Policy Examples

Learn about Zero Trust Packet Routing policies from examples.

You can also learn about policies by exploring the Policy Template Builder.

The following sections give service-specific examples.

Compute instance examples

Write a policy to allow Compute instances in the same VCN to connect by SSH

Allow compute:instance1 endpoints to connect to compute:instance2 endpoints in the networks:net1 VCN by SSH.

in networks:net1 VCN allow compute:instance1 endpoints to connect to compute:instance2 endpoints with protocol='tcp/22'

Write a policy to allow Compute instances in peered VCNs to connect by SSH

Allow compute:instance1 endpoints in the networks:net1 VCN to connect to compute:instance2 endpoints with protocol='tcp/22' in the networks:net2 VCN.

allow compute:instance1 endpoints in networks:net1 VCN to connect to compute:instance2 endpoints with protocol='tcp/22' in networks:net2 VCN

Write a policy to allow clients to connect to a database over SQLNet

In the networks:net1 VCN allow compute:instance1 endpoints to connect to db:DB-Server endpoints with protocol='tcp/1521'.

in networks:net1 VCN allow compute:instance1 endpoints to connect to db:DB-Server endpoints with protocol='tcp/1521'

Write a policy to allow clients to connect to a database over SQLNet in peered VCNs

Allow compute:instance1 endpoints in the networks:net1 VCN to connect to db:DB-Server endpoints with protocol='tcp/1521' in the VCN-Network:DB VCN.

allow compute:instance1 endpoints in networks:net1 VCN to connect to db:DB-Server endpoints with protocol='tcp/1521' in VCN-Network:DB VCN

Database examples

Write a policy to allow a database to connect to OCI services

Allow database endpoints with the db:DB-Server security attribute to connect to OCI services.

in VCN-Network:DB VCN allow db:DB-Server endpoints to connect to 'osn-services-ip-addresses'

Write a policy to allow clients to connect to a database through a single port

Allow clients with the App:App1 security attribute to connect to the DB-Server:App1 database through the tcp/1521 port.

in VCN-Network:DB VCN allow App:App1 to connect to DB-Server:App1 endpoints with protocol='tcp/1521'

Write a policy to allow clients to connect to a database through multiple ports

Allow clients with the App:App1 security attribute to connect to the DB-Server:App1 database through ports tcp/999-11199.

in VCN-Network:DB VCN allow App:App1 to connect to DB-Server:App1 endpoints with protocol='tcp/999-11199'

Write a policy to allow clients to connect to a database with a stateless connection

Allow clients with the app:frontend security attribute to connect to the database:server database through the tcp/1521 port with a stateless connection.

in finance.network:prod VCN allow app:frontend endpoints to connect to database:server endpoints with protocol = 'tcp/1521', connection-state = 'stateless'

Write a policy to allow clients in one VCN to connect to a database in a different VCN

Allow clients with the networks:net1:App1 security attribute in the networks:net1 VCN to connect to DB-Server:App1 databases in the networks:net2 VCN.

allow networks:net1:App1 endpoints in networks:net1 VCN to connect to DB-Server:App1 endpoints in networks:net2 VCN

Write a policy to allow database access with port restriction between resources in peered VCNs

Allow clients with the App:App1 security attribute in the VCN-Network:App VCN to connect to DB-Server:App1 databases with protocol='tcp/1521' in the VCN-Network:DB VCN.

allow App:App1 endpoints in VCN-Network:App VCN to connect to DB-Server:App1 endpoints with protocol='tcp/1521' in VCN-Network:DB VCN

Network Load Balancer examples

Write a policy to allow an IP address to connect to a network load balancer

In the my:VCN VCN allow any IPv4 address (0.0.0.0/0) to connect to the network load balancer with the XYZ-NLB:NLB1 security attribute.

in my:VCN VCN allow '0.0.0.0/0' to connect to XYZ-NLB:NLB1 endpoints

Write a policy to connect network load balancers to application endpoints

In the my:VCN VCN allow network load balancer endpoints with the XYZ-NLB:NLB1 security attribute to connect to ABC-web-servers:app1 endpoints.

in my:VCN VCN allow XYZ-NLB:NLB1 endpoints to connect to ABC-web-servers:app1 endpoints

Write a policy to allow stateless database access in peered VCNs

Allow app:frontend endpoints in the finance.network:dev VCN to connect to database:server endpoints with protocol='tcp/1521' with connection-state='stateless' in the finance.network:prod VCN.

allow app:frontend endpoints in finance.network:dev VCN to connect to database:server endpoints with protocol='tcp/1521' with connection-state='stateless' in finance.network:prod VCN

Write a policy to allow multiport access for applications in peered VCNs

Allow App:App1 endpoints in the VCN-Network:App VCN to connect to DB-Server:App1 endpoints through ports tcp/999-11199 in the VCN-Network:DB VCN.

allow App:App1 endpoints in VCN-Network:App VCN to connect to DB-Server:App1 endpoints with protocol='tcp/999-11199' in VCN-Network:DB VCN

OCI Cache policy example

Write a policy to allow a Compute instance to connect to a Redis cluster in the same VCN

In the my:VCN VCN allow compute:instance1 endpoints to connect to redis:cluster1 endpoints.

in my:VCN VCN allow compute:instance1 endpoints to connect to redis:cluster1 endpoints

Private Service Access example

Write a policy to connect Private Service Access (PSA) endpoints

PSA endpoints give cloud resources without public IP addresses private access to OCI services.

Allow endpoints with the app:dbs security attribute to connect to a PSA endpoint when the PSA endpoint is assigned the svc:dbs security attribute:

in vcn:A VCN allow app:dbs endpoints to connect to svc:dbs endpoints with protocol='tcp/443'

To use security attributes and policies with PSA endpoints, first create a PSA endpoint, then create the security attributes to apply to the endpoint, and finally create a ZPR policy to control access to the endpoint.

VCN policy example

Write a policy to connect resources in peered VCNs over a SQLNet connection

Allow Compute clients with the DB-client:App1 security attribute to connect to the database running app1 over a SQLNet connection.

allow DB-client:App1 endpoints in VCN-Network:DB VCN to connect to DB-client:app1 endpoints with protocol='tcp/1521' in VCN-Network:Remote VCN
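As an added illustration that is not part of the OCI documentation, the following Python parses the two statement shapes used throughout the examples above (the single-VCN "in ... VCN allow ..." form and the peered "allow ... in ... VCN to connect to ... in ... VCN" form) and flags statements that grant broad reach: an any-address source ('0.0.0.0/0'), no protocol restriction, a wide port range, or access that crosses a VCN boundary. The grammar is inferred from the page's examples rather than taken from the official ZPR grammar, and the max_ports threshold is an assumption.

```python
import re
from dataclasses import dataclass, field

# Grammar inferred from the two statement shapes on this page (an assumption, not the
# official ZPR grammar): the scoped form "in <vcn> VCN allow ..." and the peered form
# "allow <src> endpoints in <vcn> VCN to connect to <dst> endpoints ... in <vcn> VCN".
TERM = r"(?:'[^']*'|[\w.-]+:[\w.:-]+)"   # 'quoted literal' or namespace:value attribute
VCN = r"([\w.-]+:[\w.:-]+) VCN"
ATTR = re.compile(r"([\w-]+)\s*=\s*'([^']*)'")  # protocol='tcp/22', connection-state='stateless'
SCOPED = re.compile(rf"^in {VCN} allow ({TERM})(?: endpoints)? to connect to ({TERM})(?: endpoints)?(.*)$")
PEERED = re.compile(rf"^allow ({TERM}) endpoints in {VCN} to connect to ({TERM}) endpoints(.*?) in {VCN}$")

@dataclass
class Rule:
    src: str
    dst: str
    src_vcn: str
    dst_vcn: str
    attrs: dict = field(default_factory=dict)

def parse(statement: str) -> Rule:
    """Split one policy statement into who may talk to whom, where, and how."""
    s = " ".join(statement.split())  # normalise whitespace before matching
    if m := SCOPED.match(s):
        vcn, src, dst, rest = m.groups()
        return Rule(src, dst, vcn, vcn, dict(ATTR.findall(rest)))
    if m := PEERED.match(s):
        src, src_vcn, dst, rest, dst_vcn = m.groups()
        return Rule(src, dst, src_vcn, dst_vcn, dict(ATTR.findall(rest)))
    raise ValueError(f"unrecognised statement: {statement!r}")

def port_count(protocol: str) -> int:
    """Ports covered by a 'tcp/NNN' or 'tcp/LOW-HIGH' protocol value."""
    lo, _, hi = protocol.split("/", 1)[1].partition("-")
    return int(hi or lo) - int(lo) + 1

def review(statement: str, max_ports: int = 64) -> list:
    """Flag the ways a statement grants more reach than least privilege needs."""
    r = parse(statement)
    findings = []
    if r.src.strip("'") == "0.0.0.0/0":
        findings.append("source is any IPv4 address")
    if "protocol" not in r.attrs:
        findings.append("no protocol restriction: every port is allowed")
    elif port_count(r.attrs["protocol"]) > max_ports:
        findings.append(f"wide port range {r.attrs['protocol']}")
    if r.src_vcn != r.dst_vcn:
        findings.append(f"crosses VCN boundary {r.src_vcn} -> {r.dst_vcn}")
    return findings
```

Run review() over each statement on this page to see which ones a least-privilege reviewer would want to tighten or justify.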