Oracle Cloud Infrastructure Documentation

Managing Security Rules for an NSG

Add, edit, or remove security rules for a network security group (NSG) in a virtual cloud network (VCN).

After an NSG is created, you can add or remove security rules to allow the types of ingress and egress traffic that the VNICs in the group require.

As mentioned in Overview of Network Security Groups, you can specify an NSG as the source (for ingress rules) or destination (for egress rules) in a given NSG's security rule. The two NSGs must be in the same VCN. For example, if both NSG1 and NSG2 belong to the same VCN, you could add an ingress rule to NSG1 that lists NSG2 as the source. If someone deletes NSG2, the rule becomes invalid. The REST API uses an isValid Boolean in the SecurityRule object to convey that status.

When you manage an NSG's VNIC membership, you do it as part of working with the parent resource, not the NSG itself. For more information, see Comparison of Security Lists and Network Security Groups.

    1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
    2. Click the name of the VCN you're interested in.
    3. Under Resources, click Network Security Groups.
    4. Click the NSG you're interested in to view its details.

      The NSG's security rules are displayed on the page. From there you can add, update, or remove security rules. For information about the fields, see Creating an NSG.

  • Use the network nsg rules add command and required parameters to add NSG security rules:

    oci network nsg rules add --nsg-id nsg-ocid ... [OPTIONS]

    Use the network nsg rules update command and required parameters to update NSG security rules:

    oci network nsg rules update --nsg-id nsg-ocid ... [OPTIONS]

    Use the network nsg rules remove command and required parameters to remove NSG security rules:

    oci network nsg rules remove --nsg-id nsg-ocid ... [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

  • If you're familiar with security lists and use the REST API, note that the model for updating existing security rules is different between security lists and NSGs. With NSGs, each rule in a given group has a unique Oracle-assigned identifier (example: 04ABEC). When you call UpdateNetworkSecurityGroupSecurityRules, you provide the IDs of the specific rules that you want to update. For comparison, with security lists, the rules have no unique identifier. When you call UpdateSecurityList, you must pass in the entire list of rules, including rules that are not being updated in the call.

    Run the AddNetworkSecurityGroupSecurityRules operation to add NSG security rules.

    Run the UpdateNetworkSecurityGroupSecurityRules operation to update NSG security rules.

    Run the RemoveNetworkSecurityGroupSecurityRules operation to remove NSG security rules.