Adding Security Attributes to a Private Endpoint

Use Zero Trust Packet Routing to manage access to private endpoints in Object Storage.

You can use Zero Trust Packet Routing (ZPR) along with or in place of network security groups (NSGs) to manage network access to OCI resources. To do this, define ZPR policies that govern how resources communicate with each other, and then add security attributes to those resources. For more information, see Zero Trust Packet Routing.

Prerequisites

Caution

If an endpoint has a Zero Trust Packet Routing (ZPR) security attribute, traffic to the endpoint must satisfy ZPR policies and also all NSG and security list rules. For example, if you're already using NSGs and you add a security attribute to an endpoint, all traffic to the endpoint is blocked. From then onward, a ZPR policy must explicitly allow traffic to the endpoint.

  • In the Console:

    1. On the Private Endpoints list page, select Create private endpoint. If you need help finding the list page, see Listing Private Endpoints.
    2. After entering required details for the private endpoint, scroll to the Security attributes section and select Add security attribute.
      You can add up to three security attributes to control access to this private endpoint.
    3. Enter the following information:
      • Namespace: Select a security attribute namespace from the list. A security attribute namespace is a container for a set of security attributes in Zero Trust Packet Routing (ZPR).

        This list contains those security attribute namespaces already configured. See Creating a Security Attribute Namespace for more information.

      • Key: Select a key from the list. The key is the name for a specific security attribute.
      • Value: Enter a value or select a value for the corresponding key from the list. This is the value for a specific security attribute.

      These values must match an existing ZPR policy. For more information about security attributes and security attribute namespaces, see Security Attributes.

    4. When finished, select Add security attributes.
  • Use the oci os private-endpoint create command and parameters shown to add security attributes when you create a private endpoint:

    oci os private-endpoint create --name name --compartment-id compartment_ocid --subnet-id subnet_ocid --prefix prefix --access-targets access_targets [. . .] --security-attributes securityattributes [OPTIONS]

    Use the oci os private-endpoint update command and parameters shown to add security attributes to an existing private endpoint:

    oci os private-endpoint update --pe-name private_endpoint_name --name private_endpoint_name --access-targets access_targets [. . .] --security-attributes securityattributes [OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreatePrivateEndpoint operation to add security attributes when you create a private endpoint, passing them in the securityAttributes attribute.

    Run the UpdatePrivateEndpoint operation to add security attributes when you update a private endpoint, passing them in the securityAttributes attribute.
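As an added example (not code from the Oracle documentation), the following Python helper builds the securityAttributes document that the CLI and API bullets above take, enforces the limit of three attributes stated in the Console steps, and wraps the result into the oci os private-endpoint update invocation. The nested {"namespace": {"key": {"value": ..., "mode": ...}}} shape, the "enforce" mode, the access_targets.json path and the sample namespaces are assumptions, not taken from this page.

```python
import json

MAX_ATTRIBUTES = 3  # the Console limit stated on the page


def build_security_attributes(attrs, mode="enforce"):
    """Build the nested securityAttributes document from (namespace, key, value) triples.

    Assumed shape: {"<namespace>": {"<key>": {"value": "<value>", "mode": "<mode>"}}}.
    Rejects an empty list, more than MAX_ATTRIBUTES entries, blank fields and duplicate
    namespace/key pairs, so a malformed request is caught before the CLI is called.
    """
    if not attrs:
        raise ValueError("at least one security attribute is required")
    if len(attrs) > MAX_ATTRIBUTES:
        raise ValueError(f"at most {MAX_ATTRIBUTES} security attributes are allowed")
    result = {}
    for namespace, key, value in attrs:
        if not (namespace and key and value):
            raise ValueError("namespace, key and value must all be non-empty")
        keys = result.setdefault(namespace, {})
        if key in keys:
            raise ValueError(f"duplicate security attribute {namespace}.{key}")
        keys[key] = {"value": str(value), "mode": mode}
    return result


def update_command(pe_name, access_targets_file, attrs):
    """Return the argv list for `oci os private-endpoint update` carrying the attributes.

    The JSON is passed as one argument, so no shell quoting is needed when the list is
    handed to subprocess.run(). access_targets_file is a hypothetical path to a JSON
    file holding the access targets (the page's access_targets placeholder).
    """
    payload = json.dumps(build_security_attributes(attrs), separators=(",", ":"))
    return [
        "oci", "os", "private-endpoint", "update",
        "--pe-name", pe_name,
        "--name", pe_name,
        "--access-targets", f"file://{access_targets_file}",
        "--security-attributes", payload,
    ]


if __name__ == "__main__":
    # Constructed sample: one attribute in the Oracle-ZPR namespace, one in a custom namespace.
    sample = [("Oracle-ZPR", "MaxEgressCount", "42"), ("app-zpr", "env", "prod")]
    print(" ".join(update_command("my-pe", "access_targets.json", sample)))
```

Remember the caution above: once the update lands, only traffic that a ZPR policy explicitly allows (and that NSG and security list rules also permit) reaches the endpoint, so have the matching policy in place first.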