Jump to

• Request
• Response

List Network Security Group Security Rules

get

/20160918/networkSecurityGroups/{network_security_group_id}/securityRules

List the security rules in the specified network security group.

Request

Supported Media Types

• application/json

Path Parameters

• networkSecurityGroupId(required): string
  Minimum Length: 1

  Maximum Length: 255

  The OCID of the network security group.

Query Parameters

• direction: string
  Direction of the security rule. Set to EGRESS for rules that allow outbound IP packets. Set to INGRESS for rules that allow inbound IP packets.

  Allowed Values: [ "EGRESS", "INGRESS" ]
• limit: integer
  Minimum Value: 1

  Maximum Value: 1000

  For list pagination. The maximum number of results per page, or items to return in a paginated List call. 1 is the minimum, 1000 is the maximum.

  Default Value: 100
• page: string
  Minimum Length: 1

  Maximum Length: 512

  For list pagination. The value of the opc-next-page response header from the previous List call.

  Default Value: 0
• sortBy: string
  The field to sort by.

  Allowed Values: [ "TIMECREATED" ]
• sortOrder: string
  The sort order to use, either ascending (ASC) or descending (DESC).

  Default Value: ASC

  Allowed Values: [ "ASC", "DESC" ]

Back to Top

Response

Supported Media Types

• application/json

200 Response

The list is being retrieved.

Headers

• opc-next-page: string
  For list pagination. When this header appears in the response, additional pages of results remain. For important details about how pagination works, see [List Pagination](/iaas/Content/API/Concepts/usingapi.htm#nine).
• opc-request-id: string
  Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Body ()

Root Schema : schema

Type: array

Show Source

• Array of: object SecurityRule
  A security rule is a virtual firewall rule for the VNICs in a NetworkSecurityGroup. A rule can be for either inbound (direction= INGRESS) or outbound (direction= EGRESS) IP packets.

{
    "items":{
        "$ref":"#/definitions/SecurityRule"
    },
    "type":"array"
}

Nested Schema : SecurityRule

Type: object

A security rule is a virtual firewall rule for the VNICs in a NetworkSecurityGroup. A rule can be for either inbound (direction= INGRESS) or outbound (direction= EGRESS) IP packets.

Show Source

• description: string
  Minimum Length: 1

  Maximum Length: 255

  An optional description of your choice for the rule.
• destination: string
  This is the range of IP addresses that a packet originating from the instance can go to. The following values are allowed:
• An IP address range in CIDR notation. For example: 192.168.1.0/24 or 2001:0db8:0123:45::/56
• The cidrBlock value for a Service, if you're setting up a security rule for traffic destined for a particular Service through a service gateway.
• The OCID of a NetworkSecurityGroup in the same VCN. The value can be the NSG that the rule belongs to if the rule's intent is to control traffic between VNICs in the same NSG.

destinationType: string

Allowed Values: [ "CIDR_BLOCK", "SERVICE_CIDR_BLOCK", "NETWORK_SECURITY_GROUP" ]

Type of destination for the rule. This value is required if direction = EGRESS. The following values are allowed:

CIDR_BLOCK: If the rule's destination is an IP address range in CIDR notation.

SERVICE_CIDR_BLOCK: If the rule's destination is the cidrBlock value for a Service (the rule is for traffic destined for a particular Service through a service gateway).

NETWORK_SECURITY_GROUP: If the rule's destination is the OCID of a NetworkSecurityGroup.

direction(required): string

Allowed Values: [ "EGRESS", "INGRESS" ]

Direction of the security rule. Set to EGRESS for rules to allow outbound IP packets. Set to INGRESS for rules to allow inbound IP packets.

icmpOptions: object IcmpOptions

Optional and valid only for ICMP and ICMPv6. Use to specify a particular ICMP type and code as defined in: - [ICMP Parameters](http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) - [ICMPv6 Parameters](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml) If you specify ICMP or ICMPv6 as the protocol but omit this object, then all ICMP types and codes are allowed. If you do provide this object, the type is required and the code is optional. To enable MTU negotiation for ingress internet traffic via IPv4, make sure to allow type 3 ("Destination Unreachable") code 4 ("Fragmentation Needed and Don't Fragment was Set"). If you need to specify multiple codes for a single type, create a separate security list rule for each.

id: string

Minimum Length: 1

Maximum Length: 255

The OCID for the security rule. Specify this OCID when you want to update or delete the rule.

