Goal of this Blog : Some of the BEST Practices of Enterprise Architecture is to keep the database within Private Subnet with no Public IP address and to keep WebServers with in Public Subnet which can have public IP address. The Idea here is Only the front end webservers will be able to communicate with the backend servers, And Backend servers cannot be directly accessed by Outside world. On the contrary the Backend servers will still be able to send traffic to external apps , example be it sending notifications to external applications or just upgrading the system / database
the blog helps you do exactly that on OCI ( Oracle cloud infrastructure )
NAT Instances
You can use a Network Address Translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other Oracle / AWS / Google / MS etc . Cloud services, but prevent the instances from receiving inbound traffic initiated by someone on the Internet.
CIDR Blocks
Classless inter-domain routing (CIDR) is a set of Internet protocol (IP) standards that is used to create unique identifiers for networks and individual devices. The IP addresses allow particular information packets to be sent to specific computers. Shortly after the introduction of CIDR, technicians found it difficult to track and label IP addresses, so a notation system was developed to make the process more efficient and standardized. That system is known as CIDR notation.
Architecture
Create VCN and Internet Gateway – Select the default compartment
Most Important select “Create Virtual Cloud Network Only” and CIDR block value will be 10.0.0.0/16
Create Public and Private Route tables
Let the Private Route table have no rules
and Public Route table be mapped to 0.0.0.0/0 and NAT_public_internet_gateway
Create Private and Public Security Rules
Let us remove all rules inside and create a clean list
Create Private and Public Subnet
Private subnet maps to CIDR Block 10.0.0.0/24 , Private Route Table, Private Security List
Public subnet maps to CIDR Block 10.0.10.0/24 , Public Route Table, Public Security List
Edit Public Security List
Ingres traffic is network traffic that originates from outside of the network’s routers and proceeds toward a destination inside of the network. For example, an email message that is considered ingress traffic will originate somewhere outside of a enterprise’s , SSH , Ping is other examples
Egress traffic is network traffic that begins inside of a network and proceeds through its routers to a destination somewhere outside of the network. For example, an email ( Out going mails ) message that is considered egress traffic will travel from a user’s workstation and pass through the enterprise’s LAN routers before it is delivered to the Internet to travel to its final destination.
Ingres Rules for Public Subnet
Allow SSH from anywhere 0.0.0.0/0
Allow Ping ICMP from hosts in the Private Subnet 10.0.0.0/24
Allow TCP from hosts in the Private Subnet 10.0.0.0/24
Egress Rules
Allow outgoing All Protocols to go out Everywhere 0.0.0.0/0
Edit Private Security List
Ingress : Allow SSH from 10.0.10.24
Egress : Allow Outgoing all protocols to everywhere 0.0.0.0/0
Create Backend Server , Attach it to Private Subnet
Create NAT Instance , Attach it to Public Subnet
Create Back end Instance , Attach it to Private Subnet
Note : There is NO Public IP since we are attaching to Private Subnet
SSH to Public IP of NAT Instance
Copy Private Key to the NAT Machine using scp command
madhurao@MADHURAO-IN MINGW64 /D/BM $ ls bm_ssh_key bm_ssh_key.pub madhurao@MADHURAO-IN MINGW64 /D/BM $ ssh -i bm_ssh_key [email protected] The authenticity of host '129.213.55.151 (129.213.55.151)' can't be established. ECDSA key fingerprint is SHA256:xCkWvKoQm3mnX3DN2Xv/w/qxa56l9dEw8O2giSr4DDU. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '129.213.55.151' (ECDSA) to the list of known hosts. [opc@nat-public ~]$ pwd /home/opc [opc@nat-public ~]$ exit logout Connection to 129.213.55.151 closed.
