35 Security List
A security list is a group of one or more instances that you can specify as the destination or source in a security rule. Instances within a security list can communicate fully with one another on all ports. When you attach an instance to a security list, the inbound and outbound policies defined in the security list apply to that instance.
While creating an instance, if you don't attach it to any security list, the instance gets attached automatically to the predefined /Compute-identity_domain/default/default security list, which has the inbound policy set to DENY and the outbound policy set to PERMIT.
For more information about security lists, see About Security Lists in Using Oracle Cloud Infrastructure Compute Classic.
Before running the CLI commands described in this section, make sure that you've installed the CLI client and set up the required environment variables as described in Preparing to Use the CLI.
sec-list add
Creates a security list. After creating security lists, you can add instances to them by using the add secassociation command.
Required Role
To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Syntax
opc compute sec-list add name [--description 'description'] [--policy inbound_policy] [--outbound-cidr-policy outbound_policy]
For help with the parameters and options of this command, run the command with the -h option.
Example
This command creates a security list whose inbound and outbound policies are both set to deny.
opc -f json compute sec-list add /Compute-acme/jack.jones@example.com/deny-traffic --description 'Deny traffic' --policy deny --outbound-cidr-policy deny
Note:
If the outbound_cidr_policy for a security list (seclist) is set to DENY, you can create security rules (secrules) to enable outbound communication from the instances within that security list to public IP addresses (seciplists). This way, you can create holes in the outbound firewall. You cannot create security rules to enable outbound communication from a security list to public IP addresses if the outbound_cidr_policy for the security list is set to PERMIT.
Sample Output
{
  "account": "/Compute-acme/default",
  "name": "/Compute-acme/jack.jones@example.com/deny-traffic",
  "uri": "https://api-z999.compute.us0.oraclecloud.com/seclist/Compute-acme/jack.jones@example.com/deny-traffic",
  "outbound_cidr_policy": "DENY",
  "policy": "DENY",
  "description": "Deny traffic"
}
sec-list list
Retrieves details of the security lists that are in the specified container and match the specified query criteria. If you don't specify any query criteria, then details of all the security lists in the container are displayed. Use the list command to validate the results of add, update, and delete operations.
Required Role
To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Syntax
opc compute sec-list list container [--name name]
For help with the parameters and options of this command, run the command with the -h option.
Example
The following example retrieves the details of all the security lists in the /Compute-acme container.
opc -f json compute sec-list list /Compute-acme
Sample Output
{
  "result": [
    {
      "account": "/Compute-acme/default",
      "description": "deny traffic",
      "name": "/Compute-acme/jack.jones@example.com/deny-traffic",
      "outbound_cidr_policy": "DENY",
      "policy": "DENY",
      "uri": "https://api-z999.compute.us0.oraclecloud.com/seclist/Compute-acme/jack.jones@example.com/deny-traffic"
    },
    {
      "account": "/Compute-acme/default",
      "description": "",
      "name": "/Compute-acme/default/default",
      "outbound_cidr_policy": "PERMIT",
      "policy": "DENY",
      "uri": "https://api-z999.compute.us0.oraclecloud.com/seclist/Compute-acme/default/default"
    }
  ]
}
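The list command is the natural place to check the policy posture that the note under sec-list add describes: an inbound policy of PERMIT opens every port on every associated instance, and an outbound_cidr_policy of PERMIT leaves egress unrestricted with no way to narrow it through secrules, whereas DENY closes egress except for explicit secrule holes. The following script is an added example, not part of the Oracle documentation or the opc CLI. It parses the JSON that opc -f json compute sec-list list prints and reports the lists that need attention. The embedded sample is constructed from the sample output above, with one extra permit-all list (a hypothetical name) added so that both findings are exercised; pipe real list output into the script instead.

```python
"""Audit Compute Classic security lists for permissive policies.

Added example (not Oracle's code). Reads the JSON emitted by
    opc -f json compute sec-list list <container>
from stdin, or falls back to the constructed sample below.
"""
import json
import sys

# Constructed sample: first two entries follow the documented sample output,
# the "permitall" entry is hypothetical and only there to exercise the checks.
SAMPLE_OUTPUT = """
{ "result": [
  { "account": "/Compute-acme/default", "description": "deny traffic",
    "name": "/Compute-acme/jack.jones@example.com/deny-traffic",
    "outbound_cidr_policy": "DENY", "policy": "DENY",
    "uri": "https://api-z999.compute.us0.oraclecloud.com/seclist/Compute-acme/jack.jones@example.com/deny-traffic" },
  { "account": "/Compute-acme/default", "description": "",
    "name": "/Compute-acme/default/default",
    "outbound_cidr_policy": "PERMIT", "policy": "DENY",
    "uri": "https://api-z999.compute.us0.oraclecloud.com/seclist/Compute-acme/default/default" },
  { "account": "/Compute-acme/default", "description": "constructed: wide open",
    "name": "/Compute-acme/jack.jones@example.com/permitall",
    "outbound_cidr_policy": "PERMIT", "policy": "PERMIT",
    "uri": "https://api-z999.compute.us0.oraclecloud.com/seclist/Compute-acme/jack.jones@example.com/permitall" }
] }
"""


def audit_seclists(output_json):
    """Return {seclist name: [finding, ...]} for every list that needs review.

    Semantics follow the reference: inbound `policy` PERMIT exposes all ports
    on associated instances; `outbound_cidr_policy` PERMIT means egress is
    unrestricted and outbound secrules cannot be used to narrow it, while DENY
    means egress is closed except for explicitly created secrule holes.
    Lists with DENY/DENY produce no finding and are absent from the result.
    """
    data = json.loads(output_json)
    findings = {}
    for seclist in data.get("result", []):
        name = seclist["name"]
        inbound = str(seclist.get("policy", "")).upper()
        outbound = str(seclist.get("outbound_cidr_policy", "")).upper()
        notes = []
        if inbound == "PERMIT":
            notes.append("inbound PERMIT: all ports reachable on associated instances")
        elif inbound != "DENY":
            notes.append("inbound policy unrecognised: %r" % inbound)
        if outbound == "PERMIT":
            notes.append("outbound PERMIT: egress unrestricted, outbound secrules cannot narrow it")
        elif outbound != "DENY":
            notes.append("outbound policy unrecognised: %r" % outbound)
        if notes:
            findings[name] = notes
    return findings


def format_report(findings):
    """Render the findings as one line per issue, sorted by list name."""
    lines = []
    for name in sorted(findings):
        for note in findings[name]:
            lines.append("%s: %s" % (name, note))
    return "\n".join(lines)


if __name__ == "__main__":
    # Use real CLI output when piped in, otherwise the constructed sample.
    raw = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    report = format_report(audit_seclists(raw))
    print(report if report else "all security lists are DENY/DENY")
```

Run it as opc -f json compute sec-list list /Compute-acme | python audit_seclists.py. The predefined default/default list is reported for its PERMIT outbound policy, which is exactly the default described at the top of this section, so treat that line as a prompt to decide whether the default list should be replaced by a DENY/DENY list plus explicit secrules.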
sec-list discover
Retrieves the names of the security lists in the specified container.
Required Role
To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Syntax
opc compute sec-list discover container
For help with the parameters and options of this command, run the command with the -h option.
Example
opc -f json compute sec-list discover /Compute-acme/jack.jones@example.com
Sample Output
{
  "result": [
    "/Compute-acme/jack.jones@example.com/deny",
    "/Compute-acme/jack.jones@example.com/permitall"
  ]
}
sec-list get
Retrieves information about the specified security list.
Required Role
To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Syntax
opc compute sec-list get name
For help with the parameters and options of this command, run the command with the -h option.
Example
This command retrieves the attributes, such as name and policy, of the specified seclist.
opc -f json compute sec-list get /Compute-acme/jack.jones@example.com/deny
Sample Output
{
  "account": "/Compute-acme/default",
  "name": "/Compute-acme/jack.jones@example.com/deny-traffic",
  "uri": "https://api-z999.compute.us0.oraclecloud.com/seclist/Compute-acme/jack.jones@example.com/deny-traffic",
  "outbound_cidr_policy": "DENY",
  "policy": "DENY",
  "description": "Deny traffic"
}
sec-list update
Updates inbound policy, outbound policy, and description for the specified security list.
Required Role
To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Syntax
opc compute sec-list update name [--policy inbound_policy] [--outbound-cidr-policy outbound_policy] [--description 'description']
For help with the parameters and options of this command, run the command with the -h option.
Example
This command changes the inbound policy and outbound policy of the /Compute-acme/jack.jones@example.com/deny security list to permit and updates the description.
opc compute sec-list update /Compute-acme/jack.jones@example.com/deny --policy permit --outbound-cidr-policy permit --description "updated security list"
Sample Output
{
  "account": "/Compute-acme/default",
  "name": "/Compute-acme/jack.jones@example.com/deny",
  "uri": "https://api-z999.compute.us0.oraclecloud.com/seclist/Compute-acme/jack.jones@example.com/deny",
  "outbound_cidr_policy": "PERMIT",
  "policy": "PERMIT",
  "description": "updated security list"
}
sec-list delete
Deletes the specified security list. No response is returned.
Note that a security list that’s associated with instances or is used in security rules can’t be deleted.
Required Role
To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Syntax
opc compute sec-list delete name
For help with the parameters and options of this command, run the command with the -h option.
Example
opc compute sec-list delete /Compute-acme/jack.jones@example.com/deny