Managing Network Sources

This topic describes the basics of working with network sources.

Required IAM Policy

If you're in the Administrators group, then you have the required access for managing network sources. To write policies specifically for network sources, use the network-sources resource type, found with the other IAM components, in Details for IAM.

If you're new to policies, see Getting Started with Policies and Common Policies.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Introduction to Network Sources

A network source specifies IP addresses that are allowed to access resources in your tenancy. The IP addresses can be public IP addresses or IP addresses from VCNs within your tenancy. After you create the network source, you use policy to restrict access to only requests that originate from the IPs in the network source. When specified in a policy, IAM validates that requests to access a resource originate from an allowed IP address.

For example, you can restrict access to Object Storage buckets in your tenancy to only users that are signed in to Oracle Cloud Infrastructure through your corporate network. Or, you can allow only resources belonging to specific subnets of a specific VCN to make requests over a service gateway.

Network sources can only be created in the tenancy (or root compartment) and, like other Identity resources, reside in the home region.

For information about the number of network sources you can have, see IAM Limits.

Restricting Access to Specific IP Addresses

Important

This feature is currently supported by the Object Storage service only.

To restrict access to requests made from a set of IP addresses, do the following:

  1. Create a network source that specifies the allowed IP addresses.
  2. Write a policy that uses the network source variable in a condition.

1. Create the Network Source

Follow the instructions provided for the Console or the API to create the network source.

A single network source can include IP addresses from a specific VCN, public IP addresses, or both.

To specify the VCN, you need the VCN OCID and the subnet IP ranges that you want to allow.

Examples:

  • Public IP addresses or CIDR blocks: 192.0.2.143 or 192.0.2.0/24
  • VCN OCID: ocid1.vcn.oc1.iad.aaaaaaaaexampleuniqueID
    • Subnet IP addresses or CIDR blocks: 10.0.0.4, 10.0.0.0/16

      To allow any IP address from a specific VCN, use 0.0.0.0/0.

2. Write the Policy

The IAM service includes a variable to use in policy that allows you to scope your policy using a condition. The variable is:

request.networkSource.name

After you have created your network source, you can scope policies for Object Storage by using this variable in a condition. For example, assume you create a network source named "corpnet". You can restrict users of the group "CorporateUsers" to access your Object Storage resources only when their requests originate from IP addresses you specified in corpnet. To do this, write a policy like the following:

allow group CorporateUsers to manage object-family in tenancy where request.networkSource.name='corpnet'

This policy allows users in the CorporateUsers group to manage Object Storage resources only when their requests originate from an allowed IP address specified in the network source "corpnet". Requests made from outside the specified IP ranges are denied. For general information about writing policies, see How Policies Work.

Currently, only the Object Storage service supports network sources. See Resource-Types for the Object Storage resource types you can use in policies.

Using the Console to Manage Network Sources

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.


Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use these API operations to manage network sources:

Creating the Network Source Object

A sample network source object looks like the following example:

{
  "compartmentId" : "ocid1.tenancy.oc1..aaaaaaaabaexampleuniqueID",
  "description" : "Corporate IP ranges to be used for IP-based authorization",
  "name" : "corpnet",
  "virtualSourceList": [ { "vcnId": "ocid1.vcn.oc1.iad.aaaaaaaaexampleuniqueID", "ipRanges": [ "129.213.39.0/24" ] } ],
  "publicSourceList": [ "192.0.2.5", "192.0.2.6" ],
  "services": [ "all" ]
}

The elements are:

  • virtualSourceList - specifies the VCN (OCID) and the subnet IP ranges within that VCN that are allowed access. Each entry in virtualSourceList must contain both the VCN OCID and the subnet IP ranges:
    • vcnId - the OCID of the VCN
    • ipRanges - list of the IP addresses or CIDR blocks of the subnets belonging to the specified VCN that are allowed to access the resource. To allow all ranges in the specified VCN, enter 0.0.0.0/0.
  • publicSourceList - list of the public IP addresses or CIDR blocks that are allowed access.
  • services - currently, "all" or "none" are the only supported values. The default is "all". Specifying "all" allows Oracle Cloud Infrastructure services to access the resource.

Example:

{
  "virtualSourceList": [ { "vcnId": "ocid1.vcn.oc1.iad.aaaaaaaaexampleuniqueID", "ipRanges": [ "129.213.39.0/24" ] } ],
  "publicSourceList": [ "192.0.2.0/25", "192.0.2.200" ],
  "services": [ "all" ]
}
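To make the two-part check concrete, the following is an added illustrative model (not the IAM service's own code, and not from Oracle) of how a request's origin is matched against a network source object in the shape shown above, and how that result combines with the group check in the corpnet policy. The network source data is constructed from the page's examples, and the function names request_matches_source and policy_allows are assumptions for illustration.

```python
import ipaddress

# Constructed network source in the same shape as the JSON object above
# (example data; the OCID is the page's placeholder, not a real tenancy).
CORPNET = {
    "name": "corpnet",
    "virtualSourceList": [
        {"vcnId": "ocid1.vcn.oc1.iad.aaaaaaaaexampleuniqueID",
         "ipRanges": ["129.213.39.0/24"]},
    ],
    "publicSourceList": ["192.0.2.5", "192.0.2.6"],
    "services": ["all"],
}


def _in_ranges(ip, ranges):
    """True if ip falls inside any single address or CIDR block in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def request_matches_source(source, source_ip, vcn_id=None):
    """Illustrative model (not IAM's implementation) of the condition
    request.networkSource.name='<source name>'.

    A request over the public internet matches only if its public IP is in
    publicSourceList. A request arriving from a VCN (vcn_id given) matches
    only if that VCN is listed and the private IP is in its allowed ranges;
    0.0.0.0/0 in ipRanges allows any address from that VCN.
    """
    if vcn_id is None:
        return _in_ranges(source_ip, source["publicSourceList"])
    for entry in source["virtualSourceList"]:
        if entry["vcnId"] == vcn_id and _in_ranges(source_ip, entry["ipRanges"]):
            return True
    return False


def policy_allows(source, in_group, source_ip, vcn_id=None):
    """Model of: allow group CorporateUsers to manage object-family in tenancy
    where request.networkSource.name='corpnet'.

    Both the group membership and the network-source condition must hold;
    a request from outside the listed ranges is denied even for group members.
    """
    return in_group and request_matches_source(source, source_ip, vcn_id)
```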