* This blog was last tested on Oracle Identity Cloud Service 21.2.2-2105182223 by Jay Pearson (Oracle A-Team) *
Customers may want to restrict access to their Oracle Cloud Services to a set of IP ranges, for instance to only allow connections coming from their corporate office. That type of restriction is not possible within Oracle Analytics Cloud itself, but it possible to set up using the Identity Cloud Service. This functionality requires the 'Foundation' level for Identity Cloud Service. For more information on the tiers for IDCS, see this document.
With this method, we can restrict access at the individual instance.
This article will walk through the steps to lock down an Oracle Analytics Cloud instance to a single IP, meaning only connections coming from that IP, will be allowed access. While this article is intended for an OAC audience, the same concepts could be used to lock down any cloud instance. The 2 steps involved are:
1. Configuring a Network Perimeter, which is where the IP address(s) or Ranges that are allowed to connect, are defined
2. Create a Sign-On Policy, where the rule(s), and cloud applications, or instances, that should be restricted, are configured.
Configuring the network perimeter, requires administrative rights within Identify Cloud Service, typically given to identity domain administrators, security administrators, and application administrators
1. Within the Identity Cloud Service console, select 'Security' and then 'Network Perimeters'
2. 'Add' a new perimeter, and give it a name. Once the list of IP addresses is complete, hit 'Save'
Note, in this example, we are restricting to a single IP address, but it is possible to add multiple IP addresses (separated by commas), a range of IPs (example, 10.1.1.1 - 10.1.1.255), or a masked range (example, 10.11.12.18/24)
It is also possible to set up multiple perimeters, and then assign them in different rules.
For more information on the network perimeter, see this document.
For additional information on using APIs to update the network perimeter rules, see this article. In that way, the rule could be programmatically updated to allow for IP changes.
1. Within the Identity Cloud Console, select 'Security' and then 'Sign-On Policies', then select 'Add' to create a new policy.
2. Give the Policy a name, and then hit the forward arrow.
3. In the next screen, select 'Add' to create a new rule. Give it a name, and then create the rule. In this case we are simply restricting access by the option 'in one of more of these network perimeters', and then selecting the network perimeter set up in the previous step Make sure the 'Access' is set to 'Allowed'.
For additional security, you can also select 'Prompt for reauthentication', then hit 'Save'
While in this example, we are using a very simplistic rule, it is possible to make them more granular. For instance, you could additionally restrict by user groups. You could create a rule that prevents OAC application users from accessing the environment from outside the network perimeter, but at the same time allowing administrative group users to do just that.
Notice also, that in addition to the concept of only allowing access from a set of IPs (white-listing) you can also 'Deny' access to certain IPs, so have the concept of black-listing.
For more information on the network setting up sign-on rules, see this document.
4. Click the 'Forward' button to move to the next screen
5. The final screen is where you can set which application instances to restrict. Select the 'Assign Apps' option, and then select which instances, will be restricted by this rule.
In this environment we have 2 Oracle Managed OAC instances, one called 'OACBINew' and one called 'OACEss'. We will restrict access just to the OACBINew instance, although you could select the other one too if you wanted to restrict both.
Once the selection is complete, hit 'OK'.
6. On the final screen, hit 'Finish'
7. You may notice that the 'Save' button isn't available, but that's okay. The policy has been created, although it has not yet been activated.. Select the 'Sign-On-Policies' link as shown.
8. Then, using the menu for the newly created policy, select 'Activate'
Now only the IP(s) in the network perimeter can access that OAC instance. Any user outside of the network perimeter, attempting to connect to the instance will receive the following error in their browser.
This article walked through the steps to restrict access to an Oracle Analytics Cloud instance to an IP range, configured via the Identity Cloud Service network perimeter and sign-on policies.