• If a customer would like to customize or override the inbound allow list behavior, the expected flow is:

• Customers need to determine how they will identify the sources that are allowed to access the resources:

• via IP address ranges defined as CIDR blocks

• via VCN OCID - only sources that access the resources via the OCI service gateway

• both IP and VCN OCID

• Optionally, customers can create and name groups of CIDR blocks and/or VCN OCID.

• Customer will identify what resources will be restricted:

• These can be grouped into paths depending on the application. For example: /web for online OUAF application; /sql for ORDS, /rest for OUAF rest services etc

• These can also be grouped into paths that start with a particular subpath. For example: /rest/busSvc/K1 for all K1-owned rest services

• These can also be grouped into specific paths. For example: /rest/busSvc/F1-HealthCheck can be configured to be accessible by set of sources

• Optionally, the customers can create and name groups of paths (refer path matching below)

• Customer will identify the "allow rules" based on sources and paths they have identified:

• each allow rule is made up of a path group, and one or more sources that can access it

• The customer can request for Inbound Allow List by creating a Service Request in My Oracle Support (MOS).

• The customer must provide necessary details for the request as stated in Request Specification section.

• The customer must specify the environment names and desired date/ time for this activity to be scheduled

• Acknowledge and schedule the execution of the service request

• Submit the ticket with internal security team for approval

• Coordinate with Infrastructure teams (if needed) for completion of the service request

• Communicate the status upon completion of the service request

• Advanced Notice: 7 business days

• Acknowledge/Schedule: 2 business days

• Execution Time: 2 business days

• Outage Expected: No