Policy Syntax

A Zero Trust Packet Routing (ZPR) policy consists of one or more policy statements. A policy statement is an expression of intent written in a specific syntax.

ZPR policy syntax differs depending on the location of the source and target VCN, but the security attribute usage is the same regardless. See the following sections for more details.

Security Attributes in ZPR Policy

Security attributes identify the VCN and endpoints within the VCN.

A security attribute is made up of a security attribute namespace and a security attribute key, separated by a period, followed by a colon and a value:


For example, in applications.app:fin-network the parts are as follows:
  • applications is the security attribute namespace
  • app is the security attribute key
  • fin-network is the value

Security attribute namespaces, keys, and values are each constrained by specific limits. Importantly, security attribute namespaces and security attribute keys must not contain a space or a period character. Values, however, can contain spaces, periods, and single quotation marks. If a referenced security attribute has a value that contains more than the allowed number of characters, the whole security attribute clause is enclosed within single quotation marks, and any single quotation mark character in the value must be escaped with another single quotation mark character. For example:

app:fin-network

oracle-zpr.app:fe-nodes

my-corp.biz:hr

'my-corp.biz:dev and test db'

Note

If the namespace of a security attribute is omitted, ZPR defaults to the oracle-zpr namespace.

See Security Attributes for more information about security attributes and the permissions required to use them.
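As an added example (not code from the Oracle documentation), the following Python parser splits a security attribute clause into its namespace, key and value using the rules above: the oracle-zpr default namespace, no spaces or periods in the namespace or key, and two single quotes as the escape for a quote inside a quoted value. The character limits are not given on this page, so the patterns below are this example's own and do not enforce them.

```python
import re

DEFAULT_NAMESPACE = "oracle-zpr"   # used when a clause omits the namespace

# Patterns written for this example: namespace and key exclude whitespace and
# periods as the page requires; colon and quote are excluded as separators.
_NAME = r"[^\s.:']+"
_UNQUOTED = re.compile(rf"^(?:({_NAME})\.)?({_NAME}):([^\s']+)$")
_QUOTED = re.compile(rf"^'(?:({_NAME})\.)?({_NAME}):((?:[^']|'')+)'$")


def parse_security_attribute(clause: str) -> tuple[str, str, str]:
    """Split a security attribute clause into (namespace, key, value).

    Accepts namespace.key:value, key:value (namespace defaults to oracle-zpr)
    and the single-quoted form 'namespace.key:value with spaces', where a
    quote inside the value is written as two quotes.
    """
    clause = clause.strip()
    quoted = clause.startswith("'")
    m = (_QUOTED if quoted else _UNQUOTED).match(clause)
    if m is None:
        raise ValueError(f"not a valid security attribute clause: {clause!r}")
    namespace, key, value = m.groups()
    if quoted:
        value = value.replace("''", "'")    # undo the quote escaping
    return (namespace or DEFAULT_NAMESPACE, key, value)


def is_valid_security_attribute(clause: str) -> bool:
    try:
        parse_security_attribute(clause)
        return True
    except ValueError:
        return False


def format_security_attribute(namespace: str, key: str, value: str) -> str:
    """Render an attribute, quoting the whole clause when the value needs it."""
    for part in (namespace, key):
        if not part or re.search(r"[\s.:']", part):
            raise ValueError(f"invalid namespace or key: {part!r}")
    clause = f"{namespace}.{key}:{value}"
    if re.search(r"[\s']", value):          # spaces or quotes force the quoted form
        return "'" + clause.replace("'", "''") + "'"
    return clause
```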

Policy Syntax for Endpoints in the Same VCN

ZPR policy statements use the following syntax and rules when the source and target reside in the same VCN:

in <location> <command> <source endpoint> <verb> <destination endpoint>
  • <location> is required, and it must be in the form in <security attribute> VCN. <security attribute> must be specified, and it can be only a single security attribute.
  • <command> must be allow.
  • <source endpoint> must be a security attribute, an ip address, all-endpoints, or osn-services-ip-addresses.
  • <verb> must be to connect to.
  • <destination endpoint> must be a security attribute, an ip address, all-endpoints, or osn-services-ip-addresses.
Note

osn-services-ip-addresses refers to all addressable IPv4 and IPv6 IP ranges used by OCI services.

For example, the following policy statement expresses intent to allow traffic between endpoints within the same VCN:

in app:fin-network VCN allow app:web endpoints to connect to app:store endpoints

The VCN is identified by its security attribute and is subject to the policy referencing it. The allow statement applies to each VCN with that security attribute. The endpoint clauses identify either the source or the target of traffic with the specified security attribute within a VCN:


The all-endpoints keyword signifies any endpoint inside or outside of the VCN, regardless of whether it carries any security attributes. The source endpoint and target endpoint can't both be all-endpoints; at least one of them must be identified (by an endpoint attribute list).

Traffic between endpoints can be further limited in a policy by filtering on the ip-address and one or more of the allowed network filter attributes: protocol, protocol.icmp.type, protocol.icmp.code, and connection-state.


ip-address or osn-services-ip-addresses can be used as either the source or the target, but not as both: a single statement can't have ip-address or osn-services-ip-addresses on both the source and the target endpoints. For example:

in applications.apps:app1 VCN allow '10.0.0.0/16' to connect to apps:app1 endpoints

Policy Syntax for Endpoints in Two VCNs

ZPR policy statements use the following syntax and rules when the source and target VCNs reside in the same region and tenancy, and both VCNs use security attributes:

<command> <source endpoint> in <source location> <verb> <destination endpoint> in <destination location>
  • <command> must be allow.
  • <source endpoint> must be a security attribute.
    Note

    To refer to an endpoint by IP address or CIDR range, use the policy syntax for a single VCN.
  • <source location> is required, and it must be in the form in <security attribute> VCN. <security attribute> must be specified, and it can be only a single security attribute.
  • <verb> must be to connect to.
  • <destination endpoint> must be a security attribute.
  • <destination location> is required, and it must be in the form in <security attribute> VCN. <security attribute> must be specified, and it can be only a single security attribute.

For example, the following policy statement expresses intent to allow traffic between endpoints in two VCNs within the same region:

allow applications.app:webserver endpoints in applications.vcn:A VCN to connect to database.database:MySQL endpoints in database.vcn:B VCN

The VCNs are identified by their security attributes and are subject to the policies referencing them. The allow statement applies to each VCN with those security attributes. The endpoint clauses identify either the source or the target of traffic with the specified security attribute within a VCN:


Traffic to and from endpoints can be further limited in policy by filtering with one or more of the allowed network filter attributes: protocol, protocol.icmp.type, protocol.icmp.code, and connection-state.


Policy Syntax for Other Scenarios

To allow traffic to or from a source or destination without a defined security attribute (such as another VCN, a different region, an on-premises network, or the internet), specify the IP address or CIDR block in a ZPR policy using the single VCN policy syntax.

For example, the following policy statement expresses intent to allow traffic from or to endpoints at the specified IP address, regardless of where the resource resides or whether it has security attributes applied to it:

in front-end:network VCN allow loadbalancer:web to connect to '0.0.0.0/0'
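As an added example (not code from the Oracle documentation), this Python validator recognises the single-VCN statement form, the two-VCN form, and the IP/CIDR form used for other scenarios, and enforces the pairing rules stated on this page: the two endpoints can't both be all-endpoints, and ip-address or osn-services-ip-addresses may be the source or the target but not both. The patterns are written from the syntax described here and are not ZPR's own grammar; the network filter clauses (protocol, connection-state) are not covered.

```python
import ipaddress
import re

# Patterns written for this example from the syntax on this page (not ZPR's grammar).
_ATTR = r"(?:'[^']*(?:''[^']*)*'|[^\s':]+:[^\s']+)"   # quoted clause or namespace.key:value
_ENDPOINT = rf"(?:{_ATTR}(?: endpoints)?|all-endpoints|osn-services-ip-addresses)"
_SINGLE_VCN = re.compile(
    rf"^in (?P<vcn>{_ATTR}) VCN allow (?P<src>{_ENDPOINT})"
    rf" to connect to (?P<dst>{_ENDPOINT})$")
_TWO_VCN = re.compile(
    rf"^allow (?P<src>{_ATTR}) endpoints in (?P<src_vcn>{_ATTR}) VCN"
    rf" to connect to (?P<dst>{_ATTR}) endpoints in (?P<dst_vcn>{_ATTR}) VCN$")
_ADDRESS_KINDS = {"ip-address", "osn-services-ip-addresses"}


def endpoint_kind(clause: str) -> str:
    """Classify an endpoint clause: attribute, ip-address, all-endpoints or osn-services-ip-addresses."""
    if clause in ("all-endpoints", "osn-services-ip-addresses"):
        return clause
    text = clause.removesuffix(" endpoints").strip("'")
    try:
        ipaddress.ip_network(text, strict=False)   # e.g. '10.0.0.0/16' or a single address
        return "ip-address"
    except ValueError:
        return "attribute"


def validate_statement(statement: str) -> dict:
    """Parse one allow statement and apply the pairing rules; raise ValueError if malformed."""
    statement = statement.strip()
    m = _TWO_VCN.match(statement)
    if m:   # two-VCN form: the pattern already requires security attributes on both sides
        return {"form": "two-vcn", **m.groupdict()}
    m = _SINGLE_VCN.match(statement)
    if m is None:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    src, dst = endpoint_kind(m["src"]), endpoint_kind(m["dst"])
    if src == dst == "all-endpoints":
        raise ValueError("source and target can't both be all-endpoints")
    if src in _ADDRESS_KINDS and dst in _ADDRESS_KINDS:
        raise ValueError("ip-address/osn-services-ip-addresses may be the source or the target, not both")
    return {"form": "single-vcn", "vcn": m["vcn"], "src": m["src"], "src_kind": src,
            "dst": m["dst"], "dst_kind": dst}


def is_valid_statement(statement: str) -> bool:
    try:
        validate_statement(statement)
        return True
    except ValueError:
        return False
```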