Oracle Cloud Infrastructure Documentation

Security Lists

The Networking service offers two virtual firewall features to control traffic at the packet level:

  • Security lists: Covered in this topic. This is the original type of virtual firewall offered by the Networking service.
  • Network security groups: Another type of virtual firewall that Oracle recommends over security lists. See Network Security Groups.

Both of these features use security rules. For important information about how security rules work, and a general comparison of security lists and network security groups, see Security Rules.

Highlights

  • Security lists act as virtual firewalls for your compute instances and other kinds of resources. A security list consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the security list is associated with. This means that all the VNICs in a given subnet are subject to the same set of security lists. See Comparison of Security Lists and Network Security Groups.
  • Security list rules function the same as network security group rules. For a discussion of rule parameters, see Parts of a Security Rule.
  • Each VCN comes with a default security list that has several default rules for essential traffic. If you don't specify a custom security list for a subnet, the default security list is automatically used with that subnet. You can add and remove rules from the default security list.
  • Security lists have separate and different limits compared to network security groups. See Comparison of Security Lists and Network Security Groups.

Overview of Security Lists

A security list acts as a virtual firewall for an instance, with ingress and egress rules that specify the types of traffic allowed in and out. Each security list is enforced at the VNIC level. However, you configure your security lists at the subnet level, which means that all VNICs in a given subnet are subject to the same set of security lists. The security lists apply to a given VNIC whether it's communicating with another instance in the VCN or a host outside the VCN.

Each subnet can have multiple security lists associated with it, and each list can have multiple rules (for the maximum number, see Comparison of Security Lists and Network Security Groups). A packet in question is allowed if any rule in any of the lists allows the traffic (or if the traffic is part of an existing connection being tracked). There's a caveat if the lists happen to contain both stateful and stateless rules that cover the same traffic. For more information, see Stateful Versus Stateless Rules.

Security lists are regional entities. For limits related to security lists, see Comparison of Security Lists and Network Security Groups.

Security lists can control both IPv4 and IPv6 traffic. IPv6 addressing and related security list rules are supported in all commercial and government regions. For more information, see IPv6 Addresses.

See Security List Limits and Requesting a Service Limit Increase for limits-related information.

Default Security List

Unlike other security lists, the default security list comes with an initial set of stateful rules, which should in most cases be changed to only allow inbound traffic from authorized subnets relevant to the region that homes that VCN or subnet. A list of authorized subnet ranges relevant to each region can be found at https://docs.cloud.oracle.com/iaas/tools/public_ip_ranges.json.

  • Stateful ingress: Allow TCP traffic on destination port 22 (SSH) from authorized source IP addresses and any source port. This rule makes it easy for you to create a new cloud network and public subnet, launch a Linux instance, and then immediately use SSH to connect to that instance without needing to write any security list rules yourself.

    Important

    The default security list does not include a rule to allow Remote Desktop Protocol (RDP) access. If you're using Windows images, make sure to add a stateful ingress rule for TCP traffic on destination port 3389 from authorized source IP addresses and any source port.

    See To enable RDP access for more information.

  • Stateful ingress: Allow ICMP traffic type 3 code 4 from authorized source IP addresses. This rule enables your instances to receive Path MTU Discovery fragmentation messages.
  • Stateful ingress: Allow ICMP traffic type 3 (all codes) from your VCN's CIDR block. This rule makes it easy for your instances to receive connectivity error messages from other instances within the VCN.
  • Stateful egress: Allow all traffic. This allows instances to initiate traffic of any kind to any destination. Notice that this means the instances with public IP addresses can talk to any internet IP address if the VCN has a configured internet gateway. And because stateful security rules use connection tracking, the response traffic is automatically allowed regardless of any ingress rules. For more information, see Stateful Versus Stateless Rules.

The default security list comes with no stateless rules. However, you can always add or remove rules from the default security list.

If your VCN is enabled for IPv6 addressing the default security list contains some default rules for IPv6 traffic. For more information, see Security Rules for IPv6 Traffic.

Enabling Ping

The default security list does not include a rule to allow ping requests. If you plan to ping an instance, see Rules to Handle Fragmented UDP Packets.

Security Rules for IPv6 Traffic

Like route tables, the VCN's network security groups and security lists support both IPv4 and IPv6 rules. For example, a network security group or security list could have these security rules:

  • Rule to allow SSH traffic from the on-premises network's IPv4 CIDR
  • Rule to allow ping traffic from the on-premises network's IPv4 CIDR
  • Rule to allow SSH traffic from the on-premises network's IPv6 prefix
  • Rule to allow ping traffic from the on-premises network's IPv6 prefix

The default security list in an IPv6-enabled VCN includes default IPv4 rules and the following default IPv6 rules:

  • Stateful ingress: Allow IPv6 TCP traffic on destination port 22 (SSH) from source ::/0 and any source port. This rule makes it easy for you to create a VCN with a public subnet and internet gateway, create a Linux instance, add an internet-access-enabled IPv6, and then immediately connect with SSH to that instance without needing to write any security rules yourself.

    Important

    The default security list does not include a rule to allow Remote Desktop Protocol (RDP) access. If you're using Windows images, add a stateful ingress rule for TCP traffic on destination port 3389 from source ::/0 and any source port.

    See To enable RDP access for more information.

  • Stateful ingress: Allow ICMPv6 traffic type 2 code 0 (Packet Too Big) from source ::/0 and any source port. This rule enables your instances to receive Path MTU Discovery fragmentation messages.
  • Stateful egress: Choosing to allow all IPv6 traffic lets instances initiate IPv6 traffic of any kind to any destination. Notice that instances with an internet-access-enabled IPv6 can talk to any internet IPv6 address if the VCN has a configured internet gateway. And because stateful security rules use connection tracking, the response traffic is automatically allowed regardless of any ingress rules. For more information, see Stateful Versus Stateless Rules.

