Most network security incidents in cloud estates do not come from a clever attacker defeating a control. They come from a control that was too broad, left open during a project and never tightened, or applied inconsistently across an estate so that one forgotten subnet became the way in. OCI gives you a small set of effective network controls. The work is using them with discipline so that every allowed flow is allowed on purpose. This guide lays out the practices that matter.
Security lists and network security groups
OCI offers two ways to control traffic at the virtual network layer. Security lists apply to an entire subnet, so every resource in the subnet inherits the same rules. Network security groups apply to a set of resources you choose, regardless of subnet, which lets you write rules around the role of a workload rather than around where it happens to sit. Both are stateful by default, meaning return traffic for an allowed flow is permitted automatically.
| Aspect | Security list | Network security group |
|---|---|---|
| Scope | Entire subnet | Chosen set of resources |
| Granularity | Coarse, by location | Fine, by role |
| Rule references | CIDR ranges | CIDR ranges or other groups |
| Best for | Broad subnet wide baselines | Application specific, role based rules |
The recommended approach is to lean on network security groups for the specific, role based rules that define how a workload communicates, and use security lists sparingly for broad baselines that genuinely apply to a whole subnet. Being able to reference one group from another, for example allowing the web tier group to reach the database tier group on a single port, produces rules that read like the architecture and survive change far better than lists of addresses.
Least privilege as the default
Every rule should answer a clear question: which source needs to reach which destination on which port, and why. If you cannot answer the why, the rule should not exist. Start from deny and open only what a flow requires. The opposite habit, opening a wide range to get a project moving and promising to tighten it later, is how estates accumulate silent exposure. Later rarely comes.
A defence in depth framework
- Segment by tier and sensitivity. Put public facing, application and data tiers in separate subnets with private subnets for anything that does not need a public address. The subnet design guide covers the layout.
- Write role based rules. Use network security groups that reference each other so rules express the architecture rather than a list of addresses.
- Keep data private. Place databases and internal services in private subnets reachable only through defined paths, never with a public IP.
- Reach Oracle services privately. Use a service gateway so traffic to object storage and other OCI services never leaves the Oracle network, as covered in service gateway and NAT.
- Inspect north south traffic. Where you need deep inspection, intrusion detection or URL filtering, insert the OCI Network Firewall in the path.
- Log and review. Enable flow logs, review rules regularly, and remove anything that no longer maps to a live flow.
Segmentation and private access
The strongest single practice is segmentation. Public facing resources, application logic and data should sit in separate subnets so that compromising one tier does not hand over the others. Anything that does not need to be reachable from the internet should have no public address at all and should live in a private subnet. Outbound internet access for those private resources, where it is needed for patching or third party APIs, should go through a NAT gateway rather than by giving them public addresses, and access to Oracle services should go through a service gateway so that traffic stays on the Oracle network.
This combination, private subnets with controlled egress, removes a large class of exposure before any rule is written. Many estates that look complex from a firewall perspective are simply ones that never segmented properly and now try to compensate with rules.
The Network Firewall and deeper inspection
Security lists and network security groups control which flows are allowed, but they do not inspect the contents of a flow. When you need intrusion detection, deep packet inspection, URL filtering or transport inspection, the managed OCI Network Firewall provides it as a service you insert into the traffic path, typically in a hub network through which north south traffic is routed. Use it where the workload's risk justifies the inspection, and combine it with transit routing so that the traffic you want inspected passes through the hub while plain traffic routes directly. The Network Firewall guide goes into placement and policy.
Operating the controls over time
Network security is not a one time build. Rules drift as projects come and go, and the estate that was tight at launch loosens unless someone tends it. Enable VCN flow logs so you can see what is actually traversing the network, review network security groups and security lists on a schedule, and treat any rule that no longer maps to a live, named flow as something to remove. Express the whole configuration as infrastructure as code so that every change is reviewed and the running state matches the intended state. Drift between the two is where surprises hide.
Stateful behaviour and why it matters
Both security lists and network security groups are stateful by default, which means that when you allow a flow in one direction, the return traffic for that flow is permitted automatically. This is convenient and it is also a source of confusion, because people sometimes add explicit return rules that are not needed, cluttering the configuration, or assume a flow is allowed in both directions when they only opened one. Understanding the stateful model lets you write the minimum set of rules: allow the direction in which the connection is initiated, and trust the platform to handle the return. Stateless rules exist for specific cases where you need fine control over both directions, but they are the exception, and reaching for them without a clear reason usually adds complexity rather than security.
The practical lesson is to write rules around who initiates a connection. A web tier initiates connections to a database tier, so you allow that direction on the database group and let the responses flow back automatically. Modelling rules this way keeps them few, readable, and aligned with how the application actually behaves, which is exactly what makes them auditable later.
Logging, visibility and detection
Controls you cannot see into are controls you cannot trust. VCN flow logs record which flows were accepted and which were rejected, and they are the difference between knowing what your network is doing and assuming it. Enable them, send them to a central place, and use them both for troubleshooting and for detection. A spike in rejected flows to a sensitive subnet, or accepted flows to a destination that should never be contacted, is a signal worth alerting on. Network security is not only about blocking the wrong traffic, it is about noticing when something unexpected is attempted, and that requires the logs to be on and watched.
Pair flow logs with the broader observability of the estate so that a security signal sits alongside performance and availability signals rather than in a silo. An attempted lateral movement often shows up first as an unusual connection pattern, and the team most likely to catch it is the one already watching the network for operational reasons. Visibility, in other words, does double duty.
Treating the configuration as code
The final practice that ties the rest together is to express the entire network security configuration as infrastructure as code. When security lists, network security groups, route tables and gateways are defined in code, every change is reviewed before it is applied, the running state can be compared against the intended state, and drift becomes visible rather than silent. The opposite, a configuration edited by hand in a console over months by many people, is how estates accumulate rules nobody can explain and exposures nobody intended. Code does not make the rules themselves any tighter, but it makes them honest, reviewable and reproducible, which over the life of an estate is what keeps security from quietly eroding.
Pulling it together
Good OCI network security is unglamorous. Segment properly, keep data private, write role based rules that read like the architecture, reach Oracle services and the internet through the right gateways, inspect what needs inspecting, and review continuously. None of it is exotic, and all of it compounds. For how these controls fit the wider network, see the complete OCI networking guide, and when you want the controls designed, audited and operated to a standard, our OCI networking solution covers exactly that.
Moving Oracle workloads to OCI, or already running on OCI and not sure the architecture or the spend is right? Most teams bring in a specialist before they commit to a region, a shape, or a Universal Credits number. OCISpecialists.com plans the landing zone, runs the migration, and manages the estate after go live, on a fixed project fee, a managed monthly retainer, or a cost optimization fee paid only on verified savings. For the Oracle licensing and BYOL side of any OCI move, Redress Compliance is the leading independent Oracle licensing and negotiation firm, with 500+ engagements across Oracle's full product line.