“I read the manual, but it is still hard to choose between SLs and NSGs…”
Originally posted at the Oracle University Learning Community
Security is paramount on OCI, which offers plenty of options to keep your workloads secure. For virtual cloud network security, Security Lists and Network Security Groups provide the initial line of defense, controlling which traffic can reach your resources. The security rules in both are very similar, which makes you wonder which one to choose.
Security List and NSG rules are both enforced at the resource (check the list of resources that support NSGs); what makes them different is how they are assigned.
- Security Lists are assigned per subnet.
- NSGs are assigned directly to a specific VNIC.
So, which one to choose?
NSGs allow more granular control. If you want to allow access to only some of the instances in a subnet, NSGs are one way of doing that. If the access you need to define is broader, such as a security rule allowing the bastion host SSH access to any instance in a subnet, a Security List should suffice to grant that access.
The good thing is that you do not need to work exclusively with one or the other. Both can be combined, and you can take advantage of that: each one does its part, helping you build a safer environment. Dividing the duties to conquer security.
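To make the division of duties concrete, here is an added Python model (not from the original post, and not OCI's own tooling) of how ingress rules are evaluated when a VNIC is covered by both its subnet's Security Lists and an NSG. The instance names, CIDRs and ports are constructed, and it models TCP ingress only; the point it shows is that OCI applies the union of both rule sets, so an NSG can add access but cannot take away what the subnet's Security List already grants.

```python
# Added example: a small model of OCI ingress evaluation for a VNIC that
# has Security Lists (per subnet) and NSGs (per VNIC). Constructed values.
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One ingress rule: source CIDR plus a destination TCP port range."""
    source: str
    port_min: int
    port_max: int

    def matches(self, src_ip: str, port: int) -> bool:
        in_cidr = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
        return in_cidr and self.port_min <= port <= self.port_max


@dataclass
class Vnic:
    name: str
    subnet_security_lists: list            # rules inherited from the subnet
    nsgs: list = field(default_factory=list)  # rules attached to this VNIC only


def ingress_allowed(vnic: Vnic, src_ip: str, port: int) -> bool:
    """OCI evaluates the union of SL and NSG rules: any match allows, default deny."""
    rules = [r for sl in vnic.subnet_security_lists for r in sl]
    rules += [r for nsg in vnic.nsgs for r in nsg]
    return any(r.matches(src_ip, port) for r in rules)


# Constructed scenario (hypothetical addresses): the subnet's Security List lets
# the bastion host 10.0.0.5 reach port 22 on every instance; an NSG opens 443 to
# the internet only for the VNICs that are members of it.
BASTION_SSH_SL = [Rule("10.0.0.5/32", 22, 22)]
WEB_NSG = [Rule("0.0.0.0/0", 443, 443)]

web_server = Vnic("web-1", [BASTION_SSH_SL], nsgs=[WEB_NSG])
db_server = Vnic("db-1", [BASTION_SSH_SL])  # same subnet, not in the NSG


def scenario() -> dict:
    return {
        "web https from internet": ingress_allowed(web_server, "203.0.113.9", 443),
        "db https from internet": ingress_allowed(db_server, "203.0.113.9", 443),
        "web ssh from bastion": ingress_allowed(web_server, "10.0.0.5", 22),
        "db ssh from bastion": ingress_allowed(db_server, "10.0.0.5", 22),
        # the NSG is silent on port 22, yet SSH stays open via the subnet SL
        "web ssh if NSG were the only rule set": ingress_allowed(
            Vnic("web-1", [], nsgs=[WEB_NSG]), "10.0.0.5", 22),
    }


if __name__ == "__main__":
    for check, allowed in scenario().items():
        print(f"{check}: {'allow' if allowed else 'deny'}")
```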
How are you combining SLs and NSGs to achieve your goals? Share your thoughts and experiences.