Creating an Access Policy

Create an access policy for your service mesh. By default, all communications between services are denied. Therefore, at least one access policy is required to enable service-to-service communication.

    1. Open the navigation menu and click Developer Services. Under Containers & Artifacts, click Service Mesh.
    2. Click Service Meshes.
    3. On the Service Mesh page, from the list of compartments on the left side, select a compartment.
    4. From the list of meshes, click the mesh name for which you want to create an access policy.
    5. On the details page of the mesh, under Resources, click Access Policies.
    6. Click Create access policy.
    7. In the Create Access Policy panel, provide the following details:
      • Name: A name for the new access policy. The name must start with a letter or underscore, followed by letters, numbers, hyphens, or underscores. The length can be 1–255 characters. Avoid entering confidential information.
      • Description: (Optional) A description for the new access policy. Avoid entering confidential information.
      • Compartment: The compartment in which you want to create the access policy. The default compartment is the one you selected before, but you can select any compartment that you have permission to work in.
      • Source: Select one of the following sources of the traffic this access policy applies to:
        • All Virtual Services: Applies to all virtual services.
        • Virtual Service: Select a specific virtual service.
        • Ingress Gateway: Select a specific ingress gateway.
      • Destination: Select the destination for the traffic this access policy applies to.
        • All Virtual Services: Applies to all virtual services.
        • Virtual Service: Select a specific virtual service.
        • External Service: Provide the protocol, host name or IP address, and ports for the external service.
          • Protocol: Select HTTP, HTTPS, or TCP protocol. If you select HTTP or HTTPS, enter a host name as described. If you select TCP, enter an IP address as described.
          • Host name: You can use a fully qualified host name or wildcards. For example, host.example.com, *.example.com, *.com, and *.
            Note: Using '*' allows all egress traffic.
          • IP Addresses: The IP addresses of the external service in CIDR notation. All requests matching the given CIDR notation pass through. If a wildcard CIDR "0.0.0.0/0" is provided, the same port can't be used for a virtual service communication.
          • Ports (comma separated): Values can be a single port or a list of ports separated by commas. The following example shows multiple ports separated by commas:
            80, 443, 8080
            Note: If no ports are set, egress is allowed on all ports.
            Caution: Do not use the following Service Mesh reserved ports in your mesh resource: 15000, 15003, 15006, or 9901.
      • To add another rule, click + Add rule.
      • (Optional) To add tags to the access policy, click show advanced options. For more information about tagging, see Resource Tags.
    8. Click Create access policy.

    Sample Access Policy Rules

    You can use the following example access policy rules with your application:

    Rule: Allow all the virtual services to talk to all other virtual services.

    Source: All Virtual Services -> Action: Allow -> Destination: All Virtual Services

    Rule: An ingress gateway serves as a traffic entry point to a mesh. The ingress gateway traffic talks to a specific virtual service.

    Source: Ingress Gateway: <ingress-gateway-name> -> Action: Allow -> Destination: Virtual Service: <virtual-service-name>

    Rule: Traffic from a virtual service flows to all virtual services within a mesh network.

    Source: Virtual Service: <virtual-service-name> -> Action: Allow -> Destination: All Virtual Services

  • To create an access policy, use the service-mesh resource with the access-policy option.

    oci service-mesh access-policy create --from-json <json-file-name>

    Example:

    oci service-mesh access-policy create --from-json file://create.json

    To see what operations are available for access-policy create, use:

    oci service-mesh access-policy create -h

    To generate a sample JSON file for access-policy create, use:

    oci service-mesh access-policy create --generate-full-command-json-input
  • Use the CreateAccessPolicy operation to create an access policy.
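As a pre-flight check before submitting a policy with the CLI command above, the following added Python lint (not part of the OCI documentation or tooling) applies the constraints from the Create Access Policy panel to a rule set: the name pattern, the '*' host name and empty-ports allow-all cases, the "0.0.0.0/0" wildcard CIDR, and the reserved ports. The dictionary keys are constructed to mirror the console fields and are not the OCI JSON schema; generate the real input file with --generate-full-command-json-input.

```python
import ipaddress
import re

# Constraints quoted from the Create Access Policy panel described above.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,254}$")
RESERVED_PORTS = {15000, 15003, 15006, 9901}


def check_external_destination(dest):
    """Return findings for one External Service destination. `dest` is a
    constructed dict mirroring the console fields, not the OCI JSON schema."""
    findings = []
    proto = dest.get("protocol")
    if proto in ("HTTP", "HTTPS") and not dest.get("hostname"):
        findings.append("HTTP/HTTPS destination needs a host name")
    if proto == "TCP" and not dest.get("ip_addresses"):
        findings.append("TCP destination needs IP addresses in CIDR notation")
    if dest.get("hostname") == "*":
        findings.append("host name '*' allows all egress traffic")
    for cidr in dest.get("ip_addresses", []):
        # A /0 prefix is the wildcard CIDR the panel warns about.
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"wildcard CIDR {cidr}: its ports cannot also serve a virtual service")
    # Ports arrive as the console's comma-separated string, e.g. "80, 443, 8080".
    ports = [int(p) for p in dest.get("ports", "").split(",") if p.strip()]
    if not ports:
        findings.append("no ports set: egress allowed on all ports")
    for port in ports:
        if port in RESERVED_PORTS:
            findings.append(f"port {port} is a Service Mesh reserved port")
    return findings


def check_policy(policy):
    """Lint a whole policy: the name constraint plus every external-service rule."""
    findings = [] if NAME_RE.match(policy.get("name", "")) else ["invalid name"]
    for i, rule in enumerate(policy["rules"], 1):
        dest = rule["destination"]
        if dest["type"] == "EXTERNAL_SERVICE":
            findings += [f"rule {i}: {f}" for f in check_external_destination(dest)]
    return findings


# Constructed sample: one tight HTTPS egress rule and one wide-open TCP rule.
SAMPLE_POLICY = {"name": "egress-policy", "rules": [
    {"destination": {"type": "EXTERNAL_SERVICE", "protocol": "HTTPS",
                     "hostname": "api.example.com", "ports": "443"}},
    {"destination": {"type": "EXTERNAL_SERVICE", "protocol": "TCP",
                     "ip_addresses": ["0.0.0.0/0"], "ports": ""}}]}

if __name__ == "__main__":
    print("\n".join(check_policy(SAMPLE_POLICY)))
```

Run against the sample, the lint reports nothing for the HTTPS rule and two findings for the TCP rule: the wildcard CIDR and the missing port list that opens egress on all ports.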