that contains the service, such as Oracle Autonomous Data Warehouse.
    • IP Protocol: Select TCP.
    • Source port range: Specify 1522.
    • Destination port range: Leave blank (denotes all ports).
  8. When you're done, click Create.