Secure Web Applications Hosted on Oracle Cloud VMware Solution with OCI Certificates

Publish your critical applications securely by integrating Oracle Cloud VMware Solution with Oracle Cloud Infrastructure Certificates and Oracle Cloud Infrastructure Load Balancing (LBaaS).

In the ever-evolving landscape of cloud computing, two critical components have emerged as essential pillars for optimizing the performance, security, and scalability of web applications: load balancers and SSL/TLS certificates. These elements play a pivotal role in ensuring seamless operation, data integrity, and user trust within the cloud environment.

Load balancers distribute incoming network traffic across multiple servers or instances to prevent any single server from being overwhelmed, thus ensuring optimal utilization and responsiveness.

With data traversing networks, ensuring its confidentiality and integrity is crucial. This is where SSL/TLS certificates come into play. These digital certificates are used to authenticate the server and negotiate an encrypted communication channel, protecting the traffic from eavesdropping, tampering, or unauthorized access.

The combination of load balancers and SSL/TLS certificates within cloud infrastructure is a powerful one. Load balancers distribute traffic efficiently, optimizing performance and preventing overloads, while SSL/TLS certificates secure data transmissions, upholding confidentiality and integrity. This synergy not only enhances the end-user experience but also contributes significantly to the overall security posture of web servers hosted on Oracle Cloud VMware Solution.

Oracle Cloud VMware Solution provides a customer-managed, native VMware-based cloud environment, installed within a customer’s tenancy, and offers complete control using familiar VMware tools.

Oracle Cloud Infrastructure (OCI) is a next-generation, infrastructure-as-a-service (IaaS) offering architected on security-first design principles. These principles include isolated network virtualization and pristine physical host deployment, which were previously difficult to achieve with earlier public cloud designs. With these design principles, OCI helps to reduce risk from advanced persistent threats.

This reference architecture describes the integration options for Oracle Cloud VMware Solution with OCI Certificates and Oracle Cloud Infrastructure Load Balancing (LBaaS), allowing customers to securely publish their critical applications. LBaaS can also be used without OCI Certificates, for example with a certificate you upload yourself.

Architecture

This logical reference architecture focuses on the usage of OCI Certificates in front of the web servers running inside the Oracle Cloud VMware Solution workloads.

The certificates are generated using native OCI Certificates and leveraged by the OCI Layer 7 load balancer for SSL offloading. The web servers are running inside the Oracle Cloud VMware Solution SDDC in the form of virtual machines (VMs).

This logical diagram shows the overall traffic flow: TLS is terminated (SSL offloading) at the OCI Layer 7 load balancer, which presents a certificate issued by OCI Certificates to the client, and the load balancer then forwards the request to the web servers inside the SDDC over HTTP.

[Diagram: ocvs-traffic-flow-diagram-oracle.zip (overall traffic flow with SSL offloading at the OCI load balancer)]

The next diagram illustrates the two network connectivity options from the OCI load balancer to the web servers hosted in the Oracle Cloud VMware Solution SDDC. It also depicts the issuance of the SSL certificates by the private certificate authority (CA) running in OCI Certificates, and their use on the OCI load balancer for secure access to the web servers.

Note:

Certificates issued by OCI Certificates are consumed by the OCI load balancer listener; they cannot be deployed onto the web servers themselves, so this design does not provide end-to-end TLS. The hop from the load balancer to the web servers inside the SDDC is plain HTTP. Keep that hop on the private VCN/NSX path and restrict it (for example with security lists or network security groups on the load balancer subnet and NSX distributed firewall rules on the segment) so that only the load balancer can reach the backend port.

When it comes to connecting your web servers hosted in the Oracle Cloud VMware Solution to the virtual cloud network you have two connectivity options:

  • NSX segments
  • Virtual local area network (VLAN) backed port groups

NSX segments leverage software-defined networking (SDN) to create isolated and logically segmented networks. This approach brings several benefits:

  • Micro-segmentation: NSX segments allow for micro-segmentation, enabling the isolation and security of individual workloads.
  • Dynamic scaling: NSX segments are highly scalable and can be provisioned on demand, accommodating changes in network traffic and workload requirements.
  • Logical grouping: VMs can be grouped based on application tiers or security requirements, and policies can be applied at the segment level, ensuring consistent enforcement across the network.
  • Enhanced management: NSX provides centralized management for network configuration, security policies, and traffic flows.

In contrast to the dynamic nature of NSX segments, VLAN-backed port groups use traditional VLAN technology to isolate VMs within a virtualized environment. Here are some key characteristics of this approach:

  • Simplicity and familiarity: For organizations already familiar with VLANs, using VLAN-backed port groups is straightforward and requires minimal additional training.
  • Coarser policy granularity: While VLANs isolate network traffic at the VLAN boundary, they do not provide the same per-workload granularity as NSX segments when it comes to policy enforcement and micro-segmentation.

Choosing the Right Approach

The decision to use NSX segments or VLAN-backed port groups depends on various factors, including an organization's specific needs, existing infrastructure, and security requirements.

NSX segments and VLAN-backed port groups each offer distinct advantages in managing virtual machines within a virtualized environment. NSX segments excel in their ability to provide micro-segmentation, dynamic scaling, and centralized management, while VLAN-backed port groups offer simplicity and familiarity for those already accustomed to traditional VMware networking.

In the following sections we will show LBaaS connectivity aspects to web servers deployed in NSX segments and VLAN-backed port groups.

Web Servers Connected to NSX Overlay Segment

This section covers how the OCI load balancer connects to web servers attached to an NSX overlay segment in the Oracle Cloud VMware Solution SDDC, and how OCI Certificates issues the certificates used to publish those web servers securely.

The primary goals of this reference architecture are the following.

  • Connectivity of the OCI load balancer with web servers attached to the NSX overlay segment in the Oracle Cloud VMware Solution SDDC.
  • Use of OCI Certificates to issue the certificates for secure publishing of the web servers running in the Oracle Cloud VMware Solution SDDC.

The architecture for the web servers connected to the NSX overlay network segment is illustrated below.

[Diagram: web-server-nsx-diagram-oracle.zip (web servers connected to an NSX overlay segment)]

Architecture components

The architecture has the following components.

  • Oracle Cloud VMware Solution: The environment in the customer tenancy where the web servers are hosted.
    • NSX overlay segment: The NSX overlay segment offers network connectivity to the web servers.
    • Tier 0 router: A logical router that provides gateway services between the NSX logical network and the physical (VCN underlay) network, carrying North-South traffic.
    • Tier 1 router: A logical router to which the NSX overlay segments connect; it handles East-West traffic between segments and uplinks to the Tier 0 router.
    • NSX Edge uplink 1 VLAN: This VLAN is an interface between the OCI underlay networking and NSX overlay networking to bridge the communication between overlay (NSX) and underlay (VCN) networks.
    • Web servers: The web servers are the VMs deployed inside the Oracle Cloud VMware Solution SDDC.
  • OCI load balancer (LBaaS): OCI Layer 7 load balancer that balances the traffic to the web servers. The load balancer can use an OCI-assigned public IP or a reserved public IP of your own.
    • Health check: Backend web servers are configured with HTTP health checks.
    • Listener: The listener is configured with HTTPS for SSL offloading; TLS terminates at the load balancer and the backend connection is HTTP.
  • OCI Certificates: OCI Certificates provides SSL/TLS certificates for servers, web applications, and so on. The administrator can create and manage private certificate authority (CA) hierarchies and TLS certificates that integrate directly with OCI Load Balancing.
    • Certificate authority (CA): A private certificate authority configured to issue the certificates.
    • Vault: An OCI Vault that stores the key protecting the private CA.
    • Key: An RSA asymmetric key with HSM protection mode is the only supported key type for a private CA in OCI Certificates.

Web Servers Connected to the VLAN Network

This section covers how the OCI load balancer connects to web servers attached to a vSphere distributed port group backed by a VLAN network, and how OCI Certificates issues the certificates used to publish those web servers securely.

The primary goals of this reference architecture are the following.

  • Connectivity of the OCI load balancer with web servers attached to the vSphere distributed port group backed by the VLAN network.
  • Use of OCI Certificates to issue the certificates for secure publishing of the web servers running in the Oracle Cloud VMware Solution SDDC.

The architecture for the web servers connected to the VLAN-backed network is illustrated below.

[Diagram: web-server-vlan-diagram-oracle.zip (web servers connected to a VLAN-backed port group)]

Architecture components

The architecture has the following components.

  • Oracle Cloud VMware Solution: The environment in the customer tenancy where the web servers are hosted.
    • VLAN network: A dedicated VLAN created in the Oracle Cloud VMware Solution VCN for the web servers. This network is part of the underlay, so the load balancer reaches the VMs on it without traversing the NSX edge.
    • vSphere Distributed Switch (VDS): A virtual switch in vCenter that provides virtual networking to the Oracle Cloud VMware Solution workloads.
    • vSphere distributed port group: A port group on the VDS, tagged with the VLAN above, that exposes the underlay network to the workload VMs and holds the per-port configuration.
    • Web servers: Web servers are the VMs deployed inside the Oracle Cloud VMware Solution SDDC.
  • OCI load balancer (LBaaS): OCI Layer 7 load balancer that balances the traffic to the web servers. The load balancer can use an OCI-assigned public IP or a reserved public IP of your own.
    • Health check: Backend web servers are configured with HTTP health checks.
    • Listener: The listener is configured with HTTPS for SSL offloading; TLS terminates at the load balancer and the backend connection is HTTP.
  • OCI Certificates: OCI Certificates provides SSL/TLS certificates for servers, web applications, and so on. The administrator can create and manage private certificate authority (CA) hierarchies and TLS certificates that integrate directly with OCI Load Balancing.
    • Certificate authority (CA): A private certificate authority configured to issue the certificates.
    • Vault: An OCI Vault that stores the key protecting the private CA.
    • Key: An RSA asymmetric key with HSM protection mode is the only supported key type for a private CA in OCI Certificates.
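The component lists above (for both the NSX overlay and the VLAN-backed variants) describe the same wiring: a private CA backed by an HSM-protected RSA key, a TLS certificate issued by that CA, an HTTPS listener that terminates TLS with it, and an HTTP backend set with HTTP health checks pointing at the VM IPs inside the SDDC. The following is an added example in Terraform using the OCI provider; it is not code from the Oracle page. The variable names, the "/health" check path, the validity date, the cipher suite name, and the resource display names are assumptions, and the attribute names follow the OCI Terraform provider as the author knows it. The only thing that differs between the two connectivity options is the value of web_server_ips: an address on the NSX overlay segment (reachable through the edge uplink VLAN) or an address on the VLAN-backed port group.

```terraform
# Added example (not from the Oracle page). Assumed inputs:
variable "compartment_ocid" { type = string }
variable "lb_subnet_ocid"   { type = string }       # subnet the load balancer lives in
variable "hsm_rsa_key_ocid" { type = string }       # existing Vault key: RSA, HSM protection mode
variable "web_server_ips"   { type = list(string) } # VM IPs inside the SDDC (NSX segment or VLAN)
variable "site_fqdn"        { type = string }       # hostname clients connect to (assumed)

# Private root CA. Its signing key is the HSM-protected RSA key in OCI Vault.
resource "oci_certificates_management_certificate_authority" "root" {
  compartment_id = var.compartment_ocid
  name           = "ocvs-web-root-ca"
  kms_key_id     = var.hsm_rsa_key_ocid
  certificate_authority_config {
    config_type = "ROOT_CA_GENERATED_INTERNALLY"
    subject {
      common_name = "OCVS Web Root CA"
    }
    validity {
      time_of_validity_not_after = "2030-01-01T00:00:00Z" # assumed lifetime
    }
  }
}

# TLS server certificate issued by that CA. The private key stays in the
# service; it is consumed by the load balancer and never copied to the VMs.
resource "oci_certificates_management_certificate" "web" {
  compartment_id = var.compartment_ocid
  name           = "ocvs-web-tls"
  certificate_config {
    config_type                     = "ISSUED_BY_INTERNAL_CA"
    certificate_profile_type        = "TLS_SERVER_OR_CLIENT"
    issuer_certificate_authority_id = oci_certificates_management_certificate_authority.root.id
    subject {
      common_name = var.site_fqdn
    }
    subject_alternative_names {
      type  = "DNS"
      value = var.site_fqdn
    }
  }
}

resource "oci_load_balancer_load_balancer" "lb" {
  compartment_id = var.compartment_ocid
  display_name   = "ocvs-web-lb"
  shape          = "flexible"
  subnet_ids     = [var.lb_subnet_ocid]
  shape_details {
    minimum_bandwidth_in_mbps = 10
    maximum_bandwidth_in_mbps = 100
  }
}

# Backend set: plain HTTP to the VMs, with an HTTP health check.
resource "oci_load_balancer_backend_set" "web" {
  load_balancer_id = oci_load_balancer_load_balancer.lb.id
  name             = "web-backends"
  policy           = "ROUND_ROBIN"
  health_checker {
    protocol          = "HTTP"
    port              = 80
    url_path          = "/health" # assumed path served by the web servers
    return_code       = 200
    interval_ms       = 10000
    timeout_in_millis = 3000
    retries           = 3
  }
}

# One backend per web server VM inside the SDDC.
resource "oci_load_balancer_backend" "web" {
  for_each         = toset(var.web_server_ips)
  load_balancer_id = oci_load_balancer_load_balancer.lb.id
  backendset_name  = oci_load_balancer_backend_set.web.name
  ip_address       = each.value
  port             = 80
}

# HTTPS listener: TLS terminates here (SSL offloading) using the
# OCI Certificates-issued certificate; protocol "HTTP" is the L7 mode.
resource "oci_load_balancer_listener" "https" {
  load_balancer_id         = oci_load_balancer_load_balancer.lb.id
  name                     = "https-443"
  default_backend_set_name = oci_load_balancer_backend_set.web.name
  port                     = 443
  protocol                 = "HTTP"
  ssl_configuration {
    certificate_ids         = [oci_certificates_management_certificate.web.id]
    protocols               = ["TLSv1.2", "TLSv1.3"]
    cipher_suite_name       = "oci-default-tls-12-13-recommended-ssl-cipher-suite-v1" # assumed
    verify_peer_certificate = false # server-side offload only; no client certificates
  }
}
```

Because the listener references the certificate by OCID rather than by pasted PEM, the load balancer picks up renewed versions from OCI Certificates without a listener change. Clients must trust the private root CA (distribute its certificate to them), and the plaintext hop from the load balancer to port 80 on the VMs should be restricted to the load balancer's subnet as noted earlier.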

About Required Services

This solution requires the following services:

  • Oracle Cloud VMware Solution
  • OCI Load Balancing
  • OCI Certificates

These are the roles needed for each service.

Service Name                    Required to...
Oracle Cloud VMware Solution    Run workloads with VMware vSphere.
OCI Load Balancing              Load balance traffic.
OCI Certificates                Issue and manage certificates.

See Oracle Products, Solutions, and Services to get what you need.