19 ‐ Scenario 1 ‐ Single VCN with internet connectivity - SanjeevOCI/Study GitHub Wiki

Scenario: You have only one virtual network (VCN) connected to the internet. The service deployed should be reachable from the internet. All components must be infrastructure services—no PaaS should be used. The solution must be built using plain compute, and your approach should reflect your understanding of networking, compute, and storage in OCI.


1. Create a Compartment Start by creating a compartment, if one doesn’t already exist. This helps logically organize and isolate resources.

2. Create a New VCN Create a new Virtual Cloud Network with a non-overlapping CIDR block. This ensures there’s no IP conflict with other networks.

3. Create a Public Subnet Design a public subnet with a smaller CIDR range depending on how many services or instances you plan to deploy. Since the instance needs a public IP to be reachable from the internet, choose the option to assign a public IP during subnet or instance creation.

4. Create an Internet Gateway Within the VCN, create an Internet Gateway. This component will allow instances in the public subnet to connect to the internet.

5. Add Route to the Subnet Go to the route table associated with the public subnet. Create a route rule:

  • Destination CIDR Block: 0.0.0.0/0
  • Target: Internet Gateway

This rule allows outbound traffic to any external address, since internet destinations don’t have fixed IP ranges.

6. Configure Security Rules (Security List or NSG) Update the security list or Network Security Group attached to the subnet/instance:

  • Egress Rule:

    • Destination: 0.0.0.0/0
    • Protocol: All (or TCP for specific services)
    • Allow all outbound traffic since it poses low risk
  • Ingress Rule:

    • If accessing the instance via SSH, allow TCP port 22
    • Restrict the source to your specific laptop/desktop’s public IP for security
    • If the application needs to be accessible over the internet (web traffic), allow port 80 (HTTP) and/or 443 (HTTPS)
    • Source CIDR for public web access: 0.0.0.0/0

7. Harden with a Firewall Since the instance is exposed to the internet, it's important to protect it at the perimeter. Recommend that the client deploy a Palo Alto firewall or a similar next-generation firewall within the network.

This firewall will provide Layer 7 (application-level) protection, detect threats, and help prevent attacks. As the service is publicly accessible, the risk of external threats is higher, so firewall protection is essential to secure the infrastructure.


Conclusion: By following this approach, you ensure the compute instance is internet-reachable using only infrastructure services, while also enforcing secure access controls and recommending proper firewall deployment to mitigate potential risks.


  1. Create Compartment, if not already created

  2. Create New VCN with non-overlapping CIDR Range

  3. Create a public subnet with a smaller CIDR range based on the network or the number of services I need to configure. I will create a public subnet, as I need a public IP for my resource (a compute instance in this case) so that it can connect to the Internet.

  4. Create an Internet Gateway in the VCN.

  5. After that, I will go to that public subnet and, in its route table, create a route to the Internet Gateway. In the route I will put the destination as 0.0.0.0/0, because I want to connect to the external world, and the external world doesn't have any fixed IP series.

  6. Once I have connected the route, next I will go to the Security List. I'll create two rules in the security list: an egress rule and an ingress rule.

Egress --> I will add a rule for 0.0.0.0/0, which is towards the Internet. Because it is egress, I will not restrict it to a particular port; I'll make sure I allow all the ports, because the traffic is going out, so we don't need to worry.

Ingress --> at the same time, I will create an ingress rule. I just need to allow one port, because the instance has a public IP. If I am to connect to the instance via its public IP, then I will allow only that particular source: I will check the public IP of the laptop or desktop I want to connect from, and then I will add an ingress rule for that public IP on port 22, for login purposes only. So I will have one ingress rule only, for port 22.

And in case Internet traffic needs to be carried on port 80 or 443 (which is HTTPS traffic), then I will have to allow one more port, 80 or 443 based on the need, and since that traffic comes from the Internet, the source has to be 0.0.0.0/0.

  7. As it is connected to the Internet, I will also make sure that enough firewalls are provisioned at every level, so that we are not susceptible to vulnerabilities. For this, I think in my case we should also inform the client that we should go for a Palo Alto firewall.

Once you have a Palo Alto, we know that Layer 7 protection is there. As the service is connected to the Internet, there is a very high possibility of threats, so I will ensure that a firewall is installed so that we are safeguarding our services from any kind of vulnerability or threat coming from outside into the network. Because it is connected to the Internet, I have to safeguard it.
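As an added example (not part of this wiki page), the route rule and security-list rules from steps 5 and 6 above, expressed in the JSON field names OCI's Core API uses for route rules and ingress/egress security rules, plus an audit function that flags the mistakes this scenario warns against (SSH open to the whole internet, anything other than 80/443 open to 0.0.0.0/0). The admin IP 203.0.113.10 and the Internet Gateway OCID are constructed placeholders.

```python
"""Build and audit the single-VCN security rules (added example, not the page's code)."""
import ipaddress

ANYWHERE = "0.0.0.0/0"
TCP = "6"                     # OCI uses IANA protocol numbers; "all" means any
WEB_PORTS = {80, 443}         # the only ports the scenario exposes to everyone


def tcp_ingress(source: str, port: int) -> dict:
    """One stateful TCP ingress rule allowing a single destination port."""
    return {"protocol": TCP, "source": source, "isStateless": False,
            "tcpOptions": {"destinationPortRange": {"min": port, "max": port}}}


def scenario_rules(admin_ip: str, https: bool = True) -> dict:
    """Steps 5 and 6: default route to the IGW, egress to anywhere,
    SSH only from the admin host, web ports from anywhere."""
    admin_cidr = str(ipaddress.ip_network(admin_ip))  # bare IP -> /32
    ingress = [tcp_ingress(admin_cidr, 22), tcp_ingress(ANYWHERE, 80)]
    if https:
        ingress.append(tcp_ingress(ANYWHERE, 443))
    return {
        "routeRules": [{"destination": ANYWHERE, "destinationType": "CIDR_BLOCK",
                        "networkEntityId": "ocid1.internetgateway.PLACEHOLDER"}],
        "egressSecurityRules": [{"protocol": "all", "destination": ANYWHERE,
                                 "isStateless": False}],
        "ingressSecurityRules": ingress,
    }


def audit_ingress(rules: list) -> list:
    """Return findings for ingress rules that expose more than the scenario intends.
    Only TCP rules are evaluated in detail; any other protocol is flagged for review."""
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r["source"], strict=False)
        if r["protocol"] != TCP:
            findings.append(f"protocol {r['protocol']} open from {src}, review needed")
            continue
        pr = r.get("tcpOptions", {}).get("destinationPortRange")
        lo, hi = (pr["min"], pr["max"]) if pr else (1, 65535)  # no range = all ports
        if src.prefixlen == 0 and not set(range(lo, hi + 1)) <= WEB_PORTS:
            findings.append(f"TCP {lo}-{hi} open to the whole internet")
        if lo <= 22 <= hi and src.prefixlen < 32:
            findings.append(f"SSH reachable from {src}, not a single host")
    return findings


if __name__ == "__main__":
    cfg = scenario_rules("203.0.113.10")
    print("findings:", audit_ingress(cfg["ingressSecurityRules"]))   # []
```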