
Managing Network Sources

This topic describes the basics of working with network sources.

Required IAM Policy

If you're in the Administrators group, then you have the required access for managing
network sources. To write policies specifically for network sources, use the network-sources
resource type, found with the other IAM components, in Details for IAM.

If you're new to policies, see Getting Started with Policies and Common Policies.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business
needs. You can apply tags at the time you create a resource, or you can update the resource
later with the desired tags. For general information about applying tags, see Resource Tags.

Introduction to Network Sources

A network source specifies IP addresses that are allowed to access resources in your tenancy.
The IP addresses can be public IP addresses or IP addresses from VCNs within your tenancy.
After you create the network source, you use policy to restrict access to only requests that
originate from the IPs in the network source. When specified in a policy, IAM validates that
requests to access a resource originate from an allowed IP address.

For example, you can restrict access to Object Storage buckets in your tenancy to only users
that are signed in to Oracle Cloud Infrastructure through your corporate network. Or, you can
allow only resources belonging to specific subnets of a specific VCN to make requests over
a service gateway.

Network sources can only be created in the tenancy (the root compartment) and, like
other Identity resources, reside in the home region.

For information about the number of network sources you can have, see IAM Limits.

Restricting Access to Specific IP Addresses

Important: This feature is currently supported by the Object Storage service only.

To restrict access to requests made from a set of IP addresses, do the following:

1. Create a network source that specifies the allowed IP addresses.
2. Write a policy that uses the network source variable in a condition.

1. Create the Network Source

Follow the instructions provided for the Console or the API to create the network source.

A single network source can include IP addresses from a specific VCN, public IP addresses,
or both.

To specify the VCN, you need the VCN OCID and the subnet IP ranges that you want to
allow.

Examples:

- Public IP addresses or CIDR blocks: 192.0.2.143 or 192.0.2.0/24
- VCN OCID: ocid1.vcn.oc1.iad.aaaaaaaaexampleuniqueID
  - Subnet IP addresses or CIDR blocks: 10.0.0.4, 10.0.0.0/16

To allow any IP address from a specific VCN, use 0.0.0.0/0.

2. Write the Policy

The IAM service provides a policy variable that lets you scope a policy statement with a
condition. The variable is:

request.networkSource.name

After you have created your network source, you can scope policies for Object Storage by
using this variable in a condition. For example, assume you create a network source named
"corpnet". You can restrict users of the group "CorporateUsers" to access your Object
Storage resources only when their requests originate from IP addresses you specified in
corpnet. To do this, write a policy like the following:

allow group CorporateUsers to manage object-family in tenancy where request.networkSource.name='corpnet'

This policy allows users in the CorporateUsers group to manage Object Storage resources
only when their requests originate from an allowed IP address specified in the network source
"corpnet". Requests made from outside the specified IP ranges are denied. For general
information about writing policies, see How Policies Work.

Currently, only the Object Storage service supports network sources. See Resource-Types for
the Object Storage resource types you can use in policies.
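The two steps above (define the allowed addresses, then reference the network source by name in a policy condition) can be made concrete with a small model of the evaluation. The following Python is an added illustration written for this page; it is not Oracle's implementation and not part of the OCI documentation. It assumes a constructed Request object (source IP, optional VCN OCID, and a flag for service-originated requests) and a simplified matching rule: public requests are checked against the public list, VCN requests against the ranges listed for that VCN, and requests from OCI services pass when the Allow OCI Services setting is on. Only the network-source condition is modeled; group membership, verb and resource type are assumed to already match the statement.

```python
"""Added illustration (not Oracle's implementation, not part of the OCI docs) of how a
network source's allowed addresses and a policy condition on
request.networkSource.name combine to scope access."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Request:
    """Origin of one API request. Constructed model, not an OCI API object."""
    source_ip: str
    vcn_ocid: Optional[str] = None   # set when the request reaches the service from a VCN
    from_oci_service: bool = False   # request made by an OCI service (e.g. on behalf of a bucket operation)


@dataclass
class NetworkSource:
    """Mirror of the fields the Console asks for: public addresses/CIDRs, per-VCN
    subnet ranges, and the Allow OCI Services check box."""
    name: str
    public_sources: List[str] = field(default_factory=list)
    virtual_sources: Dict[str, List[str]] = field(default_factory=dict)  # VCN OCID -> IP/CIDR list
    allow_oci_services: bool = True

    @staticmethod
    def _in_ranges(ip: str, ranges: List[str]) -> bool:
        addr = ipaddress.ip_address(ip)
        # A bare address such as 10.0.0.4 is treated as a single-host network;
        # 0.0.0.0/0 therefore matches any IPv4 address from that VCN.
        return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

    def matches(self, req: Request) -> bool:
        # The Allow OCI Services setting lets service-originated requests through even
        # when they come from outside the listed addresses.
        if req.from_oci_service and self.allow_oci_services:
            return True
        if req.vcn_ocid is not None:
            return self._in_ranges(req.source_ip, self.virtual_sources.get(req.vcn_ocid, []))
        return self._in_ranges(req.source_ip, self.public_sources)


# Extracts the network source name from a "where request.networkSource.name='...'" condition.
_CONDITION = re.compile(r"request\.networkSource\.name\s*=\s*'([^']+)'")


def required_network_source(policy: str) -> Optional[str]:
    m = _CONDITION.search(policy)
    return m.group(1) if m else None


def condition_holds(policy: str, req: Request, sources: List[NetworkSource]) -> bool:
    """True when the policy's network-source condition is satisfied for this request."""
    name = required_network_source(policy)
    if name is None:
        return True   # no network-source condition: the statement applies from anywhere
    source = next((s for s in sources if s.name == name), None)
    if source is None:
        return False  # a condition naming a nonexistent source can never be satisfied
    return source.matches(req)


# Constructed sample data; the OCID is the placeholder used in the documentation.
SAMPLE_VCN_OCID = "ocid1.vcn.oc1.iad.aaaaaaaaexampleuniqueID"
CORPNET = NetworkSource(
    name="corpnet",
    public_sources=["192.0.2.143", "192.0.2.0/24"],
    virtual_sources={SAMPLE_VCN_OCID: ["10.0.0.0/16"]},
    allow_oci_services=True,
)
POLICY = ("allow group CorporateUsers to manage object-family in tenancy "
          "where request.networkSource.name='corpnet'")


if __name__ == "__main__":
    samples = [
        Request("192.0.2.10"),                          # inside the corporate range
        Request("198.51.100.7"),                        # unrelated public address
        Request("10.0.5.9", vcn_ocid=SAMPLE_VCN_OCID),  # allowed subnet of the VCN
        Request("10.1.0.1", vcn_ocid=SAMPLE_VCN_OCID),  # VCN address outside 10.0.0.0/16
        Request("203.0.113.5", from_oci_service=True),  # service request, passed by the check box
    ]
    for req in samples:
        print(req, "->", "allow" if condition_holds(POLICY, req, [CORPNET]) else "deny")
```

Two points the model makes visible: a condition that names a network source which does not exist can never be satisfied, so a typo in the name silently denies everything the statement was meant to allow; and with Allow OCI Services selected, service-originated requests are accepted regardless of their address, which is usually what you want for bucket operations but is worth knowing when you audit who can reach a bucket.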

Using the Console to Manage Network Sources

Warning: Avoid entering confidential information when assigning descriptions, tags, or friendly
names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

To create a network source

1. Open the navigation menu. Under Governance and Administration, go to Identity and click
   Network Sources. A list of the network sources in your tenancy is displayed.
2. Click Create Network Source.
3. Enter the following:
   - Name: A unique name for the network source. The name must be unique in your tenancy.
     You cannot change this later.
   - Description: A friendly description. You can change this later if you want to.
   - Allow OCI Services: This check box is selected by default to allow Oracle Cloud
     Infrastructure services access, even if the request comes from outside the specified IP
     addresses. Typically, you want this option enabled, for example, to allow a service to
     interact with objects in a bucket.
   - Network Type: Select one of the following:
     - Public Network: Enter a specific IP address or CIDR block range. For example:
       192.0.2.143. Click Another IP Address/CIDR Block to add another allowed address or
       range.
     - Virtual Cloud Network: Enter the following for this option:
       - VCN OCID: Enter the OCID of the VCN you want to allow. For example:
         ocid1.vcn.oc1.iad.aaaaaaaaexampleuniqueID
       - IP Address/CIDR Block: Enter an IP address from the VCN or a subnet CIDR block.
         For example: 10.0.0.0/16 or 10.0.0.4. If you want to allow all subnets from the
         specified VCN, enter 0.0.0.0/0. Click Another IP Address/CIDR Block to add another
         allowed address or range from the same VCN.
4. To add more IP ranges to this network source, click Add Source.
5. Show Advanced Options: If you have permissions to create a resource, you also have
   permissions to apply free-form tags to that resource. To apply a defined tag, you must have
   permissions to use the tag namespace. For more information about tagging, see Resource
   Tags. If you are not sure if you should apply tags, skip this option (you can apply tags
   later) or ask your administrator.
6. Click Create.

To update a network source

1. Open the navigation menu. Under Governance and Administration, go to Identity and click
   Network Sources. A list of the network sources in your tenancy is displayed.
2. Locate the network source in the list and click its name to view its details.
3. Edit the network source:
   - To add more allowed IP addresses to this network source, click Add Sources. In the Add
     Sources dialog, click Add Source again, and enter the details for each IP address or CIDR
     block you want to add to this network source.
   - To remove an allowed source, click the Actions icon (three dots) and click Delete.
   - To change the setting of Allow OCI Services, click Add Sources. Update the check box
     setting and click Update.

To delete a network source

1. Open the navigation menu. Under Governance and Administration, go to Identity and click
   Network Sources. The list of network sources in your tenancy is displayed.
2. Locate the network source in the list and click the Actions icon (three dots) for the item.
3. Click Delete.
4. Confirm when prompted.
