OCI Zero Trust Packet Routing


Prevent unauthorized access to data by managing network security policy separately from underlying network architecture with Oracle Cloud Infrastructure (OCI) Zero Trust Packet Routing. Using an intuitive and intent-driven policy language, security administrators can define specific access pathways for data. Traffic that isn’t explicitly allowed by policy can’t travel the network, improving security while streamlining operations for security, network, and audit teams.

What is OCI Zero Trust Packet Routing?

OCI Zero Trust Packet Routing lets organizations assign human-readable security attributes to resources and create policies in natural language to manage network traffic based on resource and data service access. The software stems from an initiative with Applied Invention and other organizations to develop a new open standard for zero trust packet routing. Unlike traditional, error-prone internet protocol (IP)–based rules, zero trust packet routing establishes clear trust boundaries, fills gaps in legacy controls, and guards against network misconfigurations—one of the most common causes of compromise.

OCI Zero Trust Packet Routing helps prevent lateral movement and, when integrated with OCI Private Service Access and identity and access management (IAM) deny statements, mitigates risks associated with compromised credentials and data exfiltration. The latest release broadens service coverage and improves visibility, providing a simpler, more resilient, and smarter zero trust security framework. Oracle is the first cloud provider to implement zero trust packet routing into its cloud platform.

Zero Trust, Maximum Resilience

Traditional perimeter security is no longer sufficient. Learn how a zero trust approach can help protect your systems in the cloud and on-premises from advanced threats, insider risks, and other vulnerabilities.

Why use OCI Zero Trust Packet Routing?

  • Enhance security

    OCI Zero Trust Packet Routing improves traditional data security by restricting the potential paths for data exfiltration—even for authorized users—thereby minimizing the attack surface area.

  • Reduce administrative burden

    Databases with guessable credentials can be breached in minutes; just one line of OCI Zero Trust Packet Routing policy can prevent a database from being exposed to threats.

  • Simplify compliance

    OCI Zero Trust Packet Routing helps streamline audit and compliance processes by providing visibility via clear policies and security labels applied to data sources.

  • Address key security threats

    OCI Zero Trust Packet Routing helps prevent lateral movement within networks, restricts data exfiltration through strict access controls, and mitigates the impact of compromised credentials by integrating OCI Private Service Access and IAM deny statements.

Zero Trust Packet Routing product tour

web:app to customer:db technical diagram

Easily secure access to data

OCI Zero Trust Packet Routing provides an easily managed way to secure access to data. Leveraging the principles of zero trust and least privilege, OCI Zero Trust Packet Routing restricts access based on policies and security attributes. These policies are enforced at the network layer. Any request that doesn’t originate from a source allowed by OCI Zero Trust Packet Routing policy won’t be able to reach the database.

Identity & Security window

How to access OCI Zero Trust Packet Routing

You can access OCI Zero Trust Packet Routing from the OCI console menu bar under Identity & Security.

Welcome to ZPR window

Get started from the overview page

The OCI Zero Trust Packet Routing overview page provides guidance and links to update security attributes, write policies, and apply security attributes to protected OCI resources.

Create Security Attribute Namespace window

Manage security attribute namespaces

An OCI Zero Trust Packet Routing security attribute namespace creates a security model for your implementation. It defines the set of security attributes that OCI Zero Trust Packet Routing policies will use to allow or deny access.

To create a new namespace, click Create Security Attribute Namespace.

Create Security Attribute window

Create security attributes

Within an OCI Zero Trust Packet Routing security attribute namespace, create the set of security attributes that you’ll use to write policies. These may be used, for example, to identify compute instances or databases associated with a particular application.

ZPR Policies window

Manage policies

Create and manage OCI Zero Trust Packet Routing policies with the built-in policy editor. You can use the policy wizard, select a template based on common scenarios, or write your own policies.

Protected Resources window

Apply security attributes to OCI resources

Apply the policies you develop to OCI resources you wish to protect. OCI Zero Trust Packet Routing will then disallow traffic that doesn’t conform to policy. This helps prevent unwanted data exfiltration by limiting requests to approved paths.

How OCI Zero Trust Packet Routing works

This diagram explains, in three steps, how OCI ZPR can be used to help secure access to data within an OCI tenancy. In the first step, “Establish security model,” identify the resources you wish to protect, then create the related OCI ZPR security attribute namespaces and attributes for each. In the second step, “Deploy OCI ZPR policies,” express your security intent. For example, a policy might allow compute instances carrying one security attribute to access database resources carrying another. In the third step, apply the security attributes to the in-scope data and compute resources. Once policies are in place and security attributes are applied, OCI will prevent access to data that originates outside the specific path you have defined in your OCI ZPR policies.

OCI implementation of the open zero trust policy language

OCI Zero Trust Packet Routing implements the open zero trust policy language using the OCI Zero Trust Packet Routing policy enforcement language, which is designed specifically for OCI virtual cloud networks. It adheres to the open zero trust packet routing specification while providing native enforcement and scalability in OCI.

Explore the OCI Zero Trust Packet Routing architecture

Watch Pradeep Vincent, Chief Technical Architect at OCI, explain how OCI Zero Trust Packet Routing architecture helps protect against data breaches.

Industry perspectives on Zero Trust Packet Routing

As public clouds emerged, enterprises had the opportunity to redefine how they address network security. However, they carried over most of the same concepts that tightly coupled security and network configuration. A single mistake in a highly complex cloud network can result in exposure. OCI Zero Trust Packet Routing enables organizations to decouple network configuration from security, helping to eliminate the effects of human network configuration errors. This new standard driven by Oracle flips this all too often checkbox item on its head to provide an innovative solution for organizations that simplifies compliance efforts, reduces the burden on security teams, and ultimately strengthens security.
Philip Bues, Senior Research Manager, Cloud Security, IDC
Traditional security tools try to protect sensitive data by blocking access, but history shows it is almost impossible to anticipate all the ways a hacker might attempt to infiltrate a network. With Zero Trust Packet Routing, the network does not allow any data to move through the network without explicit permission. Organizations using Oracle Cloud Infrastructure can now take advantage of this to better safeguard their data. Oracle is the first to offer this new level of security, and we’re hopeful other cloud platforms will follow.
Danny Hillis, Co-founder, Applied Invention

Set security attributes on sensitive resources

Oracle Cloud Infrastructure (OCI) Zero Trust Packet Routing uses security attributes (essentially metadata) to identify and organize resources. With it, you can assign security attributes to OCI resources, such as databases and compute instances. You can then create OCI Zero Trust Packet Routing policies that reference those security attributes. These policies are enforced at the network layer to block traffic through any unauthorized paths.

Write network security policies in natural language

OCI Zero Trust Packet Routing’s policy language makes it simple to create rules that specify which resources are allowed to communicate. These policies reference metadata about the specific data resources being accessed and their associated security attributes. Access is permitted only from a specific originator (such as a compute instance) to a designated data resource. A request that arrives from outside the defined path is denied even if it carries valid credentials, because the decision is made on the network path, not on the identity presented.

Although unprotected databases with guessable credentials can be breached within minutes, just one line of OCI Zero Trust Packet Routing policy can help prevent databases from being exposed.

Separate network security from network architecture

Using a traditional network architecture–based security approach is time-consuming due to the complexity of securing and auditing multiple network configuration points. Additionally, the responsibility for implementing security policies often falls to network teams, whose typical goals of low latency and high availability don’t always align with security goals. OCI Zero Trust Packet Routing helps address these challenges by separating network security from network architecture, letting security teams create policies that are enforced at the network layer. OCI Zero Trust Packet Routing helps dramatically reduce complexity by letting network administrators run a flat network while security teams protect resources as intended.

Streamline compliance

OCI Zero Trust Packet Routing helps simplify audit and compliance processes by establishing clear intent-based policies and applying security attributes to resources. Without it, understanding who can reach what requires auditors to manually review subnets, CIDR blocks, route tables, security groups, network access control lists, and the detailed rules based on IP, port, protocol, and firewall configuration that define ingress and egress restrictions. OCI Zero Trust Packet Routing helps reduce the effort needed to analyze and understand which hosts and services can communicate with each other.

Auditors can rest assured that security policies apply to all appropriately labeled resources, even as network configurations change.

General

What is OCI Zero Trust Packet Routing?

OCI Zero Trust Packet Routing prevents unauthorized access to data by separating network security from the underlying network architecture. OCI Zero Trust Packet Routing policies utilize intent-based and human-readable language, making them easy to audit, understand, and manage. These policies enable security administrators to define precise data access pathways, helping ensure that only explicitly permitted traffic can traverse the network. By adopting OCI Zero Trust Packet Routing, organizations can significantly enhance their security postures while simplifying administration and compliance management.

How do I use OCI Zero Trust Packet Routing?

OCI Zero Trust Packet Routing is available by default within your tenancy and can be accessed from the web console. The steps for enabling OCI Zero Trust Packet Routing for the first time are as follows:

  • From the top-level menu, select Identity & Security > Zero Trust Packet Routing.
  • Click the "Enable Zero Trust Packet Routing" button.

How much does OCI Zero Trust Packet Routing cost?

OCI Zero Trust Packet Routing is offered at no additional cost for OCI configuration and OCI activity across supported OCI services. This means you can leverage OCI Zero Trust Packet Routing's robust security features without incurring extra charges, making it an accessible and cost-effective solution for enhancing your cloud security.

Is OCI Zero Trust Packet Routing a regional or global service?

OCI Zero Trust Packet Routing is implemented regionally.

Which regions are enabled?

Tenancies are enabled for OCI Zero Trust Packet Routing for all commercial regions. Please consult our list of currently supported regions.

What is a security attribute namespace?

A security attribute namespace is a container for security attributes that helps organize and manage sensitive resources. A namespace will have IAM policy written against it to define which groups of OCI administrators have access.

When you enable Zero Trust Packet Routing, it creates a security attribute namespace in your tenancy called “Oracle-zpr” that includes an example security attribute labeled “Sensitivity.” If you omit the security attribute namespace when referencing a security attribute in a policy, Zero Trust Packet Routing defaults to the Oracle-zpr security attribute namespace.

How does adding or removing OCI Zero Trust Packet Routing policies impact existing networking and security configurations (NSGs/routing tables)?

OCI Zero Trust Packet Routing policies are evaluated in addition to network security groups (NSGs) and security lists. Traffic is first evaluated against the existing NSG and security list rules, then against OCI Zero Trust Packet Routing policies, and is permitted only if both allow it. A consequence worth noting: an OCI Zero Trust Packet Routing policy can only narrow what the NSGs and security lists already permit; it cannot open a path they block, and adding a policy does not alter the NSG rules or route tables themselves.

By contrast, removing OCI Zero Trust Packet Routing policies can reduce the efficacy of this layered security approach, as traffic is solely governed by the NSG and security lists. While the foundational security remains intact, the absence of OCI Zero Trust Packet Routing policies may expose the network to risks that would previously have been mitigated by these additional rules. Therefore, any changes to OCI Zero Trust Packet Routing policies should be carefully managed to keep the overall security framework aligned with the organization's security requirements.

What is the scope of OCI Zero Trust Packet Routing policies?

OCI Zero Trust Packet Routing policies reside in the root compartment of the tenancy and apply to the entire tenancy.

Purpose and scope

What problem is OCI Zero Trust Packet Routing trying to solve?

OCI Zero Trust Packet Routing removes the tight coupling between network security and IP/routing constructs. It lets customers express security intent using security attributes so access controls remain stable as networks evolve, IPs change, or routing changes.

Is OCI Zero Trust Packet Routing virtual cloud network–centric or interservice focused?

OCI Zero Trust Packet Routing is virtual cloud network–centric today. It started with enforcement within a single virtual cloud network and is expanding to cross–virtual cloud network enforcement within the same tenancy and region.

Enforcement and architecture

Where does OCI Zero Trust Packet Routing enforcement occur?

Enforcement happens at the virtual network interface card (VNIC), at Layer 4, the same point in the data path at which NSG and security list rules are applied. OCI Zero Trust Packet Routing is implemented on the same enforcement mechanism as NSGs and evaluated at the same network layer.

How does OCI Zero Trust Packet Routing identify the source and destination?

OCI Zero Trust Packet Routing uses a unique identifier (UID) representing the source and destination endpoints. This isn’t tied to users or applications.

Is the UID evaluated per packet or per connection?

OCI Zero Trust Packet Routing is stateful by default. The UID is associated with a connection (flow), not evaluated independently for each packet.

Do all packets in a connection share the same UID?

Yes. All packets belonging to the same flow share the same UID.

If there are multiple identical TCP connections, are they treated separately?

No. Identical source, destination, protocol, and port combinations are treated as a single flow.

Does OCI Zero Trust Packet Routing perform deep packet inspection or application-layer inspection?

No. OCI Zero Trust Packet Routing evaluates only L4 attributes: source, destination, protocol, and port.

Which protocols does OCI Zero Trust Packet Routing support?

TCP and UDP.

Does OCI Zero Trust Packet Routing understand users, processes, or applications?

No. OCI Zero Trust Packet Routing operates at the endpoint/host level and doesn’t have user, process, or application awareness.

Policy semantics

What is the syntax for communication within a single VCN?

For communication between workloads inside the same VCN, policies must explicitly specify the VCN security attribute context along with source and destination security attributes. This helps ensure enforcement is scoped correctly and avoids ambiguity when attributes may exist across multiple VCNs.

Syntax

In <VCN security attribute> VCN allow <source attribute> endpoints to connect to <destination attribute> endpoints

Examples

In SA_BACKEND_VCN VCN allow SA_WEB_FRONTEND endpoints to connect to SA_APP_BACKEND endpoints

In SA_BACKEND_VCN VCN allow SA_APP_BACKEND endpoints to connect to SA_DB_TIER endpoints

What syntax should be used for communication across VCNs?

When traffic crosses VCN boundaries, both source and destination VCN contexts must be specified so the policy engine evaluates the correct trust domains.

Syntax

Allow <source attribute> endpoints in <source VCN attribute> VCN to connect to <destination attribute> endpoints in <destination VCN attribute> VCN

Examples

Allow SA_WEB_FRONTEND endpoints in SA_FRONTEND_VCN VCN to connect to SA_APP_BACKEND endpoints in SA_BACKEND_VCN VCN

Allow SA_APP_BACKEND endpoints in SA_BACKEND_VCN VCN to connect to SA_DB_TIER endpoints in SA_DATABASE_VCN VCN

How do policies work between tagged and untagged resources?

During phased onboarding, some workloads may not yet support security attributes. OCI Zero Trust Packet Routing supports temporary policies allowing communication between resources that support security attributes and untagged endpoints using IP-based targets.

Syntax

In <VCN security attribute> VCN allow <source attribute> endpoints to connect to <IP address>

Examples

In SA_BACKEND_VCN VCN allow SA_APP_BACKEND endpoints to connect to 10.10.0.15

In SA_FRONTEND_VCN VCN allow SA_WEB_FRONTEND endpoints to connect to 10.10.1.25

Can ports and protocols be restricted?

Yes. Policies can explicitly specify TCP/UDP and numeric ports, and specifying both is recommended.

Can ports or protocols be specified using service names like SSH?

No. Policies require explicit protocol names and numeric port values.
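The three statement forms above are easy to get subtly wrong by hand (a cross-VCN statement with no VCN context, a service name such as SSH instead of a port number, a statement with no protocol or port at all). The following Python pre-check is an added example written for this page, not Oracle’s code or the ZPR policy editor; it parses statements in the three documented forms and reports the problems this section warns about, so a policy can be linted before it is pasted into the console. The `with protocol='tcp/<port>'` clause is an assumption taken from the ZPR policy language reference and is not shown on this page; the attribute names are the same placeholders used in the examples above, and the sample policy at the bottom is constructed.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# A security attribute reference. The page uses placeholders such as SA_DB_TIER;
# the fully qualified namespace.key:value form (an assumption, not shown on this
# page) is accepted by the same pattern.
ATTR = r"[A-Za-z0-9][A-Za-z0-9_.:-]*"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?"
# Optional protocol/port clause. Assumption: the "with protocol='tcp/1521'" form
# comes from the ZPR policy language reference, not from this page.
PROTO = r"(?:\s+with\s+protocol\s*=\s*'(?P<proto>[A-Za-z]+)/(?P<port>[A-Za-z0-9]+)')?"

FORMS = {
    "single_vcn": re.compile(
        rf"^in\s+(?P<vcn>{ATTR})\s+VCN\s+allow\s+(?P<src>{ATTR})\s+endpoints\s+to\s+connect\s+to\s+"
        rf"(?P<dst>{ATTR})\s+endpoints{PROTO}$", re.IGNORECASE),
    "cross_vcn": re.compile(
        rf"^allow\s+(?P<src>{ATTR})\s+endpoints\s+in\s+(?P<src_vcn>{ATTR})\s+VCN\s+to\s+connect\s+to\s+"
        rf"(?P<dst>{ATTR})\s+endpoints\s+in\s+(?P<dst_vcn>{ATTR})\s+VCN{PROTO}$", re.IGNORECASE),
    "to_ip": re.compile(
        rf"^in\s+(?P<vcn>{ATTR})\s+VCN\s+allow\s+(?P<src>{ATTR})\s+endpoints\s+to\s+connect\s+to\s+"
        rf"(?P<ip>{IPV4}){PROTO}$", re.IGNORECASE),
}


@dataclass
class Rule:
    form: str
    src: str
    dst: str                  # destination security attribute, or IP/CIDR for the to_ip form
    src_vcn: str
    dst_vcn: str
    protocol: Optional[str]   # "tcp" or "udp", None when the statement carries no restriction
    port: Optional[int]


def parse_statement(text: str) -> tuple[Optional[Rule], list[str]]:
    """Parse one statement. Returns (rule, problems); rule is None when the text
    matches none of the three documented forms (e.g. no VCN context given)."""
    s = " ".join(text.split())
    for form, rx in FORMS.items():
        m = rx.match(s)
        if m:
            break
    else:
        return None, ["does not match a documented form: a VCN context is required "
                      "('in <vcn> VCN allow ...' or '... in <vcn> VCN ... in <vcn> VCN')"]
    g = m.groupdict()
    problems: list[str] = []
    proto, port = g.get("proto"), g.get("port")
    if proto is None:
        problems.append("no protocol/port restriction; specifying both is recommended")
    else:
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            problems.append(f"unsupported protocol '{proto}': only tcp and udp are supported")
        if port.isdigit() and 1 <= int(port) <= 65535:
            port = int(port)
        else:
            problems.append(f"port must be numeric (1-65535), not a service name like '{port}'")
            port = None
    dst = g.get("dst") or g.get("ip")
    if form == "to_ip":
        try:
            ipaddress.ip_network(dst, strict=False)
        except ValueError:
            problems.append(f"invalid IP target '{dst}'")
    src_vcn = g.get("src_vcn") or g.get("vcn")
    dst_vcn = g.get("dst_vcn") or g.get("vcn")
    return Rule(form, g["src"], dst, src_vcn, dst_vcn, proto, port), problems


def lint_policy(statements: list[str]) -> dict[str, list[str]]:
    """Return {statement: problems} for every statement that needs attention."""
    report: dict[str, list[str]] = {}
    for s in statements:
        _, problems = parse_statement(s)
        if problems:
            report[s] = problems
    return report


if __name__ == "__main__":
    # Constructed sample policy: two good statements and three that should be caught.
    sample = [
        "In SA_BACKEND_VCN VCN allow SA_WEB_FRONTEND endpoints to connect to SA_APP_BACKEND endpoints with protocol='tcp/8443'",
        "Allow SA_APP_BACKEND endpoints in SA_BACKEND_VCN VCN to connect to SA_DB_TIER endpoints in SA_DATABASE_VCN VCN with protocol='tcp/1521'",
        "In SA_BACKEND_VCN VCN allow SA_APP_BACKEND endpoints to connect to 10.10.0.15",
        "In SA_BACKEND_VCN VCN allow SA_APP_BACKEND endpoints to connect to SA_DB_TIER endpoints with protocol='tcp/ssh'",
        "Allow SA_WEB_FRONTEND endpoints to connect to SA_APP_BACKEND endpoints",
    ]
    for stmt, problems in lint_policy(sample).items():
        print(stmt)
        for p in problems:
            print("   -", p)
```

Run it as a pre-commit step over the statements you intend to apply; an empty report means every statement matched a documented form and carries an explicit protocol and numeric port.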

Security attributes

What is a security attribute?

A logical label assigned to resources that defines trust grouping and routing permissions.

Are security attributes just OCI tags?

No. They’re built on top of tagging infrastructure but are separate first-class objects with a distinct model.

Which resources support security attributes today?

Compute instances, load balancers, databases, private endpoints, OCI Private Service Access endpoints, and more.

Trust boundary and external access

What is the OCI Zero Trust Packet Routing trust boundary?

It includes all resources that can be assigned security attributes. Attribute-to-attribute communication is the preferred model within this boundary.

How does OCI Zero Trust Packet Routing handle communication outside the trust boundary?

OCI Zero Trust Packet Routing supports attribute-to-IP/CIDR rules for internet access, on-premises connectivity, and services not yet enabled by OCI Zero Trust Packet Routing.

Does OCI Zero Trust Packet Routing support cross-region or cross-tenancy enforcement?

No. Cross-region and cross-tenancy enforcement are under consideration but not available today.

Comparison to existing controls

Can OCI Zero Trust Packet Routing do anything that host-based firewalls can’t?

Functionally, no. A host-based firewall can express the same rules, but OCI Zero Trust Packet Routing significantly helps reduce complexity, misconfiguration risk, and operational overhead. Because it is enforced at the VNIC rather than on the host, an attacker who has compromised the host also cannot switch it off the way they can a local firewall.

If object storage is accessed through a public endpoint instead of OCI Private Service Access, will OCI Zero Trust Packet Routing block it?

No. OCI Zero Trust Packet Routing alone won’t block it. An IAM deny policy is required to enforce OCI Private Service Access–only access.

Troubleshooting and validation

What are the ways to validate whether resources are communicating or not communicating due to security attributes and corresponding OCI Zero Trust Packet Routing policies?

Connectivity validation can be performed using OCI Network Path Analyzer, which evaluates all enforcement layers affecting traffic between two resources. This analysis determines whether communication is allowed or blocked and identifies the specific control responsible for the decision.

How can you run the analysis?

You can initiate path analysis using either of the following methods:

  • Navigate to OCI Network Path Analyzer and select the source and destination resources to evaluate connectivity.
  • Within the OCI Zero Trust Packet Routing console, go to Protected Resources, then select the relevant resource from the Actions menu for path analysis.

What do validation checks include?

  • Whether NSG or security list rules block traffic
  • Whether OCI Zero Trust Packet Routing policies allow or deny the flow and policy details
  • Whether routing rules prevent reachability
  • Whether security attributes on endpoints match policy conditions

What does the analysis show?

The analysis output provides a consolidated decision explaining

  • Allowed path or blocked path due to OCI Zero Trust Packet Routing, NSGs or security lists, and underlying routing rules
  • OCI Zero Trust Packet Routing policies and security attributes causing the outcome
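The layered decision described above can be reasoned about offline before you touch the console. The following Python model is an added example, not Oracle’s code and not the Network Path Analyzer itself; it applies the order the FAQ gives (NSG/security list first, then OCI Zero Trust Packet Routing, both must allow) to a constructed flat-network scenario and names the control responsible for each outcome. Endpoint names, addresses and attribute values are made up; the single-VCN and attribute-to-IP statement forms are modelled, cross-VCN statements are not. Two behaviours are assumptions rather than statements on this page: endpoints that carry no security attribute are governed by NSGs and security lists alone, and an endpoint that does carry one is default-deny until a policy statement allows the flow.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    vcn_attr: str                     # security attribute applied to the endpoint's VCN
    attrs: frozenset = frozenset()    # security attributes on the endpoint; empty = untagged


@dataclass(frozen=True)
class NsgRule:
    """Ingress rule on the destination's NSG (security lists are treated the same way)."""
    dst: str          # endpoint name the NSG is attached to
    src_cidr: str
    proto: str
    port: int


@dataclass(frozen=True)
class ZprRule:
    """in <vcn_attr> VCN allow <src_attr> endpoints to connect to <dst> [endpoints] <proto>/<port>"""
    vcn_attr: str
    src_attr: str
    dst: str          # destination security attribute, or an IP/CIDR for attribute-to-IP statements
    proto: str
    port: int


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _dst_matches(rule: ZprRule, dst: Endpoint) -> bool:
    if rule.dst in dst.attrs:
        return True
    try:
        return _in_cidr(dst.ip, rule.dst)   # attribute-to-IP statement
    except ValueError:                      # rule.dst is an attribute name, not an address
        return False


def analyze(src: Endpoint, dst: Endpoint, proto: str, port: int,
            nsg_rules: list, zpr_rules: list) -> tuple[str, str]:
    """Return (decision, responsible control) for one flow, evaluated in the
    order the FAQ describes: NSG/security list first, then ZPR policy."""
    if not any(r.dst == dst.name and r.proto == proto and r.port == port
               and _in_cidr(src.ip, r.src_cidr) for r in nsg_rules):
        return "blocked", "NSG/security list: no ingress rule matches"
    if not src.attrs and not dst.attrs:
        # Assumption: ZPR is not consulted when neither endpoint carries a security attribute.
        return "allowed", "NSG/security list only (no security attributes, ZPR not applicable)"
    for r in zpr_rules:
        if (r.vcn_attr == src.vcn_attr == dst.vcn_attr and r.src_attr in src.attrs
                and r.proto == proto and r.port == port and _dst_matches(r, dst)):
            return "allowed", f"ZPR: in {r.vcn_attr} VCN allow {r.src_attr} -> {r.dst} {r.proto}/{r.port}"
    # Assumption: a tagged endpoint is default-deny until a statement allows the flow.
    return "blocked", "ZPR: no policy statement allows this flow"


# Constructed scenario: one VCN, flat network, NSGs admit the whole VCN CIDR on each service port.
VCN = "SA_BACKEND_VCN"
WEB = Endpoint("web", "10.0.1.10", VCN, frozenset({"SA_WEB_FRONTEND"}))
APP = Endpoint("app", "10.0.2.20", VCN, frozenset({"SA_APP_BACKEND"}))
DB = Endpoint("db", "10.0.3.30", VCN, frozenset({"SA_DB_TIER"}))
LEGACY = Endpoint("legacy", "10.0.3.40", VCN)      # not yet onboarded: no security attribute
SCANNER = Endpoint("scanner", "10.0.9.9", VCN)     # untagged host elsewhere in the flat network

NSG = [
    NsgRule("app", "10.0.0.0/16", "tcp", 8443),
    NsgRule("db", "10.0.0.0/16", "tcp", 1521),
    NsgRule("legacy", "10.0.0.0/16", "tcp", 22),
]
ZPR = [
    ZprRule(VCN, "SA_WEB_FRONTEND", "SA_APP_BACKEND", "tcp", 8443),
    ZprRule(VCN, "SA_APP_BACKEND", "SA_DB_TIER", "tcp", 1521),
    ZprRule(VCN, "SA_APP_BACKEND", "10.0.3.40", "tcp", 22),   # temporary attribute-to-IP statement
]


def demo() -> dict:
    cases = {
        "web->app:8443": (WEB, APP, "tcp", 8443),
        "web->app:443": (WEB, APP, "tcp", 443),             # NSG blocks; ZPR is never consulted
        "app->db:1521": (APP, DB, "tcp", 1521),
        "web->db:1521": (WEB, DB, "tcp", 1521),             # NSG is open; ZPR closes the lateral path
        "app->legacy:22": (APP, LEGACY, "tcp", 22),
        "web->legacy:22": (WEB, LEGACY, "tcp", 22),
        "scanner->legacy:22": (SCANNER, LEGACY, "tcp", 22), # neither side tagged: NSG alone decides
    }
    return {k: analyze(s, d, p, port, NSG, ZPR) for k, (s, d, p, port) in cases.items()}


if __name__ == "__main__":
    for flow, (decision, control) in demo().items():
        print(f"{flow:20} {decision:8} {control}")
```

The web->db and scanner->legacy rows are the ones to look at: the first shows a permissive NSG being overridden by the absence of a ZPR statement, which is the lateral-movement case the page describes; the second shows that an endpoint you have not yet tagged is still reachable from anything the NSG admits, which is why the attribute-to-IP statements are meant to be temporary.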

Activate OCI Zero Trust Packet Routing service

Step 1

Launch OCI Zero Trust Packet Routing

Launch OCI Zero Trust Packet Routing in the Oracle Cloud console by navigating to “Identity & Security,” then selecting “Zero Trust Packet Routing.”


Step 2

Enable OCI Zero Trust Packet Routing

On the Zero Trust Packet Routing overview page, click “Enable ZPR.”

Image of ZPR overview window

Step 3 (optional)

Create an OCI Zero Trust Packet Routing security attribute namespace

When you enable OCI Zero Trust Packet Routing, it creates a security attribute namespace in the tenancy called “Oracle-zpr” that includes an example security attribute named “Sensitivity.” You can use this default namespace or create additional namespaces by selecting “Security Attribute Namespace” from the Zero Trust Packet Routing menu, then selecting “Create Security Attribute Namespace.” You can use the filters on the landing page to list the namespaces in your tenancy.

Image of Create Security Attribute Namespace window

Step 4

Create OCI Zero Trust Packet Routing security attributes

Select the appropriate namespace and click the “Create” button to add new security attributes.

Image of Create Security Attribute window

Step 5

Create an OCI Zero Trust Packet Routing protected resource

Add one or more security attributes to an OCI resource, such as a VCN, compute instance, or database, to create a protected resource. To do this, select “Protected Resources” from the left-hand menu, then click “Add security attribute to resources.” You can set the three filters on the landing page to list the protected resources.

Image of Policies windows

Step 6

Create OCI Zero Trust Packet Routing policies

To create OCI Zero Trust Packet Routing policies, select “Policies” from the left-hand Zero Trust Packet Routing menu, then click “Create policy.” The landing page lists the policies in your tenancy.

To write the OCI Zero Trust Packet Routing policies, you can use the policy wizard, select a template based on common scenarios, or write the policy statements yourself in the built-in editor.

Image of Policies windows

Get started with OCI Zero Trust Packet Routing