Managing ACLs

Creating an ACL

An access control list (ACL) is a collection of security rules that can be applied to a vNICset. ACLs determine whether a packet can be forwarded to or from a vNIC, based on the criteria specified in its security rules. When you create a security rule, you specify the ACL that it belongs to. ACLs apply to vNICsets. Each vNICset can reference multiple ACLs and each ACL can be referenced in multiple vNICsets. When an ACL is referenced in a vNICset, every security rule that belongs to the ACL applies to every vNIC that is specified in the vNICset.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Access Control Lists.
  4. Click Create Access Control List.
  5. Select or enter the required information:
    • Name: Enter a name for the ACL.
    • Status: ACLs are enabled by default. To disable an ACL, select Disabled.
    • Description: Enter a meaningful description for the ACL.
    • Tags: Enter one or more tags to help you identify the ACL.

To create an ACL using the CLI, use the opc compute acl add command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To create an ACL using the API, use the POST /network/v1/acl/ method. See REST API for Oracle Cloud Infrastructure Compute Classic.

You can also create an ACL by using an orchestration. See Orchestration v1 Attributes Specific to Each Object Type or Orchestration v2 Attributes Specific to Each Object Type.

After creating an ACL:

Listing ACLs

After creating access control lists (ACLs), you can view a list of your ACLs along with information about each ACL such as its status and the security rules it contains.

To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Access Control Lists.
    The Access Control Lists page displays a list of ACLs along with information about each ACL, such as its status and the security rules that are added to each ACL.

To list ACLs using the CLI, use the opc compute acl list command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To list ACLs using the API, use the GET /network/v1/acl/container/ method. See REST API for Oracle Cloud Infrastructure Compute Classic.

After listing ACLs:

Adding a Security Rule to an ACL

After you’ve created the access control lists (ACLs) that you want to use in your IP networks, add security rules to an ACL by referencing the ACL in each of the required security rules. A security rule that doesn’t specify any ACL isn’t used.

A security rule can reference only one ACL, so plan your security rules and ACLs carefully. You can reference an ACL in a security rule either while creating the security rule, or later, by updating the security rule. See Creating a Security Rule for IP Networks or Updating a Security Rule for IP Networks.

Applying an ACL to a vNICset

To apply an ACL, reference it in one or more vNICsets when you create or update vNICsets. When an ACL is referenced in a vNICset, every security rule that references that ACL is applied to every vNIC in that vNICset.

See Creating a vNICset or Updating a vNICset.

Updating an ACL

After creating an ACL, if required, you can modify the description and tags associated with it, or change its status to disabled or enabled.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to update an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state. See Workflows for Updating Orchestrations v2.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Access Control Lists.
  4. Go to the ACL that you want to update, and from the menu icon, select Update.
  5. Update the required information:
    • Status: ACLs are enabled by default. To disable an ACL, select Disabled.
    • Description: Update the description, if required.
    • Tags: Update the tags, if required.
  6. Click Update. The ACL is updated.

To update an ACL using the CLI, use the opc compute acl update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To update an ACL using the API, use the PUT /network/v1/acl/name method. See REST API for Oracle Cloud Infrastructure Compute Classic.

After updating an ACL:

Deleting an ACL

If you no longer need to use an ACL, you can delete it. Remember, however, that security rules reference ACLs and ACLs are applied to vNICsets. If you delete an ACL that is referenced in one or more security rules, those security rules can no longer be used. If you delete an ACL that is applied to a vNICset, the security rules in that ACL no longer apply to that vNICset.

Before deleting an ACL, ensure that other ACLs are in place to provide access to relevant vNICsets. If you delete all the ACLs applied to a vNICset, some vNICs in that vNICset might become unreachable.

Caution:

A default ACL is applied to the default vNICset. This ACL allows communication between vNICs in the default vNICset. If you delete the default ACL, it can cause all communication to and from vNICs in the default vNICset to be blocked.
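The relationships this page describes (a security rule references at most one ACL, a vNICset references any number of ACLs, and an ACL’s rules apply to every vNIC in every vNICset that references it) are enough to model the pre-deletion check the paragraphs above ask for. The following is an added example and not Oracle’s code: it talks to no console, CLI or API, and every object name, class and function in it is constructed for illustration. It also assumes that the rules in a disabled ACL are not enforced, which this page does not state explicitly. The check computes, for a candidate ACL, which security rules would be orphaned, which vNICsets apply it, and which vNICs would be left with no security rule at all.

```python
"""Constructed model of Compute Classic ACLs, security rules, vNICsets and
vNICs, with an impact check to run before deleting an ACL.

Added example; not Oracle's code. All names below are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Acl:
    name: str
    enabled: bool = True  # ACLs are enabled by default; "Disabled" turns this off


@dataclass(frozen=True)
class SecurityRule:
    name: str
    acl: str | None  # a rule references at most one ACL; None means it is not used


@dataclass(frozen=True)
class VnicSet:
    name: str
    vnics: frozenset[str]
    acls: frozenset[str] = frozenset()  # a vNICset may reference many ACLs


@dataclass
class Inventory:
    acls: dict[str, Acl]
    rules: list[SecurityRule]
    vnicsets: list[VnicSet]

    def effective_rules(self, vnic: str) -> set[str]:
        """Rules that apply to a vNIC: the ACL must exist, be enabled (assumption),
        and be referenced by a vNICset that contains the vNIC."""
        applied: set[str] = set()
        for vs in self.vnicsets:
            if vnic not in vs.vnics:
                continue
            for rule in self.rules:
                if rule.acl is None or rule.acl not in vs.acls:
                    continue
                acl = self.acls.get(rule.acl)
                if acl is not None and acl.enabled:
                    applied.add(rule.name)
        return applied

    def without(self, acl_name: str) -> Inventory:
        """The inventory as it would look after deleting acl_name."""
        acls = {n: a for n, a in self.acls.items() if n != acl_name}
        vnicsets = [replace(vs, acls=vs.acls - {acl_name}) for vs in self.vnicsets]
        return Inventory(acls=acls, rules=list(self.rules), vnicsets=vnicsets)

    def deletion_impact(self, acl_name: str) -> dict:
        """Pre-deletion check mirroring the page's prerequisites."""
        after = self.without(acl_name)
        orphaned = sorted(r.name for r in self.rules if r.acl == acl_name)
        affected = [vs for vs in self.vnicsets if acl_name in vs.acls]
        # vNICs that had at least one rule and would be left with none
        uncovered = sorted({
            v for vs in affected for v in vs.vnics
            if self.effective_rules(v) and not after.effective_rules(v)
        })
        return {
            "orphaned_rules": orphaned,
            "vnicsets": sorted(vs.name for vs in affected),
            "uncovered_vnics": uncovered,
            "safe_to_delete": not orphaned and not uncovered,
        }


def sample_inventory() -> Inventory:
    """Constructed sample data: three ACLs in use, one disabled, one stale."""
    acls = {
        "default": Acl("default"),
        "web": Acl("web"),
        "admin": Acl("admin", enabled=False),
        "stale": Acl("stale"),  # referenced by nothing
    }
    rules = [
        SecurityRule("allow-internal", "default"),
        SecurityRule("allow-http", "web"),
        SecurityRule("allow-ssh", "admin"),
        SecurityRule("draft-rule", None),  # no ACL, so never applied
    ]
    vnicsets = [
        VnicSet("default-set", frozenset({"vnic-a", "vnic-b"}), frozenset({"default"})),
        VnicSet("web-set", frozenset({"vnic-b", "vnic-c"}), frozenset({"web", "admin"})),
    ]
    return Inventory(acls, rules, vnicsets)


if __name__ == "__main__":
    inv = sample_inventory()
    for acl in inv.acls:
        print(acl, inv.deletion_impact(acl))
```

Run it and `deletion_impact("web")` reports that `allow-http` would be orphaned and `vnic-c` would lose its only rule, while `deletion_impact("stale")` is the only deletion the check marks as safe; a disabled ACL such as `admin` still orphans the rules that reference it even though those rules are not currently enforced.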

Prerequisites

  • Ensure that the ACL that you want to delete isn’t referenced in any security rule that you want to use.

  • Ensure that vNICs in vNICsets that the ACL applies to don’t become unreachable by deleting the ACL.

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to delete an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state.

If you created the object using orchestration v1, then you can delete the object by terminating the orchestration. See Terminating an Orchestration v1.

If you created the object using orchestration v2, then you can delete the object by suspending, terminating, or updating the orchestration. See Suspending an Orchestration v2, Terminating an Orchestration v2, or Updating an Orchestration v2.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Access Control Lists.
  4. Go to the ACL that you want to delete, and from the menu icon, select Delete.

To delete an ACL using the CLI, use the opc compute acl delete command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To delete an ACL using the API, use the DELETE /network/v1/acl/name method. See REST API for Oracle Cloud Infrastructure Compute Classic.