Zero Trust Packet Routing

Oracle Cloud Infrastructure Zero Trust Packet Routing (ZPR) protects sensitive data from unauthorized access through intent-based security policies that you write for the OCI resources that you assign security attributes to. Security attributes are labels that ZPR uses to identify and organize OCI resources.

ZPR enforces policy at the network level each time access is requested, regardless of potential network architecture changes or misconfigurations.

ZPR is built on top of existing network security group (NSG) and security control list (SCL) rules. For a packet to reach a target, it must pass all NSG and SCL rules, and ZPR policy. If any NSG, SCL, or ZPR rule or policy doesn't allow traffic, the request is dropped.

Related Topics

Manage ZPR

You can secure networks with Zero Trust Packet Routing (ZPR) in three steps:You can secure networks with Zero Trust Packet Routing (ZPR) in three steps:

Create and manage security attribute namespaces and security attributes.
Write policies using security attributes to control access to resources.
Apply security attributes to specified resources.

Note:

Administrators must set up security attribute namespaces and security attributes in a tenancy before users can apply security attributes to the DB systems.

For detailed information on ZPR, see Overview of Zero Trust Packet Routing.

Manage ZPR Policies

A ZPR policy is a rule that governs the communication between specific endpoints identified by their security attributes. ZPR policy can only be created in the root compartment of a tenancy.

The following policies are required for Base Database service to enable database service for all scenarios including backup and Data Guard.

Table - ZPR Policy Use Cases

Use Case	Policy	Notes
Enable database service for all scenarios (includes backup and Data Guard).	`in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521'`	This policy allows a compute VM to connect to a DB system.
	`in <security attribute of VCN> VCN allow <security attribute of database service> endpoints to connect to 'osn-services-ip-addresses'`	This policy allows the DB system to connect to OSN services.
	`in <security attribute of VCN> VCN allow <security attribute of database service> endpoints to connect to <security attribute of database service> endpoints`	This policy is required for RAC support.
	`in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <Standby VCN CIDR> with protocol='tcp/1521'`	This policy allows Compute clients to connect to Data Guard Standby VCN.
	`in <security attribute of Standby VCN> VCN allow <security attribute of database service> endpoints to connect to 'osn-services-ip-addresses'`	This policy allows the Data Guard Standby to connect to OSN services.
	`in <security attribute of VCN> VCN allow <security attribute of database service> endpoints to connect to <Standby VCN CIDR>` `in <security attribute of Standby VCN> VCN allow <VCN CIDR> to connect to <security attribute of database service> endpoints`	This policy allows Data Guard Primary to connect to the Data Guard Standby using CIDR, both egress and ingress in each VCN.
	`in <security attribute of VCN> VCN allow <Standby VCN CIDR> to connect to <security attribute of database service> endpoints` `in <security attribute of Standby VCN> VCN allow <security attribute of database service> endpoints to connect to <VCN CIDR>`	This policy allows Data Guard Standby to connect to the Data Guard Primary using CIDR.

For detailed instructions about deleting, updating, and viewing ZPR policies, see Managing Zero Trust Packet Routing Policies.

Manage Security Attributes

You can add, edit, or remove a security attribute for a DB system. For more information, see Manage Security Attributes for the DB System.

Title and Copyright Information

Oracle and/or its affiliates.