38 Security Rule for IP Network
A security rule permits traffic from a specified source or to a specified destination. You must specify the direction of a security rule - either ingress or egress. In addition, you can specify the source or destination of permitted traffic, and the security protocol and port used to send or receive packets. Each of the parameters that you specify in a security rule provides a criterion that the type of traffic permitted by that rule must match. Only packets that match all of the specified criteria are permitted. If you don't specify match criteria in the security rule, all traffic in the specified direction is permitted. The primary function of security rules is to help identify the type of traffic to be allowed in the IP network.
Before running the CLI commands described in this section, make sure that you've installed the CLI client and set up the required environment variables as described in Preparing to Use the CLI.
security-rule add
Adds a security rule for IP networks to Compute Classic. A security rule permits traffic from a specified source or to a specified destination. You must specify the direction of a security rule - either ingress or egress. In addition, you can specify the source or destination of permitted traffic, and the security protocol and port used to send or receive packets. Each of the parameters that you specify in a security rule provides a criterion that the type of traffic permitted by that rule must match. Only packets that match all of the specified criteria are permitted. If you don't specify match criteria in the security rule, all traffic in the specified direction is permitted.
When you create a security rule with a specified direction, say ingress, you should also create a corresponding security rule for the opposite direction - in this case, egress. This is generally required to ensure that when traffic is permitted in one direction, responses or acknowledgement packets in the opposite direction are also permitted.
When you create a security rule, you specify the ACL that it belongs to. ACLs apply to vNICsets. You can apply multiple ACLs to a vNICset and you can apply each ACL to multiple vNICsets. When an ACL is applied to a vNICset, every security rule that belongs to the ACL applies to every vNIC that is specified in the vNICset.
A security rule allows you to specify the following parameters:
- The flow direction - ingress or egress
- (Optional) A source vNICset or a list of source IP address prefix sets, or both
- (Optional) A destination vNICset or a list of destination IP address prefix sets, or both
- (Optional) A list of security protocols
- (Optional) The name of the ACL that contains this rule
- (Optional) An option to disable the security rule
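The match semantics described above (every criterion that is set must match; a criterion left unset matches anything; a rule with no criteria permits all traffic in its direction; and an ingress rule alone does not cover the egress replies) can be seen in a small model. This is an added example, not code from the Oracle documentation or the opc CLI: the rule names, prefixes, ports and vNICset names are constructed, and the model's assumption that each specified criterion is AND-ed with the others is its own, not something the page spells out for the case where both a vNICset and prefix sets are given.

```python
# Added example, not from the Oracle documentation: a small model of how the
# match criteria of a security rule combine. Rule names, prefixes and vNICset
# names below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    direction: str                     # "ingress" or "egress", relative to the vNIC
    src_ip: str
    dst_ip: str
    protocol: str                      # e.g. "tcp"
    dst_port: int
    src_vnicset: Optional[str] = None  # vNICset containing the sending vNIC, if any
    dst_vnicset: Optional[str] = None  # vNICset containing the receiving vNIC, if any


@dataclass
class SecurityRule:
    name: str
    flow_direction: str                # "ingress" or "egress"
    enabled: bool = True
    src_vnicset: Optional[str] = None
    dst_vnicset: Optional[str] = None
    src_prefixes: List[str] = field(default_factory=list)               # CIDR strings
    dst_prefixes: List[str] = field(default_factory=list)
    sec_protocols: List[Tuple[str, int]] = field(default_factory=list)  # (protocol, port)

    def matches(self, pkt: Packet) -> bool:
        """A packet matches only if every criterion that is set matches it.
        Criteria left unset match any packet (modelling assumption: each set
        criterion is AND-ed with the others)."""
        if not self.enabled or pkt.direction != self.flow_direction:
            return False
        if self.src_vnicset is not None and pkt.src_vnicset != self.src_vnicset:
            return False
        if self.dst_vnicset is not None and pkt.dst_vnicset != self.dst_vnicset:
            return False
        if self.src_prefixes and not _in_any(pkt.src_ip, self.src_prefixes):
            return False
        if self.dst_prefixes and not _in_any(pkt.dst_ip, self.dst_prefixes):
            return False
        if self.sec_protocols and (pkt.protocol, pkt.dst_port) not in self.sec_protocols:
            return False
        return True


def _in_any(ip: str, prefixes: List[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(p) for p in prefixes)


def permitted(rules: List[SecurityRule], pkt: Packet) -> bool:
    """Traffic is permitted if at least one enabled rule matches it."""
    return any(r.matches(pkt) for r in rules)


def unconstrained_rules(rules: List[SecurityRule]) -> List[str]:
    """Audit helper: names of enabled rules that set no match criteria at all.
    Such a rule permits all traffic in its direction."""
    return [r.name for r in rules
            if r.enabled and r.src_vnicset is None and r.dst_vnicset is None
            and not r.src_prefixes and not r.dst_prefixes and not r.sec_protocols]


# Constructed rules: a narrow ingress rule and a wide-open egress rule.
SSH_IN = SecurityRule("ssh-in", "ingress",
                      src_prefixes=["10.0.0.0/8"], sec_protocols=[("tcp", 22)])
ANY_OUT = SecurityRule("any-out", "egress")
RULES = [SSH_IN, ANY_OUT]

if __name__ == "__main__":
    req = Packet("ingress", "10.1.2.3", "10.9.9.9", "tcp", 22)
    reply = Packet("egress", "10.9.9.9", "10.1.2.3", "tcp", 40000)
    print("ssh request permitted:", permitted(RULES, req))          # True
    print("ssh reply permitted by ssh-in alone:", permitted([SSH_IN], reply))  # False
    print("rules with no criteria:", unconstrained_rules(RULES))    # ['any-out']
```

The `unconstrained_rules` helper is the check worth running over a real rule set: a rule that names no vNICset, no prefix sets and no protocols is not a misconfiguration the CLI will reject, it is simply an allow-all for its direction.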
Required Role
To complete this task, you must have the Compute_Operations role. If this role isn't assigned to you or you're not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Syntax
opc compute security-rule add name flow-direction [--acl acl] [--description description] [--tags tags] [--dst-ip-address-prefix-sets IPv4-prefixes-list] [--src-ip-address-prefix-sets IPv4-prefixes-list] [--dst-vnic-set vnic-set-list] [--src-vnic-set vnic-set-list] [--sec-protocols security_protocols] [--enabled-flag]
Example
opc -f json compute security-rule add /Compute-acme/jack.jones@example.com/secrule1 egress --acl /Compute-acme/jack.jones@example.com/acl1 --description 'Sample security rule' --src-ip-address-prefix-sets /Compute-acme/jack.jones@example.com/ipaddressprefixset1 --dst-vnic-set /Compute-acme/jack.jones@example.com/vnicset2 --src-vnic-set /Compute-acme/jack.jones@example.com/vnicset1 --sec-protocols /Compute-acme/jack.jones@example.com/secprotocol1 --enabled-flag
Sample Output
Some lines have been truncated with ellipses (...) for readability. When you run the command in your environment, you'll see the full output.
{
  "name": "/Compute-acme/jack.jones@example.com/secrule1",
  "uri": "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/secrule/Compute-acme/jack.jones@example.com/secrule1",
  "description": "Sample security rule",
  "tags": null,
  "acl": "/Compute-acme/jack.jones@example.com/acl1",
  "flowDirection": "egress",
  "srcVnicSet": "/Compute-acme/jack.jones@example.com/vnicset1",
  "dstVnicSet": "/Compute-acme/jack.jones@example.com/vnicset2",
  "srcIpAddressPrefixSets": ["/Compute-acme/jack.jones@example.com/ipaddressprefixset1"],
  "dstIpAddressPrefixSets": null,
  "secProtocols": ["/Compute-acme/jack.jones@example.com/secprotocol1"],
  "enabledFlag": true
}
security-rule list
Retrieves details of all the security rules in the specified container. This request is for security rules used in IP networks.
Required Role
To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn't assigned to you or you're not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Syntax
opc compute security-rule list container [--name name]
Example
opc -f json compute security-rule list /Compute-acme
Sample Output
{
  "result": [
    {
      "name": "/Compute-acme/default/egress",
      "uri": "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/secrule/Compute-acme/default/egress",
      "description": "Default egress Network Security Rule",
      "tags": [],
      "acl": "/Compute-acme/default",
      "flowDirection": "egress",
      "srcVnicSet": "/Compute-acme/default",
      "dstVnicSet": null,
      "srcIpAddressPrefixSets": [],
      "dstIpAddressPrefixSets": [],
      "secProtocols": [],
      "enabledFlag": true
    },
    {
      "name": "/Compute-acme/default/ingress",
      "uri": "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/secrule/Compute-acme/default/ingress",
      "description": "Default ingress Network Security Rule",
      "tags": [],
      "acl": "/Compute-acme/default",
      "flowDirection": "ingress",
      "srcVnicSet": "/Compute-acme/default",
      "dstVnicSet": "/Compute-acme/default",
      "srcIpAddressPrefixSets": [],
      "dstIpAddressPrefixSets": [],
      "secProtocols": [],
      "enabledFlag": true
    }
  ]
}
security-rule get
Retrieves details of the specified security rule which is used in IP networks.
You can use the get command to verify whether add and update operations were completed successfully.
Required Role
To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn't assigned to you or you're not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Syntax
opc compute security-rule get name
Example
opc -f json compute security-rule get /Compute-acme/jack.jones@example.com/secrule1
Sample Output
{
  "name": "/Compute-acme/jack.jones@example.com/secrule1",
  "uri": "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/secrule/Compute-acme/jack.jones@example.com/secrule1",
  "description": "Sample security rule",
  "tags": null,
  "acl": "/Compute-acme/jack.jones@example.com/acl1",
  "flowDirection": "egress",
  "srcVnicSet": "/Compute-acme/jack.jones@example.com/vnicset1",
  "dstVnicSet": "/Compute-acme/jack.jones@example.com/vnicset2",
  "srcIpAddressPrefixSets": ["/Compute-acme/jack.jones@example.com/ipaddressprefixset1"],
  "dstIpAddressPrefixSets": null,
  "secProtocols": ["/Compute-acme/jack.jones@example.com/secprotocol1"],
  "enabledFlag": true
}
security-rule update
You can update values of all the parameters of a security rule that is used in IP networks, except its name. You can also enable or disable a security rule.
This command updates the values of all the parameters. Any parameter you don't provide a value for is reset to null, so an update that passes only the option you want to change silently clears the rule's other criteria. Before updating a security rule, run the security-rule get command to retrieve all the values that are currently assigned to it, so that you can check which values you want to retain and pass them again along with the values you want to change.
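Because an update resets every omitted parameter to null, the safe pattern is read-modify-write: take the JSON from security-rule get, change only the fields you intend to, and re-send all the rest. The following Python is an added example and not part of the Oracle documentation or the opc CLI; the get output it parses is a constructed sample modelled on the page's own, the mapping from JSON fields to the options in the syntax above is taken from that syntax, and the comma-separated form it uses for list-valued options is an assumption.

```python
# Added example, not from the Oracle documentation: rebuild a full
# `security-rule update` command from `security-rule get` output so that
# parameters you do not intend to change are re-sent instead of being reset
# to null. The comma-separated form used for list-valued options is an
# assumption; check your CLI version's accepted list syntax.
import json
import shlex
from typing import Any, Dict, List

# Constructed sample of `opc -f json compute security-rule get ...` output.
GET_OUTPUT = json.dumps({
    "name": "/Compute-acme/jack.jones@example.com/secrule1",
    "uri": "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/secrule/Compute-acme/jack.jones@example.com/secrule1",
    "description": "Sample security rule",
    "tags": None,
    "acl": "/Compute-acme/jack.jones@example.com/acl1",
    "flowDirection": "egress",
    "srcVnicSet": "/Compute-acme/jack.jones@example.com/vnicset1",
    "dstVnicSet": "/Compute-acme/jack.jones@example.com/vnicset2",
    "srcIpAddressPrefixSets": ["/Compute-acme/jack.jones@example.com/ipaddressprefixset1"],
    "dstIpAddressPrefixSets": None,
    "secProtocols": ["/Compute-acme/jack.jones@example.com/secprotocol1"],
    "enabledFlag": True,
})

# JSON field -> CLI option, for the options listed in the update syntax.
SCALAR_OPTIONS = {
    "acl": "--acl",
    "description": "--description",
    "srcVnicSet": "--src-vnic-set",
    "dstVnicSet": "--dst-vnic-set",
}
LIST_OPTIONS = {
    "tags": "--tags",
    "srcIpAddressPrefixSets": "--src-ip-address-prefix-sets",
    "dstIpAddressPrefixSets": "--dst-ip-address-prefix-sets",
    "secProtocols": "--sec-protocols",
}


def build_update_command(get_json: str, **changes: Any) -> List[str]:
    """Return argv for an update that keeps every current value except `changes`
    (keyed by the JSON field names, e.g. enabledFlag=False)."""
    rule: Dict[str, Any] = json.loads(get_json)
    unknown = set(changes) - set(rule)
    if unknown:
        raise ValueError(f"not a security-rule field: {sorted(unknown)}")
    rule.update(changes)

    cmd = ["opc", "compute", "security-rule", "update", rule["name"], rule["flowDirection"]]
    for key, opt in SCALAR_OPTIONS.items():
        if rule.get(key):
            cmd += [opt, rule[key]]
    for key, opt in LIST_OPTIONS.items():
        if rule.get(key):
            cmd += [opt, ",".join(rule[key])]   # assumed list syntax
    # The page disables a rule with --enabled-flag=false; a bare --enabled-flag enables it.
    cmd.append("--enabled-flag" if rule.get("enabledFlag") else "--enabled-flag=false")
    return cmd


def dropped_if_only_flag_sent(get_json: str) -> List[str]:
    """Fields that would be reset to null/empty by running the page's
    `update ... --enabled-flag=false` example without re-sending them."""
    rule = json.loads(get_json)
    return [k for k in list(SCALAR_OPTIONS) + list(LIST_OPTIONS) if rule.get(k)]


if __name__ == "__main__":
    print(shlex.join(build_update_command(GET_OUTPUT, enabledFlag=False)))
    print("would be nulled by a flag-only update:", dropped_if_only_flag_sent(GET_OUTPUT))
```

Run against real get output (for example `opc -f json compute security-rule get <name> | python3 this_script.py` after adapting the entry point to read stdin), `dropped_if_only_flag_sent` lists exactly what the page's disable example would clear, which is the list to compare against the get output after the update.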
Required Role
To complete this task, you must have the Compute_Operations role. If this role isn't assigned to you or you're not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Syntax
opc compute security-rule update name flow-direction [--acl acl] [--description description] [--tags tags] [--dst-ip-address-prefix-sets IPv4-prefixes-list] [--src-ip-address-prefix-sets IPv4-prefixes-list] [--dst-vnic-set vnic-set-list] [--src-vnic-set vnic-set-list] [--sec-protocols security_protocols] [--enabled-flag]
Example
The following example shows how you can disable a security rule, /Compute-acme/jack.jones@example.com/secrule1, by passing false as the value for the --enabled-flag option.
opc -f json compute security-rule update /Compute-acme/jack.jones@example.com/secrule1 egress --enabled-flag=false
Sample Output
Some lines have been truncated with ellipses (...) for readability. When you run the command in your environment, you'll see the full output.
{
  "name": "/Compute-acme/jack.jones@example.com/secrule1",
  "uri": "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/secrule/Compute-acme/jack.jones@example.com/secrule1",
  "description": null,
  "tags": [],
  "acl": null,
  "flowDirection": "egress",
  "srcVnicSet": null,
  "dstVnicSet": null,
  "srcIpAddressPrefixSets": [],
  "dstIpAddressPrefixSets": [],
  "secProtocols": [],
  "enabledFlag": false
}
security-rule delete
Deletes the specified security rule. Before deleting a security rule, ensure that it is not being used.
If you want to disable a security rule rather than delete it, run the security-rule update command and set the value of the --enabled-flag option to false.
Required Role
To complete this task, you must have the Compute_Operations role. If this role isn't assigned to you or you're not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Syntax
opc compute security-rule delete name
Example
opc compute security-rule delete /Compute-acme/jack.jones@example.com/secrule1