Managing Security Attributes for Private Endpoints (PEs)

Learn how to add, list, and update Zero Trust Packet Routing (ZPR) security attributes for Generative AI private endpoints. Security attributes are labels used by Zero Trust Packet Routing (ZPR) to identify resources and enforce ZPR policies.

About

You can secure a Generative AI private endpoint with ZPR by assigning security attributes to the endpoint and defining ZPR policies that explicitly allow approved traffic.

ZPR is evaluated in addition to routing and traditional network controls. To reach the private endpoint, traffic must be allowed by all the following controls:

  • A valid route to the endpoint subnet
  • Network security group (NSG) and security list rules
  • Applicable ZPR policies
Caution

If you add a ZPR security attribute to a private endpoint, traffic to the endpoint is blocked unless a ZPR policy explicitly allows it. Create and validate your ZPR policy rules before (or immediately after) assigning security attributes to avoid unintended outages.

Key Terms

  • Security attribute: A label that's referenced in a ZPR policy to control access to supported resources.
  • Security attribute namespace: A container for the security attributes.
  • ZPR policy language (ZPL): The policy syntax you use to write ZPR rules that allow or deny network traffic based on security attributes.
  • ZPR policy: A set of allow/deny rules, written in ZPR policy language (ZPL), that controls which resources can communicate by matching their security attribute namespace/key/value labels.

Setup

  1. In the ZPR service, create a security attribute namespace and security attributes, and write ZPR policies (ZPR policies are not IAM policies).
  2. In the Generative AI service, add up to three security attributes to the private endpoint.
  3. Ensure traffic to the endpoint is allowed by:
    • routing
    • NSG/security list rules
    • ZPR policies

See the Zero Trust Packet Routing documentation.

Prerequisites

Complete the following tasks in the ZPR service before you assign security attributes to a private endpoint.

  1. Verify IAM access: Ensure administrators or users have permissions to manage ZPR resources (namespaces, attributes, and ZPR policies). See ZPR IAM Policies.

  2. Create namespace and attributes: Create a security attribute namespace, then create the security attributes your design needs. A namespace can hold many attributes, but a single private endpoint carries at most 3 of them.

  3. Write ZPR policies: Use ZPR policy language (ZPL) to explicitly allow the required traffic to the private endpoint. See ZPR Policies and Policy Syntax.

    Reminder: Traffic must also be allowed by routing, NSG, and security lists.

  4. Plan endpoint labels: Decide the namespace/key/value to apply to the private endpoint and confirm that the ZPR policy allows traffic to that attribute set.

Example ZPR policy (replace <namespace> with your security attribute namespace and <label-1> with the attribute key; 42 is the attribute value; every label in a statement is written as namespace.key:value):

  in <namespace>.<label-1>:42 VCN allow <namespace>.<label-1>:42 endpoints to connect to <namespace>.<label-1>:42 endpoints
  in <namespace>.<label-1>:42 VCN allow all-endpoints to connect to <namespace>.<label-1>:42 endpoints with protocol = 'tcp/443'

The first statement lets endpoints carrying <namespace>.<label-1>:42 reach other endpoints with that attribute inside a VCN that also carries it. The second lets any endpoint in such a VCN reach the labeled endpoints, but only on TCP port 443. A flow that matches neither statement is denied by ZPR once the endpoint carries the attribute.
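To catch a policy gap before you label the endpoint, the following Python script is an added example (not Oracle's code and not the ZPR service's evaluator). It parses the two ZPL statement shapes used above and answers whether a given flow to the labeled private endpoint would be allowed under the rules stated on this page: a labeled endpoint is denied by default unless a statement explicitly allows the flow, and an endpoint carries at most three attributes. The namespace `examplens`, the VCN and client label sets, and the protocols are constructed demo values; the parser covers only the syntax shown here, not the full ZPL grammar, and it says nothing about routing or NSG/security list rules, which the platform evaluates separately.

```python
"""Offline pre-check of ZPR policy statements against planned private-endpoint labels.

Added example (not Oracle's code and not the ZPR evaluator). It models only the
two ZPL statement shapes on this page and the page's rules: an endpoint carrying a
security attribute is reachable only if a statement explicitly allows the flow,
and an endpoint carries at most three attributes. Demo names are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

MAX_ENDPOINT_ATTRIBUTES = 3  # page: up to three security attributes per private endpoint
_LABEL_RE = re.compile(r"^([\w-]+)\.([\w-]+):([\w-]+)$")
_PROTO_RE = re.compile(r"^with\s+protocol\s*=\s*'([a-z]+/\d{1,5})'$", re.IGNORECASE)


@dataclass(frozen=True)
class Label:
    """A security attribute reference written as namespace.key:value."""
    namespace: str
    key: str
    value: str


@dataclass(frozen=True)
class Statement:
    vcn: Label                 # 'in <label> VCN': applies in VCNs carrying this attribute
    source: Optional[Label]    # None means 'all-endpoints'
    dest: Label                # destination endpoints carrying this attribute
    protocol: Optional[str]    # None means any protocol, else e.g. 'tcp/443'
    text: str


def parse_label(token: str) -> Label:
    m = _LABEL_RE.match(token)
    if not m:
        raise ValueError(f"bad label {token!r}: expected namespace.key:value")
    return Label(*m.groups())


def parse_statement(stmt: str) -> Statement:
    """Parse: in L VCN allow (all-endpoints | L endpoints) to connect to L endpoints
    [with protocol = 'tcp/PORT']. Keywords are matched case-insensitively."""
    t = stmt.split()
    low = [x.lower() for x in t]

    def expect(cond: bool, what: str) -> None:
        if not cond:
            raise ValueError(f"cannot parse {stmt!r}: expected {what}")

    expect(len(t) >= 10 and low[0] == "in" and low[2] == "vcn" and low[3] == "allow",
           "'in <label> VCN allow ...'")
    vcn = parse_label(t[1])
    if low[4] == "all-endpoints":
        source, i = None, 5
    else:
        expect(len(t) > 5 and low[5] == "endpoints", "'<label> endpoints' after allow")
        source, i = parse_label(t[4]), 6
    expect(low[i:i + 3] == ["to", "connect", "to"], "'to connect to'")
    expect(len(t) > i + 4 and low[i + 4] == "endpoints", "'<label> endpoints' as destination")
    dest = parse_label(t[i + 3])
    rest = " ".join(t[i + 5:])
    protocol = None
    if rest:
        m = _PROTO_RE.match(rest)
        expect(m is not None, "with protocol = 'tcp/PORT'")
        protocol = m.group(1).lower()
    return Statement(vcn, source, dest, protocol, stmt.strip())


def evaluate(policy, vcn_labels, source_labels, endpoint_labels, protocol):
    """Return (allowed, reason) for a flow to the private endpoint, ZPR rules only."""
    endpoint_labels = set(endpoint_labels)
    if len(endpoint_labels) > MAX_ENDPOINT_ATTRIBUTES:
        raise ValueError(f"a private endpoint takes at most {MAX_ENDPOINT_ATTRIBUTES} attributes")
    if not endpoint_labels:
        return True, "endpoint carries no security attribute, so ZPR does not apply to it"
    for s in policy:
        if s.vcn not in vcn_labels:          # statement scoped to VCNs with another label
            continue
        if s.dest not in endpoint_labels:    # destination label does not match the endpoint
            continue
        if s.source is not None and s.source not in source_labels:
            continue
        if s.protocol is not None and s.protocol != protocol.lower():
            continue
        return True, f"allowed by: {s.text}"
    return False, "no statement allows this flow; a labeled endpoint is denied by default"


def uncovered_labels(policy, endpoint_labels):
    """Planned endpoint labels that no statement names as a destination (prerequisite step 4)."""
    covered = {s.dest for s in policy}
    return [lbl for lbl in endpoint_labels if lbl not in covered]


if __name__ == "__main__":
    # Constructed demo: the page's two statements with placeholders filled in.
    policy = [parse_statement(s) for s in (
        "in examplens.label-1:42 VCN allow examplens.label-1:42 endpoints "
        "to connect to examplens.label-1:42 endpoints",
        "in examplens.label-1:42 VCN allow all-endpoints "
        "to connect to examplens.label-1:42 endpoints with protocol = 'tcp/443'",
    )]
    pe_label = parse_label("examplens.label-1:42")
    print(evaluate(policy, {pe_label}, set(), {pe_label}, "tcp/443"))  # unlabeled client, HTTPS
    print(evaluate(policy, {pe_label}, set(), {pe_label}, "tcp/22"))   # unlabeled client, SSH
    print(evaluate(policy, set(), set(), {pe_label}, "tcp/443"))       # VCN itself not labeled
    print(uncovered_labels(policy, [parse_label("examplens.label-1:7")]))  # mistyped value
```

Run it against the statements you plan to create and the exact namespace/key/value you intend to put on the endpoint; an empty `uncovered_labels` result and an allowed `evaluate` for each expected client are the minimum before applying the attribute. The VCN-not-labeled case is worth keeping in mind: the `in <label> VCN` clause scopes the statement to VCNs that carry the attribute, so labeling only the endpoint leaves the statement inapplicable.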
Tip

Learn about ZPR

In the Console, open the navigation menu and select Identity & Security. Under Zero Trust Packet Routing, select Overview. See the videos and guidance about the service on this page.

Adding ZPR When Creating a PE

  1. Follow the steps in Creating a private endpoint.
  2. In the create flow, expand Show security attributes, and then expand the Tags option that displays for the security attributes.
  3. Select Add security attribute.
  4. Enter the following information:
    • Security attribute namespace
    • Security attribute key
    • Security attribute value
  5. Select Add security attribute to add more attributes (up to 3 total).
  6. Select Create.
Note

To avoid unintentionally blocking access, ensure the ZPR policies are defined to allow the intended traffic flow to the endpoint before using the endpoint in production. See Prerequisites.

Adding or Updating ZPR in an Existing PE

Follow these steps to add security attributes to an existing endpoint or to change the namespace/key/value already applied.

  1. On the Private Endpoints list page, select the private endpoint that you want to work with. If you need help finding the list page for private endpoints, see Listing Private Endpoints.
  2. On the private endpoint details page, select the Security attributes tab.
  3. Select Add security attributes.
  4. Enter the following information:
    • Security attribute namespace
    • Security attribute key
    • Security attribute value
  5. Select Add security attributes again to add more attributes (up to 3 total).
  6. When finished, select Add security attributes.
Caution

Changing security attributes can change which ZPR policies apply to the endpoint. After any change, verify that access is allowed by ZPR policies and also by routing and NSG/security list rules.

Permissions Note

To add a security attribute, you must have permission to use the security attribute namespace. For details, see Zero Trust Packet Routing documentation.

Listing Security Attributes

  1. On the Private Endpoints list page, select the private endpoint that you want to work with. If you need help finding the list page for private endpoints, see Listing Private Endpoints.
  2. On the private endpoint details page, select the Security attributes tab.