A simple guide to adding rules to security lists using OCI CLI

Before you implement a web application firewall (WAF) in Oracle Cloud Infrastructure (OCI), you need to configure your web server to accept traffic from the WAF servers. The WAF documentation gives a list of CIDR ranges that you need to add to your security list.

So, how can you add all these entries to your security list manually?

Adding ingress rules manually

First, create a security list. It has no rules by default.

To add an ingress rule into the security list, click Add Ingress Rules.

To add the full list of WAF IP ranges, you repeat this step once for each range.

Adding ingress rules using the OCI CLI

You could add every ingress rule by hand, or you can use the OCI CLI to add all the CIDR ranges into the security list with a few simple steps.

1. Launch Cloud Shell. If the OCI CLI is installed and configured to connect to your tenancy, you can also use any Linux instance.

2. Prepare a list of IP addresses in a text file. You can copy the CIDR ranges from the documentation.

3. To read the IP ranges and generate JSON output, create the generate_json.sh script. If you want to allow only the TCP protocol, replace "all" with "6".

4. To generate a JSON file that updates your security list with all the entries for the WAF nodes, run the generate_json.sh script.

5. Check the contents of the JSON file.

6. Get the OCID of the security list that you created.

7. Run the following command to update the security list with all the ingress rules. Replace <security-list-ocid> with the OCID from the previous step.

oci network security-list update --security-list-id <security-list-ocid> --ingress-security-rules file://./security_list.json --force
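The following script is an added example of what steps 2 to 5 describe; it is not the generate_json.sh from the original post. It assumes one CIDR per line in the input file (blank lines and lines starting with "#" are ignored), takes the protocol as an optional second argument ("all" by default, "6" for TCP only), and emits the JSON array of IngressSecurityRule objects (keys source, protocol, isStateless, sourceType) that the --ingress-security-rules parameter accepts. Lines that do not look like an IPv4 CIDR are skipped with a message on stderr, so a header line pasted from the documentation cannot end up as a rule.

```shell
#!/bin/sh
# Added example, not the original post's generate_json.sh. Turns a text file
# of CIDR ranges into the JSON array expected by
#   oci network security-list update --ingress-security-rules file://...
# Assumed input format: one CIDR per line; '#' lines and blank lines ignored.

# Print one ingress rule object for a CIDR and a protocol ("all" or "6").
# The CIDR has already been validated to contain only digits, '.' and '/',
# so interpolating it into the JSON string is safe.
rule_json() {
  cidr=$1
  proto=$2
  printf '{"source": "%s", "protocol": "%s", "isStateless": false, "sourceType": "CIDR_BLOCK"}' "$cidr" "$proto"
}

# Read CIDRs from the file named in $1 and print the complete JSON array.
# $2 is the protocol; it defaults to "all" (use "6" for TCP only).
generate_rules() {
  infile=$1
  proto=${2:-all}
  first=1
  printf '['
  while IFS= read -r line || [ -n "$line" ]; do
    # Strip leading and trailing whitespace left over from copy-paste.
    line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    case "$line" in
      ''|'#'*) continue ;;          # blank line or comment
    esac
    case "$line" in
      *[!0-9./]*)                   # anything other than digits, '.' and '/'
        echo "skipping invalid entry: $line" >&2
        continue ;;
    esac
    if [ "$first" -eq 1 ]; then first=0; else printf ', '; fi
    rule_json "$line" "$proto"
  done < "$infile"
  printf ']\n'
}

# Count the rules that would be written, for a quick check against the
# number of ranges in the WAF documentation before the update is applied.
count_rules() {
  generate_rules "$1" "$2" | grep -o '"source"' | wc -l | tr -d ' '
}

# Usage (assumed file name):
#   generate_rules waf_cidrs.txt   > security_list.json   # all protocols
#   generate_rules waf_cidrs.txt 6 > security_list.json   # TCP only
```

Two things worth knowing before running the update command from step 7: --ingress-security-rules replaces the whole ingress rule set of the security list rather than appending to it, and --force suppresses the confirmation prompt, so compare count_rules against the documented number of ranges and review security_list.json (step 5) before applying it.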

Summary

For details of OCI CLI commands, updating security lists, and other acceptable parameters, see the Oracle Cloud Infrastructure CLI Command Reference.
If you want to add port information to your security list rules, refer to the JSON file format for ingress security rules in the same reference.

