Policy Examples

Learn about Zero Trust Packet Routing policies from examples.

You can also learn about policies by exploring the Policy Template Builder.

Database policy examples

Write policy to allow a database to connect to OCI services

Allow databases with the security attribute DB-Server to connect to OCI services.

in VCN-Network:DB VCN allow db:DB-Server endpoints to connect to 'osn-services-ip-addresses'
Write policy to allow clients to connect to a database through a single port

Allow clients with the App:App1 security attribute to connect to the DB-Server:App1 database through the tcp/1521 port.

in VCN-Network:DB VCN allow App:App1 to connect to DB-Server:App1 endpoints with protocol='tcp/1521'
Write policy to allow clients to connect to a database through multiple ports

Allow clients with the App:App1 security attribute to connect to the DB-Server:App1 database through ports tcp/999-11199.

in VCN-Network:DB VCN allow App:App1 to connect to DB-Server:App1 endpoints with protocol='tcp/999-11199'
Write policy to allow clients to connect to a database with a stateless connection

Allow clients with the frontend security attribute to connect to the database:server database through the tcp/1521 port with a stateless connection.

in finance.network:prod VCN allow app:frontend endpoints to connect to database:server endpoints with protocol = 'tcp/1521', connection-state = 'stateless'
Write policy to allow clients in one VCN to connect to a database in a different VCN
Note

You must use IP addresses to reference targets in a different VCN.

Allow clients in the networks:net1 VCN to connect to <range of IP addresses in the other VCN>.

in networks:net1 VCN allow apps:app1 endpoints to connect to '192.168.0.0/16'

192.168.0.0/16 is the range of IP addresses in the other VCN.

Compute instance policy examples

Write policy to allow Compute instances in the same VCN to connect by SSH

Allow compute:instance1 endpoints to connect to compute:instance2 endpoints in the networks:net1 VCN by SSH.

in networks:net1 VCN allow compute:instance1 endpoints to connect to compute:instance2 endpoints with protocol='tcp/22'
Write policy to allow clients to connect to a database to make SQLNet connections

In the networks:net1 VCN allow compute:instance1 endpoints to connect to db:DB-Server endpoints with protocol='tcp/1521'.

in networks:net1 VCN allow compute:instance1 endpoints to connect to db:DB-Server endpoints with protocol='tcp/1521'

Network Load Balancer policy examples

Write policy to allow an IP address to connect to a network load balancer

In the my:VCN VCN allow 0.0.0.0/0 IP address to connect to the network load balancer with the XYZ-NLB:NLB1 security attribute.

in my:VCN VCN allow '0.0.0.0/0' to connect to XYZ-NLB:NLB1 endpoints
Write policy to connect network load balancers to application endpoints

In the my:VCN VCN allow network load balancer endpoints with the XYZ-NLB:NLB1 security attribute to connect to ABC-web-servers:app1 endpoints.

in my:VCN VCN allow XYZ-NLB:NLB1 endpoints to connect to ABC-web-servers:app1 endpoints

VCN policy example

Write policy to connect resources across VCNs

Allow compute clients with the applications:app1 security attribute to connect to the database running app1 over a SQLNet connection.

Note

Two policies are used because the database and clients reside in separate VCNs.
in VCN-Network:DB VCN allow DB-client:App1 endpoints to connect to '10.1.2.0/24' with protocol='tcp/1521'
in VCN-Network:Remote VCN allow '10.1.2.0/24' to connect to DB-client:app1 endpoints with protocol='tcp/1521'