Protect Your Cloud Resources Using a Virtual Firewall

Oracle Cloud Infrastructure provides network security controls through security lists and network security groups, but some scenarios need controls those primitives don't offer, such as content inspection or one policy enforced consistently across environments. For those scenarios, you use virtual cloud networks (VCNs) and subnets to lay out the segments of the network, and a firewall instance to enforce the security controls between those segments.

Deploying a firewall to control the network flow gives you the following benefits:
  • Centralized access controls
  • Content filtering
  • Inbound and outbound Network Address Translation (NAT) and Port Address Translation (PAT)
  • Advanced traffic policies
  • Consistency of procedures through different environments (on-premises and other cloud providers), which also simplifies migration and expansion to the cloud because the same tools are being used
  • Extended design capabilities for complex scenarios

Architecture

This reference architecture consists of a firewall that controls north-south and east-west traffic. North-south traffic enters the VCNs from the internet (through the internet gateway) or from the on-premises environment (through the dynamic routing gateway). East-west traffic flows between VCNs in your tenancy. Traffic reaches the firewall only because the route tables name the firewall's private IP address as the next hop; this architecture shows how to design the network and where to place the firewall so that every flow between segments has that next hop.

The following diagram illustrates this reference architecture.

[Illustration: firewall-oci.png]

The architecture has the following components:

  • Region

    A region is a localized geographic area and is composed of one or more availability domains. Regions are independent of other regions and can be separated by vast distances (across countries or continents).

  • Availability domains

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Fault domains

    A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you place Compute instances across multiple fault domains, applications can tolerate physical server failure, system maintenance, and many common networking and power failures inside the availability domain.

  • Virtual cloud network (VCN) and subnets

    Every Compute instance is deployed in a VCN that can be segmented into subnets.

  • Security lists

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Virtual network interface card (VNIC)

    A VNIC enables an instance to connect to a VCN and determines how the instance connects with endpoints inside and outside the VCN. Each instance automatically comes with a primary VNIC, and you can add secondary ones.

  • Firewall

The firewall controls the flow between the segments in your environment. It is a third-party virtual appliance deployed as a Compute instance with one VNIC per segment; advanced features vary among vendors.
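The segmentation described above, written as Terraform for the OCI provider. This is an added example, not code from the Oracle page: one hub VCN with an outside subnet, an inside subnet and one application subnet; a firewall VM with its primary VNIC in the outside subnet and a secondary VNIC in the inside subnet; and route tables that send the outside subnet to the internet gateway and the application subnet to the firewall's inside private IP. The compartment, availability domain, firewall image, instance shape, CIDRs and the security-list OCIDs are placeholder assumptions. The dynamic routing gateway for on-premises traffic and the peered VCNs for east-west traffic are omitted; they would be added as further route rules with the same next hop.

```hcl
# Added example (not Oracle's code). Compartment, availability domain, firewall
# image, shape, CIDRs and the security-list OCIDs are placeholder assumptions.
variable "compartment_id" {}
variable "availability_domain" {}
variable "firewall_image_id" {}                     # vendor firewall image OCID
variable "security_list_ids" { type = map(string) } # keys: outside, inside, app

resource "oci_core_vcn" "hub" {
  compartment_id = var.compartment_id
  cidr_blocks    = ["10.0.0.0/16"]   # RFC 1918; must not overlap on-premises
}

resource "oci_core_internet_gateway" "igw" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.hub.id
}

# Outside segment: holds only the firewall's untrusted VNIC; default route to the IGW.
resource "oci_core_route_table" "outside" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.hub.id
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.igw.id
  }
}

# Subnets are regional (no availability_domain), so they span every AD in the region.
resource "oci_core_subnet" "outside" {
  compartment_id    = var.compartment_id
  vcn_id            = oci_core_vcn.hub.id
  cidr_block        = "10.0.0.0/24"
  route_table_id    = oci_core_route_table.outside.id
  security_list_ids = [var.security_list_ids["outside"]]
}

resource "oci_core_subnet" "inside" {
  compartment_id             = var.compartment_id
  vcn_id                     = oci_core_vcn.hub.id
  cidr_block                 = "10.0.1.0/24"
  prohibit_public_ip_on_vnic = true
  security_list_ids          = [var.security_list_ids["inside"]]
}

# Firewall VM: primary VNIC outside, secondary VNIC inside. Every VNIC that forwards
# packets it neither sent nor is addressed to needs skip_source_dest_check = true.
resource "oci_core_instance" "fw" {
  compartment_id      = var.compartment_id
  availability_domain = var.availability_domain
  fault_domain        = "FAULT-DOMAIN-1"   # a standby unit would go in FAULT-DOMAIN-2
  shape               = "VM.Standard2.4"   # assumed; pick a shape with enough VNICs
  source_details {
    source_type = "image"
    source_id   = var.firewall_image_id
  }
  create_vnic_details {
    subnet_id              = oci_core_subnet.outside.id
    skip_source_dest_check = true
    assign_public_ip       = true
  }
}

resource "oci_core_vnic_attachment" "fw_inside" {
  instance_id = oci_core_instance.fw.id
  create_vnic_details {
    subnet_id              = oci_core_subnet.inside.id
    skip_source_dest_check = true
  }
}

data "oci_core_private_ips" "fw_inside" {
  vnic_id = oci_core_vnic_attachment.fw_inside.vnic_id
}

# Application segment: default route is the firewall's inside private IP, so every
# north-south flow traverses the firewall. There is deliberately no route to the IGW.
resource "oci_core_route_table" "app" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.hub.id
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = data.oci_core_private_ips.fw_inside.private_ips[0].id
  }
}

resource "oci_core_subnet" "app" {
  compartment_id             = var.compartment_id
  vcn_id                     = oci_core_vcn.hub.id
  cidr_block                 = "10.0.10.0/24"
  prohibit_public_ip_on_vnic = true
  route_table_id             = oci_core_route_table.app.id
  security_list_ids          = [var.security_list_ids["app"]]
}
```

Two details carry the security boundary. `skip_source_dest_check` must be true on every firewall VNIC, otherwise the virtual network drops packets that the VNIC did not originate and that are not addressed to it, which is exactly what forwarded traffic looks like. And the application subnet's route table has no rule pointing at the internet gateway, so if the firewall is removed connectivity fails closed rather than bypassing the firewall.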

Recommendations

Your requirements might differ from the architecture described here. Use the following recommendations as a starting point.

  • VCN

    When you create the VCN, determine how many IP addresses your cloud resources in each subnet require. Using Classless Inter-Domain Routing (CIDR) notation, specify a subnet mask and a network address range large enough for the required IP addresses. Use an address space that falls within the standard private IP address blocks.

    Select an address range that doesn’t overlap with your on-premises network, so that you can set up a connection between the VCN and your on-premises network later, if necessary.

    After you create the VCN, you can't change the address range.

    When you design the subnets, consider functionality and security requirements. All compute instances within the same tier or role should go into the same subnet.

Use regional subnets, which span all the availability domains in the region, so that neither the firewall nor the workloads behind it are tied to a single availability domain.

  • Security lists

Routing all traffic through the firewall does not replace security lists. They are still enforced on every VNIC, including the firewall's own, and traffic between instances in the same subnet is not routed through the firewall at all, so the security list is the only control on it. Keep the lists on the firewall's subnets as restrictive as those on the workload subnets.

  • Firewall

    If your environment is mission-critical, ensure that the firewall you implement supports a highly available deployment to avoid unexpected outages.

When you use a standby firewall, deploy it in a different fault domain from the active one.

    Because the firewall isn’t managed as part of Oracle Cloud Infrastructure, ensure that its patches are always applied.

    The firewall requires multiple VNICs to connect the different segments in your environment. Choose an instance shape that provides enough VNICs.
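The security-list recommendation above, as an added Terraform example that is not code from the Oracle page. It assumes a hub layout in which the firewall's outside VNIC, the firewall's inside VNIC and the application instances each sit in their own subnet; the VCN OCID, compartment, subnet CIDRs and the administrative range are inputs and are assumptions. The outside list admits the published service from anywhere but management only from the administrative range, the inside list admits only the application segment, and the application list admits only the firewall's inside interface.

```hcl
# Added example (not Oracle's code). The VCN, compartment, the firewall's inside
# subnet CIDR, the application CIDR and the administrative range are assumptions.
variable "compartment_id" {}
variable "vcn_id" {}
variable "fw_inside_cidr" { default = "10.0.1.0/24" }
variable "app_cidr"       { default = "10.0.10.0/24" }
variable "admin_cidr"     { default = "203.0.113.0/24" }   # on-premises admin network

# Firewall outside subnet: the published service from anywhere, management only
# from the administrative range. Rules are stateful unless stateless = true is set.
resource "oci_core_security_list" "outside" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  ingress_security_rules {
    protocol = "6"        # TCP
    source   = "0.0.0.0/0"
    tcp_options {
      min = 443
      max = 443
    }
  }
  ingress_security_rules {
    protocol = "6"
    source   = var.admin_cidr
    tcp_options {
      min = 22
      max = 22
    }
  }
  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}

# Firewall inside subnet: only the application segment talks to the inside VNIC.
resource "oci_core_security_list" "inside" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  ingress_security_rules {
    protocol = "all"
    source   = var.app_cidr
  }
  egress_security_rules {
    protocol    = "all"
    destination = var.app_cidr
  }
}

# Application subnet. Traffic between two instances in this subnet is not routed
# through the firewall, so this list is its only control: no ingress rule admits
# a peer in the subnet. Assumes the firewall SNATs inbound flows to its inside IP.
resource "oci_core_security_list" "app" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  ingress_security_rules {
    protocol = "6"
    source   = var.fw_inside_cidr
    tcp_options {
      min = 443
      max = 443
    }
  }
  # The list sees the packet's real destination, not the next hop, so outbound
  # traffic must be allowed here even though routing delivers it to the firewall.
  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}
```

The application list is the one most often left too open: an egress rule to 0.0.0.0/0 is required because the security list is evaluated against the packet's destination address, not the route table's next hop, but ingress should name the firewall's inside subnet (or, if the firewall does not translate inbound sources, the specific external ranges the firewall admits) rather than the whole VCN, so that a compromised instance in the subnet cannot reach its neighbours without the firewall seeing the flow.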

Considerations

  • Performance

    As the central point of communication, the firewall instance should have enough VNICs to connect the existing segments. For most cases, CPU is not a limiting factor. In Oracle Cloud Infrastructure, the number of VNICs and the associated bandwidth scale up with the number of OCPUs of the instance’s shape.

  • Security

The firewall isn't managed as part of Oracle Cloud Infrastructure. Restrict management access to the firewall to the administrative network, both in the security list of its management interface and in the firewall's own policy, and keep the firewall software patched, because the firewall is the choke point for every segment.

  • Availability

The firewall is the central point through which all communication flows. The firewall that you choose must support a high-availability mode so that an unplanned outage of one unit does not interrupt traffic.

  • Cost

    The cost of using this architecture is based on the size of the instance shape used for the firewall. If you choose a paid firewall solution, the licensing costs should also be considered.