Policy Syntax

A Zero Trust Packet Routing (ZPR) policy consists of one or more policy statements. A policy statement is an expression of intent written in a specific syntax.

ZPR policy statements use the following syntax and rules:

<src-location> <command> <endpoint> to <verb> <endpoint>
  • <src-location> is required, and it must be in the form in <security attribute> VCN. <security attribute> must be specified, and it can only be a single security attribute.
  • <command> must be allow.
  • <endpoint> must be a security attribute, an IP address, all-endpoints, or osn-services-ip-addresses.
  • <verb> must be connect to, so a complete statement reads ... endpoints to connect to ... endpoints.

For example, the following policy statement allows endpoints tagged app:web to connect to endpoints tagged app:store within each VCN identified by the source location app:fin-network:

in app:fin-network VCN allow app:web endpoints to connect to app:store endpoints
Note

When traffic enters or leaves the VCN, ZPR policy must refer to the remote clients by IP address instead of by security attribute. Security attributes may only be used to refer to endpoints in the same VCN.

The source location identifies the subject VCN by its security attribute. The allow statement applies to every VCN that carries that security attribute, so a single statement can govern several VCNs.

A security attribute identifies a subject VCN and endpoints within that VCN. It is made up of a security attribute namespace and a security attribute key separated by a dot, followed by a colon and a value:

In the source location in applications.app:fin-network VCN:
  • applications is the security attribute namespace
  • app is the security attribute key
  • fin-network is the value

Security attribute namespaces, security attribute keys, and values are constrained by specific limits. Importantly, security attribute namespaces and security attribute keys can't contain a space or a dot character, which is what makes the namespace, key, and value separable on the dot and the colon. Values can contain spaces, dots, and single quotes, but when a value contains any of those characters the whole security attribute clause must be enclosed in single quotes, and any single quote inside the value must be escaped by doubling it (''). For example:

app:fin-network

oracle-zpr.app:fe-nodes

my-corp.biz:hr

'my-corp.biz:dev and test db'

Note

If the namespace of a security attribute is omitted, ZPR defaults to the oracle-zpr namespace.

The endpoint clause identifies the source or the target of the traffic: the endpoints within the subject VCN that carry the specified security attribute. The keyword all-endpoints signifies any endpoint, inside or outside of the subject VCN, whether or not it carries any security attribute:

app:fe-nodes endpoints

oracle-zpr.app:store endpoints

my-corp.biz:hr-web endpoints

'my-corp.biz:dev and test database' endpoints

Note

The source and target can't both be all-endpoints. At least one of them must be identified by an endpoint attribute list.
Source location, source endpoint, and target endpoint.

Traffic to and from endpoints can be further limited in a policy by filtering on the keyword ip-address and on one or more of the allowed network filter attributes: protocol, protocol.icmp.type, protocol.icmp.code, and connection-state.

Endpoint attribute list.

An ip-address or osn-services-ip-addresses endpoint can be the source or the target, but not both: at most one side of a statement may be an IP-based endpoint, and the other side must be identified some other way. For example, the following statement allows traffic from the 1.2.3.4/16 prefix to endpoints tagged apps:app1 within each VCN tagged apps:app1:

in apps:app1 VCN allow '1.2.3.4/16' endpoints to connect to apps:app1 endpoints
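
The syntax rules on this page (namespace.key:value structure, the oracle-zpr default namespace, single-quote escaping, the allowed endpoint forms, and the two cross-endpoint restrictions) are exercised by the following parser and validator. It is an added example written for this page, not Oracle's ZPR implementation or any ZPR tooling. Two points go beyond what the page states and are marked ASSUMED in the code: osn-services-ip-addresses is treated as a bare keyword endpoint, and any quoted clause that parses as an IP prefix is treated as an ip-address endpoint. The sample statements are the page's own examples plus constructed variations.

```python
# Added example: a parser/validator for the ZPR policy statement syntax on this page.
# It is not Oracle's implementation; lines marked ASSUMED go beyond what the page states.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_NAMESPACE = "oracle-zpr"   # page: an omitted namespace defaults to oracle-zpr
KEYWORD_ENDPOINTS = {"all-endpoints": "all", "osn-services-ip-addresses": "osn"}  # ASSUMED bare keywords
# A single-quoted clause (with '' as an escaped quote) or a run of non-space characters.
TOKEN_RE = re.compile(r"'((?:[^']|'')*)'|(\S+)")

@dataclass(frozen=True)
class SecurityAttribute:
    namespace: str
    key: str
    value: str

@dataclass(frozen=True)
class Endpoint:
    kind: str                                   # "attr", "ip", "osn" or "all"
    attr: Optional[SecurityAttribute] = None
    network: Optional[str] = None               # normalized prefix when kind == "ip"

def tokenize(stmt: str) -> List[Tuple[str, str]]:
    """Split a statement into ("word", text) and ("quoted", text) tokens."""
    tokens = []
    for m in TOKEN_RE.finditer(stmt):
        if m.group(2) is None:                  # quoted clause: unescape '' -> '
            tokens.append(("quoted", m.group(1).replace("''", "'")))
        elif "'" in m.group(2):                 # stray quote outside a quoted clause
            raise ValueError(f"unbalanced single quote near {m.group(2)!r}")
        else:
            tokens.append(("word", m.group(2)))
    return tokens

def parse_attribute(text: str, quoted: bool) -> SecurityAttribute:
    """namespace.key:value; no space or dot in namespace/key, so ':' starts the value."""
    if ":" not in text:
        raise ValueError(f"security attribute needs ':' before its value: {text!r}")
    left, value = text.split(":", 1)
    namespace, _, key = left.rpartition(".")
    if not namespace:                           # no dot: key only, namespace defaults
        namespace, key = DEFAULT_NAMESPACE, left
    for name, part in (("namespace", namespace), ("key", key)):
        if not part or " " in part or "." in part:
            raise ValueError(f"invalid {name} {part!r} in {text!r}")
    if not value or (not quoted and any(c in value for c in " .'")):
        raise ValueError(f"value {value!r} is empty or needs the clause single-quoted")
    return SecurityAttribute(namespace, key, value)

def parse_endpoint(tokens: List[Tuple[str, str]], pos: int) -> Tuple[Endpoint, int]:
    """Consume one endpoint clause at tokens[pos]; return it and the next position."""
    if pos >= len(tokens):
        raise ValueError("missing endpoint clause")
    kind, text = tokens[pos]
    if kind == "word" and text in KEYWORD_ENDPOINTS:
        return Endpoint(KEYWORD_ENDPOINTS[text]), pos + 1
    if tokens[pos + 1:pos + 2] != [("word", "endpoints")]:
        raise ValueError(f"expected 'endpoints' after {text!r}")
    if kind == "quoted":
        try:  # ASSUMED: a quoted clause that parses as a prefix is an ip-address endpoint;
            # strict=False because the page's own example '1.2.3.4/16' has host bits set.
            return Endpoint("ip", network=str(ipaddress.ip_network(text, strict=False))), pos + 2
        except ValueError:
            pass                                # not a prefix: treat as a quoted attribute
    return Endpoint("attr", attr=parse_attribute(text, kind == "quoted")), pos + 2

def parse_policy(stmt: str) -> Tuple[SecurityAttribute, Endpoint, Endpoint]:
    """Parse 'in <attr> VCN allow <endpoint> to connect to <endpoint>'; return (vcn, source, target)."""
    t = tokenize(stmt)
    def expect(pos: int, word: str) -> int:
        if t[pos:pos + 1] != [("word", word)]:
            raise ValueError(f"expected {word!r} at token {pos}")
        return pos + 1
    pos = expect(0, "in")
    if pos >= len(t):
        raise ValueError("missing source location security attribute")
    vcn = parse_attribute(t[pos][1], t[pos][0] == "quoted")
    pos = expect(expect(pos + 1, "VCN"), "allow")        # allow is the only <command>
    source, pos = parse_endpoint(t, pos)
    for word in ("to", "connect", "to"):                 # "to", then the <verb> connect to
        pos = expect(pos, word)
    target, pos = parse_endpoint(t, pos)
    if pos != len(t):
        raise ValueError("unexpected tokens after the target endpoint")
    if source.kind == "all" and target.kind == "all":
        raise ValueError("source and target can't both be all-endpoints")
    if source.kind in ("ip", "osn") and target.kind in ("ip", "osn"):
        raise ValueError("an IP-based endpoint may appear on one side only")
    return vcn, source, target

def check(stmt: str) -> Optional[str]:
    """None when the statement is well formed, otherwise the rejection reason."""
    try:
        parse_policy(stmt)
        return None
    except ValueError as exc:
        return str(exc)
```

check() returns None for a well-formed statement and the rejection reason otherwise. One caveat the parser makes visible: the page's own '1.2.3.4/16' example has host bits set, so it is only accepted because ip_network is called with strict=False, and it is normalized to 1.2.0.0/16; when reviewing policies, compare the normalized prefix against what the author intended.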