Managing Zero Trust Packet Routing Policies

Create and manage Zero Trust Packet Routing (ZPR) policies.

A ZPR policy is a rule that governs the communication between specific endpoints identified by their security attributes. A ZPR policy can be created only in the root compartment of a tenancy. To create a ZPR policy, you have several options:

  • Simple policy builder lets you select from prepopulated lists of resources identified by their security attributes to express security intent between two endpoints. The policy builder automatically generates the policy statement using correct syntax.
  • Policy template builder lets you select from a list of templates based on common use case scenarios that provide prefilled ZPR policy statements that you can then customize to create a ZPR policy.
  • Manual policy builder lets you type policy statements directly as free-form text.

Policy Template Builder

The policy templates included in the Policy template builder provide you with the sample syntax you might need for common use cases.

The templates in the Policy template builder are organized into the following sections:

Compute

Use case: Allow a compute instance to connect on all ports and protocols to another compute instance.
Policy:
  in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of target-compute> endpoints
Notes: None.

Use case: Allow a compute instance to connect over SSH to another compute instance.
Policy:
  in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of target-compute> endpoints with protocol='tcp/22'
Notes: None.

Use case: Allow a compute instance to connect to a database service.
Policy:
  in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521'
Notes: None.
Oracle Exadata Database Service on Dedicated Infrastructure

Use case: Enable the database service for SSH access, database client access, access to Object Storage, Vault, Data Safe and other OCI services, Real Application Clusters (RAC), and Data Guard.
Policy:
  in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521'
  in <security attribute of VCN> VCN allow <security attribute of database service> endpoints to connect to 'osn-services-ip-addresses'
  in <security attribute of VCN> VCN allow <security attribute of database service> endpoints to connect to <security attribute of database service> endpoints
Notes: This policy allows the VM cluster to accept client connections, to connect to OSN services, and to connect between the Data Guard Primary and Standby VM clusters. It assumes that the compute clients and the Data Guard Primary are in the same VCN. Apply the security attribute of the database service to the VM cluster resources of both the Data Guard Primary and the Standby.

Use case: Data Guard Cross VCN or Region (client access to the Standby).
Policy:
  in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <Standby VCN CIDR> with protocol='tcp/1521'
Notes: This policy allows compute clients to connect to the Data Guard Standby VCN.

Use case: Data Guard Cross VCN or Region (Standby access to OSN services).
Policy:
  in <security attribute of Standby VCN> VCN allow <security attribute of database service> endpoints to connect to 'osn-services-ip-addresses'
Notes: This policy allows the Data Guard Standby to connect to OSN services.

Use case: Data Guard Cross VCN or Region (Primary to Standby).
Policy:
  in <security attribute of VCN> VCN allow <security attribute of database service> endpoints to connect to <Standby VCN CIDR>
  in <security attribute of Standby VCN> VCN allow <VCN CIDR> to connect to <security attribute of database service> endpoints
Notes: This policy allows the Data Guard Primary to connect to the Data Guard Standby using CIDRs. Both statements are needed: the egress statement in the Primary VCN and the ingress statement in the Standby VCN.

Use case: Data Guard Cross VCN or Region (Standby to Primary).
Policy:
  in <security attribute of VCN> VCN allow <Standby VCN CIDR> to connect to <security attribute of database service> endpoints
  in <security attribute of Standby VCN> VCN allow <security attribute of database service> endpoints to connect to <VCN CIDR>
Notes: This policy allows the Data Guard Standby to connect to the Data Guard Primary using CIDRs, with the ingress statement in the Primary VCN and the egress statement in the Standby VCN.
Oracle Base Database Service

Use case: Enable the database service for all scenarios (includes backup and Data Guard).
Policy:
  in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521'
  in <security attribute of VCN> VCN allow <security attribute of database service> endpoints to connect to 'osn-services-ip-addresses'
Notes: Covers VM cluster provisioning, backup and restore, KMS, patching, DP events and Oracle RAC. Apply the security attribute of the database service to the Oracle Base Database Service resources of both the Data Guard Primary and the Standby.

Use case: RAC support.
Policy:
  in <security attribute of VCN> VCN allow <security attribute of database service> endpoints to connect to <security attribute of database service> endpoints
Notes: None.

Use case: Data Guard Cross VCN or Region (client access to the Standby).
Policy:
  in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <Standby VCN CIDR> with protocol='tcp/1521'
Notes: This policy allows compute clients to connect to the Data Guard Standby VCN.

Use case: Data Guard Cross VCN or Region (Standby access to OSN services).
Policy:
  in <security attribute of Standby VCN> VCN allow <security attribute of database service> endpoints to connect to 'osn-services-ip-addresses'
Notes: This policy allows the Data Guard Standby to connect to OSN services.

Use case: Data Guard Cross VCN or Region (Primary to Standby).
Policy:
  in <security attribute of VCN> VCN allow <security attribute of database service> endpoints to connect to <Standby VCN CIDR>
  in <security attribute of Standby VCN> VCN allow <VCN CIDR> to connect to <security attribute of database service> endpoints
Notes: This policy allows the Data Guard Primary to connect to the Data Guard Standby using CIDRs. Both statements are needed: the egress statement in the Primary VCN and the ingress statement in the Standby VCN.

Use case: Data Guard Cross VCN or Region (Standby to Primary).
Policy:
  in <security attribute of VCN> VCN allow <Standby VCN CIDR> to connect to <security attribute of database service> endpoints
  in <security attribute of Standby VCN> VCN allow <security attribute of database service> endpoints to connect to <VCN CIDR>
Notes: This policy allows the Data Guard Standby to connect to the Data Guard Primary using CIDRs, with the ingress statement in the Primary VCN and the egress statement in the Standby VCN.
Autonomous Database

Use case: Allow a compute instance to connect to Autonomous Database.
Policy:
  in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521'
Notes: None.

Autonomous Dedicated Infrastructure

Use case: Enable the database service for all scenarios (includes backup and Data Guard).
Policy:
  in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521'
Notes: None.
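The Data Guard Cross VCN or Region rows in the Exadata and Base Database Service sections share one property worth checking mechanically: the cross-VCN legs are scoped by CIDR rather than by security attribute, and each egress statement in one VCN only works together with a matching ingress statement in the peer VCN. The following Python script is an added example, not Oracle's code and not part of this page's templates. It renders the Oracle Base Database Service statements for a Data Guard Standby in another VCN from the template rows above, checks every statement against a grammar derived from those templates, and reports any CIDR-targeted statement whose partner ingress statement in the peer VCN is missing. The attribute format namespace.key:value, the attribute names (app.vcn:primary, app.tier:db and so on) and the CIDRs are assumptions for illustration.

```python
"""Render and check ZPR policy statements assembled from this page's templates.

Added example, not Oracle's code. The attribute format namespace.key:value,
the attribute names and the CIDRs used below are assumptions.
"""
import re
from typing import Dict, List

OSN = "'osn-services-ip-addresses'"

# Grammar derived from the template rows on this page. Assumption: a security
# attribute is written as namespace.key:value; CIDRs are single-quoted.
ATTR = r"[A-Za-z]\w*\.\w+:[\w-]+"
CIDR = r"'\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}'"
SOURCE = rf"(?:{ATTR} endpoints|{CIDR})"
TARGET = rf"(?:{ATTR} endpoints|{CIDR}|{OSN})"
STATEMENT = re.compile(
    rf"^in ({ATTR}) VCN allow ({SOURCE}) to connect to ({TARGET})"
    rf"(?: with protocol='(tcp|udp)/(\d{{1,5}})')?$"
)


def parse(statement: str) -> Dict[str, str]:
    """Split one statement into vcn, src, dst and protocol ('all' if omitted).
    Raises ValueError when the statement does not fit the template grammar."""
    m = STATEMENT.match(statement)
    if not m:
        raise ValueError(f"statement does not match the template grammar: {statement}")
    vcn, src, dst, proto, port = m.groups()
    return {"vcn": vcn, "src": src, "dst": dst,
            "protocol": f"{proto}/{port}" if proto else "all"}


def base_db_data_guard_policy(vcn: str, standby_vcn: str, compute: str, db: str,
                              vcn_cidr: str, standby_cidr: str) -> List[str]:
    """Statements from the Oracle Base Database Service rows: client access,
    OSN access, RAC, and a Data Guard Standby in a different VCN."""
    return [
        # Client access and OSN access in the Primary VCN.
        f"in {vcn} VCN allow {compute} endpoints to connect to {db} endpoints with protocol='tcp/1521'",
        f"in {vcn} VCN allow {db} endpoints to connect to {OSN}",
        # RAC support.
        f"in {vcn} VCN allow {db} endpoints to connect to {db} endpoints",
        # Compute clients to the Standby VCN.
        f"in {vcn} VCN allow {compute} endpoints to connect to '{standby_cidr}' with protocol='tcp/1521'",
        # Standby to OSN services.
        f"in {standby_vcn} VCN allow {db} endpoints to connect to {OSN}",
        # Primary to Standby: egress in the Primary VCN, ingress in the Standby VCN.
        f"in {vcn} VCN allow {db} endpoints to connect to '{standby_cidr}'",
        f"in {standby_vcn} VCN allow '{vcn_cidr}' to connect to {db} endpoints",
        # Standby to Primary: ingress in the Primary VCN, egress in the Standby VCN.
        f"in {vcn} VCN allow '{standby_cidr}' to connect to {db} endpoints",
        f"in {standby_vcn} VCN allow {db} endpoints to connect to '{vcn_cidr}'",
    ]


def unpaired_cross_vcn(statements: List[str], vcn_cidrs: Dict[str, str]) -> List[str]:
    """Return every statement whose target is a peer VCN's CIDR but for which the
    peer VCN has no statement admitting this VCN's CIDR as a source with the same
    protocol (or all protocols). vcn_cidrs maps a VCN security attribute to its CIDR."""
    parsed = [parse(s) for s in statements]
    owner_of = {f"'{cidr}'": v for v, cidr in vcn_cidrs.items()}
    unpaired = []
    for text, p in zip(statements, parsed):
        peer = owner_of.get(p["dst"])
        if peer is None:
            continue  # target is an attribute or OSN, not a peer VCN CIDR
        own = vcn_cidrs.get(p["vcn"])
        if own is None:
            unpaired.append(text)  # cannot be paired: this VCN's CIDR is unknown
            continue
        has_ingress = any(
            q["vcn"] == peer and q["src"] == f"'{own}'"
            and q["protocol"] in ("all", p["protocol"])
            for q in parsed
        )
        if not has_ingress:
            unpaired.append(text)
    return unpaired


if __name__ == "__main__":
    cidrs = {"app.vcn:primary": "10.0.0.0/16", "app.vcn:standby": "10.1.0.0/16"}
    policy = base_db_data_guard_policy("app.vcn:primary", "app.vcn:standby",
                                       "app.tier:client", "app.tier:db",
                                       cidrs["app.vcn:primary"], cidrs["app.vcn:standby"])
    print("\n".join(policy))
    print("unpaired:", unpaired_cross_vcn(policy, cidrs))
```

Removing the Standby-VCN ingress statement (the one that admits the Primary VCN CIDR) makes the check report both Primary-VCN statements that target the Standby CIDR, which is exactly the half-configured state the Data Guard rows above warn about. Because the CIDR legs carry no security attribute, the check is only as good as the vcn_cidrs map: it has to contain the real CIDR of each VCN named in the policy.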