Understanding Zero Trust Packet Routing Policy

Zero Trust Packet Routing policy enforces access control based on the security attributes that are applied to the resources involved in an access attempt.

A policy is a container for a set of policy statements. A policy statement is a rule that specifies who can access what resource, and how. Zero Trust Packet Routing (ZPR) policy is based on an Attribute Based Access Control (ABAC) authorization model that evaluates attributes (or characteristics) to determine access to resources. This approach is different from OCI IAM (see How ZPR Differs from IAM). ZPR policies are designed to achieve "attribute based access control", where the security attributes of the source, the target, and the network are all factored into the evaluation of a policy written in the Zero Trust Packet Routing Policy Language (ZPL).

ZPL lets you write policy statements that allow client endpoints carrying security attributes to access other endpoints. ZPL supports the following types of allow statements for communication to, from, and within individual VCNs, where each VCN is identified by its security attribute:

  • Allow communication between two endpoints within a VCN
  • Allow ingress from a source outside the VCN to an endpoint inside the VCN
  • Allow egress to a target outside the VCN from an endpoint inside the VCN

For example, the following policy statement allows endpoints carrying the hosts:business-analyst security attribute (the source) in the VCN identified by networks:application to connect to endpoints carrying the apps:hr-app-data security attribute (the target):

in networks:application VCN allow hosts:business-analyst endpoints to connect to apps:hr-app-data endpoints

When traffic enters or leaves the VCN, a ZPR policy statement must refer to the endpoint outside the VCN by IP address rather than by security attribute. Security attributes can only be used to refer to endpoints in the same VCN that the statement is scoped to.

For example, if you need to allow a client in the networks:net1 VCN to access a compute instance or database in another VCN, you must use IP addresses to reference the targets in the other VCN:

in networks:net1 allow apps:app1 endpoints to connect to 192.168.0.0/16

where 192.168.0.0/16 is the IP address range of the other VCN.
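The following Python script is an added illustration of how the three statement types above are evaluated under an attribute-based model; it is not Oracle's ZPR implementation and not the official ZPL grammar. It parses the two statement shapes quoted on this page (attribute-to-attribute within a VCN, and attribute-to-CIDR egress), plus an assumed ingress shape with a CIDR on the source side (the page describes ingress by IP address but does not show its exact syntax). The endpoints, VCN names, IP addresses and the third statement are constructed sample data. The evaluator enforces the two points the page makes: evaluation is default deny, and a security attribute only matches an endpoint inside the VCN the statement is scoped to, so a resource in another VCN carrying the same attribute is not matched and must be referenced by IP address.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union

# Statement shape handled here (assumed for illustration, modeled on the page's examples):
#   in <network-attribute> [VCN] allow <source> to connect to <target>
# where <source> and <target> are either "<key>:<value> endpoints" (a security
# attribute applied to resources in the VCN) or a CIDR block such as 192.168.0.0/16.
STATEMENT = re.compile(
    r"^in\s+(?P<net>\S+?)(?:\s+VCN)?\s+allow\s+(?P<src>.+?)\s+to\s+connect\s+to\s+(?P<dst>.+?)$",
    re.IGNORECASE,
)
ATTR_ENDPOINT = re.compile(r"^(?P<attr>[^\s:]+:\S+)\s+endpoints$", re.IGNORECASE)

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Side = Tuple[str, Union[str, Network]]  # ("attr", "apps:app1") or ("cidr", IPv4Network(...))


@dataclass(frozen=True)
class Rule:
    network: str  # security attribute of the VCN the statement is scoped to, e.g. networks:net1
    src: Side
    dst: Side


@dataclass(frozen=True)
class Endpoint:
    ip: str
    vcn: Optional[str]       # security attribute of the VCN the endpoint lives in; None if outside
    attrs: FrozenSet[str]    # security attributes applied to the resource


def parse_side(text: str) -> Side:
    text = text.strip()
    m = ATTR_ENDPOINT.match(text)
    if m:
        return ("attr", m.group("attr").lower())
    return ("cidr", ipaddress.ip_network(text, strict=False))


def parse_statement(line: str) -> Rule:
    m = STATEMENT.match(line.strip())
    if not m:
        raise ValueError(f"unparseable statement: {line!r}")
    src, dst = parse_side(m.group("src")), parse_side(m.group("dst"))
    if src[0] == "cidr" and dst[0] == "cidr":
        # A statement is scoped to one VCN, so at least one side must be an
        # endpoint inside that VCN identified by a security attribute.
        raise ValueError(f"at least one side must be an attribute endpoint: {line!r}")
    return Rule(m.group("net").lower(), src, dst)


def load_policy(text: str) -> List[Rule]:
    return [parse_statement(ln) for ln in text.splitlines() if ln.strip()]


def side_matches(side: Side, ep: Endpoint, rule_vcn: str) -> bool:
    kind, value = side
    if kind == "attr":
        # Attributes only identify endpoints inside the VCN the rule is scoped to;
        # the same attribute on a resource in another VCN does not match.
        in_scope = ep.vcn is not None and ep.vcn.lower() == rule_vcn
        return in_scope and value in {a.lower() for a in ep.attrs}
    return ipaddress.ip_address(ep.ip) in value


def is_allowed(rules: List[Rule], src: Endpoint, dst: Endpoint) -> bool:
    """Default deny: the connection is permitted only if some statement covers it."""
    return any(side_matches(r.src, src, r.network) and side_matches(r.dst, dst, r.network)
               for r in rules)


# Constructed sample policy: the page's two statements plus an assumed ingress form.
POLICY = """
in networks:application VCN allow hosts:business-analyst endpoints to connect to apps:hr-app-data endpoints
in networks:net1 allow apps:app1 endpoints to connect to 192.168.0.0/16
in networks:net1 VCN allow 10.10.0.0/16 to connect to apps:app1 endpoints
"""

# Constructed sample endpoints (addresses and VCN names are placeholders).
ANALYST = Endpoint("10.0.1.5", "networks:application", frozenset({"hosts:business-analyst"}))
HR_DATA = Endpoint("10.0.2.9", "networks:application", frozenset({"apps:hr-app-data"}))
APP1 = Endpoint("10.1.0.4", "networks:net1", frozenset({"apps:app1"}))
OTHER_VCN_DB = Endpoint("192.168.5.20", "networks:net2", frozenset({"apps:hr-app-data"}))
PARTNER = Endpoint("10.10.3.3", None, frozenset())

if __name__ == "__main__":
    rules = load_policy(POLICY)
    for label, s, d in [("analyst -> hr-data", ANALYST, HR_DATA),
                        ("hr-data -> analyst", HR_DATA, ANALYST),
                        ("app1 -> other VCN db (egress by CIDR)", APP1, OTHER_VCN_DB),
                        ("analyst -> other VCN db (attr not in scope)", ANALYST, OTHER_VCN_DB),
                        ("partner -> app1 (ingress by CIDR)", PARTNER, APP1),
                        ("partner -> hr-data", PARTNER, HR_DATA)]:
        print(f"{label}: {'allow' if is_allowed(rules, s, d) else 'deny'}")
```

The direction of the statement matters: the first statement lets the analyst endpoint initiate a connection to the HR data endpoint, but not the reverse, and the analyst's connection to a resource in networks:net2 is denied even though that resource carries apps:hr-app-data, because that attribute is only evaluated for endpoints in networks:application.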

To create ZPR policies, you must first create security attributes, because they are what ZPR policy evaluates. After you create security attributes, review the ZPR policy syntax, then examine the options for creating a policy with the policy builders. You can also learn about ZPR policies from the examples.

Note

You must apply security attributes to OCI resources for ZPR policy to take effect.

After you create security attributes and ZPR policies, you can apply the security attributes to resources.

See Resources That Can Be Assigned Security Attributes for the types of resources you can use in ZPR policies.