Fortify Visual Builder and Oracle Integration With Cloudflare

Ivan Delić
Published in Oracle Developers, May 31, 2023

I received an interesting question on how to defend Visual Builder apps with Cloudflare. Cloudflare's reverse proxy puts several protective layers in front of an application: DDoS mitigation, a WAF, TLS termination, DNS, and so on. If you already rely on Cloudflare for everything else, it is natural to want the same protection in front of OCI services.

To put Cloudflare in front of Oracle Integration (OIC) and Visual Builder (VB), you create a custom hostname (a Cloudflare proxied DNS record) pointing at the original OIC hostname. Have a certificate for that custom hostname ready, because OCI requires one. Finally, configure the OIC Custom Endpoint and Network Access so that the custom hostname is attached and inbound access is limited exclusively to Cloudflare's IP ranges. That last step is what makes the setup a security control rather than a convenience: without it the original OIC hostname stays reachable directly, and everything Cloudflare adds can be walked around.

1. Prepare Cloudflare DNS hostname

OIC supports custom hostnames, the crucial resource in a Cloudflare proxied setup. I'm going to use Cloudflare DNS to create a custom hostname record in the existing zone ocimagic.win. Let's make a CNAME record www.ocimagic.win pointing to OCI's original hostname, with proxy status set to Proxied (orange cloud) so that requests flow through Cloudflare instead of resolving straight to OCI. You will find your OIC's original hostname in the Integration instance details on the OCI Console under the Service console URL attribute (e.g. oic-test-frsxwtjslf35-fr.integration.ocp.oraclecloud.com).

Add CNAME record pointing to OIC original hostname.

2. Configure OCI to Use a Custom Hostname Managed by Cloudflare

In the OCI Console, open the Integration instance you want to protect, press Edit instance and select Show advanced options. Under the Custom Endpoint section, enter the custom hostname you created in Step 1, and select the Vault and Secret in which you stored a certificate matching that hostname. This may look redundant given that Cloudflare terminates TLS from the browser, but the proxied request from Cloudflare to OCI is a separate TLS connection that OIC has to terminate itself, so a certificate for the custom hostname is a prerequisite. The secret must hold the certificate in the following form:

{
"key": "-----BEGIN PRIVATE KEY-----\n…..-----END PRIVATE KEY-----\n",
"cert": "-----BEGIN CERTIFICATE-----\n….-----END CERTIFICATE-----\n",
"intermediates": [
"-----BEGIN CERTIFICATE-----\n….-----END CERTIFICATE-----\n",
"-----BEGIN CERTIFICATE-----\n….-----END CERTIFICATE-----\n"
],
"passphrase": "<private key password if encrypted key is provided>"
}

For that purpose, I used a ZeroSSL certificate with free 90-day validity. I put two DNS names in the certificate (www.ocimagic.win and ocimagic.win). Any certificate provider will do; what matters is that the names in the certificate cover the custom hostname you attach to the OIC endpoint. I haven't tested a self-signed certificate yet.
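The secret can be assembled from the PEM files a CA hands out (ZeroSSL, for instance, delivers a private key, the leaf certificate and a CA bundle) with a short script. The following is an added example, not part of the original post and not Oracle tooling: it splits PEM input into blocks, checks that there is exactly one private key and at least one certificate, puts the leaf into "cert" and the remaining certificates into "intermediates", normalises CRLF line endings to the plain newlines the format shows, and insists on a passphrase only when the key is actually encrypted. The sample PEM strings are constructed placeholders, not real key or certificate material, and leaving "passphrase" out entirely for an unencrypted key is an assumption.

```python
import json
import re

# One PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def split_pem(text):
    """Return (label, block) pairs with CRLF normalised to LF and a trailing newline,
    which is the shape the OIC secret format shows for every PEM value."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = m.group("body").replace("\r", "")
        blocks.append((label, f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"))
    return blocks


def key_is_encrypted(label, block):
    # PKCS#8 encrypted keys carry their own label; legacy OpenSSL keys carry a Proc-Type header.
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in block


def build_secret(key_pem, chain_pem, passphrase=None):
    """Build the dict OIC expects: key, leaf cert, intermediates, optional passphrase.
    chain_pem must be leaf-first (leaf certificate followed by the CA bundle)."""
    keys = [(label, block) for label, block in split_pem(key_pem) if label in KEY_LABELS]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    certs = [block for label, block in split_pem(chain_pem) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found in the chain")
    label, key = keys[0]
    if key_is_encrypted(label, key) and not passphrase:
        raise ValueError("private key is encrypted but no passphrase was supplied")
    secret = {"key": key, "cert": certs[0], "intermediates": certs[1:]}
    if passphrase:  # assumption: the field is omitted entirely for unencrypted keys
        secret["passphrase"] = passphrase
    return secret


def to_json(secret):
    """Serialise for the OCI Vault secret; json.dumps turns each newline into backslash-n."""
    return json.dumps(secret, indent=2)


# Constructed placeholder PEM strings (not real key or certificate material), with CRLF
# line endings as some CA downloads and Windows editors produce them.
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\r\nTUlJRXZRSUJBREFOQmdr\r\n-----END PRIVATE KEY-----\r\n"
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\r\nTUlJRkxlYWY=\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nTUlJRkludGVybWVkaWF0ZTE=\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nTUlJRkludGVybWVkaWF0ZTI=\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    print(to_json(build_secret(SAMPLE_KEY, SAMPLE_CHAIN)))
```

Run it against the real files (key first, then the leaf and CA bundle concatenated leaf-first) and paste the output into the Vault secret. Keeping the key and certificate in one JSON document is what OIC asks for, so treat the secret with the same care as the private key itself.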

Configure Custom Endpoint.

The whole process of a custom endpoint is briefly explained in the official docs.

Once the changes are saved, Cloudflare starts proxying HTTP(S) requests for the custom hostname to Integration and Visual Builder. The original hostname is still reachable directly at this point, though, so for the setup to actually protect anything you must restrict access to OIC to Cloudflare's CIDRs only, as explained in Step 3.

3. Restrict Network Access

We need to make sure that only Cloudflare can reach the OIC service endpoints, so nobody can bypass the proxy by calling the original hostname directly. Network Access rules do exactly that. Take the Cloudflare source IP ranges from https://www.cloudflare.com/ips/ (the IPv4 list had 15 CIDRs at the time of writing; Cloudflare changes it occasionally, so revisit the rule when the list changes). Under the Integration instance details, select Network access and press Edit. Paste those CIDRs, one by one, and save the changes. This allowlists the Cloudflare CIDRs for the OIC instance; requests from any other IP address get a 403 error.

Whitelist Cloudflare CIDRs to access OIC.

Restricting network access is briefly explained in the official docs.
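Keeping the allowlist in sync with Cloudflare's published ranges is the part that gets forgotten, and a 403 for a legitimate user after such a setup usually means a range was missed. The following is an added example (not from the post, and not Oracle or Cloudflare tooling) that compares a configured allowlist against Cloudflare's list and tells you whether a given client address would pass the rule. The embedded IPv4 list is a snapshot of the 15 prefixes published at https://www.cloudflare.com/ips-v4; the "configured" list is a constructed example with one prefix missing and one stale non-Cloudflare entry. The download helper is only called if you wire it in yourself, so the script runs offline.

```python
import ipaddress
import urllib.request

CLOUDFLARE_IPS_V4_URL = "https://www.cloudflare.com/ips-v4"

# Snapshot of the published IPv4 list (15 prefixes); refresh it from the URL before relying on it.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

# Constructed example of what an OIC Network Access allowlist might look like after a while:
# one current Cloudflare prefix was never added, and one entry is a stale non-Cloudflare range.
CONFIGURED_EXAMPLE = [p for p in CLOUDFLARE_IPV4 if p != "131.0.72.0/22"] + ["203.0.113.0/24"]


def fetch_cloudflare_ipv4(url=CLOUDFLARE_IPS_V4_URL, timeout=10):
    """Download the current list (one prefix per line). Needs network access."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return [line.strip() for line in resp.read().decode().splitlines() if line.strip()]


def diff_allowlist(configured, published):
    """'missing': prefixes Cloudflare publishes that are not configured (those edge nodes get 403,
    which users see as intermittent failures). 'extra': configured prefixes Cloudflare does not
    publish (the origin is reachable from somewhere other than Cloudflare)."""
    cfg = {ipaddress.ip_network(p, strict=False) for p in configured}
    pub = {ipaddress.ip_network(p, strict=False) for p in published}
    return {
        "missing": sorted(str(n) for n in pub - cfg),
        "extra": sorted(str(n) for n in cfg - pub),
    }


def is_allowed(client_ip, allowlist):
    """True if client_ip falls inside any allowlisted prefix, i.e. the Network Access rule
    would let the request through instead of answering 403."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in allowlist)


if __name__ == "__main__":
    report = diff_allowlist(CONFIGURED_EXAMPLE, CLOUDFLARE_IPV4)
    print("missing:", report["missing"])
    print("extra:  ", report["extra"])
    for client in ("104.16.1.1", "131.0.72.5", "203.0.113.7", "8.8.8.8"):
        print(client, "allowed" if is_allowed(client, CONFIGURED_EXAMPLE) else "403")
```

Replace CONFIGURED_EXAMPLE with the CIDRs actually entered in the Network access dialog and CLOUDFLARE_IPV4 with the output of fetch_cloudflare_ipv4(), and run it whenever Cloudflare announces a change to its ranges. One caveat worth keeping in mind: the rule tests the source address only, so it stops direct access to the origin but does not by itself prove that a request came through your Cloudflare zone rather than from Cloudflare's network on behalf of someone else.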

4. Test It

Finally, test your OIC or VB instance by opening the custom hostname in a browser. I typed my custom hostname www.ocimagic.win, which rendered the well-known OIC UI, proxied by Cloudflare.

Test Visual Builder with a custom hostname.
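A UI rendering through the custom hostname only proves the happy path. The check that matters for security is the negative one: that the origin cannot be reached around Cloudflare. The following is an added example, not part of the original post, that runs three probes from a machine whose address is not in Cloudflare's ranges and grades them: the custom hostname through normal DNS (must not be 403), the original OIC hostname called directly (must be 403), and the origin's IP address with the custom hostname as SNI and Host header, which is how someone who has learned the origin address would try to slip past the proxy (must also be 403). The hostnames are the post's examples; the path /ic/home and the pass criteria are assumptions. The network probes only run when the script is executed directly, so the grading logic can be exercised offline.

```python
import socket
import ssl

CUSTOM_HOST = "www.ocimagic.win"                                           # from the post
ORIGIN_HOST = "oic-test-frsxwtjslf35-fr.integration.ocp.oraclecloud.com"  # from the post
PATH = "/ic/home"                                                          # assumed landing path


def parse_status(status_line):
    """Return the numeric status from an HTTP/1.x status line such as 'HTTP/1.1 403 Forbidden'."""
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def probe(connect_host, sni, host_header, path=PATH, timeout=10):
    """TLS-connect to connect_host (name or IP), present `sni`, send `Host: host_header`,
    and return the HTTP status code. Certificate verification stays on: the origin must
    present a certificate valid for `sni`, which is exactly what Step 2 required."""
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            request = f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            buf = b""
            while b"\r\n" not in buf:          # read until the status line is complete
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
    first_line = buf.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return parse_status(first_line)


# What each probe must return for the setup to count as closed (assumed pass criteria).
EXPECTATIONS = {
    "via_cloudflare": lambda status: status != 403,        # the normal path still works
    "origin_hostname_direct": lambda status: status == 403,  # Network Access rule fires
    "origin_ip_with_custom_sni": lambda status: status == 403,  # SNI/Host tricks do not help
}


def verdict(results):
    """Map probe name -> True if its status matched EXPECTATIONS (False for a probe not run)."""
    return {name: name in results and check(results[name]) for name, check in EXPECTATIONS.items()}


def run_probes():
    """Execute the three probes against the real hosts; needs network access."""
    origin_ip = socket.gethostbyname(ORIGIN_HOST)
    return {
        "via_cloudflare": probe(CUSTOM_HOST, CUSTOM_HOST, CUSTOM_HOST),
        "origin_hostname_direct": probe(ORIGIN_HOST, ORIGIN_HOST, ORIGIN_HOST),
        "origin_ip_with_custom_sni": probe(origin_ip, CUSTOM_HOST, CUSTOM_HOST),
    }


if __name__ == "__main__":
    results = run_probes()
    for name, ok in verdict(results).items():
        print(f"{name:28s} status={results[name]} {'OK' if ok else 'FAIL'}")
```

A redirect to the login page (3xx) on the first probe is a pass; only the 403 on the two direct probes shows that the Network Access rule, and not just DNS, is what keeps traffic on the Cloudflare path.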

We have created a custom hostname, configured OIC to use it as a custom endpoint, and restricted network access to Cloudflare only. From here you can layer on Cloudflare WAF rules, rate limiting, geolocation rules, and so on.


I’m a solution engineer, developer, and architect with strong technical and social skills. My specialties are application development, architecture, and cloud.