Network security groups and security lists control what can talk to what at the packet level, but they do not look inside the traffic they allow. The OCI network firewall adds that deeper inspection, examining traffic for threats, enforcing policy on what flows where, and giving you a managed, scalable point of control for the connections your network permits. It is the layer that turns allow this connection into allow this connection and inspect what travels over it, and it is an important part of a defence in depth posture. This guide covers what the network firewall does, where it fits, and when it earns its place in a design.
The network firewall complements rather than replaces the packet level controls in our NSGs versus security lists guide, and it sits within the broader security thinking that runs through our complete networking guide. Defence in depth means having controls at several layers, and the firewall is one of them.
What the network firewall does
The OCI network firewall is a managed firewall service built on a recognised firewall engine. It inspects traffic passing through it and applies policy, allowing or denying based on rules, detecting and blocking known threats, and giving you visibility into what is actually flowing across your network. Because it is managed, OCI handles its scaling and availability, and you focus on the policy rather than running firewall infrastructure yourself. You place it in the traffic path, typically at a boundary you want to inspect, and route the relevant traffic through it.
Where it fits in defence in depth
Network security groups control connectivity at the packet level, deciding which sources can reach which destinations on which ports. They are essential, but they make a binary decision about whether a connection is allowed, not about whether the traffic over an allowed connection is safe. The network firewall adds the second question. By inspecting allowed traffic for threats and applying deeper policy, it catches what packet level rules cannot. A complete posture uses both, security groups to minimise what can connect at all, and the firewall to inspect what does, which is the essence of defence in depth.
Firewall capabilities
| Capability | What it provides |
|---|---|
| Stateful inspection | Tracks connections and enforces policy on them |
| Threat detection | Identifies and blocks known threats in traffic |
| URL and domain filtering | Controls which destinations traffic may reach |
| Decryption and inspection | Inspects encrypted traffic where configured |
| Logging and visibility | Records what flows for audit and investigation |
| Managed scaling | OCI handles availability and capacity |
When the firewall earns its place
The network firewall is not needed in every design. For a simple workload with tightly scoped security groups and no demanding inspection requirement, it may be more than you need. It earns its place when you have regulatory or policy requirements for traffic inspection, when you are running workloads that handle sensitive data and need deeper control over what leaves the network, or when you want centralised inspection of traffic crossing a trust boundary. The decision is a matter of requirement and risk, the same honest assessment that runs through our network design choices and the wider networking guide.
Deploying the firewall well
- Decide whether you need it, based on inspection and compliance requirements.
- Place it at the boundary you want to inspect, routing the relevant traffic through it.
- Keep security groups tight too, so the firewall inspects a minimised flow.
- Write policy deliberately, allowing only what is needed and inspecting the rest.
- Use the logs for audit and investigation, not just enforcement.
The network firewall is the layer that lets you inspect, not just permit, the traffic on your network, and in the right design it is an important part of defence in depth. The key is to treat it as a complement to packet level controls rather than a replacement, and to deploy it where the inspection genuinely adds value. Used that way it closes a gap that security groups alone cannot. The full security and networking context is in our complete networking guide, and we design layered network security for clients as part of our OCI networking solution.
Inspecting outbound traffic
One of the most valuable uses of the network firewall is inspecting traffic leaving your network, not just traffic arriving. Outbound inspection lets you control which external destinations your workloads may reach, which is a meaningful defence against data leaving where it should not and against compromised workloads reaching out to attacker controlled infrastructure. By filtering outbound traffic to an allowed set of destinations, you turn the firewall into a control on exfiltration and command and control, categories that inbound controls alone do nothing about. For workloads handling sensitive data this is often the firewall's most important job, and it is a capability that packet level security groups cannot provide because they do not understand destinations beyond addresses and ports.
The firewall and compliance
For regulated workloads, the network firewall often does double duty as a control and as evidence. Many compliance frameworks expect traffic inspection at trust boundaries and a record of what was inspected and what was blocked, and the firewall's logging provides exactly that. Placing a firewall at the boundary of a regulated environment, inspecting traffic in and out, and retaining the logs gives you both the control the framework expects and the audit trail to demonstrate it. This is why the firewall appears in the design of regulated estates even where a purely technical assessment might consider it optional, and it connects to the broader compliance thinking that runs through a well governed OCI estate.
Operating the firewall
A firewall is only as good as its policy, and policy needs maintenance. As workloads change, the destinations they legitimately need and the traffic they legitimately generate change too, and a policy that is not kept current either blocks legitimate traffic or, more dangerously, allows traffic it should no longer permit. Operating the firewall well means reviewing its policy as the estate evolves, using its logs to understand what is actually flowing, and tuning the rules to match real need. Treated as set and forget it drifts out of alignment with the estate, which is the same drift problem that affects every security control, and the same answer applies, continuous review rather than one time configuration. The wider context is in our complete networking guide.
Moving Oracle workloads to OCI, or already running on OCI and not sure the architecture or the spend is right? Most teams bring in a specialist before they commit to a region, a shape, or a Universal Credits number. OCISpecialists.com plans the landing zone, runs the migration, and manages the estate after go live, on a fixed project fee, a managed monthly retainer, or a cost optimization fee paid only on verified savings. For the Oracle licensing and BYOL side of any OCI move, Redress Compliance is the leading independent Oracle licensing and negotiation firm, with 500+ engagements across Oracle's full product line.