1. Virtual Firewall Rules for AI Training VMs on OCI


    Creating Virtual Firewall Rules for your AI Training Virtual Machines (VMs) in Oracle Cloud Infrastructure (OCI) involves defining a set of security rules that control the traffic to and from your VM instances. These rules are typically part of a Security List or a Network Security Group (NSG) in OCI, and they dictate which kinds of network communication are allowed or blocked. Unfortunately, Pulumi does not currently have support for OCI's native resources for setting up firewall rules. However, you can always write your own custom provider or use the Pulumi Terraform bridge to work with OCI resources.

    Let's illustrate this with an example using Pulumi and the OCI Terraform provider. To create virtual firewall rules for VMs, you define Security List or NSG resources with ingress and egress rules specifying the types of traffic allowed. Below is a simplified Pulumi program that demonstrates how to create firewall rules within a Security List in OCI. Remember that you would need to set up the Terraform provider and import the respective Pulumi resource packages for OCI to make this work.

        import pulumi
        from pulumi_terraform import TerraformResource

        # Note: The `TerraformResource` class here is a stand-in to represent
        # working with OCI resources via the Pulumi Terraform bridge.
        # Replace this with actual OCI Pulumi resource imports when they become available.

        # Replace 'compartment_id' with your OCI compartment ID and 'vcn_id' with
        # your Virtual Cloud Network (VCN) ID.
        compartment_id = 'ocid1.compartment.oc1..exampleuniqueID'
        vcn_id = 'ocid1.vcn.oc1..exampleuniqueID'

        # Security List for our AI Training VMs
        ai_training_security_list = TerraformResource("ai_training_security_list",
            resource_type="oci_core_security_list",
            compartment_id=compartment_id,
            vcn_id=vcn_id,
            egress_security_rules=[{
                # Egress rules for allowing outbound traffic to the Internet
                "destination": "0.0.0.0/0",  # any destination
                "protocol": "6",  # TCP protocol
                "stateless": False
            }],
            ingress_security_rules=[{
                # Ingress rules for allowing specific inbound traffic to your VMs
                "source": "YOUR_SOURCE_IP/32",  # Placeholder: replace with your source IP in CIDR form
                "protocol": "6",  # TCP protocol
                "stateless": False,
                "tcp_options": {
                    "min": "22",  # SSH port
                    "max": "22"
                }
            }],
            display_name="AI_Training_Security_List"
        )

        # Export the security list ID as an output
        pulumi.export('security_list_id', ai_training_security_list.id)

    In this program, we create a Security List named AI_Training_Security_List with one egress rule that allows all outbound TCP traffic and one ingress rule that only allows SSH traffic (TCP port 22) from a specific IP address. Both rules are stateful, since stateless is set to False. You'll need to replace placeholders such as compartment_id, vcn_id, and the source IP with actual values from your OCI setup.
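
    A pre-deployment check for ingress rules written in the same dict shape as the program above; this is an added example, not part of the original program or of any Pulumi or OCI package. The function name audit_ingress, the ADMIN_PORTS set and the sample rules are assumptions made for illustration.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}  # assumption: ports treated as administrative here

def audit_ingress(rules):
    """Return (rule_index, finding) pairs for risky ingress rules."""
    findings = []
    for i, rule in enumerate(rules):
        source = rule.get("source", "")
        try:
            net = ipaddress.ip_network(source, strict=False)
        except ValueError:
            # Covers an empty or unreplaced placeholder source.
            findings.append((i, f"source {source!r} is not a valid CIDR"))
            continue
        if net.prefixlen != 0:
            continue  # restricted to a specific range; nothing to flag
        proto = rule.get("protocol")
        if proto == "all":
            findings.append((i, "all protocols open to any address"))
        elif proto == "6":
            # In OCI, a TCP rule without tcp_options covers every port.
            opts = rule.get("tcp_options") or {"min": 1, "max": 65535}
            lo, hi = int(opts["min"]), int(opts["max"])
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if exposed:
                findings.append((i, f"admin ports {exposed} open to any address"))
    return findings

# Constructed sample rules (documentation address ranges, not real hosts).
SAMPLE_RULES = [
    {"source": "203.0.113.10/32", "protocol": "6", "stateless": False,
     "tcp_options": {"min": "22", "max": "22"}},
    {"source": "0.0.0.0/0", "protocol": "6", "stateless": False,
     "tcp_options": {"min": "22", "max": "22"}},
    {"source": "", "protocol": "6", "stateless": False,
     "tcp_options": {"min": "22", "max": "22"}},
    {"source": "0.0.0.0/0", "protocol": "6", "stateless": False},
    {"source": "0.0.0.0/0", "protocol": "6", "stateless": False,
     "tcp_options": {"min": "443", "max": "443"}},
]

if __name__ == "__main__":
    for index, finding in audit_ingress(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```

    Running the check before the rules are handed to the security list resource catches a source that was never filled in, as well as SSH left reachable from any address.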

    To reiterate, this Pulumi program works only if you set up a Pulumi Terraform bridge and use the OCI Terraform provider to manage resources as Pulumi resources. Since this is outside the current capabilities of Pulumi's native support, additional setup and an understanding of both Pulumi and Terraform are required.