Controlling Ingress/Egress for OCI Autonomous Databases

Question

Pulumi · Accepted Answer

Controlling Ingress/Egress for Oracle Cloud Infrastructure (OCI) Autonomous Databases is an important aspect of securing your database workloads. OCI provides Network Security Groups (NSGs) which act as a virtual firewall to control the traffic in and out of your Autonomous Database. NSGs allow you to specify a list of ingress and egress security rules that can be applied to your database instances to restrict traffic based on source and destination IP addresses, protocols, and ports.

In a Pulumi program, we can create an Autonomous Database and associate it with a NSG by assigning the NSG IDs to the database configuration. We'll first create a NSG with the necessary egress and ingress rules, and then we'll create an Autonomous Database that utilizes this NSG for network security.

Below is a step-by-step Pulumi Python program to create an OCI Autonomous Database with controlled ingress and egress, along with comments explaining each step.

```python
import pulumi
import pulumi_oci as oci

# Define the compartment where all resources will reside
compartment_id = "ocid1.compartment.oc1..your_compartment_id"

# Create a new Network Security Group (NSG) for the Autonomous Database
db_nsg = oci.core.NetworkSecurityGroup("dbNsg",
    compartment_id=compartment_id,
    display_name="autonomous-db-nsg",
    vcn_id="ocid1.vcn.oc1..your_vcn_id", # Replace with your VCN OCID
    # Define the rules for ingress and egress
    ingress_security_rules=[
        oci.core.NetworkSecurityGroupSecurityRuleArgs(
            protocol="6", # TCP protocol
            source="0.0.0.0/0", # Allow from any source IP
            source_type="CIDR_BLOCK",
            tcp_options=oci.core.NetworkSecurityGroupSecurityRuleTcpOptionsArgs(
                destination_port_range=oci.core.NetworkSecurityGroupSecurityRuleDestinationPortRangeArgs(
                    max=1521, # Port used for SQL*Net listener
                    min=1521,
                ),
            ),
        ),
        # Add any other specific ingress rules you need here
    ],
    egress_security_rules=[
        oci.core.NetworkSecurityGroupSecurityRuleArgs(
            protocol="6", # TCP protocol
            destination="0.0.0.0/0", # Allow to any destination IP
            destination_type="CIDR_BLOCK",
            tcp_options=oci.core.NetworkSecurityGroupSecurityRuleTcpOptionsArgs(
                destination_port_range=oci.core.NetworkSecurityGroupSecurityRuleDestinationPortRangeArgs(
                    max=443, # Port used for HTTPS
                    min=443,
                ),
            ),
        ),
        # Add any other specific egress rules you need here
    ],
)

# Create an Autonomous Database with the created NSG
autonomous_db = oci.database.AutonomousDatabase("autonomousDb",
    compartment_id=compartment_id,
    display_name="my-autonomous-database",
    db_name="myadb",                           # Choose a unique database name
    admin_password="MyComplexPassword#2024",    # Change this to a strong unique password
    cpu_core_count=1,                           # Specify the CPU core count
    data_storage_size_in_tbs=1,                 # Request storage in terabytes
    db_workload="OLTP",                         # Choose the workload type (OLTP or DW)
    is_auto_scaling_enabled=True,               # Enable CPU auto-scaling
    is_free_tier=True,                          # Use the Always Free tier if desired
    license_model="LICENSE_INCLUDED",
    nsg_ids=[db_nsg.id],                        # Attach the NSG to this database
    # Other options can be specified according to your requirements
)

# Export the Autonomous Database's OCID and the NSG's OCID
pulumi.export("autonomous_database_ocid", autonomous_db.id)
pulumi.export("network_security_group_ocid", db_nsg.id)
```

In this program:

- We define a `NetworkSecurityGroup` that includes ingress rules to allow incoming traffic on the SQL*Net listener port (1521) from any IP address and egress rules to allow outgoing traffic on the HTTPS port (443) to any IP address. The `source` and `destination` can be modified to restrict traffic from specific IP ranges.

- Next, we create an `AutonomousDatabase` and specify the `nsg_ids` parameter with the ID of the NSG we created earlier. This associates the NSG with the Autonomous Database, thereby applying the specified ingress and egress rules.

- The `autonomous_db` object contains other parameters such as `cpu_core_count`, `data_storage_size_in_tbs`, `db_workload`, and `is_free_tier`, among others, that you can adjust based on your needs.

- We export the OCID (Oracle Cloud Identifier) of the Autonomous Database and NSG so they can be used or referenced elsewhere if needed.

Remember to replace placeholder values (e.g., compartment ID, VCN ID, database name) with appropriate values for your OCI environment.

By controlling the ingress and egress rules for your OCI Autonomous Database, you effectively add an additional layer of security to your database environment. As you continue to work with OCI and Pulumi, you can further refine these rules and apply more granular policies as per your organizational security requirements.