Managing Security Rules for an NSG
Add, edit, or remove security rules for a network security group (NSG) in a virtual cloud network (VCN).
After an NSG is created, you can add or remove security rules to allow the types of ingress and egress traffic that the VNICs in the group require.
As mentioned in Overview of Network Security Groups, you can specify an NSG as the source (for ingress rules) or destination (for egress rules) in a given NSG's security rule. The two NSGs must be in the same VCN. For example, if both NSG1 and NSG2 belong to the same VCN, you could add an ingress rule to NSG1 that lists NSG2 as the source. If someone deletes NSG2, the rule becomes invalid. The REST API uses an isValid Boolean in the SecurityRule object to convey that status.
When you manage an NSG's VNIC membership, you do it as part of working with the parent resource, not the NSG itself. For more information, see Comparison of Security Lists and Network Security Groups.
Use the network nsg rules add command and required parameters to add NSG security rules:
oci network nsg rules add --nsg-id nsg-ocid ... [OPTIONS]
Use the network nsg rules update command and required parameters to update NSG security rules:
oci network nsg rules update --nsg-id nsg-ocid ... [OPTIONS]
Use the network nsg rules remove command and required parameters to remove NSG security rules:
oci network nsg rules remove --nsg-id nsg-ocid ... [OPTIONS]
For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.
If you're familiar with security lists and use the REST API, note that the model for updating existing security rules is different between security lists and NSGs. With NSGs, each rule in a given group has a unique Oracle-assigned identifier (example: 04ABEC). When you call UpdateNetworkSecurityGroupSecurityRules, you provide the IDs of the specific rules that you want to update. For comparison, with security lists, the rules have no unique identifier. When you call UpdateSecurityList, you must pass in the entire list of rules, including rules that are not being updated in the call.
Run the AddNetworkSecurityGroupSecurityRules operation to add NSG security rules.
Run the UpdateNetworkSecurityGroupSecurityRules operation to update NSG security rules.
Run the RemoveNetworkSecurityGroupSecurityRules operation to remove NSG security rules.
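The following is an added example, not code from this documentation or from Oracle: it builds the SecurityRule payload for an ingress rule that names another NSG as its source (the NSG1/NSG2 case above), and scans a rules listing for entries whose isValid flag is false, which is the audit a practitioner would run after an NSG referenced by other groups is deleted. The OCIDs and rule IDs in the sample are placeholders; field names follow the REST SecurityRule object named on this page, and the CLI flag mentioned in the comment should be checked against the CLI Command Reference.

```python
import json

TCP = "6"  # OCI SecurityRule carries the IP protocol number as a string

def build_nsg_ingress_rule(source_nsg_id: str, port: int, description: str = "") -> dict:
    """Ingress rule allowing TCP `port` from VNICs in another NSG of the same VCN.

    The dict matches the REST SecurityRule shape that
    AddNetworkSecurityGroupSecurityRules accepts (wrapped in "securityRules");
    the CLI equivalent is expected to be `oci network nsg rules add --nsg-id ...
    --security-rules file://rules.json` (flag name assumed here, verify in the reference).
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    rule = {
        "direction": "INGRESS",
        "protocol": TCP,
        "sourceType": "NETWORK_SECURITY_GROUP",  # source is an NSG OCID, not a CIDR
        "source": source_nsg_id,
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
    }
    if description:
        rule["description"] = description
    return rule

def find_invalid_rules(rules: list) -> list:
    """Return the IDs of rules the API marks isValid == false, i.e. rules whose
    source or destination NSG no longer exists. These are candidates for
    RemoveNetworkSecurityGroupSecurityRules (body: {"securityRuleIds": [...]})."""
    return [r["id"] for r in rules if r.get("isValid") is False]

# Constructed sample of what a rules listing for NSG1 might look like after NSG2
# was deleted. IDs and OCIDs are placeholders, not real values.
SAMPLE_RULES = [
    {"id": "04ABEC", "direction": "INGRESS", "protocol": "6",
     "sourceType": "NETWORK_SECURITY_GROUP",
     "source": "ocid1.networksecuritygroup.oc1..NSG2_PLACEHOLDER", "isValid": False},
    {"id": "1F77B1", "direction": "INGRESS", "protocol": "6",
     "sourceType": "CIDR_BLOCK", "source": "10.0.0.0/16", "isValid": True},
]

if __name__ == "__main__":
    add_body = {"securityRules": [
        build_nsg_ingress_rule("ocid1.networksecuritygroup.oc1..NSG2_PLACEHOLDER", 443, "HTTPS from NSG2")]}
    print(json.dumps(add_body, indent=2))
    print("rules referencing a deleted NSG:", find_invalid_rules(SAMPLE_RULES))
```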