Oracle Cloud Infrastructure Documentation

Adding Security Attributes to a VCN

Use Zero Trust Packet Routing with an existing Virtual Cloud Network (VCN).

You can use Zero Trust Packet Routing (ZPR) along with or in place of network security groups to control network access to OCI resources  by applying security attributes to them and creating ZPR policies to control communication among them. For more information, see Zero Trust Packet Routing.

Caution

If an endpoint has a ZPR security attribute, traffic to the endpoint must satisfy ZPR rules and also all NSG and security list rules. For example, if you're already using NSGs and you apply a security attribute to an endpoint, as soon as the attribute is applied, all traffic to the endpoint is blocked. From then onward, a ZPR policy must allow traffic to the endpoint.
    1. On the Virtual Cloud Networks list page, select the VCN that you want to work with. If you need help finding the list page or the VCN, see Listing VCNs.
    2. On the details page, go to the Security tab and perform one of the following actions depending on the option that you see:
      • In the Security attributes section, select Add.
      • Select Add security attributes
    3. In the panel that opens, select Add security attribute, and then enter the following information:
      • Security attribute namespace: A security attribute namespace is a container for a set of security attributes in Zero Trust Packet Routing (ZPR).
      • Security attribute key: The name for a specific security attribute.
      • Security attribute value: The value for a specific security attribute.

      These values must match an existing ZPR policy. For more information about security attributes and security attribute namespaces, see Zero Trust Packet Routing

    4. When finished, select Add security attributes.

  • Use the network vcn create command and parameters shown to add security attributes when you create a VCN:

    oci network vcn create --compartment-id compartment_id [. . .] --security-attributes securityattributes [OPTIONS]

    Use the network vcn update command and parameters shown to add security attributes to an existing VCN:

    oci network vcn update --vcn-id ocid [. . .] --security-attributes securityattributes [OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreateVcn operation to add security attributes when you create a VCN, and use the securityAttributes attribute.

    Run the UpdateVcn operation to add security attributes when you update a VCN, and use the securityAttributes attribute.