19_1 Scenario – Single Public VCN Connected to Internet (OCI) - SanjeevOCI/Study GitHub Wiki

1. Create a Compartment
Start by creating a compartment, if one doesn’t already exist. This helps logically organize and isolate resources.


2. Create a New VCN
Create a new Virtual Cloud Network with a non-overlapping CIDR block. This ensures there’s no IP conflict with other networks.


3. Create a Public Subnet
Create a public subnet with a smaller CIDR range, sized for the network or the number of services I need to configure. I will create a public subnet because I need a public IP for my resource (a compute instance in this case) so that it can connect to the Internet.


4. Create an Internet Gateway
Within the VCN, create an Internet Gateway. This component will allow instances in the public subnet to connect to the internet.


5. Create an Instance
In the public subnet, I will create a compute instance with public IP.


6. Add Route to the Subnet
I will go to the route table associated with the public subnet and create a route rule pointing to the Internet Gateway. In the route I will set the destination to 0.0.0.0/0, because I want to reach the external world, and the Internet has no fixed IP range that I could list instead.

  • Destination CIDR Block: 0.0.0.0/0
  • Target: Internet Gateway

This rule allows outbound traffic to any external address, since internet destinations don’t have fixed IP ranges.


7. Configure Security Rules (Security List or NSG)

Once the route is in place, I will update the Security List attached to the public subnet. I'll create two rules in the security list: an egress rule and an ingress rule.

Egress --> I will add a rule for 0.0.0.0/0, which is towards the Internet. Because it is egress and the traffic is going out, I'll allow all ports, so we don't need to worry about it. As seen in OCI, this rule is created by default whenever a VCN and subnet are created.

  • Egress Rule:
    • Destination: 0.0.0.0/0
    • Protocol: All (or TCP for specific services)
    • Allow all outbound traffic since it poses low risk

Ingress --> At the same time, I will create an ingress rule. I only need to allow one port, because the instance has a public IP. If I am allowed to connect to the instance via its public IP, then I will allow only that particular source: I will check the public IP of my laptop or desktop and add an ingress rule for that public IP on port 22, for login purposes only. So I will have a single ingress rule, for port 22.

If Internet traffic also needs to be carried on port 80 or 443 (HTTPS traffic), then I will have to allow one more port, 80 or 443 depending on the need. If the source is the Internet, then the rule's source has to be 0.0.0.0/0.

  • Ingress Rule:
    • If accessing the instance via SSH, allow TCP port 22
    • Restrict the source to your specific laptop/desktop’s public IP for security
    • If the application needs to be accessible over the internet (web traffic), allow port 80 (HTTP) and/or 443 (HTTPS)
    • Source CIDR for public web access: 0.0.0.0/0

NOTE: When you create a VCN and subnet in OCI, a default security list is automatically created and attached to the subnet (unless you explicitly choose a different one).

Default Ingress Rules
Source CIDR: VCN’s CIDR block (e.g., 10.0.0.0/16)
Protocol: All protocols
Description: Allows all inbound traffic within the VCN (east-west traffic between subnets/instances in the same VCN).
Purpose: So that instances in the same VCN can communicate without additional rules.

Default Egress Rules
Destination CIDR: 0.0.0.0/0
Protocol: All protocols
Description: Allows all outbound traffic to anywhere (internet, other networks, etc.).
Purpose: Ensures that instances can send traffic out without restrictions (subject to route table and gateway setup).
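Steps 3, 6 and 7 written out as Terraform for the OCI provider. This is an added example, not part of the original notes; it assumes the compartment, VCN and Internet Gateway from steps 1, 2 and 4 already exist and are passed in as `var.compartment_ocid`, `var.vcn_ocid` and `var.igw_ocid`, and that `var.admin_public_ip` holds the laptop/desktop address as a /32.

```hcl
# Added example, not from the page: Terraform (OCI provider) for steps 3, 6 and 7.
# Assumed inputs: var.compartment_ocid, var.vcn_ocid, var.igw_ocid (from steps 1,
# 2 and 4) and var.admin_public_ip as a /32, e.g. "203.0.113.10/32" (constructed).
# Step 6: route every external destination through the Internet Gateway.
resource "oci_core_route_table" "public_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = var.vcn_ocid
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = var.igw_ocid
  }
}

# Step 7: all egress; SSH only from the admin IP; HTTPS from anywhere.
resource "oci_core_security_list" "public_sl" {
  compartment_id = var.compartment_ocid
  vcn_id         = var.vcn_ocid
  egress_security_rules {
    destination = "0.0.0.0/0"
    protocol    = "all"
  }
  ingress_security_rules {
    source   = var.admin_public_ip # a single /32, not 0.0.0.0/0, for port 22
    protocol = "6"                 # TCP
    tcp_options {
      min = 22
      max = 22
    }
  }
  ingress_security_rules {
    source   = "0.0.0.0/0"         # public web traffic
    protocol = "6"
    tcp_options {
      min = 443
      max = 443
    }
  }
}

# Step 3: public subnet (constructed CIDR) with the route table and list attached.
resource "oci_core_subnet" "public" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = var.vcn_ocid
  cidr_block                 = "10.0.1.0/24"
  route_table_id             = oci_core_route_table.public_rt.id
  security_list_ids          = [oci_core_security_list.public_sl.id]
  prohibit_public_ip_on_vnic = false # instances here may receive a public IP
}
```

Running `terraform plan` against this shows the port 22 rule scoped to one /32 and only 443 open to 0.0.0.0/0, which is the check to repeat whenever the security list is edited later.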


8. Harden with a Firewall
As the instance is connected to the Internet, I will also make sure that enough firewalls are provisioned at every level so that we are not exposed to vulnerabilities. For this, in my case, I think we should also advise the client to go for a Palo Alto firewall.

Once you have a Palo Alto firewall, it will provide Layer 7 (application-level) protection, detect threats, and help prevent attacks. As the service is publicly accessible, the risk of external threats is higher, so firewall protection is essential to secure the infrastructure.


9. Storage Configuration

  • Boot Volume (automatically created)
  • Attach additional Block Volumes if needed
  • Optionally enable volume backup policy

10. Verify Access

  • SSH into the VM using its public IP.
  • Host a simple app or web server and test from the internet.