Working with Security Lists

General Process for Working with Security Lists

  1. Create a security list.
  2. Add security rules to the security list.
  3. Associate the security list with one or more subnets.
  4. Create resources in the subnet (for example, create compute instances in the subnet). The security rules apply to all the VNICs in that subnet. See Comparison of Security Lists and Network Security Groups.

Additional Details

When you create a subnet, you must associate at least one security list with it. It can be either the VCN's default security list or one or more other security lists that you've already created (for the maximum number, see Service Limits). You can change which security lists the subnet uses at any time.

You may optionally assign a friendly name to the security list during creation. It doesn't have to be unique, and you can change it later. Oracle automatically assigns the security list a unique identifier called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.

For the purposes of access control, you must specify the compartment where you want the security list to reside. Consult an administrator in your organization if you're not sure which compartment to use. For more information, see Access Control.

You can move security lists from one compartment to another. Moving a security list doesn’t affect its attachment to a subnet. When you move a security list to a new compartment, inherent policies apply immediately and affect access to the security list. For more information, see Managing Compartments.

You can add and remove rules from the security list. A security list can have no rules. Notice that when you update a security list in the API, the new set of rules replaces the entire existing set of rules.

To delete a security list, it must not be associated with a subnet. You can't delete a VCN's default security list.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy  by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment  to work in.

For administrators: The policy in Let network admins manage a cloud network covers management of all Networking components, including security lists.

If you have security admins who need to manage security lists but not other components in Networking, you could write a more restrictive policy: 

Allow group SecListAdmins to manage security-lists in tenancy

Allow group SecListAdmins to manage vcns in tenancy

Both statements are needed because the creation of a security list affects the VCN the security list is in. The scope of the second statement also allows the SecListAdmins group to create VCNs. However, the group can't create subnets or manage any other components related to any of those VCNs (except for the security lists), because other permissions would be required for those resources. The group also can't delete any existing VCNs that already have subnets in them, because that action would require permissions related to subnets.

For more information, see IAM Policies for Networking.

Using the Console

To view a VCN's default security list
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.

  4. Click the default security list to view its details.

    Under Resources, you can click Ingress Rules or Egress Rules to switch between the different types of rules.

To update rules in an existing security list
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click the security list you're interested in.
  5. Under Resources, click either Ingress Rules or Egress Rules depending on the type of rule you want to work with.
  6. If you want to add a rule, click Add Ingress Rule (or Add Egress Rule). See details of adding a rule in To create a security list.
  7. If you want to delete an existing rule, click the Actions menu, and then click Remove.
  8. If you wanted to edit an existing rule, click the Actions menu, and then click Edit.
To create a security list
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click Create Security List.

  5. Enter the following:

    1. Name: A descriptive name for the security list. The name doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
    2. Create in Compartment: The compartment where you want to create the security list, if different from the compartment you're currently working in.

  6. Add either an ingress rule or egress rule (for examples of rules, see Networking scenarios):

    1. Click either Add Ingress Rule or Add Egress Rule.
    2. Choose whether it's a stateful or stateless rule (see Stateful Versus Stateless Rules). By default, rules are stateful unless you specify otherwise.

    3. Enter either the source CIDR (for ingress) or destination CIDR (for egress). For example, use 0.0.0.0/0 to indicate all IP addresses. Other typical CIDRs you might specify in a rule are the CIDR block for your on-premises network, or for a particular subnet. If you're setting up a security list rule to allow traffic with a service gateway , instead see Task 3: (Optional) Update security rules.

    4. Select the IP protocol (for example, TCP, UDP, ICMP, "All protocols", and so on).

    5. Enter further details depending on the protocol:

      • If you chose TCP or UDP, enter a source port range and destination port range. You can enter "All" to cover all ports. If you want to allow a specific port, enter the port number (for example, 22 for SSH or 3389 for RDP) or a port range (for example, 20–22).
      • If you chose ICMP, you can enter "All" to cover all types and codes. If you want to allow a specific ICMP type, enter the type and an optional code separated by a comma (for example, 3,4). If the type has multiple codes you want to allow, create a separate rule for each code.
    6. Enter an optional description of the rule to help manage your security list rules.
  7. Repeat the preceding step for each rule you want to add to the list.
  8. Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
  9. When you're done, click Create Security List.

The security list is created and then displayed on the Security Lists page in the compartment you chose. You can now specify this security list when creating or updating a subnet.

When you view all the rules in a security list, notice that any stateless rules in the list are shown above any stateful rules. Stateless rules in the list take precedence over stateful rules. In other words: If there's traffic that matches both a stateless rule and a stateful rule across all the security lists associated with the subnet, the stateless rule takes precedence and the connection is not tracked.

To change which security lists a subnet uses
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Click Subnets.
  4. Click the subnet you're interested in.
  5. Under Resources, click Security Lists.
  6. If you want to add a security list, click Add Security List, and select the new security list you want the subnet to use.

  7. If you want to remove a security list, click the Actions menu, and then click Remove. Remember that a subnet must always have at least one security list associated with it.

    The changes take effect within a few seconds.

To move a security list to a different compartment
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Find the security list, click the the Actions menu, and then click Move Resource.
  5. Choose the destination compartment from the list.
  6. Click Move Resource.
To delete a security list

Prerequisite: To delete a security list, it must not be associated with a subnet. You can't delete the default security list in a VCN.

  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. For the security list you want to delete, click the Actions menu, and then click Terminate.
  5. Confirm when prompted.
To manage tags for a security list
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click the security list you're interested in.
  5. Click the Tags tab to view or edit the existing tags. Or click Add tags to add new ones.

For more information, see Resource Tags.