Policy Syntax
A Zero Trust Packet Routing (ZPR) policy consists of one or more policy statements. A policy statement is an expression of intent written in a specific syntax.
ZPR policy statements use the following syntax and rules:
<src-location> <command> <endpoint> to <verb> <endpoint>
<src-location>
Required. Must be in the form in <security attribute> VCN.
<security attribute>
Required. Must be exactly one security attribute.
<command>
Must be allow.
<endpoint>
Must be a security attribute, an ip-address, all-endpoints, or osn-services-ip-addresses.
<verb>
Must be connect to.
For example, the following policy statement allows traffic between two sets of endpoints inside the VCN identified by the source location:
in app:fin-network VCN allow app:web endpoints to connect to app:store endpoints
When traffic enters or leaves the VCN, the ZPR policy must refer to the outside party by IP address rather than by security attribute. Security attributes can be used only for endpoints in the same VCN.
The source location identifies the subject VCN by a security attribute. The allow statement applies to every VCN that carries that security attribute.
The security attribute identifies a subject VCN and endpoints within the subject VCN. A security attribute is made up of a security attribute namespace and a security attribute key, separated by a period, followed by a value, separated by a colon. For example, in applications.app:fin-network:
applications
is the security attribute namespace
app
is the security attribute key
fin-network
is the value
Security attribute namespaces, security attribute keys, and values are constrained by specific limits. Importantly, security attribute namespaces and security attribute keys can't contain a space or a period. Values, however, can contain spaces, periods, and single quotation marks. If a referenced security attribute's value contains characters beyond the basic set (such as a space, a period, or a single quotation mark), the whole security attribute clause is enclosed in single quotation marks, and any single quotation mark inside the value is escaped by doubling it (''). For example:
app:fin-network
oracle-zpr.app:fe-nodes
my-corp.biz:hr
'my-corp.biz:dev and test db'
If the namespace of a security attribute is omitted, ZPR defaults to the oracle-zpr namespace.
The endpoint clause identifies the source or the target of traffic as the endpoints within the subject VCN that carry the specified security attribute. The all-endpoints keyword signifies any endpoint inside or outside of the subject VCN, whether or not it carries any security attributes. For example:
app:fe-nodes endpoints
oracle-zpr.app:store endpoints
my-corp.biz:hr-web endpoints
'my-corp.biz:dev and test database' endpoints
The source and target can't both be all-endpoints; at least one of them must be identified by a security attribute (see Endpoint Attribute List). Traffic to and from endpoints can be further limited in a policy by filtering on the ip-address keyword and one or more of the allowed network filter attributes: protocol, protocol.icmp.type, protocol.icmp.code, and connection-state.
ip-address or osn-services-ip-addresses can be the source or the target, but not both: a statement can't use ip-address or osn-services-ip-addresses on both its source and its target endpoint. For example:
in apps:app1 VCN allow '10.0.0.0/16' to connect to apps:app1 endpoints
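The rules above (the statement shape, security attribute quoting and the oracle-zpr default namespace, and the placement rules for all-endpoints, ip-address and osn-services-ip-addresses) as one parser and validator. This is an added example written for this page, not Oracle's code and not the ZPR service's own parser. It assumes that an ip-address endpoint is written as a single-quoted address or CIDR without the endpoints keyword, as in the example statement above, and it does not parse the network filter attributes (protocol, connection-state, and so on) because their syntax is not given here. The statements it checks are constructed for the example.

```python
"""Parser and validator for the ZPR policy statement grammar described above.
Added example, not Oracle's code. Assumptions not stated on the page: an ip-address
endpoint is a single-quoted address or CIDR with no trailing 'endpoints' keyword (as in
the page's example), and network filter attributes (protocol, ...) are not parsed."""
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional, Tuple

DEFAULT_NAMESPACE = "oracle-zpr"  # used when a security attribute has no namespace
ADDRESS_KINDS = {"ip-address", "osn-services-ip-addresses"}  # allowed on one side only
# A token is a single-quoted string (with '' as the escaped quote) or a run of non-space.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\S+")
FORBIDDEN_IN_IDENT = re.compile(r"[\s.']")  # namespace and key: no space, period or quote

SecurityAttribute = namedtuple("SecurityAttribute", "namespace key value")
# kind is "attribute", "ip-address", "all-endpoints" or "osn-services-ip-addresses"
Endpoint = namedtuple("Endpoint", "kind attribute network", defaults=(None, None))
Policy = namedtuple("Policy", "vcn source target")

def parse_attribute(clause: str) -> SecurityAttribute:
    """Parse [<namespace>.]<key>:<value>. Only a single-quoted clause may carry spaces,
    periods or doubled single quotes in its value."""
    quoted = clause.startswith("'")
    if quoted:
        if len(clause) < 2 or not clause.endswith("'"):
            raise ValueError(f"unterminated quoted attribute: {clause}")
        clause = clause[1:-1].replace("''", "'")
    ident, sep, value = clause.partition(":")
    if not sep or not value:
        raise ValueError(f"attribute must be [<namespace>.]<key>:<value>: {clause}")
    namespace, dot, key = ident.partition(".")
    if not dot:
        namespace, key = DEFAULT_NAMESPACE, ident
    for name, part in (("namespace", namespace), ("key", key)):
        if not part or FORBIDDEN_IN_IDENT.search(part):
            raise ValueError(f"{name} is empty or contains a space, period or quote: {clause}")
    if not quoted and FORBIDDEN_IN_IDENT.search(value):
        raise ValueError(f"value with spaces, periods or quotes must be single-quoted: {clause}")
    return SecurityAttribute(namespace, key, value)

def parse_endpoint(tokens: List[str], pos: int) -> Tuple[Endpoint, int]:
    """Consume one <endpoint> clause at tokens[pos]; return it and the next position."""
    tok = tokens[pos] if pos < len(tokens) else ""
    if tok in ("all-endpoints", "osn-services-ip-addresses"):
        return Endpoint(tok), pos + 1
    if pos + 1 < len(tokens) and tokens[pos + 1] == "endpoints":
        return Endpoint("attribute", attribute=parse_attribute(tok)), pos + 2
    # Assumption: anything else is an ip-address endpoint, a quoted address or CIDR.
    if not (len(tok) >= 2 and tok.startswith("'") and tok.endswith("'")):
        raise ValueError(f"unrecognised endpoint (did you forget 'endpoints'?): {tok!r}")
    try:
        network = ipaddress.ip_network(tok[1:-1])  # strict: rejects host bits, e.g. 10.0.1.0/8
    except ValueError as exc:
        raise ValueError(f"bad ip-address endpoint {tok}: {exc}") from None
    return Endpoint("ip-address", network=network), pos + 1

def parse_policy(statement: str) -> Policy:
    """Parse and validate: in <attr> VCN allow <endpoint> to connect to <endpoint>."""
    tokens = TOKEN_RE.findall(statement)

    def expect(pos: int, word: str) -> int:
        if pos >= len(tokens) or tokens[pos] != word:
            raise ValueError(f"expected '{word}' at token {pos} of: {statement}")
        return pos + 1

    pos = expect(0, "in")                                            # <src-location> is required ...
    vcn = parse_attribute(tokens[pos] if pos < len(tokens) else "")  # ... with one security attribute
    pos = expect(pos + 1, "VCN")
    pos = expect(pos, "allow")                                       # allow is the only <command>
    source, pos = parse_endpoint(tokens, pos)
    for word in ("to", "connect", "to"):                             # <verb> is 'connect to'
        pos = expect(pos, word)
    target, pos = parse_endpoint(tokens, pos)
    if pos != len(tokens):
        raise ValueError(f"unexpected trailing tokens: {tokens[pos:]}")
    if source.kind == "all-endpoints" and target.kind == "all-endpoints":
        raise ValueError("source and target cannot both be all-endpoints")
    if source.kind in ADDRESS_KINDS and target.kind in ADDRESS_KINDS:
        raise ValueError("ip-address/osn-services-ip-addresses may appear on only one side")
    return Policy(vcn, source, target)

def validate(statement: str) -> Optional[str]:
    """Return None if the statement is well-formed, otherwise the reason it is rejected."""
    try:
        parse_policy(statement)
        return None
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    # Constructed statements: the page's two examples, an escaped quote, and a reject.
    for s in (
        "in app:fin-network VCN allow app:web endpoints to connect to app:store endpoints",
        "in apps:app1 VCN allow '10.0.0.0/16' to connect to apps:app1 endpoints",
        "in my-corp.biz:hr VCN allow 'app:bob''s db' endpoints to connect to all-endpoints",
        "in app:x VCN allow '10.0.0.0/16' to connect to osn-services-ip-addresses",
    ):
        print(validate(s) or f"OK: {parse_policy(s)}")
```

Run as a script, it parses the page's two example statements, shows the doubled quote in 'app:bob''s db' being unescaped to the value bob's db, and rejects the statement that puts an address on both sides with a reason. The validate helper is the piece worth keeping in a deployment pipeline: a missing endpoints keyword, an unquoted value containing a space, or an address with host bits set then fails at check time with a message rather than at the service.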