- Check for Service Gateway Configuration for Private Function Access
Ensure that your Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN) containing Functions applications has a service gateway configured to enable private communication between functions and Oracle Services Network resources without traffic traversing the public internet. A service gateway is a regional virtual router that provides a private path for resources in your VCN (such as functions deployed in private subnets) to access supported Oracle Cloud Infrastructure services including Object Storage, Autonomous Database, and other services in the Oracle Services Network.
Without a service gateway, a function in a private subnet can only reach these Oracle services through a NAT gateway (a private subnet has no public IP addresses, so an internet gateway does not help it). That path leaves the VCN and re-enters Oracle from the public internet: the connection is still TLS-protected, but it adds a public egress route that every workload in the subnet can use, and the traffic is exposed to the ordinary internet-path risks of interception, interposition and disruption. With a service gateway, traffic between functions and Oracle services stays on Oracle's private network, which gives tighter isolation, lower latency, and no data egress charges for accessing Oracle services. A service gateway also simplifies the network design by removing the need for a NAT gateway kept solely for Oracle service access, reducing cost and management overhead. This aligns with defense-in-depth practice and supports network segmentation and data protection requirements, because sensitive data handled by functions never traverses the public internet on its way to Oracle services. Note that the gateway alone is not sufficient: the subnet's route table must send the service CIDR block to the gateway, and the subnet's security list or NSG must allow egress to that destination (typically TCP 443).
Audit
To determine if your VCNs containing OCI Functions applications have service gateways configured, perform the following operations:
Using OCI Console
-
Sign in to your Oracle Cloud Infrastructure (OCI) account.
-
Navigate to Functions console available at https://cloud.oracle.com/functions/.
-
Choose the OCI compartment that you want to access from the Compartment dropdown list.
-
In the Applications list, identify Functions applications and note the Subnet IDs associated with each application by clicking on the application name and checking the Network information section.
-
Click on the Subnet ID link to view the subnet details, including the VCN ID.
-
Navigate to Networking console available at https://cloud.oracle.com/networking/.
-
Choose the OCI compartment that contains the VCN from the Compartment dropdown list.
-
In the left navigation panel, under Virtual cloud networks, choose Virtual cloud networks to list the VCNs.
-
Click on the name (link) of the VCN that hosts your Functions applications (identified in step 5).
-
In the tab navigation panel, under Gateways, choose Service gateways to view service gateways configured for the VCN.
-
Check if a service gateway exists in the Service gateways list. If no service gateway is listed, or if the State of the service gateway is not Available, the selected Oracle Cloud Infrastructure (OCI) VCN does not have a properly configured service gateway, which means functions in private subnets cannot privately access Oracle Services Network resources and would require internet access to reach Oracle services.
-
If a service gateway exists, check the Services section to ensure that the appropriate Oracle services are enabled (typically All Services in Oracle Services Network). Also confirm that the gateway is not set to Block traffic: a gateway in that state exists but drops every packet sent through it.
-
In the tab navigation panel, under Routing, choose Route tables to verify route configuration.
-
Click on the route table associated with the private subnet(s) hosting your Functions applications (the subnet details page from step 5 names the route table in use).
-
In the Route rules section, verify that a route rule exists with:
- Target type: Service gateway
- Destination service: All Services in Oracle Services Network (or the specific services enabled on the gateway)
- Target service gateway: the service gateway created for the VCN
-
If no route rule directing traffic to the service gateway exists, functions cannot use the service gateway to access Oracle services, even if the service gateway has been created.
-
Repeat steps no. 8 – 16 for each VCN that hosts Functions applications in the selected compartment.
-
Repeat steps no. 3 – 17 for each compartment available within your Oracle Cloud Infrastructure (OCI) account.
Using OCI CLI
-
Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
oci iam compartment list --all --include-root --query 'data[]."id"'
-
The command output should return the requested OCI compartment identifiers (OCIDs):
[ "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
-
Run fn application list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list Functions applications and their VCN associations:
oci fn application list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[].{name:"display-name", id:id}'
-
The command output should return the Functions application names and IDs:
[ { "id": "ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "name": "cc-web-function-app" } ]
-
Run fn application get command (Windows/macOS/Linux) with the ID of a Functions application to get the subnet IDs, which will help identify the VCN:
oci fn application get --application-id 'ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data."subnet-ids"'
-
The command output should return the subnet OCIDs for the Functions application:
[ "ocid1.subnet.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
-
Run network subnet get command (Windows/macOS/Linux) with the subnet ID to get the VCN ID:
oci network subnet get --subnet-id 'ocid1.subnet.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data."vcn-id"'
-
The command output should return the VCN OCID:
"ocid1.vcn.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
-
Run network service-gateway list command (Windows/macOS/Linux) with the VCN ID, and the ID of the compartment that holds the gateway (normally the VCN's own compartment), to list service gateways configured for the VCN:
oci network service-gateway list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --vcn-id 'ocid1.vcn.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[]."id"'
-
The command output should return service gateway OCIDs if they exist:
[ "ocid1.servicegateway.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
If the command returns an empty array [], no service gateway exists for the VCN, which means functions in private subnets cannot privately access Oracle Services Network resources.
-
If a service gateway OCID is returned, run network service-gateway get command (Windows/macOS/Linux) to verify the service gateway configuration:
oci network service-gateway get --service-gateway-id 'ocid1.servicegateway.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data'
-
The command output should return the service gateway configuration:
{ "block-traffic": false, "compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "defined-tags": {}, "display-name": "cc-service-gateway", "freeform-tags": {}, "id": "ocid1.servicegateway.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "lifecycle-state": "AVAILABLE", "route-table-id": null, "services": [ { "service-id": "ocid1.service.oc1.ap-sydney-1.aaaabbbbccccdddd", "service-name": "All SYD Services In Oracle Services Network" } ], "time-created": "2025-01-20T10:00:00.123000+00:00", "vcn-id": "ocid1.vcn.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd" }
Check the "lifecycle-state" property. If it is not "AVAILABLE", the service gateway is not usable. Check "block-traffic": if it is true, the gateway exists but drops all traffic sent through it. Verify that "services" contains the appropriate Oracle services (typically "All Services in Oracle Services Network"); an empty list means no service can be reached through the gateway.
-
Run network route-table list command (Windows/macOS/Linux) to list route tables in the VCN:
oci network route-table list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --vcn-id 'ocid1.vcn.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[].{id:id, name:"display-name"}'
-
Run network route-table get command (Windows/macOS/Linux) with the ID of the route table associated with the private subnet(s) hosting Functions applications (the "route-table-id" property returned by network subnet get in step 7 identifies it directly):
oci network route-table get --rt-id 'ocid1.routetable.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data."route-rules"'
-
The command output should return the route rules:
[ { "cidr-block": null, "description": "Route to Oracle Services Network", "destination": "all-syd-services-in-oracle-services-network", "destination-type": "SERVICE_CIDR_BLOCK", "network-entity-id": "ocid1.servicegateway.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "route-type": null } ]
Check if a route rule exists with "destination-type": "SERVICE_CIDR_BLOCK" and "network-entity-id" pointing to the service gateway returned in step 10, and whose "destination" label matches a service enabled on that gateway. If no such route rule exists, functions cannot use the service gateway to access Oracle services, even if the service gateway has been created.
-
Repeat steps no. 5 – 15 to verify service gateway configuration for other Functions applications available in the selected compartment.
-
Repeat steps no. 3 – 16 for each compartment available within your Oracle Cloud Infrastructure (OCI) account.
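The CLI steps above can be applied mechanically. The following script is an added example for this page, not Oracle's or the page author's code. Its evaluation functions (usable_service_gateways, service_gateway_routes, audit_subnet) are pure and run on the constructed sample objects at the bottom, which mimic the shapes the CLI returns with placeholder OCIDs. Only run_oci and audit_application call the real oci CLI, and they assume it is installed and configured and that the service gateway lives in the subnet's compartment; the hypothetical function and variable names are mine.

```python
"""Evaluate the service-gateway posture of an OCI Functions subnet.

Added example; not part of the original page.  Pure evaluation functions run on
the constructed sample below; run_oci()/audit_application() are the only
pieces that touch the real `oci` CLI (assumed installed and configured).
"""
import json
import subprocess
from typing import Any


def run_oci(*args: str) -> Any:
    """Run an `oci` command and return the parsed `data` element (not exercised by the sample)."""
    proc = subprocess.run(["oci", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)["data"] if proc.stdout.strip() else None


def usable_service_gateways(gateways: list[dict]) -> list[dict]:
    """Gateways that actually provide a private path: AVAILABLE, not in
    'block traffic' mode, and with at least one Oracle service enabled."""
    return [g for g in gateways
            if g.get("lifecycle-state") == "AVAILABLE"
            and not g.get("block-traffic", False)
            and g.get("services")]


def service_gateway_routes(route_rules: list[dict], gateway_ids: set[str]) -> list[dict]:
    """Route rules that send a service CIDR label to one of the given gateways."""
    return [r for r in route_rules
            if r.get("destination-type") == "SERVICE_CIDR_BLOCK"
            and r.get("network-entity-id") in gateway_ids]


def audit_subnet(subnet_id: str, gateways: list[dict], route_rules: list[dict]) -> dict:
    """Apply the page's checks to one subnet: a usable gateway must exist in the
    VCN and the subnet's route table must have a SERVICE_CIDR_BLOCK rule to it."""
    findings = []
    usable = usable_service_gateways(gateways)
    if not gateways:
        findings.append("no service gateway exists in the VCN")
    elif not usable:
        findings.append("service gateway is not AVAILABLE, blocks traffic, or has no services enabled")
    elif not service_gateway_routes(route_rules, {g["id"] for g in usable}):
        findings.append("route table has no SERVICE_CIDR_BLOCK rule targeting the service gateway")
    return {"subnet-id": subnet_id, "compliant": not findings, "findings": findings}


def audit_application(application_id: str) -> list[dict]:
    """Live walk of audit steps 5-15 for one Functions application via the CLI.
    Assumption: the service gateway is in the subnet's compartment."""
    app = run_oci("fn", "application", "get", "--application-id", application_id)
    results = []
    for subnet_id in app["subnet-ids"]:
        subnet = run_oci("network", "subnet", "get", "--subnet-id", subnet_id)
        gateways = run_oci("network", "service-gateway", "list", "--all",
                           "--compartment-id", subnet["compartment-id"],
                           "--vcn-id", subnet["vcn-id"]) or []
        table = run_oci("network", "route-table", "get", "--rt-id", subnet["route-table-id"])
        results.append(audit_subnet(subnet_id, gateways, table["route-rules"]))
    return results


# Constructed sample data in the shapes the CLI returns (placeholder OCIDs).
SAMPLE_GATEWAY = {
    "id": "ocid1.servicegateway.oc1.ap-sydney-1.example",
    "lifecycle-state": "AVAILABLE",
    "block-traffic": False,
    "services": [{"service-id": "ocid1.service.oc1.ap-sydney-1.example",
                  "service-name": "All SYD Services In Oracle Services Network"}],
}
SAMPLE_NAT_RULE = {"destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK",
                   "network-entity-id": "ocid1.natgateway.oc1.ap-sydney-1.example"}
SAMPLE_SGW_RULE = {"destination": "all-syd-services-in-oracle-services-network",
                   "destination-type": "SERVICE_CIDR_BLOCK",
                   "network-entity-id": SAMPLE_GATEWAY["id"]}

if __name__ == "__main__":
    print(json.dumps(audit_subnet("ocid1.subnet.oc1.ap-sydney-1.example",
                                  [SAMPLE_GATEWAY], [SAMPLE_NAT_RULE, SAMPLE_SGW_RULE]), indent=2))
```

A subnet passes only when all three conditions hold together; a gateway with "block-traffic": true or an empty "services" list is reported as non-compliant even though it shows up in the service-gateway list, which the plain existence check in step 10 would miss.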
Remediation / Resolution
To configure service gateways for your Oracle Cloud Infrastructure (OCI) VCNs containing Functions applications, perform the following operations:
Using OCI Console
-
Sign in to your Oracle Cloud Infrastructure (OCI) account.
-
Navigate to Networking console available at https://cloud.oracle.com/networking/.
-
Choose the OCI compartment that contains the VCN from the Compartment dropdown list.
-
In the left navigation panel, under Virtual cloud networks, choose Virtual cloud networks to list the VCNs.
-
Click on the name (link) of the VCN that hosts your Functions applications (see Audit section part I to identify the right resource).
-
In the tab navigation panel, under Gateways, choose Service gateways to manage service gateways.
-
If no service gateway exists, choose Create service gateway and perform the following actions:
- For Name, provide a unique name for the service gateway (e.g., "cc-service-gateway").
- For Create in compartment, ensure the appropriate compartment is selected.
- For Services, choose All Services in Oracle Services Network to enable access to all Oracle services in the region. Alternatively, select specific services if you want to restrict access to only certain Oracle services.
- Choose Create service gateway to create the gateway.
-
Wait for the service gateway to be created. The State should show Available once the creation is complete.
-
In the tab navigation panel, under Routing, choose Route tables to configure routing to the service gateway.
-
Click on the route table associated with the private subnet(s) hosting your Functions applications.
-
In the Route rules section, choose Add route rules to create a new route rule.
-
In the Add route rules dialog, perform the following actions:
- For Target type, select Service gateway.
- For Destination service, choose All Services in Oracle Services Network (or the same service selection used when creating the service gateway).
- For Target service gateway, select the service gateway created in step 7.
- For Description (optional), provide a description such as "Route to Oracle Services Network via service gateway".
- Choose Add route rules to save the route rule.
-
Verify that the route rule appears in the Route rules section with the correct configuration, and confirm that the security list or NSG applied to the subnet allows egress to the same Oracle Services Network destination (destination type Service, typically TCP port 443); a route without a matching security rule still leaves the functions unable to reach Oracle services.
-
Test the configuration by invoking a function that accesses an Oracle service (such as Object Storage) to ensure private access works correctly.
-
Repeat steps no. 5 – 14 for other VCNs that host Functions applications but do not have service gateways configured.
-
Repeat steps no. 3 – 15 for each compartment available within your Oracle Cloud Infrastructure (OCI) account.
Using OCI CLI
-
Run network service list command (Windows/macOS/Linux) to list available Oracle services that can be enabled for a service gateway in your region:
oci network service list --all --query 'data[].{id:id, name:name, cidr:"cidr-block"}'
-
The command output should return the available Oracle services:
[ { "cidr": "all-syd-services-in-oracle-services-network", "id": "ocid1.service.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234", "name": "All SYD Services In Oracle Services Network" }, { "cidr": "oci-syd-objectstorage", "id": "ocid1.service.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd5678", "name": "OCI SYD Object Storage" } ]
Note the service ID for "All Services in Oracle Services Network", which is used when creating the service gateway in step 5, and its "cidr" label, which is the route rule destination in step 8.
-
Run network subnet get command (Windows/macOS/Linux) with the subnet ID hosting your Functions application (see Audit section part II to identify the right resource) to get the VCN ID:
oci network subnet get --subnet-id 'ocid1.subnet.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data."vcn-id"'
-
Create a JSON file (e.g., service-gateway-services.json) containing the service configuration. Use the service ID from step 2:
[ { "serviceId": "ocid1.service.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234" } ]
-
Run network service-gateway create command (Windows/macOS/Linux) to create a service gateway in the VCN:
oci network service-gateway create --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --vcn-id 'ocid1.vcn.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --services file://service-gateway-services.json --display-name 'cc-service-gateway'
-
The command output should return the created service gateway configuration:
{ "block-traffic": false, "compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "defined-tags": {}, "display-name": "cc-service-gateway", "freeform-tags": {}, "id": "ocid1.servicegateway.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "lifecycle-state": "AVAILABLE", "route-table-id": null, "services": [ { "service-id": "ocid1.service.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234", "service-name": "All SYD Services In Oracle Services Network" } ], "time-created": "2025-02-18T11:30:00.456000+00:00", "vcn-id": "ocid1.vcn.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd" }
Note the service gateway ID for use in the route table configuration.
-
Run network route-table get command (Windows/macOS/Linux) with the route table ID associated with the private subnet(s) hosting Functions applications to get the current route rules:
oci network route-table get --rt-id 'ocid1.routetable.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data."route-rules"'
-
Create a JSON file (e.g., updated-route-rules.json) containing the current route rules plus a new route rule for the service gateway. Important: the oci network route-table update --route-rules command replaces all existing route rules, so copy every existing rule from the step 7 output into the file (using the camelCase property names the CLI accepts on input) or those rules will be lost. For a private subnet the existing default route normally targets a NAT gateway, as in this example:
[ { "destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK", "networkEntityId": "ocid1.natgateway.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "description": "Default route to NAT gateway" }, { "destination": "all-syd-services-in-oracle-services-network", "destinationType": "SERVICE_CIDR_BLOCK", "networkEntityId": "ocid1.servicegateway.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "description": "Route to Oracle Services Network via service gateway" } ]
The "destination" of the service gateway rule must be the "cidr" label of the service enabled on the gateway (here the regional All Services label from step 2). OCI applies the most specific matching rule, so this rule takes precedence over 0.0.0.0/0 for Oracle service addresses and the default route can stay in place for other traffic.
-
Run network route-table update command (Windows/macOS/Linux) to add the service gateway route rule to the route table:
oci network route-table update --rt-id 'ocid1.routetable.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --route-rules file://updated-route-rules.json --force
-
The command output should return the updated route table configuration with the new service gateway route rule included.
-
Test the configuration by invoking a function that accesses an Oracle service to ensure private access works correctly.
-
Repeat steps no. 3 – 11 for other VCNs that host Functions applications but do not have service gateways configured.
-
Repeat steps no. 1 – 12 for each compartment available within your Oracle Cloud Infrastructure (OCI) account.
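Because the route-table update replaces the whole rule set, the error-prone part of the CLI remediation is assembling the JSON for step 8. The following script is an added example for this page, not Oracle's or the page author's code: it converts the kebab-case rules returned by route-table get into the camelCase input shape, looks up the route destination label from the service list, and appends a service gateway rule only when one is not already present, so running it twice is harmless. It runs on the constructed sample data at the bottom (placeholder OCIDs) and makes no CLI call; the function and variable names are mine, and the treatment of LOCAL route rules is an assumption noted in the code.

```python
"""Build the --route-rules input for `oci network route-table update`.

Added example; not part of the original page.  Merges a service-gateway rule
into a route table's existing rules so that the replace-all update loses
nothing, and runs on the constructed sample below without calling the CLI.
"""
import json

# Fields the CLI accepts in a route rule on input (camelCase).  Output-only
# fields such as "route-type" and the deprecated "cidr-block" are dropped.
INPUT_FIELDS = ("destination", "destinationType", "networkEntityId", "description")
SGW_DESCRIPTION = "Route to Oracle Services Network via service gateway"


def to_camel(key: str) -> str:
    """'network-entity-id' -> 'networkEntityId'; camelCase input is returned unchanged."""
    head, *rest = key.split("-")
    return head + "".join(part[:1].upper() + part[1:] for part in rest)


def as_input_rule(rule: dict) -> dict:
    """Convert one rule from `route-table get` output to the input shape."""
    out = {to_camel(k): v for k, v in rule.items()}
    return {k: out[k] for k in INPUT_FIELDS if out.get(k) is not None}


def cidr_labels_for_gateway(gateway: dict, services: list[dict]) -> list[str]:
    """Map the gateway's enabled service IDs to route destinations using the
    "cidr-block" field of `oci network service list` output."""
    by_id = {s["id"]: s["cidr-block"] for s in services}
    return [by_id[s["service-id"]] for s in gateway["services"] if s["service-id"] in by_id]


def merge_service_gateway_rules(existing_rules: list[dict], gateway_id: str,
                                cidr_labels: list[str]) -> tuple[list[dict], list[str]]:
    """Return (complete rule set to submit, labels newly added).

    Existing rules are preserved.  Rules with route-type LOCAL are skipped on
    the assumption that OCI manages them and rejects them on input.  A label
    that already has a SERVICE_CIDR_BLOCK rule is left alone (idempotent).
    """
    rules = [as_input_rule(r) for r in existing_rules if r.get("route-type") != "LOCAL"]
    present = {r["destination"] for r in rules if r.get("destinationType") == "SERVICE_CIDR_BLOCK"}
    added = []
    for label in cidr_labels:
        if label in present:
            continue
        rules.append({"destination": label, "destinationType": "SERVICE_CIDR_BLOCK",
                      "networkEntityId": gateway_id, "description": SGW_DESCRIPTION})
        added.append(label)
    return rules, added


def write_rules_file(path: str, rules: list[dict]) -> str:
    """Write the rule set for use as --route-rules file://<path>."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(rules, fh, indent=2)
    return path


# Constructed sample data in the shapes the CLI returns (placeholder OCIDs).
SAMPLE_SERVICES = [
    {"id": "ocid1.service.oc1.ap-sydney-1.allsvc", "name": "All SYD Services In Oracle Services Network",
     "cidr-block": "all-syd-services-in-oracle-services-network"},
    {"id": "ocid1.service.oc1.ap-sydney-1.objsto", "name": "OCI SYD Object Storage",
     "cidr-block": "oci-syd-objectstorage"},
]
SAMPLE_GATEWAY = {"id": "ocid1.servicegateway.oc1.ap-sydney-1.example",
                  "services": [{"service-id": "ocid1.service.oc1.ap-sydney-1.allsvc"}]}
SAMPLE_EXISTING = [
    {"cidr-block": None, "description": "Default route to NAT gateway", "destination": "0.0.0.0/0",
     "destination-type": "CIDR_BLOCK",
     "network-entity-id": "ocid1.natgateway.oc1.ap-sydney-1.example", "route-type": "STATIC"},
]

if __name__ == "__main__":
    labels = cidr_labels_for_gateway(SAMPLE_GATEWAY, SAMPLE_SERVICES)
    rules, added = merge_service_gateway_rules(SAMPLE_EXISTING, SAMPLE_GATEWAY["id"], labels)
    print(json.dumps(rules, indent=2), "added:", added)
```

Feed the real step 7 output and the real service list to these functions, write the result with write_rules_file, and pass that path to the step 9 command. Review the written file before running the update, since a rule dropped here is a rule dropped from the subnet.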
References
- Oracle Cloud Infrastructure Documentation
- OCI Functions Support for Private Network Access
- Access to Oracle Services: Service Gateway
- VCN Route Tables
- Creating the VCN and Subnets to Use with OCI Functions, if they don't exist already
- Oracle Cloud Infrastructure CLI Documentation
- compartment list
- application list
- application get
- subnet get
- service-gateway list
- service-gateway create
- service-gateway get
- route-table list
- route-table get
- route-table update
Related OCI-Functions rules
- Check for Service Gateway Configuration for Private Function Access (Security, performance-efficiency)
- Check for Least Privilege IAM Policies for Function Invocation (Security)
- Check for Resource-Level Access Controls in Function IAM Policies (Security)
- Attach Function Applications to Network Security Groups (NSGs) (Security)