OCI Networking Series – Part 6: Advanced Security in OCI Networking

Modern cloud architectures demand security that is proactive, identity-aware, and deeply embedded within the network fabric. In Oracle Cloud Infrastructure (OCI), networking security is not limited to simple port restrictions—it spans intelligent firewalls, zero trust access, automated remediation, encryption lifecycle management, and deep traffic inspection.

In this blog, we explore the advanced security controls in OCI Networking, including NSGs vs Security Lists, OCI Network Firewall, WAF, Bastion, Zero Trust, Vault integration, and advanced capabilities like Cloud Guard, Threat Intelligence, and Flow Logs.

1. NSGs vs Security Lists – When to Use Which

Security Lists (SLs)

Security Lists are stateful virtual firewalls applied at the subnet level: every VNIC in the subnet receives the same rules, and each subnet can have its own security lists. If you open port 443 in a subnet's security list, every server or other OCI component in that subnet accepts incoming traffic on port 443.

They’re ideal for broad, subnet-wide policies such as:

  • Allowing port 22 internally
  • Permitting egress to the internet
  • Allowing VCN-to-VCN traffic within a private zone

Use SLs when you need consistent security behavior for all resources in a subnet.


Network Security Groups (NSGs)

NSGs are stateful virtual firewalls attached directly to VNICs. They allow resource-level micro-segmentation and are more flexible than Security Lists. If you create an NSG that opens port 1521 and attach it only to the database VNIC, port 1521 is reachable only on the database, not on the other resources in the same subnet.

Use NSGs when:

  • You need granular control for individual compute, load balancers, databases, etc.
  • You want different rules for different resources in the same subnet
  • You want application tiers (web, app, DB) isolated without creating multiple subnets
Use NSGs for fine-grained control and Security Lists only for baseline subnet rules.
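To make the difference concrete, the following Python example (added here; it is not code from the original post or from Oracle) models how OCI evaluates ingress for a VNIC: the rules of the subnet's Security List and the rules of every NSG attached to the VNIC are combined as a union, so a port opened in the Security List is reachable on every VNIC in the subnet, while an NSG rule applies only to the VNICs the NSG is attached to. The subnet, VNIC and NSG names, CIDRs and rules are constructed, the rule dictionaries follow the shape of OCI's API JSON (protocol number, source CIDR, tcpOptions.destinationPortRange), and only CIDR sources are handled, not service CIDR labels.

```python
"""Evaluate effective ingress for a VNIC: subnet Security List rules plus
the rules of every NSG attached to the VNIC. Rule shape is modelled on
OCI's API JSON; all names, CIDRs and rules below are constructed."""
import ipaddress

# Constructed subnet-wide Security List: 443 from anywhere, 22 from inside the VCN
SECURITY_LIST = {
    "subnet": "app-subnet",
    "ingress": [
        {"protocol": "6", "source": "0.0.0.0/0",
         "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
        {"protocol": "6", "source": "10.0.0.0/16",
         "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
    ],
}

# Constructed NSG: 1521 only from the app tier; attached only to the DB VNIC
NSGS = {
    "nsg-db": [
        {"protocol": "6", "source": "10.0.1.0/24",
         "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}}},
    ],
}

# Constructed VNICs in the same subnet; only db-vm has the NSG attached
VNICS = {
    "web-vm": {"subnet": "app-subnet", "nsgs": []},
    "db-vm": {"subnet": "app-subnet", "nsgs": ["nsg-db"]},
}

PROTO = {"tcp": "6", "udp": "17"}  # OCI stores the IANA protocol number as a string


def rule_matches(rule, src_ip, proto, dport):
    """True if this single ingress rule admits the packet."""
    if rule["protocol"] not in ("all", PROTO[proto]):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["source"]):
        return False
    opts = rule.get("tcpOptions" if proto == "tcp" else "udpOptions")
    if not opts or "destinationPortRange" not in opts:
        return True  # no destination range means every port
    r = opts["destinationPortRange"]
    return r["min"] <= dport <= r["max"]


def ingress_allowed(vnic_name, src_ip, proto, dport):
    """Union of the subnet's Security List rules and the VNIC's NSG rules."""
    vnic = VNICS[vnic_name]
    rules = list(SECURITY_LIST["ingress"]) if vnic["subnet"] == SECURITY_LIST["subnet"] else []
    for nsg in vnic["nsgs"]:
        rules.extend(NSGS[nsg])
    return any(rule_matches(r, src_ip, proto, dport) for r in rules)


if __name__ == "__main__":
    # 443 from the Security List reaches both VMs; 1521 reaches only the DB VNIC
    for vnic, src, port in [("web-vm", "203.0.113.5", 443), ("db-vm", "203.0.113.5", 443),
                            ("web-vm", "10.0.1.7", 1521), ("db-vm", "10.0.1.7", 1521)]:
        print(vnic, src, port, "ALLOW" if ingress_allowed(vnic, src, "tcp", port) else "DROP")
```

Running it shows the point of the section: the web VM has no NSG, yet it still accepts 443 because the Security List covers the whole subnet, while 1521 is reachable only on the database VNIC that carries the NSG.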

2. OCI Network Firewall – Enterprise-Grade Threat Prevention

OCI Network Firewall (powered by Palo Alto Networks) delivers deep packet inspection (DPI), intrusion prevention, URL filtering, malware detection, and SSL inspection capabilities directly inside OCI. But the real power of the Network Firewall comes from where you place it.

Network Firewall in Hub-and-Spoke Architecture

For large deployments, OCI recommends a centralized transit (hub) VCN connected to multiple spoke VCNs through a DRG. The OCI Network Firewall resides in the hub VCN, which is attached to the DRG through its own VCN attachment; all other VCNs act as spokes.

When traffic from a spoke arrives at the DRG, it is routed to the hub VCN attachment, where the VCN route table associated with that attachment sends all traffic to the private IP of the Network Firewall. The firewall inspects the traffic and forwards it back toward the DRG, whose route table for the hub attachment matches the destination and delivers the traffic to the correct spoke VCN attachment.


By placing the Network Firewall in the hub VCN, it becomes the inspection point for:

  • North–South traffic
      - Internet ↔ VCN
      - On-prem ↔ VCN (via IPSec/FastConnect)
  • East–West traffic
      - VCN ↔ VCN within a region
      - VCN ↔ VCN across regions via RPC

This ensures all traffic passes through a single firewall, improving governance, policy consistency, and auditability. 
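The path described above depends on four route tables agreeing with each other, and a missing entry in any of them either black-holes traffic or lets it bypass the firewall. The following Python example (added here; it is not code from the original post or from Oracle) traces a spoke-to-spoke packet through a simplified model of that design: a DRG route table for the spoke attachments, the hub VCN route table that hands DRG-ingress traffic to the firewall's private IP, the firewall subnet's route table that returns it to the DRG, and the DRG route table for the hub attachment that selects the destination spoke. Attachment names, CIDRs, the firewall IP and the allowed-port policy are all constructed, and DRG route distributions are not modelled.

```python
"""Trace a packet through a hub-and-spoke design with a firewall in the hub.
Longest-prefix matching over constructed route tables; the firewall policy
is a constructed allow-list of destination TCP ports."""
import ipaddress


def lpm(table, dst_ip):
    """Longest-prefix match over [(cidr, next_hop), ...]; None if no route."""
    best = None
    for cidr, hop in table:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


# DRG attachments and the DRG route table each one uses for traffic entering the DRG
ATTACHMENTS = {
    "spoke-a-att": {"vcn": "spoke-a", "cidr": "10.1.0.0/16", "drg_rt": "spokes-rt"},
    "spoke-b-att": {"vcn": "spoke-b", "cidr": "10.2.0.0/16", "drg_rt": "spokes-rt"},
    "hub-att":     {"vcn": "hub",     "cidr": "10.0.0.0/16", "drg_rt": "hub-rt"},
}
DRG_ROUTE_TABLES = {
    "spokes-rt": [("0.0.0.0/0", "hub-att")],            # everything from a spoke goes to the hub
    "hub-rt":    [("10.1.0.0/16", "spoke-a-att"),       # inspected traffic leaves to the right spoke
                  ("10.2.0.0/16", "spoke-b-att")],
}
FIREWALL_IP = "10.0.1.10"
# VCN route table associated with the hub's DRG attachment: all DRG ingress goes to the firewall
HUB_INGRESS_RT = [("0.0.0.0/0", FIREWALL_IP)]
# Route table of the firewall subnet: spoke prefixes go back to the DRG
FIREWALL_SUBNET_RT = [("10.1.0.0/16", "drg"), ("10.2.0.0/16", "drg")]
# Constructed firewall policy: only these destination TCP ports may cross between spokes
FIREWALL_ALLOWED_PORTS = {443, 1521}


def attachment_for(ip):
    """Which DRG attachment's VCN contains this address."""
    for name, att in ATTACHMENTS.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(att["cidr"]):
            return name
    return None


def trace(src_ip, dst_ip, dport):
    """Return the list of hops the packet takes; the last entry is its fate."""
    hops = []
    # 1. traffic from a spoke enters the DRG on that spoke's attachment
    in_att = attachment_for(src_ip)
    hops.append(f"drg-in:{in_att}")
    nxt = lpm(DRG_ROUTE_TABLES[ATTACHMENTS[in_att]["drg_rt"]], dst_ip)
    hops.append(f"drg-rt->{nxt}")
    if nxt != "hub-att":
        return hops + ["bypassed-firewall"]  # a spoke route that skips the hub is a policy gap
    # 2. the hub VCN's attachment route table hands the packet to the firewall
    hops.append(f"hub-vcn-rt->{lpm(HUB_INGRESS_RT, dst_ip)}")
    if dport not in FIREWALL_ALLOWED_PORTS:
        return hops + ["firewall:DENY"]
    hops.append("firewall:ALLOW")
    # 3. the firewall subnet route table must return the packet to the DRG
    if lpm(FIREWALL_SUBNET_RT, dst_ip) != "drg":
        return hops + ["no-return-route"]
    # 4. the hub attachment's DRG route table picks the destination spoke
    out_att = lpm(DRG_ROUTE_TABLES[ATTACHMENTS["hub-att"]["drg_rt"]], dst_ip)
    hops.append(f"drg-rt->{out_att}")
    return hops + [f"delivered:{ATTACHMENTS[out_att]['vcn']}"]


if __name__ == "__main__":
    print(" -> ".join(trace("10.1.0.5", "10.2.0.9", 1521)))  # app tier to DB in another spoke
    print(" -> ".join(trace("10.1.0.5", "10.2.0.9", 23)))    # telnet is not in the policy
```

The `bypassed-firewall` and `no-return-route` outcomes are the two configuration mistakes worth checking for when reviewing a real deployment: a spoke DRG route table with a direct spoke-to-spoke entry lets traffic skip inspection, and a firewall subnet without a return route to the DRG silently drops everything the firewall allows.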

Key Network Firewall Capabilities
  • Intrusion Prevention (IPS)
  • Threat Intelligence–based filtering
  • URL and application filtering
  • SSL forward proxy and inspection
  • Custom policy creation
  • High availability
  • Logging and analytics

Use Cases:

- Enforced inspection for hybrid traffic
- Secure DMZ architectures
- Segmentation between sensitive workloads
- Preventing lateral movement inside the cloud

3. OCI Web Application Firewall (WAF)

OCI WAF protects public-facing applications from common web threats. The OCI Web Application Firewall provides an intelligent security layer that shields web applications from threats before they reach your infrastructure. It protects against OWASP Top 10 vulnerabilities, malicious bots, DDoS-style traffic spikes, and unwanted geographic access. 

WAF policies can be applied globally at the edge or directly to load balancers, ensuring consistent protection for websites, APIs, and modern microservices. With custom rules, threat intelligence, and rate-limiting, WAF becomes a critical frontline defense for any internet-facing workload.

Key Features
  • OWASP Top 10 protection
  • Bot management & rate limiting
  • Custom access control rules
  • Geo-blocking
  • Integration with OCI Load Balancer & API Gateway
  • Edge protection (CDN + WAF)
WAF is essential for frontend applications, APIs, and any service exposed to the public.

4. Bastion Service – Secure Access into Private Networks

Bastion Service eliminates the need for public SSH/RDP access to servers. Instead of opening ports or using jump hosts, Bastion provides identity-driven, time-limited secure access.

When a user needs access:
  1. They request a Bastion session.
  2. Bastion generates a short-lived SSH key.
  3. A secure tunnel is created to the private target.
  4. Default sessions last 180 minutes (TTL) and then automatically terminate.
  5. All access is logged in OCI Audit.


Why Bastion Is Critical for Zero Trust
  • Servers never require public IPs
  • NSGs/Security Lists remain locked down
  • No long-lived SSH keys
  • Fine-grained IAM control
  • Fully auditable access
Bastion is ideal for administrators, DBAs, break-glass operations, or emergency troubleshooting.

5. Zero Trust in OCI Networking

Zero Trust in OCI goes beyond simple security rules and embraces the principle of “never trust, always verify.” Every request—whether internal or external—must be authenticated, authorized, and continuously monitored. 

OCI implements Zero Trust through identity-driven access, micro-segmentation using NSGs, encrypted communications, short-lived credentials (like Bastion sessions), and automated compliance enforcement via Cloud Guard. This model ensures that no network path or user is inherently trusted, reducing attack surfaces dramatically.

OCI’s Zero Trust framework is built around:
  • Identity-based access
  • Least-privilege networking (NSGs, SLs)
  • Encrypted communications
  • No implicit trust between networks
  • Continuous monitoring (Cloud Guard)
  • Short-lived credentials (Bastion, Vault)
Zero Trust ensures that no traffic or user is trusted by default—every request must be authenticated, authorized, and logged.

6. Oracle Cloud Guard – Cloud Security Posture Management

Cloud Guard is not strictly a networking service, since it falls under security posture management, but it deserves a mention here because it detects public exposure of subnets, VNICs, and load balancers, alerts when NSG or Security List rules are overly permissive, and identifies risky network configurations. Oracle Cloud Guard acts as the central security watchdog for your entire OCI tenancy, continuously scanning configurations, network paths, identity policies, and resource behavior for vulnerabilities or misconfigurations.

When it detects risks—such as exposed ports, overly permissive NSGs, insecure storage buckets, or abnormal API activity—it not only alerts administrators but can automatically remediate them using responder recipes. Cloud Guard transforms cloud security posture management from reactive monitoring into proactive, automated governance.

Cloud Guard is OCI’s unified engine for monitoring, detecting, and remediating risky configurations across the entire cloud footprint.

Cloud Guard as a Security Brain
Cloud Guard continuously analyzes:
  • Network configurations (open ports, NSGs, SLs)
  • Public endpoints
  • IAM privileges
  • Object Storage exposure
  • Logging/Audit anomalies
  • Suspicious API activity


Automated Remediation
Using responder recipes, Cloud Guard can automatically:
  • Remove dangerous security rules
  • Close exposed ports
  • Disable risky network paths
  • Remove public access from buckets
  • Quarantine compromised resources
Cloud Guard enforces global governance across multi-VCN and multi-region deployments.
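The detector and responder split is the useful mental model here. The following Python example (added here; it is not code from the original post, nor Cloud Guard's own detector or responder logic) shows it in miniature: a detector walks a list of ingress rules in the shape of OCI's API JSON, flags rules that expose sensitive TCP ports or all protocols to 0.0.0.0/0, and a responder produces the remediated rule list with those entries removed. The sample rules, the severity labels and the sensitive-port table are constructed.

```python
"""Detector/responder sketch in the spirit of Cloud Guard: flag world-open
ingress rules and return a remediated rule set. Rule dictionaries follow
OCI's API field names; all rule data and severities are constructed."""
import ipaddress

# Constructed table of ports that should never be open to the whole internet
SENSITIVE_TCP_PORTS = {22: "ssh", 3389: "rdp", 1521: "oracle-db", 3306: "mysql"}

# Constructed ingress rules as they might come back from the API
SAMPLE_RULES = [
    {"protocol": "6", "source": "0.0.0.0/0",
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},   # public HTTPS: fine
    {"protocol": "6", "source": "0.0.0.0/0",
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},     # SSH open to the world
    {"protocol": "all", "source": "0.0.0.0/0"},                            # everything open
    {"protocol": "6", "source": "10.0.0.0/16",
     "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}}}, # internal DB: fine
]


def port_range(rule):
    """Destination port range of a TCP rule; no range means every port."""
    r = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    return (1, 65535) if r is None else (r["min"], r["max"])


def is_world_open(source):
    """True only for a real 0.0.0.0/0 CIDR; service CIDR labels are not CIDRs."""
    try:
        return ipaddress.ip_network(source).prefixlen == 0
    except ValueError:
        return False


def detect(rules):
    """Detector: return (index, severity, message) for each risky rule."""
    findings = []
    for idx, rule in enumerate(rules):
        if not is_world_open(rule.get("source", "")):
            continue
        if rule["protocol"] == "all":
            findings.append((idx, "CRITICAL", "all protocols open to 0.0.0.0/0"))
        elif rule["protocol"] == "6":
            lo, hi = port_range(rule)
            hit = [name for port, name in SENSITIVE_TCP_PORTS.items() if lo <= port <= hi]
            if hit:
                findings.append((idx, "HIGH", f"{','.join(hit)} open to 0.0.0.0/0"))
    return findings


def remediate(rules, findings):
    """Responder: drop the offending rules and keep the rest in order."""
    bad = {idx for idx, _, _ in findings}
    return [r for i, r in enumerate(rules) if i not in bad]


if __name__ == "__main__":
    found = detect(SAMPLE_RULES)
    for idx, sev, msg in found:
        print(f"rule[{idx}] {sev}: {msg}")
    print(f"{len(SAMPLE_RULES)} rules -> {len(remediate(SAMPLE_RULES, found))} after remediation")
```

Note that the public 443 rule survives remediation: a responder that simply deleted every 0.0.0.0/0 rule would break the web tier, which is why real responder recipes are scoped to specific detector rules rather than applied blindly.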

7. OCI Vault – Keys, Secrets & Certificates

Like Cloud Guard, OCI Vault is a security service rather than a networking one, but it is consumed by network-facing services (for example, Load Balancer SSL termination and API Gateway certificates).

OCI Vault provides secure, centralized storage for encryption keys, credentials, API tokens, SSL certificates, and other sensitive secrets that applications depend on. With strong lifecycle management, automated secret rotation, versioning, and fine-grained IAM access control, Vault ensures secrets never appear in code or on servers. Integrations with services like Load Balancer, OKE, Functions, and Databases enable a fully encrypted, identity-driven, Zero Trust environment where sensitive data is always protected both at rest and in transit.

OCI Vault handles:
  • Encryption keys (KMS)
  • Secrets (passwords, tokens, API keys, private keys)
  • Certificates (TLS/SSL)
Vault integrates with:
  • Load Balancer
  • API Gateway
  • OKE
  • Functions
  • Compute
  • Autonomous & DB Systems

Secrets Management
Vault lets you securely store:
  • App passwords
  • DB credentials
  • SSH keys
  • Cloud API tokens
  • Application secrets
Secrets can be automatically rotated, versioned, and retrieved only through IAM-controlled API calls, implementing true Zero Trust security.

8. Additional Advanced Security Features You Should Not Ignore

OCI includes several advanced networking security capabilities that enhance visibility and threat detection across cloud deployments. Services like Flow Logs allow deep traffic analysis, while Threat Intelligence integrates global reputation data to block known malicious sources. Traffic Mirroring enables packet-level inspection for forensic investigations, and Security Zones enforce secure-by-default policies across sensitive compartments. 

Together, these features create a comprehensive defense strategy tailored for modern cloud environments.

Flow Logs -> Capture VCN-level traffic patterns for analysis and anomaly detection.

Threat Intelligence Service -> Aggregates global threat sources and provides reputation-based filtering.

VCN Traffic Mirroring -> Clone live network traffic to analysis tools for forensic or security inspection.

Security Zones -> Hard enforcement of “secure-by-default” rules (no public subnets, no open ports, no disabled logs, etc.).
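Flow Logs are only useful if something reads them, so here is a small Python triage script (added here; it is not code from the original post or from Oracle) that parses constructed VCN flow log records and applies two of the simplest anomaly checks: a source that gets rejected on many distinct destination ports of one target (a port-sweep signature) and a per-destination tally of accepted bytes for spotting unexpected volume. The records are constructed, and their space-separated field order is assumed to follow the OCI flow log fields (version srcaddr dstaddr srcport dstport protocol packets bytes start end action status); adjust FIELDS if your log export differs.

```python
"""Flow log triage over constructed records. Field order is assumed to match
OCI VCN flow logs; every record below is constructed for the example."""
from collections import defaultdict

FIELDS = ("version srcaddr dstaddr srcport dstport protocol packets bytes "
          "start end action status").split()

# Constructed sample: one external host sweeping ports on 10.0.1.5 and being
# rejected by the security rules, plus a normal HTTPS session in both directions
SAMPLE_LOGS = """\
2 198.51.100.7 10.0.1.5 51000 22 6 1 60 1700000000 1700000001 REJECT OK
2 198.51.100.7 10.0.1.5 51001 23 6 1 60 1700000000 1700000001 REJECT OK
2 198.51.100.7 10.0.1.5 51002 3389 6 1 60 1700000001 1700000002 REJECT OK
2 198.51.100.7 10.0.1.5 51003 445 6 1 60 1700000001 1700000002 REJECT OK
2 198.51.100.7 10.0.1.5 51004 8080 6 1 60 1700000002 1700000003 REJECT OK
2 203.0.113.9 10.0.1.5 44321 443 6 20 15000 1700000000 1700000005 ACCEPT OK
2 10.0.1.5 203.0.113.9 443 44321 6 18 90000 1700000000 1700000005 ACCEPT OK
"""


def parse(text):
    """Turn raw flow log lines into dicts with numeric fields converted."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def port_scan_sources(records, min_ports=4):
    """(src, dst) pairs with at least min_ports distinct rejected destination ports."""
    rejected = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            rejected[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {pair: sorted(ports) for pair, ports in rejected.items() if len(ports) >= min_ports}


def accepted_bytes_by_dst(records):
    """Accepted bytes per destination address, for spotting unexpected volume."""
    total = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT":
            total[r["dstaddr"]] += r["bytes"]
    return dict(total)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOGS)
    for (src, dst), ports in port_scan_sources(recs).items():
        print(f"possible port sweep: {src} -> {dst} on ports {ports}")
    for dst, nbytes in accepted_bytes_by_dst(recs).items():
        print(f"accepted bytes to {dst}: {nbytes}")
```

Rejected flows are the cheap signal here: every REJECT line is a packet that an NSG or Security List already stopped, so a burst of them from one source against many ports is worth a Threat Intelligence lookup on that address, while the accepted-bytes view is the one to baseline over time.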

Conclusion

OCI provides a rich suite of networking security tools—from foundational firewalls to Zero Trust frameworks, encryption vaults, cloud firewalls, and intelligent automated remediation. Whether securing a small application or designing a global-scale, multi-region enterprise architecture, these tools enable deep protection for workloads and data.

Adopting NSGs for micro-segmentation, deploying Network Firewall in a hub, enabling Cloud Guard across the tenancy, storing secrets in Vault, and using Bastion for secure access together create a layered security model aligned with modern Zero Trust principles.