Introduction
 

Fusion Cloud Applications supports various network patterns, as illustrated in MOS Note – Network Connectivity Patterns for Oracle Fusion Cloud Applications (Doc ID 3060221.1).

As part of the requirement to restrict Fusion Cloud Applications from public internet access, this blog series addresses the different scenarios in which that can be done. In the first part of the series, we demonstrate how to restrict a Fusion Cloud application from the public internet and allow access to OCI resources using a VCN.

Use case – The customer wants to block public access to the Fusion application but allow it to be accessed by OCI resources, e.g., for extension/integration use cases such as VBCS applications and OIC integrations.

Additional access to Customer On-prem Network can be provided using Service gateways.

Details
 

Below are the prerequisites for the configuration steps –

  • OCI tenancy where Fusion Cloud Application is hosted
  • IAM credentials with permissions to create and manage network resources.
  • Access to the OCI Console or OCI CLI (depending on how you want to create the VCN).
  • Ensure you have a compartment created to logically organize your VCN resources.        


[Figure: High-level architecture diagram]

 

We will cover this in three parts –

                                                                                                           

Part 1: OCI Configuration
 

Create a network to allow access to OCI resources. Below are the high-level steps –

  1. Configure OCI VCN – Building block of your network
  2. Create Subnets – To host the test VM.
  3. Configure Internet gateway – To allow internet access to the VM
  4. Update the Route Table of public subnet – Enable access to internet from our subnet
  5. Configure security rule – Enable access to the subnet from internet
  6. Configure service gateway – To access the Fusion application privately.
  7. Configure route in routing table – Create network access rules
  8. Create & Configure VM – To check the connectivity to Fusion App

 

Step 1: Configure OCI VCN

  • Navigate to the Networking section:
  • Open the navigation menu in the upper left.
  • Go to Networking > Virtual Cloud Networks.
  • Create VCN (manual, more flexible).
  • Fill in the VCN details:
  • Name: e.g., VCNForFusion
  • Compartment: Select the appropriate one.
  • CIDR Block: e.g., 10.2.0.0/16

 

Step 2: Create Subnets:

  • Once the VCN is created, create subnets:
  • Subnet Name: e.g., Public-Subnet
  • Subnet Type: Regional (recommended)
  • CIDR Block: e.g., 10.2.1.0/24
  • Route Table & Security List: Use default or create custom.
  • Public Subnet: Enable public IP assignment.



Step 3: Configure Internet gateway.

  • Open “Internet Gateways” under Resources.
  • Click “Create Internet Gateway”.
  • Fill in the details:
  • Name: FusionGCP
  • Compartment: Select the correct one


 

Step 4: Update the Route Table of your public subnet

Add a route rule:

  • Go to the “Default Route Table for VCNforFusion”.
  • Click “Add route rules”.
  • Target Type: Internet Gateway
  • Destination CIDR Block: 0.0.0.0/0
  • Target: Select the Internet Gateway we created.



Step 5: Configure security rule

We need this rule to access the VM configured in the subnet.

  • Click the “Default Security List for VCNforFusion”.
  • Click “Add Ingress Rules”.
  • Source type: CIDR
  • Source CIDR: 0.0.0.0/0
  • IP Protocol: RDP (TCP/3389)

Click “Add Ingress Rules” to save the rule.



Step 6: Configure service gateway

  • Go to Networking > Virtual Cloud Networks.
  • Click on your VCN.
  • Under Resources, click Service Gateways > Create Service Gateway.
  • Name: My-Service-Gateway
  • Compartment: Choose appropriate compartment.
  • Select “All IAD services in oracle service network”
  • Create service gateway.


Step 7: Configure route in routing table

  • Go to the “Default Route Table for VCNforFusion”.
  • Click “Add route rules”.
  • Target Type: Service Gateway
  • Destination Services: “All IAD Services in Oracle service Network”
  • Target service gateway: Select the service gateway we created.
  • Create route rules.


Step 8: Create & Configure VM

  • Go to Compute instances and click “Create instance”.
  • Provide a name for the VM.
  • Select the correct compartment.
  • Select the operating system, e.g., Windows Server 2016 Standard.
  • Select a shape for the VM.
  • Select the VCN we configured earlier.
  • Select the public subnet.
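The ingress rule from Step 5 admits RDP from 0.0.0.0/0 to the public subnet that hosts this test VM. The following added example (not part of the original post) is a check that lists security-list ingress rules admitting SSH or RDP from any source; the sample JSON is constructed, and its kebab-case field names follow the shape printed by `oci network security-list get`, which is an assumption to confirm against your own output.

```python
import ipaddress
import json

# Constructed sample, shaped like the kebab-case JSON printed by
# `oci network security-list get`; the field names are an assumption
# to confirm against your own CLI output.
SAMPLE = json.loads("""
{"data": {"ingress-security-rules": [
  {"protocol": "6", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
   "tcp-options": {"destination-port-range": {"min": 3389, "max": 3389}}},
  {"protocol": "6", "source": "10.2.0.0/16", "source-type": "CIDR_BLOCK",
   "tcp-options": {"destination-port-range": {"min": 3389, "max": 3389}}},
  {"protocol": "6", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
   "tcp-options": null},
  {"protocol": "1", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
   "icmp-options": {"type": 3, "code": 4}}
]}}""")

MGMT_PORTS = {22: "SSH", 3389: "RDP"}  # management ports this audit reports
TCP, ALL = "6", "all"                  # protocol values as used in the rule JSON

def is_any_source(rule):
    """True when the source is a CIDR covering all of IPv4 or IPv6."""
    if rule.get("source-type") != "CIDR_BLOCK":
        return False
    return ipaddress.ip_network(rule["source"], strict=False).prefixlen == 0

def exposed_ports(rule):
    """Management ports a rule admits; no port range means every port."""
    if rule.get("protocol") not in (TCP, ALL):
        return []
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    if rng is None:
        return sorted(MGMT_PORTS)
    return [p for p in sorted(MGMT_PORTS) if rng["min"] <= p <= rng["max"]]

def audit(security_list):
    """Return (rule_index, source, service) for world-open management ports."""
    findings = []
    for i, rule in enumerate(security_list["data"]["ingress-security-rules"]):
        if is_any_source(rule):
            findings += [(i, rule["source"], MGMT_PORTS[p]) for p in exposed_ports(rule)]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Narrowing a flagged rule's source to the CIDR you actually connect from removes the finding.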


 

Part 2: Configurations in Fusion Applications environment network settings
 

Apply VCN & Restrict public access to Fusion
You need Fusion Applications Environment Administrator access to perform these operations.

https://docs.oracle.com/en-us/iaas/Content/applications-manager/manage-access.htm

  • Go to Fusion Applications in OCI >> Applications >> My Applications.
  • Select the Fusion POD to which you want to apply network rules.
  • Go to the Networking section on the left-hand side.
  • Disable Content Acceleration.
  • This will take some time, and the lifecycle state will change to Update. Please wait until it is Active again.
  • Create a network rule.
  • Select the OCI VCN that you configured in Part 1.
  • Apply. The lifecycle state will change to Update again and then become Active.



Part 3: Addition of Service Gateway routing configuration  
 

Enable access from Customer On-prem Network

Step 1: Configure new route table in VCN

  • Go to Networking > Virtual Cloud Networks.
  • Click on your VCN.
  • Under Resources, click Route Tables.
  • Name: e.g., SGRoutetable

Click Create Route Table.

 

Step 2: Add route in the route table.

  • Go to the “Default Route Table for SGRoutetable”.
  • Click “Add route rules”.
  • Target Type: Dynamic Routing Gateway
  • Destination CIDR Block: on-prem prefix
  • Target: Select the DRG.
  • Create the route rule.


Step 3: Attach new route table to service gateway

  • Click the service gateway.
  • Click Edit and go to “Associate route table”.

Select “SGRoutetable” and click “Associate route table”.


Summing up – Testing Fusion Connectivity
 

1. Connectivity from OCI VCN to Fusion application.

 

2. Connectivity from on-prem VM to Fusion Application.


 

Conclusion


We hope that with this blog you will be able to restrict public access to Fusion Cloud Applications, access OCI resources for extension use cases, and connect from your on-prem network.

Stay tuned for the next part of the series, where we will demonstrate use cases for accessing Fusion privately from on-premises networks using FastConnect.

 

Check out our latest blog on how to restrict public internet access to Oracle Fusion Cloud Applications using FastConnect private peering and Equinix Fabric here.

 

References
 

  1. Securely Accessing Fusion Applications
     https://docs.oracle.com/en-us/iaas/Content/fusion-applications/network-setup.htm

  2. Site-to-Site VPN between your on-premises network and virtual cloud network
     https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPsec.htm

  3. Connect Oracle Cloud Infrastructure resources to GCP
     https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/vpn_to_gcp.htm

  4. Network connectivity patterns for Oracle Cloud HCM and ERP applications on OCI
     https://www.ateam-oracle.com/post/network-connectivity-patterns-for-oracle-cloud-hcm-and-erp-applications-on-oci

  5. Extending Oracle Fusion SaaS with OCI: Network Consideration
     https://www.ateam-oracle.com/post/extending-oracle-fusion-saas-with-oci-network-considerations