Deploying PrivX to Oracle Cloud: architecture blueprint
This article describes how to deploy PrivX to Oracle Cloud.
Reference architecture components
- PrivX virtual machine is the host the PrivX service runs on. A suitable starting point is an Oracle VM.Standard.E5.Flex virtual machine (2 vCPUs, 4 GB RAM) running Oracle Linux or RHEL. A minimum of 2 PrivX hosts is required for high availability. You can scale the deployment up by adding further PrivX instances.
- PrivX virtual network is the virtual network PrivX hosts will run in.
- OCI Load Balancer distributes HTTP/HTTPS traffic to the PrivX virtual machines. Cookie-based session affinity and the Weighted Round Robin policy must be enabled.
- OCI Database for PostgreSQL is used for persistence. A suitable starting point is a VM.Standard.E4.Flex database server with 32 GB of memory and 100 GB of storage. In production systems, set the database's max_connections parameter to 1000 or higher.
- OCI File Storage Service is used for audit-trail storage. Standard performance with zone redundancy is recommended. Size depends on usage.
- OCI API - if configured to do so, PrivX will index all computing resources from OCI and present them as connectable targets.
- PrivX Extender can be deployed to a private network; it establishes a secure WebSocket control connection back to PrivX and routes traffic from PrivX to target hosts within that private network.
- Target virtual network contains target hosts which have no publicly accessible addresses.
- Publicly accessible target hosts can be connected to directly via SSH/RDP if they have an address the PrivX instance can reach.
Connections
Administrators, end users, and API clients will always access PrivX via HTTPS:443. HTTP:80 is required for Windows CRL checks and redirects to HTTPS.
All PrivX internal communication, including connections from the OCI Load Balancer to the application nodes, is over HTTPS:443.
The PrivX Extenders establish secure WebSocket connections back to the PrivX instances; subsequent connections from the Extender to target hosts use SSH/RDP.
PrivX can access target hosts directly via SSH/RDP.
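The connection requirements above can be checked from an operator workstation with the following added script (example code, not part of the PrivX product or of Oracle's tooling). Host names are placeholders, the database value is what SHOW max_connections; returns, and the SSH/RDP probes assume the script runs from the network the Extender sits in.

```python
# Added readiness checks for the PrivX-on-OCI blueprint (not SSH's or Oracle's code).
import http.client
import socket
import ssl

REDIRECT_CODES = {301, 302, 307, 308}
MIN_DB_MAX_CONNECTIONS = 1000  # production guidance from the blueprint


def http_redirects_to_https(status, location):
    """Port 80 must only redirect to HTTPS; content served in clear is a finding."""
    return status in REDIRECT_CODES and location.lower().startswith("https://")


def db_max_connections_ok(show_output):
    """Takes the raw value printed by `SHOW max_connections;` (e.g. '1000')."""
    try:
        return int(show_output.strip()) >= MIN_DB_MAX_CONNECTIONS
    except ValueError:
        return False


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_ok(host, port=443, timeout=3.0):
    """True if a verified TLS session (chain + hostname) can be established."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def probe_http_redirect(host, timeout=3.0):
    """GET / on port 80 without following redirects; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    finally:
        conn.close()


def run_checks(privx_host, db_max_connections, target_hosts=()):
    """Evaluate the blueprint's connection requirements; returns {check: bool}."""
    status, location = probe_http_redirect(privx_host)
    results = {
        "privx_https_443": tls_ok(privx_host),
        "privx_http_80_redirects": http_redirects_to_https(status, location),
        "db_max_connections": db_max_connections_ok(db_max_connections),
    }
    for h in target_hosts:  # reached by the Extender over SSH (22) or RDP (3389)
        results[f"target_{h}"] = tcp_open(h, 22) or tcp_open(h, 3389)
    return results
```

Run as `run_checks("privx.example.internal", "1000", ["db01.example.internal"])` after the placeholders are replaced; any False entry points at a component that does not yet meet the blueprint.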
Disclaimers
This document includes instructions regarding third-party products by Oracle Cloud. This blueprint is provided for general guidance only.
The architecture in this blueprint was verified against the Oracle Cloud products current in October 2024. These instructions will need to be adapted when using other versions of Oracle Cloud products.
SSH Communications Security Corporation does not make any warranties as to the accuracy, reliability, or usefulness of these instructions, or guarantee that the content related to third-party products is up to date.
SSH Communications Security Corporation does not provide any warranties regarding third-party products, such as Oracle Cloud, nor provide any support or other services for third-party products.
For instructions about setting up and operating Oracle Cloud products, we always recommend that you consult the official Oracle Cloud documentation intended for the specific version(s) of Oracle Cloud products in your use, and/or directly contact Oracle Cloud representatives or support.