Managing Zero Trust Packet Routing Policies
Create and manage Zero Trust Packet Routing (ZPR) policies.
A ZPR policy is a rule that governs the communication between specific endpoints identified by their security attributes. A ZPR policy can be created only in the root compartment of a tenancy. To create a ZPR policy, you have several options:
- Simple policy builder lets you select from prepopulated lists of resources identified by their security attributes to express security intent between two endpoints. The policy builder automatically generates the policy statement using correct syntax.
- Policy template builder lets you select from a list of templates based on common use case scenarios that provide prefilled ZPR policy statements that you can then customize to create a ZPR policy.
- Manual policy builder lets you enter free-form policy.
Changes to ZPR policies in the Console might take up to five minutes to apply.
Policy Template Builder
The policy templates included in the Policy template builder provide you with the sample syntax you might need for common use cases.
The policy templates in the Policy template builder are organized into the following sections:
| Use Case | Policy | Notes |
|---|---|---|
| Allow a Compute instance to connect on all ports & protocols to another Compute instance in the same VCN. | in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of target-compute> endpoints | None. |
| Allow a Compute instance to connect via SSH to another Compute instance in the same VCN. | in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of target-compute> endpoints with protocol='tcp/22' | None. |
| Allow a Compute instance to connect to a database service within the same VCN. | in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521' | None. |
| Allow a Compute instance to connect to another Compute instance across VCNs in the same region. | Allow <security attribute of source-compute> endpoints in <security attribute of source VCN> VCN to connect to <security attribute of target-compute> endpoints in <security attribute of target VCN> VCN | For different regions or VCNs that don't use ZPR security attributes, use the following policy: in |
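To check what a template-shaped statement actually grants before applying it, here is an added Python example (not Oracle's code or ZPR's published grammar) that parses the two statement shapes shown in the table above and flags statements that carry no protocol clause, i.e. the "all ports & protocols" form. The attribute values (app-vcn, web-tier, db-tier, bastion) are constructed placeholders, and the regexes approximate only the shapes shown on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The two statement shapes the template builder emits (regexes constructed here,
# not Oracle's published grammar). Each security attribute is matched as one token.
SAME_VCN = re.compile(
    r"^in\s+(?P<vcn>\S+)\s+VCN\s+allow\s+(?P<src>\S+)\s+endpoints\s+to\s+connect\s+to\s+"
    r"(?P<dst>\S+)\s+endpoints(?:\s+with\s+protocol='(?P<proto>[^']+)')?\s*$",
    re.IGNORECASE,
)
CROSS_VCN = re.compile(
    r"^allow\s+(?P<src>\S+)\s+endpoints\s+in\s+(?P<src_vcn>\S+)\s+VCN\s+to\s+connect\s+to\s+"
    r"(?P<dst>\S+)\s+endpoints(?:\s+with\s+protocol='(?P<proto>[^']+)')?\s+in\s+(?P<dst_vcn>\S+)\s+VCN\s*$",
    re.IGNORECASE,
)

@dataclass
class ZprRule:
    src_vcn: str
    src: str
    dst_vcn: str
    dst: str
    protocol: Optional[str]  # None means the "all ports & protocols" template form

def parse_statement(stmt: str) -> Optional[ZprRule]:
    """Return the endpoints and protocol a template-shaped statement allows, or None."""
    m = SAME_VCN.match(stmt.strip())
    if m:
        return ZprRule(m["vcn"], m["src"], m["vcn"], m["dst"], m["proto"])
    m = CROSS_VCN.match(stmt.strip())
    if m:
        return ZprRule(m["src_vcn"], m["src"], m["dst_vcn"], m["dst"], m["proto"])
    return None

def review_policy(statements: List[str]) -> List[str]:
    """Flag statements that do not match a template shape or that restrict no protocol."""
    findings = []
    for i, stmt in enumerate(statements, 1):
        rule = parse_statement(stmt)
        if rule is None:
            findings.append(f"stmt {i}: does not match a template shape, review manually")
        elif rule.protocol is None:
            findings.append(f"stmt {i}: {rule.src} -> {rule.dst} allows all ports & protocols")
    return findings

# Constructed sample policy using hypothetical attribute values.
SAMPLE_POLICY = [
    "in app-vcn VCN allow web-tier endpoints to connect to db-tier endpoints with protocol='tcp/1521'",
    "in app-vcn VCN allow bastion endpoints to connect to web-tier endpoints with protocol='tcp/22'",
    "Allow app-tier endpoints in app-vcn VCN to connect to db-tier endpoints in db-vcn VCN",
]

if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY):
        print(finding)
```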
| Use Case | Policy | Notes |
|---|---|---|
| Enable database service for SSH access, database client access, Object Storage access, Vault, Data Safe, and other OCI service access, Real Application Clusters (RAC), and Data Guard. | in in in | This policy allows Compute instances to connect to the database service on TCP port 1521 for client access. This policy allows the database service to connect to OSN services. This policy enables communication between database service endpoints. |
| Data Guard Cross VCN or Region | Allow | This policy allows Compute-to-database communication to the Data Guard Standby VCN in the same region. |
| Data Guard Cross VCN or Region | in | This policy allows Compute-to-database communication to the Data Guard Standby VCN in a different region, or to a VCN that doesn't have security attributes applied to it. |
| Data Guard Cross VCN or Region | in | This policy allows the Data Guard Standby to connect to OSN services. |
| Data Guard Cross VCN or Region | Allow Allow | This policy allows communication between the Data Guard Primary and Standby databases in the same region, and Compute-to-database communication to the Standby VCN in the same region. |
| | in in | This policy allows communication between the Data Guard Primary and Standby databases, even if they're located in different regions or VCNs, or to a VCN that doesn't have security attributes applied to it. |
| Data Guard Cross VCN or Region | Allow | This policy allows Data Guard Standby-to-Primary communication in the same region. |
| | in in | This policy allows Data Guard Standby-to-Primary communication in different regions, or to a VCN that doesn't have security attributes applied to it. |
| Use Case | Policy | Notes |
|---|---|---|
| Enable database service for all scenarios (includes backup and Data Guard). | in in | VM-Cluster Provisioning, Backup/Restore, KMS, Patching, DP events, Oracle RAC. Apply the security attribute of the database service to the Oracle Base Database Service resources for the Data Guard Primary and Standby. |
| RAC support | in | None. |
| Data Guard Cross VCN or Region | Allow | This policy allows Compute clients to connect to the Data Guard Standby VCN in the same region. |
| | in | This policy allows Compute clients to connect to the Data Guard Standby VCN in different regions, or to a VCN that doesn't have security attributes applied to it. |
| Data Guard Cross VCN or Region | in | This policy allows the Data Guard Standby to connect to OSN services. |
| Data Guard Cross VCN or Region | Allow Allow | This policy allows the Data Guard Primary to connect to the Data Guard Standby, both egress and ingress, in each VCN in the same region. |
| | in in | This policy allows the Data Guard Primary to connect to the Data Guard Standby using CIDR, both egress and ingress, in each VCN in different regions, or to a VCN that doesn't have security attributes applied to it. |
| Data Guard Cross VCN or Region | Allow Allow | This policy allows the Data Guard Standby to connect to the Data Guard Primary in each VCN in the same region. |
| | in in | This policy allows the Data Guard Standby to connect to the Data Guard Primary in VCNs in different regions, or to a VCN that doesn't have security attributes applied to it. |
| Use Case | Policy | Notes |
|---|---|---|
| Allow Compute to connect to Autonomous AI Database. | Allow <security attribute of source-compute> endpoints in <security attribute of source VCN> VCN to connect to <security attribute of database service> endpoints with protocol='tcp/1521' in <security attribute of target VCN> VCN | Allow Compute-to-database communication across VCNs in the same region. |
| | in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521' | Allow Compute-to-database communication across VCNs in different regions, or to a VCN that doesn't have security attributes applied to it. |
| Use Case | Policy | Notes |
|---|---|---|
| Enable database service for all scenarios (includes backup and Data Guard). | Allow <security attribute of source-compute> endpoints in <security attribute of source VCN> VCN to connect to <security attribute of database service> endpoints with protocol='tcp/1521' in <security attribute of target VCN> VCN | Allow Compute-to-database communication across VCNs in the same region. |
| | in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521' | Allow Compute-to-database communication across VCNs in different regions, or to a VCN that doesn't have security attributes applied to it. |