Build VCN security list ingress and egress rules with protocol and port configuration.
Last verified: May 2026
Required fields: compartmentId, vcnId, displayName, ingressSecurityRules, egressSecurityRules

Security lists in OCI act as virtual firewalls for subnets within a Virtual Cloud Network (VCN), controlling both ingress and egress traffic at the subnet level. Each subnet can be associated with up to five security lists, and the rules across all lists are combined with union semantics: if any rule allows the traffic, it is permitted. This tool helps you build security list rules with correct protocol numbers, port ranges, CIDR sources/destinations, and stateful/stateless flags. It validates your inputs and generates the complete rule set in a format ready for Terraform, the OCI CLI, or the console.
Stateful rules automatically allow return traffic for established connections — if you allow inbound TCP port 443, the response traffic is permitted without an explicit egress rule. Stateless rules do not track connections, so you must create explicit rules in both directions. Stateless rules perform better for high-throughput workloads because they skip connection tracking, but they are harder to manage correctly.
Oracle recommends Network Security Groups (NSGs) for most use cases because they apply to individual VNICs rather than entire subnets, giving you more granular control. Security lists are better for broad baseline rules that apply to all resources in a subnet. You can use both simultaneously — NSGs for application-specific rules and security lists for common rules like allowing internal VCN communication.
OCI uses union semantics across all security lists attached to a subnet. This means if any rule in any attached security list allows the traffic, it is permitted. There is no deny rule capability in security lists — they are allow-only. The maximum of five security lists per subnet and 200 rules per list means you need to plan your rule organization carefully for complex environments.
Your team is setting up the security lists for a three-tier application in OCI: the web tier accepts HTTPS from the internet, the app tier accepts traffic only from the web tier, and the db tier accepts traffic only from the app tier. The builder generates 6 rules across the 3 security lists with the correct stateful flag, port ranges, and CIDR sources. Without the tool, the team had been writing rules manually and missed an egress rule on the app tier, meaning the app couldn't return responses to the web tier. The builder includes egress rules by default (with stateful=true), preventing that class of bug.
The builder constructs OCI security list rules with: direction (INGRESS/EGRESS), protocol (TCP/UDP/ICMP/ICMPv6/all), source/destination CIDR or service tag, port range (for TCP/UDP), ICMP type/code (for ICMP), stateful flag, and optional description. It validates that protocol numbers are valid and port ranges are within bounds, then outputs rule definitions as Terraform oci_core_security_list.ingress_security_rules / egress_security_rules blocks plus oci CLI commands.
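The following is an added example, not the tool's own code: a small rule builder in the spirit of the one described above. It validates direction, protocol, port range and CIDR the way the text describes, renders each rule as a Terraform ingress_security_rules / egress_security_rules block for oci_core_security_list, and assembles the three-tier rule set from the scenario. The tier CIDRs, the ports 8080 and 5432, and the variable names in the rendered HCL (var.compartment_ocid, oci_core_vcn.main.id) are assumptions made for illustration.

```python
"""Added example, not the page's builder code: an OCI security list rule builder
that validates protocol, port range and CIDR inputs and emits Terraform blocks
for oci_core_security_list. Tier CIDRs, ports and HCL variable names are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Values OCI expects in a rule's `protocol` attribute (IANA numbers; "all" is literal).
PROTOCOLS = {"TCP": "6", "UDP": "17", "ICMP": "1", "ICMPv6": "58", "ALL": "all"}


@dataclass
class SecurityRule:
    direction: str                    # "INGRESS" or "EGRESS"
    protocol: str                     # key of PROTOCOLS
    cidr: str                         # source CIDR (ingress) or destination CIDR (egress)
    port_min: Optional[int] = None    # TCP/UDP destination port range
    port_max: Optional[int] = None
    icmp_type: Optional[int] = None   # ICMP/ICMPv6 only
    icmp_code: Optional[int] = None
    stateless: bool = False           # stateful by default: return traffic is allowed automatically
    description: str = ""

    def validate(self) -> None:
        """Reject rules OCI would refuse or that are silently wrong (e.g. ports on an ICMP rule)."""
        if self.direction not in ("INGRESS", "EGRESS"):
            raise ValueError(f"direction must be INGRESS or EGRESS, got {self.direction!r}")
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unknown protocol {self.protocol!r}")
        ipaddress.ip_network(self.cidr, strict=True)   # ValueError on malformed CIDR or host bits set
        has_ports = self.port_min is not None or self.port_max is not None
        if self.protocol in ("TCP", "UDP"):
            if self.port_min is None or self.port_max is None:
                raise ValueError("TCP/UDP rules need port_min and port_max")
            if not 1 <= self.port_min <= self.port_max <= 65535:
                raise ValueError(f"port range {self.port_min}-{self.port_max} out of bounds")
        elif has_ports:
            raise ValueError(f"ports are not valid for protocol {self.protocol}")
        if self.protocol in ("ICMP", "ICMPv6"):
            for v in (self.icmp_type, self.icmp_code):
                if v is not None and not 0 <= v <= 255:
                    raise ValueError("ICMP type/code must be 0-255")
        elif self.icmp_type is not None or self.icmp_code is not None:
            raise ValueError(f"icmp_type/icmp_code are not valid for protocol {self.protocol}")

    def to_hcl(self) -> str:
        """Render one ingress_security_rules / egress_security_rules block."""
        self.validate()
        ingress = self.direction == "INGRESS"
        block = "ingress_security_rules" if ingress else "egress_security_rules"
        addr = "source" if ingress else "destination"
        lines = [
            f"  {block} {{",
            f'    protocol         = "{PROTOCOLS[self.protocol]}"',
            f'    {addr:<16} = "{self.cidr}"',
            f'    {addr + "_type":<16} = "CIDR_BLOCK"',
            f"    stateless        = {str(self.stateless).lower()}",
        ]
        if self.description:
            lines.append(f'    description      = "{self.description}"')
        if self.protocol in ("TCP", "UDP"):
            opt = "tcp_options" if self.protocol == "TCP" else "udp_options"
            lines += [f"    {opt} {{", f"      min = {self.port_min}", f"      max = {self.port_max}", "    }"]
        elif self.icmp_type is not None:
            lines += ["    icmp_options {", f"      type = {self.icmp_type}"]
            if self.icmp_code is not None:
                lines.append(f"      code = {self.icmp_code}")
            lines.append("    }")
        lines.append("  }")
        return "\n".join(lines)


def render_security_list(name: str, rules: List[SecurityRule]) -> str:
    """Full resource with the required compartment_id, vcn_id and display_name (variables assumed)."""
    body = "\n".join(r.to_hcl() for r in rules)
    return (f'resource "oci_core_security_list" "{name}" {{\n'
            f"  compartment_id = var.compartment_ocid\n"
            f"  vcn_id         = oci_core_vcn.main.id\n"
            f'  display_name   = "{name}"\n{body}\n}}')


def three_tier_rules(web_cidr: str, app_cidr: str, db_cidr: str) -> Dict[str, List[SecurityRule]]:
    """Web takes HTTPS from the internet, app only from web, db only from app. Each tier that
    opens connections to the next also gets a stateful egress rule, so the app tier's egress
    to the db tier is never forgotten. Ports 8080 and 5432 are constructed sample values."""
    return {
        "web": [SecurityRule("INGRESS", "TCP", "0.0.0.0/0", 443, 443, description="HTTPS from internet"),
                SecurityRule("EGRESS", "TCP", app_cidr, 8080, 8080, description="web -> app")],
        "app": [SecurityRule("INGRESS", "TCP", web_cidr, 8080, 8080, description="app port from web tier"),
                SecurityRule("EGRESS", "TCP", db_cidr, 5432, 5432, description="app -> db")],
        "db":  [SecurityRule("INGRESS", "TCP", app_cidr, 5432, 5432, description="db port from app tier")],
    }


if __name__ == "__main__":
    for tier, rules in three_tier_rules("10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24").items():
        print(render_security_list(f"{tier}_sl", rules), end="\n\n")
```

Running the block prints one oci_core_security_list resource per tier. The validation deliberately fails closed: a malformed CIDR, a port outside 1-65535, a reversed range, or port options on an ICMP rule all raise before any HCL is produced, which is the class of mistake that is cheap to catch here and expensive to find once the subnet is live.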
Use Network Security Groups (NSGs) for application-specific rules and security lists for subnet-wide baseline rules. NSGs are attached to VNICs (per-instance), making them dramatically more flexible. A common pattern: security list with broad 'allow VCN-internal traffic', NSGs for app-specific 'allow port 8080 only on app-tier instances'.
Stateful rules are the right default — they auto-allow return traffic and are simpler to reason about. Only use stateless rules for genuinely high-throughput data planes (database replication, video streaming) where the 5-10% performance overhead of connection tracking matters. Stateless rules require explicit egress + ingress rule pairs and are extremely error-prone.
Always include an explicit ICMP rule (Type 3, Code 4, "Fragmentation Needed") for path MTU discovery. Without it, large packets are silently dropped, causing mysterious "connection hangs" that look like network bugs. This is especially important for VPN-connected on-prem traffic, where MTU mismatches are common.
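As an added example (not part of this page or the tool), the following audit covers the three review points made above: it applies OCI's union semantics across every list attached to a subnet to answer "is this traffic allowed?", flags stateless rules that have no counterpart in the opposite direction, and checks that an ingress rule admitting ICMP Type 3 / Code 4 exists. The rule dictionaries and CIDRs are constructed sample data, and the matching logic is a simplification (it does not model ICMP types when evaluating traffic, only when checking for the PMTUD rule).

```python
"""Added example, not the page's code: audit the security lists attached to one
OCI subnet for union-semantics exposure, unpaired stateless rules, and a
missing path-MTU-discovery ICMP rule. All rules and CIDRs below are
constructed sample data."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: two security lists attached to one subnet (OCI allows up to five).
BASELINE = [
    {"direction": "INGRESS", "protocol": "6", "cidr": "0.0.0.0/0", "ports": (443, 443), "stateless": False},
    {"direction": "EGRESS", "protocol": "6", "cidr": "0.0.0.0/0", "ports": (443, 443), "stateless": False},
]
DNS_FASTPATH = [
    # Stateless for throughput, but nobody added the reply direction.
    {"direction": "INGRESS", "protocol": "17", "cidr": "10.0.0.0/16", "ports": (53, 53), "stateless": True},
]
# The rule the text recommends: ICMP Type 3 Code 4 ("Fragmentation Needed") inbound.
PMTUD_RULE = {"direction": "INGRESS", "protocol": "1", "cidr": "0.0.0.0/0", "icmp": (3, 4), "stateless": False}


def rule_matches(rule: dict, direction: str, protocol: str, port: Optional[int], peer_ip: str) -> bool:
    """Does one rule admit a packet of this protocol/port whose peer address is peer_ip?"""
    if rule["direction"] != direction or rule["protocol"] not in ("all", protocol):
        return False
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule["cidr"]):
        return False
    if protocol in ("6", "17") and "ports" in rule:
        lo, hi = rule["ports"]
        return lo <= port <= hi
    return True


def is_allowed(lists: List[List[dict]], direction: str, protocol: str, port: Optional[int], peer_ip: str) -> bool:
    """Union semantics: the subnet admits the traffic if any rule in any attached list allows it.
    Security lists have no deny rule, so one broad rule anywhere overrides tight rules elsewhere."""
    return any(rule_matches(r, direction, protocol, port, peer_ip) for sl in lists for r in sl)


def unpaired_stateless(lists: List[List[dict]]) -> List[dict]:
    """Stateless rules skip connection tracking, so reply traffic needs its own rule in the
    opposite direction for the same protocol and a CIDR covering the same peers. Ports are
    not compared because the reply's destination port is the client's ephemeral port."""
    flat = [r for sl in lists for r in sl]
    missing = []
    for r in flat:
        if not r["stateless"]:
            continue
        want = "EGRESS" if r["direction"] == "INGRESS" else "INGRESS"
        peers = ipaddress.ip_network(r["cidr"])
        paired = any(
            o["direction"] == want
            and o["protocol"] in ("all", r["protocol"])
            and ipaddress.ip_network(o["cidr"]).supernet_of(peers)
            for o in flat
        )
        if not paired:
            missing.append(r)
    return missing


def pmtud_rule_present(lists: List[List[dict]]) -> bool:
    """True if some ingress rule admits ICMP Type 3 Code 4. A Type 3 rule with no code,
    an ICMP rule with no type filter, or a protocol 'all' rule also covers it."""
    for sl in lists:
        for r in sl:
            if r["direction"] != "INGRESS" or r["protocol"] not in ("all", "1"):
                continue
            icmp: Optional[Tuple[int, Optional[int]]] = r.get("icmp")
            if icmp is None or (icmp[0] == 3 and icmp[1] in (None, 4)):
                return True
    return False


def audit(lists: List[List[dict]]) -> Dict[str, object]:
    """Summary a reviewer can act on; the list and rule limits are the ones stated on the page."""
    return {
        "unpaired_stateless": len(unpaired_stateless(lists)),
        "pmtud_rule_present": pmtud_rule_present(lists),
        "over_list_limit": len(lists) > 5,
        "over_rule_limit": any(len(sl) > 200 for sl in lists),
    }


if __name__ == "__main__":
    subnet_lists = [BASELINE, DNS_FASTPATH]
    print(audit(subnet_lists))
    print(audit([BASELINE + [PMTUD_RULE], DNS_FASTPATH]))
```

The first audit reports one unpaired stateless rule and no PMTUD rule; appending PMTUD_RULE to the baseline list clears the second finding, and adding a stateless UDP egress rule to 10.0.0.0/16 clears the first. Because the checks work on the union of all attached lists, a rule living in a different list than the one you are editing still counts, which is exactly how OCI evaluates it.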