Deploys an Oracle Cloud Infrastructure Network Firewall with an inline firewall policy. The firewall appliance is deployed into a subnet and inspects traffic according to security rules that match on source/destination IP addresses, TCP/UDP ports, and URL patterns. The policy and all sub-resources (address lists, services, service lists, URL lists, security rules) are declared in a single manifest.
What Gets Created
When you deploy an OciNetworkFirewall resource, OpenMCF provisions:
Firewall Policy — a networkfirewall.NetworkFirewallPolicy resource in the specified compartment. Created first as the container for all policy sub-resources.
Address Lists — one networkfirewall.NetworkFirewallPolicyAddressList per entry in policy.addressLists. Each list contains IP CIDRs or FQDNs referenced by security rules.
Services — one networkfirewall.NetworkFirewallPolicyService per entry in policy.services. Each service defines TCP or UDP port ranges.
Service Lists — one networkfirewall.NetworkFirewallPolicyServiceList per entry in policy.serviceLists. Each list groups services for reuse across rules.
URL Lists — one networkfirewall.NetworkFirewallPolicyUrlList per entry in policy.urlLists. Each list contains URL patterns for L7 HTTP(S) inspection.
Security Rules — one networkfirewall.NetworkFirewallPolicySecurityRule per entry in policy.securityRules. Rules are evaluated in list order; each rule's priority is derived from its position in the list, so reordering the list changes the evaluation order. Each rule references address lists, services, and URL lists by name.
Network Firewall — a networkfirewall.NetworkFirewall appliance in the specified subnet, associated with the policy. Created last, after all policy sub-resources.
Prerequisites
OCI credentials configured via environment variables or OpenMCF provider config (API Key, Instance Principal, Security Token, Resource Principal, or OKE Workload Identity)
A compartment OCID where the firewall and policy will be created — either a literal value or a reference to an OciCompartment resource
A subnet OCID where the firewall appliance will be deployed — either a literal value or a reference to an OciSubnet resource
This creates a network firewall with a policy that allows traffic from internal RFC 1918 networks. The firewall OCID, IPv4 address, and policy OCID are exported as stack outputs.
Configuration Reference
Required Fields
| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| compartmentId | StringValueOrRef | OCID of the compartment where the firewall and policy will be created. Can reference an OciCompartment resource via valueFrom. | Required |
| subnetId | StringValueOrRef | OCID of the subnet where the firewall appliance will be deployed. ForceNew. Can reference an OciSubnet resource via valueFrom. | Required |
| policy | Policy | Inline firewall policy with security rules and supporting objects. | Required |
Optional Fields
| Field | Type | Default | Description |
| --- | --- | --- | --- |
| displayName | string | metadata name | Display name for the firewall. |
| ipv4Address | string | auto-assigned | Static IPv4 address for the firewall. ForceNew. |
| ipv6Address | string | auto-assigned | Static IPv6 address for the firewall (if the subnet supports IPv6). ForceNew. |
| availabilityDomain | string | auto-selected | Availability domain for firewall placement. ForceNew. |
| networkSecurityGroupIds | StringValueOrRef[] | — | NSGs applied to the firewall. Can reference OciSecurityGroup resources via valueFrom. |
| natConfiguration | NatConfiguration | — | NAT configuration for egress traffic inspection. |
| shape | string | OCI default | Firewall shape determining throughput capacity. |
NatConfiguration
| Field | Type | Description |
| --- | --- | --- |
| mustEnablePrivateNat | bool | When true, the firewall uses a private IP for NAT instead of a public IP. |
Policy
| Field | Type | Description |
| --- | --- | --- |
| displayName | string | Display name for the policy. Defaults to "{firewall}-policy". |
| description | string | Description of the policy. |
| addressLists | AddressList[] | IP/FQDN address lists referenced by security rules. |
| services | Service[] | TCP/UDP port definitions referenced by security rules. |
| serviceLists | ServiceList[] | Groups of services for reuse across rules. |
| urlLists | UrlList[] | URL pattern lists for L7 HTTP(S) inspection. |
| securityRules | SecurityRule[] | Security rules evaluated in list order. |
AddressList
| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| name | string | Unique name within the policy. ForceNew. Referenced by security rules. | Min length 1 |
| type | enum | ip for IP addresses/CIDRs, fqdn for domain names. | Required |
| addresses | string[] | IP CIDRs (e.g., "10.0.0.0/8") or FQDNs (e.g., "example.com"). | Min 1 item |
| description | string | Optional description. | — |
Service
| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| name | string | Unique name within the policy. ForceNew. Referenced by security rules and service lists. | Min length 1 |
| type | enum | tcp_service or udp_service. | Required |
| portRanges | PortRange[] | Port ranges for this service. | Min 1 item |
| description | string | Optional description. | — |
PortRange
| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| minimumPort | int32 | Start of the port range (inclusive). | 1-65535 |
| maximumPort | int32 | End of the port range (inclusive). When omitted, equals minimumPort (single port). | >= minimumPort |
ServiceList
| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| name | string | Unique name within the policy. ForceNew. Referenced by security rules. | Min length 1 |
| services | string[] | Names of services to include. Each must match a Service defined in the policy. | — |
| description | string | Optional description. | — |
UrlList
| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| name | string | Unique name within the policy. ForceNew. Referenced by security rules. | |
Related resource: OciVcn. The firewall's subnet must belong to a VCN, and route table entries direct traffic through the firewall's IPv4 address.
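Because the policy objects are declared inline and only validated at deploy time, it is worth checking the constraints from the tables above before submitting the manifest: unique names, the ip/fqdn and tcp_service/udp_service enums, non-empty address and port-range lists, minimumPort within 1-65535 with maximumPort defaulting to minimumPort and never below it, and every serviceLists entry resolving to a defined Service. The validator below is an added example written for this page, not OpenMCF's own code; the two policy dicts are constructed to mirror the policy block of a manifest after YAML parsing (one clean, one with deliberate mistakes), and the FQDN syntax check is a generic RFC 1123 hostname check because the page does not state OCI's FQDN rules. securityRules are not checked because their field layout is not shown in this section.

```python
import ipaddress
import re

# Enum values from the AddressList and Service tables on this page.
ADDRESS_TYPES = {"ip", "fqdn"}
SERVICE_TYPES = {"tcp_service", "udp_service"}
# Assumption: generic RFC 1123 hostname labels; OCI's exact FQDN syntax is not on this page.
FQDN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+\.?$")


def _unique_names(items, kind, errors):
    """Enforce 'unique name within the policy' (min length 1); return the names seen."""
    seen = set()
    for item in items:
        name = item.get("name", "")
        if not name:
            errors.append(f"{kind}: entry without a name (min length 1)")
        elif name in seen:
            errors.append(f"{kind} '{name}': duplicate name within the policy")
        seen.add(name)
    return seen


def check_address_lists(lists, errors):
    _unique_names(lists, "addressList", errors)
    for al in lists:
        name, atype = al.get("name", "?"), al.get("type")
        if atype not in ADDRESS_TYPES:
            errors.append(f"addressList '{name}': type must be ip or fqdn, got {atype!r}")
            continue
        addrs = al.get("addresses") or []
        if not addrs:
            errors.append(f"addressList '{name}': addresses needs at least 1 item")
        for a in addrs:
            if atype == "ip":
                try:
                    # strict=True rejects CIDRs with host bits set ("10.0.0.1/8"):
                    # the author almost certainly meant a different prefix or a /32.
                    ipaddress.ip_network(a, strict=True)
                except ValueError:
                    errors.append(f"addressList '{name}': {a!r} is not a clean IP/CIDR")
            elif not FQDN_RE.match(a):
                errors.append(f"addressList '{name}': {a!r} is not an FQDN")


def check_services(services, errors):
    names = _unique_names(services, "service", errors)
    for svc in services:
        name = svc.get("name", "?")
        if svc.get("type") not in SERVICE_TYPES:
            errors.append(f"service '{name}': type must be tcp_service or udp_service, got {svc.get('type')!r}")
        ranges = svc.get("portRanges") or []
        if not ranges:
            errors.append(f"service '{name}': portRanges needs at least 1 item")
        for pr in ranges:
            lo = pr.get("minimumPort")
            hi = pr.get("maximumPort", lo)  # omitted maximumPort means a single port
            if not isinstance(lo, int) or not 1 <= lo <= 65535:
                errors.append(f"service '{name}': minimumPort must be 1-65535, got {lo!r}")
            elif not isinstance(hi, int) or hi < lo or hi > 65535:
                errors.append(f"service '{name}': maximumPort {hi!r} must be >= minimumPort {lo} and <= 65535")
    return names


def check_service_lists(service_lists, service_names, errors):
    _unique_names(service_lists, "serviceList", errors)
    for sl in service_lists:
        for ref in sl.get("services") or []:
            if ref not in service_names:
                errors.append(f"serviceList '{sl.get('name', '?')}': references undefined service '{ref}'")


def validate_policy(policy):
    """Return a list of human-readable problems; an empty list means the policy passes."""
    errors = []
    check_address_lists(policy.get("addressLists") or [], errors)
    service_names = check_services(policy.get("services") or [], errors)
    check_service_lists(policy.get("serviceLists") or [], service_names, errors)
    # Only names are checked for urlLists: the URL pattern fields are not documented here.
    _unique_names(policy.get("urlLists") or [], "urlList", errors)
    return errors


# Constructed sample policies (hypothetical; not from a real manifest).
GOOD_POLICY = {
    "addressLists": [
        {"name": "rfc1918", "type": "ip", "addresses": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
        {"name": "update-hosts", "type": "fqdn", "addresses": ["updates.example.com"]},
    ],
    "services": [
        {"name": "https", "type": "tcp_service", "portRanges": [{"minimumPort": 443}]},
        {"name": "dns", "type": "udp_service", "portRanges": [{"minimumPort": 53}]},
    ],
    "serviceLists": [{"name": "web-and-dns", "services": ["https", "dns"]}],
}
BAD_POLICY = {
    "addressLists": [
        {"name": "corp", "type": "ip", "addresses": ["10.0.0.1/8"]},      # host bits set
        {"name": "corp", "type": "ip", "addresses": ["192.168.1.0/24"]},  # duplicate name
        {"name": "empty", "type": "fqdn", "addresses": []},               # min 1 item
    ],
    "services": [
        {"name": "bad-range", "type": "tcp_service", "portRanges": [{"minimumPort": 8080, "maximumPort": 80}]},
        {"name": "icmp", "type": "icmp_service", "portRanges": [{"minimumPort": 1}]},  # bad enum
    ],
    "serviceLists": [{"name": "apps", "services": ["bad-range", "ssh"]}],  # ssh is undefined
}

if __name__ == "__main__":
    for label, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        problems = validate_policy(pol)
        print(f"{label}: {len(problems)} problem(s)")
        for p in problems:
            print("  -", p)
```

Run it against the policy block of your own manifest (for example by loading the YAML and passing `doc["spec"]["policy"]`, assuming that is where your manifest keeps it) before `openmcf` applies it; the bad sample yields six findings, the clean one none. Rejecting CIDRs with host bits set is deliberate: an address list entry like 10.0.0.1/8 silently matches the whole /8, which is exactly the kind of over-broad allow rule you do not want to discover after deployment.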