Create a Security Rule for IP Networks

POST /network/v1/secrule/

Adds a security rule. A security rule permits traffic from a specified source or to a specified destination. You must specify the direction of a security rule - either ingress or egress. In addition, you can specify the source or destination of permitted traffic, and the security protocol and port used to send or receive packets. Each of the parameters that you specify in a security rule provides a criterion that the type of traffic permitted by that rule must match. Only packets that match all of the specified criteria are permitted. If you don't specify match criteria in the security rule, all traffic in the specified direction is permitted.

When you create a security rule with a specified direction, say ingress, you should also create a corresponding security rule for the opposite direction - in this case, egress. This is generally required to ensure that when traffic is permitted in one direction, responses or acknowledgement packets in the opposite direction are also permitted.

When you create a security rule, you specify the ACL that it belongs to. ACLs apply to vNICsets. You can apply multiple ACLs to a vNICset and you can apply each ACL to multiple vNICsets. When an ACL is applied to a vNICset, every security rule that belongs to the ACL applies to every vNIC that is specified in the vNICset.

A security rule allows you to specify the following parameters:

* The flow direction - ingress or egress

* (Optional) A source vNICset or a list of source IP address prefix sets, or both

* (Optional) A destination vNICset or a list of destination IP address prefix sets, or both

* (Optional) A list of security protocols

* (Optional) The name of the ACL that contains this rule

* (Optional) An option to disable the security rule
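The matching semantics described above (every criterion that is present in the rule must match, an absent or null criterion matches anything, and a disabled rule permits nothing) can be modelled in a few lines. The following is an added example, not code from Oracle or this page: it evaluates the page's sample request body against a constructed packet, with the vNICset, IP address prefix set and security protocol contents assumed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the named objects a secrule references (the API
# stores only the three-part names); their contents are assumptions here.
PREFIX_SETS = {"/Compute-acme/jack.jones@example.com/ipaddressprefixset1": ["10.0.0.0/24"]}
VNIC_SETS = {
    "/Compute-acme/jack.jones@example.com/vnicset1": {"vnic-a", "vnic-b"},
    "/Compute-acme/jack.jones@example.com/vnicset2": {"vnic-c"},
}
SEC_PROTOCOLS = {"/Compute-acme/jack.jones@example.com/secprotocol1": ("tcp", 443)}

SAMPLE_RULE = {  # the page's example request body
    "name": "/Compute-acme/jack.jones@example.com/secrule1",
    "flowDirection": "egress",
    "acl": "/Compute-acme/jack.jones@example.com/acl1",
    "srcVnicSet": "/Compute-acme/jack.jones@example.com/vnicset1",
    "dstVnicSet": "/Compute-acme/jack.jones@example.com/vnicset2",
    "secProtocols": ["/Compute-acme/jack.jones@example.com/secprotocol1"],
    "srcIpAddressPrefixSets": ["/Compute-acme/jack.jones@example.com/ipaddressprefixset1"],
}

@dataclass
class Packet:
    direction: str  # "ingress" or "egress", relative to the instance
    src_vnic: str
    dst_vnic: str
    src_ip: str
    dst_ip: str
    protocol: str
    port: int

def _ip_in_prefix_sets(ip, set_names):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for n in set_names for p in PREFIX_SETS[n])

def permits(rule, pkt):
    """True if the secrule body permits pkt: every criterion present in the
    rule must match; an absent, null or empty criterion matches anything."""
    if not rule.get("enabledFlag", True) or rule["flowDirection"] != pkt.direction:
        return False
    criteria = [
        (rule.get("srcVnicSet"), lambda v: pkt.src_vnic in VNIC_SETS[v]),
        (rule.get("dstVnicSet"), lambda v: pkt.dst_vnic in VNIC_SETS[v]),
        (rule.get("srcIpAddressPrefixSets"), lambda s: _ip_in_prefix_sets(pkt.src_ip, s)),
        (rule.get("dstIpAddressPrefixSets"), lambda s: _ip_in_prefix_sets(pkt.dst_ip, s)),
        (rule.get("secProtocols"), lambda s: (pkt.protocol, pkt.port) in {SEC_PROTOCOLS[n] for n in s}),
    ]
    return all(check(value) for value, check in criteria if value)
```

A rule body with only flowDirection set permits all traffic in that direction, which is the case to watch for when reviewing ACLs.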

Required Role: To complete this task, you must have the Compute_Operations role. If this role isn't assigned to you or you're not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Request

Body

The request body contains details of the security rule that you want to create.

Root Schema : SecurityRule-post-request
Type: object
  • acl
    The three-part name of the access control list (ACL) that you want to add this security rule to. Security rules are applied to vNICsets by using ACLs.
  • description
    Description of the security rule.
  • dstIpAddressPrefixSets
    A list of IP address prefix sets to which you want to permit traffic. Only packets to IP addresses in the specified IP address prefix sets are permitted. When no destination IP address prefix sets are specified, traffic to any IP address is permitted.
  • dstVnicSet
    The vNICset to which you want to permit traffic. Only packets to vNICs in the specified vNICset are permitted. When no destination vNICset is specified, traffic to any vNIC is permitted.
  • enabledFlag
    Allows the security rule to be enabled or disabled. This parameter is set to true by default. Specify false to disable the security rule.
  • flowDirection
    Specify the direction of flow of traffic, relative to the instances, for this security rule. Allowed values are ingress or egress.

    An ingress packet is a packet received by a virtual NIC, for example from another virtual NIC or from the public Internet.

    An egress packet is a packet sent by a virtual NIC, for example to another virtual NIC or to the public Internet.

  • name
    The three-part name of the security rule (/Compute-identity_domain/user/object).

    Object names can contain only alphanumeric characters, hyphens, underscores, and periods. Object names are case-sensitive. When you specify the object name, ensure that an object of the same type and with the same name doesn't already exist. If such an object already exists, another object of the same type and with the same name won't be created and the existing object won't be updated.

  • secProtocols
    A list of security protocols for which you want to permit traffic. Only packets that match the specified protocols and ports are permitted. When no security protocols are specified, traffic using any protocol over any port is permitted.
  • srcIpAddressPrefixSets
    A list of IP address prefix sets from which you want to permit traffic. Only packets from IP addresses in the specified IP address prefix sets are permitted. When no source IP address prefix sets are specified, traffic from any IP address is permitted.
  • srcVnicSet
    The vNICset from which you want to permit traffic. Only packets from vNICs in the specified vNICset are permitted. When no source vNICset is specified, traffic from any vNIC is permitted.
  • tags
    Strings that you can use to tag the security rule.
Nested Schema : dstIpAddressPrefixSets
Type: array
A list of IP address prefix sets to which you want to permit traffic. Only packets to IP addresses in the specified IP address prefix sets are permitted. When no destination IP address prefix sets are specified, traffic to any IP address is permitted.
Nested Schema : secProtocols
Type: array
A list of security protocols for which you want to permit traffic. Only packets that match the specified protocols and ports are permitted. When no security protocols are specified, traffic using any protocol over any port is permitted.
Nested Schema : srcIpAddressPrefixSets
Type: array
A list of IP address prefix sets from which you want to permit traffic. Only packets from IP addresses in the specified IP address prefix sets are permitted. When no source IP address prefix sets are specified, traffic from any IP address is permitted.
Nested Schema : tags
Type: array
Strings that you can use to tag the security rule.

Response

201 Response

Created. See Status Codes for information about other possible HTTP status codes.
Body
Root Schema : SecurityRule-response
Type: object
Nested Schema : dstIpAddressPrefixSets
Type: array
List of IP address prefix set names to match the packet's destination IP address.
Nested Schema : secProtocols
Type: array
List of security protocol object names to match the packet's protocol and port.
Nested Schema : srcIpAddressPrefixSets
Type: array
List of multipart names of IP address prefix sets to match the packet's source IP address.
Nested Schema : tags
Type: array
Tags associated with the object.

Examples

cURL Command

The following example shows how to create a security rule by submitting a POST request on the REST resource using cURL. For more information about cURL, see Use cURL.

Enter the command on a single line. Line breaks are used in this example for readability.

curl -i -X POST
     -H "Cookie: $COMPUTE_COOKIE"
     -H "Content-Type: application/oracle-compute-v3+json"
     -H "Accept: application/oracle-compute-v3+json"
     -d "@requestbody.json"
        https://api-z999.compute.us0.oraclecloud.com/network/v1/secrule/
  • COMPUTE_COOKIE is the name of the variable in which you stored the authentication cookie earlier. For information about retrieving the authentication cookie and storing it in a variable, see Authentication.

  • api-z999.compute.us0.oraclecloud.com is an example REST endpoint URL. Change this value to the REST endpoint URL of your Compute Classic site. For information about finding the REST endpoint URL for your site, see Send Requests.

Example of Request Body

The following shows an example of the request body content in the requestbody.json file.

{
  "name": "/Compute-acme/jack.jones@example.com/secrule1",
  "flowDirection": "egress",
  "description": "Sample security rule",
  "acl": "/Compute-acme/jack.jones@example.com/acl1",
  "srcVnicSet": "/Compute-acme/jack.jones@example.com/vnicset1",
  "dstVnicSet": "/Compute-acme/jack.jones@example.com/vnicset2",
  "secProtocols": ["/Compute-acme/jack.jones@example.com/secprotocol1"],
  "srcIpAddressPrefixSets": ["/Compute-acme/jack.jones@example.com/ipaddressprefixset1"]
}

Example of Response Body

The following example shows the response body in JSON format.

{
  "name": "/Compute-acme/jack.jones@example.com/secrule1",
  "uri": "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/secrule/Compute-acme/jack.jones@example.com/secrule1",
  "description": "Sample security rule",
  "tags": null,
  "acl": "/Compute-acme/jack.jones@example.com/acl1",
  "flowDirection": "egress",
  "srcVnicSet": "/Compute-acme/jack.jones@example.com/vnicset1",
  "dstVnicSet": "/Compute-acme/jack.jones@example.com/vnicset2",
  "srcIpAddressPrefixSets": ["/Compute-acme/jack.jones@example.com/ipaddressprefixset1"],
  "dstIpAddressPrefixSets": null,
  "secProtocols": ["/Compute-acme/jack.jones@example.com/secprotocol1"],
  "enabledFlag": true
}