Security Rules for the DB System

This article lists the security rules to use with your DB system. Security rules control the types of traffic allowed in and out of the DB system's compute nodes. The rules are pided into two sections.

For more information about security rules, see Security Rules. For more information about different ways to implement these rules, see Ways to Implement the Security Rules.


Your instances running Oracle-provided DB system images also have firewall rules that control access to the instance. Make sure that both the instance's security rules and firewall rules are set correctly. Also see Open Ports on the DB System.

General Rules Required for Basic Connectivity

The following sections has several general rules that enable essential connectivity for hosts in the VCN.

If you use security lists to implement your security rules, be aware that the rules that follow are included by default in the default security list. Update or replace the list to meet your particular security needs. The two ICMP rules (general ingress rules 2 and 3) are required for proper functioning of network traffic within the Oracle Cloud Infrastructure environment. Adjust the general ingress rule 1 (the SSH rule) and the general egress rule 1 to allow traffic only to and from hosts that require communication with resources in your VCN.

For more information on default security list, see Security Lists.

General Ingress Rule 1: Allows SSH Traffic From Anywhere

General Ingress Rule 2: Allows Path MTU Discovery Fragmentation Messages

General Ingress Rule 3: Allows Connectivity Error Messages Within the VCN

General Egress Rule 1: Allows All Egress Traffic

Custom Security Rules

The following rules are necessary for the DB system's functionality.


Custom ingress rules 1 and 2 only cover connections initiated from within the VCN. If you have a client that resides outside the VCN, Oracle recommends setting up two additional similar rules that instead have the Source CIDR set to the public IP address of the client.

Custom Ingress Rule 1: Allows ONS and FAN Traffic From Within the VCN

Custom Ingress Rule 2: Allows SQL*NET Traffic From Within the VCN

Custom Egress Rule 1: Allows Outbound SSH Access

Custom Egress Rule 2: Allows Access To Oracle Services Network

Ways to Implement the Security Rules

The Networking service offers two ways to implement security rules within your VCN:

For a comparison of Security Lists and Network Security Groups, see Security Rules.

Use Network Security Groups

Use Security Lists