OCI Security rules for SQL Always On
Posted on Jan, 14 2021 By Maciej Dadok-Grabski
Security rules in Oracle Cloud Infrastructure (OCI) allow you to specify inbound and outbound traffic rules for your VCN (Virtual Cloud Network). They operate at the subnet level and are used to control traffic flow between resources within the VCN, and between the VCN and the internet.
Security rules consist of the following components:
- Protocol: The protocol that the rule applies to, such as TCP or UDP.
- Source: The source of the traffic, which can be a range of IP addresses, a specific security list, or all sources.
- Destination: The destination of the traffic, which can be a range of IP addresses, a specific security list, or all destinations.
- Destination port range: The range of destination ports that the rule applies to.
- Action: The action to take when the rule is matched, such as allowing or denying the traffic.
Security rules are evaluated in the order that they are listed, and the first rule that matches the traffic is applied. You can use security rules to allow or deny specific traffic, or to allow all traffic and then use other security measures, such as network security groups (NSGs) or firewall appliances, to control and monitor the traffic.
Active Directory
As a best practice, all the domain controllers should be in a subnet that either has no external IP addresses or has no access from the internet. As a result, you might want to enable OCI security rules to communicate between your subnets and the Active Directory subnets. However, be aware that this still opens potential paths of attack from those subnets. Therefore, it’s a best practice to open only the following ports between the subnets:
OCI security rules for Domain Controllers subnet
| Name | Protocol | Port |
| Remote Desktop Protocol (RDP) | TCP | 3389 |
| Domain Name System (DNS) | TCP, UDP | 53 |
| LDAP plain text | TCP, UDP | 389 |
| LDAP over ssl | TCP | 636 |
| LDAP Global Catalog plain text | TCP | 3268 |
| LDAP Global Catalog over ssl | TCP | 3269 |
| Kerberos | TCP, UDP | 88, 464 |
| Remote Procedure Call (RPC) | TCP | 135 |
| NETBIOS Name Service | TCP, UDP | 137 |
| NETBIOS Datagram Service | UDP | 138 |
| NETBIOS Session Service | TCP | 139 |
| Samba (SMB), Microsoft-DS | TCP, UDP | 445 |
| WINS replication | TCP, UDP | 42 |
| WINS resolution | TCP, UDP | 1512 |
| Windows Remote Management (Winrm) | TCP | 5985-5986 |
| Web Services (ADWS), Management Gateway Service | TCP | 9389 |
| Application dynamic ports | TCP, UDP | 49152-65535 |
Further, you need to open ports for SQL Server Availability Groups.
OCI security rules for SQL Server Always On subnet
| Name | Protocol | Port |
| Remote Desktop Protocol (RDP) | TCP | 3389 |
| Remote Procedure Call (RPC) | TCP | 135 |
| NETBIOS Name Service | TCP, UDP | 137 |
| Samba (SMB), Microsoft-DS | TCP, UDP | 445 |
| Kerberos | TCP, UDP | 464 |
| Sql Server Service | TCP | 1433 |
| Sql Server Service | UDP | 1434 |
| Cluster for Sql Server Service | TCP, UDP | 3343 |
| Endpoint for Sql Server Service | TCP | 5022 |
| Windows Remote Management (Winrm) | TCP | 5985-5986 |
| Application dynamic ports | TCP, UDP | 49152-65535 |
