
Sometimes the initial setup of E-Business Suite on OCI places both the Cloud Manager web interface and the E-Business Suite environments behind load balancers in a public subnet. Hopefully such setups are always at least secured through IP whitelisting and HTTPS-only access. Still, it may be necessary to improve security later on by migrating those load balancers to private subnets.
Here are the steps we recently performed in a customer project:
Preparation of Cloud Manager
For the Cloud Manager web access, the following initial steps are required:
- create a new private subnet in the Virtual Cloud Network
- add proper routing rules and security lists to the subnet
- modify the Cloud Manager subnet security list
- Modify the Linux firewall of Cloud Manager:
    sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=172.31.15.0/24 port port=8081 protocol=tcp accept' --permanent
- Create a new load balancer in the private subnet and add the backend
The actual "cutover" step then depends on whether you can keep the same hostname as before:
- If you can use an unchanged hostname: change the DNS entry to point to the private IP address
- If you have to modify the hostname: re-wire Cloud Manager and IDCS; see the section "Update the Oracle E-Business Suite Cloud Manager Load Balancer Fully Qualified Domain Name (FQDN)" in the Oracle documentation of Cloud Manager: https://docs.oracle.com/cd/E18727_01/doc.121/f35809/T679330T679341.htm#cmg_manage_cmlbfqdn
The final step is to retire the old load balancer for the Cloud Manager.
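A post-cutover check, added here as an example (it is not part of the original procedure or of Oracle's tooling): it verifies that the firewall rich rule covers the load balancer subnet and that the DNS answers for the load balancer hostname fall inside that subnet. It assumes 172.31.15.0/24 is the new private load balancer subnet and treats only RFC 1918 ranges as private; the function names and sample addresses are constructed.

```python
import ipaddress
import re
import socket

# Constructed inputs: the rich rule is the one from the firewall step; treating its
# source CIDR as the new private load balancer subnet is an assumption.
RICH_RULE = ("rule family=ipv4 source address=172.31.15.0/24 "
             "port port=8081 protocol=tcp accept")
LB_SUBNET = "172.31.15.0/24"
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_rich_rule(rule):
    """Return (source network, TCP port) of an accept rule; quotes are optional
    because `firewall-cmd --list-rich-rules` prints the values quoted."""
    m = re.search(r'source address="?([0-9./]+)"? port port="?(\d+)"? '
                  r'protocol="?tcp"? accept', rule)
    if not m:
        raise ValueError("not a source/port accept rule: %r" % rule)
    return ipaddress.ip_network(m.group(1)), int(m.group(2))

def resolve(hostname):
    """IPv4 addresses the local resolver returns for the load balancer name."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_cutover(rule, lb_subnet, dns_answers, backend_port=8081):
    """Return findings; an empty list means firewall rule and DNS agree with
    a load balancer that lives only in the private subnet."""
    findings = []
    subnet = ipaddress.ip_network(lb_subnet)
    source, port = parse_rich_rule(rule)
    if port != backend_port:
        findings.append("rule opens port %d, backend listens on %d" % (port, backend_port))
    if not subnet.subnet_of(source):
        findings.append("rule source %s does not cover LB subnet %s" % (source, subnet))
    if not any(source.subnet_of(net) for net in RFC1918):
        findings.append("rule source %s is wider than private address space" % source)
    if not dns_answers:
        findings.append("hostname does not resolve")
    for answer in dns_answers:
        ip = ipaddress.ip_address(answer)
        if not any(ip in net for net in RFC1918):
            findings.append("DNS still returns public address %s" % ip)
        elif ip not in subnet:
            findings.append("DNS returns %s, outside LB subnet %s" % (ip, subnet))
    return findings

if __name__ == "__main__":
    # Constructed answers: one in the private subnet, one leftover public record.
    for finding in check_cutover(RICH_RULE, LB_SUBNET, ["172.31.15.10", "203.0.113.7"]):
        print("FINDING:", finding)
```

Pass the output of `resolve()` for your load balancer FQDN to `check_cutover`, running it from a client that uses the same DNS resolver as your users.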
Preparation for E-Business Suite environment
The initial steps for E-Business Suite are the same as for the Cloud Manager load balancer. For me it was not necessary to modify the Linux firewall; this may depend on the OS of the E-Business Suite Apps Tier though.
In addition to the basic setup, after the access through the new load balancer works, the following steps must be performed:
- un-register the environment from Cloud Manager
- create a new network profile with the private net
- re-register the environment with Cloud Manager
[Figure: New network profile with private subnet]
Summary
Even though the overall procedure to migrate E-Business Suite Cloud Manager environments from a public to a private load balancer subnet is straightforward, the exact steps are unfortunately not officially documented. With the above guidance, though, the migration can be done as performed by PROMATIS in the projects, and I highly recommend doing this for security reasons in all production/important environments.