Oracle OCI — secure connectivity in and out: UserVPN, FQDN filtering
If you are looking for a solution to connect your users to the resources in Oracle Cloud (OCI), or to secure the internet-bound access from your OCI resources based on FQDNs, this article is for you.
Getting started with Aviatrix
Aviatrix is a powerful and advanced platform providing networking and security services in the public clouds, with multi-cloud optionality. While being comprehensive, it is also perfectly modular — you can start really small with just one or two services, and if you need to add more services, or expand into other clouds, you can do it at any time. The platform is flexible and can easily follow your current needs. Start anywhere, grow anywhere.
In this writeup I will focus on two services that our customers are deploying early on into their environments, while working out the bigger architecture with Aviatrix MCNA (Multi-Cloud Network Architecture). These services are UserVPN and FQDN Egress Filtering.
Let’s first talk about UserVPN. This topic can be very simple (“I want to give my remote users access to all the resources in OCI”), or very advanced (“I want to give my remote users access to specific resources in OCI and other clouds, based on their group assignment in my SAML Identity Provider, all sprinkled with MFA”), or anything in between. Regardless of what you need, Aviatrix has got your back.
We can easily deploy a VPN service which will land your users in a dedicated VCN, and from there they will be able to access the resources which you allow them to. User authentication and authorization can be handled directly by Aviatrix, or you can integrate Aviatrix with a SAML Identity Provider.
In the diagram above there are 3 main groups of users, accessing the OCI environment through the same VPN GWs, but each group is granted granular access only to selected resources.
Configuration of the Aviatrix VPN service is detailed here: https://docs.aviatrix.com/HowTos/uservpn.html
Joint OCI-Aviatrix blog on UserVPN can be found here:
FQDN Egress Filtering
Now let’s take a look at the other topic — securing the outbound traffic from your private OCI resources to the public internet.
We see many customers want to provide an additional level of security for their public internet connectivity, allowing only specific domains to be accessed. You may need your private VMs to fetch their latest code from GitHub, or download updates to their Ubuntu packages, but you don’t want to allow full outbound access.
You can try to use some native services which OCI offers — Security Lists or Network Security Groups. The challenge with them is that they work only at the IP level, not at the FQDN level. So first you’d need to find out which IPs to allow, then hardcode these IPs in your SL/NSG configuration, and keep monitoring for IP changes.
Aviatrix offers a much simpler solution. With FQDN Filtering you specify a domain, optionally with a wildcard (e.g. *.ubuntu.com, *.github.com) and the allowed port/protocol for the outbound configuration.
Here’s a simple example of my OCI private VM trying to access two domains: google.com and oraclecloud.com. Only the latter is on the allowed list on the FQDN GW (see the diagram above).
Connection to google.com fails, but oraclecloud.com is very much accessible.
Relevant logs from the GW allow another level of visibility, not present in any of the native cloud services:
2020-11-04T09:11:07.104404+00:00 GW-OCI-FQDN-18.104.22.168 avx-nfq: AviatrixFQDNRule2[CRIT]nfq_ssl_handle_client_hello() L#291 Gateway=OCI-FQDN S_IP=10.120.1.130 D_IP=22.214.171.124 hostname=www.google.com state=NO_MATCH drop_reason=NOT_WHITELISTED
2020-11-04T09:11:38.455101+00:00 GW-OCI-FQDN-126.96.36.199 avx-nfq: AviatrixFQDNRule3[CRIT]nfq_ssl_handle_client_hello() L#291 Gateway=OCI-FQDN S_IP=10.120.1.130 D_IP=188.8.131.52 hostname=console.us-ashburn-1.oraclecloud.com state=MATCHED Rule=*.oraclecloud.com,SourceIP:IGNORE;1;0;443
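To make the allow-list behaviour and the log format above concrete, here is an added example (my own illustration, not Aviatrix code) that parses avx-nfq style lines into their key=value fields, evaluates an SNI hostname against wildcard FQDN rules, and lists every dropped ClientHello as a small detection report. The sample lines are constructed (public destinations use documentation addresses), and the wildcard semantics (`*.example.com` covers subdomains at any depth but not the apex) are an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the avx-nfq format shown in the article
# (documentation IPs 203.0.113.x used for the public destinations).
SAMPLE_LOG = """\
2020-11-04T09:11:07.104404+00:00 GW-OCI-FQDN avx-nfq: AviatrixFQDNRule2[CRIT]nfq_ssl_handle_client_hello() L#291 Gateway=OCI-FQDN S_IP=10.120.1.130 D_IP=203.0.113.10 hostname=www.google.com state=NO_MATCH drop_reason=NOT_WHITELISTED
2020-11-04T09:11:38.455101+00:00 GW-OCI-FQDN avx-nfq: AviatrixFQDNRule3[CRIT]nfq_ssl_handle_client_hello() L#291 Gateway=OCI-FQDN S_IP=10.120.1.130 D_IP=203.0.113.20 hostname=console.us-ashburn-1.oraclecloud.com state=MATCHED Rule=*.oraclecloud.com,SourceIP:IGNORE;1;0;443
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")  # key=value tokens such as hostname=... state=...

def parse_avx_nfq(line: str) -> Dict[str, str]:
    """Split one gateway log line into its key=value fields plus the leading timestamp."""
    fields = {"timestamp": line.split(" ", 1)[0]}
    fields.update(FIELD_RE.findall(line))
    return fields

def fqdn_matches(hostname: str, rule: str) -> bool:
    """Match a TLS SNI hostname against one allow-list entry.
    Assumption: '*.example.com' covers subdomains at any depth but not the apex."""
    hostname, rule = hostname.lower().rstrip("."), rule.lower()
    if rule.startswith("*."):
        suffix = rule[1:]  # ".example.com"; the leading dot stops evil-example.com matching
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return hostname == rule

def evaluate(hostname: str, allow_rules: List[str]) -> Tuple[str, Optional[str]]:
    """Return ('MATCHED', rule) or ('NO_MATCH', None), mirroring the log's state field."""
    for rule in allow_rules:
        if fqdn_matches(hostname, rule):
            return "MATCHED", rule
    return "NO_MATCH", None

def blocked_egress(log_text: str) -> List[Tuple[str, str, str]]:
    """Detection view: (source IP, hostname, drop reason) for every dropped ClientHello."""
    dropped = []
    for line in log_text.splitlines():
        f = parse_avx_nfq(line)
        if f.get("state") == "NO_MATCH":
            dropped.append((f["S_IP"], f["hostname"], f.get("drop_reason", "")))
    return dropped

if __name__ == "__main__":
    for src, host, why in blocked_egress(SAMPLE_LOG):
        print(f"blocked: {src} -> {host} ({why})")
    print(evaluate("console.us-ashburn-1.oraclecloud.com", ["*.oraclecloud.com"]))
```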
More details on FQDN Egress Filtering by Aviatrix can be found here: https://docs.aviatrix.com/HowTos/fqdn_faq.html
About Aviatrix platform
Aviatrix is a multi-cloud networking and security platform that works with OCI and other cloud providers to solve the challenges related to cloud networking (including transit architecture, cloud access and egress control). The solution takes only a few minutes to deploy, all the elements run in the cloud of your choice (no dependency on the data center), and the user experience is first class.
Two main components of the platform are the Aviatrix Controller and gateways. The Aviatrix Controller (available through Oracle Cloud Marketplace) is a VM that you can launch into your virtual cloud network (VCN) with a few clicks from e.g. the Oracle Cloud Infrastructure Console or with Terraform.
After the Controller is deployed, you use it to deploy one or more Aviatrix gateways (through the controller UI or using Terraform). These gateways are VMs that run in your VCNs and can have various roles — transit, spoke, VPN, Egress FQDN, and others.
Below you’ll find a more advanced architecture putting OCI in a multi-cloud context, interconnecting it in an encrypted manner to Azure over the OCI-Azure peering, and to AWS.
Are you ready to deploy Aviatrix in your OCI environment?
Start here: https://cloudmarketplace.oracle.com/marketplace/en_US/listing/65804594
Contact me at firstname.lastname@example.org or email@example.com for additional information.
Perspective on OCI and Multi-Cloud
Oracle Cloud is the youngest of the big 4 clouds, but with the customer base which Oracle has accumulated over the years, OCI can grow tremendously in a very short time. We see that it is indeed gaining more and more popularity, especially amongst customers with the multi-cloud mindset, who understand they can easily run their DB in OCI, their front-end in Azure and analytics in GCP, all for the same application.
Aviatrix offers all the various options to interconnect these clouds/regions in a very secure manner, providing high throughput links and segmentation for all the resources, regardless of the cloud they are deployed in.
About the Author
Since September 2019 I have been working as Senior Solution Architect in EMEA for Aviatrix, building up the relationships with the local European and Middle-Eastern customers and helping them on the journey towards the public cloud. Prior to Aviatrix, I had spent many years working with on-prem and telco solutions, in QA, SE and PM roles.
My email address: firstname.lastname@example.org