Configuring VCN Rules and Options

VCNs and their subnets have various rules and options associated with them. The main categories are the use of DHCP, route tables, and security. If you do not configure these rules and options explicitly, the system uses default values.

This section describes the parameters that are available for DHCP options, route tables, and security lists.

Working with DHCP Options

When you create a subnet, you can specify the set of DHCP options for the subnet. A set of DHCP options is a resource with an OCID. If you do not specify a set of DHCP options, the default set for the VCN is used.

A subnet can only be assigned one set of DHCP options. You can edit a set of DHCP options, create a new set, and change which set is assigned to a subnet. The assigned DHCP option set applies to all of the instances in that subnet.

For more information, see "DHCP Options" in the Virtual Networking Overview of the Oracle Private Cloud Appliance Concepts Guide.

Viewing a VCN's DHCP Options Sets

Every VCN has a default set of DHCP options that is named Default DHCP Options for VCN_name. If you create additional sets, then you can choose which set to assign to a subnet.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to list DHCP Options sets. The VCN details page is displayed.

  3. Under Resources, click DHCP Options. The list of DHCP options sets is displayed.

  4. The DHCP Options sets in the list are not clickable. To see the options that are defined in the set, click the Actions menu for that set and then click Edit.

Using the OCI CLI

  1. Gather the information you need to run the command:

    • Compartment OCID (oci iam compartment list)

    • VCN OCID (oci network vcn list --compartment-id compartment_OCID)

  2. Run the list command.

    Use both the VCN OCID and the compartment OCID to list all DHCP Options sets that belong to the specified VCN and are in the specified compartment.

    oci network dhcp-options list --compartment-id ocid1.compartment.unique_ID \
    --vcn-id ocid1.vcn.unique_ID

    Use only the compartment OCID to list all DHCP Options sets in that compartment. The DHCP Options sets in a compartment could belong to any VCN. DHCP Options sets do not need to be in the same compartment as the VCN.

    oci network dhcp-options list --compartment-id ocid1.compartment.unique_ID

  3. Use one of the following methods to show just one DHCP Options set.

    • Use the list command with the name of the DHCP Options set.

      oci network dhcp-options list --compartment-id ocid1.compartment.unique_ID \
      --display-name CustomDNSservers
    • Use the get command with the OCID for the DHCP Options set. The DHCP Options set OCID is the value of id property in the DHCP Options set list command output.

      oci network dhcp-options get --dhcp-id ocid1.dhcpoptions.unique_ID

Creating a Set of DHCP Options

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to create a set of DHCP options. The VCN details page is displayed.

  3. Under Resources, click DHCP Options.

  4. Click the Create DHCP Options button.

  5. In the Create DHCP Options dialog, enter the following information:

    • Name: A descriptive name for the set of options. The name doesn't have to be unique, and you can change it later.

    • Create in Compartment: The compartment where you want to create the set of DHCP options.

    • DNS Type: If you want instances in the subnet to resolve internet hostnames and hostnames of instances in the VCN, select Internet and VCN Resolver. To use a DNS server of your choice, select Custom Resolver and then enter the IP address of the DNS server. You can enter up to three DNS server IP addresses. For more information, see "Name Resolution" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

    • Search Domain: If you want instances in the subnet to append a particular search domain when resolving DNS queries, enter that domain here. Note that the Networking service automatically sets the search domain option in certain situations. For more information, see "DHCP Options" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

    • Tagging: For more information about tagging, see Working with Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

  6. Click the Create DHCP Options button in the dialog.

    You can specify this set of options when creating or updating a subnet.

Using the OCI CLI

  1. Gather the information you need to run the command:
    • The OCID of the compartment where you want to create this set of DHCP options (oci iam compartment list)

    • The OCID of the VCN for this set of DHCP options (oci network vcn list --compartment-id compartment_OCID)

  2. Construct an argument for the --options option.

    DHCP options are in JSON format. To see how to format the options, use the following command:

    oci network dhcp-options create --generate-param-json-input options > options_format.json

    Alternatively, run a list or get of an existing DHCP Options object and copy the value of the options property.

    Put the information for these options in the appropriate places in the format, or replace the information in the options that you copied.

    The value of the --options option is either a string between single quotation marks or a file specified as file://path_to_file.json.

  3. Run the DHCP options create command.

    Syntax:

    oci network dhcp-options create --compartment-id <compartment_OCID> \
    --vcn-id <vcn_OCID> --options JSON_formatted_values

    Example:

    $ oci network dhcp-options create \
    --compartment-id ocid1.compartment.unique_ID --vcn-id ocid1.vcn.unique_ID \
    --display-name CustomDNSservers --options \
    '[{"customDnsServers": ["IP_address"], "serverType": "CustomDnsServer","type":"DomainNameServer"},{"searchDomainNames": ["name.example.com"],"type":"SearchDomain"}]'
    {
      "data": {
        "compartment-id": "ocid1.compartment.unique_ID",
        "defined-tags": {},
        "display-name": "CustomDNSservers",
        "domain-name-type": null,
        "freeform-tags": {},
        "id": "ocid1.dhcpoptions.unique_ID",
        "lifecycle-state": "PROVISIONING",
        "options": null,
        "time-created": "2022-05-04T19:29:16.763027+00:00",
        "vcn-id": "ocid1.vcn.unique_ID"
      },
      "etag": "cf50eb7e-88ff-4e1f-b129-08e2c25b3aa2"
    }

    While the new DHCP Options object is still provisioning, the specified options might not be shown. To confirm the options, use the OCID in the id property of the create output to run a get command:

    $ oci network dhcp-options get --dhcp-id ocid1.dhcpoptions.unique_ID
    {
      "data": {
        "compartment-id": "ocid1.compartment.unique_ID",
        "defined-tags": {},
        "display-name": "CustomDNSservers",
        "domain-name-type": null,
        "freeform-tags": {},
        "id": "ocid1.dhcpoptions.unique_ID",
        "lifecycle-state": "AVAILABLE",
        "options": [
          {
            "custom-dns-servers": [
              "IP_address"
            ],
            "server-type": "CustomDnsServer",
            "type": "DomainNameServer"
          },
          {
            "search-domain-names": [
              "name.example.com"
            ],
            "type": "SearchDomain"
          }
        ],
        "time-created": "2022-05-04T19:29:16.763027+00:00",
        "vcn-id": "ocid1.vcn.unique_ID"
      },
      "etag": "cf50eb7e-88ff-4e1f-b129-08e2c25b3aa2"
    }

Updating a Set of DHCP Options

To update the DHCP options for the instances in a subnet, do one of the following:

  • Update the DHCP Options object that is currently assigned to that subnet as described in this section.

  • Update the subnet to assign a different DHCP Options object as described in Editing a Subnet.

For information about how to make the changes take effect in your instances, see "DHCP Options" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for the DHCP options that you want to edit. The VCN details page is displayed.

  3. Under Resources, click DHCP Options.

    The list of DHCP options sets is displayed.

  4. For the set of options that you want to change, click the Actions menu and then click Edit. See the descriptions of Name, DNS Type, and Search Domain in Creating a Set of DHCP Options.

  5. Click the Save Changes button in the edit dialog.

Using the OCI CLI

  1. Get the OCID of the DHCP Options object that you want to update (oci network dhcp-options list --compartment-id compartment_OCID)

  2. Run the DHCP options update command.

    Syntax:

    oci network dhcp-options update --dhcp-id dhcp_OCID values_to_update

    You can update the display name, domain name type, and options. Any options JSON object that you provide replaces the entire set of options. If you want to keep any of the existing options, run the get command with this --dhcp-id and copy what you want from the options property of the output into your options JSON object.

    Example:

    $ oci network dhcp-options update --dhcp-id ocid1.dhcpoptions.unique_ID \
    --options file:///home/flast/dhcp_options.json

    The output from this command is similar to the output from the create, list, and get commands. If you make changes to options and you do not see those changes initially, wait a few seconds and then run the get command.
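As an added example (this is not code from the Oracle Private Cloud Appliance documentation or from the OCI CLI), the following Python builds and validates the JSON for the --options value before it is handed to the create command, and shows how to carry existing options over on an update, since the --options argument replaces the whole set. The EXISTING_OPTIONS array is constructed to match the get output shown above; the serverType value VcnLocalPlusInternet for the Internet and VCN Resolver is taken from the OCI API and does not appear on this page; all function names are this example's own.

```python
import ipaddress
import json

# Constructed sample: the "options" array as returned by
# `oci network dhcp-options get`, mirroring the output shown on this page.
EXISTING_OPTIONS = [
    {"custom-dns-servers": ["IP_address"], "server-type": "CustomDnsServer",
     "type": "DomainNameServer"},
    {"search-domain-names": ["name.example.com"], "type": "SearchDomain"},
]

MAX_DNS_SERVERS = 3  # the Console accepts at most three custom DNS server addresses


def _camel(key):
    """'custom-dns-servers' (get/list output) -> 'customDnsServers' (create/update input)."""
    head, *rest = key.split("-")
    return head + "".join(part.capitalize() for part in rest)


def dns_option(servers=None):
    """Build the DomainNameServer option.

    With no servers the Internet and VCN Resolver is selected; its serverType value
    'VcnLocalPlusInternet' is an assumption taken from the OCI API, not from this page.
    """
    if not servers:
        return {"serverType": "VcnLocalPlusInternet", "type": "DomainNameServer"}
    if len(servers) > MAX_DNS_SERVERS:
        raise ValueError(f"at most {MAX_DNS_SERVERS} custom DNS servers, got {len(servers)}")
    for server in servers:
        ipaddress.IPv4Address(server)  # raises a ValueError subclass for anything else
    return {"customDnsServers": list(servers), "serverType": "CustomDnsServer",
            "type": "DomainNameServer"}


def search_domain_option(domains):
    """Build the SearchDomain option (hypothetical helper; one or more domain names)."""
    if not domains:
        raise ValueError("at least one search domain is required")
    return {"searchDomainNames": list(domains), "type": "SearchDomain"}


def build_options(servers=None, search_domains=None):
    """The full options array for a create command."""
    options = [dns_option(servers)]
    if search_domains:
        options.append(search_domain_option(search_domains))
    return options


def to_input_form(output_options):
    """Convert the get/list 'options' array into the camelCase form the CLI accepts as input."""
    return [{_camel(k): v for k, v in opt.items()} for opt in output_options]


def replace_dns_servers(output_options, servers):
    """For an update: --options replaces the whole set, so keep every existing option
    (for example the search domain) and swap in only the DomainNameServer entry."""
    kept = [o for o in to_input_form(output_options) if o["type"] != "DomainNameServer"]
    return [dns_option(servers)] + kept


def options_argument(options):
    """Compact JSON for the --options value (quote it with single quotes on the shell,
    or write it to a file and pass file://path_to_file.json)."""
    return json.dumps(options, separators=(",", ":"))


if __name__ == "__main__":
    new_set = build_options(["10.0.0.2"], ["name.example.com"])
    print("create:", options_argument(new_set))
    updated = replace_dns_servers(EXISTING_OPTIONS, ["10.0.0.2", "10.0.0.3"])
    print("update:", options_argument(updated))
```

The printed strings are what you would pass after --options in the create or update command; writing them to a file and passing file://path_to_file.json avoids shell quoting problems with longer option sets.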

Deleting a Set of DHCP Options

You cannot delete a set of DHCP options that is assigned to any subnet. To unassign the DHCP options set from a subnet, update the subnet to assign a different set of DHCP options. See Editing a Subnet. You cannot delete a VCN's default set of DHCP options.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to delete a DHCP Options set. The VCN details page is displayed.

  3. Under Resources, click DHCP Options.

  4. For the set that you want to delete, click the Actions menu and then click Delete.

  5. Confirm when prompted.

Using the OCI CLI

  1. Get the OCID of the DHCP Options object that you want to delete (oci network dhcp-options list --compartment-id compartment_OCID)

  2. Run the DHCP options delete command.

    $ oci network dhcp-options delete --dhcp-id ocid1.dhcpoptions.unique_ID
    Are you sure you want to delete this resource? [y/N]: y

    To suppress this prompt, use the --force option.

Working with Route Tables

When you create a subnet, you specify a route table to associate with the subnet. If you don't, the VCN's default route table is used. You can change route table entries for a subnet at any time, but a subnet can only be assigned one route table at a time. The assigned route table applies to all of the instances in that subnet.

A route table must not be associated with any subnet before you can delete it. You can't delete a VCN's default route table.

For more information, see "Route Tables" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

Viewing a VCN's Route Tables

To see which table is assigned to a particular subnet, view the subnet. See the Route Table on the subnet details page, or see the route-table-id property in the subnet list or get command output.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to view route tables. The VCN details page is displayed.

  3. Under Resources, click Route Tables. The list of route tables is displayed.

  4. Click the name of the route table to view its route rules.

Using the OCI CLI

  1. Gather the information you need to run the command:

    • Compartment OCID (oci iam compartment list)

    • VCN OCID (oci network vcn list --compartment-id compartment_OCID)

  2. Run the route table list command.

    Use both the VCN OCID and the compartment OCID to list all route tables that belong to the specified VCN and are in the specified compartment.

    oci network route-table list --compartment-id ocid1.compartment.unique_ID \
    --vcn-id ocid1.vcn.unique_ID

    Use only the compartment OCID to list all route tables in that compartment. The route tables in a compartment could belong to any VCN. Route tables do not need to be in the same compartment as the VCN.

    oci network route-table list --compartment-id ocid1.compartment.unique_ID

  3. Use one of the following methods to show just one route table.

    • Use the list command with the name of the route table.

      oci network route-table list --compartment-id ocid1.compartment.unique_ID \
      --display-name ExtRoute
    • Use the get command with the OCID for the route table. The route table OCID is the value of the id property in the route table list command output.

      oci network route-table get --rt-id ocid1.routetable.unique_ID

Creating a Route Table

Route rules are required to send traffic outside the VCN. If you don't need to send traffic outside the VCN, you can use the default route table that was created when the VCN was created. The default route table has no rules.

Each route rule specifies a destination CIDR block and the target (the next hop) for any traffic that matches that CIDR. Before you can create a rule, you must create a target. For descriptions of target types, see "Network Gateways" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide, and see Overview of Routing for Your VCN. To create a target, use one of the procedures in Configuring VCN Gateways.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to create a route table. The VCN details page is displayed.

  3. Under Resources, click Route Tables.

  4. Click the Create Route Table button.

  5. Enter the name and compartment.
    • Name: A user-friendly name for the route table. The name doesn't have to be unique, and you can change it later.

    • Create in Compartment: The compartment where you want to create the route table. You aren't required to create the route table in the same compartment as the VCN.

  6. To add a route table rule, click Add Route Rules, and enter the following information:

    • Target Type: Select from the list. Possible targets are:
      • Dynamic Routing Gateway
      • Internet Gateway
      • Local Peering Gateway
      • NAT Gateway
      • Private IP
      • Service Gateway
      The target is the OCID of the resource. This applies to the private IP address target also. If a gateway of the type selected is available, a list of choices for that type is presented. If no gateway of the type is available, the message None Available appears.
    • Destination Type: Choose the destination type: either CIDR Block or Service.
    • CIDR Block: If the destination type is a CIDR block, enter the destination CIDR block for the traffic. A value of 0.0.0.0/0 means that all non-intra-VCN traffic that isn't already covered by other rules in the route table goes to the target specified in this rule.

    • Service: If the destination type is a service, select the service from the list, which can be extensive.
    • Target Selection: This value is the OCID of the Target Type. Click the arrow and select the target, or, if the target is a private IP address, enter the Private IP OCID.

    • Description: An optional description of the rule.

  7. Click the Create Route Table button in the dialog.

    The details page of the new route table is displayed. You can specify this route table when creating or updating a subnet.

Using the OCI CLI

  1. Gather the information you need to run the command:
    • The OCID of the compartment where you want to create this route table (oci iam compartment list)

    • The OCID of the VCN for this route table (oci network vcn list --compartment-id compartment_OCID)

  2. Construct an argument for the --route-rules option.

    Route rules are in JSON format. To see how to format a rule, use the following command:

    oci network route-table create --generate-param-json-input route-rules > route_rule_format.json

    Alternatively, if a route table with route rules already exists, you can list or get that route table and copy the value of the route-rules property.

    Put the information for this new rule in the appropriate places in the format, or replace the information in the rule that you copied.

    The value of the --route-rules option is either a string between single quotation marks or a file specified as file://path_to_file.json.

  3. Run the route table create command.

    If you don't specify a display name, a name is provided.

    Syntax:

    oci network route-table create --compartment-id compartment_OCID \
    --vcn-id vcn_OCID --route-rules route_rules_json

    Example:

    $ oci network route-table create --compartment-id ocid1.compartment.unique_ID \
    --vcn-id ocid1.vcn.unique_ID --display-name InternetRoute --route-rules \
    '[{"cidrBlock":"0.0.0.0/0","networkEntityId":"ocid1.internetgateway.unique_ID"}]'
    {
      "data": {
        "compartment-id": "ocid1.compartment.unique_ID",
        "defined-tags": {},
        "display-name": "InternetRoute",
        "freeform-tags": {},
        "id": "ocid1.routetable.unique_ID",
        "lifecycle-state": "PROVISIONING",
        "route-rules": [
          {
            "cidr-block": "0.0.0.0/0",
            "description": null,
            "destination": null,
            "destination-type": "CIDR_BLOCK",
            "network-entity-id": "ocid1.internetgateway.unique_ID"
          }
        ],
        "time-created": "2022-04-11T06:00:29.527637+00:00",
        "vcn-id": "ocid1.vcn.unique_ID"
      },
      "etag": "15dcf54f-fa85-40f6-9557-75774e73f1ce"
    }

    While the new route table is still provisioning, the route-rules property might be empty. To confirm the rules, use the OCID in the id property of the create output to run a get command:

    oci network route-table get --rt-id ocid1.routetable.unique_ID

Updating Rules in a Route Table

You can change the name of a route table and add, edit, or delete rules in a route table.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to update the route table. The VCN details page is displayed.

  3. Under Resources, click Route Tables.

  4. Click the name of the route table that you want to update.

  5. To change the name of the route table, click the Edit button, change the name in the dialog, and click the Save Changes button.

  6. To create a route rule, click Add Route Rules and enter the information described in Creating a Route Table.

  7. To edit an existing rule, click the Actions menu for that rule, and then click Edit.

  8. To delete a rule, click the Actions menu for that rule, and then click Delete.

Using the OCI CLI

  1. Get the OCID of the route table to update (oci network route-table list --compartment-id compartment_OCID)

  2. If you are changing the route rules, create an argument for the --route-rules option. See Creating a Route Table. This argument replaces any existing route rules, so be sure to include any rules that you want to keep. Use the following command to view existing rules in this route table:

    oci network route-table get --rt-id ocid1.routetable.unique_ID

  3. Run this command.

    Syntax:

    oci network route-table update --rt-id route_table_OCID values_to_update

    You can change the name (--display-name) or the rules (--route-rules), including the network entity ID.

    Note:

    The Network Entity ID for a private IP address is the OCID of the private IP address. See the following example.

    Example:

    $ oci network route-table update --rt-id ocid1.routetable.unique_ID \
      --route-rules '[{"destination":"10.231.0.0/16","destinationType":"CIDR_BLOCK","networkEntityId":"ocid1.privateip.unique_ID"}]'
    {
      "data": {
        "compartment-id": "ocid1.compartment.unique_ID",
        "defined-tags": {},
        "display-name": "InternetRoute",
        "freeform-tags": {},
        "id": "ocid1.routetable.unique_ID",
        "lifecycle-state": "AVAILABLE",
        "route-rules": [
          {
            "cidr-block": "10.231.0.0/16",
            "description": "Uses the ExtG8Way",
            "destination": null,
            "destination-type": "CIDR_BLOCK",
            "network-entity-id": "ocid1.privateip.unique_ID"
          }
        ],
        "time-created": "2022-04-11T06:00:29.527637+00:00",
        "vcn-id": "ocid1.vcn.unique_ID"
      },
      "etag": "15dcf54f-fa85-40f6-9557-75774e73f1ce"
    }
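Because the --route-rules argument replaces every rule in the table, the update step above is where rules are most easily lost. The following Python is an added example (not code from the Oracle Private Cloud Appliance documentation or from the OCI CLI) that takes the route-rules array from a get command, converts it to the camelCase input form used by the create and update commands, merges in a new rule, and lists the targets of any catch-all 0.0.0.0/0 rule so a default route to an internet gateway is reviewed before the table is rewritten. EXISTING_RULES is constructed to match the get output shown on this page; the function names are this example's own.

```python
import json

# Constructed sample: the "route-rules" array as returned by `oci network route-table get`,
# mirroring the output shown on this page (dashed keys; the legacy cidr-block field is
# populated while destination is null).
EXISTING_RULES = [
    {"cidr-block": "0.0.0.0/0", "description": None, "destination": None,
     "destination-type": "CIDR_BLOCK",
     "network-entity-id": "ocid1.internetgateway.unique_ID"},
]


def normalize(output_rule):
    """Convert one get-output rule to the camelCase input form, folding the legacy
    cidr-block field into destination/destinationType."""
    rule = {
        "destination": output_rule.get("destination") or output_rule.get("cidr-block"),
        "destinationType": output_rule.get("destination-type") or "CIDR_BLOCK",
        "networkEntityId": output_rule["network-entity-id"],
    }
    if output_rule.get("description"):
        rule["description"] = output_rule["description"]
    return rule


def merge_rules(existing_output_rules, new_rules):
    """--route-rules replaces the whole table, so carry the existing rules over and
    add or overwrite by (destinationType, destination). Input order is preserved."""
    merged = {}
    for output_rule in existing_output_rules:
        rule = normalize(output_rule)
        merged[(rule["destinationType"], rule["destination"])] = rule
    for rule in new_rules:
        merged[(rule["destinationType"], rule["destination"])] = dict(rule)
    return list(merged.values())


def default_route_targets(rules):
    """Review helper: the network entity IDs that a catch-all 0.0.0.0/0 rule points at,
    so a default route to an internet gateway is visible before the update is applied."""
    return [rule["networkEntityId"] for rule in rules
            if rule["destinationType"] == "CIDR_BLOCK" and rule["destination"] == "0.0.0.0/0"]


def route_rules_argument(rules):
    """Compact JSON for --route-rules (single-quote it on the shell or use file://...)."""
    return json.dumps(rules, separators=(",", ":"))


if __name__ == "__main__":
    # The private IP rule from the update example above, in input form.
    new_rule = {"destination": "10.231.0.0/16", "destinationType": "CIDR_BLOCK",
                "networkEntityId": "ocid1.privateip.unique_ID"}
    merged = merge_rules(EXISTING_RULES, [new_rule])
    print("catch-all route targets:", default_route_targets(merged))
    print("--route-rules", route_rules_argument(merged))
```

Merging by destination rather than appending means that re-running the update with the same rule is idempotent, and that a rule pointing an existing destination at a new target replaces the old entry instead of producing two rules for the same CIDR.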

Deleting a Route Table

You cannot delete a route table that is associated with a subnet. You cannot delete a VCN's default route table.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to delete a route table. The VCN details page is displayed.

  3. Under Resources, click Route Tables.

  4. For the route table that you want to delete, click the Actions menu and click Delete.

  5. Confirm when prompted.

Using the OCI CLI

  1. Get the OCID of the route table to delete (oci network route-table list --compartment-id compartment_OCID)

  2. Run the route table delete command.

    $ oci network route-table delete --rt-id ocid1.routetable.unique_ID
    Are you sure you want to delete this resource? [y/N]: y

    To suppress this prompt, use the --force option.

Controlling Traffic with Security Lists

Both security lists and network security groups (NSGs) are types of virtual firewalls for your compute instances. Both security lists and NSGs define network security rules that determine which types of traffic are allowed in and out of instances (VNICs).

Security lists provide virtual firewall rules to all the VNICs in a subnet. To provide a set of firewall rules for a set of VNICs of your choice in a VCN, you can create an NSG. See Controlling Traffic with Network Security Groups.

Security lists enable you to define network security rules that apply to all VNICs in a subnet. A default security list is automatically created for each VCN. That default security list is assigned to each subnet in the VCN if you do not assign a different security list. Up to five security lists can be associated with a subnet.

If you use both security lists and NSGs, traffic in or out of a given VNIC is allowed if any rule in any applicable security list or NSG allows the traffic:

  • Any rule in any security list that is associated with the VNIC's subnet

  • Any rule in any NSG that the VNIC is in

For general information and a comparison of security lists and NSGs, see "Virtual Firewall" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

Viewing a VCN's Security Lists

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to view security lists. The VCN details page is displayed.

  3. Under Resources, click Security Lists. The list of security lists is displayed.

  4. Click the name of the security list to view its ingress and egress rules.

Using the OCI CLI

  1. Gather the information you need to run the command:

    • Compartment OCID (oci iam compartment list)

    • VCN OCID (oci network vcn list --compartment-id compartment_OCID)

  2. Run the list command.

    Use both the VCN OCID and the compartment OCID to list all security lists that belong to the specified VCN and are in the specified compartment.

    oci network security-list list --compartment-id ocid1.compartment.unique_ID \
    --vcn-id ocid1.vcn.unique_ID

    Use only the compartment OCID to list all security lists in that compartment. The security lists in a compartment could belong to any VCN. Security lists do not need to be in the same compartment as the VCN.

    oci network security-list list --compartment-id ocid1.compartment.unique_ID

  3. Use one of the following methods to show just one security list.

    • Use the list command with the name of the security list.

      oci network security-list list --compartment-id ocid1.compartment.unique_ID \
      --display-name "Custom Security List"
    • Use the get command with the OCID for the security list. The security list OCID is the value of id property in the security list list command output.

      oci network security-list get --security-list-id ocid1.securitylist.unique_ID

Creating a Security List

Before you create a security list, use the following command to see the security rules that are already defined in the default security list and any other security list for this VCN:

$ oci network security-list get --security-list-id ocid1.securitylist.unique_ID

A security list must have at least one rule. A security list is not required to have both ingress and egress rules.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to create a security list. The VCN details page is displayed.

  3. Under Resources, click Security Lists.

  4. Click the Create Security List button.

  5. In the Create Security List dialog, enter the following information:

    • Name: A descriptive name for the security list. The name does not have to be unique. The name cannot be changed later in the Console, but it can be changed with the CLI.

    • Create in Compartment: The compartment where you want to create the security list.

  6. Add at least one rule.

    To add one or more ingress rules, click +New Rule in the Allow Rules for Ingress box. To add one or more egress rules, click +New Rule in the Allow Rules for Egress box. Enter the following information:

    • Stateless: If you want the new rule to be stateless, check this box. By default, security list rules are stateful and apply to both a request and its coordinated response. For more information about stateless and stateful rules, see "Security Lists" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

    • CIDR: The CIDR block for the ingress or egress traffic.

    • IP Protocol: The rule can apply to all IP protocols, or choices such as ICMP, TCP, or UDP. Select the protocol from the drop-down list.

      • Port Range: For some protocols, such as TCP or UDP, you can supply a source port range and destination port range.

      • Parameter Type and Code: For ICMP, you can select a parameter type and corresponding parameter code.

    • Description: An optional description of the rule.

  7. Tagging: For more information about tagging, see Working with Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

  8. Click the Create Security List button in the dialog.

    The details page of the new security list is displayed. You can specify this security list when creating or updating a subnet.

Using the OCI CLI

  1. Gather the information you need to run the command:
    • The OCID of the compartment where you want to create this security list (oci iam compartment list)

    • The OCID of the VCN for this security list (oci network vcn list --compartment-id compartment_OCID)

  2. Construct arguments for the --ingress-security-rules and --egress-security-rules options.

    Security rules are in JSON format. To see how to format a rule, use the following command:

    oci network security-list create --generate-param-json-input ingress-security-rules > ingress.json

    Use the same command with egress-security-rules.

    Ingress and egress security rules are the same except that ingress rules have source and sourceType properties while egress rules have destination and destinationType properties.

    The value of the protocol property is all or one of the following numbers: 1 for ICMP, 6 for TCP, or 17 for UDP.

    Alternatively, you can list or get the default security list or another security list and copy the values of the egress-security-rules and ingress-security-rules properties.

    Put the information for rules for this new security list in the appropriate places in the format, or replace the information in the rules that you copied.

    The value of both rules options is either a string between single quotation marks or a file specified as file://path_to_file.json.

    Egress and ingress rules must be in a list. If the list of egress rules or the list of ingress rules has only one item, that single rule must be enclosed in square brackets just as multiple rules would be. See the command in the next step for an example showing only one ingress rule.

    Both egress rules and ingress rules must be specified. See the command in the next step for an example showing no egress rules.

  3. Run the security list create command.

    Syntax:

    oci network security-list create --compartment-id compartment_OCID \
    --vcn-id vcn_OCID --ingress-security-rules ingress_rules \
    --egress-security-rules egress_rules

    Example:

    $ oci network security-list create --compartment-id ocid1.compartment.unique_ID \
    --vcn-id ocid1.vcn.unique_ID --display-name "Limited Port Range" \
    --egress-security-rules '[]' \
    --ingress-security-rules '[{"source": "10.0.2.0/24", "protocol": "6", "isStateless": true,
    "tcpOptions": {"destinationPortRange": {"max": 1521, "min": 1521},
    "sourcePortRange": {"max": 1521, "min": 1521}}}]'
    {
      "data": {
        "compartment-id": "ocid1.compartment.unique_ID",
        "defined-tags": {},
        "display-name": "Limited Port Range",
        "egress-security-rules": [],
        "freeform-tags": {},
        "id": "ocid1.securitylist.unique_ID",
        "ingress-security-rules": [
          {
            "description": null,
            "icmp-options": null,
            "is-stateless": true,
            "protocol": "6",
            "source": "10.0.2.0/24",
            "source-type": "CIDR_BLOCK",
            "tcp-options": {
              "destination-port-range": {
                "max": 1521,
                "min": 1521
              },
              "source-port-range": {
                "max": 1521,
                "min": 1521
              }
            },
            "udp-options": null
          }
        ],
        "lifecycle-state": "PROVISIONING",
        "time-created": "2022-05-06T02:17:10.965748+00:00",
        "vcn-id": "ocid1.vcn.unique_ID"
      },
      "etag": "30d67d2d-5e11-4b13-9607-1948c52a78f5"
    }

Updating a Security List

You can edit the name of the security list and add, edit, or delete rules or tags in any security list, including the default security list.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to update a security list. The VCN details page is displayed.

  3. Under Resources, click Security Lists.

  4. For the security list that you want to update, do one of the following:

    • Click the Actions menu and then click Edit to open the Edit Security List dialog. Update rules in the Allow Rules for Ingress and Allow Rules for Egress sections. To delete a rule, click the trash can icon. To add a rule, click the +New Rule button. You can also update the security list name and tags. Click the Save button on the dialog.

    • Click the Actions menu and then click View Details to open the security list details page.

      • Click the Edit button to open the Edit Security List dialog.

      • To edit only the rules, scroll to the Resources section and click either Ingress Rules or Egress Rules. To create a new rule, click the Create Security Rule button. To update a rule, click the Actions menu for that rule and then click Edit. To delete a rule, click the actions menu and then click Delete.

Using the OCI CLI

  1. Get the OCID of the security list that you want to update (oci network security-list list --compartment-id compartment_OCID)

  2. If you want to update rules, construct arguments for the --ingress-security-rules and --egress-security-rules options as described in Creating a Security List. The argument that you provide to either option replaces all existing rules of that direction, so any rule that you omit is deleted. If you want to keep some existing rules, use the following command to show the current rules, and then copy the rules that you want to keep into the new option arguments. Note that the get command prints rule keys in kebab-case (for example is-stateless, tcp-options), whereas the option arguments use camelCase (isStateless, tcpOptions).

    $ oci network security-list get --security-list-id ocid1.securitylist.unique_ID
  3. Run the security list update command.

    Example:

    oci network security-list update  \
    --security-list-id ocid1.securitylist.unique_ID \
    --ingress-security-rules file:///home/flast/ingress_rules.json
    
    WARNING: Updates to defined-tags and egress-security-rules and freeform-tags and 
     ingress-security-rules will replace any existing values. 
     Are you sure you want to continue? [y/N]: y
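Because the update command replaces the whole rule list, the safe way to add a rule is to merge it with the rules that the get command already reports. The following script is an added example and is not part of the Oracle documentation. It embeds a constructed, trimmed sample of security-list get output, converts the kebab-case keys that the CLI prints to the camelCase keys that the --ingress-security-rules argument expects, appends a new rule, drops exact duplicates, and writes the file that the update command above reads. The file name ingress_rules.json and the OCIDs are placeholders.

```python
"""Preserve existing rules when updating a security list.

Added example (not Oracle's code). `oci network security-list update
--ingress-security-rules` replaces the whole rule list, so this script merges
the rules reported by `oci network security-list get` with the rules to add
and emits the result in the camelCase input format.
"""
import json

# Constructed sample of `oci network security-list get` output, trimmed to the
# fields that matter here. The CLI prints kebab-case keys and explicit nulls.
SAMPLE_GET_OUTPUT = json.dumps({
    "data": {
        "id": "ocid1.securitylist.unique_ID",
        "ingress-security-rules": [
            {
                "description": None,
                "icmp-options": None,
                "is-stateless": False,
                "protocol": "6",
                "source": "10.0.2.0/24",
                "source-type": "CIDR_BLOCK",
                "tcp-options": {
                    "destination-port-range": {"max": 22, "min": 22},
                    "source-port-range": None,
                },
                "udp-options": None,
            }
        ],
        "egress-security-rules": [],
    }
})

# The rule to add, already in the input format of --ingress-security-rules.
NEW_RULE = {
    "isStateless": False,
    "protocol": "6",
    "source": "10.0.2.0/24",
    "sourceType": "CIDR_BLOCK",
    "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}},
}


def kebab_to_camel(key):
    """'destination-port-range' -> 'destinationPortRange'."""
    head, *rest = key.split("-")
    return head + "".join(part.capitalize() for part in rest)


def to_input_format(value):
    """Recursively convert CLI output keys to input keys and drop nulls."""
    if isinstance(value, dict):
        return {kebab_to_camel(k): to_input_format(v)
                for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [to_input_format(item) for item in value]
    return value


def canonical(rule):
    """Stable string form of a rule so that duplicates compare equal."""
    return json.dumps(rule, sort_keys=True)


def merge_rules(existing, new):
    """Append new rules to the existing ones, skipping exact duplicates."""
    merged = list(existing)
    seen = {canonical(r) for r in merged}
    for rule in new:
        if canonical(rule) not in seen:
            merged.append(rule)
            seen.add(canonical(rule))
    return merged


def build_payload(get_output, direction, new_rules):
    """Full rule list for --ingress-security-rules or --egress-security-rules
    (direction is 'ingress' or 'egress'), with the current rules preserved."""
    data = json.loads(get_output)["data"]
    current = to_input_format(data[f"{direction}-security-rules"])
    return merge_rules(current, new_rules)


if __name__ == "__main__":
    payload = build_payload(SAMPLE_GET_OUTPUT, "ingress", [NEW_RULE])
    with open("ingress_rules.json", "w") as fh:   # placeholder file name
        json.dump(payload, fh, indent=2)
    print("oci network security-list update "
          "--security-list-id ocid1.securitylist.unique_ID "
          "--ingress-security-rules file://ingress_rules.json")
```

Run the script, review the generated file, and then pass it to the update command; the same conversion applies to the egress list by calling build_payload with "egress".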

Deleting a Security List

You cannot delete a security list that is associated with a subnet. You cannot delete a VCN's default security list.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to delete a security list. The VCN details page is displayed.

  3. Under Resources, click Security Lists.

  4. For the security list that you want to delete, click the Actions menu and then click Delete.

  5. Confirm the deletion when prompted.

Using the OCI CLI

  1. Get the OCID of the security list that you want to delete (oci network security-list list --compartment-id compartment_OCID)

  2. Run the security list delete command.

    $ oci network security-list delete --security-list-id ocid1.securitylist.unique_ID
    Are you sure you want to delete this resource? [y/N]: y

    To suppress this prompt, use the --force option.

Controlling Traffic with Network Security Groups

Both network security groups (NSGs) and security lists are types of virtual firewalls for your compute instances. Both NSGs and security lists define network security rules that determine which types of traffic are allowed in and out of instances (VNICs).

NSGs provide virtual firewall rules for a set of VNICs of your choice in a VCN. To provide a set of firewall rules for all VNICs in a subnet, you can create a security list. See Controlling Traffic with Security Lists.

NSGs enable you to define network security rules for groups of instances, which can be in different subnets. For example, an NSG can apply to all the database servers, or to all the application servers running a certain application. Instead of applying security to a particular subnet, you create an NSG and then add the appropriate instances (VNICs) to the NSG.

When you create a VCN, a default security list is created. No default NSG is created because you must choose which VNICs to include in the group.

If you use both security lists and NSGs, traffic in or out of a given VNIC is allowed if any rule in any applicable security list or NSG allows the traffic:

  • Any rule in any security list that is associated with the VNIC's subnet

  • Any rule in any NSG that the VNIC is in

The rules are combined as a union, not an intersection. A restrictive NSG therefore cannot block traffic that a rule in the subnet's security list already allows, and the reverse also holds. Before relying on an NSG to limit exposure, check the security lists on the subnet, including the default security list, for rules that are broader than the NSG.

For general information and a comparison of security lists and NSGs, see "Virtual Firewall" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.
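The practical consequence of this union is easiest to see by evaluating a flow against both firewalls. The following script is an added example, not code from the Oracle documentation. It takes constructed rule sets for a subnet's security list and for an NSG, written in the camelCase format that the CLI input arguments use, and returns every rule that admits a given ingress flow. In the sample, an SSH connection from the internet is admitted by the security list even though the NSG only allows port 1521 from one subnet. Rules whose source is another NSG are skipped, because evaluating them needs VNIC membership data that this example does not model.

```python
"""Which rule actually admits a flow: security lists and NSGs form a union.

Added example (not Oracle's code). Given the security lists attached to a
VNIC's subnet and the NSGs the VNIC belongs to, list every rule that permits
an ingress flow. A non-empty result means the traffic gets through, however
strict the other firewall is. All rule data below is constructed.
"""
import ipaddress

# Constructed rules in the camelCase input format. Security list rules carry no
# direction field; NSG rules do.
SUBNET_SECURITY_LISTS = {
    "Default Security List for vcn1": [
        {"protocol": "6", "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK",
         "isStateless": False,
         "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
        {"protocol": "1", "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK",
         "isStateless": False, "icmpOptions": {"type": 3, "code": 4}},
    ],
}
VNIC_NSGS = {
    "db-servers": [
        {"direction": "INGRESS", "protocol": "6", "source": "10.0.2.0/24",
         "sourceType": "CIDR_BLOCK", "isStateless": False,
         "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}}},
        {"direction": "EGRESS", "protocol": "all", "destination": "0.0.0.0/0",
         "destinationType": "CIDR_BLOCK", "isStateless": False},
    ],
}

# IANA protocol numbers as the rules use them: "6" TCP, "17" UDP, "1" ICMP.
PORT_OPTIONS = {"6": "tcpOptions", "17": "udpOptions"}


def port_matches(rule, protocol, dst_port):
    """True if the rule's destination port range (if any) covers dst_port."""
    opts = rule.get(PORT_OPTIONS.get(protocol, ""), {}) or {}
    rng = opts.get("destinationPortRange")
    if rng is None:           # no range given: every port of this protocol
        return True
    return rng["min"] <= dst_port <= rng["max"]


def rule_admits_ingress(rule, protocol, src_ip, dst_port):
    """True if this single ingress rule allows protocol/src_ip -> dst_port.
    ICMP type/code options are not evaluated in this example."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False          # NSG or service sources are not modelled here
    if rule["protocol"] not in ("all", protocol):
        return False
    network = ipaddress.ip_network(rule["source"], strict=False)
    if ipaddress.ip_address(src_ip) not in network:
        return False
    if protocol in PORT_OPTIONS and not port_matches(rule, protocol, dst_port):
        return False
    return True


def permitting_rules(protocol, src_ip, dst_port, security_lists, nsgs):
    """Return [(firewall name, rule)] for every rule that admits the flow.
    The flow is blocked only when this list is empty."""
    hits = []
    for name, rules in list(security_lists.items()) + list(nsgs.items()):
        for rule in rules:
            if rule_admits_ingress(rule, protocol, src_ip, dst_port):
                hits.append((name, rule))
    return hits


if __name__ == "__main__":
    flows = [("6", "198.51.100.7", 22),    # SSH from the internet
             ("6", "198.51.100.7", 1521),  # Oracle listener from the internet
             ("6", "10.0.2.9", 1521)]      # Oracle listener from the app subnet
    for flow in flows:
        hits = permitting_rules(*flow, SUBNET_SECURITY_LISTS, VNIC_NSGS)
        verdict = ("ALLOWED by " + ", ".join(n for n, _ in hits)) if hits else "BLOCKED"
        print(flow, verdict)
```

The first flow shows the point: the NSG says nothing about port 22, but the subnet's security list admits it from anywhere, so the instance is reachable regardless of the NSG.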

Creating a Network Security Group

These procedures create an NSG with no rules and no VNICs.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to create an NSG. The VCN details page is displayed.

  3. Under Resources, click Network Security Groups.

  4. Click the Create Network Security Group button.

  5. In the Create Network Security Group dialog, enter the following information:

    • Name: A descriptive name for the NSG. The name does not have to be unique, and it can be changed later.

    • Create in Compartment: The compartment where you want to create the NSG.

  6. Tagging: For more information about tagging, see Working with Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

  7. Click the Create Network Security Group button in the dialog.

    The details page for the new NSG is displayed. You can create security rules and select VNICs to add to the group now, or you can do these tasks later. See the procedures referenced at the beginning of this section.

Using the OCI CLI

When you create an NSG, you can specify only a display name and defined and free-form tags. Similarly, when you update an NSG (oci network nsg update), you can update only the name and tags. To add rules and VNICs, see the procedures referenced at the beginning of this section.

  1. Gather the information you need to run the command:
    • The OCID of the compartment where you want to create this NSG (oci iam compartment list)

    • The OCID of the VCN for this NSG (oci network vcn list --compartment-id compartment_OCID)

  2. Run the NSG create command.

    Example:

    $ oci network nsg create --compartment-id ocid1.compartment.unique_ID \
    --vcn-id ocid1.vcn.unique_ID --display-name "Application A"
    {
      "data": {
        "compartment-id": "ocid1.compartment.unique_ID",
        "defined-tags": {},
        "display-name": "Application A",
        "freeform-tags": {},
        "id": "ocid1.networksecuritygroup.unique_ID",
        "lifecycle-state": "PROVISIONING",
        "time-created": "2022-05-09T15:48:30.069904+00:00",
        "vcn-id": "ocid1.vcn.unique_ID"
      },
      "etag": "49073741-0cc7-4371-82ee-2abf4667b14d"
    }

Viewing a VCN's Network Security Groups

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to view Network Security Groups. The VCN details page is displayed.

  3. Under Resources, click Network Security Groups. The list of NSGs is displayed.

  4. Click the name of the NSG to view its details, including security rules and attached VNICs.

Using the OCI CLI

  1. Gather the information you need to run the command:

    • Compartment OCID (oci iam compartment list)

    • VLAN OCID (oci network vlan list --compartment-id compartment_OCID)

  2. Run the NSG list command.

    Specify the compartment OCID to list all the NSGs in that compartment.

    oci network nsg list --compartment-id ocid1.compartment.unique_ID

    Specify the VLAN OCID to list all the NSGs in that VLAN.

    oci network nsg list \
    --vlan-id ocid1.vlan.unique_ID
  3. Use one of the following methods to show just one NSG.

    • Use the list command with the name of the NSG.

      oci network nsg list --compartment-id ocid1.compartment.unique_ID \
      --display-name "Custom NSG"
    • Use the get command with the OCID for the NSG. The NSG OCID is the value of id property in the NSG list command output.

      oci network nsg get --nsg-id ocid1.networksecuritygroup.unique_ID
  4. The NSG security rules are not shown in the list or get command output. Use the following command to show the NSG security rules.

    oci network nsg rules list --nsg-id ocid1.networksecuritygroup.unique_ID

Managing Rules for a Network Security Group

These procedures describe how to add, update, and remove rules that are applied by an NSG.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to manage rules in an NSG. The VCN details page is displayed.

  3. Under Resources, click Network Security Groups.

  4. In the list of NSGs, click the name of the NSG for which you want to manage rules. The NSG details page is displayed.

  5. Under Resources, click Security Rules.

  6. You can add new rules, and edit and delete existing rules.

    To add a rule, click the Create Security Rules button. To add one or more ingress rules, click +New Rule in the Allow Rules for Ingress box. To add one or more egress rules, click +New Rule in the Allow Rules for Egress box. Enter the following information:

    • Stateless: If you want the new rule to be stateless, check this box. By default, security rules are stateful and apply to both a request and its coordinated response. For more information about stateless and stateful rules, see "Security Lists" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

    • CIDR: The CIDR block for the ingress or egress traffic.

    • IP Protocol: The rule can apply to all IP protocols, or choices such as ICMP, TCP, or UDP. Select the protocol from the drop-down list.

      • Port Range: For some protocols, such as TCP or UDP, you can supply a source port range and destination port range.

      • Parameter Type and Code: For ICMP, you can select a parameter type and corresponding parameter code.

    • Description: An optional description of the rule.

    To edit a rule, click the Actions menu for the Egress or Ingress rule, click Edit, make the necessary changes, and then click Update.

    To delete a rule, click the Actions menu for the Egress or Ingress rule, click Remove, and then click Confirm. While you are editing a rule, click the trash can icon to delete the rule.

Using the OCI CLI

  1. Get the OCID of the NSG for which you want to manage rules (oci network nsg list --compartment-id compartment_OCID).

  2. Construct an argument for the --security-rules option. Security rules are in JSON format. To see how to format a rule, use the following command:

    oci network nsg rules add --generate-param-json-input security-rules > nsg_rules.json

    The --security-rules option argument for the oci network nsg rules update command uses the same format, except that each rule must also include the id of the existing rule that it modifies.

    Alternatively, you can list and copy the rules of an existing NSG.

    oci network nsg rules list --nsg-id ocid1.networksecuritygroup.unique_ID

    Put the information for the rules for this new or updated NSG in the appropriate places in the format output by --generate-param-json-input, or change the information in the rules that you copied.

    The value of the rules option is either a string between single quotation marks or a file specified as file://path_to_file.json.

  3. Run the NSG rules add or update command.

    Add:

    The specified security_rules are added to any existing rules.

    oci network nsg rules add --nsg-id nsg_OCID \
    --security-rules security_rules

    Update:

    The specified security_rules modify existing rules in place. Each rule must include the id of the rule that it replaces (shown in the oci network nsg rules list output); rules that you do not list are left unchanged. To add or delete rules, use the add and remove commands.

    oci network nsg rules update --nsg-id nsg_OCID \
    --security-rules security_rules
  4. To delete one or more rules, construct a list of rule OCIDs.

    Use the following command to find the OCIDs of the rules that you want to delete:

    oci network nsg rules list --nsg-id ocid1.networksecuritygroup.unique_ID

    Run the NSG rules remove command.

    oci network nsg rules remove --nsg-id ocid1.networksecuritygroup.unique_ID \
    --security-rule-ids '["ocid1.security_rule.unique_ID1","ocid1.security_rule.unique_ID2"]'

    The --security-rule-ids value is a JSON array of the id values from the rules list output.
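Hand-written --security-rules JSON is easy to get subtly wrong: a destination on an ingress rule, udpOptions on a TCP rule, a port outside 1 to 65535, or an ingress rule that is wider than intended. The following added example, which is not part of the Oracle documentation, builds rules in the format that oci network nsg rules add expects, including a rule whose source is another NSG rather than a CIDR block, checks them before they reach the CLI, and writes nsg_rules.json. The NSG OCIDs, the file name and the helper names are assumptions.

```python
"""Build and sanity-check the JSON for `oci network nsg rules add`.

Added example (not Oracle's code). Two helpers produce rules in the
--security-rules input format and validate_rule() reports the mistakes the
CLI would reject, plus rules that are wider than they probably should be.
"""
import ipaddress
import json

PROTO_TCP, PROTO_UDP, PROTO_ICMP = "6", "17", "1"
PORT_OPTION_KEY = {PROTO_TCP: "tcpOptions", PROTO_UDP: "udpOptions"}


def ingress_from_nsg(source_nsg_ocid, port, protocol=PROTO_TCP, description=None):
    """Stateful ingress rule whose source is another NSG (tier-to-tier)."""
    rule = {"direction": "INGRESS", "protocol": protocol,
            "source": source_nsg_ocid, "sourceType": "NETWORK_SECURITY_GROUP",
            "isStateless": False,
            PORT_OPTION_KEY[protocol]: {"destinationPortRange": {"min": port, "max": port}}}
    if description:
        rule["description"] = description
    return rule


def egress_to_cidr(cidr, port=None, protocol="all", description=None):
    """Stateful egress rule to a CIDR block; port requires protocol 6 or 17."""
    rule = {"direction": "EGRESS", "protocol": protocol, "destination": cidr,
            "destinationType": "CIDR_BLOCK", "isStateless": False}
    if port is not None:
        rule[PORT_OPTION_KEY[protocol]] = {"destinationPortRange": {"min": port, "max": port}}
    if description:
        rule["description"] = description
    return rule


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule looks sane."""
    problems = []
    direction = rule.get("direction")
    if direction not in ("INGRESS", "EGRESS"):
        return ["direction must be INGRESS or EGRESS"]
    endpoint, other = (("source", "destination") if direction == "INGRESS"
                       else ("destination", "source"))
    if endpoint not in rule:
        problems.append(f"{direction} rule needs a {endpoint}")
    if other in rule:
        problems.append(f"{direction} rule must not carry a {other}")
    etype = rule.get(endpoint + "Type")
    value = str(rule.get(endpoint, ""))
    protocol = rule.get("protocol")
    if etype == "CIDR_BLOCK":
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            problems.append(f"{endpoint} {value!r} is not a valid CIDR")
        else:
            # An ingress rule from anywhere with no port restriction is the
            # classic over-broad rule; flag it rather than silently emit it.
            no_ports = protocol == "all" or (
                protocol in PORT_OPTION_KEY
                and not (rule.get(PORT_OPTION_KEY[protocol]) or {}).get("destinationPortRange"))
            if direction == "INGRESS" and net.prefixlen == 0 and no_ports:
                problems.append("ingress from anywhere with no port restriction")
    elif etype == "NETWORK_SECURITY_GROUP":
        if not value.startswith("ocid1.networksecuritygroup."):
            problems.append(f"{endpoint} must be an NSG OCID")
    else:
        problems.append(f"unsupported {endpoint}Type {etype!r}")
    for proto, key in PORT_OPTION_KEY.items():
        if key in rule and protocol != proto:
            problems.append(f"{key} is only valid with protocol {proto}")
        rng = (rule.get(key) or {}).get("destinationPortRange")
        if rng and not 1 <= rng["min"] <= rng["max"] <= 65535:
            problems.append(f"{key} destinationPortRange must satisfy 1 <= min <= max <= 65535")
    if "icmpOptions" in rule and protocol != PROTO_ICMP:
        problems.append("icmpOptions is only valid with protocol 1")
    if not isinstance(rule.get("isStateless"), bool):
        problems.append("isStateless must be true or false")
    return problems


def payload(rules):
    """JSON for --security-rules; refuses to emit a rule set with problems."""
    bad = {i: validate_rule(r) for i, r in enumerate(rules) if validate_rule(r)}
    if bad:
        raise ValueError(f"rule problems: {bad}")
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    rules = [  # placeholder OCIDs
        ingress_from_nsg("ocid1.networksecuritygroup.app_tier", 1521,
                         description="app tier to Oracle listener"),
        egress_to_cidr("10.0.0.0/16", description="intra-VCN egress"),
    ]
    with open("nsg_rules.json", "w") as fh:
        fh.write(payload(rules))
    print("oci network nsg rules add --nsg-id ocid1.networksecuritygroup.db_tier "
          "--security-rules file://nsg_rules.json")
```

Using another NSG as the source keeps the rule correct as application instances come and go: membership, not an address list, decides who may reach the listener.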

Attaching a VNIC to a Network Security Group

An NSG contains zero or more VNICs. You can attach a VNIC to an NSG when you create an instance or when you create or update the VNIC; see the instance and VNIC procedures for those steps.

Do one of the following to view the list of NSGs that a VNIC is attached to:

  • View the VNIC details.

    1. On the instance details page, scroll to the resources section, and click Attached VNICs.

    2. In the list, click the name of the VNIC.

    3. On the VNIC details page, scroll to the resources section, and click Network Security Groups.

  • Run the following command:

    $ oci network vnic get --vnic-id ocid1.vnic.unique_ID

Do one of the following to view the list of VNICs that are attached to an NSG:

  • View the NSG details.

    1. On the VCN details page, scroll to the resources section, and click Network Security Groups.

    2. In the list, click the name of the NSG.

    3. On the NSG details page, scroll to the resources section, and click VNICs.

  • Run the following command:

    $ oci network nsg vnics list --nsg-id ocid1.networksecuritygroup.unique_ID

To change the list of NSGs that a VNIC is attached to, update the VNIC.

Deleting a Network Security Group

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Virtual Cloud Networks.

  2. Click the name of the VCN for which you want to delete an NSG. The VCN details page is displayed.

  3. Under Resources, click Network Security Groups.

  4. For the NSG that you want to delete, click the Actions menu and then click Delete.

  5. Confirm the deletion when prompted.

Using the OCI CLI

  1. Get the OCID of the NSG that you want to delete (oci network nsg list --compartment-id compartment_OCID)
  2. Run the NSG delete command.

    $ oci network nsg delete --nsg-id ocid1.networksecuritygroup.unique_ID
    Are you sure you want to delete this resource? [y/N]: y

To suppress this prompt, use the --force option.