Add Oracle Cloud Web Application Firewall (WAF) CIDR Ranges in OCI Security List
As part of the Oracle Cloud Web Application Firewall (WAF) configuration, you need to configure your Load Balancer / web server to accept traffic from the Oracle Cloud Edge WAF servers. Oracle has published the list of CIDR ranges in the WAF documentation that you need to add to the Security List. You can also add the list of CIDR ranges to a Network Security Group and attach that to the vNIC of the web server.
https://docs.oracle.com/en-us/iaas/Content/WAF/Concepts/gettingstarted.htm
The Oracle Cloud WAF documentation contains a long list of CIDR addresses. There are two ways to accomplish this task.
1. Add each CIDR address to the Security List manually (one by one).
2. Use a script to add all these CIDR addresses to the Security List.
This blog describes the second approach: using a script to add the CIDR addresses to the Security List.
Log in to Oracle Cloud with your tenancy and login credentials. It is assumed that you are authorized to work on Oracle Virtual Cloud Network components and Oracle Cloud Shell.
After successful authentication, go to OCI Menu >> Network >> Virtual Cloud Network (VCN).
Create a Security List
Go to Security Lists >> Create New Security List.
Click Create Security List to create the security list.
We will use a shell script to create the JSON file for the OCI CLI. Open the Oracle Cloud Shell to create the script.
A. Create a text file with the list of Oracle Cloud WAF CIDR ranges, one per line, and name it ipranges.txt (the file name the script reads).
#!/bin/bash
# Build an OCI ingress-security-rules JSON document from the WAF CIDR list.
# Input:  ipranges.txt (one CIDR per line)
# Output: security_list.json (a JSON array of IngressSecurityRule objects)
total_lines=$(wc -l < ipranges.txt)
lines_no=0
{
  echo "["
  while read -r line; do
    lines_no=$(( lines_no + 1 ))
    echo "  {"
    echo "    \"source\": \"${line}\","
    echo "    \"protocol\": \"6\","
    # isStateless is a JSON boolean and the ports are integers, as the OCI API expects
    echo "    \"isStateless\": false,"
    echo "    \"tcpOptions\": {\"destinationPortRange\": {\"max\": 443, \"min\": 443}},"
    echo "    \"description\": \"OCI WAF IP Ranges\""
    # no trailing comma after the last rule, or the JSON array is invalid
    if [[ $lines_no -eq $total_lines ]]; then echo "  }"; else echo "  },"; fi
  done < ipranges.txt
  echo "]"
} > security_list.json
Run the shell script to generate the JSON file. This produces security_list.json, containing the Security Rules.
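As an added example (not the blog's own script), the same rule-building logic in Python, generalized to skip blank lines, reject malformed CIDRs, and run a pre-flight check that every generated rule admits only TCP/443 from a valid, non-wildcard source before the file is handed to the OCI CLI. The sample CIDR list is constructed for illustration and is not the real WAF range list.

```python
import ipaddress
import json

# Constructed sample standing in for ipranges.txt (not real WAF ranges);
# includes a blank line, which a naive line loop would turn into a bad rule.
SAMPLE_IPRANGES = "192.0.2.0/24\n198.51.100.0/25\n\n203.0.113.64/26\n"


def build_rules(text, port=443, description="OCI WAF IP Ranges"):
    """One IngressSecurityRule per CIDR line; blank lines skipped, bad CIDRs raise."""
    rules = []
    for raw in text.splitlines():
        cidr = raw.strip()
        if not cidr:
            continue
        net = ipaddress.ip_network(cidr)  # strict: host bits set -> ValueError
        rules.append({
            "source": str(net),
            "protocol": "6",        # TCP
            "isStateless": False,   # JSON boolean, not the string "false"
            "tcpOptions": {"destinationPortRange": {"max": port, "min": port}},
            "description": description,
        })
    return rules


def check_rules(rules, port=443):
    """Pre-flight check: return problems found; an empty list means safe to apply."""
    problems = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule["source"])
        if net.prefixlen == 0:
            problems.append(f"rule {i}: wildcard source {net}")
        if rule.get("protocol") != "6" or rule.get("isStateless") is not False:
            problems.append(f"rule {i}: not a stateful TCP rule")
        rng = rule.get("tcpOptions", {}).get("destinationPortRange", {})
        if (rng.get("min"), rng.get("max")) != (port, port):
            problems.append(f"rule {i}: port range {rng} is not {port} only")
    return problems


if __name__ == "__main__":
    rules = build_rules(SAMPLE_IPRANGES)
    assert not check_rules(rules), check_rules(rules)
    with open("security_list.json", "w") as fh:  # input for the oci CLI command
        json.dump(rules, fh, indent=2)
```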
Update the Security List with the Security Rules using OCI CLI
Now you can use the OCI CLI to update the Security List with these Security Rules. Use the OCID of your Security List in the command below:
gagan_virk@cloudshell:~ (ca-montreal-1)$ oci network security-list update \
  --security-list-id ocid1.securitylist.oc1.ca-montreal-1.aaaaaaaazqjjg5f6yy5v5ypqmb73tirbpifjxcsz5eom5iuj7cpybvkmwoua \
  --ingress-security-rules file://security_list.json
Now check that all the Security Rules were added. Successful execution of the command populates the Security List with all the Security Rules. Each Security Rule allows the OCI WAF IP range to reach destination port 443 over the TCP protocol.
That’s it. Hope you found this information useful.