Automation of Network Security Group (NSG) on OCI

Karthik Mani
Published in Oracle Developers
Mar 24, 2023 (4 min read)

Adding Network Security Group rules via OCI CLI

Network Security Group (NSG):

In my previous post we discussed adding security lists via OCI CLI. It is a lot quicker and easier when rules get added in bulk.

In this post we will discuss creating and adding rules to a Network Security Group from a Microsoft Excel spreadsheet.

A quick intro to NSG:

Network Security Groups (NSGs) act as a virtual firewall for your compute instances and other kinds of resources. An NSG consists of a set of ingress and egress security rules that apply only to a set of VNICs of your choice in a single VCN (for example: all the compute instances that act as web servers in the web tier of a multi-tier application in your VCN).

Compared to security lists, NSGs allow you to separate your VCN’s subnet architecture from your application security requirements. See Comparison of Security Lists and Network Security Groups.

Converting rules captured in Excel to JSON

OCI provides a nice GUI to add NSG rules, but OCI CLI accepts these rules only in JSON format. Writing these rules by hand in JSON is more time-consuming than adding them via the GUI.

My plan to simplify this:

  • Capture the NSG Access rules in an Excel spreadsheet.
  • Use Python to convert the Excel sheet to JSON.
  • Move the JSON files to OCI CLI.
  • Using a shell script, create and add rules to NSG using the JSON files.

Step 1. Download the sample Excel file here.

Step 2. You should find a sheet called “list”; enter your rules in this sheet, one per row, with these columns:

  • Description: a description of the rule.
  • Protocol: TCP, UDP or ICMP are the only options handled by the script. (This should cover most of the rules!)
  • Direction: Ingress or Egress.
  • Network: CIDR range or IP address. (Note: for Ingress rules the CIDR becomes the source; for Egress rules the CIDR is used as the destination.)
  • Port: the destination port number(s). This is only applicable to TCP and UDP.

Step 3. Download the Python Script here.

Step 4. Prepare your personal laptop to run the downloaded Python script (install the required modules with pip: pandas and xlrd).

Step 5. Place NSG.xls and the NSG.py script in the same directory on your laptop.

Step 6. Execute the Python script. Below is a sample output.

In the above output:

  • 118 denotes the number of access rules in Excel that will get converted to JSON.
  • Note: the per-NSG limit is 120 rules.
  • 5 denotes the number of JSON files the program created.
  • OCI CLI currently does not allow more than 25 rules to be added in one API call, hence the rules are split across 5 JSON files.
  • You will find those files in the same directory where the script was run. Refer to the screenshot below.
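To make the conversion in steps 2 and 6 concrete, here is an added example (not the post's NSG.py) that maps rows with the five columns above to the JSON objects that `oci network nsg rules add --security-rules file://...` accepts, validates the CIDR and port values before anything reaches the API, enforces the 120-rule per-NSG limit, and splits the result into NSG_Split1.json, NSG_Split2.json, ... of at most 25 rules each. The rows are constructed inline in place of what pandas would read from NSG.xls, so it runs offline. The JSON field names (`direction`, `protocol`, `source`/`sourceType`, `tcpOptions.destinationPortRange`, and so on) follow the OCI SecurityRule API shape as I understand it; the port-range syntax `8000-8010` is my own extension beyond the single port the post describes. Check the exact shape your CLI version expects with `oci network nsg rules add --generate-param-json-input security-rules` before relying on it.

```python
"""Convert NSG rule rows (the columns of the Excel "list" sheet) into the JSON
that `oci network nsg rules add --security-rules file://...` accepts, and split
them into files of at most 25 rules each.

Added example, not the post's NSG.py. Column names, protocol set and the 25/120
limits come from the post; the JSON field names follow the OCI SecurityRule API
shape (verify with `oci network nsg rules add --generate-param-json-input security-rules`).
"""
import ipaddress
import json
import os

PROTOCOL_NUMBERS = {"TCP": "6", "UDP": "17", "ICMP": "1"}  # IANA numbers, as OCI expects them
MAX_RULES_PER_NSG = 120   # per-NSG limit stated in the post
MAX_RULES_PER_CALL = 25   # per-API-call limit stated in the post

# Constructed sample rows standing in for what pandas would read from NSG.xls.
SAMPLE_ROWS = [
    {"Description": "HTTPS from corporate", "Protocol": "TCP", "Direction": "Ingress", "Network": "10.0.0.0/8", "Port": 443},
    {"Description": "SSH from bastion", "Protocol": "TCP", "Direction": "Ingress", "Network": "10.1.2.5/32", "Port": 22.0},
    {"Description": "DNS to resolver", "Protocol": "UDP", "Direction": "Egress", "Network": "10.0.0.2/32", "Port": "53"},
    {"Description": "Ping from monitoring", "Protocol": "ICMP", "Direction": "Ingress", "Network": "10.9.0.0/24", "Port": ""},
]


def _port_range(value):
    """Accept 443, 443.0, "443" or "8000-8010" (assumed range syntax) and return (min, max)."""
    if isinstance(value, float) and value.is_integer():  # numeric Excel cells arrive as floats
        value = int(value)
    text = str(value).strip()
    if not text:
        raise ValueError("TCP/UDP rules need a destination port")
    lo_text, _, hi_text = text.partition("-")
    lo = int(lo_text)
    hi = int(hi_text) if hi_text else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {text}")
    return lo, hi


def row_to_rule(row):
    """Map one spreadsheet row to one OCI security-rule object."""
    proto = str(row["Protocol"]).strip().upper()
    if proto not in PROTOCOL_NUMBERS:
        raise ValueError(f"unsupported protocol {row['Protocol']!r}; only TCP, UDP, ICMP are handled")
    direction = str(row["Direction"]).strip().upper()
    if direction not in ("INGRESS", "EGRESS"):
        raise ValueError(f"direction must be Ingress or Egress, got {row['Direction']!r}")
    cidr = str(row["Network"]).strip()
    ipaddress.ip_network(cidr, strict=False)  # reject typos locally instead of at the API
    rule = {
        "description": str(row["Description"]).strip(),
        "direction": direction,
        "protocol": PROTOCOL_NUMBERS[proto],
        "isStateless": False,
    }
    # As the post says: the CIDR is the source for ingress and the destination for egress.
    if direction == "INGRESS":
        rule["source"], rule["sourceType"] = cidr, "CIDR_BLOCK"
    else:
        rule["destination"], rule["destinationType"] = cidr, "CIDR_BLOCK"
    if proto in ("TCP", "UDP"):  # ports apply only to TCP/UDP; ICMP gets no options (all types/codes)
        lo, hi = _port_range(row.get("Port", ""))
        rule["tcpOptions" if proto == "TCP" else "udpOptions"] = {"destinationPortRange": {"min": lo, "max": hi}}
    return rule


def convert_rows(rows):
    """Convert every row, enforcing the per-NSG limit before any API call is made."""
    if len(rows) > MAX_RULES_PER_NSG:
        raise ValueError(f"{len(rows)} rules exceed the per-NSG limit of {MAX_RULES_PER_NSG}")
    return [row_to_rule(r) for r in rows]


def split_rules(rules, size=MAX_RULES_PER_CALL):
    """Chunk the rule list so each file fits in one `oci network nsg rules add` call."""
    return [rules[i:i + size] for i in range(0, len(rules), size)]


def write_split_files(rules, out_dir=".", prefix="NSG_Split"):
    """Write NSG_Split1.json, NSG_Split2.json, ... and return their paths."""
    paths = []
    for n, chunk in enumerate(split_rules(rules), start=1):
        path = os.path.join(out_dir, f"{prefix}{n}.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(chunk, fh, indent=2)
        paths.append(path)
    return paths


if __name__ == "__main__":
    converted = convert_rows(SAMPLE_ROWS)
    files = write_split_files(converted)
    print(f"{len(converted)} rules converted into {len(files)} file(s): {files}")
```

With 118 rows, `split_rules` yields five chunks (25, 25, 25, 25, 18), which is the "118 rules, 5 files" output the post describes. Each file is then passed to `oci network nsg rules add --nsg-id <NSG OCID> --security-rules file://NSG_Split1.json`, which is what the NSG.sh script in the later steps does for you. Validating CIDRs and ports before generating the files is deliberate: a bad value found in the spreadsheet costs seconds, while a half-applied batch (three files accepted, the fourth rejected) leaves the NSG in a state you then have to reconcile by hand.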

Step 7. Drag and drop the JSON files named NSG_Split* and the bash script named NSG.sh into OCI CLI.

Step 8. Make the shell script executable with the command below:

chmod +x NSG.sh

Step 9. Run the script; it should give you three options:

  • Create NSG
  • Add Rules to NSG
  • Quit

Step 10. Choose an option:

Enter 1 to create a new NSG.

It will ask for the VCN OCID, Compartment OCID and a display name. Once these details are entered, a new NSG is created!

Enter 2 to add the JSON rules to an NSG.

It will ask for the NSG OCID, and the rules from the JSON files are added to that NSG via the CLI.

If you are new to OCI and need help identifying your OCIDs, refer to this article.

Refer to this quick video demo to see it in action.

What do you think? Let us know in our Developer Slack, and don’t forget you can try it out with an OCI Free Tier account!


Karthik Mani, Oracle Developers. Experienced Principal Cloud Security Solution Architect with strong skills in information security, risk management, and scalable cloud infrastructure.