Configuring VCN Security Rules for File Storage

Before you can mount a file system, you must configure security rules to allow traffic to the mount target's VNIC using specific protocols and ports. Security rules enable traffic for the following:

  • Open Network Computing Remote Procedure Call (ONC RPC) rpcbind utility protocol
  • Network File System (NFS) protocol
  • Network File System (MOUNT) protocol
  • Network Lock Manager (NLM) protocol
  • LDAPS protocol (if using NFS v.3 Kerberos authentication or LDAP for authorization)
  • DNS protocol (if using customer-managed DNS)

File Storage Security Rule Scenarios

There are several basic scenarios that require different security rules for File Storage:

Scenario A: Mount target and instance in different subnets (recommended)
Tip

Use separate subnets for mount targets and instances to avoid instance creation failures due to IP address allocation for mount targets.

In this scenario, the mount target that exports the file system is in a different subnet than the instance you want to mount the file system to. Security rules must be configured for both the mount target and the instance either in a security list for each subnet, or a network security group (NSG) for each resource.

Set up the following the following security rules for the mount target. Specify the instance IP address or CIDR block as the source for ingress rules and the destination for egress rules:

  • Stateful ingress from ALL ports in the source instance CIDR block to TCP ports 111, 2048, 2049, and 2050.
  • Stateful ingress from ALL ports in the source instance CIDR block to UDP ports 111 and 2048.
  • Stateful egress from TCP ports 111, 2048, 2049, and 2050 to ALL ports in the destination instance CIDR block.
  • Stateful egress from UDP port 111 ALL ports in the destination instance CIDR block.
Important

Oracle recommends that NFS clients be limited to reserved ports. To do this, set the Source Port range to 1-1023. You can also set export options for a file system to require clients to connect from a privileged source port. For more information, see Working with NFS Exports and Export Options.

Next, set up the following security rules for the instance. Specify the mount target IP address or CIDR block as the source for ingress rules and the destination for egress rules:

  • Stateful ingress from source mount target CIDR block TCP ports 111, 2048, 2049, and 2050 to ALL ports.
  • Stateful ingress from source mount target CIDR block UDPport 111 to ALL ports.
  • Stateful egress from ALL ports to destination mount target CIDR block TCP ports 111, 2048, 2049, and 2050.
  • Stateful egress from ALL ports to destination mount target CIDR block UDP ports 111 and 2048.

Here's an example of the rules for Scenario B set up in security list rules for the instance and mount target. This example shows rules for specific source and destination CIDR blocks.

Ingress rules for the mount target's NSG or subnet security list. The instance CIDR block 10.0.0.0/24 is the source:

This image shows ingress rules for the mount target subnet or NSG in scenario B.

Egress rules for the mount target's NSG or subnet security list. The instance CIDR block 10.0.0.0/24 is the destination:

This image shows egress rules for the mount target subnet or NSG in scenario B.

Ingress rules for the instance's NSG or subnet security list. The mount target CIDR block 10.0.1.0/24 is the source:

This image shows ingress rules for the instance subnet or NSG in scenario B.

Egress rules for the instance's NSG or subnet security list. The mount target CIDR block 10.0.1.0/24 is the destination:

This image shows egress rules for the instance subnet or NSG in scenario B.

Using a Security List

Security lists are associated with subnets. If you use security lists to set up your security rules, you need to set up the mount target rules in the mount target subnet, and the instance rules in the instance subnet. You can add the rules to the default security list for each subnet, or create new security lists.

Using a network security group (NSG)

Another method for applying security rules is to set them up in a network security group (NSG), and then add the mount target and instance to the NSG. Unlike security list rules that apply to all VNICs in the subnet, NSGs apply only to resource VNICs you add to the NSG.

See Ways to Enable Security Rules for File Storage for an overview of these methods and instructions about how to use them to set up security rules.

Scenario B: Mount target and instance in the same subnet

In this scenario, the mount target that exports the file system is in the same subnet as the instance you want to mount the file system to.

  • Stateful ingress from ALL ports in source CIDR block to TCP ports 111, 2048, 2049, and 2050.
  • Stateful ingress from ALL ports in source CIDR block to UDP ports 111 and 2048.
  • Stateful egress from TCP  ALL ports to ports 111, 2048, 2049, and 2050 in destination CIDR block.
  • Stateful egress from UDP  ALL ports to port 111 in destination CIDR block.
Important

Oracle recommends that NFS clients be limited to reserved ports. To do this, set the Source Port range to 1-1023. You can also set export options for a file system to require clients to connect from a privileged source port. For more information, see Working with NFS Exports and Export Options.

