- Use Network Security Groups to Control Traffic to Lustre File Systems
Ensure that your OCI Lustre file systems are associated with Network Security Groups (NSGs), which operate as a virtual firewall for resources by containing a set of security rules that control the allowed types of inbound and outbound traffic. Network Security Groups use ingress and egress security rules that are applied to defined Virtual Network Interface Cards (VNICs) within a single Virtual Cloud Network (VCN), and each Lustre file system is limited to a maximum of five NSGs.
Use Network Security Groups (NSGs) with Oracle Cloud Infrastructure (OCI) Lustre file systems to achieve granular, resource-level network security and isolation, which is superior to the subnet-wide rules of OCI security lists. With NSGs, you can limit the attack surface and ensure only authorized clients and services can communicate with the high-performance storage system.
Audit
To determine if your Lustre file systems are configured to use Network Security Groups (NSGs) for traffic control, perform the following operations:
Using OCI Console
- Sign in to your Oracle Cloud Infrastructure (OCI) account.
- Navigate to the Lustre File Storage console available at https://cloud.oracle.com/lfs/.
- In the left navigation panel, choose Lustre file systems, and select an OCI compartment from the Compartment dropdown menu to list the Lustre file systems provisioned in that compartment.
- Click on the name (link) of the Lustre file system that you want to examine, listed in the Name column.
- Select the Lustre file system information tab and check the Network security groups attribute value, listed in the Networking section. If the Network security groups attribute has no value, the selected OCI Lustre file system is not configured to use Network Security Groups (NSGs) for traffic control.
Using OCI CLI
- Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
oci iam compartment list --all --include-root --query 'data[]."id"'
- The command output should return the requested OCI compartment identifiers (OCIDs):
[ "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
- Run the lfs lustre-file-system-collection list-lustre-file-systems command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter and the availability domain to search, to list the ID of each Lustre file system provisioned in the selected compartment and availability domain (Lustre file systems are AD-local, so repeat the command for each availability domain in the region):
oci lfs lustre-file-system-collection list-lustre-file-systems --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --availability-domain 'ABCD:AP-SYDNEY-1-AD-1' --all --query 'data."items"[]."id"'
- The command output should return the requested file system IDs:
[ "ocid1.lustrefilesystem.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.lustrefilesystem.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
- Run the lfs lustre-file-system get command (Windows/macOS/Linux) with the ID (OCID) of the Lustre file system that you want to examine as the identifier parameter and custom output filters to determine if the selected file system is using Network Security Groups (NSGs) for traffic control:
oci lfs lustre-file-system get --lustre-file-system-id 'ocid1.lustrefilesystem.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data."nsg-ids"'
- The command output should return the IDs (OCIDs) of the NSGs configured for the selected file system:
[]
If the lfs lustre-file-system get command output returns an empty array, i.e. [], as shown in the example above, the selected OCI Lustre file system is not configured to use Network Security Groups (NSGs) for traffic control. Repeat the check for every Lustre file system returned in each compartment and availability domain.
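The CLI steps above check one file system at a time. The script below is an added example, not part of the original page or of the OCI CLI itself: it repeats the same three queries over every compartment and availability domain and flags each Lustre file system whose nsg-ids attribute is empty. It assumes the oci CLI is installed and authenticated in the shell that runs it; the function names json_list_to_lines, nsg_ids_empty and audit_lustre_nsgs are this example's own, and the OCIDs it prints come from your tenancy, not from the samples on this page.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit every OCI Lustre file system in a
# tenancy for missing Network Security Groups, using the same three OCI CLI
# queries as the manual procedure. Assumes an installed, authenticated "oci".
set -eu

# json_list_to_lines JSON
# Turn a JSON array of strings as printed by "oci ... --query '...[]."id"'"
# (for example: [ "ocid1.a", "ocid1.b" ]) into one value per line. OCIDs and
# availability-domain names never contain spaces, quotes, commas or brackets,
# so stripping those characters is safe for this input. "[]" and "null"
# (no items) produce no lines at all.
json_list_to_lines() {
    printf '%s\n' "$1" | sed 's/[][",]//g' | tr ' \t' '\n\n' | sed '/^$/d;/^null$/d'
}

# nsg_ids_empty NSG_IDS_JSON
# Succeed (exit 0) when the result of --query 'data."nsg-ids"' is an empty
# array or null, i.e. the file system is NOT protected by any NSG.
nsg_ids_empty() {
    case "$(printf '%s' "$1" | tr -d ' \t\n')" in
        '[]'|null) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit_lustre_nsgs
# Walk compartments -> availability domains -> Lustre file systems and print
# one line per file system: "NONCOMPLIANT <fs-ocid> (compartment <ocid>)"
# when nsg-ids is empty, "ok <fs-ocid> nsgs=<ids>" otherwise.
audit_lustre_nsgs() {
    comps=$(oci iam compartment list --all --include-root --query 'data[]."id"')
    for comp in $(json_list_to_lines "$comps"); do
        # Lustre file systems are AD-local, so the list call needs the AD name.
        ads=$(oci iam availability-domain list --compartment-id "$comp" --query 'data[]."name"')
        for ad in $(json_list_to_lines "$ads"); do
            fss=$(oci lfs lustre-file-system-collection list-lustre-file-systems \
                --compartment-id "$comp" --availability-domain "$ad" --all \
                --query 'data."items"[]."id"')
            for fs in $(json_list_to_lines "$fss"); do
                nsgs=$(oci lfs lustre-file-system get --lustre-file-system-id "$fs" \
                    --query 'data."nsg-ids"')
                if nsg_ids_empty "$nsgs"; then
                    printf 'NONCOMPLIANT %s (compartment %s)\n' "$fs" "$comp"
                else
                    printf 'ok %s nsgs=%s\n' "$fs" "$(json_list_to_lines "$nsgs" | tr '\n' ' ')"
                fi
            done
        done
    done
}

# Run the audit only when invoked as "sh audit-lustre-nsg.sh run", so the
# file can also be sourced for its helper functions.
if [ "${1:-}" = "run" ]; then
    audit_lustre_nsgs
fi
```

Every NONCOMPLIANT line corresponds to a file system that would fail the manual check above; feed those OCIDs to the remediation steps in the next section.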
Remediation / Resolution
To ensure that your OCI Lustre file systems are using Network Security Groups (NSGs) for traffic control, perform the following operations:
Using OCI Console
- Sign in to your Oracle Cloud Infrastructure (OCI) account.
- Navigate to the Lustre File Storage console available at https://cloud.oracle.com/lfs/.
- In the left navigation panel, choose Lustre file systems, and select an OCI compartment from the Compartment dropdown menu to list the Lustre file systems provisioned in that compartment.
- Click on the name (link) of the Lustre file system that you want to configure, listed in the Name column.
- Select the Lustre file system information tab and click on the Virtual cloud network attribute value (link), listed in the Networking section, to access the Virtual Cloud Network (VCN) associated with the selected file system. The NSG has to be created in this VCN, because an NSG can only be attached to VNICs within its own VCN.
- Select the Security tab, choose Create Network Security Group under Network Security Groups, and perform the following actions to create a new OCI Network Security Group (NSG):
  - For Name, enter a unique name for the new Network Security Group.
  - Select the appropriate OCI compartment from the Create in Compartment dropdown list.
  - For Add Security Rules, choose Rule, and provide the following information to create the required NSG rules. Lustre uses TCP port 988 on the server side and privileged source ports 512-1023 on the client side, and LNet connections are opened from both sides, so the ingress and egress rules carry the same port ranges:
    - To create an inbound (ingress) rule, choose Ingress for Direction, Network Security Group for Source Type and select the NSG of your Lustre clients (or choose CIDR and enter the client subnet, never 0.0.0.0/0), TCP for IP Protocol, 512-1023 for Source Port Range, 988 for Destination Port Range, and type a short description in the Description box.
    - To create an outbound (egress) rule, select Another rule, choose Egress for Direction, Network Security Group for Destination Type and select the same client NSG (or CIDR with the client subnet), TCP for IP Protocol, 512-1023 for Source Port Range, 988 for Destination Port Range, and type a short description in the Description box.
  - Choose Create to create your new OCI Network Security Group (NSG).
- Navigate back to the Lustre File Storage console available at https://cloud.oracle.com/lfs/.
- In the left navigation panel, choose Lustre file systems, and select the appropriate OCI compartment from the Compartment dropdown menu.
- Click on the name (link) of the Lustre file system that you want to configure, listed in the Name column.
- Select More actions from the page top menu, choose Edit network security groups, select the newly created Network Security Group (NSG) from the Network security groups in <compartment-name> dropdown list, and choose Update to apply the changes. A file system can be associated with at most five NSGs.
Using OCI CLI
- Run the network nsg create command (Windows/macOS/Linux) to create a new Network Security Group (NSG) for your Oracle Cloud Infrastructure (OCI) Lustre file system. The NSG must be created in the same VCN as the file system's subnet, because an NSG can only be attached to VNICs within its own VCN:
oci network nsg create --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --vcn-id 'ocid1.vcn.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' --display-name 'cc-project5-lfs-nsg'
- The command output should return the configuration information available for the new NSG:
{ "data": { "compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "defined-tags": {}, "display-name": "cc-project5-lfs-nsg", "freeform-tags": {}, "id": "ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd", "lifecycle-state": "AVAILABLE", "time-created": "2025-11-07T18:23:26.258000+00:00", "vcn-id": "ocid1.vcn.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" }, "etag": "abcd1234" }
- Run the network nsg rules add command (Windows/macOS/Linux) to add an ingress rule to your new OCI Network Security Group (NSG). The inbound rule must allow TCP traffic to the Lustre server port 988 from client source ports 512-1023. Restrict the source to the CIDR block (or the NSG) of the Lustre clients rather than 0.0.0.0/0, and pass only request fields: the rule id, is-valid and time-created values are assigned by the service:
oci network nsg rules add --nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' --security-rules '[{ "description": "Allow TCP Traffic to Lustre File System", "direction": "INGRESS", "is-stateless": false, "protocol": "6", "source": "10.0.1.0/24", "source-type": "CIDR_BLOCK", "tcp-options": { "destination-port-range": { "max": 988, "min": 988 }, "source-port-range": { "max": 1023, "min": 512 } } }]'
- The command output should return the ingress rule configured for the new OCI NSG:
{ "data": { "security-rules": [ { "description": "Allow TCP Traffic to Lustre File System", "destination": null, "destination-type": null, "direction": "INGRESS", "icmp-options": null, "id": "ABC123", "is-stateless": false, "is-valid": true, "protocol": "6", "source": "10.0.1.0/24", "source-type": "CIDR_BLOCK", "tcp-options": { "destination-port-range": { "max": 988, "min": 988 }, "source-port-range": { "max": 1023, "min": 512 } }, "time-created": "2025-11-07T18:35:44.654000+00:00", "udp-options": null } ] } }
- Run the network nsg rules add command (Windows/macOS/Linux) to add an egress rule to your new OCI Network Security Group (NSG). Lustre (LNet) connections are opened from both sides, so the outbound rule must allow TCP traffic from the file system to client port 988 with source ports 512-1023, mirroring the ingress rule. Restrict the destination to the client CIDR block (here the same 10.0.1.0/24) instead of 0.0.0.0/0:
oci network nsg rules add --nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' --security-rules '[{ "description": "Allow TCP Traffic from Lustre File System", "destination": "10.0.1.0/24", "destination-type": "CIDR_BLOCK", "direction": "EGRESS", "is-stateless": false, "protocol": "6", "tcp-options": { "destination-port-range": { "max": 988, "min": 988 }, "source-port-range": { "max": 1023, "min": 512 } } }]'
- The command output should return the egress rule configured for the new OCI NSG:
{ "data": { "security-rules": [ { "description": "Allow TCP Traffic from Lustre File System", "destination": "10.0.1.0/24", "destination-type": "CIDR_BLOCK", "direction": "EGRESS", "icmp-options": null, "id": "BCA123", "is-stateless": false, "is-valid": true, "protocol": "6", "source": null, "source-type": null, "tcp-options": { "destination-port-range": { "max": 988, "min": 988 }, "source-port-range": { "max": 1023, "min": 512 } }, "time-created": "2025-11-07T18:38:46.135000+00:00", "udp-options": null } ] } }
- Run the lfs lustre-file-system update command (Windows/macOS/Linux) with the ID (OCID) of the Lustre file system that you want to configure as the identifier parameter, to attach the Network Security Group (NSG) created and configured in the previous steps. The --nsg-ids parameter takes a JSON array of NSG OCIDs (at most five) and replaces the current list, so include any NSGs that are already attached:
oci lfs lustre-file-system update --lustre-file-system-id 'ocid1.lustrefilesystem.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --nsg-ids '["ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"]'
- Type Y and press Enter for confirmation (pass --force to skip the prompt when scripting):
WARNING: Updates to freeform-tags and defined-tags and nsg-ids and root-squash-configuration will replace any existing values. Are you sure you want to continue? [y/N]: Y
- The command output should return the configuration information available for the modified file system, with the new NSG listed under nsg-ids:
{ "data": { "availability-domain": "ABCD:AP-SYDNEY-1-AD-1", "capacity-in-gbs": 31200, "cluster-placement-group-id": null, "compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "defined-tags": {}, "display-name": "cc-project5-lustrefs", "file-system-description": null, "file-system-name": "lustrefs", "freeform-tags": {}, "id": "ocid1.lustrefilesystem.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "kms-key-id": null, "lifecycle-details": null, "lifecycle-state": "CREATING", "lnet": null, "maintenance-window": null, "major-version": "2.15", "management-service-address": null, "nsg-ids": [ "ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ], "performance-tier": "MBPS_PER_TB_125", "root-squash-configuration": { "client-exceptions": null, "identity-squash": "NONE", "squash-gid": null, "squash-uid": null }, "subnet-id": "ocid1.subnet.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd", "system-tags": {}, "time-billing-cycle-end": null, "time-created": "2025-11-07T17:09:40.274000+00:00", "time-updated": "2025-11-07T17:09:54.201000+00:00" } }
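The CLI remediation above, collected into one script as an added example (not Oracle's code and not part of this page's original procedure). It creates the NSG in the file system's VCN, builds both Lustre rules from one function so the client CIDR is applied consistently to ingress and egress instead of 0.0.0.0/0, attaches the NSG with the JSON-array form of --nsg-ids, and reads the attribute back as the audit step does. It assumes an installed and authenticated oci CLI; the compartment, VCN and file system OCIDs and the client CIDR are arguments you supply, and the function names lustre_rule, lustre_rules and remediate are this example's own.

```shell
#!/bin/sh
# Added example (not Oracle's code): remediate one OCI Lustre file system by
# creating an NSG with the two Lustre rules and attaching it.
# Usage: sh remediate-lustre-nsg.sh run <compartment-ocid> <vcn-ocid> <lustre-fs-ocid> <client-cidr>
set -eu

# lustre_rule DIRECTION CIDR
# Print one security-rule object in the form accepted by
# "oci network nsg rules add --security-rules": TCP (protocol 6), destination
# port 988, source ports 512-1023, stateful. Lustre (LNet) connections are
# opened from both sides, so INGRESS and EGRESS carry identical port ranges
# and differ only in whether CIDR is the source or the destination. Only
# request fields are emitted; id, is-valid and time-created are assigned by
# the service and must not be sent.
lustre_rule() {
    dir=$1; cidr=$2
    if [ "$dir" = "INGRESS" ]; then
        peer='"source": "'"$cidr"'", "source-type": "CIDR_BLOCK"'
        desc="Allow Lustre TCP 988 from clients in $cidr"
    elif [ "$dir" = "EGRESS" ]; then
        peer='"destination": "'"$cidr"'", "destination-type": "CIDR_BLOCK"'
        desc="Allow Lustre TCP 988 to clients in $cidr"
    else
        echo "lustre_rule: direction must be INGRESS or EGRESS" >&2
        return 1
    fi
    printf '{"description": "%s", "direction": "%s", %s, "protocol": "6", "is-stateless": false, "tcp-options": {"destination-port-range": {"min": 988, "max": 988}, "source-port-range": {"min": 512, "max": 1023}}}' \
        "$desc" "$dir" "$peer"
}

# lustre_rules CIDR
# The complete --security-rules payload: ingress and egress for one client CIDR.
lustre_rules() {
    printf '[%s, %s]' "$(lustre_rule INGRESS "$1")" "$(lustre_rule EGRESS "$1")"
}

# remediate COMPARTMENT_OCID VCN_OCID LUSTRE_FS_OCID CLIENT_CIDR
remediate() {
    comp=$1; vcn=$2; fs=$3; cidr=$4

    # 1. Create the NSG in the file system's VCN (an NSG cannot be attached to
    #    a VNIC in a different VCN) and capture its OCID.
    nsg=$(oci network nsg create --compartment-id "$comp" --vcn-id "$vcn" \
        --display-name 'lustre-fs-nsg' --query 'data.id' --raw-output)
    echo "created NSG $nsg"

    # 2. Add both Lustre rules, scoped to the client subnet.
    oci network nsg rules add --nsg-id "$nsg" --security-rules "$(lustre_rules "$cidr")" >/dev/null

    # 3. Attach. --nsg-ids is a JSON array and REPLACES the current list (append
    #    any NSGs already attached here); --force skips the interactive
    #    "will replace any existing values" confirmation.
    oci lfs lustre-file-system update --lustre-file-system-id "$fs" \
        --nsg-ids "[\"$nsg\"]" --force >/dev/null

    # 4. Verify with the same query the audit uses: it must now list the NSG
    #    instead of returning [].
    oci lfs lustre-file-system get --lustre-file-system-id "$fs" --query 'data."nsg-ids"'
}

# Run only when invoked with "run", so the file can also be sourced for
# lustre_rule / lustre_rules.
if [ "${1:-}" = "run" ]; then
    remediate "$2" "$3" "$4" "$5"
fi
```

If the clients sit in several subnets, call lustre_rules once per CIDR and pass all rules in one nsg rules add invocation; the NSG rule set, not the file system, is where the allowed peers are listed.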
References
- Oracle Cloud Infrastructure Documentation
- Security Rules
- Network Security Groups
- Network Security Group Management
- Managing Security Rules for an NSG