Oracle Cloud Infrastructure Documentation

Configuring VCN Security Rules for File Storage

Before you can mount a file system, you must configure security rules to allow traffic to the mount target's VNIC using specific protocols and ports. Security rules enable traffic for the following:

  • Open Network Computing Remote Procedure Call (ONC RPC) rpcbind utility protocol
  • Network File System (NFS) protocol
  • Network File System (MOUNT) protocol
  • Network Lock Manager (NLM) protocol

File Storage Security Rule Scenarios

There are three basic scenarios that require different security rules for File Storage:

Scenario A: Mount target and instance in the same subnet
Scenario B: Mount target and instance in different subnets
Scenario C: Mount target and instance use in-transit encryption

Ways to Enable Security Rules for File Storage

The Networking service offers two virtual firewall features that both use security rules to control traffic at the packet level: security lists and network security groups (NSGs).

Important

You can use security lists alone, network security groups alone, or both together. It depends on your particular security needs.

If you choose to use both security lists and network security groups, the set of rules that applies to a given mount target VNIC is the combination of these items:

  • The security rules in the security lists associated with the VNIC's subnet
  • The security rules in all NSGs that the VNIC is in

It doesn't matter which method you use to apply security rules to the mount target VNIC, as long as the ports for protocols necessary for File Storage are correctly configured in the rules applied.
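Because the rules can be split across a subnet's security lists and several NSGs, the practical check is whether the union of rules that reaches the mount target VNIC covers every required protocol and port for the peer subnet. The following Python script is an added example, not code from the Oracle documentation: it generates the rule set for a peer CIDR and audits an existing rule set for gaps. The rule dictionaries use the field names of the OCI SDK/CLI security rule objects (direction, protocol, source/destination, tcp_options, udp_options, is_stateless). The port table is an assumption drawn from the standard rpcbind, NFS, MOUNT and NLM assignments (TCP 111, 2048, 2049, 2050 and UDP 111, 2048 inbound; TCP 2051 for in-transit encryption), so confirm it against the rule tables the scenario pages publish before relying on it.

```python
"""Audit OCI security rules (security-list or NSG form) for File Storage coverage.

Added example. REQUIRED_* below is an assumption based on the standard
rpcbind/NFS/MOUNT/NLM ports; verify against the official scenario rule tables.
"""
from ipaddress import ip_network

TCP, UDP = "6", "17"  # IANA protocol numbers, the form OCI rules use

# (direction, protocol, port) tuples the mount target VNIC must be allowed.
REQUIRED_BASE = [
    ("INGRESS", TCP, 111), ("INGRESS", TCP, 2048),
    ("INGRESS", TCP, 2049), ("INGRESS", TCP, 2050),
    ("INGRESS", UDP, 111), ("INGRESS", UDP, 2048),
    ("EGRESS", TCP, 111), ("EGRESS", TCP, 2048),
    ("EGRESS", TCP, 2049), ("EGRESS", TCP, 2050),
    ("EGRESS", UDP, 111),
]
# Scenario C (in-transit encryption) adds one port; 2051 is an assumption.
REQUIRED_IN_TRANSIT = [("INGRESS", TCP, 2051), ("EGRESS", TCP, 2051)]


def _required(in_transit):
    return REQUIRED_BASE + (REQUIRED_IN_TRANSIT if in_transit else [])


def file_storage_rules(peer_cidr, in_transit=False):
    """Build one stateful rule per required (direction, protocol, port).

    peer_cidr is the mount target's own subnet in Scenario A and the
    instance's subnet in Scenario B (constructed values in the tests).
    """
    rules = []
    for direction, proto, port in _required(in_transit):
        peer_field = "source" if direction == "INGRESS" else "destination"
        opts_key = "tcp_options" if proto == TCP else "udp_options"
        rules.append({
            "direction": direction,
            "protocol": proto,
            "is_stateless": False,  # File Storage rules must be stateful
            peer_field: peer_cidr,
            peer_field + "_type": "CIDR_BLOCK",
            opts_key: {"destination_port_range": {"min": port, "max": port}},
        })
    return rules


def _port_range(rule, proto):
    opts = rule.get("tcp_options" if proto == TCP else "udp_options") or {}
    rng = opts.get("destination_port_range")
    return (1, 65535) if rng is None else (rng["min"], rng["max"])


def rule_covers(rule, direction, proto, port, peer_cidr):
    """True if this single rule allows the required traffic for peer_cidr."""
    if rule.get("direction") != direction or rule.get("is_stateless"):
        return False
    if rule.get("protocol") not in (proto, "all"):
        return False
    peer_field = "source" if direction == "INGRESS" else "destination"
    if rule.get(peer_field + "_type", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False  # NSG or service sources are not modelled here
    if not ip_network(peer_cidr).subnet_of(ip_network(rule[peer_field])):
        return False
    if rule["protocol"] == "all":
        return True
    lo, hi = _port_range(rule, proto)
    return lo <= port <= hi


def missing_ports(rules, peer_cidr, in_transit=False):
    """Required tuples that no rule in the combined list/NSG set covers."""
    return [req for req in _required(in_transit)
            if not any(rule_covers(r, *req, peer_cidr) for r in rules)]


def overly_broad(rules):
    """Rules that open every protocol or every port to the whole internet."""
    flagged = []
    for r in rules:
        peer = r.get("source") or r.get("destination") or ""
        open_ports = r.get("protocol") == "all" or (
            r.get("protocol") in (TCP, UDP) and _port_range(r, r["protocol"]) == (1, 65535))
        if peer == "0.0.0.0/0" and open_ports:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    # Constructed Scenario B input: instance subnet 10.0.1.0/24.
    generated = file_storage_rules("10.0.1.0/24")
    print("gaps in generated set:", missing_ports(generated, "10.0.1.0/24"))
    partial = [generated[2]]  # only TCP 2049 ingress: a typical incomplete setup
    print("gaps in partial set:", missing_ports(partial, "10.0.1.0/24"))
```

The generated list can be written out as JSON and handed to the CLI's `oci network nsg rules add --security-rules file://rules.json` option, but the more useful direction is the reverse: fetch the rules actually attached to the mount target's subnet and NSGs and feed them to `missing_ports`, which reports exactly which protocol/port pairs are still blocked. `overly_broad` catches the opposite failure, where someone "fixed" a mount problem by opening everything to 0.0.0.0/0.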

See Security Rules, Security Lists, and Network Security Groups for more information, examples, and scenarios about how these features interact in your network. Overview of Networking provides general information about networking. See About Security for information about how security rules work with other types of security in File Storage.

Required IAM Service Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

For administrators: The policy in Let network admins manage a cloud network covers management of all networking components, including security lists and NSGs. See the Policy Reference for more information.

If you're new to policies, see Getting Started with Policies and Common Policies.

Using the Console

Setting Up Required Rules in a Security List

You can add the required rules to a pre-existing security list associated with a subnet, such as the default security list that is created along with the VCN. See To create a security list for more information.

To add required rules to a security list

Setting Up Required Rules in a Network Security Group (NSG)

The general process for setting up NSGs that work with File Storage is:

  1. Create an NSG with the required security rules. (Alternatively, you can add them to a previously existing NSG.)
  2. Add the mount target (or more specifically, the mount target's VNIC) to the NSG. You can do this when you create the mount target, or you can update the mount target and add it to one or more NSGs that contain the required security rules.
  3. If you're setting up Scenario B: Mount target and instance in different subnets, you'll have to add both the mount target and instance to an NSG that contains the required security rules.

To create an NSG with the required security rules
To add a mount target to an NSG
To add an instance to an NSG