Hairpins? Hairpins!

6th April 2023

So what have hairpins got to do with Oracle, and specifically with Oracle Cloud security?

Well, when you have a specific use case for the cloud but do not want to go through the effort of getting security approval for exposing applications to the internet, you can use a hairpin connection so that legacy applications in the cloud connect via your on-premises firewall and gateways.

This gives you all the protection of the on-premises systems with the flexibility of the cloud. Basically, your cloud tenancy hides behind your on-premises setup.

This does not mean you do not put defence in depth in place. Nothing is trusted by default, but this setup makes it both easier and harder, from a security audit perspective, to prove that your implementation is secure.

So basically, when we set this up, all connections go through the on-premises proxy and firewall, and IDS and IPS are handled by the central NOC and SOC teams. OS patches can be pulled through the Oracle Cloud Service Gateway, which gives the benefit of using the cloud Linux repos without going over the internet. Application patches, however, do need to be pulled through the on-premises internet connection, but that is the price we pay for this level of isolation and security.


We can combine Oracle Maximum Security Zones (MSZ) with the hairpin technique to ensure that no malicious actor can breach the hairpin setup, as an MSZ does not allow internet gateways. If we also have the right IAM policies that disallow NAT gateways, we can totally lock down the MSZ and ensure there is no route for data leakage.
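As an added illustration of the route-table side of this design (example code, not the author's), the following Python audits VCN route tables so that the only targets are the DRG back to on-premises and the Service Gateway, flagging any internet or NAT gateway. The sample tables and the OCID resource-type format are assumptions.

```python
from typing import Dict, List

# Constructed example of the hairpin egress check (not the blog's code).
# Assumption: an OCID's second dot-separated field names the resource type,
# e.g. ocid1.natgateway.oc1.eu-frankfurt-1.<id>.

# A hairpin subnet may only route to the DRG (back to the on-premises
# firewall/proxy) and the Service Gateway (Oracle OS repos, no internet).
ALLOWED = {"drg", "servicegateway"}
# These targets create a direct internet path and defeat the hairpin.
FORBIDDEN = {"internetgateway", "natgateway"}

# Constructed data, shaped like `oci network route-table list` (reduced).
SAMPLE_TABLES = [
    {"display_name": "rt-hairpin", "route_rules": [
        {"destination": "0.0.0.0/0",
         "network_entity_id": "ocid1.drg.oc1.eu-frankfurt-1.example1"},
        {"destination": "all-fra-services-in-oracle-services-network",
         "network_entity_id": "ocid1.servicegateway.oc1.eu-frankfurt-1.example2"}]},
    {"display_name": "rt-leaky", "route_rules": [
        {"destination": "0.0.0.0/0",
         "network_entity_id": "ocid1.natgateway.oc1.eu-frankfurt-1.example3"}]},
]


def target_type(ocid: str) -> str:
    """Resource type embedded in an OCID, or 'unknown'."""
    parts = ocid.split(".")
    return parts[1] if len(parts) > 1 else "unknown"


def audit_route_table(table: Dict) -> List[str]:
    """Return findings for one route table; an empty list means compliant."""
    name, findings, default_target = table["display_name"], [], None
    for rule in table.get("route_rules", []):
        kind, dest = target_type(rule["network_entity_id"]), rule["destination"]
        if kind in FORBIDDEN:
            findings.append(f"{name}: {dest} -> {kind} (direct internet path)")
        elif kind not in ALLOWED:
            findings.append(f"{name}: {dest} -> {kind} (unexpected target)")
        if dest == "0.0.0.0/0":
            default_target = kind
    if default_target is not None and default_target != "drg":
        findings.append(f"{name}: default route bypasses the on-premises hairpin")
    return findings


def audit_all(tables: List[Dict]) -> Dict[str, List[str]]:
    """Map each route table name to its findings (empty list = OK)."""
    return {t["display_name"]: audit_route_table(t) for t in tables}
```

Run it against the real `route_rules` of every table in the MSZ compartment; a non-empty findings list means a path exists that does not go back through the on-premises controls.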

This is an architecture I have successfully implemented at several customers, and it is always an easier sell to the CISO organization as it keeps their teams in charge without increasing the burden of managing additional ingress and egress points.

In conjunction with other security measures, such as the Vulnerability Scanning service within the OCI tenancy and possibly extending the on-premises endpoint security solutions into the cloud, this can form a robust hybrid model that provides the best of both worlds: the control of an on-premises security model with the provisioning flexibility of a cloud solution.