What is the difference between stateful and stateless security list rules?

Stateful rules automatically allow return traffic for established connections — if you allow inbound TCP port 443, the response traffic is permitted without an explicit egress rule. Stateless rules do not track connections, so you must create explicit rules in both directions. Stateless rules perform better for high-throughput workloads because they skip connection tracking, but they are harder to manage correctly.

Should I use security lists or network security groups in OCI?

Oracle recommends Network Security Groups (NSGs) for most use cases because they apply to individual VNICs rather than entire subnets, giving you more granular control. Security lists are better for broad baseline rules that apply to all resources in a subnet. You can use both simultaneously — NSGs for application-specific rules and security lists for common rules like allowing internal VCN communication.

What happens when multiple security lists are attached to a subnet?

OCI uses union semantics across all security lists attached to a subnet. This means if any rule in any attached security list allows the traffic, it is permitted. There is no deny rule capability in security lists — they are allow-only. The maximum of five security lists per subnet and 200 rules per list means you need to plan your rule organization carefully for complex environments.

OCI Security List Builder

IAM & SecurityOCI

Build VCN security list ingress and egress rules with protocol and port configuration.

OCI VCN Security Lists Configuration

Build VCN security list ingress and egress rules with protocol, port, and CIDR configurations.

Required Fields

compartmentIdvcnIddisplayNameingressSecurityRulesegressSecurityRules

{
  "compartmentId": "ocid1.compartment.oc1..aaaaaaaexample",
  "vcnId": "ocid1.vcn.oc1.iad.aaaaaaaexample",
  "displayName": "web-tier-security-list",
  "ingressSecurityRules": [
    {
      "protocol": "6",
      "source": "0.0.0.0/0",
      "sourceType": "CIDR_BLOCK",
      "isStateless": false,
      "tcpOptions": {
        "destinationPortRange": {
          "min": 443,
          "max": 443
        }
      },
      "description": "Allow HTTPS from internet"
    },
    {
      "protocol": "6",
      "source": "10.0.0.0/16",
      "sourceType": "CIDR_BLOCK",
      "isStateless": false,
      "tcpOptions": {
        "destinationPortRange": {
          "min": 22,
          "max": 22
        }
      },
      "description": "Allow SSH from VCN"
    }
  ],
  "egressSecurityRules": [
    {
      "protocol": "all",
      "destination": "0.0.0.0/0",
      "destinationType": "CIDR_BLOCK",
      "isStateless": false,
      "description": "Allow all outbound traffic"
    }
  ],
  "freeformTags": {
    "tier": "web"
  }
}

Generated Output

Output will appear here...

About This Tool

Security lists in OCI act as virtual firewalls for subnets within a Virtual Cloud Network (VCN), controlling both ingress and egress traffic at the subnet level. Each subnet can be associated with up to five security lists, and the rules across all lists are combined with union semantics — if any rule allows the traffic, it is permitted. This tool helps you build security list rules with correct protocol numbers, port ranges, CIDR sources/destinations, and stateful/stateless flags. It validates your inputs and generates the complete rule set in a format ready for Terraform, the OCI CLI, or the console.

When to Use This Tool

•Building ingress rules for a web tier subnet that allows HTTPS from the internet and SSH only from a bastion subnet CIDR
•Creating egress rules that restrict database subnet traffic to only the application tier CIDR on specific Oracle database ports
•Configuring stateless rules for high-throughput data processing subnets where connection tracking overhead is unacceptable
•Generating matching ingress and egress rule pairs for ICMP path MTU discovery to prevent silent packet drops

Frequently Asked Questions

What is the difference between stateful and stateless security list rules?: Stateful rules automatically allow return traffic for established connections — if you allow inbound TCP port 443, the response traffic is permitted without an explicit egress rule. Stateless rules do not track connections, so you must create explicit rules in both directions. Stateless rules perform better for high-throughput workloads because they skip connection tracking, but they are harder to manage correctly.
Should I use security lists or network security groups in OCI?: Oracle recommends Network Security Groups (NSGs) for most use cases because they apply to individual VNICs rather than entire subnets, giving you more granular control. Security lists are better for broad baseline rules that apply to all resources in a subnet. You can use both simultaneously — NSGs for application-specific rules and security lists for common rules like allowing internal VCN communication.
What happens when multiple security lists are attached to a subnet?: OCI uses union semantics across all security lists attached to a subnet. This means if any rule in any attached security list allows the traffic, it is permitted. There is no deny rule capability in security lists — they are allow-only. The maximum of five security lists per subnet and 200 rules per list means you need to plan your rule organization carefully for complex environments.

Related Learning Guides

OCI VCN Networking Deep Dive25 min read
OCI Security Best Practices24 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.