Oracle Cloud Infrastructure Documentation

Security Rules for the DB System

This article lists the security rules to use with your DB system. Security rules control the types of traffic allowed in and out of the DB system's compute nodes. The rules are pided into two sections.

For more information about security rules, see Security Rules. For more information about different ways to implement these rules, see Ways to Implement the Security Rules.

Note

Your instances running Oracle-provided DB system images also have firewall rules that control access to the instance. Make sure that both the instance's security rules and firewall rules are set correctly. Also see Open Ports on the DB System.

General Rules Required for Basic Connectivity

The following sections has several general rules that enable essential connectivity for hosts in the VCN.

If you use security lists to implement your security rules, be aware that the rules that follow are included by default in the default security list. Update or replace the list to meet your particular security needs. The two ICMP rules (general ingress rules 2 and 3) are required for proper functioning of network traffic within the Oracle Cloud Infrastructure environment. Adjust the general ingress rule 1 (the SSH rule) and the general egress rule 1 to allow traffic only to and from hosts that require communication with resources in your VCN.

For more information on default security list, see Security Lists.

General Ingress Rule 1: Allows SSH Traffic From Anywhere

  • Stateless: No (all rules must be stateful)
  • Source Type: CIDR
  • Source CIDR: 0.0.0.0/0
  • IP Protocol: TCP
  • Source Port Range: All
  • Destination Port Range: 22

General Ingress Rule 2: Allows Path MTU Discovery Fragmentation Messages

This rule enables hosts in the VCN to receive Path MTU Discovery fragmentation messages. Without access to these messages, hosts in the VCN can have problems communicating with hosts outside the VCN.

  • Stateless: No (all rules must be stateful)
  • Source Type: CIDR
  • Source CIDR: 0.0.0.0/0
  • IP Protocol: ICMP
  • Type: 3
  • Code: 4

General Ingress Rule 3: Allows Connectivity Error Messages Within the VCN

This rule enables the hosts in the VCN to receive connectivity error messages from each other.

  • Stateless: No (all rules must be stateful)
  • Source Type: CIDR
  • Source CIDR: Your VCN's CIDR
  • IP Protocol: ICMP
  • Type: 3
  • Code: All

General Egress Rule 1: Allows All Egress Traffic

  • Stateless: No (all rules must be stateful)
  • Destination Type: CIDR
  • Destination CIDR: 0.0.0.0/0
  • IP Protocol: All

Custom Security Rules

The following rules are necessary for the DB system's functionality.

Note

Custom ingress rules 1 and 2 only cover connections initiated from within the VCN. If you have a client that resides outside the VCN, Oracle recommends setting up two additional similar rules that instead have the Source CIDR set to the public IP address of the client.

Custom Ingress Rule 1: Allows ONS and FAN Traffic From Within the VCN

This rule is recommended and enables the Oracle Notification Services (ONS) to communicate about Fast Application Notification (FAN) events.

  • Stateless: No (all rules must be stateful)
  • Source Type: CIDR
  • Source CIDR: VCN's CIDR
  • IP Protocol: TCP
  • Source Port Range: All
  • Destination Port Range: 6200
  • Description: An optional description of the rule.

Custom Ingress Rule 2: Allows SQL*NET Traffic From Within the VCN

This rule is for SQL*NET traffic and is required only if you need to enable client connections to the database.

  • Stateless: No (all rules must be stateful)
  • Source Type: CIDR
  • Source CIDR: VCN's CIDR
  • IP Protocol: TCP
  • Source Port Range: All
  • Destination Port Range: 1521
  • Description: An optional description of the rule.

Custom Egress Rule 1: Allows Outbound SSH Access

This rule enables SSH access between nodes in a 2-node DB system. It is redundant with the general egress rule in General Rules Required for Basic Connectivity (and in the default security list). It is optional but recommended in case the general rule (or default security list) is inadvertently changed.

  • Stateless: No (all rules must be stateful)
  • Destination Type: CIDR
  • Destination CIDR: 0.0.0.0/0
  • IP Protocol: TCP
  • Source Port Range: All
  • Destination Port Range: 22
  • Description: An optional description of the rule.

Custom Egress Rule 2: Allows Access To Oracle Services Network

This rule enables the DB system to communicate with the Oracle services (for public subnet with internet gateway), or with the Oracle Services Network, which includes all the Oracle services (for private subnet with service gateway). It is redundant with the general egress rule in General Rules Required for Basic Connectivity (and in the default security list). It is optional but recommended in case the general rule (or default security list) is inadvertently changed.

  • Stateless: No (all rules must be stateful)
  • Destination Type: Service

  • Destination Service:

    • When using public subnet (with internet gateway), use the CIDR 0.0.0.0/0
    • When using private subnet (with service gateway), use the CIDR label called All <region> Services in Oracle Services Network
  • IP Protocol: TCP
  • Source Port Range: All
  • Destination Port Range: 443 (HTTPS)
  • Description: An optional description of the rule.

For more information about networking, see Networking Overview.

Ways to Implement the Security Rules

The Networking service offers two ways to implement security rules within your VCN:

For a comparison of Security Lists and Network Security Groups, see Security Rules.

Use Network Security Groups

If you choose to use network security groups (NSGs), here is the recommended process:

  1. Create a network security group for DB systems. Add the following security rules to that NSG:
    • The rules listed in General Rules Required for Basic Connectivity.
    • The rules listed in Custom Security Rules.
  2. When the database administrator creates the DB system, they must choose several networking components (for example, which VCN and subnet to use). They can also choose which NSG or NSGs to use. Make sure they choose the NSG you created.

You could instead create one NSG for the general rules and a separate NSG for the custom rules. Then when the database administrator chooses which NSGs to use for the DB system, make sure they choose both NSGs.

Use Security Lists

If you choose to use security lists, here is the recommended process:

  1. Configure the subnet to use the required security rules:
    1. Create a custom security list for the subnet and add the rules listed in Custom Security Rules.
    2. Associate the following two security lists with the subnet:
      • VCN's default security list with all its default rules. This automatically comes with the VCN.
      • The new custom security list you created for the subnet
  2. Later when the database administrator creates the DB system, they must choose several networking components. When they select the subnet that you have already created and configured, the security rules are automatically enforced for the compute nodes created in the subnet.

Caution:

Do not remove the default egress rule from the default security list. If you do, instead make sure to include the following replacement egress rule in the subnet's custom security list:
  • Stateless: No (all rules must be stateful)
  • Destination Type: CIDR
  • Destination CIDR: 0.0.0.0/0
  • IP Protocol: All