Add Oracle Cloud Web Application Firewall (WAF) CIDR Ranges in OCI Security List

As part of the Oracle Cloud Web Application Firewall (WAF) configuration, you need to configure your Load Balancer or web server to accept traffic only from the Oracle Cloud Edge WAF servers, so that the WAF cannot be bypassed by connecting to the origin directly. Oracle publishes the list of WAF CIDR ranges in the WAF documentation; these are the ranges you need to add to the Security List. Alternatively, you can add the same CIDR ranges to a Network Security Group and attach it to the VNIC of the web server.

https://docs.oracle.com/en-us/iaas/Content/WAF/Concepts/gettingstarted.htm

The Oracle Cloud WAF documentation contains a long list of CIDR ranges. There are two ways to add them to the Security List.

1. Add each CIDR range to the Security List manually, one by one.

2. Use a script to add all the CIDR ranges to the Security List.

This blog post describes the second approach: using a script to add the CIDR ranges to the Security List.

Log in to Oracle Cloud with your tenancy name and login credentials. It is assumed that you are authorized to work with Oracle Virtual Cloud Network components and Oracle Cloud Shell.

After successful authentication, go to OCI Menu >> Network >> Virtual Cloud Network (VCN)

Create a Security List

Go to Security Lists >> Create New Security List

Click Create Security List to create the security list.

We will use a shell script to create the JSON rules file for the OCI CLI. Open Oracle Cloud Shell to create the script.

A. Create a text file with the list of Oracle Cloud WAF CIDR ranges, one range per line, and name it ipranges.txt (the file name the script below reads).

B. Create a shell script that reads the CIDR ranges and generates the JSON rules on standard output.

#!/bin/bash
# Read one CIDR range per line from ipranges.txt and print a JSON array of
# OCI ingress security rules (redirect the output to security_list.json).
set -euo pipefail

# Count the non-blank lines so the last rule gets no trailing comma;
# a plain "wc -l" miscounts when the file has no final newline.
total_lines=$(grep -c '[^[:space:]]' ipranges.txt)
lines_no=0

echo "["
while IFS= read -r line || [[ -n "$line" ]]; do
  line="${line//$'\r'/}"              # tolerate CRLF line endings
  [[ -z "${line// }" ]] && continue   # skip blank lines
  lines_no=$(( lines_no + 1 ))
  echo " {"
  echo "  \"source\": \"${line}\","
  echo "  \"protocol\": \"6\","
  # booleans and integers as the rule schema defines them, not quoted strings
  echo "  \"isStateless\": false,"
  echo "  \"tcpOptions\": {\"destinationPortRange\": {\"max\": 443, \"min\": 443}},"
  echo "  \"description\": \"OCI WAF IP Ranges\""
  if [[ $lines_no -eq $total_lines ]]; then
    echo " }"
  else
    echo " },"
  fi
done < ipranges.txt
echo "]"

Run the script and redirect its output to a file, for example security_list.json (the file name used in the OCI CLI command below).

The result is a JSON array of Security Rules, one rule per CIDR range.

Update the Security List with the Security Rules using OCI CLI

Now use the OCI CLI to update the Security List with these Security Rules, passing the OCID of your Security List in the command below. Note that this update replaces the entire set of ingress rules of the Security List with the contents of the file; any existing ingress rules you want to keep (for example SSH from a bastion) must also be present in the JSON, or they will be dropped.

gagan_virk@cloudshell:~ (ca-montreal-1)$ oci network security-list update --security-list-id ocid1.securitylist.oc1.ca-montreal-1.aaaaaaaazqjjg5f6yy5v5ypqmb73tirbpifjxcsz5eom5iuj7cpybvkmwoua --ingress-security-rules file://security_list.json
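The two points worth guarding against in this step, correct JSON types in the rules file and the update replacing every existing ingress rule, can be handled in one small generator. The following is an added example written for this page, not the post's own script. It assumes the CIDR list is one range per line, that the current rules are taken from the JSON that `oci network security-list get` prints (kebab-case keys, reproduced here as a constructed sample rather than real output), and that the update input uses the camelCase keys the post's script already uses. The sample ranges are documentation addresses, not Oracle's published WAF list.

```python
import ipaddress
import json
from typing import Dict, Iterable, List

# Added example (not the post's own script). Assumptions, labelled: the input
# is one CIDR per line; existing rules come from `oci network security-list get`,
# whose output uses kebab-case keys; the update input takes camelCase keys.
WAF_DESCRIPTION = "OCI WAF IP Ranges"   # same description text the post uses


def parse_cidrs(lines: Iterable[str]) -> List[str]:
    """Validate and normalise CIDRs. Blank lines, '#' comments and CRLF are
    tolerated, duplicates are dropped, anything that is not a proper network
    (host bits set, typos) raises, and a catch-all /0 is refused."""
    seen, out = set(), []
    for raw in lines:
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        net = ipaddress.ip_network(s, strict=True)   # ValueError on junk or host bits
        if net.prefixlen == 0:
            raise ValueError(f"refusing {s}: it would open port 443 to the world")
        text = net.with_prefixlen
        if text not in seen:
            seen.add(text)
            out.append(text)
    return out


def waf_rule(cidr: str, port: int = 443) -> Dict:
    """One stateful TCP ingress rule, using JSON booleans and integers."""
    return {
        "source": cidr,
        "sourceType": "CIDR_BLOCK",
        "protocol": "6",
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
        "description": WAF_DESCRIPTION,
    }


def _camel(key: str) -> str:
    head, *rest = key.split("-")
    return head + "".join(p.capitalize() for p in rest)


def kebab_to_camel(obj):
    """Turn the kebab-case keys the CLI prints into the camelCase keys it reads;
    null fields (e.g. udp-options on a TCP rule) are dropped."""
    if isinstance(obj, dict):
        return {_camel(k): kebab_to_camel(v) for k, v in obj.items() if v is not None}
    if isinstance(obj, list):
        return [kebab_to_camel(v) for v in obj]
    return obj


def merged_ingress_rules(get_output: Dict, cidrs: List[str]) -> List[Dict]:
    """`security-list update --ingress-security-rules` REPLACES the whole rule set,
    so keep every non-WAF rule currently in the list and regenerate the WAF ones."""
    current = kebab_to_camel(get_output["data"]["ingress-security-rules"])
    kept = [r for r in current if r.get("description") != WAF_DESCRIPTION]
    return kept + [waf_rule(c) for c in cidrs]


def build_security_list_json(ranges_text: str, get_output: Dict) -> str:
    """Text for the file passed as --ingress-security-rules file://security_list.json."""
    rules = merged_ingress_rules(get_output, parse_cidrs(ranges_text.splitlines()))
    return json.dumps(rules, indent=2)


# Constructed sample input (not Oracle's published list; take that from the docs page).
SAMPLE_RANGES = "# WAF ranges\n192.0.2.0/24\r\n198.51.100.0/25\n\n203.0.113.0/24\n192.0.2.0/24\n"

# Constructed stand-in for `oci network security-list get` output: an SSH rule from a
# bastion that must survive the update, plus a stale WAF rule that must be replaced.
SAMPLE_GET_OUTPUT = {"data": {"ingress-security-rules": [
    {"source": "10.0.1.0/24", "source-type": "CIDR_BLOCK", "protocol": "6",
     "is-stateless": False, "description": "SSH from bastion", "udp-options": None,
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"source": "198.51.100.0/24", "source-type": "CIDR_BLOCK", "protocol": "6",
     "is-stateless": False, "description": WAF_DESCRIPTION, "udp-options": None,
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
]}}

if __name__ == "__main__":
    print(build_security_list_json(SAMPLE_RANGES, SAMPLE_GET_OUTPUT))
```

In real use, feed it the JSON from `oci network security-list get --security-list-id <ocid>` and the downloaded range list, write the result to security_list.json, and only then run the update command. Tagging every WAF rule with the same description is what lets the merge drop stale WAF ranges while leaving the rules that were already in the list, such as the SSH rule in the sample, untouched.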

Now check that all the rules were added. After the command succeeds, the Security List is populated with one Security Rule per CIDR range in the file.

Each Security Rule allows one OCI WAF address range to reach destination port 443 over TCP. Oracle may update the published ranges over time, so re-run the script and update the Security List whenever the list in the documentation changes.

That’s it. Hope you found this information useful.
