
Enable Zero Trust Packet Routing (ZPR)

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-AutonomousAIDatabase-013

Ensure that Oracle Zero Trust Packet Routing (ZPR) is enabled for your OCI Autonomous AI Databases in order to enforce least-privilege access by explicitly defining authorized communication paths based on resource attributes, and to protect against network misconfigurations, since security policies are decoupled from the underlying network architecture. ZPR is an OCI security service that prevents unauthorized data access by enforcing intent-based policies on network traffic. It uses security attributes (labels) assigned to resources to govern communication strictly, decoupling security from the network architecture.

Security

Oracle Zero Trust Packet Routing (ZPR) can be applied directly to a private endpoint within your Autonomous AI Database, enhancing security. The ZPR service implements intent-based security policies that you define, ensuring sensitive data is protected from unauthorized access. The core mechanism involves writing policies for resources after assigning them specific security attributes. Essentially, ZPR uses these attributes and your stated intent to govern all network traffic, strictly permitting only authorized packet routing.

Oracle Zero Trust Packet Routing (ZPR) requires your Autonomous AI Database instances to be configured with private endpoints. Please refer to the Knowledge Base documentation for setup details.


Audit

To determine if Zero Trust Packet Routing (ZPR) is enabled for your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Autonomous AI Databases console available at https://cloud.oracle.com/db/adbs.

  3. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the Autonomous AI Databases provisioned in the selected compartment.

  4. Click on the name (link) of the Autonomous AI Database that you want to examine, listed in the Display Name column.

  5. Select the Security tab and check the Security attributes list to identify any security attributes assigned to your database instance. A security attribute is a label that can be referenced in a Zero Trust Packet Routing (ZPR) policy to control access to your Autonomous AI Database. The ZPR policy is enforced only on resources with a security attribute. If no security attributes are listed in the Security attributes section and the message No items to display is shown instead, Oracle Zero Trust Packet Routing (ZPR) is not enabled for the selected Oracle Cloud Infrastructure (OCI) Autonomous AI Database.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
        --all \
        --include-root \
        --query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run db autonomous-database list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each Autonomous AI Database provisioned in the selected OCI compartment:

    oci db autonomous-database list \
        --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --all \
        --query 'data[]."id"'
    
  4. The command output should return the requested database instance IDs:

    [
    	"ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.autonomousdatabase.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run db autonomous-database get command (Windows/macOS/Linux) with the ID of the Autonomous AI Database that you want to examine as the identifier parameter and custom output filters to determine if Zero Trust Packet Routing (ZPR) is enabled for the selected database instance:

    oci db autonomous-database get \
        --autonomous-database-id 'ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --query 'data."security-attributes"'
    
  6. The command output should return the security attributes defined for the selected database instance. A security attribute is a label that can be referenced in a Zero Trust Packet Routing (ZPR) policy to control access to your Autonomous AI Database. The ZPR policy is enforced only on resources with a security attribute:

    {}
    

    If the db autonomous-database get command output returns an empty object, i.e., {}, as shown in the output example above, there are no security attributes applied to your database instance. As a result, Oracle Zero Trust Packet Routing (ZPR) is not enabled for the selected Oracle Cloud Infrastructure (OCI) Autonomous AI Database.
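    The audit above is a manual per-instance lookup. As an added example (not code from this Knowledge Base or from Oracle), the following Python script evaluates the same evidence programmatically: it parses records in the shape of the oci db autonomous-database get output, treats an empty or absent security-attributes object as "ZPR not enabled", and lists the attached labels. It also separates the two non-compliant cases the page distinguishes, using the assumption (not stated on this page) that a populated subnet-id field marks a database provisioned with a private endpoint, the prerequisite for ZPR. All records and OCIDs are constructed placeholders.

```python
import json

# Constructed sample records in the shape of `oci db autonomous-database get`
# output, reduced to the fields this audit reads. OCIDs are placeholders.
SAMPLE_RECORDS = [
    {"data": {"id": "ocid1.autonomousdatabase.oc1..EXAMPLE-A",
              "display-name": "adb-public",
              "subnet-id": None,
              "security-attributes": {}}},
    {"data": {"id": "ocid1.autonomousdatabase.oc1..EXAMPLE-B",
              "display-name": "adb-private-unlabelled",
              "subnet-id": "ocid1.subnet.oc1..EXAMPLE-SUBNET",
              "security-attributes": {}}},
    {"data": {"id": "ocid1.autonomousdatabase.oc1..EXAMPLE-C",
              "display-name": "adb-private-zpr",
              "subnet-id": "ocid1.subnet.oc1..EXAMPLE-SUBNET",
              "security-attributes": {
                  "oracle-zpr": {"sensitivity": {"mode": "enforce", "value": "high"}}}}},
]


def list_security_attributes(security_attributes):
    """Flatten {namespace: {attribute: {mode, value}}} into
    (namespace, attribute, mode, value) tuples. The CLI prints `{}` (or null)
    when nothing is attached, so both are handled as "no attributes"."""
    found = []
    for namespace, attrs in (security_attributes or {}).items():
        for attribute, detail in (attrs or {}).items():
            found.append((namespace, attribute, detail.get("mode"), detail.get("value")))
    return found


def zpr_enabled(security_attributes):
    """ZPR policy is only enforced on resources carrying a security attribute,
    so an instance without one is not protected by ZPR."""
    return bool(list_security_attributes(security_attributes))


def audit_record(record):
    """Classify one database record. Assumption: a populated subnet-id means the
    database has a private endpoint, which ZPR requires."""
    data = record.get("data", record)
    attrs = data.get("security-attributes")
    has_private_endpoint = bool(data.get("subnet-id"))
    if zpr_enabled(attrs):
        status = "COMPLIANT"
    elif has_private_endpoint:
        status = "NON_COMPLIANT: private endpoint present but no ZPR security attribute"
    else:
        status = "NON_COMPLIANT: no private endpoint, ZPR prerequisite missing"
    return {
        "id": data.get("id"),
        "name": data.get("display-name"),
        "private_endpoint": has_private_endpoint,
        "attributes": list_security_attributes(attrs),
        "status": status,
    }


def audit(records):
    return [audit_record(r) for r in records]


def audit_cli_output(text):
    """Accept raw JSON as printed by the CLI, either a full record or only the
    object returned by --query 'data."security-attributes"'."""
    parsed = json.loads(text)
    if isinstance(parsed, dict) and "data" in parsed:
        return zpr_enabled(parsed["data"].get("security-attributes"))
    return zpr_enabled(parsed)


if __name__ == "__main__":
    for row in audit(SAMPLE_RECORDS):
        print(f"{row['name']:<24} {row['status']}")
```

    In practice the records would come from looping the list and get commands shown in steps 3 to 5 over every compartment; the classification logic is the same.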

Remediation / Resolution

To enable Oracle Zero Trust Packet Routing (ZPR) for your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Zero Trust Packet Routing console available at https://cloud.oracle.com/security/data-security/overview.

  3. Choose Enable ZPR to enable the Zero Trust Packet Routing (ZPR) service in your tenancy. For confirmation, select Enable ZPR. Enabling Oracle Zero Trust Packet Routing (ZPR) in a tenancy creates a default namespace called oracle-zpr and a default security attribute named sensitivity. This configuration allows you to apply security attributes to supported resources. Subsequently, the communication between OCI resources is governed by the ZPR policy.

  4. Once the ZPR service is enabled, choose Policies from the left navigation panel, to create the required ZPR policy. A ZPR policy represents a rule that governs the communication between resources. Choose Create policy and perform the following actions to create a new ZPR policy for connecting resources using security attributes:

    1. For Name, enter a unique name for the policy.
    2. For Description, provide a short description.
    3. Under Policy statements, choose Add policy statements.
    4. On the Add policy statements configuration panel, perform the following actions:
      1. For Choose how you want to build your policies, select Policy template builder. Policy template builder provides predefined ZPR policy statements based on common use case scenarios, allowing you to select and customize a template to quickly create your ZPR policy.
      2. For Category, select Autonomous Database.
      3. For Choose a policy use case, select Allow compute to connect to Autonomous Database.
      4. The Policy statements textbox should be automatically populated with the predefined policy statement, e.g., in <security attribute of VCN> VCN allow <security attribute of source-compute> endpoints to connect to <security attribute of database service> endpoints with protocol='tcp/1521'. To use this policy statement, replace <security attribute of VCN>, <security attribute of source-compute>, and <security attribute of database service> with your own information.
      5. Choose Add to save the policy statements.
    5. Choose Create policy to deploy your new ZPR policy.
  5. Once the ZPR policy is deployed, choose Protected Resources from the left navigation panel, to assign the necessary security attribute to your Autonomous AI Database in order to apply the ZPR policy. Choose Add Security Attribute to resource(s), and perform the following actions to add the ZPR security attribute to your database instance:

    1. For Select resource, select the appropriate OCI compartment from the Compartment dropdown menu, choose AutonomousDatabase from Resource type dropdown list, and select your OCI Autonomous AI Database from the list. Choose Next to continue.
    2. For Security Attributes, select oracle-zpr for Security Attribute Namespace, sensitivity for Security Attribute, and provide a value for the selected attribute in the Security Attribute Value box. Choose Next to continue.
    3. For Review your added resources, review the configuration, and choose Submit to attach the ZPR security attribute to your database instance. This will apply the ZPR policy and enable Oracle Zero Trust Packet Routing for your OCI Autonomous AI Database.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
        --all \
        --include-root \
        --query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run zpr configuration create command (Windows/macOS/Linux) to enable the Oracle Zero Trust Packet Routing (ZPR) service in the OCI root compartment (the root compartment is the OCI tenancy):

    oci zpr configuration create \
        --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    
  4. The command output should return the ZPR service configuration as part of onboarding:

    {
    	"data": {
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"defined-tags": {},
    		"display-name": "ZPR Configuration for OCI Tenancy",
    		"freeform-tags": {},
    		"id": "ocid1.zprconfiguration.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"lifecycle-state": "CREATING",
    		"time-created": "2025-12-02T11:00:00.000Z",
    		"time-updated": "2025-12-02T11:00:00.000Z"
    	},
    	"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    }
    
  5. Run zpr zpr-policy create command (Windows/macOS/Linux) to create the necessary ZPR policy. A ZPR policy is required by the Oracle Zero Trust Packet Routing service and represents a rule that governs the communication between OCI resources. For --statements, specify your ZPR policy statements, written in the Zero Trust Packet Routing Policy language:

    oci zpr zpr-policy create \
        --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --description 'ZPR Policy for OCI Autonomous AI Databases' \
        --name cc-project5-zpr-policy \
        --statements '["in sensitivity:project5-vcn VCN allow sensitivity:project5-compute endpoints to connect to sensitivity:project5-db endpoints"]'
    
  6. The command output should return the configuration information for the newly created ZPR policy:

    {
    	"data": {
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"defined-tags": {},
    		"description": "ZPR Policy for OCI Autonomous AI Databases",
    		"freeform-tags": {},
    		"id": "ocid1.zprpolicy.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"lifecycle-details": null,
    		"lifecycle-state": "CREATING",
    		"name": "cc-project5-zpr-policy",
    		"statements": [
    		"in sensitivity:project5-vcn VCN allow sensitivity:project5-compute endpoints to connect to sensitivity:project5-db endpoints"
    		],
    		"system-tags": null,
    		"time-created": "2025-12-02T11:25:08.447000+00:00",
    		"time-updated": "2025-12-02T11:25:08.447000+00:00"
    	},
    	"opc-work-request-id": "ocid1.zprworkrequest.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    }
    
  7. Run db autonomous-database update command (Windows/macOS/Linux) with the ID of the Autonomous AI Database that you want to configure as the identifier parameter, to assign the necessary security attribute to your database instance in order to apply the ZPR policy created in the previous steps:

    oci db autonomous-database update \
        --autonomous-database-id 'ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --security-attributes '{"oracle-zpr": {"sensitivity": {"mode": "enforce","value": "high"}}}'
    
  8. Type Y and press Enter for confirmation:

    WARNING: Updates to long-term-backup-schedule and freeform-tags and defined-tags and security-attributes and whitelisted-ips and standby-whitelisted-ips and nsg-ids and customer-contacts and resource-pool-summary and scheduled-operations and db-tools-details and vanity-url-details and encryption-key will replace any existing values. Are you sure you want to continue? [y/N]: Y
    
  9. The command output should return the configuration information available for the modified database instance:

    {
    	"data": {
    		"allocated-storage-size-in-tbs": 0.0078125,
    		"are-primary-whitelisted-ips-used": null,
    		"auto-refresh-frequency-in-seconds": null,
    		"auto-refresh-point-lag-in-seconds": null,
    		"autonomous-container-database-id": null,
    		"autonomous-maintenance-schedule-type": "REGULAR",
    		"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
    		"failed-data-recovery-in-seconds": null,
    		"freeform-tags": {},
    		"id": "ocid1.autonomousdatabase.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"in-memory-area-in-gbs": null,
    		"in-memory-percentage": null,
    		"infrastructure-type": null,
    		"is-access-control-enabled": null,
    		"is-auto-scaling-enabled": true,
    		"is-auto-scaling-for-storage-enabled": true,
    		"is-backup-retention-locked": false,
    		"is-data-guard-enabled": true,
    		"is-dedicated": false,
    		"is-dev-tier": null,
    		"is-free-tier": false,
    		"is-local-data-guard-enabled": false,
    		"is-mtls-connection-required": true,
    		"is-preview": false,
    		"is-reconnect-clone-enabled": false,
    		"is-refreshable-clone": null,
    		"is-remote-data-guard-enabled": false,
    		"key-store-wallet-name": null,
    		"kms-key-id": "ORACLE_MANAGED_KEY",
    
    		...
    
    		"security-attributes": {
    			"oracle-zpr": {
    				"sensitivity": {
    				"mode": "enforce",
    				"value": "high"
    				}
    			}
    		},
    		"license-model": "LICENSE_INCLUDED",
    		"lifecycle-state": "UPDATING",
    		"local-adg-auto-failover-max-data-loss-limit": null,
    		"local-disaster-recovery-type": "BACKUP_BASED",
    		"time-data-guard-role-changed": null,
    		"time-deletion-of-free-autonomous-database": null,
    		"time-disaster-recovery-role-changed": null,
    		"time-of-auto-refresh-start": null,
    		"time-of-joining-resource-pool": null,
    		"time-of-last-failover": null,
    		"time-of-last-refresh": null,
    		"time-of-last-refresh-point": null,
    		"time-of-last-switchover": null,
    		"time-of-next-refresh": null,
    		"time-reclamation-of-free-autonomous-database": null,
    		"time-scheduled-db-version-upgrade": null,
    		"time-undeleted": null,
    		"time-until-reconnect-clone-enabled": null,
    		"total-backup-storage-size-in-gbs": 0.0,
    		"vanity-connection-urls": null,
    	},
    	"etag": "abcd1234",
    	"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    }
    
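    The policy created in step 5 and the security attribute assigned in step 7 only work together when they name the same label: ZPR permits only the paths a statement explicitly authorizes, and it enforces that on every resource carrying a security attribute. In the commands above the statement allows traffic to sensitivity:project5-db endpoints while the update assigns sensitivity the value high, so the database would be labelled (and therefore subject to enforcement) without being the destination of any statement. As an added example (not code from this Knowledge Base or from Oracle), the Python below parses statements in the single template form this page shows, builds the --security-attributes JSON in the shape the update command uses, and reports such a mismatch before anything is applied; it also notes statements that omit the with protocol='tcp/1521' restriction from the console template. Reducing the ZPR policy language to that one template and reading the attribute:value tokens exactly as the page writes them (namespace omitted) are assumptions of this example.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Only the template form shown on this page is recognised:
#   in <attr>:<val> VCN allow <attr>:<val> endpoints to connect to
#   <attr>:<val> endpoints [with protocol='tcp/1521']
_TOKEN = r"[\w.-]+"
_STATEMENT_RE = re.compile(
    rf"^in\s+(?P<vcn_attr>{_TOKEN}):(?P<vcn_val>{_TOKEN})\s+VCN\s+allow\s+"
    rf"(?P<src_attr>{_TOKEN}):(?P<src_val>{_TOKEN})\s+endpoints\s+to\s+connect\s+to\s+"
    rf"(?P<dst_attr>{_TOKEN}):(?P<dst_val>{_TOKEN})\s+endpoints"
    r"(?:\s+with\s+protocol='(?P<protocol>[^']+)')?\s*$"
)

# Statement used in step 5 of this page (placeholder project values).
PAGE_STATEMENT = ("in sensitivity:project5-vcn VCN allow sensitivity:project5-compute "
                  "endpoints to connect to sensitivity:project5-db endpoints")


@dataclass(frozen=True)
class ZprStatement:
    vcn: tuple            # (attribute, value) label of the VCN
    source: tuple         # (attribute, value) label of the connecting endpoints
    destination: tuple    # (attribute, value) label of the database endpoints
    protocol: Optional[str]  # e.g. 'tcp/1521'; None when not port-restricted


def parse_statement(text):
    m = _STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"statement does not match the template form: {text!r}")
    g = m.groupdict()
    return ZprStatement((g["vcn_attr"], g["vcn_val"]), (g["src_attr"], g["src_val"]),
                        (g["dst_attr"], g["dst_val"]), g["protocol"])


def build_statement(vcn, source, destination, protocol="tcp/1521"):
    """Emit a statement in the template form; round-trips through the parser."""
    stmt = (f"in {vcn[0]}:{vcn[1]} VCN allow {source[0]}:{source[1]} endpoints "
            f"to connect to {destination[0]}:{destination[1]} endpoints")
    if protocol:
        stmt += f" with protocol='{protocol}'"
    parse_statement(stmt)
    return stmt


def security_attributes_arg(namespace, attribute, value, mode="enforce"):
    """JSON for --security-attributes, in the shape step 7 of this page uses."""
    return json.dumps({namespace: {attribute: {"mode": mode, "value": value}}})


def labels_of(security_attributes):
    """Set of (attribute, value) labels attached to a resource."""
    return {(attr, detail.get("value"))
            for attrs in (security_attributes or {}).values()
            for attr, detail in attrs.items()}


def database_matches_policy(security_attributes, statements):
    """True when some statement names one of the database's labels as destination."""
    labels = labels_of(security_attributes)
    return any(parse_statement(s).destination in labels for s in statements)


def check_remediation(statements, namespace, attribute, value):
    """Findings for a planned (policy, attribute) pair; empty list means consistent."""
    attrs = json.loads(security_attributes_arg(namespace, attribute, value))
    findings = [f"statement is not port-restricted: {s}"
                for s in statements if parse_statement(s).protocol is None]
    if not database_matches_policy(attrs, statements):
        findings.append(f"label {attribute}:{value} is not the destination of any statement")
    return findings


if __name__ == "__main__":
    print(check_remediation([PAGE_STATEMENT], "oracle-zpr", "sensitivity", "high"))
    fixed = build_statement(("sensitivity", "project5-vcn"),
                            ("sensitivity", "project5-compute"),
                            ("sensitivity", "project5-db"))
    print(check_remediation([fixed], "oracle-zpr", "sensitivity", "project5-db"))
```

    Running the script reports the two findings for the page's values and none once the database is assigned sensitivity=project5-db and the statement carries the tcp/1521 restriction.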

Publication date Dec 8, 2025