Policy Syntax
A Zero Trust Packet Routing (ZPR) policy consists of one or more policy statements. A policy statement is an expression of intent written in a specific syntax.
ZPR policy statements use the following syntax and rules:
<src-location> <command> <endpoint> to <verb> <endpoint>
<src-location>
is required, and it must be in the formin <security attribute> VCN.
<security attribute>
must be specified, and it can only be a single security attribute.<command>
must be allow.<endpoint>
must be security attribute, ip address, all-endpoints, or osn-services-ip-endpoints.<verb>
must be connect to.
For example, the following policy statement expresses intent to allow traffic from or to endpoints within the same VCN identified by a source location:
in app:fin-network VCN allow app:web endpoints to connect to app:store endpoints
When ingressing or egressing outside of the VCN, ZPR policy must refer to the clients using IP addresses instead of security attributes. Security attributes may only be used when referring to endpoints in the same VCN.
The source location identifies the VCN by its security attribute and is subject to the policy referencing it. The allow statement applies to each VCN with that security attribute.
The security attribute identifies a subject VCN and endpoints within the subject VCN. The security attribute is made up of a security attribute namespace and a security attribute key separated with a dot, and a value separated with a colon:
in applications.app:fin-network
: applications
is the security attribute namespaceapp
is the security attribute keyfin-network
is the value
Security attribute namespaces, security attribute keys, and values are constrained by specific limits. Importantly, security attribute namespaces and security attribute keys don't contain a space or a dot character. Values, however, can contain spaces, dots, and single quotes. If a security attribute whose value contains more than the allowed characters is referenced, the whole security attribute clause is enclosed within single quotes. Any single quote character in the value must be escaped with a single quote character. For example:
app:fin-network
oracle-zpr.app:fe-nodes
my-corp.biz:hr
'my-corp.biz:dev and test db'
If the namespace of a security attribute is omitted, ZPR defaults to the
oracle-zpr
namespace.The endpoint clause identifies the source or the target of traffic with the specified security attribute set, within a subject VCN. The keyword all-endpoints
signifies any endpoint inside or outside of the subject VCN regardless of whether it carries any security attributes:
app:fe-nodes endpoints
oracle-zpr.app:store endpoints
my-corp.biz:hr-web endpoints
'my-corp.biz:dev and test database' endpoints
The source and target can't both be
all-endpoint
. One must be identified (Endpoint Attribute List). Traffic to and from endpoints can be further limited in a policy by filtering on the keyword ip-address
, and one or more of the allowed network filter attributes: protocol
, protocol.icmp.type
, protocol.icmp.code
, and connection-state
.
The ip-address
or osn-services-ip-addresses
can be a target or a source. However, you can't use ip-address
and osn-services-ip-addresses
on both the source and target endpoints; ip-address
and osn-services-ip-addresses
must be either the source or the target. For example:
in apps:app1 VCN allow '1.2.3.4/16' to connect to apps:app1 endpoints