
Attach Function Applications to Network Security Groups (NSGs)


Risk Level: Medium (should be achieved)
Rule ID: OCI-Functions-001

Ensure that your Oracle Cloud Infrastructure (OCI) Functions applications are attached to Network Security Groups (NSGs) to implement granular ingress and egress network access controls at the application level. NSGs provide more fine-grained security than subnet-level security lists by allowing you to define specific rules for individual applications rather than all resources in a subnet. This is particularly important when multiple applications with different access requirements share the same subnet, as it enables you to apply different security rules to functions in different applications without compromising network security. You can attach a Functions application to up to five NSGs, and these NSGs can be in the same or different compartments (but must be in the same VCN as the application subnets).

Security

Attaching Oracle Cloud Infrastructure (OCI) Functions applications to Network Security Groups (NSGs) provides granular network-level security that separates application security requirements from VCN subnet architecture. Unlike subnet-level security lists that apply to all resources in a subnet, NSGs enable you to define specific ingress and egress rules for individual Functions applications, allowing different applications in the same subnet to have different security postures. This is particularly valuable when one application needs access to databases and object storage while another requires access to external REST APIs, as each can be attached to NSGs with appropriate rules without affecting other applications. NSGs support both CIDR-based rules and NSG-to-NSG rules, enabling you to create security boundaries between application tiers and control traffic flow at the packet level. By implementing NSG-based access controls, you enhance defense-in-depth security, maintain network segmentation, and gain the flexibility to modify application security rules without restructuring your VCN or subnet architecture.


Audit

To determine if your OCI Functions applications are attached to Network Security Groups (NSGs), perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Functions console available at https://cloud.oracle.com/functions/.

  3. Choose the OCI compartment that you want to access from the Compartment dropdown list.

  4. In the Applications list, click on the name (link) of the Functions application that you want to examine.

  5. Select the Details tab and check the Network security groups attribute value, listed under Network information.

  6. If the Network security groups value shows None or is empty, the selected Oracle Cloud Infrastructure (OCI) Functions application is not attached to any Network Security Groups, which means the application lacks granular network access controls and relies solely on subnet-level security lists.

  7. Repeat steps no. 4 – 6 for each Functions application available in the selected compartment.

  8. Repeat steps no. 3 – 7 for each compartment available within your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID and name of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[].{name:"name",id:"id"}'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs) and names:

    [
    	{
    		"id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"name": "root"
    	},
    	{
    		"id": "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"name": "production-compartment"
    	}
    ]
    
  3. Run fn application list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID and name of each Functions application available in the selected OCI compartment:

    oci fn application list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query 'data[].{name:"display-name",id:"id"}'
    
  4. The command output should return the requested Functions application IDs and names:

    [
    	{
    		"id": "ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"name": "cc-web-function-app"
    	},
    	{
    		"id": "ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
    		"name": "cc-data-function-app"
    	}
    ]
    
  5. Run fn application get command (Windows/macOS/Linux) with the ID of the Functions application that you want to examine as the identifier parameter, to describe the configuration of the selected application:

    oci fn application get \
    	--application-id 'ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--query 'data'
    
  6. The command output should return the configuration metadata for the selected Functions application:

    {
    	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"config": {},
    	"defined-tags": {},
    	"display-name": "cc-web-function-app",
    	"freeform-tags": {},
    	"id": "ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"image-policy-config": {
    		"is-policy-enabled": false,
    		"key-details": null
    	},
    	"lifecycle-state": "ACTIVE",
    	"network-security-group-ids": [],
    	"shape": "GENERIC_X86",
    	"subnet-ids": [
    		"ocid1.subnet.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
    	],
    	"syslog-url": null,
    	"time-created": "2025-01-15T10:45:00.456000+00:00",
    	"time-updated": "2025-02-16T14:20:00.789000+00:00",
    	"trace-config": null
    }
    

    Check the "network-security-group-ids" property value returned by the fn application get command output. If the "network-security-group-ids" value is set to an empty array [], as shown in the example above, the selected Oracle Cloud Infrastructure (OCI) Functions application is not attached to any Network Security Groups, which means the application lacks granular network access controls and relies solely on subnet-level security lists.

  7. Repeat steps no. 5 and 6 to verify the NSG configuration for other Functions applications available in the selected compartment.

  8. Repeat steps no. 3 – 7 for each compartment available within your Oracle Cloud Infrastructure (OCI) account.

Remediation / Resolution

To attach your existing Oracle Cloud Infrastructure (OCI) Functions applications to Network Security Groups (NSGs), perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Networking console available at https://cloud.oracle.com/networking/.

  3. Choose the OCI compartment that contains your VCN from the Compartment dropdown list.

  4. In the left navigation panel, under Virtual cloud networks, choose Virtual cloud networks to list the VCNs in the selected compartment.

  5. Click on the name (link) of the VCN that hosts your Functions application subnets.

  6. In the top navigation tabs, under Security, choose Network security groups to check whether suitable NSGs already exist in this VCN. If none exist, or you need a new one for this application, choose Create network security group and perform the following actions:

    1. For Name, provide a unique name for the NSG (e.g., "cc-functions-app-nsg").
    2. For Create in compartment, ensure the appropriate compartment is selected.
    3. Choose Next to proceed to security rules configuration.
    4. For Security rules, add appropriate ingress and egress rules based on your application requirements. For example:
      • Add an egress rule for Oracle Services Network (use the service CIDR label).
      • Add ingress/egress rules for specific databases, storage, or other services your functions need to access.
    5. Choose Create to create the NSG.
  7. Navigate to Functions console available at https://cloud.oracle.com/functions/.

  8. Choose the OCI compartment that you want to access from the Compartment dropdown list.

  9. In the Applications list, click on the name (link) of the Functions application that you want to reconfigure (see Audit section part I to identify the right resource).

  10. In the Network security groups section under Network information, choose Edit to add the NSG configuration.

  11. In the Edit network security groups dialog box, perform the following actions:

    1. Choose Select network security groups to select the NSG(s) you want to attach.
    2. Select one or more NSGs from the list (up to five NSGs). Choose NSGs that have appropriate security rules for your application requirements.
    3. Choose Save changes to attach the selected NSGs to the application.
  12. Verify that the Network security groups attribute now displays the attached NSG names.

  13. Repeat steps no. 9 – 12 for other Functions applications that are not attached to NSGs.

  14. Repeat steps no. 8 – 13 for each compartment available within your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run network nsg list command (Windows/macOS/Linux) with the ID of the compartment and VCN to list available Network Security Groups. If NSGs don't exist, create them first using the network nsg create command:

    oci network nsg list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--vcn-id 'ocid1.vcn.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234' \
    	--all \
    	--query 'data[].{name:"display-name",id:"id"}'
    
  2. The command output should return the names and IDs of available NSGs in the VCN:

    [
    	{
    		"id": "ocid1.networksecuritygroup.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd",
    		"name": "cc-functions-app-nsg"
    	}
    ]
    
  3. Run fn application get command (Windows/macOS/Linux) with the ID of the Functions application that you want to reconfigure (see Audit section part II to identify the right resource) as the identifier parameter, to retrieve the current application configuration:

    oci fn application get \
    	--application-id 'ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--query 'data'
    
  4. The command output should return the current configuration of the specified application. Note the current NSG configuration for reference.

  5. Run fn application update command (Windows/macOS/Linux) with the ID of the Functions application that you want to reconfigure as the identifier parameter, to attach the application to Network Security Groups. Replace the NSG IDs with the NSG OCID(s) identified in step 2:

    oci fn application update \
    	--application-id 'ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--network-security-group-ids '["ocid1.networksecuritygroup.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd"]'
    
  6. The command output should return the updated configuration information for the Functions application, showing the attached NSGs:

    {
    	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"config": {},
    	"defined-tags": {},
    	"display-name": "cc-web-function-app",
    	"freeform-tags": {},
    	"id": "ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"image-policy-config": {
    		"is-policy-enabled": false,
    		"key-details": null
    	},
    	"lifecycle-state": "ACTIVE",
    	"network-security-group-ids": [
    		"ocid1.networksecuritygroup.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd"
    	],
    	"shape": "GENERIC_X86",
    	"subnet-ids": [
    		"ocid1.subnet.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
    	],
    	"syslog-url": null,
    	"time-created": "2025-01-15T10:45:00.456000+00:00",
    	"time-updated": "2025-02-17T09:15:00.123000+00:00",
    	"trace-config": null
    }
    
  7. Repeat steps no. 3 – 6 for other Functions applications that are not attached to NSGs.
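The Audit (Using OCI CLI) and Remediation (Using OCI CLI) procedures above can be driven end to end from one script. The following Python script is an added example for this page, not Trend Micro or Oracle code: it runs the same OCI CLI commands (iam compartment list, fn application list and get, network nsg get, network subnet get, fn application update) through subprocess, flags every application whose "network-security-group-ids" is empty, and, before running fn application update, enforces the two constraints stated in the rule description: at most five NSGs per application, and every NSG in the same VCN as the application subnets. The --compartment-id-in-subtree flag (to walk nested compartments) and --force (to skip the CLI's interactive confirmation when the NSG list is replaced) are additions not shown in the steps above; the script name nsg_audit.py and the SAMPLE_* records are constructed for illustration and are not real OCIDs or CLI output.

```python
#!/usr/bin/env python3
"""nsg_audit.py: find OCI Functions applications with no NSG and attach one.

Added example for this rule page (not Trend Micro or Oracle code). Wraps the OCI
CLI commands from the Audit and Remediation sections via subprocess. The SAMPLE_*
records at the bottom are constructed test data, not real OCI output.
"""
import json
import subprocess
import sys

MAX_NSGS_PER_APP = 5  # limit stated in the rule description


def run_oci(*args):
    """Run an OCI CLI command and return its parsed 'data' field ([] if empty)."""
    proc = subprocess.run(["oci", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)["data"] if proc.stdout.strip() else []


def is_attached_to_nsg(app):
    """Rule check: compliant when 'network-security-group-ids' is non-empty."""
    return bool(app.get("network-security-group-ids"))


def validate_attachment(app, new_nsgs, subnets):
    """Pre-flight checks before 'oci fn application update'.

    app: 'fn application get' output; new_nsgs: {nsg_ocid: 'network nsg get' output};
    subnets: {subnet_ocid: 'network subnet get' output}. Returns a list of problems.
    """
    problems = []
    desired = set(app.get("network-security-group-ids") or []) | set(new_nsgs)
    if len(desired) > MAX_NSGS_PER_APP:
        problems.append(f"{len(desired)} NSGs requested, limit is {MAX_NSGS_PER_APP}")
    app_vcns = {subnets[s]["vcn-id"] for s in app["subnet-ids"]}
    for nsg_id, nsg in new_nsgs.items():
        if nsg["vcn-id"] not in app_vcns:
            problems.append(f"{nsg_id} is in VCN {nsg['vcn-id']}, not the application's VCN")
    return problems


def audit_tenancy(tenancy_id):
    """Return [(compartment name, app name, app OCID)] for apps without an NSG."""
    findings = []
    # --compartment-id-in-subtree walks nested compartments (not in the page's command).
    comps = run_oci("iam", "compartment", "list", "--compartment-id", tenancy_id,
                    "--all", "--include-root", "--compartment-id-in-subtree", "true")
    for comp in comps:
        if comp["lifecycle-state"] != "ACTIVE":
            continue
        apps = run_oci("fn", "application", "list", "--compartment-id", comp["id"], "--all")
        for summary in apps:
            app = run_oci("fn", "application", "get", "--application-id", summary["id"])
            if not is_attached_to_nsg(app):
                findings.append((comp["name"], app["display-name"], app["id"]))
    return findings


def attach_nsgs(app_id, nsg_ids, apply=False):
    """Validate, then attach NSGs to one application (dry run unless apply=True)."""
    app = run_oci("fn", "application", "get", "--application-id", app_id)
    new_nsgs = {n: run_oci("network", "nsg", "get", "--nsg-id", n) for n in nsg_ids}
    subnets = {s: run_oci("network", "subnet", "get", "--subnet-id", s)
               for s in app["subnet-ids"]}
    problems = validate_attachment(app, new_nsgs, subnets)
    if problems:
        raise ValueError("; ".join(problems))
    # Keep any NSGs already attached: the update replaces the whole list.
    merged = sorted(set(app.get("network-security-group-ids") or []) | set(nsg_ids))
    cmd = ["fn", "application", "update", "--application-id", app_id,
           "--network-security-group-ids", json.dumps(merged),
           "--force"]  # --force skips the CLI's "will replace existing values" prompt
    if not apply:
        print("DRY RUN: oci " + " ".join(cmd))
        return merged
    return run_oci(*cmd)["network-security-group-ids"]


# Constructed sample records mirroring the CLI output shapes shown on this page.
SAMPLE_APP = {"id": "ocid1.fnapp.oc1..example", "display-name": "cc-web-function-app",
              "network-security-group-ids": [],
              "subnet-ids": ["ocid1.subnet.oc1..example"]}
SAMPLE_SUBNETS = {"ocid1.subnet.oc1..example": {"vcn-id": "ocid1.vcn.oc1..vcn-a"}}
SAMPLE_NSG_OK = {"ocid1.networksecuritygroup.oc1..nsg1": {"vcn-id": "ocid1.vcn.oc1..vcn-a"}}
SAMPLE_NSG_WRONG_VCN = {"ocid1.networksecuritygroup.oc1..nsg2": {"vcn-id": "ocid1.vcn.oc1..vcn-b"}}

if __name__ == "__main__":
    # nsg_audit.py <tenancy-ocid>                      audit only
    # nsg_audit.py <tenancy-ocid> <nsg-ocid> [--apply]  attach NSG to each finding
    tenancy = sys.argv[1]
    nsg_args = [a for a in sys.argv[2:] if not a.startswith("--")]
    for comp, name, app_id in audit_tenancy(tenancy):
        print(f"NON-COMPLIANT  {comp}/{name}  {app_id}")
        if nsg_args:
            attach_nsgs(app_id, nsg_args, apply="--apply" in sys.argv)
```

Run it with only the tenancy OCID to list non-compliant applications; add an NSG OCID to print the exact fn application update command each finding would receive (dry run), and append --apply to execute it. Because validate_attachment works from live network nsg get and network subnet get output, an NSG from a different VCN, or a sixth NSG, is rejected before any change is made, which is the failure the update call would otherwise return from the service.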

Publication date Feb 24, 2026