1. Regulated Internet Access for OCI AI Services

    Python

    To regulate internet access for Oracle Cloud Infrastructure (OCI) AI Services, you would typically use a combination of networking resources that allow you to control the inbound and outbound traffic according to your organization's policies.

    Here's a conceptual rundown of what we need to create for regulated internet access:

    1. Virtual Cloud Network (VCN): This is comparable to a traditional network but with the benefits of scalable cloud resources. Within a VCN, we can create subnets, define route tables, and set up security lists.

    2. Internet Gateway (IG): This is a virtual router that you can attach to your VCN for enabling communication between resources in your VCN and the public internet.

    3. Route Tables: You'll need route tables associated with subnets to determine the paths for traffic leaving the subnet.

    4. Security Lists: These are subnet-level virtual firewall rules (stateful or stateless) that list the traffic allowed in and out. They are allow-lists: anything not explicitly permitted is dropped.

    5. AI Private Endpoints: Private endpoints give an OCI AI service a private IP inside one of your subnets, so requests to the service never traverse the public internet and are subject to the subnet's route table and security rules.

    6. Network Firewalls: These are virtual firewalls that provide advanced threat protection and can help in ensuring that only authorized traffic can enter your VCN.

    For illustrative purposes, let's construct a simplified Pulumi program that creates these resources and a setup that allows regulated internet access for OCI AI Services. Keep in mind that for a real-world scenario, you would have to take into account many more factors and likely have a more complex setup.

    import pulumi
    import pulumi_oci as oci

    # Your OCI compartment OCID (placeholder)
    compartment_id = "your-compartment-id"

    # Destination label for the Oracle Services Network in your region. With
    # destination_type="SERVICE_CIDR_BLOCK" this must be a service label of the
    # form "all-<region>-services-in-oracle-services-network" (as listed by
    # oci.core.get_services()), not an IP CIDR. Placeholder value.
    oci_services_label = "all-<region>-services-in-oracle-services-network"

    # Set up a Virtual Cloud Network (VCN)
    vcn = oci.core.Vcn("my-vcn",
        compartment_id=compartment_id,
        cidr_block="10.0.0.0/16",
        display_name="My VCN")

    # Create an Internet Gateway for the VCN
    ig = oci.core.InternetGateway("my-ig",
        compartment_id=compartment_id,
        vcn_id=vcn.id,
        display_name="My Internet Gateway",
        enabled=True)

    # Route table with a default route to the Internet Gateway
    route_table = oci.core.RouteTable("my-route-table",
        compartment_id=compartment_id,
        vcn_id=vcn.id,
        route_rules=[oci.core.RouteTableRouteRuleArgs(
            destination="0.0.0.0/0",
            destination_type="CIDR_BLOCK",
            network_entity_id=ig.id,
        )],
        display_name="My Route Table")

    # Security list: the only egress permitted is TCP/443 to the Oracle Services
    # Network; the empty ingress list denies all inbound traffic (security lists
    # are allow-lists, so anything not listed is dropped)
    security_list = oci.core.SecurityList("my-security-list",
        compartment_id=compartment_id,
        vcn_id=vcn.id,
        egress_security_rules=[oci.core.SecurityListEgressSecurityRuleArgs(
            description="Allow HTTPS outbound to OCI services",
            destination=oci_services_label,
            destination_type="SERVICE_CIDR_BLOCK",
            protocol="6",  # TCP
            stateless=False,
            tcp_options=oci.core.SecurityListEgressSecurityRuleTcpOptionsArgs(
                min=443,
                max=443,
            ),
        )],
        ingress_security_rules=[],
        display_name="My Security List")

    # Private subnet for the AI private endpoint. It uses the route table and
    # security list above and cannot hold VNICs with public IPs.
    subnet = oci.core.Subnet("my-subnet",
        compartment_id=compartment_id,
        vcn_id=vcn.id,
        cidr_block="10.0.1.0/24",
        route_table_id=route_table.id,
        security_list_ids=[security_list.id],
        prohibit_public_ip_on_vnic=True,
        display_name="My Private Subnet")

    # AI private endpoint (Anomaly Detection service) placed in the private
    # subnet; subnet_id must be a subnet OCID. dns_zones is required by the API
    # and is a placeholder here.
    ai_private_endpoint = oci.aianomalydetection.AiPrivateEndpoint("my-ai-private-endpoint",
        compartment_id=compartment_id,
        subnet_id=subnet.id,
        dns_zones=["your-private-dns-zone"],
        display_name="My AI Private Endpoint")

    # Network Firewalls are not implemented in this example, but OCI does offer
    # them; you can create and configure them similarly with resources in the
    # 'oci' SDK

    # Outputs
    pulumi.export("vcn_id", vcn.id)
    pulumi.export("internet_gateway_id", ig.id)
    pulumi.export("route_table_id", route_table.id)
    pulumi.export("security_list_id", security_list.id)
    pulumi.export("subnet_id", subnet.id)
    pulumi.export("ai_private_endpoint_id", ai_private_endpoint.id)

    Explanation

    • The program uses the OCI provider configured for the stack and creates a Vcn named my-vcn with the 10.0.0.0/16 CIDR block.
    • An InternetGateway is attached to the VCN.
    • The RouteTable my-route-table has one rule sending all outbound traffic (0.0.0.0/0) to the Internet Gateway. A default route to an Internet Gateway is still a path to the public internet; it is the security list, not the route table, that limits what actually leaves the subnet. If public egress is not needed at all, route the Oracle Services Network label through a Service Gateway instead and omit the Internet Gateway.
    • The SecurityList my-security-list is an allow-list. Its single egress rule permits TCP/443 to the Oracle Services Network label, and the empty ingress rule list denies all inbound traffic.
    • A private Subnet is created with that route table and security list attached and with public IPs prohibited on its VNICs. The AiPrivateEndpoint requires a subnet OCID, so the subnet has to exist before the endpoint can be created.
    • The AiPrivateEndpoint (Anomaly Detection) is provisioned in that subnet, so calls to the service use a private IP inside the VCN rather than a public endpoint.
    • Finally, the resource identifiers are exported so they can be referenced from other Pulumi stacks or from external tooling.

    Please replace "your-compartment-id" with the OCID of the compartment where you want to provision these resources. The egress rule uses destination_type SERVICE_CIDR_BLOCK, so its destination must be the Oracle Services Network label for your region (of the form all-<region>-services-in-oracle-services-network, as listed by oci.core.get_services()), not an IP CIDR block; the dns_zones value is likewise a placeholder for the private DNS zone your data assets resolve in.

    The idea behind the private endpoint is to reach the AI services over a private network path rather than a public one, with the subnet's route table, security list and, where deployed, a network firewall controlling what else can leave or enter. That is what "regulated access" means here: the services are reachable only from the private subnet, and the subnet can only talk to the destinations and ports you have listed.
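    As an added example (not part of the original program or of the pulumi_oci SDK), the following pure-Python evaluator models the subset of security-list semantics the program relies on: allow-list with default deny, CIDR_BLOCK versus SERVICE_CIDR_BLOCK destinations, protocol numbers and TCP/UDP destination port ranges. It lets the intended policy (HTTPS to the Oracle Services Network only, nothing inbound) be asserted in CI before `pulumi up`, and contrasts it with the VCN default security list's permissive egress rule. The service label and all addresses are placeholders constructed for the example.

```python
"""Offline check of the security-list policy intended by the program above.

Added example: a small model of OCI security-list semantics. It is not part
of pulumi_oci; the Rule shape mirrors the fields of
SecurityListEgressSecurityRuleArgs so the same values can be asserted in CI.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTO_ALL, PROTO_TCP, PROTO_UDP = "all", "6", "17"


@dataclass(frozen=True)
class Rule:
    peer: str                   # IP CIDR or Oracle Services Network label
    peer_type: str              # "CIDR_BLOCK" or "SERVICE_CIDR_BLOCK"
    protocol: str               # "all", "6" (TCP), "17" (UDP), "1" (ICMP)
    port_min: Optional[int] = None  # inclusive dest port range; None = any
    port_max: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    peer: str                   # destination (egress) or source (ingress)
    protocol: str
    port: Optional[int] = None


def _peer_matches(rule: Rule, flow: Flow) -> bool:
    if rule.peer_type == "SERVICE_CIDR_BLOCK":
        # Service destinations are matched by label. The label is treated
        # symbolically here; real OSN traffic has IP addresses that a wide
        # CIDR rule such as 0.0.0.0/0 would also match.
        return flow.peer == rule.peer
    try:
        addr = ipaddress.ip_address(flow.peer)
    except ValueError:
        return False            # a service label cannot match a CIDR rule
    return addr in ipaddress.ip_network(rule.peer, strict=False)


def _port_matches(rule: Rule, flow: Flow) -> bool:
    if rule.protocol not in (PROTO_TCP, PROTO_UDP) or rule.port_min is None:
        return True             # rule carries no port constraint
    return flow.port is not None and rule.port_min <= flow.port <= rule.port_max


def allowed(rules: List[Rule], flow: Flow) -> bool:
    """Security lists are allow-lists: any matching rule permits the flow,
    and a flow that matches no rule is denied."""
    for rule in rules:
        if rule.protocol not in (PROTO_ALL, flow.protocol):
            continue
        if _peer_matches(rule, flow) and _port_matches(rule, flow):
            return True
    return False


# Constructed rule sets. OSN_LABEL is a placeholder for the regional
# "all-<region>-services-in-oracle-services-network" label.
OSN_LABEL = "all-<region>-services-in-oracle-services-network"
REGULATED_EGRESS = [Rule(OSN_LABEL, "SERVICE_CIDR_BLOCK", PROTO_TCP, 443, 443)]
REGULATED_INGRESS: List[Rule] = []              # empty list == deny all inbound
DEFAULT_EGRESS = [Rule("0.0.0.0/0", "CIDR_BLOCK", PROTO_ALL)]  # VCN default list


def policy_report(egress: List[Rule] = REGULATED_EGRESS,
                  ingress: List[Rule] = REGULATED_INGRESS) -> Dict[str, bool]:
    """Probe the rule sets with the flows a reviewer cares about."""
    return {
        "https_to_osn": allowed(egress, Flow(OSN_LABEL, PROTO_TCP, 443)),
        "ssh_to_osn": allowed(egress, Flow(OSN_LABEL, PROTO_TCP, 22)),
        "https_to_internet": allowed(egress, Flow("203.0.113.10", PROTO_TCP, 443)),
        "dns_to_internet": allowed(egress, Flow("203.0.113.53", PROTO_UDP, 53)),
        "ssh_inbound": allowed(ingress, Flow("10.0.1.5", PROTO_TCP, 22)),
    }


if __name__ == "__main__":
    for name, ok in policy_report().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY'}")
    print("default list lets HTTPS out to the internet:",
          allowed(DEFAULT_EGRESS, Flow("203.0.113.10", PROTO_TCP, 443)))
```

    Only the first probe should come back ALLOW for the regulated rule set, while the VCN default list (all protocols to 0.0.0.0/0) permits the internet probe, which is why the program above attaches its own security list to the subnet instead of relying on the default one.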