* This blog was last tested on Oracle Identity Cloud Service 21.2.2-2105182223 by Jay Pearson (Oracle A-Team) *

For other A-Team articles by Richard, click here

Introduction

Customers may want to restrict access to their Oracle Cloud Services to a set of IP ranges, for instance to only allow connections coming from their corporate office.  That type of restriction is not possible within Oracle Analytics Cloud itself, but it possible to set up using the Identity Cloud Service.  This functionality requires the 'Foundation' level for Identity Cloud Service.  For more information on the tiers for IDCS, see this document.

With this method, we can restrict access at the individual instance.

This article will walk through the steps to lock down an Oracle Analytics Cloud instance to a single IP, meaning only connections coming from that IP, will be allowed access.  While this article is intended for an OAC audience, the same concepts could be used to lock down any cloud instance.  The 2 steps involved are:

1. Configuring a Network Perimeter, which is where the IP address(s) or Ranges that are allowed to connect, are defined

2. Create a Sign-On Policy, where the rule(s), and cloud applications, or instances, that should be restricted, are configured.

Configure Network Perimeter

Configuring the network perimeter, requires administrative rights within Identify Cloud Service, typically given to identity domain administrators, security administrators, and application administrators

1. Within the Identity Cloud Service console, select 'Security' and then 'Network Perimeters'

2. 'Add' a new perimeter, and give it a name. Once the list of IP addresses is complete, hit 'Save'

Create a Sign-On Policy

1. Within the Identity Cloud Console, select 'Security' and then 'Sign-On Policies', then select 'Add' to create a new policy.

2. Give the Policy a name, and then hit the forward arrow.

3. In the next screen, select 'Add' to create a new rule.  Give it a name, and then create the rule.  In this case we are simply restricting access by the option 'in one of more of these network perimeters', and then selecting the network perimeter set up in the previous step  Make sure the 'Access' is set to 'Allowed'.

For additional security, you can also select 'Prompt for reauthentication', then hit 'Save'

4. Click the 'Forward' button to move to the next screen

5. The final screen is where you can set which application instances to restrict.  Select the 'Assign Apps' option, and then select which instances, will be restricted by this rule.

In this environment we have 2 Oracle Managed OAC instances, one called 'OACBINew' and one called 'OACEss'.  We will restrict access just to the OACBINew instance, although you could select the other one too if you wanted to restrict both.

Once the selection is complete, hit 'OK'.

6. On the final screen, hit 'Finish'

7. You may notice that the 'Save' button isn't available, but that's okay.  The policy has been created, although it has not yet been activated..  Select the 'Sign-On-Policies' link as shown.

8. Then, using the menu for the newly created policy, select 'Activate'

Now only the IP(s) in the network perimeter can access that OAC instance.  Any user outside of the network perimeter, attempting to connect to the instance will receive the following error in their browser.

Summary

This article walked through the steps to restrict access to an Oracle Analytics Cloud instance to an IP range, configured via the Identity Cloud Service network perimeter and sign-on policies.

For other A-Team articles by Richard, click here