Prerequisites for onboarding OCI
Overview of OCI onboarding prerequisites
The following information is important for understanding how Illumio interacts with OCI.
For a list of ports and IP addresses required for flow log access, see OCI Flow Log Access IP Addresses.
OCI onboarding checklist
Access to Cloud
Access to the OCI Console
The user must have an IAM management policy in OCI Cloud. (The Illumio Segmentation for the Cloud onboarding script runs Terraform to create a group and a user for Illumio Segmentation for the Cloud, and to add permissions to the group.)
The OCI tenant ID and home region of the OCI root tenant
Oracle Cloud Stack
The Oracle Cloud Stack is a feature that allows you to automate the creation of multiple cloud resources as a single unit, called the stack. Oracle Cloud lets you use Terraform to create stacks and manage resources. Illumio Segmentation for the Cloud makes use of this Stack feature to create the resources that are required to interact with Oracle cloud.
Oracle IAM users
A user is an identity created in OCI's Identity and Access Management (IAM) service that represents a person or an application that interacts with OCI services. Users allow for the authentication and authorization of individuals or entities to access and manage OCI resources in accordance with assigned permissions. API keys are created for a user, which can be used for API/SDK access over the resources in the OCI tenant.
Illumio Segmentation for the Cloud creates a new user when the stack is created and adds an API key to that user. This API key is used to communicate with the OCI tenant, synchronize the resources, and read flows.
Oracle IAM groups
An Oracle IAM group is a collection of users. Groups allow you to efficiently manage access permissions for multiple users at once, rather than needing to manage permissions for each user individually. By assigning users to groups, you can apply policies to the group as a whole, granting or revoking privileges to all members of the group simultaneously.
Illumio Segmentation for the Cloud creates an IAM group, adds the user to the group, and writes IAM policies for the group.
Oracle IAM policies
OCI's IAM policies specify who has what type of access to your OCI resources. They play a crucial role in securing your OCI environment by granting precise permissions to users and groups, determining how they can interact with OCI resources. After creating the group, add the permissions listed in the Illumio-required policies section so the group can access the resources.
Illumio-required policies
Illumio Segmentation for the Cloud requires the following onboarding policies:
Allow group <groupname> to inspect all-resources in tenancy
Allow group <groupname> to read network-security-groups in tenancy
Allow group <groupname> to read security-lists in tenancy
Allow group <groupname> to read serviceconnectors in tenancy
Allow group <groupname> to read load-balancers in tenancy
Illumio Segmentation for the Cloud requires the following flow policy:
Allow group <groupname> to read objects in tenancy where all {target.bucket.name = '<bucket>', any{request.permission='OBJECT_INSPECT', request.permission='OBJECT_READ'}}
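As an added check that is not part of the Illumio onboarding script or of Oracle's tooling, the following Python compares the policy statements actually attached to the Illumio group against the required set above, reporting any required statement that is missing and any statement that grants more than required (a broader verb than the required set allows for that resource type, or the objects grant without its bucket condition). The group name, bucket name and the sample tenant statements are constructed for the example, and the statement grammar it parses is assumed to be limited to the forms used on this page.

```python
import re

# OCI policy verbs, least to most privilege: inspect < read < use < manage.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Statement grammar this check understands (assumption: the subset of OCI syntax used on this page).
STMT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE)

def parse(stmt):
    """Split one OCI policy statement into group, verb, resource type, scope and condition."""
    m = STMT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unparsable policy statement: {stmt!r}")
    p = m.groupdict()
    p["verb"], p["resource"], p["scope"] = p["verb"].lower(), p["resource"].lower(), p["scope"].lower()
    p["cond"] = re.sub(r"\s+", "", p["cond"]) if p["cond"] else ""  # compare conditions ignoring spaces
    return p

def audit(group, actual, required):
    """Return required statements missing for `group` and actual statements that grant more than required."""
    req = [parse(s) for s in required]
    act = [(s, parse(s)) for s in actual if parse(s)["group"] == group]
    key = lambda p: (p["verb"], p["resource"], p["scope"], p["cond"])
    have = {key(p) for _, p in act}
    missing = [s for s, p in zip(required, req) if key(p) not in have]
    # Per resource type, the highest verb the required set grants; all-resources is the fallback ceiling.
    ceiling, needs_cond = {}, {}
    for p in req:
        ceiling[p["resource"]] = max(ceiling.get(p["resource"], -1), VERB_RANK[p["verb"]])
        needs_cond[p["resource"]] = needs_cond.get(p["resource"], True) and bool(p["cond"])
    excess = []
    for s, p in act:
        allowed = ceiling.get(p["resource"], ceiling.get("all-resources", -1))
        if VERB_RANK[p["verb"]] > allowed or (needs_cond.get(p["resource"]) and not p["cond"]):
            excess.append(s)
    return {"missing": missing, "excess": excess}

# Constructed sample: the page's required statements with a group and bucket name filled in.
GROUP, BUCKET = "illumio-group", "flow-logs"
REQUIRED = [f"Allow group {GROUP} to {v} {r} in tenancy" for v, r in [
    ("inspect", "all-resources"), ("read", "network-security-groups"), ("read", "security-lists"),
    ("read", "serviceconnectors"), ("read", "load-balancers")]] + [
    f"Allow group {GROUP} to read objects in tenancy where all {{target.bucket.name = '{BUCKET}', "
    "any{request.permission='OBJECT_INSPECT', request.permission='OBJECT_READ'}}"]
# Constructed sample of a tenant's actual statements: one required line missing, one over-broad, one unscoped.
ACTUAL = [s for s in REQUIRED if "security-lists" not in s and "objects" not in s] + [
    f"Allow group {GROUP} to manage all-resources in tenancy",   # broader than required
    f"Allow group {GROUP} to read objects in tenancy",            # missing the bucket condition
    "Allow group admins to manage all-resources in tenancy"]      # other group: not audited
```

Running `audit(GROUP, ACTUAL, REQUIRED)` on the constructed sample reports the security-lists and bucket-scoped objects statements as missing and the manage-all-resources and unconditioned objects statements as excess.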
Terraform-created resources
Terraform creates the following resources during onboarding:
A group named <username>-group
A policy document, adding it to the group
A user, adding it to the group
An API key with the public key appended to the script
During flow access enablement, Terraform creates a policy document allowing access to the destinations for the group created during onboarding.