Network security groups

The Networking service now offers a new virtual firewall feature called network security groups (NSGs) to control the types of traffic allowed in and out of Compute instances and other resources in your virtual cloud network (VCN).

Historically, you've used your VCN's security lists, which contain security rules to allow traffic at the packet level. NSGs are another method for implementing security rules. An NSG consists of a set of security rules and a set of resources (such as Compute instances) that have the same security posture. An NSG's security rules apply only to the resources in that NSG. Contrast this with a security list, where the rules apply to all the resources in any subnet that uses the list.

When writing a security rule for an NSG, you can specify another NSG in the same VCN as the source or destination of the rule (instead of an IP address range). This makes it easy to write rules to control traffic between NSGs. For a more detailed comparison of NSGs and security lists, see Security Rules.

To use network security groups, you must:

  1. Create one or more NSGs in the VCN.
  2. Add security rules to the NSGs.
  3. Choose one or more NSGs (up to 5) when you create a resource such as a Compute instance. Or you can put the resource in one or more NSGs later. At any time after creating the resource, you can edit which NSGs it belongs to.

For example, when you create an instance, you must specify a VCN and subnet. You then have the option to put the instance in one or more NSGs in that VCN. The security rules in those NSGs are then applied to the instance's primary VNIC. If the instance's subnet also has security rules in its security lists, the instance is subject to the union of the security rules in the instance's NSGs and the subnet's security lists.
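The following Python model is an added illustration, not Oracle's code or part of this documentation. It walks through the three steps above (NSGs are created, rules are attached, VNICs are placed in NSGs) and then evaluates an ingress packet the way the previous paragraph describes: the packet is admitted if any rule in any of the destination VNIC's NSGs or in its subnet's security lists matches (a union, with default deny), and a rule whose source is another NSG matches only when the packet comes from a VNIC that is a member of that NSG. All NSG names, subnet names, IP addresses and rules are constructed for the example; the model covers ingress only and ignores statefulness.

```python
"""Toy model of OCI ingress evaluation for a VNIC in NSGs plus subnet security lists.
Constructed example; not OCI's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CIDR = "CIDR_BLOCK"
NSG = "NETWORK_SECURITY_GROUP"


@dataclass(frozen=True)
class IngressRule:
    protocol: str                      # "tcp", "udp" or "all"
    source_type: str                   # CIDR or NSG
    source: str                        # CIDR string, or NSG name when source_type == NSG
    dst_ports: Optional[tuple] = None  # inclusive (min, max); None means any port


@dataclass(frozen=True)
class Vnic:
    name: str
    ip: str
    subnet: str
    nsgs: frozenset  # names of the NSGs this VNIC belongs to (up to 5 in OCI)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: str
    dst_port: int


def _rule_matches(rule, pkt, vnic_by_ip):
    """True if one ingress rule admits the packet."""
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.dst_ports is not None:
        lo, hi = rule.dst_ports
        if not lo <= pkt.dst_port <= hi:
            return False
    if rule.source_type == CIDR:
        return ip_address(pkt.src_ip) in ip_network(rule.source)
    # NSG source: the packet must originate from a VNIC that is a member of that NSG
    src_vnic = vnic_by_ip.get(pkt.src_ip)
    return src_vnic is not None and rule.source in src_vnic.nsgs


def ingress_allowed(pkt, dest, nsgs, subnet_lists, vnics):
    """Return (allowed, matches). 'matches' names every rule set ("nsg:<name>" or
    "seclist:<name>") that would admit the packet. The packet is allowed if ANY
    attached NSG or ANY security list on the subnet admits it (union); with no
    match it is denied by default."""
    vnic_by_ip = {v.ip: v for v in vnics}
    matches = []
    for nsg_name in sorted(dest.nsgs):
        if any(_rule_matches(r, pkt, vnic_by_ip) for r in nsgs.get(nsg_name, ())):
            matches.append(f"nsg:{nsg_name}")
    for list_name, rules in subnet_lists.get(dest.subnet, {}).items():
        if any(_rule_matches(r, pkt, vnic_by_ip) for r in rules):
            matches.append(f"seclist:{list_name}")
    return bool(matches), matches


# --- constructed sample VCN ---------------------------------------------------
# Step 1 + 2: two NSGs with their rules. "db" admits port 1521 only from members of "web".
NSGS = {
    "web": [IngressRule("tcp", CIDR, "0.0.0.0/0", (443, 443))],
    "db": [IngressRule("tcp", NSG, "web", (1521, 1521))],
}
# Subnet security lists. The app subnet's list still opens SSH to the world (constructed).
SUBNET_SECURITY_LISTS = {
    "app-subnet": {"default-seclist": [IngressRule("tcp", CIDR, "0.0.0.0/0", (22, 22))]},
    "db-subnet": {"default-seclist": []},
}
# Step 3: VNICs placed in NSGs (stray-1 is in the app subnet but in no NSG).
VNICS = [
    Vnic("web-1", "10.0.1.10", "app-subnet", frozenset({"web"})),
    Vnic("db-1", "10.0.2.20", "db-subnet", frozenset({"db"})),
    Vnic("stray-1", "10.0.1.99", "app-subnet", frozenset()),
]
VNIC_BY_NAME = {v.name: v for v in VNICS}


def check(src_ip, dest_name, protocol, dst_port):
    """Evaluate one ingress packet against the sample VCN."""
    pkt = Packet(src_ip, protocol, dst_port)
    return ingress_allowed(pkt, VNIC_BY_NAME[dest_name], NSGS, SUBNET_SECURITY_LISTS, VNICS)


if __name__ == "__main__":
    for src, dst, proto, port in [
        ("10.0.1.10", "db-1", "tcp", 1521),   # web NSG member -> db: allowed via NSG rule
        ("10.0.1.99", "db-1", "tcp", 1521),   # same subnet, not in web NSG: denied
        ("203.0.113.5", "web-1", "tcp", 443), # allowed by the web NSG
        ("203.0.113.5", "web-1", "tcp", 22),  # NSG says nothing, security list admits it
    ]:
        print(f"{src} -> {dst} {proto}/{port}: {check(src, dst, proto, port)}")
```

The last case is the one to watch for in a review: the "web" NSG never allows port 22, yet the packet is admitted because the subnet's security list still does. Tightening an NSG does not remove what the subnet's security lists grant, so both rule sets have to be reviewed together.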

Resources That Can Be Placed in NSGs

At this time, you can place these resources in NSGs:

  • Compute instances: primary VNIC
  • Compute instances: secondary VNICs
  • DB systems
  • Load balancers

For more information, see Network Security Groups.