OCI Security rules for SQL Always On


As a best practice, place all domain controllers in a private subnet: one that either has no public IP addresses or is not reachable from the internet. The other subnets in your VCN then need OCI security list rules that allow them to talk to the Active Directory subnet. Be aware that every rule you add opens a potential attack path from the source subnet, so scope each rule to the peer subnet's CIDR (never 0.0.0.0/0) and open only the following ports between the subnets:

OCI security rules for Domain Controllers subnet

Name                                        Protocol   Port
Remote Desktop Protocol (RDP)               TCP        3389
Domain Name System (DNS)                    TCP, UDP   53
LDAP plain text                             TCP, UDP   389
LDAP over SSL (LDAPS)                       TCP        636
LDAP Global Catalog plain text              TCP        3268
LDAP Global Catalog over SSL                TCP        3269
Kerberos (authentication, password change)  TCP, UDP   88, 464
Remote Procedure Call (RPC) endpoint mapper TCP        135
NetBIOS Name Service                        TCP, UDP   137
NetBIOS Datagram Service                    UDP        138
NetBIOS Session Service                     TCP        139
SMB (Microsoft-DS)                          TCP, UDP   445
WINS replication                            TCP, UDP   42
WINS resolution                             TCP, UDP   1512
Windows Remote Management (WinRM)           TCP        5985-5986
Active Directory Web Services (ADWS)        TCP        9389
Dynamic RPC ports                           TCP, UDP   49152-65535

In addition, the subnet that hosts the SQL Server Always On replicas needs the following ports open for the availability group and the Windows failover cluster underneath it:

OCI security rules for SQL Server Always On subnet

Name                                        Protocol   Port
Remote Desktop Protocol (RDP)               TCP        3389
Remote Procedure Call (RPC) endpoint mapper TCP        135
NetBIOS Name Service                        TCP, UDP   137
SMB (Microsoft-DS)                          TCP, UDP   445
Kerberos password change                    TCP, UDP   464
SQL Server database engine                  TCP        1433
SQL Server Browser service                  UDP        1434
Windows failover cluster service            TCP, UDP   3343
Availability group (mirroring) endpoint     TCP        5022
Windows Remote Management (WinRM)           TCP        5985-5986
Dynamic RPC ports                           TCP, UDP   49152-65535
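To turn the two tables above into concrete security list rules, here is an added Python example (not code from the original post). It expands each row into OCI ingress rules, one protocol per rule as the OCI API requires, scoped to the peer subnet's CIDR, and then audits the result for anything wider than subnet-to-subnet on a fixed port set. The subnet CIDRs 10.0.1.0/24 and 10.0.2.0/24 are assumptions; the JSON it prints is the shape accepted by `oci network security-list create --ingress-security-rules file://rules.json`.

```python
"""Build OCI security-list ingress rules from the port tables and audit them.

Added example, not code from the original post. Subnet CIDRs are
hypothetical; replace them with your own VCN subnets.
"""
import json

AD_SUBNET = "10.0.1.0/24"   # assumed: domain controllers
SQL_SUBNET = "10.0.2.0/24"  # assumed: SQL Server Always On replicas

# The OCI API takes IANA protocol numbers as strings, one protocol per rule.
PROTO = {"TCP": "6", "UDP": "17"}

# (name, protocols, (min port, max port)) transcribed from the tables above.
DC_PORTS = [
    ("RDP", ("TCP",), (3389, 3389)),
    ("DNS", ("TCP", "UDP"), (53, 53)),
    ("LDAP", ("TCP", "UDP"), (389, 389)),
    ("LDAPS", ("TCP",), (636, 636)),
    ("LDAP Global Catalog", ("TCP",), (3268, 3268)),
    ("LDAP Global Catalog over SSL", ("TCP",), (3269, 3269)),
    ("Kerberos", ("TCP", "UDP"), (88, 88)),
    ("Kerberos password change", ("TCP", "UDP"), (464, 464)),
    ("RPC endpoint mapper", ("TCP",), (135, 135)),
    ("NetBIOS Name Service", ("TCP", "UDP"), (137, 137)),
    ("NetBIOS Datagram Service", ("UDP",), (138, 138)),
    ("NetBIOS Session Service", ("TCP",), (139, 139)),
    ("SMB", ("TCP", "UDP"), (445, 445)),
    ("WINS replication", ("TCP", "UDP"), (42, 42)),
    ("WINS resolution", ("TCP", "UDP"), (1512, 1512)),
    ("WinRM", ("TCP",), (5985, 5986)),
    ("ADWS", ("TCP",), (9389, 9389)),
    ("Dynamic RPC ports", ("TCP", "UDP"), (49152, 65535)),
]
SQL_PORTS = [
    ("RDP", ("TCP",), (3389, 3389)),
    ("RPC endpoint mapper", ("TCP",), (135, 135)),
    ("NetBIOS Name Service", ("TCP", "UDP"), (137, 137)),
    ("SMB", ("TCP", "UDP"), (445, 445)),
    ("Kerberos password change", ("TCP", "UDP"), (464, 464)),
    ("SQL Server database engine", ("TCP",), (1433, 1433)),
    ("SQL Server Browser", ("UDP",), (1434, 1434)),
    ("Windows failover cluster", ("TCP", "UDP"), (3343, 3343)),
    ("Availability group endpoint", ("TCP",), (5022, 5022)),
    ("WinRM", ("TCP",), (5985, 5986)),
    ("Dynamic RPC ports", ("TCP", "UDP"), (49152, 65535)),
]


def build_ingress_rules(port_table, source_cidr):
    """Expand each row into stateful ingress rules, one per protocol.

    Stateful rules let replies flow back without a matching egress rule.
    """
    rules = []
    for name, protocols, (lo, hi) in port_table:
        for proto in protocols:
            ports = f"{lo}-{hi}" if lo != hi else str(lo)
            rule = {
                "description": f"{name} ({proto} {ports})",
                "protocol": PROTO[proto],
                "source": source_cidr,
                "sourceType": "CIDR_BLOCK",
                "isStateless": False,
            }
            options_key = "tcpOptions" if proto == "TCP" else "udpOptions"
            rule[options_key] = {"destinationPortRange": {"min": lo, "max": hi}}
            rules.append(rule)
    return rules


def audit_rules(rules, allowed_sources):
    """Flag rules wider than 'peer subnet CIDR to a fixed TCP/UDP port range'."""
    findings = []
    for rule in rules:
        desc = rule.get("description", "<no description>")
        if rule.get("sourceType") != "CIDR_BLOCK" or rule.get("source") not in allowed_sources:
            findings.append(f"{desc}: source {rule.get('source')} is not a peer subnet")
        if rule.get("protocol") not in PROTO.values():
            findings.append(f"{desc}: protocol {rule.get('protocol')} is wider than TCP/UDP")
            continue
        options = rule.get("tcpOptions") or rule.get("udpOptions") or {}
        if "destinationPortRange" not in options:
            findings.append(f"{desc}: no destination port range, every port is open")
    return findings


def security_lists():
    """Ingress rule sets for both subnets. The DC subnet accepts the AD ports
    from the SQL subnet; the SQL subnet accepts the cluster/AG ports from the
    DCs and from its own replicas (5022 and 3343 are replica-to-replica)."""
    return {
        "domain-controllers": build_ingress_rules(DC_PORTS, SQL_SUBNET),
        "sql-always-on": build_ingress_rules(SQL_PORTS, AD_SUBNET)
        + build_ingress_rules(SQL_PORTS, SQL_SUBNET),
    }


if __name__ == "__main__":
    for list_name, rules in security_lists().items():
        print(f"# {list_name}: {len(rules)} rules, findings: {audit_rules(rules, {AD_SUBNET, SQL_SUBNET})}")
        print(json.dumps(rules, indent=2))
```

Two caveats before you apply the output: RDP and WinRM are administrative paths and are better sourced from a bastion or management subnet than from the peer subnet, and the NetBIOS and WINS rows only need to exist if you still rely on NetBIOS name resolution; drop them otherwise, since every open port is one more path between the subnets.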
