Managing Security Lists

About Security Lists

A security list is a group of Compute Classic instances that you can specify as the source or destination in one or more security rules. The instances in a security list can communicate fully, on all ports, with other instances in the same security list using their private IP addresses.

When you add an instance to a security list, the inbound and outbound policies of the security list are applicable to that instance.

  • The inbound policy controls the flow of traffic into the security list. The inbound policy is always set to deny, so by default traffic from any source outside the security list can’t access the instances that are part of the security list.
  • The outbound policy controls the flow of traffic out of the security list. For example, if the outbound policy is set to deny, packets can’t flow out of the security list. To allow instances in a security list to communicate with hosts outside the security list, set the outbound policy to permit.

By default, a security list has its inbound policy set to deny and outbound policy set to permit. However, you can specify a different outbound policy when you create a security list. If you specify the outbound policy as deny, then you can set up security rules to override that policy. Similarly, you can create security rules to permit inbound traffic from specified sources, over specified protocols and ports, to the instances in that security list.

Note:

A security rule acts only on a policy that is set to deny. If a security list has its outbound policy set to permit (the default), then you don’t need to define security rules to enable outbound traffic from instances in that security list.

When you create a security rule, you can specify a security list as a source or destination in that security rule. A security list can be specified as the source or destination in up to 10 security rules.

The following diagram shows the relationship between instances and security lists.

Communication paths between security lists with different inbound and outbound policies
In this diagram,
  • Security-list-c has the inbound policy set to permit. So traffic from the other security lists can reach the instances in this security list, as indicated by the arrows. Traffic from the Internet can also reach the instances in this security list.

    Note:

    The web console doesn’t allow you to specify the inbound policy as permit. This is because setting the inbound policy to permit in effect disables the firewall. If you need to specify this inbound policy, use the PUT or POST /seclist/ API method, or the opc compute security-list add or opc compute security-list update CLI command.

  • For Security-list-a and Security-list-b, the inbound policy is deny. So the instances in these security lists can’t receive traffic from any host outside their security lists.

You can add an instance to up to five security lists.

Note:

If an instance is added to multiple security lists that have different policies, then the most restrictive policy is applicable to the instance. For example, in the previous diagram, Inst_4 is in Security-list-c, which has the inbound policy permit. If you were to add Inst_4 to Security-list-b as well (inbound policy is deny), then the effective inbound policy for Inst_4 would be deny.

Remember, however, that all instances in a security list can communicate with each other across all protocols and ports. So in this scenario, Inst_4 would be able to communicate with Inst_5 in Security-list-c, as well as with Inst_6, Inst_7, Inst_8, and Inst_9 in Security-list-b.

Creating a Security List

A security list is a group of Compute Classic instances that you can specify as the source or destination in one or more security rules. The instances in a security list can communicate fully, on all ports, with other instances in the same security list using their private IP addresses.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand Shared Network, and then click the Security Lists.
  4. Click Create Security List.
  5. Enter or select the required details—a name and description, and the inbound and outbound policies—and click Create.

To create a security list using the CLI, use the opc compute sec-list add command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To create a security list using the API, use the POST /seclist/ method. See REST API for Oracle Cloud Infrastructure Compute Classic.

You can also create a security list by using an orchestration. See Orchestration v1 Attributes Specific to Each Object Type or Orchestration v2 Attributes Specific to Each Object Type.

Updating a Security List

After creating a security list, at any time, you can update it to change its description as well the inbound and outbound policies.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to update an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state. See Workflows for Updating Orchestrations v2.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand Shared Network, and then click the Security Lists.
  4. Identify the security list that you want to update. From the menu icon menu, select Update.
  5. Make the required changes, and click Update.

To update a security list using the CLI, use the opc compute sec-list update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To update a security list using the API, use the PUT /seclist/name method. See REST API for Oracle Cloud Infrastructure Compute Classic.

Adding an Instance to a Security List

You can add an instance to a security list either when you create the instance or later by updating the instance.

Removing an Instance from a Security List

To prevent other hosts from accessing an instance, you can remove the instance from the security lists that it is attached to. This may be useful when you want to perform maintenance activities, change or upgrade applications, and so on.

Deleting a Security List

You can delete a security list that isn’t being used by any instance or security rule.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  • Ensure that no instance is attached to the security list that you want to delete.

  • Ensure that no security rule uses the security list that you want to delete.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to delete an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state.

If you created the object using orchestration v1, then you can delete the object by terminating the orchestration. See Terminating an Orchestration v1.

If you created the object using an orchestration v2, then you can delete the object by suspending, terminating, or updating the orchestration. See Suspending an Orchestration v2, Terminating an Orchestration v2, or Updating an Orchestration v2.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand Shared Network, and then click the Security Lists.
  4. Identify the security list that you want to delete. From the menu icon menu, select Delete.

To delete a security list using the CLI, use the opc compute sec-list delete command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To delete a security list using the API, use the DELETE /seclist/name method. See REST API for Oracle Cloud Infrastructure Compute Classic.