Here's an example of the rules for Scenario A set up for a single subnet that contains both the mount target and the instance. In this example, both the mount target and the instance are in CIDR block 10.0.0.0/24:

This image shows ingress rules for scenario A.

This image shows egress rules for scenario A.

Using a security list

Security lists are associated with subnets. You can set up the required security rules in the default security list for the mount target subnet, or create a new security list. Security list rules apply to all resources in the subnet.

Using a network security group (NSG)

Another method for applying security rules is to set them up in a network security group (NSG), and then add the mount target to the NSG. Unlike security list rules that apply to all VNICs in the subnet, NSGs apply only to the resource VNICs you add to the NSG.

See Ways to Enable Security Rules for File Storage for an overview of these methods and instructions about how to use them to set up security rules.

Scenario C: Mount target and instance use TLS in-transit encryption

In this scenario, in-transit encryption secures your data between instances and mounted file systems using TLS v.1.2 (Transport Layer Security) encryption. See Using In-transit TLS Encryption for more information.

You can limit the source or destination to the IP address or CIDR block of your choice. Alternatively, you can allow traffic from all sources or destinations.

Set up the following security rules for the mount target:

  • Stateful ingress from ALL ports in the source CIDR block to TCP port 2051.
  • Stateful egress from TCP port 2051 to ALL ports in the destination CIDR block.

This image shows ingress rules for the mount target subnet or NSG in scenario C.

This image shows egress rules for the mount target subnet or NSG in scenario C.

Using a security list

Security lists are associated with subnets. You can set up the required security rules in the default security list for the mount target subnet, or create a new security list. Security list rules apply to all resources in the subnet.

Using a network security group (NSG)

Another method for applying security rules is to set them up in a network security group (NSG), and then add the mount target to the NSG. Unlike security list rules that apply to all VNICs in the subnet, NSGs apply only to resource VNICs you add to the NSG.

See Ways to Enable Security Rules for File Storage for an overview of these methods and instructions about how to use them to set up security rules.

Scenario D: Mount target uses LDAP for authorization

In this scenario, traffic between a mount target and the LDAPS port of an LDAP server is allowed.

You can limit the source to the IP address of the mount target and the destination IP address to your LDAP server's subnet.

Set up the following security rules for the mount target:

  • Stateful egress from TCP ALL ports to LDAP server IP (or corresponding CIDR) port 636.
    Note

    This rule assumes LDAPS uses the default port of 636. Change this value if your LDAP server is using a different port.

If using a customer-managed DNS server, the mount target also needs the following security rules:

  • Stateful egress from TCP ALL ports to DNS server IP (or corresponding CIDR) port 53.
  • Stateful egress from UDP ALL ports to DNS server IP (or corresponding CIDR) port 53.

Using a security list

Security lists are associated with subnets. You can set up the required security rules in the default security list for the mount target subnet, or create a new security list. Security list rules apply to all resources in the subnet.

Using a network security group (NSG)

Another method for applying security rules is to set them up in a network security group (NSG), and then add the mount target to the NSG. Unlike security list rules that apply to all VNICs in the subnet, NSGs apply only to resource VNICs you add to the NSG.

See Ways to Enable Security Rules for File Storage for an overview of these methods and instructions about how to use them to set up security rules.

Ways to Enable Security Rules for File Storage

The Networking service offers two virtual firewall features that both use security rules to control traffic at the packet level. The two features are:

Important

You can use security lists alone, network security groups alone, or both together. It depends on your particular security needs.

If you choose to use both security lists and network security groups, the set of rules that applies to a given mount target VNIC is the combination of these items:

  • The security rules in the security lists associated with the VNIC's subnet
  • The security rules in all NSGs that the VNIC is in

It doesn't matter which method you use to apply security rules to the mount target VNIC, as long as the ports for protocols necessary for File Storage are correctly configured in the rules applied.

See Security Rules, Security Lists, and Network Security Groups for more information, examples, and scenarios about how these features interact in your network. Networking Overview provides general information about networking. See About File Storage Security for information about how security rules work with other types of security in File Storage.

Required IAM Service Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy  by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment  to work in.

For administrators: The policy in Let network admins manage a cloud network covers management of all networking components, including security lists and NSGs. See the Policy Reference for more information.

If you're new to policies, see Getting Started with Policies and Common Policies.

Using the Console

Setting Up Required Rules in a Security List

You can add the required rules to a pre-existing security list associated with a subnet, such as the default security list that is created along with the VCN. See Creating a Security List for more information.

To add required rules to a security list
  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. In the Scope section, select the compartment that contains the VCN the subnet is in.