isStateless: boolean

A stateless rule allows traffic in one direction. Remember to add a corresponding stateless rule in the other direction if you need to support bidirectional traffic. For example, if egress traffic allows TCP destination port 80, there should be an ingress rule to allow TCP source port 80. The default value is false, which means the rule is stateful and a corresponding rule is not necessary for bidirectional traffic.

isValid: boolean

Whether the rule is valid. This value is True when the rule is first created. If the rule's source or destination is a network security group, the value changes to False if that network security group is deleted.

protocol(required): string

The transport protocol. Specify either all or an IPv4 protocol number as defined in [Protocol Numbers](http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Only the following are supported: 1 - ICMP, 6 - TCP, 17 - UDP, and 58 - ICMPv6.

source: string

This is the range of IP addresses that a packet coming into the instance can come from. The following values are allowed:

An IP address range in CIDR notation. For example: 192.168.1.0/24 or 2001:0db8:0123:45::/56

The cidrBlock value for a Service, if you're setting up a security rule for traffic coming from a particular Service through a service gateway.

The OCID of a NetworkSecurityGroup in the same VCN. The value can be the NSG that the rule belongs to if the rule's intent is to control traffic between VNICs in the same NSG.

sourceType: string

Allowed Values: [ "CIDR_BLOCK", "SERVICE_CIDR_BLOCK", "NETWORK_SECURITY_GROUP" ]

Type of source for the rule. This value is required if direction = INGRESS.

CIDR_BLOCK: If the rule's source is an IP address range in CIDR notation.

SERVICE_CIDR_BLOCK: If the rule's source is the cidrBlock value for a Service (the rule is for traffic coming from a particular Service through a service gateway).

NETWORK_SECURITY_GROUP: If the rule's source is the OCID of a NetworkSecurityGroup.

tcpOptions: object TcpOptions

Optional and valid only for TCP. Use to specify particular destination ports for TCP rules. If you specify TCP as the protocol but omit this object, then all destination ports are allowed.

timeCreated: string(date-time)

The date and time the security rule was created. Format defined by [RFC 3339](https://tools.ietf.org/html/rfc3339).

udpOptions: object UdpOptions

Optional and valid only for UDP. Use to specify particular destination ports for UDP rules. If you specify UDP as the protocol but omit this object, then all destination ports are allowed.

{
    "description":"A security rule is a virtual firewall rule for the VNICs in a NetworkSecurityGroup. A rule can be for either inbound (direction= INGRESS) or outbound (direction= EGRESS) IP packets.",
    "properties":{
        "description":{
            "description":"An optional description of your choice for the rule.",
            "maxLength":255,
            "minLength":1,
            "type":"string"
        },
        "destination":{
            "description":"This is the range of IP addresses that a packet originating from the instance can go to. The following values are allowed:<li>An IP address range in CIDR notation. For example: 192.168.1.0/24 or 2001:0db8:0123:45::/56<li>The cidrBlock value for a Service, if you're setting up a security rule for traffic destined for a particular Service through a service gateway.<li>The OCID of a NetworkSecurityGroup in the same VCN. The value can be the NSG that the rule belongs to if the rule's intent is to control traffic between VNICs in the same NSG.",
            "type":"string"
        },
        "destinationType":{
            "description":"Type of destination for the rule. This value is required if direction = EGRESS. The following values are allowed:<li>CIDR_BLOCK: If the rule's destination is an IP address range in CIDR notation.<li>SERVICE_CIDR_BLOCK: If the rule's destination is the cidrBlock value for a Service (the rule is for traffic destined for a particular Service through a service gateway).<li>NETWORK_SECURITY_GROUP: If the rule's destination is the OCID of a NetworkSecurityGroup.",
            "enum":[
                "CIDR_BLOCK",
                "SERVICE_CIDR_BLOCK",
                "NETWORK_SECURITY_GROUP"
            ],
            "type":"string"
        },
        "direction":{
            "description":"Direction of the security rule. Set to EGRESS for rules to allow outbound IP packets. Set to INGRESS for rules to allow inbound IP packets.",
            "enum":[
                "EGRESS",
                "INGRESS"
            ],
            "type":"string"
        },
        "icmpOptions":{
            "$ref":"#/definitions/IcmpOptions"
        },
        "id":{
            "description":"The OCID for the security rule. Specify this OCID when you want to update or delete the rule.",
            "maxLength":255,
            "minLength":1,
            "type":"string"
        },
        "isStateless":{
            "description":"A stateless rule allows traffic in one direction. Remember to add a corresponding stateless rule in the other direction if you need to support bidirectional traffic. For example, if egress traffic allows TCP destination port 80, there should be an ingress rule to allow TCP source port 80. The default value is false, which means the rule is stateful and a corresponding rule is not necessary for bidirectional traffic.",
            "type":"boolean"
        },
        "isValid":{
            "description":"Whether the rule is valid. This value is True when the rule is first created. If the rule's source or destination is a network security group, the value changes to False if that network security group is deleted.",
            "type":"boolean"
        },
        "protocol":{
            "description":"The transport protocol. Specify either all or an IPv4 protocol number as defined in [Protocol Numbers](http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Only the following are supported: 1 - ICMP, 6 - TCP, 17 - UDP, and 58 - ICMPv6.",
            "type":"string"
        },
        "source":{
            "description":"This is the range of IP addresses that a packet coming into the instance can come from. The following values are allowed:<li>An IP address range in CIDR notation. For example: 192.168.1.0/24 or 2001:0db8:0123:45::/56<li>The cidrBlock value for a Service, if you're setting up a security rule for traffic coming from a particular Service through a service gateway.<li>The OCID of a NetworkSecurityGroup in the same VCN. The value can be the NSG that the rule belongs to if the rule's intent is to control traffic between VNICs in the same NSG.",
            "type":"string"
        },
        "sourceType":{
            "description":"Type of source for the rule. This value is required if direction = INGRESS.<li>CIDR_BLOCK: If the rule's source is an IP address range in CIDR notation.<li>SERVICE_CIDR_BLOCK: If the rule's source is the cidrBlock value for a Service (the rule is for traffic coming from a particular Service through a service gateway).<li>NETWORK_SECURITY_GROUP: If the rule's source is the OCID of a NetworkSecurityGroup.",
            "enum":[
                "CIDR_BLOCK",
                "SERVICE_CIDR_BLOCK",
                "NETWORK_SECURITY_GROUP"
            ],
            "type":"string"
        },
        "tcpOptions":{
            "$ref":"#/definitions/TcpOptions"
        },
        "timeCreated":{
            "description":"The date and time the security rule was created. Format defined by [RFC 3339](https://tools.ietf.org/html/rfc3339).",
            "format":"date-time",
            "type":"string"
        },
        "udpOptions":{
            "$ref":"#/definitions/UdpOptions"
        }
    },
    "required":[
        "direction",
        "protocol"
    ],
    "type":"object"
}

