There are several ways you can control security for your cloud network and compute instances:
- Public vs. private subnets: You can designate a subnet to be private, which means instances in the subnet cannot have public IP addresses. For more information, see Public vs. Private Subnets.
- Security lists: To control packet-level traffic in/out of an instance. You configure security lists in the Oracle Cloud Infrastructure API or Console. For more information about security lists, see Security Lists.
- Firewall rules: To control packet-level traffic in/out of an instance. You configure firewall rules directly on the instance itself. Note that Oracle Cloud Infrastructure images that run Oracle Linux automatically include default rules that allow ingress on TCP port 22 for SSH traffic. Also, the Windows images include default rules that allow ingress on TCP port 3389 for Remote Desktop access. For more information, see Oracle-Provided Images.

  Important: Firewall rules and security lists both operate at the instance level. However, you configure security lists at the subnet level, which means all instances in a given subnet have the same set of security list rules. Keep this in mind when setting up security for your cloud network and instances. When troubleshooting access to an instance, make sure both the security lists associated with the instance's subnet and the instance's firewall rules are set correctly.

  If your instance is running Oracle Linux 7, you need to use firewalld to interact with the iptables rules. For your reference, here are the commands for opening a port (1521 in this example):

      sudo firewall-cmd --zone=public --permanent --add-port=1521/tcp
      sudo firewall-cmd --reload
- Gateways and route tables: To control general traffic flow from your cloud network to outside destinations (the internet, your on-premises network, or another VCN). You configure your cloud network's gateways and route tables in the Oracle Cloud Infrastructure API or Console. For more information about the gateways, see Networking Components. For more information about route tables, see Route Tables.
- IAM policies: To control who has access to the Oracle Cloud Infrastructure API or Console itself. You can control the type of access, and which cloud resources can be accessed. For example, you can control who can set up your network and subnets, or who can update route tables or security lists. You configure policies in the Oracle Cloud Infrastructure API or Console. For more information, see Access Control.
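As an added illustration of the troubleshooting point under Firewall rules above (this is not Oracle's code), the following Python model evaluates a connection against both layers, the subnet's security list and the instance's own firewall, and names whichever layer blocks it. The ingress rules, addresses and open-port entries are constructed sample data; the open-port strings mirror the form `firewall-cmd --zone=public --list-ports` prints, such as `22/tcp` or `5000-5100/tcp`.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class IngressRule:
    """One security list ingress rule: allow `protocol` from `source` CIDR to ports lo..hi."""
    source: str
    protocol: str
    port_lo: int
    port_hi: int

    def allows(self, src_ip: str, protocol: str, port: int) -> bool:
        return (self.protocol == protocol
                and self.port_lo <= port <= self.port_hi
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source))

def security_list_allows(rules, src_ip, protocol, port):
    """Subnet layer: any matching ingress rule in the security list admits the packet."""
    return any(r.allows(src_ip, protocol, port) for r in rules)

def firewalld_allows(open_ports, protocol, port):
    """Instance layer: open_ports holds entries in the form firewall-cmd prints them,
    e.g. "22/tcp" for a single port or "5000-5100/tcp" for a range."""
    for entry in open_ports:
        ports, proto = entry.split("/")
        lo, _, hi = ports.partition("-")
        if proto == protocol and int(lo) <= port <= int(hi or lo):
            return True
    return False

def check_access(rules, open_ports, src_ip, protocol, port):
    """Return (reachable, blocking_layers): both layers must allow the connection."""
    blocked = []
    if not security_list_allows(rules, src_ip, protocol, port):
        blocked.append("security list (subnet)")
    if not firewalld_allows(open_ports, protocol, port):
        blocked.append("firewall rules (instance)")
    return (not blocked, blocked)

# Constructed sample data for a hypothetical subnet and instance (not real resources).
SECURITY_LIST = [IngressRule("0.0.0.0/0", "tcp", 22, 22),        # SSH from anywhere
                 IngressRule("10.0.0.0/16", "tcp", 1521, 1521)]  # DB listener from the VCN
DEFAULT_OPEN_PORTS = {"22/tcp"}  # what the Oracle Linux image's default rules open

if __name__ == "__main__":
    # Security list admits 10.0.1.5 -> 1521, but the instance firewall has not opened it yet.
    print(check_access(SECURITY_LIST, DEFAULT_OPEN_PORTS, "10.0.1.5", "tcp", 1521))
    # After the firewall-cmd commands shown above have added 1521/tcp, both layers allow it.
    print(check_access(SECURITY_LIST, DEFAULT_OPEN_PORTS | {"1521/tcp"}, "10.0.1.5", "tcp", 1521))
```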