OCI Security Lists and Network Security Groups
Access to an OCI cloud instance can be controlled by
- an external firewall,
- the operating system firewall of the instance,
- the security lists of the subnet to which the instance belongs, and
- VNIC-specific Network Security Groups.
Security Lists
Security lists form the original type of virtual firewall offered by the Oracle cloud network service.
A security list acts as a virtual firewall for an instance. It has ingress and egress rules that specify the types of traffic allowed in and out. Security lists are defined at the subnet level. Therefore, all VNICs in a given subnet are subject to the same set of security lists.
You can associate multiple security lists with a subnet. Each list can have multiple rules. Traffic is allowed if any rule in any of the lists allows the traffic. Traffic is also allowed if it is the response traffic of a permitted tracked connection.
If you don't specify one or more other security lists during the creation of a subnet, a default security list will be associated with it.
Please see the relevant Oracle documentation for more information and configuration details.
Network Security Groups
Network Security Groups (or NSGs) form another type of virtual firewall. Unlike a security list, an NSG does not apply to all VNICs in a subnet, but is assigned to specific VNICs connected to the subnet. This allows a more granular access control. By default, no NSG is assigned to a VNIC.
Please see the relevant Oracle documentation for more information and configuration details.
Please note: Traffic is allowed if any rule in any of the relevant lists and groups allows the traffic. Traffic is also allowed if it is the response traffic of a permitted tracked connection.
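The evaluation rule stated in the two sections above has a consequence that is easy to miss: because the effective policy is the union of every security list on the subnet and every NSG on the VNIC, an NSG can add permissions but can never remove what the subnet's security lists already grant. The following toy evaluator, added here as an illustration and not code from Oracle or from the original page, models exactly that union plus the tracked-connection (stateful) exception for response traffic. Rule fields are a simplified subset of the real OCI rule schema, and the rule sets and addresses at the bottom are constructed for the demonstration (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

```python
"""Toy model of OCI security-list / NSG evaluation (added example, not OCI code).

Traffic is allowed if ANY rule in ANY security list of the subnet or ANY NSG
assigned to the VNIC matches it, or if it is the reply of a permitted,
tracked (stateful) connection. Everything else is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

ConnKey = Tuple[str, str, int, int]


@dataclass(frozen=True)
class Packet:
    direction: str      # "ingress" (toward the instance) or "egress"
    protocol: str       # "tcp" or "udp" in this model
    remote_ip: str      # peer address: source for ingress, destination for egress
    remote_port: int
    local_port: int

    @property
    def dst_port(self) -> int:
        # Rules filter on the destination port: the instance's port for
        # ingress traffic, the peer's port for egress traffic.
        return self.local_port if self.direction == "ingress" else self.remote_port

    def conn_key(self) -> ConnKey:
        # Direction-independent key: request and reply share it, so the reply
        # can be recognised as response traffic of a tracked connection.
        return (self.protocol, self.remote_ip, self.remote_port, self.local_port)


@dataclass(frozen=True)
class Rule:
    direction: str                  # "ingress" or "egress"
    protocol: str                   # "tcp", "udp" or "all"
    cidr: str                       # source CIDR for ingress, destination CIDR for egress
    port_min: Optional[int] = None  # destination port range; None means all ports
    port_max: Optional[int] = None
    stateless: bool = False         # stateless rules create no tracked connection

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.protocol != "all" and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.remote_ip) not in ip_network(self.cidr):
            return False
        if self.port_min is None:
            return True
        return self.port_min <= pkt.dst_port <= self.port_max


class VnicFirewall:
    """Effective policy for one VNIC: subnet security lists plus assigned NSGs."""

    def __init__(self, security_lists: List[List[Rule]], nsgs: List[List[Rule]]):
        self.rule_sets = list(security_lists) + list(nsgs)
        self.tracked: Set[ConnKey] = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.conn_key() in self.tracked:
            return True                      # reply of a permitted connection
        for rules in self.rule_sets:         # union: one matching rule anywhere suffices
            for rule in rules:
                if rule.matches(pkt):
                    if not rule.stateless:
                        self.tracked.add(pkt.conn_key())
                    return True
        return False


# Constructed rule sets for the demonstration. SUBNET_DEFAULT mirrors the shape
# of a permissive subnet list (SSH from anywhere, all egress); ADMIN_ONLY_NSG
# tries to narrow SSH to one admin network.
SUBNET_DEFAULT = [
    Rule("ingress", "tcp", "0.0.0.0/0", 22, 22),
    Rule("egress", "all", "0.0.0.0/0"),
]
ADMIN_ONLY_NSG = [Rule("ingress", "tcp", "203.0.113.0/24", 22, 22)]


def ssh_from(ip: str) -> Packet:
    return Packet("ingress", "tcp", ip, 51000, 22)


def nsg_cannot_narrow_subnet_list() -> bool:
    """An NSG only adds permissions; the subnet list still admits SSH from anywhere."""
    fw = VnicFirewall([SUBNET_DEFAULT], [ADMIN_ONLY_NSG])
    return fw.allows(ssh_from("198.51.100.9"))


def nsg_governs_when_list_is_silent() -> Tuple[bool, bool]:
    """Remove SSH from the subnet list and the NSG becomes the effective control."""
    fw = VnicFirewall([[Rule("egress", "all", "0.0.0.0/0")]], [ADMIN_ONLY_NSG])
    return fw.allows(ssh_from("198.51.100.9")), fw.allows(ssh_from("203.0.113.7"))


def reply_allowed_only_for_tracked_connection() -> Tuple[bool, bool]:
    """With no egress rule at all, the server's reply passes only after the
    inbound connection has been permitted and tracked."""
    fw = VnicFirewall([], [ADMIN_ONLY_NSG])
    reply = Packet("egress", "tcp", "203.0.113.7", 51000, 22)
    before = fw.allows(reply)            # nothing tracked yet
    fw.allows(ssh_from("203.0.113.7"))   # inbound SSH permitted and tracked
    return before, fw.allows(reply)
```

The practical lesson for this page: if SSH is to be restricted to specific source networks with an NSG, the subnet's security list must not itself contain a broader SSH rule, otherwise the NSG has no effect on that port.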
Connecting to the Cloud Instance
With the default subnet security list, and without custom Network Security Groups assigned, you can, for example, use SSH from the command-line or from a tool such as PuTTY to access the command-line of the user sshuser (for Charon-SSP prepackaged marketplace images) or your custom user (for RPM installations) on the Charon-SSP instance. If you select your instance in the instance list and then click on its name, you will see details about your instance, including its public IP address, as shown below.
To connect to the instance, you need the private key corresponding to the public key uploaded during the launch of the instance.
Please note: the file permissions of the private key file must be set such that the file is only readable by the user (e.g., # chmod 400 <private-key-file>).
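OpenSSH refuses a private key file that is readable by its group or by others, so checking the mode before connecting gives a clearer error than ssh's own message. The helper below is an added example, not part of the original page or of Charon-SSP; it verifies the condition the note above describes (no group/other permission bits, as produced by chmod 400) and only then builds the ssh command line for the user sshuser. The hostname placeholder and the throwaway file created by check_with_mode are constructed for the demonstration.

```python
"""Added example: verify private-key file permissions before using the key."""
import os
import stat
import tempfile
from typing import List


def private_key_is_protected(path: str) -> bool:
    """True if path is a regular file with no group/other permission bits,
    i.e. a mode such as 0400 or 0600 as set by 'chmod 400 <private-key-file>'."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return (stat.S_IMODE(st.st_mode) & 0o077) == 0


def ssh_command(key_path: str, user: str = "sshuser",
                host: str = "<public-ip-of-instance>") -> List[str]:
    """Argument vector for the SSH login described above; refuses to hand an
    exposed key to ssh. The default host is a placeholder, not a real address."""
    if not private_key_is_protected(key_path):
        raise PermissionError(
            f"{key_path}: private key must be readable only by its owner (chmod 400)")
    return ["ssh", "-i", key_path, f"{user}@{host}"]


def check_with_mode(mode: int) -> bool:
    """Try the check against a throwaway file created with the given mode."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return private_key_is_protected(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode in (0o400, 0o600, 0o644):
        print(f"mode {mode:04o}: {'ok' if check_with_mode(mode) else 'too open'}")
```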
There are several ways to connect to your Charon-SSP cloud instance using this basic SSH protocol access. Some of them are described in the following sections: