Policy Examples

Learn about Zero Trust Packet Routing policies from examples.

You can also learn about policies by exploring the Policy Template Builder.

Database policy examples

Write policy to allow a database to connect to OCI services

Allow databases with the security attribute DB-Server to connect to OCI services.

in VCN-Network:DB VCN allow db:DB-Server endpoints to connect to 'osn-services-ip-addresses'

Write policy to allow clients to connect to a database through a single port

Allow clients with the app1 security attribute to connect to the DB-Server:App1 database through the tcp/1521 port.

in VCN-Network:DB VCN allow all-endpoints to connect to DB-Server:App1:App1 endpoints with protocol='tcp/1521'

Write policy to allow clients to connect to a database through multiple ports

Allow clients with the app1 security attribute to connect to the DB-Server:App1 database through the tcp/999-11199 port range.

in VCN-Network:DB VCN allow all-endpoints to connect to DB-Server:App1:App1 endpoints with protocol='tcp/999-11199'

Write policy to allow clients to connect to a database with a stateless connection

Allow clients with the frontend security attribute to connect to the database:server database through the tcp/1521 port with a stateless connection.

in finance.network:prod VCN allow app:frontend endpoints to connect to database:server endpoints with protocol = 'tcp/1521', connection-state = 'stateless'

Write policy to allow clients in one VCN to connect to a database in a different VCN
Note

You must use IP addresses to reference targets in a different VCN.

Allow clients in the networks:net1 VCN to connect to <range of IP addresses in the other VCN>.

in networks:net1 VCN allow apps:app1 endpoints to connect to '192.168.0.0/16'

192.168.0.0/16 is the range of IP addresses in the other VCN.

Compute instance policy examples

Write policy to allow Compute instances in the same VCN to connect by SSH

Allow compute:instance1 endpoints to connect to compute:instance2 endpoints in the networks:net1 VCN by SSH.

in networks:net1 VCN allow compute:instance1 endpoints to connect to compute:instance2 endpoints with protocol='tcp/22'

Write policy to allow clients to connect to a database over SQLNet

In the networks:net1 VCN, allow compute:instance1 endpoints to connect to db:DB-Server endpoints through the tcp/1521 port used by SQLNet.

in networks:net1 VCN allow compute:instance1 endpoints to connect to db:DB-Server endpoints with protocol='tcp/1521'

Network Load Balancer policy examples

Write policy to allow an IP address to connect to a network load balancer

In the my:VCN VCN, allow any IP address (0.0.0.0/0, the whole IPv4 address space) to connect to network load balancers with the XYZ-NLB:NLB1 security attribute.

in my:VCN VCN allow '0.0.0.0/0' to connect to XYZ-NLB:NLB1 endpoints

Write policy to connect network load balancers to application endpoints

In the my:VCN VCN allow network load balancer endpoints with the XYZ-NLB:NLB1 security attribute to connect to ABC-web-servers:app1 endpoints.

in my:VCN VCN allow XYZ-NLB:NLB1 endpoints to connect to ABC-web-servers:app1 endpoints

VCN policy example

Write policy to connect resources across VCNs

Allow compute clients with the applications:app1 security attribute to connect to the database running app1 over a SQLNet connection.

Note

Two policies are used because the database and clients reside in separate VCNs.

in VCN-Network:DB VCN allow DB-client:App1 endpoints to connect to '10.1.2.0/24' with protocol='tcp/1521'
in VCN-Network:Remote VCN allow '10.1.2.0/24' to connect to DB-client:app1 endpoints with protocol='tcp/1521'
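Every statement on this page has the same shape: a VCN, a source (a security attribute, all-endpoints, or a quoted IP range), a target (a security attribute or a quoted literal), and an optional with-clause carrying protocol and connection-state. The following Python parser and lint is an added example, not Oracle's code or its published ZPR grammar: the grammar is inferred from the statements shown above and is an assumption, so it may reject valid forms this page does not use. It pulls each statement apart, rejects malformed or reversed port ranges and unknown condition keys, and checks that a cross-VCN pair such as the two statements in the last example names the far side by CIDR in both directions, which the note above says is required. The stateful default for a missing connection-state and the tcp/udp-only protocol check are also assumptions.

```python
"""Parse and lint Zero Trust Packet Routing allow statements like the ones on this page.

Added example, not Oracle's code: the grammar below is inferred from the statements
shown on this page and is an assumption, so it may reject valid ZPR forms not shown here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# in <vcn> VCN allow <source> to connect to <target> [with <key>='<value>', ...]
STATEMENT = re.compile(
    r"^in\s+(?P<vcn>\S+)\s+VCN\s+allow\s+(?P<src>.+?)\s+to\s+connect\s+to\s+"
    r"(?P<dst>.+?)(?:\s+with\s+(?P<with>.+))?$"
)
CONDITION = re.compile(r"\s*([\w-]+)\s*=\s*'([^']*)'\s*")
PROTOCOL = re.compile(r"(tcp|udp)/(\d+)(?:-(\d+))?")  # only the forms this page uses (assumption)


@dataclass(frozen=True)
class Endpoint:
    kind: str            # "all", "cidr", "service" or "attribute"
    value: Optional[str]


@dataclass(frozen=True)
class Policy:
    vcn: str
    source: Endpoint
    target: Endpoint
    protocol: Optional[Tuple[str, int, int]]  # (proto, low_port, high_port); None = unrestricted
    connection_state: str


def parse_endpoint(text: str) -> Endpoint:
    text = text.strip()
    if text == "all-endpoints":
        return Endpoint("all", None)
    quoted = re.fullmatch(r"'([^']*)'", text)
    if quoted:
        literal = quoted.group(1)
        try:  # quoted literal: a CIDR (the only way to name targets in another VCN) ...
            return Endpoint("cidr", str(ipaddress.ip_network(literal, strict=False)))
        except ValueError:  # ... or a named range such as 'osn-services-ip-addresses'
            return Endpoint("service", literal)
    attr = re.fullmatch(r"(\S+)\s+endpoints", text)
    if attr:  # security attribute, e.g. db:DB-Server or DB-Server:App1:App1
        return Endpoint("attribute", attr.group(1))
    raise ValueError(f"unrecognised endpoint: {text!r}")


def parse_protocol(spec: str) -> Tuple[str, int, int]:
    m = PROTOCOL.fullmatch(spec)
    if not m:
        raise ValueError(f"unsupported protocol spec: {spec!r}")
    low, high = int(m.group(2)), int(m.group(3) or m.group(2))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return m.group(1), low, high


def parse_policy(statement: str) -> Policy:
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"not a recognised allow statement: {statement!r}")
    conditions: Dict[str, str] = {}
    for part in filter(None, (m.group("with") or "").split(",")):
        c = CONDITION.fullmatch(part)
        if not c:
            raise ValueError(f"malformed condition: {part!r}")
        conditions[c.group(1)] = c.group(2)
    unknown = set(conditions) - {"protocol", "connection-state"}
    if unknown:
        raise ValueError(f"unknown condition keys: {sorted(unknown)}")
    protocol = parse_protocol(conditions["protocol"]) if "protocol" in conditions else None
    state = conditions.get("connection-state", "stateful")  # assumed default when absent
    if state not in ("stateful", "stateless"):
        raise ValueError(f"bad connection-state: {state!r}")
    return Policy(m.group("vcn"), parse_endpoint(m.group("src")),
                  parse_endpoint(m.group("dst")), protocol, state)


def cross_vcn_pair_ok(local: Policy, remote: Policy) -> bool:
    """True when two statements together describe one flow across two VCNs:
    each VCN names its own side by security attribute, the far side by CIDR,
    and both agree on the protocol (the pattern of the last example above)."""
    return (local.vcn != remote.vcn
            and local.protocol == remote.protocol
            and local.source.kind == "attribute" and local.target.kind == "cidr"
            and remote.source.kind == "cidr" and remote.target.kind == "attribute")


def lint(statements: List[str]) -> Dict[str, Optional[str]]:
    """Map each statement to None if it parses cleanly, else to the error message."""
    result: Dict[str, Optional[str]] = {}
    for s in statements:
        try:
            parse_policy(s)
            result[s] = None
        except ValueError as e:
            result[s] = str(e)
    return result


if __name__ == "__main__":
    # Two statements from this page plus one constructed, malformed one (reversed port range).
    for stmt, err in lint([
        "in VCN-Network:DB VCN allow db:DB-Server endpoints to connect to 'osn-services-ip-addresses'",
        "in my:VCN VCN allow '0.0.0.0/0' to connect to XYZ-NLB:NLB1 endpoints",
        "in my:VCN VCN allow all-endpoints to connect to web:app endpoints with protocol='tcp/8080-80'",
    ]).items():
        print("OK  " if err is None else "FAIL", stmt, err or "")
```

Running the module prints one line per statement; feeding it every statement on this page parses all of them, and the constructed reversed range is the only failure. The lint is deliberately strict about unknown condition keys so that a typo such as `protocal=` is caught before a policy is submitted rather than silently ignored.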