Policy Examples

Learn about Zero Trust Packet Routing policies from examples.

You can also learn about policies by exploring the Policy Template Builder.

See the following sections for service-specific policy examples:

Compute instance policy examples

Write policy to allow Compute instances in the same VCN to connect by SSH

Allow compute:instance1 endpoints to connect to compute:instance2 endpoints in the networks:net1 VCN by SSH.

in networks:net1 VCN allow compute:instance1 endpoints to connect to compute:instance2 endpoints with protocol='tcp/22'

Write policy to allow clients to connect to a database over SQLNet

In the networks:net1 VCN allow compute:instance1 endpoints to connect to db:DB-Server endpoints with protocol='tcp/1521'.

in networks:net1 VCN allow compute:instance1 endpoints to connect to db:DB-Server endpoints with protocol='tcp/1521'

Database policy examples

Write policy to allow a database to connect to OCI services

Allow databases with the security attribute DB-Server to connect to OCI services.

in VCN-Network:DB VCN allow db:DB-Server endpoints to connect to 'osn-services-ip-addresses'

Write policy to allow clients to connect to a database through a single port

Allow clients with the App:App1 security attribute to connect to the DB-Server:App1 database through the tcp/1521 port.

in VCN-Network:DB VCN allow App:App1 endpoints to connect to DB-Server:App1 endpoints with protocol='tcp/1521'

Write policy to allow clients to connect to a database through multiple ports

Allow clients with the App:App1 security attribute to connect to the DB-Server:App1 database through ports tcp/999-11199.

in VCN-Network:DB VCN allow App:App1 endpoints to connect to DB-Server:App1 endpoints with protocol='tcp/999-11199'

Write policy to allow clients to connect to a database with a stateless connection

Allow clients with the frontend security attribute to connect to the database:server database through the tcp/1521 port with a stateless connection.

in finance.network:prod VCN allow app:frontend endpoints to connect to database:server endpoints with protocol = 'tcp/1521', connection-state = 'stateless'

Write policy to allow clients in one VCN to connect to a database in a different VCN
Note

You must use IP addresses to reference targets in a different VCN.

Allow apps:app1 endpoints in the networks:net1 VCN to connect to <range of IP addresses in the other VCN>.

in networks:net1 VCN allow apps:app1 endpoints to connect to '192.168.0.0/16'

192.168.0.0/16 is the range of IP addresses in the other VCN.

Network Load Balancer policy examples

Write policy to allow an IP address to connect to a network load balancer

In the my:VCN VCN allow any IP address (0.0.0.0/0) to connect to the network load balancer with the XYZ-NLB:NLB1 security attribute.

in my:VCN VCN allow '0.0.0.0/0' to connect to XYZ-NLB:NLB1 endpoints

Write policy to connect network load balancers to application endpoints

In the my:VCN VCN allow network load balancer endpoints with the XYZ-NLB:NLB1 security attribute to connect to ABC-web-servers:app1 endpoints.

in my:VCN VCN allow XYZ-NLB:NLB1 endpoints to connect to ABC-web-servers:app1 endpoints

OCI Cache policy example

Write a policy to allow a Compute instance to connect to a Redis cluster in the same VCN

In the my:VCN VCN allow compute:instance1 endpoints to connect to redis:cluster1 endpoints.

in my:VCN VCN allow compute:instance1 endpoints to connect to redis:cluster1 endpoints

Private Service Access example

Write a policy to connect Private Service Access (PSA) endpoints

PSA endpoints give cloud resources without public IP addresses private access to OCI services.

Allow endpoints with the app:dbs security attribute to connect to a PSA endpoint when the PSA endpoint is assigned the svc:dbs security attribute:

in vcn:A VCN allow app:dbs endpoints to connect to svc:dbs endpoints with protocol='tcp/443'

To use security attributes and policies with PSA endpoints, you must first create a PSA endpoint, create security attributes to apply to the endpoint, and then create ZPR policy to control access to the endpoint.

VCN policy example

Write policy to connect resources across VCNs

Allow compute clients with the applications:app1 security attribute to connect to the database running app1 over a SQLNet connection.

Note

Two policies are used because the database and clients reside in separate VCNs.

in VCN-Network:DB VCN allow DB-client:App1 endpoints to connect to '10.1.2.0/24' with protocol='tcp/1521'
in VCN-Network:Remote VCN allow '10.1.2.0/24' to connect to DB-client:app1 endpoints with protocol='tcp/1521'
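The cross-VCN rule above (the other VCN must be referenced by IP addresses, and one statement is needed on each side) is easy to get wrong when policies are hand-written. The following added example, which is not Oracle's code or part of the ZPR service, parses the statement shapes shown on this page and checks a two-statement pair for that rule; the regular expression is an assumption that covers only these shapes, not the full ZPR grammar.

```python
import ipaddress
import re

# Operand: a quoted literal (IP CIDR or service name) or a security attribute,
# optionally followed by the keyword "endpoints". Assumed from this page's examples.
_OPERAND = r"'(?P<{n}_lit>[^']+)'|(?P<{n}_attr>[\w.-]+:[\w.-]+)(?:\s+endpoints)?"
_STATEMENT = re.compile(
    r"^in\s+(?P<vcn>[\w.-]+:[\w.-]+)\s+VCN\s+allow\s+(?:" + _OPERAND.format(n="src")
    + r")\s+to\s+connect\s+to\s+(?:" + _OPERAND.format(n="dst")
    + r")(?:\s+with\s+(?P<conds>.+))?\s*$"
)
_COND = re.compile(r"([\w-]+)\s*=\s*'([^']*)'")  # protocol='tcp/1521', connection-state='stateless'


def _operand(lit, attr):
    """Classify an operand as a security attribute, an IP CIDR or a named service."""
    if attr is not None:
        return ("attr", attr)
    try:
        return ("cidr", str(ipaddress.ip_network(lit, strict=False)))
    except ValueError:
        return ("service", lit)  # e.g. 'osn-services-ip-addresses'


def parse_statement(text):
    """Split one ZPR statement into VCN, source, destination and conditions."""
    m = _STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised ZPR statement: {text!r}")
    conds = dict(_COND.findall(m.group("conds") or ""))
    return {
        "vcn": m.group("vcn"),
        "src": _operand(m.group("src_lit"), m.group("src_attr")),
        "dst": _operand(m.group("dst_lit"), m.group("dst_attr")),
        "protocol": conds.get("protocol"),
        "connection_state": conds.get("connection-state"),
    }


def lint(statement):
    """Review findings for one statement: world-open source, no port restriction."""
    p = parse_statement(statement)
    findings = []
    if p["src"] == ("cidr", "0.0.0.0/0"):
        findings.append("source is 0.0.0.0/0: reachable from any address")
    if p["protocol"] is None:
        findings.append("no protocol condition: not limited to a port")
    return findings


def check_cross_vcn_pair(local, remote):
    """True if two statements form a valid cross-VCN pair: different VCNs, the far side
    referenced by the same IP CIDR in both, and the same protocol condition."""
    a, b = parse_statement(local), parse_statement(remote)
    return (a["vcn"] != b["vcn"] and a["dst"][0] == "cidr" and b["src"][0] == "cidr"
            and a["dst"][1] == b["src"][1] and a["protocol"] == b["protocol"])
```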