Cloud-Specific Firewall Information
OCI Firewall Information
Access to an OCI cloud instance can be controlled by
- an external firewall,
- the operating system firewall of the instance (see Installing the VE License Server and the Charon Emulator Packages),
- the security list of the subnet to which the instance belongs, and
- VNIC-specific Network Security Groups.
The different firewall levels must be configured to permit at least TCP port 8083 to enable a license client to access a VE license server. If the web interface is to be used, TCP port 8084 must also be allowed.
Security Lists
Security lists form the original type of virtual firewall offered by the Oracle cloud network service.
A security list acts as a virtual firewall for an instance. It has ingress and egress rules that specify the types of traffic allowed in and out. Security lists are defined at the subnet level. Therefore, all VNICs in a given subnet are subject to the same set of security lists.
You can associate multiple security lists with a subnet. Each list can have multiple rules. Traffic is allowed if any rule in any of the lists allows the traffic. Traffic is also allowed if it is the response traffic of a permitted tracked connection.
If you don't specify one or more other security lists during the creation of a subnet, a default security list will be associated with it.
Please see the relevant Oracle documentation for more information and configuration details.
Network Security Groups
Network Security Groups (or NSGs) form another type of virtual firewall. Unlike a security list, an NSG does not apply to all VNICs in a subnet, but is assigned to specific VNICs connected to the subnet. This allows a more granular access control. By default, no NSG is assigned to a VNIC.
Please see the relevant Oracle documentation for more information and configuration details.
Please note: Traffic is allowed if any rule in any of the relevant lists and groups allows the traffic. Traffic is also allowed if it is the response traffic of a permitted tracked connection. In addition to allowing SSH access, at least TCP port 8083 must be allowed to enable a license client to access a VE license server. If the web interface is to be used, TCP port 8084 must also be allowed.
AWS Firewall Information
Access to an AWS cloud instance can be controlled by
- an external firewall,
- the operating system firewall of the instance,
- AWS security groups, and
- AWS network ACLs.
In addition to allowing SSH access, the different firewall levels must be configured to permit at least TCP port 8083 to enable a license client to access a VE license server. If the web interface is to be used, TCP port 8084 must also be allowed.
Network ACLs
A network ACL applies to a subnet as a whole. Only one network ACL per subnet is allowed. The rules in a network ACL are stateless (i.e., return traffic must be explicitly allowed). Rules are evaluated starting from the lowest rule number. After the first match the search is terminated.
Please note: Security groups cannot allow more than what is permitted in a Network ACL.
Security Groups
A security group can be seen as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you must assign a security group to the instance. If no custom security group is specified, a default security group will be created and associated with the instance. You can add rules to each security group that allow traffic to or from its associated instances. The rules of a security group can be modified at any time, and the modifications are automatically applied to all instances that are associated with the security group. If there is more than one security group associated with an instance, the rules of all groups are combined.
Security groups in a VPC are associated with network interfaces. Changing an instance's security groups changes the security groups associated with the primary network interface (eth0). Additional security groups can be associated with any other network interfaces added to an instance.
Points to note:
- By default, all outbound traffic is allowed.
- Rules in a security group always define what is permitted. They cannot be used to deny specific traffic.
- Response traffic to traffic that was permitted by a rule is always allowed (connection tracking).
Please see the relevant AWS documentation for more information and configuration details.
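The AWS layering described above (a stateless, numbered network ACL underneath stateful, allow-only security groups) is easy to get wrong on the return path. The following is an added example, not code from the Stromasys documentation or from the VE license server: a small Python model of those evaluation rules, run over constructed sample rules (the client subnet 10.20.0.0/24 and all addresses are assumptions), showing that ports 8083/8084 stay unusable until the network ACL also explicitly permits the reply traffic to the clients' ephemeral ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    proto: str                # "tcp" or "all"
    first: int                # first port of the range
    last: int                 # last port of the range
    cidr: str                 # peer network the rule matches
    action: str = "allow"     # NACL rules may also be "deny"; SG rules are allow-only
    number: int = 0           # NACL rule number (evaluation order); unused for SGs

def _matches(rule, proto, port, peer):
    return (rule.proto in ("all", proto) and rule.first <= port <= rule.last
            and ip_address(peer) in ip_network(rule.cidr))

def nacl_allows(rules, proto, port, peer):
    """Stateless ACL: lowest rule number first, first match wins, implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, peer):
            return rule.action == "allow"
    return False

def sg_allows(groups, proto, port, peer):
    """Stateful, allow-only: permitted if any rule in any attached group matches."""
    return any(_matches(r, proto, port, peer) for g in groups for r in g)

def client_can_use_port(peer, port, nacl_in, nacl_out, sg_in, client_port=50000):
    """The SYN must pass NACL inbound and the SG; the reply to the client's ephemeral
    port must pass NACL outbound explicitly (no connection tracking in a NACL).
    The SG side of the reply is covered by connection tracking, so it is not checked."""
    inbound = nacl_allows(nacl_in, "tcp", port, peer) and sg_allows(sg_in, "tcp", port, peer)
    reply = nacl_allows(nacl_out, "tcp", client_port, peer)
    return inbound and reply

# Constructed sample rule set for a VE license server (hypothetical addresses).
CLIENTS = "10.20.0.0/24"                       # subnet holding the license clients
SG = [[Rule("tcp", 22, 22, "10.0.0.0/8"), Rule("tcp", 8083, 8084, CLIENTS)]]
NACL_IN = [Rule("tcp", 22, 22, "10.0.0.0/8", number=100),
           Rule("tcp", 8083, 8084, CLIENTS, number=110)]
NACL_OUT_WEAK = [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)]   # no reply rule
NACL_OUT_FIXED = NACL_OUT_WEAK + [Rule("tcp", 1024, 65535, CLIENTS, number=110)]

def check_license_access(nacl_out, client="10.20.0.7"):
    """Report, per required port, whether the client can complete a connection."""
    return {p: client_can_use_port(client, p, NACL_IN, nacl_out, SG) for p in (8083, 8084)}

if __name__ == "__main__":
    print("without reply rule:", check_license_access(NACL_OUT_WEAK))   # both False
    print("with reply rule:   ", check_license_access(NACL_OUT_FIXED))  # both True
```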
Azure Firewall Information
Access to an Azure cloud instance can be controlled by
- an external firewall,
- the operating system firewall of the instance,
- Azure Network Security Groups (NSGs).
In addition to allowing SSH access, the different firewall levels must be configured to permit at least TCP port 8083 to enable a license client to access a VE license server. If the web interface is to be used, TCP port 8084 must also be allowed.
Network Security Groups
Network Security Groups can be associated with interfaces or subnets. Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. When a cloud instance is created, you can assign a default security group to its interface (allowing SSH). Please refer to the following tutorial for more information: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic.
GCP Firewall Information
Access to a GCP cloud instance can be controlled by
- an external firewall,
- the operating system firewall of the instance, and
- GCP firewall rules.
In addition to allowing SSH access, the different firewall levels must be configured to permit at least TCP port 8083 to enable a license client to access a VE license server. If the web interface is to be used, TCP port 8084 must also be allowed.
Google Cloud Firewall Rules
In addition to firewall rules created by the customer, there are other rules that can affect incoming or outgoing traffic:
- Certain IP protocols, such as GRE, are not allowed within a VPC network. For more information, see the Google Cloud documentation on always blocked traffic.
- Communication between a VM instance and its corresponding metadata server (169.254.169.254) is always allowed.
- Every network has two implied firewall rules that permit outgoing connections and block incoming connections. Firewall rules that you create can override these implied rules.
- The default network is pre-populated with firewall rules that can be deleted or modified.
VPC firewall rule characteristics:
- Each rule is either for incoming or outgoing traffic. It can allow or deny traffic.
- Only IPv4 traffic is supported.
- Firewall rules are stateful (return traffic for an established connection is allowed).
- If TCP traffic is fragmented, a rule is only applied to the first fragment of a packet.
IBM Firewall Information
Access to an IBM cloud instance can be controlled by
- an external firewall,
- the operating system firewall of the instance,
- IBM-specific security groups, and
- IBM-specific subnet ACLs.
In addition to allowing SSH access, the different firewall levels must be configured to permit at least TCP port 8083 to enable a license client to access a VE license server. If the web interface is to be used, TCP port 8084 must also be allowed.
IBM Cloud Security Groups
Security Groups are associated with a virtual server instance. They have the following characteristics:
- Stateful: once an inbound connection is permitted, return traffic is allowed.
- Only allow rules are possible.
- All rules are considered to determine if traffic should be permitted.
- An instance can have several security groups.
IBM Cloud Subnet ACLs
Subnet ACLs are associated with subnets in a VPC. They have the following characteristics:
- Stateless: inbound and outbound connections must be explicitly allowed.
- Allow and deny rules are possible.
- Rules are processed in sequence.
- One ACL can be assigned to several subnets.
- The default ACL allows all traffic.
© Stromasys, 1999-2024 - All information is provided on a best-effort basis and may be changed at any time without notice. The information provided does not imply a commitment by Stromasys to any of the features described.