- Open the navigation menu and click Developer Services. Under Containers & Artifacts, click Service Mesh.
- Click Service Meshes.
- On the Service Mesh page, from the list of compartments on the left side, select a compartment.
- From the list of meshes, click the name of the mesh for which you want to create an access policy.
- On the details page of the mesh, under Resources, click Access Policies.
- Click Create access policy.
- In the Create Access Policy panel, provide the following details:
- Name: A name for the new access policy. The name must start with a letter or underscore, followed by letters, numbers, hyphens, or underscores. The length can be 1–255 characters. Avoid entering confidential information.
- Description: (Optional) A description for the new access policy. Avoid entering confidential information.
- Compartment: The compartment in which you want to create the access policy. The default compartment is the one you selected before, but you can select any compartment that you have permission to work in.
- Source: Select one of the following sources of the traffic this access policy applies to:
- All Virtual Services: Applies to all virtual services.
- Virtual Service: Select a specific virtual service.
- Ingress Gateway: Select a specific ingress gateway.
- Destination: Select the destination for the traffic this access policy applies to.
- All Virtual Services: Applies to all virtual services.
- Virtual Service: Select a specific virtual service.
- External Service: Provide the protocol, host name or IP address, and ports for the external service.
- Protocol: Select HTTP, HTTPS, or TCP. For HTTP or HTTPS, enter a host name; for TCP, enter IP addresses in CIDR notation.
- Host name: You can use a fully qualified host name or a wildcard. For example, host.example.com, *.example.com, *.com, and *. Note: using '*' allows all egress traffic, so prefer the most specific pattern that covers the external service.
- IP Addresses: The IP addresses of the external service in CIDR notation. All requests matching the given CIDR pass through. If the wildcard CIDR "0.0.0.0/0" is provided, the same port can't be used for virtual service communication.
- Ports (comma separated): A single port or a list of ports separated by commas, for example: 80, 443, 8080
Note: If no ports are set, egress is allowed on all ports.
Caution: Do not use the following Service Mesh reserved ports in your mesh resources: 15000, 15003, 15006, or 9901.
- To add another rule, click + Add rule.
- (Optional) To add tags to the access policy, click show advanced options. For more information about tagging, see Resource Tags.
- Click Create access policy.
Sample Access Policy Rules
You can use the following example access policy rules with your application:
Rule: Allow all virtual services to talk to all other virtual services.
Source: All Virtual Services -> Action: Allow -> Destination: All Virtual Services
Rule: An ingress gateway serves as the traffic entry point to a mesh. Traffic from the ingress gateway is allowed to a specific virtual service.
Source: Ingress Gateway: <ingress-gateway-name> -> Action: Allow -> Destination: Virtual Service: <virtual-service-name>
Rule: Traffic from a specific virtual service is allowed to all virtual services within the mesh.
Source: Virtual Service: <virtual-service-name> -> Action: Allow -> Destination: All Virtual Services
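The following pre-flight linter is an added example, not code from the Service Mesh product or its documentation. It models the Source / Action / Destination rules from the procedure above and the sample rules, and checks the inputs against the constraints the page states: the policy naming rule, the allowed source and destination kinds, the host name wildcard forms, the CIDR wildcard caveat, the "no ports means all ports" behaviour, and the reserved ports 15000, 15003, 15006 and 9901. The Target and Rule classes, the sample names (shop-ig, frontend, payments) and the sample rule set are constructed for illustration and are not the service's API or data model; how the mesh matches wildcard host names at runtime is not specified on the page and is not modelled here.

```python
"""Pre-flight linter for Service Mesh access-policy inputs (added example, not OCI code)."""
import ipaddress
import re
from dataclasses import dataclass

# Naming rule from the page: start with a letter or underscore, then letters,
# digits, hyphens or underscores; 1-255 characters in total.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,254}$")
# Ports the page says are reserved by Service Mesh.
RESERVED_PORTS = {15000, 15003, 15006, 9901}
# Host name forms the page allows: host.example.com, *.example.com, *.com, *
HOSTNAME_RE = re.compile(r"^(\*|(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*)$", re.IGNORECASE)
PROTOCOLS = {"HTTP", "HTTPS", "TCP"}
SOURCE_KINDS = {"ALL_VIRTUAL_SERVICES", "VIRTUAL_SERVICE", "INGRESS_GATEWAY"}
DEST_KINDS = {"ALL_VIRTUAL_SERVICES", "VIRTUAL_SERVICE", "EXTERNAL_SERVICE"}


@dataclass
class Target:                 # hypothetical model of one side of a rule
    kind: str                 # one of SOURCE_KINDS or DEST_KINDS
    name: str = ""            # virtual service or ingress gateway name
    protocol: str = ""        # EXTERNAL_SERVICE only: HTTP, HTTPS or TCP
    host: str = ""            # host name (HTTP/HTTPS) or CIDR (TCP)
    ports: str = ""           # comma-separated ports; empty means all ports


@dataclass
class Rule:                   # hypothetical model of one access policy rule
    source: Target
    destination: Target
    action: str = "Allow"


def validate_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def parse_ports(text: str) -> list[int]:
    """'80, 443, 8080' -> [80, 443, 8080]; '' -> [] (meaning all ports)."""
    ports = []
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit() or not 1 <= int(token) <= 65535:
            raise ValueError(f"invalid port {token!r}")
        ports.append(int(token))
    return ports


def lint_external_service(t: Target) -> list[str]:
    """Findings for an External Service destination; empty list means no concerns."""
    findings = []
    proto = t.protocol.upper()
    if proto not in PROTOCOLS:
        return [f"ERROR: unsupported protocol {t.protocol!r}"]
    if proto == "TCP":
        try:
            net = ipaddress.ip_network(t.host, strict=False)
        except ValueError:
            return [f"ERROR: TCP destination needs CIDR notation, got {t.host!r}"]
        if net.prefixlen == 0:
            findings.append(f"WARN: {net} matches every address; its ports can't also "
                            "be used for virtual service communication")
    else:
        if not HOSTNAME_RE.fullmatch(t.host):
            return [f"ERROR: {t.host!r} is not a host name or supported wildcard"]
        if t.host == "*":
            findings.append("WARN: '*' allows all egress traffic")
    try:
        ports = parse_ports(t.ports)
    except ValueError as exc:
        return [f"ERROR: {exc}"]
    if not ports:
        findings.append("WARN: no ports set; egress is allowed on all ports")
    findings += [f"ERROR: port {p} is reserved by Service Mesh" for p in ports if p in RESERVED_PORTS]
    return findings


def lint_policy(name: str, rules: list[Rule]) -> list[str]:
    findings = []
    if not validate_name(name):
        findings.append(f"ERROR: policy name {name!r} violates the naming rule")
    for i, r in enumerate(rules, 1):
        if r.source.kind not in SOURCE_KINDS:
            findings.append(f"ERROR: rule {i}: {r.source.kind} is not a valid source")
        if r.destination.kind not in DEST_KINDS:
            findings.append(f"ERROR: rule {i}: {r.destination.kind} is not a valid destination")
        if r.destination.kind == "EXTERNAL_SERVICE":
            findings += [f"rule {i}: {f}" for f in lint_external_service(r.destination)]
        if r.source.kind == r.destination.kind == "ALL_VIRTUAL_SERVICES":
            findings.append(f"INFO: rule {i}: mesh-wide allow; every virtual service can reach every other")
    return findings


# Constructed sample: the page's three sample rules plus two external-service rules.
SAMPLE_RULES = [
    Rule(Target("ALL_VIRTUAL_SERVICES"), Target("ALL_VIRTUAL_SERVICES")),
    Rule(Target("INGRESS_GATEWAY", "shop-ig"), Target("VIRTUAL_SERVICE", "frontend")),
    Rule(Target("VIRTUAL_SERVICE", "frontend"), Target("ALL_VIRTUAL_SERVICES")),
    Rule(Target("VIRTUAL_SERVICE", "frontend"), Target("EXTERNAL_SERVICE", protocol="HTTPS", host="*")),
    Rule(Target("VIRTUAL_SERVICE", "payments"), Target("EXTERNAL_SERVICE", protocol="TCP", host="0.0.0.0/0", ports="443, 15000")),
]

if __name__ == "__main__":
    for finding in lint_policy("shop-policy", SAMPLE_RULES):
        print(finding)
```

Run it before clicking Create access policy: every ERROR line is something the console will reject or the page tells you not to do, and every WARN line is an over-broad egress grant (a bare '*' host, an all-ports rule, or a 0.0.0.0/0 CIDR) that should be narrowed unless it is genuinely intended.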