madhurao@MADHURAO-IN MINGW64 /D/BM $ scp -i bm_ssh_key bm_ssh_key [email protected]:/home/opc/bm_ssh_key bm_ssh_key
100% 1679 6.8KB/s 00:00 madhurao@MADHURAO-IN MINGW64 /D/BM $ ssh -i bm_ssh_key [email protected] Last login: Tue May 29 11:44:29 2018 from 125.23.164.98 [opc@nat-public ~]$ cd /home/opc/ [opc@nat-public ~]$ ls bm_ssh_key [opc@nat-public ~]$
VNIC Configurations
Under Public NAT Instance , select attached VNICs , NAT_Public
Check Skip Source and Destination Check
Add one more Private IP Address 10.0.10.20 and Select NO Public IP
Network Configuration
madhurao@MADHURAO-IN MINGW64 /D/BM $ ssh -i bm_ssh_key [email protected] Last login: Tue May 29 11:48:02 2018 from 125.23.164.98 [opc@nat-public ~]$ sudo su [root@nat-public opc]# echo 1 > /proc/sys/net/ipv4/ip_forward [root@nat-public opc]# sysctl -p [root@nat-public opc]# ip addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP qlen 1000 link/ether 02:00:17:02:72:08 brd ff:ff:ff:ff:ff:ff inet 10.0.10.3/24 brd 10.0.10.255 scope global dynamic ens3 valid_lft 84373sec preferred_lft 84373sec [root@nat-public opc]# ip addr add 10.0.10.20/24 dev ens3 [root@nat-public opc]# ip addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP qlen 1000 link/ether 02:00:17:02:72:08 brd ff:ff:ff:ff:ff:ff inet 10.0.10.3/24 brd 10.0.10.255 scope global dynamic ens3 valid_lft 84275sec preferred_lft 84275sec inet 10.0.10.20/24 scope global secondary ens3 valid_lft forever preferred_lft forever [root@nat-public opc]#
iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE [root@nat-public opc]#
iptables -I FORWARD 1 -i ens3 -o ens -j ACCEPT [root@nat-public opc]#
Setting up NAT Address to all incoming traffic to NAT
SSH to Private Backend Image from NAT Public Image
Grab the Private IP address of Backend Server Image which in our case is 10.0.0.3, SSH to NAT machine and from there SSH to Backend Server
madhurao@MADHURAO-IN MINGW64 /D/BM $ ssh -i bm_ssh_key [email protected] Last login: Tue May 29 12:04:09 2018 from 125.23.164.98 [opc@nat-public ~]$ sudo su [root@nat-public opc]# ssh -i bm_ssh_key [email protected] The authenticity of host '10.0.0.3 (10.0.0.3)' can't be established. ECDSA key fingerprint is SHA256:GL0YnHAHWTwsExEO37Oi8S3cd63zWxqELike0EcMPd8. ECDSA key fingerprint is MD5:31:f6:f3:d2:e8:c5:e2:f3:21:ef:4e:d7:e6:e0:ac:72. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.0.0.3' (ECDSA) to the list of known hosts. [opc@backendserver-private ~]$
Pinging Outside World / Public Websites from the Backend Server
[opc@backendserver-private ~]$ [opc@backendserver-private ~]$ ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=1.38 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=59 time=1.55 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=59 time=1.35 ms ^C --- 8.8.8.8 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 1.358/1.431/1.556/0.098 ms [opc@backendserver-private ~]$ ping oracle.com PING oracle.com (137.254.120.50) 56(84) bytes of data. 64 bytes from vp-ocoma-cms-adc.oracle.com (137.254.120.50): icmp_seq=1 ttl=244 time=106 ms 64 bytes from vp-ocoma-cms-adc.oracle.com (137.254.120.50): icmp_seq=2 ttl=244 time=106 ms 64 bytes from vp-ocoma-cms-adc.oracle.com (137.254.120.50): icmp_seq=3 ttl=244 time=106 ms ^C --- oracle.com ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 106.206/106.245/106.281/0.267 ms [opc@backendserver-private ~]$ sudo yum update [opc@backendserver-private ~]$ ping www.google.com PING www.google.com (74.125.136.103) 56(84) bytes of data. 64 bytes from 74.125.136.103 (74.125.136.103): icmp_seq=1 ttl=47 time=14.0 ms 64 bytes from 74.125.136.103 (74.125.136.103): icmp_seq=2 ttl=47 time=14.0 ms 64 bytes from 74.125.136.103 (74.125.136.103): icmp_seq=3 ttl=47 time=14.2 ms 64 bytes from 74.125.136.103 (74.125.136.103): icmp_seq=4 ttl=47 time=14.0 ms ^C --- www.google.com ping statistics ---