Restrict Access to an Instance

Restrict the networks that have access to your Oracle Integration instance by configuring an allowlist (formerly a whitelist). Only users from the specific IP addresses, Classless Inter-Domain Routing (CIDR) blocks, and virtual cloud networks that you specify can access the Oracle Integration instance.

For the Oracle Integration instance, configure the allowlist when you create the instance or after creating the instance.

Option 1 for Configuring Allowlists: Restrict Access to Oracle Integration Using the Self-service Allowlist Capabilities

Figure: allowlist-only.png

In this scenario, you restrict access to Oracle Integration using an allowlist. The allowlist restricts access based on the following parameters:

  • Single IP address
  • Classless Inter-Domain Routing (CIDR) block (that is, an IP address range)
  • Virtual Cloud Network Oracle Cloud ID (VCN OCID)

Additionally, your organization might have a service gateway. The service gateway lets your virtual cloud network (VCN) privately access Oracle Integration without exposing the data to the public internet.

Only the specified IP addresses and VCN OCIDs can access Oracle Integration. Users and systems accessing Oracle Integration from listed VCNs have full access.

Advantages

  • Easy setup! You can configure your allowlist in just a few minutes, without having to create a custom endpoint.
  • All traffic is supported, including REST, SOAP, and other internet traffic.

Disadvantages

  • The rules allow for all-or-nothing access and don't allow for more nuanced control.

    For instance, all traffic for a particular IP address or range is allowed, even if someone using an allowed IP address passes SQL as a command line parameter.

  • You're limited to 15 access rules.

    However, a CIDR block counts as only 1 entry, so you might not need more than 15 rules.

Tasks to Complete for this Scenario

  1. Add your organization's VCN OCID to the allowlist. The VCN must be in the same region as Oracle Integration and should have a service gateway.

    When you add the VCN OCID to the allowlist, all resources on the VCN can access Oracle Integration.

  2. For all partner networks and applications, add their IP addresses or address ranges to the allowlist.

    You need all the IP addresses for all applications and systems that require access to Oracle Integration. Make sure you consider all partner systems and SaaS applications when compiling the list. For example, if a CRM platform requires access, you must add the individual or range of IP addresses for the platform.

    When you add the IP addresses or address ranges to the allowlist, you grant full access to the user interface and integrations for your network.

  3. Enable loopback so that Oracle Integration can call itself.

    For example, enabling loopback allows Oracle Integration to call its own REST APIs.

Option 2 for Configuring Allowlists: Restrict Access to Oracle Integration Using the Oracle Cloud Infrastructure Web Application Firewall (WAF)

Figure: allowlist_with_waf.png

This scenario is the most powerful configuration option for allowlisting, allowing you to create sophisticated rules. In this scenario, you restrict access to Oracle Integration using Oracle Cloud Infrastructure Web Application Firewall (WAF).

How Each Item Controls Access

The allowlist lets the following entities access Oracle Integration:

  • WAF
  • Virtual Cloud Network Oracle Cloud ID (VCN OCID)

As a result, all internet traffic is routed to WAF, which restricts access based on:

  • Single IP address
  • Classless Inter-Domain Routing (CIDR) block (that is, an IP address range)
  • Virtual Cloud Network Oracle Cloud ID (VCN OCID)
  • Additional rules that you define

If your organization has a service gateway, the service gateway lets your virtual cloud network (VCN) privately access Oracle Integration without exposing the data to the public internet.

Advantages

  • WAF allows you to create sophisticated rules for your allowlist. For instance:
    • If someone tries to pass SQL as a command line parameter, you can disallow the request.
    • You can restrict access based on location using geo-blocking.

    For more information, see Managing WAF Policies for Oracle Cloud Infrastructure Web Application Firewall.

  • All traffic is supported, including REST, SOAP, and other internet traffic.
  • The limitation of 15 allowlist rules doesn't apply to this scenario.

Disadvantages

  • This option is more complex, time consuming, and error prone than the self-service allowlist on its own.
  • You must create a custom endpoint for WAF, requiring a server certificate and a DNS entry.

Tasks to Complete for this Scenario

  1. Configure WAF according to your organization's requirements. 

    See Overview of Web Application Firewall for Oracle Cloud Infrastructure Web Application Firewall.

  2. Configure a custom endpoint for Oracle Integration.

    See Configure a Custom Endpoint for an Instance.

  3. Add the IP address(es) for WAF to the allowlist.

    If your organization has Oracle Integration in multiple regions, each region has its own WAF. You must add the IP addresses for all WAFs to the allowlist.

  4. Add your organization's VCN OCID to the allowlist. The VCN must be in the same region as Oracle Integration and should have a service gateway.

    When the VCN OCID is on the allowlist, your virtual cloud network bypasses WAF.

Note

You don't need to enable loopback when you use WAF to restrict access to Oracle Integration.

Option 3 for Configuring Allowlists: Restrict Access to Oracle Integration Using the API Gateway

Figure: allowlist_with_api_gateway.png

In this scenario, you restrict access to Oracle Integration using the API Gateway and an allowlist.

If all traffic to Oracle Integration is in the form of REST API calls, this setup suits your needs. However, if you have traffic in the form of non-REST API calls, this scenario might not be ideal. You have traffic in the form of non-REST calls if your organization supports any of the following situations:

  • Users working in the Oracle Integration user interface, including using Visual Builder and the Processes feature
  • Users working in the Oracle Cloud Infrastructure Console user interface
  • SOAP calls

If you support any non-REST calls, you must use the Oracle Integration allowlist to manage this access. Here's why: API Gateway doesn't let you add IP addresses to an allowlist.

How Each Item Controls Access

  • All REST traffic from the internet is routed to API Gateway.

    For details about how access is restricted, see Overview of API Gateway for API Gateway.

  • The allowlist lets the following entities access Oracle Integration:
    • API Gateway VCN
    • Service gateway, if your organization has one
    • REST and SOAP requests

    Note

    If you need Visual Builder and Processes access, this pattern allows for bypassing the API Gateway.

If your organization has a service gateway, the service gateway lets your virtual cloud network (VCN) privately access Oracle Integration without exposing the data to the public internet.

Advantages

Disadvantages

  • If your organization uses File Server, you can't restrict access using the API Gateway.

    You'd have to allow direct access to File Server.

  • This option is more complex, time consuming, and error prone than the self-service allowlist on its own.
  • If you don't configure everything exactly as required, users experience access issues. For instance, users can't access the Processes feature, and only people on the internal network can access Visual Builder.
  • For any non-REST calls to Oracle Integration, you must provide direct access using the Oracle Integration allowlist. You're limited to 15 access rules for this allowlist.

Tasks to Complete for this Scenario

Note

You must complete these steps by hand and use the correct format, or users experience access issues.

  1. Configure API Gateway according to your organization's requirements.

    See the API Gateway documentation.

  2. Add your organization's VCN OCID to the allowlist. The VCN must be in the same region as Oracle Integration.

    When the VCN OCID is on the allowlist, your virtual cloud network bypasses the API Gateway.

  3. Add API Gateway to the allowlist.
  4. Enable loopback so that Oracle Integration can call itself.

    For example, enabling loopback allows Oracle Integration to call its own REST APIs. 

REST API for Allowlisting

You can also use the REST API for creating and modifying allowlists. See /integrationInstances/{integrationInstanceId}/actions/changeNetworkEndpoint.

Prerequisites for Creating an Allowlist for Oracle Integration

When creating your allowlist, you must include all applications that require access to your instance. Here's the information you need.

Note

These tasks are required for Oracle Integration.

Get the Outbound IP Addresses for Applications That Are Event Sources

You must add all event sources, such as Oracle Fusion Applications ERP events, to the allowlist. To do so, you must get the outbound IP address of the applications. Contact the application providers to get the IP addresses.

Get the Public IP Addresses for Oracle SaaS Applications That Make HTTPS Calls to Oracle Integration

Oracle SaaS applications can make HTTPS calls to Oracle Integration depending on the design of the integration. Go to the About menu in Oracle Integration to get the public IP address of your SaaS instance to add to the allowlist in Oracle Integration. See Obtain the NAT Gateway IP Address of the Oracle Integration Instance.

Some examples:

  • Integrations using SaaS adapter connections for trigger and callbacks
  • When the connectivity agent is used with an adapter that does polling, such as for database polling and invoking
  • When the connectivity agent is used to communicate with Oracle Integration

For a list of external IP addresses by data center that you can add to your allowlist for web service calls initiated by Oracle Cloud Applications, see the support note ID 1903739.1: IP Whitelist for Web Service Calls Initiated by Oracle Cloud Applications.

Configure an Allowlist for Your Instance

Your allowlist can contain up to 15 rules for HTTPS connections to the Oracle Integration instance. The allowlist restrictions that you create are in addition to the standard authorization mechanisms, such as user credentials, which are always in place.

  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. In the Display Name column, click the instance to edit.
  3. On the Integration Instance Details page, below Resources in the lower left, select Network Access.
  4. Below the Network Access header, click Edit.
    The Network Access dialog is displayed. If your list is empty, the first blank allowlist rule is added for you.
  5. Complete the fields at the top of the dialog:
    • Restrict Network Access: Select this option to be able to add allowlist rules and to apply the rules. When this option is selected, only users from networks that meet the configured settings are allowed to access the integration instance. When this option is not selected, there are no allowlist rules and there are no network restrictions to access your instance.

      Caution:

      If you deselect Restrict Network Access after configuring allowlist rules, all configured allowlist rules are deleted.
    • Enable Loopback: Select this option to allow the integration to call itself.
      Note

      If you enable loopback, any Oracle Integration instance in your region can call your instance.

      Loopback is required for certain calls. You must enable loopback for the following scenarios:

      • To invoke an Oracle Integration API from within an integration. Use a REST connection to call the API.
      • To call your integration from another Oracle Integration instance.

      To call your integration from within your Oracle Integration instance, you can enable loopback, but we recommend using the local invoke instead. If you use the local invoke for this scenario, you don't need to enable loopback. You also don't need a connection when using the local invoke.

  6. Configure your allowlist rules.
    1. To add a rule, click Add Rule, located below the last rule in the list. You might need to scroll down to see the button.
    2. In the Type field, select the type of rule to configure.
      • IP Address/CIDR Block: Configure access from an IP address or an IP address range.
      • Virtual Cloud Network: Configure access from a specific virtual cloud network. To display a list of networks in other compartments, click Change Compartment. In addition to a specific virtual cloud network, you can specify an IP address or IP address range within the virtual cloud network.
      • Virtual Cloud Network OCID: Provide access to an Oracle Cloud ID (OCID) of the virtual cloud network. For information about the OCID format see Resource Identifiers.
  7. After adding all the desired rules to the allowlist, click Save Changes.
    The work request is submitted and the changes go into effect when the instance status changes to Active. In the instance details, under Integration Instance Information, you'll also notice Network Access: Restricted.
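As an added example (not part of the Oracle documentation), the following Python helper assembles and checks the request body for the changeNetworkEndpoint action named in the REST API section above, applying the constraints this page states for the console procedure: well-formed IP/CIDR entries, a 15-rule limit, VCN OCIDs in the same region as the instance, and the loopback setting. The JSON field names (networkEndpointDetails, allowlistedHttpIps, allowlistedHttpVcns, isIntegrationVcnAllowlisted) follow the OCI Integration API as I know it and are an assumption to verify against the API reference; the OCIDs and addresses are constructed sample values.

```python
import ipaddress
import json

MAX_RULES = 15  # rule limit for the self-service allowlist, as stated on this page


def parse_vcn_ocid(ocid):
    """Return the region key from a VCN OCID.

    Regional OCIDs have the form ocid1.<type>.<realm>.<region>.<unique-id>;
    this relies on that layout (assumption) to check the same-region requirement.
    """
    parts = ocid.split(".")
    if len(parts) != 5 or parts[0] != "ocid1" or parts[1] != "vcn" or not parts[4]:
        raise ValueError(f"not a VCN OCID: {ocid}")
    return parts[3]


def build_network_endpoint(instance_region, ips, vcns, enable_loopback):
    """Validate allowlist entries and build the changeNetworkEndpoint body.

    ips:  list of "a.b.c.d" or "a.b.c.d/nn" strings (one rule each).
    vcns: list of (vcn_ocid, [cidrs inside that VCN]) tuples (one rule each).
    """
    allowlisted_ips = []
    for entry in ips:
        # strict=True rejects a CIDR with host bits set (e.g. 198.51.100.7/24),
        # a typo that would otherwise admit a different range than intended.
        net = ipaddress.ip_network(entry, strict=True)
        allowlisted_ips.append(str(net) if "/" in entry else str(net.network_address))
    allowlisted_vcns = []
    for ocid, inner_cidrs in vcns:
        region = parse_vcn_ocid(ocid)
        if region != instance_region:  # the page requires the VCN to be in the instance's region
            raise ValueError(f"VCN {ocid} is in {region}, instance is in {instance_region}")
        inner = [str(ipaddress.ip_network(c, strict=True)) for c in inner_cidrs]
        allowlisted_vcns.append({"id": ocid, "allowlistedIps": inner})
    rule_count = len(allowlisted_ips) + len(allowlisted_vcns)  # a CIDR block counts as one rule
    if rule_count > MAX_RULES:
        raise ValueError(f"{rule_count} rules exceed the {MAX_RULES}-rule limit")
    return {"networkEndpointDetails": {
        "networkEndpointType": "PUBLIC",
        "allowlistedHttpIps": allowlisted_ips,
        "allowlistedHttpVcns": allowlisted_vcns,
        "isIntegrationVcnAllowlisted": enable_loopback,  # assumed to map to the Enable Loopback option
    }}


if __name__ == "__main__":
    # Constructed sample: two IP rules plus one VCN rule, loopback enabled.
    body = build_network_endpoint("phx", ["203.0.113.10", "198.51.100.0/24"],
                                  [("ocid1.vcn.oc1.phx.exampleuniqueid", ["10.0.0.0/16"])], True)
    print(json.dumps(body, indent=2))
```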