Controlling Ingress/Egress for OCI Autonomous Databases
Controlling ingress and egress for Oracle Cloud Infrastructure (OCI) Autonomous Databases is an important aspect of securing your database workloads. OCI provides Network Security Groups (NSGs), which act as a virtual firewall to control the traffic in and out of your Autonomous Database. An NSG holds a list of ingress and egress security rules that are applied to the database's private endpoint to restrict traffic based on source and destination IP addresses, protocols, and ports.
In a Pulumi program, we can create an Autonomous Database and associate it with an NSG by assigning the NSG's OCID to the database configuration. We'll first create an NSG with the necessary ingress and egress rules, and then we'll create an Autonomous Database that uses this NSG for network security.
Below is a step-by-step Pulumi Python program to create an OCI Autonomous Database with controlled ingress and egress, along with comments explaining each step.
```python
import pulumi
import pulumi_oci as oci

# Define the compartment where all resources will reside
compartment_id = "ocid1.compartment.oc1..your_compartment_id"

# Create a new Network Security Group (NSG) for the Autonomous Database.
# The NSG resource itself carries no rules; each rule is a separate
# NetworkSecurityGroupSecurityRule resource attached to the NSG below.
db_nsg = oci.core.NetworkSecurityGroup("dbNsg",
    compartment_id=compartment_id,
    display_name="autonomous-db-nsg",
    vcn_id="ocid1.vcn.oc1..your_vcn_id",  # Replace with your VCN OCID
)

# Ingress rule: allow TCP traffic to the SQL*Net listener port (1521)
db_nsg_ingress = oci.core.NetworkSecurityGroupSecurityRule("dbNsgIngress",
    network_security_group_id=db_nsg.id,
    direction="INGRESS",
    protocol="6",  # TCP protocol (IANA protocol number)
    source="0.0.0.0/0",  # Allow from any source IP; narrow this to your client CIDR
    source_type="CIDR_BLOCK",
    tcp_options=oci.core.NetworkSecurityGroupSecurityRuleTcpOptionsArgs(
        destination_port_range=oci.core.NetworkSecurityGroupSecurityRuleTcpOptionsDestinationPortRangeArgs(
            min=1521,  # Port used for the SQL*Net listener
            max=1521,
        ),
    ),
)
# Add any other specific ingress rules you need as further resources here

# Egress rule: allow TCP traffic to the HTTPS port (443)
db_nsg_egress = oci.core.NetworkSecurityGroupSecurityRule("dbNsgEgress",
    network_security_group_id=db_nsg.id,
    direction="EGRESS",
    protocol="6",  # TCP protocol
    destination="0.0.0.0/0",  # Allow to any destination IP; narrow this where possible
    destination_type="CIDR_BLOCK",
    tcp_options=oci.core.NetworkSecurityGroupSecurityRuleTcpOptionsArgs(
        destination_port_range=oci.core.NetworkSecurityGroupSecurityRuleTcpOptionsDestinationPortRangeArgs(
            min=443,  # Port used for HTTPS
            max=443,
        ),
    ),
)
# Add any other specific egress rules you need as further resources here

# Read the ADMIN password from Pulumi config as a secret so it is never
# committed to source control or stored in plain text in the state file:
#   pulumi config set --secret adminPassword '<strong unique password>'
config = pulumi.Config()
admin_password = config.require_secret("adminPassword")

# Create an Autonomous Database with the created NSG
autonomous_db = oci.database.AutonomousDatabase("autonomousDb",
    compartment_id=compartment_id,
    display_name="my-autonomous-database",
    db_name="myadb",  # Choose a unique database name
    admin_password=admin_password,
    cpu_core_count=1,  # Specify the CPU core count
    data_storage_size_in_tbs=1,  # Request storage in terabytes
    db_workload="OLTP",  # Choose the workload type (OLTP or DW)
    is_auto_scaling_enabled=True,  # Enable CPU auto-scaling
    is_free_tier=True,  # Use the Always Free tier if desired
    license_model="LICENSE_INCLUDED",
    # NSGs only apply to a database with a private endpoint, so the
    # database must be placed in a subnet of the same VCN as the NSG
    subnet_id="ocid1.subnet.oc1..your_subnet_id",  # Replace with your private subnet OCID
    nsg_ids=[db_nsg.id],  # Attach the NSG to this database
    # Other options can be specified according to your requirements
)

# Export the Autonomous Database's OCID and the NSG's OCID
pulumi.export("autonomous_database_ocid", autonomous_db.id)
pulumi.export("network_security_group_ocid", db_nsg.id)
```
In this program:

- We define a `NetworkSecurityGroup` with an ingress rule that allows incoming traffic on the SQL*Net listener port (1521) from any IP address and an egress rule that allows outgoing traffic on the HTTPS port (443) to any IP address. The `source` and `destination` values can be modified to restrict traffic to specific IP ranges.
- Next, we create an `AutonomousDatabase` and specify the `nsg_ids` parameter with the ID of the NSG we created earlier. This associates the NSG with the Autonomous Database's private endpoint, thereby applying the specified ingress and egress rules.
- The `autonomous_db` object contains other parameters such as `cpu_core_count`, `data_storage_size_in_tbs`, `db_workload`, and `is_free_tier`, among others, that you can adjust based on your needs.
- We export the OCID (Oracle Cloud Identifier) of the Autonomous Database and the NSG so they can be referenced elsewhere if needed.
Remember to replace placeholder values (e.g., compartment ID, VCN ID, database name) with appropriate values for your OCI environment.
By controlling the ingress and egress rules for your OCI Autonomous Database, you effectively add an additional layer of security to your database environment. As you continue to work with OCI and Pulumi, you can further refine these rules and apply more granular policies as per your organizational security requirements.
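The rules above are a starting point; the `0.0.0.0/0` source on the listener port in particular is the value most teams narrow first. The following is an added example, not part of the original program or of `pulumi_oci`: a small pre-deploy check that models NSG rules in the same shape (direction, protocol number, CIDR, TCP port range) and flags rules that expose the database listener too widely or open every port. The rule sets, the `/24` width threshold, and the `10.0.1.0/24` app-tier CIDR are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Minimal model of an OCI NSG security rule: for INGRESS the cidr is the
# source, for EGRESS it is the destination. port_min/port_max of None
# mean "all ports" (as when tcp_options is omitted). This is an added
# check, not a pulumi_oci type.
@dataclass
class NsgRule:
    name: str
    direction: str           # "INGRESS" or "EGRESS"
    protocol: str            # OCI protocol number as a string: "6" = TCP, "all" = any
    cidr: str
    port_min: Optional[int]
    port_max: Optional[int]

# Hypothetical policy thresholds: the listener port may only be reachable
# from a CIDR at least as narrow as /24, and no rule may open all ports.
LISTENER_PORTS = {1521}  # extend with any other listener ports you use
MAX_INGRESS_PREFIX_WIDTH = 24

def port_overlap(rule: NsgRule, ports) -> bool:
    """True when the rule's port range covers any of the given ports."""
    if rule.port_min is None or rule.port_max is None:
        return True  # no port restriction at all
    return any(rule.port_min <= p <= rule.port_max for p in ports)

def audit_rules(rules: List[NsgRule]) -> List[str]:
    """Return one finding per policy violation; an empty list means clean."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r.cidr, strict=False)
        if r.protocol == "all" or r.port_min is None or r.port_max is None:
            findings.append(f"{r.name}: {r.direction} rule allows all ports for {r.cidr}")
        if (r.direction == "INGRESS"
                and net.prefixlen < MAX_INGRESS_PREFIX_WIDTH
                and port_overlap(r, LISTENER_PORTS)):
            findings.append(
                f"{r.name}: listener port reachable from {r.cidr} "
                f"(/{net.prefixlen} is wider than /{MAX_INGRESS_PREFIX_WIDTH})")
    return findings

# Constructed rule sets: the first mirrors the program above, the second
# narrows the ingress source to an assumed application-tier subnet.
PAGE_RULES = [
    NsgRule("ingress-sqlnet-any", "INGRESS", "6", "0.0.0.0/0", 1521, 1521),
    NsgRule("egress-https-any", "EGRESS", "6", "0.0.0.0/0", 443, 443),
]
HARDENED_RULES = [
    NsgRule("ingress-sqlnet-app-tier", "INGRESS", "6", "10.0.1.0/24", 1521, 1521),
    NsgRule("egress-https-any", "EGRESS", "6", "0.0.0.0/0", 443, 443),
]

if __name__ == "__main__":
    for label, rules in (("as written", PAGE_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {audit_rules(rules) or ['no findings']}")
```

Run this over your rule definitions before `pulumi up` (or wire the same logic into a Pulumi CrossGuard policy) so that a widened CIDR or a dropped `tcp_options` block fails the pipeline instead of reaching the VCN.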