Containers and Kubernetes

    Topic posted January 16, 2017 by Gianni Ceresa, last edited December 31, 2018 by Arijit Chakraborty, tagged Tip
    Title:
    OCCS and "intra-Oracle-cloud" rules connecting to DBCS
    Content:

    Hi,

    Was reading   by   on connecting to DBCS from a container in OCCS and I see it requires opening connections to DBCS from everywhere (the rule uses a Source as "PUBLIC-INTERNET", Destination as "DB" on TCP port 1521).

     

    This means the DB accepts connections from anywhere, which doesn't sound like the ideal setup to me...

     

    Is there a plan to add OCCS to other Oracle cloud services as "source"? A way to enable a connection to my DBCS instance only from OCCS containers and not the public internet?

    Or is OCCS for now something completely separate from other Oracle cloud things and so better to not expect some kind of "intra-Oracle-cloud" rules for communication between services?

     

    The question can be asked in both places, DBCS and here, but as you are the last to join the party... (as far as I know)

    Comment

     

    • Adolganov

      My understanding is you don't have to open TCP 1251 access to "everybody". This blog post was showing the easiest (and the least secure) way to connect between two services.

      You should be able to tighten the DBCS security, limiting the incoming 1251 traffic to the public IP addresses of your containers.

      Regards

    • Adolganov

      Actually, in the case where your DBCS and OCCS belong to the same subscription account and the same identity domain, you can make them easily communicate both ways: the only thing needed is to include your DBCS compute instance and Container Worker instance(s) in the same Security List. Almost as easy as one button click.

      If they aren't in the same identity domain, you'll have to add the Security Apps (that define port ranges) and Security Rules (that define firewall rules) to allow the communication. A little bit more involved but not complicated really.

      Regards

    • Gianni Ceresa
      
      

      Alex-D__CSC wrote:

      You should be able to tighten the DBCS security, limiting the incoming 1251 traffic to the public IP addresses of your containers

      That's the minimum I would be looking for (I still didn't enter the 30 trial as it's only 30 days, so I want to make sure to have a lot of free time before entering it). But ideally I would expect something smarter like a button "intra-cloud" access based on the services I currently have in my account.

    • Jairo Rojas Mendez

      My understanding is you don't have to open TCP 1251 access to "everybody". This blog post was showing the easiest (and the least secure) way to connect between two services.

      You should be able to tighten the DBCS security, limiting the incoming 1251 traffic to the public IP addresses of your containers.

      Regards
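
The tightening discussed in this thread can be checked mechanically. The following is an added example, not part of the original thread and not Oracle tooling: it audits a list of access rules for anything that still admits traffic to the DB listener on TCP 1521 from outside an allow-list of container worker IPs. The rule layout, rule names and IP addresses are constructed assumptions, not an Oracle export format.

```python
import ipaddress

DB_PORT = 1521  # listener port named in the question
PUBLIC_SOURCES = {"PUBLIC-INTERNET", "0.0.0.0/0", "::/0"}

# Constructed sample rules (hypothetical layout and names).
SAMPLE_RULES = [
    {"name": "db-listener-public", "source": "PUBLIC-INTERNET", "ports": "1521"},
    {"name": "db-listener-worker", "source": "203.0.113.10/32", "ports": "1521"},
    {"name": "db-range-subnet", "source": "203.0.113.0/28", "ports": "1500-1600"},
    {"name": "db-listener-seclist", "source": "occs-workers-seclist", "ports": "1521"},
    {"name": "ssh-public", "source": "PUBLIC-INTERNET", "ports": "22"},
]
# Constructed public IPs of the container workers (documentation range).
WORKER_IPS = ["203.0.113.10", "203.0.113.11"]


def covers_port(ports, port):
    """True if a 'N' or 'N-M' port spec includes `port`."""
    lo, _, hi = ports.partition("-")
    return int(lo) <= port <= int(hi or lo)


def audit(rules, allowed_ips, port=DB_PORT):
    """Return {rule name: finding} for rules exposing `port` too widely."""
    allowed = {ipaddress.ip_address(ip) for ip in allowed_ips}
    findings = {}
    for rule in rules:
        if not covers_port(rule["ports"], port):
            continue  # rule does not reach the DB listener at all
        src = rule["source"]
        if src in PUBLIC_SOURCES:
            findings[rule["name"]] = "open to any source"
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            # A named group such as a security list: membership needs review.
            findings[rule["name"]] = "named source, review membership"
            continue
        # Count addresses the rule admits that are not known workers.
        extra = net.num_addresses - sum(1 for ip in allowed if ip in net)
        if extra:
            findings[rule["name"]] = f"{extra} address(es) outside the allow-list"
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES, WORKER_IPS).items():
        print(f"{name}: {finding}")
```

Port ranges matter here: a rule that never mentions 1521 explicitly can still cover it, which is why the range rule in the sample is flagged.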