
Add OCI Network Security Groups Support (oci.network.networkSecurityGroup resource) #6548

@syrull

Description


Summary

Add support for Oracle Cloud Infrastructure Network Security Groups (NSGs), which provide fine-grained virtual firewall rules for VNICs within a VCN.

OCI API Reference

Proposed MQL Resources

oci.network (Extend Existing)

| Field | Type | Description |
|---|---|---|
| networkSecurityGroups | []oci.network.networkSecurityGroup | Network Security Groups in the tenancy |

oci.network.networkSecurityGroup

| Field | Type | Description |
|---|---|---|
| id | string | NSG OCID |
| name | string | Display name |
| compartmentID | string | Compartment OCID |
| vcnId | string | VCN OCID the NSG belongs to |
| state | string | Lifecycle state (AVAILABLE, PROVISIONING, TERMINATED) |
| created | time | Creation time |
| ingressSecurityRules | []dict | Ingress security rules |
| egressSecurityRules | []dict | Egress security rules |

Security Rule Structure (dict)

| Field | Type | Description |
|---|---|---|
| direction | string | INGRESS or EGRESS |
| protocol | string | Protocol number (6=TCP, 17=UDP, 1=ICMP, all) |
| source | string | Source CIDR or NSG OCID (for ingress) |
| destination | string | Destination CIDR or NSG OCID (for egress) |
| sourceType | string | CIDR_BLOCK, NSG, SERVICE_CIDR_BLOCK |
| tcpOptions | dict | TCP port range options |
| udpOptions | dict | UDP port range options |
| icmpOptions | dict | ICMP type and code options |
| isStateless | bool | Whether the rule is stateless |

Example MQL Queries

```mql
# Check no NSGs allow SSH from anywhere
oci.network.networkSecurityGroups.all(
  ingressSecurityRules.none(
    _["source"] == "0.0.0.0/0" &&
    _["protocol"] == "6" &&
    _["tcpOptions"]["destinationPortRange"]["min"] <= 22 &&
    _["tcpOptions"]["destinationPortRange"]["max"] >= 22
  )
)

# List NSGs allowing RDP access
oci.network.networkSecurityGroups.where(
  ingressSecurityRules.any(
    _["tcpOptions"]["destinationPortRange"]["min"] <= 3389
  )
)
```
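The same "world-open port" check as the SSH query above, written in Python over the proposed rule dict structure as an added example (not cnquery, OCI SDK, or the issue author's code). It goes slightly beyond the MQL shown: a rule with protocol `all`, or a TCP rule with no `tcpOptions` port range, also reaches port 22, and a rule without `tcpOptions` must not make the check fail. The sample NSGs are constructed.

```python
# Added example (not cnquery or OCI SDK code): audits NSG ingress rules for
# world-open access to a TCP port, using the field names of the proposed
# oci.network.networkSecurityGroup dict structure. Sample data is constructed.
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
TCP = "6"

def rule_allows_tcp_port(rule: dict, port: int) -> bool:
    """Ingress rule admits TCP to `port`; "all" matches any protocol, and a TCP rule
    with no destinationPortRange covers every port."""
    if rule.get("direction") != "INGRESS":
        return False
    proto = str(rule.get("protocol", ""))
    if proto == "all":
        return True
    if proto != TCP:
        return False
    port_range = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    if not port_range:
        return True  # OCI treats an omitted port range as all ports
    return port_range["min"] <= port <= port_range["max"]

def rule_is_world_open(rule: dict) -> bool:
    """True if the rule's source is an any-address CIDR block."""
    return (rule.get("sourceType") == "CIDR_BLOCK"
            and rule.get("source") in (ANY_IPV4, ANY_IPV6))

def nsgs_exposing_port(nsgs: list, port: int) -> list:
    """Names of NSGs with at least one world-open ingress rule reaching `port`."""
    return [nsg["name"] for nsg in nsgs
            if any(rule_is_world_open(r) and rule_allows_tcp_port(r, port)
                   for r in nsg.get("ingressSecurityRules", []))]

# Constructed sample NSGs shaped like the proposed resource (not real OCI data).
SAMPLE_NSGS = [
    {"name": "bastion", "ingressSecurityRules": [
        {"direction": "INGRESS", "protocol": "6", "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK",
         "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}, "isStateless": False}]},
    {"name": "allow-everything", "ingressSecurityRules": [
        {"direction": "INGRESS", "protocol": "all", "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK",
         "isStateless": False}]},
    {"name": "internal-web", "ingressSecurityRules": [
        {"direction": "INGRESS", "protocol": "6", "source": "10.0.0.0/16", "sourceType": "CIDR_BLOCK",
         "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}, "isStateless": False}]},
]

if __name__ == "__main__":
    print(nsgs_exposing_port(SAMPLE_NSGS, 22))  # ['bastion', 'allow-everything']
```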

Use Cases

  • Audit network security group rules for overly permissive access
  • Verify ingress rules don't allow unrestricted access to sensitive ports
  • Ensure NSGs follow least-privilege network access patterns
  • Monitor NSG rule changes across compartments

Labels: enhancement (New feature or request)