Managing Security IP Lists

About Security IP Lists

A security IP list is a list of IP subnets (in the CIDR format) or IP addresses that are external to instances in Compute Classic. You can use a security IP list as the source or the destination in security rules to control network access to or from Compute Classic instances.

A security IP list can contain a maximum of 100 entries.

The following table lists the predefined security IP lists that are available in Compute Classic.

| Security IP List | Description |
| --- | --- |
| /oracle/public/instance | Don’t use this security IP list as the source in any security rule. |
| /oracle/public/ntp | Don’t use this security IP list as the source in any security rule. |
| /oracle/public/powerbroker | Don’t use this security IP list as the source in any security rule. |
| /oracle/public/public-internet | You can use this security IP list as the source in security rules to permit traffic from any host on the Internet. |
| /oracle/public/site | Don’t use this security IP list as the source in any security rule. |

Note:

You can use any security IP list that you create as either a source or a destination in a security rule. However, of the predefined security IP lists, you can use only /oracle/public/public-internet as a source in a security rule, and you can’t use any of the predefined security IP lists as a destination in a security rule.

Creating a Security IP List

To permit traffic from external hosts to Compute Classic instances, you must define those hosts in a Security IP List.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand Shared Network, and then click Security IP Lists.
  4. Click Create Security IP List. Enter the required details and click Create.
  5. In the Create Security IP List dialog box, enter the following details:
    • In the Name field, enter a name for the security IP list.

    • In the IP List field, enter a comma-separated list of the subnets (in CIDR format) or IPv4 addresses for which you want to create the security IP list.

      For example, to create a security IP list containing the IP addresses 203.0.113.1 and 203.0.113.2, enter one of the following in the IP List field:

      203.0.113.0/30

      203.0.113.1, 203.0.113.2

      You can specify up to 100 entries in a security IP list.

      Note:

      You can specify only IP addresses that are external to Compute Classic in a security IP list. You can’t specify the IP address of a Compute Classic instance.

    • In the Description field, enter a description for the security IP list.

  6. Click Create.

To create a security IP list using the CLI, use the opc compute sec-ip-list add command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To create a security IP list using the API, use the POST /seciplist/ method. See REST API for Oracle Cloud Infrastructure Compute Classic.

You can also create a security IP list by using an orchestration. See Orchestration v1 Attributes Specific to Each Object Type or Orchestration v2 Attributes Specific to Each Object Type.
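A pre-submission check for the IP List value, as an added example that is not part of the Oracle documentation or tooling. It applies the rules stated above (IPv4 or CIDR entries, at most 100, no instance addresses) and counts how many addresses a list admits, which shows that the 203.0.113.0/30 form covers four addresses while the comma-separated form covers two. The function names and the instance_ips parameter are hypothetical.

```python
import ipaddress

MAX_ENTRIES = 100  # limit stated on this page


def check_ip_list(field, instance_ips=()):
    """Validate the text destined for the IP List field.

    Returns (normalized_entries, problems). instance_ips is a hypothetical
    parameter: addresses of your own Compute Classic instances, which the
    page says must not appear in a security IP list.
    """
    entries = [e.strip() for e in field.split(",") if e.strip()]
    problems, nets = [], []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    internal = [ipaddress.IPv4Address(ip) for ip in instance_ips]
    for entry in entries:
        try:
            # strict=True rejects CIDR blocks with host bits set (e.g. 203.0.113.1/30)
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: not an IPv4 address or CIDR subnet ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry}: matches every IPv4 address")
        hits = [str(ip) for ip in internal if ip in net]
        if hits:
            problems.append(f"{entry}: covers instance address(es) {', '.join(hits)}")
        nets.append(net)
    return [str(n) for n in nets], problems


def covered_addresses(field):
    """Total number of addresses the list admits, after merging overlaps."""
    entries, _ = check_ip_list(field)
    merged = ipaddress.collapse_addresses(ipaddress.IPv4Network(e) for e in entries)
    return sum(n.num_addresses for n in merged)


if __name__ == "__main__":
    # Constructed sample input, using the two forms from the example above.
    for text in ("203.0.113.0/30", "203.0.113.1, 203.0.113.2"):
        print(text, "->", covered_addresses(text), "addresses")
```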

Updating a Security IP List

You can update the IP addresses and description for a Security IP List.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to update an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state. See Workflows for Updating Orchestrations v2.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. Identify the security IP list that you want to update. From the menu, select Update.
  4. In the Update Security IP List dialog box, change the IP List or Description field, as required, and click Update.

To update a security IP list using the CLI, use the opc compute sec-ip-list update command. You can use this command to replace the list of IP addresses and change the description. To add IP addresses to the list, use the opc compute sec-ip-list add command and specify the new IP addresses. For help with these commands, run each command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To update a security IP list using the API, use the PUT /seciplist/name method. You can use this method to replace the list of IP addresses and change the description. To add IP addresses to the list, use the POST /seciplist/ method and specify the new IP addresses. See REST API for Oracle Cloud Infrastructure Compute Classic.

Deleting a Security IP List

If a security IP list isn’t used in any security rule and if you don’t plan to use the security IP list in the future, then you can delete it.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  • Ensure that no security rule is using the security IP list that you want to delete.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to delete an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state.

If you created the object using orchestration v1, then you can delete the object by terminating the orchestration. See Terminating an Orchestration v1.

If you created the object using an orchestration v2, then you can delete the object by suspending, terminating, or updating the orchestration. See Suspending an Orchestration v2, Terminating an Orchestration v2, or Updating an Orchestration v2.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand Shared Network, and then click Security IP Lists.
  4. Identify the security IP list that you want to delete. From the menu, select Delete.

To delete a security IP list using the CLI, use the opc compute sec-ip-list delete command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To delete a security IP list using the API, use the DELETE /seciplist/name method. See REST API for Oracle Cloud Infrastructure Compute Classic.

If you created a security IP list using an orchestration v1, then you can delete the list by stopping the orchestration. See Terminating an Orchestration v1.

If you created a security IP list using an orchestration v2, then you can delete the security IP list by suspending, terminating, or updating the orchestration. See Suspending an Orchestration v2, Terminating an Orchestration v2, or Updating an Orchestration v2.