Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Use Network Perimeters

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-IAM-018

Use network perimeters for OCI identity domains to enforce strict access control by location and significantly reducing the attack surface.

Security

Enabling and configuring network perimeters for OCI identity domains is vital for enhancing security by restricting access to users originating from specific, approved IP addresses or IP address ranges. This mitigates unauthorized access from untrusted locations, ensuring only internal or trusted network traffic can reach your identity services.

Audit

To determine if your Oracle Cloud Infrastructure (OCI) identity domains use network perimeters for access control, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Identity console available at https://cloud.oracle.com/identity/.

  3. In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

  4. Click on the name (link) of the identity domain that you want to examine, listed in the Name column.

  5. Select the Security tab and check the Network perimeters list to identify any network perimeters created for the selected domain. If there are no network perimeters listed in the Network perimeters section, instead the following message is displayed: No items to display, the selected Oracle Cloud Infrastructure (OCI) identity domains is not using network perimeters for IP-based access control.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run iam domain list command (OSX/Linux/UNIX) to list the OCI domains created for your Oracle Cloud Infrastructure (OCI) compartment:

    oci iam domain list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data[].["display-name","url"]'

  4. The command output should return the name and the endpoint of each OCI domain available in the selected compartment:

    [
	[
		"Project5",
		"https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com:443"
	],
	[
		"Default",
		"https://idcs-aaaabbbbccccddddabcdabcd1234abcd.identity.oraclecloud.com:443"
	]
]

  5. Run identity-domains network-perimeters list command (OSX/Linux/UNIX) to list the ID of each network perimeter created for the specified OCI domain:

    oci identity-domains network-perimeters list
	--endpoint 'https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com:443'
	--query 'data."resources"[]."id"'

  6. The command output should return the requested network perimeter ID(s):

    []

    If the identity-domains network-perimeters list command output returns an empty array (i.e., []), as shown in the example above, the selected Oracle Cloud Infrastructure (OCI) identity domains is not using network perimeters for IP-based access control.

Remediation / Resolution

Enable and configure network perimeters for Oracle Cloud Infrastructure (OCI) identity domains, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Identity console available at https://cloud.oracle.com/identity/.

  3. In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

  4. Click on the name (link) of the identity domain that you want to configure, listed in the Name column.

  5. Select the Security tab, choose Create network perimeter, and perform the following actions to create a new network perimeter for the selected OCI identity domain:

    1. For Name, provide a unique name for the network perimeter.
    2. For IP addresses, enter the exact IP address or IP addresses, IP range, or masked IP address range for the network perimeter. You can also provide multiple IP addresses as a comma-separated list. Use CIDR notation.
    3. Choose Create to deploy your new network perimeter and enforce strict access control for the selected OCI identity domain.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run iam domain list command (OSX/Linux/UNIX) to list the OCI domains created for your Oracle Cloud Infrastructure (OCI) compartment:

    oci iam domain list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data[].["display-name","url"]'

  4. The command output should return the name and the endpoint of each OCI domain available in the selected compartment:

    [
	[
		"Project5",
		"https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com:443"
	],
	[
		"Default",
		"https://idcs-aaaabbbbccccddddabcdabcd1234abcd.identity.oraclecloud.com:443"
	]
]

  5. Run identity-domains network-perimeter create command (OSX/Linux/UNIX) to create your new network perimeter and enforce strict access control for the specified OCI identity domain. For \<ipv4-address\> specify the exact IP address or IP addresses, IP range, or masked IP address range for the network perimeter. You can also provide multiple IP addresses as a comma-separated list:

    oci identity-domains network-perimeter create
	--endpoint 'https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com:443'
	--name 'cc-project5-trusted-network'
	--schemas '["urn:ietf:params:scim:schemas:oracle:idcs:NetworkPerimeter"]'
	--ip-addresses '[{"type": "CIDR","value": "<ipv4-address>","version": "IPV4"}]'

  6. The command output should return the configuration information available for the new network perimeter:

    {
	"data": {
		"compartment-ocid": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"delete-in-progress": null,
		"description": null,
		"domain-ocid": "ocid1.domain.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"external-id": null,
		"id": "1234abcd1234abcd1234abcd1234abcd",
		"idcs-last-upgraded-in-release": null,
		"idcs-prevented-operations": null,
		"ip-addresses": [
			{
				"type": "CIDR",
				"value": "<ipv4-address>",
				"version": "IPV4"
			}
		],
		"meta": {
			"created": "2025-12-03T16:10:45.907Z",
			"last-modified": "2025-12-03T16:10:45.907Z",
			"location": "https://idcs-1234abcd1234abcd1234abcd.identity.oraclecloud.com:443/admin/v1/NetworkPerimeters/1234abcd1234abcd1234abcd1234abcd",
			"resource-type": "NetworkPerimeter",
			"version": "1234abcd1234abcd1234abcd1234abcd"
		},
		"name": "cc-project5-trusted-network",
		"ocid": "ocid1.domainnetworkperimeter.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"schemas": [
			"urn:ietf:params:scim:schemas:oracle:idcs:NetworkPerimeter"
		],
		"tags": null,
		"tenancy-ocid": "ocid1.tenancy.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
	},
	"etag": "1234abcd1234abcd1234abcd1234abcd",
	"opc-total-items": "1"
}

References

Publication date Dec 8, 2025

Related OCI-IAM rules