Do you have a problem with a connection from or to your private/public subnet? There is a new functionality called VCN Flow Logs. It collects information about network traffic (source/target) in an Oracle Cloud Infrastructure VCN subnet. At the moment (05/03/2020), this functionality is not available in all regions and I did not find any command for it in the OCI CLI, but it will be rolled out. There is no documentation available at docs.cloud.oracle.com yet.
Link to the OCI blog announcement and demo: https://blogs.oracle.com/cloud-infrastructure/announcing-vcn-flow-logs-for-oracle-cloud-infrastructure
Limited Availability (LA)
I have registered our company tenant for the Cloud Native Limited Availability Program to get this brand new feature enabled. See here: https://blogs.oracle.com/cloud-infrastructure/announcing-limited-availability-of-oracle-cloud-infrastructure-logging-service
Use Case
A public compute instance with private IP 10.92.10.2 is no longer able to connect via SSH (port 22) to the private database server with IP 10.92.100.2 – the data center is Switzerland North (Zurich).
Create a new Log Group in your Compartment
Fill in name and description for the Log Group
The Log Group is created; next, click Enable Log
Enable Resource Log
Define the service and resource for VCN Flow Logs and enable logging. For the private subnet investigation I used:
- Service: Flow Logs
- Resource: My Private Subnet Name
Flow Log
The Flow Log is created; now we can explore the log. You can also disable logging or indexing, or edit the name.
Log Search
Basically you see all log entries; with Explore with Log Search we can add filters, for example for a source IP address or for log content text such as REJECTED.
Modify Filters & Columns
Now we add a filter to find REJECTED connections. Wildcards are allowed in search terms.
- Log Field: msg
- Value: *REJECT*
Apply.
Now we see the connections with state REJECT.
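As an added example (not code from the original post), the same REJECT triage can be done offline over exported flow log messages, so the rejected flows are grouped by source, destination and port and point at the security list rule that is missing. The space-separated field order of the msg string and the sample records below are assumptions constructed for illustration, not taken from the page.

```python
"""Triage of VCN Flow Log 'msg' strings (added example, not from the post).

The msg field is ASSUMED to be a space-separated v2 record in the order:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
from collections import Counter
from fnmatch import fnmatch
from typing import List, NamedTuple

PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers


class Flow(NamedTuple):
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str
    action: str


def parse_msg(msg: str) -> Flow:
    """Parse one flow log msg string into a Flow (assumed v2 field order)."""
    f = msg.split()
    if len(f) < 14:
        raise ValueError(f"unexpected flow record: {msg!r}")
    return Flow(f[3], f[4], int(f[5]), int(f[6]), PROTOCOLS.get(f[7], f[7]), f[12])


def rejected_flows(msgs: List[str], src_filter: str = "*") -> Counter:
    """Count REJECT records per (src, dst, dst_port, proto). Uses the same
    '*REJECT*' wildcard match as the Log Search filter, optionally narrowed to
    a source address pattern such as '10.92.10.*'."""
    hits: Counter = Counter()
    for m in msgs:
        if not fnmatch(m, "*REJECT*"):
            continue
        fl = parse_msg(m)
        if fnmatch(fl.src, src_filter):
            hits[(fl.src, fl.dst, fl.dst_port, fl.proto)] += 1
    return hits


# Constructed sample records: SSH from the public instance to the private DB
# server is rejected twice, a ping is rejected once, SQL*Net traffic is accepted.
SAMPLE_MSGS = [
    "2 ocid1.compartment.oc1..example ocid1.vnic.oc1..example 10.92.10.2 10.92.100.2 51822 22 6 3 180 1583391600 1583391660 REJECT OK",
    "2 ocid1.compartment.oc1..example ocid1.vnic.oc1..example 10.92.10.2 10.92.100.2 51823 22 6 3 180 1583391660 1583391720 REJECT OK",
    "2 ocid1.compartment.oc1..example ocid1.vnic.oc1..example 10.92.100.5 10.92.100.2 40000 1521 6 20 4096 1583391600 1583391660 ACCEPT OK",
    "2 ocid1.compartment.oc1..example ocid1.vnic.oc1..example 10.92.10.2 10.92.100.2 0 0 1 1 84 1583391600 1583391660 REJECT OK",
]

if __name__ == "__main__":
    for (src, dst, port, proto), n in rejected_flows(SAMPLE_MSGS, "10.92.10.*").most_common():
        print(f"{n:3d} x REJECT {src} -> {dst} {proto}/{port}")
```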
The solution – Add the IP to the Security List
There was a missing entry in the private subnet security list. After adding the source IP address range to the list, the connection works again. There are no more REJECT entries from this source IP address in the VCN Flow Logs.
Object Storage
Flow logs are stored in Object Storage too. The bucket is created automatically. Housekeeping of old log files can be configured with a Lifecycle Rule on the log bucket or done with the OCI CLI.
OCI Object Storage Lifecycle Rule
You can remove old log files by a lifecycle rule or by CLI. Take a look at the OCI documentation section Using Object Lifecycle Management to avoid permission errors when you create a lifecycle rule: you have to create a service permissions policy for Object Storage first.
Missing permissions error message:
Example Policy Statement to allow actions on object store:
Allow service objectstorage-eu-zurich-1 to {BUCKET_INSPECT, BUCKET_READ, OBJECT_INSPECT, OBJECT_CREATE, OBJECT_DELETE} in compartment Compartment_Trivadis_MOHNWEG
OCI CLI example command to remove old files, for example all objects whose names match the date pattern 2020-03-05T07 (7 AM on 05/03/2020). Quote the pattern so that the shell does not expand the wildcards against local file names:
oci os object bulk-delete -ns trivadisbdsxsp -bn oci-logs._flowlogs.ocid1.compartment.oc1..aaaaaaaayc5kgqshdb5g2mjg4bnt34htnybbho3hx2exkz5pzi6kt4kunhiq --include '*2020-03-05T07*'
OCI Command Line Interface starter page: https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm
What’s next
Try out the new logging feature for other OCI components like Functions, Event Service and Object Storage. And why not integrate the logs into your existing Splunk environment? There is a Splunk plugin for OCI Object Storage available. Take a look here: https://blogs.oracle.com/cloud-infrastructure/announcing-the-object-storage-plugin-for-splunk