OCI Oracle cloud infrastructure – Setting up a NAT Instances for Public Internet Access from a Private Subnet

Goal of this Blog : Some of the BEST Practices of Enterprise Architecture is to keep the database within Private Subnet with no Public IP address and to keep WebServers with in Public Subnet which can have public IP address. The Idea here is Only the front end webservers will be able to communicate with the backend servers, And Backend servers cannot be directly accessed by Outside world. On the contrary the Backend servers will still be able to send traffic to external apps , example be it sending notifications to external applications or just upgrading the system / database

the blog helps you do exactly that on OCI ( Oracle cloud infrastructure ) 

NAT Instances

You can use a Network Address Translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other Oracle / AWS / Google / MS etc . Cloud services, but prevent the instances from receiving inbound traffic initiated by someone on the Internet.

CIDR Blocks

Classless inter-domain routing (CIDR) is a set of Internet protocol (IP) standards that is used to create unique identifiers for networks and individual devices. The IP addresses allow particular information packets to be sent to specific computers. Shortly after the introduction of CIDR, technicians found it difficult to track and label IP addresses, so a notation system was developed to make the process more efficient and standardized. That system is known as CIDR notation.

Architecture

Create VCN and Internet Gateway – Select the default compartment

Most Important select “Create Virtual Cloud Network Only” and CIDR block value will be 10.0.0.0/16

Create Public and Private Route tables

Let the Private Route table have no rules 

and Public Route table be mapped to 0.0.0.0/0 and NAT_public_internet_gateway

Create Private and Public Security Rules

Let us remove all rules inside and create a clean list

Create Private and Public Subnet

Private subnet maps to CIDR Block 10.0.0.0/24 , Private Route Table, Private Security List 

Public subnet maps to CIDR Block 10.0.10.0/24 , Public Route Table, Public Security List 

Edit Public Security List

Ingres traffic is network traffic that originates from outside of the network’s routers and proceeds toward a destination inside of the network. For example, an email message that is considered ingress traffic will originate somewhere outside of a enterprise’s , SSH , Ping is other examples

Egress traffic is network traffic that begins inside of a network and proceeds through its routers to a destination somewhere outside of the network. For example, an email ( Out going mails ) message that is considered egress traffic will travel from a user’s workstation and pass through the enterprise’s LAN routers before it is delivered to the Internet to travel to its final destination.

Ingres Rules for Public Subnet

Allow SSH from anywhere 0.0.0.0/0

Allow Ping ICMP from hosts in the Private Subnet 10.0.0.0/24

Allow TCP from hosts in the Private Subnet 10.0.0.0/24

Egress Rules

Allow outgoing All Protocols to go out Everywhere 0.0.0.0/0

Edit Private Security List

Ingress : Allow SSH from 10.0.10.24

Egress : Allow Outgoing all protocols to everywhere 0.0.0.0/0

Create Backend Server , Attach it to Private Subnet

Create NAT Instance , Attach it to Public Subnet

Create Back end Instance , Attach it to Private Subnet

Note : There is NO Public IP since we are attaching to Private Subnet

SSH to Public IP of NAT Instance

Copy Private Key to the NAT Machine using scp command

 
madhurao@MADHURAO-IN MINGW64 /D/BM
$ ls
bm_ssh_key  bm_ssh_key.pub

madhurao@MADHURAO-IN MINGW64 /D/BM
$ ssh -i bm_ssh_key opc@129.213.55.151
The authenticity of host '129.213.55.151 (129.213.55.151)' can't be established.
ECDSA key fingerprint is SHA256:xCkWvKoQm3mnX3DN2Xv/w/qxa56l9dEw8O2giSr4DDU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '129.213.55.151' (ECDSA) to the list of known hosts.
[opc@nat-public ~]$ pwd
/home/opc
[opc@nat-public ~]$ exit
logout
Connection to 129.213.55.151 closed.
madhurao@MADHURAO-IN MINGW64 /D/BM $ scp -i bm_ssh_key bm_ssh_key opc@129.213.55.151:/home/opc/bm_ssh_key bm_ssh_key
100% 1679 6.8KB/s 00:00 madhurao@MADHURAO-IN MINGW64 /D/BM $ ssh -i bm_ssh_key opc@129.213.55.151 Last login: Tue May 29 11:44:29 2018 from 125.23.164.98 [opc@nat-public ~]$ cd /home/opc/ [opc@nat-public ~]$ ls bm_ssh_key [opc@nat-public ~]$

