1. Securing OCI Function Endpoints with Network Security Groups


    When deploying serverless functions in the Oracle Cloud Infrastructure (OCI), it's important to ensure they are securely accessible. One of the methods for enhancing security is using network security groups (NSGs).

    A network security group acts as a virtual firewall for your OCI resources, including serverless Functions, enabling you to apply a set of ingress and egress security rules that govern traffic to and from resources associated with the NSG.

    Here's how you can secure OCI Functions with NSGs using Pulumi:

    1. Create a Virtual Cloud Network (VCN): Before you can create an NSG, you need a Virtual Cloud Network where you can place your resources.

    2. Create a Network Security Group (NSG): Within the VCN, you create an NSG where your security rules will be applied. You can define rules that control traffic to and from the functions.

    3. Associate the NSG with your Function: When creating an OCI Function, you associate it with the NSG you created, enforcing the defined rules on your Function's network traffic.

    Let's implement this using Pulumi with Python:

    import pulumi import pulumi_oci as oci # You need to initialize a Pulumi project and configure it with the necessary OCI credentials and settings. # Create a Virtual Cloud Network (VCN) vcn = oci.core.Vcn("myVcn", cidr_block="", compartment_id=oci.config.require("compartment_id"), display_name="my-virtual-cloud-network" ) # Create a Network Security Group (NSG) within our VCN nsg = oci.core.NetworkSecurityGroup("myFunctionNsg", vcn_id=vcn.id, compartment_id=vcn.compartment_id, display_name="my-function-nsg", # Define rules for the NSG ingress_security_rules=[ oci.core.NetworkSecurityGroupSecurityRuleArgs( protocol="6", source="", tcp_options=oci.core.NetworkSecurityGroupSecurityRuleTcpOptionsArgs( destination_port_range=oci.core.NetworkSecurityGroupSecurityRuleDestinationPortRangeArgs( min=443, max=443 ) ) ) ], egress_security_rules=[ oci.core.NetworkSecurityGroupSecurityRuleArgs( destination="", protocol="all" ) ] ) # Create an OCI Function and associate it with the NSG my_function = oci.functions.FunctionApplication("myFunction", display_name="MySecureFunction", compartment_id=vcn.compartment_id, subnet_ids=[oci.config.require("subnet_id")], syslog_url=oci.config.require("syslog_url"), network_security_group_ids=[nsg.id] # Associate the NSG with your Function ) # Export the IDs of the created resources as stack outputs pulumi.export("vcn_id", vcn.id) pulumi.export("nsg_id", nsg.id) pulumi.export("function_id", my_function.id)

    In the above code:

    • We create a VCN with oci.core.Vcn resource. The VCN is a prerequisite for the NSG, providing a virtual network where your cloud resources reside.

    • The oci.core.NetworkSecurityGroup resource is used to create an NSG within the VCN. We define ingress and egress rules to control network access. The sample ingress rule allows TCP traffic on port 443 (HTTPS) from anywhere (, and the egress rule allows all outbound traffic.

    • An OCI Function is created using the oci.functions.FunctionApplication resource. The function is associated with the NSG by referencing the NSG's ID in the network_security_group_ids parameter.

    To deploy this infrastructure, you would run pulumi up from the command line in the same directory as your Pulumi Python script.

    Note that you'll want to replace placeholders like oci.config.require("compartment_id") with the appropriate OCI compartment information, and providing your OCI Function specifics where required.

    With this setup, your OCI Function endpoints are now secured by the defined NSG rules, reducing the risk of unauthorized access or traffic to your serverless infrastructure.

    To learn more about each of these resources, please refer to the official Pulumi OCI documentation: