Secure Your Cloud Workloads with Palo Alto Networks VM Series Firewall and Simplify Your Design

Security in the cloud is based on a shared responsibility model. Oracle is responsible for the security of the underlying infrastructure, such as data center facilities, hardware, and software to manage cloud operations and services. Customers are responsible for securing their workloads and configure their services and applications securely to meet their compliance obligations.

Oracle Cloud Infrastructure (OCI) offers best-in-class security technology and operational processes to secure its enterprise cloud services. VM-Series firewalls for OCI provide consistent threat prevention and inline network security across cloud environments, helping network security teams regain visibility and control over traffic in their cloud networks. As part of the family of Palo Alto Networks ML-Powered NGFWs, the VM-Series offers all the same capabilities as Palo Alto industry-leading hardware firewalls in a VM form factor, making it highly scalable—a prerequisite for cloud environments.

The VM-Series expands Layer 7 firewall capabilities by seamlessly integrating into Palo Alto Networks cloud-delivered security subscriptions like Palo Alto Networks's other next-generation firewalls (CN-Series container firewalls and PA-Series physical firewalls) and Prisma Access. These cloud-delivered security subscriptions coordinate intelligence capabilities and provide protections across all attack vectors. This security eliminates coverage gaps generated by disparate network security tools and provides a consistent platform experience to secure your organization against the most advanced and evasive threats.

This reference architecture shows how you can use VM-Series firewall to secure your workloads and provides a Terraform-based template to deploy architecture.

Architecture

This reference architecture illustrates how organizations can protect Oracle applications, like Oracle E-Business Suite, PeopleSoft, and applications deployed in OCI using Palo Alto Networks VM-Series firewall with flexible network load balancers and simplify design using dynamic routing gateways (DRGs).

To protect these traffic flows, Palo Alto Networks recommends segmenting the network using a hub and spoke topology, where traffic is routed through a central hub and is connected to multiple distinct networks (spokes). Ensure that you have deployed multiple VM-Series instances between flexible network load balancers, considered a sandwich topology. All traffic between spokes, whether to and from the internet, to and from on-premises, or to the Oracle Services Network, is routed through the hub and inspected with Palo Alto Networks VM-Series firewall’s multilayered threat prevention technologies.

Deploy each tier of your application in its own virtual cloud network (VCN), which acts as a spoke. The hub VCN contains a Palo Alto Networks VM-Series firewall active-active cluster, Oracle internet gateway, DRG, Oracle Service Gateway, and internal and external flexible network load balancers.

The hub VCN connects to the spoke VCNs through a DRG. Each VCN has an attachment to the DRG, which allows them to communicate with each other. All spoke traffic uses route table rules to route traffic through the DRG to the hub using a flexible network load balancer for inspection by the Palo Alto Networks VM-Series firewall cluster.

You can configure and manage the Palo Alto Networks firewall locally, or you can manage it centrally using Panorama, the Palo Alto Networks centralized security management system. Panorama helps customers reduce the complexity and administrative overhead in managing configuration, policies, software, and dynamic content updates. Using device groups and templates on Panorama, you can effectively manage firewall-specific configuration locally on a firewall and enforce shared policies across all firewalls or device groups.

The following diagram illustrates this reference architecture.

Description of drg_nlb_oci_pan_arch.png follows
Description of the illustration drg_nlb_oci_pan_arch.png

Each traffic flow ensures that network address translation (NAT) and security policies are open on a VM Series Firewall. The Flexible Network Load Balancer currently supported use-case requires that you enable source NAT on the firewalls from which traffic is exiting.

North-south inbound internet traffic

The following diagram illustrates how north-south inbound traffic accesses the web application tier from the internet.

Description of north_south_inbound.png follows
Description of the illustration north_south_inbound.png

North-south outbound internet traffic

The following diagram illustrates how outgoing connections from the web application and database tiers to the internet provide software updates and access to external web services.

Description of north_south_outbound.png follows
Description of the illustration north_south_outbound.png

East-west traffic (web to database)

The following diagram illustrates how traffic moves from the web application to the database tier.

Description of east_west_w2db.png follows
Description of the illustration east_west_w2db.png

East-west traffic (database to web)

The following diagram illustrates how traffic moves from the database tier to the web application.

Description of east_west_db2w.png follows
Description of the illustration east_west_db2w.png

East-west traffic (Web Application to Oracle Services Network)

The following diagram illustrates how traffic moves from the web application to the Oracle Services Network.