VNIC Configurations

Under Public NAT Instance , select attached VNICs , NAT_Public

 

Check Skip Source and Destination Check 

Add one more Private IP Address 10.0.10.20  and Select NO Public IP

Network Configuration

madhurao@MADHURAO-IN MINGW64 /D/BM
$ ssh -i bm_ssh_key opc@129.213.55.151
Last login: Tue May 29 11:48:02 2018 from 125.23.164.98
[opc@nat-public ~]$ sudo su
[root@nat-public opc]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@nat-public opc]# sysctl -p
[root@nat-public opc]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP qlen 1000
    link/ether 02:00:17:02:72:08 brd ff:ff:ff:ff:ff:ff
    inet 10.0.10.3/24 brd 10.0.10.255 scope global dynamic ens3
       valid_lft 84373sec preferred_lft 84373sec
[root@nat-public opc]# ip addr add 10.0.10.20/24 dev ens3
[root@nat-public opc]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP qlen 1000
    link/ether 02:00:17:02:72:08 brd ff:ff:ff:ff:ff:ff
    inet 10.0.10.3/24 brd 10.0.10.255 scope global dynamic ens3
       valid_lft 84275sec preferred_lft 84275sec
    inet 10.0.10.20/24 scope global secondary ens3
       valid_lft forever preferred_lft forever
[root@nat-public opc]# 
iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE [root@nat-public opc]#
iptables -I FORWARD 1 -i ens3 -o ens -j ACCEPT [root@nat-public opc]#

Setting up NAT Address to all incoming traffic to NAT

SSH to Private Backend Image from NAT Public Image

Grab the Private IP address of Backend Server Image which in our case is 10.0.0.3, SSH to NAT machine and from there SSH to Backend Server

madhurao@MADHURAO-IN MINGW64 /D/BM
$ ssh -i bm_ssh_key opc@129.213.55.151
Last login: Tue May 29 12:04:09 2018 from 125.23.164.98
[opc@nat-public ~]$ sudo su
[root@nat-public opc]# ssh -i bm_ssh_key opc@10.0.0.3
The authenticity of host '10.0.0.3 (10.0.0.3)' can't be established.
ECDSA key fingerprint is SHA256:GL0YnHAHWTwsExEO37Oi8S3cd63zWxqELike0EcMPd8.
ECDSA key fingerprint is MD5:31:f6:f3:d2:e8:c5:e2:f3:21:ef:4e:d7:e6:e0:ac:72.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.3' (ECDSA) to the list of known hosts.
[opc@backendserver-private ~]$

Pinging Outside World / Public Websites from the Backend Server

[opc@backendserver-private ~]$
[opc@backendserver-private ~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=1.38 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=59 time=1.55 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=59 time=1.35 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.358/1.431/1.556/0.098 ms
[opc@backendserver-private ~]$ ping oracle.com
PING oracle.com (137.254.120.50) 56(84) bytes of data.
64 bytes from vp-ocoma-cms-adc.oracle.com (137.254.120.50): icmp_seq=1 ttl=244 time=106 ms
64 bytes from vp-ocoma-cms-adc.oracle.com (137.254.120.50): icmp_seq=2 ttl=244 time=106 ms
64 bytes from vp-ocoma-cms-adc.oracle.com (137.254.120.50): icmp_seq=3 ttl=244 time=106 ms
^C
--- oracle.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 106.206/106.245/106.281/0.267 ms
[opc@backendserver-private ~]$ sudo yum update
[opc@backendserver-private ~]$ ping www.google.com
PING www.google.com (74.125.136.103) 56(84) bytes of data.
64 bytes from 74.125.136.103 (74.125.136.103): icmp_seq=1 ttl=47 time=14.0 ms
64 bytes from 74.125.136.103 (74.125.136.103): icmp_seq=2 ttl=47 time=14.0 ms
64 bytes from 74.125.136.103 (74.125.136.103): icmp_seq=3 ttl=47 time=14.2 ms
64 bytes from 74.125.136.103 (74.125.136.103): icmp_seq=4 ttl=47 time=14.0 ms
^C
--- www.google.com ping statistics ---