Although Oracle Cloud Infrastructure offers network security controls through security lists and network security groups, some scenarios require capabilities that those controls don't provide. For those scenarios, Oracle Cloud Infrastructure uses virtual cloud networks (VCNs) and subnets to lay out the network segments, and a firewall appliance running on a Compute instance to enforce the security controls. A firewall adds the following capabilities:
- Centralized access controls
- Content filtering
- Inbound and outbound Network Address Translation (NAT) and Port Address Translation (PAT)
- Advanced traffic policies
- Consistency of procedures through different environments (on-premises and other cloud providers), which also simplifies migration and expansion to the cloud because the same tools are being used
- Extended design capabilities for complex scenarios
This reference architecture consists of a firewall that controls north-south traffic and east-west traffic. North-south traffic is the traffic that comes from the internet (through the internet gateway) or the on-premises environment (through the dynamic routing gateway) to the VCNs. East-west traffic is the traffic between VCNs in your tenancy. This architecture shows how to design the network and where to place the firewall.
The following diagram illustrates this reference architecture.
The architecture has the following components:
- Region
A region is a localized geographic area composed of one or more availability domains. Regions are independent of other regions and can be separated by vast distances (across countries or continents).
- Availability domains
Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.
- Fault domains
A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you place Compute instances across multiple fault domains, applications can tolerate physical server failure, system maintenance, and many common networking and power failures inside the availability domain.
- Virtual cloud network (VCN) and subnets
Every Compute instance is deployed in a VCN that can be segmented into subnets.
- Security lists
For each subnet, you can create security list rules that specify the source or destination, the protocol, and the ports of the traffic that is allowed in and out of the subnet. Security lists are allow-only: traffic that matches no rule is dropped.
- Virtual network interface card (VNIC)
A VNIC enables an instance to connect to a VCN and determines how the instance connects with endpoints inside and outside the VCN. Each instance automatically comes with a primary VNIC, and you can add secondary ones.
- Firewall
The firewall controls the flow between the segments in your environment. It runs as a Compute instance with one VNIC per segment, and its advanced features vary among firewall vendors.
Your requirements might differ from the architecture described here. Use the following recommendations as a starting point.
When you create the VCN, determine how many IP addresses your cloud resources in each subnet require. Using Classless Inter-Domain Routing (CIDR) notation, specify a subnet mask and a network address range large enough for the required IP addresses. Use an address space that falls within the standard private IP address blocks.
Select an address range that doesn’t overlap with your on-premises network, so that you can set up a connection between the VCN and your on-premises network later, if necessary.
After you create the VCN, you can't change the address range.
When you design the subnets, consider functionality and security requirements. All Compute instances within the same tier or role should go into the same subnet.
Use regional subnets rather than availability-domain-specific subnets, so that instances in a subnet can be placed in any availability domain of the region.
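The following Python script, added here as a worked example (it is not part of the Oracle reference architecture), applies the VCN and subnet recommendations above: it checks a candidate VCN CIDR against the standard private address blocks and against on-premises ranges, enforces the /16 to /30 size range that Oracle Cloud Infrastructure accepts for VCN and subnet CIDRs, and carves one subnet per tier, reporting the usable address count after the three addresses Oracle reserves in every subnet (the first two and the last). The on-premises ranges, tier names and host counts are constructed sample input.

```python
"""VCN address planning for the firewall hub described above (added example).

Checks a candidate VCN CIDR against the recommendations in the text and
carves one subnet per tier. Sample ranges and tier sizes are constructed.
"""
from ipaddress import ip_network

PRIVATE_BLOCKS = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VCN_PREFIX_RANGE = (16, 30)       # OCI accepts VCN and subnet CIDRs from /16 to /30
OCI_RESERVED_PER_SUBNET = 3       # first two and last address of every subnet


def validate_vcn_cidr(vcn_cidr, on_prem_cidrs):
    """Return a list of problems with the proposed VCN CIDR (empty = usable)."""
    try:
        vcn = ip_network(vcn_cidr, strict=True)
    except ValueError as exc:          # e.g. host bits set: "10.0.0.1/24"
        return [f"{vcn_cidr}: {exc}"]
    problems = []
    if not any(vcn.subnet_of(block) for block in PRIVATE_BLOCKS):
        problems.append(f"{vcn} is not inside a standard private address block")
    lo, hi = VCN_PREFIX_RANGE
    if not lo <= vcn.prefixlen <= hi:
        problems.append(f"{vcn} prefix length must be between /{lo} and /{hi}")
    for cidr in on_prem_cidrs:
        other = ip_network(cidr, strict=False)
        if vcn.overlaps(other):
            problems.append(f"{vcn} overlaps on-premises range {other}")
    return problems


def subnet_prefix_for(hosts):
    """Smallest prefix whose block holds `hosts` usable addresses plus OCI's reserved ones."""
    needed = hosts + OCI_RESERVED_PER_SUBNET
    prefix = 32 - (needed - 1).bit_length()   # smallest power of two >= needed
    return min(prefix, VCN_PREFIX_RANGE[1])   # never smaller than a /30


def plan_subnets(vcn_cidr, tiers):
    """Carve one subnet per tier (largest first so blocks pack without gaps).

    `tiers` maps tier name -> number of usable host addresses required.
    Returns tier name -> {"cidr": ..., "usable": ...}.
    """
    vcn = ip_network(vcn_cidr)
    free = [vcn]                      # unallocated blocks of the VCN
    plan = {}
    for name, hosts in sorted(tiers.items(), key=lambda kv: -kv[1]):
        prefix = subnet_prefix_for(hosts)
        free.sort()                   # lowest free block first
        block = next((b for b in free if b.prefixlen <= prefix), None)
        if block is None:
            raise ValueError(f"{vcn} cannot fit tier {name!r} ({hosts} hosts)")
        subnet = next(block.subnets(new_prefix=prefix))
        free.remove(block)
        free.extend(block.address_exclude(subnet))   # keep the remainder of the block
        plan[name] = {"cidr": str(subnet),
                      "usable": subnet.num_addresses - OCI_RESERVED_PER_SUBNET}
    return plan


if __name__ == "__main__":
    on_prem = ["192.168.0.0/16", "172.16.0.0/12"]        # constructed on-premises ranges
    for candidate in ("10.10.0.0/16", "10.0.0.0/15", "172.20.0.0/16"):
        print(candidate, validate_vcn_cidr(candidate, on_prem) or "OK")
    tiers = {"fw-untrust": 5, "fw-trust": 5, "mgmt": 10, "app": 200}   # constructed tiers
    for tier, info in plan_subnets("10.10.0.0/16", tiers).items():
        print(f"{tier:12} {info['cidr']:18} usable={info['usable']}")
```

Run it before creating the VCN: the validation catches the overlap with on-premises ranges that would later block a DRG or VPN connection, and the plan gives each tier (including the firewall's untrust and trust segments) its own subnet inside the chosen range.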
- Security lists
Even though north-south and inter-VCN traffic flows through the firewall, security lists are still required. Traffic between instances in the same subnet, and between subnets of the same VCN, is delivered by the VCN's local routing and does not traverse the firewall unless a route rule sends it to the firewall's private IP address. Use security lists to restrict each subnet's ingress to the firewall's address on that segment, so that a host in another subnet can't reach the segment while bypassing the firewall.
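The following Python script, added here as a worked example (it is not part of the Oracle reference architecture), models the point above. It uses the JSON shape of an OCI IngressSecurityRule (protocol as an IANA number string or "all", a source CIDR, optional tcpOptions or udpOptions with a destinationPortRange, optional icmpOptions) and evaluates constructed flows against a trust-subnet security list whose only TCP ingress source is the firewall's trusted-side VNIC. It also lints the list for rules that admit non-ICMP traffic from anywhere other than the firewall. The firewall address 10.10.1.26, the VCN CIDR 10.10.0.0/16, the rules and the flows are all constructed sample values.

```python
"""Security lists as the second layer behind the firewall (added example).

Rules use the JSON shape of OCI's IngressSecurityRule. A security list is
allow-only: there is no deny rule and no ordering, so a flow matched by no
rule is dropped. The rules, addresses and flows below are constructed samples.
"""
from ipaddress import ip_address, ip_network

# Assumed for this example: the firewall's trusted-side VNIC sits at 10.10.1.26
# and the VCN is 10.10.0.0/16 (both constructed values).
FIREWALL_TRUST_IP = "10.10.1.26/32"
VCN_CIDR = "10.10.0.0/16"

# Security list of the "trust" (application) subnet: only the firewall may open
# TCP/443 to it; ICMP "fragmentation needed" is let in for path MTU discovery.
TRUST_INGRESS_RULES = [
    {"protocol": "6", "source": FIREWALL_TRUST_IP, "sourceType": "CIDR_BLOCK",
     "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
    {"protocol": "1", "source": VCN_CIDR, "sourceType": "CIDR_BLOCK",
     "isStateless": False, "icmpOptions": {"type": 3, "code": 4}},
]

PROTOCOL_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}
OPTIONS_KEY = {"6": "tcpOptions", "17": "udpOptions"}


def _ports_match(rule, proto_num, dport):
    """TCP/UDP rules may carry a destinationPortRange; absence means all ports."""
    key = OPTIONS_KEY.get(proto_num)
    if key is None:
        return True
    rng = rule.get(key, {}).get("destinationPortRange")
    return rng is None or rng["min"] <= dport <= rng["max"]


def _icmp_matches(rule, icmp):
    """icmpOptions.type is mandatory when the block is present; code is optional."""
    opts = rule.get("icmpOptions")
    if opts is None:
        return True
    icmp_type, icmp_code = icmp or (None, None)
    return opts["type"] == icmp_type and opts.get("code", icmp_code) == icmp_code


def ingress_allowed(rules, src_ip, proto, dport=None, icmp=None):
    """True if at least one ingress rule admits the flow (proto: tcp, udp or icmp)."""
    proto_num = PROTOCOL_NUMBERS[proto]
    src = ip_address(src_ip)
    for rule in rules:
        if rule["protocol"] not in ("all", proto_num):
            continue
        if src not in ip_network(rule["source"], strict=False):
            continue
        if proto_num == "1":
            if not _icmp_matches(rule, icmp):
                continue
        elif not _ports_match(rule, proto_num, dport):
            continue
        return True
    return False


def rules_bypassing_firewall(rules, firewall_cidr):
    """Non-ICMP rules whose source is wider than the firewall's own address.

    Traffic between subnets of the same VCN is delivered by the VCN's local
    routing and only reaches the firewall if a route rule sends it there, so
    any such rule is a path into the subnet that the firewall never inspects.
    """
    fw = ip_network(firewall_cidr)
    return [r for r in rules
            if r["protocol"] != "1" and not ip_network(r["source"]).subnet_of(fw)]


if __name__ == "__main__":
    flows = [  # (description, source, protocol, destination port, (icmp type, code))
        ("firewall -> app 443", "10.10.1.26", "tcp", 443, None),
        ("firewall -> app 22", "10.10.1.26", "tcp", 22, None),
        ("other subnet -> app 443 (firewall bypass)", "10.10.2.15", "tcp", 443, None),
        ("ICMP fragmentation needed from VCN", "10.10.5.1", "icmp", None, (3, 4)),
        ("ping from VCN host", "10.10.5.1", "icmp", None, (8, 0)),
    ]
    for desc, src, proto, dport, icmp in flows:
        ok = ingress_allowed(TRUST_INGRESS_RULES, src, proto, dport, icmp)
        print(f"{'ALLOW' if ok else 'DROP ':5} {desc}")
    loose = TRUST_INGRESS_RULES + [{"protocol": "all", "source": VCN_CIDR}]
    print("rules that bypass the firewall:", rules_bypassing_firewall(loose, FIREWALL_TRUST_IP))
```

The third flow is the one that matters: a host in another subnet of the same VCN addressing the application tier directly is dropped by the security list even though the route table never sent that packet to the firewall. The lint at the end flags the kind of broad rule (for example "all" from the VCN CIDR) that would silently reopen that path.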
If your environment is mission-critical, ensure that the firewall you implement supports a highly available deployment to avoid unexpected outages.
When using a standby firewall, deploy it in a different fault domain from the active one, so that a single hardware or power failure can't take out both.
Because the firewall isn’t managed as part of Oracle Cloud Infrastructure, ensure that its patches are always applied.
The firewall requires multiple VNICs to connect the different segments in your environment. Choose an instance shape that provides enough VNICs.
As the central point of communication, the firewall instance should have enough VNICs to connect the existing segments. For most cases, CPU is not a limiting factor. In Oracle Cloud Infrastructure, the number of VNICs and the associated bandwidth scale up with the number of OCPUs of the instance’s shape.
The firewall isn’t managed as part of Oracle Cloud Infrastructure. Implement secure procedures to ensure secure management access and a good patching policy.
The firewall is the central point through which all the communication flows. The firewall that you choose must be able to work in a high-availability mode to avoid impacts if an unplanned outage occurs.
The cost of using this architecture is based on the size of the instance shape used for the firewall. If you choose a paid firewall solution, the licensing costs should also be considered.