Configuring Network Settings

Overview

Purpose

This tutorial covers Configuring Network Settings for a DBaaS Instance in the Oracle Database Cloud Service.

Time to Complete

Approximately 15 minutes.

Introduction

In this tutorial, you learn how to view and configure the network settings using the Oracle Compute Cloud Service Console.

Prerequisites

Before starting this tutorial, you should have completed the Signing Up for a Database Cloud Service and Creating a Database Cloud Service (DBaaS) Instance tutorials.

Software Requirements

  • You need one of the supported browsers listed in the following table:

    Browser                        Version
    Microsoft Internet Explorer    9 or 10; set Browser Mode to IE9 or IE10
    Mozilla Firefox                24 and later
    Google Chrome                  29 and later
    Apple Safari                   6

    Note: This release does not support mobile browsers.

Viewing Network Settings Using the Oracle Compute Cloud Service Console

Log in to the Oracle Cloud My Services (DBaaS) console using the credentials provided by your Oracle Cloud account administrator. For details on accessing the console, see the documentation on Accessing the Database Cloud Service (DBaaS) Console.

  • Your administrator may provide you a link to the My Services console, from which you can choose Oracle Compute Cloud Service (DBaaS).
  • Or, your administrator may provide you a direct link to the Oracle Database Cloud Service (DBaaS) console.
  1. From the Oracle Cloud My Cloud service, click the Consoles tab at the upper right of the page and then select Oracle Compute Cloud Service from the drop-down menu. This will display the Oracle Compute Cloud Services console.

    The console menu is open showing the Cloud Compute console highlighted

  2. On the Oracle Compute Cloud Services Overview page, select the Network tab near the top right of the page.

    Compute Cloud Console Header with Network tab highlighted

  3. On the Network page, observe the tabs along the right side of the page. These tabs are the object types that are used to control the network settings. The Access Rules tab is selected. The other tabs direct you to pages for Network Groups, Protocols, IP List, and Public IPs. These objects work together to let you tailor network access to your needs. Access rules control communication in the domain for packets going from a source to a destination using a particular port. Sources and destinations are defined by a Network Group or an IP List. The port is defined by a Protocol. In the next steps you will view each of the object types.

    Compute Cloud console, with Network tab selected, emphasizing the right hand tabs


  4. The Access Rules tab displays the Access Rules that are applied over the entire domain. In the image below, several access rules are displayed; only the one with the arrow is enabled. An enabled rule allows the protocol from the source to the destination; it also allows responses from the destination to the source when the connection is initiated by the source. Note: The Protocol defines the port used, Source can specify either an IP List or a Network Group, and Destination specifies a Network Group.

    Access Rules page without navigation panels. Arrow pointing to ora_p2_ssh rule, the only one enabled.

  5. The menu icon associated with each Access Rule allows you to Update (modify), or Delete the rule.

    One Access rule with menu Icon selected showing Update or Delete

  6. When Network Groups is selected, the list of network groups is displayed. The red box highlights the various Policies that may be defined. Inbound Policy is for communication that originates outside the network group; Outbound Policy is for communication originating inside the network group. The Policies are blanket rules. Access Rules override network group policies. For example, the default network group allows outbound communication but denies inbound. If an access rule allows ssh connections from the internet to the default network group, any machine on the internet could establish an ssh connection to any DBaaS instance in the default group, within the restrictions of the ssh server configuration. The DENY option drops the packet with no acknowledgement, REJECT refuses the packet and acknowledges it, and PERMIT passes the packet to the application. DBaaS instances may be assigned to one or more network groups. When more than one network policy could be applied, the most restrictive policy is used. Note: By default each DBaaS instance is assigned to its own Network Group on creation.

    Network Groups page

  7. Click the Protocols tab on the left side of the page. The search field has been used to limit the listing to Protocols associated with the NFDBA instance. This instance was created in this domain as an example. The name of your DBaaS instance will be different. Notice there are 6 protocols created. These are the protocols created by default for every instance. Each protocol is named. The names of the default protocols are associated with the application the protocol services. Each protocol is for a port, an application, and a network protocol such as tcp or udp.

    Network page: Protocols tab: displays the protocols set for the NFDBA instance.


  8. Click IP List on the left side of the page. A list of all the defined IP lists will be shown. Notice the predefined IP lists do not have a menu icon to the right, so they cannot be modified. The example list uses a subnet mask to include all the IP addresses in the mask range without having to specify each one. Notice that the IP list may also be made up of a set of comma-separated addresses.
     
    Network page with IP List tab selected displaying various defined IP lists


  9. Click Public IPs. The IP addresses that have been reserved for your public use are shown. The menu icon to the right of the ipreservation will allow you to: remove an instance from the IP address (Remove Instance), associate an instance with an IP address (Update), and delete the public IP address (Delete).  

    Network Page with Public IPs tab selected, showing the reserved IP addresses.

Configure Network Settings

In this section you will create an access rule to allow https access from 3 machines on the internet to the TESTJFV instance. You will first create the components required for the access rule, then create the access rule itself.

Create an IP List

  1. An IP_list or a network group is required to specify the source of an Access Rule. We will create an IP_list to specify certain machines on the internet. On the Network page of the Oracle Compute Cloud Services console, click the IP List tab on the left side of the page.

    Network page, IP lists selected, Create IP List Highlighted

  2. Click Create IP List. The Create IP List dialog appears.

    Create IP List dialog

  3. In the Create IP List dialog, enter:
    • Name: demo_list
    • List of IP addresses: 192.0.2.50,192.0.2.51,192.0.2.141
    • Description: "Demonstration IP list with example IP addresses"
    and then click Create.

    Create IP List dialog with list values. Create button highlighted

  4. The IP List, Demo_list, appears in the IP List page with a confirmation message.

    IP list view showing the Demo_list and confirmation message

Create a Network Group

  1. A Network Group is required for the destination portion of the access rule. Since the TESTJFV instance is the only instance to which we wish to open the https protocol, we must create a network group for this instance and assign the TESTJFV instance to the group. To reduce the complexity of rule evaluations, we will also remove TESTJFV from any other network groups that may exist. On the Network page, click the Network Groups tab on the left.

    Network Page, Network groups tab partial view

  2. Click the Create Network Group button in the upper right of the page.

    Network page network groups tab, partial focus on Create Network Groups button  

  3. In the Create Network Group dialog, enter the requested information:
    • Name: demo_group
    • Inbound Policy: Deny
    • Outbound Policy: Permit
    These policy settings do not allow any connections from other machines outside the network group.
    Click Create.

    Create Network group dialog, with fields completed

  4. The Network Groups page is displayed with a confirmation message that the demo_group was created.

    Network groups page showing a confirmation message and the demo_group entry

  5. The TESTJFV instance will be added to the demo_group and removed from all other network groups in the next step.

Add and Remove an Instance from Network Groups

  1. On the Compute Cloud Service console, click Overview.

    Compute Cloud Service console header, with the Overview tab highlighted.

  2. On the Overview page, with the Instances tab (on the left side) selected, click the instance that you wish to modify. In our example, it is TESTJFV.

    Partial view of TESTJFV detail page, in Compute Cloud Services console

  3. Scroll down to the Network Groups section, click the menu icon, and select Remove.

    Partial view of TESTJFV details showing network groups, and menu selection

  4. A confirmation message appears. Click Yes.

    network group remove instance from network group

  5. In the Network Groups section of the Instance details page, click Add to Network Group.

    Network Groups section with Add to Network Group button highlighted

  6. In the Add to Network Group dialog, use the pull-down to find and select the demo_group.

    Add to Network Group dialog with pull-down shown and demo_group highlighted

  7. Then click Attach.

    Add to Network Group dialog Attach button highlighted

  8. The Instance Details page is displayed, and the TESTJFV instance now is associated with the demo_group.

    Instance Details page Network Groups section

Create a Protocol

  1. Create a Protocol to allow https to port 443. Click the Network tab in the Compute Cloud Service console header. Note: A protocol for this port already exists; this protocol is created for demonstration purposes.

    compute cloud console header with network tab selected

  2. Click the Protocols tab on the left side of the page.

    Compute Cloud Service console, with Protocols tab selected; a few protocols are displayed in this partial screenshot

  3. Click Create Protocol in the upper right of the Protocols pane.

    Protocols pane with Create Protocol button emphasized

  4. In the Create Protocol dialog, enter the required information:
    • Name: https_access_443
    • Port Type: tcp
    • Port Range Start: 443
    • Description: permit access to https on port 443 when enabled.
    Then click Create.

    Create Protocol dialog with information entered

  5. Confirmation message appears in the protocols pane.

    Protocols pane confirmation message

  6. Scroll down or search for the https_access_443 protocol. In the example a search is shown. Notice that from this page the menu only allows Delete of the Protocol.

    Protocols pane with https in search box and menu icon selected


Creating an Access Rule

  1. In the Compute Cloud Service console, on the Network page, click the Access Rules tab on the right side.

    Compute Cloud Service console with Network page and Access Rules selected

  2. Click the Create Access Rule button in the upper right of the Access Rules pane.

    Access Rules pane with Create Access Rule button being selected

  3. In the Create Access Rule dialog, enter the information to allow access:
    • Name: Https_access_Demo
    • Status: Enabled
    • Protocol: https_access_443
    • Source: IP Lists, Demo_list
    • Destination: demo_group
    • Description: Allow access through https from machine listed in Demo_list to demo_group.
    Click Create.

    Create Access Rule dialog with information entered, and Create button highlighted

  4. In the Access Rules pane, a confirmation message appears.

    Access Rules pane showing confirmation message

  5. Enter Https_access in the search field and click the Search icon.

    Access Rules pane showing result of search

  6. Because the Access Rule is enabled and takes precedence over the Network Group policies, any machine in the Demo_list can initiate an https connection to any machine in the demo_group using port 443.
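
The evaluation order this tutorial describes (an enabled access rule overrides the network group's inbound policy; otherwise the most restrictive group policy applies) can be modeled offline to check which sources a rule actually admits. This is an added example, not Oracle code or a console API: the function and class names, the DENY > REJECT > PERMIT restrictiveness ordering, and the treatment of IP list entries as addresses or CIDR subnets are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Restrictiveness order for combining group policies (assumed: DENY > REJECT > PERMIT).
RANK = {"PERMIT": 0, "REJECT": 1, "DENY": 2}

@dataclass
class AccessRule:
    name: str
    enabled: bool
    protocol: tuple      # (transport, port), e.g. ("tcp", 443)
    source: list         # IP list entries: single addresses or CIDR subnets
    destination: str     # network group name

def in_ip_list(addr, entries):
    """True if addr matches any entry; entries may be addresses or subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

def evaluate_inbound(src, transport, port, instance_groups, inbound_policy, rules):
    """Return (action, reason) for a connection from src to an instance."""
    for r in rules:
        if (r.enabled and r.protocol == (transport, port)
                and r.destination in instance_groups
                and in_ip_list(src, r.source)):
            return "PERMIT", r.name   # an enabled access rule overrides group policy
    # No rule matched: the most restrictive inbound policy of the groups applies.
    worst = max((inbound_policy[g] for g in instance_groups), key=RANK.get)
    return worst, "group policy"

# Objects created in this tutorial (TESTJFV is a member of demo_group only).
DEMO_LIST = ["192.0.2.50", "192.0.2.51", "192.0.2.141"]
POLICY = {"demo_group": "DENY"}
RULES = [AccessRule("Https_access_Demo", True, ("tcp", 443), DEMO_LIST, "demo_group")]

def demo():
    """Evaluate three constructed connection attempts against TESTJFV."""
    cases = [("192.0.2.50", "tcp", 443),   # listed source, allowed port
             ("192.0.2.99", "tcp", 443),   # source not in Demo_list
             ("192.0.2.50", "tcp", 22)]    # listed source, port not covered
    return [evaluate_inbound(s, t, p, ["demo_group"], POLICY, RULES)
            for s, t, p in cases]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the same function against a broader IP list entry (a subnet instead of three addresses) shows how many additional sources a single rule change would admit before the change is made in the console.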

Summary

    You can configure network access to DBaaS instances using the Compute Cloud Service console.
    In this tutorial, you learned to:
    • View the components of the Network configuration settings.
    • Create the various components required to create an Access Rule.
