Security

Oracle Cloud Infrastructure – A short Blog Post about a secure and small Development Setup

For an internal project I had the pleasure to setup a new Oracle Cloud Infrastructure environment for an APEX development team. Here is a short overview about the setup.

Requirements

  • VPN Access from everywhere – 2 people are working maximal at same time on the environment
  • Oracle Standard Edition 2 – no license available in project
  • Small monitoring to verify server stats
  • Instances can be started and stopped from the developers to save costs for example over night, weekend, holiday etc.

Architecture Diagram

Resource Network Usage Remarks
Open VPN Access Server Public Subnet VPN client access and traffic routing OCI Cloud Marketplace Image – OpenVPN Access Server (2 FREE VPN Connections) – OpenVPN Inc. – Oracle Cloud Marketplace
Management Server Private Subnet OCI-CLI, Monitoring Application server and database node start/stop with OCI-CLI, Grafana and Prometheus for monitoring
Application Server Private Subnet Tomcat ORDS, APEX
Database System Private Subnet OCI Database Standard Edition 2, Backup to Object Store enabled

Network Components

  • Regional private and public subnet
  • Security lists and network security groups
  • Private and public routing table
  • NAT gateway for regional private subnet

Monitoring

Grafana and Prometheus, running on the management server. The free shape VM.Standard.E2.1.Micro fits perfect for this small setup! The Prometheus node exporter runs on the database and the application server. I used this Grafana dashboard here: Prometheus Node Exporter Full dashboard for Grafana | Grafana Labs

Links

Next Steps

  • Adding Influx DB for persistence
  • Adding the Oracle database to Grafana monitoring
  • Optimizing shape size for the database server according usage

Other Ideas

  • Create a blueprint for internal developer environments
  • Automate the setup with Terraform and Ansible

Summary

Setting up this infrastructure in Oracle Cloud Infrastructure was fun. All developer requirements are fulfilled. Started with the Network and OpenVPN configuration – I really like their Marketplace instance – and the moved on to application and database server, step-by-step. There are many other ideas what we can do more based on this setup, the work will not run out. #ilike

Oracle Cloud Infrastructure Data Safe – How to burn down 201.44 Swiss Francs in 30 Seconds…

Is Data Safe really for free?

In the last autumn, the new Oracle Cloud Infrastructure feature called Data Safe was released. For sure, new features has to be tested. I have tested the Data Safe feature too and added a cloud database to Data Safe. But in my enthusiasm about this cool feature – or maybe it was just too late in the evening –  I did a mistake by adding the database target. Four days later, I recognized that Data Safe is charged in my account. Mmm, but should it not be for free? First reaction: I raised an SR and described the case. The nice guy from My Oracle Support realized the situation quickly:

Dear Mister Berger, you have used the wrong target type when adding the Oracle Cloud Infrastructure database as a new Data Safe target.

From the Service Request:

  • B91632 – Oracle Cloud Infrastructure – Data Safe for Database Cloud Service – Each (Includes 1 million audit records per target per month) – Free
  • B91631 – Oracle Cloud Infrastructure – Data Safe for Database Cloud Service – Audit Record Collection Over 1 Million Records (over 1 million audit records per target per month) – 0.0800 / 10,000 Audit Records Per Target Per Month
  • B92733 – Oracle Cloud Infrastructure – Data Safe for On-Premises Databases – Target Database Per Month – 200.00 Target Database Per Month + Includes 1 million audit records per target per month (pre-requisite under B91632)

Indeed, indeed. According My Oracle Support I have used the wrong target type. Instead Oracle Cloud Database, I used Oracle Database on Compute. And did not realized, the mistake and ignored the text below to the dropdown box. Shame on me 😉 –  here is the small, but important difference:

So far so good, the mistake was recognized. I deleted the target and added it from scratch with the correct target type. But this didn’t help, the charging went on.

Oracle Cloud Infrastructure Price List

Adding an other target type than Oracle Cloud Database is charged on monthly fee base as described here: Cloud Price List | Oracle

Cost and Usage Report

In the detailed  cost and usage report, the target is marked as deleted (suffix DELETED + deletion date), and charged.

