Back to Blog
How to Secure Your OCI Always Free Tier Network: A Practical Guide

How to Secure Your OCI Always Free Tier Network: A Practical Guide

   Mariusz Antonik    Security    4 min read    4 views

1. Introduction

Oracle Cloud’s Always Free Tier is incredibly powerful — but just because it’s free doesn’t mean it’s secure out of the box.
If you spin up a VCN, a VM, and a DB system without hardening the environment, you’re exposing yourself to attacks within minutes.

In this guide, I’ll walk you through exactly how I secure every Always Free Tier deployment for clients, students, and my own lab environments.

This method is lightweight, simple, and follows Oracle’s recommended architecture—perfect for beginners and small businesses building their first cloud presence.

2. What Problem This Solves

Most Free Tier users run into these issues:

  • VM SSH port exposed to the whole internet

  • Public subnet used when private would be better

  • No NSGs (Network Security Groups)

  • Security Lists left wide open

  • No host-level firewall rules

  • No monitoring alerts for security events

And yes, I’ve seen production systems running like this.

Let’s fix that.

3. Step-by-Step Guide

Step 1 — Create a Private VCN Layout

OCI Console → Networking → Virtual Cloud Networks → Create VCN

Recommended CIDR:

 
10.0.0.0/16

Subnets:

  • 10.0.1.0/24 — Public Subnet (for LB / bastion)

  • 10.0.2.0/24 — Private Subnet (for compute/db)

CLI Equivalent:

 
oci network vcn create \ --cidr-block "10.0.0.0/16" \ --compartment-id <COMPARTMENT_OCID> \ --display-name "secure-vcn"

Step 2 — Replace Security Lists With NSGs

Security Lists apply to subnets → too broad
NSGs apply to resources → perfect for security

Create NSG for Compute

 
NSG_COMPUTE

Rules to allow only:

  • SSH from your home IP

  • HTTP/HTTPS if you run a website

  • MySQL only inside VCN

CLI Example:

 
oci network nsg create \ --vcn-id <VCN_OCID> \ --display-name "nsg-compute"

Add ingress rule:

 
oci network nsg rules add \ --nsg-id <NSG_OCID> \ --ingress-rules '[ {"protocol":"6","source":"YOUR.IP.ADDR.0/24","tcpOptions":{"destinationPortRange":{"min":22,"max":22}}} ]'

Step 3 — Harden Your Compute VM

SSH into your VM and run:

 
sudo ufw allow from YOUR.IP.ADDR.0/24 to any port 22 sudo ufw enable

Disable password login:

 
sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config sudo systemctl restart sshd

Step 4 — Remove Public IP from Database

Never expose MySQL or HeatWave externally.

OCI Console → MySQL → DB →
Disable Public Access

Step 5 — Add a Bastion for Administrative Access

OCI Console → Bastion → Create Bastion
Attach to Public Subnet.

You now SSH using:

 
ssh -i key opc@<PRIVATE_IP> -J <BASTION_IP>

Step 6 — Enable Cloud Guard + Security Zones

Turn on:

  • Cloud Guard

  • Security Recipes

  • Threat Detection

This gives you alerts when something is misconfigured or suspicious.

4. Architecture Diagram

(Image will be generated in next message)

Placeholder:

 
Internet | +--------------+ | OCI Bastion | +--------------+ | ------------------------- | VCN 10.0.0.0/16 | ------------------------- | Public Subnet 10.0.1.0/24 (LB) | Private Subnet 10.0.2.0/24 (Compute/DB)

5. Best Practices

  • Always restrict SSH by IP

  • Always use NSGs instead of Security Lists

  • Never expose DB services publicly

  • Use Bastion instead of public VMs

  • Enable automatic OS updates

  • Use Vault for private keys

  • Use Cloud Guard for continuous monitoring

6. Common Errors / Troubleshooting

Error Cause Fix
“SSH timeout” NSG rule missing Allow port 22 from your IP
DB not reachable DB in private subnet Use bastion or private endpoint
Website offline LB health check failing Allow LB subnet inside NSG
Cannot update OS DHCP disabled Re-enable VNIC DHCP

7. Summary

With these steps, your Always Free Tier network becomes secure, structured, and production-ready — even though it costs you $0/month.

If you're a beginner or small business owner building your first OCI environment, this is the safest and simplest setup.

 

👉 Download the free guide: “7 OCI Networking Mistakes to Avoid”
https://dmcloudarchitect.com/c/7_oci_mistakes_to_avoid.html

 

Tags: #MySQL #OCI
Share: Twitter LinkedIn Facebook
About the Author
Mariusz Antonik

Oracle Cloud Infrastructure expert and consultant specializing in database management and automation.

Recent Posts
Connect to server using Console
Nov 30, 2025 Troubleshooting HeatWave — Common Issues, Causes & Fixes
Nov 28, 2025 OCI Dynamic Routing Gateway Setup Step-by-Step for Hybrid Networking
Nov 27, 2025 Monitoring HeatWave — Complete Guide for DBAs & DevOps
Nov 26, 2025 HeatWave Query Engine Internals — Joins, Aggregations, Hashing & Vectorization
Nov 24, 2025
All Tags
#Advanced #Beginner #Best Practices #free-tier #Guide #MySQL #OCI #oracle-cloud #Security #Tutorial