Network Security

The Oracle Cloud Infrastructure Networking service supports provisioning virtual cloud networks (VCNs) and subnets, which you can use to isolate your resources in the cloud at the network level.

The VCNs can be configured for internet connectivity or connected to your on-premises data centers by using Oracle Cloud Infrastructure FastConnect circuits or IPSec VPN connections. You can use bidirectional stateful and stateless firewall rules, communication gateways, and route tables to control the flow of traffic to and from the networks that you create. Firewalls and access control lists (ACLs) specified for a VCN are propagated throughout the network topology and control plane, ensuring a multitiered and defense-in-depth implementation. For more information about networking in Oracle Cloud Infrastructure, see Overview of Networking.

The following architecture illustrates how you can use subnets, route tables, and security lists to secure your network boundaries.



This architecture shows a virtual firewall implementation using security lists. The rules that you specify in a security list apply to all the VNICs in the subnet to which you attach the security list. If you need firewalls at a more granular level, use network security groups (NSGs). The rules in an NSG apply only to the VNICs that you specify. Oracle recommends that you use NSGs, because they enable you to separate the subnet architecture from your workload's security requirements.
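As an added illustration (not Oracle's code or the OCI API), the following Python model captures the two scopes described above: security-list rules reach every VNIC in the subnet, NSG rules reach only member VNICs, and a packet is admitted when any applicable rule matches. It also lints a tiered VCN for private-tier subnets that admit 0.0.0.0/0. Subnet names, CIDRs and rules are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of OCI-style stateful ingress rules; not the OCI API.
@dataclass(frozen=True)
class Rule:
    source: str            # CIDR the connection may come from
    protocol: str          # "tcp", "udp" or "all"
    port_min: int = 1
    port_max: int = 65535

    def matches(self, src_ip: str, proto: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.source)
                and self.protocol in ("all", proto)
                and self.port_min <= port <= self.port_max)

@dataclass(frozen=True)
class Vnic:
    name: str
    subnet: str            # subnet the VNIC is attached to
    nsgs: tuple = ()       # NSGs the VNIC is a member of

def ingress_allowed(vnic, src_ip, proto, port, security_lists, nsgs):
    """Admit the packet if ANY rule in a security list attached to the VNIC's
    subnet, or in ANY NSG the VNIC belongs to, matches (union semantics).
    Stateful rules only: reply traffic is implicitly allowed, not modelled."""
    rules = list(security_lists.get(vnic.subnet, []))
    for nsg in vnic.nsgs:
        rules += nsgs.get(nsg, [])
    return any(r.matches(src_ip, proto, port) for r in rules)

def private_subnets_open_to_internet(security_lists, private_subnets):
    """Lint for the tiered design: private-tier subnets must not admit 0.0.0.0/0."""
    return sorted(s for s in private_subnets
                  if any(ip_network(r.source).prefixlen == 0
                         for r in security_lists.get(s, [])))

# Constructed tiers: DMZ 10.0.1.0/24 (load balancers), web 10.0.2.0/24, private.
SECURITY_LISTS = {
    "dmz":         [Rule("0.0.0.0/0", "tcp", 443, 443)],      # LB listener
    "public-web":  [Rule("10.0.1.0/24", "tcp", 8080, 8080)],  # only from DMZ
    "private-app": [Rule("0.0.0.0/0", "tcp", 22, 22)],        # misconfiguration
    "private-db":  [],                                        # rely on NSG
}
NSGS = {"db-nsg": [Rule("10.0.2.0/24", "tcp", 1521, 1521)]}   # only from web tier
WEB1 = Vnic("web1", "public-web")
WEB2 = Vnic("web2", "public-web")
DB1 = Vnic("db1", "private-db", ("db-nsg",))
DB2 = Vnic("db2", "private-db")
```

Both web VNICs accept 8080 from the DMZ through the subnet-wide security list, whereas only the NSG member db1 accepts 1521 from the web tier; the lint reports private-app.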

The following example compares security lists and NSGs:



Use the following checklist to protect your network boundaries:

Security Controls and Recommendations (mark each item Done? when implemented):
[ ] Partition your VCN into private and public subnets.
[ ] Define firewall rules to control access to your instances.
[ ] Create and configure virtual routers for network connectivity.
[ ] Use IAM policies to restrict access to network resources to only groups allowed to manage network resources.
[ ] To control network access, use a tiered subnet strategy for the VCN. Use a demilitarized zone (DMZ) subnet for load balancers; a public subnet for externally accessible hosts, such as web servers; and a private subnet for internal hosts, such as databases.
[ ] Use a NAT gateway for connectivity to the internet from private compute instances.
[ ] Use a service gateway for connectivity to the Oracle Services Network.
[ ] Use granular security rules for access within a VCN, communication with the internet, access to other VCNs through peering gateways, and access to on-premises networks through IPSec VPN and FastConnect.
[ ] Set up an intrusion detection and prevention system (IDS/IPS).
[ ] Create and configure load balancers for high availability and transport layer security (TLS).
[ ] Use a web application firewall (WAF).
[ ] Create DNS zones and mappings. An important security consideration in load balancers is using customer TLS certificates to configure TLS connections to the customer's VCN.
[ ] Follow security best practices for external cloud connections.

The following graphic shows network connectivity options with Oracle Cloud Infrastructure.