Securely Accessing Fusion Applications

Control network access to Fusion Applications.

Users can access Fusion Applications from the internet as long as they have valid user credentials. To further control access to your environment, Fusion Applications supports the following options:

  • Access Control List (ACL): Allow access to your environment only from selected public IPs (CIDRs) or virtual cloud networks (VCNs) using an Access Control List (ACL).
  • Access privately from on-premises networks: Allow access to your environment from your on-premises network without going through the internet.
  • Location Based Access Control (LBAC): Allow users access to tasks and data based on their roles and computer IP addresses. This option is configured in the Fusion Applications Security Console by an administrator with the IT Security Manager role. For details, see Overview of Location-Based Access.

These options are not mutually exclusive and can be combined. For example, you can set up private access from an on-premises network and also allow access over the internet from selected IPs, or you can enable LBAC together with private access from on-premises.

Private Access from an On-Premises Network Overview

Fusion Applications lets you set up private connectivity from your on-premises network to Fusion Applications. At a high level, this configuration involves:

  • Creating and configuring the connection from your on-premises network to your VCN and Fusion Applications in OCI.

  • Updating the Fusion Applications environment network settings.

Prerequisites for Private Access from On-Premises

To set up private access from an on-premises network to Fusion Applications on OCI, you must have the following:

  • A tenancy in Oracle Cloud Infrastructure (OCI), where your Fusion Applications environment is provisioned.
  • A Virtual Cloud Network (VCN) in your OCI tenancy.
  • A connection from your on-premises network to your VCN. There are two ways to connect from your on-premises network to your VCN in OCI: Site-to-Site VPN or FastConnect.
    • Site-to-Site VPN: Provides a site-to-site IPSec connection between your on-premises network and your virtual cloud network (VCN). The IPSec protocol suite encrypts IP traffic before the packets leave the source and decrypts it when it arrives at the destination. The instructions in this topic guide you through setting up Site-to-Site VPN. For complete details, see Site-to-Site VPN.
    • FastConnect: Provides a way to create a dedicated, private connection between your data center and OCI. FastConnect provides higher-bandwidth options, and a more reliable and consistent networking experience compared to internet-based connections. When connecting via FastConnect, BGP is the only option to exchange routes. See the FastConnect blog and documentation for information on setting it up.
  • Service limits that allow you to provision the VCN and either Site-to-Site VPN (previously called IPSec VPN) or FastConnect in your tenancy.

You can verify your limits in the Console as follows:

Open the navigation menu and select Governance & Administration. Under Tenancy Management, select Limits, Quotas and Usage.

Select the following from the Service list to view the limit:

  • Limits for Site-to-Site VPN: select VPN, view the limit for IPSec Connection Count.
  • Limits for VCN: select Virtual Cloud Network.
  • Limits for FastConnect: select Fast Connect.

To request a service limits increase, see Requesting a Service Limit Increase.

Steps to Set Up Private Connectivity Using Site-to-Site VPN

The following steps describe how to set up private connectivity using Site-to-Site VPN. Refer to the OCI Networking service documentation, using the specific values noted below.

Create a VCN and establish a connection from your on-premises network to your VCN and Fusion Applications in OCI

  1. Create the virtual cloud network.

    To create the VCN, follow the instructions in the Networking service documentation: Creating a VCN. Ensure that the IPv4 CIDR block that you enter does not overlap with your on-premises network IP range.

  2. Connect the VCN to the on-premises network.

    In this step, you connect the VCN to your on-premises network using Site-to-Site VPN. To achieve the connection, you need to create and attach a Dynamic Routing Gateway (DRG) to the VCN and set up routing between the VCN and your on-premises network.

    1. Create a Dynamic Routing Gateway using the instructions in the topic Creating a DRG.
    2. Attach your VCN to the DRG using the instructions in the topic Attaching a VCN to a DRG.
  3. Follow the instructions in the topic Setting Up Site-to-Site VPN to set up your customer-premises equipment (CPE) and create the Site-to-Site VPN IPSec connection.

  4. Configure transit routing by following the instructions in the topic: Transit Routing Options for Private Access to Oracle Services. Use these instructions to configure your transit routing directly through service gateways. Or, if you have more advanced scenarios, see the details for routing through a private IP.
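To make the overlap requirement in step 1 and the VCN-to-DRG routing in step 2 concrete, the following Python is an added example; it is not part of the Oracle documentation and does not call any OCI API. It checks a proposed VCN CIDR against the on-premises ranges that will be reachable over the tunnel, rejects any collision (including on-premises ranges that overlap each other, which would make the static routes ambiguous), and otherwise lists the destination CIDRs whose VCN route-table rules must target the DRG. The CIDR values are constructed, and the `RoutingPlan` structure and `plan_private_access` name are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed on-premises ranges; replace with the ranges your CPE will advertise
# or that you configure as static routes on the IPSec connection.
ONPREM_CIDRS = ["10.10.0.0/16", "192.168.50.0/24"]


@dataclass
class RoutingPlan:
    vcn_cidr: str
    # (network, network) pairs that collide; any entry means the plan is unusable
    overlaps: list = field(default_factory=list)
    # VCN route-table rules: destination CIDR -> DRG, produced only when clean
    drg_route_rules: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.overlaps


def plan_private_access(vcn_cidr: str, onprem_cidrs) -> RoutingPlan:
    """Validate a proposed VCN CIDR against the on-premises ranges.

    strict=True makes ipaddress raise ValueError for a CIDR with host bits set
    (for example 10.0.0.1/16), which catches a typo before it reaches the Console.
    """
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    plan = RoutingPlan(vcn_cidr=str(vcn))
    nets = [ipaddress.ip_network(c, strict=True) for c in onprem_cidrs]

    # The VCN must not share any address with an on-premises range, otherwise
    # traffic for that range can be delivered locally instead of over the tunnel.
    for net in nets:
        if vcn.overlaps(net):
            plan.overlaps.append((str(vcn), str(net)))

    # On-premises ranges that overlap each other would yield ambiguous routes.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                plan.overlaps.append((str(a), str(b)))

    if plan.ok:
        plan.drg_route_rules = [
            {"destination": str(n), "target": "DRG"} for n in nets
        ]
    return plan


if __name__ == "__main__":
    for candidate in ("10.0.0.0/16", "10.10.128.0/20"):
        result = plan_private_access(candidate, ONPREM_CIDRS)
        status = "ok" if result.ok else f"overlaps {result.overlaps}"
        print(f"VCN {candidate}: {status}; routes {result.drg_route_rules}")
```

Run it before creating the VCN: a plan that is not `ok` means you need a different VCN CIDR, and the `drg_route_rules` list is the set of destinations to add to the VCN route table (target: the DRG) once the DRG is attached.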

Update the Fusion Applications environment network settings

In the final steps, update your Fusion Applications environment to allow private traffic from your VCN. To block access from the public internet, you must ensure that no other public IPs are added to the Fusion Applications environment access control list.

Additionally, Fusion Applications uses Content Delivery Network (CDN)-based caching to deliver content faster to users. You must disable content acceleration to prevent caching.

Create the access control rule to allow only your VCN:

  1. Navigate to the environment: On the Applications Home of the Console, click Fusion Applications. On the Overview page, find the environment family for the environment, and then select the environment name.
  2. On the environment details page, under Resources, select Networking.
  3. Select Create rule.
  4. For IP notation type, select Virtual Cloud Network, then in the next field select your VCN.
  5. Select Create rule.

Disable the internet cache (Content Acceleration):

  1. Still under Networking, select the Content acceleration tab.
  2. Select Edit.
  3. Set the Internet cache switch to disabled.
  4. Select Save changes.
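The two procedures above leave the environment reachable only over the private path when the access control list holds a rule for your VCN and nothing else, and the internet cache is off. The following Python is an added example, not part of the Oracle documentation, that models those checks over a snapshot of the Networking settings: any public IP (CIDR) rule is reported, a 0.0.0.0/0 rule is reported as internet-wide, a missing VCN rule is reported, and an enabled internet cache is reported. The `SNAPSHOT` dictionary, its field names and the OCID are constructed placeholders; in practice you would fill it in from what the Console shows for the environment.

```python
import ipaddress
from dataclasses import dataclass

# Constructed snapshot of the environment's Networking settings (placeholder OCID).
EXPECTED_VCN = "ocid1.vcn.oc1..EXAMPLE-onprem-vcn"
SNAPSHOT = {
    "access_rules": [
        {"notation": "Virtual Cloud Network", "value": "ocid1.vcn.oc1..EXAMPLE-onprem-vcn"},
        {"notation": "CIDR", "value": "198.51.100.0/24"},  # a leftover public IP rule
    ],
    "internet_cache_enabled": True,  # content acceleration not yet disabled
}


@dataclass
class Finding:
    severity: str  # "critical", "high" or "medium"
    message: str


def audit_network_settings(snapshot, expected_vcn):
    """Return the findings that keep this environment from being private-only."""
    findings = []
    rules = snapshot.get("access_rules", [])

    # Private traffic from on-premises arrives via the VCN, so its rule must exist.
    if not any(r["notation"] == "Virtual Cloud Network" and r["value"] == expected_vcn
               for r in rules):
        findings.append(Finding(
            "high", f"no access rule for VCN {expected_vcn}; private traffic will be rejected"))

    for r in rules:
        if r["notation"] == "CIDR":
            # ACL CIDR entries are public IPs by definition on this page, so each one
            # keeps the environment reachable from the internet.
            net = ipaddress.ip_network(r["value"], strict=False)
            if net.prefixlen == 0:
                findings.append(Finding("critical", f"rule {net} allows the entire internet"))
            else:
                findings.append(Finding(
                    "high",
                    f"public IP rule {net} ({net.num_addresses} addresses) keeps the "
                    f"environment reachable from the internet"))
        elif r["notation"] != "Virtual Cloud Network":
            findings.append(Finding("medium", f"unrecognised notation type {r['notation']!r}"))

    # Treat a missing flag as enabled, since that is the default being changed.
    if snapshot.get("internet_cache_enabled", True):
        findings.append(Finding(
            "medium", "content acceleration (internet cache) is still enabled; disable it"))
    return findings


def is_private_only(snapshot, expected_vcn) -> bool:
    """True when the ACL admits only the expected VCN and the internet cache is off."""
    return not audit_network_settings(snapshot, expected_vcn)


if __name__ == "__main__":
    for f in audit_network_settings(SNAPSHOT, EXPECTED_VCN):
        print(f"[{f.severity}] {f.message}")
    print("private-only:", is_private_only(SNAPSHOT, EXPECTED_VCN))
```

The check is ordered so that a missing VCN rule is reported before any public rules; fixing the list until `is_private_only` returns True corresponds to the state the two Console procedures are meant to leave behind.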

Location-Based Access Control (LBAC) with Private On-Premises Connectivity

LBAC is another feature that Fusion Applications provides to control user access to tasks and data based on their roles and computer IP addresses.

LBAC is configured in the Fusion Applications Security Console. To enable location-based access and make a role public, you must have the IT Security Manager role. You can make a role public only when location-based access is enabled. To enable location-based access, you must register the IP addresses of the computers from which users usually sign in to the application. For details, including how to enable and disable LBAC, see Overview of Location-Based Access.

To configure LBAC with private on-premises connectivity, you must also open a Support Request (SR) with Fusion Applications Customer Support.