Oracle Cloud Infrastructure Documentation

Security Lists

The Networking service offers two virtual firewall features to control traffic at the packet level:

  • Security lists: Covered in this topic. This is the original type of virtual firewall offered by the Networking service.
  • Network security groups: Another type of virtual firewall that Oracle recommends over security lists. See Network Security Groups.

Both of these features use security rules. For important information about how security rules work, and a general comparison of security lists and network security groups, see Security Rules.

Highlights

  • Security lists act as virtual firewalls for your Compute instances and other kinds of resources. A security list consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the security list is associated with. This means that all the VNICs in a given subnet are subject to the same set of security lists. See Comparison of Security Lists and Network Security Groups.
  • Security list rules function the same as network security group rules. For a discussion of rule parameters, see Parts of a Security Rule.
  • Each VCN comes with a default security list that has several default rules for essential traffic. If you don't specify a custom security list for a subnet, the default security list is automatically used with that subnet. You can add and remove rules from the default security list.
  • Security lists have separate and different limits compared to network security groups. See Limits.

Overview of Security Lists

A security list acts as a virtual firewall for an instance, with ingress and egress rules that specify the types of traffic allowed in and out. Each security list is enforced at the VNIC level. However, you configure your security lists at the subnet level, which means that all VNICs in a given subnet are subject to the same set of security lists. The security lists apply to a given VNIC whether it's communicating with another instance in the VCN or a host outside the VCN.

Each subnet can have multiple security lists associated with it, and each list can have multiple rules (for the maximum number, see Limits). A packet in question is allowed if any rule in any of the lists allows the traffic (or if the traffic is part of an existing connection being tracked). There's a caveat if the lists happen to contain both stateful and stateless rules that cover the same traffic. For more information, see Stateful Versus Stateless Rules.

Security lists are regional entities. For limits related to security lists, see Limits.

Security lists can control both IPv4 and IPv6 traffic. However, IPv6 addressing and related security list rules are currently supported only in the Government Cloud. For more information, see IPv6 Addresses.

Default Security List

Each cloud network has a default security list. You can also create other security lists for the VCN. A given subnet automatically has the default security list associated with it if you don't specify one or more other security lists during subnet creation. At any time after you create a subnet, you can change which security lists are associated with it. And you can change the rules in the lists.

Unlike other security lists, the default security list comes with an initial set of stateful rules, which you can change:

  • Stateful ingress: Allow TCP traffic on destination port 22 (SSH) from source 0.0.0.0/0 and any source port. This rule makes it easy for you to create a new cloud network and public subnet, launch a Linux instance, and then immediately use SSH to connect to that instance without needing to write any security list rules yourself.

    Important

    The default security list does not include a rule to allow Remote Desktop Protocol (RDP) access. If you're using Windows images, make sure to add a stateful ingress rule for TCP traffic on destination port 3389 from source 0.0.0.0/0 and any source port.

    See To enable RDP access for more information.

  • Stateful ingress: Allow ICMP traffic type 3 code 4 from source 0.0.0.0/0. This rule enables your instances to receive Path MTU Discovery fragmentation messages.

  • Stateful ingress: Allow ICMP traffic type 3 (all codes) from source = your VCN's CIDR. This rule makes it easy for your instances to receive connectivity error messages from other instances within the VCN.
  • Stateful egress: Allow all traffic. This allows instances to initiate traffic of any kind to any destination. Notice that this means the instances with public IP addresses can talk to any internet IP address if the VCN has a configured internet gateway. And because stateful security rules use connection tracking, the response traffic is automatically allowed regardless of any ingress rules. For more information, see Connection Tracking Details for Stateful Rules.

The default security list comes with no stateless rules. However, you can add or remove rules from the default security list as you like.

If your VCN is enabled for IPv6 addressing (which is currently supported in only the Government Cloud), the default security list contains some default rules for IPv6 traffic. For more information, see IPv6 Addresses.

Enabling Ping

The default security list does not include a rule to allow ping requests. If you plan to ping an instance, see Rules to Enable Ping.

Security Rules

If you're not yet familiar with the basics of security rules, see these sections in the security rules topic:

Working with Security Lists

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

General Process for Working with Security Lists

  1. Create a security list.
  2. Add security rules to the security list.
  3. Associate the security list with one or more subnets.
  4. Create resources in the subnet (for example, create Compute instances in the subnet). The security rules apply to all the VNICs in that subnet. See About VNICs and Parent Resources.

Additional Details

When you create a subnet, you must associate at least one security list with it. It can be either the VCN's default security list or one or more other security lists that you've already created (for the maximum number, see Service Limits). You can change which security lists the subnet uses at any time.

You may optionally assign a friendly name to the security list during creation. It doesn't have to be unique, and you can change it later. Oracle automatically assigns the security list a unique identifier called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.

For the purposes of access control, you must specify the compartment where you want the security list to reside. Consult an administrator in your organization if you're not sure which compartment to use. For more information, see Access Control.

You can move security lists from one compartment to another. Moving a security list doesn’t affect its attachment to a subnet. When you move a security list to a new compartment, inherent policies apply immediately and affect access to the security list. For more information, see Managing Compartments.

You can add and remove rules from the security list. A security list can have no rules. Notice that when you update a security list in the API, the new set of rules replaces the entire existing set of rules.

To delete a security list, it must not be associated with a subnet. You can't delete a VCN's default security list.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a An IAM document that specifies who has what type of access to your resources. It is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources. written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which A collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization. you should work in.

For administrators: The policy in Let network admins manage a cloud network covers management of all Networking components, including security lists.

If you have security admins who need to manage security lists but not other components in Networking, you could write a more restrictive policy:

Allow group SecListAdmins to manage security-lists in tenancy

Allow group SecListAdmins to manage vcns in tenancy

Both statements are needed because the creation of a security list affects the VCN the security list is in. The scope of the second statement also allows the SecListAdmins group to create VCNs. However, the group can't create subnets or manage any other components related to any of those VCNs (except for the security lists), because additional permissions would be required for those resources. The group also can't delete any existing VCNs that already have subnets in them, because that action would require permissions related to subnets.

For more information, see IAM Policies for Networking.

Using the Console

To view a VCN's default security list
To update rules in an existing security list
To create a security list
To change which security lists a subnet uses
To move a security list to a different compartment
To delete a security list
To manage tags for a security list

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

To manage a VCN's security lists, use these operations:

This topic has moved. If you are not redirected in 2 seconds, click the following link: Security Lists.