OCI Security rules for SQL Always On


Security rules in Oracle Cloud Infrastructure (OCI) allow you to specify inbound and outbound traffic rules for your VCN (Virtual Cloud Network). They operate at the subnet level and are used to control traffic flow between resources within the VCN, and between the VCN and the internet.

Security rules consist of the following components:

  • Protocol: The protocol that the rule applies to, such as TCP or UDP.
  • Source: The source of the traffic, which can be a range of IP addresses, a specific security list, or all sources.
  • Destination: The destination of the traffic, which can be a range of IP addresses, a specific security list, or all destinations.
  • Destination port range: The range of destination ports that the rule applies to.
  • Action: The action to take when the rule is matched, such as allowing or denying the traffic.

Security rules are evaluated in the order that they are listed, and the first rule that matches the traffic is applied. You can use security rules to allow or deny specific traffic, or to allow all traffic and then use other security measures, such as network security groups (NSGs) or firewall appliances, to control and monitor the traffic.

Active Directory

As a best practice, all the domain controllers should be in a subnet that either has no external IP addresses or has no access from the internet. As a result, you might want to enable OCI security rules to communicate between your subnets and the Active Directory subnets. However, be aware that this still opens potential paths of attack from those subnets. Therefore, it’s a best practice to open only the following ports between the subnets:

OCI security rules for Domain Controllers subnet

| Name | Protocol | Port |
|---|---|---|
| Remote Desktop Protocol (RDP) | TCP | 3389 |
| Domain Name System (DNS) | TCP, UDP | 53 |
| LDAP plain text | TCP, UDP | 389 |
| LDAP over SSL | TCP | 636 |
| LDAP Global Catalog plain text | TCP | 3268 |
| LDAP Global Catalog over SSL | TCP | 3269 |
| Kerberos | TCP, UDP | 88, 464 |
| Remote Procedure Call (RPC) | TCP | 135 |
| NETBIOS Name Service | TCP, UDP | 137 |
| NETBIOS Datagram Service | UDP | 138 |
| NETBIOS Session Service | TCP | 139 |
| Samba (SMB), Microsoft-DS | TCP, UDP | 445 |
| WINS replication | TCP, UDP | 42 |
| WINS resolution | TCP, UDP | 1512 |
| Windows Remote Management (WinRM) | TCP | 5985-5986 |
| Web Services (ADWS), Management Gateway Service | TCP | 9389 |
| Application dynamic ports | TCP, UDP | 49152-65535 |

In addition, you need to open the ports used by SQL Server Availability Groups.

OCI security rules for SQL Server Always On subnet

| Name | Protocol | Port |
|---|---|---|
| Remote Desktop Protocol (RDP) | TCP | 3389 |
| Remote Procedure Call (RPC) | TCP | 135 |
| NETBIOS Name Service | TCP, UDP | 137 |
| Samba (SMB), Microsoft-DS | TCP, UDP | 445 |
| Kerberos | TCP, UDP | 464 |
| SQL Server Service | TCP | 1433 |
| SQL Server Service | UDP | 1434 |
| Cluster for SQL Server Service | TCP, UDP | 3343 |
| Endpoint for SQL Server Service | TCP | 5022 |
| Windows Remote Management (WinRM) | TCP | 5985-5986 |
| Application dynamic ports | TCP, UDP | 49152-65535 |
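As an added example (not from the original post), the script below turns the SQL Server Always On table into the ingress-rule JSON that `oci network security-list create --ingress-security-rules file://rules.json` accepts, one stateful rule per protocol and port range, and refuses a 0.0.0.0/0 source so the cluster ports are only reachable from the named subnet. The source CIDR 10.0.2.0/24 is a constructed placeholder for your application or domain-controller subnet.

```python
import json

# (name, protocols, (first port, last port)) copied from the Always On table above.
SQL_ALWAYS_ON_PORTS = [
    ("Remote Desktop Protocol (RDP)", ("TCP",), (3389, 3389)),
    ("Remote Procedure Call (RPC)", ("TCP",), (135, 135)),
    ("NETBIOS Name Service", ("TCP", "UDP"), (137, 137)),
    ("Samba (SMB), Microsoft-DS", ("TCP", "UDP"), (445, 445)),
    ("Kerberos", ("TCP", "UDP"), (464, 464)),
    ("SQL Server Service", ("TCP",), (1433, 1433)),
    ("SQL Server Service", ("UDP",), (1434, 1434)),
    ("Cluster for SQL Server Service", ("TCP", "UDP"), (3343, 3343)),
    ("Endpoint for SQL Server Service", ("TCP",), (5022, 5022)),
    ("Windows Remote Management (WinRM)", ("TCP",), (5985, 5986)),
    ("Application dynamic ports", ("TCP", "UDP"), (49152, 65535)),
]

# OCI security rules carry the IANA protocol number as a string.
PROTOCOL_NUMBERS = {"TCP": "6", "UDP": "17"}


def ingress_rule(source_cidr, protocol, port_min, port_max, description):
    """One OCI IngressSecurityRule (stateful) for a single protocol and port range."""
    options_key = "tcpOptions" if protocol == "TCP" else "udpOptions"
    return {
        "protocol": PROTOCOL_NUMBERS[protocol],
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "isStateless": False,
        "description": description,
        options_key: {"destinationPortRange": {"min": port_min, "max": port_max}},
    }


def build_ingress_rules(source_cidr, table=SQL_ALWAYS_ON_PORTS):
    """Expand the port table into rules; only a specific subnet may be the source."""
    if source_cidr == "0.0.0.0/0":
        raise ValueError("refusing to expose SQL Always On ports to the internet")
    return [
        ingress_rule(source_cidr, proto, lo, hi, name)
        for name, protocols, (lo, hi) in table
        for proto in protocols
    ]


if __name__ == "__main__":
    # Constructed placeholder CIDR; replace with your application subnet.
    print(json.dumps(build_ingress_rules("10.0.2.0/24"), indent=2))
```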