Nested Schema : IcmpOptions

Type: object

Optional and valid only for ICMP and ICMPv6. Use to specify a particular ICMP type and code as defined in: - [ICMP Parameters](http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) - [ICMPv6 Parameters](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml) If you specify ICMP or ICMPv6 as the protocol but omit this object, then all ICMP types and codes are allowed. If you do provide this object, the type is required and the code is optional. To enable MTU negotiation for ingress internet traffic via IPv4, make sure to allow type 3 ("Destination Unreachable") code 4 ("Fragmentation Needed and Don't Fragment was Set"). If you need to specify multiple codes for a single type, create a separate security list rule for each.

Show Source

• code: integer
  Minimum Value: 0

  Maximum Value: 16

  The ICMP code (optional).
• type(required): integer
  Minimum Value: 0

  Maximum Value: 254

  The ICMP type.

{
    "description":"Optional and valid only for ICMP and ICMPv6. Use to specify a particular ICMP type and code as defined in: - [ICMP Parameters](http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) - [ICMPv6 Parameters](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml)  If you specify ICMP or ICMPv6 as the protocol but omit this object, then all ICMP types and codes are allowed. If you do provide this object, the type is required and the code is optional. To enable MTU negotiation for ingress internet traffic via IPv4, make sure to allow type 3 (\"Destination Unreachable\") code 4 (\"Fragmentation Needed and Don't Fragment was Set\"). If you need to specify multiple codes for a single type, create a separate security list rule for each.",
    "properties":{
        "code":{
            "description":"The ICMP code (optional).",
            "maximum":16,
            "minimum":0,
            "type":"integer"
        },
        "type":{
            "description":"The ICMP type.",
            "maximum":254,
            "minimum":0,
            "type":"integer"
        }
    },
    "required":[
        "type"
    ],
    "type":"object"
}

Nested Schema : TcpOptions

Type: object

Optional and valid only for TCP. Use to specify particular destination ports for TCP rules. If you specify TCP as the protocol but omit this object, then all destination ports are allowed.