Description of east_west_webapp2osn.png follows
Description of the illustration east_west_webapp2osn.png

East-west traffic (Oracle Services Network to Web Application)

The following diagram illustrates how traffic moves from the Oracle Services Network to the web application.

Description of east_west_osn2webapp.png follows
Description of the illustration east_west_osn2webapp.png

The architecture has the following components:
  • Palo Alto networks VM-Series firewall

    Provides all the capabilities of physical next-generation firewalls in a virtual machine (VM) form, delivering in-line network security and threat prevention to consistently protect public and private clouds.

  • Oracle E-Business Suite or PeopleSoft application tier

    Composed of Oracle E-Business Suite or PeopleSoft application servers and file system.

  • Oracle E-Business Suite or PeopleSoft database tier

    Composed of Oracle Database but not limited to Oracle Exadata Database Cloud service or Oracle Database services.

  • Region

    An OCI region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Availability domain

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Fault domain

    A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.

  • Virtual cloud network (VCN) and subnet

    A VCN is a customizable, software-defined network that you set up in an OCI region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which you can scope to a region or availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Hub VCN

    The hub VCN is a centralized network where Palo Alto Networks VM-Series firewalls are deployed. It provides secure connectivity to all spoke VCNs, OCI services, public endpoints and clients, and on-premises data center networks. Application tier spoke VCN The application tier spoke VCN contains a private subnet to host Oracle E-Business Suite or PeopleSoft components.

  • Database tier spoke VCN

    The database tier spoke VCN contains a private subnet for hosting Oracle databases.

  • Load balancer

    OCI Load Balancing service provides automated traffic distribution from a single-entry point to multiple servers in the backend end.

  • Flexible network load balancer

    OCI's flexible network load balancer provides automated traffic distribution from one entry point to multiple backend servers in your VCNs. It operates at the connection level and load balancers incoming client connections to healthy backend servers based on Layer3 or Layer4 (IP protocol) data.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Route table

    Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways. In the hub VCN, you have the following route tables:

    • Management route table attached to the management subnet, which has a default route connected to the internet gateway.
    • Untrust route table attached to the untrust subnet or default VCN for routing traffic from the hub VCN to internet or on-premises spoke VCNs targets through the DRG. This route table also has entries for each spoke VCNs CIDR block route through DRGs.
    • Trust route table attached to the trust subnet pointing to the CIDR block of the spoke VCNs through the DRG.
    • Network load balancer (NLB) route table attached to the NLB subnet, pointing to the CIDR block of the spoke VCNs through the DRG.
    • For each spoke attached to the hub by a DRG, a distinct route table is defined, and the route target is used as DRG. That route table forwards all traffic (0.0.0.0/0) from the spoke VCN to DRG through the internal flexible network load balancer, or you can define it at granular level too.
    • The Oracle service gateway route table attached to the Oracle service gateway for Oracle Services Network communication. That route forwards all traffic (0.0.0.0/0) to the internal private network load balancer VIP IP.
    • To maintain traffic symmetry, routes are also added to each Palo Alto Networks VM-Series firewall to point the CIDR block of spoke traffic to the trust (internal) subnet’s default gateway IP and default CIDR block (0.0.0.0/0) pointing to the untrust subnet default gateway IP. The default gateway IP is available in the trust subnet on the hub VCN.
  • Internet gateway

    The internet gateway allows traffic between the public subnets in a VCN and the public internet.

  • NAT gateway

    The NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.

  • Dynamic routing gateway (DRG)

    The DRG is a virtual router that provides a path for private network traffic between a VCN and a network outside the region, such as a VCN in another OCI region, an on-premises network, or a network in another cloud provider.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as OCI Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • FastConnect

    OCI FastConnect provides an easy way to create a dedicated, private connection between your data center and OCI. FastConnect provides higher-bandwidth options and a more reliable networking experience when compared with internet-based connections.

  • Virtual network interface card (VNIC)

    The services in OCI data centers have physical network interface cards (NICs). VM instances communicate using virtual NICs (VNICs) associated with the physical NICs. Each instance has a primary VNIC that's automatically created and attached during deployment and is available during the instance's lifetime. DHCP is offered to the primary VNIC only. You can add secondary VNICs after instance deployment. Set static IPs for each interface.

  • Private IPs

    A private IPv4 address and related information for addressing an instance. Each VNIC has a primary private IP, and you can add and remove secondary private IPs. The primary private IP address on an instance is attached during instance deployment and doesn’t change during the instance’s lifetime. Secondary IPs also belong to the same CIDR of the VNIC’s subnet. The secondary IP is used as a floating IP because it can move between different VNICs on different instances within the same subnet. You can also use it as a different endpoint to host different services.

