1. IP Whitelisting for Secure Access to OCI AI Services

    Python

    To implement IP whitelisting for secure access to Oracle Cloud Infrastructure (OCI) AI services with Pulumi in Python, you would generally create security rules that limit network access to specific IP addresses or ranges. Here's how you might go about it:

    1. Virtual Cloud Network (VCN): You'll want to set up a VCN as your virtual network foundation upon which you can define subnets, route tables, and security rules.

    2. Security List: This resource is used to create firewall rules to control traffic to and from instances in your VCN. For IP whitelisting, you'll create ingress rules that allow traffic from specific IP ranges.

    3. Compute Instances: Compute instances host the OCI AI services; place them inside the VCN so the security list rules apply to their network interfaces.

    Below you'll find a program that demonstrates this setup. This program assumes that you have the necessary OCI Pulumi provider configured and that you are authenticated with your OCI account. It also assumes that you've created or have available an instance hosting the OCI AI services and have its instance_id at hand.

    Now, let's dive into creating this infrastructure with Pulumi:

```python
import pulumi
import pulumi_oci as oci

# Configuration variables for the VCN and whitelist
whitelist_ips = ["192.0.2.1/32", "198.51.100.0/24"]  # Replace with your IP ranges
whitelist_port = 443  # TCP port the AI service listens on; adjust as needed
compartment_id = "ocid1.compartment.oc1.."  # Your compartment OCID
vcn_cidr_block = "10.0.0.0/16"

# Create a Virtual Cloud Network
vcn = oci.core.Vcn("vcn",
    compartment_id=compartment_id,
    cidr_block=vcn_cidr_block,
    display_name="VCN for OCI AI Services")

# Create a Security List for IP whitelisting.
# Security list rules are stateful, so return traffic for an allowed inbound
# connection needs no egress rule; add egress rules only if the instance
# must initiate outbound connections itself.
security_list = oci.core.SecurityList("whitelistSecurityList",
    compartment_id=compartment_id,
    vcn_id=vcn.id,
    egress_security_rules=[],
    ingress_security_rules=[
        oci.core.SecurityListIngressSecurityRuleArgs(
            protocol="6",       # TCP protocol
            source=ip_range,    # Individual IP or range to whitelist
            tcp_options=oci.core.SecurityListIngressSecurityRuleTcpOptionsArgs(
                min=whitelist_port,
                max=whitelist_port,
            ),
        )
        for ip_range in whitelist_ips  # One rule per whitelisted range
    ],
    display_name="Whitelist IPs Security List")

# Create a Subnet in the VCN. Security lists are attached to subnets and
# apply to every VNIC in the subnet, so this is where the whitelist takes effect.
subnet = oci.core.Subnet("aiServicesSubnet",
    compartment_id=compartment_id,
    vcn_id=vcn.id,
    cidr_block="10.0.1.0/24",
    security_list_ids=[security_list.id])

# Assuming you have an instance hosting the OCI AI service, look it up by OCID
# (this is an example; replace with your instance retrieval method)
ai_service_instance = oci.core.Instance.get("aiServiceInstance", "ocid1.instance.oc1..")  # Replace with your instance OCID

# Attach a VNIC for the instance in the whitelisted subnet, so traffic on that
# VNIC is governed by the subnet's security list
ai_service_vnic = oci.core.VnicAttachment("aiServiceVnicAttachment",
    instance_id=ai_service_instance.id,
    create_vnic_details=oci.core.VnicAttachmentCreateVnicDetailsArgs(
        subnet_id=subnet.id,
    ),
    nic_index=0,  # Physical NIC to attach to; 0 is the primary NIC on most shapes
)

# Export the VCN and Security List IDs to use elsewhere if needed
pulumi.export("vcn_id", vcn.id)
pulumi.export("security_list_id", security_list.id)
```

    This Pulumi code does the following:

    1. Defines a new VCN: The VCN is set up with a specific CIDR block to house your cloud network resources.

    2. Creates a Subnet within the VCN: A subnet with a specified CIDR block is added to your VCN to further segment the network and organize resources.

    3. Sets up a Security List: The list has ingress rules that allow traffic from only the specified IP addresses or ranges, effectively whitelisting those IPs for inbound traffic.

    4. Attaches the instance's VNIC to the whitelisted subnet: Assuming you have an existing OCI AI service instance, the code looks it up by OCID and attaches a VNIC for it in the new subnet, so the subnet's security list governs the traffic reaching the instance on that VNIC. Please note that the actual implementation may vary based on your specific instance and network setup.

    5. Exports the IDs: The IDs of the VCN and Security List are exported, should you need to reference them elsewhere in your infrastructure.

    Please adjust the IP ranges, compartment ID, VCN CIDR block, and the protocol/port options according to your specific requirements. Also, consider enhancing the security measures based on your application's needs and OCI's best practices.
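A whitelist is only as safe as the ranges typed into it, and the program above passes `whitelist_ips` straight into ingress rules. The following is an added example, not part of the original program or of the Pulumi OCI provider: a small pre-flight check that lints the list before it becomes rules (rejecting malformed CIDRs, host bits set in a network address, `0.0.0.0/0`, ranges broader than a configurable prefix, and duplicate or overlapping entries), a simulation of which client addresses the resulting rules would admit, and a builder that emits the same rule fields the security list uses as plain dictionaries. `WHITELIST_IPS`, `SERVICE_PORT` and the `/16` threshold are constructed sample values; the function names are this example's own.

```python
import ipaddress

# Constructed sample whitelist, the same shape as whitelist_ips in the program above
WHITELIST_IPS = ["192.0.2.1/32", "198.51.100.0/24"]
SERVICE_PORT = 443  # assumed TCP port of the AI service (hypothetical)


def lint_whitelist(cidrs, min_prefix_len=16):
    """Check whitelist entries before they become ingress rules.

    Returns a list of human-readable problems; an empty list means the
    whitelist is acceptable. Rejects malformed CIDRs, host bits set in a
    network address, the 0.0.0.0/0 "whole internet" range, ranges broader
    than /min_prefix_len, and entries that duplicate or overlap earlier ones.
    """
    problems = []
    accepted = []
    for cidr in cidrs:
        try:
            # strict=True rejects "192.0.2.1/24" (host bits set), which usually
            # means the author meant /32 or mistyped the prefix length
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid CIDR ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{cidr}: allows the whole internet")
        elif net.prefixlen < min_prefix_len:
            problems.append(f"{cidr}: broader than /{min_prefix_len}")
        for earlier in accepted:
            if net == earlier:
                problems.append(f"{cidr}: duplicate of {earlier}")
            elif net.version == earlier.version and (
                net.subnet_of(earlier) or earlier.subnet_of(net)
            ):
                problems.append(f"{cidr}: overlaps {earlier}")
        accepted.append(net)
    return problems


def is_allowed(client_ip, cidrs):
    """Simulate the security list: True if client_ip falls in any whitelisted range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def to_ingress_rules(cidrs, port):
    """Build the ingress rule set, one TCP rule per range, as plain dicts that
    mirror the SecurityListIngressSecurityRuleArgs fields used in the program."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    problems = lint_whitelist(cidrs)
    if problems:
        # Fail closed: never deploy a rule set the lint rejected
        raise ValueError("whitelist rejected: " + "; ".join(problems))
    return [
        {"protocol": "6", "source": c, "tcp_options": {"min": port, "max": port}}
        for c in cidrs
    ]


if __name__ == "__main__":
    print(lint_whitelist(WHITELIST_IPS))               # []
    print(is_allowed("198.51.100.7", WHITELIST_IPS))   # True
    print(is_allowed("203.0.113.9", WHITELIST_IPS))    # False
    print(to_ingress_rules(WHITELIST_IPS, SERVICE_PORT))
```

Run `lint_whitelist` in CI or at the top of the Pulumi program and abort the deployment on any finding; `is_allowed` is useful for a quick regression check that the ranges still admit the clients you expect after an edit.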