Create Security Lists in OCI using OCI CLI

Venkataramana
3 min read, Dec 22, 2020


Security Lists are one of the most critical pieces of setup that need to be configured in your OCI tenancy to secure your environments. To prevent attacks from the outside world, you need to allow connections only from known IPs or CIDR ranges.

It's simple to create a security list from the OCI Console and add the required rules (ingress and egress). But when we have many IPs or CIDRs to allow into OCI, adding them one by one is laborious and tedious. Also, currently one Security List supports a maximum of 200 rules each for ingress and egress. This post walks through the process of creating a security list using the OCI CLI.

Requirements

  1. You need the OCI CLI already configured, and the account used must have the privileges required to create a security list.
  2. Identify all the IPs and CIDRs that need to be added as part of the creation.

Below is the information we need in order to proceed with creation using the OCI CLI.

Compartment OCID: ocid1.compartment.oc1..a************asdjklhsdkjhsdkfjh

VCN OCID: ocid1.vcn.oc1.uk-london-1.sdghfsjdgsdhghsdhdsddddssshshs

Security List Name: sl-allow-public

Create a JSON file with the ingress rules added to it. Each rule in the file should have the format below:

{"description": "WAF IP", "source": "140.204.8.128/25", "protocol": "6", "isStateless": false, "tcpOptions": {"destinationPortRange": {"max": 443, "min": 443}, "sourcePortRange": null}}

The above example allows connections from 140.204.8.128/25 over TCP (protocol 6) to port 443 on the subnet or VCN the list is attached to.

You can add any number of rules in the above format as a JSON array and save the file as ingress.json:

[
{"description": "WAF IP", "source": "129.146.12.128/25", "protocol": "6", "isStateless": false, "tcpOptions": {"destinationPortRange": {"max": 443, "min": 443}, "sourcePortRange": null}},
{"description": "WAF IP", "source": "129.146.13.128/25", "protocol": "6", "isStateless": false, "tcpOptions": {"destinationPortRange": {"max": 443, "min": 443}, "sourcePortRange": null}},
{"description": "WAF IP", "source": "129.146.14.128/25", "protocol": "6", "isStateless": false, "tcpOptions": {"destinationPortRange": {"max": 443, "min": 443}, "sourcePortRange": null}}
]

Similarly, create an egress.json rule file as below:

[
{"description": "Egress Allow", "destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK", "protocol": "all", "isStateless": false}
]

Now log in to the server where you can run OCI CLI commands and upload both the ingress and egress files. Run the following command to create the security list (the ingress and egress files are passed with separate options):

oci network security-list create -c <Compartment OCID> --vcn-id <VCN OCID> --display-name sl-allow-public --ingress-security-rules file://<ingress file location> --egress-security-rules file://<egress file location>

Tip: A security list is limited to 200 rules each for ingress and egress. If you have more than 200 rules, you have to create separate security lists and attach them to the required subnets.
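Hand-editing a long JSON array is where typos creep in, and the 200-rule limit above is easy to hit with a large allow-list. The following Python script is an added example (not the author's code) that builds ingress rule files from a plain list of CIDRs using the rule shape shown in this post, validates each entry with the standard `ipaddress` module so that a mistyped network or an unbounded source such as 0.0.0.0/0 is rejected before anything reaches OCI, splits the result into files of at most 200 rules, and prints the corresponding `oci network security-list create` command for each file. The sample CIDRs, the `sl-allow-public-N` naming and the `egress.json` file name are constructed assumptions; the rejection of /0 ingress sources is this example's own policy, not an OCI restriction.

```python
"""Build OCI security-list ingress rule files from a list of CIDRs.

Added example, not the post author's code. It assumes the camelCase rule JSON
shown in the post (as consumed by `oci network security-list create`) and the
200-rules-per-direction limit the post states. All sample values are constructed.
"""
import ipaddress
import json
from pathlib import Path

MAX_RULES_PER_LIST = 200  # per direction, per security list (from the post)

# Constructed sample allow-list, as a team might keep it in a text file.
SAMPLE_CIDRS = [
    "129.146.12.128/25",
    "129.146.13.128/25",
    "129.146.14.128/25",
    "10.0.0.7",  # bare host with no prefix length: normalised to /32 below
]


def tcp_ingress_rule(source, port, description="WAF IP"):
    """Return one stateful TCP ingress rule allowing `source` -> dst port `port`.

    Raises ValueError for anything that is not a valid network (host bits set,
    typos) and for a /0 source, so mistakes fail here rather than at the API.
    """
    net = ipaddress.ip_network(source, strict=True)  # "/25" must sit on a boundary
    if net.prefixlen == 0:
        raise ValueError(f"refusing unbounded ingress source {source}")  # example policy
    return {
        "description": description,
        "source": str(net),  # canonical form, e.g. "10.0.0.7/32"
        "sourceType": "CIDR_BLOCK",
        "protocol": "6",  # IANA protocol number for TCP, as in the post
        "isStateless": False,
        "tcpOptions": {
            "destinationPortRange": {"min": port, "max": port},
            "sourcePortRange": None,
        },
    }


def build_ingress_rules(cidrs, port=443, description="WAF IP"):
    """Build a rule per CIDR, dropping repeats of the same network."""
    rules, seen = [], set()
    for cidr in cidrs:
        rule = tcp_ingress_rule(cidr, port, description)
        if rule["source"] in seen:
            continue
        seen.add(rule["source"])
        rules.append(rule)
    return rules


def chunk_rules(rules, limit=MAX_RULES_PER_LIST):
    """Split rules into groups that each fit within one security list."""
    return [rules[i:i + limit] for i in range(0, len(rules), limit)]


def write_rule_files(rules, stem, out_dir):
    """Write <stem>-1.json, <stem>-2.json, ... and return their paths."""
    paths = []
    for n, chunk in enumerate(chunk_rules(rules), start=1):
        path = Path(out_dir) / f"{stem}-{n}.json"
        path.write_text(json.dumps(chunk, indent=2))
        paths.append(path)
    return paths


def create_command(compartment_ocid, vcn_ocid, name, ingress_file, egress_file):
    """The CLI invocation from the post, one file per direction."""
    return (
        "oci network security-list create "
        f"-c {compartment_ocid} --vcn-id {vcn_ocid} --display-name {name} "
        f"--ingress-security-rules file://{ingress_file} "
        f"--egress-security-rules file://{egress_file}"
    )


if __name__ == "__main__":
    import tempfile

    rules = build_ingress_rules(SAMPLE_CIDRS, port=443)
    with tempfile.TemporaryDirectory() as tmp:
        for i, path in enumerate(write_rule_files(rules, "ingress", tmp), start=1):
            # One security list per 200-rule file; attach each to the subnets that need it.
            print(create_command("<Compartment OCID>", "<VCN OCID>",
                                 f"sl-allow-public-{i}", path, "egress.json"))
```

Run it once with your own CIDR list in place of `SAMPLE_CIDRS` and point `--ingress-security-rules` at the generated files; `strict=True` is what catches an entry like 129.146.12.129/25, which the console would also reject but only after you have typed all the others.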

Venkataramana

Oracle Tech enthusiast with experience in Oracle Database, EBS, OCI, Fusion Middleware Solutions(SSO, SOA, OBIEE). I am also Oracle Cloud Certified Associate