6 Access Control List (ACL)

This section describes the Compute Classic CLI commands you can use to add, delete, update, and view ACLs.

Access Control List (ACL) is a collection of security rules. You can use ACLs to control the traffic between instances. To control traffic from and to Compute Classic instances, you can apply ACLs to:

  • virtual NICs of Compute Classic instances in the same IP network

  • virtual NICs of a transit node, such as the VPN gateway or Internet gateway node

The default ACL allows traffic to all virtual NICs in an IP network.

Before running the CLI commands described in this section, make sure that you've installed the CLI client and set up the required environment variables as described in Preparing to Use the CLI.

acl add

Add an access control list (ACL) to control the traffic between virtual NICs. An ACL consists of one or more security rules that are applied to a virtual NIC set. Each security rule may refer to a virtual NIC set in either the source or the destination. See Workflow for Applying Access Control Lists in Using Oracle Cloud Infrastructure Compute Classic.

After creating an ACL, you can associate it to one or more virtual NIC sets.

Required Role

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Syntax

opc compute acl add name [--description description] [--enabled-flag] [--tags tags]

Example

opc -f json compute acl add /Compute-acme/jack.jones@example.com/acl1 --description 'Sample ACL 1' --enabled-flag

Sample Output

{
  "description": "Sample ACL 1",
  "enabledFlag": true,
  "name": "/Compute-acme/jack.jones@example.com/acl1",
  "tags": null,
  "uri": "https://api-z999.compute.us0.oraclecloud.com/network/v1/acl/Compute-acme/jack.jones@example.com/acl1"
}

acl list

Retrieves details of all ACLs in the specified container.

Required Role

To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Syntax

opc compute acl list container

Example

opc -f json compute acl list /Compute-acme

Sample Output

{
  "result": [
    {
      "name": "/Compute-acme/jack.jones@example.com/acl1",
      "uri": "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/acl/Compute-acme/jack.jones@example.com/acl1",
      "description": "Updating sample ACL 1",
      "tags": [
        "test"
      ],
      "enabledFlag": false
    },
    {
      "name": "/Compute-acme/default",
      "uri": "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/acl/Compute-acme/default",
      "description": null,
      "tags": [],
      "enabledFlag": true
    }
  ]
}

acl get

Retrieves details of the specified ACL.

You can use the get command to verify whether add and update operations were completed successfully.

Required Role

To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Syntax

opc compute acl get name

Example

opc -f json compute acl get /Compute-acme/jack.jones@example.com/acl1

Sample Output

{
  "description": "Sample ACL 1",
  "enabledFlag": true,
  "name": "/Compute-acme/jack.jones@example.com/acl1",
  "tags": null,
  "uri": "https://api-z999.compute.us0.oraclecloud.com/network/v1/acl/Compute-acme/jack.jones@example.com/acl1"
}

acl update

You can update the description and tags fields of an ACL. You can also enable or disable an ACL. Disabling an ACL also stops the traffic that the security rules in scope of that ACL would otherwise allow.

Required Role

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Syntax

opc compute acl update name [--description description] [--enabled-flag] [--tags tags]

Example

The following example demonstrates how you can update the description and tags fields and disable the ACL by passing false to the --enabled-flag option.

opc -f json compute acl update /Compute-acme/jack.jones@example.com/acl1 --description 'Updating description, tags, and enabledFlag for a sample ACL' --enabled-flag=false --tags 'test'

Sample Output

{
  "name": "/Compute-acme/jack.jones@example.com/acl1",
  "uri": "https://api-z999.compute.us0.oraclecloud.com/network/v1/acl/Compute-acme/jack.jones@example.com/acl1",
  "description": "Updating description, tags, and enabledFlag for a sample ACL",
  "tags": ["test"],
  "enabledFlag": false
}

acl delete

Deletes the specified ACL. No response is returned.

If you delete an ACL that is in use, all affected instances lose network connectivity.

To disable an ACL without deleting it, pass false as the value of the --enabled-flag option when running the acl update command.

Required Role

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Syntax

opc compute acl delete name

Example

opc compute acl delete /Compute-acme/jack.jones@example.com/acl1
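The sections above recommend using acl get to confirm that add and update operations took effect, and disabling an ACL with acl update --enabled-flag=false instead of deleting an ACL that is still in use. The following script is an added example, not part of the Oracle documentation or of the opc tool: it wraps the acl list, acl get, and acl update/delete commands in a disable-first rollback, and reads the CLI's JSON output (the -f json format shown on this page) to decide whether the next step is to disable the ACL or, once it is already disabled, to delete it. The sample responses in the block are constructed to match the page's sample output so the logic runs offline; the `runner` parameter is an assumption of this example that lets the same functions call the real CLI when it is set to None.

```python
"""Staged removal of a Compute Classic ACL with the opc CLI.

Added example; this is not part of the Oracle documentation or of the opc tool.
Deleting an ACL that is still applied to virtual NIC sets drops connectivity
for the affected instances, so this script disables the ACL first
(acl update --enabled-flag=false), confirms the state with acl get, and only
then hands back the acl delete command for the operator to run.
"""
import json
import subprocess

# Common prefix of every JSON-producing acl command on the page.
OPC_JSON = ["opc", "-f", "json", "compute", "acl"]


def run_opc(args, runner=None):
    """Run `opc -f json compute acl <args>` and return the parsed JSON document.

    `runner` is an injectable callable (argv list -> stdout string) so the
    decision logic can be exercised offline on constructed responses; with
    runner=None the real CLI is executed via subprocess.
    """
    argv = OPC_JSON + list(args)
    if runner is None:
        out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    else:
        out = runner(argv)
    return json.loads(out)


def acl_inventory(container, runner=None):
    """Map ACL name -> enabledFlag for every ACL in `container` (acl list)."""
    listing = run_opc(["list", container], runner)
    return {acl["name"]: bool(acl.get("enabledFlag")) for acl in listing["result"]}


def acl_state(name, runner=None):
    """Return (enabledFlag, description) for one ACL, read back with acl get."""
    acl = run_opc(["get", name], runner)
    if acl.get("name") != name:
        raise ValueError(f"acl get returned an unexpected object for {name!r}: {acl!r}")
    return bool(acl.get("enabledFlag")), acl.get("description")


def next_removal_step(name, runner=None):
    """Decide the next command in a disable-then-delete rollback of `name`.

    Returns an argv list; nothing is executed here, so the operator runs the
    command only after confirming that instances behind the ACL still behave
    as expected:
      - ACL still enabled    -> opc -f json compute acl update <name> --enabled-flag=false
      - ACL already disabled -> opc compute acl delete <name> (no output, so no -f json)
    """
    enabled, _ = acl_state(name, runner)
    if enabled:
        return OPC_JSON + ["update", name, "--enabled-flag=false"]
    return ["opc", "compute", "acl", "delete", name]


# --- Constructed responses shaped like the page's sample output (not live data). ---
ACL1 = "/Compute-acme/jack.jones@example.com/acl1"
API = "https://api-z999.compute.us0.oraclecloud.com/network/v1/acl"


def fake_get_enabled(argv):
    """Stand-in for `acl get` on a freshly added, enabled ACL."""
    assert argv[-2:] == ["get", ACL1]
    return json.dumps({"description": "Sample ACL 1", "enabledFlag": True,
                       "name": ACL1, "tags": None, "uri": API + ACL1})


def fake_get_disabled(argv):
    """Stand-in for `acl get` after `acl update ... --enabled-flag=false`."""
    assert argv[-2:] == ["get", ACL1]
    return json.dumps({"description": "Updating sample ACL 1", "enabledFlag": False,
                       "name": ACL1, "tags": ["test"], "uri": API + ACL1})


def fake_list(argv):
    """Stand-in for `acl list /Compute-acme`."""
    assert argv[-2:] == ["list", "/Compute-acme"]
    return json.dumps({"result": [
        {"name": ACL1, "enabledFlag": False, "tags": ["test"]},
        {"name": "/Compute-acme/default", "enabledFlag": True, "tags": []},
    ]})


if __name__ == "__main__":
    print("inventory:", acl_inventory("/Compute-acme", fake_list))
    for runner in (fake_get_enabled, fake_get_disabled):
        print("next step:", " ".join(next_removal_step(ACL1, runner)))
```

Run against the real CLI by omitting the `runner` argument (the client and environment variables from Preparing to Use the CLI must already be set up). Because next_removal_step returns the command instead of executing it, a first run yields the acl update command that disables the ACL; after instances have been observed for long enough to confirm nothing depended on it, a second run yields the acl delete command.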