End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One.

Use Network Security Groups to Control Traffic to Compute Instances

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Oracle Cloud Infrastructure (OCI) compute instances are associated with Network Security Groups (NSGs). An NSG acts as a virtual firewall for a set of resources: it holds ingress and egress security rules that control which types of inbound and outbound traffic are allowed, and it is applied to selected Virtual Network Interface Cards (VNICs) within a single Virtual Cloud Network (VCN).

Security

Use Network Security Groups (NSGs) with Oracle Cloud Infrastructure (OCI) compute instances to get granular, resource-level network security and isolation. An NSG is attached to individual VNICs, so it can apply different rules to instances that share a subnet, whereas a security list applies the same rules to every VNIC in the subnet. With NSGs you can limit the attack surface and ensure that only authorized clients and services can communicate with your compute instances. Two caveats apply: NSG rules are allow rules only, and when a VNIC is in a subnet that has security lists, the rules that apply to the VNIC are the union of the subnet's security list rules and the rules of every NSG attached to it. Attaching an NSG therefore restricts nothing on its own if the subnet's security list (for example the default security list, which admits SSH from 0.0.0.0/0) still permits the traffic; review and prune the security list as well.


Audit

To determine if your OCI compute instances are configured to use Network Security Groups (NSGs) for traffic control, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to examine, listed in the Name column.

06 Select the Networking tab and check the Network security groups attribute value in the Primary VNIC section. If no NSG is listed there, the selected Oracle Cloud Infrastructure (OCI) compute instance is not configured to use Network Security Groups (NSGs) for traffic control. This view covers only the primary VNIC; repeat the check for any secondary VNICs attached to the instance.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run compute instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each compute instance available in the selected OCI compartment:

oci compute instance list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--region 'ap-sydney-1'
	--all
	--query 'data[]."id"'

04 The command output should return the requested compute instance IDs:

[
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

05 Run compute instance list-vnics command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to examine as the identifier parameter and custom output filters to list the NSGs attached to each VNIC of the selected instance (the trailing [] in the query flattens the per-VNIC lists into one list of NSG OCIDs):

oci compute instance list-vnics
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--availability-domain 'ABCD:AP-SYDNEY-1-AD-1'
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query '{"nsg-ids": data[]."nsg-ids"[]}'

06 The command output should return the IDs (OCIDs) of the NSGs configured for the selected instance:

{
	"nsg-ids": []
}

If the compute instance list-vnics command output returns an empty array for the "nsg-ids" property, as shown in the example above, the selected Oracle Cloud Infrastructure (OCI) compute instance is not configured to use Network Security Groups (NSGs) for traffic control.
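The list-vnics check above is easy to script, and the next thing worth checking is what the rules actually admit. The following Python script is an added example (it is not part of the original article or of the oci CLI) that evaluates the JSON emitted by oci compute instance list-vnics, oci network nsg rules list and the ingress rules of the subnet's security list (from oci network security-list get). The OCIDs and rule records embedded in it are constructed samples, so it runs offline. For each VNIC it reports whether any NSG is attached and whether the effective ingress rule set, which OCI computes as the union of the subnet's security list rules and every attached NSG's rules, still admits TCP port 22 from 0.0.0.0/0. The bastion instance in the sample shows the trap: it has an NSG that only allows SSH from 10.0.1.0/24, but it sits in a subnet whose security list still carries the default SSH-from-anywhere rule, so it is flagged.

```python
"""Audit OCI VNICs for missing NSGs and for world-reachable SSH.

Added example, not part of the original article. Input shapes follow the JSON
that `oci compute instance list-vnics` and `oci network nsg rules list` print;
all OCIDs and rules below are constructed samples.
"""
import json
from ipaddress import ip_network

SSH_PORT = 22

# Constructed: `oci compute instance list-vnics --instance-id ...` output per instance.
SAMPLE_VNICS = {
    "ocid1.instance.oc1.ap-sydney-1.web": json.loads("""
        {"data": [{"id": "ocid1.vnic.oc1.ap-sydney-1.web0", "is-primary": true,
                   "subnet-id": "ocid1.subnet.oc1.ap-sydney-1.app",
                   "nsg-ids": ["ocid1.networksecuritygroup.oc1.ap-sydney-1.ssh"]}]}"""),
    "ocid1.instance.oc1.ap-sydney-1.bastion": json.loads("""
        {"data": [{"id": "ocid1.vnic.oc1.ap-sydney-1.bastion0", "is-primary": true,
                   "subnet-id": "ocid1.subnet.oc1.ap-sydney-1.public",
                   "nsg-ids": ["ocid1.networksecuritygroup.oc1.ap-sydney-1.ssh"]}]}"""),
    "ocid1.instance.oc1.ap-sydney-1.db": json.loads("""
        {"data": [{"id": "ocid1.vnic.oc1.ap-sydney-1.db0", "is-primary": true,
                   "subnet-id": "ocid1.subnet.oc1.ap-sydney-1.public",
                   "nsg-ids": []}]}"""),
}

# Constructed: `oci network nsg rules list --nsg-id ...` output per NSG.
SAMPLE_NSG_RULES = {
    "ocid1.networksecuritygroup.oc1.ap-sydney-1.ssh": json.loads("""
        {"data": [{"direction": "INGRESS", "protocol": "6", "is-stateless": false,
                   "source": "10.0.1.0/24", "source-type": "CIDR_BLOCK",
                   "tcp-options": {"destination-port-range": {"min": 22, "max": 22},
                                   "source-port-range": null}}]}"""),
}

# Constructed: "ingress-security-rules" of each subnet's security list. The "public"
# subnet keeps the shape of OCI's default security list (SSH from anywhere); the
# "app" subnet's list has had that rule removed.
SAMPLE_SECLIST_INGRESS = {
    "ocid1.subnet.oc1.ap-sydney-1.public": [
        {"protocol": "6", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    ],
    "ocid1.subnet.oc1.ap-sydney-1.app": [],
}


def rule_admits_tcp(rule, port):
    """True if an ingress CIDR rule admits TCP `port`. A missing port range means all ports."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("source-type") != "CIDR_BLOCK":
        return False
    if rule.get("protocol") not in ("6", "all"):
        return False
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    return rng is None or rng["min"] <= port <= rng["max"]


def effective_ingress(vnic, nsg_rules, seclist_ingress):
    """OCI applies the UNION of the subnet's security list rules and all attached NSG rules."""
    rules = [dict(r, direction="INGRESS") for r in seclist_ingress.get(vnic["subnet-id"], [])]
    for nsg_id in vnic.get("nsg-ids") or []:
        rules.extend(nsg_rules.get(nsg_id, {}).get("data", []))
    return rules


def audit(vnics_by_instance, nsg_rules, seclist_ingress, port=SSH_PORT):
    """One finding per VNIC: is an NSG attached, and which world-wide sources may reach `port`."""
    findings = []
    for instance_id, listing in vnics_by_instance.items():
        for vnic in listing["data"]:
            world = sorted({r["source"] for r in effective_ingress(vnic, nsg_rules, seclist_ingress)
                            if rule_admits_tcp(r, port)
                            and ip_network(r["source"], strict=False).prefixlen == 0})
            findings.append({"instance": instance_id, "vnic": vnic["id"],
                             "has_nsg": bool(vnic.get("nsg-ids")),
                             "world_open_sources": world})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_VNICS, SAMPLE_NSG_RULES, SAMPLE_SECLIST_INGRESS):
        status = "OK" if f["has_nsg"] and not f["world_open_sources"] else "FINDING"
        print(f"{status:8} {f['vnic']} nsg={f['has_nsg']} world_open={f['world_open_sources']}")
```

In a real run, replace the three constructed dicts with json.load of the CLI outputs captured to files; the rule and VNIC field names are the ones the CLI prints, so no further mapping is needed.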

Remediation / Resolution

To ensure that your Oracle Cloud Infrastructure (OCI) compute instances are using Network Security Groups (NSGs) for traffic control, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to configure.

06 Select the Details tab, and click on the Virtual cloud network attribute value (link), listed in the Instance details section, to access the Virtual Cloud Network (VCN) associated with the selected instance.

07 Select the Security tab, choose Create Network Security Group under Network Security Groups, and perform the following actions to create a new OCI Network Security Group (NSG):

  1. For Name, enter a unique name for the new Network Security Group.
  2. Select the appropriate OCI compartment from the Create in Compartment dropdown list.
  3. For Add Security Rules, choose Rule, and provide the following information to create NSG rules. As an example, the following NSG rules allow inbound access on TCP port 22 (SSH) from a trusted network and outbound access from the instance:
    1. To create an inbound (ingress) rule, provide the following information:
      1. Choose Ingress for Direction.
      2. For Source Type, select CIDR.
      3. For Source CIDR, enter the IP address or IP address range of the trusted network, service, or machine (must be in CIDR notation). Do not use 0.0.0.0/0, which would expose SSH to the whole internet.
      4. For IP Protocol, choose TCP.
      5. For Source Port Range, leave All. SSH clients connect from ephemeral source ports, so restricting the source port to 22 would block legitimate connections.
      6. For Destination Port Range, enter 22.
      7. Type a short description in the Description box.
    2. To create an outbound (egress) rule, select Another rule, and provide the following information:
      1. Choose Egress for Direction.
      2. For Destination Type, select CIDR.
      3. For Destination CIDR, enter the IP address or IP address range where the egress traffic is allowed to go. Prefer the specific destinations the instance needs over 0.0.0.0/0.
      4. For IP Protocol, choose TCP (or All Protocols if the instance needs non-TCP egress).
      5. For Source Port Range, leave All.
      6. For Destination Port Range, leave All, or enter the specific port range the instance needs.
      7. Type a short description in the Description box.
  4. Choose Create to create your new OCI Network Security Group (NSG).

08 Navigate back to the Compute console available at https://cloud.oracle.com/compute/.

09 In the left navigation panel, under Overview, choose Instances to list the compute instances available in the selected OCI compartment.

10 Click on the name (link) of the compute instance that you want to configure.

11 Select the Networking tab and choose Edit next to Network security groups.

12 Choose the appropriate OCI compartment from the Network security group compartment list, select the newly created Network Security Group (NSG) from the Network security groups dropdown list, and choose Save changes to apply the changes. The Networking tab covers the instance's primary VNIC; if the instance has secondary VNICs, attach the NSG to each of them as well. Finally, review the security list of the instance's subnet: the rules that apply to a VNIC are the union of its subnet security list rules and its NSG rules, so broad security list rules (such as the default security list's SSH from 0.0.0.0/0) must be removed for the NSG to have any restricting effect.

Using OCI CLI

01 Run network nsg create command (Windows/macOS/Linux) to create a new Network Security Group (NSG) in the VCN of your Oracle Cloud Infrastructure (OCI) compute instance (an NSG can only be attached to VNICs in the VCN it was created in):

oci network nsg create
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--vcn-id 'ocid1.vcn.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--display-name 'cc-project5-compute-nsg'

02 The command output should return the configuration information available for the new NSG:

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"defined-tags": {},
		"display-name": "cc-project5-compute-nsg",
		"freeform-tags": {},
		"id": "ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"lifecycle-state": "AVAILABLE",
		"time-created": "2025-12-01T18:23:26.258000+00:00",
		"vcn-id": "ocid1.vcn.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
	},
	"etag": "abcd1234"
}

03 Run network nsg rules add command (Windows/macOS/Linux) to add an ingress (inbound) rule to your new OCI Network Security Group (NSG). As an example, the following NSG rule allows access on TCP port 22 (SSH access) from the trusted network 10.0.1.0/24. The source port range is left unset because SSH clients connect from ephemeral source ports; pinning it to port 22 would block legitimate connections. The id, is-valid and time-created properties are assigned by OCI and are not part of the input:

oci network nsg rules add
	--nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--security-rules '[{ "description": "Allow SSH Access to Project5 Compute Instance", "direction": "INGRESS", "is-stateless": false, "protocol": "6", "source": "10.0.1.0/24", "source-type": "CIDR_BLOCK", "tcp-options": { "destination-port-range": { "max": 22, "min": 22 }, "source-port-range": null } }]'

04 The command output should return the ingress rule configured for the new OCI NSG:

{
	"data": {
		"security-rules": [
			{
				"description": "Allow SSH Access to Project5 Compute Instance",
				"destination": null,
				"destination-type": null,
				"direction": "INGRESS",
				"icmp-options": null,
				"id": "ABC123",
				"is-stateless": false,
				"is-valid": true,
				"protocol": "6",
				"source": "10.0.1.0/24",
				"source-type": "CIDR_BLOCK",
				"tcp-options": {
					"destination-port-range": {
						"max": 22,
						"min": 22
					},
					"source-port-range": null
				},
				"time-created": "2025-12-01T18:35:44.654000+00:00",
				"udp-options": null
			}
		]
	}
}

05 Run network nsg rules add command (Windows/macOS/Linux) to add an egress (outbound) rule to your new OCI Network Security Group (NSG). As an example, the following NSG rule allows all outbound traffic (protocol "all", any destination). Where the instance's destinations are known, restrict the destination CIDR and protocol instead; a TCP-only rule would use "protocol": "6":

oci network nsg rules add
	--nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--security-rules '[{ "description": "Allow ALL Outbound Access", "destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK", "direction": "EGRESS", "is-stateless": false, "protocol": "all" }]'

06 The command output should return the egress rule configured for the new OCI NSG:

{
	"data": {
		"security-rules": [
			{
				"description": "Allow ALL Outbound Access",
				"destination": "0.0.0.0/0",
				"destination-type": "CIDR_BLOCK",
				"direction": "EGRESS",
				"icmp-options": null,
				"id": "BCA123",
				"is-stateless": false,
				"is-valid": true,
				"protocol": "all",
				"source": null,
				"source-type": null,
				"tcp-options": null,
				"time-created": "2025-12-01T18:38:46.135000+00:00",
				"udp-options": null
			}
		]
	}
}

07 Run compute instance list-vnics command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to examine as the identifier parameter and custom output filters to describe the Virtual Network Interface Cards (VNICs) configured for your compute instance:

oci compute instance list-vnics
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--availability-domain 'ABCD:AP-SYDNEY-1-AD-1'
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

08 The command output should return the IDs (OCIDs) of the VNICs configured for the selected instance:

[
	"ocid1.vnic.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

09 Run network vnic update command (Windows/macOS/Linux) with the ID of the VNIC configured for the compute instance that you want to configure as the identifier parameter, to attach the Network Security Group (NSG) created and configured in the previous steps. The list passed to --nsg-ids replaces the VNIC's current NSG membership, so include any NSG that is already attached, and repeat the command for every VNIC returned in the previous step:

oci network vnic update
	--vnic-id 'ocid1.vnic.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--nsg-ids '["ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"]'
	--force

10 The command output should return the configuration information available for the modified VNIC:

{
	"data": {
		"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"defined-tags": {},
		"display-name": "cc-project5-instance-vnic",
		"freeform-tags": {},
		"hostname-label": "cc-project5-instance-vnic",
		"id": "ocid1.vnic.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"ipv6-addresses": null,
		"is-primary": true,
		"lifecycle-state": "AVAILABLE",
		"mac-address": "02:00:17:05:C5:15",
		"nsg-ids": [
			"ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
		],
		"private-ip": "16.0.1.251",
		"public-ip": "xxx.xxx.xxx.xxx",
		"route-table-id": null,
		"security-attributes": {},
		"skip-source-dest-check": false,
		"subnet-id": "ocid1.subnet.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"time-created": "2025-12-01T12:24:23.927000+00:00",
		"vlan-id": null
	},
	"etag": "abcd1234"
}
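The --security-rules JSON in steps 03 and 05 is where mistakes creep in, so here is an added Python example (it is not part of the original article or of the oci CLI) that builds those payloads for oci network nsg rules add, lints them before anything is sent, and returns the resulting command line. The NSG OCID it uses is the one created in step 02; the helper names (tcp_ingress_rule, egress_rule, lint_rules, nsg_rules_add_command) are the example's own. The linter rejects the two easy mistakes in this JSON, an ingress rule whose source port range is pinned (SSH clients connect from ephemeral ports, so a rule pinned to source port 22 would block them) and an ingress rule open to 0.0.0.0/0, and it refuses server-assigned fields such as id and is-valid in the input.

```python
"""Build and lint `--security-rules` payloads for `oci network nsg rules add`.

Added example, not part of the original article or of the oci CLI. The rule
shape uses the hyphenated keys the CLI accepts for a security rule.
"""
import json
import shlex
from ipaddress import ip_network

# NSG created in step 02 of the CLI remediation above.
NSG_ID = ("ocid1.networksecuritygroup.oc1.ap-sydney-1."
          "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd")

# Properties OCI assigns on creation; they must never appear in an add request.
SERVER_ASSIGNED = ("id", "is-valid", "time-created")


def tcp_ingress_rule(source_cidr, port, description):
    """Stateful inbound TCP to `port` from `source_cidr`.

    The source port range is deliberately left unset: clients pick an ephemeral
    source port, so pinning it to `port` would block every legitimate connection.
    """
    ip_network(source_cidr, strict=False)  # raises ValueError on a malformed CIDR
    return {"direction": "INGRESS", "protocol": "6", "is-stateless": False,
            "source": source_cidr, "source-type": "CIDR_BLOCK",
            "tcp-options": {"destination-port-range": {"min": port, "max": port}},
            "description": description}


def egress_rule(destination_cidr, description, protocol="all"):
    """Stateful outbound rule; protocol "all" (default) or an IANA number such as "6"."""
    ip_network(destination_cidr, strict=False)
    return {"direction": "EGRESS", "protocol": protocol, "is-stateless": False,
            "destination": destination_cidr, "destination-type": "CIDR_BLOCK",
            "description": description}


def lint_rules(rules):
    """Problems a reviewer should block on before the payload is sent. Empty list = clean."""
    problems = []
    for i, r in enumerate(rules):
        if r["direction"] == "INGRESS":
            if (r.get("tcp-options") or {}).get("source-port-range"):
                problems.append(f"rule {i}: ingress source-port-range is pinned; "
                                "clients use ephemeral ports")
            if (r.get("source-type") == "CIDR_BLOCK"
                    and ip_network(r["source"], strict=False).prefixlen == 0):
                problems.append(f"rule {i}: ingress admits the whole internet ({r['source']})")
        for key in SERVER_ASSIGNED:
            if key in r:
                problems.append(f"rule {i}: '{key}' is assigned by OCI and must not be sent")
    return problems


def nsg_rules_add_command(nsg_id, rules):
    """Return the `oci network nsg rules add` command line, or raise if the rules fail lint."""
    problems = lint_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    payload = json.dumps(rules, separators=(",", ":"))
    return ("oci network nsg rules add --nsg-id " + shlex.quote(nsg_id)
            + " --security-rules " + shlex.quote(payload))


if __name__ == "__main__":
    rules = [tcp_ingress_rule("10.0.1.0/24", 22, "Allow SSH Access to Project5 Compute Instance"),
             egress_rule("0.0.0.0/0", "Allow ALL Outbound Access")]
    print(nsg_rules_add_command(NSG_ID, rules))
```

Running the script prints a single command line that you can paste into a shell; shlex.quote wraps the JSON in single quotes so the double quotes inside it survive. Feeding lint_rules the original ingress rule from this article's earlier revision (source port pinned to 22, "id": "ABC123") returns one problem per mistake instead of a silently broken SSH rule.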


Publication date Dec 8, 2025