00:00 Welcome back to this lesson on VCN security.
00:07 So within a VCN you have this concept of a security list.
00:15 Think about a security list as firewall rules associated with a subnet that apply to all instances inside the subnet.
00:23 So what does it look like?
00:25 The security list consists of rules that specify the type of traffic allowed in or out of the subnet.
00:32 This applies to a given instance whether it is talking with another instance in the VCN or a host outside the VCN.
00:40 And you can see a couple of entries here. These rules can be stateful or stateless.
00:45 Stateful means that if traffic is allowed in on a particular port, it is always allowed out from that port, and vice versa.
00:53 So you can see here a couple of examples: traffic is coming in at port 80, and the traffic is coming in from anywhere on the web.
01:00 So that is 0.0.0.0/0, that is, the source can be anywhere; the protocol is TCP and it is coming in at port 80, that is web traffic.
01:10 And the second rule says the traffic is going from the first subnet to the second subnet.
01:16 So you see the source is the IP, the CIDR block for the first subnet, and it is actually the egress traffic,
01:23 so it is the source for the second subnet, the private subnet, and the traffic is going on port 1521, which is the Oracle Database port.
01:30 And you can see, similarly for the private subnet, you have its own firewall rules.
01:36 And in this case it is saying that, because it is a private subnet, you do not want any kind of web traffic.
01:42 So the only rule here is the traffic coming from the public subnet, from the web server.
01:48 So the source CIDR is 10.0.1.0/24 and the port is 1521, right?
01:55 So this is how you would define a security list within the OCI VCN service.
02:02 Now there is also another concept, which is called network security groups, or NSGs.
02:09 These are a very similar construct to security lists,
02:12 but the key difference is that these apply only to a set of virtual network interface cards in a single VCN.
02:20 And another big difference here is that NSGs can be the source or destination in the rules. Contrast this with the security list rules,
02:29 where you specify a CIDR, only a CIDR, as the source or destination.
02:35 So as you can see here in this example, for the egress traffic the source is NSG B.
02:42 So that is the NSG which is attached to my database. Similarly, for the second network security group,
02:48 you can see that the source is the first network security group, that is, NSG A.
02:54 Also, one thing to keep in mind as you leverage network security groups, because they apply to individual VNICs:
03:02 now you could have two instances in a single subnet and they can have different security constructs.
03:09 So one can have an NSG with a different kind of rules, and the other instance, you can see, has an NSG,
03:16 in this case we say NSG C, which has a different set of rules, right?
03:19 So you could have that kind of scenario enabled by using network security groups.
03:24 So that is it. Just to recap, there are two mechanisms to create these firewall rules in an OCI VCN:
03:30 one is security lists and the other is network security groups.
03:35 Thanks for watching.