Managing Security Rules for IP Networks

Creating a Security Rule for IP Networks

A security rule permits traffic from a specified source or to a specified destination. You must specify the direction of a security rule — either ingress or egress. In addition, you can specify the source or destination of permitted traffic, and the security protocol and port used to send or receive packets. Each of the parameters that you specify in a security rule provides a criterion that the type of traffic permitted by that rule must match. Only packets that match all of the specified criteria are permitted. If you don’t specify match criteria for any parameter, all traffic for that parameter is permitted. For example, if you don’t specify a security protocol, then traffic using any protocol and port is permitted.

In a security rule, you can specify a maximum of 32 security protocols, 32 source IP address prefix sets, and 32 destination IP address prefix sets.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Security Rules.
  4. Click Create Security Rule.
  5. Select or enter the required information:
    • Name: Enter a name for the security rule.
    • Status: Security rules are enabled by default. To disable a security rule, select Disabled.
    • Type: Select the direction of flow of traffic for this security rule.
    • Access Control List: Select the access control list that you want to add this security rule to. Security rules are applied to vNICsets by using ACLs.
    • Security Protocols: Select a list of security protocols for which you want to permit traffic. Only packets that match the specified protocols and ports are permitted. When no security protocols are specified, traffic using any protocol over any port is permitted.
    • Source IP Address Prefix Sets: Enter a list of IP address prefix sets from which you want to permit traffic. Only packets from IP addresses in the specified IP address prefix sets are permitted. When no source IP address prefix sets are specified, traffic from any IP address is permitted.
    • Source vNICset: Select the vNICset from which you want to permit traffic. Only packets from vNICs in the specified vNICset are permitted. When no source vNICset is specified, traffic from any vNIC is permitted.
    • Destination IP Address Prefix Sets: Enter a list of IP address prefix sets to which you want to permit traffic. Only packets to IP addresses in the specified IP address prefix sets are permitted. When no destination IP address prefix sets are specified, traffic to any IP address is permitted.
    • Destination vNICset: Select the vNICset to which you want to permit traffic. Only packets to vNICs in the specified vNICset are permitted. When no destination vNICset is specified, traffic to any vNIC is permitted.
    • Description: Enter a meaningful description for the security rule.
    • Tags: Enter one or more tags to help you identify the security rule.
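The match semantics described above (every specified criterion must match, an unspecified criterion matches anything, at most 32 entries per list) modelled as a small Python checker; this is an added example, not Oracle's code, the field and rule names are assumed, and the vNICset criteria are left out to keep the model short. It also flags a rule with no criteria, which the page notes permits all traffic in its direction.

```python
"""Model of Compute Classic IP-network security-rule matching (added example,
not Oracle's code). A packet is permitted only if it matches every criterion the
rule specifies; an empty criterion means "any"; lists are capped at 32 entries."""
import ipaddress
from dataclasses import dataclass, field

MAX_PER_LIST = 32  # limit stated in the documentation


@dataclass
class SecRule:
    name: str
    direction: str                 # "ingress" or "egress"
    enabled: bool = True
    protocols: list = field(default_factory=list)     # (proto, port); port None = any port
    src_prefixes: list = field(default_factory=list)  # CIDR strings (a prefix set)
    dst_prefixes: list = field(default_factory=list)

    def __post_init__(self):
        for lst in (self.protocols, self.src_prefixes, self.dst_prefixes):
            if len(lst) > MAX_PER_LIST:
                raise ValueError(f"{self.name}: more than {MAX_PER_LIST} entries in a list")


def _in_prefixes(addr, prefixes):
    """Empty list means 'any address', exactly as the console describes."""
    if not prefixes:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def permits(rule, direction, proto, port, src, dst):
    """True if the rule permits this packet: direction, state and all criteria must match."""
    if not rule.enabled or rule.direction != direction:
        return False
    if rule.protocols and not any(
            p == proto and (pt is None or pt == port) for p, pt in rule.protocols):
        return False
    return _in_prefixes(src, rule.src_prefixes) and _in_prefixes(dst, rule.dst_prefixes)


def unrestricted_criteria(rule):
    """Criteria left empty; each one widens the rule to 'any' for that parameter."""
    return [n for n, v in (("protocols", rule.protocols), ("source", rule.src_prefixes),
                           ("destination", rule.dst_prefixes)) if not v]


# Constructed sample rules (hypothetical names and documentation-range prefixes).
WEB_IN = SecRule("web-in", "ingress", protocols=[("tcp", 443)],
                 src_prefixes=["203.0.113.0/24"], dst_prefixes=["10.0.1.0/24"])
ALLOW_ALL_OUT = SecRule("all-out", "egress")   # no criteria: permits every egress packet
```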

To create a security rule using the CLI, use the opc compute security-rule add command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To create a security rule using the API, use the POST /network/v1/secrule/ method. See REST API for Oracle Cloud Infrastructure Compute Classic.

You can also create a security rule by using an orchestration. See Orchestration v1 Attributes Specific to Each Object Type or Orchestration v2 Attributes Specific to Each Object Type.

After creating a security rule, to update or delete the security rule, see Updating a Security Rule for IP Networks or Deleting a Security Rule for IP Networks.

Listing Security Rules for IP Networks

After creating a security rule, you can view a list of your security rules for IP networks along with information about each security rule.

To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Security Rules.
The Security Rules page displays a list of security rules for IP networks. You can view information about each security rule such as whether a rule is an ingress rule or an egress rule, and whether a rule is enabled or disabled. You can also see the ACL that a security rule references as well as the security protocol, source, and destination specified in each rule, if any.

To list security rules using the CLI, use the opc compute security-rule list command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To list security rules using the API, use the GET /network/v1/secrule/container/ method. See REST API for Oracle Cloud Infrastructure Compute Classic.

After creating a security rule, to update or delete the security rule, see Updating a Security Rule for IP Networks or Deleting a Security Rule for IP Networks.

Applying a Security Rule for IP Networks

After you’ve created a security rule for use with IP networks, you can apply it to one or more vNICsets. A security rule that isn’t applied to any vNICset has no effect.

To apply a security rule, do the following:

  1. Reference an ACL in the security rule. A security rule can reference only one ACL, so plan your security rules and ACLs carefully. You can reference an ACL in a security rule either while creating the security rule, or later, by updating the security rule. See Creating a Security Rule for IP Networks or Updating a Security Rule for IP Networks.

  2. Apply the ACL to the required vNICsets. You can apply an ACL to a vNICset by specifying the required ACL either while creating the vNICset, or later, by updating the vNICset. See Creating a vNICset or Updating a vNICset.

Updating a Security Rule for IP Networks

After creating a security rule, you can modify it if required.

In a security rule, you can specify a maximum of 32 security protocols, 32 source IP address prefix sets, and 32 destination IP address prefix sets.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to update an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state. See Workflows for Updating Orchestrations v2.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Security Rules.
  4. Go to the security rule that you want to update, and from the menu icon, select Update.
  5. Update the information as required:
    • Status: Security rules are enabled by default. To disable a security rule, select Disabled.
    • Type: Update the direction of flow of traffic for this security rule, if required.
    • Access Control List: Select the access control list that you want to add this security rule to. Security rules are applied to vNICsets by using ACLs.
    • Security Protocols: Select a list of security protocols for which you want to permit traffic. Only packets that match the specified protocols and ports are permitted. When no security protocols are specified, traffic using any protocol over any port is permitted.
    • Source IP Address Prefix Sets: Enter a list of IP address prefix sets from which you want to permit traffic. Only packets from IP addresses in the specified IP address prefix sets are permitted. When no source IP address prefix sets are specified, traffic from any IP address is permitted.
    • Source vNICset: Select the vNICset from which you want to permit traffic. Only packets from vNICs in the specified vNICset are permitted. When no source vNICset is specified, traffic from any vNIC is permitted.
    • Destination IP Address Prefix Sets: Enter a list of IP address prefix sets to which you want to permit traffic. Only packets to IP addresses in the specified IP address prefix sets are permitted. When no destination IP address prefix sets are specified, traffic to any IP address is permitted.
    • Destination vNICset: Select the vNICset to which you want to permit traffic. Only packets to vNICs in the specified vNICset are permitted. When no destination vNICset is specified, traffic to any vNIC is permitted.
    • Description: Update the description, if required.
    • Tags: Update the tags, if required.
  6. Click Update. The security rule is updated.

To update a security rule using the CLI, use the opc compute security-rule update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To update a security rule using the API, use the PUT /network/v1/secrule/name method. See REST API for Oracle Cloud Infrastructure Compute Classic.

Deleting a Security Rule for IP Networks

If you no longer need a security rule, you can delete it.

Caution:

Default ingress and egress security rules exist to allow communication between vNICs in the default vNICset. These default security rules belong to the default ACL and are applied to the default vNICset. If you delete either of these default security rules, ensure that you have other security rules or other ACLs in place to permit communication to and from the vNICs in the default vNICset. Otherwise communication with these vNICs will be blocked.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to delete an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state.

If you created the object using orchestration v1, then you can delete the object by terminating the orchestration. See Terminating an Orchestration v1.

If you created the object using an orchestration v2, then you can delete the object by suspending, terminating, or updating the orchestration. See Suspending an Orchestration v2, Terminating an Orchestration v2, or Updating an Orchestration v2.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Security Rules.
  4. Go to the security rule that you want to delete, and from the menu icon, select Delete.

To delete a security rule using the CLI, use the opc compute security-rule delete command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.