In our previous posts we looked at what a compute instance is and what role the VCN plays in letting a compute instance talk to other compute instances or to the outside world. Those communications need a security check. In this post we look at VCN security using security rules and network security groups. Let’s get started.
We already know that in OCI, compute instances live in subnets and are assigned IP addresses from the subnet. So, for security, we want to control the data flowing into and out of these subnets (and therefore into and out of the compute instances). It is important to mention that even though two (or more) instances are in the same VCN, they are not allowed to communicate with each other by default.
In an on-prem network, this kind of network security is driven through the firewall. The same is true in OCI, the only difference being that these firewall rules are applied at the subnet, a feature which is called Subnet Rules. Since the compute instances sit in the subnets, these security rules apply to the instances too. Security rules govern which kind of traffic is allowed to come in or go out. Since a compute instance may need to talk to another instance within the same VCN or to a host outside the VCN, these rules cover both scenarios.
Ingress and Egress, Stateful and Stateless
A security rule allows (or does not allow) data to travel into or out of the VCN. Traffic directed towards the VCN is called Ingress; traffic directed from the VCN out to the world is called Egress. Furthermore, security rules can be stateful or stateless. A stateful rule means that for any traffic matching the rule, connection tracking remembers the host the traffic came from, so the response back to that very same host is allowed automatically. Stateless is the opposite: a stateless rule has no connection tracking, so the response is not automatically allowed back to the originating host. For this reason, for an explicitly created stateless ingress rule we also need to create an explicit stateless egress rule so that the response can leave.
To summarize, security rules are like firewalls which you create on the subnets.
It is important to remember that all networking in OCI is virtual, and hence these firewalls are virtual too. In the real world, to connect a server to the network we need a network interface card. The same is true within OCI, but here, since both the network and the compute instance are virtual, the card is virtual as well and is called a Virtual Network Interface Card (VNIC). Unlike an on-prem server, as soon as a compute instance is created in a VCN, the VNIC for that instance is created automatically. So instead of applying the security rules at the subnet level, we can apply them at the VNIC level, a feature called Network Security Groups. With a network security group you apply the rules right at the instance instead of at the subnet level, which gives finer control over the administration of security.
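To make the stateful/stateless distinction and the security-list-versus-NSG difference concrete, here is an added Python model. It is not OCI code and not part of the OCI SDK; the names Packet, Rule and Vnic and the IP addresses are constructed for illustration. It mimics the behaviour described above: a stateful rule adds a connection-tracking entry so the reply is allowed back automatically, a stateless rule does not, so the reply needs its own stateless egress rule, and a VNIC is governed by the union of its subnet's security list rules and the rules of the NSGs it belongs to.

```python
"""Toy model of OCI VCN security rules (illustration only, not OCI's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str   # "INGRESS" or "EGRESS"
    proto: str
    cidr: str        # source CIDR for ingress, destination CIDR for egress
    port_min: int    # destination port range the rule covers
    port_max: int
    stateless: bool = False

    def matches(self, pkt: Packet) -> bool:
        peer = pkt.src if self.direction == "INGRESS" else pkt.dst
        return (pkt.proto == self.proto
                and ip_address(peer) in ip_network(self.cidr)
                and self.port_min <= pkt.dport <= self.port_max)


class Vnic:
    """A VNIC sees the union of its subnet's security list and its NSG rules."""

    def __init__(self, ip, security_list, nsgs=()):
        self.ip = ip
        self.security_list = list(security_list)
        self.nsgs = [list(n) for n in nsgs]
        self._tracked = set()   # connection-tracking table filled by stateful rules

    def effective_rules(self):
        return self.security_list + [r for nsg in self.nsgs for r in nsg]

    @staticmethod
    def _flow_key(pkt, reverse=False):
        if reverse:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def allows(self, pkt: Packet) -> bool:
        direction = "INGRESS" if pkt.dst == self.ip else "EGRESS"
        # A reply belonging to a tracked (stateful) connection is allowed as-is.
        if self._flow_key(pkt, reverse=True) in self._tracked:
            return True
        for rule in self.effective_rules():
            if rule.direction == direction and rule.matches(pkt):
                if not rule.stateless:
                    self._tracked.add(self._flow_key(pkt))   # remember the flow
                return True
        return False   # default deny: no matching rule, no tracked connection


# Constructed sample traffic: an SSH connection from the internet to an instance.
INSTANCE_IP = "10.0.1.10"
SSH_REQUEST = Packet("203.0.113.5", INSTANCE_IP, "tcp", 51000, 22)
SSH_REPLY = Packet(INSTANCE_IP, "203.0.113.5", "tcp", 22, 51000)


def stateful_ssh():
    """Stateful ingress rule: request and reply both pass."""
    vnic = Vnic(INSTANCE_IP, [Rule("INGRESS", "tcp", "0.0.0.0/0", 22, 22)])
    return vnic.allows(SSH_REQUEST), vnic.allows(SSH_REPLY)


def stateless_ssh_without_egress():
    """Stateless ingress rule alone: the request passes but the reply is dropped."""
    vnic = Vnic(INSTANCE_IP, [Rule("INGRESS", "tcp", "0.0.0.0/0", 22, 22, stateless=True)])
    return vnic.allows(SSH_REQUEST), vnic.allows(SSH_REPLY)


def stateless_ssh_with_egress():
    """Stateless ingress plus a stateless egress rule covering the client's ephemeral ports."""
    rules = [Rule("INGRESS", "tcp", "0.0.0.0/0", 22, 22, stateless=True),
             Rule("EGRESS", "tcp", "0.0.0.0/0", 1024, 65535, stateless=True)]
    vnic = Vnic(INSTANCE_IP, rules)
    return vnic.allows(SSH_REQUEST), vnic.allows(SSH_REPLY)


def default_deny_same_vcn():
    """Two instances in the same VCN with no rules cannot talk to each other."""
    vnic = Vnic(INSTANCE_IP, security_list=[])
    return vnic.allows(Packet("10.0.2.20", INSTANCE_IP, "tcp", 40000, 8080))


def nsg_union():
    """An NSG attached to the VNIC allows traffic the subnet's security list does not mention."""
    app_nsg = [Rule("INGRESS", "tcp", "10.0.0.0/16", 8080, 8080)]
    vnic = Vnic(INSTANCE_IP, security_list=[], nsgs=[app_nsg])
    return vnic.allows(Packet("10.0.2.20", INSTANCE_IP, "tcp", 40000, 8080))


if __name__ == "__main__":
    print("stateful:", stateful_ssh())
    print("stateless, no egress:", stateless_ssh_without_egress())
    print("stateless, with egress:", stateless_ssh_with_egress())
    print("same VCN, no rules:", default_deny_same_vcn())
    print("NSG on the VNIC:", nsg_union())
```

The practical point the model makes is in `stateless_ssh_with_egress`: because the reply goes to whatever ephemeral port the client chose, the stateless egress rule has to cover a whole port range rather than just port 22, which is why stateless rules are easy to get wrong and stateful ones are the safer default for ordinary client/server traffic.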
Hope that helped.