Managing Zero Trust Packet Routing Policies
Create and manage Zero Trust Packet Routing (ZPR) policies.
A ZPR policy is a rule that governs the communication between specific endpoints identified by their security attributes. ZPR policy can only be created in the root compartment of a tenancy. To create a ZPR policy, you have several options:
- Simple policy builder lets you select from prepopulated lists of resources identified by their security attributes to express security intent between two endpoints. The policy builder automatically generates the policy statement using correct syntax.
- Policy template builder lets you select from a list of templates based on common use case scenarios that provide prefilled ZPR policy statements that you can then customize to create a ZPR policy.
- Manual policy builder lets you enter free-form policy.
Policy Template Builder
The policy templates included in the Policy template builder provide you with the sample syntax you might need for common use cases.
The policy in the Policy template builder is organized in the following sections:
| Use Case | Policy | Notes |
|---|---|---|
| Allow a compute instance to connect on all ports & protocols to another compute instance. | in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of target-compute> endpoints |
None. |
| Allow compute instance to connect via SSH to another compute instance. | in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of target-compute> endpoints with protocol='tcp/22' |
None. |
| Allow compute to connect to database service. | in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521' |
None. |
| Use Case | Policy | Notes |
|---|---|---|
| Enable database service for SSH access, database client access, Object Storage Access, Vault, Data Safe, and other OCI service access, Real Application Clusters (RAC), and Data Guard |
in in in |
This policy allows the VM Cluster to accept client connection and connect to OSN-services, and connect between Data Guard Primary and Standby VM-Cluster. This policy assumes the Compute clients and Data Guard Primary are in the same VCN. Apply the security attribute of the database service to the VM-Cluster resources for the Data Guard Primary and Standby. |
| Data Guard Cross VCN or Region | in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <Standby VCN CIDR> with protocol='tcp/1521' |
This policy allows Compute clients to connect to Data Guard Standby VCN. |
| Data Guard Cross VCN or Region | in <security attribute of Standby VCN> VCN allow <security attribute of database service> endpoints to connect to 'osn-services-ip-addresses' |
This policy allows the Data Guard Standby to connect to OSN services. |
| Data Guard Cross VCN or Region |
in in |
This policy allows Data Guard Primary to connect to the Data Guard Standby using CIDR, both egress and ingress in each VCN. |
| Data Guard Cross VCN or Region |
in in |
This policy allows Data Guard Standby to connect to the Data Guard Primary using CIDR. |
| Use Case | Policy | Notes |
|---|---|---|
| Enable database service for all scenarios (includes backup and Data Guard). |
in in |
VM-Cluster Provisioning, Backup/Restore, KMS, Patching, DP events, Oracle RAC Apply the security attribute of the database service to the Oracle Base Database Service resources for the Data Guard Primary and Standby. |
| RAC support |
in |
None. |
| Data Guard Cross VCN or Region |
in |
This policy allows Compute clients to connect to Data Guard Standby VCN. |
| Data Guard Cross VCN or Region |
in |
This policy allows the Data Guard Standby to connect to OSN services. |
| Data Guard Cross VCN or Region |
in in |
This policy allows Data Guard Primary to connect to the Data Guard Standby using CIDR, both egress and ingress in each VCN. |
| Data Guard Cross VCN or Region |
in in |
This policy allows Data Guard Standby to connect to the Data Guard Primary using CIDR. |
| Use Case | Policy | Notes |
|---|---|---|
| Allow compute to connect to Autonomous Database. | in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521' |
None. |
| Use Case | Policy | Notes |
|---|---|---|
| Enable database service for all scenarios (includes backup and Data Guard). | in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521' |
None. |