Prepare Your OCI Account

This procedure automates the connection between Multicloud Defense and your OCI account; it also directs you to create a policy with the correct permissions. Without all of the permissions listed as part of the procedure, some features are unavailable.

Execute the following procedure to connect to an Oracle Cloud (OCI) account with Multicloud Defense's setup wizard:

Procedure


Step 1

Log into your OCI tenant.

Step 2

Navigate to Identity & Security > Groups.

Step 3

Click Create Group.

Step 4

Enter the following:

  • Name: Multicloud Defense-controller-group

  • Description: Multicloud Defense Group

Step 5

Click Create.

Step 6

Create a Network Firewall Policy in OCI. See the OCI documentation for details, but include the following information when creating the policy:

  • Name: Multicloud Defense-controller-policy.

  • Description: Multicloud Defense Policy.

  • Compartment: [Must be the "root" Compartment].

  1. Add the following permissions under the Show Manual Editor tab:

    
    Allow group <group_name> to inspect instance-images in compartment <compartment_name>
    Allow group <group_name> to read app-catalog-listing in compartment <compartment_name>
    Allow group <group_name> to use volume-family in compartment <compartment_name>
    Allow group <group_name> to use virtual-network-family in compartment <compartment_name>
    Allow group <group_name> to manage volume-attachments in compartment <compartment_name>
    Allow group <group_name> to manage instances in compartment <compartment_name>
    Allow group <group_name> to {INSTANCE_IMAGE_READ} in compartment <compartment_name>
    Allow group <group_name> to manage load-balancers in compartment <compartment_name>
    Allow group <group_name> to read marketplace-listings in tenancy
    Allow group <group_name> to read marketplace-community-listings in tenancy
    Allow group <group_name> to inspect compartments in tenancy
    Allow group <group_name> to manage app-catalog-listing in compartment <compartment_name>
    Allow group <group_name> to read virtual-network-family in tenancy
    Allow group <group_name> to read instance-family in tenancy
    Allow group <group_name> to read load-balancers in tenancy

    • group_name: Multicloud Defense-controller-group.

    • compartment_name: [Compartment where Multicloud Defense will be deployed].

      Note

      When replacing the <compartment_name> with the name of the compartment where the policy will apply, if the compartment is a sub-compartment, the name format is compartment:sub-compartment (e.g., Prod:App1).

      If the <compartment_name> is specified as the root compartment (e.g., multicloud (root)), OCI will not accept the policy and will produce an error: Invalid parameter. The policy must be defined for a specific compartment, and that compartment cannot be the root compartment.

  2. Click Create.
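The placeholder substitution and the compartment-naming rules from the Note above, as an added example that is not part of the Cisco documentation or of OCI's tooling. It takes the 15 statements listed in Step 6 verbatim, fills in the group name from Step 4 and a compartment path, refuses the root compartment that the Note says OCI rejects, and separates the compartment-scoped grants from the tenancy-wide ones so a reviewer can see which permissions reach across the whole tenancy. The sub-compartment path "Prod:App1" is constructed for illustration; the helper names are this example's own.

```python
# Added example (not part of the Cisco Multicloud Defense documentation or the
# OCI CLI): render the Step 6 policy statements for a concrete group and
# compartment, applying the naming rules from the Note.
import json

# The 15 statements exactly as listed in the procedure; <group_name> and
# <compartment_name> are the placeholders the procedure asks you to replace.
POLICY_TEMPLATE = """\
Allow group <group_name> to inspect instance-images in compartment <compartment_name>
Allow group <group_name> to read app-catalog-listing in compartment <compartment_name>
Allow group <group_name> to use volume-family in compartment <compartment_name>
Allow group <group_name> to use virtual-network-family in compartment <compartment_name>
Allow group <group_name> to manage volume-attachments in compartment <compartment_name>
Allow group <group_name> to manage instances in compartment <compartment_name>
Allow group <group_name> to {INSTANCE_IMAGE_READ} in compartment <compartment_name>
Allow group <group_name> to manage load-balancers in compartment <compartment_name>
Allow group <group_name> to read marketplace-listings in tenancy
Allow group <group_name> to read marketplace-community-listings in tenancy
Allow group <group_name> to inspect compartments in tenancy
Allow group <group_name> to manage app-catalog-listing in compartment <compartment_name>
Allow group <group_name> to read virtual-network-family in tenancy
Allow group <group_name> to read instance-family in tenancy
Allow group <group_name> to read load-balancers in tenancy
"""

GROUP_NAME = "Multicloud Defense-controller-group"  # the group created in Step 4


def compartment_path(*segments: str) -> str:
    """Join a compartment hierarchy into the colon form the Note describes,
    e.g. compartment_path("Prod", "App1") -> "Prod:App1"."""
    cleaned = [s.strip() for s in segments]
    if not cleaned or any(not s for s in cleaned):
        raise ValueError("every compartment segment must be a non-empty name")
    return ":".join(cleaned)


def is_root_compartment(name: str) -> bool:
    """True for the tenancy root as the console labels it, e.g. 'multicloud (root)'.
    The Note says OCI rejects statements scoped to the root with 'Invalid
    parameter', so the renderer refuses it before anything is pasted."""
    n = name.strip().lower()
    return n == "root" or n.endswith("(root)")


def render_statements(group_name: str, compartment_name: str) -> list[str]:
    """Substitute both placeholders into every statement of the template."""
    if is_root_compartment(compartment_name):
        raise ValueError(
            f"{compartment_name!r} is the root compartment; scope the statements "
            "to a specific (non-root) compartment, e.g. Prod:App1"
        )
    statements = []
    for line in POLICY_TEMPLATE.splitlines():
        if not line.strip():
            continue
        statements.append(
            line.replace("<group_name>", group_name)
                .replace("<compartment_name>", compartment_name)
        )
    # Defensive check: no placeholder may survive into the policy you paste.
    leftovers = [s for s in statements if "<" in s or ">" in s]
    if leftovers:
        raise ValueError(f"unreplaced placeholder in: {leftovers[0]}")
    return statements


def split_by_scope(statements: list[str]) -> tuple[list[str], list[str]]:
    """Separate compartment-scoped grants from tenancy-wide ones; the tenancy-wide
    list is the one to review most carefully, since it applies everywhere."""
    tenancy = [s for s in statements if s.endswith(" in tenancy")]
    compartment = [s for s in statements if s not in tenancy]
    return compartment, tenancy


def statements_json(statements: list[str]) -> str:
    """JSON list form, which is what the OCI CLI's `oci iam policy create
    --statements` option accepts. Note the distinction from Step 6: the policy
    object is created in the root compartment, while the statements themselves
    name a non-root compartment."""
    return json.dumps(statements)


if __name__ == "__main__":
    target = compartment_path("Prod", "App1")  # constructed example path
    stmts = render_statements(GROUP_NAME, target)
    comp, ten = split_by_scope(stmts)
    print(f"{len(comp)} compartment-scoped, {len(ten)} tenancy-wide statements")
    print(statements_json(stmts))
```

Running it for "Prod:App1" yields 9 compartment-scoped and 6 tenancy-wide statements; passing "multicloud (root)" raises before any statement is produced, which mirrors the Invalid parameter rejection the Note describes.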

Step 7

Create a User in OCI. See OCI documentation for more information, but provide the following configuration information when creating a user:

  • Name: Multicloud Defense-controller-user

  • Description: Multicloud Defense User

Step 8

Create an API Key. See OCI documentation for more information.

Be sure to download both the private key and the public key before you add the API Key.

Step 9

Accept the Terms and Conditions for an OCI account. See OCI documentation for more information, and be sure to access the Change image section of the UI to add the following "community image" information specific to Multicloud Defense:

  1. Check the box for Multicloud Defense.

  2. Check the box for I have reviewed and accept the Publishers terms of use, Oracle Terms of Use, and the Oracle General Privacy Policy.

  3. We strongly recommend clicking Exit without deploying the image prior to connecting the account to Multicloud Defense.

    You may have to repeat these steps for each Compartment in which you plan to deploy a Multicloud Defense Gateway.