OCI Zero Trust Packet Routing FAQ

FAQ topics

General

What is OCI Zero Trust Packet Routing (ZPR)?

OCI ZPR prevents unauthorized access to data by separating network security from the underlying network architecture. OCI ZPR policies utilize intent-based and human-readable language, making them easy to audit, understand, and manage. These policies enable security administrators to define precise data access pathways, helping ensure that only explicitly permitted traffic can traverse the network. By adopting OCI ZPR, organizations can significantly enhance their security postures while simplifying administration and compliance management.

How do I use OCI ZPR?

OCI ZPR is available by default within your tenancy and can be accessed from the web console. The steps for enabling OCI ZPR for the first time are as follows:

  • From the top-level menu, select Identity &Security > Zero Trust Packet Routing.
  • Click the “Enable ZPR” button.

How much does OCI ZPR cost?

OCI ZPR is offered at no additional cost for OCI configuration and OCI activity across supported OCI services. This means you can leverage OCI ZPR's robust security features without incurring extra charges, making it an accessible and cost-effective solution for enhancing your cloud security.

Is OCI ZPR a regional or global service?

OCI ZPR is implemented regionally.

Which regions are enabled?

Tenancies are enabled for OCI ZPR for all commercial regions. Please consult our list of currently supported regions.

What is a security attribute namespace?

A security attribute namespace is a container for security attributes that helps organize and manage sensitive resources. A namespace will have IAM policy written against it to define which groups of OCI administrators have access.

When you enable ZPR, it creates a security attribute namespace in your tenancy called “Oracle-zpr” that includes an example security attribute labeled “Sensitivity.” If you omit the security attribute namespace of a security attribute when writing policy, ZPR will default to the Oracle-zpr security attribute namespace.

How does adding or removing OCI ZPR policies impact existing networking and security configurations (NSGs/routing tables)?

OCI ZPR policies are evaluated in addition to network security groups (NSGs) and security lists. Traffic is first evaluated against existing NSG rules, then by OCI ZPR policies. This helps ensure that only traffic that meets both the network security rules and the OCI ZPR policies is permitted.

By contrast, removing OCI ZPR policies can reduce the efficacy of this layered security approach, as traffic is solely governed by the NSG and security lists. While the foundational security remains intact, the absence of OCI ZPR policies may expose the network to risks that would previously have been mitigated by these additional rules. Therefore, any changes to OCI ZPR policies should be carefully managed to keep the overall security framework aligned with the organization's security requirements.

What is the scope of OCI ZPR policies?

OCI ZPR policies reside in the root compartment of the tenancy and apply to the entire tenancy.