Creating a Firewall

Learn how to create a network firewall with an attached policy that uses rules, lists, and mapped secrets to control how network traffic is handled.


Before you begin, you'll need:
  • Required IAM Service Policy permissions for Network Firewall, and permission to work in the compartment you want to use.
  • A separate compartment for your network firewalls and policies so that management is easier and more secure. This is optional, but recommended by Oracle.
  • An Oracle Cloud Infrastructure VCN and subnets. For more information, see VCNs and Subnets.
  • IP addresses, ports, and URLs that you want to allow or deny access to.
  • A network firewall policy to attach to the firewall. If you're using the console, you can create a policy as part of the workflow. If you're using the API or CLI, you must create a policy first, and then create the firewall.

  • If the rules configuration in the firewall policy includes certificate authentication to decrypt network traffic, you need an Oracle Cloud Infrastructure Vault secret for each inbound or outbound key. See Setting Up Certificate Authentication for instructions.

  • For better performance, Oracle recommends that you do not add stateful rules to the security list attached to the firewall subnet or include the firewall in a network security group (NSG) containing stateful rules.
  • Security list or network security group (NSG) rules associated with the firewall subnet and VNICs are evaluated before the firewall. Be sure that any security list or NSG rules allow the traffic to enter the firewall so that it can be evaluated appropriately.
  • If the policy you use with the firewall doesn't have any rules specified, the firewall denies all traffic.
    1. Open the navigation menu and click Identity and Security. Under Firewalls, click Network Firewalls.
    2. Click Create network firewall.
    3. Enter a Name for the firewall that can help you identify it later.
    4. Choose a compartment to create the firewall in.
    5. Choose a policy to associate to this firewall. If no policies exist, change the compartment you're working in, or create a policy.
    6. Select a VCN for the firewall.
    7. Select a subnet for the firewall. You can select public or private regular or regional subnets.
    8. (Optional) Select an availability domain for the firewall.

      If you selected a regional subnet, this option isn't available. See VCNs and Subnets for more information.
    9. (Optional) Select I want to manually assign the IP address from the subnet to the firewall and enter an IPv4 address, an IPv6 address, or both. If not selected, the IP address is automatically assigned.
    10. (Optional) Select Use network security groups to control traffic and choose an NSG to control traffic to and from the firewall. Click +Add another network security group to add more NSGs. For more information, see Network Security Groups.
    11. (Optional) Show tagging options: See Overview of Tagging for more information.
    12. Click Create network firewall.

      A work request is created. To view the work request, under Resources click Work requests. When the firewall is created, it appears as Active.

  • Note

    Before you begin, use the oci network-firewall network-firewall-policy create command and required parameters to create a policy for a network firewall.

    Use the oci network-firewall network-firewall create command and required parameters to create a network firewall.
    oci network-firewall network-firewall create --compartment-id compartment_id
     --subnet-id subnet_id --network-firewall-policy-id network_firewall_policy_id[OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Note

    Before you begin, Use the CreateNetworkFirewallPolicy operation to create a policy for the network firewall.

    Use the CreateNetworkFirewall operation to create a network firewall.