29. OCI‐Asymmetric Routing - pavankumarchittajallu/OCI_DOC GitHub Wiki

Step-by-Step Guide: Configuring Security Lists for Asymmetric Routing in OCI

When a connection between Oracle Cloud Infrastructure (OCI) and an on-premises network is routed asymmetrically, the security lists on the OCI subnet must be written so that both halves of every flow are permitted, or connections will silently fail. This guide walks through planning, creating and testing those rules, and shows where the stateful and stateless variants differ.

1. Understand Asymmetric Routing and Security Lists

  • Asymmetric Routing: Occurs when the outbound and inbound halves of one connection between OCI and an on-premises network take different paths, for example a request that leaves through one Site-to-Site VPN tunnel (or FastConnect circuit) and a reply that arrives through another. It is common whenever redundant tunnels advertise the same prefixes with equal preference.
  • Security Lists: Virtual firewall rules attached to subnets in a Virtual Cloud Network (VCN). They are evaluated at each VNIC in the subnet and control both inbound (ingress) and outbound (egress) traffic for that VNIC.

2. Plan Your Security List Rules

  • Identify Traffic Flows: Determine which protocols, ports, and IP ranges (CIDRs) are needed for your use case (e.g., SSH, application ports, ICMP), and which side initiates each connection.
  • Stateful vs. Stateless Rules:
    • Stateful (default): OCI tracks the connection at the VNIC and automatically allows the reply packets. The tracking is tied to the VNIC, not to the tunnel or route the packets took, so replies are accepted even if they arrive via a different path.
    • Stateless: Nothing is tracked. Every packet is matched on its own headers, so you need one rule for the request and a separate rule for the reply. The reply rule must describe the reply as it actually looks on the wire: the service port appears as the source port and the client's ephemeral port as the destination port.

3. Create or Update Security Lists

a. Add Ingress Rules

  • Allow inbound traffic from your on-premises CIDR to the required destination ports and protocols.
  • For stateless rules, you must also add an explicit egress rule for the return traffic. Do not simply mirror the ingress rule: the return rule must allow source port 22 (or 443, etc.) to the on-premises CIDR with the destination port unrestricted, because the reply goes back to whatever ephemeral port the client chose.

b. Add Egress Rules

  • Allow outbound traffic from your OCI subnet to your on-premises CIDR as needed.

c. ICMP Rules

  • For stateless configurations, explicitly allow ICMP type 3 code 4 (fragmentation needed) in both directions to support path MTU discovery. A stateful rule would admit the ICMP error as part of the tracked connection, but a stateless rule set does not, and IPsec tunnels reduce the usable MTU, so dropping these messages produces connections that open but then stall on large transfers.
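
The rule set from steps 2 and 3, built in code rather than by hand, together with the check a practitioner wants before applying it: that every stateless ingress rule has an egress rule that actually passes its replies, and that ICMP type 3 code 4 is allowed both ways. This is an added example, not code from this wiki page or from Oracle. The on-premises CIDR `10.10.0.0/16`, the ports 22 and 443, and the function names are constructed for the example; the rule dictionaries follow the JSON shape the OCI CLI accepts for `--ingress-security-rules` and `--egress-security-rules` (protocol number as a string, `tcpOptions`, `icmpOptions`, `isStateless`).

```python
"""Build OCI security list rules for one on-premises CIDR and check that
stateless rules come in return-path pairs before applying them.

Added example (not the wiki's or Oracle's code). CIDR and ports are
constructed sample values."""
import json

TCP, ICMP = "6", "1"                     # IANA protocol numbers, as OCI expects them
EPHEMERAL = {"min": 1024, "max": 65535}  # client source ports that replies go back to
PMTUD = {"type": 3, "code": 4}           # ICMP "fragmentation needed"


def port_range(port):
    return {"min": port, "max": port}


def ingress_rule(protocol, source, stateless, **options):
    rule = {"protocol": protocol, "source": source, "sourceType": "CIDR_BLOCK",
            "isStateless": stateless}
    rule.update(options)
    return rule


def egress_rule(protocol, destination, stateless, **options):
    rule = {"protocol": protocol, "destination": destination,
            "destinationType": "CIDR_BLOCK", "isStateless": stateless}
    rule.update(options)
    return rule


def stateful_rules(onprem_cidr, ports):
    """Stateful: one ingress rule per service port. Replies are admitted by the
    VNIC's connection tracking, whichever tunnel they come back through."""
    ingress = [ingress_rule(TCP, onprem_cidr, False,
                            tcpOptions={"destinationPortRange": port_range(p)},
                            description=f"on-prem to tcp/{p}") for p in ports]
    return ingress, []


def stateless_rules(onprem_cidr, ports):
    """Stateless: the egress rule must match the reply packets themselves, which
    carry the service port as SOURCE port and the client's ephemeral port as
    destination, so it is not a mirror of the ingress rule."""
    ingress = [ingress_rule(TCP, onprem_cidr, True,
                            tcpOptions={"destinationPortRange": port_range(p)},
                            description=f"on-prem to tcp/{p}") for p in ports]
    egress = [egress_rule(TCP, onprem_cidr, True,
                          tcpOptions={"sourcePortRange": port_range(p)},
                          description=f"replies from tcp/{p} to on-prem") for p in ports]
    # With no state tracking, path MTU discovery needs ICMP 3/4 allowed both ways.
    ingress.append(ingress_rule(ICMP, onprem_cidr, True, icmpOptions=PMTUD, description="PMTUD"))
    egress.append(egress_rule(ICMP, onprem_cidr, True, icmpOptions=PMTUD, description="PMTUD"))
    return ingress, egress


def covers(rng, needed):
    """An absent port range means 'all ports' in an OCI rule."""
    return rng is None or (rng["min"] <= needed["min"] and needed["max"] <= rng["max"])


def is_pmtud(rule):
    return rule["protocol"] == ICMP and rule.get("icmpOptions") == PMTUD


def missing_return_rules(ingress, egress):
    """List the gaps: stateless TCP ingress rules whose replies no stateless egress
    rule would pass, and missing ICMP 3/4 whenever any stateless rule is present."""
    problems = []
    for r in ingress:
        if not (r["isStateless"] and r["protocol"] == TCP):
            continue
        service = r["tcpOptions"]["destinationPortRange"]
        ok = any(e["isStateless"] and e["protocol"] == TCP and e["destination"] == r["source"]
                 and covers(e.get("tcpOptions", {}).get("sourcePortRange"), service)
                 and covers(e.get("tcpOptions", {}).get("destinationPortRange"), EPHEMERAL)
                 for e in egress)
        if not ok:
            problems.append(f"no stateless egress rule passes replies from tcp/{service['min']} "
                            f"to {r['source']}")
    if any(r["isStateless"] for r in ingress + egress):
        if not (any(is_pmtud(r) and r["isStateless"] for r in ingress)
                and any(is_pmtud(r) and r["isStateless"] for r in egress)):
            problems.append("stateless rules present but ICMP type 3 code 4 is not allowed "
                            "in both directions")
    return problems


def to_cli_json(rules):
    """Serialise one rule list for `--ingress-security-rules file://ingress.json`
    or `--egress-security-rules file://egress.json`."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    ing, eg = stateless_rules("10.10.0.0/16", (22, 443))
    print(missing_return_rules(ing, eg) or "stateless rule set is paired correctly")
    # The common mistake: mirroring the ingress rule, which never matches a reply.
    mirrored = [egress_rule(TCP, "10.10.0.0/16", True,
                            tcpOptions={"destinationPortRange": port_range(22)})]
    print(missing_return_rules(ing, mirrored))
    print(to_cli_json(ing))
```

Write the two lists to files and pass them to `oci network security-list create --compartment-id ... --vcn-id ... --ingress-security-rules file://ingress.json --egress-security-rules file://egress.json`, or to `security-list update` for an existing list. The mirrored egress rule in the `__main__` block is the mistake behind most "SSH connects from on-prem but hangs" reports with stateless rules: it allows traffic to port 22, while the replies leave from port 22.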

4. Special Considerations for Asymmetric Routing

  • Stateful Security Lists: Recommended for most scenarios. Because connection state is tracked per VNIC rather than per path, replies are accepted no matter which tunnel or circuit delivers them. In practice the component that breaks under asymmetric routing is usually a stateful firewall on the on-premises side that sees only one half of the connection.
  • Stateless Security Lists: Use them where you want to avoid connection tracking, typically for high-volume flows; they are not a way to get finer control than stateful rules. With stateless rules, always define both the request rule and the reply rule for every protocol and port, writing the reply rule with the service port as the source port.

5. Example Security List Rules Table

| Rule Type | Direction | Source/Destination | Protocol | Ports | Notes |
|---|---|---|---|---|---|
| Ingress | Inbound | On-premises CIDR | TCP | Destination 22, 443... | Allow SSH, HTTPS, etc. |
| Egress | Outbound | On-premises CIDR | TCP | Source 22, 443..., destination any | Return traffic for stateless rules (stateful rules allow it automatically); also covers OCI-initiated connections if destination ports are added |
| Ingress | Inbound | On-premises CIDR | ICMP | Type 3, code 4 | Needed for stateless rules, path MTU discovery |
| Egress | Outbound | On-premises CIDR | ICMP | Type 3, code 4 | Needed for stateless rules, path MTU discovery |

6. Apply and Test

  • Attach the security list to your OCI subnet (or update the list the subnet already uses).
  • Test connectivity in both directions from both sides, then repeat the tests with one tunnel or circuit disabled so that requests and replies are forced onto different paths; an asymmetric failure only shows up when the paths actually diverge.
  • Use VCN flow logs to see which rule accepted or rejected each flow, and check the on-premises firewall logs for the same connection; a flow that is accepted in OCI and dropped on-premises points at the on-premises firewall's state table rather than at the security list.

7. Best Practices

  • Prefer stateful rules for simplicity and reliability; they are path-independent by design.
  • For stateless rules, always define both the request and the reply rule for each protocol and port, and write reply rules against the reply's headers (service port as source, any destination port).
  • Document all changes and regularly review security lists as your environment evolves, removing rules for flows that no longer exist.
  • Coordinate with on-premises network teams to ensure firewalls and routers accept return traffic on any tunnel, or pin each flow to one tunnel with route preferences so that the on-premises firewall never has to handle the asymmetry.

Proper configuration of security lists is essential for maintaining connectivity and security in asymmetric routing scenarios within OCI. Misconfiguration typically shows up as connections that open but hang, or as traffic that works until a tunnel fails over, so plan the rules for both directions and test with the paths deliberately split before relying on them.