Blogs

Firewall for Outgoing Layer7 Web Traffic on OCI

The default firewall features in Oracle Cloud Infrastructure (OCI) are provided using Security Lists(SL) and Network Security Groups(NSG). These work on the Layer3 level that is they filter traffic based on the to/from the IP Address of the host. But in most cases, Customers want to block all outgoing internet traffic and open traffic only to specific URLs like yum repos, and public cloud-based application URLs for REST API integrations. Fulfilling this requirement using SL & NSG is very difficult, as IP addresses of Cloud-hosted applications sometimes keep changing because of CDN usage. A better way to meet this requirement is to use a firewall that provides layer 7 filtering like Fortigate, Palo Alto, etc. Oracle has its offering in this area called OCI Network Firewall Service. OCI NFW costs about $2500 a month. Fortigate and Palo Alto are not very cheap either. Their price ranges from $500 to $1500 a month. This made me look for other open-source/commercial solutions that are much cheaper to deploy and use. The below architecture describes a solution that provides layer 7 filtering while being light on your wallet.

This solution uses Zenarmor, a Secure web gateway product from Sunny Valley Cyber Security Inc. running on a Ubuntu VM. This setup only costs about $50 a month. Here is what the architecture looks like

 

To deploy this architecture, here are the high-level steps

1. Create a public subnet that the firewall VM uses to send traffic out to the Internet
2. Create a private subnet that firewall receives that traffic from Internal IPs that is destined to the internet
3. Deploy an Ubuntu 22.04 LTS VM on a public (OUT) subnet which will be used as a Firewall
4. Attach a VNIC from a private (IN) subnet to the Ubuntu Firewall VM
5. Configure the Ubuntu VM firewall to route traffic from Private NIC to Public NIC
6. Update routing table of private subnets & pubic subnets to make traffic go via Firewall VM private nic IP
7. Deploy and Activate Zenarmor Agent on Ubuntu Firewall VM
8. Enable URL filtering using policies on the Zenarmor dashboard

 

Create Subnets

Create required subnets as follows. App & DB Subnet will be private to host the respective VMs. IN and OUT subnets will be used by the firewall VM. IN subnet will be private and used to receive inbound traffic from other private subnets (App & DB) that is to be passed to the internet

Subnet Name	CIDR Block	Type	Description
App	10.0.0.0/28	Private	Subnet to host App VM
DB	10.0.0.16/28	Private	Subnet to host Database
In	10.0.0.96/28	Private	FW Incoming Subnet
Out	10.0.0.112/28	Public	FW Outbound Subnet

 

Create Firewall VirtualMachine

Deploy a VM with Ubuntu’s latest 22.04 LTS image on VM.Standard.E4.Flex shape. You can use a burstable instance to save on cost as well. Make sure to assign the nic in the public subnet (OUTPUT subnet) as the primary nic and assign a second nic later from the private subnet (IN subnet).

 

Configure second NIC and Ubuntu firewall

Configure primary nic that is in the OUT subnet to use DHCP, and the second nic to use fixed IP.

$ cat /etc/netplan/50-cloud-init.yaml
 network:
    version: 2
    ethernets:
        ens3:
            dhcp4: true
            match:
                macaddress: 02:00:17:01:38:e4
            set-name: ens3
        ens5:
            match:
                macaddress: 02:00:17:00:c7:55
            addresses:
              - 10.0.0.100/28
            set-name: ens5

Once you have the NICs configured in the VM, configure the Ubuntu built-in firewall to route traffic from private nic (IN) to public nic (OUT). This guide hosted on GitHub helped me configure it – https://gist.github.com/kimus/9315140

 

Install Zenarmor

Run the one-liner to install the package

$ curl https://updates.sunnyvalley.io/getzenarmor | sudo sh

Register an account in the Zenconsole Cloud Portal. Connect and start managing through Zenconsole

# zenarmorctl cloud register

After the Zenarmor agent is installed, go to the Zenarmor dashboard and configure the firewall to be in L3 routed mode, tag ens3 as wan interface, and tag ens5 as an interface as shown below

 

Configure the route tables

Create Two route tables. One for the outbound subnet that routes all traffic to the internet gateway. Assign this route table to the OUT subnet

 

The second route table is assigned to the inbound subnet that routes all traffic to the private IP of the Firewall NIC

Make sure to assign the inbound route table to all private subnets ( IN, APP, DB subnets)

 

Configure Zenarmor Policy

Configure the policy attached to the registered VM and set what URLs to block and what URLs to allow

 

Test

The above policy blocks any connections to r12dba.com and allows connections to eclipsys.ca. Let’s test it from a app VM that is deployed on APP subnet

As you can see, the connection to r12dba.com got dropped and we can get a response from eclipsys.ca.

 

Conclusion

We don’t need fancy firewalls that cost an arm and a leg to achieve this Layer7 filtering. We can do this easily and cost-effectively with a Ubuntu VM along with a Zenarmor subscription. We can take this solution to the next level using 2 VMs for high availability as well as deploy in a hub-spoke model. Any questions about this solution, reach out to me via Linkedin

More from this Author