About Access Control to Interfaces on IP Networks

When you add an instance to an IP network, two factors determine whether traffic can flow to and from the instance: network reachability and access control. By default, an interface on an IP network is reachable by other instances only if those instances have an interface either on the same IP network or on an IP network connected to the same IP network exchange. An interface on an IP network is not, by default, reachable from any source that is not on the same IP network or on the same IP network exchange.

Once reachability exists, access control to an interface is determined by the vNICsets that the vNIC belongs to and by the access control lists (ACLs) applied to those vNICsets. A virtual NIC, or vNIC, is a virtual network interface card that associates an instance with a network. Instances created using Oracle-provided Oracle Linux or Windows images with release version 16.3.6 or later support eight vNICs, so each such instance can be associated with up to eight networks. You can add each vNIC to multiple vNICsets, and you can define various ACLs and apply them to each vNICset.

An access control list (ACL) is a collection of security rules that can be applied to a vNICset. ACLs determine whether a packet can be forwarded to or from a vNIC, based on the criteria specified in their security rules. A security rule permits traffic from a specified source or to a specified destination; rules only permit, they never deny. You must specify the direction of a security rule, either ingress or egress. In addition, you can specify the source or destination of permitted traffic, and the security protocol and port used to send or receive packets. Each parameter you specify in a security rule is a criterion that traffic must match to be permitted by that rule, and only packets that match all of the specified criteria are permitted. If you don't specify match criteria for a parameter, that parameter matches all traffic. For example, if you don't specify a security protocol, then traffic using any protocol and port is permitted by that rule. Because rules only permit, a packet that is not matched by any rule in any ACL applied to the vNIC's vNICsets is not forwarded.

When you create an instance, you can specify one or more vNICsets for each interface on an IP network. You can also define various ACLs and apply them to each vNICset. When the instance is created, the vNICs for those interfaces are added to the specified vNICsets and access to each vNIC is controlled by the ACLs applied to those vNICsets.

If you don’t specify any vNICsets for an interface, the vNIC for that interface is added to the default vNICset. A default ACL is applied to the default vNICset. This default ACL contains a default ingress and egress security rule, to permit traffic across the vNICs in the default vNICset.

Note:

Remember, however, that reachability must be ensured as well. If a vNICset contains vNICs on IP networks that aren’t connected by an IP network exchange, those vNICs won’t be able to communicate with each other.

The following network objects exist by default to control traffic to and from vNICs in the default vNICset.

  • /Compute-identity_domain/default: The default vNICset. If you don’t specify a vNICset for an interface while creating an instance, the vNIC for that interface is automatically added to this default vNICset.

  • /Compute-identity_domain/default: The default ACL. This is a separate object from the default vNICset, although it has the same name. This ACL is automatically applied to the default vNICset.

  • /Compute-identity_domain/default/ingress: The default ingress security rule. This security rule specifies the default vNICset as the source and the destination. It doesn’t specify any security protocol. Traffic is permitted from any vNIC within the default vNICset to any destination within the default vNICset over all protocols and ports.

  • /Compute-identity_domain/default/egress: The default egress security rule. This security rule specifies the default vNICset as the source. No destination or security protocol is specified. Traffic from the default vNICset is permitted to all destinations over all protocols and ports.
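The following is an added worked model of the rules described above, written for this page; it is not Oracle's code and not a real API. It puts together the reachability prerequisite from the Note, the match-all semantics of security rules (an unspecified parameter matches anything, rules only permit, no match means the packet is dropped), and the four default objects listed above. The vNIC names, IP network names, exchange name and the extra "web" vNICset and ACL are hypothetical. It assumes that a packet must be permitted both by an egress rule reachable through the source vNIC's vNICsets and by an ingress rule reachable through the destination vNIC's vNICsets, and that a port criterion is checked against the destination port.

```python
"""Toy evaluator for vNICset / ACL / security-rule decisions (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_VNICSET = "/Compute-identity_domain/default"   # default vNICset
DEFAULT_ACL = "/Compute-identity_domain/default"       # default ACL (distinct object, same name)
WEB_VNICSET = "/Compute-identity_domain/web"           # hypothetical
WEB_ACL = "/Compute-identity_domain/web-acl"           # hypothetical


@dataclass(frozen=True)
class Packet:
    src_vnic: str
    dst_vnic: str
    protocol: str                   # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass
class SecurityRule:
    """Permit-only rule. A None criterion means 'any' for that parameter."""
    name: str
    direction: str                  # "ingress" or "egress"
    src_vnicset: Optional[str] = None
    dst_vnicset: Optional[str] = None
    protocol: Optional[str] = None
    port_range: Optional[Tuple[int, int]] = None


@dataclass
class Fabric:
    vnic_network: Dict[str, str]              # vNIC -> IP network
    exchange_of: Dict[str, Optional[str]]     # IP network -> IP network exchange (or None)
    vnicsets: Dict[str, Set[str]]             # vNICset -> member vNICs
    acl_rules: Dict[str, List[SecurityRule]]  # ACL -> its security rules
    vnicset_acls: Dict[str, List[str]]        # vNICset -> ACLs applied to it

    def reachable(self, src: str, dst: str) -> bool:
        """Same IP network, or both networks connected to the same exchange."""
        n1, n2 = self.vnic_network[src], self.vnic_network[dst]
        if n1 == n2:
            return True
        x1, x2 = self.exchange_of.get(n1), self.exchange_of.get(n2)
        return x1 is not None and x1 == x2

    def vnicsets_of(self, vnic: str) -> Set[str]:
        return {vs for vs, members in self.vnicsets.items() if vnic in members}

    def _matches(self, r: SecurityRule, p: Packet) -> bool:
        """Every specified criterion must match; unspecified criteria match anything."""
        if r.src_vnicset is not None and p.src_vnic not in self.vnicsets.get(r.src_vnicset, set()):
            return False
        if r.dst_vnicset is not None and p.dst_vnic not in self.vnicsets.get(r.dst_vnicset, set()):
            return False
        if r.protocol is not None and r.protocol != p.protocol:
            return False
        if r.port_range is not None:
            lo, hi = r.port_range
            if p.dst_port is None or not lo <= p.dst_port <= hi:
                return False
        return True

    def _permitted_at(self, vnic: str, direction: str, p: Packet) -> bool:
        """Permit if any rule of this direction in any ACL on any vNICset of the vNIC matches."""
        return any(r.direction == direction and self._matches(r, p)
                   for vs in self.vnicsets_of(vnic)
                   for acl in self.vnicset_acls.get(vs, [])
                   for r in self.acl_rules.get(acl, []))

    def forward(self, p: Packet) -> Tuple[bool, str]:
        if not self.reachable(p.src_vnic, p.dst_vnic):
            return False, "unreachable: no shared IP network or IP network exchange"
        if not self._permitted_at(p.src_vnic, "egress", p):
            return False, "no egress rule permits this packet from the source vNIC"
        if not self._permitted_at(p.dst_vnic, "ingress", p):
            return False, "no ingress rule permits this packet to the destination vNIC"
        return True, "permitted"


def build_example() -> Fabric:
    """Default objects from the list above plus a hypothetical HTTPS-only web vNICset."""
    default_rules = [
        SecurityRule(DEFAULT_VNICSET + "/ingress", "ingress", src_vnicset=DEFAULT_VNICSET, dst_vnicset=DEFAULT_VNICSET),
        SecurityRule(DEFAULT_VNICSET + "/egress", "egress", src_vnicset=DEFAULT_VNICSET),
    ]
    web_rules = [
        SecurityRule(WEB_VNICSET + "/https-in", "ingress", dst_vnicset=WEB_VNICSET, protocol="tcp", port_range=(443, 443)),
        SecurityRule(WEB_VNICSET + "/all-out", "egress", src_vnicset=WEB_VNICSET),
    ]
    return Fabric(
        vnic_network={"app1": "net-a", "app2": "net-a", "db1": "net-b", "web1": "net-c"},
        exchange_of={"net-a": "x1", "net-b": None, "net-c": "x1"},   # net-b is not on any exchange
        vnicsets={DEFAULT_VNICSET: {"app1", "app2", "db1"}, WEB_VNICSET: {"web1"}},
        acl_rules={DEFAULT_ACL: default_rules, WEB_ACL: web_rules},
        vnicset_acls={DEFAULT_VNICSET: [DEFAULT_ACL], WEB_VNICSET: [WEB_ACL]},
    )


def evaluate_scenarios(f: Fabric) -> Dict[str, bool]:
    return {
        "default->default same net": f.forward(Packet("app1", "app2", "tcp", 22))[0],   # True
        "default->default, net not on exchange": f.forward(Packet("app1", "db1", "tcp", 22))[0],  # False (Note)
        "default->web https": f.forward(Packet("app1", "web1", "tcp", 443))[0],         # True
        "default->web ssh": f.forward(Packet("app1", "web1", "tcp", 22))[0],            # False, no ingress match
        "web->default https": f.forward(Packet("web1", "app1", "tcp", 443))[0],         # False, default ingress needs src in default
    }


if __name__ == "__main__":
    for name, ok in evaluate_scenarios(build_example()).items():
        print(f"{name}: {'permitted' if ok else 'dropped'}")
```

Running it shows that db1 is unreachable from app1 even though both are in the default vNICset, that web1 accepts only what its own ACL permits, and that the default ingress rule admits traffic only from members of the default vNICset, so web1 cannot reach app1 until a rule is added that names the web vNICset as a source. Emptying `vnicset_acls[DEFAULT_VNICSET]` reproduces the Caution below: with the default ACL gone, even app1 to app2 is dropped.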

Caution:

While it is possible to delete any of the default access control objects, doing so could result in cutting off access to multiple vNICs. If you delete the default ACL, vNICset, or security rules, ensure that you create the corresponding objects required to enable and control traffic to and from the affected vNICs.