When running Autonomous Databases (ADB) in Oracle Cloud Infrastructure (OCI), it’s crucial to prioritize security, even for development and test environments. Allowing unrestricted public access (0.0.0.0/0) is not a secure solution and should be avoided. To ensure that only trusted sources can access your databases, you can restrict access to specific IP addresses and Virtual Cloud Networks (VCNs).
To enhance security, I configured my ADB to allow access only from specified IP addresses and VCNs. This approach ensures that only authorized users can connect to the database. My next step was to add the public IP address of my workstation to the ADB’s access control rules, so I can securely manage the database from my current location.
While the OCI Console offers a user-friendly interface where you can easily add your public IP by clicking the “Add my IP address” button, I prefer using the OCI Command Line Interface (CLI) for making configuration changes. The CLI provides greater flexibility and can be automated, making it ideal for environments where your location or IP address might change frequently.
Below is a simple script that I run in my Windows Subsystem for Linux (WSL) environment (Oracle Linux 9) whenever my IP address changes. This script automatically updates the ADB’s access control rules with my new public IP, ensuring that I maintain secure access to the database.
The OCI Console way:
Just click the button and press Update; the IP address is added.
The OCI-CLI way
Get the Current Public IP address
There are several ways to obtain the current public IP address of your client machine on a Linux-based operating system. Here are a few methods you can use:
-- with dig
$ dig +short myip.opendns.com @resolver1.opendns.com
145.40.255.232
-- with curl
$ curl ifconfig.me
145.40.255.232
$ curl ident.me
145.40.255.232
Update the Autonomous Database ACL list by OCI-CLI
More about the update command is available here: https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.45.2/oci_cli_docs/cmdref/db/autonomous-database/update.html
oci db autonomous-database update --autonomous-database-id <your-adb-ocid> --whitelisted-ips '["145.40.255.232"]'
Check the notation carefully when you add more than one entry (IP address, CIDR block or VCN OCID); OCI recognizes the type of each entry automatically. Attention: any existing configuration is replaced!
oci db autonomous-database update --autonomous-database-id <your-adb-ocid> --whitelisted-ips '["ocid1.vcn.oc1.eu-frankfurt-1.amaaaaaasijhdmqamhyocrt6ktwc4oq5fv4mthwxkoy6ql7lfn7detcltkrq","192.168.100.0/28","172.16.20.31"]'
Verify the Change
All three values are added properly and the IP notation type is recognized: IP address, CIDR block or Virtual cloud network.
The Shell Script way
As a prerequisite, OCI-CLI must be configured and your user needs privileges to manage the Autonomous Database. Existing settings are reused and the newly detected public IP address is appended. If the IP is already in the access control list, nothing is changed. Set your ADB OCID properly.
#!/bin/bash
ADB_OCID="<your-adb-ocid>" # Replace with your ADB OCID

# Get the public IP of the terminal
myip="$(dig +short myip.opendns.com @resolver1.opendns.com)"

# Check if the IP retrieval was successful
if [ -z "$myip" ]; then
  echo "Failed to retrieve public IP. Exiting."
  exit 1
fi
echo "Public IP to be added: $myip"

# Get the current list of whitelisted IPs (the CLI prints "null" when no ACL is set)
current_ips=$(oci db autonomous-database get --autonomous-database-id "$ADB_OCID" --query "data.\"whitelisted-ips\"" --raw-output)

# If there are no existing whitelisted IPs, initialize the list
if [ "$current_ips" == "null" ] || [ -z "$current_ips" ]; then
  current_ips="[]"
fi

# Convert the current IPs from JSON array to Bash array (one entry per line, no word splitting)
mapfile -t current_ips_array < <(echo "$current_ips" | jq -r '.[]')

# Check if the IP is already in the whitelist.
# A glob match on the space-padded list is used instead of =~, because in a regex
# the dots of an IP address would match any character.
if [[ " ${current_ips_array[*]} " == *" ${myip} "* ]]; then
  echo "IP $myip is already in the whitelist. No update needed."
  exit 0
fi

# Add the new IP to the array
current_ips_array+=("$myip")

# Convert the Bash array back to a JSON array string
new_whitelist=$(printf '%s\n' "${current_ips_array[@]}" | jq -R . | jq -s .)
echo "New Whitelist: $new_whitelist"

# Update the ADB with the new whitelist (the update replaces the whole list,
# which is why the existing entries were merged above; the CLI asks for confirmation)
oci db autonomous-database update --autonomous-database-id "$ADB_OCID" --whitelisted-ips "$new_whitelist"
echo "Whitelist updated successfully with IP: $myip"
Run the script and confirm the execution:
./update_acl.sh
Public IP to be added: 145.40.123.456
New Whitelist: [
"172.16.20.31",
"ocid1.vcn.oc1.eu-frankfurt-1.amaaaaaasijhdmqamhyocrt6ktwc4oqabcdefghijklfn7detcltkrq",
"192.168.100.0/28",
"145.40.123.456"
]
WARNING: Updates to long-term-backup-schedule and freeform-tags and defined-tags and whitelisted-ips and standby-whitelisted-ips and nsg-ids and customer-contacts and resource-pool-summary and scheduled-operations and db-tools-details will replace any existing values. Are you sure you want to continue? [y/N]: y
... some CLI Output
... some CLI Output
... some CLI Output
Whitelist updated successfully with IP: 145.40.123.456
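The merge logic of the script above, reworked here in Python as an added example (not code from the original post), so the three entry notations OCI recognizes (IP address, CIDR block, VCN OCID) can be validated and a 0.0.0.0/0 entry refused before the list is handed to --whitelisted-ips. The function names and the VCN OCID pattern are assumptions of this example; the JSON in the tests is constructed sample data.

```python
import ipaddress
import json
import re

# Assumed shape of a VCN OCID as the CLI prints it: ocid1.vcn.oc1.<region>.<unique id>
VCN_OCID_RE = re.compile(r"^ocid1\.vcn\.oc1\.[a-z0-9-]+\.[a-z0-9]+$")


def classify(entry):
    """Return 'ip', 'cidr' or 'vcn' for one ACL entry; raise ValueError if it is unusable."""
    if VCN_OCID_RE.match(entry):
        return "vcn"
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=True)  # rejects host bits set, e.g. 10.0.0.1/28
        if net.prefixlen == 0:
            raise ValueError(f"{entry} allows every address; refusing to add it")
        return "cidr"
    ipaddress.ip_address(entry)  # raises ValueError on a malformed address
    return "ip"


def merge_whitelist(current_json, new_entry):
    """Merge new_entry into the ACL returned by 'oci db autonomous-database get'.

    Returns (json_for_whitelisted_ips, changed). The CLI prints 'null' when no
    ACL exists, so that case becomes an empty list. Existing entries are kept
    because the update command replaces the whole list.
    """
    classify(new_entry)  # validate before touching the list
    if current_json in (None, "", "null"):
        current = []
    else:
        current = json.loads(current_json)
    if not isinstance(current, list):
        raise ValueError("expected a JSON array of ACL entries")
    if new_entry in current:
        return json.dumps(current), False
    return json.dumps(current + [new_entry]), True


def audit_whitelist(current_json):
    """Return the entries of an existing ACL that classify() would refuse (e.g. 0.0.0.0/0)."""
    bad = []
    for entry in json.loads(current_json):
        try:
            classify(entry)
        except ValueError:
            bad.append(entry)
    return bad
```

Run audit_whitelist() over the output of the get command first to spot an existing 0.0.0.0/0 entry that the merge would otherwise silently preserve.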
Summary
Managing the access control list (ACL) for your Oracle Autonomous Database can be both simple and efficient when done with a shell script. By automating this process, you can quickly update your ACLs without the need for public access or insecure 0.0.0.0/0 entries.