Show Source

• destinationPortRange: object PortRange
• sourcePortRange: object PortRange

{
    "description":"Optional and valid only for TCP. Use to specify particular destination ports for TCP rules. If you specify TCP as the protocol but omit this object, then all destination ports are allowed.",
    "properties":{
        "destinationPortRange":{
            "$ref":"#/definitions/PortRange"
        },
        "sourcePortRange":{
            "$ref":"#/definitions/PortRange"
        }
    },
    "type":"object"
}

Nested Schema : UdpOptions

Type: object

Optional and valid only for UDP. Use to specify particular destination ports for UDP rules. If you specify UDP as the protocol but omit this object, then all destination ports are allowed.

Show Source

• destinationPortRange: object PortRange
• sourcePortRange: object PortRange

{
    "description":"Optional and valid only for UDP. Use to specify particular destination ports for UDP rules. If you specify UDP as the protocol but omit this object, then all destination ports are allowed.",
    "properties":{
        "destinationPortRange":{
            "$ref":"#/definitions/PortRange"
        },
        "sourcePortRange":{
            "$ref":"#/definitions/PortRange"
        }
    },
    "type":"object"
}

Nested Schema : PortRange

Type: object

Show Source

• max(required): integer
  Minimum Value: 1

  Maximum Value: 65535

  The maximum port number, which must not be less than the minimum port number. To specify a single port number, set both the min and max to the same value.
• min(required): integer
  Minimum Value: 1

  Maximum Value: 65535

  The minimum port number, which must not be greater than the maximum port number.

{
    "properties":{
        "max":{
            "description":"The maximum port number, which must not be less than the minimum port number. To specify a single port number, set both the min and max to the same value.",
            "maximum":65535,
            "minimum":1,
            "type":"integer"
        },
        "min":{
            "description":"The minimum port number, which must not be greater than the maximum port number.",
            "maximum":65535,
            "minimum":1,
            "type":"integer"
        }
    },
    "required":[
        "max",
        "min"
    ],
    "type":"object"
}

400 Response

Bad Request

Headers

• opc-request-id: string
  Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Body ()

Root Schema : Error

Type: object

The properties that define an error.

Show Source

• code(required): string
  A short error code that defines the error, meant for programmatic parsing. See [API Errors](https://docs.us-phoenix-1.oraclecloud.com/Content/API/References/apierrors.htm).
• message(required): string
  A human-readable error string.

{
    "description":"The properties that define an error.",
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing. See [API Errors](https://docs.us-phoenix-1.oraclecloud.com/Content/API/References/apierrors.htm)."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "type":"object"
}

401 Response

Unauthorized

Headers

• opc-request-id: string
  Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Body ()

Root Schema : Error

Type: object

The properties that define an error.

Show Source

• code(required): string
  A short error code that defines the error, meant for programmatic parsing. See [API Errors](https://docs.us-phoenix-1.oraclecloud.com/Content/API/References/apierrors.htm).
• message(required): string
  A human-readable error string.

{
    "description":"The properties that define an error.",
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing. See [API Errors](https://docs.us-phoenix-1.oraclecloud.com/Content/API/References/apierrors.htm)."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "type":"object"
}

404 Response

Not Found

Headers

• opc-request-id: string
  Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Body ()

Root Schema : Error

Type: object

The properties that define an error.

Show Source

• code(required): string
  A short error code that defines the error, meant for programmatic parsing. See [API Errors](https://docs.us-phoenix-1.oraclecloud.com/Content/API/References/apierrors.htm).
• message(required): string
  A human-readable error string.

{
    "description":"The properties that define an error.",
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing. See [API Errors](https://docs.us-phoenix-1.oraclecloud.com/Content/API/References/apierrors.htm)."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "type":"object"
}

500 Response

Internal Server Error

Headers

• opc-request-id: string
  Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Body ()

Root Schema : Error

Type: object

The properties that define an error.

Show Source

• code(required): string
  A short error code that defines the error, meant for programmatic parsing. See [API Errors](https://docs.us-phoenix-1.oraclecloud.com/Content/API/References/apierrors.htm).
• message(required): string
  A human-readable error string.

{
    "description":"The properties that define an error.",
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing. See [API Errors](https://docs.us-phoenix-1.oraclecloud.com/Content/API/References/apierrors.htm)."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "type":"object"
}

Default Response

An error has occurred.

Headers

• opc-request-id: string
  Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Body ()

Root Schema : Error

Type: object

The properties that define an error.

Show Source

• code(required): string
  A short error code that defines the error, meant for programmatic parsing. See [API Errors](https://docs.us-phoenix-1.oraclecloud.com/Content/API/References/apierrors.htm).
• message(required): string
  A human-readable error string.

{
    "description":"The properties that define an error.",
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing. See [API Errors](https://docs.us-phoenix-1.oraclecloud.com/Content/API/References/apierrors.htm)."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "type":"object"
}

Back to Top