This blog aims to introduce you to a key OCI security concept: Network Security Groups. We will explore what Network Security Groups are and how they compare to the default Oracle Cloud Infrastructure (OCI) Security Lists. Before you read on, you can find out more about our Oracle Cloud Services here.
Network security groups (NSGs) act as a virtual firewall for your compute instances and other kinds of resources. An NSG consists of a set of ingress and egress security rules that apply only to a set of Virtual Network Interface Cards (VNICs) of your choice in a single Virtual Cloud Network (VCN), for example all the compute instances that act as web servers in the web tier of a multi-tier application in your VCN.
Compared to security lists, NSGs let you separate your VCN's subnet architecture from your application security requirements. A comparison of security lists and network security groups is available on the Oracle website.
NSG security rules function the same as security list rules. However, for an NSG security rule's source (for ingress rules) or destination (for egress rules), you can specify an NSG instead of a CIDR. This means you can easily write security rules to control traffic between two NSGs in the same VCN or traffic within a single NSG.
Unlike security lists, a VCN has no default NSG, and each NSG you create starts empty: it has no default security rules, so nothing is allowed in or out until you add rules.
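The following Terraform configuration is an added example, not code from the original post, showing the two points above: an NSG-to-NSG rule in place of a CIDR, and the need to grant egress explicitly because an NSG starts empty. It assumes a `var.compartment_ocid` variable and an existing `oci_core_vcn.app` resource; the resource types and arguments are those of the OCI Terraform provider.

```hcl
# Added example, not from the original post: two NSGs in one VCN, where the
# app tier admits traffic only from members of the web tier's NSG, not a CIDR.
# var.compartment_ocid and oci_core_vcn.app are assumed to exist already.
resource "oci_core_network_security_group" "web" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.app.id
  display_name   = "web-tier-nsg"
}
resource "oci_core_network_security_group" "app" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.app.id
  display_name   = "app-tier-nsg"
}
# Web tier: HTTPS from anywhere, the familiar CIDR-based form of a rule.
resource "oci_core_network_security_group_security_rule" "web_https_in" {
  network_security_group_id = oci_core_network_security_group.web.id
  direction                 = "INGRESS"
  protocol                  = "6" # TCP
  source_type               = "CIDR_BLOCK"
  source                    = "0.0.0.0/0"
  tcp_options {
    destination_port_range {
      min = 443
      max = 443
    }
  }
}
# NSGs start empty, so egress from the web tier must be granted explicitly.
# Destination is the app NSG itself, so it follows the app VNICs wherever they live.
resource "oci_core_network_security_group_security_rule" "web_to_app_out" {
  network_security_group_id = oci_core_network_security_group.web.id
  direction                 = "EGRESS"
  protocol                  = "all"
  destination_type          = "NETWORK_SECURITY_GROUP"
  destination               = oci_core_network_security_group.app.id
}
# App tier: port 8080 only from VNICs in the web NSG; no subnet CIDR needed,
# so moving web servers to another subnet does not require a rule change.
resource "oci_core_network_security_group_security_rule" "app_from_web_in" {
  network_security_group_id = oci_core_network_security_group.app.id
  direction                 = "INGRESS"
  protocol                  = "6"
  source_type               = "NETWORK_SECURITY_GROUP"
  source                    = oci_core_network_security_group.web.id
  tcp_options {
    destination_port_range {
      min = 8080
      max = 8080
    }
  }
}
```

A VNIC joins an NSG through the `nsg_ids` list in the instance's `create_vnic_details` block (or the equivalent argument on load balancers and DB systems); until a VNIC is a member, none of these rules apply to it.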
Security lists let you define a set of security rules that applies to all the VNICs in an entire subnet. To use a given security list with a particular subnet, you associate the security list with the subnet either during subnet creation or later. A subnet can be associated with a maximum of five security lists. Any VNICs created in that subnet are subject to the security lists associated with the subnet.
Network security groups let you define a set of security rules that applies to a group of VNICs of your choice (or the VNICs' parent resources, such as load balancers or DB systems), for example the VNICs that belong to a set of compute instances that all share the same security posture. To use a given NSG, you add the VNICs of interest to the group. Any VNICs added to that group are subject to that group's security rules. A VNIC can be added to a maximum of five NSGs.
Oracle recommends using NSGs instead of security lists because NSGs let you separate the VCN's subnet architecture from your application security requirements. However, you can use both security lists and NSGs together if you want.
NSGs are available for you to create and use. However, they are not yet supported by all the relevant Oracle Cloud Infrastructure services.
Currently, the following types of parent resources support the use of NSGs:
For resource types that do not yet support NSGs, continue to use security lists to control traffic in and out of those parent resources.