Understanding Zero Trust Packet Routing Policy

Zero Trust Packet Routing policy enforces access control based on the security attributes that are applied to the resources involved in an access attempt.

A policy is a container for a set of policy statements. A policy statement is a rule that specifies who can access what resource, and how. Zero Trust Packet Routing (ZPR) policy is based on an Attribute Based Access Control (ABAC) authorization model that evaluates attributes (or characteristics) to determine access to resources. This approach is different than OCI IAM (see How ZPR Differs from IAM). ZPR policies are designed to achieve "attribute based access control" where the security attributes of source, target, and network are factored into the evaluation of policy using Zero Trust Packet Routing Policy Language (ZPL).

ZPL lets you write policy statements focused on allowing client endpoints with security attributes to access other endpoints. ZPL supports the following types of allow statements in regards to communication to, from, and within individual VCNs identified by their security attributes:

  • Allow communication between two endpoints within a VCN
  • Allow ingress from a source outside the VCN to an endpoint inside the VCN
  • Allow egress to a target outside the VCN from an endpoint inside the VCN

For example, the following policy statement allows apps:hr-apps hosts to read any OCI resource with the apps:hr-app-data security attribute:

in networks:application VCN allow apps:hr-apps endpoints to connect to apps:hr-app-data endpoints

When ingressing or egressing outside of the VCN, ZPR policy must refer to the clients using IP addresses instead of security attributes. Security attributes may only be used when referring to endpoints in the same VCN.

For example, if you need to allow a client in networks:net1 VCN to access a compute or database in another VCN, you need to use IP addresses to reference the targets in the other VCN:

in networks:net1 VCN allow apps:app1 endpoints to connect to '192.168.0.0/16'

To create ZPR policies, you must first create security attributes. Security attributes are factored into the evaluation of ZPR policy. After you create security attributes, review ZPR policy syntax, then examine the options for creating a policy with policy builders. You can also learn about ZPR policies from examples.

Note

You must apply security attributes to OCI resources for ZPR policy to take effect.

After you create security attributes and ZPR policies, you can apply the security attributes to resources.

See Resources That Can Be Assigned Security Attributes for the types of resources you can use in ZPR policies.