21 ‐ Single Private VCN with no internet, having all other services connected like block storage, object storage - SanjeevOCI/Study GitHub Wiki
1. Create a Compartment
Start by creating a compartment, if one doesn’t already exist. This helps logically organize and isolate resources.
2. Create a New VCN
Create a new Virtual Cloud Network with a non-overlapping CIDR block. This ensures there’s no IP conflict with other networks.
3. Create a Private Subnet
Create a private subnet with a smaller CIDR range based on the number of services or instances you plan to deploy.
In this case, since the VCN will have no internet access, do not assign a public IP to the compute instance, and do not associate this subnet with an Internet Gateway.
4. No Internet Gateway
Since the requirement is no internet connectivity, do not create or attach an Internet Gateway to the VCN.
If outbound-only access to OCI services like Object Storage is needed, consider using a Service Gateway (private connectivity to OCI services without going over the internet).
5. Create an Instance
In the private subnet, create a compute instance without assigning a public IP.
This ensures it is not reachable directly from the internet.
The instance can still communicate with:
- Block Volumes (attached via iSCSI or paravirtualized attachment; the volume must be in the same availability domain as the instance)
- Object Storage (through the Service Gateway, if one is configured)
6. Add Route to OCI Services (Optional)
If the instance needs to communicate with OCI services such as Object Storage:
- Add a route in the private subnet's route table with:
  - Destination CIDR Block: all-oci-services-in-oracle-services-network, or the Object Storage service only
  - Target: Service Gateway
If no external or service traffic is required, keep only the local VCN route.
7. Configure Security Rules (Security List or NSG)
Update the security list or Network Security Group attached to the private subnet:
- Egress Rule:
  - Destination: VCN CIDR (or 0.0.0.0/0 if Service Gateway is used)
  - Protocol: All (or TCP for specific ports needed)
- Ingress Rule:
  - Allow inbound traffic from trusted subnets or specific private IP ranges only
  - For management access, use Bastion Service or connect via VPN/FastConnect from on-prem
Default Security List Rules in OCI:
- Default Ingress: Allows all inbound traffic from within the VCN’s CIDR
- Default Egress: Allows all outbound traffic to any destination (this still requires proper routes and gateways)
8. Harden with a Firewall
Even though there’s no internet connectivity, internal threats or misconfigurations can occur.
You can deploy:
- OCI Network Firewall
- Third-party firewall appliances in private mode
- Tight NSG/Security List rules
9. Storage Configuration
- Boot Volume (automatically created when VM is created)
- Attach additional Block Volumes if needed
- Connect to Object Storage via Service Gateway for backups or large file transfers
- Optionally enable volume backup policy
10. Verify Access
- Use Bastion or VPN to connect to the private instance for administration
- Test access to Block Storage and Object Storage if configured
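Steps 4 through 7 and step 10 amount to a short checklist (no Internet Gateway, only Service Gateway and DRG routes, private-only ingress, no public IPs), and the easiest way to keep a VCN in that state is to audit its configuration automatically. The script below is an added example for this page, not code from the SanjeevOCI/Study wiki. It runs offline on a constructed dict whose field names follow the camelCase OCI Core REST API (prohibitPublicIpOnVnic, routeRules, destinationType, networkEntityId); the OCIDs are placeholders, the "internetGateways", "serviceGateways" and "vnics" lists stand in for what the corresponding List calls would return, and the on-prem range 192.168.50.0/24 is an assumed trusted CIDR reachable over VPN/FastConnect.

```python
"""Audit a VCN description against the 'private VCN, no internet' design.

Added example, not part of the wiki. Input mirrors the camelCase OCI Core
REST API; all sample data and OCIDs below are constructed placeholders.
"""
import copy
import ipaddress

# The second dot-separated field of an OCID names the resource type,
# e.g. ocid1.internetgateway.oc1..xxx -> "internetgateway".
def ocid_type(ocid):
    parts = ocid.split(".")
    return parts[1] if len(parts) > 1 else ""

# Targets a private VCN may legitimately route to: OCI services via the
# Service Gateway, and on-prem via a DRG (VPN/FastConnect) for management.
ALLOWED_ROUTE_TARGETS = {"servicegateway", "drg"}

def in_trusted(cidr, trusted_nets):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(t) for t in trusted_nets)

def audit_private_vcn(vcn, trusted_cidrs=()):
    """Return a list of findings; an empty list means the design holds."""
    findings = []
    vcn_cidr = ipaddress.ip_network(vcn["cidrBlock"])
    trusted = [vcn_cidr] + [ipaddress.ip_network(c) for c in trusted_cidrs]
    has_sgw = bool(vcn.get("serviceGateways"))

    # Step 4: no Internet Gateway should exist in the VCN at all.
    for igw in vcn.get("internetGateways", []):
        findings.append(f"internet gateway {igw['displayName']} attached to VCN")

    # Step 6: only Service Gateway and DRG routes are acceptable (the local
    # VCN route is implicit in OCI and does not appear as a rule).
    for rt in vcn.get("routeTables", []):
        for rule in rt.get("routeRules", []):
            target = ocid_type(rule["networkEntityId"])
            if target in ("internetgateway", "natgateway"):
                findings.append(f"route table {rt['displayName']}: {rule['destination']} -> {target}")
            elif target not in ALLOWED_ROUTE_TARGETS:
                findings.append(f"route table {rt['displayName']}: unexpected target {target}")
            elif target == "servicegateway" and rule.get("destinationType") != "SERVICE_CIDR_BLOCK":
                findings.append(f"route table {rt['displayName']}: service gateway route should use SERVICE_CIDR_BLOCK")

    # Step 7: ingress only from the VCN or trusted private ranges; a wide-open
    # egress rule is only tolerable when a Service Gateway actually exists.
    for sl in vcn.get("securityLists", []):
        for rule in sl.get("ingressSecurityRules", []):
            if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
                continue
            if not in_trusted(rule["source"], trusted):
                findings.append(f"security list {sl['displayName']}: ingress from untrusted {rule['source']}")
        for rule in sl.get("egressSecurityRules", []):
            if rule.get("destinationType", "CIDR_BLOCK") == "SERVICE_CIDR_BLOCK":
                continue
            if rule["destination"] == "0.0.0.0/0" and not has_sgw:
                findings.append(f"security list {sl['displayName']}: egress to 0.0.0.0/0 without a Service Gateway")

    # Steps 3 and 5: subnets forbid public IPs and no VNIC carries one.
    for sn in vcn.get("subnets", []):
        if not sn.get("prohibitPublicIpOnVnic", False):
            findings.append(f"subnet {sn['displayName']} allows public IPs on VNICs")
    for vnic in vcn.get("vnics", []):
        if vnic.get("publicIp"):
            findings.append(f"VNIC {vnic['displayName']} has public IP {vnic['publicIp']}")
    return findings

# Constructed sample: the design from this page, built correctly. The service
# label is written as on this page; real labels embed the region key.
SGW = "ocid1.servicegateway.oc1..sgw-placeholder"
OSN = "all-oci-services-in-oracle-services-network"
PRIVATE_VCN = {
    "cidrBlock": "10.10.0.0/16",
    "internetGateways": [],
    "serviceGateways": [{"id": SGW, "displayName": "sgw"}],
    "routeTables": [{"displayName": "rt-private", "routeRules": [
        {"destination": OSN, "destinationType": "SERVICE_CIDR_BLOCK", "networkEntityId": SGW}]}],
    "securityLists": [{"displayName": "sl-private",
        "ingressSecurityRules": [
            {"protocol": "6", "source": "10.10.0.0/16", "sourceType": "CIDR_BLOCK"},
            {"protocol": "6", "source": "192.168.50.0/24", "sourceType": "CIDR_BLOCK"}],  # on-prem via VPN
        "egressSecurityRules": [
            {"protocol": "all", "destination": "10.10.0.0/16", "destinationType": "CIDR_BLOCK"},
            {"protocol": "6", "destination": OSN, "destinationType": "SERVICE_CIDR_BLOCK"}]}],
    "subnets": [{"displayName": "sn-private", "cidrBlock": "10.10.1.0/24", "prohibitPublicIpOnVnic": True}],
    "vnics": [{"displayName": "app01", "privateIp": "10.10.1.10", "publicIp": None}],
}

def drifted_vcn():
    """Constructed sample of the same VCN after it was 'temporarily' opened up."""
    v = copy.deepcopy(PRIVATE_VCN)
    igw = "ocid1.internetgateway.oc1..igw-placeholder"
    v["internetGateways"].append({"id": igw, "displayName": "igw-temp"})
    v["routeTables"][0]["routeRules"].append(
        {"destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK", "networkEntityId": igw})
    v["securityLists"][0]["ingressSecurityRules"].append(
        {"protocol": "6", "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK"})
    v["subnets"][0]["prohibitPublicIpOnVnic"] = False
    v["vnics"][0]["publicIp"] = "203.0.113.7"
    return v

if __name__ == "__main__":
    for name, v in (("compliant", PRIVATE_VCN), ("drifted", drifted_vcn())):
        print(name, audit_private_vcn(v, ["192.168.50.0/24"]) or ["ok"])
```

Feeding the script real data means translating the output of the ListInternetGateways, ListRouteTables, ListSecurityLists, ListSubnets and ListVnicAttachments calls into the same dict layout; the checks themselves stay as written. The DRG target is kept in the allowed set because the page's own management path (Bastion, VPN or FastConnect) depends on it; drop it from ALLOWED_ROUTE_TARGETS if the VCN is meant to have no on-prem connectivity either.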