The default firewall features in Oracle Cloud Infrastructure (OCI) are Security Lists (SL) and Network Security Groups (NSG). Both filter at Layer 3/4: a rule matches on source and destination IP address (CIDR), protocol and port, never on a hostname or URL. In most cases, though, customers want to block all outgoing internet traffic and allow only specific destinations, such as yum repos and the URLs of public cloud applications used for REST API integrations. Meeting this requirement with SL and NSG rules is very difficult, because the IP addresses behind cloud-hosted applications keep changing, often because they sit behind a CDN. A better way is a firewall that filters at Layer 7 (by hostname or URL), such as Fortigate or Palo Alto.
Oracle's own offering in this area is the OCI Network Firewall Service (OCI NFW), which costs about $2,500 a month. Fortigate and Palo Alto are not cheap either; their prices range from $500 to $1,500 a month. This made me look for open-source or commercial alternatives that are much cheaper to deploy and run. The architecture below provides Layer 7 filtering while being light on your wallet.
This solution uses Zenarmor, a secure web gateway product from Sunny Valley Cyber Security Inc., running on an Ubuntu VM. This setup costs only about $50 a month. Here is what the architecture looks like:
To deploy this architecture, here are the high-level steps
Create the required subnets as follows. The App and DB subnets are private and host the respective VMs. The IN and OUT subnets are used by the firewall VM: IN is private and receives traffic from the other private subnets (App and DB) that is to be forwarded to the internet, and OUT is public and carries that traffic out through the internet gateway.
Subnet Name | CIDR Block | Type | Description
---|---|---|---
App | 10.0.0.0/28 | Private | Subnet to host the App VM
DB | 10.0.0.16/28 | Private | Subnet to host the Database
In | 10.0.0.96/28 | Private | FW incoming subnet (traffic from App and DB)
Out | 10.0.0.112/28 | Public | FW outbound subnet (to the internet gateway)
Deploy a VM from the Ubuntu 22.04 LTS image on the VM.Standard.E4.Flex shape; a burstable instance saves cost as well. Make the VNIC in the public OUT subnet the primary VNIC at creation time, and attach a second VNIC from the private IN subnet afterwards.
Configure the primary NIC (OUT subnet, ens3) to use DHCP and the second NIC (IN subnet, ens5) to use a fixed IP. Note that cloud-init regenerates 50-cloud-init.yaml on boot unless its network configuration is disabled (a file /etc/cloud/cloud.cfg.d/99-disable-network-config.yaml containing `network: {config: disabled}` does that), so either disable it or keep the ens5 stanza in a separate file under /etc/netplan/ that sorts after this one.
$ cat /etc/netplan/50-cloud-init.yaml
```yaml
network:
  version: 2
  ethernets:
    # Primary VNIC in the public OUT subnet: address from OCI DHCP, default route via the internet gateway
    ens3:
      dhcp4: true
      match:
        macaddress: 02:00:17:01:38:e4
      set-name: ens3
    # Secondary VNIC in the private IN subnet: fixed address, this is the next hop for App and DB traffic
    ens5:
      dhcp4: false
      match:
        macaddress: 02:00:17:00:c7:55
      addresses:
        - 10.0.0.100/28
      set-name: ens5
```
Once the NICs are up, enable IP forwarding and use the Ubuntu built-in firewall (iptables on top of netfilter) to forward traffic from the private NIC (IN, ens5) and NAT it out through the public NIC (OUT, ens3). This guide hosted on GitHub helped me configure it: https://gist.github.com/kimus/9315140
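The forwarding and NAT setup the previous step describes, as an added example script (written for this article, not the gist linked above and not Zenarmor's own code). It assumes ens5 is the IN interface, ens3 is the OUT interface and 10.0.0.0/24 is the VCN CIDR that contains the App, DB and IN subnets; the MASQUERADE rule rewrites the source address to the OUT NIC's address so replies come back to the firewall, and the final DROP keeps the forwarding path from becoming an open relay.

```sh
#!/bin/sh
# Added example (not the gist from the post): enable forwarding from the private
# IN interface to the public OUT interface and NAT the traffic on the way out.
# Assumptions for this example: ens5 = IN (private), ens3 = OUT (public), and
# 10.0.0.0/24 is the VCN CIDR that covers the App, DB and IN subnets.
IN_IF="${IN_IF:-ens5}"
OUT_IF="${OUT_IF:-ens3}"
VCN_CIDR="${VCN_CIDR:-10.0.0.0/24}"

# Emit the commands for the given interfaces and source range, one per line.
fw_rules() {
  in_if="$1"; out_if="$2"; src="$3"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s ${src} -o ${out_if} -j MASQUERADE
iptables -A FORWARD -i ${in_if} -o ${out_if} -s ${src} -j ACCEPT
iptables -A FORWARD -i ${out_if} -o ${in_if} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# APPLY=1 runs the rules as root; otherwise they are only printed for review.
if [ "${APPLY:-0}" = "1" ]; then
  fw_rules "$IN_IF" "$OUT_IF" "$VCN_CIDR" | sh -e
else
  fw_rules "$IN_IF" "$OUT_IF" "$VCN_CIDR"
fi
```

Run it once without APPLY to review the rule set, then `sudo APPLY=1 sh fw.sh`. To survive a reboot, put `net.ipv4.ip_forward = 1` in a file under /etc/sysctl.d/ and save the rules with the iptables-persistent package (`netfilter-persistent save`).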
Install the Zenarmor package with the vendor's one-liner. As with any curl-to-shell installer, download the script first and read it before piping it into a root shell:
```sh
$ curl https://updates.sunnyvalley.io/getzenarmor | sudo sh
```
Register an account in the Zenconsole Cloud Portal, then connect the agent so it can be managed through Zenconsole:
```sh
# zenarmorctl cloud register
```
After the Zenarmor agent is installed, open the Zenarmor dashboard and configure the firewall for L3 routed mode, tagging ens3 as the WAN interface and ens5 as the LAN (protected) interface, as shown below.
Create two route tables. The first, for the OUT subnet, routes all traffic (0.0.0.0/0) to the internet gateway; assign it to the OUT subnet.
The second routes all traffic (0.0.0.0/0) to the private IP of the firewall's IN VNIC (10.0.0.100 here). OCI discards packets that a VNIC sends or receives on behalf of other hosts unless "Skip source/destination check" is enabled on that VNIC, so enable it on the firewall's IN VNIC before relying on this route.
Assign this second route table to all private subnets (IN, App and DB).
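The same routing setup done with the OCI CLI, as an added example written for this article (not the author's own automation). The OCIDs are placeholders passed in through environment variables; the route-rule JSON shape and the `oci network` subcommands are the standard ones, and the script only touches the tenancy when APPLY=1 so the rule builder can be checked first.

```sh
#!/bin/sh
# Added example (not from the original post): build the two route tables with
# the OCI CLI and disable source/destination checking on the firewall's IN VNIC,
# which OCI requires before a private IP can forward traffic for other hosts.
# Placeholder environment variables, assumed for this example:
#   COMPARTMENT_OCID VCN_OCID IGW_OCID FW_IN_VNIC_OCID
#   OUT_SUBNET_OCID IN_SUBNET_OCID APP_SUBNET_OCID DB_SUBNET_OCID
set -eu

# JSON for a single default route (0.0.0.0/0) to the given network entity:
# the internet gateway OCID for OUT, the firewall's private IP OCID for IN.
default_route_rule() {
  printf '[{"destination":"0.0.0.0/0","destinationType":"CIDR_BLOCK","networkEntityId":"%s"}]' "$1"
}

# Create a route table with one default route and print its OCID.
create_default_rt() {            # $1 = display name, $2 = network entity OCID
  oci network route-table create --compartment-id "$COMPARTMENT_OCID" \
    --vcn-id "$VCN_OCID" --display-name "$1" \
    --route-rules "$(default_route_rule "$2")" \
    --query 'data.id' --raw-output
}

main() {
  # The firewall's IN VNIC must forward packets it did not originate.
  oci network vnic update --vnic-id "$FW_IN_VNIC_OCID" --skip-source-dest-check true

  # OUT subnet: everything to the internet gateway.
  out_rt=$(create_default_rt fw-out-rt "$IGW_OCID")
  oci network subnet update --subnet-id "$OUT_SUBNET_OCID" --route-table-id "$out_rt"

  # IN, App and DB subnets: everything to the firewall's IN private IP (10.0.0.100).
  fw_ip_ocid=$(oci network private-ip list --vnic-id "$FW_IN_VNIC_OCID" \
    --query 'data[0].id' --raw-output)
  in_rt=$(create_default_rt fw-in-rt "$fw_ip_ocid")
  for s in "$IN_SUBNET_OCID" "$APP_SUBNET_OCID" "$DB_SUBNET_OCID"; do
    oci network subnet update --subnet-id "$s" --route-table-id "$in_rt"
  done
}

# Only touch the tenancy when asked; the helper functions can be exercised without it.
if [ "${APPLY:-0}" = "1" ]; then main; fi
```

The VCN's local route for 10.0.0.0/24 is implicit in OCI, so a single 0.0.0.0/0 rule per table is enough; with the skip-source/destination check left off, the App VM's packets would reach 10.0.0.100 but the replies the firewall forwards back would be silently dropped.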
Configure the policy attached to the registered VM and set which URLs to block and which to allow. For the original requirement (block everything, allow only the repos and APIs you need) the policy needs a default block with explicit allows rather than a blocklist, and without TLS decryption the gateway can only match the hostname (SNI) of an HTTPS connection, not the full URL path.
The above policy blocks any connection to r12dba.com and allows connections to eclipsys.ca. Let's test it from an App VM deployed in the APP subnet.
As you can see, the connection to r12dba.com is dropped, while eclipsys.ca returns a response.
We don't need fancy firewalls that cost an arm and a leg to get this Layer 7 filtering. We can do it easily and cost-effectively with an Ubuntu VM and a Zenarmor subscription. The solution can be taken further with two firewall VMs for high availability, or deployed in a hub-and-spoke model. Any questions about this solution, reach out to me via LinkedIn.