All you can do is getting angry about that mistake and wait. After a month, the money was burned down, and there were no more Oracle Cloud Infrastructure Data Safe costs charged. As you can see, there are 201.44 CHF charged for a month.

I don’t know what Oracle has for a currency converter, but actual 200 USD are less that 180 CHF 😉

Lessons learned

Pity about the beautiful money – and for my next test run: RTFM.

Let’s IPSec VPN – How to connect your Unifi Security Gateway to Oracle Cloud Infrastructure

When I connect from home to the Oracle Cloud Infrastructure normally I used a Bastion Host, an Open VPN compute instance or Public IPs.  Some of the cool stuff like MV2OCI (which transfers data from on-premises to OCI) or integration of an ADB instance in my local running Oracle Enterprise Manager are referred to direct cloud connections. A SSH reverse tunnel works fine, but this cannot be a permanent solution for my lab environment.

At home I have an Unifi Security Gateway (USG) up an running at home. This gateway has the capability, to create site-to-site VPN connections. Good: The Oracle Cloud Infrastruicture VPN service is for free, and I don’t expect over 10 TB outbound traffic. Time to create a VPN setup from home to OCI. Take care about the USG, it needs a “direct” internet contact, this is why my FTTH modem is configured in bridge mode on port 4. Small hint: If your modem is not bridged, ask your internet provider. Here in Switzerland, almost all internet providers support this function.

Architecture

Click on the image for a larger view.

Prerequisites

  • Unifi Security Gateway Public IP – visible in the USG web interface or on webpage (search term: what’s my IP)
  • Oracle Cloud Infrastructure network setup according the setup guide
  • Knowledge about IPSec details which are used by OCI and as described in the setup guide: Key Exchange Version (IKEv1), Encryption (AES-256), Hash (SHA-1), DH Group (5)
  • VCN and local network ranges
  • The IPSec endpoint IP addresses and the secrets

Oracle Cloud Infrastructure IPSec Setup

My Oracle Cloud infrastructure network is configured 1:1 as described in the manual Setting Up VPN Connect: https://docs.cloud.oracle.com/en-en/iaas/Content/Network/Tasks/settingupIPsec.htm. Here in the IPSec connection you can see the endpoint IPs, the IPSec status is actually shown as down. The secrets are provided in the detail view.

Unifi Security Gateway Setup

Here you find the details of the USG site-to-site configuration: https://help.ui.com/hc/en-us/articles/360002668854#3. Create a new network in Settings – Networks.

Oracle Cloud Infrastructure Settings

VPN Type Manual IPsec
Enabled Checkbox activated
Route Distance 30
Peer IP OCI VPN endpoint IP
Local WAN IP Local public address of the USG
Pre-Shared Key OCI IPsec tunnel secret
IPsec Profile Customized
Key Exchange Version IKEv1
Encryption AES-256
Hash SHA1
DG Group 5
PFS Checkbox activated
Dynamic Routing Checkbox activated

 

Network Configuration

Oracle Cloud Infrastructure IPSec Status Update

After about two minutes, the OCI tunnel status turns into green. The VPN tunnel is now ready to use.

Unifi Security Gateway Routing

To be sure that local connections to instances running in the Oracle Cloud Infrastructure private subnet are working properly, we need a routing entry in the USG. Create a new routing entry in Settings – Routing & Firewall.

Routing Settings

Enabled Checkbox activated
Type Bullet activated
Destination Network CIDR of the OCI VCN network / subnet
Local WAN IP Local public address of the USG
Static Route Type: Interface
Interface Select interface created above, in my case OCI – Tunnel 1

 

Connection Verification

For testing purposes, I have created a compute instance in the OCI private subnet with IP 172.16.0.2, no public access – works!

