Security Lists

The Networking service offers two virtual firewall features to control traffic at the packet level:

  • Security lists: Covered in this topic. This is the original type of virtual firewall offered by the Networking service.
  • Network security groups: Another type of virtual firewall that Oracle recommends over security lists. See Network Security Groups.

Both of these features use security rules. For important information about how security rules work, and a general comparison of security lists and network security groups, see Security Rules.

Highlights

  • Security lists act as virtual firewalls for your Compute instances and other kinds of resources. A security list consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the security list is associated with. This means that all the VNICs in a given subnet are subject to the same set of security lists. See Comparison of Security Lists and Network Security Groups.
  • Security list rules function the same as network security group rules. For a discussion of rule parameters, see Parts of a Security Rule.
  • Each VCN comes with a default security list that has several default rules for essential traffic. If you don't specify a custom security list for a subnet, the default security list is automatically used with that subnet. You can add and remove rules from the default security list.
  • Security lists have separate and different limits compared to network security groups. See Comparison of Security Lists and Network Security Groups.

Overview of Security Lists

A security list acts as a virtual firewall for an instance, with ingress and egress rules that specify the types of traffic allowed in and out. Each security list is enforced at the VNIC level. However, you configure your security lists at the subnet level, which means that all VNICs in a given subnet are subject to the same set of security lists. The security lists apply to a given VNIC whether it's communicating with another instance in the VCN or a host outside the VCN.

Each subnet can have multiple security lists associated with it, and each list can have multiple rules (for the maximum number, see Comparison of Security Lists and Network Security Groups). A packet in question is allowed if any rule in any of the lists allows the traffic (or if the traffic is part of an existing connection being tracked). There's a caveat if the lists happen to contain both stateful and stateless rules that cover the same traffic. For more information, see Stateful Versus Stateless Rules.

Security lists are regional entities. For limits related to security lists, see Comparison of Security Lists and Network Security Groups.

Security lists can control both IPv4 and IPv6 traffic. However, IPv6 addressing and related security list rules are currently supported only in the US Government Cloud. For more information, see IPv6 Addresses.

Default Security List

Each cloud network has a default security list. You can also create other security lists for the VCN. A given subnet automatically has the default security list associated with it if you don't specify one or more other security lists during subnet creation. At any time after you create a subnet, you can change which security lists are associated with it. And you can change the rules in the lists.

Unlike other security lists, the default security list comes with an initial set of stateful rules, which you can change:

  • Stateful ingress: Allow TCP traffic on destination port 22 (SSH) from source 0.0.0.0/0 and any source port. This rule makes it easy for you to create a new cloud network and public subnet, launch a Linux instance, and then immediately use SSH to connect to that instance without needing to write any security list rules yourself.

    Important

    The default security list does not include a rule to allow Remote Desktop Protocol (RDP) access. If you're using Windows images, make sure to add a stateful ingress rule for TCP traffic on destination port 3389 from source 0.0.0.0/0 and any source port.

    See To enable RDP access for more information.

  • Stateful ingress: Allow ICMP traffic type 3 code 4 from source 0.0.0.0/0. This rule enables your instances to receive Path MTU Discovery fragmentation messages.
  • Stateful ingress: Allow ICMP traffic type 3 (all codes) from source = your VCN's CIDR. This rule makes it easy for your instances to receive connectivity error messages from other instances within the VCN.
  • Stateful egress: Allow all traffic. This allows instances to initiate traffic of any kind to any destination. Notice that this means the instances with public IP addresses can talk to any internet IP address if the VCN has a configured internet gateway. And because stateful security rules use connection tracking, the response traffic is automatically allowed regardless of any ingress rules. For more information, see Stateful Versus Stateless Rules.

The default security list comes with no stateless rules. However, you can add or remove rules from the default security list as you like.

If your VCN is enabled for IPv6 addressing (which is currently supported in only the Government Cloud), the default security list contains some default rules for IPv6 traffic. For more information, see IPv6 Addresses.

Enabling Ping

The default security list does not include a rule to allow ping requests. If you plan to ping an instance, see Rules to Handle Fragmented UDP Packets.

Working with Security Lists

Caution

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

General Process for Working with Security Lists

  1. Create a security list.
  2. Add security rules to the security list.
  3. Associate the security list with one or more subnets.
  4. Create resources in the subnet (for example, create Compute instances in the subnet). The security rules apply to all the VNICs in that subnet. See Comparison of Security Lists and Network Security Groups.

Additional Details

When you create a subnet, you must associate at least one security list with it. It can be either the VCN's default security list or one or more other security lists that you've already created (for the maximum number, see Service Limits). You can change which security lists the subnet uses at any time.

You may optionally assign a friendly name to the security list during creation. It doesn't have to be unique, and you can change it later. Oracle automatically assigns the security list a unique identifier called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.

For the purposes of access control, you must specify the compartment where you want the security list to reside. Consult an administrator in your organization if you're not sure which compartment to use. For more information, see Access Control.

You can move security lists from one compartment to another. Moving a security list doesn’t affect its attachment to a subnet. When you move a security list to a new compartment, inherent policies apply immediately and affect access to the security list. For more information, see Managing Compartments.

You can add and remove rules from the security list. A security list can have no rules. Notice that when you update a security list in the API, the new set of rules replaces the entire existing set of rules.

To delete a security list, it must not be associated with a subnet. You can't delete a VCN's default security list.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment you should work in.

For administrators: The policy in Let network admins manage a cloud network covers management of all Networking components, including security lists.

If you have security admins who need to manage security lists but not other components in Networking, you could write a more restrictive policy:

Allow group SecListAdmins to manage security-lists in tenancy

Allow group SecListAdmins to manage vcns in tenancy

Both statements are needed because the creation of a security list affects the VCN the security list is in. The scope of the second statement also allows the SecListAdmins group to create VCNs. However, the group can't create subnets or manage any other components related to any of those VCNs (except for the security lists), because other permissions would be required for those resources. The group also can't delete any existing VCNs that already have subnets in them, because that action would require permissions related to subnets.

For more information, see IAM Policies for Networking.

Using the Console

To view a VCN's default security list
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click the default security list to view its details.

    Under Resources, you can click Ingress Rules or Egress Rules to switch between the different types of rules.

To update rules in an existing security list
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click the security list you're interested in.
  5. Under Resources, click either Ingress Rules or Egress Rules depending on the type of rule you want to work with.
  6. If you want to add a rule, click Add Ingress Rule (or Add Egress Rule). See details of adding a rule in To create a security list.
  7. If you want to delete an existing rule, click the Actions icon (three dots), and then click Remove.
  8. If you want to edit an existing rule, click the Actions icon (three dots), and then click Edit.

To create a security list
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click Create Security List.
  5. Enter the following:

    1. Name: A descriptive name for the security list. The name doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
    2. Create in Compartment: The compartment where you want to create the security list, if different from the compartment you're currently working in.
  6. Add either an ingress rule or egress rule (for examples of rules, see Networking Scenarios):

    1. Click either Add Ingress Rule or Add Egress Rule.
    2. Choose whether it's a stateful or stateless rule (see Stateful Versus Stateless Rules). By default, rules are stateful unless you specify otherwise.
    3. Enter either the source CIDR (for ingress) or destination CIDR (for egress). For example, use 0.0.0.0/0 to indicate all IP addresses. Other typical CIDRs you might specify in a rule are the CIDR block for your on-premises network, or for a particular subnet. If you're setting up a security list rule to allow traffic with a service gateway, instead see Task 3: (Optional) Update security rules.

    4. Select the IP protocol (for example, TCP, UDP, ICMP, "All protocols", and so on).
    5. Enter further details depending on the protocol:

      • If you chose TCP or UDP, enter a source port range and destination port range. You can enter "All" to cover all ports. If you want to allow a specific port, enter the port number (for example, 22 for SSH or 3389 for RDP) or a port range (for example, 20–22).
      • If you chose ICMP, you can enter "All" to cover all types and codes. If you want to allow a specific ICMP type, enter the type and an optional code separated by a comma (for example, 3,4). If the type has multiple codes you want to allow, create a separate rule for each code.
    6. Enter an optional description of the rule to help manage your security list rules.
  7. Repeat the preceding step for each rule you want to add to the list.
  8. Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
  9. When you're done, click Create Security List.

The security list is created and then displayed on the Security Lists page in the compartment you chose. You can now specify this security list when creating or updating a subnet.

When you view all the rules in a security list, notice that any stateless rules in the list are shown above any stateful rules. Stateless rules in the list take precedence over stateful rules. In other words: If there's traffic that matches both a stateless rule and a stateful rule across all the security lists associated with the subnet, the stateless rule takes precedence and the connection is not tracked.
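To make the evaluation rules concrete (a packet is allowed if any rule in any associated list matches, and a matching stateless rule takes precedence so the connection is not tracked), here is an added Python model of the default security list's initial rules and of that logic. It is not Oracle's code or the service's implementation; the VCN CIDR, the peer addresses and the custom stateless DNS list are constructed assumptions, and the rule dictionaries only follow the shape of the API's IngressSecurityRule and EgressSecurityRule objects.

```python
import ipaddress

# Constructed: the default security list's initial rules, written in the shape of the
# API's rule objects (protocol is the IANA number as a string, or "all").
VCN_CIDR = "10.0.0.0/16"  # assumed VCN CIDR
DEFAULT_LIST = {
    "ingress": [
        {"protocol": "6", "source": "0.0.0.0/0", "isStateless": False,
         "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},  # SSH
        {"protocol": "1", "source": "0.0.0.0/0", "isStateless": False,
         "icmpOptions": {"type": 3, "code": 4}},                            # Path MTU Discovery
        {"protocol": "1", "source": VCN_CIDR, "isStateless": False,
         "icmpOptions": {"type": 3}},                                       # type 3, all codes
    ],
    "egress": [{"protocol": "all", "destination": "0.0.0.0/0", "isStateless": False}],
}

# Constructed: a custom list holding one stateless rule, as added with the Stateless option.
DNS_STATELESS = {"ingress": [{"protocol": "17", "source": "0.0.0.0/0", "isStateless": True,
                              "udpOptions": {"destinationPortRange": {"min": 53, "max": 53}}}],
                 "egress": []}

def rule_matches(rule, pkt):
    """pkt keys: direction, peer (remote IP), protocol ("6"/"17"/"1"), dport, icmp_type,
    icmp_code. Source port ranges are not modelled (the default rules allow any source port)."""
    cidr = rule.get("source") or rule.get("destination")
    if ipaddress.ip_address(pkt["peer"]) not in ipaddress.ip_network(cidr):
        return False
    if rule["protocol"] not in ("all", pkt["protocol"]):
        return False
    opts = rule.get({"6": "tcpOptions", "17": "udpOptions"}.get(rule["protocol"], ""), {})
    rng = opts.get("destinationPortRange")
    if rng and not rng["min"] <= pkt.get("dport", 0) <= rng["max"]:
        return False
    icmp = rule.get("icmpOptions")
    if rule["protocol"] == "1" and icmp:
        if icmp["type"] != pkt.get("icmp_type"):
            return False
        if "code" in icmp and icmp["code"] != pkt.get("icmp_code"):
            return False
    return True

def evaluate(pkt, security_lists):
    """Evaluate one packet against every security list on the subnet.
    Returns (allowed, tracked): allowed if any rule in any list matches; if any matching
    rule is stateless, it takes precedence and the connection is not tracked."""
    matches = [r for sl in security_lists for r in sl[pkt["direction"]] if rule_matches(r, pkt)]
    if not matches:
        return (False, False)
    return (True, not any(r["isStateless"] for r in matches))
```

Note that RDP (TCP 3389) from the internet is denied by the default list, which is the reason for the Important note above.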

To change which security lists a subnet uses
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Click Subnets.
  4. Click the subnet you're interested in.
  5. Under Resources, click Security Lists.
  6. If you want to add a security list, click Add Security List, and select the new security list you want the subnet to use.
  7. If you want to remove a security list, click the Actions icon (three dots), and then click Remove. Remember that a subnet must always have at least one security list associated with it.

    The changes take effect within a few seconds.

To move a security list to a different compartment
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Find the security list, click the Actions icon (three dots), and then click Move Resource.
  5. Choose the destination compartment from the list.
  6. Click Move Resource.

To delete a security list

Prerequisite: To delete a security list, it must not be associated with a subnet. You can't delete the default security list in a VCN.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. For the security list you want to delete, click the Actions icon (three dots), and then click Terminate.
  5. Confirm when prompted.

To manage tags for a security list
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click the security list you're interested in.
  5. Click the Tags tab to view or edit the existing tags. Or click Add tags to add new ones.

For more information, see Resource Tags.