File Server Patterns for Allowlisting

By default, File Server provides a high level of security by authenticating all access using either user logins or a public key. You can supplement this security by configuring an allowlist for File Server.

When you use the File Server allowlist, the following patterns are available for access requests that go to File Server.

Pattern Description

1. Requests from outslide Oracle Cloud

This pattern is the only option for access requests that originate outside Oracle Cloud.

2. Oracle Cloud requests through the Service Gateway

By default, access requests that originate within the Oracle Cloud go through the Service Gateway.

Your organization must add the CIDR block for the Service Gateway to the File Server allowlist.

3. Oracle Cloud requests through a NAT Gateway

If your organization doesn't want to add the CIDR block for the Service Gateway to the File Server allowlist, you can bring your own load balancer, create a NAT gateway, and add the NAT gateway's IP address to the allowlist instead.

Note:

The File Server allowlist is separate from the Oracle Integration allowlist. See Create an Allowlist for Public IP Addresses.

Pattern 1. Requests from Outside Oracle Cloud

All File Server access requests that come from outside Oracle Cloud must be from IP addresses that are identified on the File Server allowlist.

To configure this pattern, update the self-service File Server allowlist so that it contains the IP address of all clients that much access File Server. See Create an Allowlist for Public IP Addresses.

Pattern 2. Oracle Cloud Requests Through the Service Gateway

By default, all File Server access requests that come from Oracle Cloud are routed through the service gateway. Therefore, the File Server allowlist must grant access to the service gateway's CIDR block.

To configure this pattern, update the self-service File Server allowlist so that it contains the CIDR block for the service gateway: 240.0.0.0/4. See Create an Allowlist for Public IP Addresses.

Pattern 3. Oracle Cloud Requests Through a NAT Gateway

Some organizations don't want to add the CIDR block for the service gateway to the File Server allowlist. In such cases, you can bring your own load balancer and route access requests for File Server through a NAT gateway.

Then, instead of adding the CIDR block for the service gateway to the File Server allowlist, you add the IP address for the NAT gateway. The File Server allowlist verifies that the request is from the NAT gateway's IP address.

A diagram shows the flow of access requests.

Note:

  • The diagram shows traffic originating from an Oracle Fusion Cloud Applications tenancy, but traffic could also originate from another source. For example, a private subnet.

  • The File Server allowlist includes the IP address for the NAT gateway on the VCN.

How Requests Are Routed

Requests go through a load balancer and NAT gateway and then on to File Server.

  1. The access request goes through a NAT gateway from the client, which could be a Oracle Fusion Cloud Applications tenancy or a private subnet.

    This diagram shows the NAT gateway routing the request through SFTP port 22 to an internet gateway, but you can use an alternate port.

  2. The internet gateway routes the access request to a load balancer that you set up in your virtual cloud network (VCN). The load balancer contains an SFTP TCP listener.

  3. The load balancer sends the request through a NAT gateway on the VCN.

  4. The NAT gateway routes the request through SFTP port 10223 to the allowlist for File Server.

  5. If the allowlist includes the IP address for the NAT gateway that is on the VCN, the allowlist grants access.

Configure This Pattern

To route requests through a NAT gateway, complete the following tasks.

Task More information

1. Configure a VCN

If your organization doesn't have a virtual cloud network (VCN), configure one. See Creating a VCN in Oracle Cloud Infrastructure Documentation.

2. Configure a NAT gateway

If the VCN doesn't already have a NAT gateway, configure one. See Configure NAT gateway for private compute instances.

3. Configure a subnet

Create a public subnet in the VCN. See Creating a Subnet in Oracle Cloud Infrastructure Documentation.

4. Configure the route rules for the VCN

Configure rules that perform the following tasks:

  1. For traffic that is going to File Server, route the traffic through the NAT gateway by specifying the IP address for File Server.

    Find the IP address for File Server on the Settings page in File Server. See Configure File Server Settings in Using File Server in Oracle Integration 3.

  2. Route traffic that comes from the client through an internet gateway.

See VCN Route Tables in Oracle Cloud Infrastructure Documentation.

5. Set up a load balancer

Create a load balancer, and perform the following configuration steps:

  1. Within the load balancer, create an SFTP TCP listener that listens for the port of your choice, such as port 22.

    See Creating a Load Balancer Listener in the Oracle Cloud Infrastructure Documentation.

  2. Add the IP address and port number for File Server to the load balancer.

    Find the IP address for File Server on the Settings page in File Server. See Configure File Server Settings in Using File Server in Oracle Integration 3.

6. Create a security list for the subnet

For the public subnet, add an ingress rule that allows inbound traffic from the client through the port of your choice, such as port 22.

7. Update your allowlist

Update the allowlist for File Server by adding the IP address for the NAT gateway on the VCN. See Create an Allowlist for Public IP Addresses.