A quick Bandwith Test

I am using iperf for this small test between my Windows client and the OCI compute instance. It’s not for production, just for the feeling. 68.7 Mbits/sec 🙂

Troubleshooting in USG

The connection can be verified when logged in as administrator in the Unifi Security Gateway as user ubnt / admin. Link to the documentation: https://help.ui.com/hc/en-us/articles/360002668854-UniFi-UDM-USG-Verifying-and-Troubleshooting-IPsec-VPNs

Show the current VPN configuration

Follow the Logfile

Troubleshooting in Oracle Cloud Infrastructure

There is a small document available to verify the basic configuration, maybe in future some log access will be provided. In a past project where we had VPN connection issues with a Fortigate firewall, I had a good experience with the guys from My Oracle Support.

Link: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Troubleshoot/ipsectroubleshoot.htm

Summary

Finally I have a stable VPN connection to Oracle Cloud Infrastructure for free. If all requirements are met, the configuration can be done in a few minutes. Next steps: Activation of the second tunnel to get VPN redundancy, enable notifications when a IPsec tunnel is down and some other Oracle Enterprise Manager 13c monitoring stuff. The weather conditions in Switzerland are bad for the next days, so there is enough time in the evenings to do further research.

#freedom #network #together #doer #curiosity

Oracle Cloud Infrastructure – Security first: Cloud Guard and Security Zones – a first View

Two new Oracle Cloud Infrastructure Cloud Security Services

Good news: Oracle has provided two new services for cloud security. Cloud Guard to get an overview of existing possible security breaches and Security Zones, which allows to create a full restricted compartment.  In this blog, I will give you a short overview about this brand new services.

Cloud Guard

The Cloud Guard service helps you to identify security issues in your tenancy. Before the first use, it has to be enabled and a base region and for a minimum one compartment has to be selected. It needs a new policy which Cloud Guard allows to gather information in your tenancy. Oracle Cloud Guard discovers available object in compartments like Compute Instances, Object Storage and many more and checks Oracle Cloud Infrastructure security best practices.

Link to documentation: https://docs.cloud.oracle.com/en-us/iaas/cloud-guard/using/index.htm

Enable Cloud Guard first

Based on recipes, it show you security recommendations for the findings and can execute corrective actions. There are two different receipes types available:

  • Oracle Managed Detector Recipe – provided by Cloud Guard, doesn’t allow to disable rules
  • User Managed Detector Recipe – a clone of an Oracle managed recipe, allows to disable individual rules

Examples for recipes – docs.cloud.oracle.com

  Oracle Managed Recipe User Managed Recipe
Rule Status Risk Level Status Risk Level
Bucket is public ENABLED HIGH DISABLED HIGH
Instance has public IP address ENABLED CRITICAL ENABLED HIGH
VCN has no inbound Security List ENABLED MEDIUM DISABLED MEDIUM

 

Based on detected findings, Cloud Guard is able to to corrective actions. This feature called Responder Rules requires a policy. Problems can be fixed on three ways:

  • Remediated – Fix using Cloud Guard responder
  • Resolved – Fixed by other process
  • Dismissed – Ignore and close

Example for a Cloud Guard Responder Action

Example – Cloud Guard has detected a Public IP 

Cloud Guard Dashboard

The dashboard gives you an overview of the findings and actions. There are direct links to the findings and recommendations. Ok, It looks I have to review my test compartment 😉

Security Zones

A security zone is associated on a compartment and a security zone recipe. For example when in the recipe is defined, users cannot create an Internet Gateway in a defined compartement, an error message occurs when he tries to create one.

Link to documentation: https://docs.cloud.oracle.com/en-us/iaas/security-zone/using/security-zones.htm

Create a new Security Zone

Recipes

There are some basic rules in the Oracle defined recipe (at the moment you can not create a customer based recipe) – for example:

  • Resources can’t be moved out from a security zone to a regular compartment
  • Resources are not accessible by Internet
  • Resources must be regularly backed up

 

Test – Create an Internet Gateway in the new created Security Zone

A violation message occurs, the security zone recipe doesn’t allow creating Internet Gateways.

Summary

I really like these two new services. Cloud Guard which helps me to identify possible security issues and Security Zones to create secure compartments without writing manual policies. This is only a short overview, in next days I will definitely take a deeper look, especially in Cloud Guard and the corrective actions. I have a great interest to find out how it works in the background for example when a public IP is detected and so on. The Oracle Cloud Infrastructure security is definitely on track!