Zero Trust Packet Routing Visualizer

The Zero Trust Packet Routing (ZPR) Visualizer graphically represents the network security posture of a ZPR-enabled OCI tenancy. It shows how resources are permitted to communicate and lets you view the relationships between security attributes, protected resources, and ZPR policies.

Overview

The ZPR Visualizer provides a visual representation of the ZPR security attributes, and the ZPR policies that reference them, within a selected region and tenancy. Use it to analyze which communication between resources the policy definitions allow and which they block.

Use the ZPR Visualizer to do the following:

  • Visualize the relationships between security attributes, protected resources, and ZPR policies.
  • Verify that ZPR policies are correctly configured and enforced.
  • Diagnose why communication between two resources is allowed or blocked.
  • Detect resources that are not protected by a security attribute.
  • Review network access patterns to confirm they follow zero-trust principles.

Required Permissions

The following IAM policies are required before the ZPR Visualizer can read resources in the tenancy. An administrator writes them in the tenancy (root compartment), because both statements are scoped with "in tenancy".

  1. Grant the zpr-tools service read access to resources:
    Allow service zpr-tools to read all-resources in tenancy
  2. Grant the Visualizer topology principal read access, using one of the following:
    1. Global access
      Allow any-user to read all-resources in tenancy where ALL { request.principal.type = 'zprtopology' }
    2. Restricted access
      1. Create a dynamic group with the matching rule
        ALL { resource.type = 'zprtopology' }
      2. Add an IAM policy for that dynamic group
        
        Allow dynamic-group <dg_name> to read all-resources in tenancy
        If the dynamic group is not in the default identity domain, qualify its name with the domain:
        Allow dynamic-group '<domain_name>/<dg_name>' to read all-resources in tenancy
        

For more information and examples, see Zero Trust Packet Routing IAM Policies.
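The grants above are easy to mistype, and a missing one shows up only as an empty or partial graph. The script below is an added example (not part of the OCI documentation or the Visualizer) that reads the JSON printed by `oci iam policy list --compartment-id <tenancy_ocid> --all --output json` and reports which of the required statements are present. It matches statements by normalized string comparison, which is a heuristic rather than the IAM policy parser; the sample policy list embedded in it is constructed for the example, and the dynamic-group name and file name are placeholders.

```python
"""Check whether a tenancy's root-compartment IAM policies contain the grants
the ZPR Visualizer needs.

Added example, not part of the OCI documentation or the Visualizer. Feed it
the JSON printed by:
    oci iam policy list --compartment-id <tenancy_ocid> --all --output json
"""
import json
import re
import sys

# Statements from the Required Permissions section above.
ZPR_TOOLS_STMT = "allow service zpr-tools to read all-resources in tenancy"
GLOBAL_STMT = ("allow any-user to read all-resources in tenancy "
               "where all { request.principal.type = 'zprtopology' }")
# Restricted-access form. The dynamic-group name is site specific, so match it
# with a pattern that accepts both <dg_name> and '<domain_name>/<dg_name>'.
DG_STMT_RE = re.compile(
    r"^allow dynamic-group '?[\w./-]+'? to read all-resources in tenancy$")


def normalize(stmt):
    """Lower-case and collapse whitespace so that formatting differences do not
    hide a matching statement. IAM keywords are not case sensitive; this is a
    string heuristic, not a re-implementation of the IAM policy parser."""
    return re.sub(r"\s+", " ", stmt.strip()).lower()


def check_visualizer_policies(policy_list_json):
    """Report which of the required grants are present.

    policy_list_json is the {"data": [...]} document printed by the CLI; each
    policy carries its statements under the "statements" key."""
    stmts = [normalize(s)
             for policy in policy_list_json.get("data", [])
             for s in policy.get("statements", [])]
    has_tools = ZPR_TOOLS_STMT in stmts
    has_global = GLOBAL_STMT in stmts
    has_dg = any(DG_STMT_RE.match(s) for s in stmts)
    return {
        "zpr_tools_read": has_tools,
        "topology_global": has_global,
        "topology_dynamic_group": has_dg,
        # Either topology grant satisfies step 2 of the procedure.
        "ok": has_tools and (has_global or has_dg),
    }


# Constructed sample in the shape of `oci iam policy list` output; the names
# and statements are illustrative, not from a real tenancy.
SAMPLE_POLICY_LIST = {"data": [
    {"name": "zpr-tools-read",
     "statements": ["Allow service zpr-tools to read all-resources in tenancy"]},
    {"name": "zpr-visualizer-topology",
     "statements": ["Allow dynamic-group 'Default/zpr-topology-dg' "
                    "to read all-resources in tenancy"]},
]}

if __name__ == "__main__":
    # Usage: python check_zpr_policies.py policies.json  (defaults to the sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY_LIST
    result = check_visualizer_policies(doc)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

The check only proves that the statements exist. For the restricted-access option it cannot tell whether the dynamic group actually has the `ALL { resource.type = 'zprtopology' }` matching rule, so confirm that separately (for example from `oci iam dynamic-group list` output). A statement that carries an extra `where` clause is deliberately treated as not matching, so that a narrower grant is surfaced rather than silently accepted.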

Legend

The ZPR Visualizer uses the following symbols and conventions:

Attributes and networking types
  • VCN security attribute: Attributes applied to VCNs define the scope of a ZPR policy.
  • Resource security attribute: Attributes applied to resources are used in ZPR policies to connect endpoints.
  • Resources without attributes: Resources that carry no ZPR security attribute. These unprotected resources need attention before you can view their policy relationships.
  • IP address: A single Internet Protocol address identifying one network endpoint.
  • CIDR: A range of IP addresses sharing the same network prefix, written in CIDR notation (prefix and prefix length), used to identify a network endpoint range.
Example resource types
  • Load Balancer: A group of load balancers sharing the same security attribute.
  • Instances: A group of instances sharing the same security attribute.
Policy statements
  • Single ZPR policy statement (cross attribute): One or more ZPR policy statements representing a connection between endpoint attributes or network endpoints. The number on the connection edge shows how many policy statements are associated with that relationship.

Use case - Identify and secure resources without security attributes

Use the ZPR Visualizer to find resources that are not yet protected, apply security attributes and policies to them, and verify the resulting connectivity.

Scenario: Assume that a Compute instance without a security attribute appears under Resources without attributes.

  1. Open the ZPR Visualizer and select the required compartment.
  2. Open Resources without attributes to list the unprotected resources.
  3. Review and filter the list to find the resources you need to protect.
  4. Assign a security attribute to the resource. See Adding a Resource to Zero Trust Packet Routing.
  5. Create the ZPR policy required for the intended communication. See Create ZPR Policy.
  6. Return to the Visualizer and select the Refresh icon.
  7. Verify that the resource now appears as a node with the expected connection edges.
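Steps 2 and 3 above are a manual review in the console. When a compartment holds many instances it helps to produce the same list from the CLI, so the script below is an added example (not part of the OCI documentation or the Visualizer) that reads the JSON printed by `oci compute instance list --compartment-id <compartment_ocid> --all --output json` and separates instances that carry a ZPR security attribute from those that do not. It assumes the CLI exposes the attribute map under the key `security-attributes`, and it accepts two map shapes because the exact layout is an assumption here; the embedded instance list is constructed for the example, and its OCIDs and names are placeholders.

```python
"""Find Compute instances that carry no ZPR security attribute, using the JSON
printed by:
    oci compute instance list --compartment-id <compartment_ocid> --all --output json

Added example, not part of the OCI documentation or the ZPR Visualizer."""
import json
import sys


def security_attributes(instance):
    """Return the instance's security-attribute map, or {} if it has none.

    Assumes the CLI exposes the map under the key "security-attributes"
    (kebab-case, as the CLI prints resource fields); adjust the key if your
    CLI version names it differently."""
    attrs = instance.get("security-attributes")
    return attrs if isinstance(attrs, dict) else {}


def flatten_attributes(attrs):
    """Render an attribute map as ZPR-style "namespace.key:value" strings.

    Accepts both {"ns": {"key": "value"}} and the tag-like
    {"ns": {"key": {"value": "v", "mode": "enforce"}}} shape (assumed)."""
    out = []
    for namespace, keys in attrs.items():
        for key, val in keys.items():
            if isinstance(val, dict):
                val = val.get("value")
            out.append(f"{namespace}.{key}:{val}")
    return sorted(out)


def partition_instances(instance_list_json, skip_terminated=True):
    """Split instances into (protected, unprotected).

    protected maps instance OCID -> list of attributes; unprotected lists the
    display names that need a security attribute before the Visualizer can
    show their policy relationships. Terminated instances are skipped by
    default because list output keeps them for a while."""
    protected, unprotected = {}, []
    for inst in instance_list_json.get("data", []):
        if skip_terminated and inst.get("lifecycle-state") == "TERMINATED":
            continue
        attrs = flatten_attributes(security_attributes(inst))
        if attrs:
            protected[inst["id"]] = attrs
        else:
            unprotected.append(inst.get("display-name", inst["id"]))
    return protected, unprotected


# Constructed sample in the shape of the CLI output; the OCIDs and names are
# placeholders, not real resources.
SAMPLE_INSTANCE_LIST = {"data": [
    {"id": "ocid1.instance.oc1..example-web01", "display-name": "web-01",
     "lifecycle-state": "RUNNING",
     "security-attributes": {"myns": {"tier": {"value": "web", "mode": "enforce"}}}},
    {"id": "ocid1.instance.oc1..example-db01", "display-name": "db-01",
     "lifecycle-state": "RUNNING", "security-attributes": {}},
    {"id": "ocid1.instance.oc1..example-old01", "display-name": "old-01",
     "lifecycle-state": "TERMINATED"},
]}

if __name__ == "__main__":
    # Usage: python find_unprotected.py instances.json  (defaults to the sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INSTANCE_LIST
    protected, unprotected = partition_instances(doc)
    for name in unprotected:
        print(f"UNPROTECTED: {name}")
    for ocid, attrs in protected.items():
        print(f"protected: {ocid} {' '.join(attrs)}")
    sys.exit(1 if unprotected else 0)
```

Run it before step 4 to get the list of instances that need an attribute, and again after step 6 to confirm the list is empty; a non-zero exit status makes it usable as a gate in a pipeline. An instance that appears as protected here can still be missing from the graph if no ZPR policy references its attribute, which is what step 7 checks in the Visualizer.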