Policy Examples
Learn about Zero Trust Packet Routing policies from examples.
You can also learn about policies by exploring the Policy Template Builder.
Database policy examples
Allow databases with the DB-Server security attribute to connect to OCI services.
in VCN-Network:DB VCN allow db:DB-Server endpoints to connect to 'osn-services-ip-addresses'
Allow clients with the app1 security attribute to connect to the DB-Server:App1 database through the tcp/1521 port.
in VCN-Network:DB VCN allow all-endpoints to connect to DB-Server:App1:App1 endpoints with protocol='tcp/1521'
Allow clients with the app1 security attribute to connect to the DB-Server:App1 database through ports tcp/999-11199.
in VCN-Network:DB VCN allow all-endpoints to connect to DB-Server:App1:App1 endpoints with protocol='tcp/999-11199'
Allow clients with the frontend security attribute to connect to the database:server database through the tcp/1521 port with a stateless connection.
in finance.network:prod VCN allow app:frontend endpoints to connect to database:server endpoints with protocol = 'tcp/1521', connection-state = 'stateless'
You must use IP addresses to reference targets in a different VCN.
Allow clients in the networks:net1 VCN to connect to <range of IP addresses in the other VCN>.
in networks:net1 VCN allow apps:app1 endpoints to connect to '192.168.0.0/16'
192.168.0.0/16 is the range of IP addresses in the other VCN.
Compute instance policy examples
Allow compute:instance1 endpoints to connect to compute:instance2 endpoints in the networks:net1 VCN by SSH.
in networks:net1 VCN allow compute:instance1 endpoints to connect to compute:instance2 endpoints with protocol='tcp/22'
In the networks:net1 VCN, allow compute:instance1 endpoints to connect to db:DB-Server endpoints with protocol='tcp/1521'.
in networks:net1 VCN allow compute:instance1 endpoints to connect to db:DB-Server endpoints with protocol='tcp/1521'
Network Load Balancer policy examples
In the my:VCN VCN, allow the 0.0.0.0/0 IP address range to connect to the network load balancer with the XYZ-NLB:NLB1 security attribute.
in my:VCN VCN allow '0.0.0.0/0' to connect to XYZ-NLB:NLB1 endpoints
In the my:VCN VCN, allow network load balancer endpoints with the XYZ-NLB:NLB1 security attribute to connect to ABC-web-servers:app1 endpoints.
in my:VCN VCN allow XYZ-NLB:NLB1 endpoints to connect to ABC-web-servers:app1 endpoints
VCN policy example
Allow compute clients with the applications:app1 security attribute to connect to the database running app1 over a SQLNet connection. Two policies are used because the database and clients reside in separate VCNs.
in VCN-Network:DB VCN allow DB-client:App1 endpoints to connect to '10.1.2.0/24' with protocol='tcp/1521'
in VCN-Network:Remote VCN allow '10.1.2.0/24' to connect to DB-client:app1 endpoints with protocol='tcp/1521'
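The statements above all follow one shape: "in <namespace>:<VCN> VCN allow <source> to connect to <target> [with ...]", where a side is a security attribute followed by "endpoints", the keyword all-endpoints, or a quoted CIDR or service name, and the with-clause carries a protocol (single port or port range) and optionally a connection-state. The added example below, which is not part of this page or of OCI's ZPR implementation, parses those statements, rejects malformed port ranges, and evaluates a flow against them under a deliberately simplified model: a statement governs only the VCN it names, an attribute matcher only matches endpoints inside that VCN (so, as the page says, a target in another VCN must be referenced by IP), and a cross-VCN flow is allowed only when both VCNs have a matching statement, which is why the VCN policy example needs two statements. It serves both the database examples (port ranges, stateless connections) and the VCN policy example (two-statement cross-VCN access). The Endpoint class, the cross-VCN statement pair, and every IP address and VCN name used in the demo are constructed for illustration.

```python
"""Parser and simplified evaluator for ZPR-style policy statements.

Assumed model (illustrative, not OCI's actual engine):
 - a statement only governs traffic in the VCN named after `in`;
 - a security-attribute matcher only matches endpoints in that VCN, so a
   remote target must be referenced by IP/CIDR, as the page states;
 - a cross-VCN flow is allowed only if both VCNs' statements allow it.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

STATEMENT = re.compile(
    r"^in\s+(?P<vcn>\S+)\s+VCN\s+allow\s+(?P<src>.+?)\s+to\s+connect\s+to\s+"
    r"(?P<dst>.+?)(?:\s+with\s+(?P<with>.+))?$"
)
PROTOCOL = re.compile(r"^(?P<proto>[a-z]+)/(?P<lo>\d+)(?:-(?P<hi>\d+))?$")


@dataclass(frozen=True)
class Endpoint:
    """An endpoint as the evaluator sees it (constructed for this example)."""
    vcn: str
    ip: str
    attrs: frozenset = frozenset()


@dataclass
class Statement:
    vcn: str
    src: tuple
    dst: tuple
    protocol: Optional[tuple]   # (proto, low_port, high_port); None = any
    state: Optional[str]        # e.g. 'stateless'; None = not constrained


def _parse_side(text):
    """Classify one side of 'allow X to connect to Y'."""
    text = text.strip()
    if text == "all-endpoints":
        return ("any", None)
    quoted = re.fullmatch(r"'([^']+)'", text)
    if quoted:
        try:
            return ("cidr", ipaddress.ip_network(quoted.group(1), strict=False))
        except ValueError:
            return ("service", quoted.group(1))  # e.g. osn-services-ip-addresses
    attr = re.fullmatch(r"(\S+)\s+endpoints", text)
    if attr:
        return ("attr", attr.group(1))
    raise ValueError(f"unrecognised endpoint spec: {text!r}")


def _parse_with(text):
    """Parse "protocol='tcp/1521', connection-state='stateless'" style clauses."""
    protocol, state = None, None
    for clause in (text or "").split(",") if text else []:
        m = re.fullmatch(r"\s*([\w-]+)\s*=\s*'([^']*)'\s*", clause)
        if not m:
            raise ValueError(f"bad with-clause: {clause!r}")
        key, value = m.groups()
        if key == "protocol":
            p = PROTOCOL.fullmatch(value)
            if not p:
                raise ValueError(f"bad protocol: {value!r}")
            lo, hi = int(p["lo"]), int(p["hi"] or p["lo"])
            if not 0 <= lo <= hi <= 65535:   # reject inverted or out-of-range ports
                raise ValueError(f"bad port range: {value!r}")
            protocol = (p["proto"], lo, hi)
        elif key == "connection-state":
            state = value
        else:
            raise ValueError(f"unknown key: {key!r}")
    return protocol, state


def parse_statement(line):
    m = STATEMENT.match(line.strip())
    if not m:
        raise ValueError(f"not a policy statement: {line!r}")
    protocol, state = _parse_with(m["with"])
    return Statement(m["vcn"], _parse_side(m["src"]), _parse_side(m["dst"]), protocol, state)


def check_statement(line):
    """Return None if the statement parses, else the error message."""
    try:
        parse_statement(line)
        return None
    except ValueError as exc:
        return str(exc)


def _side_matches(side, endpoint, policy_vcn):
    kind, value = side
    if kind == "any":
        return True
    if kind == "cidr":
        return ipaddress.ip_address(endpoint.ip) in value
    if kind == "attr":   # assumed: attributes are only visible within the policy's VCN
        return endpoint.vcn == policy_vcn and value in endpoint.attrs
    return False          # named services are not modelled as endpoints here


def _statement_allows(st, src, dst, proto, port, state):
    if st.protocol is not None:
        p, lo, hi = st.protocol
        if p != proto or not lo <= port <= hi:
            return False
    if st.state is not None and st.state != state:
        return False
    return _side_matches(st.src, src, st.vcn) and _side_matches(st.dst, dst, st.vcn)


def is_allowed(statements, src, dst, proto, port, state="stateful"):
    """Allow only if every VCN the flow touches has a matching statement."""
    return all(
        any(st.vcn == vcn and _statement_allows(st, src, dst, proto, port, state)
            for st in statements)
        for vcn in {src.vcn, dst.vcn}
    )


# Constructed cross-VCN pair mirroring the page's pattern: each VCN names the
# remote side by CIDR and its own side by security attribute.
CROSS_VCN = [
    "in networks:net1 VCN allow apps:app1 endpoints to connect to '192.168.10.0/24' with protocol='tcp/1521'",
    "in networks:net2 VCN allow '10.0.1.0/24' to connect to db:DB-Server endpoints with protocol='tcp/1521'",
]

if __name__ == "__main__":
    policy = [parse_statement(s) for s in CROSS_VCN]
    client = Endpoint("networks:net1", "10.0.1.7", frozenset({"apps:app1"}))
    db = Endpoint("networks:net2", "192.168.10.5", frozenset({"db:DB-Server"}))
    print("both VCNs allow:", is_allowed(policy, client, db, "tcp", 1521))
    print("net2 statement missing:", is_allowed(policy[:1], client, db, "tcp", 1521))
```

Dropping either statement of the pair makes is_allowed return False, which is the behaviour a reviewer should expect from the page's "two policies are used" remark; the port-range check in _parse_with is where a typo such as tcp/70000 or an inverted range is caught before a policy is ever applied.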