Policy Examples

Learn about Zero Trust Packet Routing policies from examples.

You can also learn about policies by exploring the Policy Template Builder.

Database policy examples

Write policy to allow a database to connect to OCI services

Allow databases with the security attribute DB-Server to connect to OCI services.

in VCN-Network:DB VCN allow db:DB-Server endpoints to connect to 'osn-services-ip-addresses'

Write policy to allow clients to connect to a database

Allow clients in the VCN-Network:DB VCN to connect to the database with the DB-Server:App1:App1 security attribute over SQL*Net (tcp/1521). The statement uses all-endpoints as the source, so any endpoint in the VCN can initiate the connection; to limit it to a set of clients, name their security attribute in place of all-endpoints.

in VCN-Network:DB VCN allow all-endpoints to connect to DB-Server:App1:App1 endpoints with protocol='tcp/1521'
Write policy to allow clients in one VCN to connect to a database in a different VCN

Note

You must use IP addresses to reference targets in a different VCN.

Allow clients with the apps:app1 security attribute in the networks:net1 VCN to connect to the range of IP addresses in the other VCN. No protocol clause is given, so every protocol and port is allowed toward that range; add with protocol='tcp/1521' to limit the statement to SQL*Net.

in networks:net1 VCN allow apps:app1 endpoints to connect to '192.168.0.0/16'

192.168.0.0/16 is the range of IP addresses in the other VCN.

Compute instance policy examples

Write policy to allow Compute instances in the same VCN to connect by SSH

Allow compute:instance1 endpoints to connect to compute:instance2 endpoints in the networks:net1 VCN by SSH (tcp/22).

in networks:net1 VCN allow compute:instance1 endpoints to connect to compute:instance2 endpoints with protocol='tcp/22'

Write policy to allow clients to connect to a database to make SQL*Net connections

In the networks:net1 VCN, allow compute:instance1 endpoints to connect to db:DB-Server endpoints with protocol='tcp/1521'.

in networks:net1 VCN allow compute:instance1 endpoints to connect to db:DB-Server endpoints with protocol='tcp/1521'

Write policy to allow clients in one VCN to connect to a Compute instance in a different VCN

Note

You must use IP addresses to reference targets in a different VCN.

Allow clients with the apps:app1 security attribute in the networks:net1 VCN to connect to the range of IP addresses in the other VCN. The statement has the same form as for a remote database: the far side is identified by its IP range, not by a security attribute.

in networks:net1 VCN allow apps:app1 endpoints to connect to '192.168.0.0/16'

192.168.0.0/16 is the range of IP addresses in the other VCN.

Network Load Balancer policy examples

Write policy to allow an IP address to connect to a network load balancer

In the my:VCN VCN, allow any source IP address (0.0.0.0/0) to connect to the network load balancer with the XYZ-NLB:NLB1 security attribute. Because no protocol clause is given, the statement admits every protocol and port; for an internet-facing listener, add with protocol='tcp/<listener port>' and narrow the source range wherever the client population is known.

in my:VCN VCN allow '0.0.0.0/0' to connect to XYZ-NLB:NLB1 endpoints

Write policy to connect network load balancers to application endpoints

In the my:VCN VCN, allow network load balancer endpoints with the XYZ-NLB:NLB1 security attribute to connect to ABC-web-servers:app1 endpoints.

in my:VCN VCN allow XYZ-NLB:NLB1 endpoints to connect to ABC-web-servers:app1 endpoints

VCN policy example

Write policy to connect resources across VCNs

Allow compute clients with the DB-client:App1 security attribute to connect to the database running app1 over a SQL*Net connection (tcp/1521).

Note

Two policies are used because the database and the clients reside in separate VCNs. A statement applies only in the VCN it names, so the side that lives in the other VCN must be referenced by its IP range rather than by a security attribute, and both statements are needed for the traffic to pass.

in VCN-Network:DB VCN allow DB-client:App1 endpoints to connect to '192.168.0.0/16' with protocol='tcp/1521'
in VCN-Network:Remote VCN allow '0.0.0.0/0' to connect to DB-client:app1 endpoints with protocol='tcp/1521'

The second statement accepts connections from any source address; replace 0.0.0.0/0 with the IP range of the client VCN so that each side names the other's range.
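Statements like the ones on this page are applied as written, so a syntax slip (a missing VCN keyword) or an over-broad grant (all-endpoints or 0.0.0.0/0 as the source, no protocol clause, an IP range with no matching statement in the other VCN) is easy to miss in review. The following Python script is an added example, not Oracle code and not the ZPR service's own parser: it lints statements of the shape used in the examples above. The grammar it accepts, the warning rules, and the POLICY list are assumptions built from this page's examples, not a specification of the language.

```python
"""Lint Zero Trust Packet Routing policy statements before they are applied.

Added example for this page; not Oracle code and not the ZPR service's parser.
It accepts only the statement shape used in the examples on this page, which is
an assumption about the language rather than its full grammar:

    in <vcn-attribute> VCN allow <source> to connect to <target>
        [with protocol='<proto>/<port>']

<source> is all-endpoints, a quoted IP range, or "<attribute> endpoints";
<target> is a quoted IP range, a quoted service name, or "<attribute> endpoints".
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

_STATEMENT = re.compile(
    r"^in\s+(?P<vcn>\S+)\s+VCN\s+allow\s+(?P<src>.+?)\s+to\s+connect\s+to\s+(?P<dst>.+?)"
    r"(?:\s+with\s+protocol='(?P<proto>[a-z]+)/(?P<port>\d+)')?$"
)


@dataclass
class Statement:
    vcn: str
    source: Tuple[str, object]  # (kind, value); kind is 'all', 'cidr', 'named' or 'attr'
    target: Tuple[str, object]
    protocol: Optional[str]
    port: Optional[int]
    warnings: List[str] = field(default_factory=list)


def _endpoint(text: str) -> Tuple[str, object]:
    """Classify one side of a statement."""
    text = text.strip()
    if text == "all-endpoints":
        return ("all", None)
    quoted = re.fullmatch(r"'([^']*)'", text)
    literal = quoted.group(1) if quoted else text
    try:  # quoted or bare IP range
        return ("cidr", ipaddress.ip_network(literal, strict=False))
    except ValueError:
        pass
    if quoted:  # quoted name that is not an address, e.g. 'osn-services-ip-addresses'
        return ("named", literal)
    attr = re.fullmatch(r"(\S+)\s+endpoints", text)
    if attr:
        return ("attr", attr.group(1))
    raise ValueError(f"cannot parse endpoint expression: {text!r}")


def parse_statement(stmt: str) -> Statement:
    """Parse one statement and attach the warnings a reviewer would raise."""
    m = _STATEMENT.match(stmt.strip())
    if not m:
        raise ValueError(
            "expected 'in <vcn> VCN allow <source> to connect to <target> "
            f"[with protocol=...]': {stmt!r}"
        )
    src = _endpoint(m.group("src"))
    dst = _endpoint(m.group("dst"))
    proto = m.group("proto")
    port = int(m.group("port")) if m.group("port") else None
    st = Statement(m.group("vcn"), src, dst, proto, port)

    kind, value = src
    if kind == "all" or (kind == "cidr" and value.prefixlen == 0):
        st.warnings.append("unrestricted source (all-endpoints or 0.0.0.0/0)")
    if proto is None:
        st.warnings.append("no protocol clause: every protocol and port is allowed")
    for side, (k, v) in (("source", src), ("target", dst)):
        if k == "cidr" and v.prefixlen != 0:
            st.warnings.append(
                f"{side} is an IP range ({v}): a matching statement is needed in the VCN that owns it"
            )
    return st


def is_well_formed(stmt: str) -> bool:
    """True when the statement parses; catches e.g. a missing VCN keyword."""
    try:
        parse_statement(stmt)
    except ValueError:
        return False
    return True


def lint(statements: List[str]) -> List[Statement]:
    return [parse_statement(s) for s in statements]


# Constructed input: statements taken from the examples on this page.
POLICY = [
    "in networks:net1 VCN allow compute:instance1 endpoints to connect to compute:instance2 endpoints with protocol='tcp/22'",
    "in my:VCN VCN allow '0.0.0.0/0' to connect to XYZ-NLB:NLB1 endpoints",
    "in networks:net1 VCN allow apps:app1 endpoints to connect to '192.168.0.0/16'",
]

if __name__ == "__main__":
    for st in lint(POLICY):
        print(f"{st.vcn}: {st.source} -> {st.target} {st.protocol}/{st.port}")
        for w in st.warnings:
            print("    WARNING:", w)
```

Run it over a policy's statements before creating the policy; a statement that does not parse is rejected outright, and every warning points at a grant that should be narrowed or paired with its counterpart in the other VCN.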