Oracle Cloud Infrastructure (OCI) Networking provides Security Lists to control inbound and outbound traffic for resources inside a Virtual Cloud Network (VCN).
Using OCI CLI, administrators can generate ready-made JSON templates for security rules, making automation and Infrastructure as Code much easier.
OCI CLI Command
The following command generates a sample JSON structure for ingress security rules:
```shell
oci network security-list create \
  --generate-param-json-input ingress-security-rules
```
Real Example
```
(base) karandodwal@Karans-MacBook-Air ~ % oci network security-list create \
  --generate-param-json-input ingress-security-rules
```
Sample Output
```json
[
  {
    "description": "string",
    "icmpOptions": {
      "code": 0,
      "type": 0
    },
    "isStateless": true,
    "protocol": "string",
    "source": "string",
    "sourceType": "string",
    "tcpOptions": {
      "destinationPortRange": {
        "max": 0,
        "min": 0
      },
      "sourcePortRange": {
        "max": 0,
        "min": 0
      }
    },
    "udpOptions": {
      "destinationPortRange": {
        "max": 0,
        "min": 0
      },
      "sourcePortRange": {
        "max": 0,
        "min": 0
      }
    }
  }
]
```
What Does This Command Do?
The command does not create a Security List.
Instead, it generates a JSON template that can later be customized and used with OCI CLI commands.
This is extremely useful for:
- Automation
- Infrastructure as Code
- Terraform-style workflows
- Repeatable deployments
- Complex networking configurations
Understanding OCI Security Lists
A Security List in OCI acts like a virtual firewall at the subnet level.
It controls:
- Ingress traffic (incoming)
- Egress traffic (outgoing)
OCI Networking Architecture
```
VCN
└── Subnet
    └── Security List
        ├── Ingress Rules
        └── Egress Rules
```
Understanding the JSON Template
The generated JSON contains all possible parameters for an ingress rule.
Field-by-Field Explanation
| Field | Description |
|---|---|
| description | Description of the security rule |
| icmpOptions | ICMP protocol settings |
| isStateless | Defines whether the rule is stateful or stateless |
| protocol | Network protocol number |
| source | Allowed source CIDR block |
| sourceType | Source type definition |
| tcpOptions | TCP-specific port rules |
| udpOptions | UDP-specific port rules |
Understanding the Protocol Field
The protocol field takes the protocol number as a string (for example "6" for TCP), or the keyword all to match every protocol.
| Protocol | Value |
|---|---|
| ICMP | 1 |
| TCP | 6 |
| UDP | 17 |
| All Protocols | all |
Example TCP Rule
Allow SSH traffic on port 22:
```json
{
  "description": "Allow SSH",
  "protocol": "6",
  "source": "0.0.0.0/0",
  "sourceType": "CIDR_BLOCK",
  "tcpOptions": {
    "destinationPortRange": {
      "min": 22,
      "max": 22
    }
  }
}
```
Understanding TCP Options
TCP options define source and destination port ranges.
Destination Port Range
Defines which ports are allowed on the destination system.
Example:
```json
"destinationPortRange": {
  "min": 22,
  "max": 22
}
```
This allows TCP traffic to port 22 only, the SSH port.
Understanding UDP Options
UDP options work similarly to TCP options but apply to UDP traffic.
Examples:
- DNS
- NTP
- Streaming services
Understanding ICMP Options
ICMP rules are used for:
- Ping requests
- Network diagnostics
- Troubleshooting
Example:
```json
"icmpOptions": {
  "type": 3,
  "code": 4
}
```
Stateful vs Stateless Rules
The template includes the field with a placeholder value:
```json
"isStateless": true
```
Set it deliberately in your own rules: false (or omitting the field) gives the stateful default described below, while true makes the rule stateless.
Stateful Rule
- Return traffic automatically allowed
- Easier to manage
- Default behavior in OCI
Stateless Rule
- Return traffic must be explicitly allowed
- Higher performance
- Useful for specialized workloads
Understanding Source and SourceType
Example
```json
"source": "0.0.0.0/0",
"sourceType": "CIDR_BLOCK"
```
Meaning
- 0.0.0.0/0 means all IP addresses
- CIDR_BLOCK specifies source is defined using CIDR notation
Security Warning
Using `0.0.0.0/0` as the source opens access from the entire internet.
Use carefully, especially for:
- SSH ports
- Database ports
- Application ports
How JSON Templates Are Used
The generated JSON can be:
- Saved to a file
- Edited manually
- Passed back to OCI CLI commands
Save JSON Template to File
```shell
oci network security-list create \
  --generate-param-json-input ingress-security-rules \
  > ingress-rules.json
```
Edit the JSON File
Modify the template with real values:
```json
{
  "description": "Allow HTTPS",
  "protocol": "6",
  "source": "0.0.0.0/0",
  "sourceType": "CIDR_BLOCK",
  "tcpOptions": {
    "destinationPortRange": {
      "min": 443,
      "max": 443
    }
  }
}
```
Create Security List Using JSON
```shell
oci network security-list create \
  --compartment-id <compartment_ocid> \
  --vcn-id <vcn_ocid> \
  --display-name MySecurityList \
  --ingress-security-rules file://ingress-rules.json
```
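The generate, edit and create procedure above, together with the Security Warning about `0.0.0.0/0`, as one added example (not code from this post or from Oracle): a Python script that builds ingress rules in the field layout of the generated template, validates port ranges and CIDRs, audits the list for sensitive ports exposed to the whole internet, and writes the `ingress-rules.json` file that `--ingress-security-rules file://` consumes. The helper names, the SENSITIVE_PORTS table and the sample rules are this example's own constructions.

```python
"""Build and audit an ingress-security-rules JSON file for the OCI CLI.

Added example, not code from the original post or from Oracle. It relies
only on the field names shown by the generated template (description,
protocol, source, sourceType, isStateless, tcpOptions, udpOptions,
icmpOptions); the helper names, the SENSITIVE_PORTS table and the sample
rules below are this example's own constructions.
"""
import ipaddress
import json

# Protocol values as the post's table lists them; OCI expects them as strings.
PROTOCOLS = {"icmp": "1", "tcp": "6", "udp": "17", "all": "all"}

# Ports the post's "Security Warning" is about (SSH and database ports).
# Constructed list for this example; extend it for your own environment.
SENSITIVE_PORTS = {22: "SSH", 1433: "MSSQL", 1521: "Oracle DB",
                   3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}


def port_range(min_port, max_port=None):
    """destinationPortRange/sourcePortRange object with a sanity check."""
    max_port = min_port if max_port is None else max_port
    if not 1 <= min_port <= max_port <= 65535:
        raise ValueError(f"invalid port range {min_port}-{max_port}")
    return {"min": min_port, "max": max_port}


def ingress_rule(description, protocol, source, *, dst=None, icmp=None,
                 stateless=False):
    """Return one ingress rule in the shape of the generated template."""
    ipaddress.ip_network(source)  # raises ValueError on a malformed CIDR
    rule = {
        "description": description,
        "protocol": PROTOCOLS[protocol],  # KeyError on an unknown name
        "source": source,
        "sourceType": "CIDR_BLOCK",
        "isStateless": stateless,  # the template's "true" is only a placeholder
    }
    if protocol in ("tcp", "udp"):
        if dst is None:
            raise ValueError("tcp/udp rules need a destination port range")
        rule[protocol + "Options"] = {"destinationPortRange": port_range(*dst)}
    elif protocol == "icmp" and icmp is not None:
        rule["icmpOptions"] = {"type": icmp[0], "code": icmp[1]}
    return rule


def audit(rules):
    """List rules that expose sensitive ports (or everything) to any source.

    A /0 source (0.0.0.0/0 or ::/0) means the whole internet; a tcp/udp
    rule without destinationPortRange means every port of that protocol.
    """
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"])
        if src.prefixlen != 0:
            continue
        name = rule.get("description", "<no description>")
        proto = rule["protocol"]
        if proto == "all":
            findings.append(f"{name}: all protocols open to {src}")
            continue
        opts = rule.get("tcpOptions") or rule.get("udpOptions") or {}
        rng = opts.get("destinationPortRange")
        if rng is None:
            if proto in ("6", "17"):
                findings.append(f"{name}: all ports of protocol {proto} open to {src}")
            continue
        for port, svc in SENSITIVE_PORTS.items():
            if rng["min"] <= port <= rng["max"]:
                findings.append(f"{name}: {svc} ({port}) open to {src}")
    return findings


def write_rules(rules, path):
    """Write the list in the form --ingress-security-rules file://<path> expects."""
    with open(path, "w") as f:
        json.dump(rules, f, indent=2)


# Constructed sample: the post's HTTPS rule, a bastion-restricted SSH rule,
# the post's wide-open SSH rule, and a path-MTU ICMP rule (type 3, code 4).
SAMPLE_RULES = [
    ingress_rule("Allow HTTPS", "tcp", "0.0.0.0/0", dst=(443,)),
    ingress_rule("Allow SSH from bastion", "tcp", "10.0.1.0/24", dst=(22,)),
    ingress_rule("Allow SSH", "tcp", "0.0.0.0/0", dst=(22,)),
    ingress_rule("Allow ICMP frag needed", "icmp", "10.0.0.0/16", icmp=(3, 4)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("WARNING:", finding)
    write_rules(SAMPLE_RULES, "ingress-rules.json")
```

Running the script prints one warning for the post's "Allow SSH" rule (port 22 open to 0.0.0.0/0) and writes `ingress-rules.json`, which can then be passed to the `oci network security-list create` command shown above. Because `ipaddress.ip_network` is strict by default, a CIDR with host bits set (such as 10.0.1.5/24) is rejected as well, which catches a common copy-and-paste mistake before the rule reaches OCI.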
Understanding the Warning Message
The command also displayed:
```
SyntaxWarning: "\." is an invalid escape sequence
```
Why Does This Warning Appear?
This warning originates from:
- Python 3.14 compatibility changes
- OCI CLI internal Python libraries
- Regular expression formatting updates
It usually does not impact OCI CLI functionality.
Benefits of Generate-Param-JSON-Input
- Reduces manual syntax errors
- Shows all available parameters
- Useful for automation
- Simplifies complex configurations
- Ideal for scripting
OCI Security List Best Practices
- Use least privilege rules
- Avoid open internet access when unnecessary
- Use stateful rules unless stateless is required
- Document security rule purposes
- Regularly audit security lists
Security Lists vs Network Security Groups (NSGs)
| Security Lists | NSGs |
|---|---|
| Subnet-level firewall | VNIC-level firewall |
| Applies to entire subnet | Applies to specific resources |
| Simpler management | More granular control |
Conclusion
The OCI CLI command:
```shell
oci network security-list create \
  --generate-param-json-input ingress-security-rules
```
is a powerful way to generate networking rule templates for OCI Security Lists.
It helps cloud administrators:
- Understand rule structures
- Automate networking
- Create reusable configurations
- Build Infrastructure as Code workflows
Combined with OCI CLI automation and JSON templates, OCI networking becomes highly flexible and script-friendly for enterprise cloud deployments.