Selective access to SaaS services using OCI Network Firewall

May 10, 2023 | 4 minute read
Aditya Kulkarni
Cloud Solution Technologist, Networking

Introduction:

OCI Network Firewall offers several useful capabilities, including URL filtering, which lets customers configure granular security access policies. Many OCI customers want to allow access only to selected services within the Oracle Services Network (OSN).

In this blog, we will demonstrate how to use the URL filtering feature of OCI Network Firewall to selectively access SaaS Services.


Problem Statement:

At the time of writing this blog, the Service Gateway supports only two types of service CIDR labels:

  1. Object Storage
  2. All services in the Oracle Services network

As you can see, there is no way for customers to distinguish between individual PaaS or SaaS services when adding route rules on OCI, so route rules cannot be used to configure granular access.

Additionally, PaaS/SaaS users rely on the URLs of these services, since Oracle can change the IP addresses of services in the OSN without notice. Security Lists and Network Security Groups cannot perform URL filtering, so customers have to allow 0.0.0.0/0 in their egress security rules to account for the dynamic IPs.


Solution:

We will use the URL filtering capability of OCI Network Firewall along with Intra-VCN routing and gateway ingress routing.

Network Setup

We will have the following configuration:

  • The Network Firewall is placed in a separate subnet.
  • Service Gateway is configured for All services in OSN.
  • Provision Fusion SaaS and OIC for demonstration purposes.
  • Route tables are configured as follows:
      • Client Subnet: Routing 0.0.0.0/0 to the Network Firewall private IP
      • Firewall Subnet: Routing All services in OSN to the Service Gateway
      • Service Gateway: Routing 10.0.0.0/24 to the Network Firewall private IP

To create a Network Firewall policy, go to Identity and Security → Firewalls → Network Firewall Policies and create a new one.

After adding basic information,

  • Add all the SaaS URLs required to access your SaaS application to the URL list.
  • Add protocol TCP and port 443 to the application list.
  • Add the CIDR block of the private subnet where your resources are to the IP Address List. If you want to be more granular, you can also add individual virtual machine IP addresses with /32 notation.
  • In rules, add a security rule that explicitly allows the private subnet’s CIDR block if and only if the URL matches that of the SaaS service.

Hit Create. Your policy configuration should look like this:

Network Policy Configuration
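As an added illustration (not OCI's own code and not part of the original post), the following Python model evaluates the policy just described: a flow is allowed only when the source is in the IP Address List, the destination port is in the application list, and the requested host matches a URL-list pattern; anything else falls through to drop. The CIDRs, host names and flows are constructed placeholders, and the wildcard semantics are this model's assumption, not a statement of how the product matches URLs.

```python
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


@dataclass
class SecurityRule:
    """One security rule: all three conditions must hold for ACTION to apply."""
    source_cidrs: list[str]   # IP Address List (subnet CIDR or /32 hosts)
    tcp_ports: set[int]       # Application List (TCP ports)
    url_patterns: list[str]   # URL List; '*' is a wildcard in this model
    action: str = "ALLOW"

    def matches(self, src_ip: str, dst_port: int, host: str) -> bool:
        src_ok = any(ip_address(src_ip) in ip_network(c) for c in self.source_cidrs)
        app_ok = dst_port in self.tcp_ports
        url_ok = any(fnmatchcase(host.lower(), p.lower()) for p in self.url_patterns)
        return src_ok and app_ok and url_ok


def evaluate(rules: list[SecurityRule], src_ip: str, dst_port: int, host: str) -> str:
    """First matching rule wins; no match falls through to an implicit DROP."""
    for rule in rules:
        if rule.matches(src_ip, dst_port, host):
            return rule.action
    return "DROP"


# Constructed policy mirroring the blog: client subnet 10.0.0.0/24, TCP/443,
# and a placeholder SaaS domain. The OIC host is deliberately not listed.
POLICY = [SecurityRule(["10.0.0.0/24"], {443}, ["*.saas.example.com"])]

# Constructed flows (src_ip, dst_port, SNI/Host header) as seen at the firewall.
FLOWS = [
    ("10.0.0.5", 443, "myapp.saas.example.com"),  # SaaS from the client subnet
    ("10.0.0.5", 443, "oic.osn.example.com"),     # OIC: also in OSN, but not listed
    ("10.0.1.7", 443, "myapp.saas.example.com"),  # SaaS, but not from the client subnet
    ("10.0.0.5", 80, "myapp.saas.example.com"),   # allowed host, wrong port
]


def decisions(rules=POLICY, flows=FLOWS) -> dict[tuple[str, int, str], str]:
    """Verdict for every flow, keyed by the flow tuple."""
    return {flow: evaluate(rules, *flow) for flow in flows}


if __name__ == "__main__":
    for (src, port, host), verdict in decisions().items():
        print(f"{src:>10} -> {host}:{port}  {verdict}")
```

Only the first flow is allowed; the OIC flow is dropped even though OIC sits in the same OSN and is reachable through the same Service Gateway, which is exactly the distinction route rules cannot make.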

Now, the next step is to create the Network Firewall.

To create the Network Firewall, go to Identity and Security → Firewalls → Network Firewalls and create a new one.

Enter all the appropriate details, such as the VCN and subnet, and select the network firewall policy we created previously.

Network Firewall configuration should look like this:

Network Firewall


Verification:

For testing, I have deployed an OIC instance, which is also part of the OSN, alongside the SaaS service.

Accessing the SaaS instance from the client VM:

SaaS Access

Let’s see if we can log in and navigate to all the pages within the application.

SaaS Page Access

Accessing OIC instance from the client VM:

OIC Access

As expected, we can access all the pages of the SaaS application but not the OIC instance from the client VM.


Conclusion:

In this blog, we successfully implemented selective access to the SaaS service. You can follow this blog to implement a similar design for any of the services within OSN, such as Autonomous DB and Oracle Analytics Cloud.

View the companion video for this blog here:
