
OCI Security Lists vs Network Security Groups — What to Use and When (Terraform Examples Included)
- Posted by Martin Linxfeld
- Categories OCI Networking, Terraform Recipes
- Date February 12, 2020
- Comments 0 comment
- Tags Firewall Rules, Network Security Groups, OCI Infrastructure, OCI Networking, OCI NSG, OCI Security List, OCI Terraform Examples, terraform, vcn
🧩 Introduction
When designing secure architectures in Oracle Cloud Infrastructure, understanding the differences between OCI Security Lists and Network Security Groups (NSGs), and how to manage both with Terraform, is key. These two constructs define how network traffic is filtered — at subnet level or VNIC level — and using Terraform makes both easy to automate.
Both are used to define ingress and egress rules for traffic — but they work at different scopes and serve different purposes.
If you’ve already created your OCI Virtual Cloud Network (VCN) and subnets with Terraform, it’s time to explore how to secure them properly.
🧱 Step 1 — Understanding the Scope Difference
Security Lists and Network Security Groups might look similar at first glance — both control which packets are allowed in or out — but their behavior differs fundamentally:
| Feature | Security List | Network Security Group |
|---|---|---|
| Scope | Entire subnet | Individual VNICs |
| Type | Stateless/Stateful | Always Stateful |
| Rule granularity | Broad (applies to all subnet resources) | Fine-grained (selective VNICs) |
| Ideal for | Simple or static environments | Dynamic, micro-segmented workloads |
| Terraform resources | `oci_core_security_list` | `oci_core_network_security_group` |
👉 In short:
Security Lists apply rules at the subnet level, while NSGs operate at the VNIC level.
This difference gives NSGs far greater flexibility for modern architectures, where different instances within the same subnet perform different roles.
🧱 Step 2 — Terraform Example: Defining a Security List
Let’s start with a simple Security List definition for your public subnet.
It allows SSH ingress (TCP/22) from anywhere and full egress to the Internet.
```hcl
resource "oci_core_security_list" "foggykitchen_sl" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_virtual_network.foggykitchen_vcn.id
  display_name   = "foggykitchen-sl"

  # Inbound SSH (TCP/22) from any source
  ingress_security_rules {
    protocol = "6"
    source   = "0.0.0.0/0"
    tcp_options {
      min = 22
      max = 22
    }
  }

  # Unrestricted outbound traffic
  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}
```
🧩 What’s happening here:
- `protocol = "6"` → TCP traffic
- `source = "0.0.0.0/0"` → open to all sources (not ideal for production!)

You can attach this Security List directly to a subnet in Terraform or via the OCI Console.
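As an added example (not code from the original post), here is the same Security List with the SSH source narrowed to an administrative range and attached to the public subnet through `security_list_ids`, which is what actually puts the rules into effect. The variable `admin_cidr`, the subnet CIDR `10.0.1.0/24`, the resource names and `oci_core_virtual_network.foggykitchen_vcn` from the earlier VCN article are assumptions.

```hcl
# Added example, not from the original post. Assumed: var.compartment_id,
# var.admin_cidr (your office or VPN egress range), the subnet CIDR below,
# and oci_core_virtual_network.foggykitchen_vcn from the VCN article.
variable "admin_cidr" {
  description = "CIDR allowed to reach SSH on the public subnet (assumed value)"
  type        = string
  default     = "203.0.113.0/24" # documentation range, replace with your own
}

resource "oci_core_security_list" "foggykitchen_public_sl" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_virtual_network.foggykitchen_vcn.id
  display_name   = "foggykitchen-public-sl"

  # SSH only from the admin range. "stateless" defaults to false, so reply
  # packets are allowed automatically without a matching egress rule.
  ingress_security_rules {
    protocol    = "6"
    source      = var.admin_cidr
    source_type = "CIDR_BLOCK"
    description = "SSH from the administrative range only"
    tcp_options {
      min = 22
      max = 22
    }
  }

  # Path MTU discovery (ICMP type 3, code 4). The OCI default Security List
  # includes this rule; dropping it silently breaks large transfers.
  ingress_security_rules {
    protocol    = "1"
    source      = "0.0.0.0/0"
    description = "ICMP fragmentation-needed for PMTUD"
    icmp_options {
      type = 3
      code = 4
    }
  }

  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}

# The list filters nothing until a subnet references it; from then on every
# VNIC in that subnet is filtered by it, whatever the instance's role.
resource "oci_core_subnet" "foggykitchen_public_subnet" {
  compartment_id    = var.compartment_id
  vcn_id            = oci_core_virtual_network.foggykitchen_vcn.id
  cidr_block        = "10.0.1.0/24" # assumed
  display_name      = "foggykitchen-public-subnet"
  security_list_ids = [oci_core_security_list.foggykitchen_public_sl.id]
}
```

Because `security_list_ids` is a list, a subnet can reference several Security Lists at once; the rules of all attached lists are evaluated together, so a permissive rule in any one of them opens the subnet.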
🧱 Step 3 — Terraform Example: Creating a Network Security Group (NSG)
For finer-grained control, define an NSG for your backend VM.
NSGs are attached to VNICs, not entire subnets.
```hcl
resource "oci_core_network_security_group" "foggykitchen_nsg" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_virtual_network.foggykitchen_vcn.id
  display_name   = "foggykitchen-nsg"
}

# Inbound SSH (TCP/22) from any source, scoped to VNICs that carry this NSG
resource "oci_core_network_security_group_security_rule" "foggykitchen_nsg_rule" {
  network_security_group_id = oci_core_network_security_group.foggykitchen_nsg.id
  direction                 = "INGRESS"
  protocol                  = "6"
  source                    = "0.0.0.0/0"
  tcp_options {
    destination_port_range {
      min = 22
      max = 22
    }
  }
}
```
💡 Pro tip:
You can attach multiple NSGs to a single VNIC — this allows combining reusable security patterns (for example: web-tier, database-tier, monitoring-tier).
🧠 Step 4 — When to Use Each (Best Practices)
Here’s how to decide between Security Lists and Network Security Groups:
✅ Use Security Lists when:
- You have simple, static architectures (e.g., a bastion or single-tier app)
- All instances in a subnet require the same rules
- You want minimal configuration and fewer Terraform resources

✅ Use Network Security Groups when:
- You need granular access control for each instance or service
- You operate multi-tier or dynamic environments (microservices, Kubernetes, DevOps pipelines)
- You want to isolate traffic between workloads within the same subnet
⚙️ Combined approach (recommended)
You can — and often should — combine both:
- Use Security Lists for base, subnet-wide protection (e.g., egress to NAT Gateway)
- Use NSGs for dynamic inbound traffic rules or east-west microsegmentation
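The combined approach above, and the Step 3 tip about attaching several NSGs to one VNIC, as an added example that is not part of the original post: a Security List supplies the subnet-wide baseline (egress only, no ingress), while NSGs grant inbound access per role. The database rule uses another NSG as its source rather than a CIDR, so access follows NSG membership instead of IP addresses. The variables `availability_domain`, `instance_shape` and `image_ocid`, the subnet CIDR `10.0.2.0/24`, the resource names and `oci_core_virtual_network.foggykitchen_vcn` are assumptions.

```hcl
# Added example, not from the original post. Assumed: var.compartment_id,
# var.availability_domain, var.instance_shape, var.image_ocid, the subnet CIDR
# below, and oci_core_virtual_network.foggykitchen_vcn from the VCN article.

# Subnet-wide baseline: no ingress rules at all, stateful egress so outbound
# traffic can leave through the NAT Gateway. Anything inbound must be granted
# per VNIC by an NSG.
resource "oci_core_security_list" "foggykitchen_private_sl" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_virtual_network.foggykitchen_vcn.id
  display_name   = "foggykitchen-private-sl"

  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}

resource "oci_core_subnet" "foggykitchen_private_subnet" {
  compartment_id             = var.compartment_id
  vcn_id                     = oci_core_virtual_network.foggykitchen_vcn.id
  cidr_block                 = "10.0.2.0/24" # assumed
  display_name               = "foggykitchen-private-subnet"
  prohibit_public_ip_on_vnic = true
  security_list_ids          = [oci_core_security_list.foggykitchen_private_sl.id]
}

# One NSG per role; both tiers live in the same subnet.
resource "oci_core_network_security_group" "foggykitchen_web_nsg" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_virtual_network.foggykitchen_vcn.id
  display_name   = "foggykitchen-web-nsg"
}

resource "oci_core_network_security_group" "foggykitchen_db_nsg" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_virtual_network.foggykitchen_vcn.id
  display_name   = "foggykitchen-db-nsg"
}

# HTTPS into the web tier (e.g. from a load balancer in the public subnet).
resource "oci_core_network_security_group_security_rule" "web_https_in" {
  network_security_group_id = oci_core_network_security_group.foggykitchen_web_nsg.id
  direction                 = "INGRESS"
  protocol                  = "6"
  source                    = "0.0.0.0/0"
  source_type               = "CIDR_BLOCK"
  description               = "HTTPS to the web tier"
  tcp_options {
    destination_port_range {
      min = 443
      max = 443
    }
  }
}

# Database port reachable only from VNICs that carry the web NSG. The source
# is an NSG OCID, not a CIDR: moving a host into or out of the web tier
# changes its access automatically, and nothing else in the subnet reaches 5432.
resource "oci_core_network_security_group_security_rule" "db_from_web_in" {
  network_security_group_id = oci_core_network_security_group.foggykitchen_db_nsg.id
  direction                 = "INGRESS"
  protocol                  = "6"
  source                    = oci_core_network_security_group.foggykitchen_web_nsg.id
  source_type               = "NETWORK_SECURITY_GROUP"
  description               = "PostgreSQL from the web tier only"
  tcp_options {
    destination_port_range {
      min = 5432
      max = 5432
    }
  }
}

# The web VM carries the web NSG; a DB VM in the same subnet would carry the
# db NSG instead. nsg_ids is a list, so a shared ops NSG (SSH from an admin
# range, monitoring agents) can be layered on any VNIC without duplicating rules.
resource "oci_core_instance" "foggykitchen_web" {
  availability_domain = var.availability_domain
  compartment_id      = var.compartment_id
  shape               = var.instance_shape
  display_name        = "foggykitchen-web"

  source_details {
    source_type = "image"
    source_id   = var.image_ocid
  }

  create_vnic_details {
    subnet_id        = oci_core_subnet.foggykitchen_private_subnet.id
    assign_public_ip = false
    nsg_ids          = [oci_core_network_security_group.foggykitchen_web_nsg.id]
  }
}
```

Note that Security List and NSG rules are additive: a packet is admitted if any rule on the subnet's Security Lists or on the VNIC's NSGs permits it. Keeping the subnet-level list free of ingress rules is what makes the NSG membership the single place where inbound exposure is decided.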
🚀 Step 5 — What’s Next
Now that you understand how to secure traffic within your OCI VCN, the next logical step is to manage outbound connectivity.
👉 Check out my related articles:
- OCI NAT Gateway with Terraform — Enabling Private Subnet Outbound Traffic
- Building Your First OCI Virtual Cloud Network (VCN) and Subnets with Terraform
By structuring your Terraform configurations around both Security Lists and Network Security Groups, you get the best of both worlds — simplicity and precision — while keeping your OCI environment secure and well-segmented.