  • Public IPs
    The networking services define a public IPv4 address chosen by Oracle that's mapped to a private IP. Public IPs have the following types:
    • Ephemeral: This address is temporary and exists for the lifetime of the instance.
    • Reserved: This address persists beyond the lifetime of the instance. It can be unassigned and reassigned to another instance.
  • Source and destination check

    Every VNIC performs the source and destination check on its network traffic. Disabling this flag enables the Palo Alto Networks VM-Series firewall to handle network traffic that's not targeted for the firewall.

  • Compute shape

    The shape of a Compute instance specifies the number of CPUs and amount of memory allocated to the instance. The Compute shape also determines the number of VNICs and maximum bandwidth available for the compute instance.

Recommendations

Use the following recommendations as a starting point to secure Oracle E-Business Suite or PeopleSoft workloads on OCI using Palo Alto Networks VM-Series firewall. Your requirements might differ from the architecture described here.
  • VCN

    When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.

    Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.

    After you create a VCN, you can change, add, and remove its CIDR blocks.

    When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.

    If you want to inspect the whole spoke VCN’s traffic, use regional subnets and ensure that the spoke VCN's CIDR is fully associated with spoke subnets.

  • Palo Alto Networks VM-Series firewall
    • Deploy an active-active cluster and add necessary instances.
    • Whenever possible, deploy in distinct fault domains at a minimum or different availability domains.
    • Ensure that MTU is set to 9000 on all VNICs. Utilize VFIO interfaces.
  • Palo Alto Networks VM-Series firewall management
    • If you’re creating a deployment hosted in OCI, create a dedicated subnet for management.
    • Use security lists or network service gateways to restrict inbound access to ports 443 and 22, sourced from the internet for administration of the security policy and to view logs and events.
  • Palo Alto Networks VM-Series firewall policies

    Refer to the firewall documentation in the Explore more section for the most up-to-date information on required security policies, ports, and protocols. Ensure that you've configured required network address translation policies enabled on VM-Series firewall instances.

Considerations

When securing Oracle E-Business Suite or PeopleSoft workloads on OCI using Palo Alto Networks VM-Series firewalls, consider the following factors:

  • Performance
    • Selecting the proper instance size, which is determined by the Compute shape, determines the maximum available throughput, CPU, RAM, and number of interfaces.
    • Organizations need to know what types of traffic traverses the environment, determine the appropriate risk levels, and apply proper security controls as needed. Different combinations of enabled security controls impact performance.
    • Consider adding dedicated interfaces for FastConnect or VPN services.
    • Consider using large Compute shapes for higher throughput and access to more network interfaces.
    • Run performance tests to validate the design can sustain the required performance and throughput.
  • Security

    Deploying a Palo Alto Networks VM-Series firewall in OCI allows for centralized security policy configuration and monitoring of all physical and virtual Palo Alto Networks VM-Series instances.

  • Availability
    • Deploy your architecture to distinct geographic regions for greatest redundancy.
    • Configure site-to-site VPNs with relevant organizational networks for redundant connectivity with on-premises networks.
  • Cost
    Palo Alto Networks VM-Series Firewall is available in bring-your-own-license (BYOL) and Pay As You Go license models for bundle 1 and bundle 2 in the Oracle Cloud Marketplace.
    • Bundle 1 includes the VM-Series capacity license, threat prevention license, and a premium support entitlement.
    • Bundle 2 includes the VM-Series capacity license with the complete suite of licenses that includes threat prevention, WildFire, URL filtering, DNS security, GlobalProtect, and a premium support entitlement.

Deploy

You can deploy the VM-Series firewall on OCI using Oracle Cloud Marketplace. You can also download the code from GitHub and customize it to suit your specific business requirements. Oracle recommends deploying the architecture from Oracle Cloud Marketplace..
  • Deploy using the stack in Oracle Cloud Marketplace:
    1. Set up the required networking infrastructure as shown in the architecture diagram. See the example, Set up a hub-and-spoke network topology.
    2. Deploy the application (Oracle E-Business Suite or PeopleSoft or applications) on your environment.
    3. Oracle Cloud Marketplace has multiple listings for different configurations and licensing requirements. For example, the following listings feature bring your own licensing (BYOL) or paid. For each listing you choose, click Get App and follow the on-screen prompts:
  • Deploy using the Terraform code in GitHub:
    1. Go to GitHub.
    2. Clone or download the repository to your local computer.
    3. Follow the instructions in the README document.