How do NSGs differ from security lists in OCI?

Security lists apply to all VNICs in a subnet and are limited to five per subnet with 200 rules each. NSGs attach to individual VNICs and support up to 120 rules per NSG with five NSGs per VNIC. The key advantage of NSGs is that you can reference other NSGs as sources or destinations, enabling dynamic security rules that automatically include new instances added to the referenced NSG. Oracle recommends NSGs as the primary security mechanism.

Can I use both security lists and NSGs simultaneously?

Yes, and OCI evaluates rules from both using union semantics. If either a security list rule or an NSG rule allows the traffic, it is permitted. This means combining both can only make access more permissive, never more restrictive. A common pattern is to use security lists for broad baseline rules (like allowing all intra-VCN ICMP) and NSGs for application-specific rules (like allowing port 8080 only from the load balancer NSG).

What source and destination types can NSG rules reference?

NSG rules support three source/destination types: CIDR blocks for IP-based rules, NSG OCID references for rules that dynamically include all VNICs in another NSG, and SERVICE_CIDR_BLOCK for rules targeting Oracle Services Network ranges accessible via the service gateway. The NSG reference type is particularly powerful because it decouples security rules from IP addresses, making your network security more maintainable.

OCI NSG Rule Builder

NetworkingOCI

Build Network Security Group rules with CIDR and NSG source references.

OCI Network Security Groups Configuration

Build NSG ingress and egress security rules with CIDR, NSG source/destination references.

Required Fields

compartmentIdvcnIddisplayNamesecurityRules

{
  "compartmentId": "ocid1.compartment.oc1..aaaaaaaexample",
  "vcnId": "ocid1.vcn.oc1.iad.aaaaaaaexample",
  "displayName": "web-app-nsg",
  "securityRules": [
    {
      "direction": "INGRESS",
      "protocol": "6",
      "source": "0.0.0.0/0",
      "sourceType": "CIDR_BLOCK",
      "isStateless": false,
      "tcpOptions": {
        "destinationPortRange": {
          "min": 443,
          "max": 443
        }
      },
      "description": "Allow HTTPS from anywhere"
    },
    {
      "direction": "INGRESS",
      "protocol": "6",
      "source": "ocid1.networksecuritygroup.oc1.iad.aaaaaaabastion",
      "sourceType": "NETWORK_SECURITY_GROUP",
      "isStateless": false,
      "tcpOptions": {
        "destinationPortRange": {
          "min": 22,
          "max": 22
        }
      },
      "description": "Allow SSH from bastion NSG"
    },
    {
      "direction": "EGRESS",
      "protocol": "6",
      "destination": "ocid1.networksecuritygroup.oc1.iad.aaaaaaaadb",
      "destinationType": "NETWORK_SECURITY_GROUP",
      "isStateless": false,
      "tcpOptions": {
        "destinationPortRange": {
          "min": 1521,
          "max": 1521
        }
      },
      "description": "Allow Oracle DB access to database NSG"
    },
    {
      "direction": "EGRESS",
      "protocol": "6",
      "destination": "0.0.0.0/0",
      "destinationType": "CIDR_BLOCK",
      "isStateless": false,
      "tcpOptions": {
        "destinationPortRange": {
          "min": 443,
          "max": 443
        }
      },
      "description": "Allow HTTPS outbound for API calls"
    }
  ],
  "freeformTags": {
    "tier": "web",
    "environment": "production"
  }
}

Generated Output

Output will appear here...

About This Tool

Network Security Groups (NSGs) in OCI provide VNIC-level security rules that are more granular than subnet-level security lists. Unlike security lists that apply to all VNICs in a subnet, NSGs can be attached to specific VNICs — individual compute instances, load balancers, or database systems. Each NSG contains up to 120 ingress and egress rules, and a VNIC can belong to up to five NSGs. This builder helps you construct NSG rules with correct source/destination types (CIDR, NSG, or service), protocol settings, and stateful/stateless flags.

When to Use This Tool

•Building NSG rules for a three-tier application where web servers accept HTTPS, app servers accept traffic only from the web NSG, and databases accept traffic only from the app NSG
•Creating NSG rules that reference other NSGs as sources or destinations for service-to-service communication without hardcoding CIDR blocks
•Configuring stateless NSG rules for high-performance computing clusters that need minimum network latency
•Generating NSG configurations that allow OCI service gateway traffic to specific Oracle Services Network CIDRs

Frequently Asked Questions

How do NSGs differ from security lists in OCI?: Security lists apply to all VNICs in a subnet and are limited to five per subnet with 200 rules each. NSGs attach to individual VNICs and support up to 120 rules per NSG with five NSGs per VNIC. The key advantage of NSGs is that you can reference other NSGs as sources or destinations, enabling dynamic security rules that automatically include new instances added to the referenced NSG. Oracle recommends NSGs as the primary security mechanism.
Can I use both security lists and NSGs simultaneously?: Yes, and OCI evaluates rules from both using union semantics. If either a security list rule or an NSG rule allows the traffic, it is permitted. This means combining both can only make access more permissive, never more restrictive. A common pattern is to use security lists for broad baseline rules (like allowing all intra-VCN ICMP) and NSGs for application-specific rules (like allowing port 8080 only from the load balancer NSG).
What source and destination types can NSG rules reference?: NSG rules support three source/destination types: CIDR blocks for IP-based rules, NSG OCID references for rules that dynamically include all VNICs in another NSG, and SERVICE_CIDR_BLOCK for rules targeting Oracle Services Network ranges accessible via the service gateway. The NSG reference type is particularly powerful because it decouples security rules from IP addresses, making your network security more maintainable.

Related Learning Guides

OCI VCN Networking Deep Dive25 min read
OCI Security Best Practices24 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.