Network Security Groups within Oracle Cloud Infrastructure Overview

Nathan Hill 11-Jan-2023 14:21:59

This blog aims to introduce you to a key OCI security concept: Network Security Groups. We will explore what Network Security Groups are and how they compare to the default Oracle Cloud Infrastructure (OCI) security lists. Before you read on, you can find out more about our Oracle Cloud Services here.

Network Security Groups

Network security groups (NSGs) act as a virtual firewall for your compute instances and other kinds of resources. An NSG consists of a set of ingress and egress security rules that apply only to a set of Virtual Network Interface Cards (VNICs) of your choice in a single Virtual Cloud Network (VCN), for example all the compute instances that act as web servers in the web tier of a multi-tier application in your VCN.

Compared to security lists, NSGs let you separate your VCN's subnet architecture from your application security requirements. A comparison of security lists and network security groups is available on the Oracle website.

NSG security rules function the same as security list rules. However, for an NSG security rule's source (for ingress rules) or destination (for egress rules), you can specify an NSG instead of a CIDR. This means you can easily write security rules to control traffic between two NSGs in the same VCN or traffic within a single NSG.

Unlike security lists, a VCN has no default NSG, and each NSG you create is initially empty: it has no default security rules, so nothing is allowed through it until you add rules explicitly.

Comparison of Security Lists and Network Security Groups

Security lists let you define a set of security rules that applies to all the VNICs in an entire subnet. To use a given security list with a particular subnet, you associate the security list with the subnet either during subnet creation or later. A subnet can be associated with a maximum of five security lists. Any VNICs created in that subnet are subject to the security lists associated with the subnet.

Network security groups let you define a set of security rules that applies to a group of VNICs of your choice (or the VNICs' parent resources, such as load balancers or DB systems), for example the VNICs that belong to a set of compute instances that all have the same security posture. To use a given NSG, you add the VNICs of interest to the group. Any VNICs added to that group are subject to that group's security rules. A VNIC can be added to a maximum of five NSGs.

Oracle recommends using NSGs instead of security lists because NSGs let you separate the VCN's subnet architecture from your application security requirements. However, you can use both security lists and NSGs together if you want.
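To make two of the points above concrete (an NSG rule that names another NSG as its source instead of a CIDR, and what happens to a VNIC that is covered by both a subnet's security lists and its own NSGs), here is an added Python example. It is not code from the original post or from Oracle. It builds ingress rules in the JSON shape accepted by the OCI CLI's `oci network nsg rules add --security-rules '[...]'`, then evaluates them with a small model of OCI's documented behaviour: when both security lists and NSGs apply to a VNIC, the union of their rules is used, so a packet is allowed if any rule in any applicable list or group permits it. The OCIDs and client address are constructed placeholders, and `Flow`, `rule_permits` and `ingress_allowed` are illustrative names, not OCI APIs.

```python
"""Added example: model OCI NSG and security-list ingress rules and evaluate them."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder OCIDs; real ones come from `oci network nsg create`.
WEB_NSG = "ocid1.networksecuritygroup.oc1..placeholder-web"
APP_NSG = "ocid1.networksecuritygroup.oc1..placeholder-app"
MAX_NSGS_PER_VNIC = 5
MAX_SECURITY_LISTS_PER_SUBNET = 5


def tcp_ingress_rule(source, port_min, port_max=None, source_type="CIDR_BLOCK", description=""):
    """One ingress rule in the camelCase JSON shape the OCI CLI takes.
    sourceType is CIDR_BLOCK, SERVICE_CIDR_BLOCK or NETWORK_SECURITY_GROUP;
    the last lets a rule reference another NSG in the same VCN instead of a CIDR."""
    return {
        "direction": "INGRESS",
        "protocol": "6",  # IANA number for TCP; "all", "1" (ICMP) and "17" (UDP) are also valid
        "source": source,
        "sourceType": source_type,
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": port_min, "max": port_max or port_min}},
        "description": description,
    }


# Web tier accepts HTTPS from anywhere; app tier accepts 8080 only from VNICs in the web NSG.
WEB_NSG_RULES = [tcp_ingress_rule("0.0.0.0/0", 443, description="HTTPS from the internet")]
APP_NSG_RULES = [tcp_ingress_rule(WEB_NSG, 8080, source_type="NETWORK_SECURITY_GROUP",
                                  description="app port from web-tier VNICs only")]


@dataclass
class Flow:
    """An inbound TCP connection attempt: its source and the port it targets."""
    src_ip: str
    dst_port: int
    src_nsgs: tuple = ()  # NSGs the sending VNIC belongs to (empty for internet clients)


def rule_permits(rule, flow):
    """True if a single ingress rule (from an NSG or a security list) matches the flow."""
    if rule["direction"] != "INGRESS" or rule["protocol"] not in ("6", "all"):
        return False
    if rule["sourceType"] == "NETWORK_SECURITY_GROUP":
        if rule["source"] not in flow.src_nsgs:  # sender must be a member of that NSG
            return False
    elif rule["sourceType"] == "CIDR_BLOCK":
        if ip_address(flow.src_ip) not in ip_network(rule["source"]):
            return False
    else:
        return False  # SERVICE_CIDR_BLOCK sources are not modelled here
    ports = rule.get("tcpOptions", {}).get("destinationPortRange")
    return ports is None or ports["min"] <= flow.dst_port <= ports["max"]


def ingress_allowed(flow, subnet_security_lists, vnic_nsgs):
    """OCI applies the union: the flow is allowed if any rule in any security list on the
    subnet OR in any NSG the VNIC belongs to permits it. Both lists hold lists of rules."""
    if len(subnet_security_lists) > MAX_SECURITY_LISTS_PER_SUBNET:
        raise ValueError("a subnet can be associated with at most five security lists")
    if len(vnic_nsgs) > MAX_NSGS_PER_VNIC:
        raise ValueError("a VNIC can be added to at most five NSGs")
    applicable = [r for sl in subnet_security_lists for r in sl] + [r for nsg in vnic_nsgs for r in nsg]
    return any(rule_permits(r, flow) for r in applicable)


def demo():
    """Evaluate the tiered rule set, then show a permissive security list widening it."""
    internet_client = Flow("203.0.113.10", 8080)  # constructed documentation address
    web_vnic = Flow("10.0.1.5", 8080, src_nsgs=(WEB_NSG,))
    results = {
        "internet_to_web_443": ingress_allowed(Flow("203.0.113.10", 443), [], [WEB_NSG_RULES]),
        "internet_to_app_8080": ingress_allowed(internet_client, [], [APP_NSG_RULES]),
        "web_to_app_8080": ingress_allowed(web_vnic, [], [APP_NSG_RULES]),
    }
    # A wide-open security list still attached to the app subnet is unioned with the NSG,
    # so the tight NSG rule no longer keeps internet clients off port 8080.
    open_list = [{"direction": "INGRESS", "protocol": "all", "source": "0.0.0.0/0",
                  "sourceType": "CIDR_BLOCK", "isStateless": False}]
    results["internet_to_app_8080_with_open_seclist"] = ingress_allowed(
        internet_client, [open_list], [APP_NSG_RULES])
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The last result is the practical reason behind the recommendation above: moving to NSGs only tightens things if the subnet's security lists are reviewed at the same time, because a permissive list rule is still honoured alongside the NSG rules.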

Support for Network Security Groups

NSGs are available for you to create and use. However, they are not yet supported by all the relevant Oracle Cloud Infrastructure services.

Currently, the following types of parent resources support the use of NSGs:

  • Compute instances: When you create an instance, you can specify one or more NSGs for the instance's primary VNIC. If you add a secondary VNIC to an instance, you can specify one or more NSGs for that VNIC. You can also update existing VNICs on an instance so that they are in one or more NSGs.
  • Load balancers: When you create a load balancer, you can specify one or more NSGs for the load balancer (not the backend set). You can also update an existing load balancer to use one or more NSGs.
  • DB systems: When you create a DB system, you can specify one or more NSGs. You can also update an existing DB system to use one or more NSGs.
  • Autonomous Databases: When you create an Autonomous Database on dedicated Exadata infrastructure, you can specify one or more NSGs for the infrastructure resource. You can also update an existing dedicated Exadata infrastructure instance to use NSGs.
  • Mount targets: When you create a mount target for a file system, you can specify one or more NSGs. You can also update an existing mount target to use one or more NSGs.
  • DNS resolver endpoint: When you create an endpoint for a private DNS resolver, you can specify one or more NSGs. You can also update an existing endpoint to use one or more NSGs.
  • Kubernetes clusters: When you create a Kubernetes cluster using Container Engine for Kubernetes, you can specify one or more NSGs to control access to the Kubernetes API endpoint and to worker nodes. You can also specify NSGs when defining a load balancer for a cluster.
  • API gateways: When you create an API gateway, you can specify one or more NSGs to control access to the API gateway.
  • Functions: When you set up an application in OCI Functions, you can specify one or more NSGs to define ingress and egress rules that apply to all the functions in that particular application.
  • GoldenGate deployments: When you create a GoldenGate deployment, you can specify one or more NSGs to control access to the deployment.

For resource types that do not yet support NSGs, continue to use security lists to control traffic in and out of those parent resources.

If you are interested in our specialist Oracle Cloud Services please contact one of our expert Oracle Cloud Consultants. You can also email us at enquiries@dsp.co.uk or book a meeting...
