Firewall for Outgoing Layer7 Web Traffic on OCI

Share on:


The default firewall features in Oracle Cloud Infrastructure (OCI) are provided using Security Lists(SL) and Network Security Groups(NSG). These work on the Layer3 level that is they filter traffic based on the to/from the IP Address of the host. But in most cases, Customers want to block all outgoing internet traffic and open traffic only to specific URLs like yum repos, and public cloud-based application URLs for REST API integrations. Fulfilling this requirement using SL & NSG is very difficult, as IP addresses of Cloud-hosted applications sometimes keep changing because of CDN usage. A better way to meet this requirement is to use a firewall that provides layer 7 filtering like Fortigate, Palo Alto, etc. Oracle has its offering in this area called OCI Network Firewall Service. OCI NFW costs about $2500 a month. Fortigate and Palo Alto are not very cheap either. Their price ranges from $500 to $1500 a month. This made me look for other open-source/commercial solutions that are much cheaper to deploy and use. The below architecture describes a solution that provides layer 7 filtering while being light on your wallet.

This solution uses Zenarmor, a Secure web gateway product from Sunny Valley Cyber Security Inc. running on a Ubuntu VM. This setup only costs about $50 a month. Here is what the architecture looks like



To deploy this architecture, here are the high-level steps

  1. Create a public subnet that the firewall VM uses to send traffic out to the Internet
  2. Create a private subnet that firewall receives that traffic from Internal IPs that is destined to the internet
  3. Deploy an Ubuntu 22.04 LTS VM on a public (OUT) subnet which will be used as a Firewall
  4. Attach a VNIC from a private (IN) subnet to the Ubuntu Firewall VM
  5. Configure the Ubuntu VM firewall to route traffic from Private NIC to Public NIC
  6. Update routing table of private subnets & pubic subnets to make traffic go via Firewall VM private nic IP
  7. Deploy and Activate Zenarmor Agent on Ubuntu Firewall VM
  8. Enable URL filtering using policies on the Zenarmor dashboard


Create Subnets

Create required subnets as follows. App & DB Subnet will be private to host the respective VMs. IN and OUT subnets will be used by the firewall VM. IN subnet will be private and used to receive inbound traffic from other private subnets (App & DB) that is to be passed to the internet

Subnet Name CIDR Block Type Description
App Private Subnet to host App VM
DB Private Subnet to host Database
In Private FW Incoming Subnet
Out Public FW Outbound Subnet


Create Firewall VirtualMachine

Deploy a VM with Ubuntu’s latest 22.04 LTS image on VM.Standard.E4.Flex shape. You can use a burstable instance to save on cost as well. Make sure to assign the nic in the public subnet (OUTPUT subnet) as the primary nic and assign a second nic later from the private subnet (IN subnet).



Configure second NIC and Ubuntu firewall

Configure primary nic that is in the OUT subnet to use DHCP, and the second nic to use fixed IP.

$ cat /etc/netplan/50-cloud-init.yaml
    version: 2
            dhcp4: true
                macaddress: 02:00:17:01:38:e4
            set-name: ens3
                macaddress: 02:00:17:00:c7:55
            set-name: ens5

Once you have the NICs configured in the VM, configure the Ubuntu built-in firewall to route traffic from private nic (IN) to public nic (OUT). This guide hosted on GitHub helped me configure it –


Install Zenarmor

Run the one-liner to install the package

$ curl | sudo sh

Register an account in the Zenconsole Cloud Portal. Connect and start managing through Zenconsole

# zenarmorctl cloud register

After the Zenarmor agent is installed, go to the Zenarmor dashboard and configure the firewall to be in L3 routed mode, tag ens3 as wan interface, and tag ens5 as an interface as shown below



Configure the route tables

Create Two route tables. One for the outbound subnet that routes all traffic to the internet gateway. Assign this route table to the OUT subnet



The second route table is assigned to the inbound subnet that routes all traffic to the private IP of the Firewall NIC


Make sure to assign the inbound route table to all private subnets ( IN, APP, DB subnets)


Configure Zenarmor Policy

Configure the policy attached to the registered VM and set what URLs to block and what URLs to allow




The above policy blocks any connections to and allows connections to Let’s test it from a app VM that is deployed on APP subnet


As you can see, the connection to got dropped and we can get a response from



We don’t need fancy firewalls that cost an arm and a leg to achieve this Layer7 filtering. We can do this easily and cost-effectively with a Ubuntu VM along with a Zenarmor subscription. We can take this solution to the next level using 2 VMs for high availability as well as deploy in a hub-spoke model. Any questions about this solution, reach out to me via Linkedin

Share on:

More from this Author

OCI and Azure – Best of Both Worlds!

OCI and Azure – Best of Both Worlds!

Many in Oracle and Microsoft domains, might have noticed the recent announcement about Oracle DB service availability for Azure. Even before this ... Read More

Oracle E-Business Suite Upgrade Options

Oracle E-Business Suite Upgrade Options

Many Oracle E-Business Suite (EBS) customers are still at crossroads in their strategic direction for their ERP (Enterprise Resource Planning) ... Read More

Back to Top