Oracle OCI — secure connectivity in and out: UserVPN, FQDN filtering

If you are looking for a solution to connect your users to the resources in Oracle Cloud (OCI), or to secure the internet-bound access from your OCI resources based on FQDNs, this article is for you.

Basic OCI Transit architecture with UserVPN and FQDN Egress control

Getting started with Aviatrix

Aviatrix is a powerful and advanced platform providing networking and security services in the public clouds, with multi-cloud optionality. While being comprehensive, it is also perfectly modular — you can start really small with just one or two services, and if you need to add more services, or expand into other clouds, you can do it at any time. The platform is flexible and can easily follow your current needs. Start anywhere, grow anywhere.

In this writeup I will focus on two services that our customers are deploying early on into their environments, while working out the bigger architecture with Aviatrix MCNA (Multi-Cloud Network Architecture). These services are UserVPN and FQDN Egress Filtering.

UserVPN

Let’s first talk about UserVPN. This topic can be very simple (“I want to give my remote users access to all the resources in OCI”), or very advanced (“I want to give my remote users access to specific resources in OCI and other clouds, based on their group assignment in my SAML Identity Provider, all sprinkled with MFA”), or anything in between. Regardless of what you need, Aviatrix has got your back.

We can easily deploy a VPN service which will land your users in a dedicated VCN and from there they will be able to access the resources which you allow them to. User authentication and authorization can be handled directly by Aviatrix, or you can integrate Aviatrix with SAML Identity Provider.

In the diagram above there are 3 main groups of users, all accessing the OCI environment through the same VPN GWs, but each group is granted granular access only to selected resources.

Configuration of the Aviatrix VPN service is detailed here: https://docs.aviatrix.com/HowTos/uservpn.html

Joint OCI-Aviatrix blog on UserVPN can be found here:
https://blogs.oracle.com/cloud-infrastructure/simple-secure-cloud-access-with-aviatrix-user-vpn

FQDN Egress Filtering

Now let’s take a look at the other topic — securing the outbound traffic from your private OCI resources to the public internet.

We see many customers who want to provide an additional level of security for their public internet connectivity, allowing only specific domains to be accessed. You may need your private VMs to fetch their latest code from GitHub, or download updates to the Ubuntu packages. But you don’t want to allow full outbound access.

You can try to use some native services which OCI offers, Security Lists or Network Security Groups. The challenge with them is that they work only at the IP level, not at the FQDN (domain) level. So first you’d need to find out which IPs to allow, then hardcode these IPs in your SL/NSG configuration, and keep monitoring for IP changes.

Aviatrix offers a much simpler solution. With FQDN Filtering you specify a domain, optionally with a wildcard (e.g. *.ubuntu.com, *.github.com) and the allowed port/protocol for the outbound configuration.

Here’s a simple example of my OCI private VM trying to access two domains: google.com and oraclecloud.com. Only the latter is on the allowed list on the FQDN GW (see the diagram above).


Connection to google.com fails, but oraclecloud.com is very much accessible.

The relevant logs from the GW provide another level of visibility, not present in any of the native cloud services:

2020-11-04T09:11:07.104404+00:00 GW-OCI-FQDN-193.122.172.74 avx-nfq: AviatrixFQDNRule2[CRIT]nfq_ssl_handle_client_hello() L#291 Gateway=OCI-FQDN S_IP=10.120.1.130 D_IP=142.250.31.104 hostname=www.google.com state=NO_MATCH drop_reason=NOT_WHITELISTED

2020-11-04T09:11:38.455101+00:00 GW-OCI-FQDN-193.122.172.74 avx-nfq: AviatrixFQDNRule3[CRIT]nfq_ssl_handle_client_hello() L#291 Gateway=OCI-FQDN S_IP=10.120.1.130 D_IP=129.213.0.129 hostname=console.us-ashburn-1.oraclecloud.com state=MATCHED Rule=*.oraclecloud.com,SourceIP:IGNORE;1;0;443
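To turn these gateway logs into something a SOC can act on, here is an added example (not from the original post and not Aviatrix code) that parses avx-nfq lines of the shape shown above, pulls out the key=value fields, and reports the blocked TLS handshakes per source IP. The sample lines are constructed from the two entries in the post; the field names are taken from them, and nothing else about the log format is assumed.

```python
import re
from collections import Counter

# Constructed sample, modelled on the two avx-nfq entries quoted in the post.
SAMPLE_LOG = """\
2020-11-04T09:11:07.104404+00:00 GW-OCI-FQDN-193.122.172.74 avx-nfq: AviatrixFQDNRule2[CRIT]nfq_ssl_handle_client_hello() L#291 Gateway=OCI-FQDN S_IP=10.120.1.130 D_IP=142.250.31.104 hostname=www.google.com state=NO_MATCH drop_reason=NOT_WHITELISTED
2020-11-04T09:11:38.455101+00:00 GW-OCI-FQDN-193.122.172.74 avx-nfq: AviatrixFQDNRule3[CRIT]nfq_ssl_handle_client_hello() L#291 Gateway=OCI-FQDN S_IP=10.120.1.130 D_IP=129.213.0.129 hostname=console.us-ashburn-1.oraclecloud.com state=MATCHED Rule=*.oraclecloud.com,SourceIP:IGNORE;1;0;443
"""

# Fixed prefix: timestamp, gateway host, "avx-nfq:", rule tag, [severity],
# handler function, source line, then a run of key=value tokens.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw_host>\S+) avx-nfq: (?P<rule_tag>\S+?)\[(?P<sev>\w+)\]"
    r"(?P<func>\w+\(\)) L#(?P<lineno>\d+) (?P<kv>.*)$"
)


def parse_line(line):
    """Parse one avx-nfq log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "gw_host", "rule_tag", "sev", "func")}
    # key=value tokens never contain spaces, so a plain split is safe; the
    # Rule value keeps its commas and semicolons intact.
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    """Parse every recognisable line; unknown lines are skipped, not raised."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def denied_egress(records):
    """(source IP, SNI hostname, destination IP) for every handshake the GW dropped."""
    return [(r["S_IP"], r["hostname"], r["D_IP"])
            for r in records if r.get("state") == "NO_MATCH"]


def denials_per_source(records, threshold=1):
    """Count NO_MATCH drops per private source IP; a VM exceeding the
    threshold is a candidate for an allowlist review or an investigation."""
    counts = Counter(r["S_IP"] for r in records if r.get("state") == "NO_MATCH")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, host, dst in denied_egress(recs):
        print(f"blocked: {src} -> {host} ({dst})")
    print(denials_per_source(recs))
```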

More details on FQDN Egress Filtering by Aviatrix can be found here: https://docs.aviatrix.com/HowTos/fqdn_faq.html

About Aviatrix platform

Aviatrix is a multi-cloud networking and security platform that works with OCI and other cloud providers to solve the challenges related to cloud networking (including transit architecture, cloud access and egress control). The solution takes only a few minutes to deploy, all the elements run in the cloud of your choice (no dependency on the data center), and the user experience is first class.

Two main components of the platform are the Aviatrix Controller and gateways. The Aviatrix Controller (available through Oracle Cloud Marketplace) is a VM that you can launch into your virtual cloud network (VCN) with a few clicks from e.g. the Oracle Cloud Infrastructure Console or with Terraform.

After the Controller is deployed, you use it to deploy one or more Aviatrix gateways (through the controller UI or using Terraform). These gateways are VMs that run in your VCNs and can have various roles — transit, spoke, VPN, Egress FQDN, and others.

Below you’ll find a more advanced architecture putting OCI in a multi-cloud context, interconnecting it in an encrypted manner to Azure over the OCI-Azure peering, and to AWS.


Are you ready to deploy Aviatrix in your OCI environment?
Start here: https://cloudmarketplace.oracle.com/marketplace/en_US/listing/65804594

Contact me tomasz@aviatrix.com or sales@aviatrix.com for additional information.

Perspective on OCI and Multi-Cloud

Oracle Cloud is the youngest of the big 4 clouds, but with the customer base which Oracle has accumulated over the years, OCI can grow tremendously in a very short time. We see that it is indeed becoming more and more popular, especially amongst customers with the multi-cloud mindset, who understand they can easily run their DB in OCI, their front-end in Azure and analytics in GCP, all for the same application.
Aviatrix offers all the various options to interconnect these clouds/regions in a very secure manner, providing high throughput links and segmentation for all the resources, regardless of the cloud they are deployed in.

About the Author


Since September 2019 I have been working as Senior Solution Architect in EMEA for Aviatrix, building up the relationships with the local European and Middle-Eastern customers and helping them on the journey towards the public cloud. Prior to Aviatrix, I had spent many years working with on-prem and telco solutions, in QA, SE and PM roles.

My email address: tomasz@aviatrix.com
