Securely Accessing Fusion Applications

Control network access to Fusion Applications.

Users can access Fusion Applications from the internet as long as they have valid user credentials. To further control access to your environment, Fusion Applications supports the following options:

  • Access Control List (ACL): Allow access to your environment only from selected public IPs (CIDRs) or virtual cloud networks (VCNs) using an Access Control List (ACL).
  • Access privately from on-premises networks: Allow access to your environment from your on-premises network without going through the internet.
  • Location-Based Access Control (LBAC): Allow users access to tasks and data based on their roles and computer IP addresses. This option is configured in the Fusion Applications Security Console by an administrator with the IT Security Manager role. For details, see Overview of Location-Based Access.

These options are not mutually exclusive and can be combined. For example, you can set up private access from an on-premises network and also provide access via the internet for selected IPs; or, you can enable LBAC with private access from on-premises.

Private Access from an On-Premises Network Overview

Fusion Applications allows you to set up private connectivity from your on-premises network to Fusion Applications. At a high level, this configuration involves:

  • Establishing a connection from your on-premises network to your VCN in OCI.
  • Configuring the VCN to prepare for connection between the OCI VCN and Fusion Applications.
  • Updating the Fusion Applications environment network settings.

Prerequisites for Private Access from On-Premises

To set up private access from an on-premises network to Fusion Applications on OCI, you must have the following:

  • A tenancy in Oracle Cloud Infrastructure (OCI), where your Fusion Applications environment is provisioned.
  • A Virtual Cloud Network (VCN) in your OCI tenancy.
  • A connection from your on-premises network to your VCN. There are two ways to connect from your on-premises network to your VCN in OCI: Site-to-Site VPN or FastConnect.
    • Site-to-site VPN: Provides a site-to-site IPSec connection between your on-premises network and your virtual cloud network (VCN). The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives. The instructions in this topic guide you through setting up Site-to-Site VPN. For complete details, see Site-to-Site VPN.
    • FastConnect: Provides a way to create a dedicated, private connection between your data center and OCI. FastConnect provides higher-bandwidth options, and a more reliable and consistent networking experience compared to internet-based connections. When connecting via FastConnect, BGP is the only option to exchange routes. See the FastConnect blog and documentation for information on setting it up.
  • Service limits that allow you to provision the VCN, and Site-to-Site VPN (previously called IPSec VPN) or FastConnect in your tenancy.

You can verify your limits in the Console as follows:

Open the navigation menu and click Governance & Administration. Under Tenancy Management, click Limits, Quotas and Usage.

Select the following from the Service list to view the limit:

  • Limits for Site-to-Site VPN: select VPN, view the limit for IPSec Connection Count.
  • Limits for VCN: select Virtual Cloud Network.
  • Limits for FastConnect: select Fast Connect.

To request a service limits increase, see Requesting a Service Limit Increase.

Steps to Set Up Private Connectivity Using Site-to-Site VPN

The following steps describe how to set up private connectivity using Site-to-Site VPN. Refer to the OCI Networking service documentation for each task, and use the specific values noted below.

Create a VCN and establish connection from your on-premises network to the VCN in OCI

  1. Create the virtual cloud network.

    To create the VCN, follow the instructions in the Networking service documentation: Creating a VCN. Ensure that the IPv4 CIDR block that you enter does not overlap with your on-premises network IP range.

  2. Connect the VCN to the on-premises network.

    In this step, you connect the VCN to your on-premises network using Site-to-Site VPN. To achieve the connection, you need to create and attach a Dynamic Routing Gateway (DRG) to the VCN and set up routing between the VCN and your on-premises network.

    1. Create a Dynamic Routing Gateway using the instructions in the topic Creating a DRG.
    2. Attach your VCN to the DRG using the instructions in the topic Attaching a VCN to a DRG.
  3. Follow the instructions in the topic Setting Up Site-to-Site VPN to set up your Customer-Premises Equipment and create the Site-to-Site VPN IPSec connection.
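
A way to check the non-overlap requirement from step 1 before creating the VCN, as an added example that is not part of the Oracle documentation. The on-premises ranges, the proposed CIDR and the supernet searched for a free block are constructed sample values.

```python
import ipaddress

# Constructed sample on-premises ranges (assumptions, not values from this page).
ON_PREM_RANGES = ["10.0.0.0/16", "10.1.0.0/17", "192.168.10.0/24"]


def overlapping_ranges(vcn_cidr, on_prem_cidrs):
    """Return every on-premises range that overlaps the proposed VCN CIDR."""
    vcn = ipaddress.ip_network(vcn_cidr)  # raises ValueError if host bits are set
    return [c for c in on_prem_cidrs if ipaddress.ip_network(c).overlaps(vcn)]


def first_free_block(supernet, prefix_len, on_prem_cidrs):
    """Return the first /prefix_len block inside supernet that overlaps no
    on-premises range, or None when every block in the supernet clashes."""
    used = [ipaddress.ip_network(c) for c in on_prem_cidrs]
    for candidate in ipaddress.ip_network(supernet).subnets(new_prefix=prefix_len):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    proposed = "10.1.64.0/20"  # constructed candidate VCN CIDR
    clashes = overlapping_ranges(proposed, ON_PREM_RANGES)
    if clashes:
        print(f"{proposed} overlaps on-premises ranges: {clashes}")
        print("suggested:", first_free_block("10.0.0.0/14", 20, ON_PREM_RANGES))
    else:
        print(f"{proposed} does not overlap any on-premises range")
```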

Configure the VCN to prepare for connection between the OCI VCN and Fusion Applications

To configure your VCN, perform the following steps:

  1. Add a Service Gateway (SGW) to the VCN and enable the gateway for the regional Oracle Services Network.

    Follow the instructions in the topic Access to Oracle Services: Service Gateway. Ensure that when making a selection from the Services list, you select All <region-code> Services in Oracle Services Network.

  2. Set up ingress routing for the DRG and Service Gateway.

    Set up the routing by creating a route table for the DRG attachment and adding a route rule to send inbound traffic from the on-premises network to the Service Gateway.

    To create the route table, follow the instructions in the topic Creating a VCN Route Table. Ensure that you make the following selections:

    • For Target Type, select Service Gateway.
    • For Destination, select All <region-code> Services in Oracle Services Network.
  3. Attach the route table to the DRG attachment.

    After the route table is created, navigate to the DRG you created earlier and select the route table you created in the previous step. For details on performing this task, see To associate a VCN route table with an existing DRG attachment.

  4. Create a route table for the Service Gateway.

    The route table for the Service Gateway routes response traffic from the Fusion Applications service to your on-premises network through the DRG.

    To create the route table, follow the instructions in the topic Creating a VCN Route Table. Ensure that you make the following selections:

    • For Target Type, select Service Gateway.
    • For Destination, select All <region-code> Services in Oracle Services Network.
  5. Attach the route table to the Service Gateway.

    For details, see Associating a Route Table with an Existing Service Gateway.

Update the Fusion Applications environment network settings

In the final steps, update your Fusion Applications environment to allow private traffic from your VCN. To block access from the public internet, you must ensure that no other public IPs are added to the Fusion Applications environment access control list.

Additionally, Fusion Applications uses Content Delivery Network (CDN)-based caching to deliver content faster to users. You must disable content acceleration to prevent caching.

Create the access control rule to allow only your VCN:

  1. Navigate to the environment: On the Applications tab of the Console, click Fusion Applications. On the Overview page, find the environment family for the environment, and then click the environment name.
  2. On the environment details page, under Resources, click Networking.
  3. Click Create rule.
  4. For IP notation type, select Virtual Cloud Network, then in the next field select your VCN.
  5. Click Create rule.

Disable the internet cache (Content Acceleration):

  1. Still under Networking, click the Content acceleration tab.
  2. Click Edit.
  3. Set the Internet cache switch to disabled.
  4. Click Save changes.
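
A review of the resulting network settings against the private-only goal described above, as an added example that is not Oracle code. The settings dictionary is a hypothetical hand-written transcription of what the Networking page shows, not an OCI API schema, and the VCN identifier is a constructed placeholder.

```python
# Hypothetical record of the environment's Networking page (constructed sample).
EXPECTED_VCN = "ocid1.vcn.oc1..exampleuniqueid"  # placeholder identifier
SAMPLE_SETTINGS = {
    "rules": [
        {"type": "cidr", "value": "203.0.113.0/24"},  # leftover public CIDR rule
        {"type": "vcn", "value": EXPECTED_VCN},
    ],
    "internet_cache_enabled": True,
}


def audit_private_only(settings, expected_vcn):
    """Return findings that break the private-only setup: any public CIDR
    rule, an unexpected or missing VCN rule, or the internet cache left on."""
    findings = []
    rules = settings.get("rules", [])
    if not rules:
        # With no access control rule, any user with valid credentials can
        # reach the environment from the internet.
        findings.append("no access control rules: reachable from the internet")
    for rule in rules:
        if rule["type"] == "cidr":
            findings.append(f"public CIDR rule {rule['value']} allows internet access")
        elif rule["type"] == "vcn" and rule["value"] != expected_vcn:
            findings.append(f"unexpected VCN rule {rule['value']}")
    if rules and not any(
        r["type"] == "vcn" and r["value"] == expected_vcn for r in rules
    ):
        findings.append("rule for the expected VCN is missing")
    # Assumption: a missing value is treated as enabled so the check fails closed.
    if settings.get("internet_cache_enabled", True) is not False:
        findings.append("internet cache (content acceleration) is not disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_private_only(SAMPLE_SETTINGS, EXPECTED_VCN):
        print("FINDING:", finding)
```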

Location-Based Access Control (LBAC) with Private On-Premises Connectivity

LBAC is another feature that Fusion Applications provides to control user access to tasks and data based on their roles and computer IP addresses.

LBAC is configured in the Fusion Applications Security Console. To enable location-based access and make a role public, you must have the IT Security Manager role. You can make a role public only when location-based access is enabled. To enable location-based access, you must register the IP addresses of computers from which the users usually sign in to the application. You can find the details and how to enable and disable LBAC at Overview of Location-Based Access.

To configure LBAC with private on-premises connectivity, you must also open a Support Request (SR) with Fusion Applications Customer Support to have the feature enabled.