Oracle Cloud Infrastructure Documentation

Configuring VCN Security Rules for File Storage

Before you can mount a file system, you must configure security rules to allow traffic to the mount target's VNIC using specific protocols and ports.

File Storage requires stateful ingress to TCP ports 111, 2048, 2049, and 2050 and stateful ingress to UDP ports 111 and 2048. File Storage also requires stateful egress from TCP ports 111, 2048, 2049, and 2050 and stateful egress from UDP port 111.

Security rules configured with the specified ports and protocols enable traffic for the following:

  • Open Network Computing Remote Procedure Call (ONC RPC) rpcbind utility protocol
  • Network File System (NFS) protocol
  • Network File System (MOUNT) protocol
  • Network Lock Manager (NLM) protocol

Ways to Enable Security Rules for File Storage

The Networking service offers two virtual firewall features that both use security rules to control traffic at the packet level. The two features are:

  • Security lists: The original virtual firewall feature from the Networking service. When you create a VCN, a default security list is also created. Add the required rules to the security list for the mount target subnet. See Setting Up Required Rules in a Security List for instructions.
  • Network security groups (NSGs): A subsequent feature designed for application components that have different security postures. Create an NSG that contains the required rules, and then add the mount target to the NSG. Alternatively, you can add the required rules to a previously existing NSG, and add the mount target to the NSG. Each mount target can belong to up to five (5) NSGs. See Setting Up Required Rules in a Network Security Group (NSG) for instructions.

Important

You can use security lists alone, network security groups alone, or both together. It depends on your particular security needs.

If you choose to use both security lists and network security groups, the set of rules that applies to a given mount target VNIC is the combination of these items:

  • The security rules in the security lists associated with the VNIC's subnet
  • The security rules in all NSGs that the VNIC is in

It doesn't matter which method you use to apply security rules to the mount target VNIC, as long as the ports for protocols necessary for File Storage are correctly configured in the rules applied.

See Security Rules, Security Lists, and Network Security Groups for more information, examples, and scenarios about how these features interact in your network. Overview of Networking provides general information about networking. See About Security for information about how security rules work with other types of security in File Storage.

Required IAM Service Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

For administrators: The policy in Let network admins manage a cloud network covers management of all networking components, including security lists and NSGs. See the Policy Reference for more information.

If you're new to policies, see Getting Started with Policies and Common Policies.

Using the Console

Setting Up Required Rules in a Security List

You can add the required rules to a pre-existing security list associated with the mount target subnet, such as the default security list that is created along with the VCN. See To create a security list for more information.

This image shows the correct ingress rules for File Storage.

This image shows the correct egress rules for File Storage.

To add required rules to a security list

Setting Up Required Rules in a Network Security Group (NSG)

The general process for setting up NSGs that work with File Storage is:

  1. Create an NSG with the required security rules. (Alternatively, you can add them to a previously existing NSG.)
  2. Add the mount target (or more specifically, the mount target's VNIC) to the NSG. You can do this when you create the mount target, or you can update the mount target and add it to one or more NSGs that contain the required security rules.

This image shows the correct NSG ingress rules for File Storage.

This image shows the correct NSG egress rules for File Storage.
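The port list at the top of this page and the NSG procedure above are easy to get subtly wrong: a rule set that opens only TCP 2049, or that makes one of the rules stateless, still blocks the mount. The following is an added example (not Oracle's code or part of this documentation) that encodes the stated requirements in the JSON shape the OCI CLI accepts for `oci network nsg rules add --security-rules file://rules.json`, and also audits an arbitrary rule set, in either NSG or security-list shape, for the requirements it fails to satisfy. Egress requirements are treated as source port ranges, following the page's "egress from" wording. The client CIDR `10.0.0.0/16` and the incomplete rule set are constructed sample values.

```python
"""Build and audit OCI security rules for File Storage mount targets.

Added example, not Oracle's code.  The REQUIRED set is taken from the page:
stateful ingress to TCP 111/2048/2049/2050 and UDP 111/2048, and stateful
egress from TCP 111/2048/2049/2050 and UDP 111.  The CIDR and the sample
incomplete rule set below are constructed for illustration.
"""
import json

TCP, UDP, ALL = "6", "17", "all"   # OCI protocol values

# (direction, protocol, port).  Ingress ports are destination ports on the
# mount target VNIC; egress ports are the source ports it replies from.
REQUIRED = (
    {("INGRESS", TCP, p) for p in (111, 2048, 2049, 2050)}
    | {("INGRESS", UDP, p) for p in (111, 2048)}
    | {("EGRESS", TCP, p) for p in (111, 2048, 2049, 2050)}
    | {("EGRESS", UDP, p) for p in (111,)}
)


def _port_rule(direction, protocol, port, cidr):
    """One stateful NSG rule for a single port, in the CLI's SecurityRule JSON shape."""
    options_key = "tcpOptions" if protocol == TCP else "udpOptions"
    range_key = "destinationPortRange" if direction == "INGRESS" else "sourcePortRange"
    rule = {
        "direction": direction,
        "protocol": protocol,
        "isStateless": False,                       # the page requires stateful rules
        options_key: {range_key: {"min": port, "max": port}},
        "description": f"File Storage {direction.lower()} {'TCP' if protocol == TCP else 'UDP'} {port}",
    }
    if direction == "INGRESS":
        rule["source"], rule["sourceType"] = cidr, "CIDR_BLOCK"
    else:
        rule["destination"], rule["destinationType"] = cidr, "CIDR_BLOCK"
    return rule


def build_nsg_rules(client_cidr):
    """Every rule File Storage needs, scoped to the CIDR that will mount the file system."""
    return [_port_rule(d, proto, port, client_cidr) for d, proto, port in sorted(REQUIRED)]


def _direction(rule):
    # NSG rules carry "direction"; security-list rules do not, so infer it from
    # which endpoint field is present ("source" = ingress list, "destination" = egress list).
    return rule.get("direction") or ("INGRESS" if "source" in rule else "EGRESS")


def _covers(rule, direction, protocol, port):
    """True if this single rule allows the given flow as a stateful rule."""
    if rule.get("isStateless", False):
        return False                                # stateless does not meet the requirement
    if _direction(rule) != direction or rule["protocol"] not in (protocol, ALL):
        return False
    if rule["protocol"] == ALL:
        return True
    opts = rule.get("tcpOptions" if protocol == TCP else "udpOptions") or {}
    range_key = "destinationPortRange" if direction == "INGRESS" else "sourcePortRange"
    rng = opts.get(range_key)
    if rng is None:                                 # no range given means all ports
        return True
    return rng["min"] <= port <= rng["max"]


def missing_requirements(rules):
    """Return the (direction, protocol, port) requirements that no rule in `rules` satisfies."""
    return {req for req in REQUIRED if not any(_covers(r, *req) for r in rules)}


# Constructed example of a common mistake: only the NFS port is open, the
# rpcbind UDP rule was made stateless, and egress is wide open (so egress passes).
INCOMPLETE_INGRESS = [
    {"protocol": TCP, "source": "10.0.0.0/16", "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 2049, "max": 2049}}},
    {"protocol": UDP, "source": "10.0.0.0/16", "isStateless": True,
     "udpOptions": {"destinationPortRange": {"min": 111, "max": 111}}},
]
INCOMPLETE_EGRESS = [
    {"protocol": ALL, "destination": "0.0.0.0/0", "isStateless": False},
]

if __name__ == "__main__":
    # Writes the rules file for: oci network nsg rules add --nsg-id <NSG_OCID> --security-rules file://rules.json
    with open("rules.json", "w") as fh:
        json.dump(build_nsg_rules("10.0.0.0/16"), fh, indent=2)
    for d, proto, port in sorted(missing_requirements(INCOMPLETE_INGRESS + INCOMPLETE_EGRESS)):
        print(f"missing: {d} {'TCP' if proto == TCP else 'UDP'} {port}")
```

The audit reads the same JSON you would get back from `oci network nsg rules list` or the security-list `get` output, so it can be run against what is actually deployed rather than what was intended. Scoping the rules to the client subnet's CIDR rather than `0.0.0.0/0` is deliberate: the mount target only needs to talk to the instances that mount it.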

To create an NSG with the required security rules
To add a mount target to the NSG