  3. Click the name of the VCN.
  4. On the details page for the cloud network, in Resources, and then click Security Lists.
  5. Click the name of the security list used by the subnet.
  6. In Resources, click Ingress Rules.
  7. Click Add Ingress Rules.

    • Specify that it's a stateful rule by leaving the check box clear. (For more information about stateful and stateless rules, see Stateful Versus Stateless Rules). By default, rules are stateful unless you specify otherwise.
    • To allow traffic from the subnet of the cloud network, click Source Type, choose CIDR, and then enter the CIDR block for the subnet. For example, 10.0.0.0/24.
    • Click IP Protocol, and then choose the protocol. For example, TCP.
    • In Source Port Range, specify the range of ports that you want to allow traffic from. Alternatively, accept the default of All to allow traffic from any source port.

    • Click Destination Port Range, and then enter individual ports or a port range. For example, 2048-2050.
  8. Click + Additional Ingress Rule to create more ingress rules.
  9. When you're done, click Add Ingress Rules.
  10. Next, create the egress rules. In Resources, click Egress Rules.
  11. Click Add Egress Rules.

    • Specify that it's a stateful rule by leaving the check box clear.
    • Click Destination Type, choose CIDR, and then enter the CIDR block for the subnet. For example, 10.0.0.0/24.
    • Click IP Protocol, and then choose the protocol. For example, TCP.
    • In Source Port Range, and then enter individual ports or a port range. For example, 2048-2050.

    • In Destination Port Range, accept the default of All to allow traffic to any destination port.
  12. Click + Additional Egress Rule to create more egress rules.
  13. When you're done, click Add Egress Rules.

Setting Up Required Rules in a Network Security Group (NSG)

The general process for setting up NSGs that work with File Storage is:

  1. Create an NSG with the required security rules. (Alternatively, you can add them to a previously existing NSG.)
  2. Add the mount target (or more specifically, the mount target's VNIC) to the NSG. You can do this when you create the mount target, or you can update the mount target and add it to one or more NSGs that contain the required security rules.
  3. If you're setting up Scenario A: Mount target and instance in different subnets (recommended), you'll have to add both the mount target and instance to an NSG that contains the required security rules.
To create an NSG with the required security rules

Prerequisite: Become familiar with the parts of security rules.

  1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Network Security Groups.
  4. Click Create Network Security Group.
  5. Enter the following:

    • Name: A descriptive name for the network security group. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
    • Create in Compartment: The compartment where you want to create the network security group, if different from the compartment you're currently working in.
    • Show Tagging Options: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
  6. Click Next.

  7. Enter ingress rules.

    • Specify that it's a stateful rule by leaving the check box clear. (For more information about stateful and stateless rules, see Stateful Versus Stateless Rules). By default, rules are stateful unless you specify otherwise.
    • In Direction, choose Ingress.
    • To allow traffic from the subnet of the cloud network, click Source Type, choose CIDR, and then enter the CIDR block for the subnet. For example, 10.0.0.0/24.
    • Click IP Protocol, and then choose the protocol. For example, TCP.
    • In Source Port Range, specify the range of ports that you want to allow traffic from. Alternatively, accept the default of All to allow traffic from any source port.

    • Click Destination Port Range, and then enter individual ports or a port range. For example, 2048-2050.
  8. Click + Another Rule to create more ingress rules.
  9. Enter egress rules.

    • Specify that it's a stateful rule by leaving the check box clear.
    • In Direction, choose Egress.
    • Click Destination Type, choose CIDR, and then enter the CIDR block for the subnet. For example, 10.0.0.0/24.
    • Click IP Protocol, and then choose the protocol. For example, TCP.
    • In Source Port Range, and then enter individual ports or a port range. For example, 2048-2050.

    • In Destination Port Range, accept the default of All to allow traffic to any destination port.
  10. Click + Another Rule to create more egress rules.
  11. When you're done, click Create.
To add a mount target to an NSG
  • When creating a mount target along with a file system: See Creating a File System.
  • When creating only the mount target: See Creating a Mount Target.
  • For an existing mount target:

    1. Open the navigation menu and click Storage. Under File Storage, click Mount Targets.
    2. In the List Scope section, select a compartment.

    3. Find the mount target you're interested in, click the Actions menu (Actions Menu), and then click View Mount Target Details.

    4. In the Mount Target Information tab, click the Edit link next to Network Security Groups.

    5. Select a Compartment and NSG from the list.
    6. Click Save.
To add an instance to an NSG

See Adding or Removing a Resource from an NSG for instructions on how to add an instance to an NSG.