Understanding OCI Security Lists….

Security List

Security lists are alike set of common firewall rules associated with  a subnet. Because SL are associated with a subnet, they are going to be applied to all the instances  launched inside that subnet. Basically these are going to be the rules and all the resources in that subet are going to follow these rules. When you are creating these SL, you can define that whether these rules are either Stateful or Stateless.

So for example, we might have a VCN and that VCN contains three different subnets i.e. A, B and C. Thus our SL will have both Ingress and Egress rules and based on these rules, the instances in these subnets are going to be either allowed or not allowed to interact with the other resources or the internet. For example, with the Ingress rule with the CIDR as, anybody will have the access. And for the Egress, might have a rule that uses a Destination port of 1521. If this rule is using the CIDR of a particular subnet, for example, Subnet B and therefore, only the instance on that subnet will have the access to the port 1521.

So basically SL consists of rules that specify the types of traffic allowed in and out of the subnet.

A SL is enforced at the VNIC level from the subnet. It means that the any compute instances etc. has VNIC and that means that VNIC attaches to the subnet. SL is associated with the subnet either during or after subnet creation. Every subnet can have up to five SL. When you launch a VCN, it comes with the a default SL and that has three security rules. One is about SSH and that’s enabled for port number 22 and there are two that ICMP rules , which are for troubleshooting and they are not for echo. Everything else is closed and nothing else is enabled by default.

This applies to a given instance, whether it’s talking with another instance in the same VCN  or a host outside the VCN.

SL rules can be Stateful or Stateless.

When an instance receives traffic matching the stateful ingress rule, the response is tracked and automatically allowed regardless of any egress rules. Default SL are always Stateful.

On the other hand, Stateless SL do not automatically allow response traffic. Requires creation of stateless egress rule to allow automatic response traffic. Also it indicates that you do not want to use connection tracking for any traffic that matches the rule. And this is ideal for cases where you have large number of connections like Big Data or Load Balancing.