Network Port and Protocol Matrix

Compute Cloud@Customer requires access permissions to be granted for certain IP addresses, ports, and protocols.

The default security posture for almost all firewalls is to deny access. This applies to the firewalls used between the Compute Cloud@Customer rack and the customer data center.

To allow certain Compute Cloud@Customer features to operate correctly, access must be granted for certain IP address and related services. An "allow all" rule such as 0.0.0.0/0 is too broad for security purposes, so the best practice is to explicitly list addresses, ports, and protocols to allow.

Compute Cloud@Customer is installed with connections to different networks for different purposes (see Customer Site Network Requirements). For security purposes, Compute Cloud@Customer isolates the administration network from the customer data network.

During the Compute Cloud@Customer installation, Oracle configures the isolated networks, and works with your network administrator to configure the network ports so they work within your environment.

The following table lists the access permissions for certain IP addresses, ports, and protocols that are granted for data center and admin network isolation.

Table key:

  • Customer – Customer administrator access for Compute Cloud@Customer resource management
  • Oracle – Oracle administrator access, which is only accessible by Oracle when granted access by the customer using Oracle Operator Access Control.
Source IP Address

Destination IP Address

Port

Protocol

Description

All customer networks Customer VIP ICMP Type 0/Echo reply
Oracle administrators Oracle VIP ICMP Type 0/Echo reply
All customer networks Management Nodes ICMP Type 0/Echo reply
All customer networks Object Storage IP ICMP Type 0/Echo reply
All customer networks Customer VIP ICMP Type 3/Unreachable
Oracle administrators Oracle VIP ICMP Type 3/Unreachable
All customer networks Management Nodes ICMP Type 3/Unreachable
All customer networks Object Storage IP ICMP Type 3/Unreachable
All customer networks Customer VIP ICMP Type 8/ping to VIP
Oracle administrators Oracle VIP ICMP Type 8/ping to VIP
Oracle administrators Management Nodes ICMP Type 8/ping to node
All customer networks Object Storage IP ICMP Type 8/ping to VIP
Oracle administrators Oracle VIP 22 TCP SSH to Active Management Node
Oracle administrators Management Nodes 22 TCP SSH to Specific Management Node
Initial installation DNS IPs Customer VIP 53 UDP Authoritative Zones
Initial installation DNS IPs Customer VIP 53 TCP Authoritative Zones
Initial installation DNS IPs Oracle VIP 53 UDP Administrative Zone
Initial installation AdminDNS IPs Oracle VIP 53 TCP Administrative Zone
Management Nodes Initial installation DNS IPs 53 UDP External DNS Resolution for Data Network
Management Nodes Initial installation DNS IPs 53 TCP External DNS Resolution for Data Network
Management Nodes Initial installation AdminDNS IPs 53 UDP External DNS Resolution for Admin Network
Management Nodes Initial installation AdminDNS IPs 53 TCP External DNS Resolution for Admin Network
Oracle administrators Oracle VIP 443 TCP Oracle API Endpoints and BUI
All Compute Cloud@Customer users Customer VIP 443 TCP Compute Cloud@Customer API Endpoints and BUI
All Compute Cloud@Customer users Customer VIP 8079 TCP Image download repository
Oracle administrators Oracle VIP 30006 TCP Admin CLI
Oracle administrators Management Nodes 30006 TCP Admin CLI
Customer VIP DNS Recursive Servers 53 UDP DNS Forwarding
Customer VIP DNS Recursive Servers 53 TCP DNS Forwarding
Oracle VIP DNS Recursive Servers 53 UDP DNS Forwarding
Oracle VIP DNS Recursive Servers 53 TCP DNS Forwarding
Oracle VIP Customer NTP Servers 123 UDP NTP
Oracle VIP Usually transport.oracle.com 443 TCP ASR Targets
Oracle VIP Oracle Grafana Notification Targets 443 TCP Grafana Notification Targets
Oracle VIP Oracle Local ULN Mirror 443 TCP patching
Customer VIP Local image repository 443 TCP Custom image import from-object-uri
Management Nodes Load balancer public IP address 6443 TCP Load balancer public IP address endpoint