OCI Network Firewall offers several useful capabilities, including URL filtering, which lets customers write granular access policies. Many OCI customers want to reach only selected services within the Oracle Services Network (OSN) from their VCN.
In this blog, we demonstrate how to use the URL filtering feature of OCI Network Firewall to allow access to selected SaaS services and nothing else in OSN.
At the time of writing this blog, the Service Gateway supports only two service CIDR labels: the Object Storage service for the region, and all services in the Oracle Services Network for the region.
Neither label distinguishes between individual PaaS or SaaS services, so route rules on OCI cannot express which OSN services a subnet may reach; route rules alone cannot provide granular access.
Additionally, PaaS/SaaS users rely on the URLs of these services, because Oracle can change the IP addresses behind them in OSN without notice. Security lists and network security groups cannot filter on URLs, so customers end up allowing 0.0.0.0/0 in their egress security rules to cover the dynamic IP ranges, which permits every OSN service.
We will use the URL filtering capability of OCI Network Firewall together with intra-VCN routing and gateway ingress routing: a route rule on the client subnet sends OSN-bound traffic to the firewall's private IP, and a route table attached to the Service Gateway sends the return traffic back through the firewall, so both directions of every flow are inspected and the policy decides which URLs are reachable.
We will have the following configuration:
To create a Network Firewall policy, go to Identity and Security → Firewalls → Network Firewall Policies and create a new one.
After adding the basic information, add a URL list containing the SaaS service's URL(s) and a security rule that allows traffic matching that list. Anything not matched by an allow rule is dropped by the firewall, which is what makes the access selective.
Hit Create. Your policy configuration should look like this:
The next step is to create the Network Firewall.
To create the Network Firewall, go to Identity and Security → Firewalls → Network Firewalls and create a new one.
Enter the appropriate details, such as the VCN and subnet, and select the network firewall policy created previously.
Network Firewall configuration should look like this:
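To make the policy concrete, here is an added example (not code from the original post or from Oracle) that builds the URL list and allow rule described above as JSON-style payloads and then evaluates sample requests against them. The hostnames are constructed placeholders, and the payload field names (SIMPLE patterns, a rule condition that references a URL list by name) are an assumption modelled on the shape the OCI CLI and SDK accept; verify them against the current OCI Network Firewall API reference before use. The `evaluate()` function is a simplified allow-list model with implicit deny, not OCI's matching engine, but it captures the point that matters: only the SaaS hostnames are allowed, and everything else in OSN is dropped.

```python
"""Added example: URL-filtering allow-list for one SaaS service in OSN."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed placeholder hostnames, not real tenancy URLs.
SAAS_HOST = "acme-saas.example-oraclecloud.test"
OIC_HOST = "acme-oic.example-oraclecloud.test"


def build_url_list(name, patterns):
    """URL list payload: one SIMPLE pattern per entry ('*' wildcards allowed).
    Field names are an assumption based on the OCI Network Firewall API."""
    return {"name": name, "urls": [{"type": "SIMPLE", "pattern": p} for p in patterns]}


def build_allow_rule(name, url_list_name):
    """Security rule that allows traffic whose URL matches the named list.
    Everything not matched by an ALLOW rule falls through to the implicit
    drop, which is what gives us selective access."""
    return {"name": name, "action": "ALLOW", "condition": {"url": [url_list_name]}}


def build_policy(patterns=None):
    """Policy with a single URL list and a single ALLOW rule.
    By default the list covers the SaaS host and its subdomains; note that
    the bare host and '*.host' are separate patterns."""
    if patterns is None:
        patterns = [SAAS_HOST, f"*.{SAAS_HOST}"]
    url_list = build_url_list("saas-urls", patterns)
    return {
        "displayName": "saas-only-policy",
        "urlLists": [url_list],
        "securityRules": [build_allow_rule("allow-saas", url_list["name"])],
    }


def _pattern_matches(pattern, host, path, decrypted):
    """Match one SIMPLE pattern of the form 'host' or 'host/path'.
    A pattern that includes a path can only be checked when the firewall
    can see the path, i.e. when TLS is decrypted; without decryption only
    the hostname (taken from the TLS SNI) is visible, so such a pattern
    cannot match and the request falls through to the default drop."""
    pat_host, sep, pat_path = pattern.partition("/")
    if not fnmatchcase(host, pat_host.lower()):
        return False
    if not sep:          # host-only pattern: any path is fine
        return True
    if not decrypted:    # path pattern but the path is invisible
        return False
    return fnmatchcase(path, "/" + pat_path)


def evaluate(policy, url, decrypted=False):
    """Walk the security rules in order and return the action of the first
    rule whose URL list matches; if nothing matches, return "DROP" (the
    implicit default that keeps the rest of OSN unreachable)."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    url_lists = {ul["name"]: ul["urls"] for ul in policy["urlLists"]}
    for rule in policy["securityRules"]:
        for list_name in rule["condition"].get("url", []):
            for entry in url_lists[list_name]:
                if _pattern_matches(entry["pattern"], host, path, decrypted):
                    return rule["action"]
    return "DROP"


if __name__ == "__main__":
    policy = build_policy()
    for target in (f"https://{SAAS_HOST}/login",
                   f"https://portal.{SAAS_HOST}/",
                   f"https://{OIC_HOST}/ic/home"):
        print(f"{target:60s} -> {evaluate(policy, target)}")
```

Two points the model makes visible: the list has to name every hostname the application actually uses (the bare host and `*.host` are different patterns, and a login redirect to another hostname will be dropped), and for HTTPS the firewall matches on the hostname it sees in the SNI unless decryption is configured, so patterns that include a path give no protection on encrypted traffic.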
For testing, I have also deployed an OIC instance, which is part of the OSN as well, in addition to the SaaS service. Only the SaaS URL is in the policy's URL list.
Accessing the SaaS instance from the client VM:
Let's see whether we can log in and navigate to all the pages within the application.
Accessing OIC instance from the client VM:
As expected, we can access all pages of the SaaS application from the client VM, but not the OIC instance, even though both sit behind the same Service Gateway in OSN.
In this blog, we implemented selective access to a SaaS service. You can follow the same design to restrict access to other services within OSN, such as Autonomous Database and Oracle Analytics Cloud, by adding only their URLs to the policy's URL list.
View the companion video for this blog here: