Required VCN Security Rules
Before you can create and mount a File Storage with Lustre file system, you must configure security rules to allow traffic to the file system using specific protocols and ports. A Lustre file system requires connectivity among its hosts and connectivity with the client.
Lustre uses the LNet protocol and its network drivers to communicate over different types of networks. By default, File Storage with Lustre uses the LNet TCP driver (socklnd), which creates connections on TCP port 988.
Option 1: Client and Lustre in Different Subnets
In this scenario, the file system is in a different subnet than the client. Security rules must be configured for both the file system and the client either in a security list for each subnet, or a network security group (NSG) for each resource.
Set up the following security rules for the Lustre file system:
- Stateful ingress, TCP, from the client subnet CIDR and the Lustre subnet CIDR, source ports 512-1023, to destination port 988.
- Stateful egress, TCP, from source ports 512-1023, to the Lustre subnet CIDR and the client subnet CIDR, destination port 988.
Next, set up the following security rules for the client:
- Stateful ingress, TCP, from the Lustre subnet CIDR, source ports 512-1023, to destination port 988.
- Stateful egress, TCP, from source ports 512-1023, to the Lustre subnet CIDR, destination port 988.
Option 2: Client and Lustre in the Same Subnet
In this scenario, the file system is in the same subnet as the client. Security rules must be configured either in the security list for that subnet, or in a network security group (NSG) for each resource:
- Stateful ingress, TCP, from the subnet CIDR, source ports 512-1023, to destination port 988.
- Stateful egress, TCP, from source ports 512-1023, to the subnet CIDR, destination port 988.
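The following script is an added example, not part of this page or of the File Storage with Lustre service: it generates the rule sets described in Option 1 and Option 2 in the JSON shape that `oci network nsg rules add --security-rules` accepts, and includes a small evaluator that checks whether a given connection attempt would be permitted by those rules. The subnet CIDRs (10.0.1.0/24 for Lustre, 10.0.2.0/24 for the client) and the helper names are assumptions chosen for illustration.

```python
"""Build the Lustre LNet security rules from this page as OCI CLI JSON and
check them against sample flows. Illustrative example, not OCI's own code."""
import ipaddress
import json

LNET_PORT = 988            # socklnd listens on TCP 988
PRIV_PORTS = (512, 1023)   # LNet connects from a privileged source port
TCP = "6"                  # OCI security rules name TCP by IANA protocol number


def tcp_rule(direction, peer_cidr, description, stateless=False):
    """One stateful TCP rule: peer CIDR <-> port 988, source ports 512-1023."""
    rule = {
        "direction": direction,
        "protocol": TCP,
        "isStateless": stateless,
        "description": description,
        "tcpOptions": {
            "destinationPortRange": {"min": LNET_PORT, "max": LNET_PORT},
            "sourcePortRange": {"min": PRIV_PORTS[0], "max": PRIV_PORTS[1]},
        },
    }
    if direction == "INGRESS":
        rule["source"] = peer_cidr
        rule["sourceType"] = "CIDR_BLOCK"
    else:
        rule["destination"] = peer_cidr
        rule["destinationType"] = "CIDR_BLOCK"
    return rule


def lustre_rules(lustre_cidr, client_cidr):
    """Rules for the file-system side (Option 1). If both CIDRs are the same
    subnet (Option 2) the two peers collapse into a single ingress/egress pair."""
    peers = [lustre_cidr] if lustre_cidr == client_cidr else [lustre_cidr, client_cidr]
    rules = []
    for peer in peers:
        rules.append(tcp_rule("INGRESS", peer, f"LNet in from {peer}"))
        rules.append(tcp_rule("EGRESS", peer, f"LNet out to {peer}"))
    return rules


def client_rules(lustre_cidr):
    """Rules for the client side in Option 1: it only exchanges LNet traffic
    with the Lustre subnet."""
    return [tcp_rule("INGRESS", lustre_cidr, "LNet in from Lustre subnet"),
            tcp_rule("EGRESS", lustre_cidr, "LNet out to Lustre subnet")]


def cli_payload(rules):
    """Body for: oci network nsg rules add --nsg-id <ocid> --security-rules file://rules.json"""
    return json.dumps({"securityRules": rules}, indent=2)


def permits(rules, direction, peer_ip, src_port, dst_port):
    """Would this rule set allow the connection-initiating TCP segment to or
    from peer_ip? Rules are stateful, so the reply direction needs no check."""
    for r in rules:
        if r["direction"] != direction or r["protocol"] != TCP:
            continue
        cidr = r["source"] if direction == "INGRESS" else r["destination"]
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(cidr):
            continue
        dst, src = r["tcpOptions"]["destinationPortRange"], r["tcpOptions"]["sourcePortRange"]
        if dst["min"] <= dst_port <= dst["max"] and src["min"] <= src_port <= src["max"]:
            return True
    return False


if __name__ == "__main__":
    lustre, client = "10.0.1.0/24", "10.0.2.0/24"   # constructed example subnets
    fs_rules = lustre_rules(lustre, client)
    print(cli_payload(fs_rules))
    # A client connecting from a privileged port is allowed.
    print(permits(fs_rules, "INGRESS", "10.0.2.15", 1020, 988))   # True
    # The same client from an ephemeral port is blocked by the 512-1023 restriction.
    print(permits(fs_rules, "INGRESS", "10.0.2.15", 40000, 988))  # False
    # A host in an unrelated subnet is blocked regardless of port.
    print(permits(fs_rules, "INGRESS", "10.0.3.15", 1020, 988))   # False
```

Write the printed JSON to a file and pass it with `oci network nsg rules add --nsg-id <nsg_ocid> --security-rules file://rules.json`; `client_rules` produces the matching payload for the client's NSG in Option 1. The evaluator is deliberately narrow: it models only the TCP rules this page specifies, so a `False` result means the Lustre rules alone would not admit the flow, not that no other rule in the VCN could.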
Ways to Enable VCN Security Rules
The Networking service offers two virtual firewall features that both use security rules to control traffic at the packet level. The two features are:
- Network security groups (NSGs) (recommended): A feature designed for application components that have different security postures. Create an NSG that contains the required rules, and then add the file system to the NSG. Alternatively, you can add the required rules to a previously existing NSG, and add the file system to the NSG. Each file system can belong to up to five (5) NSGs.
- Security lists: The original virtual firewall feature from the Networking service. When you create a VCN, a default security list is also created. Add the required rules to the security list for the subnet that contains the file system.
You can use NSGs alone, security lists alone, or both together. It depends on your particular security needs. If you use both security lists and network security groups, the set of rules that applies to a particular VNIC is the combination of these items:
- The security rules in the security lists associated with the VNIC's subnet
- The security rules in all NSGs that the VNIC is in
It doesn't matter which method you use to apply security rules to the file system VNIC, as long as the protocol and ports necessary for File Storage with Lustre are correctly configured in the rules that apply.
See Security Rules, Security Lists, and Network Security Groups for more information, examples, and scenarios about how these features interact in your network. Networking Overview provides general information about networking.