Managing Security Rules

About Security Rules

Security rules are essentially firewall rules, which you can use to permit traffic between Compute Classic instances in different security lists, as well as between instances and external hosts.

The source and destination specified in a security rule can be either a security IP list (that is, a list of external hosts) or a security list.

When you create an instance by using the web console, if you accept the default settings and don’t specify any security lists that you want to add your instance to, then your instance is added to a default security list. Any security rules that specify this default security list as a source or destination automatically apply to the instance when the instance is created.

You can create security lists and add instances to those security lists either while creating an instance, or later on when the instance is running. You can then define appropriate security rules that control traffic to and from all instances in the specified security lists.

Creating a Security Rule

A security rule is a firewall rule that you can define to control network access to Compute Classic instances over a specified security application.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  • Identify (or create) the following:

    • The security application that you want to use in your security rule.

    • The security list or security IP list that you want to use as the source in the security rule.

    • The security list or security IP list that you want to use as the destination in the security rule.

      Note:

      You can’t use any of the predefined security IP lists as a destination in a security rule. If you want to use a security IP list as a destination, ensure that you’ve created the security IP list.

    See Creating a Security Application, Creating a Security IP List, and Creating a Security List.

Caution:

Use security rules carefully and open only a minimal and essential set of ports. Keep in mind your business needs and the IT security policies of your organization.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. Click Create Rule.
    The Create Security Rule dialog box is displayed.
  4. Enter or select the following:
    • Enter a name for the new security rule.
    • By default, new security rules are enabled. If you’d like to enable the rule later, then set Status to Disabled.
    • In the Security Application field, select the security application that you want to enable traffic over.
    • In the Source field, select the security list or security IP list from which traffic over the specified protocol should be allowed.
    • In the Destination field, select the security list or security IP list to which traffic should be allowed.
    • Enter a meaningful description for the rule.
  5. Click Create.

To create a security rule using the CLI, use the opc compute sec-rule add command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To create a security rule using the API, use the POST /secrule/ method. See REST API for Oracle Cloud Infrastructure Compute Classic.

You can also create a security rule by using orchestrations. See Orchestration v1 Attributes Specific to Each Object Type or Orchestration v2 Attributes Specific to Each Object Type.

Updating a Security Rule

You can update a security rule to enable or disable it.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to update an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state. See Workflows for Updating Orchestrations v2.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. Identify the security rule that you want to update. From the menu icon menu, select Update.
  4. In the Update Security Rule dialog box, change the Status as required, and click Update.

To update a security rule using the CLI, use the opc compute sec-rule update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To update a security rule using the API, use the PUT /secrule/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.

Deleting a Security Rule

If a security rule is no longer required, you can delete it.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to delete an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state.

If you created the object using orchestration v1, then you can delete the object by terminating the orchestration. See Terminating an Orchestration v1.

If you created the object using an orchestration v2, then you can delete the object by suspending, terminating, or updating the orchestration. See Suspending an Orchestration v2, Terminating an Orchestration v2, or Updating an Orchestration v2.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. Go to the security rule that you want to delete. From the menu icon menu, select Delete.

To delete a security rule using the CLI, use the opc compute sec-rule delete command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To delete a security rule using the API, use the DELETE /secrule/name method. See REST API for Oracle Cloud Infrastructure Compute Classic.