Best Practice for Network Restricted Access Environments
If you configure a set of IP addresses in a network perimeter in IAM, only those IP addresses are allowed to connect to any environment in that identity domain. Use this method to set up an IP allowlist that limits connections to all the environments managed by an identity domain to a specific set of IP addresses. See Manage Oracle Identity Cloud Service Network Perimeters in Administering Oracle Identity Cloud Service for detailed information on configuring and managing network perimeters.
If you used the deprecated setIPAllowlist EPM Automate command to set up IP allowlists for individual environments, an IP allowlist may be configured for an environment that is already protected by a network perimeter. In this scenario, each IP address that needs to access the environment must be included in both the IP allowlist and the network perimeter configuration; otherwise, its connections fail.
The same condition applies to navigation flow connections between environments. If both an IP allowlist and a network perimeter are configured, the outbound IP address of the source environment must be present in the network perimeter as well as in the IP allowlist of the individual target environment. If only a network perimeter or only an IP allowlist for the individual environment is configured, add the allowed IP addresses to that one configuration.
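The rule above is easy to get wrong when several environments in one domain have their own allowlists, so the following added example (not Oracle code; the data structures, function names, and addresses are constructed assumptions) evaluates whether a source IP would pass every configured control for a target environment, reports which control is missing the entry, and applies the same check to a navigation flow using the source environment's outbound IP.

```python
"""Evaluate access to an environment protected by an IAM network perimeter
and/or a per-environment IP allowlist (as set by the deprecated
setIPAllowlist command). Added example, not Oracle code; the configuration
layout, names, and addresses below are assumptions for illustration."""
from ipaddress import ip_address, ip_network


def _matches(ip, entries):
    """True if ip falls inside any address or CIDR block in entries."""
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False) for entry in entries)


def missing_entries(source_ip, perimeter=None, allowlist=None):
    """Return the configured controls that do NOT contain source_ip.

    perimeter and allowlist are lists of IPs or CIDRs; None means that control
    is not configured. Every configured control must admit the IP, so the
    result is the list of places an administrator still has to add it."""
    missing = []
    if perimeter is not None and not _matches(source_ip, perimeter):
        missing.append("network perimeter")
    if allowlist is not None and not _matches(source_ip, allowlist):
        missing.append("ip allowlist")
    return missing


def is_allowed(source_ip, perimeter=None, allowlist=None):
    """Connection succeeds only when no configured control is missing the IP."""
    return not missing_entries(source_ip, perimeter, allowlist)


# Constructed sample configuration: one domain perimeter, two environments,
# only one of which still carries its own allowlist.
DOMAIN_PERIMETER = ["203.0.113.0/24", "198.51.100.10"]
ENV_ALLOWLIST = {"planning-prod": ["203.0.113.0/24"], "fcc-prod": None}
# Constructed outbound IP addresses of the source environments (assumption).
ENV_OUTBOUND_IP = {"planning-prod": "198.51.100.10", "fcc-prod": "192.0.2.7"}


def navigation_flow_allowed(source_env, target_env):
    """A navigation flow is a connection whose source IP is the outbound
    address of the source environment, checked against the target's controls."""
    return is_allowed(ENV_OUTBOUND_IP[source_env],
                      DOMAIN_PERIMETER, ENV_ALLOWLIST[target_env])


def navigation_flow_gaps(source_env, target_env):
    """Which control(s) must gain the source environment's outbound IP."""
    return missing_entries(ENV_OUTBOUND_IP[source_env],
                           DOMAIN_PERIMETER, ENV_ALLOWLIST[target_env])


if __name__ == "__main__":
    for src, dst in [("planning-prod", "fcc-prod"), ("fcc-prod", "planning-prod")]:
        print(src, "->", dst, "allowed:", navigation_flow_allowed(src, dst),
              "gaps:", navigation_flow_gaps(src, dst))
```

A client at 198.51.100.10 is admitted by the perimeter but rejected by planning-prod, whose allowlist does not list it, which is exactly the double-registration case the text describes; the same address reaches fcc-prod because that environment relies on the perimeter alone.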