Ensure Secure Network Access

Adopt the following best practices to secure your virtual cloud networks, subnets, load balancers, and other networking resources.

Implement Network Access Controls

Enterprise Architect, Security Architect, Network Architect

Use access controls to secure your network.
  • Define appropriate IAM policies to limit access to network resources to only the users and groups that are allowed to manage network resources.
  • Formulate a tiered subnet strategy for the VCN:
    • DMZ subnet for load balancers.
    • Public subnets for externally accessible hosts, such as web application servers and instances that run intrusion detection systems (IDS).
    • Private subnets for internal hosts such as databases.
  • Compute instances that are attached to a private subnet can have only private IP addresses.
  • Attach security-sensitive hosts (DB systems, for example) to private subnets. For connectivity from such hosts to the internet, use a NAT gateway. To enable the hosts to access other Oracle Cloud Infrastructure services, use a service gateway.
  • Network security groups provide fine-grained control of traffic flowing between the vNICs that belong to the network security group.
  • Security lists control traffic that can flow into, within, and out of subnets.
  • Use network security groups to control access to your resources in both private and public subnets:
    • Allow only network flows required for a workload by creating security groups for each tier of the application.
    • Do not allow unnecessary lateral traffic within or between application tiers.
    • Do not allow application tiers to communicate with other tiers unless required.
  • Use granular security rules to regulate communication within the VCN, with the Internet, with other VCNs that are connected through peering gateways, and with on-premises hosts.
  • To scan all outgoing traffic with an intrusion detection system, use VCN route tables to direct that traffic through the IDS instance.
  • VCN Subnet Flow Logs log traffic flowing within a VCN. Turn on VCN Subnet Flow Logs and regularly monitor their contents.
  • Enable Web Application Firewall for public-facing HTTPS services.
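The tiered VCN described in the list above, written out as an added Terraform example (this is not Oracle's own code). Resource and attribute names follow the OCI Terraform provider; the compartment OCID, CIDR ranges and display names are assumed values:

```hcl
# Added example, not Oracle's code: a three-tier VCN built with the OCI
# Terraform provider. Compartment OCID, CIDRs and names are assumed values.
variable "compartment_ocid" { type = string }

resource "oci_core_vcn" "app" {
  compartment_id = var.compartment_ocid
  cidr_blocks    = ["10.0.0.0/16"]
  display_name   = "app-vcn"
  dns_label      = "appvcn"
}

# Internet gateway serves only the DMZ and public tiers.
resource "oci_core_internet_gateway" "igw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.app.id
}

# NAT gateway gives private hosts outbound-only internet access.
resource "oci_core_nat_gateway" "nat" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.app.id
}

# Service gateway lets private hosts reach Oracle services (Object Storage,
# for example) without any path to the public internet.
data "oci_core_services" "all" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}

resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.app.id
  services {
    service_id = data.oci_core_services.all.services[0].id
  }
}

resource "oci_core_route_table" "public" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.app.id
  display_name   = "rt-public"
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.igw.id
  }
}

# The private route table never points at the internet gateway: the default
# route goes to NAT and Oracle services go through the service gateway.
resource "oci_core_route_table" "private" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.app.id
  display_name   = "rt-private"
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_nat_gateway.nat.id
  }
  route_rules {
    destination       = data.oci_core_services.all.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
}

locals {
  # dmz: load balancers; web: externally reachable hosts and IDS instances;
  # private: databases and other sensitive hosts.
  subnets = {
    dmz     = { cidr = "10.0.1.0/24", public = true }
    web     = { cidr = "10.0.2.0/24", public = true }
    private = { cidr = "10.0.3.0/24", public = false }
  }
}

resource "oci_core_subnet" "tier" {
  for_each       = local.subnets
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.app.id
  cidr_block     = each.value.cidr
  display_name   = "subnet-${each.key}"
  dns_label      = each.key
  # A private subnet cannot hand out public IPs, so its instances are
  # private-IP only, as the guidance requires.
  prohibit_public_ip_on_vnic = !each.value.public
  route_table_id = each.value.public ? oci_core_route_table.public.id : oci_core_route_table.private.id
}
```

The private tier is private by construction here: nothing in its route table reaches the internet gateway, and the subnet refuses public IPs, so a misconfigured instance launch cannot silently expose a database host.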
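The per-tier network security groups and the VCN flow logs from the list above, as an added Terraform example (not from the original page). It assumes the VCN and its three subnets already exist and are passed in as variables, and the application ports are assumed values:

```hcl
# Added example, not Oracle's code: one NSG per tier whose rules permit only
# the documented tier-to-tier flows, plus a VCN flow log on every subnet.
# VCN/subnet OCIDs and ports are assumed placeholders.
variable "compartment_ocid" { type = string }
variable "vcn_ocid"         { type = string }
variable "subnet_ocids"     { type = map(string) } # keys: dmz, web, private

resource "oci_core_network_security_group" "tier" {
  for_each       = toset(["dmz", "web", "private"])
  compartment_id = var.compartment_ocid
  vcn_id         = var.vcn_ocid
  display_name   = "nsg-${each.key}"
}

locals {
  # Permitted flows (assumed application ports). Nothing else is listed, so
  # hosts within a tier cannot talk to each other and the only path into the
  # database tier is from the web tier on one port.
  flows = {
    lb_to_web = { src = "dmz", dst = "web", port = 8080 }
    web_to_db = { src = "web", dst = "private", port = 1521 }
  }
  # Each flow becomes an EGRESS rule on the source NSG and an INGRESS rule on
  # the destination NSG; both reference the peer NSG rather than a CIDR.
  rules = merge(
    { for k, f in local.flows : "${k}-egress" => merge(f, { dir = "EGRESS", nsg = f.src, peer = f.dst }) },
    { for k, f in local.flows : "${k}-ingress" => merge(f, { dir = "INGRESS", nsg = f.dst, peer = f.src }) },
  )
}

resource "oci_core_network_security_group_security_rule" "tier" {
  for_each                  = local.rules
  network_security_group_id = oci_core_network_security_group.tier[each.value.nsg].id
  direction                 = each.value.dir
  protocol                  = "6" # TCP
  source_type      = each.value.dir == "INGRESS" ? "NETWORK_SECURITY_GROUP" : null
  source           = each.value.dir == "INGRESS" ? oci_core_network_security_group.tier[each.value.peer].id : null
  destination_type = each.value.dir == "EGRESS" ? "NETWORK_SECURITY_GROUP" : null
  destination      = each.value.dir == "EGRESS" ? oci_core_network_security_group.tier[each.value.peer].id : null
  tcp_options {
    destination_port_range {
      min = each.value.port
      max = each.value.port
    }
  }
}

# The only rule that admits traffic from outside the VCN: HTTPS to the NSG of
# the DMZ load balancers.
resource "oci_core_network_security_group_security_rule" "internet_to_lb" {
  network_security_group_id = oci_core_network_security_group.tier["dmz"].id
  direction   = "INGRESS"
  protocol    = "6"
  source_type = "CIDR_BLOCK"
  source      = "0.0.0.0/0"
  tcp_options {
    destination_port_range {
      min = 443
      max = 443
    }
  }
}

# VCN flow logs for every subnet. Category "all" records accepted and
# rejected flows, which is what you want both for reviewing unexpected
# traffic and for tuning the rules above.
resource "oci_logging_log_group" "network" {
  compartment_id = var.compartment_ocid
  display_name   = "network-logs"
}

resource "oci_logging_log" "flow" {
  for_each           = var.subnet_ocids
  display_name       = "flowlog-${each.key}"
  log_group_id       = oci_logging_log_group.network.id
  log_type           = "SERVICE"
  is_enabled         = true
  retention_duration = 90
  configuration {
    compartment_id = var.compartment_ocid
    source {
      category    = "all"
      resource    = each.value
      service     = "flowlogs"
      source_type = "OCISERVICE"
    }
  }
}
```

Because NSG rules are expressed in terms of the peer NSG, replacing or scaling a tier does not require editing CIDR-based rules, and a host that is not attached to a tier's NSG simply has no permitted path; the flow logs are where rejected flows from such a host show up.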

Secure the Load Balancers

Enterprise Architect, Security Architect, Network Architect

You can enable end-to-end TLS connections between a client's applications and a customer's VCN by using load balancers.
  • To terminate TLS at the load balancer, use an HTTP load balancer. To terminate TLS at a backend server, use a TCP load balancer.
  • You can configure network access to the load balancers by using network security groups or security lists.
  • Define IAM policies to limit permissions to manage the load balancers to a minimal set of users and groups.
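The load balancer setup described above, as an added Terraform example (not Oracle's code): a public HTTP load balancer that terminates TLS, sits in the DMZ subnet, accepts traffic only through its network security group, and can be managed only by one IAM group. The OCIDs, names, certificate file paths and group name are assumed placeholders:

```hcl
# Added example, not Oracle's code. OCIDs, names, PEM paths and the
# LoadBalancerAdmins group are assumed placeholders.
variable "compartment_ocid" { type = string }
variable "dmz_subnet_ocid"  { type = string }
variable "lb_nsg_ocid"      { type = string } # NSG that permits TCP/443 ingress only

resource "oci_load_balancer_load_balancer" "web" {
  compartment_id             = var.compartment_ocid
  display_name               = "web-lb"
  shape                      = "flexible"
  subnet_ids                 = [var.dmz_subnet_ocid]
  is_private                 = false
  network_security_group_ids = [var.lb_nsg_ocid]
  shape_details {
    minimum_bandwidth_in_mbps = 10
    maximum_bandwidth_in_mbps = 100
  }
}

# Server certificate presented to clients. Read the PEM files at apply time
# from a secrets location rather than committing them to source control.
resource "oci_load_balancer_certificate" "web" {
  load_balancer_id   = oci_load_balancer_load_balancer.web.id
  certificate_name   = "web-cert"
  public_certificate = file("certs/web.crt")
  private_key        = file("certs/web.key")
  ca_certificate     = file("certs/ca.crt")
  lifecycle {
    create_before_destroy = true # rotate without a listener outage
  }
}

resource "oci_load_balancer_backend_set" "web" {
  load_balancer_id = oci_load_balancer_load_balancer.web.id
  name             = "web-backends"
  policy           = "ROUND_ROBIN"
  health_checker {
    protocol = "HTTP"
    port     = 8080
    url_path = "/healthz"
  }
}

# HTTP listener on 443 with an SSL configuration: this is the "terminate TLS
# at the load balancer" case. A TCP listener would pass TLS through to the
# backends instead.
resource "oci_load_balancer_listener" "https" {
  load_balancer_id         = oci_load_balancer_load_balancer.web.id
  name                     = "https"
  default_backend_set_name = oci_load_balancer_backend_set.web.name
  port                     = 443
  protocol                 = "HTTP"
  ssl_configuration {
    certificate_name        = oci_load_balancer_certificate.web.certificate_name
    verify_peer_certificate = false # clients are not asked for a certificate
  }
}

# Least-privilege management: only LoadBalancerAdmins can change load
# balancers in this compartment; they need only "use" on the network.
resource "oci_identity_policy" "lb_admins" {
  compartment_id = var.compartment_ocid
  name           = "lb-admins"
  description    = "Only LoadBalancerAdmins manage load balancers here"
  statements = [
    "Allow group LoadBalancerAdmins to manage load-balancers in compartment id ${var.compartment_ocid}",
    "Allow group LoadBalancerAdmins to use virtual-network-family in compartment id ${var.compartment_ocid}",
  ]
}
```

Note that no plain HTTP listener on port 80 is defined, so the only way in is the TLS listener, and the NSG passed in is expected to admit TCP/443 alone.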

Restrict Access Using Network Sources

Enterprise Architect, Security Architect, Network Architect

A network source is a set of defined IP addresses. The IP addresses can be public IP addresses or IP addresses from VCNs within your tenancy.
After you create a network source, you can reference it in policy or in your tenancy's authentication settings to control access based on the originating IP address.

Network sources can only be created in the tenancy (or root compartment) and, like other Identity resources, reside in the home region.

You can use network sources to help secure your tenancy in the following ways:

  • Specify the network source in an IAM policy to restrict access to resources. When specified in a policy, IAM validates that requests to access a resource originate from an allowed IP address. For example, you can restrict access to Object Storage buckets in your tenancy to only users that are signed in to Oracle Cloud Infrastructure through your corporate network. Or, you can allow only resources belonging to specific subnets of a specific VCN to make requests over a Service Gateway.
  • Specify the network source in your tenancy's authentication settings to restrict sign in to the Console. You can set up your tenancy's authentication policy to allow sign in to the Console from only those IP addresses specified in your network source. Users attempting to sign in from an IP address not on the allowed list in your network source will be denied access.
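Both uses of a network source described above, as an added Terraform example (not Oracle's code): one network source covering a corporate public range and one VCN subnet, referenced first in an IAM policy condition on Object Storage access and then in the tenancy authentication policy for Console sign-in. The OCIDs, CIDRs and group name are assumed placeholders, and the resource names follow the OCI Terraform provider:

```hcl
# Added example, not Oracle's code. OCIDs, CIDRs and the DataTeam group are
# assumed placeholders.
variable "tenancy_ocid"     { type = string }
variable "compartment_ocid" { type = string }
variable "app_vcn_ocid"     { type = string }

# Network sources belong to the tenancy (root compartment) in the home region.
resource "oci_identity_network_source" "corp" {
  compartment_id     = var.tenancy_ocid
  name               = "corpnet"
  description        = "Corporate egress range plus the app VCN private subnet"
  public_source_list = ["203.0.113.0/24"] # RFC 5737 documentation range, assumed
  virtual_source_list {
    vcn_id    = var.app_vcn_ocid
    ip_ranges = ["10.0.3.0/24"] # requests from this subnet over a service gateway
  }
}

# Use 1: bucket and object access only when the request originates from
# corpnet. IAM checks the condition on every request, so a valid credential
# used from any other address is refused.
resource "oci_identity_policy" "objectstorage_corp_only" {
  compartment_id = var.compartment_ocid
  name           = "objectstorage-corp-only"
  description    = "Object Storage access only from network source corpnet"
  statements = [
    "Allow group DataTeam to manage buckets in compartment id ${var.compartment_ocid} where request.networkSource.name = 'corpnet'",
    "Allow group DataTeam to manage objects in compartment id ${var.compartment_ocid} where request.networkSource.name = 'corpnet'",
  ]
}

# Use 2: Console sign-in permitted only from corpnet. Verify the address list
# before applying this, because a wrong list locks administrators out as well.
resource "oci_identity_authentication_policy" "tenancy" {
  compartment_id = var.tenancy_ocid
  network_policy {
    network_source_ids = [oci_identity_network_source.corp.id]
  }
}
```

The policy condition and the authentication policy are independent: the first limits where API calls for a given resource may come from, the second limits where interactive sign-in may come from, and you will usually want both.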

Secure DNS Zones and Records

Enterprise Architect, Security Architect, Network Architect

Incorrect updates or unauthorized deletions of DNS zones and records could result in service outages.

Define IAM policies to limit the users who can modify DNS zones and records.
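An added Terraform example of such a policy (not Oracle's code): one group may manage DNS zones and records in the compartment, everyone else may only read them. The compartment OCID and group names are assumed placeholders, and the network-source condition assumes a network source named corpnet already exists in the tenancy:

```hcl
# Added example, not Oracle's code. Compartment OCID, group names and the
# corpnet network source are assumed placeholders.
variable "compartment_ocid" { type = string }

resource "oci_identity_policy" "dns" {
  compartment_id = var.compartment_ocid
  name           = "dns-least-privilege"
  description    = "Only DnsAdmins change zones and records; Developers read"
  statements = [
    # Changes to zones and records only by DnsAdmins, and only from corpnet.
    "Allow group DnsAdmins to manage dns-zones in compartment id ${var.compartment_ocid} where request.networkSource.name = 'corpnet'",
    "Allow group DnsAdmins to manage dns-records in compartment id ${var.compartment_ocid} where request.networkSource.name = 'corpnet'",
    # Read-only visibility for everyone else who needs to troubleshoot.
    "Allow group Developers to read dns-zones in compartment id ${var.compartment_ocid}",
    "Allow group Developers to read dns-records in compartment id ${var.compartment_ocid}",
  ]
}
```

Keeping zone deletion inside the same small group as record edits means an accidental or unauthorized deletion of a zone, the outage case the text warns about, requires that group's credentials and a request from the corporate network.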

Leverage Maximum Security Zones in Oracle Cloud Infrastructure

Enterprise Architect, Security Architect, Network Architect

The Maximum Security Zones service helps you minimize the risk of inappropriately low security policies.

When you start a new project and build a new solution, there is plenty of best-practices guidance available from many different sources, such as:

  • Vendor recommendations
  • Organizational standards and policies
  • External frameworks
  • Regulatory compliance
  • Reference architectures

These best practices typically cover a range of different security topics, including authentication, encryption, storage, access control, etc. However, in many cases, best practices advice is ignored. We’ve all seen it many times: project timelines, budget constraints, knowledge gaps, and environments starting out as non-production, can all mean that the relevant best practices are not followed, leading to an insecure environment and a weak security posture.

The Maximum Security Zones service within Oracle Cloud Infrastructure aims to help you minimize this risk. A security zone is a preventative control which, because it contains sensitive data and resources, is restrictive by design. For example, Maximum Security Zones will release with a maximum security policy enabled. This takes the position that public access should not be allowed, and that sensitive data should be separated from the Internet as much as possible. The security policy enforces this position by preventing you, in real time, from creating resources that would break the policy.