End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Check for Unrestricted Network Access

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: OCI-OIC-001

Ensure that network access to your Oracle Integration Cloud (OIC) instances is restricted to trusted networks only in order to significantly reduce the instance's exposure to risk and prevent unauthorized access.

Security

Oracle Integration Cloud (OIC) instances are provisioned within an Oracle-managed private network, yet each has a public endpoint. To protect these instances from unauthorized network access, OIC includes the capability to configure inbound filtering of network traffic. It is strongly advised to restrict network access to your OIC instances to approved corporate IP addresses or Virtual Cloud Networks (VCNs). This practice is essential for reducing the OIC instance's exposure to risk.


Audit

To determine whether the network access to your Oracle Integration Cloud (OIC) instances is restricted, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Integration instances console available at https://cloud.oracle.com/oic.

  3. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the Oracle Integration Cloud (OIC) instances provisioned in the selected compartment.

  4. Click on the name (link) of the OIC integration instance that you want to examine, listed in the Name column.

  5. Select the Networking tab and check the allowlist configured for the instance, listed in the Network access section. If the Network access section lists no allowlist and shows the message No items to display instead, network access to the selected Oracle Integration Cloud (OIC) instance is not restricted.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
        --all \
        --include-root \
        --query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run integration integration-instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OIC integration instance provisioned in the selected OCI compartment:

    oci integration integration-instance list \
        --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --all \
        --query 'data[]."id"'
    
  4. The command output should return the requested integration instance IDs:

    [
    	"ocid1.integrationinstance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.integrationinstance.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run integration integration-instance get command (Windows/macOS/Linux) with the ID of the OIC integration instance that you want to examine as the identifier parameter and custom output filters to determine whether network access to the selected integration instance is restricted:

    oci integration integration-instance get \
        --id 'ocid1.integrationinstance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --query 'data.["network-endpoint-details"."allowlisted-http-ips","network-endpoint-details"."allowlisted-http-vcns"]'
    
  6. The command output should return the network access configuration for the selected instance. The "allowlisted-http-ips" configuration property value (first line) represents the trusted network(s)/IP(s) defined in the allowlist and "allowlisted-http-vcns" property value (second line) represents the trusted Virtual Cloud Networks (VCNs) configured in the allowlist:

    [
    	null,
    	null
    ]
    

    If the integration integration-instance get command output returns null for both the "allowlisted-http-ips" and "allowlisted-http-vcns" properties, as in the output example above, no allowlist is defined and network access to the selected Oracle Integration Cloud (OIC) instance is not restricted.
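The check above reduces to "are both allowlist properties null or empty". The following added example (written for this page, not Trend Micro's or Oracle's code) applies that logic to the JSON body that integration-instance get prints, and goes one step further than the page's null-only test: an allowlist whose only entry is a zero-length prefix such as 0.0.0.0/0 admits every source address, so it is reported as unrestricted too. The responses, display names and OCIDs are constructed placeholders, not output from a real tenancy.

```python
import ipaddress
import json

# Constructed sample responses in the shape `oci integration integration-instance get`
# prints (the "data" object, trimmed to the fields this check reads). Not captured
# from a real tenancy; the OCIDs are placeholders.
SAMPLE_RESPONSES = [
    json.loads("""{"data": {"display-name": "oic-no-allowlist",
        "id": "ocid1.integrationinstance.oc1.ap-sydney-1.PLACEHOLDER01",
        "network-endpoint-details": {"network-endpoint-type": "PUBLIC",
            "allowlisted-http-ips": null, "allowlisted-http-vcns": null}}}"""),
    json.loads("""{"data": {"display-name": "oic-null-details",
        "id": "ocid1.integrationinstance.oc1.ap-sydney-1.PLACEHOLDER02",
        "network-endpoint-details": null}}"""),
    json.loads("""{"data": {"display-name": "oic-wide-open-cidr",
        "id": "ocid1.integrationinstance.oc1.ap-sydney-1.PLACEHOLDER03",
        "network-endpoint-details": {"network-endpoint-type": "PUBLIC",
            "allowlisted-http-ips": ["0.0.0.0/0"], "allowlisted-http-vcns": []}}}"""),
    json.loads("""{"data": {"display-name": "oic-restricted",
        "id": "ocid1.integrationinstance.oc1.ap-sydney-1.PLACEHOLDER04",
        "network-endpoint-details": {"network-endpoint-type": "PUBLIC",
            "allowlisted-http-ips": ["203.0.113.10", "198.51.100.0/24"],
            "allowlisted-http-vcns": [{"id": "ocid1.vcn.oc1.ap-sydney-1.PLACEHOLDER05"}]}}}"""),
]


def allowlist_entries(details):
    """Split network-endpoint-details into (ip_entries, vcn_ocids), tolerating null/missing."""
    if not details:
        return [], []
    ips = details.get("allowlisted-http-ips") or []
    vcns = [v["id"] for v in (details.get("allowlisted-http-vcns") or []) if v.get("id")]
    return ips, vcns


def covers_everything(entry):
    """True for an allowlist entry such as 0.0.0.0/0 that admits every source address."""
    try:
        return ipaddress.ip_network(entry, strict=False).prefixlen == 0
    except ValueError:
        return False  # not an IP/CIDR literal, so it cannot be a catch-all prefix


def assess(response):
    """Return (display_name, verdict, reason) for one `get` response body."""
    data = response["data"]
    name = data["display-name"]
    ips, vcns = allowlist_entries(data.get("network-endpoint-details"))
    if not ips and not vcns:
        return name, "UNRESTRICTED", "no allowlist configured (null/empty)"
    open_entries = [e for e in ips if covers_everything(e)]
    if open_entries:
        return name, "UNRESTRICTED", "allowlist admits all sources: " + ", ".join(open_entries)
    return name, "RESTRICTED", f"{len(ips)} IP/CIDR and {len(vcns)} VCN entries"


def unrestricted_instances(responses):
    """Display names of instances that fail the OCI-OIC-001 check, in input order."""
    return [name for name, verdict, _ in map(assess, responses) if verdict == "UNRESTRICTED"]


if __name__ == "__main__":
    for name, verdict, reason in map(assess, SAMPLE_RESPONSES):
        print(f"{verdict:12} {name:22} {reason}")
```

To run this against a live tenancy, feed each instance's integration-instance get output (without the --query filter) to assess(); the OCI CLI prints kebab-case property names in its output, which is what the functions above read.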

Remediation / Resolution

To ensure that network access to your Oracle Integration Cloud (OIC) instances is restricted to trusted IPs and networks, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Integration instances console available at https://cloud.oracle.com/oic.

  3. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the Oracle Integration Cloud (OIC) instances provisioned in the selected compartment.

  4. Click on the name (link) of the OIC integration instance that you want to configure, listed in the Name column.

  5. Select the Networking tab, choose Edit, and provide the following actions to create the necessary allowlist:

    1. Toggle on the Restrict network access button to initiate the allowlist configuration. When Restrict network access is enabled, only users from networks that meet the configured settings are allowed to access your OCI integration instance.
    2. (Optional) Toggle on the Enable loopback button if you want integration instances in your region to be able to call this instance.
    3. For Protocol, select the protocol to which the allowlist rule applies. Available options: HTTP and File Server, HTTP, and File Server.
    4. For Type, if you selected HTTP protocol, choose what you want to allowlist: an IP address/CIDR block, a Virtual cloud network, or a Virtual cloud network OCID. If you selected HTTP and File Server or File Server, the only type is IP address/CIDR block, so you don't have to select the Type.
    5. For Value, enter or select the specific IP address, CIDR block, VCN, or VCN OCID.
    6. Choose Update to apply the new allowlist and restrict the network access to the selected OIC integration instance.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
        --all \
        --include-root \
        --query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run integration integration-instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to access as the identifier parameter, to list the ID of each OIC integration instance provisioned in the selected OCI compartment:

    oci integration integration-instance list \
        --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --all \
        --query 'data[]."id"'
    
  4. The command output should return the requested integration instance IDs:

    [
    	"ocid1.integrationinstance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.integrationinstance.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run integration integration-instance change-network-endpoint command (Windows/macOS/Linux) with the ID of the OIC integration instance that you want to configure as the identifier parameter, to create the necessary allowlist for the selected integration instance. Replace <ipv4-address> with the trusted IP address or CIDR block. To configure the allowlist with trusted Virtual Cloud Networks (VCNs) instead, pass '{"allowlistedHttpVcns": [{"id":"<vcn-ocid>"}],"networkEndpointType": "PUBLIC"}' as the --network-endpoint-details parameter, where <vcn-ocid> is the OCID of the trusted VCN. The JSON keys are the camelCase property names that the CLI expects for complex-type input (the same keys its --generate-param-json-input option prints), not the kebab-case names shown in command output:

    oci integration integration-instance change-network-endpoint \
        --id 'ocid1.integrationinstance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --network-endpoint-details '{"allowlistedHttpIps": ["<ipv4-address>"],"networkEndpointType": "PUBLIC"}'
    
  6. The command output should return the ID of the work request that tracks the change:

    {
    	"opc-work-request-id": "ocid1.integrationworkrequest.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    }
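The remediation command is only as good as the JSON handed to --network-endpoint-details: a stray 0.0.0.0/0, an IPv6 literal, or a non-VCN OCID would either fail at the API or produce an allowlist that restricts nothing. The following added example (written for this page, not Trend Micro's or Oracle's code) validates the trusted IPs/CIDR blocks and VCN OCIDs, builds the payload, and returns the argv list for the change-network-endpoint call. It assumes the CLI's complex-type JSON input uses the API's camelCase property names (networkEndpointType, allowlistedHttpIps, allowlistedHttpVcns); the OCIDs in the usage block are constructed placeholders.

```python
import ipaddress
import json
import shlex


def canonical_ipv4_entry(entry):
    """Validate one allowlist value: an IPv4 address or an IPv4 CIDR block.

    Rejects anything that would not actually restrict access (a zero-length prefix
    such as 0.0.0.0/0) so a typo cannot yield an allowlist that is a no-op.
    """
    net = ipaddress.ip_network(entry.strip(), strict=False)
    if net.version != 4:
        raise ValueError(f"{entry!r}: only IPv4 addresses/CIDR blocks are accepted here")
    if net.prefixlen == 0:
        raise ValueError(f"{entry!r} admits every source address and does not restrict access")
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def validated_vcn_ocid(ocid):
    """Accept only values shaped like a VCN OCID (ocid1.vcn.<realm>.<region>.<unique id>)."""
    ocid = ocid.strip()
    parts = ocid.split(".")
    if len(parts) != 5 or parts[0] != "ocid1" or parts[1] != "vcn" or not parts[4]:
        raise ValueError(f"{ocid!r} is not a VCN OCID")
    return ocid


def build_network_endpoint_details(ips=(), vcn_ocids=()):
    """Build the JSON object passed to --network-endpoint-details.

    Assumption: the CLI's complex-type input uses the API's camelCase property names,
    i.e. the keys that `--generate-param-json-input` prints for this parameter.
    """
    ip_entries = [canonical_ipv4_entry(i) for i in ips]
    vcn_entries = [{"id": validated_vcn_ocid(v)} for v in vcn_ocids]
    if not ip_entries and not vcn_entries:
        raise ValueError("an empty allowlist would leave network access unrestricted")
    details = {"networkEndpointType": "PUBLIC"}
    if ip_entries:
        details["allowlistedHttpIps"] = ip_entries
    if vcn_entries:
        details["allowlistedHttpVcns"] = vcn_entries
    return details


def change_network_endpoint_command(instance_ocid, ips=(), vcn_ocids=()):
    """Return the argv list for the CLI call, ready for subprocess.run(cmd, check=True)."""
    payload = build_network_endpoint_details(ips, vcn_ocids)
    return ["oci", "integration", "integration-instance", "change-network-endpoint",
            "--id", instance_ocid,
            "--network-endpoint-details", json.dumps(payload, separators=(",", ":"))]


if __name__ == "__main__":
    # Placeholder OCIDs constructed for this example; substitute your own values.
    cmd = change_network_endpoint_command(
        "ocid1.integrationinstance.oc1.ap-sydney-1.PLACEHOLDER",
        ips=["203.0.113.10", "198.51.100.0/24"],
        vcn_ocids=["ocid1.vcn.oc1.ap-sydney-1.PLACEHOLDERVCN"],
    )
    print(shlex.join(cmd))
```

Passing the argv list straight to subprocess.run avoids shell quoting of the JSON altogether; shlex.join is used above only to print a copy-pasteable command line. After the call returns an opc-work-request-id, re-run the audit query from the previous section to confirm the allowlist is in place.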
    

Publication date Dec 7, 2025